Grsec/PaX: 2.9-{2.6.32.59,3.2.17,3.3.6}-20120513165820120513

27 files changed, 9438 insertions, 3866 deletions

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index cfcffd4..3655217 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch:	1058_linux-2.6.32.59.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.59
 
-Patch:	4420_grsecurity-2.9-2.6.32.59-201205071838.patch
+Patch:	4420_grsecurity-2.9-2.6.32.59-201205131656.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.9-2.6.32.59-201205071838.patch b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201205131656.patch
index 185e1d4..d324f88 100644
--- a/2.6.32/4420_grsecurity-2.9-2.6.32.59-201205071838.patch
+++ b/2.6.32/4420_grsecurity-2.9-2.6.32.59-201205131656.patch
@@ -1171,6 +1171,34 @@ index d65b2f5..9d87555 100644
  #endif /* __ASSEMBLY__ */
  
  #define arch_align_stack(x) (x)
+diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
+index 2dfb7d7..8fadd73 100644
+--- a/arch/arm/include/asm/thread_info.h
++++ b/arch/arm/include/asm/thread_info.h
+@@ -138,6 +138,12 @@ extern void vfp_sync_state(struct thread_info *thread);
+ #define TIF_NEED_RESCHED	1
+ #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
+ #define TIF_SYSCALL_TRACE	8
++
++/* within 8 bits of TIF_SYSCALL_TRACE
++   to meet flexible second operand requirements
++*/
++#define TIF_GRSEC_SETXID	9
++
+ #define TIF_POLLING_NRFLAG	16
+ #define TIF_USING_IWMMXT	17
+ #define TIF_MEMDIE		18
+@@ -152,6 +158,10 @@ extern void vfp_sync_state(struct thread_info *thread);
+ #define _TIF_USING_IWMMXT	(1 << TIF_USING_IWMMXT)
+ #define _TIF_FREEZE		(1 << TIF_FREEZE)
+ #define _TIF_RESTORE_SIGMASK	(1 << TIF_RESTORE_SIGMASK)
++#define _TIF_GRSEC_SETXID	(1 << TIF_GRSEC_SETXID)
++
++/* Checks for any syscall work in entry-common.S */
++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_GRSEC_SETXID)
+ 
+ /*
+  * Change these and you break ASM code in entry-common.S
 diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
 index 1d6bd40..fba0cb9 100644
 --- a/arch/arm/include/asm/uaccess.h
@@ -1245,6 +1273,28 @@ index 0e62770..e2c2cd6 100644
  EXPORT_SYMBOL(__clear_user);
  
  EXPORT_SYMBOL(__get_user_1);
+diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
+index a6c66f5..bfdad39 100644
+--- a/arch/arm/kernel/entry-common.S
++++ b/arch/arm/kernel/entry-common.S
+@@ -77,7 +77,7 @@ ENTRY(ret_from_fork)
+ 	get_thread_info tsk
+ 	ldr	r1, [tsk, #TI_FLAGS]		@ check for syscall tracing
+ 	mov	why, #1
+-	tst	r1, #_TIF_SYSCALL_TRACE		@ are we tracing syscalls?
++	tst	r1, #_TIF_SYSCALL_WORK		@ are we tracing syscalls?
+ 	beq	ret_slow_syscall
+ 	mov	r1, sp
+ 	mov	r0, #1				@ trace exit [IP = 1]
+@@ -275,7 +275,7 @@ ENTRY(vector_swi)
+ #endif
+ 
+ 	stmdb	sp!, {r4, r5}			@ push fifth and sixth args
+-	tst	ip, #_TIF_SYSCALL_TRACE		@ are we tracing syscalls?
++	tst	ip, #_TIF_SYSCALL_WORK		@ are we tracing syscalls?
+ 	bne	__sys_trace
+ 
+ 	cmp	scno, #NR_syscalls		@ check upper syscall limit
 diff --git a/arch/arm/kernel/kgdb.c b/arch/arm/kernel/kgdb.c
 index ba8ccfe..2dc34dc 100644
 --- a/arch/arm/kernel/kgdb.c
@@ -1296,6 +1346,30 @@ index 61f90d3..771ab27 100644
  }
  
  void machine_restart(char *cmd)
+diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
+index a2ea385..4783488 100644
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -847,10 +847,19 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
+ 	return ret;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno)
+ {
+ 	unsigned long ip;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
+ 		return scno;
+ 	if (!(current->ptrace & PT_PTRACED))
 diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
 index c6c57b6..0c3b29e 100644
 --- a/arch/arm/kernel/setup.c
@@ -2917,6 +2991,35 @@ index 83b5509..9fa24a23 100644
 +#define arch_align_stack(x) ((x) & ~0xfUL)
  
  #endif /* _ASM_SYSTEM_H */
+diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
+index 845da21..f2a91b9 100644
+--- a/arch/mips/include/asm/thread_info.h
++++ b/arch/mips/include/asm/thread_info.h
+@@ -120,6 +120,8 @@ register struct thread_info *__current_thread_info __asm__("$28");
+ #define TIF_32BIT_ADDR		23	/* 32-bit address space (o32/n32) */
+ #define TIF_FPUBOUND		24	/* thread bound to FPU-full CPU set */
+ #define TIF_LOAD_WATCH		25	/* If set, load watch registers */
++/* li takes a 32bit immediate */
++#define TIF_GRSEC_SETXID	29	/* update credentials on syscall entry/exit */
+ #define TIF_SYSCALL_TRACE	31	/* syscall trace active */
+ 
+ #ifdef CONFIG_MIPS32_O32
+@@ -144,11 +146,14 @@ register struct thread_info *__current_thread_info __asm__("$28");
+ #define _TIF_32BIT_ADDR		(1<<TIF_32BIT_ADDR)
+ #define _TIF_FPUBOUND		(1<<TIF_FPUBOUND)
+ #define _TIF_LOAD_WATCH		(1<<TIF_LOAD_WATCH)
++#define _TIF_GRSEC_SETXID	(1<<TIF_GRSEC_SETXID)
++
++#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do on interrupt/exception return */
+ #define _TIF_WORK_MASK		(0x0000ffef & ~_TIF_SECCOMP)
+ /* work to do on any return to u-space */
+-#define _TIF_ALLWORK_MASK	(0x8000ffff & ~_TIF_SECCOMP)
++#define _TIF_ALLWORK_MASK	((0x8000ffff & ~_TIF_SECCOMP) | _TIF_GRSEC_SETXID)
+ 
+ #endif /* __KERNEL__ */
+ 
 diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c
 index 9fdd8bc..fcf9d68 100644
 --- a/arch/mips/kernel/binfmt_elfn32.c
@@ -2953,6 +3056,19 @@ index ff44823..cf0b48a 100644
  #include <asm/processor.h>
  
  /*
+diff --git a/arch/mips/kernel/entry.S b/arch/mips/kernel/entry.S
+index ffa3310..f8b1e06 100644
+--- a/arch/mips/kernel/entry.S
++++ b/arch/mips/kernel/entry.S
+@@ -167,7 +167,7 @@ work_notifysig:				# deal with pending signals and
+ FEXPORT(syscall_exit_work_partial)
+ 	SAVE_STATIC
+ syscall_exit_work:
+-	li	t0, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t0, _TIF_SYSCALL_WORK
+ 	and	t0, a2			# a2 is preloaded with TI_FLAGS
+ 	beqz	t0, work_pending	# trace bit set?
+ 	local_irq_enable		# could let do_syscall_trace()
 diff --git a/arch/mips/kernel/kgdb.c b/arch/mips/kernel/kgdb.c
 index 50c9bb8..efdd5f8 100644
 --- a/arch/mips/kernel/kgdb.c
@@ -2985,6 +3101,33 @@ index f3d73e1..bb3f57a 100644
 -
 -	return sp & ALMASK;
 -}
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index 054861c..ddbbc7d 100644
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -558,6 +558,10 @@ static inline int audit_arch(void)
+ 	return arch;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
+  * Notification of system call entry/exit
+  * - triggered by current->work.syscall_trace
+@@ -568,6 +572,11 @@ asmlinkage void do_syscall_trace(struct pt_regs *regs, int entryexit)
+ 	if (!entryexit)
+ 		secure_computing(regs->regs[0]);
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (unlikely(current->audit_context) && entryexit)
+ 		audit_syscall_exit(AUDITSC_RESULT(regs->regs[2]),
+ 		                   regs->regs[2]);
 diff --git a/arch/mips/kernel/reset.c b/arch/mips/kernel/reset.c
 index 060563a..7fbf310 100644
 --- a/arch/mips/kernel/reset.c
@@ -3020,6 +3163,58 @@ index 060563a..7fbf310 100644
  		pm_power_off();
 +	BUG();
  }
+diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
+index fd2a9bb..73ecc89 100644
+--- a/arch/mips/kernel/scall32-o32.S
++++ b/arch/mips/kernel/scall32-o32.S
+@@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp)
+ 
+ stack_done:
+ 	lw	t0, TI_FLAGS($28)	# syscall tracing enabled?
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	and	t0, t1
+ 	bnez	t0, syscall_trace_entry	# -> yes
+ 
+diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
+index 18bf7f3..6659dde 100644
+--- a/arch/mips/kernel/scall64-64.S
++++ b/arch/mips/kernel/scall64-64.S
+@@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp)
+ 
+ 	sd	a3, PT_R26(sp)		# save a3 for syscall restarting
+ 
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
+ 	and	t0, t1, t0
+ 	bnez	t0, syscall_trace_entry
+diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
+index 6ebc079..a16f976 100644
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -53,7 +53,7 @@ NESTED(handle_sysn32, PT_SIZE, sp)
+ 
+ 	sd	a3, PT_R26(sp)		# save a3 for syscall restarting
+ 
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
+ 	and	t0, t1, t0
+ 	bnez	t0, n32_syscall_trace_entry
+diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
+index 14dde4c..dc68acf 100644
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp)
+ 	PTR	4b, bad_stack
+ 	.previous
+ 
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
+ 	and	t0, t1, t0
+ 	bnez	t0, trace_a_syscall
 diff --git a/arch/mips/kernel/syscall.c b/arch/mips/kernel/syscall.c
 index 3f7f466..3abe0b5 100644
 --- a/arch/mips/kernel/syscall.c
@@ -3893,6 +4088,33 @@ index 094a12a..877a60a 100644
  
  /* Used in very early kernel initialization. */
  extern unsigned long reloc_offset(void);
+diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
+index aa9d383..0380a05 100644
+--- a/arch/powerpc/include/asm/thread_info.h
++++ b/arch/powerpc/include/asm/thread_info.h
+@@ -110,7 +110,9 @@ static inline struct thread_info *current_thread_info(void)
+ #define TIF_NOERROR		12	/* Force successful syscall return */
+ #define TIF_NOTIFY_RESUME	13	/* callback before returning to user */
+ #define TIF_FREEZE		14	/* Freezing for suspend */
+-#define TIF_RUNLATCH		15	/* Is the runlatch enabled? */
++/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */
++#define TIF_GRSEC_SETXID	15	/* update credentials on syscall entry/exit */
++#define TIF_RUNLATCH		16	/* Is the runlatch enabled? */
+ 
+ /* as above, but as bit values */
+ #define _TIF_SYSCALL_TRACE	(1<<TIF_SYSCALL_TRACE)
+@@ -128,7 +130,10 @@ static inline struct thread_info *current_thread_info(void)
+ #define _TIF_NOTIFY_RESUME	(1<<TIF_NOTIFY_RESUME)
+ #define _TIF_FREEZE		(1<<TIF_FREEZE)
+ #define _TIF_RUNLATCH		(1<<TIF_RUNLATCH)
+-#define _TIF_SYSCALL_T_OR_A	(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SECCOMP)
++#define _TIF_GRSEC_SETXID	(1<<TIF_GRSEC_SETXID)
++
++#define _TIF_SYSCALL_T_OR_A	(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT| \
++				 _TIF_SECCOMP|_TIF_GRSEC_SETXID)
+ 
+ #define _TIF_USER_WORK_MASK	(_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
+ 				 _TIF_NOTIFY_RESUME)
 diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
 index bd0fb84..a42a14b 100644
 --- a/arch/powerpc/include/asm/uaccess.h
@@ -4422,7 +4644,7 @@ index 7b816da..8d5c277 100644
 -	return ret;
 -}
 diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
-index ef14988..856c4bc 100644
+index ef14988..8a37ddb 100644
 --- a/arch/powerpc/kernel/ptrace.c
 +++ b/arch/powerpc/kernel/ptrace.c
 @@ -86,7 +86,7 @@ static int set_user_trap(struct task_struct *task, unsigned long trap)
@@ -4443,6 +4665,41 @@ index ef14988..856c4bc 100644
  		} else {
  			flush_fp_to_thread(child);
  			tmp = ((unsigned long *)child->thread.fpr)
+@@ -1033,6 +1033,10 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
+ 	return ret;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
+  * We must return the syscall number to actually look up in the table.
+  * This can be -1L to skip running any syscall at all.
+@@ -1043,6 +1047,11 @@ long do_syscall_trace_enter(struct pt_regs *regs)
+ 
+ 	secure_computing(regs->gpr[0]);
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (test_thread_flag(TIF_SYSCALL_TRACE) &&
+ 	    tracehook_report_syscall_entry(regs))
+ 		/*
+@@ -1076,6 +1085,11 @@ void do_syscall_trace_leave(struct pt_regs *regs)
+ {
+ 	int step;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (unlikely(current->audit_context))
+ 		audit_syscall_exit((regs->ccr&0x10000000)?AUDITSC_FAILURE:AUDITSC_SUCCESS,
+ 				   regs->result);
 diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
 index d670429..2bc59b2 100644
 --- a/arch/powerpc/kernel/signal_32.c
@@ -5951,7 +6208,7 @@ index 844d73a..f787fb9 100644
  
  /*
 diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h
-index f78ad9a..9f55fc7 100644
+index f78ad9a..a3213ed 100644
 --- a/arch/sparc/include/asm/thread_info_64.h
 +++ b/arch/sparc/include/asm/thread_info_64.h
 @@ -68,6 +68,8 @@ struct thread_info {
@@ -5963,6 +6220,34 @@ index f78ad9a..9f55fc7 100644
  	unsigned long		fpregs[0] __attribute__ ((aligned(64)));
  };
  
+@@ -227,6 +229,8 @@ register struct thread_info *current_thread_info_reg asm("g6");
+ /* flag bit 8 is available */
+ #define TIF_SECCOMP		9	/* secure computing */
+ #define TIF_SYSCALL_AUDIT	10	/* syscall auditing active */
++#define TIF_GRSEC_SETXID	11	/* update credentials on syscall entry/exit */
++
+ /* NOTE: Thread flags >= 12 should be ones we have no interest
+  *       in using in assembly, else we can't use the mask as
+  *       an immediate value in instructions such as andcc.
+@@ -247,12 +251,18 @@ register struct thread_info *current_thread_info_reg asm("g6");
+ #define _TIF_SYSCALL_AUDIT	(1<<TIF_SYSCALL_AUDIT)
+ #define _TIF_POLLING_NRFLAG	(1<<TIF_POLLING_NRFLAG)
+ #define _TIF_FREEZE		(1<<TIF_FREEZE)
++#define _TIF_GRSEC_SETXID	(1<<TIF_GRSEC_SETXID)
+ 
+ #define _TIF_USER_WORK_MASK	((0xff << TI_FLAG_WSAVED_SHIFT) | \
+ 				 _TIF_DO_NOTIFY_RESUME_MASK | \
+ 				 _TIF_NEED_RESCHED | _TIF_PERFCTR)
+ #define _TIF_DO_NOTIFY_RESUME_MASK	(_TIF_NOTIFY_RESUME | _TIF_SIGPENDING)
+ 
++#define _TIF_WORK_SYSCALL		\
++	(_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \
++	 _TIF_GRSEC_SETXID)
++
++
+ /*
+  * Thread-synchronous status.
+  *
 diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h
 index e88fbe5..96b0ce5 100644
 --- a/arch/sparc/include/asm/uaccess.h
@@ -6275,6 +6560,45 @@ index cb70476..3d0c191 100644
  			       (void *) gp->tpc,
  			       (void *) gp->o7,
  			       (void *) gp->i7,
+diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
+index 4ae91dc..c2e705e 100644
+--- a/arch/sparc/kernel/ptrace_64.c
++++ b/arch/sparc/kernel/ptrace_64.c
+@@ -1049,6 +1049,10 @@ long arch_ptrace(struct task_struct *child, long request, long addr, long data)
+ 	return ret;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ {
+ 	int ret = 0;
+@@ -1056,6 +1060,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ 	/* do the secure computing check first */
+ 	secure_computing(regs->u_regs[UREG_G1]);
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (test_thread_flag(TIF_SYSCALL_TRACE))
+ 		ret = tracehook_report_syscall_entry(regs);
+ 
+@@ -1074,6 +1083,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ 
+ asmlinkage void syscall_trace_leave(struct pt_regs *regs)
+ {
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (unlikely(current->audit_context)) {
+ 		unsigned long tstate = regs->tstate;
+ 		int result = AUDITSC_SUCCESS;
 diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S
 index fd3cee4..cc4b1ff 100644
 --- a/arch/sparc/kernel/rtrap_64.S
@@ -6486,6 +6810,55 @@ index cfa0e19..98972ac 100644
  		mm->get_unmapped_area = arch_get_unmapped_area_topdown;
  		mm->unmap_area = arch_unmap_area_topdown;
  	}
+diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
+index d150c2a..bffda9d 100644
+--- a/arch/sparc/kernel/syscalls.S
++++ b/arch/sparc/kernel/syscalls.S
+@@ -62,7 +62,7 @@ sys32_rt_sigreturn:
+ #endif
+ 	.align	32
+ 1:	ldx	[%g6 + TI_FLAGS], %l5
+-	andcc	%l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %g0
++	andcc	%l5, _TIF_WORK_SYSCALL, %g0
+ 	be,pt	%icc, rtrap
+ 	 nop
+ 	call	syscall_trace_leave
+@@ -198,7 +198,7 @@ linux_sparc_syscall32:
+ 
+ 	srl	%i5, 0, %o5				! IEU1
+ 	srl	%i2, 0, %o2				! IEU0	Group
+-	andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %g0
++	andcc	%l0, _TIF_WORK_SYSCALL, %g0
+ 	bne,pn	%icc, linux_syscall_trace32		! CTI
+ 	 mov	%i0, %l5				! IEU1
+ 	call	%l7					! CTI	Group brk forced
+@@ -221,7 +221,7 @@ linux_sparc_syscall:
+ 
+ 	mov	%i3, %o3				! IEU1
+ 	mov	%i4, %o4				! IEU0	Group
+-	andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %g0
++	andcc	%l0, _TIF_WORK_SYSCALL, %g0
+ 	bne,pn	%icc, linux_syscall_trace		! CTI	Group
+ 	 mov	%i0, %l5				! IEU0
+ 2:	call	%l7					! CTI	Group brk forced
+@@ -245,7 +245,7 @@ ret_sys_call:
+ 
+ 	cmp	%o0, -ERESTART_RESTARTBLOCK
+ 	bgeu,pn	%xcc, 1f
+-	 andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %l6
++	 andcc	%l0, _TIF_WORK_SYSCALL, %l6
+ 80:
+ 	/* System call success, clear Carry condition code. */
+ 	andn	%g3, %g2, %g3
+@@ -260,7 +260,7 @@ ret_sys_call:
+ 	/* System call failure, set Carry condition code.
+ 	 * Also, get abs(errno) to return to the process.
+ 	 */
+-	andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %l6	
++	andcc	%l0, _TIF_WORK_SYSCALL, %l6	
+ 	sub	%g0, %o0, %o0
+ 	or	%g3, %g2, %g3
+ 	stx	%o0, [%sp + PTREGS_OFF + PT_V9_I0]
 diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c
 index c0490c7..84959d1 100644
 --- a/arch/sparc/kernel/traps_32.c
@@ -13413,7 +13786,7 @@ index e0fbf29..858ef4a 100644
  /*
   * Force strict CPU ordering.
 diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
-index 19c3ce4..8962535 100644
+index 19c3ce4..4ad5ba4 100644
 --- a/arch/x86/include/asm/thread_info.h
 +++ b/arch/x86/include/asm/thread_info.h
 @@ -10,6 +10,7 @@
@@ -13462,7 +13835,45 @@ index 19c3ce4..8962535 100644
  #define init_stack		(init_thread_union.stack)
  
  #else /* !__ASSEMBLY__ */
-@@ -163,45 +157,40 @@ struct thread_info {
+@@ -95,6 +89,7 @@ struct thread_info {
+ #define TIF_DS_AREA_MSR		26      /* uses thread_struct.ds_area_msr */
+ #define TIF_LAZY_MMU_UPDATES	27	/* task is updating the mmu lazily */
+ #define TIF_SYSCALL_TRACEPOINT	28	/* syscall tracepoint instrumentation */
++#define TIF_GRSEC_SETXID	29	/* update credentials on syscall entry/exit */
+ 
+ #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+ #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+@@ -117,16 +112,17 @@ struct thread_info {
+ #define _TIF_DS_AREA_MSR	(1 << TIF_DS_AREA_MSR)
+ #define _TIF_LAZY_MMU_UPDATES	(1 << TIF_LAZY_MMU_UPDATES)
+ #define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
++#define _TIF_GRSEC_SETXID	(1 << TIF_GRSEC_SETXID)
+ 
+ /* work to do in syscall_trace_enter() */
+ #define _TIF_WORK_SYSCALL_ENTRY	\
+ 	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT |	\
+-	 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT)
++	 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do in syscall_trace_leave() */
+ #define _TIF_WORK_SYSCALL_EXIT	\
+ 	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP |	\
+-	 _TIF_SYSCALL_TRACEPOINT)
++	 _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do on interrupt/exception return */
+ #define _TIF_WORK_MASK							\
+@@ -136,7 +132,8 @@ struct thread_info {
+ 
+ /* work to do on any return to user space */
+ #define _TIF_ALLWORK_MASK						\
+-	((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT)
++	((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT |	\
++	 _TIF_GRSEC_SETXID)
+ 
+ /* Only used for 64 bit */
+ #define _TIF_DO_NOTIFY_MASK						\
+@@ -163,45 +160,40 @@ struct thread_info {
  #define alloc_thread_info(tsk)						\
  	((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
  
@@ -13533,7 +13944,7 @@ index 19c3ce4..8962535 100644
  /*
   * macros/functions for gaining access to the thread information structure
   * preempt_count needs to be 1 initially, until the scheduler is functional.
-@@ -209,21 +198,8 @@ static inline struct thread_info *current_thread_info(void)
+@@ -209,21 +201,8 @@ static inline struct thread_info *current_thread_info(void)
  #ifndef __ASSEMBLY__
  DECLARE_PER_CPU(unsigned long, kernel_stack);
  
@@ -13557,7 +13968,7 @@ index 19c3ce4..8962535 100644
  #endif
  
  #endif /* !X86_32 */
-@@ -260,5 +236,16 @@ extern void arch_task_cache_init(void);
+@@ -260,5 +239,16 @@ extern void arch_task_cache_init(void);
  extern void free_thread_info(struct thread_info *ti);
  extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
  #define arch_task_cache_init arch_task_cache_init
@@ -16397,7 +16808,7 @@ index 4c07cca..2c8427d 100644
  	ret
  ENDPROC(efi_call6)
 diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index c097e7d..91be126 100644
+index c097e7d..853746c 100644
 --- a/arch/x86/kernel/entry_32.S
 +++ b/arch/x86/kernel/entry_32.S
 @@ -95,12 +95,6 @@
@@ -16618,7 +17029,7 @@ index c097e7d..91be126 100644
 +#ifdef CONFIG_PAX_KERNEXEC
 +	jae resume_userspace
 +
-+	PAX_EXIT_KERNEL
++	pax_exit_kernel
 +	jmp resume_kernel
 +#else
  	jb resume_kernel		# not returning to v8086 or userspace
@@ -20524,7 +20935,7 @@ index 39493bc..196816d 100644
  		ip = *(u64 *)(fp+8);
  		if (!in_sched_functions(ip))
 diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
-index c06acdd..09de221 100644
+index c06acdd..e7dffe1 100644
 --- a/arch/x86/kernel/ptrace.c
 +++ b/arch/x86/kernel/ptrace.c
 @@ -559,6 +559,10 @@ static int ioperm_active(struct task_struct *target,
@@ -20606,7 +21017,15 @@ index c06acdd..09de221 100644
  
  	/* Send us the fake SIGTRAP */
  	force_sig_info(SIGTRAP, &info, tsk);
-@@ -1469,7 +1473,7 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
+@@ -1465,14 +1469,23 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
+ # define IS_IA32	0
+ #endif
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
   * We must return the syscall number to actually look up in the table.
   * This can be -1L to skip running any syscall at all.
   */
@@ -20615,15 +21034,29 @@ index c06acdd..09de221 100644
  {
  	long ret = 0;
  
-@@ -1514,7 +1518,7 @@ asmregparm long syscall_trace_enter(struct pt_regs *regs)
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++                gr_delayed_cred_worker();
++#endif		
++
+ 	/*
+ 	 * If we stepped into a sysenter/syscall insn, it trapped in
+ 	 * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP.
+@@ -1514,8 +1527,13 @@ asmregparm long syscall_trace_enter(struct pt_regs *regs)
  	return ret ?: regs->orig_ax;
  }
  
 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
 +void syscall_trace_leave(struct pt_regs *regs)
  {
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++                gr_delayed_cred_worker();
++#endif		
++
  	if (unlikely(current->audit_context))
  		audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax);
+ 
 diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
 index cf98100..e76e03d 100644
 --- a/arch/x86/kernel/reboot.c
@@ -26424,7 +26857,7 @@ index 63a6ba6..79abd7a 100644
  	return (void *)vaddr;
  }
 diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
-index f46c3407..6ff9a26 100644
+index f46c3407..f7e72b0 100644
 --- a/arch/x86/mm/hugetlbpage.c
 +++ b/arch/x86/mm/hugetlbpage.c
 @@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
@@ -26500,7 +26933,7 @@ index f46c3407..6ff9a26 100644
  
  	/* don't allow allocations above current base */
  	if (mm->free_area_cache > base)
-@@ -322,64 +329,63 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
+@@ -322,64 +329,68 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
  	        largest_hole = 0;
  		mm->free_area_cache  = base;
  	}
@@ -26515,15 +26948,16 @@ index f46c3407..6ff9a26 100644
 +	addr = (mm->free_area_cache - len);
  	do {
 +		addr &= huge_page_mask(h);
-+		vma = find_vma(mm, addr);
  		/*
  		 * Lookup failure means no vma is above this address,
  		 * i.e. return with success:
--		 */
+ 		 */
 -		if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
--			return addr;
--
--		/*
++		vma = find_vma(mm, addr);
++		if (!vma)
+ 			return addr;
+ 
+ 		/*
  		 * new region fits between prev_vma->vm_end and
  		 * vma->vm_start, use it:
  		 */
@@ -26595,7 +27029,7 @@ index f46c3407..6ff9a26 100644
  	mm->cached_hole_size = ~0UL;
  	addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
  			len, pgoff, flags);
-@@ -387,6 +393,7 @@ fail:
+@@ -387,6 +398,7 @@ fail:
  	/*
  	 * Restore the topdown base:
  	 */
@@ -26603,7 +27037,7 @@ index f46c3407..6ff9a26 100644
  	mm->free_area_cache = base;
  	mm->cached_hole_size = ~0UL;
  
-@@ -400,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -400,10 +412,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
  	struct hstate *h = hstate_file(file);
  	struct mm_struct *mm = current->mm;
  	struct vm_area_struct *vma;
@@ -26624,7 +27058,7 @@ index f46c3407..6ff9a26 100644
  		return -ENOMEM;
  
  	if (flags & MAP_FIXED) {
-@@ -415,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -415,8 +436,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
  	if (addr) {
  		addr = ALIGN(addr, huge_page_size(h));
  		vma = find_vma(mm, addr);
@@ -27083,7 +27517,7 @@ index 30938c1..bda3d5d 100644
  	printk(KERN_INFO "Write protecting the kernel text: %luk\n",
  		size >> 10);
 diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 7d095ad..acf1be9 100644
+index 7d095ad..f833fa2 100644
 --- a/arch/x86/mm/init_64.c
 +++ b/arch/x86/mm/init_64.c
 @@ -123,7 +123,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr)
@@ -27131,6 +27565,15 @@ index 7d095ad..acf1be9 100644
  		}
  		pmd = pmd_offset(pud, phys);
  		BUG_ON(!pmd_none(*pmd));
+@@ -507,7 +507,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
+ 		unmap_low_page(pmd);
+ 
+ 		spin_lock(&init_mm.page_table_lock);
+-		pud_populate(&init_mm, pud, __va(pmd_phys));
++		pud_populate_kernel(&init_mm, pud, __va(pmd_phys));
+ 		spin_unlock(&init_mm.page_table_lock);
+ 	}
+ 	__flush_tlb_all();
 @@ -560,7 +560,7 @@ kernel_physical_mapping_init(unsigned long start,
  		unmap_low_page(pud);
  
@@ -74487,10 +74930,10 @@ index 8f32f50..b6a41e8 100644
  		link[pathlen] = '\0';
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..50819f8
+index 0000000..5be91c0
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1077 @@
+@@ -0,0 +1,1078 @@
 +#
 +# grecurity configuration
 +#
@@ -74625,7 +75068,7 @@ index 0000000..50819f8
 +	select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
 +	select GRKERNSEC_CHROOT_NICE
-+	select GRKERNSEC_SETXID
++	select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS)
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
@@ -75319,6 +75762,7 @@ index 0000000..50819f8
 +
 +config GRKERNSEC_SETXID
 +	bool "Enforce consistent multithreaded privileges"
++	depends on (X86 || SPARC64 || PPC || ARM || MIPS)
 +	help
 +	  If you say Y here, a change from a root uid to a non-root uid
 +	  in a multithreaded application will cause the resulting uids,
@@ -75614,10 +76058,10 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..67b34b9
+index 0000000..c475143
 --- /dev/null
 +++ b/grsecurity/gracl.c
-@@ -0,0 +1,4169 @@
+@@ -0,0 +1,4171 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -79454,20 +79898,22 @@ index 0000000..67b34b9
 +		return 0;
 +#endif
 +
-+	read_lock(&tasklist_lock);
-+	while (tmp->pid > 0) {
-+		if (tmp == curtemp)
-+			break;
-+		tmp = tmp->real_parent;
-+	}
++	if (request == PTRACE_ATTACH) {
++		read_lock(&tasklist_lock);
++		while (tmp->pid > 0) {
++			if (tmp == curtemp)
++				break;
++			tmp = tmp->real_parent;
++		}
 +
-+	if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
-+				((gr_status & GR_READY)	&& !(current->acl->mode & GR_RELAXPTRACE)))) {
++		if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
++					((gr_status & GR_READY)	&& !(current->acl->mode & GR_RELAXPTRACE)))) {
++			read_unlock(&tasklist_lock);
++			gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
++			return 1;
++		}
 +		read_unlock(&tasklist_lock);
-+		gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
-+		return 1;
 +	}
-+	read_unlock(&tasklist_lock);
 +
 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
 +	if (!(gr_status & GR_READY))
@@ -91553,7 +91999,7 @@ index 3f2f04f..4e53ded 100644
  /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
   * Should always be manipulated under cpu_add_remove_lock
 diff --git a/kernel/cred.c b/kernel/cred.c
-index 0b5b5fc..3fe945c 100644
+index 0b5b5fc..f20c6b9 100644
 --- a/kernel/cred.c
 +++ b/kernel/cred.c
 @@ -160,6 +160,8 @@ static void put_cred_rcu(struct rcu_head *rcu)
@@ -91676,7 +92122,7 @@ index 0b5b5fc..3fe945c 100644
  	 */
  	alter_cred_subscribers(new, 2);
  	if (new->user != old->user)
-@@ -595,8 +622,96 @@ int commit_creds(struct cred *new)
+@@ -595,8 +622,105 @@ int commit_creds(struct cred *new)
  	put_cred(old);
  	return 0;
  }
@@ -91743,6 +92189,8 @@ index 0b5b5fc..3fe945c 100644
 +int commit_creds(struct cred *new)
 +{
 +#ifdef CONFIG_GRKERNSEC_SETXID
++	int ret;
++	int schedule_it = 0;
 +	struct task_struct *t;
 +
 +	/* we won't get called with tasklist_lock held for writing
@@ -91751,20 +92199,27 @@ index 0b5b5fc..3fe945c 100644
 +	*/
 +	if (grsec_enable_setxid && !current_is_single_threaded() &&
 +	    !current_uid() && new->uid) {
++		schedule_it = 1;
++	}
++	ret = __commit_creds(new);
++	if (schedule_it) {
 +		rcu_read_lock();
 +		read_lock(&tasklist_lock);
 +		for (t = next_thread(current); t != current;
 +			t = next_thread(t)) {
 +			if (t->delayed_cred == NULL) {
 +				t->delayed_cred = get_cred(new);
++				set_tsk_thread_flag(t, TIF_GRSEC_SETXID);
 +				set_tsk_need_resched(t);
 +			}
 +		}
 +		read_unlock(&tasklist_lock);
 +		rcu_read_unlock();
 +	}
-+#endif
++	return ret;
++#else
 +	return __commit_creds(new);
++#endif
 +}
 +
  EXPORT_SYMBOL(commit_creds);
@@ -91773,7 +92228,7 @@ index 0b5b5fc..3fe945c 100644
  /**
   * abort_creds - Discard a set of credentials and unlock the current task
   * @new: The credentials that were going to be applied
-@@ -606,6 +721,8 @@ EXPORT_SYMBOL(commit_creds);
+@@ -606,6 +730,8 @@ EXPORT_SYMBOL(commit_creds);
   */
  void abort_creds(struct cred *new)
  {
@@ -91782,7 +92237,7 @@ index 0b5b5fc..3fe945c 100644
  	kdebug("abort_creds(%p{%d,%d})", new,
  	       atomic_read(&new->usage),
  	       read_cred_subscribers(new));
-@@ -629,6 +746,8 @@ const struct cred *override_creds(const struct cred *new)
+@@ -629,6 +755,8 @@ const struct cred *override_creds(const struct cred *new)
  {
  	const struct cred *old = current->cred;
  
@@ -91791,7 +92246,7 @@ index 0b5b5fc..3fe945c 100644
  	kdebug("override_creds(%p{%d,%d})", new,
  	       atomic_read(&new->usage),
  	       read_cred_subscribers(new));
-@@ -658,6 +777,8 @@ void revert_creds(const struct cred *old)
+@@ -658,6 +786,8 @@ void revert_creds(const struct cred *old)
  {
  	const struct cred *override = current->cred;
  
@@ -91800,7 +92255,7 @@ index 0b5b5fc..3fe945c 100644
  	kdebug("revert_creds(%p{%d,%d})", old,
  	       atomic_read(&old->usage),
  	       read_cred_subscribers(old));
-@@ -704,6 +825,8 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
+@@ -704,6 +834,8 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
  	const struct cred *old;
  	struct cred *new;
  
@@ -91809,7 +92264,7 @@ index 0b5b5fc..3fe945c 100644
  	new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
  	if (!new)
  		return NULL;
-@@ -758,6 +881,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
+@@ -758,6 +890,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
   */
  int set_security_override(struct cred *new, u32 secid)
  {
@@ -91818,7 +92273,7 @@ index 0b5b5fc..3fe945c 100644
  	return security_kernel_act_as(new, secid);
  }
  EXPORT_SYMBOL(set_security_override);
-@@ -777,6 +902,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx)
+@@ -777,6 +911,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx)
  	u32 secid;
  	int ret;
  
@@ -94871,7 +95326,7 @@ index 29bd4ba..8c5de90 100644
  	WARN_ON(pendowner->pi_blocked_on->lock != lock);
  
 diff --git a/kernel/sched.c b/kernel/sched.c
-index 0591df8..e3af3a4 100644
+index 0591df8..db35e3d 100644
 --- a/kernel/sched.c
 +++ b/kernel/sched.c
 @@ -5043,7 +5043,7 @@ out:
@@ -94883,27 +95338,7 @@ index 0591df8..e3af3a4 100644
  {
  	int this_cpu = smp_processor_id();
  	struct rq *this_rq = cpu_rq(this_cpu);
-@@ -5690,6 +5690,19 @@ pick_next_task(struct rq *rq)
- 	}
- }
- 
-+#ifdef CONFIG_GRKERNSEC_SETXID
-+extern void gr_delayed_cred_worker(void);
-+static inline void gr_cred_schedule(void)
-+{
-+	if (unlikely(current->delayed_cred))
-+		gr_delayed_cred_worker();
-+}
-+#else
-+static inline void gr_cred_schedule(void)
-+{
-+}
-+#endif
-+
- /*
-  * schedule() is the main scheduler function.
-  */
-@@ -5700,6 +5713,8 @@ asmlinkage void __sched schedule(void)
+@@ -5700,6 +5700,8 @@ asmlinkage void __sched schedule(void)
  	struct rq *rq;
  	int cpu;
  
@@ -94912,16 +95347,7 @@ index 0591df8..e3af3a4 100644
  need_resched:
  	preempt_disable();
  	cpu = smp_processor_id();
-@@ -5713,6 +5728,8 @@ need_resched_nonpreemptible:
- 
- 	schedule_debug(prev);
- 
-+	gr_cred_schedule();
-+
- 	if (sched_feat(HRTICK))
- 		hrtick_clear(rq);
- 
-@@ -5770,7 +5787,7 @@ EXPORT_SYMBOL(schedule);
+@@ -5770,7 +5772,7 @@ EXPORT_SYMBOL(schedule);
   * Look out! "owner" is an entirely speculative pointer
   * access and not reliable.
   */
@@ -94930,7 +95356,7 @@ index 0591df8..e3af3a4 100644
  {
  	unsigned int cpu;
  	struct rq *rq;
-@@ -5784,10 +5801,10 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
+@@ -5784,10 +5786,10 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
  	 * DEBUG_PAGEALLOC could have unmapped it if
  	 * the mutex owner just released it and exited.
  	 */
@@ -94943,7 +95369,7 @@ index 0591df8..e3af3a4 100644
  #endif
  
  	/*
-@@ -5816,7 +5833,7 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
+@@ -5816,7 +5818,7 @@ int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
  		/*
  		 * Is that owner really running on that cpu?
  		 */
@@ -94952,7 +95378,7 @@ index 0591df8..e3af3a4 100644
  			return 0;
  
  		cpu_relax();
-@@ -6359,6 +6376,8 @@ int can_nice(const struct task_struct *p, const int nice)
+@@ -6359,6 +6361,8 @@ int can_nice(const struct task_struct *p, const int nice)
  	/* convert nice value [19,-20] to rlimit style value [1,40] */
  	int nice_rlim = 20 - nice;
  
@@ -94961,7 +95387,7 @@ index 0591df8..e3af3a4 100644
  	return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
  		capable(CAP_SYS_NICE));
  }
-@@ -6392,7 +6411,8 @@ SYSCALL_DEFINE1(nice, int, increment)
+@@ -6392,7 +6396,8 @@ SYSCALL_DEFINE1(nice, int, increment)
  	if (nice > 19)
  		nice = 19;
  
@@ -94971,7 +95397,7 @@ index 0591df8..e3af3a4 100644
  		return -EPERM;
  
  	retval = security_task_setnice(current, nice);
-@@ -8774,7 +8794,7 @@ static void init_sched_groups_power(int cpu, struct sched_domain *sd)
+@@ -8774,7 +8779,7 @@ static void init_sched_groups_power(int cpu, struct sched_domain *sd)
  	long power;
  	int weight;
  
@@ -96268,6 +96694,28 @@ index d102559..4215f31 100644
  #define free(a) kfree(a)
  #endif
  
+diff --git a/lib/ioremap.c b/lib/ioremap.c
+index 14c6078..65526a1 100644
+--- a/lib/ioremap.c
++++ b/lib/ioremap.c
+@@ -37,7 +37,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr,
+ 	unsigned long next;
+ 
+ 	phys_addr -= addr;
+-	pmd = pmd_alloc(&init_mm, pud, addr);
++	pmd = pmd_alloc_kernel(&init_mm, pud, addr);
+ 	if (!pmd)
+ 		return -ENOMEM;
+ 	do {
+@@ -55,7 +55,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr,
+ 	unsigned long next;
+ 
+ 	phys_addr -= addr;
+-	pud = pud_alloc(&init_mm, pgd, addr);
++	pud = pud_alloc_kernel(&init_mm, pgd, addr);
+ 	if (!pud)
+ 		return -ENOMEM;
+ 	do {
 diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c
 index bd2bea9..6b3c95e 100644
 --- a/lib/is_single_threaded.c
@@ -96853,7 +97301,7 @@ index 8aeba53..b4a4198 100644
  	/*
  	 * We need/can do nothing about count=0 pages.
 diff --git a/mm/memory.c b/mm/memory.c
-index 6c836d3..693224d 100644
+index 6c836d3..b2296e1 100644
 --- a/mm/memory.c
 +++ b/mm/memory.c
 @@ -187,8 +187,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -96955,7 +97403,29 @@ index 6c836d3..693224d 100644
  
  	if (addr < vma->vm_start || addr >= vma->vm_end)
  		return -EFAULT;
-@@ -1977,6 +2001,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
+@@ -1855,7 +1879,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
+ 
+ 	BUG_ON(pud_huge(*pud));
+ 
+-	pmd = pmd_alloc(mm, pud, addr);
++	pmd = (mm == &init_mm) ?
++		pmd_alloc_kernel(mm, pud, addr) :
++		pmd_alloc(mm, pud, addr);
+ 	if (!pmd)
+ 		return -ENOMEM;
+ 	do {
+@@ -1875,7 +1901,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
+ 	unsigned long next;
+ 	int err;
+ 
+-	pud = pud_alloc(mm, pgd, addr);
++	pud = (mm == &init_mm) ?
++		pud_alloc_kernel(mm, pgd, addr) :
++		pud_alloc(mm, pgd, addr);
+ 	if (!pud)
+ 		return -ENOMEM;
+ 	do {
+@@ -1977,6 +2005,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
  		copy_user_highpage(dst, src, va, vma);
  }
  
@@ -97142,7 +97612,7 @@ index 6c836d3..693224d 100644
  /*
   * This routine handles present pages, when users try to write
   * to a shared page. It is done by copying the page to a new address
-@@ -2156,6 +2360,12 @@ gotten:
+@@ -2156,6 +2364,12 @@ gotten:
  	 */
  	page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -97155,7 +97625,7 @@ index 6c836d3..693224d 100644
  		if (old_page) {
  			if (!PageAnon(old_page)) {
  				dec_mm_counter(mm, file_rss);
-@@ -2207,6 +2417,10 @@ gotten:
+@@ -2207,6 +2421,10 @@ gotten:
  			page_remove_rmap(old_page);
  		}
  
@@ -97166,7 +97636,7 @@ index 6c836d3..693224d 100644
  		/* Free the old page.. */
  		new_page = old_page;
  		ret |= VM_FAULT_WRITE;
-@@ -2606,6 +2820,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2606,6 +2824,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	swap_free(entry);
  	if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
  		try_to_free_swap(page);
@@ -97178,7 +97648,7 @@ index 6c836d3..693224d 100644
  	unlock_page(page);
  
  	if (flags & FAULT_FLAG_WRITE) {
-@@ -2617,6 +2836,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2617,6 +2840,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, pte);
@@ -97190,7 +97660,7 @@ index 6c836d3..693224d 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  out:
-@@ -2632,40 +2856,6 @@ out_release:
+@@ -2632,40 +2860,6 @@ out_release:
  }
  
  /*
@@ -97231,7 +97701,7 @@ index 6c836d3..693224d 100644
   * We enter with non-exclusive mmap_sem (to exclude vma changes,
   * but allow concurrent faults), and pte mapped but not yet locked.
   * We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -2674,27 +2864,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2674,27 +2868,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  		unsigned long address, pte_t *page_table, pmd_t *pmd,
  		unsigned int flags)
  {
@@ -97264,7 +97734,7 @@ index 6c836d3..693224d 100644
  	if (unlikely(anon_vma_prepare(vma)))
  		goto oom;
  	page = alloc_zeroed_user_highpage_movable(vma, address);
-@@ -2713,6 +2899,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2713,6 +2903,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (!pte_none(*page_table))
  		goto release;
  
@@ -97276,7 +97746,7 @@ index 6c836d3..693224d 100644
  	inc_mm_counter(mm, anon_rss);
  	page_add_new_anon_rmap(page, vma, address);
  setpte:
-@@ -2720,6 +2911,12 @@ setpte:
+@@ -2720,6 +2915,12 @@ setpte:
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, entry);
@@ -97289,7 +97759,7 @@ index 6c836d3..693224d 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  	return 0;
-@@ -2862,6 +3059,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2862,6 +3063,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	 */
  	/* Only go through if we didn't race with anybody else... */
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -97302,7 +97772,7 @@ index 6c836d3..693224d 100644
  		flush_icache_page(vma, page);
  		entry = mk_pte(page, vma->vm_page_prot);
  		if (flags & FAULT_FLAG_WRITE)
-@@ -2881,6 +3084,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2881,6 +3088,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  
  		/* no need to invalidate: a not-present page won't be cached */
  		update_mmu_cache(vma, address, entry);
@@ -97317,7 +97787,7 @@ index 6c836d3..693224d 100644
  	} else {
  		if (charged)
  			mem_cgroup_uncharge_page(page);
-@@ -3028,6 +3239,12 @@ static inline int handle_pte_fault(struct mm_struct *mm,
+@@ -3028,6 +3243,12 @@ static inline int handle_pte_fault(struct mm_struct *mm,
  		if (flags & FAULT_FLAG_WRITE)
  			flush_tlb_page(vma, address);
  	}
@@ -97330,7 +97800,7 @@ index 6c836d3..693224d 100644
  unlock:
  	pte_unmap_unlock(pte, ptl);
  	return 0;
-@@ -3044,6 +3261,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3044,6 +3265,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	pmd_t *pmd;
  	pte_t *pte;
  
@@ -97341,7 +97811,7 @@ index 6c836d3..693224d 100644
  	__set_current_state(TASK_RUNNING);
  
  	count_vm_event(PGFAULT);
-@@ -3051,6 +3272,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3051,6 +3276,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (unlikely(is_vm_hugetlb_page(vma)))
  		return hugetlb_fault(mm, vma, address, flags);
  
@@ -97376,7 +97846,7 @@ index 6c836d3..693224d 100644
  	pgd = pgd_offset(mm, address);
  	pud = pud_alloc(mm, pgd, address);
  	if (!pud)
-@@ -3086,6 +3335,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
+@@ -3086,6 +3339,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -97400,7 +97870,7 @@ index 6c836d3..693224d 100644
  #endif /* __PAGETABLE_PUD_FOLDED */
  
  #ifndef __PAGETABLE_PMD_FOLDED
-@@ -3116,6 +3382,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
+@@ -3116,6 +3386,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -97431,7 +97901,7 @@ index 6c836d3..693224d 100644
  #endif /* __PAGETABLE_PMD_FOLDED */
  
  int make_pages_present(unsigned long addr, unsigned long end)
-@@ -3148,7 +3438,7 @@ static int __init gate_vma_init(void)
+@@ -3148,7 +3442,7 @@ static int __init gate_vma_init(void)
  	gate_vma.vm_start = FIXADDR_USER_START;
  	gate_vma.vm_end = FIXADDR_USER_END;
  	gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
diff --git a/3.2.16/0000_README b/3.2.17/0000_README
index b39a326..d74a42e 100644
--- a/3.2.16/0000_README
+++ b/3.2.17/0000_README
@@ -2,7 +2,11 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.9-3.2.16-201205071838.patch
+Patch:	1016_linux-3.2.17.patch
+From:	http://www.kernel.org
+Desc:	Linux 3.2.17
+
+Patch:	4420_grsecurity-2.9-3.2.17-201205131657.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.17/1016_linux-3.2.17.patch b/3.2.17/1016_linux-3.2.17.patch
new file mode 100644
index 0000000..5aeed10
--- /dev/null
+++ b/3.2.17/1016_linux-3.2.17.patch
@@ -0,0 +1,5695 @@
+diff --git a/Makefile b/Makefile
+index 3da29cb..4c4efa3 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 2
+-SUBLEVEL = 16
++SUBLEVEL = 17
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+ 
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index ab3740e..ef642a0 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1155,6 +1155,15 @@ if !MMU
+ source "arch/arm/Kconfig-nommu"
+ endif
+ 
++config ARM_ERRATA_326103
++	bool "ARM errata: FSR write bit incorrect on a SWP to read-only memory"
++	depends on CPU_V6
++	help
++	  Executing a SWP instruction to read-only memory does not set bit 11
++	  of the FSR on the ARM 1136 prior to r1p0. This causes the kernel to
++	  treat the access as a read, preventing a COW from occurring and
++	  causing the faulting task to livelock.
++
+ config ARM_ERRATA_411920
+ 	bool "ARM errata: Invalidation of the Instruction Cache operation can fail"
+ 	depends on CPU_V6 || CPU_V6K
+diff --git a/arch/arm/include/asm/tls.h b/arch/arm/include/asm/tls.h
+index 60843eb..73409e6 100644
+--- a/arch/arm/include/asm/tls.h
++++ b/arch/arm/include/asm/tls.h
+@@ -7,6 +7,8 @@
+ 
+ 	.macro set_tls_v6k, tp, tmp1, tmp2
+ 	mcr	p15, 0, \tp, c13, c0, 3		@ set TLS register
++	mov	\tmp1, #0
++	mcr	p15, 0, \tmp1, c13, c0, 2	@ clear user r/w TLS register
+ 	.endm
+ 
+ 	.macro set_tls_v6, tp, tmp1, tmp2
+@@ -15,6 +17,8 @@
+ 	mov	\tmp2, #0xffff0fff
+ 	tst	\tmp1, #HWCAP_TLS		@ hardware TLS available?
+ 	mcrne	p15, 0, \tp, c13, c0, 3		@ yes, set TLS register
++	movne	\tmp1, #0
++	mcrne	p15, 0, \tmp1, c13, c0, 2	@ clear user r/w TLS register
+ 	streq	\tp, [\tmp2, #-15]		@ set TLS value at 0xffff0ff0
+ 	.endm
+ 
+diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c
+index 3efd82c..87c8be5 100644
+--- a/arch/arm/kernel/irq.c
++++ b/arch/arm/kernel/irq.c
+@@ -156,10 +156,10 @@ static bool migrate_one_irq(struct irq_desc *desc)
+ 	}
+ 
+ 	c = irq_data_get_irq_chip(d);
+-	if (c->irq_set_affinity)
+-		c->irq_set_affinity(d, affinity, true);
+-	else
++	if (!c->irq_set_affinity)
+ 		pr_debug("IRQ%u: unable to set affinity\n", d->irq);
++	else if (c->irq_set_affinity(d, affinity, true) == IRQ_SET_MASK_OK && ret)
++		cpumask_copy(d->affinity, affinity);
+ 
+ 	return ret;
+ }
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index ef5640b..e10e59a 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -297,8 +297,6 @@ asmlinkage void __cpuinit secondary_start_kernel(void)
+ 	struct mm_struct *mm = &init_mm;
+ 	unsigned int cpu = smp_processor_id();
+ 
+-	printk("CPU%u: Booted secondary processor\n", cpu);
+-
+ 	/*
+ 	 * All kernel threads share the same mm context; grab a
+ 	 * reference and switch to it.
+@@ -310,6 +308,8 @@ asmlinkage void __cpuinit secondary_start_kernel(void)
+ 	enter_lazy_tlb(mm, current);
+ 	local_flush_tlb_all();
+ 
++	printk("CPU%u: Booted secondary processor\n", cpu);
++
+ 	cpu_init();
+ 	preempt_disable();
+ 	trace_hardirqs_off();
+diff --git a/arch/arm/kernel/sys_arm.c b/arch/arm/kernel/sys_arm.c
+index d2b1779..76cbb05 100644
+--- a/arch/arm/kernel/sys_arm.c
++++ b/arch/arm/kernel/sys_arm.c
+@@ -115,7 +115,7 @@ int kernel_execve(const char *filename,
+ 		  "Ir" (THREAD_START_SP - sizeof(regs)),
+ 		  "r" (&regs),
+ 		  "Ir" (sizeof(regs))
+-		: "r0", "r1", "r2", "r3", "ip", "lr", "memory");
++		: "r0", "r1", "r2", "r3", "r8", "r9", "ip", "lr", "memory");
+ 
+  out:
+ 	return ret;
+diff --git a/arch/arm/mach-omap1/timer.c b/arch/arm/mach-omap1/timer.c
+index 6e90665..fb202af 100644
+--- a/arch/arm/mach-omap1/timer.c
++++ b/arch/arm/mach-omap1/timer.c
+@@ -47,9 +47,9 @@ static int omap1_dm_timer_set_src(struct platform_device *pdev,
+ 	int n = (pdev->id - 1) << 1;
+ 	u32 l;
+ 
+-	l = __raw_readl(MOD_CONF_CTRL_1) & ~(0x03 << n);
++	l = omap_readl(MOD_CONF_CTRL_1) & ~(0x03 << n);
+ 	l |= source << n;
+-	__raw_writel(l, MOD_CONF_CTRL_1);
++	omap_writel(l, MOD_CONF_CTRL_1);
+ 
+ 	return 0;
+ }
+diff --git a/arch/arm/mm/abort-ev6.S b/arch/arm/mm/abort-ev6.S
+index ff1f7cc..8074199 100644
+--- a/arch/arm/mm/abort-ev6.S
++++ b/arch/arm/mm/abort-ev6.S
+@@ -26,18 +26,23 @@ ENTRY(v6_early_abort)
+ 	mrc	p15, 0, r1, c5, c0, 0		@ get FSR
+ 	mrc	p15, 0, r0, c6, c0, 0		@ get FAR
+ /*
+- * Faulty SWP instruction on 1136 doesn't set bit 11 in DFSR (erratum 326103).
+- * The test below covers all the write situations, including Java bytecodes
++ * Faulty SWP instruction on 1136 doesn't set bit 11 in DFSR.
+  */
+-	bic	r1, r1, #1 << 11		@ clear bit 11 of FSR
++#ifdef CONFIG_ARM_ERRATA_326103
++	ldr	ip, =0x4107b36
++	mrc	p15, 0, r3, c0, c0, 0		@ get processor id
++	teq	ip, r3, lsr #4			@ r0 ARM1136?
++	bne	do_DataAbort
+ 	tst	r5, #PSR_J_BIT			@ Java?
++	tsteq	r5, #PSR_T_BIT			@ Thumb?
+ 	bne	do_DataAbort
+-	do_thumb_abort fsr=r1, pc=r4, psr=r5, tmp=r3
+-	ldreq	r3, [r4]			@ read aborted ARM instruction
++	bic	r1, r1, #1 << 11		@ clear bit 11 of FSR
++	ldr	r3, [r4]			@ read aborted ARM instruction
+ #ifdef CONFIG_CPU_ENDIAN_BE8
+-	reveq	r3, r3
++	rev	r3, r3
+ #endif
+ 	do_ldrd_abort tmp=ip, insn=r3
+ 	tst	r3, #1 << 20			@ L = 0 -> write
+ 	orreq	r1, r1, #1 << 11		@ yes.
++#endif
+ 	b	do_DataAbort
+diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
+index b1e192b..db7bcc0 100644
+--- a/arch/arm/mm/cache-l2x0.c
++++ b/arch/arm/mm/cache-l2x0.c
+@@ -32,6 +32,7 @@ static void __iomem *l2x0_base;
+ static DEFINE_RAW_SPINLOCK(l2x0_lock);
+ static uint32_t l2x0_way_mask;	/* Bitmask of active ways */
+ static uint32_t l2x0_size;
++static unsigned long sync_reg_offset = L2X0_CACHE_SYNC;
+ 
+ struct l2x0_regs l2x0_saved_regs;
+ 
+@@ -61,12 +62,7 @@ static inline void cache_sync(void)
+ {
+ 	void __iomem *base = l2x0_base;
+ 
+-#ifdef CONFIG_PL310_ERRATA_753970
+-	/* write to an unmmapped register */
+-	writel_relaxed(0, base + L2X0_DUMMY_REG);
+-#else
+-	writel_relaxed(0, base + L2X0_CACHE_SYNC);
+-#endif
++	writel_relaxed(0, base + sync_reg_offset);
+ 	cache_wait(base + L2X0_CACHE_SYNC, 1);
+ }
+ 
+@@ -85,10 +81,13 @@ static inline void l2x0_inv_line(unsigned long addr)
+ }
+ 
+ #if defined(CONFIG_PL310_ERRATA_588369) || defined(CONFIG_PL310_ERRATA_727915)
++static inline void debug_writel(unsigned long val)
++{
++	if (outer_cache.set_debug)
++		outer_cache.set_debug(val);
++}
+ 
+-#define debug_writel(val)	outer_cache.set_debug(val)
+-
+-static void l2x0_set_debug(unsigned long val)
++static void pl310_set_debug(unsigned long val)
+ {
+ 	writel_relaxed(val, l2x0_base + L2X0_DEBUG_CTRL);
+ }
+@@ -98,7 +97,7 @@ static inline void debug_writel(unsigned long val)
+ {
+ }
+ 
+-#define l2x0_set_debug	NULL
++#define pl310_set_debug	NULL
+ #endif
+ 
+ #ifdef CONFIG_PL310_ERRATA_588369
+@@ -331,6 +330,11 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask)
+ 		else
+ 			ways = 8;
+ 		type = "L310";
++#ifdef CONFIG_PL310_ERRATA_753970
++		/* Unmapped register. */
++		sync_reg_offset = L2X0_DUMMY_REG;
++#endif
++		outer_cache.set_debug = pl310_set_debug;
+ 		break;
+ 	case L2X0_CACHE_ID_PART_L210:
+ 		ways = (aux >> 13) & 0xf;
+@@ -379,7 +383,6 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask)
+ 	outer_cache.flush_all = l2x0_flush_all;
+ 	outer_cache.inv_all = l2x0_inv_all;
+ 	outer_cache.disable = l2x0_disable;
+-	outer_cache.set_debug = l2x0_set_debug;
+ 
+ 	printk(KERN_INFO "%s cache controller enabled\n", type);
+ 	printk(KERN_INFO "l2x0: %d ways, CACHE_ID 0x%08x, AUX_CTRL 0x%08x, Cache size: %d B\n",
+diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c
+index 89bbf4e..e77f4e4 100644
+--- a/arch/x86/boot/compressed/relocs.c
++++ b/arch/x86/boot/compressed/relocs.c
+@@ -402,13 +402,11 @@ static void print_absolute_symbols(void)
+ 	for (i = 0; i < ehdr.e_shnum; i++) {
+ 		struct section *sec = &secs[i];
+ 		char *sym_strtab;
+-		Elf32_Sym *sh_symtab;
+ 		int j;
+ 
+ 		if (sec->shdr.sh_type != SHT_SYMTAB) {
+ 			continue;
+ 		}
+-		sh_symtab = sec->symtab;
+ 		sym_strtab = sec->link->strtab;
+ 		for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Sym); j++) {
+ 			Elf32_Sym *sym;
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index f98d84c..c4e3581 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1577,9 +1577,11 @@ static int __init apic_verify(void)
+ 	mp_lapic_addr = APIC_DEFAULT_PHYS_BASE;
+ 
+ 	/* The BIOS may have set up the APIC at some other address */
+-	rdmsr(MSR_IA32_APICBASE, l, h);
+-	if (l & MSR_IA32_APICBASE_ENABLE)
+-		mp_lapic_addr = l & MSR_IA32_APICBASE_BASE;
++	if (boot_cpu_data.x86 >= 6) {
++		rdmsr(MSR_IA32_APICBASE, l, h);
++		if (l & MSR_IA32_APICBASE_ENABLE)
++			mp_lapic_addr = l & MSR_IA32_APICBASE_BASE;
++	}
+ 
+ 	pr_info("Found and enabled local APIC!\n");
+ 	return 0;
+@@ -1597,13 +1599,15 @@ int __init apic_force_enable(unsigned long addr)
+ 	 * MSR. This can only be done in software for Intel P6 or later
+ 	 * and AMD K7 (Model > 1) or later.
+ 	 */
+-	rdmsr(MSR_IA32_APICBASE, l, h);
+-	if (!(l & MSR_IA32_APICBASE_ENABLE)) {
+-		pr_info("Local APIC disabled by BIOS -- reenabling.\n");
+-		l &= ~MSR_IA32_APICBASE_BASE;
+-		l |= MSR_IA32_APICBASE_ENABLE | addr;
+-		wrmsr(MSR_IA32_APICBASE, l, h);
+-		enabled_via_apicbase = 1;
++	if (boot_cpu_data.x86 >= 6) {
++		rdmsr(MSR_IA32_APICBASE, l, h);
++		if (!(l & MSR_IA32_APICBASE_ENABLE)) {
++			pr_info("Local APIC disabled by BIOS -- reenabling.\n");
++			l &= ~MSR_IA32_APICBASE_BASE;
++			l |= MSR_IA32_APICBASE_ENABLE | addr;
++			wrmsr(MSR_IA32_APICBASE, l, h);
++			enabled_via_apicbase = 1;
++		}
+ 	}
+ 	return apic_verify();
+ }
+@@ -2149,10 +2153,12 @@ static void lapic_resume(void)
+ 		 * FIXME! This will be wrong if we ever support suspend on
+ 		 * SMP! We'll need to do this as part of the CPU restore!
+ 		 */
+-		rdmsr(MSR_IA32_APICBASE, l, h);
+-		l &= ~MSR_IA32_APICBASE_BASE;
+-		l |= MSR_IA32_APICBASE_ENABLE | mp_lapic_addr;
+-		wrmsr(MSR_IA32_APICBASE, l, h);
++		if (boot_cpu_data.x86 >= 6) {
++			rdmsr(MSR_IA32_APICBASE, l, h);
++			l &= ~MSR_IA32_APICBASE_BASE;
++			l |= MSR_IA32_APICBASE_ENABLE | mp_lapic_addr;
++			wrmsr(MSR_IA32_APICBASE, l, h);
++		}
+ 	}
+ 
+ 	maxlvt = lapic_get_maxlvt();
+diff --git a/arch/x86/kernel/microcode_core.c b/arch/x86/kernel/microcode_core.c
+index 9d46f5e..563a09d 100644
+--- a/arch/x86/kernel/microcode_core.c
++++ b/arch/x86/kernel/microcode_core.c
+@@ -418,10 +418,8 @@ static int mc_sysdev_add(struct sys_device *sys_dev)
+ 	if (err)
+ 		return err;
+ 
+-	if (microcode_init_cpu(cpu) == UCODE_ERROR) {
+-		sysfs_remove_group(&sys_dev->kobj, &mc_attr_group);
++	if (microcode_init_cpu(cpu) == UCODE_ERROR)
+ 		return -EINVAL;
+-	}
+ 
+ 	return err;
+ }
+diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
+index 71f4727..5a98aa2 100644
+--- a/arch/x86/kernel/setup_percpu.c
++++ b/arch/x86/kernel/setup_percpu.c
+@@ -185,10 +185,22 @@ void __init setup_per_cpu_areas(void)
+ #endif
+ 	rc = -EINVAL;
+ 	if (pcpu_chosen_fc != PCPU_FC_PAGE) {
+-		const size_t atom_size = cpu_has_pse ? PMD_SIZE : PAGE_SIZE;
+ 		const size_t dyn_size = PERCPU_MODULE_RESERVE +
+ 			PERCPU_DYNAMIC_RESERVE - PERCPU_FIRST_CHUNK_RESERVE;
++		size_t atom_size;
+ 
++		/*
++		 * On 64bit, use PMD_SIZE for atom_size so that embedded
++		 * percpu areas are aligned to PMD.  This, in the future,
++		 * can also allow using PMD mappings in vmalloc area.  Use
++		 * PAGE_SIZE on 32bit as vmalloc space is highly contended
++		 * and large vmalloc area allocs can easily fail.
++		 */
++#ifdef CONFIG_X86_64
++		atom_size = PMD_SIZE;
++#else
++		atom_size = PAGE_SIZE;
++#endif
+ 		rc = pcpu_embed_first_chunk(PERCPU_FIRST_CHUNK_RESERVE,
+ 					    dyn_size, atom_size,
+ 					    pcpu_cpu_distance,
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 1f92865..e7c920b 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -62,6 +62,7 @@
+ #include <asm/reboot.h>
+ #include <asm/stackprotector.h>
+ #include <asm/hypervisor.h>
++#include <asm/pci_x86.h>
+ 
+ #include "xen-ops.h"
+ #include "mmu.h"
+@@ -1278,8 +1279,10 @@ asmlinkage void __init xen_start_kernel(void)
+ 		/* Make sure ACS will be enabled */
+ 		pci_request_acs();
+ 	}
+-		
+-
++#ifdef CONFIG_PCI
++	/* PCI BIOS service won't work from a PV guest. */
++	pci_probe &= ~PCI_PROBE_BIOS;
++#endif
+ 	xen_raw_console_write("about to get started...\n");
+ 
+ 	xen_setup_runstate_info(0);
+diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
+index 87f6673..ec3d603 100644
+--- a/arch/x86/xen/mmu.c
++++ b/arch/x86/xen/mmu.c
+@@ -353,8 +353,13 @@ static pteval_t pte_mfn_to_pfn(pteval_t val)
+ {
+ 	if (val & _PAGE_PRESENT) {
+ 		unsigned long mfn = (val & PTE_PFN_MASK) >> PAGE_SHIFT;
++		unsigned long pfn = mfn_to_pfn(mfn);
++
+ 		pteval_t flags = val & PTE_FLAGS_MASK;
+-		val = ((pteval_t)mfn_to_pfn(mfn) << PAGE_SHIFT) | flags;
++		if (unlikely(pfn == ~0))
++			val = flags & ~_PAGE_PRESENT;
++		else
++			val = ((pteval_t)pfn << PAGE_SHIFT) | flags;
+ 	}
+ 
+ 	return val;
+diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
+index 041d4fe..9a23fff 100644
+--- a/arch/x86/xen/smp.c
++++ b/arch/x86/xen/smp.c
+@@ -172,6 +172,7 @@ static void __init xen_fill_possible_map(void)
+ static void __init xen_filter_cpu_maps(void)
+ {
+ 	int i, rc;
++	unsigned int subtract = 0;
+ 
+ 	if (!xen_initial_domain())
+ 		return;
+@@ -186,8 +187,22 @@ static void __init xen_filter_cpu_maps(void)
+ 		} else {
+ 			set_cpu_possible(i, false);
+ 			set_cpu_present(i, false);
++			subtract++;
+ 		}
+ 	}
++#ifdef CONFIG_HOTPLUG_CPU
++	/* This is akin to using 'nr_cpus' on the Linux command line.
++	 * Which is OK as when we use 'dom0_max_vcpus=X' we can only
++	 * have up to X, while nr_cpu_ids is greater than X. This
++	 * normally is not a problem, except when CPU hotplugging
++	 * is involved and then there might be more than X CPUs
++	 * in the guest - which will not work as there is no
++	 * hypercall to expand the max number of VCPUs an already
++	 * running guest has. So cap it up to X. */
++	if (subtract)
++		nr_cpu_ids = nr_cpu_ids - subtract;
++#endif
++
+ }
+ 
+ static void __init xen_smp_prepare_boot_cpu(void)
+diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S
+index 79d7362..3e45aa0 100644
+--- a/arch/x86/xen/xen-asm.S
++++ b/arch/x86/xen/xen-asm.S
+@@ -96,7 +96,7 @@ ENTRY(xen_restore_fl_direct)
+ 
+ 	/* check for unmasked and pending */
+ 	cmpw $0x0001, PER_CPU_VAR(xen_vcpu_info) + XEN_vcpu_info_pending
+-	jz 1f
++	jnz 1f
+ 2:	call check_events
+ 1:
+ ENDPATCH(xen_restore_fl_direct)
+diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
+index 107f6f7..dd30f40 100644
+--- a/crypto/sha512_generic.c
++++ b/crypto/sha512_generic.c
+@@ -174,7 +174,7 @@ sha512_update(struct shash_desc *desc, const u8 *data, unsigned int len)
+ 	index = sctx->count[0] & 0x7f;
+ 
+ 	/* Update number of bytes */
+-	if (!(sctx->count[0] += len))
++	if ((sctx->count[0] += len) < len)
+ 		sctx->count[1]++;
+ 
+         part_len = 128 - index;
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index a9b2820..58db834 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -3500,7 +3500,8 @@ static int ata_count_probe_trials_cb(struct ata_ering_entry *ent, void *void_arg
+ 	u64 now = get_jiffies_64();
+ 	int *trials = void_arg;
+ 
+-	if (ent->timestamp < now - min(now, interval))
++	if ((ent->eflags & ATA_EFLAG_OLD_ER) ||
++	    (ent->timestamp < now - min(now, interval)))
+ 		return -1;
+ 
+ 	(*trials)++;
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index 003cd8d..99fefbd 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -73,6 +73,7 @@ static struct usb_device_id ath3k_table[] = {
+ 	{ USB_DEVICE(0x0CF3, 0x3004) },
+ 	{ USB_DEVICE(0x0CF3, 0x311D) },
+ 	{ USB_DEVICE(0x13d3, 0x3375) },
++	{ USB_DEVICE(0x04CA, 0x3005) },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xE02C) },
+@@ -91,6 +92,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
+ 	{ USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
+ 
+ 	{ }	/* Terminating entry */
+ };
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index db44ad5..e56da6a 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -129,6 +129,7 @@ static struct usb_device_id blacklist_table[] = {
+ 	{ USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
+diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
+index a60adbf..79dcf6e 100644
+--- a/drivers/dma/at_hdmac.c
++++ b/drivers/dma/at_hdmac.c
+@@ -239,10 +239,6 @@ static void atc_dostart(struct at_dma_chan *atchan, struct at_desc *first)
+ 
+ 	vdbg_dump_regs(atchan);
+ 
+-	/* clear any pending interrupt */
+-	while (dma_readl(atdma, EBCISR))
+-		cpu_relax();
+-
+ 	channel_writel(atchan, SADDR, 0);
+ 	channel_writel(atchan, DADDR, 0);
+ 	channel_writel(atchan, CTRLA, 0);
+diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
+index b0a8117..0535c21 100644
+--- a/drivers/firmware/efivars.c
++++ b/drivers/firmware/efivars.c
+@@ -191,6 +191,190 @@ utf16_strncmp(const efi_char16_t *a, const efi_char16_t *b, size_t len)
+ 	}
+ }
+ 
++static bool
++validate_device_path(struct efi_variable *var, int match, u8 *buffer,
++		     unsigned long len)
++{
++	struct efi_generic_dev_path *node;
++	int offset = 0;
++
++	node = (struct efi_generic_dev_path *)buffer;
++
++	if (len < sizeof(*node))
++		return false;
++
++	while (offset <= len - sizeof(*node) &&
++	       node->length >= sizeof(*node) &&
++		node->length <= len - offset) {
++		offset += node->length;
++
++		if ((node->type == EFI_DEV_END_PATH ||
++		     node->type == EFI_DEV_END_PATH2) &&
++		    node->sub_type == EFI_DEV_END_ENTIRE)
++			return true;
++
++		node = (struct efi_generic_dev_path *)(buffer + offset);
++	}
++
++	/*
++	 * If we're here then either node->length pointed past the end
++	 * of the buffer or we reached the end of the buffer without
++	 * finding a device path end node.
++	 */
++	return false;
++}
++
++static bool
++validate_boot_order(struct efi_variable *var, int match, u8 *buffer,
++		    unsigned long len)
++{
++	/* An array of 16-bit integers */
++	if ((len % 2) != 0)
++		return false;
++
++	return true;
++}
++
++static bool
++validate_load_option(struct efi_variable *var, int match, u8 *buffer,
++		     unsigned long len)
++{
++	u16 filepathlength;
++	int i, desclength = 0, namelen;
++
++	namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName));
++
++	/* Either "Boot" or "Driver" followed by four digits of hex */
++	for (i = match; i < match+4; i++) {
++		if (var->VariableName[i] > 127 ||
++		    hex_to_bin(var->VariableName[i] & 0xff) < 0)
++			return true;
++	}
++
++	/* Reject it if there's 4 digits of hex and then further content */
++	if (namelen > match + 4)
++		return false;
++
++	/* A valid entry must be at least 8 bytes */
++	if (len < 8)
++		return false;
++
++	filepathlength = buffer[4] | buffer[5] << 8;
++
++	/*
++	 * There's no stored length for the description, so it has to be
++	 * found by hand
++	 */
++	desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2;
++
++	/* Each boot entry must have a descriptor */
++	if (!desclength)
++		return false;
++
++	/*
++	 * If the sum of the length of the description, the claimed filepath
++	 * length and the original header are greater than the length of the
++	 * variable, it's malformed
++	 */
++	if ((desclength + filepathlength + 6) > len)
++		return false;
++
++	/*
++	 * And, finally, check the filepath
++	 */
++	return validate_device_path(var, match, buffer + desclength + 6,
++				    filepathlength);
++}
++
++static bool
++validate_uint16(struct efi_variable *var, int match, u8 *buffer,
++		unsigned long len)
++{
++	/* A single 16-bit integer */
++	if (len != 2)
++		return false;
++
++	return true;
++}
++
++static bool
++validate_ascii_string(struct efi_variable *var, int match, u8 *buffer,
++		      unsigned long len)
++{
++	int i;
++
++	for (i = 0; i < len; i++) {
++		if (buffer[i] > 127)
++			return false;
++
++		if (buffer[i] == 0)
++			return true;
++	}
++
++	return false;
++}
++
++struct variable_validate {
++	char *name;
++	bool (*validate)(struct efi_variable *var, int match, u8 *data,
++			 unsigned long len);
++};
++
++static const struct variable_validate variable_validate[] = {
++	{ "BootNext", validate_uint16 },
++	{ "BootOrder", validate_boot_order },
++	{ "DriverOrder", validate_boot_order },
++	{ "Boot*", validate_load_option },
++	{ "Driver*", validate_load_option },
++	{ "ConIn", validate_device_path },
++	{ "ConInDev", validate_device_path },
++	{ "ConOut", validate_device_path },
++	{ "ConOutDev", validate_device_path },
++	{ "ErrOut", validate_device_path },
++	{ "ErrOutDev", validate_device_path },
++	{ "Timeout", validate_uint16 },
++	{ "Lang", validate_ascii_string },
++	{ "PlatformLang", validate_ascii_string },
++	{ "", NULL },
++};
++
++static bool
++validate_var(struct efi_variable *var, u8 *data, unsigned long len)
++{
++	int i;
++	u16 *unicode_name = var->VariableName;
++
++	for (i = 0; variable_validate[i].validate != NULL; i++) {
++		const char *name = variable_validate[i].name;
++		int match;
++
++		for (match = 0; ; match++) {
++			char c = name[match];
++			u16 u = unicode_name[match];
++
++			/* All special variables are plain ascii */
++			if (u > 127)
++				return true;
++
++			/* Wildcard in the matching name means we've matched */
++			if (c == '*')
++				return variable_validate[i].validate(var,
++							     match, data, len);
++
++			/* Case sensitive match */
++			if (c != u)
++				break;
++
++			/* Reached the end of the string while matching */
++			if (!c)
++				return variable_validate[i].validate(var,
++							     match, data, len);
++		}
++	}
++
++	return true;
++}
++
+ static efi_status_t
+ get_var_data_locked(struct efivars *efivars, struct efi_variable *var)
+ {
+@@ -324,6 +508,12 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count)
+ 		return -EINVAL;
+ 	}
+ 
++	if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 ||
++	    validate_var(new_var, new_var->Data, new_var->DataSize) == false) {
++		printk(KERN_ERR "efivars: Malformed variable content\n");
++		return -EINVAL;
++	}
++
+ 	spin_lock(&efivars->lock);
+ 	status = efivars->ops->set_variable(new_var->VariableName,
+ 					    &new_var->VendorGuid,
+@@ -624,6 +814,12 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj,
+ 	if (!capable(CAP_SYS_ADMIN))
+ 		return -EACCES;
+ 
++	if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 ||
++	    validate_var(new_var, new_var->Data, new_var->DataSize) == false) {
++		printk(KERN_ERR "efivars: Malformed variable content\n");
++		return -EINVAL;
++	}
++
+ 	spin_lock(&efivars->lock);
+ 
+ 	/*
+diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+index b9da890..a6c2f7a 100644
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -984,6 +984,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
+ 	struct intel_ring_buffer *ring;
+ 	u32 exec_start, exec_len;
+ 	u32 seqno;
++	u32 mask;
+ 	int ret, mode, i;
+ 
+ 	if (!i915_gem_check_execbuffer(args)) {
+@@ -1021,6 +1022,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
+ 	}
+ 
+ 	mode = args->flags & I915_EXEC_CONSTANTS_MASK;
++	mask = I915_EXEC_CONSTANTS_MASK;
+ 	switch (mode) {
+ 	case I915_EXEC_CONSTANTS_REL_GENERAL:
+ 	case I915_EXEC_CONSTANTS_ABSOLUTE:
+@@ -1034,18 +1036,9 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
+ 			    mode == I915_EXEC_CONSTANTS_REL_SURFACE)
+ 				return -EINVAL;
+ 
+-			ret = intel_ring_begin(ring, 4);
+-			if (ret)
+-				return ret;
+-
+-			intel_ring_emit(ring, MI_NOOP);
+-			intel_ring_emit(ring, MI_LOAD_REGISTER_IMM(1));
+-			intel_ring_emit(ring, INSTPM);
+-			intel_ring_emit(ring,
+-					I915_EXEC_CONSTANTS_MASK << 16 | mode);
+-			intel_ring_advance(ring);
+-
+-			dev_priv->relative_constants_mode = mode;
++			/* The HW changed the meaning on this bit on gen6 */
++			if (INTEL_INFO(dev)->gen >= 6)
++				mask &= ~I915_EXEC_CONSTANTS_REL_SURFACE;
+ 		}
+ 		break;
+ 	default:
+@@ -1064,6 +1057,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
+ 			return -EINVAL;
+ 		}
+ 
++		if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
++			DRM_DEBUG("execbuf with %u cliprects\n",
++				  args->num_cliprects);
++			return -EINVAL;
++		}
+ 		cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
+ 				    GFP_KERNEL);
+ 		if (cliprects == NULL) {
+@@ -1176,6 +1174,21 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
+ 		}
+ 	}
+ 
++	if (ring == &dev_priv->ring[RCS] &&
++	    mode != dev_priv->relative_constants_mode) {
++		ret = intel_ring_begin(ring, 4);
++		if (ret)
++				goto err;
++
++		intel_ring_emit(ring, MI_NOOP);
++		intel_ring_emit(ring, MI_LOAD_REGISTER_IMM(1));
++		intel_ring_emit(ring, INSTPM);
++		intel_ring_emit(ring, mask << 16 | mode);
++		intel_ring_advance(ring);
++
++		dev_priv->relative_constants_mode = mode;
++	}
++
+ 	trace_i915_gem_ring_dispatch(ring, seqno);
+ 
+ 	exec_start = batch_obj->gtt_offset + args->batch_start_offset;
+@@ -1314,7 +1327,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
+ 	struct drm_i915_gem_exec_object2 *exec2_list = NULL;
+ 	int ret;
+ 
+-	if (args->buffer_count < 1) {
++	if (args->buffer_count < 1 ||
++	    args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
+ 		DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count);
+ 		return -EINVAL;
+ 	}
+diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
+index 2f99fd4..cbe5a88 100644
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -442,6 +442,7 @@
+ #define   INSTPM_AGPBUSY_DIS (1<<11) /* gen3: when disabled, pending interrupts
+ 					will not assert AGPBUSY# and will only
+ 					be delivered when out of C3. */
++#define   INSTPM_FORCE_ORDERING				(1<<7) /* GEN6+ */
+ #define ACTHD	        0x020c8
+ #define FW_BLC		0x020d8
+ #define FW_BLC2		0x020dc
+@@ -522,6 +523,7 @@
+ #define   CM0_MASK_SHIFT          16
+ #define   CM0_IZ_OPT_DISABLE      (1<<6)
+ #define   CM0_ZR_OPT_DISABLE      (1<<5)
++#define	  CM0_STC_EVICT_DISABLE_LRA_SNB	(1<<5)
+ #define   CM0_DEPTH_EVICT_DISABLE (1<<4)
+ #define   CM0_COLOR_EVICT_DISABLE (1<<3)
+ #define   CM0_DEPTH_WRITE_DISABLE (1<<1)
+diff --git a/drivers/gpu/drm/i915/intel_hdmi.c b/drivers/gpu/drm/i915/intel_hdmi.c
+index 64541f7..9cd81ba 100644
+--- a/drivers/gpu/drm/i915/intel_hdmi.c
++++ b/drivers/gpu/drm/i915/intel_hdmi.c
+@@ -136,7 +136,7 @@ static void i9xx_write_infoframe(struct drm_encoder *encoder,
+ 
+ 	val &= ~VIDEO_DIP_SELECT_MASK;
+ 
+-	I915_WRITE(VIDEO_DIP_CTL, val | port | flags);
++	I915_WRITE(VIDEO_DIP_CTL, VIDEO_DIP_ENABLE | val | port | flags);
+ 
+ 	for (i = 0; i < len; i += 4) {
+ 		I915_WRITE(VIDEO_DIP_DATA, *data);
+diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c
+index 8673581..62f9ac5 100644
+--- a/drivers/gpu/drm/i915/intel_ringbuffer.c
++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
+@@ -414,6 +414,22 @@ static int init_render_ring(struct intel_ring_buffer *ring)
+ 			return ret;
+ 	}
+ 
++
++	if (IS_GEN6(dev)) {
++		/* From the Sandybridge PRM, volume 1 part 3, page 24:
++		 * "If this bit is set, STCunit will have LRA as replacement
++		 *  policy. [...] This bit must be reset.  LRA replacement
++		 *  policy is not supported."
++		 */
++		I915_WRITE(CACHE_MODE_0,
++			   CM0_STC_EVICT_DISABLE_LRA_SNB << CM0_MASK_SHIFT);
++	}
++
++	if (INTEL_INFO(dev)->gen >= 6) {
++		I915_WRITE(INSTPM,
++			   INSTPM_FORCE_ORDERING << 16 | INSTPM_FORCE_ORDERING);
++	}
++
+ 	return ret;
+ }
+ 
+diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
+index e334ec3..8eddcca 100644
+--- a/drivers/gpu/drm/i915/intel_sdvo.c
++++ b/drivers/gpu/drm/i915/intel_sdvo.c
+@@ -731,6 +731,7 @@ static void intel_sdvo_get_dtd_from_mode(struct intel_sdvo_dtd *dtd,
+ 	uint16_t width, height;
+ 	uint16_t h_blank_len, h_sync_len, v_blank_len, v_sync_len;
+ 	uint16_t h_sync_offset, v_sync_offset;
++	int mode_clock;
+ 
+ 	width = mode->crtc_hdisplay;
+ 	height = mode->crtc_vdisplay;
+@@ -745,7 +746,11 @@ static void intel_sdvo_get_dtd_from_mode(struct intel_sdvo_dtd *dtd,
+ 	h_sync_offset = mode->crtc_hsync_start - mode->crtc_hblank_start;
+ 	v_sync_offset = mode->crtc_vsync_start - mode->crtc_vblank_start;
+ 
+-	dtd->part1.clock = mode->clock / 10;
++	mode_clock = mode->clock;
++	mode_clock /= intel_mode_get_pixel_multiplier(mode) ?: 1;
++	mode_clock /= 10;
++	dtd->part1.clock = mode_clock;
++
+ 	dtd->part1.h_active = width & 0xff;
+ 	dtd->part1.h_blank = h_blank_len & 0xff;
+ 	dtd->part1.h_high = (((width >> 8) & 0xf) << 4) |
+@@ -997,7 +1002,7 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder,
+ 	struct intel_sdvo *intel_sdvo = to_intel_sdvo(encoder);
+ 	u32 sdvox;
+ 	struct intel_sdvo_in_out_map in_out;
+-	struct intel_sdvo_dtd input_dtd;
++	struct intel_sdvo_dtd input_dtd, output_dtd;
+ 	int pixel_multiplier = intel_mode_get_pixel_multiplier(adjusted_mode);
+ 	int rate;
+ 
+@@ -1022,20 +1027,13 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder,
+ 					  intel_sdvo->attached_output))
+ 		return;
+ 
+-	/* We have tried to get input timing in mode_fixup, and filled into
+-	 * adjusted_mode.
+-	 */
+-	if (intel_sdvo->is_tv || intel_sdvo->is_lvds) {
+-		input_dtd = intel_sdvo->input_dtd;
+-	} else {
+-		/* Set the output timing to the screen */
+-		if (!intel_sdvo_set_target_output(intel_sdvo,
+-						  intel_sdvo->attached_output))
+-			return;
+-
+-		intel_sdvo_get_dtd_from_mode(&input_dtd, adjusted_mode);
+-		(void) intel_sdvo_set_output_timing(intel_sdvo, &input_dtd);
+-	}
++	/* lvds has a special fixed output timing. */
++	if (intel_sdvo->is_lvds)
++		intel_sdvo_get_dtd_from_mode(&output_dtd,
++					     intel_sdvo->sdvo_lvds_fixed_mode);
++	else
++		intel_sdvo_get_dtd_from_mode(&output_dtd, mode);
++	(void) intel_sdvo_set_output_timing(intel_sdvo, &output_dtd);
+ 
+ 	/* Set the input timing to the screen. Assume always input 0. */
+ 	if (!intel_sdvo_set_target_input(intel_sdvo))
+@@ -1053,6 +1051,10 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder,
+ 	    !intel_sdvo_set_tv_format(intel_sdvo))
+ 		return;
+ 
++	/* We have tried to get input timing in mode_fixup, and filled into
++	 * adjusted_mode.
++	 */
++	intel_sdvo_get_dtd_from_mode(&input_dtd, adjusted_mode);
+ 	(void) intel_sdvo_set_input_timing(intel_sdvo, &input_dtd);
+ 
+ 	switch (pixel_multiplier) {
+@@ -1219,8 +1221,14 @@ static bool intel_sdvo_get_capabilities(struct intel_sdvo *intel_sdvo, struct in
+ 
+ static int intel_sdvo_supports_hotplug(struct intel_sdvo *intel_sdvo)
+ {
++	struct drm_device *dev = intel_sdvo->base.base.dev;
+ 	u8 response[2];
+ 
++	/* HW Erratum: SDVO Hotplug is broken on all i945G chips, there's noise
++	 * on the line. */
++	if (IS_I945G(dev) || IS_I945GM(dev))
++		return false;
++
+ 	return intel_sdvo_get_value(intel_sdvo, SDVO_CMD_GET_HOT_PLUG_SUPPORT,
+ 				    &response, 2) && response[0];
+ }
+diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c
+index 525744d..3df56c7 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
+@@ -245,7 +245,7 @@ static bool nouveau_dsm_detect(void)
+ 	struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name};
+ 	struct pci_dev *pdev = NULL;
+ 	int has_dsm = 0;
+-	int has_optimus;
++	int has_optimus = 0;
+ 	int vga_count = 0;
+ 	bool guid_valid;
+ 	int retval;
+diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c
+index b30081f..757c549 100644
+--- a/drivers/gpu/drm/radeon/atombios_crtc.c
++++ b/drivers/gpu/drm/radeon/atombios_crtc.c
+@@ -917,8 +917,8 @@ static void atombios_crtc_set_pll(struct drm_crtc *crtc, struct drm_display_mode
+ 		break;
+ 	}
+ 
+-	if (radeon_encoder->active_device &
+-	    (ATOM_DEVICE_LCD_SUPPORT | ATOM_DEVICE_DFP_SUPPORT)) {
++	if ((radeon_encoder->active_device & (ATOM_DEVICE_LCD_SUPPORT | ATOM_DEVICE_DFP_SUPPORT)) ||
++	    (radeon_encoder_get_dp_bridge_encoder_id(encoder) != ENCODER_OBJECT_ID_NONE)) {
+ 		struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
+ 		struct drm_connector *connector =
+ 			radeon_get_connector_for_encoder(encoder);
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index 104b376..427468f 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -51,7 +51,7 @@ module_param_named(tjmax, force_tjmax, int, 0444);
+ MODULE_PARM_DESC(tjmax, "TjMax value in degrees Celsius");
+ 
+ #define BASE_SYSFS_ATTR_NO	2	/* Sysfs Base attr no for coretemp */
+-#define NUM_REAL_CORES		16	/* Number of Real cores per cpu */
++#define NUM_REAL_CORES		32	/* Number of Real cores per cpu */
+ #define CORETEMP_NAME_LENGTH	17	/* String Length of attrs */
+ #define MAX_CORE_ATTRS		4	/* Maximum no of basic attrs */
+ #define TOTAL_ATTRS		(MAX_CORE_ATTRS + 1)
+@@ -705,6 +705,10 @@ static void __cpuinit put_core_offline(unsigned int cpu)
+ 
+ 	indx = TO_ATTR_NO(cpu);
+ 
++	/* The core id is too big, just return */
++	if (indx > MAX_CORE_DATA - 1)
++		return;
++
+ 	if (pdata->core_data[indx] && pdata->core_data[indx]->cpu == cpu)
+ 		coretemp_remove_core(pdata, &pdev->dev, indx);
+ 
+diff --git a/drivers/hwmon/fam15h_power.c b/drivers/hwmon/fam15h_power.c
+index 930370d..9a4c3ab 100644
+--- a/drivers/hwmon/fam15h_power.c
++++ b/drivers/hwmon/fam15h_power.c
+@@ -122,6 +122,41 @@ static bool __devinit fam15h_power_is_internal_node0(struct pci_dev *f4)
+ 	return true;
+ }
+ 
++/*
++ * Newer BKDG versions have an updated recommendation on how to properly
++ * initialize the running average range (was: 0xE, now: 0x9). This avoids
++ * counter saturations resulting in bogus power readings.
++ * We correct this value ourselves to cope with older BIOSes.
++ */
++static DEFINE_PCI_DEVICE_TABLE(affected_device) = {
++	{ PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_15H_NB_F4) },
++	{ 0 }
++};
++
++static void __devinit tweak_runavg_range(struct pci_dev *pdev)
++{
++	u32 val;
++
++	/*
++	 * let this quirk apply only to the current version of the
++	 * northbridge, since future versions may change the behavior
++	 */
++	if (!pci_match_id(affected_device, pdev))
++		return;
++
++	pci_bus_read_config_dword(pdev->bus,
++		PCI_DEVFN(PCI_SLOT(pdev->devfn), 5),
++		REG_TDP_RUNNING_AVERAGE, &val);
++	if ((val & 0xf) != 0xe)
++		return;
++
++	val &= ~0xf;
++	val |=  0x9;
++	pci_bus_write_config_dword(pdev->bus,
++		PCI_DEVFN(PCI_SLOT(pdev->devfn), 5),
++		REG_TDP_RUNNING_AVERAGE, val);
++}
++
+ static void __devinit fam15h_power_init_data(struct pci_dev *f4,
+ 					     struct fam15h_power_data *data)
+ {
+@@ -155,6 +190,13 @@ static int __devinit fam15h_power_probe(struct pci_dev *pdev,
+ 	struct device *dev;
+ 	int err;
+ 
++	/*
++	 * though we ignore every other northbridge, we still have to
++	 * do the tweaking on _each_ node in MCM processors as the counters
++	 * are working hand-in-hand
++	 */
++	tweak_runavg_range(pdev);
++
+ 	if (!fam15h_power_is_internal_node0(pdev)) {
+ 		err = -ENODEV;
+ 		goto exit;
+diff --git a/drivers/i2c/busses/i2c-pnx.c b/drivers/i2c/busses/i2c-pnx.c
+index 04be9f8..eb8ad53 100644
+--- a/drivers/i2c/busses/i2c-pnx.c
++++ b/drivers/i2c/busses/i2c-pnx.c
+@@ -546,8 +546,7 @@ static int i2c_pnx_controller_suspend(struct platform_device *pdev,
+ {
+ 	struct i2c_pnx_algo_data *alg_data = platform_get_drvdata(pdev);
+ 
+-	/* FIXME: shouldn't this be clk_disable? */
+-	clk_enable(alg_data->clk);
++	clk_disable(alg_data->clk);
+ 
+ 	return 0;
+ }
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 6f37aa4..065ab4f 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8100,7 +8100,8 @@ static int md_notify_reboot(struct notifier_block *this,
+ 
+ 	for_each_mddev(mddev, tmp) {
+ 		if (mddev_trylock(mddev)) {
+-			__md_stop_writes(mddev);
++			if (mddev->pers)
++				__md_stop_writes(mddev);
+ 			mddev->safemode = 2;
+ 			mddev_unlock(mddev);
+ 		}
+diff --git a/drivers/media/dvb/frontends/drxk_hard.c b/drivers/media/dvb/frontends/drxk_hard.c
+index f6431ef..a1f5e3d 100644
+--- a/drivers/media/dvb/frontends/drxk_hard.c
++++ b/drivers/media/dvb/frontends/drxk_hard.c
+@@ -1523,8 +1523,10 @@ static int scu_command(struct drxk_state *state,
+ 	dprintk(1, "\n");
+ 
+ 	if ((cmd == 0) || ((parameterLen > 0) && (parameter == NULL)) ||
+-	    ((resultLen > 0) && (result == NULL)))
+-		goto error;
++	    ((resultLen > 0) && (result == NULL))) {
++		printk(KERN_ERR "drxk: Error %d on %s\n", status, __func__);
++		return status;
++	}
+ 
+ 	mutex_lock(&state->mutex);
+ 
+diff --git a/drivers/media/rc/winbond-cir.c b/drivers/media/rc/winbond-cir.c
+index 13f54b5..a7e7d6f 100644
+--- a/drivers/media/rc/winbond-cir.c
++++ b/drivers/media/rc/winbond-cir.c
+@@ -1046,6 +1046,7 @@ wbcir_probe(struct pnp_dev *device, const struct pnp_device_id *dev_id)
+ 		goto exit_unregister_led;
+ 	}
+ 
++	data->dev->driver_type = RC_DRIVER_IR_RAW;
+ 	data->dev->driver_name = WBCIR_NAME;
+ 	data->dev->input_name = WBCIR_NAME;
+ 	data->dev->input_phys = "wbcir/cir0";
+diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
+index e15e47d..34416d4 100644
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -799,7 +799,7 @@ static int mmc_blk_issue_secdiscard_rq(struct mmc_queue *mq,
+ {
+ 	struct mmc_blk_data *md = mq->data;
+ 	struct mmc_card *card = md->queue.card;
+-	unsigned int from, nr, arg;
++	unsigned int from, nr, arg, trim_arg, erase_arg;
+ 	int err = 0, type = MMC_BLK_SECDISCARD;
+ 
+ 	if (!(mmc_can_secure_erase_trim(card) || mmc_can_sanitize(card))) {
+@@ -807,20 +807,26 @@ static int mmc_blk_issue_secdiscard_rq(struct mmc_queue *mq,
+ 		goto out;
+ 	}
+ 
++	from = blk_rq_pos(req);
++	nr = blk_rq_sectors(req);
++
+ 	/* The sanitize operation is supported at v4.5 only */
+ 	if (mmc_can_sanitize(card)) {
+-		err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
+-				EXT_CSD_SANITIZE_START, 1, 0);
+-		goto out;
++		erase_arg = MMC_ERASE_ARG;
++		trim_arg = MMC_TRIM_ARG;
++	} else {
++		erase_arg = MMC_SECURE_ERASE_ARG;
++		trim_arg = MMC_SECURE_TRIM1_ARG;
+ 	}
+ 
+-	from = blk_rq_pos(req);
+-	nr = blk_rq_sectors(req);
+-
+-	if (mmc_can_trim(card) && !mmc_erase_group_aligned(card, from, nr))
+-		arg = MMC_SECURE_TRIM1_ARG;
+-	else
+-		arg = MMC_SECURE_ERASE_ARG;
++	if (mmc_erase_group_aligned(card, from, nr))
++		arg = erase_arg;
++	else if (mmc_can_trim(card))
++		arg = trim_arg;
++	else {
++		err = -EINVAL;
++		goto out;
++	}
+ retry:
+ 	if (card->quirks & MMC_QUIRK_INAND_CMD38) {
+ 		err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
+@@ -830,25 +836,41 @@ retry:
+ 				 INAND_CMD38_ARG_SECERASE,
+ 				 0);
+ 		if (err)
+-			goto out;
++			goto out_retry;
+ 	}
++
+ 	err = mmc_erase(card, from, nr, arg);
+-	if (!err && arg == MMC_SECURE_TRIM1_ARG) {
++	if (err == -EIO)
++		goto out_retry;
++	if (err)
++		goto out;
++
++	if (arg == MMC_SECURE_TRIM1_ARG) {
+ 		if (card->quirks & MMC_QUIRK_INAND_CMD38) {
+ 			err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
+ 					 INAND_CMD38_ARG_EXT_CSD,
+ 					 INAND_CMD38_ARG_SECTRIM2,
+ 					 0);
+ 			if (err)
+-				goto out;
++				goto out_retry;
+ 		}
++
+ 		err = mmc_erase(card, from, nr, MMC_SECURE_TRIM2_ARG);
++		if (err == -EIO)
++			goto out_retry;
++		if (err)
++			goto out;
+ 	}
+-out:
+-	if (err == -EIO && !mmc_blk_reset(md, card->host, type))
++
++	if (mmc_can_sanitize(card))
++		err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
++				 EXT_CSD_SANITIZE_START, 1, 0);
++out_retry:
++	if (err && !mmc_blk_reset(md, card->host, type))
+ 		goto retry;
+ 	if (!err)
+ 		mmc_blk_reset_success(md, type);
++out:
+ 	spin_lock_irq(&md->lock);
+ 	__blk_end_request(req, err, blk_rq_bytes(req));
+ 	spin_unlock_irq(&md->lock);
+diff --git a/drivers/mmc/card/queue.c b/drivers/mmc/card/queue.c
+index dcad59c..78690f2 100644
+--- a/drivers/mmc/card/queue.c
++++ b/drivers/mmc/card/queue.c
+@@ -134,7 +134,7 @@ static void mmc_queue_setup_discard(struct request_queue *q,
+ 
+ 	queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, q);
+ 	q->limits.max_discard_sectors = max_discard;
+-	if (card->erased_byte == 0)
++	if (card->erased_byte == 0 && !mmc_can_discard(card))
+ 		q->limits.discard_zeroes_data = 1;
+ 	q->limits.discard_granularity = card->pref_erase << 9;
+ 	/* granularity must not be greater than max. discard */
+diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c
+index 950b97d..411a994 100644
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -1516,7 +1516,10 @@ static unsigned int mmc_mmc_erase_timeout(struct mmc_card *card,
+ {
+ 	unsigned int erase_timeout;
+ 
+-	if (card->ext_csd.erase_group_def & 1) {
++	if (arg == MMC_DISCARD_ARG ||
++	    (arg == MMC_TRIM_ARG && card->ext_csd.rev >= 6)) {
++		erase_timeout = card->ext_csd.trim_timeout;
++	} else if (card->ext_csd.erase_group_def & 1) {
+ 		/* High Capacity Erase Group Size uses HC timeouts */
+ 		if (arg == MMC_TRIM_ARG)
+ 			erase_timeout = card->ext_csd.trim_timeout;
+@@ -1788,8 +1791,6 @@ int mmc_can_trim(struct mmc_card *card)
+ {
+ 	if (card->ext_csd.sec_feature_support & EXT_CSD_SEC_GB_CL_EN)
+ 		return 1;
+-	if (mmc_can_discard(card))
+-		return 1;
+ 	return 0;
+ }
+ EXPORT_SYMBOL(mmc_can_trim);
+@@ -1808,6 +1809,8 @@ EXPORT_SYMBOL(mmc_can_discard);
+ 
+ int mmc_can_sanitize(struct mmc_card *card)
+ {
++	if (!mmc_can_trim(card) && !mmc_can_erase(card))
++		return 0;
+ 	if (card->ext_csd.sec_feature_support & EXT_CSD_SEC_SANITIZE)
+ 		return 1;
+ 	return 0;
+diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
+index 4540e37..1b47937 100644
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -467,8 +467,7 @@ static int __devinit sdhci_esdhc_imx_probe(struct platform_device *pdev)
+ 	clk_enable(clk);
+ 	pltfm_host->clk = clk;
+ 
+-	if (!is_imx25_esdhc(imx_data))
+-		host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
++	host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
+ 
+ 	if (is_imx25_esdhc(imx_data) || is_imx35_esdhc(imx_data))
+ 		/* Fix errata ENGcm07207 present on i.MX25 and i.MX35 */
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index e58aa2b..f65e0b9 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2982,7 +2982,11 @@ static void bond_ab_arp_commit(struct bonding *bond, int delta_in_ticks)
+ 					   trans_start + delta_in_ticks)) ||
+ 			    bond->curr_active_slave != slave) {
+ 				slave->link = BOND_LINK_UP;
+-				bond->current_arp_slave = NULL;
++				if (bond->current_arp_slave) {
++					bond_set_slave_inactive_flags(
++						bond->current_arp_slave);
++					bond->current_arp_slave = NULL;
++				}
+ 
+ 				pr_info("%s: link status definitely up for interface %s.\n",
+ 					bond->dev->name, slave->dev->name);
+diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c
+index a7c5e88..eeac9ca 100644
+--- a/drivers/net/dummy.c
++++ b/drivers/net/dummy.c
+@@ -106,14 +106,14 @@ static int dummy_dev_init(struct net_device *dev)
+ 	return 0;
+ }
+ 
+-static void dummy_dev_free(struct net_device *dev)
++static void dummy_dev_uninit(struct net_device *dev)
+ {
+ 	free_percpu(dev->dstats);
+-	free_netdev(dev);
+ }
+ 
+ static const struct net_device_ops dummy_netdev_ops = {
+ 	.ndo_init		= dummy_dev_init,
++	.ndo_uninit		= dummy_dev_uninit,
+ 	.ndo_start_xmit		= dummy_xmit,
+ 	.ndo_validate_addr	= eth_validate_addr,
+ 	.ndo_set_rx_mode	= set_multicast_list,
+@@ -127,7 +127,7 @@ static void dummy_setup(struct net_device *dev)
+ 
+ 	/* Initialize the device structure. */
+ 	dev->netdev_ops = &dummy_netdev_ops;
+-	dev->destructor = dummy_dev_free;
++	dev->destructor = free_netdev;
+ 
+ 	/* Fill in device structure with ethernet-generic values. */
+ 	dev->tx_queue_len = 0;
+diff --git a/drivers/net/ethernet/atheros/atlx/atl1.c b/drivers/net/ethernet/atheros/atlx/atl1.c
+index 33a4e35..ee532e1 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl1.c
++++ b/drivers/net/ethernet/atheros/atlx/atl1.c
+@@ -2473,7 +2473,7 @@ static irqreturn_t atl1_intr(int irq, void *data)
+ 					"pcie phy link down %x\n", status);
+ 			if (netif_running(adapter->netdev)) {	/* reset MAC */
+ 				iowrite32(0, adapter->hw.hw_addr + REG_IMR);
+-				schedule_work(&adapter->pcie_dma_to_rst_task);
++				schedule_work(&adapter->reset_dev_task);
+ 				return IRQ_HANDLED;
+ 			}
+ 		}
+@@ -2485,7 +2485,7 @@ static irqreturn_t atl1_intr(int irq, void *data)
+ 					"pcie DMA r/w error (status = 0x%x)\n",
+ 					status);
+ 			iowrite32(0, adapter->hw.hw_addr + REG_IMR);
+-			schedule_work(&adapter->pcie_dma_to_rst_task);
++			schedule_work(&adapter->reset_dev_task);
+ 			return IRQ_HANDLED;
+ 		}
+ 
+@@ -2630,10 +2630,10 @@ static void atl1_down(struct atl1_adapter *adapter)
+ 	atl1_clean_rx_ring(adapter);
+ }
+ 
+-static void atl1_tx_timeout_task(struct work_struct *work)
++static void atl1_reset_dev_task(struct work_struct *work)
+ {
+ 	struct atl1_adapter *adapter =
+-		container_of(work, struct atl1_adapter, tx_timeout_task);
++		container_of(work, struct atl1_adapter, reset_dev_task);
+ 	struct net_device *netdev = adapter->netdev;
+ 
+ 	netif_device_detach(netdev);
+@@ -3032,12 +3032,10 @@ static int __devinit atl1_probe(struct pci_dev *pdev,
+ 		    (unsigned long)adapter);
+ 	adapter->phy_timer_pending = false;
+ 
+-	INIT_WORK(&adapter->tx_timeout_task, atl1_tx_timeout_task);
++	INIT_WORK(&adapter->reset_dev_task, atl1_reset_dev_task);
+ 
+ 	INIT_WORK(&adapter->link_chg_task, atlx_link_chg_task);
+ 
+-	INIT_WORK(&adapter->pcie_dma_to_rst_task, atl1_tx_timeout_task);
+-
+ 	err = register_netdev(netdev);
+ 	if (err)
+ 		goto err_common;
+diff --git a/drivers/net/ethernet/atheros/atlx/atl1.h b/drivers/net/ethernet/atheros/atlx/atl1.h
+index 109d6da..e04bf4d 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl1.h
++++ b/drivers/net/ethernet/atheros/atlx/atl1.h
+@@ -758,9 +758,8 @@ struct atl1_adapter {
+ 	u16 link_speed;
+ 	u16 link_duplex;
+ 	spinlock_t lock;
+-	struct work_struct tx_timeout_task;
++	struct work_struct reset_dev_task;
+ 	struct work_struct link_chg_task;
+-	struct work_struct pcie_dma_to_rst_task;
+ 
+ 	struct timer_list phy_config_timer;
+ 	bool phy_timer_pending;
+diff --git a/drivers/net/ethernet/atheros/atlx/atlx.c b/drivers/net/ethernet/atheros/atlx/atlx.c
+index aabcf4b..41c6d83 100644
+--- a/drivers/net/ethernet/atheros/atlx/atlx.c
++++ b/drivers/net/ethernet/atheros/atlx/atlx.c
+@@ -193,7 +193,7 @@ static void atlx_tx_timeout(struct net_device *netdev)
+ {
+ 	struct atlx_adapter *adapter = netdev_priv(netdev);
+ 	/* Do the reset outside of interrupt context */
+-	schedule_work(&adapter->tx_timeout_task);
++	schedule_work(&adapter->reset_dev_task);
+ }
+ 
+ /*
+diff --git a/drivers/net/ethernet/micrel/ks8851_mll.c b/drivers/net/ethernet/micrel/ks8851_mll.c
+index d19c849..77241b6 100644
+--- a/drivers/net/ethernet/micrel/ks8851_mll.c
++++ b/drivers/net/ethernet/micrel/ks8851_mll.c
+@@ -40,7 +40,7 @@
+ #define	DRV_NAME	"ks8851_mll"
+ 
+ static u8 KS_DEFAULT_MAC_ADDRESS[] = { 0x00, 0x10, 0xA1, 0x86, 0x95, 0x11 };
+-#define MAX_RECV_FRAMES			32
++#define MAX_RECV_FRAMES			255
+ #define MAX_BUF_SIZE			2048
+ #define TX_BUF_SIZE			2000
+ #define RX_BUF_SIZE			2000
+diff --git a/drivers/net/ethernet/micrel/ksz884x.c b/drivers/net/ethernet/micrel/ksz884x.c
+index 7ece990..4b9f4bd 100644
+--- a/drivers/net/ethernet/micrel/ksz884x.c
++++ b/drivers/net/ethernet/micrel/ksz884x.c
+@@ -5679,7 +5679,7 @@ static int netdev_set_mac_address(struct net_device *dev, void *addr)
+ 		memcpy(hw->override_addr, mac->sa_data, MAC_ADDR_LEN);
+ 	}
+ 
+-	memcpy(dev->dev_addr, mac->sa_data, MAX_ADDR_LEN);
++	memcpy(dev->dev_addr, mac->sa_data, ETH_ALEN);
+ 
+ 	interrupt = hw_block_intr(hw);
+ 
+diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
+index aba4f67..8f47907 100644
+--- a/drivers/net/ethernet/realtek/8139cp.c
++++ b/drivers/net/ethernet/realtek/8139cp.c
+@@ -961,6 +961,11 @@ static inline void cp_start_hw (struct cp_private *cp)
+ 	cpw8(Cmd, RxOn | TxOn);
+ }
+ 
++static void cp_enable_irq(struct cp_private *cp)
++{
++	cpw16_f(IntrMask, cp_intr_mask);
++}
++
+ static void cp_init_hw (struct cp_private *cp)
+ {
+ 	struct net_device *dev = cp->dev;
+@@ -1000,8 +1005,6 @@ static void cp_init_hw (struct cp_private *cp)
+ 
+ 	cpw16(MultiIntr, 0);
+ 
+-	cpw16_f(IntrMask, cp_intr_mask);
+-
+ 	cpw8_f(Cfg9346, Cfg9346_Lock);
+ }
+ 
+@@ -1133,6 +1136,8 @@ static int cp_open (struct net_device *dev)
+ 	if (rc)
+ 		goto err_out_hw;
+ 
++	cp_enable_irq(cp);
++
+ 	netif_carrier_off(dev);
+ 	mii_check_media(&cp->mii_if, netif_msg_link(cp), true);
+ 	netif_start_queue(dev);
+@@ -2034,6 +2039,7 @@ static int cp_resume (struct pci_dev *pdev)
+ 	/* FIXME: sh*t may happen if the Rx ring buffer is depleted */
+ 	cp_init_rings_index (cp);
+ 	cp_init_hw (cp);
++	cp_enable_irq(cp);
+ 	netif_start_queue (dev);
+ 
+ 	spin_lock_irqsave (&cp->lock, flags);
+diff --git a/drivers/net/ethernet/smsc/smsc911x.c b/drivers/net/ethernet/smsc/smsc911x.c
+index 8843071..8c7dd21 100644
+--- a/drivers/net/ethernet/smsc/smsc911x.c
++++ b/drivers/net/ethernet/smsc/smsc911x.c
+@@ -1089,10 +1089,8 @@ smsc911x_rx_counterrors(struct net_device *dev, unsigned int rxstat)
+ 
+ /* Quickly dumps bad packets */
+ static void
+-smsc911x_rx_fastforward(struct smsc911x_data *pdata, unsigned int pktbytes)
++smsc911x_rx_fastforward(struct smsc911x_data *pdata, unsigned int pktwords)
+ {
+-	unsigned int pktwords = (pktbytes + NET_IP_ALIGN + 3) >> 2;
+-
+ 	if (likely(pktwords >= 4)) {
+ 		unsigned int timeout = 500;
+ 		unsigned int val;
+@@ -1156,7 +1154,7 @@ static int smsc911x_poll(struct napi_struct *napi, int budget)
+ 			continue;
+ 		}
+ 
+-		skb = netdev_alloc_skb(dev, pktlength + NET_IP_ALIGN);
++		skb = netdev_alloc_skb(dev, pktwords << 2);
+ 		if (unlikely(!skb)) {
+ 			SMSC_WARN(pdata, rx_err,
+ 				  "Unable to allocate skb for rx packet");
+@@ -1166,14 +1164,12 @@ static int smsc911x_poll(struct napi_struct *napi, int budget)
+ 			break;
+ 		}
+ 
+-		skb->data = skb->head;
+-		skb_reset_tail_pointer(skb);
++		pdata->ops->rx_readfifo(pdata,
++				 (unsigned int *)skb->data, pktwords);
+ 
+ 		/* Align IP on 16B boundary */
+ 		skb_reserve(skb, NET_IP_ALIGN);
+ 		skb_put(skb, pktlength - 4);
+-		pdata->ops->rx_readfifo(pdata,
+-				 (unsigned int *)skb->head, pktwords);
+ 		skb->protocol = eth_type_trans(skb, dev);
+ 		skb_checksum_none_assert(skb);
+ 		netif_receive_skb(skb);
+@@ -1396,7 +1392,7 @@ static int smsc911x_open(struct net_device *dev)
+ 	smsc911x_reg_write(pdata, FIFO_INT, temp);
+ 
+ 	/* set RX Data offset to 2 bytes for alignment */
+-	smsc911x_reg_write(pdata, RX_CFG, (2 << 8));
++	smsc911x_reg_write(pdata, RX_CFG, (NET_IP_ALIGN << 8));
+ 
+ 	/* enable NAPI polling before enabling RX interrupts */
+ 	napi_enable(&pdata->napi);
+diff --git a/drivers/net/ethernet/ti/davinci_mdio.c b/drivers/net/ethernet/ti/davinci_mdio.c
+index 7615040..f470ab6 100644
+--- a/drivers/net/ethernet/ti/davinci_mdio.c
++++ b/drivers/net/ethernet/ti/davinci_mdio.c
+@@ -181,6 +181,11 @@ static inline int wait_for_user_access(struct davinci_mdio_data *data)
+ 		__davinci_mdio_reset(data);
+ 		return -EAGAIN;
+ 	}
++
++	reg = __raw_readl(&regs->user[0].access);
++	if ((reg & USERACCESS_GO) == 0)
++		return 0;
++
+ 	dev_err(data->dev, "timed out waiting for user access\n");
+ 	return -ETIMEDOUT;
+ }
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 486b404..3ed983c 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -968,7 +968,6 @@ ppp_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ 	proto = npindex_to_proto[npi];
+ 	put_unaligned_be16(proto, pp);
+ 
+-	netif_stop_queue(dev);
+ 	skb_queue_tail(&ppp->file.xq, skb);
+ 	ppp_xmit_process(ppp);
+ 	return NETDEV_TX_OK;
+@@ -1063,6 +1062,8 @@ ppp_xmit_process(struct ppp *ppp)
+ 		   code that we can accept some more. */
+ 		if (!ppp->xmit_pending && !skb_peek(&ppp->file.xq))
+ 			netif_wake_queue(ppp->dev);
++		else
++			netif_stop_queue(ppp->dev);
+ 	}
+ 	ppp_xmit_unlock(ppp);
+ }
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index a5b9b12..7bd219b 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1050,6 +1050,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ 	dev->net->ethtool_ops = &smsc75xx_ethtool_ops;
+ 	dev->net->flags |= IFF_MULTICAST;
+ 	dev->net->hard_header_len += SMSC75XX_TX_OVERHEAD;
++	dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len;
+ 	return 0;
+ }
+ 
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index eff6767..55b3218 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1190,7 +1190,7 @@ static const struct driver_info smsc95xx_info = {
+ 	.rx_fixup	= smsc95xx_rx_fixup,
+ 	.tx_fixup	= smsc95xx_tx_fixup,
+ 	.status		= smsc95xx_status,
+-	.flags		= FLAG_ETHER | FLAG_SEND_ZLP,
++	.flags		= FLAG_ETHER | FLAG_SEND_ZLP | FLAG_LINK_INTR,
+ };
+ 
+ static const struct usb_device_id products[] = {
+diff --git a/drivers/net/wimax/i2400m/netdev.c b/drivers/net/wimax/i2400m/netdev.c
+index 64a1106..4697cf3 100644
+--- a/drivers/net/wimax/i2400m/netdev.c
++++ b/drivers/net/wimax/i2400m/netdev.c
+@@ -607,7 +607,8 @@ static void i2400m_get_drvinfo(struct net_device *net_dev,
+ 	struct i2400m *i2400m = net_dev_to_i2400m(net_dev);
+ 
+ 	strncpy(info->driver, KBUILD_MODNAME, sizeof(info->driver) - 1);
+-	strncpy(info->fw_version, i2400m->fw_name, sizeof(info->fw_version) - 1);
++	strncpy(info->fw_version,
++	        i2400m->fw_name ? : "", sizeof(info->fw_version) - 1);
+ 	if (net_dev->dev.parent)
+ 		strncpy(info->bus_info, dev_name(net_dev->dev.parent),
+ 			sizeof(info->bus_info) - 1);
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 5634d9a..680709c 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -4820,8 +4820,14 @@ static int b43_op_start(struct ieee80211_hw *hw)
+  out_mutex_unlock:
+ 	mutex_unlock(&wl->mutex);
+ 
+-	/* reload configuration */
+-	b43_op_config(hw, ~0);
++	/*
++	 * Configuration may have been overwritten during initialization.
++	 * Reload the configuration, but only if initialization was
++	 * successful. Reloading the configuration after a failed init
++	 * may hang the system.
++	 */
++	if (!err)
++		b43_op_config(hw, ~0);
+ 
+ 	return err;
+ }
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c
+index 453f58e..f98becc 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/main.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c
+@@ -7865,6 +7865,7 @@ brcms_c_recvctl(struct brcms_c_info *wlc, struct d11rxhdr *rxh,
+ {
+ 	int len_mpdu;
+ 	struct ieee80211_rx_status rx_status;
++	struct ieee80211_hdr *hdr;
+ 
+ 	memset(&rx_status, 0, sizeof(rx_status));
+ 	prep_mac80211_status(wlc, rxh, p, &rx_status);
+@@ -7874,6 +7875,13 @@ brcms_c_recvctl(struct brcms_c_info *wlc, struct d11rxhdr *rxh,
+ 	skb_pull(p, D11_PHY_HDR_LEN);
+ 	__skb_trim(p, len_mpdu);
+ 
++	/* unmute transmit */
++	if (wlc->hw->suspended_fifos) {
++		hdr = (struct ieee80211_hdr *)p->data;
++		if (ieee80211_is_beacon(hdr->frame_control))
++			brcms_b_mute(wlc->hw, false);
++	}
++
+ 	memcpy(IEEE80211_SKB_RXCB(p), &rx_status, sizeof(rx_status));
+ 	ieee80211_rx_irqsafe(wlc->pub->ieee_hw, p);
+ }
+diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c
+index 99a710d..827889b 100644
+--- a/drivers/net/wireless/ipw2x00/ipw2200.c
++++ b/drivers/net/wireless/ipw2x00/ipw2200.c
+@@ -2183,6 +2183,7 @@ static int __ipw_send_cmd(struct ipw_priv *priv, struct host_cmd *cmd)
+ {
+ 	int rc = 0;
+ 	unsigned long flags;
++	unsigned long now, end;
+ 
+ 	spin_lock_irqsave(&priv->lock, flags);
+ 	if (priv->status & STATUS_HCMD_ACTIVE) {
+@@ -2224,10 +2225,20 @@ static int __ipw_send_cmd(struct ipw_priv *priv, struct host_cmd *cmd)
+ 	}
+ 	spin_unlock_irqrestore(&priv->lock, flags);
+ 
++	now = jiffies;
++	end = now + HOST_COMPLETE_TIMEOUT;
++again:
+ 	rc = wait_event_interruptible_timeout(priv->wait_command_queue,
+ 					      !(priv->
+ 						status & STATUS_HCMD_ACTIVE),
+-					      HOST_COMPLETE_TIMEOUT);
++					      end - now);
++	if (rc < 0) {
++		now = jiffies;
++		if (time_before(now, end))
++			goto again;
++		rc = 0;
++	}
++
+ 	if (rc == 0) {
+ 		spin_lock_irqsave(&priv->lock, flags);
+ 		if (priv->status & STATUS_HCMD_ACTIVE) {
+diff --git a/drivers/net/wireless/iwlwifi/iwl-1000.c b/drivers/net/wireless/iwlwifi/iwl-1000.c
+index dd008b0..1e6c8cc 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-1000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-1000.c
+@@ -45,8 +45,8 @@
+ #include "iwl-cfg.h"
+ 
+ /* Highest firmware API version supported */
+-#define IWL1000_UCODE_API_MAX 6
+-#define IWL100_UCODE_API_MAX 6
++#define IWL1000_UCODE_API_MAX 5
++#define IWL100_UCODE_API_MAX 5
+ 
+ /* Oldest version we won't warn about */
+ #define IWL1000_UCODE_API_OK 5
+@@ -244,5 +244,5 @@ struct iwl_cfg iwl100_bg_cfg = {
+ 	IWL_DEVICE_100,
+ };
+ 
+-MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_MAX));
++MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_OK));
++MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_OK));
+diff --git a/drivers/net/wireless/iwlwifi/iwl-2000.c b/drivers/net/wireless/iwlwifi/iwl-2000.c
+index 7943197..9823e41 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-2000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-2000.c
+@@ -51,10 +51,10 @@
+ #define IWL135_UCODE_API_MAX 6
+ 
+ /* Oldest version we won't warn about */
+-#define IWL2030_UCODE_API_OK 5
+-#define IWL2000_UCODE_API_OK 5
+-#define IWL105_UCODE_API_OK 5
+-#define IWL135_UCODE_API_OK 5
++#define IWL2030_UCODE_API_OK 6
++#define IWL2000_UCODE_API_OK 6
++#define IWL105_UCODE_API_OK 6
++#define IWL135_UCODE_API_OK 6
+ 
+ /* Lowest firmware API version supported */
+ #define IWL2030_UCODE_API_MIN 5
+@@ -372,7 +372,7 @@ struct iwl_cfg iwl135_bgn_cfg = {
+ 	.ht_params = &iwl2000_ht_params,
+ };
+ 
+-MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_MAX));
++MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_OK));
++MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_OK));
++MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_OK));
++MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_OK));
+diff --git a/drivers/net/wireless/iwlwifi/iwl-5000.c b/drivers/net/wireless/iwlwifi/iwl-5000.c
+index f55fb2d..606213f 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-5000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
+@@ -50,6 +50,10 @@
+ #define IWL5000_UCODE_API_MAX 5
+ #define IWL5150_UCODE_API_MAX 2
+ 
++/* Oldest version we won't warn about */
++#define IWL5000_UCODE_API_OK 5
++#define IWL5150_UCODE_API_OK 2
++
+ /* Lowest firmware API version supported */
+ #define IWL5000_UCODE_API_MIN 1
+ #define IWL5150_UCODE_API_MIN 1
+@@ -373,6 +377,7 @@ static struct iwl_ht_params iwl5000_ht_params = {
+ #define IWL_DEVICE_5000						\
+ 	.fw_name_pre = IWL5000_FW_PRE,				\
+ 	.ucode_api_max = IWL5000_UCODE_API_MAX,			\
++	.ucode_api_ok = IWL5000_UCODE_API_OK,			\
+ 	.ucode_api_min = IWL5000_UCODE_API_MIN,			\
+ 	.eeprom_ver = EEPROM_5000_EEPROM_VERSION,		\
+ 	.eeprom_calib_ver = EEPROM_5000_TX_POWER_VERSION,	\
+@@ -416,6 +421,7 @@ struct iwl_cfg iwl5350_agn_cfg = {
+ 	.name = "Intel(R) WiMAX/WiFi Link 5350 AGN",
+ 	.fw_name_pre = IWL5000_FW_PRE,
+ 	.ucode_api_max = IWL5000_UCODE_API_MAX,
++	.ucode_api_ok = IWL5000_UCODE_API_OK,
+ 	.ucode_api_min = IWL5000_UCODE_API_MIN,
+ 	.eeprom_ver = EEPROM_5050_EEPROM_VERSION,
+ 	.eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION,
+@@ -429,6 +435,7 @@ struct iwl_cfg iwl5350_agn_cfg = {
+ #define IWL_DEVICE_5150						\
+ 	.fw_name_pre = IWL5150_FW_PRE,				\
+ 	.ucode_api_max = IWL5150_UCODE_API_MAX,			\
++	.ucode_api_ok = IWL5150_UCODE_API_OK,			\
+ 	.ucode_api_min = IWL5150_UCODE_API_MIN,			\
+ 	.eeprom_ver = EEPROM_5050_EEPROM_VERSION,		\
+ 	.eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION,	\
+@@ -450,5 +457,5 @@ struct iwl_cfg iwl5150_abg_cfg = {
+ 	IWL_DEVICE_5150,
+ };
+ 
+-MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_MAX));
++MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_OK));
++MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_OK));
+diff --git a/drivers/net/wireless/iwlwifi/iwl-6000.c b/drivers/net/wireless/iwlwifi/iwl-6000.c
+index c840c78..b4f809c 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-6000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-6000.c
+@@ -46,12 +46,15 @@
+ #include "iwl-cfg.h"
+ 
+ /* Highest firmware API version supported */
+-#define IWL6000_UCODE_API_MAX 4
++#define IWL6000_UCODE_API_MAX 6
+ #define IWL6050_UCODE_API_MAX 5
+ #define IWL6000G2_UCODE_API_MAX 6
+ 
+ /* Oldest version we won't warn about */
++#define IWL6000_UCODE_API_OK 4
+ #define IWL6000G2_UCODE_API_OK 5
++#define IWL6050_UCODE_API_OK 5
++#define IWL6000G2B_UCODE_API_OK 6
+ 
+ /* Lowest firmware API version supported */
+ #define IWL6000_UCODE_API_MIN 4
+@@ -399,7 +402,7 @@ struct iwl_cfg iwl6005_2agn_d_cfg = {
+ #define IWL_DEVICE_6030						\
+ 	.fw_name_pre = IWL6030_FW_PRE,				\
+ 	.ucode_api_max = IWL6000G2_UCODE_API_MAX,		\
+-	.ucode_api_ok = IWL6000G2_UCODE_API_OK,			\
++	.ucode_api_ok = IWL6000G2B_UCODE_API_OK,		\
+ 	.ucode_api_min = IWL6000G2_UCODE_API_MIN,		\
+ 	.eeprom_ver = EEPROM_6030_EEPROM_VERSION,		\
+ 	.eeprom_calib_ver = EEPROM_6030_TX_POWER_VERSION,	\
+@@ -479,6 +482,7 @@ struct iwl_cfg iwl130_bg_cfg = {
+ #define IWL_DEVICE_6000i					\
+ 	.fw_name_pre = IWL6000_FW_PRE,				\
+ 	.ucode_api_max = IWL6000_UCODE_API_MAX,			\
++	.ucode_api_ok = IWL6000_UCODE_API_OK,			\
+ 	.ucode_api_min = IWL6000_UCODE_API_MIN,			\
+ 	.valid_tx_ant = ANT_BC,		/* .cfg overwrite */	\
+ 	.valid_rx_ant = ANT_BC,		/* .cfg overwrite */	\
+@@ -559,6 +563,7 @@ struct iwl_cfg iwl6000_3agn_cfg = {
+ 	.name = "Intel(R) Centrino(R) Ultimate-N 6300 AGN",
+ 	.fw_name_pre = IWL6000_FW_PRE,
+ 	.ucode_api_max = IWL6000_UCODE_API_MAX,
++	.ucode_api_ok = IWL6000_UCODE_API_OK,
+ 	.ucode_api_min = IWL6000_UCODE_API_MIN,
+ 	.eeprom_ver = EEPROM_6000_EEPROM_VERSION,
+ 	.eeprom_calib_ver = EEPROM_6000_TX_POWER_VERSION,
+@@ -569,7 +574,7 @@ struct iwl_cfg iwl6000_3agn_cfg = {
+ 	.led_mode = IWL_LED_BLINK,
+ };
+ 
+-MODULE_FIRMWARE(IWL6000_MODULE_FIRMWARE(IWL6000_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX));
++MODULE_FIRMWARE(IWL6000_MODULE_FIRMWARE(IWL6000_UCODE_API_OK));
++MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_OK));
++MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_OK));
++MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2B_UCODE_API_OK));
+diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c
+index e0e9a3d..d7d2512 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
+@@ -1504,7 +1504,6 @@ static void iwl_bg_run_time_calib_work(struct work_struct *work)
+ 
+ static void iwlagn_prepare_restart(struct iwl_priv *priv)
+ {
+-	struct iwl_rxon_context *ctx;
+ 	bool bt_full_concurrent;
+ 	u8 bt_ci_compliance;
+ 	u8 bt_load;
+@@ -1513,8 +1512,6 @@ static void iwlagn_prepare_restart(struct iwl_priv *priv)
+ 
+ 	lockdep_assert_held(&priv->shrd->mutex);
+ 
+-	for_each_context(priv, ctx)
+-		ctx->vif = NULL;
+ 	priv->is_open = 0;
+ 
+ 	/*
+diff --git a/drivers/net/wireless/iwlwifi/iwl-core.c b/drivers/net/wireless/iwlwifi/iwl-core.c
+index 3d75d4c..832ec4d 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-core.c
++++ b/drivers/net/wireless/iwlwifi/iwl-core.c
+@@ -1228,6 +1228,7 @@ int iwlagn_mac_add_interface(struct ieee80211_hw *hw,
+ 	struct iwl_rxon_context *tmp, *ctx = NULL;
+ 	int err;
+ 	enum nl80211_iftype viftype = ieee80211_vif_type_p2p(vif);
++	bool reset = false;
+ 
+ 	IWL_DEBUG_MAC80211(priv, "enter: type %d, addr %pM\n",
+ 			   viftype, vif->addr);
+@@ -1249,6 +1250,13 @@ int iwlagn_mac_add_interface(struct ieee80211_hw *hw,
+ 			tmp->interface_modes | tmp->exclusive_interface_modes;
+ 
+ 		if (tmp->vif) {
++			/* On reset we need to add the same interface again */
++			if (tmp->vif == vif) {
++				reset = true;
++				ctx = tmp;
++				break;
++			}
++
+ 			/* check if this busy context is exclusive */
+ 			if (tmp->exclusive_interface_modes &
+ 						BIT(tmp->vif->type)) {
+@@ -1275,7 +1283,7 @@ int iwlagn_mac_add_interface(struct ieee80211_hw *hw,
+ 	ctx->vif = vif;
+ 
+ 	err = iwl_setup_interface(priv, ctx);
+-	if (!err)
++	if (!err || reset)
+ 		goto out;
+ 
+ 	ctx->vif = NULL;
+diff --git a/drivers/net/wireless/iwlwifi/iwl-fh.h b/drivers/net/wireless/iwlwifi/iwl-fh.h
+index 5bede9d..aae992a 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-fh.h
++++ b/drivers/net/wireless/iwlwifi/iwl-fh.h
+@@ -104,15 +104,29 @@
+  * (see struct iwl_tfd_frame).  These 16 pointer registers are offset by 0x04
+  * bytes from one another.  Each TFD circular buffer in DRAM must be 256-byte
+  * aligned (address bits 0-7 must be 0).
++ * Later devices have 20 (5000 series) or 30 (higher) queues, but the registers
++ * for them are in different places.
+  *
+  * Bit fields in each pointer register:
+  *  27-0: TFD CB physical base address [35:8], must be 256-byte aligned
+  */
+-#define FH_MEM_CBBC_LOWER_BOUND          (FH_MEM_LOWER_BOUND + 0x9D0)
+-#define FH_MEM_CBBC_UPPER_BOUND          (FH_MEM_LOWER_BOUND + 0xA10)
+-
+-/* Find TFD CB base pointer for given queue (range 0-15). */
+-#define FH_MEM_CBBC_QUEUE(x)  (FH_MEM_CBBC_LOWER_BOUND + (x) * 0x4)
++#define FH_MEM_CBBC_0_15_LOWER_BOUND		(FH_MEM_LOWER_BOUND + 0x9D0)
++#define FH_MEM_CBBC_0_15_UPPER_BOUND		(FH_MEM_LOWER_BOUND + 0xA10)
++#define FH_MEM_CBBC_16_19_LOWER_BOUND		(FH_MEM_LOWER_BOUND + 0xBF0)
++#define FH_MEM_CBBC_16_19_UPPER_BOUND		(FH_MEM_LOWER_BOUND + 0xC00)
++#define FH_MEM_CBBC_20_31_LOWER_BOUND		(FH_MEM_LOWER_BOUND + 0xB20)
++#define FH_MEM_CBBC_20_31_UPPER_BOUND		(FH_MEM_LOWER_BOUND + 0xB80)
++
++/* Find TFD CB base pointer for given queue */
++static inline unsigned int FH_MEM_CBBC_QUEUE(unsigned int chnl)
++{
++	if (chnl < 16)
++		return FH_MEM_CBBC_0_15_LOWER_BOUND + 4 * chnl;
++	if (chnl < 20)
++		return FH_MEM_CBBC_16_19_LOWER_BOUND + 4 * (chnl - 16);
++	WARN_ON_ONCE(chnl >= 32);
++	return FH_MEM_CBBC_20_31_LOWER_BOUND + 4 * (chnl - 20);
++}
+ 
+ 
+ /**
+diff --git a/drivers/net/wireless/iwlwifi/iwl-prph.h b/drivers/net/wireless/iwlwifi/iwl-prph.h
+index bebdd82..d9b089e 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-prph.h
++++ b/drivers/net/wireless/iwlwifi/iwl-prph.h
+@@ -227,12 +227,33 @@
+ #define SCD_AIT			(SCD_BASE + 0x0c)
+ #define SCD_TXFACT		(SCD_BASE + 0x10)
+ #define SCD_ACTIVE		(SCD_BASE + 0x14)
+-#define SCD_QUEUE_WRPTR(x)	(SCD_BASE + 0x18 + (x) * 4)
+-#define SCD_QUEUE_RDPTR(x)	(SCD_BASE + 0x68 + (x) * 4)
+ #define SCD_QUEUECHAIN_SEL	(SCD_BASE + 0xe8)
+ #define SCD_AGGR_SEL		(SCD_BASE + 0x248)
+ #define SCD_INTERRUPT_MASK	(SCD_BASE + 0x108)
+-#define SCD_QUEUE_STATUS_BITS(x)	(SCD_BASE + 0x10c + (x) * 4)
++
++static inline unsigned int SCD_QUEUE_WRPTR(unsigned int chnl)
++{
++	if (chnl < 20)
++		return SCD_BASE + 0x18 + chnl * 4;
++	WARN_ON_ONCE(chnl >= 32);
++	return SCD_BASE + 0x284 + (chnl - 20) * 4;
++}
++
++static inline unsigned int SCD_QUEUE_RDPTR(unsigned int chnl)
++{
++	if (chnl < 20)
++		return SCD_BASE + 0x68 + chnl * 4;
++	WARN_ON_ONCE(chnl >= 32);
++	return SCD_BASE + 0x2B4 + (chnl - 20) * 4;
++}
++
++static inline unsigned int SCD_QUEUE_STATUS_BITS(unsigned int chnl)
++{
++	if (chnl < 20)
++		return SCD_BASE + 0x10c + chnl * 4;
++	WARN_ON_ONCE(chnl >= 32);
++	return SCD_BASE + 0x384 + (chnl - 20) * 4;
++}
+ 
+ /*********************** END TX SCHEDULER *************************************/
+ 
+diff --git a/drivers/net/wireless/mwifiex/pcie.h b/drivers/net/wireless/mwifiex/pcie.h
+index 445ff21..2f218f9 100644
+--- a/drivers/net/wireless/mwifiex/pcie.h
++++ b/drivers/net/wireless/mwifiex/pcie.h
+@@ -48,15 +48,15 @@
+ #define PCIE_HOST_INT_STATUS_MASK			0xC3C
+ #define PCIE_SCRATCH_2_REG				0xC40
+ #define PCIE_SCRATCH_3_REG				0xC44
+-#define PCIE_SCRATCH_4_REG				0xCC0
+-#define PCIE_SCRATCH_5_REG				0xCC4
+-#define PCIE_SCRATCH_6_REG				0xCC8
+-#define PCIE_SCRATCH_7_REG				0xCCC
+-#define PCIE_SCRATCH_8_REG				0xCD0
+-#define PCIE_SCRATCH_9_REG				0xCD4
+-#define PCIE_SCRATCH_10_REG				0xCD8
+-#define PCIE_SCRATCH_11_REG				0xCDC
+-#define PCIE_SCRATCH_12_REG				0xCE0
++#define PCIE_SCRATCH_4_REG				0xCD0
++#define PCIE_SCRATCH_5_REG				0xCD4
++#define PCIE_SCRATCH_6_REG				0xCD8
++#define PCIE_SCRATCH_7_REG				0xCDC
++#define PCIE_SCRATCH_8_REG				0xCE0
++#define PCIE_SCRATCH_9_REG				0xCE4
++#define PCIE_SCRATCH_10_REG				0xCE8
++#define PCIE_SCRATCH_11_REG				0xCEC
++#define PCIE_SCRATCH_12_REG				0xCF0
+ 
+ #define CPU_INTR_DNLD_RDY				BIT(0)
+ #define CPU_INTR_DOOR_BELL				BIT(1)
+diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
+index cb71e88..0ffa111 100644
+--- a/drivers/net/wireless/rt2x00/rt2800usb.c
++++ b/drivers/net/wireless/rt2x00/rt2800usb.c
+@@ -914,12 +914,14 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	{ USB_DEVICE(0x050d, 0x8053) },
+ 	{ USB_DEVICE(0x050d, 0x805c) },
+ 	{ USB_DEVICE(0x050d, 0x815c) },
++	{ USB_DEVICE(0x050d, 0x825a) },
+ 	{ USB_DEVICE(0x050d, 0x825b) },
+ 	{ USB_DEVICE(0x050d, 0x935a) },
+ 	{ USB_DEVICE(0x050d, 0x935b) },
+ 	/* Buffalo */
+ 	{ USB_DEVICE(0x0411, 0x00e8) },
+ 	{ USB_DEVICE(0x0411, 0x0158) },
++	{ USB_DEVICE(0x0411, 0x015d) },
+ 	{ USB_DEVICE(0x0411, 0x016f) },
+ 	{ USB_DEVICE(0x0411, 0x01a2) },
+ 	/* Corega */
+@@ -934,6 +936,8 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	{ USB_DEVICE(0x07d1, 0x3c0e) },
+ 	{ USB_DEVICE(0x07d1, 0x3c0f) },
+ 	{ USB_DEVICE(0x07d1, 0x3c11) },
++	{ USB_DEVICE(0x07d1, 0x3c13) },
++	{ USB_DEVICE(0x07d1, 0x3c15) },
+ 	{ USB_DEVICE(0x07d1, 0x3c16) },
+ 	{ USB_DEVICE(0x2001, 0x3c1b) },
+ 	/* Draytek */
+@@ -944,6 +948,7 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	{ USB_DEVICE(0x7392, 0x7711) },
+ 	{ USB_DEVICE(0x7392, 0x7717) },
+ 	{ USB_DEVICE(0x7392, 0x7718) },
++	{ USB_DEVICE(0x7392, 0x7722) },
+ 	/* Encore */
+ 	{ USB_DEVICE(0x203d, 0x1480) },
+ 	{ USB_DEVICE(0x203d, 0x14a9) },
+@@ -978,6 +983,7 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	{ USB_DEVICE(0x1737, 0x0070) },
+ 	{ USB_DEVICE(0x1737, 0x0071) },
+ 	{ USB_DEVICE(0x1737, 0x0077) },
++	{ USB_DEVICE(0x1737, 0x0078) },
+ 	/* Logitec */
+ 	{ USB_DEVICE(0x0789, 0x0162) },
+ 	{ USB_DEVICE(0x0789, 0x0163) },
+@@ -1001,9 +1007,13 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	{ USB_DEVICE(0x0db0, 0x871b) },
+ 	{ USB_DEVICE(0x0db0, 0x871c) },
+ 	{ USB_DEVICE(0x0db0, 0x899a) },
++	/* Ovislink */
++	{ USB_DEVICE(0x1b75, 0x3071) },
++	{ USB_DEVICE(0x1b75, 0x3072) },
+ 	/* Para */
+ 	{ USB_DEVICE(0x20b8, 0x8888) },
+ 	/* Pegatron */
++	{ USB_DEVICE(0x1d4d, 0x0002) },
+ 	{ USB_DEVICE(0x1d4d, 0x000c) },
+ 	{ USB_DEVICE(0x1d4d, 0x000e) },
+ 	{ USB_DEVICE(0x1d4d, 0x0011) },
+@@ -1056,7 +1066,9 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	/* Sparklan */
+ 	{ USB_DEVICE(0x15a9, 0x0006) },
+ 	/* Sweex */
++	{ USB_DEVICE(0x177f, 0x0153) },
+ 	{ USB_DEVICE(0x177f, 0x0302) },
++	{ USB_DEVICE(0x177f, 0x0313) },
+ 	/* U-Media */
+ 	{ USB_DEVICE(0x157e, 0x300e) },
+ 	{ USB_DEVICE(0x157e, 0x3013) },
+@@ -1140,27 +1152,24 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	{ USB_DEVICE(0x13d3, 0x3322) },
+ 	/* Belkin */
+ 	{ USB_DEVICE(0x050d, 0x1003) },
+-	{ USB_DEVICE(0x050d, 0x825a) },
+ 	/* Buffalo */
+ 	{ USB_DEVICE(0x0411, 0x012e) },
+ 	{ USB_DEVICE(0x0411, 0x0148) },
+ 	{ USB_DEVICE(0x0411, 0x0150) },
+-	{ USB_DEVICE(0x0411, 0x015d) },
+ 	/* Corega */
+ 	{ USB_DEVICE(0x07aa, 0x0041) },
+ 	{ USB_DEVICE(0x07aa, 0x0042) },
+ 	{ USB_DEVICE(0x18c5, 0x0008) },
+ 	/* D-Link */
+ 	{ USB_DEVICE(0x07d1, 0x3c0b) },
+-	{ USB_DEVICE(0x07d1, 0x3c13) },
+-	{ USB_DEVICE(0x07d1, 0x3c15) },
+ 	{ USB_DEVICE(0x07d1, 0x3c17) },
+ 	{ USB_DEVICE(0x2001, 0x3c17) },
+ 	/* Edimax */
+ 	{ USB_DEVICE(0x7392, 0x4085) },
+-	{ USB_DEVICE(0x7392, 0x7722) },
+ 	/* Encore */
+ 	{ USB_DEVICE(0x203d, 0x14a1) },
++	/* Fujitsu Stylistic 550 */
++	{ USB_DEVICE(0x1690, 0x0761) },
+ 	/* Gemtek */
+ 	{ USB_DEVICE(0x15a9, 0x0010) },
+ 	/* Gigabyte */
+@@ -1172,19 +1181,13 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	/* LevelOne */
+ 	{ USB_DEVICE(0x1740, 0x0605) },
+ 	{ USB_DEVICE(0x1740, 0x0615) },
+-	/* Linksys */
+-	{ USB_DEVICE(0x1737, 0x0078) },
+ 	/* Logitec */
+ 	{ USB_DEVICE(0x0789, 0x0168) },
+ 	{ USB_DEVICE(0x0789, 0x0169) },
+ 	/* Motorola */
+ 	{ USB_DEVICE(0x100d, 0x9032) },
+-	/* Ovislink */
+-	{ USB_DEVICE(0x1b75, 0x3071) },
+-	{ USB_DEVICE(0x1b75, 0x3072) },
+ 	/* Pegatron */
+ 	{ USB_DEVICE(0x05a6, 0x0101) },
+-	{ USB_DEVICE(0x1d4d, 0x0002) },
+ 	{ USB_DEVICE(0x1d4d, 0x0010) },
+ 	/* Planex */
+ 	{ USB_DEVICE(0x2019, 0x5201) },
+@@ -1203,9 +1206,6 @@ static struct usb_device_id rt2800usb_device_table[] = {
+ 	{ USB_DEVICE(0x083a, 0xc522) },
+ 	{ USB_DEVICE(0x083a, 0xd522) },
+ 	{ USB_DEVICE(0x083a, 0xf511) },
+-	/* Sweex */
+-	{ USB_DEVICE(0x177f, 0x0153) },
+-	{ USB_DEVICE(0x177f, 0x0313) },
+ 	/* Zyxel */
+ 	{ USB_DEVICE(0x0586, 0x341a) },
+ #endif
+diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c
+index d44d398..47ba0f7 100644
+--- a/drivers/net/wireless/rtlwifi/pci.c
++++ b/drivers/net/wireless/rtlwifi/pci.c
+@@ -1961,6 +1961,7 @@ void rtl_pci_disconnect(struct pci_dev *pdev)
+ 		rtl_deinit_deferred_work(hw);
+ 		rtlpriv->intf_ops->adapter_stop(hw);
+ 	}
++	rtlpriv->cfg->ops->disable_interrupt(hw);
+ 
+ 	/*deinit rfkill */
+ 	rtl_deinit_rfkill(hw);
+diff --git a/drivers/net/wireless/wl1251/main.c b/drivers/net/wireless/wl1251/main.c
+index ba3268e..40c1574 100644
+--- a/drivers/net/wireless/wl1251/main.c
++++ b/drivers/net/wireless/wl1251/main.c
+@@ -479,6 +479,7 @@ static void wl1251_op_stop(struct ieee80211_hw *hw)
+ 	cancel_work_sync(&wl->irq_work);
+ 	cancel_work_sync(&wl->tx_work);
+ 	cancel_work_sync(&wl->filter_work);
++	cancel_delayed_work_sync(&wl->elp_work);
+ 
+ 	mutex_lock(&wl->mutex);
+ 
+diff --git a/drivers/net/wireless/wl1251/sdio.c b/drivers/net/wireless/wl1251/sdio.c
+index f786942..1b851f6 100644
+--- a/drivers/net/wireless/wl1251/sdio.c
++++ b/drivers/net/wireless/wl1251/sdio.c
+@@ -315,8 +315,8 @@ static void __devexit wl1251_sdio_remove(struct sdio_func *func)
+ 
+ 	if (wl->irq)
+ 		free_irq(wl->irq, wl);
+-	kfree(wl_sdio);
+ 	wl1251_free_hw(wl);
++	kfree(wl_sdio);
+ 
+ 	sdio_claim_host(func);
+ 	sdio_release_irq(func);
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 6476547..78fda9c 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -2906,6 +2906,40 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x65f8, quirk_intel_mc_errata);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x65f9, quirk_intel_mc_errata);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x65fa, quirk_intel_mc_errata);
+ 
++/*
++ * Some BIOS implementations leave the Intel GPU interrupts enabled,
++ * even though no one is handling them (f.e. i915 driver is never loaded).
++ * Additionally the interrupt destination is not set up properly
++ * and the interrupt ends up -somewhere-.
++ *
++ * These spurious interrupts are "sticky" and the kernel disables
++ * the (shared) interrupt line after 100.000+ generated interrupts.
++ *
++ * Fix it by disabling the still enabled interrupts.
++ * This resolves crashes often seen on monitor unplug.
++ */
++#define I915_DEIER_REG 0x4400c
++static void __devinit disable_igfx_irq(struct pci_dev *dev)
++{
++	void __iomem *regs = pci_iomap(dev, 0, 0);
++	if (regs == NULL) {
++		dev_warn(&dev->dev, "igfx quirk: Can't iomap PCI device\n");
++		return;
++	}
++
++	/* Check if any interrupt line is still enabled */
++	if (readl(regs + I915_DEIER_REG) != 0) {
++		dev_warn(&dev->dev, "BIOS left Intel GPU interrupts enabled; "
++			"disabling\n");
++
++		writel(0, regs + I915_DEIER_REG);
++	}
++
++	pci_iounmap(dev, regs);
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq);
++
+ static void pci_do_fixups(struct pci_dev *dev, struct pci_fixup *f,
+ 			  struct pci_fixup *end)
+ {
+diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c
+index d93e962..1d3bcce 100644
+--- a/drivers/platform/x86/dell-laptop.c
++++ b/drivers/platform/x86/dell-laptop.c
+@@ -184,6 +184,34 @@ static struct dmi_system_id __devinitdata dell_quirks[] = {
+ 		},
+ 		.driver_data = &quirk_dell_vostro_v130,
+ 	},
++	{
++		.callback = dmi_matched,
++		.ident = "Dell Vostro 3555",
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 3555"),
++		},
++		.driver_data = &quirk_dell_vostro_v130,
++	},
++	{
++		.callback = dmi_matched,
++		.ident = "Dell Inspiron N311z",
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron N311z"),
++		},
++		.driver_data = &quirk_dell_vostro_v130,
++	},
++	{
++		.callback = dmi_matched,
++		.ident = "Dell Inspiron M5110",
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron M5110"),
++		},
++		.driver_data = &quirk_dell_vostro_v130,
++	},
++	{ }
+ };
+ 
+ static struct calling_interface_buffer *buffer;
+@@ -615,6 +643,7 @@ static void touchpad_led_set(struct led_classdev *led_cdev,
+ static struct led_classdev touchpad_led = {
+ 	.name = "dell-laptop::touchpad",
+ 	.brightness_set = touchpad_led_set,
++	.flags = LED_CORE_SUSPENDRESUME,
+ };
+ 
+ static int __devinit touchpad_led_init(struct device *dev)
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 1b831c5..e48ba4b 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -192,7 +192,14 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id,
+ 	phy->attached_sata_ps   = dr->attached_sata_ps;
+ 	phy->attached_iproto = dr->iproto << 1;
+ 	phy->attached_tproto = dr->tproto << 1;
+-	memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE);
++	/* help some expanders that fail to zero sas_address in the 'no
++	 * device' case
++	 */
++	if (phy->attached_dev_type == NO_DEVICE ||
++	    phy->linkrate < SAS_LINK_RATE_1_5_GBPS)
++		memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE);
++	else
++		memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE);
+ 	phy->attached_phy_id = dr->attached_phy_id;
+ 	phy->phy_change_count = dr->change_count;
+ 	phy->routing_attr = dr->routing_attr;
+@@ -1643,9 +1650,17 @@ static int sas_find_bcast_phy(struct domain_device *dev, int *phy_id,
+ 		int phy_change_count = 0;
+ 
+ 		res = sas_get_phy_change_count(dev, i, &phy_change_count);
+-		if (res)
+-			goto out;
+-		else if (phy_change_count != ex->ex_phy[i].phy_change_count) {
++		switch (res) {
++		case SMP_RESP_PHY_VACANT:
++		case SMP_RESP_NO_PHY:
++			continue;
++		case SMP_RESP_FUNC_ACC:
++			break;
++		default:
++			return res;
++		}
++
++		if (phy_change_count != ex->ex_phy[i].phy_change_count) {
+ 			if (update)
+ 				ex->ex_phy[i].phy_change_count =
+ 					phy_change_count;
+@@ -1653,8 +1668,7 @@ static int sas_find_bcast_phy(struct domain_device *dev, int *phy_id,
+ 			return 0;
+ 		}
+ 	}
+-out:
+-	return res;
++	return 0;
+ }
+ 
+ static int sas_get_ex_change_count(struct domain_device *dev, int *ecc)
+diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c
+index 24cacff..5f748c0 100644
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -139,10 +139,12 @@ static void fsl_spi_change_mode(struct spi_device *spi)
+ static void fsl_spi_chipselect(struct spi_device *spi, int value)
+ {
+ 	struct mpc8xxx_spi *mpc8xxx_spi = spi_master_get_devdata(spi->master);
+-	struct fsl_spi_platform_data *pdata = spi->dev.parent->platform_data;
++	struct fsl_spi_platform_data *pdata;
+ 	bool pol = spi->mode & SPI_CS_HIGH;
+ 	struct spi_mpc8xxx_cs	*cs = spi->controller_state;
+ 
++	pdata = spi->dev.parent->parent->platform_data;
++
+ 	if (value == BITBANG_CS_INACTIVE) {
+ 		if (pdata->cs_control)
+ 			pdata->cs_control(spi, !pol);
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 77eae99..b2ccdea 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -319,7 +319,7 @@ struct spi_device *spi_alloc_device(struct spi_master *master)
+ 	}
+ 
+ 	spi->master = master;
+-	spi->dev.parent = dev;
++	spi->dev.parent = &master->dev;
+ 	spi->dev.bus = &spi_bus_type;
+ 	spi->dev.release = spidev_release;
+ 	device_initialize(&spi->dev);
+diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c
+index fb11743..4bb2797 100644
+--- a/drivers/staging/rtl8712/os_intfs.c
++++ b/drivers/staging/rtl8712/os_intfs.c
+@@ -476,9 +476,6 @@ static int netdev_close(struct net_device *pnetdev)
+ 	r8712_free_assoc_resources(padapter);
+ 	/*s2-4.*/
+ 	r8712_free_network_queue(padapter);
+-	release_firmware(padapter->fw);
+-	/* never exit with a firmware callback pending */
+-	wait_for_completion(&padapter->rtl8712_fw_ready);
+ 	return 0;
+ }
+ 
+diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c
+index 9bade18..ec41d38 100644
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -30,6 +30,7 @@
+ 
+ #include <linux/usb.h>
+ #include <linux/module.h>
++#include <linux/firmware.h>
+ 
+ #include "osdep_service.h"
+ #include "drv_types.h"
+@@ -621,6 +622,10 @@ static void r871xu_dev_remove(struct usb_interface *pusb_intf)
+ 	struct _adapter *padapter = netdev_priv(pnetdev);
+ 	struct usb_device *udev = interface_to_usbdev(pusb_intf);
+ 
++	if (padapter->fw_found)
++		release_firmware(padapter->fw);
++	/* never exit with a firmware callback pending */
++	wait_for_completion(&padapter->rtl8712_fw_ready);
+ 	usb_set_intfdata(pusb_intf, NULL);
+ 	if (padapter) {
+ 		if (drvpriv.drv_registered == true)
+diff --git a/drivers/tty/amiserial.c b/drivers/tty/amiserial.c
+index b84c834..8daf073 100644
+--- a/drivers/tty/amiserial.c
++++ b/drivers/tty/amiserial.c
+@@ -1113,8 +1113,10 @@ static int set_serial_info(struct async_struct * info,
+ 		    (new_serial.close_delay != state->close_delay) ||
+ 		    (new_serial.xmit_fifo_size != state->xmit_fifo_size) ||
+ 		    ((new_serial.flags & ~ASYNC_USR_MASK) !=
+-		     (state->flags & ~ASYNC_USR_MASK)))
++		     (state->flags & ~ASYNC_USR_MASK))) {
++			tty_unlock();
+ 			return -EPERM;
++		}
+ 		state->flags = ((state->flags & ~ASYNC_USR_MASK) |
+ 			       (new_serial.flags & ASYNC_USR_MASK));
+ 		info->flags = ((info->flags & ~ASYNC_USR_MASK) |
+diff --git a/drivers/tty/serial/clps711x.c b/drivers/tty/serial/clps711x.c
+index e6c3dbd..836fe273 100644
+--- a/drivers/tty/serial/clps711x.c
++++ b/drivers/tty/serial/clps711x.c
+@@ -154,10 +154,9 @@ static irqreturn_t clps711xuart_int_tx(int irq, void *dev_id)
+ 		port->x_char = 0;
+ 		return IRQ_HANDLED;
+ 	}
+-	if (uart_circ_empty(xmit) || uart_tx_stopped(port)) {
+-		clps711xuart_stop_tx(port);
+-		return IRQ_HANDLED;
+-	}
++
++	if (uart_circ_empty(xmit) || uart_tx_stopped(port))
++		goto disable_tx_irq;
+ 
+ 	count = port->fifosize >> 1;
+ 	do {
+@@ -171,8 +170,11 @@ static irqreturn_t clps711xuart_int_tx(int irq, void *dev_id)
+ 	if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+ 		uart_write_wakeup(port);
+ 
+-	if (uart_circ_empty(xmit))
+-		clps711xuart_stop_tx(port);
++	if (uart_circ_empty(xmit)) {
++	disable_tx_irq:
++		disable_irq_nosync(TX_IRQ(port));
++		tx_enabled(port) = 0;
++	}
+ 
+ 	return IRQ_HANDLED;
+ }
+diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
+index da776a0..a4b192d 100644
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -1356,9 +1356,11 @@ static int pch_uart_verify_port(struct uart_port *port,
+ 			__func__);
+ 		return -EOPNOTSUPP;
+ #endif
+-		priv->use_dma = 1;
+ 		priv->use_dma_flag = 1;
+ 		dev_info(priv->port.dev, "PCH UART : Use DMA Mode\n");
++		if (!priv->use_dma)
++			pch_request_dma(port);
++		priv->use_dma = 1;
+ 	}
+ 
+ 	return 0;
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 9eb71d8..2db0327 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -108,8 +108,9 @@ static void wdm_out_callback(struct urb *urb)
+ 	spin_lock(&desc->iuspin);
+ 	desc->werr = urb->status;
+ 	spin_unlock(&desc->iuspin);
+-	clear_bit(WDM_IN_USE, &desc->flags);
+ 	kfree(desc->outbuf);
++	desc->outbuf = NULL;
++	clear_bit(WDM_IN_USE, &desc->flags);
+ 	wake_up(&desc->wait);
+ }
+ 
+@@ -312,7 +313,7 @@ static ssize_t wdm_write
+ 	if (we < 0)
+ 		return -EIO;
+ 
+-	desc->outbuf = buf = kmalloc(count, GFP_KERNEL);
++	buf = kmalloc(count, GFP_KERNEL);
+ 	if (!buf) {
+ 		rv = -ENOMEM;
+ 		goto outnl;
+@@ -376,10 +377,12 @@ static ssize_t wdm_write
+ 	req->wIndex = desc->inum;
+ 	req->wLength = cpu_to_le16(count);
+ 	set_bit(WDM_IN_USE, &desc->flags);
++	desc->outbuf = buf;
+ 
+ 	rv = usb_submit_urb(desc->command, GFP_KERNEL);
+ 	if (rv < 0) {
+ 		kfree(buf);
++		desc->outbuf = NULL;
+ 		clear_bit(WDM_IN_USE, &desc->flags);
+ 		dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv);
+ 	} else {
+diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c
+index 61d08dd..5f1404a 100644
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -495,6 +495,15 @@ static int hcd_pci_suspend_noirq(struct device *dev)
+ 
+ 	pci_save_state(pci_dev);
+ 
++	/*
++	 * Some systems crash if an EHCI controller is in D3 during
++	 * a sleep transition.  We have to leave such controllers in D0.
++	 */
++	if (hcd->broken_pci_sleep) {
++		dev_dbg(dev, "Staying in PCI D0\n");
++		return retval;
++	}
++
+ 	/* If the root hub is dead rather than suspended, disallow remote
+ 	 * wakeup.  usb_hc_died() should ensure that both hosts are marked as
+ 	 * dying, so we only need to check the primary roothub.
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index e238b3b..2b0a341 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1644,7 +1644,6 @@ void usb_disconnect(struct usb_device **pdev)
+ {
+ 	struct usb_device	*udev = *pdev;
+ 	int			i;
+-	struct usb_hcd		*hcd = bus_to_hcd(udev->bus);
+ 
+ 	/* mark the device as inactive, so any further urb submissions for
+ 	 * this device (and any of its children) will fail immediately.
+@@ -1667,9 +1666,7 @@ void usb_disconnect(struct usb_device **pdev)
+ 	 * so that the hardware is now fully quiesced.
+ 	 */
+ 	dev_dbg (&udev->dev, "unregistering device\n");
+-	mutex_lock(hcd->bandwidth_mutex);
+ 	usb_disable_device(udev, 0);
+-	mutex_unlock(hcd->bandwidth_mutex);
+ 	usb_hcd_synchronize_unlinks(udev);
+ 
+ 	usb_remove_ep_devs(&udev->ep0);
+diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
+index aed3e07..ca717da 100644
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -1136,8 +1136,6 @@ void usb_disable_interface(struct usb_device *dev, struct usb_interface *intf,
+  * Deallocates hcd/hardware state for the endpoints (nuking all or most
+  * pending urbs) and usbcore state for the interfaces, so that usbcore
+  * must usb_set_configuration() before any interfaces could be used.
+- *
+- * Must be called with hcd->bandwidth_mutex held.
+  */
+ void usb_disable_device(struct usb_device *dev, int skip_ep0)
+ {
+@@ -1190,7 +1188,9 @@ void usb_disable_device(struct usb_device *dev, int skip_ep0)
+ 			usb_disable_endpoint(dev, i + USB_DIR_IN, false);
+ 		}
+ 		/* Remove endpoints from the host controller internal state */
++		mutex_lock(hcd->bandwidth_mutex);
+ 		usb_hcd_alloc_bandwidth(dev, NULL, NULL, NULL);
++		mutex_unlock(hcd->bandwidth_mutex);
+ 		/* Second pass: remove endpoint pointers */
+ 	}
+ 	for (i = skip_ep0; i < 16; ++i) {
+@@ -1750,7 +1750,6 @@ free_interfaces:
+ 	/* if it's already configured, clear out old state first.
+ 	 * getting rid of old interfaces means unbinding their drivers.
+ 	 */
+-	mutex_lock(hcd->bandwidth_mutex);
+ 	if (dev->state != USB_STATE_ADDRESS)
+ 		usb_disable_device(dev, 1);	/* Skip ep0 */
+ 
+@@ -1763,6 +1762,7 @@ free_interfaces:
+ 	 * host controller will not allow submissions to dropped endpoints.  If
+ 	 * this call fails, the device state is unchanged.
+ 	 */
++	mutex_lock(hcd->bandwidth_mutex);
+ 	ret = usb_hcd_alloc_bandwidth(dev, cp, NULL, NULL);
+ 	if (ret < 0) {
+ 		mutex_unlock(hcd->bandwidth_mutex);
+diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
+index 27bd50a..c0dcf69 100644
+--- a/drivers/usb/dwc3/ep0.c
++++ b/drivers/usb/dwc3/ep0.c
+@@ -572,9 +572,10 @@ static void dwc3_ep0_complete_data(struct dwc3 *dwc,
+ 		dwc->ep0_bounced = false;
+ 	} else {
+ 		transferred = ur->length - trb.length;
+-		ur->actual += transferred;
+ 	}
+ 
++	ur->actual += transferred;
++
+ 	if ((epnum & 1) && ur->actual < ur->length) {
+ 		/* for some reason we did not get everything out */
+ 
+diff --git a/drivers/usb/gadget/dummy_hcd.c b/drivers/usb/gadget/dummy_hcd.c
+index ab8f1b4..527736e 100644
+--- a/drivers/usb/gadget/dummy_hcd.c
++++ b/drivers/usb/gadget/dummy_hcd.c
+@@ -925,7 +925,6 @@ static int dummy_udc_stop(struct usb_gadget *g,
+ 
+ 	dum->driver = NULL;
+ 
+-	dummy_pullup(&dum->gadget, 0);
+ 	return 0;
+ }
+ 
+diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
+index acb3800..0e641a1 100644
+--- a/drivers/usb/gadget/f_fs.c
++++ b/drivers/usb/gadget/f_fs.c
+@@ -712,7 +712,7 @@ static long ffs_ep0_ioctl(struct file *file, unsigned code, unsigned long value)
+ 	if (code == FUNCTIONFS_INTERFACE_REVMAP) {
+ 		struct ffs_function *func = ffs->func;
+ 		ret = func ? ffs_func_revmap_intf(func, value) : -ENODEV;
+-	} else if (gadget->ops->ioctl) {
++	} else if (gadget && gadget->ops->ioctl) {
+ 		ret = gadget->ops->ioctl(gadget, code, value);
+ 	} else {
+ 		ret = -ENOTTY;
+diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c
+index 1a6f415..a5570b6 100644
+--- a/drivers/usb/gadget/f_mass_storage.c
++++ b/drivers/usb/gadget/f_mass_storage.c
+@@ -2182,7 +2182,7 @@ unknown_cmnd:
+ 		common->data_size_from_cmnd = 0;
+ 		sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
+ 		reply = check_command(common, common->cmnd_size,
+-				      DATA_DIR_UNKNOWN, 0xff, 0, unknown);
++				      DATA_DIR_UNKNOWN, ~0, 0, unknown);
+ 		if (reply == 0) {
+ 			common->curlun->sense_data = SS_INVALID_COMMAND;
+ 			reply = -EINVAL;
+diff --git a/drivers/usb/gadget/file_storage.c b/drivers/usb/gadget/file_storage.c
+index 11b5196..db2d607 100644
+--- a/drivers/usb/gadget/file_storage.c
++++ b/drivers/usb/gadget/file_storage.c
+@@ -2569,7 +2569,7 @@ static int do_scsi_command(struct fsg_dev *fsg)
+ 		fsg->data_size_from_cmnd = 0;
+ 		sprintf(unknown, "Unknown x%02x", fsg->cmnd[0]);
+ 		if ((reply = check_command(fsg, fsg->cmnd_size,
+-				DATA_DIR_UNKNOWN, 0xff, 0, unknown)) == 0) {
++				DATA_DIR_UNKNOWN, ~0, 0, unknown)) == 0) {
+ 			fsg->curlun->sense_data = SS_INVALID_COMMAND;
+ 			reply = -EINVAL;
+ 		}
+diff --git a/drivers/usb/gadget/udc-core.c b/drivers/usb/gadget/udc-core.c
+index 6939e17..901924a 100644
+--- a/drivers/usb/gadget/udc-core.c
++++ b/drivers/usb/gadget/udc-core.c
+@@ -211,9 +211,9 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)
+ 
+ 	if (udc_is_newstyle(udc)) {
+ 		udc->driver->disconnect(udc->gadget);
++		usb_gadget_disconnect(udc->gadget);
+ 		udc->driver->unbind(udc->gadget);
+ 		usb_gadget_udc_stop(udc->gadget, udc->driver);
+-		usb_gadget_disconnect(udc->gadget);
+ 	} else {
+ 		usb_gadget_stop(udc->gadget, udc->driver);
+ 	}
+@@ -359,9 +359,13 @@ static ssize_t usb_udc_softconn_store(struct device *dev,
+ 	struct usb_udc		*udc = container_of(dev, struct usb_udc, dev);
+ 
+ 	if (sysfs_streq(buf, "connect")) {
++		if (udc_is_newstyle(udc))
++			usb_gadget_udc_start(udc->gadget, udc->driver);
+ 		usb_gadget_connect(udc->gadget);
+ 	} else if (sysfs_streq(buf, "disconnect")) {
+ 		usb_gadget_disconnect(udc->gadget);
++		if (udc_is_newstyle(udc))
++			usb_gadget_udc_stop(udc->gadget, udc->driver);
+ 	} else {
+ 		dev_err(dev, "unsupported command '%s'\n", buf);
+ 		return -EINVAL;
+diff --git a/drivers/usb/gadget/uvc.h b/drivers/usb/gadget/uvc.h
+index bc78c60..ca4e03a 100644
+--- a/drivers/usb/gadget/uvc.h
++++ b/drivers/usb/gadget/uvc.h
+@@ -28,7 +28,7 @@
+ 
+ struct uvc_request_data
+ {
+-	unsigned int length;
++	__s32 length;
+ 	__u8 data[60];
+ };
+ 
+diff --git a/drivers/usb/gadget/uvc_v4l2.c b/drivers/usb/gadget/uvc_v4l2.c
+index f6e083b..54d7ca5 100644
+--- a/drivers/usb/gadget/uvc_v4l2.c
++++ b/drivers/usb/gadget/uvc_v4l2.c
+@@ -39,7 +39,7 @@ uvc_send_response(struct uvc_device *uvc, struct uvc_request_data *data)
+ 	if (data->length < 0)
+ 		return usb_ep_set_halt(cdev->gadget->ep0);
+ 
+-	req->length = min(uvc->event_length, data->length);
++	req->length = min_t(unsigned int, uvc->event_length, data->length);
+ 	req->zero = data->length < uvc->event_length;
+ 	req->dma = DMA_ADDR_INVALID;
+ 
+diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
+index 3ff9f82..da2f711 100644
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -815,8 +815,13 @@ static irqreturn_t ehci_irq (struct usb_hcd *hcd)
+ 		goto dead;
+ 	}
+ 
++	/*
++	 * We don't use STS_FLR, but some controllers don't like it to
++	 * remain on, so mask it out along with the other status bits.
++	 */
++	masked_status = status & (INTR_MASK | STS_FLR);
++
+ 	/* Shared IRQ? */
+-	masked_status = status & INTR_MASK;
+ 	if (!masked_status || unlikely(ehci->rh_state == EHCI_RH_HALTED)) {
+ 		spin_unlock(&ehci->lock);
+ 		return IRQ_NONE;
+@@ -867,7 +872,7 @@ static irqreturn_t ehci_irq (struct usb_hcd *hcd)
+ 		pcd_status = status;
+ 
+ 		/* resume root hub? */
+-		if (!(cmd & CMD_RUN))
++		if (ehci->rh_state == EHCI_RH_SUSPENDED)
+ 			usb_hcd_resume_root_hub(hcd);
+ 
+ 		/* get per-port change detect bits */
+diff --git a/drivers/usb/host/ehci-pci.c b/drivers/usb/host/ehci-pci.c
+index f4b627d..971d312 100644
+--- a/drivers/usb/host/ehci-pci.c
++++ b/drivers/usb/host/ehci-pci.c
+@@ -144,6 +144,14 @@ static int ehci_pci_setup(struct usb_hcd *hcd)
+ 			hcd->has_tt = 1;
+ 			tdi_reset(ehci);
+ 		}
++		if (pdev->subsystem_vendor == PCI_VENDOR_ID_ASUSTEK) {
++			/* EHCI #1 or #2 on 6 Series/C200 Series chipset */
++			if (pdev->device == 0x1c26 || pdev->device == 0x1c2d) {
++				ehci_info(ehci, "broken D3 during system sleep on ASUS\n");
++				hcd->broken_pci_sleep = 1;
++				device_set_wakeup_capable(&pdev->dev, false);
++			}
++		}
+ 		break;
+ 	case PCI_VENDOR_ID_TDI:
+ 		if (pdev->device == PCI_DEVICE_ID_TDI_EHCI) {
+diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
+index ac5bfd6..2504694 100644
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -99,9 +99,7 @@ static void yurex_delete(struct kref *kref)
+ 	usb_put_dev(dev->udev);
+ 	if (dev->cntl_urb) {
+ 		usb_kill_urb(dev->cntl_urb);
+-		if (dev->cntl_req)
+-			usb_free_coherent(dev->udev, YUREX_BUF_SIZE,
+-				dev->cntl_req, dev->cntl_urb->setup_dma);
++		kfree(dev->cntl_req);
+ 		if (dev->cntl_buffer)
+ 			usb_free_coherent(dev->udev, YUREX_BUF_SIZE,
+ 				dev->cntl_buffer, dev->cntl_urb->transfer_dma);
+@@ -234,9 +232,7 @@ static int yurex_probe(struct usb_interface *interface, const struct usb_device_
+ 	}
+ 
+ 	/* allocate buffer for control req */
+-	dev->cntl_req = usb_alloc_coherent(dev->udev, YUREX_BUF_SIZE,
+-					   GFP_KERNEL,
+-					   &dev->cntl_urb->setup_dma);
++	dev->cntl_req = kmalloc(YUREX_BUF_SIZE, GFP_KERNEL);
+ 	if (!dev->cntl_req) {
+ 		err("Could not allocate cntl_req");
+ 		goto error;
+@@ -286,7 +282,7 @@ static int yurex_probe(struct usb_interface *interface, const struct usb_device_
+ 			 usb_rcvintpipe(dev->udev, dev->int_in_endpointAddr),
+ 			 dev->int_buffer, YUREX_BUF_SIZE, yurex_interrupt,
+ 			 dev, 1);
+-	dev->cntl_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
++	dev->urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+ 	if (usb_submit_urb(dev->urb, GFP_KERNEL)) {
+ 		retval = -EIO;
+ 		err("Could not submitting URB");
+diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c
+index ba85f27..a8f0c09 100644
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -282,7 +282,8 @@ static int musb_otg_notifications(struct notifier_block *nb,
+ 
+ static int omap2430_musb_init(struct musb *musb)
+ {
+-	u32 l, status = 0;
++	u32 l;
++	int status = 0;
+ 	struct device *dev = musb->controller;
+ 	struct musb_hdrc_platform_data *plat = dev->platform_data;
+ 	struct omap_musb_board_data *data = plat->board_data;
+@@ -299,7 +300,7 @@ static int omap2430_musb_init(struct musb *musb)
+ 
+ 	status = pm_runtime_get_sync(dev);
+ 	if (status < 0) {
+-		dev_err(dev, "pm_runtime_get_sync FAILED");
++		dev_err(dev, "pm_runtime_get_sync FAILED %d\n", status);
+ 		goto err1;
+ 	}
+ 
+@@ -451,14 +452,14 @@ static int __init omap2430_probe(struct platform_device *pdev)
+ 		goto err2;
+ 	}
+ 
++	pm_runtime_enable(&pdev->dev);
++
+ 	ret = platform_device_add(musb);
+ 	if (ret) {
+ 		dev_err(&pdev->dev, "failed to register musb device\n");
+ 		goto err2;
+ 	}
+ 
+-	pm_runtime_enable(&pdev->dev);
+-
+ 	return 0;
+ 
+ err2:
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index 4c12404..f2c57e0 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -285,7 +285,8 @@ static int cp210x_get_config(struct usb_serial_port *port, u8 request,
+ 	/* Issue the request, attempting to read 'size' bytes */
+ 	result = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
+ 				request, REQTYPE_DEVICE_TO_HOST, 0x0000,
+-				port_priv->bInterfaceNumber, buf, size, 300);
++				port_priv->bInterfaceNumber, buf, size,
++				USB_CTRL_GET_TIMEOUT);
+ 
+ 	/* Convert data into an array of integers */
+ 	for (i = 0; i < length; i++)
+@@ -335,12 +336,14 @@ static int cp210x_set_config(struct usb_serial_port *port, u8 request,
+ 		result = usb_control_msg(serial->dev,
+ 				usb_sndctrlpipe(serial->dev, 0),
+ 				request, REQTYPE_HOST_TO_DEVICE, 0x0000,
+-				port_priv->bInterfaceNumber, buf, size, 300);
++				port_priv->bInterfaceNumber, buf, size,
++				USB_CTRL_SET_TIMEOUT);
+ 	} else {
+ 		result = usb_control_msg(serial->dev,
+ 				usb_sndctrlpipe(serial->dev, 0),
+ 				request, REQTYPE_HOST_TO_DEVICE, data[0],
+-				port_priv->bInterfaceNumber, NULL, 0, 300);
++				port_priv->bInterfaceNumber, NULL, 0,
++				USB_CTRL_SET_TIMEOUT);
+ 	}
+ 
+ 	kfree(buf);
+diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c
+index 7c3ec9e..e093585 100644
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -221,7 +221,7 @@ static const struct sierra_iface_info typeB_interface_list = {
+ };
+ 
+ /* 'blacklist' of interfaces not served by this driver */
+-static const u8 direct_ip_non_serial_ifaces[] = { 7, 8, 9, 10, 11 };
++static const u8 direct_ip_non_serial_ifaces[] = { 7, 8, 9, 10, 11, 19, 20 };
+ static const struct sierra_iface_info direct_ip_interface_blacklist = {
+ 	.infolen = ARRAY_SIZE(direct_ip_non_serial_ifaces),
+ 	.ifaceinfo = direct_ip_non_serial_ifaces,
+@@ -289,7 +289,6 @@ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE(0x1199, 0x6856) },	/* Sierra Wireless AirCard 881 U */
+ 	{ USB_DEVICE(0x1199, 0x6859) },	/* Sierra Wireless AirCard 885 E */
+ 	{ USB_DEVICE(0x1199, 0x685A) },	/* Sierra Wireless AirCard 885 E */
+-	{ USB_DEVICE(0x1199, 0x68A2) }, /* Sierra Wireless MC7710 */
+ 	/* Sierra Wireless C885 */
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x6880, 0xFF, 0xFF, 0xFF)},
+ 	/* Sierra Wireless C888, Air Card 501, USB 303, USB 304 */
+@@ -299,6 +298,9 @@ static const struct usb_device_id id_table[] = {
+ 	/* Sierra Wireless HSPA Non-Composite Device */
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(0x1199, 0x6892, 0xFF, 0xFF, 0xFF)},
+ 	{ USB_DEVICE(0x1199, 0x6893) },	/* Sierra Wireless Device */
++	{ USB_DEVICE(0x1199, 0x68A2),   /* Sierra Wireless MC77xx in QMI mode */
++	  .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
++	},
+ 	{ USB_DEVICE(0x1199, 0x68A3), 	/* Sierra Wireless Direct IP modems */
+ 	  .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
+ 	},
+diff --git a/drivers/uwb/hwa-rc.c b/drivers/uwb/hwa-rc.c
+index 2babcd4..86685e9 100644
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -645,7 +645,8 @@ void hwarc_neep_cb(struct urb *urb)
+ 		dev_err(dev, "NEEP: URB error %d\n", urb->status);
+ 	}
+ 	result = usb_submit_urb(urb, GFP_ATOMIC);
+-	if (result < 0) {
++	if (result < 0 && result != -ENODEV && result != -EPERM) {
++		/* ignoring unrecoverable errors */
+ 		dev_err(dev, "NEEP: Can't resubmit URB (%d) resetting device\n",
+ 			result);
+ 		goto error;
+diff --git a/drivers/uwb/neh.c b/drivers/uwb/neh.c
+index a269937..8cb71bb 100644
+--- a/drivers/uwb/neh.c
++++ b/drivers/uwb/neh.c
+@@ -107,6 +107,7 @@ struct uwb_rc_neh {
+ 	u8 evt_type;
+ 	__le16 evt;
+ 	u8 context;
++	u8 completed;
+ 	uwb_rc_cmd_cb_f cb;
+ 	void *arg;
+ 
+@@ -409,6 +410,7 @@ static void uwb_rc_neh_grok_event(struct uwb_rc *rc, struct uwb_rceb *rceb, size
+ 	struct device *dev = &rc->uwb_dev.dev;
+ 	struct uwb_rc_neh *neh;
+ 	struct uwb_rceb *notif;
++	unsigned long flags;
+ 
+ 	if (rceb->bEventContext == 0) {
+ 		notif = kmalloc(size, GFP_ATOMIC);
+@@ -422,7 +424,11 @@ static void uwb_rc_neh_grok_event(struct uwb_rc *rc, struct uwb_rceb *rceb, size
+ 	} else {
+ 		neh = uwb_rc_neh_lookup(rc, rceb);
+ 		if (neh) {
+-			del_timer_sync(&neh->timer);
++			spin_lock_irqsave(&rc->neh_lock, flags);
++			/* to guard against a timeout */
++			neh->completed = 1;
++			del_timer(&neh->timer);
++			spin_unlock_irqrestore(&rc->neh_lock, flags);
+ 			uwb_rc_neh_cb(neh, rceb, size);
+ 		} else
+ 			dev_warn(dev, "event 0x%02x/%04x/%02x (%zu bytes): nobody cared\n",
+@@ -568,6 +574,10 @@ static void uwb_rc_neh_timer(unsigned long arg)
+ 	unsigned long flags;
+ 
+ 	spin_lock_irqsave(&rc->neh_lock, flags);
++	if (neh->completed) {
++		spin_unlock_irqrestore(&rc->neh_lock, flags);
++		return;
++	}
+ 	if (neh->context)
+ 		__uwb_rc_neh_rm(rc, neh);
+ 	else
+diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
+index afca14d..625890c 100644
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -692,7 +692,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
+ 	vma->vm_flags |= VM_RESERVED|VM_DONTEXPAND;
+ 
+ 	if (use_ptemod)
+-		vma->vm_flags |= VM_DONTCOPY|VM_PFNMAP;
++		vma->vm_flags |= VM_DONTCOPY;
+ 
+ 	vma->vm_private_data = map;
+ 
+diff --git a/drivers/xen/xenbus/xenbus_probe_frontend.c b/drivers/xen/xenbus/xenbus_probe_frontend.c
+index 2f73195..2ce95c0 100644
+--- a/drivers/xen/xenbus/xenbus_probe_frontend.c
++++ b/drivers/xen/xenbus/xenbus_probe_frontend.c
+@@ -129,7 +129,7 @@ static int read_backend_details(struct xenbus_device *xendev)
+ 	return xenbus_read_otherend_details(xendev, "backend-id", "backend");
+ }
+ 
+-static int is_device_connecting(struct device *dev, void *data)
++static int is_device_connecting(struct device *dev, void *data, bool ignore_nonessential)
+ {
+ 	struct xenbus_device *xendev = to_xenbus_device(dev);
+ 	struct device_driver *drv = data;
+@@ -146,16 +146,41 @@ static int is_device_connecting(struct device *dev, void *data)
+ 	if (drv && (dev->driver != drv))
+ 		return 0;
+ 
++	if (ignore_nonessential) {
++		/* With older QEMU, for PVonHVM guests the guest config files
++		 * could contain: vfb = [ 'vnc=1, vnclisten=0.0.0.0']
++		 * which is nonsensical as there is no PV FB (there can be
++		 * a PVKB) running as HVM guest. */
++
++		if ((strncmp(xendev->nodename, "device/vkbd", 11) == 0))
++			return 0;
++
++		if ((strncmp(xendev->nodename, "device/vfb", 10) == 0))
++			return 0;
++	}
+ 	xendrv = to_xenbus_driver(dev->driver);
+ 	return (xendev->state < XenbusStateConnected ||
+ 		(xendev->state == XenbusStateConnected &&
+ 		 xendrv->is_ready && !xendrv->is_ready(xendev)));
+ }
++static int essential_device_connecting(struct device *dev, void *data)
++{
++	return is_device_connecting(dev, data, true /* ignore PV[KBB+FB] */);
++}
++static int non_essential_device_connecting(struct device *dev, void *data)
++{
++	return is_device_connecting(dev, data, false);
++}
+ 
+-static int exists_connecting_device(struct device_driver *drv)
++static int exists_essential_connecting_device(struct device_driver *drv)
+ {
+ 	return bus_for_each_dev(&xenbus_frontend.bus, NULL, drv,
+-				is_device_connecting);
++				essential_device_connecting);
++}
++static int exists_non_essential_connecting_device(struct device_driver *drv)
++{
++	return bus_for_each_dev(&xenbus_frontend.bus, NULL, drv,
++				non_essential_device_connecting);
+ }
+ 
+ static int print_device_status(struct device *dev, void *data)
+@@ -186,6 +211,23 @@ static int print_device_status(struct device *dev, void *data)
+ /* We only wait for device setup after most initcalls have run. */
+ static int ready_to_wait_for_devices;
+ 
++static bool wait_loop(unsigned long start, unsigned int max_delay,
++		     unsigned int *seconds_waited)
++{
++	if (time_after(jiffies, start + (*seconds_waited+5)*HZ)) {
++		if (!*seconds_waited)
++			printk(KERN_WARNING "XENBUS: Waiting for "
++			       "devices to initialise: ");
++		*seconds_waited += 5;
++		printk("%us...", max_delay - *seconds_waited);
++		if (*seconds_waited == max_delay)
++			return true;
++	}
++
++	schedule_timeout_interruptible(HZ/10);
++
++	return false;
++}
+ /*
+  * On a 5-minute timeout, wait for all devices currently configured.  We need
+  * to do this to guarantee that the filesystems and / or network devices
+@@ -209,19 +251,14 @@ static void wait_for_devices(struct xenbus_driver *xendrv)
+ 	if (!ready_to_wait_for_devices || !xen_domain())
+ 		return;
+ 
+-	while (exists_connecting_device(drv)) {
+-		if (time_after(jiffies, start + (seconds_waited+5)*HZ)) {
+-			if (!seconds_waited)
+-				printk(KERN_WARNING "XENBUS: Waiting for "
+-				       "devices to initialise: ");
+-			seconds_waited += 5;
+-			printk("%us...", 300 - seconds_waited);
+-			if (seconds_waited == 300)
+-				break;
+-		}
+-
+-		schedule_timeout_interruptible(HZ/10);
+-	}
++	while (exists_non_essential_connecting_device(drv))
++		if (wait_loop(start, 30, &seconds_waited))
++			break;
++
++	/* Skips PVKB and PVFB check.*/
++	while (exists_essential_connecting_device(drv))
++		if (wait_loop(start, 270, &seconds_waited))
++			break;
+ 
+ 	if (seconds_waited)
+ 		printk("\n");
+diff --git a/fs/autofs4/autofs_i.h b/fs/autofs4/autofs_i.h
+index 308a98b..650d520 100644
+--- a/fs/autofs4/autofs_i.h
++++ b/fs/autofs4/autofs_i.h
+@@ -110,7 +110,6 @@ struct autofs_sb_info {
+ 	int sub_version;
+ 	int min_proto;
+ 	int max_proto;
+-	int compat_daemon;
+ 	unsigned long exp_timeout;
+ 	unsigned int type;
+ 	int reghost_enabled;
+@@ -269,6 +268,17 @@ int autofs4_fill_super(struct super_block *, void *, int);
+ struct autofs_info *autofs4_new_ino(struct autofs_sb_info *);
+ void autofs4_clean_ino(struct autofs_info *);
+ 
++static inline int autofs_prepare_pipe(struct file *pipe)
++{
++	if (!pipe->f_op || !pipe->f_op->write)
++		return -EINVAL;
++	if (!S_ISFIFO(pipe->f_dentry->d_inode->i_mode))
++		return -EINVAL;
++	/* We want a packet pipe */
++	pipe->f_flags |= O_DIRECT;
++	return 0;
++}
++
+ /* Queue management functions */
+ 
+ int autofs4_wait(struct autofs_sb_info *,struct dentry *, enum autofs_notify);
+diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c
+index 56bac70..de54271 100644
+--- a/fs/autofs4/dev-ioctl.c
++++ b/fs/autofs4/dev-ioctl.c
+@@ -376,7 +376,7 @@ static int autofs_dev_ioctl_setpipefd(struct file *fp,
+ 			err = -EBADF;
+ 			goto out;
+ 		}
+-		if (!pipe->f_op || !pipe->f_op->write) {
++		if (autofs_prepare_pipe(pipe) < 0) {
+ 			err = -EPIPE;
+ 			fput(pipe);
+ 			goto out;
+@@ -385,7 +385,6 @@ static int autofs_dev_ioctl_setpipefd(struct file *fp,
+ 		sbi->pipefd = pipefd;
+ 		sbi->pipe = pipe;
+ 		sbi->catatonic = 0;
+-		sbi->compat_daemon = is_compat_task();
+ 	}
+ out:
+ 	mutex_unlock(&sbi->wq_mutex);
+diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c
+index 98a5695..7b5293e 100644
+--- a/fs/autofs4/inode.c
++++ b/fs/autofs4/inode.c
+@@ -19,7 +19,6 @@
+ #include <linux/parser.h>
+ #include <linux/bitops.h>
+ #include <linux/magic.h>
+-#include <linux/compat.h>
+ #include "autofs_i.h"
+ #include <linux/module.h>
+ 
+@@ -225,7 +224,6 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent)
+ 	set_autofs_type_indirect(&sbi->type);
+ 	sbi->min_proto = 0;
+ 	sbi->max_proto = 0;
+-	sbi->compat_daemon = is_compat_task();
+ 	mutex_init(&sbi->wq_mutex);
+ 	spin_lock_init(&sbi->fs_lock);
+ 	sbi->queues = NULL;
+@@ -294,7 +292,7 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent)
+ 		printk("autofs: could not open pipe file descriptor\n");
+ 		goto fail_dput;
+ 	}
+-	if (!pipe->f_op || !pipe->f_op->write)
++	if (autofs_prepare_pipe(pipe) < 0)
+ 		goto fail_fput;
+ 	sbi->pipe = pipe;
+ 	sbi->pipefd = pipefd;
+diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
+index 6861f61..e1fbdee 100644
+--- a/fs/autofs4/waitq.c
++++ b/fs/autofs4/waitq.c
+@@ -90,24 +90,7 @@ static int autofs4_write(struct file *file, const void *addr, int bytes)
+ 
+ 	return (bytes > 0);
+ }
+-
+-/*
+- * The autofs_v5 packet was misdesigned.
+- *
+- * The packets are identical on x86-32 and x86-64, but have different
+- * alignment. Which means that 'sizeof()' will give different results.
+- * Fix it up for the case of running 32-bit user mode on a 64-bit kernel.
+- */
+-static noinline size_t autofs_v5_packet_size(struct autofs_sb_info *sbi)
+-{
+-	size_t pktsz = sizeof(struct autofs_v5_packet);
+-#if defined(CONFIG_X86_64) && defined(CONFIG_COMPAT)
+-	if (sbi->compat_daemon > 0)
+-		pktsz -= 4;
+-#endif
+-	return pktsz;
+-}
+-
++	
+ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
+ 				 struct autofs_wait_queue *wq,
+ 				 int type)
+@@ -164,7 +147,8 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
+ 	{
+ 		struct autofs_v5_packet *packet = &pkt.v5_pkt.v5_packet;
+ 
+-		pktsz = autofs_v5_packet_size(sbi);
++		pktsz = sizeof(*packet);
++
+ 		packet->wait_queue_token = wq->wait_queue_token;
+ 		packet->len = wq->name.len;
+ 		memcpy(packet->name, wq->name.name, wq->name.len);
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 6738503..83a871f 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -2025,7 +2025,7 @@ BTRFS_SETGET_STACK_FUNCS(root_last_snapshot, struct btrfs_root_item,
+ 
+ static inline bool btrfs_root_readonly(struct btrfs_root *root)
+ {
+-	return root->root_item.flags & BTRFS_ROOT_SUBVOL_RDONLY;
++	return (root->root_item.flags & cpu_to_le64(BTRFS_ROOT_SUBVOL_RDONLY)) != 0;
+ }
+ 
+ /* struct btrfs_root_backup */
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index 0e6adac..e89803b 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -4826,8 +4826,12 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
+ 		max_len = data_end - temp;
+ 		node->node_name = cifs_strndup_from_ucs(temp, max_len,
+ 						      is_unicode, nls_codepage);
+-		if (!node->node_name)
++		if (!node->node_name) {
+ 			rc = -ENOMEM;
++			goto parse_DFS_referrals_exit;
++		}
++
++		ref++;
+ 	}
+ 
+ parse_DFS_referrals_exit:
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index ea54cde..4d9d3a4 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -988,6 +988,10 @@ static int path_count[PATH_ARR_SIZE];
+ 
+ static int path_count_inc(int nests)
+ {
++	/* Allow an arbitrary number of depth 1 paths */
++	if (nests == 0)
++		return 0;
++
+ 	if (++path_count[nests] > path_limits[nests])
+ 		return -1;
+ 	return 0;
+diff --git a/fs/exec.c b/fs/exec.c
+index 3625464..160cd2f 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -973,6 +973,9 @@ static int de_thread(struct task_struct *tsk)
+ 	sig->notify_count = 0;
+ 
+ no_thread_group:
++	/* we have changed execution domain */
++	tsk->exit_signal = SIGCHLD;
++
+ 	if (current->mm)
+ 		setmax_mm_hiwater_rss(&sig->maxrss, current->mm);
+ 
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index c2a2012..54f2bdc 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -2812,7 +2812,7 @@ static int ext4_split_extent_at(handle_t *handle,
+ 		if (err)
+ 			goto fix_extent_len;
+ 		/* update the extent length and mark as initialized */
+-		ex->ee_len = cpu_to_le32(ee_len);
++		ex->ee_len = cpu_to_le16(ee_len);
+ 		ext4_ext_try_to_merge(inode, path, ex);
+ 		err = ext4_ext_dirty(handle, inode, path + depth);
+ 		goto out;
+diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
+index 4dfbfec..ec2a9c2 100644
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid,
+ 	err = hfs_brec_find(&src_fd);
+ 	if (err)
+ 		goto out;
++	if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++		err = -EIO;
++		goto out;
++	}
+ 
+ 	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+ 				src_fd.entrylength);
+diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
+index 4536cd3..5adb740 100644
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 		filp->f_pos++;
+ 		/* fall through */
+ 	case 1:
++		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++			err = -EIO;
++			goto out;
++		}
++
+ 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+ 			fd.entrylength);
+ 		if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
+@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 			err = -EIO;
+ 			goto out;
+ 		}
++
++		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++			err = -EIO;
++			goto out;
++		}
++
+ 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+ 			fd.entrylength);
+ 		type = be16_to_cpu(entry.type);
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 68d704d..d751f04 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -683,7 +683,7 @@ start_journal_io:
+ 	if (commit_transaction->t_need_data_flush &&
+ 	    (journal->j_fs_dev != journal->j_dev) &&
+ 	    (journal->j_flags & JBD2_BARRIER))
+-		blkdev_issue_flush(journal->j_fs_dev, GFP_KERNEL, NULL);
++		blkdev_issue_flush(journal->j_fs_dev, GFP_NOFS, NULL);
+ 
+ 	/* Done it all: now write the commit record asynchronously. */
+ 	if (JBD2_HAS_INCOMPAT_FEATURE(journal,
+@@ -819,7 +819,7 @@ wait_for_iobuf:
+ 	if (JBD2_HAS_INCOMPAT_FEATURE(journal,
+ 				      JBD2_FEATURE_INCOMPAT_ASYNC_COMMIT) &&
+ 	    journal->j_flags & JBD2_BARRIER) {
+-		blkdev_issue_flush(journal->j_dev, GFP_KERNEL, NULL);
++		blkdev_issue_flush(journal->j_dev, GFP_NOFS, NULL);
+ 	}
+ 
+ 	if (err)
+diff --git a/fs/lockd/clnt4xdr.c b/fs/lockd/clnt4xdr.c
+index f848b52..046bb77 100644
+--- a/fs/lockd/clnt4xdr.c
++++ b/fs/lockd/clnt4xdr.c
+@@ -241,7 +241,7 @@ static int decode_nlm4_stat(struct xdr_stream *xdr, __be32 *stat)
+ 	p = xdr_inline_decode(xdr, 4);
+ 	if (unlikely(p == NULL))
+ 		goto out_overflow;
+-	if (unlikely(*p > nlm4_failed))
++	if (unlikely(ntohl(*p) > ntohl(nlm4_failed)))
+ 		goto out_bad_xdr;
+ 	*stat = *p;
+ 	return 0;
+diff --git a/fs/lockd/clntxdr.c b/fs/lockd/clntxdr.c
+index 180ac34..36057ce 100644
+--- a/fs/lockd/clntxdr.c
++++ b/fs/lockd/clntxdr.c
+@@ -236,7 +236,7 @@ static int decode_nlm_stat(struct xdr_stream *xdr,
+ 	p = xdr_inline_decode(xdr, 4);
+ 	if (unlikely(p == NULL))
+ 		goto out_overflow;
+-	if (unlikely(*p > nlm_lck_denied_grace_period))
++	if (unlikely(ntohl(*p) > ntohl(nlm_lck_denied_grace_period)))
+ 		goto out_enum;
+ 	*stat = *p;
+ 	return 0;
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 757293b..51f6a40 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4453,7 +4453,9 @@ static int _nfs4_do_setlk(struct nfs4_state *state, int cmd, struct file_lock *f
+ static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
+ {
+ 	struct nfs_server *server = NFS_SERVER(state->inode);
+-	struct nfs4_exception exception = { };
++	struct nfs4_exception exception = {
++		.inode = state->inode,
++	};
+ 	int err;
+ 
+ 	do {
+@@ -4471,7 +4473,9 @@ static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request
+ static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
+ {
+ 	struct nfs_server *server = NFS_SERVER(state->inode);
+-	struct nfs4_exception exception = { };
++	struct nfs4_exception exception = {
++		.inode = state->inode,
++	};
+ 	int err;
+ 
+ 	err = nfs4_set_lock_state(state, request);
+@@ -4551,6 +4555,7 @@ static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *
+ {
+ 	struct nfs4_exception exception = {
+ 		.state = state,
++		.inode = state->inode,
+ 	};
+ 	int err;
+ 
+@@ -4596,6 +4601,20 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request)
+ 
+ 	if (state == NULL)
+ 		return -ENOLCK;
++	/*
++	 * Don't rely on the VFS having checked the file open mode,
++	 * since it won't do this for flock() locks.
++	 */
++	switch (request->fl_type & (F_RDLCK|F_WRLCK|F_UNLCK)) {
++	case F_RDLCK:
++		if (!(filp->f_mode & FMODE_READ))
++			return -EBADF;
++		break;
++	case F_WRLCK:
++		if (!(filp->f_mode & FMODE_WRITE))
++			return -EBADF;
++	}
++
+ 	do {
+ 		status = nfs4_proc_setlk(state, cmd, request);
+ 		if ((status != -EAGAIN) || IS_SETLK(cmd))
+diff --git a/fs/nfs/read.c b/fs/nfs/read.c
+index cfa175c..41bae32 100644
+--- a/fs/nfs/read.c
++++ b/fs/nfs/read.c
+@@ -324,7 +324,7 @@ out_bad:
+ 	while (!list_empty(res)) {
+ 		data = list_entry(res->next, struct nfs_read_data, list);
+ 		list_del(&data->list);
+-		nfs_readdata_free(data);
++		nfs_readdata_release(data);
+ 	}
+ 	nfs_readpage_release(req);
+ 	return -ENOMEM;
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 3ada13c..376cd65 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2708,11 +2708,15 @@ static struct vfsmount *nfs_do_root_mount(struct file_system_type *fs_type,
+ 	char *root_devname;
+ 	size_t len;
+ 
+-	len = strlen(hostname) + 3;
++	len = strlen(hostname) + 5;
+ 	root_devname = kmalloc(len, GFP_KERNEL);
+ 	if (root_devname == NULL)
+ 		return ERR_PTR(-ENOMEM);
+-	snprintf(root_devname, len, "%s:/", hostname);
++	/* Does hostname needs to be enclosed in brackets? */
++	if (strchr(hostname, ':'))
++		snprintf(root_devname, len, "[%s]:/", hostname);
++	else
++		snprintf(root_devname, len, "%s:/", hostname);
+ 	root_mnt = vfs_kern_mount(fs_type, flags, root_devname, data);
+ 	kfree(root_devname);
+ 	return root_mnt;
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 1dda78d..4efd421 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -974,7 +974,7 @@ out_bad:
+ 	while (!list_empty(res)) {
+ 		data = list_entry(res->next, struct nfs_write_data, list);
+ 		list_del(&data->list);
+-		nfs_writedata_free(data);
++		nfs_writedata_release(data);
+ 	}
+ 	nfs_redirty_request(req);
+ 	return -ENOMEM;
+diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
+index 08c6e36..43f46cd 100644
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -803,13 +803,13 @@ encode_entry_baggage(struct nfsd3_readdirres *cd, __be32 *p, const char *name,
+ 	return p;
+ }
+ 
+-static int
++static __be32
+ compose_entry_fh(struct nfsd3_readdirres *cd, struct svc_fh *fhp,
+ 		const char *name, int namlen)
+ {
+ 	struct svc_export	*exp;
+ 	struct dentry		*dparent, *dchild;
+-	int rv = 0;
++	__be32 rv = nfserr_noent;
+ 
+ 	dparent = cd->fh.fh_dentry;
+ 	exp  = cd->fh.fh_export;
+@@ -817,26 +817,20 @@ compose_entry_fh(struct nfsd3_readdirres *cd, struct svc_fh *fhp,
+ 	if (isdotent(name, namlen)) {
+ 		if (namlen == 2) {
+ 			dchild = dget_parent(dparent);
+-			if (dchild == dparent) {
+-				/* filesystem root - cannot return filehandle for ".." */
+-				dput(dchild);
+-				return -ENOENT;
+-			}
++			/* filesystem root - cannot return filehandle for ".." */
++			if (dchild == dparent)
++				goto out;
+ 		} else
+ 			dchild = dget(dparent);
+ 	} else
+ 		dchild = lookup_one_len(name, dparent, namlen);
+ 	if (IS_ERR(dchild))
+-		return -ENOENT;
+-	rv = -ENOENT;
++		return rv;
+ 	if (d_mountpoint(dchild))
+ 		goto out;
+-	rv = fh_compose(fhp, exp, dchild, &cd->fh);
+-	if (rv)
+-		goto out;
+ 	if (!dchild->d_inode)
+ 		goto out;
+-	rv = 0;
++	rv = fh_compose(fhp, exp, dchild, &cd->fh);
+ out:
+ 	dput(dchild);
+ 	return rv;
+@@ -845,7 +839,7 @@ out:
+ static __be32 *encode_entryplus_baggage(struct nfsd3_readdirres *cd, __be32 *p, const char *name, int namlen)
+ {
+ 	struct svc_fh	fh;
+-	int err;
++	__be32 err;
+ 
+ 	fh_init(&fh, NFS3_FHSIZE);
+ 	err = compose_entry_fh(cd, &fh, name, namlen);
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index fa38336..b8c5538 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -231,17 +231,17 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o
+ 		 */
+ 		if (open->op_createmode == NFS4_CREATE_EXCLUSIVE && status == 0)
+ 			open->op_bmval[1] = (FATTR4_WORD1_TIME_ACCESS |
+-						FATTR4_WORD1_TIME_MODIFY);
++							FATTR4_WORD1_TIME_MODIFY);
+ 	} else {
+ 		status = nfsd_lookup(rqstp, current_fh,
+ 				     open->op_fname.data, open->op_fname.len, &resfh);
+ 		fh_unlock(current_fh);
+-		if (status)
+-			goto out;
+-		status = nfsd_check_obj_isreg(&resfh);
+ 	}
+ 	if (status)
+ 		goto out;
++	status = nfsd_check_obj_isreg(&resfh);
++	if (status)
++		goto out;
+ 
+ 	if (is_create_with_attrs(open) && open->op_acl != NULL)
+ 		do_set_nfs4_acl(rqstp, &resfh, open->op_acl, open->op_bmval);
+@@ -827,6 +827,7 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ 	      struct nfsd4_setattr *setattr)
+ {
+ 	__be32 status = nfs_ok;
++	int err;
+ 
+ 	if (setattr->sa_iattr.ia_valid & ATTR_SIZE) {
+ 		nfs4_lock_state();
+@@ -838,9 +839,9 @@ nfsd4_setattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ 			return status;
+ 		}
+ 	}
+-	status = mnt_want_write(cstate->current_fh.fh_export->ex_path.mnt);
+-	if (status)
+-		return status;
++	err = mnt_want_write(cstate->current_fh.fh_export->ex_path.mnt);
++	if (err)
++		return nfserrno(err);
+ 	status = nfs_ok;
+ 
+ 	status = check_attr_support(rqstp, cstate, setattr->sa_bmval,
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 5abced7..4cfe260 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -4080,16 +4080,14 @@ out:
+  * vfs_test_lock.  (Arguably perhaps test_lock should be done with an
+  * inode operation.)
+  */
+-static int nfsd_test_lock(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file_lock *lock)
++static __be32 nfsd_test_lock(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file_lock *lock)
+ {
+ 	struct file *file;
+-	int err;
+-
+-	err = nfsd_open(rqstp, fhp, S_IFREG, NFSD_MAY_READ, &file);
+-	if (err)
+-		return err;
+-	err = vfs_test_lock(file, lock);
+-	nfsd_close(file);
++	__be32 err = nfsd_open(rqstp, fhp, S_IFREG, NFSD_MAY_READ, &file);
++	if (!err) {
++		err = nfserrno(vfs_test_lock(file, lock));
++		nfsd_close(file);
++	}
+ 	return err;
+ }
+ 
+@@ -4103,7 +4101,6 @@ nfsd4_lockt(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ 	struct inode *inode;
+ 	struct file_lock file_lock;
+ 	struct nfs4_lockowner *lo;
+-	int error;
+ 	__be32 status;
+ 
+ 	if (locks_in_grace())
+@@ -4149,12 +4146,10 @@ nfsd4_lockt(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ 
+ 	nfs4_transform_lock_offset(&file_lock);
+ 
+-	status = nfs_ok;
+-	error = nfsd_test_lock(rqstp, &cstate->current_fh, &file_lock);
+-	if (error) {
+-		status = nfserrno(error);
++	status = nfsd_test_lock(rqstp, &cstate->current_fh, &file_lock);
++	if (status)
+ 		goto out;
+-	}
++
+ 	if (file_lock.fl_type != F_UNLCK) {
+ 		status = nfserr_denied;
+ 		nfs4_set_lock_denied(&file_lock, &lockt->lt_denied);
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index b6fa792..9cfa60a 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3411,7 +3411,7 @@ nfsd4_encode_test_stateid(struct nfsd4_compoundres *resp, int nfserr,
+ 		nfsd4_decode_stateid(argp, &si);
+ 		valid = nfs4_validate_stateid(cl, &si);
+ 		RESERVE_SPACE(4);
+-		*p++ = htonl(valid);
++		*p++ = valid;
+ 		resp->p = p;
+ 	}
+ 	nfs4_unlock_state();
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index 7a2e442..5c3cd82 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1439,7 +1439,7 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ 		switch (createmode) {
+ 		case NFS3_CREATE_UNCHECKED:
+ 			if (! S_ISREG(dchild->d_inode->i_mode))
+-				err = nfserr_exist;
++				goto out;
+ 			else if (truncp) {
+ 				/* in nfsv4, we need to treat this case a little
+ 				 * differently.  we don't want to truncate the
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index 3165aeb..31b9463 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -1134,7 +1134,7 @@ static int ocfs2_adjust_rightmost_branch(handle_t *handle,
+ 	}
+ 
+ 	el = path_leaf_el(path);
+-	rec = &el->l_recs[le32_to_cpu(el->l_next_free_rec) - 1];
++	rec = &el->l_recs[le16_to_cpu(el->l_next_free_rec) - 1];
+ 
+ 	ocfs2_adjust_rightmost_records(handle, et, path, rec);
+ 
+diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
+index cf78233..9f32d7c 100644
+--- a/fs/ocfs2/refcounttree.c
++++ b/fs/ocfs2/refcounttree.c
+@@ -1036,14 +1036,14 @@ static int ocfs2_get_refcount_cpos_end(struct ocfs2_caching_info *ci,
+ 
+ 	tmp_el = left_path->p_node[subtree_root].el;
+ 	blkno = left_path->p_node[subtree_root+1].bh->b_blocknr;
+-	for (i = 0; i < le32_to_cpu(tmp_el->l_next_free_rec); i++) {
++	for (i = 0; i < le16_to_cpu(tmp_el->l_next_free_rec); i++) {
+ 		if (le64_to_cpu(tmp_el->l_recs[i].e_blkno) == blkno) {
+ 			*cpos_end = le32_to_cpu(tmp_el->l_recs[i+1].e_cpos);
+ 			break;
+ 		}
+ 	}
+ 
+-	BUG_ON(i == le32_to_cpu(tmp_el->l_next_free_rec));
++	BUG_ON(i == le16_to_cpu(tmp_el->l_next_free_rec));
+ 
+ out:
+ 	ocfs2_free_path(left_path);
+@@ -1468,7 +1468,7 @@ static int ocfs2_divide_leaf_refcount_block(struct buffer_head *ref_leaf_bh,
+ 
+ 	trace_ocfs2_divide_leaf_refcount_block(
+ 		(unsigned long long)ref_leaf_bh->b_blocknr,
+-		le32_to_cpu(rl->rl_count), le32_to_cpu(rl->rl_used));
++		le16_to_cpu(rl->rl_count), le16_to_cpu(rl->rl_used));
+ 
+ 	/*
+ 	 * XXX: Improvement later.
+@@ -2411,7 +2411,7 @@ static int ocfs2_calc_refcount_meta_credits(struct super_block *sb,
+ 				rb = (struct ocfs2_refcount_block *)
+ 							prev_bh->b_data;
+ 
+-				if (le64_to_cpu(rb->rf_records.rl_used) +
++				if (le16_to_cpu(rb->rf_records.rl_used) +
+ 				    recs_add >
+ 				    le16_to_cpu(rb->rf_records.rl_count))
+ 					ref_blocks++;
+@@ -2476,7 +2476,7 @@ static int ocfs2_calc_refcount_meta_credits(struct super_block *sb,
+ 	if (prev_bh) {
+ 		rb = (struct ocfs2_refcount_block *)prev_bh->b_data;
+ 
+-		if (le64_to_cpu(rb->rf_records.rl_used) + recs_add >
++		if (le16_to_cpu(rb->rf_records.rl_used) + recs_add >
+ 		    le16_to_cpu(rb->rf_records.rl_count))
+ 			ref_blocks++;
+ 
+@@ -3629,7 +3629,7 @@ int ocfs2_refcounted_xattr_delete_need(struct inode *inode,
+ 			 * one will split a refcount rec, so totally we need
+ 			 * clusters * 2 new refcount rec.
+ 			 */
+-			if (le64_to_cpu(rb->rf_records.rl_used) + clusters * 2 >
++			if (le16_to_cpu(rb->rf_records.rl_used) + clusters * 2 >
+ 			    le16_to_cpu(rb->rf_records.rl_count))
+ 				ref_blocks++;
+ 
+diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
+index ba5d97e..f169da4 100644
+--- a/fs/ocfs2/suballoc.c
++++ b/fs/ocfs2/suballoc.c
+@@ -600,7 +600,7 @@ static void ocfs2_bg_alloc_cleanup(handle_t *handle,
+ 		ret = ocfs2_free_clusters(handle, cluster_ac->ac_inode,
+ 					  cluster_ac->ac_bh,
+ 					  le64_to_cpu(rec->e_blkno),
+-					  le32_to_cpu(rec->e_leaf_clusters));
++					  le16_to_cpu(rec->e_leaf_clusters));
+ 		if (ret)
+ 			mlog_errno(ret);
+ 		/* Try all the clusters to free */
+@@ -1628,7 +1628,7 @@ static int ocfs2_bg_discontig_fix_by_rec(struct ocfs2_suballoc_result *res,
+ {
+ 	unsigned int bpc = le16_to_cpu(cl->cl_bpc);
+ 	unsigned int bitoff = le32_to_cpu(rec->e_cpos) * bpc;
+-	unsigned int bitcount = le32_to_cpu(rec->e_leaf_clusters) * bpc;
++	unsigned int bitcount = le16_to_cpu(rec->e_leaf_clusters) * bpc;
+ 
+ 	if (res->sr_bit_offset < bitoff)
+ 		return 0;
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 4065f07..05ed5ca 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -345,6 +345,16 @@ static const struct pipe_buf_operations anon_pipe_buf_ops = {
+ 	.get = generic_pipe_buf_get,
+ };
+ 
++static const struct pipe_buf_operations packet_pipe_buf_ops = {
++	.can_merge = 0,
++	.map = generic_pipe_buf_map,
++	.unmap = generic_pipe_buf_unmap,
++	.confirm = generic_pipe_buf_confirm,
++	.release = anon_pipe_buf_release,
++	.steal = generic_pipe_buf_steal,
++	.get = generic_pipe_buf_get,
++};
++
+ static ssize_t
+ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 	   unsigned long nr_segs, loff_t pos)
+@@ -406,6 +416,13 @@ redo:
+ 			ret += chars;
+ 			buf->offset += chars;
+ 			buf->len -= chars;
++
++			/* Was it a packet buffer? Clean up and exit */
++			if (buf->flags & PIPE_BUF_FLAG_PACKET) {
++				total_len = chars;
++				buf->len = 0;
++			}
++
+ 			if (!buf->len) {
+ 				buf->ops = NULL;
+ 				ops->release(pipe, buf);
+@@ -458,6 +475,11 @@ redo:
+ 	return ret;
+ }
+ 
++static inline int is_packetized(struct file *file)
++{
++	return (file->f_flags & O_DIRECT) != 0;
++}
++
+ static ssize_t
+ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ 	    unsigned long nr_segs, loff_t ppos)
+@@ -592,6 +614,11 @@ redo2:
+ 			buf->ops = &anon_pipe_buf_ops;
+ 			buf->offset = 0;
+ 			buf->len = chars;
++			buf->flags = 0;
++			if (is_packetized(filp)) {
++				buf->ops = &packet_pipe_buf_ops;
++				buf->flags = PIPE_BUF_FLAG_PACKET;
++			}
+ 			pipe->nrbufs = ++bufs;
+ 			pipe->tmp_page = NULL;
+ 
+@@ -1012,7 +1039,7 @@ struct file *create_write_pipe(int flags)
+ 		goto err_dentry;
+ 	f->f_mapping = inode->i_mapping;
+ 
+-	f->f_flags = O_WRONLY | (flags & O_NONBLOCK);
++	f->f_flags = O_WRONLY | (flags & (O_NONBLOCK | O_DIRECT));
+ 	f->f_version = 0;
+ 
+ 	return f;
+@@ -1056,7 +1083,7 @@ int do_pipe_flags(int *fd, int flags)
+ 	int error;
+ 	int fdw, fdr;
+ 
+-	if (flags & ~(O_CLOEXEC | O_NONBLOCK))
++	if (flags & ~(O_CLOEXEC | O_NONBLOCK | O_DIRECT))
+ 		return -EINVAL;
+ 
+ 	fw = create_write_pipe(flags);
+diff --git a/fs/splice.c b/fs/splice.c
+index fa2defa..6d0dfb8 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -31,6 +31,7 @@
+ #include <linux/uio.h>
+ #include <linux/security.h>
+ #include <linux/gfp.h>
++#include <linux/socket.h>
+ 
+ /*
+  * Attempt to steal a page from a pipe buffer. This should perhaps go into
+@@ -691,7 +692,9 @@ static int pipe_to_sendpage(struct pipe_inode_info *pipe,
+ 	if (!likely(file->f_op && file->f_op->sendpage))
+ 		return -EINVAL;
+ 
+-	more = (sd->flags & SPLICE_F_MORE) || sd->len < sd->total_len;
++	more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
++	if (sd->len < sd->total_len)
++		more |= MSG_SENDPAGE_NOTLAST;
+ 	return file->f_op->sendpage(file, buf->page, buf->offset,
+ 				    sd->len, &pos, more);
+ }
+diff --git a/include/asm-generic/statfs.h b/include/asm-generic/statfs.h
+index 0fd28e0..c749af9 100644
+--- a/include/asm-generic/statfs.h
++++ b/include/asm-generic/statfs.h
+@@ -15,7 +15,7 @@ typedef __kernel_fsid_t	fsid_t;
+  * with a 10' pole.
+  */
+ #ifndef __statfs_word
+-#if BITS_PER_LONG == 64
++#if __BITS_PER_LONG == 64
+ #define __statfs_word long
+ #else
+ #define __statfs_word __u32
+diff --git a/include/linux/efi.h b/include/linux/efi.h
+index 2362a0b..1328d8c 100644
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -383,7 +383,18 @@ extern int __init efi_setup_pcdp_console(char *);
+ #define EFI_VARIABLE_NON_VOLATILE       0x0000000000000001
+ #define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x0000000000000002
+ #define EFI_VARIABLE_RUNTIME_ACCESS     0x0000000000000004
+-
++#define EFI_VARIABLE_HARDWARE_ERROR_RECORD 0x0000000000000008
++#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x0000000000000010
++#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x0000000000000020
++#define EFI_VARIABLE_APPEND_WRITE	0x0000000000000040
++
++#define EFI_VARIABLE_MASK 	(EFI_VARIABLE_NON_VOLATILE | \
++				EFI_VARIABLE_BOOTSERVICE_ACCESS | \
++				EFI_VARIABLE_RUNTIME_ACCESS | \
++				EFI_VARIABLE_HARDWARE_ERROR_RECORD | \
++				EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | \
++				EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | \
++				EFI_VARIABLE_APPEND_WRITE)
+ /*
+  * EFI Device Path information
+  */
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index d526231..35410ef 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -562,6 +562,7 @@ void kvm_free_irq_source_id(struct kvm *kvm, int irq_source_id);
+ 
+ #ifdef CONFIG_IOMMU_API
+ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot);
++void kvm_iommu_unmap_pages(struct kvm *kvm, struct kvm_memory_slot *slot);
+ int kvm_iommu_map_guest(struct kvm *kvm);
+ int kvm_iommu_unmap_guest(struct kvm *kvm);
+ int kvm_assign_device(struct kvm *kvm,
+@@ -575,6 +576,11 @@ static inline int kvm_iommu_map_pages(struct kvm *kvm,
+ 	return 0;
+ }
+ 
++static inline void kvm_iommu_unmap_pages(struct kvm *kvm,
++					 struct kvm_memory_slot *slot)
++{
++}
++
+ static inline int kvm_iommu_map_guest(struct kvm *kvm)
+ {
+ 	return -ENODEV;
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index a82ad4d..cbeb586 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -2536,8 +2536,6 @@ extern void		net_disable_timestamp(void);
+ extern void *dev_seq_start(struct seq_file *seq, loff_t *pos);
+ extern void *dev_seq_next(struct seq_file *seq, void *v, loff_t *pos);
+ extern void dev_seq_stop(struct seq_file *seq, void *v);
+-extern int dev_seq_open_ops(struct inode *inode, struct file *file,
+-			    const struct seq_operations *ops);
+ #endif
+ 
+ extern int netdev_class_create_file(struct class_attribute *class_attr);
+diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
+index 77257c9..0072a53 100644
+--- a/include/linux/pipe_fs_i.h
++++ b/include/linux/pipe_fs_i.h
+@@ -8,6 +8,7 @@
+ #define PIPE_BUF_FLAG_LRU	0x01	/* page is on the LRU */
+ #define PIPE_BUF_FLAG_ATOMIC	0x02	/* was atomically mapped */
+ #define PIPE_BUF_FLAG_GIFT	0x04	/* page is a gift */
++#define PIPE_BUF_FLAG_PACKET	0x08	/* read() as a packet */
+ 
+ /**
+  *	struct pipe_buffer - a linux kernel pipe buffer
+diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
+index c6db9fb..bb1fac5 100644
+--- a/include/linux/seqlock.h
++++ b/include/linux/seqlock.h
+@@ -141,7 +141,7 @@ static inline unsigned __read_seqcount_begin(const seqcount_t *s)
+ 	unsigned ret;
+ 
+ repeat:
+-	ret = s->sequence;
++	ret = ACCESS_ONCE(s->sequence);
+ 	if (unlikely(ret & 1)) {
+ 		cpu_relax();
+ 		goto repeat;
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 6cf8b53..e689b47 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -458,6 +458,7 @@ struct sk_buff {
+ 	union {
+ 		__u32		mark;
+ 		__u32		dropcount;
++		__u32		avail_size;
+ 	};
+ 
+ 	__u16			vlan_tci;
+@@ -1326,6 +1327,18 @@ static inline int skb_tailroom(const struct sk_buff *skb)
+ }
+ 
+ /**
++ *	skb_availroom - bytes at buffer end
++ *	@skb: buffer to check
++ *
++ *	Return the number of bytes of free space at the tail of an sk_buff
++ *	allocated by sk_stream_alloc()
++ */
++static inline int skb_availroom(const struct sk_buff *skb)
++{
++	return skb_is_nonlinear(skb) ? 0 : skb->avail_size - skb->len;
++}
++
++/**
+  *	skb_reserve - adjust headroom
+  *	@skb: buffer to alter
+  *	@len: bytes to move
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index d0e77f6..ad919e0 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -265,7 +265,7 @@ struct ucred {
+ #define MSG_NOSIGNAL	0x4000	/* Do not generate SIGPIPE */
+ #define MSG_MORE	0x8000	/* Sender will send more */
+ #define MSG_WAITFORONE	0x10000	/* recvmmsg(): block until 1+ packets avail */
+-
++#define MSG_SENDPAGE_NOTLAST 0x20000 /* sendpage() internal : not the last page */
+ #define MSG_EOF         MSG_FIN
+ 
+ #define MSG_CMSG_CLOEXEC 0x40000000	/* Set close_on_exit for file
+diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
+index 03354d5..64cec8d 100644
+--- a/include/linux/usb/hcd.h
++++ b/include/linux/usb/hcd.h
+@@ -128,6 +128,8 @@ struct usb_hcd {
+ 	unsigned		wireless:1;	/* Wireless USB HCD */
+ 	unsigned		authorized_default:1;
+ 	unsigned		has_tt:1;	/* Integrated TT in root hub */
++	unsigned		broken_pci_sleep:1;	/* Don't put the
++			controller in PCI-D3 for system sleep */
+ 
+ 	int			irq;		/* irq allocated */
+ 	void __iomem		*regs;		/* device memory/io */
+diff --git a/kernel/exit.c b/kernel/exit.c
+index e6e01b9..5a8a66e 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -819,25 +819,6 @@ static void exit_notify(struct task_struct *tsk, int group_dead)
+ 	if (group_dead)
+ 		kill_orphaned_pgrp(tsk->group_leader, NULL);
+ 
+-	/* Let father know we died
+-	 *
+-	 * Thread signals are configurable, but you aren't going to use
+-	 * that to send signals to arbitrary processes.
+-	 * That stops right now.
+-	 *
+-	 * If the parent exec id doesn't match the exec id we saved
+-	 * when we started then we know the parent has changed security
+-	 * domain.
+-	 *
+-	 * If our self_exec id doesn't match our parent_exec_id then
+-	 * we have changed execution domain as these two values started
+-	 * the same after a fork.
+-	 */
+-	if (thread_group_leader(tsk) && tsk->exit_signal != SIGCHLD &&
+-	    (tsk->parent_exec_id != tsk->real_parent->self_exec_id ||
+-	     tsk->self_exec_id != tsk->parent_exec_id))
+-		tsk->exit_signal = SIGCHLD;
+-
+ 	if (unlikely(tsk->ptrace)) {
+ 		int sig = thread_group_leader(tsk) &&
+ 				thread_group_empty(tsk) &&
+diff --git a/kernel/power/swap.c b/kernel/power/swap.c
+index 11a594c..b313086 100644
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -52,6 +52,23 @@
+ 
+ #define MAP_PAGE_ENTRIES	(PAGE_SIZE / sizeof(sector_t) - 1)
+ 
++/*
++ * Number of free pages that are not high.
++ */
++static inline unsigned long low_free_pages(void)
++{
++	return nr_free_pages() - nr_free_highpages();
++}
++
++/*
++ * Number of pages required to be kept free while writing the image. Always
++ * half of all available low pages before the writing starts.
++ */
++static inline unsigned long reqd_free_pages(void)
++{
++	return low_free_pages() / 2;
++}
++
+ struct swap_map_page {
+ 	sector_t entries[MAP_PAGE_ENTRIES];
+ 	sector_t next_swap;
+@@ -73,7 +90,7 @@ struct swap_map_handle {
+ 	sector_t cur_swap;
+ 	sector_t first_sector;
+ 	unsigned int k;
+-	unsigned long nr_free_pages, written;
++	unsigned long reqd_free_pages;
+ 	u32 crc32;
+ };
+ 
+@@ -317,8 +334,7 @@ static int get_swap_writer(struct swap_map_handle *handle)
+ 		goto err_rel;
+ 	}
+ 	handle->k = 0;
+-	handle->nr_free_pages = nr_free_pages() >> 1;
+-	handle->written = 0;
++	handle->reqd_free_pages = reqd_free_pages();
+ 	handle->first_sector = handle->cur_swap;
+ 	return 0;
+ err_rel:
+@@ -353,11 +369,11 @@ static int swap_write_page(struct swap_map_handle *handle, void *buf,
+ 		handle->cur_swap = offset;
+ 		handle->k = 0;
+ 	}
+-	if (bio_chain && ++handle->written > handle->nr_free_pages) {
++	if (bio_chain && low_free_pages() <= handle->reqd_free_pages) {
+ 		error = hib_wait_on_bio_chain(bio_chain);
+ 		if (error)
+ 			goto out;
+-		handle->written = 0;
++		handle->reqd_free_pages = reqd_free_pages();
+ 	}
+  out:
+ 	return error;
+@@ -619,7 +635,7 @@ static int save_image_lzo(struct swap_map_handle *handle,
+ 	 * Adjust number of free pages after all allocations have been done.
+ 	 * We don't want to run out of pages when writing.
+ 	 */
+-	handle->nr_free_pages = nr_free_pages() >> 1;
++	handle->reqd_free_pages = reqd_free_pages();
+ 
+ 	/*
+ 	 * Start the CRC32 thread.
+diff --git a/kernel/sched.c b/kernel/sched.c
+index d6b149c..299f55c 100644
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -3538,13 +3538,10 @@ calc_load_n(unsigned long load, unsigned long exp,
+  * Once we've updated the global active value, we need to apply the exponential
+  * weights adjusted to the number of cycles missed.
+  */
+-static void calc_global_nohz(unsigned long ticks)
++static void calc_global_nohz(void)
+ {
+ 	long delta, active, n;
+ 
+-	if (time_before(jiffies, calc_load_update))
+-		return;
+-
+ 	/*
+ 	 * If we crossed a calc_load_update boundary, make sure to fold
+ 	 * any pending idle changes, the respective CPUs might have
+@@ -3556,31 +3553,25 @@ static void calc_global_nohz(unsigned long ticks)
+ 		atomic_long_add(delta, &calc_load_tasks);
+ 
+ 	/*
+-	 * If we were idle for multiple load cycles, apply them.
++	 * It could be the one fold was all it took, we done!
+ 	 */
+-	if (ticks >= LOAD_FREQ) {
+-		n = ticks / LOAD_FREQ;
++	if (time_before(jiffies, calc_load_update + 10))
++		return;
+ 
+-		active = atomic_long_read(&calc_load_tasks);
+-		active = active > 0 ? active * FIXED_1 : 0;
++	/*
++	 * Catch-up, fold however many we are behind still
++	 */
++	delta = jiffies - calc_load_update - 10;
++	n = 1 + (delta / LOAD_FREQ);
+ 
+-		avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n);
+-		avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n);
+-		avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n);
++	active = atomic_long_read(&calc_load_tasks);
++	active = active > 0 ? active * FIXED_1 : 0;
+ 
+-		calc_load_update += n * LOAD_FREQ;
+-	}
++	avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n);
++	avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n);
++	avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n);
+ 
+-	/*
+-	 * Its possible the remainder of the above division also crosses
+-	 * a LOAD_FREQ period, the regular check in calc_global_load()
+-	 * which comes after this will take care of that.
+-	 *
+-	 * Consider us being 11 ticks before a cycle completion, and us
+-	 * sleeping for 4*LOAD_FREQ + 22 ticks, then the above code will
+-	 * age us 4 cycles, and the test in calc_global_load() will
+-	 * pick up the final one.
+-	 */
++	calc_load_update += n * LOAD_FREQ;
+ }
+ #else
+ static void calc_load_account_idle(struct rq *this_rq)
+@@ -3592,7 +3583,7 @@ static inline long calc_load_fold_idle(void)
+ 	return 0;
+ }
+ 
+-static void calc_global_nohz(unsigned long ticks)
++static void calc_global_nohz(void)
+ {
+ }
+ #endif
+@@ -3620,8 +3611,6 @@ void calc_global_load(unsigned long ticks)
+ {
+ 	long active;
+ 
+-	calc_global_nohz(ticks);
+-
+ 	if (time_before(jiffies, calc_load_update + 10))
+ 		return;
+ 
+@@ -3633,6 +3622,16 @@ void calc_global_load(unsigned long ticks)
+ 	avenrun[2] = calc_load(avenrun[2], EXP_15, active);
+ 
+ 	calc_load_update += LOAD_FREQ;
++
++	/*
++	 * Account one period with whatever state we found before
++	 * folding in the nohz state and ageing the entire idle period.
++	 *
++	 * This avoids loosing a sample when we go idle between 
++	 * calc_load_account_active() (10 ticks ago) and now and thus
++	 * under-accounting.
++	 */
++	calc_global_nohz();
+ }
+ 
+ /*
+@@ -7605,16 +7604,26 @@ static void __sdt_free(const struct cpumask *cpu_map)
+ 		struct sd_data *sdd = &tl->data;
+ 
+ 		for_each_cpu(j, cpu_map) {
+-			struct sched_domain *sd = *per_cpu_ptr(sdd->sd, j);
+-			if (sd && (sd->flags & SD_OVERLAP))
+-				free_sched_groups(sd->groups, 0);
+-			kfree(*per_cpu_ptr(sdd->sd, j));
+-			kfree(*per_cpu_ptr(sdd->sg, j));
+-			kfree(*per_cpu_ptr(sdd->sgp, j));
++			struct sched_domain *sd;
++
++			if (sdd->sd) {
++				sd = *per_cpu_ptr(sdd->sd, j);
++				if (sd && (sd->flags & SD_OVERLAP))
++					free_sched_groups(sd->groups, 0);
++				kfree(*per_cpu_ptr(sdd->sd, j));
++			}
++
++			if (sdd->sg)
++				kfree(*per_cpu_ptr(sdd->sg, j));
++			if (sdd->sgp)
++				kfree(*per_cpu_ptr(sdd->sgp, j));
+ 		}
+ 		free_percpu(sdd->sd);
++		sdd->sd = NULL;
+ 		free_percpu(sdd->sg);
++		sdd->sg = NULL;
+ 		free_percpu(sdd->sgp);
++		sdd->sgp = NULL;
+ 	}
+ }
+ 
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 2065515..08e0b97 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1610,6 +1610,15 @@ bool do_notify_parent(struct task_struct *tsk, int sig)
+ 	BUG_ON(!tsk->ptrace &&
+ 	       (tsk->group_leader != tsk || !thread_group_empty(tsk)));
+ 
++	if (sig != SIGCHLD) {
++		/*
++		 * This is only possible if parent == real_parent.
++		 * Check if it has changed security domain.
++		 */
++		if (tsk->parent_exec_id != tsk->parent->self_exec_id)
++			sig = SIGCHLD;
++	}
++
+ 	info.si_signo = sig;
+ 	info.si_errno = 0;
+ 	/*
+diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
+index 5199930..1dcf253 100644
+--- a/kernel/trace/trace_output.c
++++ b/kernel/trace/trace_output.c
+@@ -638,6 +638,8 @@ int trace_print_lat_context(struct trace_iterator *iter)
+ {
+ 	u64 next_ts;
+ 	int ret;
++	/* trace_find_next_entry will reset ent_size */
++	int ent_size = iter->ent_size;
+ 	struct trace_seq *s = &iter->seq;
+ 	struct trace_entry *entry = iter->ent,
+ 			   *next_entry = trace_find_next_entry(iter, NULL,
+@@ -646,6 +648,9 @@ int trace_print_lat_context(struct trace_iterator *iter)
+ 	unsigned long abs_usecs = ns2usecs(iter->ts - iter->tr->time_start);
+ 	unsigned long rel_usecs;
+ 
++	/* Restore the original ent_size */
++	iter->ent_size = ent_size;
++
+ 	if (!next_entry)
+ 		next_ts = iter->ts;
+ 	rel_usecs = ns2usecs(next_ts - iter->ts);
+diff --git a/mm/swap_state.c b/mm/swap_state.c
+index 78cc4d1..7704d9c 100644
+--- a/mm/swap_state.c
++++ b/mm/swap_state.c
+@@ -27,7 +27,7 @@
+  */
+ static const struct address_space_operations swap_aops = {
+ 	.writepage	= swap_writepage,
+-	.set_page_dirty	= __set_page_dirty_nobuffers,
++	.set_page_dirty	= __set_page_dirty_no_writeback,
+ 	.migratepage	= migrate_page,
+ };
+ 
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index e7c69f4..b04a6ef 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -2006,16 +2006,17 @@ static void __exit ax25_exit(void)
+ 	proc_net_remove(&init_net, "ax25_route");
+ 	proc_net_remove(&init_net, "ax25");
+ 	proc_net_remove(&init_net, "ax25_calls");
+-	ax25_rt_free();
+-	ax25_uid_free();
+-	ax25_dev_free();
+ 
+-	ax25_unregister_sysctl();
+ 	unregister_netdevice_notifier(&ax25_dev_notifier);
++	ax25_unregister_sysctl();
+ 
+ 	dev_remove_pack(&ax25_packet_type);
+ 
+ 	sock_unregister(PF_AX25);
+ 	proto_unregister(&ax25_proto);
++
++	ax25_rt_free();
++	ax25_uid_free();
++	ax25_dev_free();
+ }
+ module_exit(ax25_exit);
+diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
+index 8eb6b15..5ac1811 100644
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -241,7 +241,6 @@ static void br_multicast_group_expired(unsigned long data)
+ 	hlist_del_rcu(&mp->hlist[mdb->ver]);
+ 	mdb->size--;
+ 
+-	del_timer(&mp->query_timer);
+ 	call_rcu_bh(&mp->rcu, br_multicast_free_group);
+ 
+ out:
+@@ -271,7 +270,6 @@ static void br_multicast_del_pg(struct net_bridge *br,
+ 		rcu_assign_pointer(*pp, p->next);
+ 		hlist_del_init(&p->mglist);
+ 		del_timer(&p->timer);
+-		del_timer(&p->query_timer);
+ 		call_rcu_bh(&p->rcu, br_multicast_free_pg);
+ 
+ 		if (!mp->ports && !mp->mglist &&
+@@ -507,74 +505,6 @@ static struct sk_buff *br_multicast_alloc_query(struct net_bridge *br,
+ 	return NULL;
+ }
+ 
+-static void br_multicast_send_group_query(struct net_bridge_mdb_entry *mp)
+-{
+-	struct net_bridge *br = mp->br;
+-	struct sk_buff *skb;
+-
+-	skb = br_multicast_alloc_query(br, &mp->addr);
+-	if (!skb)
+-		goto timer;
+-
+-	netif_rx(skb);
+-
+-timer:
+-	if (++mp->queries_sent < br->multicast_last_member_count)
+-		mod_timer(&mp->query_timer,
+-			  jiffies + br->multicast_last_member_interval);
+-}
+-
+-static void br_multicast_group_query_expired(unsigned long data)
+-{
+-	struct net_bridge_mdb_entry *mp = (void *)data;
+-	struct net_bridge *br = mp->br;
+-
+-	spin_lock(&br->multicast_lock);
+-	if (!netif_running(br->dev) || !mp->mglist ||
+-	    mp->queries_sent >= br->multicast_last_member_count)
+-		goto out;
+-
+-	br_multicast_send_group_query(mp);
+-
+-out:
+-	spin_unlock(&br->multicast_lock);
+-}
+-
+-static void br_multicast_send_port_group_query(struct net_bridge_port_group *pg)
+-{
+-	struct net_bridge_port *port = pg->port;
+-	struct net_bridge *br = port->br;
+-	struct sk_buff *skb;
+-
+-	skb = br_multicast_alloc_query(br, &pg->addr);
+-	if (!skb)
+-		goto timer;
+-
+-	br_deliver(port, skb);
+-
+-timer:
+-	if (++pg->queries_sent < br->multicast_last_member_count)
+-		mod_timer(&pg->query_timer,
+-			  jiffies + br->multicast_last_member_interval);
+-}
+-
+-static void br_multicast_port_group_query_expired(unsigned long data)
+-{
+-	struct net_bridge_port_group *pg = (void *)data;
+-	struct net_bridge_port *port = pg->port;
+-	struct net_bridge *br = port->br;
+-
+-	spin_lock(&br->multicast_lock);
+-	if (!netif_running(br->dev) || hlist_unhashed(&pg->mglist) ||
+-	    pg->queries_sent >= br->multicast_last_member_count)
+-		goto out;
+-
+-	br_multicast_send_port_group_query(pg);
+-
+-out:
+-	spin_unlock(&br->multicast_lock);
+-}
+-
+ static struct net_bridge_mdb_entry *br_multicast_get_group(
+ 	struct net_bridge *br, struct net_bridge_port *port,
+ 	struct br_ip *group, int hash)
+@@ -690,8 +620,6 @@ rehash:
+ 	mp->addr = *group;
+ 	setup_timer(&mp->timer, br_multicast_group_expired,
+ 		    (unsigned long)mp);
+-	setup_timer(&mp->query_timer, br_multicast_group_query_expired,
+-		    (unsigned long)mp);
+ 
+ 	hlist_add_head_rcu(&mp->hlist[mdb->ver], &mdb->mhash[hash]);
+ 	mdb->size++;
+@@ -746,8 +674,6 @@ static int br_multicast_add_group(struct net_bridge *br,
+ 	hlist_add_head(&p->mglist, &port->mglist);
+ 	setup_timer(&p->timer, br_multicast_port_group_expired,
+ 		    (unsigned long)p);
+-	setup_timer(&p->query_timer, br_multicast_port_group_query_expired,
+-		    (unsigned long)p);
+ 
+ 	rcu_assign_pointer(*pp, p);
+ 
+@@ -1291,9 +1217,6 @@ static void br_multicast_leave_group(struct net_bridge *br,
+ 		     time_after(mp->timer.expires, time) :
+ 		     try_to_del_timer_sync(&mp->timer) >= 0)) {
+ 			mod_timer(&mp->timer, time);
+-
+-			mp->queries_sent = 0;
+-			mod_timer(&mp->query_timer, now);
+ 		}
+ 
+ 		goto out;
+@@ -1310,9 +1233,6 @@ static void br_multicast_leave_group(struct net_bridge *br,
+ 		     time_after(p->timer.expires, time) :
+ 		     try_to_del_timer_sync(&p->timer) >= 0)) {
+ 			mod_timer(&p->timer, time);
+-
+-			p->queries_sent = 0;
+-			mod_timer(&p->query_timer, now);
+ 		}
+ 
+ 		break;
+@@ -1680,7 +1600,6 @@ void br_multicast_stop(struct net_bridge *br)
+ 		hlist_for_each_entry_safe(mp, p, n, &mdb->mhash[i],
+ 					  hlist[ver]) {
+ 			del_timer(&mp->timer);
+-			del_timer(&mp->query_timer);
+ 			call_rcu_bh(&mp->rcu, br_multicast_free_group);
+ 		}
+ 	}
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index d7d6fb0..93264df 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -82,9 +82,7 @@ struct net_bridge_port_group {
+ 	struct hlist_node		mglist;
+ 	struct rcu_head			rcu;
+ 	struct timer_list		timer;
+-	struct timer_list		query_timer;
+ 	struct br_ip			addr;
+-	u32				queries_sent;
+ };
+ 
+ struct net_bridge_mdb_entry
+@@ -94,10 +92,8 @@ struct net_bridge_mdb_entry
+ 	struct net_bridge_port_group __rcu *ports;
+ 	struct rcu_head			rcu;
+ 	struct timer_list		timer;
+-	struct timer_list		query_timer;
+ 	struct br_ip			addr;
+ 	bool				mglist;
+-	u32				queries_sent;
+ };
+ 
+ struct net_bridge_mdb_htable
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 55cd370..cd5050e 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4102,54 +4102,41 @@ static int dev_ifconf(struct net *net, char __user *arg)
+ 
+ #ifdef CONFIG_PROC_FS
+ 
+-#define BUCKET_SPACE (32 - NETDEV_HASHBITS)
+-
+-struct dev_iter_state {
+-	struct seq_net_private p;
+-	unsigned int pos; /* bucket << BUCKET_SPACE + offset */
+-};
++#define BUCKET_SPACE (32 - NETDEV_HASHBITS - 1)
+ 
+ #define get_bucket(x) ((x) >> BUCKET_SPACE)
+ #define get_offset(x) ((x) & ((1 << BUCKET_SPACE) - 1))
+ #define set_bucket_offset(b, o) ((b) << BUCKET_SPACE | (o))
+ 
+-static inline struct net_device *dev_from_same_bucket(struct seq_file *seq)
++static inline struct net_device *dev_from_same_bucket(struct seq_file *seq, loff_t *pos)
+ {
+-	struct dev_iter_state *state = seq->private;
+ 	struct net *net = seq_file_net(seq);
+ 	struct net_device *dev;
+ 	struct hlist_node *p;
+ 	struct hlist_head *h;
+-	unsigned int count, bucket, offset;
++	unsigned int count = 0, offset = get_offset(*pos);
+ 
+-	bucket = get_bucket(state->pos);
+-	offset = get_offset(state->pos);
+-	h = &net->dev_name_head[bucket];
+-	count = 0;
++	h = &net->dev_name_head[get_bucket(*pos)];
+ 	hlist_for_each_entry_rcu(dev, p, h, name_hlist) {
+-		if (count++ == offset) {
+-			state->pos = set_bucket_offset(bucket, count);
++		if (++count == offset)
+ 			return dev;
+-		}
+ 	}
+ 
+ 	return NULL;
+ }
+ 
+-static inline struct net_device *dev_from_new_bucket(struct seq_file *seq)
++static inline struct net_device *dev_from_bucket(struct seq_file *seq, loff_t *pos)
+ {
+-	struct dev_iter_state *state = seq->private;
+ 	struct net_device *dev;
+ 	unsigned int bucket;
+ 
+-	bucket = get_bucket(state->pos);
+ 	do {
+-		dev = dev_from_same_bucket(seq);
++		dev = dev_from_same_bucket(seq, pos);
+ 		if (dev)
+ 			return dev;
+ 
+-		bucket++;
+-		state->pos = set_bucket_offset(bucket, 0);
++		bucket = get_bucket(*pos) + 1;
++		*pos = set_bucket_offset(bucket, 1);
+ 	} while (bucket < NETDEV_HASHENTRIES);
+ 
+ 	return NULL;
+@@ -4162,33 +4149,20 @@ static inline struct net_device *dev_from_new_bucket(struct seq_file *seq)
+ void *dev_seq_start(struct seq_file *seq, loff_t *pos)
+ 	__acquires(RCU)
+ {
+-	struct dev_iter_state *state = seq->private;
+-
+ 	rcu_read_lock();
+ 	if (!*pos)
+ 		return SEQ_START_TOKEN;
+ 
+-	/* check for end of the hash */
+-	if (state->pos == 0 && *pos > 1)
++	if (get_bucket(*pos) >= NETDEV_HASHENTRIES)
+ 		return NULL;
+ 
+-	return dev_from_new_bucket(seq);
++	return dev_from_bucket(seq, pos);
+ }
+ 
+ void *dev_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+ {
+-	struct net_device *dev;
+-
+ 	++*pos;
+-
+-	if (v == SEQ_START_TOKEN)
+-		return dev_from_new_bucket(seq);
+-
+-	dev = dev_from_same_bucket(seq);
+-	if (dev)
+-		return dev;
+-
+-	return dev_from_new_bucket(seq);
++	return dev_from_bucket(seq, pos);
+ }
+ 
+ void dev_seq_stop(struct seq_file *seq, void *v)
+@@ -4287,13 +4261,7 @@ static const struct seq_operations dev_seq_ops = {
+ static int dev_seq_open(struct inode *inode, struct file *file)
+ {
+ 	return seq_open_net(inode, file, &dev_seq_ops,
+-			    sizeof(struct dev_iter_state));
+-}
+-
+-int dev_seq_open_ops(struct inode *inode, struct file *file,
+-		     const struct seq_operations *ops)
+-{
+-	return seq_open_net(inode, file, ops, sizeof(struct dev_iter_state));
++			    sizeof(struct seq_net_private));
+ }
+ 
+ static const struct file_operations dev_seq_fops = {
+diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
+index febba51..277faef 100644
+--- a/net/core/dev_addr_lists.c
++++ b/net/core/dev_addr_lists.c
+@@ -696,7 +696,8 @@ static const struct seq_operations dev_mc_seq_ops = {
+ 
+ static int dev_mc_seq_open(struct inode *inode, struct file *file)
+ {
+-	return dev_seq_open_ops(inode, file, &dev_mc_seq_ops);
++	return seq_open_net(inode, file, &dev_mc_seq_ops,
++			    sizeof(struct seq_net_private));
+ }
+ 
+ static const struct file_operations dev_mc_seq_fops = {
+diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
+index 0e950fd..31a5ae5 100644
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -83,21 +83,29 @@ assign:
+ 
+ static int ops_init(const struct pernet_operations *ops, struct net *net)
+ {
+-	int err;
++	int err = -ENOMEM;
++	void *data = NULL;
++
+ 	if (ops->id && ops->size) {
+-		void *data = kzalloc(ops->size, GFP_KERNEL);
++		data = kzalloc(ops->size, GFP_KERNEL);
+ 		if (!data)
+-			return -ENOMEM;
++			goto out;
+ 
+ 		err = net_assign_generic(net, *ops->id, data);
+-		if (err) {
+-			kfree(data);
+-			return err;
+-		}
++		if (err)
++			goto cleanup;
+ 	}
++	err = 0;
+ 	if (ops->init)
+-		return ops->init(net);
+-	return 0;
++		err = ops->init(net);
++	if (!err)
++		return 0;
++
++cleanup:
++	kfree(data);
++
++out:
++	return err;
+ }
+ 
+ static void ops_free(const struct pernet_operations *ops, struct net *net)
+@@ -448,12 +456,7 @@ static void __unregister_pernet_operations(struct pernet_operations *ops)
+ static int __register_pernet_operations(struct list_head *list,
+ 					struct pernet_operations *ops)
+ {
+-	int err = 0;
+-	err = ops_init(ops, &init_net);
+-	if (err)
+-		ops_free(ops, &init_net);
+-	return err;
+-	
++	return ops_init(ops, &init_net);
+ }
+ 
+ static void __unregister_pernet_operations(struct pernet_operations *ops)
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 3c30ee4..2ec200de 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -903,9 +903,11 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
+ 		goto adjust_others;
+ 	}
+ 
+-	data = kmalloc(size + sizeof(struct skb_shared_info), gfp_mask);
++	data = kmalloc(size + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)),
++		       gfp_mask);
+ 	if (!data)
+ 		goto nodata;
++	size = SKB_WITH_OVERHEAD(ksize(data));
+ 
+ 	/* Copy only real data... and, alas, header. This should be
+ 	 * optimized for the cases when header is void.
+@@ -3111,6 +3113,8 @@ static void sock_rmem_free(struct sk_buff *skb)
+  */
+ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
+ {
++	int len = skb->len;
++
+ 	if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
+ 	    (unsigned)sk->sk_rcvbuf)
+ 		return -ENOMEM;
+@@ -3125,7 +3129,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
+ 
+ 	skb_queue_tail(&sk->sk_error_queue, skb);
+ 	if (!sock_flag(sk, SOCK_DEAD))
+-		sk->sk_data_ready(sk, skb->len);
++		sk->sk_data_ready(sk, len);
+ 	return 0;
+ }
+ EXPORT_SYMBOL(sock_queue_err_skb);
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 34f5db1..7904db4 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -701,11 +701,12 @@ struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp)
+ 	skb = alloc_skb_fclone(size + sk->sk_prot->max_header, gfp);
+ 	if (skb) {
+ 		if (sk_wmem_schedule(sk, skb->truesize)) {
++			skb_reserve(skb, sk->sk_prot->max_header);
+ 			/*
+ 			 * Make sure that we have exactly size bytes
+ 			 * available to the caller, no more, no less.
+ 			 */
+-			skb_reserve(skb, skb_tailroom(skb) - size);
++			skb->avail_size = size;
+ 			return skb;
+ 		}
+ 		__kfree_skb(skb);
+@@ -860,7 +861,7 @@ wait_for_memory:
+ 	}
+ 
+ out:
+-	if (copied)
++	if (copied && !(flags & MSG_SENDPAGE_NOTLAST))
+ 		tcp_push(sk, flags, mss_now, tp->nonagle);
+ 	return copied;
+ 
+@@ -995,10 +996,9 @@ new_segment:
+ 				copy = seglen;
+ 
+ 			/* Where to copy to? */
+-			if (skb_tailroom(skb) > 0) {
++			if (skb_availroom(skb) > 0) {
+ 				/* We have some space in skb head. Superb! */
+-				if (copy > skb_tailroom(skb))
+-					copy = skb_tailroom(skb);
++				copy = min_t(int, copy, skb_availroom(skb));
+ 				err = skb_add_data_nocache(sk, skb, from, copy);
+ 				if (err)
+ 					goto do_fault;
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index e4d1e4a..daedc07 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -334,6 +334,7 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
+ 			incr = __tcp_grow_window(sk, skb);
+ 
+ 		if (incr) {
++			incr = max_t(int, incr, 2 * skb->len);
+ 			tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr,
+ 					       tp->window_clamp);
+ 			inet_csk(sk)->icsk_ack.quick |= 1;
+@@ -473,8 +474,11 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep)
+ 		if (!win_dep) {
+ 			m -= (new_sample >> 3);
+ 			new_sample += m;
+-		} else if (m < new_sample)
+-			new_sample = m << 3;
++		} else {
++			m <<= 3;
++			if (m < new_sample)
++				new_sample = m;
++		}
+ 	} else {
+ 		/* No previous measure. */
+ 		new_sample = m << 3;
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 097e0c7..c51dd5b 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1093,6 +1093,14 @@ static void __pskb_trim_head(struct sk_buff *skb, int len)
+ {
+ 	int i, k, eat;
+ 
++	eat = min_t(int, len, skb_headlen(skb));
++	if (eat) {
++		__skb_pull(skb, eat);
++		skb->avail_size -= eat;
++		len -= eat;
++		if (!len)
++			return;
++	}
+ 	eat = len;
+ 	k = 0;
+ 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
+@@ -1124,11 +1132,7 @@ int tcp_trim_head(struct sock *sk, struct sk_buff *skb, u32 len)
+ 	if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
+ 		return -ENOMEM;
+ 
+-	/* If len == headlen, we avoid __skb_pull to preserve alignment. */
+-	if (unlikely(len < skb_headlen(skb)))
+-		__skb_pull(skb, len);
+-	else
+-		__pskb_trim_head(skb, len - skb_headlen(skb));
++	__pskb_trim_head(skb, len);
+ 
+ 	TCP_SKB_CB(skb)->seq += len;
+ 	skb->ip_summed = CHECKSUM_PARTIAL;
+@@ -2057,7 +2061,7 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to,
+ 		/* Punt if not enough space exists in the first SKB for
+ 		 * the data in the second
+ 		 */
+-		if (skb->len > skb_tailroom(to))
++		if (skb->len > skb_availroom(to))
+ 			break;
+ 
+ 		if (after(TCP_SKB_CB(skb)->end_seq, tcp_wnd_end(tp)))
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index 2257366..f2d74ea 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -2054,7 +2054,7 @@ static int ip6_mc_add_src(struct inet6_dev *idev, const struct in6_addr *pmca,
+ 		if (!delta)
+ 			pmc->mca_sfcount[sfmode]--;
+ 		for (j=0; j<i; j++)
+-			(void) ip6_mc_del1_src(pmc, sfmode, &psfsrc[i]);
++			ip6_mc_del1_src(pmc, sfmode, &psfsrc[j]);
+ 	} else if (isexclude != (pmc->mca_sfcount[MCAST_EXCLUDE] != 0)) {
+ 		struct ip6_sf_list *psf;
+ 
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index b859e4a..4a56574 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1494,6 +1494,10 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
+ 	tcp_mtup_init(newsk);
+ 	tcp_sync_mss(newsk, dst_mtu(dst));
+ 	newtp->advmss = dst_metric_advmss(dst);
++	if (tcp_sk(sk)->rx_opt.user_mss &&
++	    tcp_sk(sk)->rx_opt.user_mss < newtp->advmss)
++		newtp->advmss = tcp_sk(sk)->rx_opt.user_mss;
++
+ 	tcp_initialize_rcv_mss(newsk);
+ 	if (tcp_rsk(req)->snt_synack)
+ 		tcp_valid_rtt_meas(newsk,
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index eff1f4e..4ff35bf 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1121,7 +1121,8 @@ ieee80211_tx_prepare(struct ieee80211_sub_if_data *sdata,
+ 		tx->sta = rcu_dereference(sdata->u.vlan.sta);
+ 		if (!tx->sta && sdata->dev->ieee80211_ptr->use_4addr)
+ 			return TX_DROP;
+-	} else if (info->flags & IEEE80211_TX_CTL_INJECTED) {
++	} else if (info->flags & IEEE80211_TX_CTL_INJECTED ||
++		   tx->sdata->control_port_protocol == tx->skb->protocol) {
+ 		tx->sta = sta_info_get_bss(sdata, hdr->addr1);
+ 	}
+ 	if (!tx->sta)
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 1201b6d..a99fb41 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -830,12 +830,19 @@ int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
+ 	return 0;
+ }
+ 
+-int netlink_sendskb(struct sock *sk, struct sk_buff *skb)
++static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb)
+ {
+ 	int len = skb->len;
+ 
+ 	skb_queue_tail(&sk->sk_receive_queue, skb);
+ 	sk->sk_data_ready(sk, len);
++	return len;
++}
++
++int netlink_sendskb(struct sock *sk, struct sk_buff *skb)
++{
++	int len = __netlink_sendskb(sk, skb);
++
+ 	sock_put(sk);
+ 	return len;
+ }
+@@ -960,8 +967,7 @@ static inline int netlink_broadcast_deliver(struct sock *sk,
+ 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf &&
+ 	    !test_bit(0, &nlk->state)) {
+ 		skb_set_owner_r(skb, sk);
+-		skb_queue_tail(&sk->sk_receive_queue, skb);
+-		sk->sk_data_ready(sk, skb->len);
++		__netlink_sendskb(sk, skb);
+ 		return atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf;
+ 	}
+ 	return -1;
+@@ -1684,10 +1690,8 @@ static int netlink_dump(struct sock *sk)
+ 
+ 		if (sk_filter(sk, skb))
+ 			kfree_skb(skb);
+-		else {
+-			skb_queue_tail(&sk->sk_receive_queue, skb);
+-			sk->sk_data_ready(sk, skb->len);
+-		}
++		else
++			__netlink_sendskb(sk, skb);
+ 		return 0;
+ 	}
+ 
+@@ -1701,10 +1705,8 @@ static int netlink_dump(struct sock *sk)
+ 
+ 	if (sk_filter(sk, skb))
+ 		kfree_skb(skb);
+-	else {
+-		skb_queue_tail(&sk->sk_receive_queue, skb);
+-		sk->sk_data_ready(sk, skb->len);
+-	}
++	else
++		__netlink_sendskb(sk, skb);
+ 
+ 	if (cb->done)
+ 		cb->done(cb);
+diff --git a/net/phonet/pep.c b/net/phonet/pep.c
+index 2ba6e9f..007546d 100644
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -1046,6 +1046,9 @@ static int pep_sendmsg(struct kiocb *iocb, struct sock *sk,
+ 	int flags = msg->msg_flags;
+ 	int err, done;
+ 
++	if (len > USHRT_MAX)
++		return -EMSGSIZE;
++
+ 	if ((msg->msg_flags & ~(MSG_DONTWAIT|MSG_EOR|MSG_NOSIGNAL|
+ 				MSG_CMSG_COMPAT)) ||
+ 			!(msg->msg_flags & MSG_EOR))
+diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
+index 6cd8ddf..e1afe0c 100644
+--- a/net/sched/sch_gred.c
++++ b/net/sched/sch_gred.c
+@@ -544,11 +544,8 @@ static int gred_dump(struct Qdisc *sch, struct sk_buff *skb)
+ 		opt.packets	= q->packetsin;
+ 		opt.bytesin	= q->bytesin;
+ 
+-		if (gred_wred_mode(table)) {
+-			q->parms.qidlestart =
+-				table->tab[table->def]->parms.qidlestart;
+-			q->parms.qavg = table->tab[table->def]->parms.qavg;
+-		}
++		if (gred_wred_mode(table))
++			gred_load_wred_set(table, q);
+ 
+ 		opt.qave = red_calc_qavg(&q->parms, q->parms.qavg);
+ 
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 54a7cd2..0075554 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4133,9 +4133,10 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+ 				  int __user *optlen)
+ {
+-	if (len < sizeof(struct sctp_event_subscribe))
++	if (len <= 0)
+ 		return -EINVAL;
+-	len = sizeof(struct sctp_event_subscribe);
++	if (len > sizeof(struct sctp_event_subscribe))
++		len = sizeof(struct sctp_event_subscribe);
+ 	if (put_user(len, optlen))
+ 		return -EFAULT;
+ 	if (copy_to_user(optval, &sctp_sk(sk)->subscribe, len))
+diff --git a/net/socket.c b/net/socket.c
+index 2dce67a..273cbce 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -791,9 +791,9 @@ static ssize_t sock_sendpage(struct file *file, struct page *page,
+ 
+ 	sock = file->private_data;
+ 
+-	flags = !(file->f_flags & O_NONBLOCK) ? 0 : MSG_DONTWAIT;
+-	if (more)
+-		flags |= MSG_MORE;
++	flags = (file->f_flags & O_NONBLOCK) ? MSG_DONTWAIT : 0;
++	/* more is a combination of MSG_MORE and MSG_SENDPAGE_NOTLAST */
++	flags |= more;
+ 
+ 	return kernel_sendpage(sock, page, offset, size, flags);
+ }
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index ffafda5..c06c365 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -1258,6 +1258,11 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
+ 			goto bad_res;
+ 		}
+ 
++		if (!netif_running(netdev)) {
++			result = -ENETDOWN;
++			goto bad_res;
++		}
++
+ 		nla_for_each_nested(nl_txq_params,
+ 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
+ 				    rem_txq_params) {
+@@ -5944,7 +5949,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_get_key,
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -5976,7 +5981,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+ 		.doit = nl80211_addset_beacon,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -5984,7 +5989,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+ 		.doit = nl80211_addset_beacon,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -6008,7 +6013,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_set_station,
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -6024,7 +6029,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_del_station,
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -6057,7 +6062,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_del_mpath,
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -6065,7 +6070,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_set_bss,
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -6091,7 +6096,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_get_mesh_config,
+ 		.policy = nl80211_policy,
+ 		/* can be retrieved by unprivileged users */
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -6224,7 +6229,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_setdel_pmksa,
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -6232,7 +6237,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_setdel_pmksa,
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -6240,7 +6245,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_flush_pmksa,
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+@@ -6328,7 +6333,7 @@ static struct genl_ops nl80211_ops[] = {
+ 		.doit = nl80211_set_wds_peer,
+ 		.policy = nl80211_policy,
+ 		.flags = GENL_ADMIN_PERM,
+-		.internal_flags = NL80211_FLAG_NEED_NETDEV |
++		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+ 				  NL80211_FLAG_NEED_RTNL,
+ 	},
+ 	{
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 4dde429..8bf8902 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -996,7 +996,7 @@ int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
+ 			if (rdev->wiphy.software_iftypes & BIT(iftype))
+ 				continue;
+ 			for (j = 0; j < c->n_limits; j++) {
+-				if (!(limits[j].types & iftype))
++				if (!(limits[j].types & BIT(iftype)))
+ 					continue;
+ 				if (limits[j].max < num[iftype])
+ 					goto cont;
+diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c
+index f936d1f..d1d0ae8 100644
+--- a/scripts/mod/file2alias.c
++++ b/scripts/mod/file2alias.c
+@@ -926,6 +926,10 @@ void handle_moddevtable(struct module *mod, struct elf_info *info,
+ 	if (!sym->st_shndx || get_secindex(info, sym) >= info->num_sections)
+ 		return;
+ 
++	/* We're looking for an object */
++	if (ELF_ST_TYPE(sym->st_info) != STT_OBJECT)
++		return;
++
+ 	/* Handle all-NULL symbols allocated into .bss */
+ 	if (info->sechdrs[get_secindex(info, sym)].sh_type & SHT_NOBITS) {
+ 		zeros = calloc(1, sym->st_size);
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index ae94929..51a1afc 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -4003,9 +4003,14 @@ static void cx_auto_init_output(struct hda_codec *codec)
+ 	int i;
+ 
+ 	mute_outputs(codec, spec->multiout.num_dacs, spec->multiout.dac_nids);
+-	for (i = 0; i < cfg->hp_outs; i++)
++	for (i = 0; i < cfg->hp_outs; i++) {
++		unsigned int val = PIN_OUT;
++		if (snd_hda_query_pin_caps(codec, cfg->hp_pins[i]) &
++		    AC_PINCAP_HP_DRV)
++			val |= AC_PINCTL_HP_EN;
+ 		snd_hda_codec_write(codec, cfg->hp_pins[i], 0,
+-				    AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_HP);
++				    AC_VERB_SET_PIN_WIDGET_CONTROL, val);
++	}
+ 	mute_outputs(codec, cfg->hp_outs, cfg->hp_pins);
+ 	mute_outputs(codec, cfg->line_outs, cfg->line_out_pins);
+ 	mute_outputs(codec, cfg->speaker_outs, cfg->speaker_pins);
+@@ -4408,8 +4413,10 @@ static void apply_pin_fixup(struct hda_codec *codec,
+ 
+ enum {
+ 	CXT_PINCFG_LENOVO_X200,
++	CXT_PINCFG_LENOVO_TP410,
+ };
+ 
++/* ThinkPad X200 & co with cxt5051 */
+ static const struct cxt_pincfg cxt_pincfg_lenovo_x200[] = {
+ 	{ 0x16, 0x042140ff }, /* HP (seq# overridden) */
+ 	{ 0x17, 0x21a11000 }, /* dock-mic */
+@@ -4417,15 +4424,33 @@ static const struct cxt_pincfg cxt_pincfg_lenovo_x200[] = {
+ 	{}
+ };
+ 
++/* ThinkPad 410/420/510/520, X201 & co with cxt5066 */
++static const struct cxt_pincfg cxt_pincfg_lenovo_tp410[] = {
++	{ 0x19, 0x042110ff }, /* HP (seq# overridden) */
++	{ 0x1a, 0x21a190f0 }, /* dock-mic */
++	{ 0x1c, 0x212140ff }, /* dock-HP */
++	{}
++};
++
+ static const struct cxt_pincfg *cxt_pincfg_tbl[] = {
+ 	[CXT_PINCFG_LENOVO_X200] = cxt_pincfg_lenovo_x200,
++	[CXT_PINCFG_LENOVO_TP410] = cxt_pincfg_lenovo_tp410,
+ };
+ 
+-static const struct snd_pci_quirk cxt_fixups[] = {
++static const struct snd_pci_quirk cxt5051_fixups[] = {
+ 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo X200", CXT_PINCFG_LENOVO_X200),
+ 	{}
+ };
+ 
++static const struct snd_pci_quirk cxt5066_fixups[] = {
++	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
++	SND_PCI_QUIRK(0x17aa, 0x215e, "Lenovo T410", CXT_PINCFG_LENOVO_TP410),
++	SND_PCI_QUIRK(0x17aa, 0x215f, "Lenovo T510", CXT_PINCFG_LENOVO_TP410),
++	SND_PCI_QUIRK(0x17aa, 0x21ce, "Lenovo T420", CXT_PINCFG_LENOVO_TP410),
++	SND_PCI_QUIRK(0x17aa, 0x21cf, "Lenovo T520", CXT_PINCFG_LENOVO_TP410),
++	{}
++};
++
+ /* add "fake" mute amp-caps to DACs on cx5051 so that mixer mute switches
+  * can be created (bko#42825)
+  */
+@@ -4462,11 +4487,13 @@ static int patch_conexant_auto(struct hda_codec *codec)
+ 		break;
+ 	case 0x14f15051:
+ 		add_cx5051_fake_mutes(codec);
++		apply_pin_fixup(codec, cxt5051_fixups, cxt_pincfg_tbl);
++		break;
++	default:
++		apply_pin_fixup(codec, cxt5066_fixups, cxt_pincfg_tbl);
+ 		break;
+ 	}
+ 
+-	apply_pin_fixup(codec, cxt_fixups, cxt_pincfg_tbl);
+-
+ 	err = cx_auto_search_adcs(codec);
+ 	if (err < 0)
+ 		return err;
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index dc8a6fc..0bc5a46 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5032,6 +5032,7 @@ static const struct alc_fixup alc269_fixups[] = {
+ };
+ 
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
++	SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_DMIC),
+ 	SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW),
+ 	SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
+ 	SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC),
+diff --git a/sound/soc/codecs/tlv320aic23.c b/sound/soc/codecs/tlv320aic23.c
+index 336de8f..0e7e26e 100644
+--- a/sound/soc/codecs/tlv320aic23.c
++++ b/sound/soc/codecs/tlv320aic23.c
+@@ -473,7 +473,7 @@ static int tlv320aic23_set_dai_sysclk(struct snd_soc_dai *codec_dai,
+ static int tlv320aic23_set_bias_level(struct snd_soc_codec *codec,
+ 				      enum snd_soc_bias_level level)
+ {
+-	u16 reg = snd_soc_read(codec, TLV320AIC23_PWR) & 0xff7f;
++	u16 reg = snd_soc_read(codec, TLV320AIC23_PWR) & 0x17f;
+ 
+ 	switch (level) {
+ 	case SND_SOC_BIAS_ON:
+@@ -492,7 +492,7 @@ static int tlv320aic23_set_bias_level(struct snd_soc_codec *codec,
+ 	case SND_SOC_BIAS_OFF:
+ 		/* everything off, dac mute, inactive */
+ 		snd_soc_write(codec, TLV320AIC23_ACTIVE, 0x0);
+-		snd_soc_write(codec, TLV320AIC23_PWR, 0xffff);
++		snd_soc_write(codec, TLV320AIC23_PWR, 0x1ff);
+ 		break;
+ 	}
+ 	codec->dapm.bias_level = level;
+diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c
+index 2f1f5f8..7806301 100644
+--- a/sound/soc/codecs/wm8994.c
++++ b/sound/soc/codecs/wm8994.c
+@@ -883,61 +883,170 @@ static void wm8994_update_class_w(struct snd_soc_codec *codec)
+ 	}
+ }
+ 
+-static int late_enable_ev(struct snd_soc_dapm_widget *w,
+-			  struct snd_kcontrol *kcontrol, int event)
++static int aif1clk_ev(struct snd_soc_dapm_widget *w,
++		      struct snd_kcontrol *kcontrol, int event)
+ {
+ 	struct snd_soc_codec *codec = w->codec;
+-	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
++	struct wm8994 *control = codec->control_data;
++	int mask = WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC1R_ENA;
++	int dac;
++	int adc;
++	int val;
++
++	switch (control->type) {
++	case WM8994:
++	case WM8958:
++		mask |= WM8994_AIF1DAC2L_ENA | WM8994_AIF1DAC2R_ENA;
++		break;
++	default:
++		break;
++	}
+ 
+ 	switch (event) {
+ 	case SND_SOC_DAPM_PRE_PMU:
+-		if (wm8994->aif1clk_enable) {
+-			snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1,
+-					    WM8994_AIF1CLK_ENA_MASK,
+-					    WM8994_AIF1CLK_ENA);
+-			wm8994->aif1clk_enable = 0;
+-		}
+-		if (wm8994->aif2clk_enable) {
+-			snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1,
+-					    WM8994_AIF2CLK_ENA_MASK,
+-					    WM8994_AIF2CLK_ENA);
+-			wm8994->aif2clk_enable = 0;
+-		}
++		val = snd_soc_read(codec, WM8994_AIF1_CONTROL_1);
++		if ((val & WM8994_AIF1ADCL_SRC) &&
++		    (val & WM8994_AIF1ADCR_SRC))
++			adc = WM8994_AIF1ADC1R_ENA | WM8994_AIF1ADC2R_ENA;
++		else if (!(val & WM8994_AIF1ADCL_SRC) &&
++			 !(val & WM8994_AIF1ADCR_SRC))
++			adc = WM8994_AIF1ADC1L_ENA | WM8994_AIF1ADC2L_ENA;
++		else
++			adc = WM8994_AIF1ADC1R_ENA | WM8994_AIF1ADC2R_ENA |
++				WM8994_AIF1ADC1L_ENA | WM8994_AIF1ADC2L_ENA;
++
++		val = snd_soc_read(codec, WM8994_AIF1_CONTROL_2);
++		if ((val & WM8994_AIF1DACL_SRC) &&
++		    (val & WM8994_AIF1DACR_SRC))
++			dac = WM8994_AIF1DAC1R_ENA | WM8994_AIF1DAC2R_ENA;
++		else if (!(val & WM8994_AIF1DACL_SRC) &&
++			 !(val & WM8994_AIF1DACR_SRC))
++			dac = WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC2L_ENA;
++		else
++			dac = WM8994_AIF1DAC1R_ENA | WM8994_AIF1DAC2R_ENA |
++				WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC2L_ENA;
++
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4,
++				    mask, adc);
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
++				    mask, dac);
++		snd_soc_update_bits(codec, WM8994_CLOCKING_1,
++				    WM8994_AIF1DSPCLK_ENA |
++				    WM8994_SYSDSPCLK_ENA,
++				    WM8994_AIF1DSPCLK_ENA |
++				    WM8994_SYSDSPCLK_ENA);
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, mask,
++				    WM8994_AIF1ADC1R_ENA |
++				    WM8994_AIF1ADC1L_ENA |
++				    WM8994_AIF1ADC2R_ENA |
++				    WM8994_AIF1ADC2L_ENA);
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, mask,
++				    WM8994_AIF1DAC1R_ENA |
++				    WM8994_AIF1DAC1L_ENA |
++				    WM8994_AIF1DAC2R_ENA |
++				    WM8994_AIF1DAC2L_ENA);
++		break;
++
++	case SND_SOC_DAPM_PRE_PMD:
++	case SND_SOC_DAPM_POST_PMD:
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
++				    mask, 0);
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4,
++				    mask, 0);
++
++		val = snd_soc_read(codec, WM8994_CLOCKING_1);
++		if (val & WM8994_AIF2DSPCLK_ENA)
++			val = WM8994_SYSDSPCLK_ENA;
++		else
++			val = 0;
++		snd_soc_update_bits(codec, WM8994_CLOCKING_1,
++				    WM8994_SYSDSPCLK_ENA |
++				    WM8994_AIF1DSPCLK_ENA, val);
+ 		break;
+ 	}
+ 
+-	/* We may also have postponed startup of DSP, handle that. */
+-	wm8958_aif_ev(w, kcontrol, event);
+-
+ 	return 0;
+ }
+ 
+-static int late_disable_ev(struct snd_soc_dapm_widget *w,
+-			   struct snd_kcontrol *kcontrol, int event)
++static int aif2clk_ev(struct snd_soc_dapm_widget *w,
++		      struct snd_kcontrol *kcontrol, int event)
+ {
+ 	struct snd_soc_codec *codec = w->codec;
+-	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
++	int dac;
++	int adc;
++	int val;
+ 
+ 	switch (event) {
++	case SND_SOC_DAPM_PRE_PMU:
++		val = snd_soc_read(codec, WM8994_AIF2_CONTROL_1);
++		if ((val & WM8994_AIF2ADCL_SRC) &&
++		    (val & WM8994_AIF2ADCR_SRC))
++			adc = WM8994_AIF2ADCR_ENA;
++		else if (!(val & WM8994_AIF2ADCL_SRC) &&
++			 !(val & WM8994_AIF2ADCR_SRC))
++			adc = WM8994_AIF2ADCL_ENA;
++		else
++			adc = WM8994_AIF2ADCL_ENA | WM8994_AIF2ADCR_ENA;
++
++
++		val = snd_soc_read(codec, WM8994_AIF2_CONTROL_2);
++		if ((val & WM8994_AIF2DACL_SRC) &&
++		    (val & WM8994_AIF2DACR_SRC))
++			dac = WM8994_AIF2DACR_ENA;
++		else if (!(val & WM8994_AIF2DACL_SRC) &&
++			 !(val & WM8994_AIF2DACR_SRC))
++			dac = WM8994_AIF2DACL_ENA;
++		else
++			dac = WM8994_AIF2DACL_ENA | WM8994_AIF2DACR_ENA;
++
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4,
++				    WM8994_AIF2ADCL_ENA |
++				    WM8994_AIF2ADCR_ENA, adc);
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
++				    WM8994_AIF2DACL_ENA |
++				    WM8994_AIF2DACR_ENA, dac);
++		snd_soc_update_bits(codec, WM8994_CLOCKING_1,
++				    WM8994_AIF2DSPCLK_ENA |
++				    WM8994_SYSDSPCLK_ENA,
++				    WM8994_AIF2DSPCLK_ENA |
++				    WM8994_SYSDSPCLK_ENA);
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4,
++				    WM8994_AIF2ADCL_ENA |
++				    WM8994_AIF2ADCR_ENA,
++				    WM8994_AIF2ADCL_ENA |
++				    WM8994_AIF2ADCR_ENA);
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
++				    WM8994_AIF2DACL_ENA |
++				    WM8994_AIF2DACR_ENA,
++				    WM8994_AIF2DACL_ENA |
++				    WM8994_AIF2DACR_ENA);
++		break;
++
++	case SND_SOC_DAPM_PRE_PMD:
+ 	case SND_SOC_DAPM_POST_PMD:
+-		if (wm8994->aif1clk_disable) {
+-			snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1,
+-					    WM8994_AIF1CLK_ENA_MASK, 0);
+-			wm8994->aif1clk_disable = 0;
+-		}
+-		if (wm8994->aif2clk_disable) {
+-			snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1,
+-					    WM8994_AIF2CLK_ENA_MASK, 0);
+-			wm8994->aif2clk_disable = 0;
+-		}
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
++				    WM8994_AIF2DACL_ENA |
++				    WM8994_AIF2DACR_ENA, 0);
++		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
++				    WM8994_AIF2ADCL_ENA |
++				    WM8994_AIF2ADCR_ENA, 0);
++
++		val = snd_soc_read(codec, WM8994_CLOCKING_1);
++		if (val & WM8994_AIF1DSPCLK_ENA)
++			val = WM8994_SYSDSPCLK_ENA;
++		else
++			val = 0;
++		snd_soc_update_bits(codec, WM8994_CLOCKING_1,
++				    WM8994_SYSDSPCLK_ENA |
++				    WM8994_AIF2DSPCLK_ENA, val);
+ 		break;
+ 	}
+ 
+ 	return 0;
+ }
+ 
+-static int aif1clk_ev(struct snd_soc_dapm_widget *w,
+-		      struct snd_kcontrol *kcontrol, int event)
++static int aif1clk_late_ev(struct snd_soc_dapm_widget *w,
++			   struct snd_kcontrol *kcontrol, int event)
+ {
+ 	struct snd_soc_codec *codec = w->codec;
+ 	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+@@ -954,8 +1063,8 @@ static int aif1clk_ev(struct snd_soc_dapm_widget *w,
+ 	return 0;
+ }
+ 
+-static int aif2clk_ev(struct snd_soc_dapm_widget *w,
+-		      struct snd_kcontrol *kcontrol, int event)
++static int aif2clk_late_ev(struct snd_soc_dapm_widget *w,
++			   struct snd_kcontrol *kcontrol, int event)
+ {
+ 	struct snd_soc_codec *codec = w->codec;
+ 	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+@@ -972,6 +1081,63 @@ static int aif2clk_ev(struct snd_soc_dapm_widget *w,
+ 	return 0;
+ }
+ 
++static int late_enable_ev(struct snd_soc_dapm_widget *w,
++			  struct snd_kcontrol *kcontrol, int event)
++{
++	struct snd_soc_codec *codec = w->codec;
++	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
++
++	switch (event) {
++	case SND_SOC_DAPM_PRE_PMU:
++		if (wm8994->aif1clk_enable) {
++			aif1clk_ev(w, kcontrol, event);
++			snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1,
++					    WM8994_AIF1CLK_ENA_MASK,
++					    WM8994_AIF1CLK_ENA);
++			wm8994->aif1clk_enable = 0;
++		}
++		if (wm8994->aif2clk_enable) {
++			aif2clk_ev(w, kcontrol, event);
++			snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1,
++					    WM8994_AIF2CLK_ENA_MASK,
++					    WM8994_AIF2CLK_ENA);
++			wm8994->aif2clk_enable = 0;
++		}
++		break;
++	}
++
++	/* We may also have postponed startup of DSP, handle that. */
++	wm8958_aif_ev(w, kcontrol, event);
++
++	return 0;
++}
++
++static int late_disable_ev(struct snd_soc_dapm_widget *w,
++			   struct snd_kcontrol *kcontrol, int event)
++{
++	struct snd_soc_codec *codec = w->codec;
++	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
++
++	switch (event) {
++	case SND_SOC_DAPM_POST_PMD:
++		if (wm8994->aif1clk_disable) {
++			snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1,
++					    WM8994_AIF1CLK_ENA_MASK, 0);
++			aif1clk_ev(w, kcontrol, event);
++			wm8994->aif1clk_disable = 0;
++		}
++		if (wm8994->aif2clk_disable) {
++			snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1,
++					    WM8994_AIF2CLK_ENA_MASK, 0);
++			aif2clk_ev(w, kcontrol, event);
++			wm8994->aif2clk_disable = 0;
++		}
++		break;
++	}
++
++	return 0;
++}
++
+ static int adc_mux_ev(struct snd_soc_dapm_widget *w,
+ 		      struct snd_kcontrol *kcontrol, int event)
+ {
+@@ -1268,9 +1434,9 @@ static const struct snd_kcontrol_new aif2dacr_src_mux =
+ 	SOC_DAPM_ENUM("AIF2DACR Mux", aif2dacr_src_enum);
+ 
+ static const struct snd_soc_dapm_widget wm8994_lateclk_revd_widgets[] = {
+-SND_SOC_DAPM_SUPPLY("AIF1CLK", SND_SOC_NOPM, 0, 0, aif1clk_ev,
++SND_SOC_DAPM_SUPPLY("AIF1CLK", SND_SOC_NOPM, 0, 0, aif1clk_late_ev,
+ 	SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD),
+-SND_SOC_DAPM_SUPPLY("AIF2CLK", SND_SOC_NOPM, 0, 0, aif2clk_ev,
++SND_SOC_DAPM_SUPPLY("AIF2CLK", SND_SOC_NOPM, 0, 0, aif2clk_late_ev,
+ 	SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD),
+ 
+ SND_SOC_DAPM_PGA_E("Late DAC1L Enable PGA", SND_SOC_NOPM, 0, 0, NULL, 0,
+@@ -1299,8 +1465,10 @@ SND_SOC_DAPM_POST("Late Disable PGA", late_disable_ev)
+ };
+ 
+ static const struct snd_soc_dapm_widget wm8994_lateclk_widgets[] = {
+-SND_SOC_DAPM_SUPPLY("AIF1CLK", WM8994_AIF1_CLOCKING_1, 0, 0, NULL, 0),
+-SND_SOC_DAPM_SUPPLY("AIF2CLK", WM8994_AIF2_CLOCKING_1, 0, 0, NULL, 0),
++SND_SOC_DAPM_SUPPLY("AIF1CLK", WM8994_AIF1_CLOCKING_1, 0, 0, aif1clk_ev,
++		    SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD),
++SND_SOC_DAPM_SUPPLY("AIF2CLK", WM8994_AIF2_CLOCKING_1, 0, 0, aif2clk_ev,
++		    SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD),
+ SND_SOC_DAPM_PGA("Direct Voice", SND_SOC_NOPM, 0, 0, NULL, 0),
+ SND_SOC_DAPM_MIXER("SPKL", WM8994_POWER_MANAGEMENT_3, 8, 0,
+ 		   left_speaker_mixer, ARRAY_SIZE(left_speaker_mixer)),
+@@ -1353,30 +1521,30 @@ SND_SOC_DAPM_SUPPLY("VMID", SND_SOC_NOPM, 0, 0, vmid_event,
+ SND_SOC_DAPM_SUPPLY("CLK_SYS", SND_SOC_NOPM, 0, 0, clk_sys_event,
+ 		    SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD),
+ 
+-SND_SOC_DAPM_SUPPLY("DSP1CLK", WM8994_CLOCKING_1, 3, 0, NULL, 0),
+-SND_SOC_DAPM_SUPPLY("DSP2CLK", WM8994_CLOCKING_1, 2, 0, NULL, 0),
+-SND_SOC_DAPM_SUPPLY("DSPINTCLK", WM8994_CLOCKING_1, 1, 0, NULL, 0),
++SND_SOC_DAPM_SUPPLY("DSP1CLK", SND_SOC_NOPM, 3, 0, NULL, 0),
++SND_SOC_DAPM_SUPPLY("DSP2CLK", SND_SOC_NOPM, 2, 0, NULL, 0),
++SND_SOC_DAPM_SUPPLY("DSPINTCLK", SND_SOC_NOPM, 1, 0, NULL, 0),
+ 
+ SND_SOC_DAPM_AIF_OUT("AIF1ADC1L", NULL,
+-		     0, WM8994_POWER_MANAGEMENT_4, 9, 0),
++		     0, SND_SOC_NOPM, 9, 0),
+ SND_SOC_DAPM_AIF_OUT("AIF1ADC1R", NULL,
+-		     0, WM8994_POWER_MANAGEMENT_4, 8, 0),
++		     0, SND_SOC_NOPM, 8, 0),
+ SND_SOC_DAPM_AIF_IN_E("AIF1DAC1L", NULL, 0,
+-		      WM8994_POWER_MANAGEMENT_5, 9, 0, wm8958_aif_ev,
++		      SND_SOC_NOPM, 9, 0, wm8958_aif_ev,
+ 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
+ SND_SOC_DAPM_AIF_IN_E("AIF1DAC1R", NULL, 0,
+-		      WM8994_POWER_MANAGEMENT_5, 8, 0, wm8958_aif_ev,
++		      SND_SOC_NOPM, 8, 0, wm8958_aif_ev,
+ 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
+ 
+ SND_SOC_DAPM_AIF_OUT("AIF1ADC2L", NULL,
+-		     0, WM8994_POWER_MANAGEMENT_4, 11, 0),
++		     0, SND_SOC_NOPM, 11, 0),
+ SND_SOC_DAPM_AIF_OUT("AIF1ADC2R", NULL,
+-		     0, WM8994_POWER_MANAGEMENT_4, 10, 0),
++		     0, SND_SOC_NOPM, 10, 0),
+ SND_SOC_DAPM_AIF_IN_E("AIF1DAC2L", NULL, 0,
+-		      WM8994_POWER_MANAGEMENT_5, 11, 0, wm8958_aif_ev,
++		      SND_SOC_NOPM, 11, 0, wm8958_aif_ev,
+ 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
+ SND_SOC_DAPM_AIF_IN_E("AIF1DAC2R", NULL, 0,
+-		      WM8994_POWER_MANAGEMENT_5, 10, 0, wm8958_aif_ev,
++		      SND_SOC_NOPM, 10, 0, wm8958_aif_ev,
+ 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
+ 
+ SND_SOC_DAPM_MIXER("AIF1ADC1L Mixer", SND_SOC_NOPM, 0, 0,
+@@ -1403,14 +1571,14 @@ SND_SOC_DAPM_MIXER("DAC1R Mixer", SND_SOC_NOPM, 0, 0,
+ 		   dac1r_mix, ARRAY_SIZE(dac1r_mix)),
+ 
+ SND_SOC_DAPM_AIF_OUT("AIF2ADCL", NULL, 0,
+-		     WM8994_POWER_MANAGEMENT_4, 13, 0),
++		     SND_SOC_NOPM, 13, 0),
+ SND_SOC_DAPM_AIF_OUT("AIF2ADCR", NULL, 0,
+-		     WM8994_POWER_MANAGEMENT_4, 12, 0),
++		     SND_SOC_NOPM, 12, 0),
+ SND_SOC_DAPM_AIF_IN_E("AIF2DACL", NULL, 0,
+-		      WM8994_POWER_MANAGEMENT_5, 13, 0, wm8958_aif_ev,
++		      SND_SOC_NOPM, 13, 0, wm8958_aif_ev,
+ 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD),
+ SND_SOC_DAPM_AIF_IN_E("AIF2DACR", NULL, 0,
+-		      WM8994_POWER_MANAGEMENT_5, 12, 0, wm8958_aif_ev,
++		      SND_SOC_NOPM, 12, 0, wm8958_aif_ev,
+ 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD),
+ 
+ SND_SOC_DAPM_AIF_IN("AIF1DACDAT", "AIF1 Playback", 0, SND_SOC_NOPM, 0, 0),
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index ea909c5..90e93bf 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -69,6 +69,7 @@ static int dapm_up_seq[] = {
+ 	[snd_soc_dapm_out_drv] = 10,
+ 	[snd_soc_dapm_hp] = 10,
+ 	[snd_soc_dapm_spk] = 10,
++	[snd_soc_dapm_line] = 10,
+ 	[snd_soc_dapm_post] = 11,
+ };
+ 
+@@ -77,6 +78,7 @@ static int dapm_down_seq[] = {
+ 	[snd_soc_dapm_adc] = 1,
+ 	[snd_soc_dapm_hp] = 2,
+ 	[snd_soc_dapm_spk] = 2,
++	[snd_soc_dapm_line] = 2,
+ 	[snd_soc_dapm_out_drv] = 2,
+ 	[snd_soc_dapm_pga] = 4,
+ 	[snd_soc_dapm_mixer_named_ctl] = 5,
+diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
+index adb372d..e0a0970 100644
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -237,8 +237,8 @@ struct hist_entry *__hists__add_entry(struct hists *hists,
+ 			 * mis-adjust symbol addresses when computing
+ 			 * the history counter to increment.
+ 			 */
+-			if (he->ms.map != entry->ms.map) {
+-				he->ms.map = entry->ms.map;
++			if (he->ms.map != entry.ms.map) {
++				he->ms.map = entry.ms.map;
+ 				if (he->ms.map)
+ 					he->ms.map->referenced = true;
+ 			}
+diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
+index a195c07..fd817a2 100644
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -309,6 +309,11 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
+ 	}
+ }
+ 
++void kvm_iommu_unmap_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
++{
++	kvm_iommu_put_pages(kvm, slot->base_gfn, slot->npages);
++}
++
+ static int kvm_iommu_unmap_memslots(struct kvm *kvm)
+ {
+ 	int i, idx;
+@@ -317,10 +322,9 @@ static int kvm_iommu_unmap_memslots(struct kvm *kvm)
+ 	idx = srcu_read_lock(&kvm->srcu);
+ 	slots = kvm_memslots(kvm);
+ 
+-	for (i = 0; i < slots->nmemslots; i++) {
+-		kvm_iommu_put_pages(kvm, slots->memslots[i].base_gfn,
+-				    slots->memslots[i].npages);
+-	}
++	for (i = 0; i < slots->nmemslots; i++)
++		kvm_iommu_unmap_pages(kvm, &slots->memslots[i]);
++
+ 	srcu_read_unlock(&kvm->srcu, idx);
+ 
+ 	return 0;
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index d9cfb78..e401c1b 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -802,12 +802,13 @@ skip_lpage:
+ 	if (r)
+ 		goto out_free;
+ 
+-	/* map the pages in iommu page table */
++	/* map/unmap the pages in iommu page table */
+ 	if (npages) {
+ 		r = kvm_iommu_map_pages(kvm, &new);
+ 		if (r)
+ 			goto out_free;
+-	}
++	} else
++		kvm_iommu_unmap_pages(kvm, &old);
+ 
+ 	r = -ENOMEM;
+ 	slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL);
diff --git a/3.2.16/4420_grsecurity-2.9-3.2.16-201205071838.patch b/3.2.17/4420_grsecurity-2.9-3.2.17-201205131657.patch
index 390b567..8ddeecb 100644
--- a/3.2.16/4420_grsecurity-2.9-3.2.16-201205071838.patch
+++ b/3.2.17/4420_grsecurity-2.9-3.2.17-201205131657.patch
@@ -195,7 +195,7 @@ index 81c287f..d456d02 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index 3da29cb..47b7468 100644
+index 4c4efa3..1171c69 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1454,6 +1454,34 @@ index 984014b..a6d914f 100644
  #endif /* __ASSEMBLY__ */
  
  #define arch_align_stack(x) (x)
+diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
+index 7b5cc8d..5d70d88 100644
+--- a/arch/arm/include/asm/thread_info.h
++++ b/arch/arm/include/asm/thread_info.h
+@@ -139,6 +139,12 @@ extern void vfp_flush_hwstate(struct thread_info *);
+ #define TIF_NEED_RESCHED	1
+ #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
+ #define TIF_SYSCALL_TRACE	8
++
++/* within 8 bits of TIF_SYSCALL_TRACE
++   to meet flexible second operand requirements
++*/
++#define TIF_GRSEC_SETXID	9
++
+ #define TIF_POLLING_NRFLAG	16
+ #define TIF_USING_IWMMXT	17
+ #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
+@@ -155,6 +161,10 @@ extern void vfp_flush_hwstate(struct thread_info *);
+ #define _TIF_FREEZE		(1 << TIF_FREEZE)
+ #define _TIF_RESTORE_SIGMASK	(1 << TIF_RESTORE_SIGMASK)
+ #define _TIF_SECCOMP		(1 << TIF_SECCOMP)
++#define _TIF_GRSEC_SETXID	(1 << TIF_GRSEC_SETXID)
++
++/* Checks for any syscall work in entry-common.S */
++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_GRSEC_SETXID)
+ 
+ /*
+  * Change these and you break ASM code in entry-common.S
 diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
 index b293616..96310e5 100644
 --- a/arch/arm/include/asm/uaccess.h
@@ -1528,6 +1556,28 @@ index 5b0bce6..becd81c 100644
  EXPORT_SYMBOL(__clear_user);
  
  EXPORT_SYMBOL(__get_user_1);
+diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
+index b2a27b6..520889c 100644
+--- a/arch/arm/kernel/entry-common.S
++++ b/arch/arm/kernel/entry-common.S
+@@ -87,7 +87,7 @@ ENTRY(ret_from_fork)
+ 	get_thread_info tsk
+ 	ldr	r1, [tsk, #TI_FLAGS]		@ check for syscall tracing
+ 	mov	why, #1
+-	tst	r1, #_TIF_SYSCALL_TRACE		@ are we tracing syscalls?
++	tst	r1, #_TIF_SYSCALL_WORK		@ are we tracing syscalls?
+ 	beq	ret_slow_syscall
+ 	mov	r1, sp
+ 	mov	r0, #1				@ trace exit [IP = 1]
+@@ -443,7 +443,7 @@ ENTRY(vector_swi)
+ 1:
+ #endif
+ 
+-	tst	r10, #_TIF_SYSCALL_TRACE		@ are we tracing syscalls?
++	tst	r10, #_TIF_SYSCALL_WORK		@ are we tracing syscalls?
+ 	bne	__sys_trace
+ 
+ 	cmp	scno, #NR_syscalls		@ check upper syscall limit
 diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
 index 3d0c6fb..9d326fa 100644
 --- a/arch/arm/kernel/process.c
@@ -1579,6 +1629,30 @@ index 3d0c6fb..9d326fa 100644
  #ifdef CONFIG_MMU
  /*
   * The vectors page is always readable from user space for the
+diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
+index 90fa8b3..a3a2212 100644
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -904,10 +904,19 @@ long arch_ptrace(struct task_struct *child, long request,
+ 	return ret;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno)
+ {
+ 	unsigned long ip;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
+ 		return scno;
+ 	if (!(current->ptrace & PT_PTRACED))
 diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
 index 8fc2c8f..064c150 100644
 --- a/arch/arm/kernel/setup.c
@@ -2779,6 +2853,40 @@ index 6018c80..7c37203 100644
 +#define arch_align_stack(x) ((x) & ~0xfUL)
  
  #endif /* _ASM_SYSTEM_H */
+diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
+index 97f8bf6..3986751 100644
+--- a/arch/mips/include/asm/thread_info.h
++++ b/arch/mips/include/asm/thread_info.h
+@@ -124,6 +124,8 @@ register struct thread_info *__current_thread_info __asm__("$28");
+ #define TIF_32BIT_ADDR		23	/* 32-bit address space (o32/n32) */
+ #define TIF_FPUBOUND		24	/* thread bound to FPU-full CPU set */
+ #define TIF_LOAD_WATCH		25	/* If set, load watch registers */
++/* li takes a 32bit immediate */
++#define TIF_GRSEC_SETXID	29	/* update credentials on syscall entry/exit */
+ #define TIF_SYSCALL_TRACE	31	/* syscall trace active */
+ 
+ #ifdef CONFIG_MIPS32_O32
+@@ -148,15 +150,18 @@ register struct thread_info *__current_thread_info __asm__("$28");
+ #define _TIF_32BIT_ADDR		(1<<TIF_32BIT_ADDR)
+ #define _TIF_FPUBOUND		(1<<TIF_FPUBOUND)
+ #define _TIF_LOAD_WATCH		(1<<TIF_LOAD_WATCH)
++#define _TIF_GRSEC_SETXID	(1<<TIF_GRSEC_SETXID)
++
++#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do in syscall_trace_leave() */
+-#define _TIF_WORK_SYSCALL_EXIT	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
++#define _TIF_WORK_SYSCALL_EXIT	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do on interrupt/exception return */
+ #define _TIF_WORK_MASK		(0x0000ffef &				\
+ 					~(_TIF_SECCOMP | _TIF_SYSCALL_AUDIT))
+ /* work to do on any return to u-space */
+-#define _TIF_ALLWORK_MASK	(0x8000ffff & ~_TIF_SECCOMP)
++#define _TIF_ALLWORK_MASK	((0x8000ffff & ~_TIF_SECCOMP) | _TIF_GRSEC_SETXID)
+ 
+ #endif /* __KERNEL__ */
+ 
 diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c
 index 9fdd8bc..4bd7f1a 100644
 --- a/arch/mips/kernel/binfmt_elfn32.c
@@ -2835,6 +2943,85 @@ index c47f96e..661d418 100644
 -
 -	return sp & ALMASK;
 -}
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index 4e6ea1f..0922422 100644
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -529,6 +529,10 @@ static inline int audit_arch(void)
+ 	return arch;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
+  * Notification of system call entry/exit
+  * - triggered by current->work.syscall_trace
+@@ -538,6 +542,11 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
+ 	/* do the secure computing check first */
+ 	secure_computing(regs->regs[2]);
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (!(current->ptrace & PT_PTRACED))
+ 		goto out;
+ 
+diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
+index a632bc1..0b77c7c 100644
+--- a/arch/mips/kernel/scall32-o32.S
++++ b/arch/mips/kernel/scall32-o32.S
+@@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp)
+ 
+ stack_done:
+ 	lw	t0, TI_FLAGS($28)	# syscall tracing enabled?
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	and	t0, t1
+ 	bnez	t0, syscall_trace_entry	# -> yes
+ 
+diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
+index 3b5a5e9..e1ee86d 100644
+--- a/arch/mips/kernel/scall64-64.S
++++ b/arch/mips/kernel/scall64-64.S
+@@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp)
+ 
+ 	sd	a3, PT_R26(sp)		# save a3 for syscall restarting
+ 
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
+ 	and	t0, t1, t0
+ 	bnez	t0, syscall_trace_entry
+diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
+index 6be6f70..1859577 100644
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -53,7 +53,7 @@ NESTED(handle_sysn32, PT_SIZE, sp)
+ 
+ 	sd	a3, PT_R26(sp)		# save a3 for syscall restarting
+ 
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
+ 	and	t0, t1, t0
+ 	bnez	t0, n32_syscall_trace_entry
+diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
+index 5422855..74e63a3 100644
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp)
+ 	PTR	4b, bad_stack
+ 	.previous
+ 
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
+ 	and	t0, t1, t0
+ 	bnez	t0, trace_a_syscall
 diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
 index 937cf33..adb39bb 100644
 --- a/arch/mips/mm/fault.c
@@ -3677,6 +3864,41 @@ index e30a13d..2b7d994 100644
  
  /* Used in very early kernel initialization. */
  extern unsigned long reloc_offset(void);
+diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
+index 836f231..8403cfb 100644
+--- a/arch/powerpc/include/asm/thread_info.h
++++ b/arch/powerpc/include/asm/thread_info.h
+@@ -104,7 +104,6 @@ static inline struct thread_info *current_thread_info(void)
+ #define TIF_PERFMON_CTXSW	6	/* perfmon needs ctxsw calls */
+ #define TIF_SYSCALL_AUDIT	7	/* syscall auditing active */
+ #define TIF_SINGLESTEP		8	/* singlestepping active */
+-#define TIF_MEMDIE		9	/* is terminating due to OOM killer */
+ #define TIF_SECCOMP		10	/* secure computing */
+ #define TIF_RESTOREALL		11	/* Restore all regs (implies NOERROR) */
+ #define TIF_NOERROR		12	/* Force successful syscall return */
+@@ -112,6 +111,9 @@ static inline struct thread_info *current_thread_info(void)
+ #define TIF_FREEZE		14	/* Freezing for suspend */
+ #define TIF_SYSCALL_TRACEPOINT	15	/* syscall tracepoint instrumentation */
+ #define TIF_RUNLATCH		16	/* Is the runlatch enabled? */
++#define TIF_MEMDIE		17	/* is terminating due to OOM killer */
++/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */
++#define TIF_GRSEC_SETXID	9	/* update credentials on syscall entry/exit */
+ 
+ /* as above, but as bit values */
+ #define _TIF_SYSCALL_TRACE	(1<<TIF_SYSCALL_TRACE)
+@@ -130,8 +132,11 @@ static inline struct thread_info *current_thread_info(void)
+ #define _TIF_FREEZE		(1<<TIF_FREEZE)
+ #define _TIF_SYSCALL_TRACEPOINT	(1<<TIF_SYSCALL_TRACEPOINT)
+ #define _TIF_RUNLATCH		(1<<TIF_RUNLATCH)
++#define _TIF_GRSEC_SETXID	(1<<TIF_GRSEC_SETXID)
++
+ #define _TIF_SYSCALL_T_OR_A	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+-				 _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT)
++				 _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT \
++				 _TIF_GRSEC_SETXID)
+ 
+ #define _TIF_USER_WORK_MASK	(_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
+ 				 _TIF_NOTIFY_RESUME)
 diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
 index bd0fb84..a42a14b 100644
 --- a/arch/powerpc/include/asm/uaccess.h
@@ -4053,6 +4275,45 @@ index 6457574..08b28d3 100644
 -
 -	return ret;
 -}
+diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
+index 5de73db..a05f61c 100644
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -1702,6 +1702,10 @@ long arch_ptrace(struct task_struct *child, long request,
+ 	return ret;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
+  * We must return the syscall number to actually look up in the table.
+  * This can be -1L to skip running any syscall at all.
+@@ -1712,6 +1716,11 @@ long do_syscall_trace_enter(struct pt_regs *regs)
+ 
+ 	secure_computing(regs->gpr[0]);
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (test_thread_flag(TIF_SYSCALL_TRACE) &&
+ 	    tracehook_report_syscall_entry(regs))
+ 		/*
+@@ -1748,6 +1757,11 @@ void do_syscall_trace_leave(struct pt_regs *regs)
+ {
+ 	int step;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (unlikely(current->audit_context))
+ 		audit_syscall_exit((regs->ccr&0x10000000)?AUDITSC_FAILURE:AUDITSC_SUCCESS,
+ 				   regs->result);
 diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
 index 836a5a1..27289a3 100644
 --- a/arch/powerpc/kernel/signal_32.c
@@ -5278,7 +5539,7 @@ index fa57532..e1a4c53 100644
  
  /*
 diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h
-index 60d86be..952dea1 100644
+index 60d86be..6389ac8 100644
 --- a/arch/sparc/include/asm/thread_info_64.h
 +++ b/arch/sparc/include/asm/thread_info_64.h
 @@ -63,6 +63,8 @@ struct thread_info {
@@ -5290,6 +5551,38 @@ index 60d86be..952dea1 100644
  	unsigned long		fpregs[0] __attribute__ ((aligned(64)));
  };
  
+@@ -214,10 +216,11 @@ register struct thread_info *current_thread_info_reg asm("g6");
+ #define TIF_UNALIGNED		5	/* allowed to do unaligned accesses */
+ /* flag bit 6 is available */
+ #define TIF_32BIT		7	/* 32-bit binary */
+-/* flag bit 8 is available */
++#define TIF_GRSEC_SETXID	8	/* update credentials on syscall entry/exit */
+ #define TIF_SECCOMP		9	/* secure computing */
+ #define TIF_SYSCALL_AUDIT	10	/* syscall auditing active */
+ #define TIF_SYSCALL_TRACEPOINT	11	/* syscall tracepoint instrumentation */
++
+ /* NOTE: Thread flags >= 12 should be ones we have no interest
+  *       in using in assembly, else we can't use the mask as
+  *       an immediate value in instructions such as andcc.
+@@ -238,12 +241,18 @@ register struct thread_info *current_thread_info_reg asm("g6");
+ #define _TIF_SYSCALL_TRACEPOINT	(1<<TIF_SYSCALL_TRACEPOINT)
+ #define _TIF_POLLING_NRFLAG	(1<<TIF_POLLING_NRFLAG)
+ #define _TIF_FREEZE		(1<<TIF_FREEZE)
++#define _TIF_GRSEC_SETXID	(1<<TIF_GRSEC_SETXID)
+ 
+ #define _TIF_USER_WORK_MASK	((0xff << TI_FLAG_WSAVED_SHIFT) | \
+ 				 _TIF_DO_NOTIFY_RESUME_MASK | \
+ 				 _TIF_NEED_RESCHED)
+ #define _TIF_DO_NOTIFY_RESUME_MASK	(_TIF_NOTIFY_RESUME | _TIF_SIGPENDING)
+ 
++#define _TIF_WORK_SYSCALL		\
++	(_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \
++	 _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
++
++
+ /*
+  * Thread-synchronous status.
+  *
 diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h
 index e88fbe5..96b0ce5 100644
 --- a/arch/sparc/include/asm/uaccess.h
@@ -5500,6 +5793,45 @@ index 3739a06..48b2ff0 100644
  			       (void *) gp->tpc,
  			       (void *) gp->o7,
  			       (void *) gp->i7,
+diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
+index 96ee50a..68ce124 100644
+--- a/arch/sparc/kernel/ptrace_64.c
++++ b/arch/sparc/kernel/ptrace_64.c
+@@ -1058,6 +1058,10 @@ long arch_ptrace(struct task_struct *child, long request,
+ 	return ret;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ {
+ 	int ret = 0;
+@@ -1065,6 +1069,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ 	/* do the secure computing check first */
+ 	secure_computing(regs->u_regs[UREG_G1]);
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (test_thread_flag(TIF_SYSCALL_TRACE))
+ 		ret = tracehook_report_syscall_entry(regs);
+ 
+@@ -1086,6 +1095,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ 
+ asmlinkage void syscall_trace_leave(struct pt_regs *regs)
+ {
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ #ifdef CONFIG_AUDITSYSCALL
+ 	if (unlikely(current->audit_context)) {
+ 		unsigned long tstate = regs->tstate;
 diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
 index 42b282f..28ce9f2 100644
 --- a/arch/sparc/kernel/sys_sparc_32.c
@@ -5673,6 +6005,55 @@ index 441521a..b767073 100644
  		mm->get_unmapped_area = arch_get_unmapped_area_topdown;
  		mm->unmap_area = arch_unmap_area_topdown;
  	}
+diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
+index 1d7e274..b39c527 100644
+--- a/arch/sparc/kernel/syscalls.S
++++ b/arch/sparc/kernel/syscalls.S
+@@ -62,7 +62,7 @@ sys32_rt_sigreturn:
+ #endif
+ 	.align	32
+ 1:	ldx	[%g6 + TI_FLAGS], %l5
+-	andcc	%l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
++	andcc	%l5, _TIF_WORK_SYSCALL, %g0
+ 	be,pt	%icc, rtrap
+ 	 nop
+ 	call	syscall_trace_leave
+@@ -179,7 +179,7 @@ linux_sparc_syscall32:
+ 
+ 	srl	%i5, 0, %o5				! IEU1
+ 	srl	%i2, 0, %o2				! IEU0	Group
+-	andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
++	andcc	%l0, _TIF_WORK_SYSCALL, %g0
+ 	bne,pn	%icc, linux_syscall_trace32		! CTI
+ 	 mov	%i0, %l5				! IEU1
+ 	call	%l7					! CTI	Group brk forced
+@@ -202,7 +202,7 @@ linux_sparc_syscall:
+ 
+ 	mov	%i3, %o3				! IEU1
+ 	mov	%i4, %o4				! IEU0	Group
+-	andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
++	andcc	%l0, _TIF_WORK_SYSCALL, %g0
+ 	bne,pn	%icc, linux_syscall_trace		! CTI	Group
+ 	 mov	%i0, %l5				! IEU0
+ 2:	call	%l7					! CTI	Group brk forced
+@@ -226,7 +226,7 @@ ret_sys_call:
+ 
+ 	cmp	%o0, -ERESTART_RESTARTBLOCK
+ 	bgeu,pn	%xcc, 1f
+-	 andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %l6
++	 andcc	%l0, _TIF_WORK_SYSCALL, %l6
+ 80:
+ 	/* System call success, clear Carry condition code. */
+ 	andn	%g3, %g2, %g3
+@@ -241,7 +241,7 @@ ret_sys_call:
+ 	/* System call failure, set Carry condition code.
+ 	 * Also, get abs(errno) to return to the process.
+ 	 */
+-	andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %l6	
++	andcc	%l0, _TIF_WORK_SYSCALL, %l6	
+ 	sub	%g0, %o0, %o0
+ 	or	%g3, %g2, %g3
+ 	stx	%o0, [%sp + PTREGS_OFF + PT_V9_I0]
 diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c
 index 591f20c..0f1b925 100644
 --- a/arch/sparc/kernel/traps_32.c
@@ -7544,7 +7925,7 @@ index 3a19d04..7c1d55a 100644
  #endif
  
 diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c
-index 89bbf4e..869908e 100644
+index e77f4e4..17e511f 100644
 --- a/arch/x86/boot/compressed/relocs.c
 +++ b/arch/x86/boot/compressed/relocs.c
 @@ -13,8 +13,11 @@
@@ -7649,7 +8030,7 @@ index 89bbf4e..869908e 100644
  			rel->r_info   = elf32_to_cpu(rel->r_info);
  		}
  	}
-@@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
+@@ -396,13 +440,13 @@ static void read_relocs(FILE *fp)
  
  static void print_absolute_symbols(void)
  {
@@ -7660,13 +8041,12 @@ index 89bbf4e..869908e 100644
  	for (i = 0; i < ehdr.e_shnum; i++) {
  		struct section *sec = &secs[i];
  		char *sym_strtab;
- 		Elf32_Sym *sh_symtab;
 -		int j;
 +		unsigned int j;
  
  		if (sec->shdr.sh_type != SHT_SYMTAB) {
  			continue;
-@@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
+@@ -429,14 +473,14 @@ static void print_absolute_symbols(void)
  
  static void print_absolute_relocs(void)
  {
@@ -7683,7 +8063,7 @@ index 89bbf4e..869908e 100644
  		if (sec->shdr.sh_type != SHT_REL) {
  			continue;
  		}
-@@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
+@@ -497,13 +541,13 @@ static void print_absolute_relocs(void)
  
  static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
  {
@@ -7699,7 +8079,7 @@ index 89bbf4e..869908e 100644
  		struct section *sec = &secs[i];
  
  		if (sec->shdr.sh_type != SHT_REL) {
-@@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
+@@ -528,6 +572,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
  			    !is_rel_reloc(sym_name(sym_strtab, sym))) {
  				continue;
  			}
@@ -7722,7 +8102,7 @@ index 89bbf4e..869908e 100644
  			switch (r_type) {
  			case R_386_NONE:
  			case R_386_PC32:
-@@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, const void *vb)
+@@ -569,7 +629,7 @@ static int cmp_relocs(const void *va, const void *vb)
  
  static void emit_relocs(int as_text)
  {
@@ -7731,7 +8111,7 @@ index 89bbf4e..869908e 100644
  	/* Count how many relocations I have and allocate space for them. */
  	reloc_count = 0;
  	walk_relocs(count_reloc);
-@@ -665,6 +725,7 @@ int main(int argc, char **argv)
+@@ -663,6 +723,7 @@ int main(int argc, char **argv)
  			fname, strerror(errno));
  	}
  	read_ehdr(fp);
@@ -12161,7 +12541,7 @@ index 2d2f01c..f985723 100644
  /*
   * Force strict CPU ordering.
 diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
-index d7ef849..6af292e 100644
+index d7ef849..b1b009a 100644
 --- a/arch/x86/include/asm/thread_info.h
 +++ b/arch/x86/include/asm/thread_info.h
 @@ -10,6 +10,7 @@
@@ -12210,7 +12590,45 @@ index d7ef849..6af292e 100644
  #define init_stack		(init_thread_union.stack)
  
  #else /* !__ASSEMBLY__ */
-@@ -170,45 +164,40 @@ struct thread_info {
+@@ -95,6 +89,7 @@ struct thread_info {
+ #define TIF_BLOCKSTEP		25	/* set when we want DEBUGCTLMSR_BTF */
+ #define TIF_LAZY_MMU_UPDATES	27	/* task is updating the mmu lazily */
+ #define TIF_SYSCALL_TRACEPOINT	28	/* syscall tracepoint instrumentation */
++#define TIF_GRSEC_SETXID	29	/* update credentials on syscall entry/exit */
+ 
+ #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+ #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+@@ -117,16 +112,17 @@ struct thread_info {
+ #define _TIF_BLOCKSTEP		(1 << TIF_BLOCKSTEP)
+ #define _TIF_LAZY_MMU_UPDATES	(1 << TIF_LAZY_MMU_UPDATES)
+ #define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
++#define _TIF_GRSEC_SETXID	(1 << TIF_GRSEC_SETXID)
+ 
+ /* work to do in syscall_trace_enter() */
+ #define _TIF_WORK_SYSCALL_ENTRY	\
+ 	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT |	\
+-	 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT)
++	 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do in syscall_trace_leave() */
+ #define _TIF_WORK_SYSCALL_EXIT	\
+ 	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP |	\
+-	 _TIF_SYSCALL_TRACEPOINT)
++	 _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do on interrupt/exception return */
+ #define _TIF_WORK_MASK							\
+@@ -136,7 +132,8 @@ struct thread_info {
+ 
+ /* work to do on any return to user space */
+ #define _TIF_ALLWORK_MASK						\
+-	((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT)
++	((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT |	\
++	 _TIF_GRSEC_SETXID)
+ 
+ /* Only used for 64 bit */
+ #define _TIF_DO_NOTIFY_MASK						\
+@@ -170,45 +167,40 @@ struct thread_info {
  	ret;								\
  })
  
@@ -12281,7 +12699,7 @@ index d7ef849..6af292e 100644
  /*
   * macros/functions for gaining access to the thread information structure
   * preempt_count needs to be 1 initially, until the scheduler is functional.
-@@ -216,21 +205,8 @@ static inline struct thread_info *current_thread_info(void)
+@@ -216,21 +208,8 @@ static inline struct thread_info *current_thread_info(void)
  #ifndef __ASSEMBLY__
  DECLARE_PER_CPU(unsigned long, kernel_stack);
  
@@ -12305,7 +12723,7 @@ index d7ef849..6af292e 100644
  #endif
  
  #endif /* !X86_32 */
-@@ -264,5 +240,16 @@ extern void arch_task_cache_init(void);
+@@ -264,5 +243,16 @@ extern void arch_task_cache_init(void);
  extern void free_thread_info(struct thread_info *ti);
  extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
  #define arch_task_cache_init arch_task_cache_init
@@ -13612,7 +14030,7 @@ index 1f84794..e23f862 100644
  }
  
 diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
-index f98d84c..e402a69 100644
+index c4e3581..7e2f9d0 100644
 --- a/arch/x86/kernel/apic/apic.c
 +++ b/arch/x86/kernel/apic/apic.c
 @@ -174,7 +174,7 @@ int first_system_vector = 0xfe;
@@ -13624,7 +14042,7 @@ index f98d84c..e402a69 100644
  
  int pic_mode;
  
-@@ -1853,7 +1853,7 @@ void smp_error_interrupt(struct pt_regs *regs)
+@@ -1857,7 +1857,7 @@ void smp_error_interrupt(struct pt_regs *regs)
  	apic_write(APIC_ESR, 0);
  	v1 = apic_read(APIC_ESR);
  	ack_APIC_irq();
@@ -14623,7 +15041,7 @@ index cd28a35..c72ed9a 100644
  #include <asm/processor.h>
  #include <asm/fcntl.h>
 diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index bcda816..b0cbdf9 100644
+index bcda816..5c89791 100644
 --- a/arch/x86/kernel/entry_32.S
 +++ b/arch/x86/kernel/entry_32.S
 @@ -180,13 +180,146 @@
@@ -14816,7 +15234,7 @@ index bcda816..b0cbdf9 100644
 +#ifdef CONFIG_PAX_KERNEXEC
 +	jae resume_userspace
 +
-+	PAX_EXIT_KERNEL
++	pax_exit_kernel
 +	jmp resume_kernel
 +#else
  	jb resume_kernel		# not returning to v8086 or userspace
@@ -18551,7 +18969,7 @@ index 6a364a6..b147d11 100644
  		ip = *(u64 *)(fp+8);
  		if (!in_sched_functions(ip))
 diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
-index 8252879..f367ec9 100644
+index 8252879..39d15fc 100644
 --- a/arch/x86/kernel/ptrace.c
 +++ b/arch/x86/kernel/ptrace.c
 @@ -791,6 +791,10 @@ static int ioperm_active(struct task_struct *target,
@@ -18600,6 +19018,41 @@ index 8252879..f367ec9 100644
  }
  
  void user_single_step_siginfo(struct task_struct *tsk,
+@@ -1360,6 +1364,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
+ # define IS_IA32	0
+ #endif
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
+  * We must return the syscall number to actually look up in the table.
+  * This can be -1L to skip running any syscall at all.
+@@ -1368,6 +1376,11 @@ long syscall_trace_enter(struct pt_regs *regs)
+ {
+ 	long ret = 0;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++                gr_delayed_cred_worker();
++#endif		
++
+ 	/*
+ 	 * If we stepped into a sysenter/syscall insn, it trapped in
+ 	 * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP.
+@@ -1413,6 +1426,11 @@ void syscall_trace_leave(struct pt_regs *regs)
+ {
+ 	bool step;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++                gr_delayed_cred_worker();
++#endif		
++
+ 	if (unlikely(current->audit_context))
+ 		audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax);
+ 
 diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
 index 42eb330..139955c 100644
 --- a/arch/x86/kernel/pvclock.c
@@ -18838,7 +19291,7 @@ index cf0ef98..e3f780b 100644
  	bss_resource.start = virt_to_phys(&__bss_start);
  	bss_resource.end = virt_to_phys(&__bss_stop)-1;
 diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
-index 71f4727..217419b 100644
+index 5a98aa2..848d2be 100644
 --- a/arch/x86/kernel/setup_percpu.c
 +++ b/arch/x86/kernel/setup_percpu.c
 @@ -21,19 +21,17 @@
@@ -18897,7 +19350,7 @@ index 71f4727..217419b 100644
  	write_gdt_entry(get_cpu_gdt_table(cpu),
  			GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
  #endif
-@@ -207,6 +209,11 @@ void __init setup_per_cpu_areas(void)
+@@ -219,6 +221,11 @@ void __init setup_per_cpu_areas(void)
  	/* alrighty, percpu areas up and running */
  	delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
  	for_each_possible_cpu(cpu) {
@@ -18909,7 +19362,7 @@ index 71f4727..217419b 100644
  		per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
  		per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
  		per_cpu(cpu_number, cpu) = cpu;
-@@ -247,6 +254,12 @@ void __init setup_per_cpu_areas(void)
+@@ -259,6 +266,12 @@ void __init setup_per_cpu_areas(void)
  		 */
  		set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
  #endif
@@ -20979,7 +21432,7 @@ index e8e7e0d..56fd1b0 100644
  	movl %eax,  (v)
  	movl %edx, 4(v)
 diff --git a/arch/x86/lib/atomic64_cx8_32.S b/arch/x86/lib/atomic64_cx8_32.S
-index 391a083..d658e9f 100644
+index 391a083..3a2cf39 100644
 --- a/arch/x86/lib/atomic64_cx8_32.S
 +++ b/arch/x86/lib/atomic64_cx8_32.S
 @@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8)
@@ -21090,7 +21543,7 @@ index 391a083..d658e9f 100644
  
 -.macro incdec_return func ins insc
 -ENTRY(atomic64_\func\()_return_cx8)
-+.macro incdec_return func ins insc unchecked
++.macro incdec_return func ins insc unchecked=""
 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
  	CFI_STARTPROC
  	SAVE ebx
@@ -24383,7 +24836,7 @@ index f4f29b1..5cac4fb 100644
  
  	return (void *)vaddr;
 diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
-index f581a18..29efd37 100644
+index f581a18..a269cab 100644
 --- a/arch/x86/mm/hugetlbpage.c
 +++ b/arch/x86/mm/hugetlbpage.c
 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
@@ -24459,7 +24912,7 @@ index f581a18..29efd37 100644
  
  	/* don't allow allocations above current base */
  	if (mm->free_area_cache > base)
-@@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
+@@ -321,64 +328,68 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
  	        largest_hole = 0;
  		mm->free_area_cache  = base;
  	}
@@ -24474,15 +24927,16 @@ index f581a18..29efd37 100644
 +	addr = (mm->free_area_cache - len);
  	do {
 +		addr &= huge_page_mask(h);
-+		vma = find_vma(mm, addr);
  		/*
  		 * Lookup failure means no vma is above this address,
  		 * i.e. return with success:
--		 */
+ 		 */
 -		if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
--			return addr;
--
--		/*
++		vma = find_vma(mm, addr);
++		if (!vma)
+ 			return addr;
+ 
+ 		/*
  		 * new region fits between prev_vma->vm_end and
  		 * vma->vm_start, use it:
  		 */
@@ -24554,7 +25008,7 @@ index f581a18..29efd37 100644
  	mm->cached_hole_size = ~0UL;
  	addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
  			len, pgoff, flags);
-@@ -386,6 +392,7 @@ fail:
+@@ -386,6 +397,7 @@ fail:
  	/*
  	 * Restore the topdown base:
  	 */
@@ -24562,7 +25016,7 @@ index f581a18..29efd37 100644
  	mm->free_area_cache = base;
  	mm->cached_hole_size = ~0UL;
  
-@@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -399,10 +411,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
  	struct hstate *h = hstate_file(file);
  	struct mm_struct *mm = current->mm;
  	struct vm_area_struct *vma;
@@ -24583,7 +25037,7 @@ index f581a18..29efd37 100644
  		return -ENOMEM;
  
  	if (flags & MAP_FIXED) {
-@@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -414,8 +435,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
  	if (addr) {
  		addr = ALIGN(addr, huge_page_size(h));
  		vma = find_vma(mm, addr);
@@ -25011,7 +25465,7 @@ index 29f7c6d..b46b35b 100644
  	printk(KERN_INFO "Write protecting the kernel text: %luk\n",
  		size >> 10);
 diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index bbaaa00..0ad4539 100644
+index bbaaa00..020e913 100644
 --- a/arch/x86/mm/init_64.c
 +++ b/arch/x86/mm/init_64.c
 @@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -25128,6 +25582,15 @@ index bbaaa00..0ad4539 100644
  	adr = (void *)(((unsigned long)adr) | left);
  
  	return adr;
+@@ -546,7 +560,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
+ 		unmap_low_page(pmd);
+ 
+ 		spin_lock(&init_mm.page_table_lock);
+-		pud_populate(&init_mm, pud, __va(pmd_phys));
++		pud_populate_kernel(&init_mm, pud, __va(pmd_phys));
+ 		spin_unlock(&init_mm.page_table_lock);
+ 	}
+ 	__flush_tlb_all();
 @@ -592,7 +606,7 @@ kernel_physical_mapping_init(unsigned long start,
  		unmap_low_page(pud);
  
@@ -26908,10 +27371,10 @@ index 153407c..611cba9 100644
 -}
 -__setup("vdso=", vdso_setup);
 diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 1f92865..c843b20 100644
+index e7c920b..c9bdcf7 100644
 --- a/arch/x86/xen/enlighten.c
 +++ b/arch/x86/xen/enlighten.c
-@@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
+@@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
  
  struct shared_info xen_dummy_shared_info;
  
@@ -26920,7 +27383,7 @@ index 1f92865..c843b20 100644
  RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
  __read_mostly int xen_have_vector_callback;
  EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -1029,7 +1027,7 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1030,7 +1028,7 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
  #endif
  };
  
@@ -26929,7 +27392,7 @@ index 1f92865..c843b20 100644
  {
  	struct sched_shutdown r = { .reason = reason };
  
-@@ -1037,17 +1035,17 @@ static void xen_reboot(int reason)
+@@ -1038,17 +1036,17 @@ static void xen_reboot(int reason)
  		BUG();
  }
  
@@ -26950,7 +27413,7 @@ index 1f92865..c843b20 100644
  {
  	xen_reboot(SHUTDOWN_poweroff);
  }
-@@ -1153,7 +1151,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1154,7 +1152,17 @@ asmlinkage void __init xen_start_kernel(void)
  	__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
  
  	/* Work out if we support NX */
@@ -26969,7 +27432,7 @@ index 1f92865..c843b20 100644
  
  	xen_setup_features();
  
-@@ -1184,13 +1192,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1185,13 +1193,6 @@ asmlinkage void __init xen_start_kernel(void)
  
  	machine_ops = xen_machine_ops;
  
@@ -26984,10 +27447,10 @@ index 1f92865..c843b20 100644
  
  #ifdef CONFIG_ACPI_NUMA
 diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
-index 87f6673..e2555a6 100644
+index ec3d603..fa4ed1b 100644
 --- a/arch/x86/xen/mmu.c
 +++ b/arch/x86/xen/mmu.c
-@@ -1733,6 +1733,9 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd,
+@@ -1738,6 +1738,9 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd,
  	convert_pfn_mfn(init_level4_pgt);
  	convert_pfn_mfn(level3_ident_pgt);
  	convert_pfn_mfn(level3_kernel_pgt);
@@ -26997,7 +27460,7 @@ index 87f6673..e2555a6 100644
  
  	l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
  	l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
-@@ -1751,7 +1754,11 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd,
+@@ -1756,7 +1759,11 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd,
  	set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
  	set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
  	set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
@@ -27009,7 +27472,7 @@ index 87f6673..e2555a6 100644
  	set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
  	set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
  
-@@ -1962,6 +1969,7 @@ static void __init xen_post_allocator_init(void)
+@@ -1967,6 +1974,7 @@ static void __init xen_post_allocator_init(void)
  	pv_mmu_ops.set_pud = xen_set_pud;
  #if PAGETABLE_LEVELS == 4
  	pv_mmu_ops.set_pgd = xen_set_pgd;
@@ -27017,7 +27480,7 @@ index 87f6673..e2555a6 100644
  #endif
  
  	/* This will work as long as patching hasn't happened yet
-@@ -2043,6 +2051,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
+@@ -2048,6 +2056,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
  	.pud_val = PV_CALLEE_SAVE(xen_pud_val),
  	.make_pud = PV_CALLEE_SAVE(xen_make_pud),
  	.set_pgd = xen_set_pgd_hyper,
@@ -27026,10 +27489,10 @@ index 87f6673..e2555a6 100644
  	.alloc_pud = xen_alloc_pmd_init,
  	.release_pud = xen_release_pmd_init,
 diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
-index 041d4fe..7666b7e 100644
+index 9a23fff..9dfee11ca 100644
 --- a/arch/x86/xen/smp.c
 +++ b/arch/x86/xen/smp.c
-@@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
+@@ -209,11 +209,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
  {
  	BUG_ON(smp_processor_id() != 0);
  	native_smp_prepare_boot_cpu();
@@ -27041,7 +27504,7 @@ index 041d4fe..7666b7e 100644
  	xen_filter_cpu_maps();
  	xen_setup_vcpu_info_placement();
  }
-@@ -275,12 +270,12 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
+@@ -290,12 +285,12 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
  	gdt = get_cpu_gdt_table(cpu);
  
  	ctxt->flags = VGCF_IN_KERNEL;
@@ -27057,7 +27520,7 @@ index 041d4fe..7666b7e 100644
  #else
  	ctxt->gs_base_kernel = per_cpu_offset(cpu);
  #endif
-@@ -331,13 +326,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu)
+@@ -346,13 +341,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu)
  	int rc;
  
  	per_cpu(current_task, cpu) = idle;
@@ -27073,19 +27536,6 @@ index 041d4fe..7666b7e 100644
  #endif
  	xen_setup_runstate_info(cpu);
  	xen_setup_timer(cpu);
-diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S
-index 79d7362..3e45aa0 100644
---- a/arch/x86/xen/xen-asm.S
-+++ b/arch/x86/xen/xen-asm.S
-@@ -96,7 +96,7 @@ ENTRY(xen_restore_fl_direct)
- 
- 	/* check for unmasked and pending */
- 	cmpw $0x0001, PER_CPU_VAR(xen_vcpu_info) + XEN_vcpu_info_pending
--	jz 1f
-+	jnz 1f
- 2:	call check_events
- 1:
- ENDPATCH(xen_restore_fl_direct)
 diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S
 index b040b0e..8cc4fe0 100644
 --- a/arch/x86/xen/xen-asm_32.S
@@ -30676,7 +31126,7 @@ index ae294a0..1755461 100644
  	return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
  }
 diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index b9da890..cad1d98 100644
+index a6c2f7a..0eea25d 100644
 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
 +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
 @@ -189,7 +189,7 @@ i915_gem_object_set_to_gpu_domain(struct drm_i915_gem_object *obj,
@@ -33705,7 +34155,7 @@ index 4720f68..78d1df7 100644
  
  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
 diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 6f37aa4..8d49123 100644
+index 065ab4f..653e6d8 100644
 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
 @@ -278,10 +278,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -35613,10 +36063,10 @@ index 1b7082d..c786773 100644
  		if ((num_pages != size) ||
  		    (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags))
 diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
-index 486b404..0d6677d 100644
+index 3ed983c..a1bb418 100644
 --- a/drivers/net/ppp/ppp_generic.c
 +++ b/drivers/net/ppp/ppp_generic.c
-@@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+@@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
  	void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
  	struct ppp_stats stats;
  	struct ppp_comp_stats cstats;
@@ -35624,7 +36074,7 @@ index 486b404..0d6677d 100644
  
  	switch (cmd) {
  	case SIOCGPPPSTATS:
-@@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+@@ -1008,8 +1007,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
  		break;
  
  	case SIOCGPPPVER:
@@ -37836,7 +38286,7 @@ index f64250e..1ee3049 100644
  	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0800) },
  	{},
 diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
-index 77eae99..b7cdcc9 100644
+index b2ccdea..84cde75 100644
 --- a/drivers/spi/spi.c
 +++ b/drivers/spi/spi.c
 @@ -1024,7 +1024,7 @@ int spi_bus_unlock(struct spi_master *master)
@@ -42484,7 +42934,7 @@ index 7ee7ba4..0c61a60 100644
  			goto out_sig;
  		if (offset > inode->i_sb->s_maxbytes)
 diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
-index 6861f61..a25f010 100644
+index e1fbdee..cd5ea56 100644
 --- a/fs/autofs4/waitq.c
 +++ b/fs/autofs4/waitq.c
 @@ -60,7 +60,7 @@ static int autofs4_write(struct file *file, const void *addr, int bytes)
@@ -44516,7 +44966,7 @@ index 608c1c3..7d040a8 100644
  	return rc;
  }
 diff --git a/fs/exec.c b/fs/exec.c
-index 3625464..ff895b9 100644
+index 160cd2f..e74d2a6 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,12 +55,28 @@
@@ -44771,7 +45221,7 @@ index 3625464..ff895b9 100644
  	set_fs(old_fs);
  	return result;
  }
-@@ -1067,6 +1099,21 @@ void set_task_comm(struct task_struct *tsk, char *buf)
+@@ -1070,6 +1102,21 @@ void set_task_comm(struct task_struct *tsk, char *buf)
  	perf_event_comm(tsk);
  }
  
@@ -44793,7 +45243,7 @@ index 3625464..ff895b9 100644
  int flush_old_exec(struct linux_binprm * bprm)
  {
  	int retval;
-@@ -1081,6 +1128,7 @@ int flush_old_exec(struct linux_binprm * bprm)
+@@ -1084,6 +1131,7 @@ int flush_old_exec(struct linux_binprm * bprm)
  
  	set_mm_exe_file(bprm->mm, bprm->file);
  
@@ -44801,7 +45251,7 @@ index 3625464..ff895b9 100644
  	/*
  	 * Release all of the old mmap stuff
  	 */
-@@ -1112,10 +1160,6 @@ EXPORT_SYMBOL(would_dump);
+@@ -1115,10 +1163,6 @@ EXPORT_SYMBOL(would_dump);
  
  void setup_new_exec(struct linux_binprm * bprm)
  {
@@ -44812,7 +45262,7 @@ index 3625464..ff895b9 100644
  	arch_pick_mmap_layout(current->mm);
  
  	/* This is the point of no return */
-@@ -1126,18 +1170,7 @@ void setup_new_exec(struct linux_binprm * bprm)
+@@ -1129,18 +1173,7 @@ void setup_new_exec(struct linux_binprm * bprm)
  	else
  		set_dumpable(current->mm, suid_dumpable);
  
@@ -44832,7 +45282,7 @@ index 3625464..ff895b9 100644
  
  	/* Set the new mm task size. We have to do that late because it may
  	 * depend on TIF_32BIT which is only updated in flush_thread() on
-@@ -1247,7 +1280,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1250,7 +1283,7 @@ int check_unsafe_exec(struct linux_binprm *bprm)
  	}
  	rcu_read_unlock();
  
@@ -44841,7 +45291,7 @@ index 3625464..ff895b9 100644
  		bprm->unsafe |= LSM_UNSAFE_SHARE;
  	} else {
  		res = -EAGAIN;
-@@ -1442,6 +1475,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+@@ -1445,6 +1478,28 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
  
  EXPORT_SYMBOL(search_binary_handler);
  
@@ -44870,7 +45320,7 @@ index 3625464..ff895b9 100644
  /*
   * sys_execve() executes a new program.
   */
-@@ -1450,6 +1505,11 @@ static int do_execve_common(const char *filename,
+@@ -1453,6 +1508,11 @@ static int do_execve_common(const char *filename,
  				struct user_arg_ptr envp,
  				struct pt_regs *regs)
  {
@@ -44882,7 +45332,7 @@ index 3625464..ff895b9 100644
  	struct linux_binprm *bprm;
  	struct file *file;
  	struct files_struct *displaced;
-@@ -1457,6 +1517,8 @@ static int do_execve_common(const char *filename,
+@@ -1460,6 +1520,8 @@ static int do_execve_common(const char *filename,
  	int retval;
  	const struct cred *cred = current_cred();
  
@@ -44891,7 +45341,7 @@ index 3625464..ff895b9 100644
  	/*
  	 * We move the actual failure in case of RLIMIT_NPROC excess from
  	 * set*uid() to execve() because too many poorly written programs
-@@ -1497,12 +1559,27 @@ static int do_execve_common(const char *filename,
+@@ -1500,12 +1562,27 @@ static int do_execve_common(const char *filename,
  	if (IS_ERR(file))
  		goto out_unmark;
  
@@ -44919,7 +45369,7 @@ index 3625464..ff895b9 100644
  	retval = bprm_mm_init(bprm);
  	if (retval)
  		goto out_file;
-@@ -1519,24 +1596,65 @@ static int do_execve_common(const char *filename,
+@@ -1522,24 +1599,65 @@ static int do_execve_common(const char *filename,
  	if (retval < 0)
  		goto out;
  
@@ -44989,7 +45439,7 @@ index 3625464..ff895b9 100644
  	current->fs->in_exec = 0;
  	current->in_execve = 0;
  	acct_update_integrals(current);
-@@ -1545,6 +1663,14 @@ static int do_execve_common(const char *filename,
+@@ -1548,6 +1666,14 @@ static int do_execve_common(const char *filename,
  		put_files_struct(displaced);
  	return retval;
  
@@ -45004,7 +45454,7 @@ index 3625464..ff895b9 100644
  out:
  	if (bprm->mm) {
  		acct_arg_size(bprm, 0);
-@@ -1618,7 +1744,7 @@ static int expand_corename(struct core_name *cn)
+@@ -1621,7 +1747,7 @@ static int expand_corename(struct core_name *cn)
  {
  	char *old_corename = cn->corename;
  
@@ -45013,7 +45463,7 @@ index 3625464..ff895b9 100644
  	cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
  
  	if (!cn->corename) {
-@@ -1715,7 +1841,7 @@ static int format_corename(struct core_name *cn, long signr)
+@@ -1718,7 +1844,7 @@ static int format_corename(struct core_name *cn, long signr)
  	int pid_in_pattern = 0;
  	int err = 0;
  
@@ -45022,7 +45472,7 @@ index 3625464..ff895b9 100644
  	cn->corename = kmalloc(cn->size, GFP_KERNEL);
  	cn->used = 0;
  
-@@ -1812,6 +1938,228 @@ out:
+@@ -1815,6 +1941,228 @@ out:
  	return ispipe;
  }
  
@@ -45251,7 +45701,7 @@ index 3625464..ff895b9 100644
  static int zap_process(struct task_struct *start, int exit_code)
  {
  	struct task_struct *t;
-@@ -2023,17 +2371,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -2026,17 +2374,17 @@ static void wait_for_dump_helpers(struct file *file)
  	pipe = file->f_path.dentry->d_inode->i_pipe;
  
  	pipe_lock(pipe);
@@ -45274,7 +45724,7 @@ index 3625464..ff895b9 100644
  	pipe_unlock(pipe);
  
  }
-@@ -2094,7 +2442,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2097,7 +2445,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	int retval = 0;
  	int flag = 0;
  	int ispipe;
@@ -45283,7 +45733,7 @@ index 3625464..ff895b9 100644
  	struct coredump_params cprm = {
  		.signr = signr,
  		.regs = regs,
-@@ -2109,6 +2457,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2112,6 +2460,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  
  	audit_core_dumps(signr);
  
@@ -45293,7 +45743,7 @@ index 3625464..ff895b9 100644
  	binfmt = mm->binfmt;
  	if (!binfmt || !binfmt->core_dump)
  		goto fail;
-@@ -2176,7 +2527,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2179,7 +2530,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  		}
  		cprm.limit = RLIM_INFINITY;
  
@@ -45302,7 +45752,7 @@ index 3625464..ff895b9 100644
  		if (core_pipe_limit && (core_pipe_limit < dump_count)) {
  			printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
  			       task_tgid_vnr(current), current->comm);
-@@ -2203,6 +2554,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2206,6 +2557,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	} else {
  		struct inode *inode;
  
@@ -45311,7 +45761,7 @@ index 3625464..ff895b9 100644
  		if (cprm.limit < binfmt->min_coredump)
  			goto fail_unlock;
  
-@@ -2246,7 +2599,7 @@ close_fail:
+@@ -2249,7 +2602,7 @@ close_fail:
  		filp_close(cprm.file, NULL);
  fail_dropcount:
  	if (ispipe)
@@ -45320,7 +45770,7 @@ index 3625464..ff895b9 100644
  fail_unlock:
  	kfree(cn.corename);
  fail_corename:
-@@ -2265,7 +2618,7 @@ fail:
+@@ -2268,7 +2621,7 @@ fail:
   */
  int dump_write(struct file *file, const void *addr, int nr)
  {
@@ -47143,50 +47593,6 @@ index cfd4959..a780959 100644
  	if (!IS_ERR(s))
  		kfree(s);
  }
-diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
-index 4dfbfec..ec2a9c2 100644
---- a/fs/hfsplus/catalog.c
-+++ b/fs/hfsplus/catalog.c
-@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid,
- 	err = hfs_brec_find(&src_fd);
- 	if (err)
- 		goto out;
-+	if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
-+		err = -EIO;
-+		goto out;
-+	}
- 
- 	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
- 				src_fd.entrylength);
-diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
-index 4536cd3..5adb740 100644
---- a/fs/hfsplus/dir.c
-+++ b/fs/hfsplus/dir.c
-@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
- 		filp->f_pos++;
- 		/* fall through */
- 	case 1:
-+		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
-+			err = -EIO;
-+			goto out;
-+		}
-+
- 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
- 			fd.entrylength);
- 		if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
-@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
- 			err = -EIO;
- 			goto out;
- 		}
-+
-+		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
-+			err = -EIO;
-+			goto out;
-+		}
-+
- 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
- 			fd.entrylength);
- 		type = be16_to_cpu(entry.type);
 diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
 index 2d0ca24..c4b8676511 100644
 --- a/fs/hugetlbfs/inode.c
@@ -47965,7 +48371,7 @@ index 50a15fa..ca113f9 100644
  
  void nfs_fattr_init(struct nfs_fattr *fattr)
 diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
-index 7a2e442..8e544cc 100644
+index 5c3cd82..ed535e5 100644
 --- a/fs/nfsd/vfs.c
 +++ b/fs/nfsd/vfs.c
 @@ -914,7 +914,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
@@ -48109,7 +48515,7 @@ index d355e6e..578d905 100644
  
  enum ocfs2_local_alloc_state
 diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
-index ba5d97e..c77db25 100644
+index f169da4..9112253 100644
 --- a/fs/ocfs2/suballoc.c
 +++ b/fs/ocfs2/suballoc.c
 @@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
@@ -48345,10 +48751,10 @@ index bd8ae78..539d250 100644
  		ldm_crit ("Out of memory.");
  		return false;
 diff --git a/fs/pipe.c b/fs/pipe.c
-index 4065f07..68c0706 100644
+index 05ed5ca..ab15592 100644
 --- a/fs/pipe.c
 +++ b/fs/pipe.c
-@@ -420,9 +420,9 @@ redo:
+@@ -437,9 +437,9 @@ redo:
  		}
  		if (bufs)	/* More to do? */
  			continue;
@@ -48360,7 +48766,7 @@ index 4065f07..68c0706 100644
  			/* syscall merging: Usually we must not sleep
  			 * if O_NONBLOCK is set, or if we got some data.
  			 * But if a writer sleeps in kernel space, then
-@@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+@@ -503,7 +503,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
  	mutex_lock(&inode->i_mutex);
  	pipe = inode->i_pipe;
  
@@ -48369,7 +48775,7 @@ index 4065f07..68c0706 100644
  		send_sig(SIGPIPE, current, 0);
  		ret = -EPIPE;
  		goto out;
-@@ -530,7 +530,7 @@ redo1:
+@@ -552,7 +552,7 @@ redo1:
  	for (;;) {
  		int bufs;
  
@@ -48378,7 +48784,7 @@ index 4065f07..68c0706 100644
  			send_sig(SIGPIPE, current, 0);
  			if (!ret)
  				ret = -EPIPE;
-@@ -616,9 +616,9 @@ redo2:
+@@ -643,9 +643,9 @@ redo2:
  			kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
  			do_wakeup = 0;
  		}
@@ -48390,7 +48796,7 @@ index 4065f07..68c0706 100644
  	}
  out:
  	mutex_unlock(&inode->i_mutex);
-@@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table *wait)
+@@ -712,7 +712,7 @@ pipe_poll(struct file *filp, poll_table *wait)
  	mask = 0;
  	if (filp->f_mode & FMODE_READ) {
  		mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
@@ -48399,7 +48805,7 @@ index 4065f07..68c0706 100644
  			mask |= POLLHUP;
  	}
  
-@@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table *wait)
+@@ -722,7 +722,7 @@ pipe_poll(struct file *filp, poll_table *wait)
  		 * Most Unices do not set POLLERR for FIFOs but on Linux they
  		 * behave exactly like pipes for poll().
  		 */
@@ -48408,7 +48814,7 @@ index 4065f07..68c0706 100644
  			mask |= POLLERR;
  	}
  
-@@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int decr, int decw)
+@@ -736,10 +736,10 @@ pipe_release(struct inode *inode, int decr, int decw)
  
  	mutex_lock(&inode->i_mutex);
  	pipe = inode->i_pipe;
@@ -48422,7 +48828,7 @@ index 4065f07..68c0706 100644
  		free_pipe_info(inode);
  	} else {
  		wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
-@@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, struct file *filp)
+@@ -829,7 +829,7 @@ pipe_read_open(struct inode *inode, struct file *filp)
  
  	if (inode->i_pipe) {
  		ret = 0;
@@ -48431,7 +48837,7 @@ index 4065f07..68c0706 100644
  	}
  
  	mutex_unlock(&inode->i_mutex);
-@@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, struct file *filp)
+@@ -846,7 +846,7 @@ pipe_write_open(struct inode *inode, struct file *filp)
  
  	if (inode->i_pipe) {
  		ret = 0;
@@ -48440,7 +48846,7 @@ index 4065f07..68c0706 100644
  	}
  
  	mutex_unlock(&inode->i_mutex);
-@@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+@@ -864,9 +864,9 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
  	if (inode->i_pipe) {
  		ret = 0;
  		if (filp->f_mode & FMODE_READ)
@@ -48452,7 +48858,7 @@ index 4065f07..68c0706 100644
  	}
  
  	mutex_unlock(&inode->i_mutex);
-@@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
+@@ -958,7 +958,7 @@ void free_pipe_info(struct inode *inode)
  	inode->i_pipe = NULL;
  }
  
@@ -48461,7 +48867,7 @@ index 4065f07..68c0706 100644
  
  /*
   * pipefs_dname() is called from d_path().
-@@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(void)
+@@ -988,7 +988,8 @@ static struct inode * get_pipe_inode(void)
  		goto fail_iput;
  	inode->i_pipe = pipe;
  
@@ -49865,10 +50271,10 @@ index dba43c3..4b3f701 100644
  
  	if (op) {
 diff --git a/fs/splice.c b/fs/splice.c
-index fa2defa..8601650 100644
+index 6d0dfb8..115bb3a 100644
 --- a/fs/splice.c
 +++ b/fs/splice.c
-@@ -194,7 +194,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
+@@ -195,7 +195,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
  	pipe_lock(pipe);
  
  	for (;;) {
@@ -49877,7 +50283,7 @@ index fa2defa..8601650 100644
  			send_sig(SIGPIPE, current, 0);
  			if (!ret)
  				ret = -EPIPE;
-@@ -248,9 +248,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
+@@ -249,9 +249,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
  			do_wakeup = 0;
  		}
  
@@ -49889,7 +50295,7 @@ index fa2defa..8601650 100644
  	}
  
  	pipe_unlock(pipe);
-@@ -560,7 +560,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
+@@ -561,7 +561,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
  	old_fs = get_fs();
  	set_fs(get_ds());
  	/* The cast to a user pointer is valid due to the set_fs() */
@@ -49898,7 +50304,7 @@ index fa2defa..8601650 100644
  	set_fs(old_fs);
  
  	return res;
-@@ -575,7 +575,7 @@ static ssize_t kernel_write(struct file *file, const char *buf, size_t count,
+@@ -576,7 +576,7 @@ static ssize_t kernel_write(struct file *file, const char *buf, size_t count,
  	old_fs = get_fs();
  	set_fs(get_ds());
  	/* The cast to a user pointer is valid due to the set_fs() */
@@ -49907,7 +50313,7 @@ index fa2defa..8601650 100644
  	set_fs(old_fs);
  
  	return res;
-@@ -626,7 +626,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos,
+@@ -627,7 +627,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos,
  			goto err;
  
  		this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
@@ -49916,7 +50322,7 @@ index fa2defa..8601650 100644
  		vec[i].iov_len = this_len;
  		spd.pages[i] = page;
  		spd.nr_pages++;
-@@ -846,10 +846,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
+@@ -849,10 +849,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
  int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
  {
  	while (!pipe->nrbufs) {
@@ -49929,7 +50335,7 @@ index fa2defa..8601650 100644
  			return 0;
  
  		if (sd->flags & SPLICE_F_NONBLOCK)
-@@ -1182,7 +1182,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
+@@ -1185,7 +1185,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
  		 * out of the pipe right after the splice_to_pipe(). So set
  		 * PIPE_READERS appropriately.
  		 */
@@ -49938,7 +50344,7 @@ index fa2defa..8601650 100644
  
  		current->splice_pipe = pipe;
  	}
-@@ -1734,9 +1734,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1737,9 +1737,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
  			ret = -ERESTARTSYS;
  			break;
  		}
@@ -49950,7 +50356,7 @@ index fa2defa..8601650 100644
  			if (flags & SPLICE_F_NONBLOCK) {
  				ret = -EAGAIN;
  				break;
-@@ -1768,7 +1768,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1771,7 +1771,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
  	pipe_lock(pipe);
  
  	while (pipe->nrbufs >= pipe->buffers) {
@@ -49959,7 +50365,7 @@ index fa2defa..8601650 100644
  			send_sig(SIGPIPE, current, 0);
  			ret = -EPIPE;
  			break;
-@@ -1781,9 +1781,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
+@@ -1784,9 +1784,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
  			ret = -ERESTARTSYS;
  			break;
  		}
@@ -49971,7 +50377,7 @@ index fa2defa..8601650 100644
  	}
  
  	pipe_unlock(pipe);
-@@ -1819,14 +1819,14 @@ retry:
+@@ -1822,14 +1822,14 @@ retry:
  	pipe_double_lock(ipipe, opipe);
  
  	do {
@@ -49988,7 +50394,7 @@ index fa2defa..8601650 100644
  			break;
  
  		/*
-@@ -1923,7 +1923,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1926,7 +1926,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
  	pipe_double_lock(ipipe, opipe);
  
  	do {
@@ -49997,7 +50403,7 @@ index fa2defa..8601650 100644
  			send_sig(SIGPIPE, current, 0);
  			if (!ret)
  				ret = -EPIPE;
-@@ -1968,7 +1968,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
+@@ -1971,7 +1971,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
  	 * return EAGAIN if we have the potential of some data in the
  	 * future, otherwise just return 0
  	 */
@@ -50306,10 +50712,10 @@ index 23ce927..e274cc1 100644
  		kfree(s);
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..4089e05
+index 0000000..2645296
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1078 @@
+@@ -0,0 +1,1079 @@
 +#
 +# grecurity configuration
 +#
@@ -50444,7 +50850,7 @@ index 0000000..4089e05
 +	select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
 +	select GRKERNSEC_CHROOT_NICE
-+	select GRKERNSEC_SETXID
++	select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS)
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
@@ -51139,6 +51545,7 @@ index 0000000..4089e05
 +
 +config GRKERNSEC_SETXID
 +	bool "Enforce consistent multithreaded privileges"
++	depends on (X86 || SPARC64 || PPC || ARM || MIPS)
 +	help
 +	  If you say Y here, a change from a root uid to a non-root uid
 +	  in a multithreaded application will cause the resulting uids,
@@ -51434,10 +51841,10 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..50b4257
+index 0000000..e22066e
 --- /dev/null
 +++ b/grsecurity/gracl.c
-@@ -0,0 +1,4185 @@
+@@ -0,0 +1,4186 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -55288,21 +55695,22 @@ index 0000000..50b4257
 +	if (unlikely(!(gr_status & GR_READY)))
 +		return 0;
 +#endif
++	if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
++		read_lock(&tasklist_lock);
++		while (tmp->pid > 0) {
++			if (tmp == curtemp)
++				break;
++			tmp = tmp->real_parent;
++		}
 +
-+	read_lock(&tasklist_lock);
-+	while (tmp->pid > 0) {
-+		if (tmp == curtemp)
-+			break;
-+		tmp = tmp->real_parent;
-+	}
-+
-+	if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
-+				((gr_status & GR_READY)	&& !(current->acl->mode & GR_RELAXPTRACE)))) {
++		if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
++					((gr_status & GR_READY)	&& !(current->acl->mode & GR_RELAXPTRACE)))) {
++			read_unlock(&tasklist_lock);
++			gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
++			return 1;
++		}
 +		read_unlock(&tasklist_lock);
-+		gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
-+		return 1;
 +	}
-+	read_unlock(&tasklist_lock);
 +
 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
 +	if (!(gr_status & GR_READY))
@@ -61396,10 +61804,10 @@ index e13117c..e9fc938 100644
  #define DMA_BIT_MASK(n)	(((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
  
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 2362a0b..cfaf8fcc 100644
+index 1328d8c..2cd894c 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -446,7 +446,7 @@ struct efivar_operations {
+@@ -457,7 +457,7 @@ struct efivar_operations {
  	efi_get_variable_t *get_variable;
  	efi_get_next_variable_t *get_next_variable;
  	efi_set_variable_t *set_variable;
@@ -62939,7 +63347,7 @@ index b16f653..eb908f4 100644
  #define request_module_nowait(mod...) __request_module(false, mod)
  #define try_then_request_module(x, mod...) \
 diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index d526231..c9599fc 100644
+index 35410ef..9f98b23 100644
 --- a/include/linux/kvm_host.h
 +++ b/include/linux/kvm_host.h
 @@ -308,7 +308,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu);
@@ -62987,7 +63395,7 @@ index d526231..c9599fc 100644
  void kvm_arch_exit(void);
  
  int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
-@@ -690,7 +690,7 @@ int kvm_setup_default_irq_routing(struct kvm *kvm);
+@@ -696,7 +696,7 @@ int kvm_setup_default_irq_routing(struct kvm *kvm);
  int kvm_set_irq_routing(struct kvm *kvm,
  			const struct kvm_irq_routing_entry *entries,
  			unsigned nr,
@@ -63521,7 +63929,7 @@ index ffc0213..2c1f2cb 100644
  	return nd->saved_names[nd->depth];
  }
 diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
-index a82ad4d..90d15b7 100644
+index cbeb586..eba9b27 100644
 --- a/include/linux/netdevice.h
 +++ b/include/linux/netdevice.h
 @@ -949,6 +949,7 @@ struct net_device_ops {
@@ -63646,10 +64054,10 @@ index 8fc7dd1a..c19d89e 100644
  
  /*
 diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
-index 77257c9..51d473a 100644
+index 0072a53..c5dcca5 100644
 --- a/include/linux/pipe_fs_i.h
 +++ b/include/linux/pipe_fs_i.h
-@@ -46,9 +46,9 @@ struct pipe_buffer {
+@@ -47,9 +47,9 @@ struct pipe_buffer {
  struct pipe_inode_info {
  	wait_queue_head_t wait;
  	unsigned int nrbufs, curbuf, buffers;
@@ -64223,10 +64631,10 @@ index 92808b8..c28cac4 100644
  
  /* shm_mode upper byte flags */
 diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
-index 6cf8b53..bcce844 100644
+index e689b47..3404939 100644
 --- a/include/linux/skbuff.h
 +++ b/include/linux/skbuff.h
-@@ -642,7 +642,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb)
+@@ -643,7 +643,7 @@ static inline struct skb_shared_hwtstamps *skb_hwtstamps(struct sk_buff *skb)
   */
  static inline int skb_queue_empty(const struct sk_buff_head *list)
  {
@@ -64235,7 +64643,7 @@ index 6cf8b53..bcce844 100644
  }
  
  /**
-@@ -655,7 +655,7 @@ static inline int skb_queue_empty(const struct sk_buff_head *list)
+@@ -656,7 +656,7 @@ static inline int skb_queue_empty(const struct sk_buff_head *list)
  static inline bool skb_queue_is_last(const struct sk_buff_head *list,
  				     const struct sk_buff *skb)
  {
@@ -64244,7 +64652,7 @@ index 6cf8b53..bcce844 100644
  }
  
  /**
-@@ -668,7 +668,7 @@ static inline bool skb_queue_is_last(const struct sk_buff_head *list,
+@@ -669,7 +669,7 @@ static inline bool skb_queue_is_last(const struct sk_buff_head *list,
  static inline bool skb_queue_is_first(const struct sk_buff_head *list,
  				      const struct sk_buff *skb)
  {
@@ -64253,7 +64661,7 @@ index 6cf8b53..bcce844 100644
  }
  
  /**
-@@ -1533,7 +1533,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
+@@ -1546,7 +1546,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
   * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
   */
  #ifndef NET_SKB_PAD
@@ -66500,7 +66908,7 @@ index 42e8fa0..9e7406b 100644
  		return -ENOMEM;
  
 diff --git a/kernel/cred.c b/kernel/cred.c
-index 48c6fd3..3342f00 100644
+index 48c6fd3..8398912 100644
 --- a/kernel/cred.c
 +++ b/kernel/cred.c
 @@ -204,6 +204,15 @@ void exit_creds(struct task_struct *tsk)
@@ -66537,7 +66945,7 @@ index 48c6fd3..3342f00 100644
  	/* dumpability changes */
  	if (old->euid != new->euid ||
  	    old->egid != new->egid ||
-@@ -540,6 +551,92 @@ int commit_creds(struct cred *new)
+@@ -540,6 +551,101 @@ int commit_creds(struct cred *new)
  	put_cred(old);
  	return 0;
  }
@@ -66603,6 +67011,8 @@ index 48c6fd3..3342f00 100644
 +int commit_creds(struct cred *new)
 +{
 +#ifdef CONFIG_GRKERNSEC_SETXID
++	int ret;
++	int schedule_it = 0;
 +	struct task_struct *t;
 +
 +	/* we won't get called with tasklist_lock held for writing
@@ -66611,20 +67021,27 @@ index 48c6fd3..3342f00 100644
 +	*/
 +	if (grsec_enable_setxid && !current_is_single_threaded() &&
 +	    !current_uid() && new->uid) {
++		schedule_it = 1;
++	}
++	ret = __commit_creds(new);
++	if (schedule_it) {
 +		rcu_read_lock();
 +		read_lock(&tasklist_lock);
 +		for (t = next_thread(current); t != current;
 +		     t = next_thread(t)) {
 +			if (t->delayed_cred == NULL) {
 +				t->delayed_cred = get_cred(new);
++				set_tsk_thread_flag(t, TIF_GRSEC_SETXID);
 +				set_tsk_need_resched(t);
 +			}
 +		}
 +		read_unlock(&tasklist_lock);
 +		rcu_read_unlock();
 +	}
-+#endif
++	return ret;
++#else
 +	return __commit_creds(new);
++#endif
 +}
 +
  EXPORT_SYMBOL(commit_creds);
@@ -66816,7 +67233,7 @@ index 58690af..d903d75 100644
  
  	/*
 diff --git a/kernel/exit.c b/kernel/exit.c
-index e6e01b9..0a21b0a 100644
+index 5a8a66e..ded4680 100644
 --- a/kernel/exit.c
 +++ b/kernel/exit.c
 @@ -57,6 +57,10 @@
@@ -66868,7 +67285,7 @@ index e6e01b9..0a21b0a 100644
  	/*
  	 * If we were started as result of loading a module, close all of the
  	 * user space pages.  We don't need them, and if we didn't close them
-@@ -893,6 +912,8 @@ NORET_TYPE void do_exit(long code)
+@@ -874,6 +893,8 @@ NORET_TYPE void do_exit(long code)
  	struct task_struct *tsk = current;
  	int group_dead;
  
@@ -66877,7 +67294,7 @@ index e6e01b9..0a21b0a 100644
  	profile_task_exit(tsk);
  
  	WARN_ON(blk_needs_flush_plug(tsk));
-@@ -909,7 +930,6 @@ NORET_TYPE void do_exit(long code)
+@@ -890,7 +911,6 @@ NORET_TYPE void do_exit(long code)
  	 * mm_release()->clear_child_tid() from writing to a user-controlled
  	 * kernel address.
  	 */
@@ -66885,7 +67302,7 @@ index e6e01b9..0a21b0a 100644
  
  	ptrace_event(PTRACE_EVENT_EXIT, code);
  
-@@ -971,6 +991,9 @@ NORET_TYPE void do_exit(long code)
+@@ -952,6 +972,9 @@ NORET_TYPE void do_exit(long code)
  	tsk->exit_code = code;
  	taskstats_exit(tsk, group_dead);
  
@@ -66895,7 +67312,7 @@ index e6e01b9..0a21b0a 100644
  	exit_mm(tsk);
  
  	if (group_dead)
-@@ -1068,7 +1091,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
+@@ -1049,7 +1072,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
   * Take down every thread in the group.  This is called by fatal signals
   * as well as by sys_exit_group (below).
   */
@@ -69537,39 +69954,10 @@ index 3d9f31c..7fefc9e 100644
  
  	default:
 diff --git a/kernel/sched.c b/kernel/sched.c
-index d6b149c..896cbb8 100644
+index 299f55c..2b2e317 100644
 --- a/kernel/sched.c
 +++ b/kernel/sched.c
-@@ -4389,6 +4389,19 @@ pick_next_task(struct rq *rq)
- 	BUG(); /* the idle class will always have a runnable task */
- }
- 
-+#ifdef CONFIG_GRKERNSEC_SETXID
-+extern void gr_delayed_cred_worker(void);
-+static inline void gr_cred_schedule(void)
-+{
-+	if (unlikely(current->delayed_cred))
-+		gr_delayed_cred_worker();
-+}
-+#else
-+static inline void gr_cred_schedule(void)
-+{
-+}
-+#endif
-+
- /*
-  * __schedule() is the main scheduler function.
-  */
-@@ -4408,6 +4421,8 @@ need_resched:
- 
- 	schedule_debug(prev);
- 
-+	gr_cred_schedule();
-+
- 	if (sched_feat(HRTICK))
- 		hrtick_clear(rq);
- 
-@@ -5098,6 +5113,8 @@ int can_nice(const struct task_struct *p, const int nice)
+@@ -5097,6 +5097,8 @@ int can_nice(const struct task_struct *p, const int nice)
  	/* convert nice value [19,-20] to rlimit style value [1,40] */
  	int nice_rlim = 20 - nice;
  
@@ -69578,7 +69966,7 @@ index d6b149c..896cbb8 100644
  	return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
  		capable(CAP_SYS_NICE));
  }
-@@ -5131,7 +5148,8 @@ SYSCALL_DEFINE1(nice, int, increment)
+@@ -5130,7 +5132,8 @@ SYSCALL_DEFINE1(nice, int, increment)
  	if (nice > 19)
  		nice = 19;
  
@@ -69588,7 +69976,7 @@ index d6b149c..896cbb8 100644
  		return -EPERM;
  
  	retval = security_task_setnice(current, nice);
-@@ -5288,6 +5306,7 @@ recheck:
+@@ -5287,6 +5290,7 @@ recheck:
  			unsigned long rlim_rtprio =
  					task_rlimit(p, RLIMIT_RTPRIO);
  
@@ -69632,7 +70020,7 @@ index 8a39fa3..34f3dbc 100644
  	int this_cpu = smp_processor_id();
  	struct rq *this_rq = cpu_rq(this_cpu);
 diff --git a/kernel/signal.c b/kernel/signal.c
-index 2065515..aed2987 100644
+index 08e0b97..cdf6f49 100644
 --- a/kernel/signal.c
 +++ b/kernel/signal.c
 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cachep;
@@ -69741,7 +70129,7 @@ index 2065515..aed2987 100644
  
  	return ret;
  }
-@@ -2754,7 +2777,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+@@ -2763,7 +2786,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
  	int error = -ESRCH;
  
  	rcu_read_lock();
@@ -70729,7 +71117,7 @@ index fd3c8aa..5f324a6 100644
  	}
  	entry	= ring_buffer_event_data(event);
 diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
-index 5199930..26c73a0 100644
+index 1dcf253..b31d45c 100644
 --- a/kernel/trace/trace_output.c
 +++ b/kernel/trace/trace_output.c
 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s, struct path *path)
@@ -70934,6 +71322,28 @@ index 013a761..c28f3fc 100644
  #define free(a) kfree(a)
  #endif
  
+diff --git a/lib/ioremap.c b/lib/ioremap.c
+index da4e2ad..6373b5f 100644
+--- a/lib/ioremap.c
++++ b/lib/ioremap.c
+@@ -38,7 +38,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr,
+ 	unsigned long next;
+ 
+ 	phys_addr -= addr;
+-	pmd = pmd_alloc(&init_mm, pud, addr);
++	pmd = pmd_alloc_kernel(&init_mm, pud, addr);
+ 	if (!pmd)
+ 		return -ENOMEM;
+ 	do {
+@@ -56,7 +56,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr,
+ 	unsigned long next;
+ 
+ 	phys_addr -= addr;
+-	pud = pud_alloc(&init_mm, pgd, addr);
++	pud = pud_alloc_kernel(&init_mm, pgd, addr);
+ 	if (!pud)
+ 		return -ENOMEM;
+ 	do {
 diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c
 index bd2bea9..6b3c95e 100644
 --- a/lib/is_single_threaded.c
@@ -71500,7 +71910,7 @@ index 06d3479..0778eef 100644
  	/* keep elevated page count for bad page */
  	return ret;
 diff --git a/mm/memory.c b/mm/memory.c
-index 1b1ca17..d49bd61 100644
+index 1b1ca17..e6715dd 100644
 --- a/mm/memory.c
 +++ b/mm/memory.c
 @@ -457,8 +457,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -71627,7 +72037,29 @@ index 1b1ca17..d49bd61 100644
  
  	if (addr < vma->vm_start || addr >= vma->vm_end)
  		return -EFAULT;
-@@ -2453,6 +2466,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
+@@ -2345,7 +2358,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
+ 
+ 	BUG_ON(pud_huge(*pud));
+ 
+-	pmd = pmd_alloc(mm, pud, addr);
++	pmd = (mm == &init_mm) ?
++		pmd_alloc_kernel(mm, pud, addr) :
++		pmd_alloc(mm, pud, addr);
+ 	if (!pmd)
+ 		return -ENOMEM;
+ 	do {
+@@ -2365,7 +2380,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
+ 	unsigned long next;
+ 	int err;
+ 
+-	pud = pud_alloc(mm, pgd, addr);
++	pud = (mm == &init_mm) ?
++		pud_alloc_kernel(mm, pgd, addr) :
++		pud_alloc(mm, pgd, addr);
+ 	if (!pud)
+ 		return -ENOMEM;
+ 	do {
+@@ -2453,6 +2470,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
  		copy_user_highpage(dst, src, va, vma);
  }
  
@@ -71814,7 +72246,7 @@ index 1b1ca17..d49bd61 100644
  /*
   * This routine handles present pages, when users try to write
   * to a shared page. It is done by copying the page to a new address
-@@ -2664,6 +2857,12 @@ gotten:
+@@ -2664,6 +2861,12 @@ gotten:
  	 */
  	page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -71827,7 +72259,7 @@ index 1b1ca17..d49bd61 100644
  		if (old_page) {
  			if (!PageAnon(old_page)) {
  				dec_mm_counter_fast(mm, MM_FILEPAGES);
-@@ -2715,6 +2914,10 @@ gotten:
+@@ -2715,6 +2918,10 @@ gotten:
  			page_remove_rmap(old_page);
  		}
  
@@ -71838,7 +72270,7 @@ index 1b1ca17..d49bd61 100644
  		/* Free the old page.. */
  		new_page = old_page;
  		ret |= VM_FAULT_WRITE;
-@@ -2994,6 +3197,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2994,6 +3201,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	swap_free(entry);
  	if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
  		try_to_free_swap(page);
@@ -71850,7 +72282,7 @@ index 1b1ca17..d49bd61 100644
  	unlock_page(page);
  	if (swapcache) {
  		/*
-@@ -3017,6 +3225,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3017,6 +3229,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, page_table);
@@ -71862,7 +72294,7 @@ index 1b1ca17..d49bd61 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  out:
-@@ -3036,40 +3249,6 @@ out_release:
+@@ -3036,40 +3253,6 @@ out_release:
  }
  
  /*
@@ -71903,7 +72335,7 @@ index 1b1ca17..d49bd61 100644
   * We enter with non-exclusive mmap_sem (to exclude vma changes,
   * but allow concurrent faults), and pte mapped but not yet locked.
   * We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -3078,27 +3257,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3078,27 +3261,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  		unsigned long address, pte_t *page_table, pmd_t *pmd,
  		unsigned int flags)
  {
@@ -71936,7 +72368,7 @@ index 1b1ca17..d49bd61 100644
  	if (unlikely(anon_vma_prepare(vma)))
  		goto oom;
  	page = alloc_zeroed_user_highpage_movable(vma, address);
-@@ -3117,6 +3292,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3117,6 +3296,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (!pte_none(*page_table))
  		goto release;
  
@@ -71948,7 +72380,7 @@ index 1b1ca17..d49bd61 100644
  	inc_mm_counter_fast(mm, MM_ANONPAGES);
  	page_add_new_anon_rmap(page, vma, address);
  setpte:
-@@ -3124,6 +3304,12 @@ setpte:
+@@ -3124,6 +3308,12 @@ setpte:
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, page_table);
@@ -71961,7 +72393,7 @@ index 1b1ca17..d49bd61 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  	return 0;
-@@ -3267,6 +3453,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3267,6 +3457,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	 */
  	/* Only go through if we didn't race with anybody else... */
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -71974,7 +72406,7 @@ index 1b1ca17..d49bd61 100644
  		flush_icache_page(vma, page);
  		entry = mk_pte(page, vma->vm_page_prot);
  		if (flags & FAULT_FLAG_WRITE)
-@@ -3286,6 +3478,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3286,6 +3482,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  
  		/* no need to invalidate: a not-present page won't be cached */
  		update_mmu_cache(vma, address, page_table);
@@ -71989,7 +72421,7 @@ index 1b1ca17..d49bd61 100644
  	} else {
  		if (cow_page)
  			mem_cgroup_uncharge_page(cow_page);
-@@ -3439,6 +3639,12 @@ int handle_pte_fault(struct mm_struct *mm,
+@@ -3439,6 +3643,12 @@ int handle_pte_fault(struct mm_struct *mm,
  		if (flags & FAULT_FLAG_WRITE)
  			flush_tlb_fix_spurious_fault(vma, address);
  	}
@@ -72002,7 +72434,7 @@ index 1b1ca17..d49bd61 100644
  unlock:
  	pte_unmap_unlock(pte, ptl);
  	return 0;
-@@ -3455,6 +3661,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3455,6 +3665,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	pmd_t *pmd;
  	pte_t *pte;
  
@@ -72013,7 +72445,7 @@ index 1b1ca17..d49bd61 100644
  	__set_current_state(TASK_RUNNING);
  
  	count_vm_event(PGFAULT);
-@@ -3466,6 +3676,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3466,6 +3680,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (unlikely(is_vm_hugetlb_page(vma)))
  		return hugetlb_fault(mm, vma, address, flags);
  
@@ -72048,7 +72480,7 @@ index 1b1ca17..d49bd61 100644
  	pgd = pgd_offset(mm, address);
  	pud = pud_alloc(mm, pgd, address);
  	if (!pud)
-@@ -3495,7 +3733,7 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3495,7 +3737,7 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	 * run pte_offset_map on the pmd, if an huge pmd could
  	 * materialize from under us from a different thread.
  	 */
@@ -72057,7 +72489,7 @@ index 1b1ca17..d49bd61 100644
  		return VM_FAULT_OOM;
  	/* if an huge pmd materialized from under us just retry later */
  	if (unlikely(pmd_trans_huge(*pmd)))
-@@ -3532,6 +3770,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
+@@ -3532,6 +3774,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -72081,7 +72513,7 @@ index 1b1ca17..d49bd61 100644
  #endif /* __PAGETABLE_PUD_FOLDED */
  
  #ifndef __PAGETABLE_PMD_FOLDED
-@@ -3562,6 +3817,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
+@@ -3562,6 +3821,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -72112,7 +72544,7 @@ index 1b1ca17..d49bd61 100644
  #endif /* __PAGETABLE_PMD_FOLDED */
  
  int make_pages_present(unsigned long addr, unsigned long end)
-@@ -3599,7 +3878,7 @@ static int __init gate_vma_init(void)
+@@ -3599,7 +3882,7 @@ static int __init gate_vma_init(void)
  	gate_vma.vm_start = FIXADDR_USER_START;
  	gate_vma.vm_end = FIXADDR_USER_END;
  	gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
@@ -75714,10 +76146,10 @@ index 17b5b1c..826d872 100644
  		}
  	}
 diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
-index 8eb6b15..e3db7ab 100644
+index 5ac1811..7eb2320 100644
 --- a/net/bridge/br_multicast.c
 +++ b/net/bridge/br_multicast.c
-@@ -1488,7 +1488,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
+@@ -1408,7 +1408,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
  	nexthdr = ip6h->nexthdr;
  	offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
  
@@ -76073,7 +76505,7 @@ index 68bbf9f..5ef0d12 100644
  
  	return err;
 diff --git a/net/core/dev.c b/net/core/dev.c
-index 55cd370..672cffa 100644
+index cd5050e..b1b4530 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -1139,10 +1139,14 @@ void dev_load(struct net *net, const char *name)
@@ -76154,7 +76586,7 @@ index 55cd370..672cffa 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  	unsigned long time_limit = jiffies + 2;
-@@ -5956,7 +5960,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5924,7 +5928,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
  	} else {
  		netdev_stats_to_stats64(storage, &dev->stats);
  	}
@@ -76278,28 +76710,6 @@ index ff52ad0..aff1c0f 100644
  	     i++, cmfptr++)
  	{
  		int new_fd;
-diff --git a/net/core/skbuff.c b/net/core/skbuff.c
-index 3c30ee4..29cb392 100644
---- a/net/core/skbuff.c
-+++ b/net/core/skbuff.c
-@@ -3111,6 +3111,8 @@ static void sock_rmem_free(struct sk_buff *skb)
-  */
- int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
- {
-+	int len = skb->len;
-+
- 	if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
- 	    (unsigned)sk->sk_rcvbuf)
- 		return -ENOMEM;
-@@ -3125,7 +3127,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
- 
- 	skb_queue_tail(&sk->sk_error_queue, skb);
- 	if (!sock_flag(sk, SOCK_DEAD))
--		sk->sk_data_ready(sk, skb->len);
-+		sk->sk_data_ready(sk, len);
- 	return 0;
- }
- EXPORT_SYMBOL(sock_queue_err_skb);
 diff --git a/net/core/sock.c b/net/core/sock.c
 index b23f174..b9a0d26 100644
 --- a/net/core/sock.c
@@ -77312,7 +77722,7 @@ index 361ebf3..d5628fb 100644
  
  static int raw6_seq_show(struct seq_file *seq, void *v)
 diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
-index b859e4a..f9d1589 100644
+index 4a56574..9745b8a 100644
 --- a/net/ipv6/tcp_ipv6.c
 +++ b/net/ipv6/tcp_ipv6.c
 @@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
@@ -77326,7 +77736,7 @@ index b859e4a..f9d1589 100644
  static void tcp_v6_hash(struct sock *sk)
  {
  	if (sk->sk_state != TCP_CLOSE) {
-@@ -1651,6 +1655,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+@@ -1655,6 +1659,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
  	return 0;
  
  reset:
@@ -77336,7 +77746,7 @@ index b859e4a..f9d1589 100644
  	tcp_v6_send_reset(sk, skb);
  discard:
  	if (opt_skb)
-@@ -1730,12 +1737,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
+@@ -1734,12 +1741,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
  	TCP_SKB_CB(skb)->sacked = 0;
  
  	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
@@ -77359,7 +77769,7 @@ index b859e4a..f9d1589 100644
  
  	if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
  		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
-@@ -1783,6 +1798,10 @@ no_tcp_socket:
+@@ -1787,6 +1802,10 @@ no_tcp_socket:
  bad_packet:
  		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
  	} else {
@@ -77370,7 +77780,7 @@ index b859e4a..f9d1589 100644
  		tcp_v6_send_reset(NULL, skb);
  	}
  
-@@ -2043,7 +2062,13 @@ static void get_openreq6(struct seq_file *seq,
+@@ -2047,7 +2066,13 @@ static void get_openreq6(struct seq_file *seq,
  		   uid,
  		   0,  /* non standard timer */
  		   0, /* open_requests have no inode */
@@ -77385,7 +77795,7 @@ index b859e4a..f9d1589 100644
  }
  
  static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
-@@ -2093,7 +2118,12 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
+@@ -2097,7 +2122,12 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
  		   sock_i_uid(sp),
  		   icsk->icsk_probes_out,
  		   sock_i_ino(sp),
@@ -77399,7 +77809,7 @@ index b859e4a..f9d1589 100644
  		   jiffies_to_clock_t(icsk->icsk_rto),
  		   jiffies_to_clock_t(icsk->icsk_ack.ato),
  		   (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
-@@ -2128,7 +2158,13 @@ static void get_timewait6_sock(struct seq_file *seq,
+@@ -2132,7 +2162,13 @@ static void get_timewait6_sock(struct seq_file *seq,
  		   dest->s6_addr32[2], dest->s6_addr32[3], destp,
  		   tw->tw_substate, 0, 0,
  		   3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
@@ -78097,7 +78507,7 @@ index 4fe4fb4..87a89e5 100644
  	return 0;
  }
 diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 1201b6d..bcff8c6 100644
+index a99fb41..740c2a4 100644
 --- a/net/netlink/af_netlink.c
 +++ b/net/netlink/af_netlink.c
 @@ -742,7 +742,7 @@ static void netlink_overrun(struct sock *sk)
@@ -78109,7 +78519,7 @@ index 1201b6d..bcff8c6 100644
  }
  
  static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
-@@ -1999,7 +1999,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
+@@ -2001,7 +2001,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
  			   sk_wmem_alloc_get(s),
  			   nlk->cb,
  			   atomic_read(&s->sk_refcnt),
@@ -78201,7 +78611,7 @@ index d65f699..05aa6ce 100644
  
  	err = proto_register(pp->prot, 1);
 diff --git a/net/phonet/pep.c b/net/phonet/pep.c
-index 2ba6e9f..409573f 100644
+index 007546d..9a8e5c6 100644
 --- a/net/phonet/pep.c
 +++ b/net/phonet/pep.c
 @@ -388,7 +388,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)
@@ -78679,10 +79089,10 @@ index 1e2eee8..ce3967e 100644
  			   assoc->assoc_id,
  			   assoc->sndbuf_used,
 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 54a7cd2..944edae 100644
+index 0075554..42d36a1 100644
 --- a/net/sctp/socket.c
 +++ b/net/sctp/socket.c
-@@ -4574,7 +4574,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4575,7 +4575,7 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
  		addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
  		if (space_left < addrlen)
  			return -ENOMEM;
@@ -78692,7 +79102,7 @@ index 54a7cd2..944edae 100644
  		to += addrlen;
  		cnt++;
 diff --git a/net/socket.c b/net/socket.c
-index 2dce67a..1e91168 100644
+index 273cbce..fd1e8ff 100644
 --- a/net/socket.c
 +++ b/net/socket.c
 @@ -88,6 +88,7 @@
@@ -79535,7 +79945,7 @@ index 0000000..8729101
 +#!/bin/sh
 +echo -e "#include \"gcc-plugin.h\"\n#include \"tree.h\"\n#include \"tm.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
 diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c
-index f936d1f..a66d95f 100644
+index d1d0ae8..6b73b2a 100644
 --- a/scripts/mod/file2alias.c
 +++ b/scripts/mod/file2alias.c
 @@ -72,7 +72,7 @@ static void device_id_check(const char *modname, const char *device_id,
@@ -87078,21 +87488,6 @@ index 0000000..b87ec9d
 +
 +	return 0;
 +}
-diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
-index adb372d..e0a0970 100644
---- a/tools/perf/util/hist.c
-+++ b/tools/perf/util/hist.c
-@@ -237,8 +237,8 @@ struct hist_entry *__hists__add_entry(struct hists *hists,
- 			 * mis-adjust symbol addresses when computing
- 			 * the history counter to increment.
- 			 */
--			if (he->ms.map != entry->ms.map) {
--				he->ms.map = entry->ms.map;
-+			if (he->ms.map != entry.ms.map) {
-+				he->ms.map = entry.ms.map;
- 				if (he->ms.map)
- 					he->ms.map->referenced = true;
- 			}
 diff --git a/tools/perf/util/include/asm/alternative-asm.h b/tools/perf/util/include/asm/alternative-asm.h
 index 6789d78..4afd019 100644
 --- a/tools/perf/util/include/asm/alternative-asm.h
@@ -87132,7 +87527,7 @@ index af0f22f..9a7d479 100644
                         break;
         }
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index d9cfb78..4f27c10 100644
+index e401c1b..8d4d5fa 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -75,7 +75,7 @@ LIST_HEAD(vm_list);
@@ -87144,7 +87539,7 @@ index d9cfb78..4f27c10 100644
  
  struct kmem_cache *kvm_vcpu_cache;
  EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
-@@ -2268,7 +2268,7 @@ static void hardware_enable_nolock(void *junk)
+@@ -2269,7 +2269,7 @@ static void hardware_enable_nolock(void *junk)
  
  	if (r) {
  		cpumask_clear_cpu(cpu, cpus_hardware_enabled);
@@ -87153,7 +87548,7 @@ index d9cfb78..4f27c10 100644
  		printk(KERN_INFO "kvm: enabling virtualization on "
  				 "CPU%d failed\n", cpu);
  	}
-@@ -2322,10 +2322,10 @@ static int hardware_enable_all(void)
+@@ -2323,10 +2323,10 @@ static int hardware_enable_all(void)
  
  	kvm_usage_count++;
  	if (kvm_usage_count == 1) {
@@ -87166,7 +87561,7 @@ index d9cfb78..4f27c10 100644
  			hardware_disable_all_nolock();
  			r = -EBUSY;
  		}
-@@ -2676,7 +2676,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
+@@ -2677,7 +2677,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
  	kvm_arch_vcpu_put(vcpu);
  }
  
@@ -87175,7 +87570,7 @@ index d9cfb78..4f27c10 100644
  		  struct module *module)
  {
  	int r;
-@@ -2739,7 +2739,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2740,7 +2740,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (!vcpu_align)
  		vcpu_align = __alignof__(struct kvm_vcpu);
  	kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
@@ -87184,7 +87579,7 @@ index d9cfb78..4f27c10 100644
  	if (!kvm_vcpu_cache) {
  		r = -ENOMEM;
  		goto out_free_3;
-@@ -2749,9 +2749,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2750,9 +2750,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (r)
  		goto out_free;
  
diff --git a/3.2.16/4430_grsec-remove-localversion-grsec.patch b/3.2.17/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.2.16/4430_grsec-remove-localversion-grsec.patch
+++ b/3.2.17/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.16/4435_grsec-mute-warnings.patch b/3.2.17/4435_grsec-mute-warnings.patch
index e85abd6..e85abd6 100644
--- a/3.2.16/4435_grsec-mute-warnings.patch
+++ b/3.2.17/4435_grsec-mute-warnings.patch
diff --git a/3.2.16/4440_grsec-remove-protected-paths.patch b/3.2.17/4440_grsec-remove-protected-paths.patch
index 637934a..637934a 100644
--- a/3.2.16/4440_grsec-remove-protected-paths.patch
+++ b/3.2.17/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.16/4445_grsec-pax-without-grsec.patch b/3.2.17/4445_grsec-pax-without-grsec.patch
index 58301c0..58301c0 100644
--- a/3.2.16/4445_grsec-pax-without-grsec.patch
+++ b/3.2.17/4445_grsec-pax-without-grsec.patch
diff --git a/3.2.16/4450_grsec-kconfig-default-gids.patch b/3.2.17/4450_grsec-kconfig-default-gids.patch
index 123f877..123f877 100644
--- a/3.2.16/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.17/4450_grsec-kconfig-default-gids.patch
diff --git a/3.2.16/4455_grsec-kconfig-gentoo.patch b/3.2.17/4455_grsec-kconfig-gentoo.patch
index 87b5454..87b5454 100644
--- a/3.2.16/4455_grsec-kconfig-gentoo.patch
+++ b/3.2.17/4455_grsec-kconfig-gentoo.patch
diff --git a/3.2.16/4460-grsec-kconfig-proc-user.patch b/3.2.17/4460-grsec-kconfig-proc-user.patch
index b2b3188..b2b3188 100644
--- a/3.2.16/4460-grsec-kconfig-proc-user.patch
+++ b/3.2.17/4460-grsec-kconfig-proc-user.patch
diff --git a/3.2.16/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.17/4465_selinux-avc_audit-log-curr_ip.patch
index 5a9d80c..5a9d80c 100644
--- a/3.2.16/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.17/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.2.16/4470_disable-compat_vdso.patch b/3.2.17/4470_disable-compat_vdso.patch
index 4742d01..4742d01 100644
--- a/3.2.16/4470_disable-compat_vdso.patch
+++ b/3.2.17/4470_disable-compat_vdso.patch
diff --git a/3.3.5/1004_linux-3.3.5.patch b/3.3.5/1004_linux-3.3.5.patch
deleted file mode 100644
index a1fa635..0000000
--- a/3.3.5/1004_linux-3.3.5.patch
+++ /dev/null
@@ -1,3285 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 44ef766..64615e9 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- VERSION = 3
- PATCHLEVEL = 3
--SUBLEVEL = 4
-+SUBLEVEL = 5
- EXTRAVERSION =
- NAME = Saber-toothed Squirrel
- 
-diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
-index dfb0312..dedb885 100644
---- a/arch/arm/Kconfig
-+++ b/arch/arm/Kconfig
-@@ -1163,6 +1163,15 @@ if !MMU
- source "arch/arm/Kconfig-nommu"
- endif
- 
-+config ARM_ERRATA_326103
-+	bool "ARM errata: FSR write bit incorrect on a SWP to read-only memory"
-+	depends on CPU_V6
-+	help
-+	  Executing a SWP instruction to read-only memory does not set bit 11
-+	  of the FSR on the ARM 1136 prior to r1p0. This causes the kernel to
-+	  treat the access as a read, preventing a COW from occurring and
-+	  causing the faulting task to livelock.
-+
- config ARM_ERRATA_411920
- 	bool "ARM errata: Invalidation of the Instruction Cache operation can fail"
- 	depends on CPU_V6 || CPU_V6K
-diff --git a/arch/arm/include/asm/tls.h b/arch/arm/include/asm/tls.h
-index 60843eb..73409e6 100644
---- a/arch/arm/include/asm/tls.h
-+++ b/arch/arm/include/asm/tls.h
-@@ -7,6 +7,8 @@
- 
- 	.macro set_tls_v6k, tp, tmp1, tmp2
- 	mcr	p15, 0, \tp, c13, c0, 3		@ set TLS register
-+	mov	\tmp1, #0
-+	mcr	p15, 0, \tmp1, c13, c0, 2	@ clear user r/w TLS register
- 	.endm
- 
- 	.macro set_tls_v6, tp, tmp1, tmp2
-@@ -15,6 +17,8 @@
- 	mov	\tmp2, #0xffff0fff
- 	tst	\tmp1, #HWCAP_TLS		@ hardware TLS available?
- 	mcrne	p15, 0, \tp, c13, c0, 3		@ yes, set TLS register
-+	movne	\tmp1, #0
-+	mcrne	p15, 0, \tmp1, c13, c0, 2	@ clear user r/w TLS register
- 	streq	\tp, [\tmp2, #-15]		@ set TLS value at 0xffff0ff0
- 	.endm
- 
-diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c
-index 3efd82c..87c8be5 100644
---- a/arch/arm/kernel/irq.c
-+++ b/arch/arm/kernel/irq.c
-@@ -156,10 +156,10 @@ static bool migrate_one_irq(struct irq_desc *desc)
- 	}
- 
- 	c = irq_data_get_irq_chip(d);
--	if (c->irq_set_affinity)
--		c->irq_set_affinity(d, affinity, true);
--	else
-+	if (!c->irq_set_affinity)
- 		pr_debug("IRQ%u: unable to set affinity\n", d->irq);
-+	else if (c->irq_set_affinity(d, affinity, true) == IRQ_SET_MASK_OK && ret)
-+		cpumask_copy(d->affinity, affinity);
- 
- 	return ret;
- }
-diff --git a/arch/arm/mm/abort-ev6.S b/arch/arm/mm/abort-ev6.S
-index ff1f7cc..8074199 100644
---- a/arch/arm/mm/abort-ev6.S
-+++ b/arch/arm/mm/abort-ev6.S
-@@ -26,18 +26,23 @@ ENTRY(v6_early_abort)
- 	mrc	p15, 0, r1, c5, c0, 0		@ get FSR
- 	mrc	p15, 0, r0, c6, c0, 0		@ get FAR
- /*
-- * Faulty SWP instruction on 1136 doesn't set bit 11 in DFSR (erratum 326103).
-- * The test below covers all the write situations, including Java bytecodes
-+ * Faulty SWP instruction on 1136 doesn't set bit 11 in DFSR.
-  */
--	bic	r1, r1, #1 << 11		@ clear bit 11 of FSR
-+#ifdef CONFIG_ARM_ERRATA_326103
-+	ldr	ip, =0x4107b36
-+	mrc	p15, 0, r3, c0, c0, 0		@ get processor id
-+	teq	ip, r3, lsr #4			@ r0 ARM1136?
-+	bne	do_DataAbort
- 	tst	r5, #PSR_J_BIT			@ Java?
-+	tsteq	r5, #PSR_T_BIT			@ Thumb?
- 	bne	do_DataAbort
--	do_thumb_abort fsr=r1, pc=r4, psr=r5, tmp=r3
--	ldreq	r3, [r4]			@ read aborted ARM instruction
-+	bic	r1, r1, #1 << 11		@ clear bit 11 of FSR
-+	ldr	r3, [r4]			@ read aborted ARM instruction
- #ifdef CONFIG_CPU_ENDIAN_BE8
--	reveq	r3, r3
-+	rev	r3, r3
- #endif
- 	do_ldrd_abort tmp=ip, insn=r3
- 	tst	r3, #1 << 20			@ L = 0 -> write
- 	orreq	r1, r1, #1 << 11		@ yes.
-+#endif
- 	b	do_DataAbort
-diff --git a/arch/mips/ath79/dev-wmac.c b/arch/mips/ath79/dev-wmac.c
-index e215070..9c717bf 100644
---- a/arch/mips/ath79/dev-wmac.c
-+++ b/arch/mips/ath79/dev-wmac.c
-@@ -58,8 +58,8 @@ static void __init ar913x_wmac_setup(void)
- 
- static int ar933x_wmac_reset(void)
- {
--	ath79_device_reset_clear(AR933X_RESET_WMAC);
- 	ath79_device_reset_set(AR933X_RESET_WMAC);
-+	ath79_device_reset_clear(AR933X_RESET_WMAC);
- 
- 	return 0;
- }
-diff --git a/arch/powerpc/platforms/85xx/common.c b/arch/powerpc/platforms/85xx/common.c
-index 9fef530..67dac22 100644
---- a/arch/powerpc/platforms/85xx/common.c
-+++ b/arch/powerpc/platforms/85xx/common.c
-@@ -21,6 +21,12 @@ static struct of_device_id __initdata mpc85xx_common_ids[] = {
- 	{ .compatible = "fsl,qe", },
- 	{ .compatible = "fsl,cpm2", },
- 	{ .compatible = "fsl,srio", },
-+	/* So that the DMA channel nodes can be probed individually: */
-+	{ .compatible = "fsl,eloplus-dma", },
-+	/* For the PMC driver */
-+	{ .compatible = "fsl,mpc8548-guts", },
-+	/* Probably unnecessary? */
-+	{ .compatible = "gpio-leds", },
- 	{},
- };
- 
-diff --git a/arch/powerpc/platforms/85xx/mpc85xx_mds.c b/arch/powerpc/platforms/85xx/mpc85xx_mds.c
-index 1d15a0c..b498864 100644
---- a/arch/powerpc/platforms/85xx/mpc85xx_mds.c
-+++ b/arch/powerpc/platforms/85xx/mpc85xx_mds.c
-@@ -405,12 +405,6 @@ static int __init board_fixups(void)
- machine_arch_initcall(mpc8568_mds, board_fixups);
- machine_arch_initcall(mpc8569_mds, board_fixups);
- 
--static struct of_device_id mpc85xx_ids[] = {
--	{ .compatible = "fsl,mpc8548-guts", },
--	{ .compatible = "gpio-leds", },
--	{},
--};
--
- static int __init mpc85xx_publish_devices(void)
- {
- 	if (machine_is(mpc8568_mds))
-@@ -418,10 +412,7 @@ static int __init mpc85xx_publish_devices(void)
- 	if (machine_is(mpc8569_mds))
- 		simple_gpiochip_init("fsl,mpc8569mds-bcsr-gpio");
- 
--	mpc85xx_common_publish_devices();
--	of_platform_bus_probe(NULL, mpc85xx_ids, NULL);
--
--	return 0;
-+	return mpc85xx_common_publish_devices();
- }
- 
- machine_device_initcall(mpc8568_mds, mpc85xx_publish_devices);
-diff --git a/arch/powerpc/platforms/85xx/p1022_ds.c b/arch/powerpc/platforms/85xx/p1022_ds.c
-index b0984ad..cc79cad8 100644
---- a/arch/powerpc/platforms/85xx/p1022_ds.c
-+++ b/arch/powerpc/platforms/85xx/p1022_ds.c
-@@ -303,18 +303,7 @@ static void __init p1022_ds_setup_arch(void)
- 	pr_info("Freescale P1022 DS reference board\n");
- }
- 
--static struct of_device_id __initdata p1022_ds_ids[] = {
--	/* So that the DMA channel nodes can be probed individually: */
--	{ .compatible = "fsl,eloplus-dma", },
--	{},
--};
--
--static int __init p1022_ds_publish_devices(void)
--{
--	mpc85xx_common_publish_devices();
--	return of_platform_bus_probe(NULL, p1022_ds_ids, NULL);
--}
--machine_device_initcall(p1022_ds, p1022_ds_publish_devices);
-+machine_device_initcall(p1022_ds, mpc85xx_common_publish_devices);
- 
- machine_arch_initcall(p1022_ds, swiotlb_setup_bus_notifier);
- 
-diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
-index 95365a8..5a747dd 100644
---- a/arch/x86/boot/Makefile
-+++ b/arch/x86/boot/Makefile
-@@ -37,7 +37,8 @@ setup-y		+= video-bios.o
- targets		+= $(setup-y)
- hostprogs-y	:= mkcpustr tools/build
- 
--HOST_EXTRACFLAGS += $(LINUXINCLUDE)
-+HOST_EXTRACFLAGS += -I$(srctree)/tools/include $(LINUXINCLUDE) \
-+	            -D__EXPORTED_HEADERS__
- 
- $(obj)/cpu.o: $(obj)/cpustr.h
- 
-diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
-index b123b9a..fd55a2f 100644
---- a/arch/x86/boot/compressed/Makefile
-+++ b/arch/x86/boot/compressed/Makefile
-@@ -22,6 +22,7 @@ LDFLAGS := -m elf_$(UTS_MACHINE)
- LDFLAGS_vmlinux := -T
- 
- hostprogs-y	:= mkpiggy
-+HOST_EXTRACFLAGS += -I$(srctree)/tools/include
- 
- VMLINUX_OBJS = $(obj)/vmlinux.lds $(obj)/head_$(BITS).o $(obj)/misc.o \
- 	$(obj)/string.o $(obj)/cmdline.o $(obj)/early_serial_console.o \
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index fec216f..0cdfc0d 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -539,7 +539,7 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image,
- 		struct initrd *initrd;
- 		efi_file_handle_t *h;
- 		efi_file_info_t *info;
--		efi_char16_t filename[256];
-+		efi_char16_t filename_16[256];
- 		unsigned long info_sz;
- 		efi_guid_t info_guid = EFI_FILE_INFO_ID;
- 		efi_char16_t *p;
-@@ -552,14 +552,14 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image,
- 		str += 7;
- 
- 		initrd = &initrds[i];
--		p = filename;
-+		p = filename_16;
- 
- 		/* Skip any leading slashes */
- 		while (*str == '/' || *str == '\\')
- 			str++;
- 
- 		while (*str && *str != ' ' && *str != '\n') {
--			if (p >= filename + sizeof(filename))
-+			if ((u8 *)p >= (u8 *)filename_16 + sizeof(filename_16))
- 				break;
- 
- 			*p++ = *str++;
-@@ -583,7 +583,7 @@ static efi_status_t handle_ramdisks(efi_loaded_image_t *image,
- 				goto free_initrds;
- 		}
- 
--		status = efi_call_phys5(fh->open, fh, &h, filename,
-+		status = efi_call_phys5(fh->open, fh, &h, filename_16,
- 					EFI_FILE_MODE_READ, (u64)0);
- 		if (status != EFI_SUCCESS)
- 			goto close_handles;
-diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
-index a055993..c85e3ac 100644
---- a/arch/x86/boot/compressed/head_32.S
-+++ b/arch/x86/boot/compressed/head_32.S
-@@ -33,6 +33,9 @@
- 	__HEAD
- ENTRY(startup_32)
- #ifdef CONFIG_EFI_STUB
-+	jmp	preferred_addr
-+
-+	.balign	0x10
- 	/*
- 	 * We don't need the return address, so set up the stack so
- 	 * efi_main() can find its arugments.
-@@ -41,12 +44,17 @@ ENTRY(startup_32)
- 
- 	call	efi_main
- 	cmpl	$0, %eax
--	je	preferred_addr
- 	movl	%eax, %esi
--	call	1f
-+	jne	2f
- 1:
-+	/* EFI init failed, so hang. */
-+	hlt
-+	jmp	1b
-+2:
-+	call	3f
-+3:
- 	popl	%eax
--	subl	$1b, %eax
-+	subl	$3b, %eax
- 	subl	BP_pref_address(%esi), %eax
- 	add	BP_code32_start(%esi), %eax
- 	leal	preferred_addr(%eax), %eax
-diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
-index 558d76c..87e03a1 100644
---- a/arch/x86/boot/compressed/head_64.S
-+++ b/arch/x86/boot/compressed/head_64.S
-@@ -200,18 +200,28 @@ ENTRY(startup_64)
- 	 * entire text+data+bss and hopefully all of memory.
- 	 */
- #ifdef CONFIG_EFI_STUB
--	pushq	%rsi
-+	/*
-+	 * The entry point for the PE/COFF executable is 0x210, so only
-+	 * legacy boot loaders will execute this jmp.
-+	 */
-+	jmp	preferred_addr
-+
-+	.org 0x210
- 	mov	%rcx, %rdi
- 	mov	%rdx, %rsi
- 	call	efi_main
--	popq	%rsi
--	cmpq	$0,%rax
--	je	preferred_addr
- 	movq	%rax,%rsi
--	call	1f
-+	cmpq	$0,%rax
-+	jne	2f
- 1:
-+	/* EFI init failed, so hang. */
-+	hlt
-+	jmp	1b
-+2:
-+	call	3f
-+3:
- 	popq	%rax
--	subq	$1b, %rax
-+	subq	$3b, %rax
- 	subq	BP_pref_address(%rsi), %rax
- 	add	BP_code32_start(%esi), %eax
- 	leaq	preferred_addr(%rax), %rax
-diff --git a/arch/x86/boot/compressed/mkpiggy.c b/arch/x86/boot/compressed/mkpiggy.c
-index 46a8238..958a641 100644
---- a/arch/x86/boot/compressed/mkpiggy.c
-+++ b/arch/x86/boot/compressed/mkpiggy.c
-@@ -29,14 +29,7 @@
- #include <stdio.h>
- #include <string.h>
- #include <inttypes.h>
--
--static uint32_t getle32(const void *p)
--{
--	const uint8_t *cp = p;
--
--	return (uint32_t)cp[0] + ((uint32_t)cp[1] << 8) +
--		((uint32_t)cp[2] << 16) + ((uint32_t)cp[3] << 24);
--}
-+#include <tools/le_byteshift.h>
- 
- int main(int argc, char *argv[])
- {
-@@ -69,7 +62,7 @@ int main(int argc, char *argv[])
- 	}
- 
- 	ilen = ftell(f);
--	olen = getle32(&olen);
-+	olen = get_unaligned_le32(&olen);
- 	fclose(f);
- 
- 	/*
-diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c
-index 4e9bd6b..09ce870 100644
---- a/arch/x86/boot/tools/build.c
-+++ b/arch/x86/boot/tools/build.c
-@@ -34,6 +34,7 @@
- #include <fcntl.h>
- #include <sys/mman.h>
- #include <asm/boot.h>
-+#include <tools/le_byteshift.h>
- 
- typedef unsigned char  u8;
- typedef unsigned short u16;
-@@ -41,6 +42,7 @@ typedef unsigned long  u32;
- 
- #define DEFAULT_MAJOR_ROOT 0
- #define DEFAULT_MINOR_ROOT 0
-+#define DEFAULT_ROOT_DEV (DEFAULT_MAJOR_ROOT << 8 | DEFAULT_MINOR_ROOT)
- 
- /* Minimal number of setup sectors */
- #define SETUP_SECT_MIN 5
-@@ -159,7 +161,7 @@ int main(int argc, char ** argv)
- 		die("read-error on `setup'");
- 	if (c < 1024)
- 		die("The setup must be at least 1024 bytes");
--	if (buf[510] != 0x55 || buf[511] != 0xaa)
-+	if (get_unaligned_le16(&buf[510]) != 0xAA55)
- 		die("Boot block hasn't got boot flag (0xAA55)");
- 	fclose(file);
- 
-@@ -171,8 +173,7 @@ int main(int argc, char ** argv)
- 	memset(buf+c, 0, i-c);
- 
- 	/* Set the default root device */
--	buf[508] = DEFAULT_MINOR_ROOT;
--	buf[509] = DEFAULT_MAJOR_ROOT;
-+	put_unaligned_le16(DEFAULT_ROOT_DEV, &buf[508]);
- 
- 	fprintf(stderr, "Setup is %d bytes (padded to %d bytes).\n", c, i);
- 
-@@ -192,44 +193,49 @@ int main(int argc, char ** argv)
- 
- 	/* Patch the setup code with the appropriate size parameters */
- 	buf[0x1f1] = setup_sectors-1;
--	buf[0x1f4] = sys_size;
--	buf[0x1f5] = sys_size >> 8;
--	buf[0x1f6] = sys_size >> 16;
--	buf[0x1f7] = sys_size >> 24;
-+	put_unaligned_le32(sys_size, &buf[0x1f4]);
- 
- #ifdef CONFIG_EFI_STUB
- 	file_sz = sz + i + ((sys_size * 16) - sz);
- 
--	pe_header = *(unsigned int *)&buf[0x3c];
-+	pe_header = get_unaligned_le32(&buf[0x3c]);
- 
- 	/* Size of code */
--	*(unsigned int *)&buf[pe_header + 0x1c] = file_sz;
-+	put_unaligned_le32(file_sz, &buf[pe_header + 0x1c]);
- 
- 	/* Size of image */
--	*(unsigned int *)&buf[pe_header + 0x50] = file_sz;
-+	put_unaligned_le32(file_sz, &buf[pe_header + 0x50]);
- 
- #ifdef CONFIG_X86_32
--	/* Address of entry point */
--	*(unsigned int *)&buf[pe_header + 0x28] = i;
-+	/*
-+	 * Address of entry point.
-+	 *
-+	 * The EFI stub entry point is +16 bytes from the start of
-+	 * the .text section.
-+	 */
-+	put_unaligned_le32(i + 16, &buf[pe_header + 0x28]);
- 
- 	/* .text size */
--	*(unsigned int *)&buf[pe_header + 0xb0] = file_sz;
-+	put_unaligned_le32(file_sz, &buf[pe_header + 0xb0]);
- 
- 	/* .text size of initialised data */
--	*(unsigned int *)&buf[pe_header + 0xb8] = file_sz;
-+	put_unaligned_le32(file_sz, &buf[pe_header + 0xb8]);
- #else
- 	/*
- 	 * Address of entry point. startup_32 is at the beginning and
- 	 * the 64-bit entry point (startup_64) is always 512 bytes
--	 * after.
-+	 * after. The EFI stub entry point is 16 bytes after that, as
-+	 * the first instruction allows legacy loaders to jump over
-+	 * the EFI stub initialisation
- 	 */
--	*(unsigned int *)&buf[pe_header + 0x28] = i + 512;
-+	put_unaligned_le32(i + 528, &buf[pe_header + 0x28]);
- 
- 	/* .text size */
--	*(unsigned int *)&buf[pe_header + 0xc0] = file_sz;
-+	put_unaligned_le32(file_sz, &buf[pe_header + 0xc0]);
- 
- 	/* .text size of initialised data */
--	*(unsigned int *)&buf[pe_header + 0xc8] = file_sz;
-+	put_unaligned_le32(file_sz, &buf[pe_header + 0xc8]);
-+
- #endif /* CONFIG_X86_32 */
- #endif /* CONFIG_EFI_STUB */
- 
-diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h
-index 517d476..a609c39 100644
---- a/arch/x86/include/asm/x86_init.h
-+++ b/arch/x86/include/asm/x86_init.h
-@@ -189,6 +189,5 @@ extern struct x86_msi_ops x86_msi;
- 
- extern void x86_init_noop(void);
- extern void x86_init_uint_noop(unsigned int unused);
--extern void x86_default_fixup_cpu_id(struct cpuinfo_x86 *c, int node);
- 
- #endif
-diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
-index 2eec05b..5b3f88e 100644
---- a/arch/x86/kernel/apic/apic.c
-+++ b/arch/x86/kernel/apic/apic.c
-@@ -1632,9 +1632,11 @@ static int __init apic_verify(void)
- 	mp_lapic_addr = APIC_DEFAULT_PHYS_BASE;
- 
- 	/* The BIOS may have set up the APIC at some other address */
--	rdmsr(MSR_IA32_APICBASE, l, h);
--	if (l & MSR_IA32_APICBASE_ENABLE)
--		mp_lapic_addr = l & MSR_IA32_APICBASE_BASE;
-+	if (boot_cpu_data.x86 >= 6) {
-+		rdmsr(MSR_IA32_APICBASE, l, h);
-+		if (l & MSR_IA32_APICBASE_ENABLE)
-+			mp_lapic_addr = l & MSR_IA32_APICBASE_BASE;
-+	}
- 
- 	pr_info("Found and enabled local APIC!\n");
- 	return 0;
-@@ -1652,13 +1654,15 @@ int __init apic_force_enable(unsigned long addr)
- 	 * MSR. This can only be done in software for Intel P6 or later
- 	 * and AMD K7 (Model > 1) or later.
- 	 */
--	rdmsr(MSR_IA32_APICBASE, l, h);
--	if (!(l & MSR_IA32_APICBASE_ENABLE)) {
--		pr_info("Local APIC disabled by BIOS -- reenabling.\n");
--		l &= ~MSR_IA32_APICBASE_BASE;
--		l |= MSR_IA32_APICBASE_ENABLE | addr;
--		wrmsr(MSR_IA32_APICBASE, l, h);
--		enabled_via_apicbase = 1;
-+	if (boot_cpu_data.x86 >= 6) {
-+		rdmsr(MSR_IA32_APICBASE, l, h);
-+		if (!(l & MSR_IA32_APICBASE_ENABLE)) {
-+			pr_info("Local APIC disabled by BIOS -- reenabling.\n");
-+			l &= ~MSR_IA32_APICBASE_BASE;
-+			l |= MSR_IA32_APICBASE_ENABLE | addr;
-+			wrmsr(MSR_IA32_APICBASE, l, h);
-+			enabled_via_apicbase = 1;
-+		}
- 	}
- 	return apic_verify();
- }
-@@ -2204,10 +2208,12 @@ static void lapic_resume(void)
- 		 * FIXME! This will be wrong if we ever support suspend on
- 		 * SMP! We'll need to do this as part of the CPU restore!
- 		 */
--		rdmsr(MSR_IA32_APICBASE, l, h);
--		l &= ~MSR_IA32_APICBASE_BASE;
--		l |= MSR_IA32_APICBASE_ENABLE | mp_lapic_addr;
--		wrmsr(MSR_IA32_APICBASE, l, h);
-+		if (boot_cpu_data.x86 >= 6) {
-+			rdmsr(MSR_IA32_APICBASE, l, h);
-+			l &= ~MSR_IA32_APICBASE_BASE;
-+			l |= MSR_IA32_APICBASE_ENABLE | mp_lapic_addr;
-+			wrmsr(MSR_IA32_APICBASE, l, h);
-+		}
- 	}
- 
- 	maxlvt = lapic_get_maxlvt();
-diff --git a/arch/x86/kernel/apic/apic_numachip.c b/arch/x86/kernel/apic/apic_numachip.c
-index 09d3d8c..ade0182 100644
---- a/arch/x86/kernel/apic/apic_numachip.c
-+++ b/arch/x86/kernel/apic/apic_numachip.c
-@@ -201,8 +201,11 @@ static void __init map_csrs(void)
- 
- static void fixup_cpu_id(struct cpuinfo_x86 *c, int node)
- {
--	c->phys_proc_id = node;
--	per_cpu(cpu_llc_id, smp_processor_id()) = node;
-+
-+	if (c->phys_proc_id != node) {
-+		c->phys_proc_id = node;
-+		per_cpu(cpu_llc_id, smp_processor_id()) = node;
-+	}
- }
- 
- static int __init numachip_system_init(void)
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index f4773f4..80ab83d 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -352,10 +352,11 @@ static void __cpuinit srat_detect_node(struct cpuinfo_x86 *c)
- 		node = per_cpu(cpu_llc_id, cpu);
- 
- 	/*
--	 * If core numbers are inconsistent, it's likely a multi-fabric platform,
--	 * so invoke platform-specific handler
-+	 * On multi-fabric platform (e.g. Numascale NumaChip) a
-+	 * platform-specific handler needs to be called to fixup some
-+	 * IDs of the CPU.
- 	 */
--	if (c->phys_proc_id != node)
-+	if (x86_cpuinit.fixup_cpu_id)
- 		x86_cpuinit.fixup_cpu_id(c, node);
- 
- 	if (!node_online(node)) {
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index c0f7d68..1a810e4 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1163,15 +1163,6 @@ static void dbg_restore_debug_regs(void)
- #endif /* ! CONFIG_KGDB */
- 
- /*
-- * Prints an error where the NUMA and configured core-number mismatch and the
-- * platform didn't override this to fix it up
-- */
--void __cpuinit x86_default_fixup_cpu_id(struct cpuinfo_x86 *c, int node)
--{
--	pr_err("NUMA core number %d differs from configured core number %d\n", node, c->phys_proc_id);
--}
--
--/*
-  * cpu_init() initializes state that is per-CPU. Some data is already
-  * initialized (naturally) in the bootstrap process, such as the GDT
-  * and IDT. We reload them nevertheless, this function acts as a
-diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
-index 739d859..f239f30 100644
---- a/arch/x86/kernel/i387.c
-+++ b/arch/x86/kernel/i387.c
-@@ -154,6 +154,7 @@ int init_fpu(struct task_struct *tsk)
- 	if (tsk_used_math(tsk)) {
- 		if (HAVE_HWFP && tsk == current)
- 			unlazy_fpu(tsk);
-+		tsk->thread.fpu.last_cpu = ~0;
- 		return 0;
- 	}
- 
-diff --git a/arch/x86/kernel/microcode_amd.c b/arch/x86/kernel/microcode_amd.c
-index 73465aa..8a2ce8f 100644
---- a/arch/x86/kernel/microcode_amd.c
-+++ b/arch/x86/kernel/microcode_amd.c
-@@ -82,11 +82,6 @@ static int collect_cpu_info_amd(int cpu, struct cpu_signature *csig)
- {
- 	struct cpuinfo_x86 *c = &cpu_data(cpu);
- 
--	if (c->x86_vendor != X86_VENDOR_AMD || c->x86 < 0x10) {
--		pr_warning("CPU%d: family %d not supported\n", cpu, c->x86);
--		return -1;
--	}
--
- 	csig->rev = c->microcode;
- 	pr_info("CPU%d: patch_level=0x%08x\n", cpu, csig->rev);
- 
-@@ -380,6 +375,13 @@ static struct microcode_ops microcode_amd_ops = {
- 
- struct microcode_ops * __init init_amd_microcode(void)
- {
-+	struct cpuinfo_x86 *c = &cpu_data(0);
-+
-+	if (c->x86_vendor != X86_VENDOR_AMD || c->x86 < 0x10) {
-+		pr_warning("AMD CPU family 0x%x not supported\n", c->x86);
-+		return NULL;
-+	}
-+
- 	patch = (void *)get_zeroed_page(GFP_KERNEL);
- 	if (!patch)
- 		return NULL;
-diff --git a/arch/x86/kernel/microcode_core.c b/arch/x86/kernel/microcode_core.c
-index fda91c3..50a5875 100644
---- a/arch/x86/kernel/microcode_core.c
-+++ b/arch/x86/kernel/microcode_core.c
-@@ -418,10 +418,8 @@ static int mc_device_add(struct device *dev, struct subsys_interface *sif)
- 	if (err)
- 		return err;
- 
--	if (microcode_init_cpu(cpu) == UCODE_ERROR) {
--		sysfs_remove_group(&dev->kobj, &mc_attr_group);
-+	if (microcode_init_cpu(cpu) == UCODE_ERROR)
- 		return -EINVAL;
--	}
- 
- 	return err;
- }
-@@ -513,11 +511,11 @@ static int __init microcode_init(void)
- 		microcode_ops = init_intel_microcode();
- 	else if (c->x86_vendor == X86_VENDOR_AMD)
- 		microcode_ops = init_amd_microcode();
--
--	if (!microcode_ops) {
-+	else
- 		pr_err("no support for this CPU vendor\n");
-+
-+	if (!microcode_ops)
- 		return -ENODEV;
--	}
- 
- 	microcode_pdev = platform_device_register_simple("microcode", -1,
- 							 NULL, 0);
-diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
-index 947a06c..83b05ad 100644
---- a/arch/x86/kernel/x86_init.c
-+++ b/arch/x86/kernel/x86_init.c
-@@ -92,7 +92,6 @@ struct x86_init_ops x86_init __initdata = {
- 
- struct x86_cpuinit_ops x86_cpuinit __cpuinitdata = {
- 	.setup_percpu_clockev		= setup_secondary_APIC_clock,
--	.fixup_cpu_id			= x86_default_fixup_cpu_id,
- };
- 
- static void default_nmi_init(void) { };
-diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
-index 501d4e0..f2ce60a 100644
---- a/arch/x86/xen/smp.c
-+++ b/arch/x86/xen/smp.c
-@@ -172,6 +172,7 @@ static void __init xen_fill_possible_map(void)
- static void __init xen_filter_cpu_maps(void)
- {
- 	int i, rc;
-+	unsigned int subtract = 0;
- 
- 	if (!xen_initial_domain())
- 		return;
-@@ -186,8 +187,22 @@ static void __init xen_filter_cpu_maps(void)
- 		} else {
- 			set_cpu_possible(i, false);
- 			set_cpu_present(i, false);
-+			subtract++;
- 		}
- 	}
-+#ifdef CONFIG_HOTPLUG_CPU
-+	/* This is akin to using 'nr_cpus' on the Linux command line.
-+	 * Which is OK as when we use 'dom0_max_vcpus=X' we can only
-+	 * have up to X, while nr_cpu_ids is greater than X. This
-+	 * normally is not a problem, except when CPU hotplugging
-+	 * is involved and then there might be more than X CPUs
-+	 * in the guest - which will not work as there is no
-+	 * hypercall to expand the max number of VCPUs an already
-+	 * running guest has. So cap it up to X. */
-+	if (subtract)
-+		nr_cpu_ids = nr_cpu_ids - subtract;
-+#endif
-+
- }
- 
- static void __init xen_smp_prepare_boot_cpu(void)
-diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S
-index 79d7362..3e45aa0 100644
---- a/arch/x86/xen/xen-asm.S
-+++ b/arch/x86/xen/xen-asm.S
-@@ -96,7 +96,7 @@ ENTRY(xen_restore_fl_direct)
- 
- 	/* check for unmasked and pending */
- 	cmpw $0x0001, PER_CPU_VAR(xen_vcpu_info) + XEN_vcpu_info_pending
--	jz 1f
-+	jnz 1f
- 2:	call check_events
- 1:
- ENDPATCH(xen_restore_fl_direct)
-diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
-index a9b2820..58db834 100644
---- a/drivers/ata/libata-eh.c
-+++ b/drivers/ata/libata-eh.c
-@@ -3500,7 +3500,8 @@ static int ata_count_probe_trials_cb(struct ata_ering_entry *ent, void *void_arg
- 	u64 now = get_jiffies_64();
- 	int *trials = void_arg;
- 
--	if (ent->timestamp < now - min(now, interval))
-+	if ((ent->eflags & ATA_EFLAG_OLD_ER) ||
-+	    (ent->timestamp < now - min(now, interval)))
- 		return -1;
- 
- 	(*trials)++;
-diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c
-index 2d8c789..b28dbfa 100644
---- a/drivers/crypto/talitos.c
-+++ b/drivers/crypto/talitos.c
-@@ -124,6 +124,9 @@ struct talitos_private {
- 	void __iomem *reg;
- 	int irq[2];
- 
-+	/* SEC global registers lock  */
-+	spinlock_t reg_lock ____cacheline_aligned;
-+
- 	/* SEC version geometry (from device tree node) */
- 	unsigned int num_channels;
- 	unsigned int chfifo_len;
-@@ -412,6 +415,7 @@ static void talitos_done_##name(unsigned long data)			\
- {									\
- 	struct device *dev = (struct device *)data;			\
- 	struct talitos_private *priv = dev_get_drvdata(dev);		\
-+	unsigned long flags;						\
- 									\
- 	if (ch_done_mask & 1)						\
- 		flush_channel(dev, 0, 0, 0);				\
-@@ -427,8 +431,10 @@ static void talitos_done_##name(unsigned long data)			\
- out:									\
- 	/* At this point, all completed channels have been processed */	\
- 	/* Unmask done interrupts for channels completed later on. */	\
-+	spin_lock_irqsave(&priv->reg_lock, flags);			\
- 	setbits32(priv->reg + TALITOS_IMR, ch_done_mask);		\
- 	setbits32(priv->reg + TALITOS_IMR_LO, TALITOS_IMR_LO_INIT);	\
-+	spin_unlock_irqrestore(&priv->reg_lock, flags);			\
- }
- DEF_TALITOS_DONE(4ch, TALITOS_ISR_4CHDONE)
- DEF_TALITOS_DONE(ch0_2, TALITOS_ISR_CH_0_2_DONE)
-@@ -619,22 +625,28 @@ static irqreturn_t talitos_interrupt_##name(int irq, void *data)	       \
- 	struct device *dev = data;					       \
- 	struct talitos_private *priv = dev_get_drvdata(dev);		       \
- 	u32 isr, isr_lo;						       \
-+	unsigned long flags;						       \
- 									       \
-+	spin_lock_irqsave(&priv->reg_lock, flags);			       \
- 	isr = in_be32(priv->reg + TALITOS_ISR);				       \
- 	isr_lo = in_be32(priv->reg + TALITOS_ISR_LO);			       \
- 	/* Acknowledge interrupt */					       \
- 	out_be32(priv->reg + TALITOS_ICR, isr & (ch_done_mask | ch_err_mask)); \
- 	out_be32(priv->reg + TALITOS_ICR_LO, isr_lo);			       \
- 									       \
--	if (unlikely((isr & ~TALITOS_ISR_4CHDONE) & ch_err_mask || isr_lo))    \
--		talitos_error(dev, isr, isr_lo);			       \
--	else								       \
-+	if (unlikely(isr & ch_err_mask || isr_lo)) {			       \
-+		spin_unlock_irqrestore(&priv->reg_lock, flags);		       \
-+		talitos_error(dev, isr & ch_err_mask, isr_lo);		       \
-+	}								       \
-+	else {								       \
- 		if (likely(isr & ch_done_mask)) {			       \
- 			/* mask further done interrupts. */		       \
- 			clrbits32(priv->reg + TALITOS_IMR, ch_done_mask);      \
- 			/* done_task will unmask done interrupts at exit */    \
- 			tasklet_schedule(&priv->done_task[tlet]);	       \
- 		}							       \
-+		spin_unlock_irqrestore(&priv->reg_lock, flags);		       \
-+	}								       \
- 									       \
- 	return (isr & (ch_done_mask | ch_err_mask) || isr_lo) ? IRQ_HANDLED :  \
- 								IRQ_NONE;      \
-@@ -2718,6 +2730,8 @@ static int talitos_probe(struct platform_device *ofdev)
- 
- 	priv->ofdev = ofdev;
- 
-+	spin_lock_init(&priv->reg_lock);
-+
- 	err = talitos_probe_irq(ofdev);
- 	if (err)
- 		goto err_out;
-diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
-index f4aed5f..a342873 100644
---- a/drivers/dma/at_hdmac.c
-+++ b/drivers/dma/at_hdmac.c
-@@ -241,10 +241,6 @@ static void atc_dostart(struct at_dma_chan *atchan, struct at_desc *first)
- 
- 	vdbg_dump_regs(atchan);
- 
--	/* clear any pending interrupt */
--	while (dma_readl(atdma, EBCISR))
--		cpu_relax();
--
- 	channel_writel(atchan, SADDR, 0);
- 	channel_writel(atchan, DADDR, 0);
- 	channel_writel(atchan, CTRLA, 0);
-diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c
-index d25599f..47408e8 100644
---- a/drivers/firmware/efivars.c
-+++ b/drivers/firmware/efivars.c
-@@ -191,6 +191,190 @@ utf16_strncmp(const efi_char16_t *a, const efi_char16_t *b, size_t len)
- 	}
- }
- 
-+static bool
-+validate_device_path(struct efi_variable *var, int match, u8 *buffer,
-+		     unsigned long len)
-+{
-+	struct efi_generic_dev_path *node;
-+	int offset = 0;
-+
-+	node = (struct efi_generic_dev_path *)buffer;
-+
-+	if (len < sizeof(*node))
-+		return false;
-+
-+	while (offset <= len - sizeof(*node) &&
-+	       node->length >= sizeof(*node) &&
-+		node->length <= len - offset) {
-+		offset += node->length;
-+
-+		if ((node->type == EFI_DEV_END_PATH ||
-+		     node->type == EFI_DEV_END_PATH2) &&
-+		    node->sub_type == EFI_DEV_END_ENTIRE)
-+			return true;
-+
-+		node = (struct efi_generic_dev_path *)(buffer + offset);
-+	}
-+
-+	/*
-+	 * If we're here then either node->length pointed past the end
-+	 * of the buffer or we reached the end of the buffer without
-+	 * finding a device path end node.
-+	 */
-+	return false;
-+}
-+
-+static bool
-+validate_boot_order(struct efi_variable *var, int match, u8 *buffer,
-+		    unsigned long len)
-+{
-+	/* An array of 16-bit integers */
-+	if ((len % 2) != 0)
-+		return false;
-+
-+	return true;
-+}
-+
-+static bool
-+validate_load_option(struct efi_variable *var, int match, u8 *buffer,
-+		     unsigned long len)
-+{
-+	u16 filepathlength;
-+	int i, desclength = 0, namelen;
-+
-+	namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName));
-+
-+	/* Either "Boot" or "Driver" followed by four digits of hex */
-+	for (i = match; i < match+4; i++) {
-+		if (var->VariableName[i] > 127 ||
-+		    hex_to_bin(var->VariableName[i] & 0xff) < 0)
-+			return true;
-+	}
-+
-+	/* Reject it if there's 4 digits of hex and then further content */
-+	if (namelen > match + 4)
-+		return false;
-+
-+	/* A valid entry must be at least 8 bytes */
-+	if (len < 8)
-+		return false;
-+
-+	filepathlength = buffer[4] | buffer[5] << 8;
-+
-+	/*
-+	 * There's no stored length for the description, so it has to be
-+	 * found by hand
-+	 */
-+	desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2;
-+
-+	/* Each boot entry must have a descriptor */
-+	if (!desclength)
-+		return false;
-+
-+	/*
-+	 * If the sum of the length of the description, the claimed filepath
-+	 * length and the original header are greater than the length of the
-+	 * variable, it's malformed
-+	 */
-+	if ((desclength + filepathlength + 6) > len)
-+		return false;
-+
-+	/*
-+	 * And, finally, check the filepath
-+	 */
-+	return validate_device_path(var, match, buffer + desclength + 6,
-+				    filepathlength);
-+}
-+
-+static bool
-+validate_uint16(struct efi_variable *var, int match, u8 *buffer,
-+		unsigned long len)
-+{
-+	/* A single 16-bit integer */
-+	if (len != 2)
-+		return false;
-+
-+	return true;
-+}
-+
-+static bool
-+validate_ascii_string(struct efi_variable *var, int match, u8 *buffer,
-+		      unsigned long len)
-+{
-+	int i;
-+
-+	for (i = 0; i < len; i++) {
-+		if (buffer[i] > 127)
-+			return false;
-+
-+		if (buffer[i] == 0)
-+			return true;
-+	}
-+
-+	return false;
-+}
-+
-+struct variable_validate {
-+	char *name;
-+	bool (*validate)(struct efi_variable *var, int match, u8 *data,
-+			 unsigned long len);
-+};
-+
-+static const struct variable_validate variable_validate[] = {
-+	{ "BootNext", validate_uint16 },
-+	{ "BootOrder", validate_boot_order },
-+	{ "DriverOrder", validate_boot_order },
-+	{ "Boot*", validate_load_option },
-+	{ "Driver*", validate_load_option },
-+	{ "ConIn", validate_device_path },
-+	{ "ConInDev", validate_device_path },
-+	{ "ConOut", validate_device_path },
-+	{ "ConOutDev", validate_device_path },
-+	{ "ErrOut", validate_device_path },
-+	{ "ErrOutDev", validate_device_path },
-+	{ "Timeout", validate_uint16 },
-+	{ "Lang", validate_ascii_string },
-+	{ "PlatformLang", validate_ascii_string },
-+	{ "", NULL },
-+};
-+
-+static bool
-+validate_var(struct efi_variable *var, u8 *data, unsigned long len)
-+{
-+	int i;
-+	u16 *unicode_name = var->VariableName;
-+
-+	for (i = 0; variable_validate[i].validate != NULL; i++) {
-+		const char *name = variable_validate[i].name;
-+		int match;
-+
-+		for (match = 0; ; match++) {
-+			char c = name[match];
-+			u16 u = unicode_name[match];
-+
-+			/* All special variables are plain ascii */
-+			if (u > 127)
-+				return true;
-+
-+			/* Wildcard in the matching name means we've matched */
-+			if (c == '*')
-+				return variable_validate[i].validate(var,
-+							     match, data, len);
-+
-+			/* Case sensitive match */
-+			if (c != u)
-+				break;
-+
-+			/* Reached the end of the string while matching */
-+			if (!c)
-+				return variable_validate[i].validate(var,
-+							     match, data, len);
-+		}
-+	}
-+
-+	return true;
-+}
-+
- static efi_status_t
- get_var_data_locked(struct efivars *efivars, struct efi_variable *var)
- {
-@@ -324,6 +508,12 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count)
- 		return -EINVAL;
- 	}
- 
-+	if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 ||
-+	    validate_var(new_var, new_var->Data, new_var->DataSize) == false) {
-+		printk(KERN_ERR "efivars: Malformed variable content\n");
-+		return -EINVAL;
-+	}
-+
- 	spin_lock(&efivars->lock);
- 	status = efivars->ops->set_variable(new_var->VariableName,
- 					    &new_var->VendorGuid,
-@@ -626,6 +816,12 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj,
- 	if (!capable(CAP_SYS_ADMIN))
- 		return -EACCES;
- 
-+	if ((new_var->Attributes & ~EFI_VARIABLE_MASK) != 0 ||
-+	    validate_var(new_var, new_var->Data, new_var->DataSize) == false) {
-+		printk(KERN_ERR "efivars: Malformed variable content\n");
-+		return -EINVAL;
-+	}
-+
- 	spin_lock(&efivars->lock);
- 
- 	/*
-diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-index 65e1f00..e159e33 100644
---- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
-@@ -1082,6 +1082,11 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
- 			return -EINVAL;
- 		}
- 
-+		if (args->num_cliprects > UINT_MAX / sizeof(*cliprects)) {
-+			DRM_DEBUG("execbuf with %u cliprects\n",
-+				  args->num_cliprects);
-+			return -EINVAL;
-+		}
- 		cliprects = kmalloc(args->num_cliprects * sizeof(*cliprects),
- 				    GFP_KERNEL);
- 		if (cliprects == NULL) {
-@@ -1353,7 +1358,8 @@ i915_gem_execbuffer2(struct drm_device *dev, void *data,
- 	struct drm_i915_gem_exec_object2 *exec2_list = NULL;
- 	int ret;
- 
--	if (args->buffer_count < 1) {
-+	if (args->buffer_count < 1 ||
-+	    args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
- 		DRM_ERROR("execbuf2 with %d buffers\n", args->buffer_count);
- 		return -EINVAL;
- 	}
-diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
-index 3e6429a..ac38d21 100644
---- a/drivers/gpu/drm/i915/i915_reg.h
-+++ b/drivers/gpu/drm/i915/i915_reg.h
-@@ -523,6 +523,7 @@
- #define   CM0_MASK_SHIFT          16
- #define   CM0_IZ_OPT_DISABLE      (1<<6)
- #define   CM0_ZR_OPT_DISABLE      (1<<5)
-+#define	  CM0_STC_EVICT_DISABLE_LRA_SNB	(1<<5)
- #define   CM0_DEPTH_EVICT_DISABLE (1<<4)
- #define   CM0_COLOR_EVICT_DISABLE (1<<3)
- #define   CM0_DEPTH_WRITE_DISABLE (1<<1)
-diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c
-index cbc3c04..99f71af 100644
---- a/drivers/gpu/drm/i915/intel_ringbuffer.c
-+++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
-@@ -417,6 +417,14 @@ static int init_render_ring(struct intel_ring_buffer *ring)
- 	if (INTEL_INFO(dev)->gen >= 6) {
- 		I915_WRITE(INSTPM,
- 			   INSTPM_FORCE_ORDERING << 16 | INSTPM_FORCE_ORDERING);
-+
-+		/* From the Sandybridge PRM, volume 1 part 3, page 24:
-+		 * "If this bit is set, STCunit will have LRA as replacement
-+		 *  policy. [...] This bit must be reset.  LRA replacement
-+		 *  policy is not supported."
-+		 */
-+		I915_WRITE(CACHE_MODE_0,
-+			   CM0_STC_EVICT_DISABLE_LRA_SNB << CM0_MASK_SHIFT);
- 	}
- 
- 	return ret;
-diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
-index e334ec3..0a877dd 100644
---- a/drivers/gpu/drm/i915/intel_sdvo.c
-+++ b/drivers/gpu/drm/i915/intel_sdvo.c
-@@ -731,6 +731,7 @@ static void intel_sdvo_get_dtd_from_mode(struct intel_sdvo_dtd *dtd,
- 	uint16_t width, height;
- 	uint16_t h_blank_len, h_sync_len, v_blank_len, v_sync_len;
- 	uint16_t h_sync_offset, v_sync_offset;
-+	int mode_clock;
- 
- 	width = mode->crtc_hdisplay;
- 	height = mode->crtc_vdisplay;
-@@ -745,7 +746,11 @@ static void intel_sdvo_get_dtd_from_mode(struct intel_sdvo_dtd *dtd,
- 	h_sync_offset = mode->crtc_hsync_start - mode->crtc_hblank_start;
- 	v_sync_offset = mode->crtc_vsync_start - mode->crtc_vblank_start;
- 
--	dtd->part1.clock = mode->clock / 10;
-+	mode_clock = mode->clock;
-+	mode_clock /= intel_mode_get_pixel_multiplier(mode) ?: 1;
-+	mode_clock /= 10;
-+	dtd->part1.clock = mode_clock;
-+
- 	dtd->part1.h_active = width & 0xff;
- 	dtd->part1.h_blank = h_blank_len & 0xff;
- 	dtd->part1.h_high = (((width >> 8) & 0xf) << 4) |
-@@ -997,7 +1002,7 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder,
- 	struct intel_sdvo *intel_sdvo = to_intel_sdvo(encoder);
- 	u32 sdvox;
- 	struct intel_sdvo_in_out_map in_out;
--	struct intel_sdvo_dtd input_dtd;
-+	struct intel_sdvo_dtd input_dtd, output_dtd;
- 	int pixel_multiplier = intel_mode_get_pixel_multiplier(adjusted_mode);
- 	int rate;
- 
-@@ -1022,20 +1027,13 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder,
- 					  intel_sdvo->attached_output))
- 		return;
- 
--	/* We have tried to get input timing in mode_fixup, and filled into
--	 * adjusted_mode.
--	 */
--	if (intel_sdvo->is_tv || intel_sdvo->is_lvds) {
--		input_dtd = intel_sdvo->input_dtd;
--	} else {
--		/* Set the output timing to the screen */
--		if (!intel_sdvo_set_target_output(intel_sdvo,
--						  intel_sdvo->attached_output))
--			return;
--
--		intel_sdvo_get_dtd_from_mode(&input_dtd, adjusted_mode);
--		(void) intel_sdvo_set_output_timing(intel_sdvo, &input_dtd);
--	}
-+	/* lvds has a special fixed output timing. */
-+	if (intel_sdvo->is_lvds)
-+		intel_sdvo_get_dtd_from_mode(&output_dtd,
-+					     intel_sdvo->sdvo_lvds_fixed_mode);
-+	else
-+		intel_sdvo_get_dtd_from_mode(&output_dtd, mode);
-+	(void) intel_sdvo_set_output_timing(intel_sdvo, &output_dtd);
- 
- 	/* Set the input timing to the screen. Assume always input 0. */
- 	if (!intel_sdvo_set_target_input(intel_sdvo))
-@@ -1053,6 +1051,10 @@ static void intel_sdvo_mode_set(struct drm_encoder *encoder,
- 	    !intel_sdvo_set_tv_format(intel_sdvo))
- 		return;
- 
-+	/* We have tried to get input timing in mode_fixup, and filled into
-+	 * adjusted_mode.
-+	 */
-+	intel_sdvo_get_dtd_from_mode(&input_dtd, adjusted_mode);
- 	(void) intel_sdvo_set_input_timing(intel_sdvo, &input_dtd);
- 
- 	switch (pixel_multiplier) {
-diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c
-index 7814a76..284bd25 100644
---- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
-+++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
-@@ -270,7 +270,7 @@ static bool nouveau_dsm_detect(void)
- 	struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name};
- 	struct pci_dev *pdev = NULL;
- 	int has_dsm = 0;
--	int has_optimus;
-+	int has_optimus = 0;
- 	int vga_count = 0;
- 	bool guid_valid;
- 	int retval;
-diff --git a/drivers/gpu/drm/radeon/atombios_crtc.c b/drivers/gpu/drm/radeon/atombios_crtc.c
-index 24ed306..2dab552 100644
---- a/drivers/gpu/drm/radeon/atombios_crtc.c
-+++ b/drivers/gpu/drm/radeon/atombios_crtc.c
-@@ -912,8 +912,8 @@ static void atombios_crtc_set_pll(struct drm_crtc *crtc, struct drm_display_mode
- 		break;
- 	}
- 
--	if (radeon_encoder->active_device &
--	    (ATOM_DEVICE_LCD_SUPPORT | ATOM_DEVICE_DFP_SUPPORT)) {
-+	if ((radeon_encoder->active_device & (ATOM_DEVICE_LCD_SUPPORT | ATOM_DEVICE_DFP_SUPPORT)) ||
-+	    (radeon_encoder_get_dp_bridge_encoder_id(encoder) != ENCODER_OBJECT_ID_NONE)) {
- 		struct radeon_encoder_atom_dig *dig = radeon_encoder->enc_priv;
- 		struct drm_connector *connector =
- 			radeon_get_connector_for_encoder(encoder);
-diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
-index a6c6ec3..1248ee4 100644
---- a/drivers/hwmon/coretemp.c
-+++ b/drivers/hwmon/coretemp.c
-@@ -51,7 +51,7 @@ module_param_named(tjmax, force_tjmax, int, 0444);
- MODULE_PARM_DESC(tjmax, "TjMax value in degrees Celsius");
- 
- #define BASE_SYSFS_ATTR_NO	2	/* Sysfs Base attr no for coretemp */
--#define NUM_REAL_CORES		16	/* Number of Real cores per cpu */
-+#define NUM_REAL_CORES		32	/* Number of Real cores per cpu */
- #define CORETEMP_NAME_LENGTH	17	/* String Length of attrs */
- #define MAX_CORE_ATTRS		4	/* Maximum no of basic attrs */
- #define TOTAL_ATTRS		(MAX_CORE_ATTRS + 1)
-@@ -708,6 +708,10 @@ static void __cpuinit put_core_offline(unsigned int cpu)
- 
- 	indx = TO_ATTR_NO(cpu);
- 
-+	/* The core id is too big, just return */
-+	if (indx > MAX_CORE_DATA - 1)
-+		return;
-+
- 	if (pdata->core_data[indx] && pdata->core_data[indx]->cpu == cpu)
- 		coretemp_remove_core(pdata, &pdev->dev, indx);
- 
-diff --git a/drivers/hwmon/fam15h_power.c b/drivers/hwmon/fam15h_power.c
-index 930370d..9a4c3ab 100644
---- a/drivers/hwmon/fam15h_power.c
-+++ b/drivers/hwmon/fam15h_power.c
-@@ -122,6 +122,41 @@ static bool __devinit fam15h_power_is_internal_node0(struct pci_dev *f4)
- 	return true;
- }
- 
-+/*
-+ * Newer BKDG versions have an updated recommendation on how to properly
-+ * initialize the running average range (was: 0xE, now: 0x9). This avoids
-+ * counter saturations resulting in bogus power readings.
-+ * We correct this value ourselves to cope with older BIOSes.
-+ */
-+static DEFINE_PCI_DEVICE_TABLE(affected_device) = {
-+	{ PCI_VDEVICE(AMD, PCI_DEVICE_ID_AMD_15H_NB_F4) },
-+	{ 0 }
-+};
-+
-+static void __devinit tweak_runavg_range(struct pci_dev *pdev)
-+{
-+	u32 val;
-+
-+	/*
-+	 * let this quirk apply only to the current version of the
-+	 * northbridge, since future versions may change the behavior
-+	 */
-+	if (!pci_match_id(affected_device, pdev))
-+		return;
-+
-+	pci_bus_read_config_dword(pdev->bus,
-+		PCI_DEVFN(PCI_SLOT(pdev->devfn), 5),
-+		REG_TDP_RUNNING_AVERAGE, &val);
-+	if ((val & 0xf) != 0xe)
-+		return;
-+
-+	val &= ~0xf;
-+	val |=  0x9;
-+	pci_bus_write_config_dword(pdev->bus,
-+		PCI_DEVFN(PCI_SLOT(pdev->devfn), 5),
-+		REG_TDP_RUNNING_AVERAGE, val);
-+}
-+
- static void __devinit fam15h_power_init_data(struct pci_dev *f4,
- 					     struct fam15h_power_data *data)
- {
-@@ -155,6 +190,13 @@ static int __devinit fam15h_power_probe(struct pci_dev *pdev,
- 	struct device *dev;
- 	int err;
- 
-+	/*
-+	 * though we ignore every other northbridge, we still have to
-+	 * do the tweaking on _each_ node in MCM processors as the counters
-+	 * are working hand-in-hand
-+	 */
-+	tweak_runavg_range(pdev);
-+
- 	if (!fam15h_power_is_internal_node0(pdev)) {
- 		err = -ENODEV;
- 		goto exit;
-diff --git a/drivers/i2c/busses/i2c-pnx.c b/drivers/i2c/busses/i2c-pnx.c
-index 04be9f8..eb8ad53 100644
---- a/drivers/i2c/busses/i2c-pnx.c
-+++ b/drivers/i2c/busses/i2c-pnx.c
-@@ -546,8 +546,7 @@ static int i2c_pnx_controller_suspend(struct platform_device *pdev,
- {
- 	struct i2c_pnx_algo_data *alg_data = platform_get_drvdata(pdev);
- 
--	/* FIXME: shouldn't this be clk_disable? */
--	clk_enable(alg_data->clk);
-+	clk_disable(alg_data->clk);
- 
- 	return 0;
- }
-diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
-index 8081a0a..a4b14a4 100644
---- a/drivers/input/mouse/synaptics.c
-+++ b/drivers/input/mouse/synaptics.c
-@@ -274,7 +274,8 @@ static int synaptics_set_advanced_gesture_mode(struct psmouse *psmouse)
- 	static unsigned char param = 0xc8;
- 	struct synaptics_data *priv = psmouse->private;
- 
--	if (!SYN_CAP_ADV_GESTURE(priv->ext_cap_0c))
-+	if (!(SYN_CAP_ADV_GESTURE(priv->ext_cap_0c) ||
-+	      SYN_CAP_IMAGE_SENSOR(priv->ext_cap_0c)))
- 		return 0;
- 
- 	if (psmouse_sliced_command(psmouse, SYN_QUE_MODEL))
-diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
-index 360f2b9..d1162e5 100644
---- a/drivers/md/raid5.c
-+++ b/drivers/md/raid5.c
-@@ -3277,12 +3277,14 @@ static void analyse_stripe(struct stripe_head *sh, struct stripe_head_state *s)
- 		/* If there is a failed device being replaced,
- 		 *     we must be recovering.
- 		 * else if we are after recovery_cp, we must be syncing
-+		 * else if MD_RECOVERY_REQUESTED is set, we also are syncing.
- 		 * else we can only be replacing
- 		 * sync and recovery both need to read all devices, and so
- 		 * use the same flag.
- 		 */
- 		if (do_recovery ||
--		    sh->sector >= conf->mddev->recovery_cp)
-+		    sh->sector >= conf->mddev->recovery_cp ||
-+		    test_bit(MD_RECOVERY_REQUESTED, &(conf->mddev->recovery)))
- 			s->syncing = 1;
- 		else
- 			s->replacing = 1;
-diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
-index 23ffb1b..11ab4a4 100644
---- a/drivers/net/wireless/b43/main.c
-+++ b/drivers/net/wireless/b43/main.c
-@@ -4841,8 +4841,14 @@ static int b43_op_start(struct ieee80211_hw *hw)
-  out_mutex_unlock:
- 	mutex_unlock(&wl->mutex);
- 
--	/* reload configuration */
--	b43_op_config(hw, ~0);
-+	/*
-+	 * Configuration may have been overwritten during initialization.
-+	 * Reload the configuration, but only if initialization was
-+	 * successful. Reloading the configuration after a failed init
-+	 * may hang the system.
-+	 */
-+	if (!err)
-+		b43_op_config(hw, ~0);
- 
- 	return err;
- }
-diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c
-index 4fcdac6..cb33e6c 100644
---- a/drivers/net/wireless/ipw2x00/ipw2200.c
-+++ b/drivers/net/wireless/ipw2x00/ipw2200.c
-@@ -2191,6 +2191,7 @@ static int __ipw_send_cmd(struct ipw_priv *priv, struct host_cmd *cmd)
- {
- 	int rc = 0;
- 	unsigned long flags;
-+	unsigned long now, end;
- 
- 	spin_lock_irqsave(&priv->lock, flags);
- 	if (priv->status & STATUS_HCMD_ACTIVE) {
-@@ -2232,10 +2233,20 @@ static int __ipw_send_cmd(struct ipw_priv *priv, struct host_cmd *cmd)
- 	}
- 	spin_unlock_irqrestore(&priv->lock, flags);
- 
-+	now = jiffies;
-+	end = now + HOST_COMPLETE_TIMEOUT;
-+again:
- 	rc = wait_event_interruptible_timeout(priv->wait_command_queue,
- 					      !(priv->
- 						status & STATUS_HCMD_ACTIVE),
--					      HOST_COMPLETE_TIMEOUT);
-+					      end - now);
-+	if (rc < 0) {
-+		now = jiffies;
-+		if (time_before(now, end))
-+			goto again;
-+		rc = 0;
-+	}
-+
- 	if (rc == 0) {
- 		spin_lock_irqsave(&priv->lock, flags);
- 		if (priv->status & STATUS_HCMD_ACTIVE) {
-diff --git a/drivers/net/wireless/iwlwifi/iwl-1000.c b/drivers/net/wireless/iwlwifi/iwl-1000.c
-index 1ef7bfc..9fcd417 100644
---- a/drivers/net/wireless/iwlwifi/iwl-1000.c
-+++ b/drivers/net/wireless/iwlwifi/iwl-1000.c
-@@ -45,8 +45,8 @@
- #include "iwl-cfg.h"
- 
- /* Highest firmware API version supported */
--#define IWL1000_UCODE_API_MAX 6
--#define IWL100_UCODE_API_MAX 6
-+#define IWL1000_UCODE_API_MAX 5
-+#define IWL100_UCODE_API_MAX 5
- 
- /* Oldest version we won't warn about */
- #define IWL1000_UCODE_API_OK 5
-@@ -235,5 +235,5 @@ struct iwl_cfg iwl100_bg_cfg = {
- 	IWL_DEVICE_100,
- };
- 
--MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_MAX));
--MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_MAX));
-+MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_OK));
-+MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_OK));
-diff --git a/drivers/net/wireless/iwlwifi/iwl-2000.c b/drivers/net/wireless/iwlwifi/iwl-2000.c
-index 0946933..369d6b1 100644
---- a/drivers/net/wireless/iwlwifi/iwl-2000.c
-+++ b/drivers/net/wireless/iwlwifi/iwl-2000.c
-@@ -51,10 +51,10 @@
- #define IWL135_UCODE_API_MAX 6
- 
- /* Oldest version we won't warn about */
--#define IWL2030_UCODE_API_OK 5
--#define IWL2000_UCODE_API_OK 5
--#define IWL105_UCODE_API_OK 5
--#define IWL135_UCODE_API_OK 5
-+#define IWL2030_UCODE_API_OK 6
-+#define IWL2000_UCODE_API_OK 6
-+#define IWL105_UCODE_API_OK 6
-+#define IWL135_UCODE_API_OK 6
- 
- /* Lowest firmware API version supported */
- #define IWL2030_UCODE_API_MIN 5
-@@ -338,7 +338,7 @@ struct iwl_cfg iwl135_bgn_cfg = {
- 	.ht_params = &iwl2000_ht_params,
- };
- 
--MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_MAX));
--MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_MAX));
--MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_MAX));
--MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_MAX));
-+MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_OK));
-+MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_OK));
-+MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_OK));
-+MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_OK));
-diff --git a/drivers/net/wireless/iwlwifi/iwl-5000.c b/drivers/net/wireless/iwlwifi/iwl-5000.c
-index b3a365f..3ce542e 100644
---- a/drivers/net/wireless/iwlwifi/iwl-5000.c
-+++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
-@@ -50,6 +50,10 @@
- #define IWL5000_UCODE_API_MAX 5
- #define IWL5150_UCODE_API_MAX 2
- 
-+/* Oldest version we won't warn about */
-+#define IWL5000_UCODE_API_OK 5
-+#define IWL5150_UCODE_API_OK 2
-+
- /* Lowest firmware API version supported */
- #define IWL5000_UCODE_API_MIN 1
- #define IWL5150_UCODE_API_MIN 1
-@@ -359,6 +363,7 @@ static struct iwl_ht_params iwl5000_ht_params = {
- #define IWL_DEVICE_5000						\
- 	.fw_name_pre = IWL5000_FW_PRE,				\
- 	.ucode_api_max = IWL5000_UCODE_API_MAX,			\
-+	.ucode_api_ok = IWL5000_UCODE_API_OK,			\
- 	.ucode_api_min = IWL5000_UCODE_API_MIN,			\
- 	.eeprom_ver = EEPROM_5000_EEPROM_VERSION,		\
- 	.eeprom_calib_ver = EEPROM_5000_TX_POWER_VERSION,	\
-@@ -402,6 +407,7 @@ struct iwl_cfg iwl5350_agn_cfg = {
- 	.name = "Intel(R) WiMAX/WiFi Link 5350 AGN",
- 	.fw_name_pre = IWL5000_FW_PRE,
- 	.ucode_api_max = IWL5000_UCODE_API_MAX,
-+	.ucode_api_ok = IWL5000_UCODE_API_OK,
- 	.ucode_api_min = IWL5000_UCODE_API_MIN,
- 	.eeprom_ver = EEPROM_5050_EEPROM_VERSION,
- 	.eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION,
-@@ -415,6 +421,7 @@ struct iwl_cfg iwl5350_agn_cfg = {
- #define IWL_DEVICE_5150						\
- 	.fw_name_pre = IWL5150_FW_PRE,				\
- 	.ucode_api_max = IWL5150_UCODE_API_MAX,			\
-+	.ucode_api_ok = IWL5150_UCODE_API_OK,			\
- 	.ucode_api_min = IWL5150_UCODE_API_MIN,			\
- 	.eeprom_ver = EEPROM_5050_EEPROM_VERSION,		\
- 	.eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION,	\
-@@ -436,5 +443,5 @@ struct iwl_cfg iwl5150_abg_cfg = {
- 	IWL_DEVICE_5150,
- };
- 
--MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_MAX));
--MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_MAX));
-+MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_OK));
-+MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_OK));
-diff --git a/drivers/net/wireless/iwlwifi/iwl-6000.c b/drivers/net/wireless/iwlwifi/iwl-6000.c
-index 54b7533..cf806ae 100644
---- a/drivers/net/wireless/iwlwifi/iwl-6000.c
-+++ b/drivers/net/wireless/iwlwifi/iwl-6000.c
-@@ -53,6 +53,8 @@
- /* Oldest version we won't warn about */
- #define IWL6000_UCODE_API_OK 4
- #define IWL6000G2_UCODE_API_OK 5
-+#define IWL6050_UCODE_API_OK 5
-+#define IWL6000G2B_UCODE_API_OK 6
- 
- /* Lowest firmware API version supported */
- #define IWL6000_UCODE_API_MIN 4
-@@ -389,7 +391,7 @@ struct iwl_cfg iwl6005_2agn_d_cfg = {
- #define IWL_DEVICE_6030						\
- 	.fw_name_pre = IWL6030_FW_PRE,				\
- 	.ucode_api_max = IWL6000G2_UCODE_API_MAX,		\
--	.ucode_api_ok = IWL6000G2_UCODE_API_OK,			\
-+	.ucode_api_ok = IWL6000G2B_UCODE_API_OK,		\
- 	.ucode_api_min = IWL6000G2_UCODE_API_MIN,		\
- 	.eeprom_ver = EEPROM_6030_EEPROM_VERSION,		\
- 	.eeprom_calib_ver = EEPROM_6030_TX_POWER_VERSION,	\
-@@ -548,6 +550,6 @@ struct iwl_cfg iwl6000_3agn_cfg = {
- };
- 
- MODULE_FIRMWARE(IWL6000_MODULE_FIRMWARE(IWL6000_UCODE_API_OK));
--MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_MAX));
--MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX));
--MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX));
-+MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_OK));
-+MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_OK));
-+MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2B_UCODE_API_OK));
-diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c
-index b5c7c5f..2db9cd7 100644
---- a/drivers/net/wireless/iwlwifi/iwl-agn.c
-+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
-@@ -1403,7 +1403,6 @@ static void iwl_bg_run_time_calib_work(struct work_struct *work)
- 
- void iwlagn_prepare_restart(struct iwl_priv *priv)
- {
--	struct iwl_rxon_context *ctx;
- 	bool bt_full_concurrent;
- 	u8 bt_ci_compliance;
- 	u8 bt_load;
-@@ -1412,8 +1411,6 @@ void iwlagn_prepare_restart(struct iwl_priv *priv)
- 
- 	lockdep_assert_held(&priv->shrd->mutex);
- 
--	for_each_context(priv, ctx)
--		ctx->vif = NULL;
- 	priv->is_open = 0;
- 
- 	/*
-diff --git a/drivers/net/wireless/iwlwifi/iwl-fh.h b/drivers/net/wireless/iwlwifi/iwl-fh.h
-index 5bede9d..aae992a 100644
---- a/drivers/net/wireless/iwlwifi/iwl-fh.h
-+++ b/drivers/net/wireless/iwlwifi/iwl-fh.h
-@@ -104,15 +104,29 @@
-  * (see struct iwl_tfd_frame).  These 16 pointer registers are offset by 0x04
-  * bytes from one another.  Each TFD circular buffer in DRAM must be 256-byte
-  * aligned (address bits 0-7 must be 0).
-+ * Later devices have 20 (5000 series) or 30 (higher) queues, but the registers
-+ * for them are in different places.
-  *
-  * Bit fields in each pointer register:
-  *  27-0: TFD CB physical base address [35:8], must be 256-byte aligned
-  */
--#define FH_MEM_CBBC_LOWER_BOUND          (FH_MEM_LOWER_BOUND + 0x9D0)
--#define FH_MEM_CBBC_UPPER_BOUND          (FH_MEM_LOWER_BOUND + 0xA10)
--
--/* Find TFD CB base pointer for given queue (range 0-15). */
--#define FH_MEM_CBBC_QUEUE(x)  (FH_MEM_CBBC_LOWER_BOUND + (x) * 0x4)
-+#define FH_MEM_CBBC_0_15_LOWER_BOUND		(FH_MEM_LOWER_BOUND + 0x9D0)
-+#define FH_MEM_CBBC_0_15_UPPER_BOUND		(FH_MEM_LOWER_BOUND + 0xA10)
-+#define FH_MEM_CBBC_16_19_LOWER_BOUND		(FH_MEM_LOWER_BOUND + 0xBF0)
-+#define FH_MEM_CBBC_16_19_UPPER_BOUND		(FH_MEM_LOWER_BOUND + 0xC00)
-+#define FH_MEM_CBBC_20_31_LOWER_BOUND		(FH_MEM_LOWER_BOUND + 0xB20)
-+#define FH_MEM_CBBC_20_31_UPPER_BOUND		(FH_MEM_LOWER_BOUND + 0xB80)
-+
-+/* Find TFD CB base pointer for given queue */
-+static inline unsigned int FH_MEM_CBBC_QUEUE(unsigned int chnl)
-+{
-+	if (chnl < 16)
-+		return FH_MEM_CBBC_0_15_LOWER_BOUND + 4 * chnl;
-+	if (chnl < 20)
-+		return FH_MEM_CBBC_16_19_LOWER_BOUND + 4 * (chnl - 16);
-+	WARN_ON_ONCE(chnl >= 32);
-+	return FH_MEM_CBBC_20_31_LOWER_BOUND + 4 * (chnl - 20);
-+}
- 
- 
- /**
-diff --git a/drivers/net/wireless/iwlwifi/iwl-mac80211.c b/drivers/net/wireless/iwlwifi/iwl-mac80211.c
-index f980e57..4fd5199 100644
---- a/drivers/net/wireless/iwlwifi/iwl-mac80211.c
-+++ b/drivers/net/wireless/iwlwifi/iwl-mac80211.c
-@@ -1226,6 +1226,7 @@ static int iwlagn_mac_add_interface(struct ieee80211_hw *hw,
- 	struct iwl_rxon_context *tmp, *ctx = NULL;
- 	int err;
- 	enum nl80211_iftype viftype = ieee80211_vif_type_p2p(vif);
-+	bool reset = false;
- 
- 	IWL_DEBUG_MAC80211(priv, "enter: type %d, addr %pM\n",
- 			   viftype, vif->addr);
-@@ -1247,6 +1248,13 @@ static int iwlagn_mac_add_interface(struct ieee80211_hw *hw,
- 			tmp->interface_modes | tmp->exclusive_interface_modes;
- 
- 		if (tmp->vif) {
-+			/* On reset we need to add the same interface again */
-+			if (tmp->vif == vif) {
-+				reset = true;
-+				ctx = tmp;
-+				break;
-+			}
-+
- 			/* check if this busy context is exclusive */
- 			if (tmp->exclusive_interface_modes &
- 						BIT(tmp->vif->type)) {
-@@ -1273,7 +1281,7 @@ static int iwlagn_mac_add_interface(struct ieee80211_hw *hw,
- 	ctx->vif = vif;
- 
- 	err = iwl_setup_interface(priv, ctx);
--	if (!err)
-+	if (!err || reset)
- 		goto out;
- 
- 	ctx->vif = NULL;
-diff --git a/drivers/net/wireless/iwlwifi/iwl-prph.h b/drivers/net/wireless/iwlwifi/iwl-prph.h
-index bebdd82..d9b089e 100644
---- a/drivers/net/wireless/iwlwifi/iwl-prph.h
-+++ b/drivers/net/wireless/iwlwifi/iwl-prph.h
-@@ -227,12 +227,33 @@
- #define SCD_AIT			(SCD_BASE + 0x0c)
- #define SCD_TXFACT		(SCD_BASE + 0x10)
- #define SCD_ACTIVE		(SCD_BASE + 0x14)
--#define SCD_QUEUE_WRPTR(x)	(SCD_BASE + 0x18 + (x) * 4)
--#define SCD_QUEUE_RDPTR(x)	(SCD_BASE + 0x68 + (x) * 4)
- #define SCD_QUEUECHAIN_SEL	(SCD_BASE + 0xe8)
- #define SCD_AGGR_SEL		(SCD_BASE + 0x248)
- #define SCD_INTERRUPT_MASK	(SCD_BASE + 0x108)
--#define SCD_QUEUE_STATUS_BITS(x)	(SCD_BASE + 0x10c + (x) * 4)
-+
-+static inline unsigned int SCD_QUEUE_WRPTR(unsigned int chnl)
-+{
-+	if (chnl < 20)
-+		return SCD_BASE + 0x18 + chnl * 4;
-+	WARN_ON_ONCE(chnl >= 32);
-+	return SCD_BASE + 0x284 + (chnl - 20) * 4;
-+}
-+
-+static inline unsigned int SCD_QUEUE_RDPTR(unsigned int chnl)
-+{
-+	if (chnl < 20)
-+		return SCD_BASE + 0x68 + chnl * 4;
-+	WARN_ON_ONCE(chnl >= 32);
-+	return SCD_BASE + 0x2B4 + (chnl - 20) * 4;
-+}
-+
-+static inline unsigned int SCD_QUEUE_STATUS_BITS(unsigned int chnl)
-+{
-+	if (chnl < 20)
-+		return SCD_BASE + 0x10c + chnl * 4;
-+	WARN_ON_ONCE(chnl >= 32);
-+	return SCD_BASE + 0x384 + (chnl - 20) * 4;
-+}
- 
- /*********************** END TX SCHEDULER *************************************/
- 
-diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c
-index c694cae..b588ca8 100644
---- a/drivers/net/wireless/rtlwifi/pci.c
-+++ b/drivers/net/wireless/rtlwifi/pci.c
-@@ -1955,6 +1955,7 @@ void rtl_pci_disconnect(struct pci_dev *pdev)
- 		rtl_deinit_deferred_work(hw);
- 		rtlpriv->intf_ops->adapter_stop(hw);
- 	}
-+	rtlpriv->cfg->ops->disable_interrupt(hw);
- 
- 	/*deinit rfkill */
- 	rtl_deinit_rfkill(hw);
-diff --git a/drivers/net/wireless/wl1251/main.c b/drivers/net/wireless/wl1251/main.c
-index ba3268e..40c1574 100644
---- a/drivers/net/wireless/wl1251/main.c
-+++ b/drivers/net/wireless/wl1251/main.c
-@@ -479,6 +479,7 @@ static void wl1251_op_stop(struct ieee80211_hw *hw)
- 	cancel_work_sync(&wl->irq_work);
- 	cancel_work_sync(&wl->tx_work);
- 	cancel_work_sync(&wl->filter_work);
-+	cancel_delayed_work_sync(&wl->elp_work);
- 
- 	mutex_lock(&wl->mutex);
- 
-diff --git a/drivers/net/wireless/wl1251/sdio.c b/drivers/net/wireless/wl1251/sdio.c
-index f786942..1b851f6 100644
---- a/drivers/net/wireless/wl1251/sdio.c
-+++ b/drivers/net/wireless/wl1251/sdio.c
-@@ -315,8 +315,8 @@ static void __devexit wl1251_sdio_remove(struct sdio_func *func)
- 
- 	if (wl->irq)
- 		free_irq(wl->irq, wl);
--	kfree(wl_sdio);
- 	wl1251_free_hw(wl);
-+	kfree(wl_sdio);
- 
- 	sdio_claim_host(func);
- 	sdio_release_irq(func);
-diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c
-index 92e42d4..1d3bcce 100644
---- a/drivers/platform/x86/dell-laptop.c
-+++ b/drivers/platform/x86/dell-laptop.c
-@@ -211,6 +211,7 @@ static struct dmi_system_id __devinitdata dell_quirks[] = {
- 		},
- 		.driver_data = &quirk_dell_vostro_v130,
- 	},
-+	{ }
- };
- 
- static struct calling_interface_buffer *buffer;
-diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
-index 1b831c5..e48ba4b 100644
---- a/drivers/scsi/libsas/sas_expander.c
-+++ b/drivers/scsi/libsas/sas_expander.c
-@@ -192,7 +192,14 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id,
- 	phy->attached_sata_ps   = dr->attached_sata_ps;
- 	phy->attached_iproto = dr->iproto << 1;
- 	phy->attached_tproto = dr->tproto << 1;
--	memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE);
-+	/* help some expanders that fail to zero sas_address in the 'no
-+	 * device' case
-+	 */
-+	if (phy->attached_dev_type == NO_DEVICE ||
-+	    phy->linkrate < SAS_LINK_RATE_1_5_GBPS)
-+		memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE);
-+	else
-+		memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE);
- 	phy->attached_phy_id = dr->attached_phy_id;
- 	phy->phy_change_count = dr->change_count;
- 	phy->routing_attr = dr->routing_attr;
-@@ -1643,9 +1650,17 @@ static int sas_find_bcast_phy(struct domain_device *dev, int *phy_id,
- 		int phy_change_count = 0;
- 
- 		res = sas_get_phy_change_count(dev, i, &phy_change_count);
--		if (res)
--			goto out;
--		else if (phy_change_count != ex->ex_phy[i].phy_change_count) {
-+		switch (res) {
-+		case SMP_RESP_PHY_VACANT:
-+		case SMP_RESP_NO_PHY:
-+			continue;
-+		case SMP_RESP_FUNC_ACC:
-+			break;
-+		default:
-+			return res;
-+		}
-+
-+		if (phy_change_count != ex->ex_phy[i].phy_change_count) {
- 			if (update)
- 				ex->ex_phy[i].phy_change_count =
- 					phy_change_count;
-@@ -1653,8 +1668,7 @@ static int sas_find_bcast_phy(struct domain_device *dev, int *phy_id,
- 			return 0;
- 		}
- 	}
--out:
--	return res;
-+	return 0;
- }
- 
- static int sas_get_ex_change_count(struct domain_device *dev, int *ecc)
-diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
-index 2f085fb..7b45f66 100644
---- a/drivers/usb/class/cdc-wdm.c
-+++ b/drivers/usb/class/cdc-wdm.c
-@@ -108,8 +108,9 @@ static void wdm_out_callback(struct urb *urb)
- 	spin_lock(&desc->iuspin);
- 	desc->werr = urb->status;
- 	spin_unlock(&desc->iuspin);
--	clear_bit(WDM_IN_USE, &desc->flags);
- 	kfree(desc->outbuf);
-+	desc->outbuf = NULL;
-+	clear_bit(WDM_IN_USE, &desc->flags);
- 	wake_up(&desc->wait);
- }
- 
-@@ -312,7 +313,7 @@ static ssize_t wdm_write
- 	if (we < 0)
- 		return -EIO;
- 
--	desc->outbuf = buf = kmalloc(count, GFP_KERNEL);
-+	buf = kmalloc(count, GFP_KERNEL);
- 	if (!buf) {
- 		rv = -ENOMEM;
- 		goto outnl;
-@@ -376,10 +377,12 @@ static ssize_t wdm_write
- 	req->wIndex = desc->inum;
- 	req->wLength = cpu_to_le16(count);
- 	set_bit(WDM_IN_USE, &desc->flags);
-+	desc->outbuf = buf;
- 
- 	rv = usb_submit_urb(desc->command, GFP_KERNEL);
- 	if (rv < 0) {
- 		kfree(buf);
-+		desc->outbuf = NULL;
- 		clear_bit(WDM_IN_USE, &desc->flags);
- 		dev_err(&desc->intf->dev, "Tx URB error: %d\n", rv);
- 	} else {
-diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c
-index 81e2c0d..c4dfcc0 100644
---- a/drivers/usb/core/hcd-pci.c
-+++ b/drivers/usb/core/hcd-pci.c
-@@ -491,6 +491,15 @@ static int hcd_pci_suspend_noirq(struct device *dev)
- 
- 	pci_save_state(pci_dev);
- 
-+	/*
-+	 * Some systems crash if an EHCI controller is in D3 during
-+	 * a sleep transition.  We have to leave such controllers in D0.
-+	 */
-+	if (hcd->broken_pci_sleep) {
-+		dev_dbg(dev, "Staying in PCI D0\n");
-+		return retval;
-+	}
-+
- 	/* If the root hub is dead rather than suspended, disallow remote
- 	 * wakeup.  usb_hc_died() should ensure that both hosts are marked as
- 	 * dying, so we only need to check the primary roothub.
-diff --git a/drivers/usb/gadget/dummy_hcd.c b/drivers/usb/gadget/dummy_hcd.c
-index db815c2..9098642 100644
---- a/drivers/usb/gadget/dummy_hcd.c
-+++ b/drivers/usb/gadget/dummy_hcd.c
-@@ -924,7 +924,6 @@ static int dummy_udc_stop(struct usb_gadget *g,
- 
- 	dum->driver = NULL;
- 
--	dummy_pullup(&dum->gadget, 0);
- 	return 0;
- }
- 
-diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c
-index ee8ceec..1d7682d 100644
---- a/drivers/usb/gadget/f_mass_storage.c
-+++ b/drivers/usb/gadget/f_mass_storage.c
-@@ -2190,7 +2190,7 @@ unknown_cmnd:
- 		common->data_size_from_cmnd = 0;
- 		sprintf(unknown, "Unknown x%02x", common->cmnd[0]);
- 		reply = check_command(common, common->cmnd_size,
--				      DATA_DIR_UNKNOWN, 0xff, 0, unknown);
-+				      DATA_DIR_UNKNOWN, ~0, 0, unknown);
- 		if (reply == 0) {
- 			common->curlun->sense_data = SS_INVALID_COMMAND;
- 			reply = -EINVAL;
-diff --git a/drivers/usb/gadget/file_storage.c b/drivers/usb/gadget/file_storage.c
-index 47766f0..18d96e0 100644
---- a/drivers/usb/gadget/file_storage.c
-+++ b/drivers/usb/gadget/file_storage.c
-@@ -2579,7 +2579,7 @@ static int do_scsi_command(struct fsg_dev *fsg)
- 		fsg->data_size_from_cmnd = 0;
- 		sprintf(unknown, "Unknown x%02x", fsg->cmnd[0]);
- 		if ((reply = check_command(fsg, fsg->cmnd_size,
--				DATA_DIR_UNKNOWN, 0xff, 0, unknown)) == 0) {
-+				DATA_DIR_UNKNOWN, ~0, 0, unknown)) == 0) {
- 			fsg->curlun->sense_data = SS_INVALID_COMMAND;
- 			reply = -EINVAL;
- 		}
-diff --git a/drivers/usb/gadget/uvc.h b/drivers/usb/gadget/uvc.h
-index bc78c60..ca4e03a 100644
---- a/drivers/usb/gadget/uvc.h
-+++ b/drivers/usb/gadget/uvc.h
-@@ -28,7 +28,7 @@
- 
- struct uvc_request_data
- {
--	unsigned int length;
-+	__s32 length;
- 	__u8 data[60];
- };
- 
-diff --git a/drivers/usb/gadget/uvc_v4l2.c b/drivers/usb/gadget/uvc_v4l2.c
-index f6e083b..54d7ca5 100644
---- a/drivers/usb/gadget/uvc_v4l2.c
-+++ b/drivers/usb/gadget/uvc_v4l2.c
-@@ -39,7 +39,7 @@ uvc_send_response(struct uvc_device *uvc, struct uvc_request_data *data)
- 	if (data->length < 0)
- 		return usb_ep_set_halt(cdev->gadget->ep0);
- 
--	req->length = min(uvc->event_length, data->length);
-+	req->length = min_t(unsigned int, uvc->event_length, data->length);
- 	req->zero = data->length < uvc->event_length;
- 	req->dma = DMA_ADDR_INVALID;
- 
-diff --git a/drivers/usb/host/ehci-pci.c b/drivers/usb/host/ehci-pci.c
-index 01bb7241d..fe8dc06 100644
---- a/drivers/usb/host/ehci-pci.c
-+++ b/drivers/usb/host/ehci-pci.c
-@@ -144,6 +144,14 @@ static int ehci_pci_setup(struct usb_hcd *hcd)
- 			hcd->has_tt = 1;
- 			tdi_reset(ehci);
- 		}
-+		if (pdev->subsystem_vendor == PCI_VENDOR_ID_ASUSTEK) {
-+			/* EHCI #1 or #2 on 6 Series/C200 Series chipset */
-+			if (pdev->device == 0x1c26 || pdev->device == 0x1c2d) {
-+				ehci_info(ehci, "broken D3 during system sleep on ASUS\n");
-+				hcd->broken_pci_sleep = 1;
-+				device_set_wakeup_capable(&pdev->dev, false);
-+			}
-+		}
- 		break;
- 	case PCI_VENDOR_ID_TDI:
- 		if (pdev->device == PCI_DEVICE_ID_TDI_EHCI) {
-diff --git a/drivers/usb/host/ehci-tegra.c b/drivers/usb/host/ehci-tegra.c
-index dbc7fe8..de36b8c 100644
---- a/drivers/usb/host/ehci-tegra.c
-+++ b/drivers/usb/host/ehci-tegra.c
-@@ -601,7 +601,6 @@ static int setup_vbus_gpio(struct platform_device *pdev)
- 		dev_err(&pdev->dev, "can't enable vbus\n");
- 		return err;
- 	}
--	gpio_set_value(gpio, 1);
- 
- 	return err;
- }
-diff --git a/fs/autofs4/autofs_i.h b/fs/autofs4/autofs_i.h
-index eb1cc92..908e184 100644
---- a/fs/autofs4/autofs_i.h
-+++ b/fs/autofs4/autofs_i.h
-@@ -110,7 +110,6 @@ struct autofs_sb_info {
- 	int sub_version;
- 	int min_proto;
- 	int max_proto;
--	int compat_daemon;
- 	unsigned long exp_timeout;
- 	unsigned int type;
- 	int reghost_enabled;
-@@ -270,6 +269,17 @@ int autofs4_fill_super(struct super_block *, void *, int);
- struct autofs_info *autofs4_new_ino(struct autofs_sb_info *);
- void autofs4_clean_ino(struct autofs_info *);
- 
-+static inline int autofs_prepare_pipe(struct file *pipe)
-+{
-+	if (!pipe->f_op || !pipe->f_op->write)
-+		return -EINVAL;
-+	if (!S_ISFIFO(pipe->f_dentry->d_inode->i_mode))
-+		return -EINVAL;
-+	/* We want a packet pipe */
-+	pipe->f_flags |= O_DIRECT;
-+	return 0;
-+}
-+
- /* Queue management functions */
- 
- int autofs4_wait(struct autofs_sb_info *,struct dentry *, enum autofs_notify);
-diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c
-index 85f1fcd..d06d95a 100644
---- a/fs/autofs4/dev-ioctl.c
-+++ b/fs/autofs4/dev-ioctl.c
-@@ -376,7 +376,7 @@ static int autofs_dev_ioctl_setpipefd(struct file *fp,
- 			err = -EBADF;
- 			goto out;
- 		}
--		if (!pipe->f_op || !pipe->f_op->write) {
-+		if (autofs_prepare_pipe(pipe) < 0) {
- 			err = -EPIPE;
- 			fput(pipe);
- 			goto out;
-@@ -385,7 +385,6 @@ static int autofs_dev_ioctl_setpipefd(struct file *fp,
- 		sbi->pipefd = pipefd;
- 		sbi->pipe = pipe;
- 		sbi->catatonic = 0;
--		sbi->compat_daemon = is_compat_task();
- 	}
- out:
- 	mutex_unlock(&sbi->wq_mutex);
-diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c
-index 06858d9..9ef53a6 100644
---- a/fs/autofs4/inode.c
-+++ b/fs/autofs4/inode.c
-@@ -19,7 +19,6 @@
- #include <linux/parser.h>
- #include <linux/bitops.h>
- #include <linux/magic.h>
--#include <linux/compat.h>
- #include "autofs_i.h"
- #include <linux/module.h>
- 
-@@ -225,7 +224,6 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent)
- 	set_autofs_type_indirect(&sbi->type);
- 	sbi->min_proto = 0;
- 	sbi->max_proto = 0;
--	sbi->compat_daemon = is_compat_task();
- 	mutex_init(&sbi->wq_mutex);
- 	mutex_init(&sbi->pipe_mutex);
- 	spin_lock_init(&sbi->fs_lock);
-@@ -295,7 +293,7 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent)
- 		printk("autofs: could not open pipe file descriptor\n");
- 		goto fail_dput;
- 	}
--	if (!pipe->f_op || !pipe->f_op->write)
-+	if (autofs_prepare_pipe(pipe) < 0)
- 		goto fail_fput;
- 	sbi->pipe = pipe;
- 	sbi->pipefd = pipefd;
-diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
-index 9c098db..f624cd0 100644
---- a/fs/autofs4/waitq.c
-+++ b/fs/autofs4/waitq.c
-@@ -92,23 +92,6 @@ static int autofs4_write(struct autofs_sb_info *sbi,
- 	return (bytes > 0);
- }
- 
--/*
-- * The autofs_v5 packet was misdesigned.
-- *
-- * The packets are identical on x86-32 and x86-64, but have different
-- * alignment. Which means that 'sizeof()' will give different results.
-- * Fix it up for the case of running 32-bit user mode on a 64-bit kernel.
-- */
--static noinline size_t autofs_v5_packet_size(struct autofs_sb_info *sbi)
--{
--	size_t pktsz = sizeof(struct autofs_v5_packet);
--#if defined(CONFIG_X86_64) && defined(CONFIG_COMPAT)
--	if (sbi->compat_daemon > 0)
--		pktsz -= 4;
--#endif
--	return pktsz;
--}
--
- static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
- 				 struct autofs_wait_queue *wq,
- 				 int type)
-@@ -172,7 +155,8 @@ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
- 	{
- 		struct autofs_v5_packet *packet = &pkt.v5_pkt.v5_packet;
- 
--		pktsz = autofs_v5_packet_size(sbi);
-+		pktsz = sizeof(*packet);
-+
- 		packet->wait_queue_token = wq->wait_queue_token;
- 		packet->len = wq->name.len;
- 		memcpy(packet->name, wq->name.name, wq->name.len);
-diff --git a/fs/exec.c b/fs/exec.c
-index 153dee1..ae42277 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -975,6 +975,9 @@ static int de_thread(struct task_struct *tsk)
- 	sig->notify_count = 0;
- 
- no_thread_group:
-+	/* we have changed execution domain */
-+	tsk->exit_signal = SIGCHLD;
-+
- 	if (current->mm)
- 		setmax_mm_hiwater_rss(&sig->maxrss, current->mm);
- 
-diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
-index 4dfbfec..ec2a9c2 100644
---- a/fs/hfsplus/catalog.c
-+++ b/fs/hfsplus/catalog.c
-@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid,
- 	err = hfs_brec_find(&src_fd);
- 	if (err)
- 		goto out;
-+	if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
-+		err = -EIO;
-+		goto out;
-+	}
- 
- 	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
- 				src_fd.entrylength);
-diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
-index 88e155f..26b53fb 100644
---- a/fs/hfsplus/dir.c
-+++ b/fs/hfsplus/dir.c
-@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
- 		filp->f_pos++;
- 		/* fall through */
- 	case 1:
-+		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
-+			err = -EIO;
-+			goto out;
-+		}
-+
- 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
- 			fd.entrylength);
- 		if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
-@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
- 			err = -EIO;
- 			goto out;
- 		}
-+
-+		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
-+			err = -EIO;
-+			goto out;
-+		}
-+
- 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
- 			fd.entrylength);
- 		type = be16_to_cpu(entry.type);
-diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index 9a54c9e..2612223 100644
---- a/fs/nfs/nfs4proc.c
-+++ b/fs/nfs/nfs4proc.c
-@@ -4460,7 +4460,9 @@ static int _nfs4_do_setlk(struct nfs4_state *state, int cmd, struct file_lock *f
- static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
- {
- 	struct nfs_server *server = NFS_SERVER(state->inode);
--	struct nfs4_exception exception = { };
-+	struct nfs4_exception exception = {
-+		.inode = state->inode,
-+	};
- 	int err;
- 
- 	do {
-@@ -4478,7 +4480,9 @@ static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request
- static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
- {
- 	struct nfs_server *server = NFS_SERVER(state->inode);
--	struct nfs4_exception exception = { };
-+	struct nfs4_exception exception = {
-+		.inode = state->inode,
-+	};
- 	int err;
- 
- 	err = nfs4_set_lock_state(state, request);
-@@ -4558,6 +4562,7 @@ static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *
- {
- 	struct nfs4_exception exception = {
- 		.state = state,
-+		.inode = state->inode,
- 	};
- 	int err;
- 
-@@ -4603,6 +4608,20 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request)
- 
- 	if (state == NULL)
- 		return -ENOLCK;
-+	/*
-+	 * Don't rely on the VFS having checked the file open mode,
-+	 * since it won't do this for flock() locks.
-+	 */
-+	switch (request->fl_type & (F_RDLCK|F_WRLCK|F_UNLCK)) {
-+	case F_RDLCK:
-+		if (!(filp->f_mode & FMODE_READ))
-+			return -EBADF;
-+		break;
-+	case F_WRLCK:
-+		if (!(filp->f_mode & FMODE_WRITE))
-+			return -EBADF;
-+	}
-+
- 	do {
- 		status = nfs4_proc_setlk(state, cmd, request);
- 		if ((status != -EAGAIN) || IS_SETLK(cmd))
-diff --git a/fs/nfs/read.c b/fs/nfs/read.c
-index cfa175c..41bae32 100644
---- a/fs/nfs/read.c
-+++ b/fs/nfs/read.c
-@@ -324,7 +324,7 @@ out_bad:
- 	while (!list_empty(res)) {
- 		data = list_entry(res->next, struct nfs_read_data, list);
- 		list_del(&data->list);
--		nfs_readdata_free(data);
-+		nfs_readdata_release(data);
- 	}
- 	nfs_readpage_release(req);
- 	return -ENOMEM;
-diff --git a/fs/nfs/super.c b/fs/nfs/super.c
-index 3dfa4f1..e4622ee 100644
---- a/fs/nfs/super.c
-+++ b/fs/nfs/super.c
-@@ -2707,11 +2707,15 @@ static struct vfsmount *nfs_do_root_mount(struct file_system_type *fs_type,
- 	char *root_devname;
- 	size_t len;
- 
--	len = strlen(hostname) + 3;
-+	len = strlen(hostname) + 5;
- 	root_devname = kmalloc(len, GFP_KERNEL);
- 	if (root_devname == NULL)
- 		return ERR_PTR(-ENOMEM);
--	snprintf(root_devname, len, "%s:/", hostname);
-+	/* Does hostname needs to be enclosed in brackets? */
-+	if (strchr(hostname, ':'))
-+		snprintf(root_devname, len, "[%s]:/", hostname);
-+	else
-+		snprintf(root_devname, len, "%s:/", hostname);
- 	root_mnt = vfs_kern_mount(fs_type, flags, root_devname, data);
- 	kfree(root_devname);
- 	return root_mnt;
-diff --git a/fs/nfs/write.c b/fs/nfs/write.c
-index 834f0fe..8fcc23a 100644
---- a/fs/nfs/write.c
-+++ b/fs/nfs/write.c
-@@ -974,7 +974,7 @@ out_bad:
- 	while (!list_empty(res)) {
- 		data = list_entry(res->next, struct nfs_write_data, list);
- 		list_del(&data->list);
--		nfs_writedata_free(data);
-+		nfs_writedata_release(data);
- 	}
- 	nfs_redirty_request(req);
- 	return -ENOMEM;
-diff --git a/fs/pipe.c b/fs/pipe.c
-index a932ced..82e651b 100644
---- a/fs/pipe.c
-+++ b/fs/pipe.c
-@@ -345,6 +345,16 @@ static const struct pipe_buf_operations anon_pipe_buf_ops = {
- 	.get = generic_pipe_buf_get,
- };
- 
-+static const struct pipe_buf_operations packet_pipe_buf_ops = {
-+	.can_merge = 0,
-+	.map = generic_pipe_buf_map,
-+	.unmap = generic_pipe_buf_unmap,
-+	.confirm = generic_pipe_buf_confirm,
-+	.release = anon_pipe_buf_release,
-+	.steal = generic_pipe_buf_steal,
-+	.get = generic_pipe_buf_get,
-+};
-+
- static ssize_t
- pipe_read(struct kiocb *iocb, const struct iovec *_iov,
- 	   unsigned long nr_segs, loff_t pos)
-@@ -406,6 +416,13 @@ redo:
- 			ret += chars;
- 			buf->offset += chars;
- 			buf->len -= chars;
-+
-+			/* Was it a packet buffer? Clean up and exit */
-+			if (buf->flags & PIPE_BUF_FLAG_PACKET) {
-+				total_len = chars;
-+				buf->len = 0;
-+			}
-+
- 			if (!buf->len) {
- 				buf->ops = NULL;
- 				ops->release(pipe, buf);
-@@ -458,6 +475,11 @@ redo:
- 	return ret;
- }
- 
-+static inline int is_packetized(struct file *file)
-+{
-+	return (file->f_flags & O_DIRECT) != 0;
-+}
-+
- static ssize_t
- pipe_write(struct kiocb *iocb, const struct iovec *_iov,
- 	    unsigned long nr_segs, loff_t ppos)
-@@ -592,6 +614,11 @@ redo2:
- 			buf->ops = &anon_pipe_buf_ops;
- 			buf->offset = 0;
- 			buf->len = chars;
-+			buf->flags = 0;
-+			if (is_packetized(filp)) {
-+				buf->ops = &packet_pipe_buf_ops;
-+				buf->flags = PIPE_BUF_FLAG_PACKET;
-+			}
- 			pipe->nrbufs = ++bufs;
- 			pipe->tmp_page = NULL;
- 
-@@ -1012,7 +1039,7 @@ struct file *create_write_pipe(int flags)
- 		goto err_dentry;
- 	f->f_mapping = inode->i_mapping;
- 
--	f->f_flags = O_WRONLY | (flags & O_NONBLOCK);
-+	f->f_flags = O_WRONLY | (flags & (O_NONBLOCK | O_DIRECT));
- 	f->f_version = 0;
- 
- 	return f;
-@@ -1056,7 +1083,7 @@ int do_pipe_flags(int *fd, int flags)
- 	int error;
- 	int fdw, fdr;
- 
--	if (flags & ~(O_CLOEXEC | O_NONBLOCK))
-+	if (flags & ~(O_CLOEXEC | O_NONBLOCK | O_DIRECT))
- 		return -EINVAL;
- 
- 	fw = create_write_pipe(flags);
-diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 37c3007..7cce0ea 100644
---- a/include/linux/efi.h
-+++ b/include/linux/efi.h
-@@ -510,7 +510,18 @@ extern int __init efi_setup_pcdp_console(char *);
- #define EFI_VARIABLE_NON_VOLATILE       0x0000000000000001
- #define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x0000000000000002
- #define EFI_VARIABLE_RUNTIME_ACCESS     0x0000000000000004
--
-+#define EFI_VARIABLE_HARDWARE_ERROR_RECORD 0x0000000000000008
-+#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x0000000000000010
-+#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x0000000000000020
-+#define EFI_VARIABLE_APPEND_WRITE	0x0000000000000040
-+
-+#define EFI_VARIABLE_MASK 	(EFI_VARIABLE_NON_VOLATILE | \
-+				EFI_VARIABLE_BOOTSERVICE_ACCESS | \
-+				EFI_VARIABLE_RUNTIME_ACCESS | \
-+				EFI_VARIABLE_HARDWARE_ERROR_RECORD | \
-+				EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | \
-+				EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | \
-+				EFI_VARIABLE_APPEND_WRITE)
- /*
-  * The type of search to perform when calling boottime->locate_handle
-  */
-diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
-index 77257c9..0072a53 100644
---- a/include/linux/pipe_fs_i.h
-+++ b/include/linux/pipe_fs_i.h
-@@ -8,6 +8,7 @@
- #define PIPE_BUF_FLAG_LRU	0x01	/* page is on the LRU */
- #define PIPE_BUF_FLAG_ATOMIC	0x02	/* was atomically mapped */
- #define PIPE_BUF_FLAG_GIFT	0x04	/* page is a gift */
-+#define PIPE_BUF_FLAG_PACKET	0x08	/* read() as a packet */
- 
- /**
-  *	struct pipe_buffer - a linux kernel pipe buffer
-diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
-index b2f62f3..05695ba 100644
---- a/include/linux/usb/hcd.h
-+++ b/include/linux/usb/hcd.h
-@@ -126,6 +126,8 @@ struct usb_hcd {
- 	unsigned		wireless:1;	/* Wireless USB HCD */
- 	unsigned		authorized_default:1;
- 	unsigned		has_tt:1;	/* Integrated TT in root hub */
-+	unsigned		broken_pci_sleep:1;	/* Don't put the
-+			controller in PCI-D3 for system sleep */
- 
- 	int			irq;		/* irq allocated */
- 	void __iomem		*regs;		/* device memory/io */
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 4b4042f..46c8b14 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -818,25 +818,6 @@ static void exit_notify(struct task_struct *tsk, int group_dead)
- 	if (group_dead)
- 		kill_orphaned_pgrp(tsk->group_leader, NULL);
- 
--	/* Let father know we died
--	 *
--	 * Thread signals are configurable, but you aren't going to use
--	 * that to send signals to arbitrary processes.
--	 * That stops right now.
--	 *
--	 * If the parent exec id doesn't match the exec id we saved
--	 * when we started then we know the parent has changed security
--	 * domain.
--	 *
--	 * If our self_exec id doesn't match our parent_exec_id then
--	 * we have changed execution domain as these two values started
--	 * the same after a fork.
--	 */
--	if (thread_group_leader(tsk) && tsk->exit_signal != SIGCHLD &&
--	    (tsk->parent_exec_id != tsk->real_parent->self_exec_id ||
--	     tsk->self_exec_id != tsk->parent_exec_id))
--		tsk->exit_signal = SIGCHLD;
--
- 	if (unlikely(tsk->ptrace)) {
- 		int sig = thread_group_leader(tsk) &&
- 				thread_group_empty(tsk) &&
-diff --git a/kernel/power/swap.c b/kernel/power/swap.c
-index 8742fd0..eef311a 100644
---- a/kernel/power/swap.c
-+++ b/kernel/power/swap.c
-@@ -51,6 +51,23 @@
- 
- #define MAP_PAGE_ENTRIES	(PAGE_SIZE / sizeof(sector_t) - 1)
- 
-+/*
-+ * Number of free pages that are not high.
-+ */
-+static inline unsigned long low_free_pages(void)
-+{
-+	return nr_free_pages() - nr_free_highpages();
-+}
-+
-+/*
-+ * Number of pages required to be kept free while writing the image. Always
-+ * half of all available low pages before the writing starts.
-+ */
-+static inline unsigned long reqd_free_pages(void)
-+{
-+	return low_free_pages() / 2;
-+}
-+
- struct swap_map_page {
- 	sector_t entries[MAP_PAGE_ENTRIES];
- 	sector_t next_swap;
-@@ -72,7 +89,7 @@ struct swap_map_handle {
- 	sector_t cur_swap;
- 	sector_t first_sector;
- 	unsigned int k;
--	unsigned long nr_free_pages, written;
-+	unsigned long reqd_free_pages;
- 	u32 crc32;
- };
- 
-@@ -316,8 +333,7 @@ static int get_swap_writer(struct swap_map_handle *handle)
- 		goto err_rel;
- 	}
- 	handle->k = 0;
--	handle->nr_free_pages = nr_free_pages() >> 1;
--	handle->written = 0;
-+	handle->reqd_free_pages = reqd_free_pages();
- 	handle->first_sector = handle->cur_swap;
- 	return 0;
- err_rel:
-@@ -352,11 +368,11 @@ static int swap_write_page(struct swap_map_handle *handle, void *buf,
- 		handle->cur_swap = offset;
- 		handle->k = 0;
- 	}
--	if (bio_chain && ++handle->written > handle->nr_free_pages) {
-+	if (bio_chain && low_free_pages() <= handle->reqd_free_pages) {
- 		error = hib_wait_on_bio_chain(bio_chain);
- 		if (error)
- 			goto out;
--		handle->written = 0;
-+		handle->reqd_free_pages = reqd_free_pages();
- 	}
-  out:
- 	return error;
-@@ -618,7 +634,7 @@ static int save_image_lzo(struct swap_map_handle *handle,
- 	 * Adjust number of free pages after all allocations have been done.
- 	 * We don't want to run out of pages when writing.
- 	 */
--	handle->nr_free_pages = nr_free_pages() >> 1;
-+	handle->reqd_free_pages = reqd_free_pages();
- 
- 	/*
- 	 * Start the CRC32 thread.
-diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index b342f57..478a04c 100644
---- a/kernel/sched/core.c
-+++ b/kernel/sched/core.c
-@@ -2266,13 +2266,10 @@ calc_load_n(unsigned long load, unsigned long exp,
-  * Once we've updated the global active value, we need to apply the exponential
-  * weights adjusted to the number of cycles missed.
-  */
--static void calc_global_nohz(unsigned long ticks)
-+static void calc_global_nohz(void)
- {
- 	long delta, active, n;
- 
--	if (time_before(jiffies, calc_load_update))
--		return;
--
- 	/*
- 	 * If we crossed a calc_load_update boundary, make sure to fold
- 	 * any pending idle changes, the respective CPUs might have
-@@ -2284,31 +2281,25 @@ static void calc_global_nohz(unsigned long ticks)
- 		atomic_long_add(delta, &calc_load_tasks);
- 
- 	/*
--	 * If we were idle for multiple load cycles, apply them.
-+	 * It could be the one fold was all it took, we done!
- 	 */
--	if (ticks >= LOAD_FREQ) {
--		n = ticks / LOAD_FREQ;
-+	if (time_before(jiffies, calc_load_update + 10))
-+		return;
- 
--		active = atomic_long_read(&calc_load_tasks);
--		active = active > 0 ? active * FIXED_1 : 0;
-+	/*
-+	 * Catch-up, fold however many we are behind still
-+	 */
-+	delta = jiffies - calc_load_update - 10;
-+	n = 1 + (delta / LOAD_FREQ);
- 
--		avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n);
--		avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n);
--		avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n);
-+	active = atomic_long_read(&calc_load_tasks);
-+	active = active > 0 ? active * FIXED_1 : 0;
- 
--		calc_load_update += n * LOAD_FREQ;
--	}
-+	avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n);
-+	avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n);
-+	avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n);
- 
--	/*
--	 * Its possible the remainder of the above division also crosses
--	 * a LOAD_FREQ period, the regular check in calc_global_load()
--	 * which comes after this will take care of that.
--	 *
--	 * Consider us being 11 ticks before a cycle completion, and us
--	 * sleeping for 4*LOAD_FREQ + 22 ticks, then the above code will
--	 * age us 4 cycles, and the test in calc_global_load() will
--	 * pick up the final one.
--	 */
-+	calc_load_update += n * LOAD_FREQ;
- }
- #else
- void calc_load_account_idle(struct rq *this_rq)
-@@ -2320,7 +2311,7 @@ static inline long calc_load_fold_idle(void)
- 	return 0;
- }
- 
--static void calc_global_nohz(unsigned long ticks)
-+static void calc_global_nohz(void)
- {
- }
- #endif
-@@ -2348,8 +2339,6 @@ void calc_global_load(unsigned long ticks)
- {
- 	long active;
- 
--	calc_global_nohz(ticks);
--
- 	if (time_before(jiffies, calc_load_update + 10))
- 		return;
- 
-@@ -2361,6 +2350,16 @@ void calc_global_load(unsigned long ticks)
- 	avenrun[2] = calc_load(avenrun[2], EXP_15, active);
- 
- 	calc_load_update += LOAD_FREQ;
-+
-+	/*
-+	 * Account one period with whatever state we found before
-+	 * folding in the nohz state and ageing the entire idle period.
-+	 *
-+	 * This avoids loosing a sample when we go idle between
-+	 * calc_load_account_active() (10 ticks ago) and now and thus
-+	 * under-accounting.
-+	 */
-+	calc_global_nohz();
- }
- 
- /*
-@@ -6334,16 +6333,26 @@ static void __sdt_free(const struct cpumask *cpu_map)
- 		struct sd_data *sdd = &tl->data;
- 
- 		for_each_cpu(j, cpu_map) {
--			struct sched_domain *sd = *per_cpu_ptr(sdd->sd, j);
--			if (sd && (sd->flags & SD_OVERLAP))
--				free_sched_groups(sd->groups, 0);
--			kfree(*per_cpu_ptr(sdd->sd, j));
--			kfree(*per_cpu_ptr(sdd->sg, j));
--			kfree(*per_cpu_ptr(sdd->sgp, j));
-+			struct sched_domain *sd;
-+
-+			if (sdd->sd) {
-+				sd = *per_cpu_ptr(sdd->sd, j);
-+				if (sd && (sd->flags & SD_OVERLAP))
-+					free_sched_groups(sd->groups, 0);
-+				kfree(*per_cpu_ptr(sdd->sd, j));
-+			}
-+
-+			if (sdd->sg)
-+				kfree(*per_cpu_ptr(sdd->sg, j));
-+			if (sdd->sgp)
-+				kfree(*per_cpu_ptr(sdd->sgp, j));
- 		}
- 		free_percpu(sdd->sd);
-+		sdd->sd = NULL;
- 		free_percpu(sdd->sg);
-+		sdd->sg = NULL;
- 		free_percpu(sdd->sgp);
-+		sdd->sgp = NULL;
- 	}
- }
- 
-diff --git a/kernel/signal.c b/kernel/signal.c
-index c73c428..b09cf3b 100644
---- a/kernel/signal.c
-+++ b/kernel/signal.c
-@@ -1642,6 +1642,15 @@ bool do_notify_parent(struct task_struct *tsk, int sig)
- 	BUG_ON(!tsk->ptrace &&
- 	       (tsk->group_leader != tsk || !thread_group_empty(tsk)));
- 
-+	if (sig != SIGCHLD) {
-+		/*
-+		 * This is only possible if parent == real_parent.
-+		 * Check if it has changed security domain.
-+		 */
-+		if (tsk->parent_exec_id != tsk->parent->self_exec_id)
-+			sig = SIGCHLD;
-+	}
-+
- 	info.si_signo = sig;
- 	info.si_errno = 0;
- 	/*
-diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
-index 0d6ff35..d9c07f0 100644
---- a/kernel/trace/trace_output.c
-+++ b/kernel/trace/trace_output.c
-@@ -650,6 +650,8 @@ int trace_print_lat_context(struct trace_iterator *iter)
- {
- 	u64 next_ts;
- 	int ret;
-+	/* trace_find_next_entry will reset ent_size */
-+	int ent_size = iter->ent_size;
- 	struct trace_seq *s = &iter->seq;
- 	struct trace_entry *entry = iter->ent,
- 			   *next_entry = trace_find_next_entry(iter, NULL,
-@@ -658,6 +660,9 @@ int trace_print_lat_context(struct trace_iterator *iter)
- 	unsigned long abs_usecs = ns2usecs(iter->ts - iter->tr->time_start);
- 	unsigned long rel_usecs;
- 
-+	/* Restore the original ent_size */
-+	iter->ent_size = ent_size;
-+
- 	if (!next_entry)
- 		next_ts = iter->ts;
- 	rel_usecs = ns2usecs(next_ts - iter->ts);
-diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
-index e05667c..6a31cea 100644
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -1144,7 +1144,8 @@ ieee80211_tx_prepare(struct ieee80211_sub_if_data *sdata,
- 		tx->sta = rcu_dereference(sdata->u.vlan.sta);
- 		if (!tx->sta && sdata->dev->ieee80211_ptr->use_4addr)
- 			return TX_DROP;
--	} else if (info->flags & IEEE80211_TX_CTL_INJECTED) {
-+	} else if (info->flags & IEEE80211_TX_CTL_INJECTED ||
-+		   tx->sdata->control_port_protocol == tx->skb->protocol) {
- 		tx->sta = sta_info_get_bss(sdata, hdr->addr1);
- 	}
- 	if (!tx->sta)
-diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
-index afeea32..bf945c9 100644
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -1293,6 +1293,11 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
- 			goto bad_res;
- 		}
- 
-+		if (!netif_running(netdev)) {
-+			result = -ENETDOWN;
-+			goto bad_res;
-+		}
-+
- 		nla_for_each_nested(nl_txq_params,
- 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
- 				    rem_txq_params) {
-@@ -6262,7 +6267,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_get_key,
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6294,7 +6299,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
- 		.doit = nl80211_addset_beacon,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6302,7 +6307,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
- 		.doit = nl80211_addset_beacon,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6326,7 +6331,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_set_station,
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6342,7 +6347,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_del_station,
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6375,7 +6380,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_del_mpath,
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6383,7 +6388,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_set_bss,
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6409,7 +6414,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_get_mesh_config,
- 		.policy = nl80211_policy,
- 		/* can be retrieved by unprivileged users */
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6542,7 +6547,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_setdel_pmksa,
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6550,7 +6555,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_setdel_pmksa,
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6558,7 +6563,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_flush_pmksa,
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-@@ -6718,7 +6723,7 @@ static struct genl_ops nl80211_ops[] = {
- 		.doit = nl80211_probe_client,
- 		.policy = nl80211_policy,
- 		.flags = GENL_ADMIN_PERM,
--		.internal_flags = NL80211_FLAG_NEED_NETDEV |
-+		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
- 				  NL80211_FLAG_NEED_RTNL,
- 	},
- 	{
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index e5153ea..0960ece 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -5402,6 +5402,7 @@ static const struct alc_fixup alc269_fixups[] = {
- };
- 
- static const struct snd_pci_quirk alc269_fixup_tbl[] = {
-+	SND_PCI_QUIRK(0x1043, 0x1427, "Asus Zenbook UX31E", ALC269VB_FIXUP_DMIC),
- 	SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW),
- 	SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
- 	SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC),
-diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c
-index 900c91b..e5cc616 100644
---- a/sound/soc/codecs/wm8994.c
-+++ b/sound/soc/codecs/wm8994.c
-@@ -929,61 +929,170 @@ static void wm8994_update_class_w(struct snd_soc_codec *codec)
- 	}
- }
- 
--static int late_enable_ev(struct snd_soc_dapm_widget *w,
--			  struct snd_kcontrol *kcontrol, int event)
-+static int aif1clk_ev(struct snd_soc_dapm_widget *w,
-+		      struct snd_kcontrol *kcontrol, int event)
- {
- 	struct snd_soc_codec *codec = w->codec;
--	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
-+	struct wm8994 *control = codec->control_data;
-+	int mask = WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC1R_ENA;
-+	int dac;
-+	int adc;
-+	int val;
-+
-+	switch (control->type) {
-+	case WM8994:
-+	case WM8958:
-+		mask |= WM8994_AIF1DAC2L_ENA | WM8994_AIF1DAC2R_ENA;
-+		break;
-+	default:
-+		break;
-+	}
- 
- 	switch (event) {
- 	case SND_SOC_DAPM_PRE_PMU:
--		if (wm8994->aif1clk_enable) {
--			snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1,
--					    WM8994_AIF1CLK_ENA_MASK,
--					    WM8994_AIF1CLK_ENA);
--			wm8994->aif1clk_enable = 0;
--		}
--		if (wm8994->aif2clk_enable) {
--			snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1,
--					    WM8994_AIF2CLK_ENA_MASK,
--					    WM8994_AIF2CLK_ENA);
--			wm8994->aif2clk_enable = 0;
--		}
-+		val = snd_soc_read(codec, WM8994_AIF1_CONTROL_1);
-+		if ((val & WM8994_AIF1ADCL_SRC) &&
-+		    (val & WM8994_AIF1ADCR_SRC))
-+			adc = WM8994_AIF1ADC1R_ENA | WM8994_AIF1ADC2R_ENA;
-+		else if (!(val & WM8994_AIF1ADCL_SRC) &&
-+			 !(val & WM8994_AIF1ADCR_SRC))
-+			adc = WM8994_AIF1ADC1L_ENA | WM8994_AIF1ADC2L_ENA;
-+		else
-+			adc = WM8994_AIF1ADC1R_ENA | WM8994_AIF1ADC2R_ENA |
-+				WM8994_AIF1ADC1L_ENA | WM8994_AIF1ADC2L_ENA;
-+
-+		val = snd_soc_read(codec, WM8994_AIF1_CONTROL_2);
-+		if ((val & WM8994_AIF1DACL_SRC) &&
-+		    (val & WM8994_AIF1DACR_SRC))
-+			dac = WM8994_AIF1DAC1R_ENA | WM8994_AIF1DAC2R_ENA;
-+		else if (!(val & WM8994_AIF1DACL_SRC) &&
-+			 !(val & WM8994_AIF1DACR_SRC))
-+			dac = WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC2L_ENA;
-+		else
-+			dac = WM8994_AIF1DAC1R_ENA | WM8994_AIF1DAC2R_ENA |
-+				WM8994_AIF1DAC1L_ENA | WM8994_AIF1DAC2L_ENA;
-+
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4,
-+				    mask, adc);
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
-+				    mask, dac);
-+		snd_soc_update_bits(codec, WM8994_CLOCKING_1,
-+				    WM8994_AIF1DSPCLK_ENA |
-+				    WM8994_SYSDSPCLK_ENA,
-+				    WM8994_AIF1DSPCLK_ENA |
-+				    WM8994_SYSDSPCLK_ENA);
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4, mask,
-+				    WM8994_AIF1ADC1R_ENA |
-+				    WM8994_AIF1ADC1L_ENA |
-+				    WM8994_AIF1ADC2R_ENA |
-+				    WM8994_AIF1ADC2L_ENA);
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5, mask,
-+				    WM8994_AIF1DAC1R_ENA |
-+				    WM8994_AIF1DAC1L_ENA |
-+				    WM8994_AIF1DAC2R_ENA |
-+				    WM8994_AIF1DAC2L_ENA);
-+		break;
-+
-+	case SND_SOC_DAPM_PRE_PMD:
-+	case SND_SOC_DAPM_POST_PMD:
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
-+				    mask, 0);
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4,
-+				    mask, 0);
-+
-+		val = snd_soc_read(codec, WM8994_CLOCKING_1);
-+		if (val & WM8994_AIF2DSPCLK_ENA)
-+			val = WM8994_SYSDSPCLK_ENA;
-+		else
-+			val = 0;
-+		snd_soc_update_bits(codec, WM8994_CLOCKING_1,
-+				    WM8994_SYSDSPCLK_ENA |
-+				    WM8994_AIF1DSPCLK_ENA, val);
- 		break;
- 	}
- 
--	/* We may also have postponed startup of DSP, handle that. */
--	wm8958_aif_ev(w, kcontrol, event);
--
- 	return 0;
- }
- 
--static int late_disable_ev(struct snd_soc_dapm_widget *w,
--			   struct snd_kcontrol *kcontrol, int event)
-+static int aif2clk_ev(struct snd_soc_dapm_widget *w,
-+		      struct snd_kcontrol *kcontrol, int event)
- {
- 	struct snd_soc_codec *codec = w->codec;
--	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
-+	int dac;
-+	int adc;
-+	int val;
- 
- 	switch (event) {
-+	case SND_SOC_DAPM_PRE_PMU:
-+		val = snd_soc_read(codec, WM8994_AIF2_CONTROL_1);
-+		if ((val & WM8994_AIF2ADCL_SRC) &&
-+		    (val & WM8994_AIF2ADCR_SRC))
-+			adc = WM8994_AIF2ADCR_ENA;
-+		else if (!(val & WM8994_AIF2ADCL_SRC) &&
-+			 !(val & WM8994_AIF2ADCR_SRC))
-+			adc = WM8994_AIF2ADCL_ENA;
-+		else
-+			adc = WM8994_AIF2ADCL_ENA | WM8994_AIF2ADCR_ENA;
-+
-+
-+		val = snd_soc_read(codec, WM8994_AIF2_CONTROL_2);
-+		if ((val & WM8994_AIF2DACL_SRC) &&
-+		    (val & WM8994_AIF2DACR_SRC))
-+			dac = WM8994_AIF2DACR_ENA;
-+		else if (!(val & WM8994_AIF2DACL_SRC) &&
-+			 !(val & WM8994_AIF2DACR_SRC))
-+			dac = WM8994_AIF2DACL_ENA;
-+		else
-+			dac = WM8994_AIF2DACL_ENA | WM8994_AIF2DACR_ENA;
-+
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4,
-+				    WM8994_AIF2ADCL_ENA |
-+				    WM8994_AIF2ADCR_ENA, adc);
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
-+				    WM8994_AIF2DACL_ENA |
-+				    WM8994_AIF2DACR_ENA, dac);
-+		snd_soc_update_bits(codec, WM8994_CLOCKING_1,
-+				    WM8994_AIF2DSPCLK_ENA |
-+				    WM8994_SYSDSPCLK_ENA,
-+				    WM8994_AIF2DSPCLK_ENA |
-+				    WM8994_SYSDSPCLK_ENA);
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_4,
-+				    WM8994_AIF2ADCL_ENA |
-+				    WM8994_AIF2ADCR_ENA,
-+				    WM8994_AIF2ADCL_ENA |
-+				    WM8994_AIF2ADCR_ENA);
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
-+				    WM8994_AIF2DACL_ENA |
-+				    WM8994_AIF2DACR_ENA,
-+				    WM8994_AIF2DACL_ENA |
-+				    WM8994_AIF2DACR_ENA);
-+		break;
-+
-+	case SND_SOC_DAPM_PRE_PMD:
- 	case SND_SOC_DAPM_POST_PMD:
--		if (wm8994->aif1clk_disable) {
--			snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1,
--					    WM8994_AIF1CLK_ENA_MASK, 0);
--			wm8994->aif1clk_disable = 0;
--		}
--		if (wm8994->aif2clk_disable) {
--			snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1,
--					    WM8994_AIF2CLK_ENA_MASK, 0);
--			wm8994->aif2clk_disable = 0;
--		}
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
-+				    WM8994_AIF2DACL_ENA |
-+				    WM8994_AIF2DACR_ENA, 0);
-+		snd_soc_update_bits(codec, WM8994_POWER_MANAGEMENT_5,
-+				    WM8994_AIF2ADCL_ENA |
-+				    WM8994_AIF2ADCR_ENA, 0);
-+
-+		val = snd_soc_read(codec, WM8994_CLOCKING_1);
-+		if (val & WM8994_AIF1DSPCLK_ENA)
-+			val = WM8994_SYSDSPCLK_ENA;
-+		else
-+			val = 0;
-+		snd_soc_update_bits(codec, WM8994_CLOCKING_1,
-+				    WM8994_SYSDSPCLK_ENA |
-+				    WM8994_AIF2DSPCLK_ENA, val);
- 		break;
- 	}
- 
- 	return 0;
- }
- 
--static int aif1clk_ev(struct snd_soc_dapm_widget *w,
--		      struct snd_kcontrol *kcontrol, int event)
-+static int aif1clk_late_ev(struct snd_soc_dapm_widget *w,
-+			   struct snd_kcontrol *kcontrol, int event)
- {
- 	struct snd_soc_codec *codec = w->codec;
- 	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
-@@ -1000,8 +1109,8 @@ static int aif1clk_ev(struct snd_soc_dapm_widget *w,
- 	return 0;
- }
- 
--static int aif2clk_ev(struct snd_soc_dapm_widget *w,
--		      struct snd_kcontrol *kcontrol, int event)
-+static int aif2clk_late_ev(struct snd_soc_dapm_widget *w,
-+			   struct snd_kcontrol *kcontrol, int event)
- {
- 	struct snd_soc_codec *codec = w->codec;
- 	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
-@@ -1018,6 +1127,63 @@ static int aif2clk_ev(struct snd_soc_dapm_widget *w,
- 	return 0;
- }
- 
-+static int late_enable_ev(struct snd_soc_dapm_widget *w,
-+			  struct snd_kcontrol *kcontrol, int event)
-+{
-+	struct snd_soc_codec *codec = w->codec;
-+	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
-+
-+	switch (event) {
-+	case SND_SOC_DAPM_PRE_PMU:
-+		if (wm8994->aif1clk_enable) {
-+			aif1clk_ev(w, kcontrol, event);
-+			snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1,
-+					    WM8994_AIF1CLK_ENA_MASK,
-+					    WM8994_AIF1CLK_ENA);
-+			wm8994->aif1clk_enable = 0;
-+		}
-+		if (wm8994->aif2clk_enable) {
-+			aif2clk_ev(w, kcontrol, event);
-+			snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1,
-+					    WM8994_AIF2CLK_ENA_MASK,
-+					    WM8994_AIF2CLK_ENA);
-+			wm8994->aif2clk_enable = 0;
-+		}
-+		break;
-+	}
-+
-+	/* We may also have postponed startup of DSP, handle that. */
-+	wm8958_aif_ev(w, kcontrol, event);
-+
-+	return 0;
-+}
-+
-+static int late_disable_ev(struct snd_soc_dapm_widget *w,
-+			   struct snd_kcontrol *kcontrol, int event)
-+{
-+	struct snd_soc_codec *codec = w->codec;
-+	struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
-+
-+	switch (event) {
-+	case SND_SOC_DAPM_POST_PMD:
-+		if (wm8994->aif1clk_disable) {
-+			snd_soc_update_bits(codec, WM8994_AIF1_CLOCKING_1,
-+					    WM8994_AIF1CLK_ENA_MASK, 0);
-+			aif1clk_ev(w, kcontrol, event);
-+			wm8994->aif1clk_disable = 0;
-+		}
-+		if (wm8994->aif2clk_disable) {
-+			snd_soc_update_bits(codec, WM8994_AIF2_CLOCKING_1,
-+					    WM8994_AIF2CLK_ENA_MASK, 0);
-+			aif2clk_ev(w, kcontrol, event);
-+			wm8994->aif2clk_disable = 0;
-+		}
-+		break;
-+	}
-+
-+	return 0;
-+}
-+
- static int adc_mux_ev(struct snd_soc_dapm_widget *w,
- 		      struct snd_kcontrol *kcontrol, int event)
- {
-@@ -1314,9 +1480,9 @@ static const struct snd_kcontrol_new aif2dacr_src_mux =
- 	SOC_DAPM_ENUM("AIF2DACR Mux", aif2dacr_src_enum);
- 
- static const struct snd_soc_dapm_widget wm8994_lateclk_revd_widgets[] = {
--SND_SOC_DAPM_SUPPLY("AIF1CLK", SND_SOC_NOPM, 0, 0, aif1clk_ev,
-+SND_SOC_DAPM_SUPPLY("AIF1CLK", SND_SOC_NOPM, 0, 0, aif1clk_late_ev,
- 	SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD),
--SND_SOC_DAPM_SUPPLY("AIF2CLK", SND_SOC_NOPM, 0, 0, aif2clk_ev,
-+SND_SOC_DAPM_SUPPLY("AIF2CLK", SND_SOC_NOPM, 0, 0, aif2clk_late_ev,
- 	SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD),
- 
- SND_SOC_DAPM_PGA_E("Late DAC1L Enable PGA", SND_SOC_NOPM, 0, 0, NULL, 0,
-@@ -1345,8 +1511,10 @@ SND_SOC_DAPM_POST("Late Disable PGA", late_disable_ev)
- };
- 
- static const struct snd_soc_dapm_widget wm8994_lateclk_widgets[] = {
--SND_SOC_DAPM_SUPPLY("AIF1CLK", WM8994_AIF1_CLOCKING_1, 0, 0, NULL, 0),
--SND_SOC_DAPM_SUPPLY("AIF2CLK", WM8994_AIF2_CLOCKING_1, 0, 0, NULL, 0),
-+SND_SOC_DAPM_SUPPLY("AIF1CLK", WM8994_AIF1_CLOCKING_1, 0, 0, aif1clk_ev,
-+		    SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD),
-+SND_SOC_DAPM_SUPPLY("AIF2CLK", WM8994_AIF2_CLOCKING_1, 0, 0, aif2clk_ev,
-+		    SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_PRE_PMD),
- SND_SOC_DAPM_PGA("Direct Voice", SND_SOC_NOPM, 0, 0, NULL, 0),
- SND_SOC_DAPM_MIXER("SPKL", WM8994_POWER_MANAGEMENT_3, 8, 0,
- 		   left_speaker_mixer, ARRAY_SIZE(left_speaker_mixer)),
-@@ -1399,30 +1567,30 @@ SND_SOC_DAPM_SUPPLY("VMID", SND_SOC_NOPM, 0, 0, vmid_event,
- SND_SOC_DAPM_SUPPLY("CLK_SYS", SND_SOC_NOPM, 0, 0, clk_sys_event,
- 		    SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD),
- 
--SND_SOC_DAPM_SUPPLY("DSP1CLK", WM8994_CLOCKING_1, 3, 0, NULL, 0),
--SND_SOC_DAPM_SUPPLY("DSP2CLK", WM8994_CLOCKING_1, 2, 0, NULL, 0),
--SND_SOC_DAPM_SUPPLY("DSPINTCLK", WM8994_CLOCKING_1, 1, 0, NULL, 0),
-+SND_SOC_DAPM_SUPPLY("DSP1CLK", SND_SOC_NOPM, 3, 0, NULL, 0),
-+SND_SOC_DAPM_SUPPLY("DSP2CLK", SND_SOC_NOPM, 2, 0, NULL, 0),
-+SND_SOC_DAPM_SUPPLY("DSPINTCLK", SND_SOC_NOPM, 1, 0, NULL, 0),
- 
- SND_SOC_DAPM_AIF_OUT("AIF1ADC1L", NULL,
--		     0, WM8994_POWER_MANAGEMENT_4, 9, 0),
-+		     0, SND_SOC_NOPM, 9, 0),
- SND_SOC_DAPM_AIF_OUT("AIF1ADC1R", NULL,
--		     0, WM8994_POWER_MANAGEMENT_4, 8, 0),
-+		     0, SND_SOC_NOPM, 8, 0),
- SND_SOC_DAPM_AIF_IN_E("AIF1DAC1L", NULL, 0,
--		      WM8994_POWER_MANAGEMENT_5, 9, 0, wm8958_aif_ev,
-+		      SND_SOC_NOPM, 9, 0, wm8958_aif_ev,
- 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
- SND_SOC_DAPM_AIF_IN_E("AIF1DAC1R", NULL, 0,
--		      WM8994_POWER_MANAGEMENT_5, 8, 0, wm8958_aif_ev,
-+		      SND_SOC_NOPM, 8, 0, wm8958_aif_ev,
- 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
- 
- SND_SOC_DAPM_AIF_OUT("AIF1ADC2L", NULL,
--		     0, WM8994_POWER_MANAGEMENT_4, 11, 0),
-+		     0, SND_SOC_NOPM, 11, 0),
- SND_SOC_DAPM_AIF_OUT("AIF1ADC2R", NULL,
--		     0, WM8994_POWER_MANAGEMENT_4, 10, 0),
-+		     0, SND_SOC_NOPM, 10, 0),
- SND_SOC_DAPM_AIF_IN_E("AIF1DAC2L", NULL, 0,
--		      WM8994_POWER_MANAGEMENT_5, 11, 0, wm8958_aif_ev,
-+		      SND_SOC_NOPM, 11, 0, wm8958_aif_ev,
- 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
- SND_SOC_DAPM_AIF_IN_E("AIF1DAC2R", NULL, 0,
--		      WM8994_POWER_MANAGEMENT_5, 10, 0, wm8958_aif_ev,
-+		      SND_SOC_NOPM, 10, 0, wm8958_aif_ev,
- 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_POST_PMD),
- 
- SND_SOC_DAPM_MIXER("AIF1ADC1L Mixer", SND_SOC_NOPM, 0, 0,
-@@ -1449,14 +1617,14 @@ SND_SOC_DAPM_MIXER("DAC1R Mixer", SND_SOC_NOPM, 0, 0,
- 		   dac1r_mix, ARRAY_SIZE(dac1r_mix)),
- 
- SND_SOC_DAPM_AIF_OUT("AIF2ADCL", NULL, 0,
--		     WM8994_POWER_MANAGEMENT_4, 13, 0),
-+		     SND_SOC_NOPM, 13, 0),
- SND_SOC_DAPM_AIF_OUT("AIF2ADCR", NULL, 0,
--		     WM8994_POWER_MANAGEMENT_4, 12, 0),
-+		     SND_SOC_NOPM, 12, 0),
- SND_SOC_DAPM_AIF_IN_E("AIF2DACL", NULL, 0,
--		      WM8994_POWER_MANAGEMENT_5, 13, 0, wm8958_aif_ev,
-+		      SND_SOC_NOPM, 13, 0, wm8958_aif_ev,
- 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD),
- SND_SOC_DAPM_AIF_IN_E("AIF2DACR", NULL, 0,
--		      WM8994_POWER_MANAGEMENT_5, 12, 0, wm8958_aif_ev,
-+		      SND_SOC_NOPM, 12, 0, wm8958_aif_ev,
- 		      SND_SOC_DAPM_POST_PMU | SND_SOC_DAPM_PRE_PMD),
- 
- SND_SOC_DAPM_AIF_IN("AIF1DACDAT", "AIF1 Playback", 0, SND_SOC_NOPM, 0, 0),
-diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
-index 1315663..ac6b869 100644
---- a/sound/soc/soc-dapm.c
-+++ b/sound/soc/soc-dapm.c
-@@ -70,6 +70,7 @@ static int dapm_up_seq[] = {
- 	[snd_soc_dapm_out_drv] = 10,
- 	[snd_soc_dapm_hp] = 10,
- 	[snd_soc_dapm_spk] = 10,
-+	[snd_soc_dapm_line] = 10,
- 	[snd_soc_dapm_post] = 11,
- };
- 
-@@ -78,6 +79,7 @@ static int dapm_down_seq[] = {
- 	[snd_soc_dapm_adc] = 1,
- 	[snd_soc_dapm_hp] = 2,
- 	[snd_soc_dapm_spk] = 2,
-+	[snd_soc_dapm_line] = 2,
- 	[snd_soc_dapm_out_drv] = 2,
- 	[snd_soc_dapm_pga] = 4,
- 	[snd_soc_dapm_mixer_named_ctl] = 5,
-diff --git a/tools/include/tools/be_byteshift.h b/tools/include/tools/be_byteshift.h
-new file mode 100644
-index 0000000..f4912e2
---- /dev/null
-+++ b/tools/include/tools/be_byteshift.h
-@@ -0,0 +1,70 @@
-+#ifndef _TOOLS_BE_BYTESHIFT_H
-+#define _TOOLS_BE_BYTESHIFT_H
-+
-+#include <linux/types.h>
-+
-+static inline __u16 __get_unaligned_be16(const __u8 *p)
-+{
-+	return p[0] << 8 | p[1];
-+}
-+
-+static inline __u32 __get_unaligned_be32(const __u8 *p)
-+{
-+	return p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
-+}
-+
-+static inline __u64 __get_unaligned_be64(const __u8 *p)
-+{
-+	return (__u64)__get_unaligned_be32(p) << 32 |
-+	       __get_unaligned_be32(p + 4);
-+}
-+
-+static inline void __put_unaligned_be16(__u16 val, __u8 *p)
-+{
-+	*p++ = val >> 8;
-+	*p++ = val;
-+}
-+
-+static inline void __put_unaligned_be32(__u32 val, __u8 *p)
-+{
-+	__put_unaligned_be16(val >> 16, p);
-+	__put_unaligned_be16(val, p + 2);
-+}
-+
-+static inline void __put_unaligned_be64(__u64 val, __u8 *p)
-+{
-+	__put_unaligned_be32(val >> 32, p);
-+	__put_unaligned_be32(val, p + 4);
-+}
-+
-+static inline __u16 get_unaligned_be16(const void *p)
-+{
-+	return __get_unaligned_be16((const __u8 *)p);
-+}
-+
-+static inline __u32 get_unaligned_be32(const void *p)
-+{
-+	return __get_unaligned_be32((const __u8 *)p);
-+}
-+
-+static inline __u64 get_unaligned_be64(const void *p)
-+{
-+	return __get_unaligned_be64((const __u8 *)p);
-+}
-+
-+static inline void put_unaligned_be16(__u16 val, void *p)
-+{
-+	__put_unaligned_be16(val, p);
-+}
-+
-+static inline void put_unaligned_be32(__u32 val, void *p)
-+{
-+	__put_unaligned_be32(val, p);
-+}
-+
-+static inline void put_unaligned_be64(__u64 val, void *p)
-+{
-+	__put_unaligned_be64(val, p);
-+}
-+
-+#endif /* _TOOLS_BE_BYTESHIFT_H */
-diff --git a/tools/include/tools/le_byteshift.h b/tools/include/tools/le_byteshift.h
-new file mode 100644
-index 0000000..c99d45a
---- /dev/null
-+++ b/tools/include/tools/le_byteshift.h
-@@ -0,0 +1,70 @@
-+#ifndef _TOOLS_LE_BYTESHIFT_H
-+#define _TOOLS_LE_BYTESHIFT_H
-+
-+#include <linux/types.h>
-+
-+static inline __u16 __get_unaligned_le16(const __u8 *p)
-+{
-+	return p[0] | p[1] << 8;
-+}
-+
-+static inline __u32 __get_unaligned_le32(const __u8 *p)
-+{
-+	return p[0] | p[1] << 8 | p[2] << 16 | p[3] << 24;
-+}
-+
-+static inline __u64 __get_unaligned_le64(const __u8 *p)
-+{
-+	return (__u64)__get_unaligned_le32(p + 4) << 32 |
-+	       __get_unaligned_le32(p);
-+}
-+
-+static inline void __put_unaligned_le16(__u16 val, __u8 *p)
-+{
-+	*p++ = val;
-+	*p++ = val >> 8;
-+}
-+
-+static inline void __put_unaligned_le32(__u32 val, __u8 *p)
-+{
-+	__put_unaligned_le16(val >> 16, p + 2);
-+	__put_unaligned_le16(val, p);
-+}
-+
-+static inline void __put_unaligned_le64(__u64 val, __u8 *p)
-+{
-+	__put_unaligned_le32(val >> 32, p + 4);
-+	__put_unaligned_le32(val, p);
-+}
-+
-+static inline __u16 get_unaligned_le16(const void *p)
-+{
-+	return __get_unaligned_le16((const __u8 *)p);
-+}
-+
-+static inline __u32 get_unaligned_le32(const void *p)
-+{
-+	return __get_unaligned_le32((const __u8 *)p);
-+}
-+
-+static inline __u64 get_unaligned_le64(const void *p)
-+{
-+	return __get_unaligned_le64((const __u8 *)p);
-+}
-+
-+static inline void put_unaligned_le16(__u16 val, void *p)
-+{
-+	__put_unaligned_le16(val, p);
-+}
-+
-+static inline void put_unaligned_le32(__u32 val, void *p)
-+{
-+	__put_unaligned_le32(val, p);
-+}
-+
-+static inline void put_unaligned_le64(__u64 val, void *p)
-+{
-+	__put_unaligned_le64(val, p);
-+}
-+
-+#endif /* _TOOLS_LE_BYTESHIFT_H */
diff --git a/3.3.5/0000_README b/3.3.6/0000_README
index 9dc6525..f827d9b 100644
--- a/3.3.5/0000_README
+++ b/3.3.6/0000_README
@@ -2,11 +2,11 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	1004_linux-3.3.5.patch
+Patch:	1005_linux-3.3.6.patch
 From:	http://www.kernel.org
-Desc:	Linux 3.3.5
+Desc:	Linux 3.3.6
 
-Patch:	4420_grsecurity-2.9-3.3.5-201205071839.patch
+Patch:	4420_grsecurity-2.9-3.3.6-201205131658.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.3.6/1005_linux-3.3.6.patch b/3.3.6/1005_linux-3.3.6.patch
new file mode 100644
index 0000000..f02721b
--- /dev/null
+++ b/3.3.6/1005_linux-3.3.6.patch
@@ -0,0 +1,1832 @@
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index ad3e80e..d18bbac 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -147,7 +147,7 @@ tcp_adv_win_scale - INTEGER
+ 	(if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale),
+ 	if it is <= 0.
+ 	Possible values are [-31, 31], inclusive.
+-	Default: 2
++	Default: 1
+ 
+ tcp_allowed_congestion_control - STRING
+ 	Show/set the congestion control choices available to non-privileged
+@@ -410,7 +410,7 @@ tcp_rmem - vector of 3 INTEGERs: min, default, max
+ 	net.core.rmem_max.  Calling setsockopt() with SO_RCVBUF disables
+ 	automatic tuning of that socket's receive buffer size, in which
+ 	case this value is ignored.
+-	Default: between 87380B and 4MB, depending on RAM size.
++	Default: between 87380B and 6MB, depending on RAM size.
+ 
+ tcp_sack - BOOLEAN
+ 	Enable select acknowledgments (SACKS).
+diff --git a/Makefile b/Makefile
+index 64615e9..9cd6941 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 3
+-SUBLEVEL = 5
++SUBLEVEL = 6
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+ 
+diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
+index ede6443..f5ce8ab 100644
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -905,27 +905,14 @@ long arch_ptrace(struct task_struct *child, long request,
+ 	return ret;
+ }
+ 
+-#ifdef __ARMEB__
+-#define AUDIT_ARCH_NR AUDIT_ARCH_ARMEB
+-#else
+-#define AUDIT_ARCH_NR AUDIT_ARCH_ARM
+-#endif
+-
+ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno)
+ {
+ 	unsigned long ip;
+ 
+-	/*
+-	 * Save IP.  IP is used to denote syscall entry/exit:
+-	 *  IP = 0 -> entry, = 1 -> exit
+-	 */
+-	ip = regs->ARM_ip;
+-	regs->ARM_ip = why;
+-
+-	if (!ip)
++	if (why)
+ 		audit_syscall_exit(regs);
+ 	else
+-		audit_syscall_entry(AUDIT_ARCH_NR, scno, regs->ARM_r0,
++		audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0,
+ 				    regs->ARM_r1, regs->ARM_r2, regs->ARM_r3);
+ 
+ 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
+@@ -935,6 +922,13 @@ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno)
+ 
+ 	current_thread_info()->syscall = scno;
+ 
++	/*
++	 * IP is used to denote syscall entry/exit:
++	 * IP = 0 -> entry, =1 -> exit
++	 */
++	ip = regs->ARM_ip;
++	regs->ARM_ip = why;
++
+ 	/* the 0x80 provides a way for the tracing parent to distinguish
+ 	   between a syscall stop and SIGTRAP delivery */
+ 	ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD)
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index cdeb727..31c2567 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -255,8 +255,6 @@ asmlinkage void __cpuinit secondary_start_kernel(void)
+ 	struct mm_struct *mm = &init_mm;
+ 	unsigned int cpu = smp_processor_id();
+ 
+-	printk("CPU%u: Booted secondary processor\n", cpu);
+-
+ 	/*
+ 	 * All kernel threads share the same mm context; grab a
+ 	 * reference and switch to it.
+@@ -268,6 +266,8 @@ asmlinkage void __cpuinit secondary_start_kernel(void)
+ 	enter_lazy_tlb(mm, current);
+ 	local_flush_tlb_all();
+ 
++	printk("CPU%u: Booted secondary processor\n", cpu);
++
+ 	cpu_init();
+ 	preempt_disable();
+ 	trace_hardirqs_off();
+diff --git a/arch/arm/kernel/sys_arm.c b/arch/arm/kernel/sys_arm.c
+index d2b1779..76cbb05 100644
+--- a/arch/arm/kernel/sys_arm.c
++++ b/arch/arm/kernel/sys_arm.c
+@@ -115,7 +115,7 @@ int kernel_execve(const char *filename,
+ 		  "Ir" (THREAD_START_SP - sizeof(regs)),
+ 		  "r" (&regs),
+ 		  "Ir" (sizeof(regs))
+-		: "r0", "r1", "r2", "r3", "ip", "lr", "memory");
++		: "r0", "r1", "r2", "r3", "r8", "r9", "ip", "lr", "memory");
+ 
+  out:
+ 	return ret;
+diff --git a/arch/arm/mach-omap2/include/mach/ctrl_module_pad_core_44xx.h b/arch/arm/mach-omap2/include/mach/ctrl_module_pad_core_44xx.h
+index 1e2d332..c88420d 100644
+--- a/arch/arm/mach-omap2/include/mach/ctrl_module_pad_core_44xx.h
++++ b/arch/arm/mach-omap2/include/mach/ctrl_module_pad_core_44xx.h
+@@ -941,10 +941,10 @@
+ #define OMAP4_DSI2_LANEENABLE_MASK				(0x7 << 29)
+ #define OMAP4_DSI1_LANEENABLE_SHIFT				24
+ #define OMAP4_DSI1_LANEENABLE_MASK				(0x1f << 24)
+-#define OMAP4_DSI2_PIPD_SHIFT					19
+-#define OMAP4_DSI2_PIPD_MASK					(0x1f << 19)
+-#define OMAP4_DSI1_PIPD_SHIFT					14
+-#define OMAP4_DSI1_PIPD_MASK					(0x1f << 14)
++#define OMAP4_DSI1_PIPD_SHIFT					19
++#define OMAP4_DSI1_PIPD_MASK					(0x1f << 19)
++#define OMAP4_DSI2_PIPD_SHIFT					14
++#define OMAP4_DSI2_PIPD_MASK					(0x1f << 14)
+ 
+ /* CONTROL_MCBSPLP */
+ #define OMAP4_ALBCTRLRX_FSX_SHIFT				31
+diff --git a/arch/arm/mach-orion5x/mpp.h b/arch/arm/mach-orion5x/mpp.h
+index eac6897..db70e79 100644
+--- a/arch/arm/mach-orion5x/mpp.h
++++ b/arch/arm/mach-orion5x/mpp.h
+@@ -65,8 +65,8 @@
+ #define MPP8_GIGE               MPP(8,  0x1, 0, 0, 1,   1,   1)
+ 
+ #define MPP9_UNUSED		MPP(9,  0x0, 0, 0, 1,   1,   1)
+-#define MPP9_GPIO		MPP(9,  0x0, 0, 0, 1,   1,   1)
+-#define MPP9_GIGE               MPP(9,  0x1, 1, 1, 1,   1,   1)
++#define MPP9_GPIO		MPP(9,  0x0, 1, 1, 1,   1,   1)
++#define MPP9_GIGE               MPP(9,  0x1, 0, 0, 1,   1,   1)
+ 
+ #define MPP10_UNUSED		MPP(10, 0x0, 0, 0, 1,   1,   1)
+ #define MPP10_GPIO		MPP(10, 0x0, 1, 1, 1,   1,   1)
+diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
+index b1e192b..db7bcc0 100644
+--- a/arch/arm/mm/cache-l2x0.c
++++ b/arch/arm/mm/cache-l2x0.c
+@@ -32,6 +32,7 @@ static void __iomem *l2x0_base;
+ static DEFINE_RAW_SPINLOCK(l2x0_lock);
+ static uint32_t l2x0_way_mask;	/* Bitmask of active ways */
+ static uint32_t l2x0_size;
++static unsigned long sync_reg_offset = L2X0_CACHE_SYNC;
+ 
+ struct l2x0_regs l2x0_saved_regs;
+ 
+@@ -61,12 +62,7 @@ static inline void cache_sync(void)
+ {
+ 	void __iomem *base = l2x0_base;
+ 
+-#ifdef CONFIG_PL310_ERRATA_753970
+-	/* write to an unmmapped register */
+-	writel_relaxed(0, base + L2X0_DUMMY_REG);
+-#else
+-	writel_relaxed(0, base + L2X0_CACHE_SYNC);
+-#endif
++	writel_relaxed(0, base + sync_reg_offset);
+ 	cache_wait(base + L2X0_CACHE_SYNC, 1);
+ }
+ 
+@@ -85,10 +81,13 @@ static inline void l2x0_inv_line(unsigned long addr)
+ }
+ 
+ #if defined(CONFIG_PL310_ERRATA_588369) || defined(CONFIG_PL310_ERRATA_727915)
++static inline void debug_writel(unsigned long val)
++{
++	if (outer_cache.set_debug)
++		outer_cache.set_debug(val);
++}
+ 
+-#define debug_writel(val)	outer_cache.set_debug(val)
+-
+-static void l2x0_set_debug(unsigned long val)
++static void pl310_set_debug(unsigned long val)
+ {
+ 	writel_relaxed(val, l2x0_base + L2X0_DEBUG_CTRL);
+ }
+@@ -98,7 +97,7 @@ static inline void debug_writel(unsigned long val)
+ {
+ }
+ 
+-#define l2x0_set_debug	NULL
++#define pl310_set_debug	NULL
+ #endif
+ 
+ #ifdef CONFIG_PL310_ERRATA_588369
+@@ -331,6 +330,11 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask)
+ 		else
+ 			ways = 8;
+ 		type = "L310";
++#ifdef CONFIG_PL310_ERRATA_753970
++		/* Unmapped register. */
++		sync_reg_offset = L2X0_DUMMY_REG;
++#endif
++		outer_cache.set_debug = pl310_set_debug;
+ 		break;
+ 	case L2X0_CACHE_ID_PART_L210:
+ 		ways = (aux >> 13) & 0xf;
+@@ -379,7 +383,6 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask)
+ 	outer_cache.flush_all = l2x0_flush_all;
+ 	outer_cache.inv_all = l2x0_inv_all;
+ 	outer_cache.disable = l2x0_disable;
+-	outer_cache.set_debug = l2x0_set_debug;
+ 
+ 	printk(KERN_INFO "%s cache controller enabled\n", type);
+ 	printk(KERN_INFO "l2x0: %d ways, CACHE_ID 0x%08x, AUX_CTRL 0x%08x, Cache size: %d B\n",
+diff --git a/arch/ia64/kvm/kvm-ia64.c b/arch/ia64/kvm/kvm-ia64.c
+index 4050520..8c25855 100644
+--- a/arch/ia64/kvm/kvm-ia64.c
++++ b/arch/ia64/kvm/kvm-ia64.c
+@@ -1169,6 +1169,11 @@ out:
+ 
+ #define PALE_RESET_ENTRY    0x80000000ffffffb0UL
+ 
++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
++{
++	return irqchip_in_kernel(vcpu->kcm) == (vcpu->arch.apic != NULL);
++}
++
+ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+ {
+ 	struct kvm_vcpu *v;
+diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
+index 0243454..a5f6eff 100644
+--- a/arch/s390/kvm/intercept.c
++++ b/arch/s390/kvm/intercept.c
+@@ -133,13 +133,6 @@ static int handle_stop(struct kvm_vcpu *vcpu)
+ 
+ 	vcpu->stat.exit_stop_request++;
+ 	spin_lock_bh(&vcpu->arch.local_int.lock);
+-	if (vcpu->arch.local_int.action_bits & ACTION_STORE_ON_STOP) {
+-		vcpu->arch.local_int.action_bits &= ~ACTION_STORE_ON_STOP;
+-		rc = kvm_s390_vcpu_store_status(vcpu,
+-						  KVM_S390_STORE_STATUS_NOADDR);
+-		if (rc >= 0)
+-			rc = -EOPNOTSUPP;
+-	}
+ 
+ 	if (vcpu->arch.local_int.action_bits & ACTION_RELOADVCPU_ON_STOP) {
+ 		vcpu->arch.local_int.action_bits &= ~ACTION_RELOADVCPU_ON_STOP;
+@@ -155,7 +148,18 @@ static int handle_stop(struct kvm_vcpu *vcpu)
+ 		rc = -EOPNOTSUPP;
+ 	}
+ 
+-	spin_unlock_bh(&vcpu->arch.local_int.lock);
++	if (vcpu->arch.local_int.action_bits & ACTION_STORE_ON_STOP) {
++		vcpu->arch.local_int.action_bits &= ~ACTION_STORE_ON_STOP;
++		/* store status must be called unlocked. Since local_int.lock
++		 * only protects local_int.* and not guest memory we can give
++		 * up the lock here */
++		spin_unlock_bh(&vcpu->arch.local_int.lock);
++		rc = kvm_s390_vcpu_store_status(vcpu,
++						KVM_S390_STORE_STATUS_NOADDR);
++		if (rc >= 0)
++			rc = -EOPNOTSUPP;
++	} else
++		spin_unlock_bh(&vcpu->arch.local_int.lock);
+ 	return rc;
+ }
+ 
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index d1c44573..d3cb86c 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -418,7 +418,7 @@ int kvm_arch_vcpu_ioctl_get_sregs(struct kvm_vcpu *vcpu,
+ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+ {
+ 	memcpy(&vcpu->arch.guest_fpregs.fprs, &fpu->fprs, sizeof(fpu->fprs));
+-	vcpu->arch.guest_fpregs.fpc = fpu->fpc;
++	vcpu->arch.guest_fpregs.fpc = fpu->fpc & FPC_VALID_MASK;
+ 	restore_fp_regs(&vcpu->arch.guest_fpregs);
+ 	return 0;
+ }
+diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c
+index 89bbf4e..e77f4e4 100644
+--- a/arch/x86/boot/compressed/relocs.c
++++ b/arch/x86/boot/compressed/relocs.c
+@@ -402,13 +402,11 @@ static void print_absolute_symbols(void)
+ 	for (i = 0; i < ehdr.e_shnum; i++) {
+ 		struct section *sec = &secs[i];
+ 		char *sym_strtab;
+-		Elf32_Sym *sh_symtab;
+ 		int j;
+ 
+ 		if (sec->shdr.sh_type != SHT_SYMTAB) {
+ 			continue;
+ 		}
+-		sh_symtab = sec->symtab;
+ 		sym_strtab = sec->link->strtab;
+ 		for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Sym); j++) {
+ 			Elf32_Sym *sym;
+diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
+index 71f4727..5a98aa2 100644
+--- a/arch/x86/kernel/setup_percpu.c
++++ b/arch/x86/kernel/setup_percpu.c
+@@ -185,10 +185,22 @@ void __init setup_per_cpu_areas(void)
+ #endif
+ 	rc = -EINVAL;
+ 	if (pcpu_chosen_fc != PCPU_FC_PAGE) {
+-		const size_t atom_size = cpu_has_pse ? PMD_SIZE : PAGE_SIZE;
+ 		const size_t dyn_size = PERCPU_MODULE_RESERVE +
+ 			PERCPU_DYNAMIC_RESERVE - PERCPU_FIRST_CHUNK_RESERVE;
++		size_t atom_size;
+ 
++		/*
++		 * On 64bit, use PMD_SIZE for atom_size so that embedded
++		 * percpu areas are aligned to PMD.  This, in the future,
++		 * can also allow using PMD mappings in vmalloc area.  Use
++		 * PAGE_SIZE on 32bit as vmalloc space is highly contended
++		 * and large vmalloc area allocs can easily fail.
++		 */
++#ifdef CONFIG_X86_64
++		atom_size = PMD_SIZE;
++#else
++		atom_size = PAGE_SIZE;
++#endif
+ 		rc = pcpu_embed_first_chunk(PERCPU_FIRST_CHUNK_RESERVE,
+ 					    dyn_size, atom_size,
+ 					    pcpu_cpu_distance,
+diff --git a/arch/x86/kvm/pmu.c b/arch/x86/kvm/pmu.c
+index 7aad544..3e48c1d 100644
+--- a/arch/x86/kvm/pmu.c
++++ b/arch/x86/kvm/pmu.c
+@@ -413,7 +413,7 @@ int kvm_pmu_read_pmc(struct kvm_vcpu *vcpu, unsigned pmc, u64 *data)
+ 	struct kvm_pmc *counters;
+ 	u64 ctr;
+ 
+-	pmc &= (3u << 30) - 1;
++	pmc &= ~(3u << 30);
+ 	if (!fixed && pmc >= pmu->nr_arch_gp_counters)
+ 		return 1;
+ 	if (fixed && pmc >= pmu->nr_arch_fixed_counters)
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 3b4c8d8..a7a6f60 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1678,7 +1678,7 @@ static int nested_pf_handled(struct kvm_vcpu *vcpu)
+ 	struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+ 
+ 	/* TODO: also check PFEC_MATCH/MASK, not just EB.PF. */
+-	if (!(vmcs12->exception_bitmap & PF_VECTOR))
++	if (!(vmcs12->exception_bitmap & (1u << PF_VECTOR)))
+ 		return 0;
+ 
+ 	nested_vmx_vmexit(vcpu);
+@@ -2219,6 +2219,12 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
+ 		msr = find_msr_entry(vmx, msr_index);
+ 		if (msr) {
+ 			msr->data = data;
++			if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
++				preempt_disable();
++				kvm_set_shared_msr(msr->index, msr->data,
++						   msr->mask);
++				preempt_enable();
++			}
+ 			break;
+ 		}
+ 		ret = kvm_set_msr_common(vcpu, msr_index, data);
+@@ -3915,7 +3921,9 @@ static int vmx_vcpu_reset(struct kvm_vcpu *vcpu)
+ 		vmcs_write16(VIRTUAL_PROCESSOR_ID, vmx->vpid);
+ 
+ 	vmx->vcpu.arch.cr0 = X86_CR0_NW | X86_CR0_CD | X86_CR0_ET;
++	vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
+ 	vmx_set_cr0(&vmx->vcpu, kvm_read_cr0(vcpu)); /* enter rmode */
++	srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
+ 	vmx_set_cr4(&vmx->vcpu, 0);
+ 	vmx_set_efer(&vmx->vcpu, 0);
+ 	vmx_fpu_activate(&vmx->vcpu);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 9cbfc06..8d1c6c6 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2997,6 +2997,8 @@ static void write_protect_slot(struct kvm *kvm,
+ 			       unsigned long *dirty_bitmap,
+ 			       unsigned long nr_dirty_pages)
+ {
++	spin_lock(&kvm->mmu_lock);
++
+ 	/* Not many dirty pages compared to # of shadow pages. */
+ 	if (nr_dirty_pages < kvm->arch.n_used_mmu_pages) {
+ 		unsigned long gfn_offset;
+@@ -3004,16 +3006,13 @@ static void write_protect_slot(struct kvm *kvm,
+ 		for_each_set_bit(gfn_offset, dirty_bitmap, memslot->npages) {
+ 			unsigned long gfn = memslot->base_gfn + gfn_offset;
+ 
+-			spin_lock(&kvm->mmu_lock);
+ 			kvm_mmu_rmap_write_protect(kvm, gfn, memslot);
+-			spin_unlock(&kvm->mmu_lock);
+ 		}
+ 		kvm_flush_remote_tlbs(kvm);
+-	} else {
+-		spin_lock(&kvm->mmu_lock);
++	} else
+ 		kvm_mmu_slot_remove_write_access(kvm, memslot->id);
+-		spin_unlock(&kvm->mmu_lock);
+-	}
++
++	spin_unlock(&kvm->mmu_lock);
+ }
+ 
+ /*
+@@ -3132,6 +3131,9 @@ long kvm_arch_vm_ioctl(struct file *filp,
+ 		r = -EEXIST;
+ 		if (kvm->arch.vpic)
+ 			goto create_irqchip_unlock;
++		r = -EINVAL;
++		if (atomic_read(&kvm->online_vcpus))
++			goto create_irqchip_unlock;
+ 		r = -ENOMEM;
+ 		vpic = kvm_create_pic(kvm);
+ 		if (vpic) {
+@@ -5957,6 +5959,11 @@ void kvm_arch_check_processor_compat(void *rtn)
+ 	kvm_x86_ops->check_processor_compatibility(rtn);
+ }
+ 
++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
++{
++	return irqchip_in_kernel(vcpu->kvm) == (vcpu->arch.apic != NULL);
++}
++
+ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+ {
+ 	struct page *page;
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 4172af8..4e517d4 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -62,6 +62,7 @@
+ #include <asm/reboot.h>
+ #include <asm/stackprotector.h>
+ #include <asm/hypervisor.h>
++#include <asm/pci_x86.h>
+ 
+ #include "xen-ops.h"
+ #include "mmu.h"
+@@ -1274,8 +1275,10 @@ asmlinkage void __init xen_start_kernel(void)
+ 		/* Make sure ACS will be enabled */
+ 		pci_request_acs();
+ 	}
+-		
+-
++#ifdef CONFIG_PCI
++	/* PCI BIOS service won't work from a PV guest. */
++	pci_probe &= ~PCI_PROBE_BIOS;
++#endif
+ 	xen_raw_console_write("about to get started...\n");
+ 
+ 	xen_setup_runstate_info(0);
+diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
+index 95c1cf6..dc19347 100644
+--- a/arch/x86/xen/mmu.c
++++ b/arch/x86/xen/mmu.c
+@@ -353,8 +353,13 @@ static pteval_t pte_mfn_to_pfn(pteval_t val)
+ {
+ 	if (val & _PAGE_PRESENT) {
+ 		unsigned long mfn = (val & PTE_PFN_MASK) >> PAGE_SHIFT;
++		unsigned long pfn = mfn_to_pfn(mfn);
++
+ 		pteval_t flags = val & PTE_FLAGS_MASK;
+-		val = ((pteval_t)mfn_to_pfn(mfn) << PAGE_SHIFT) | flags;
++		if (unlikely(pfn == ~0))
++			val = flags & ~_PAGE_PRESENT;
++		else
++			val = ((pteval_t)pfn << PAGE_SHIFT) | flags;
+ 	}
+ 
+ 	return val;
+diff --git a/drivers/block/mtip32xx/Kconfig b/drivers/block/mtip32xx/Kconfig
+index b5dd14e..0ba837f 100644
+--- a/drivers/block/mtip32xx/Kconfig
++++ b/drivers/block/mtip32xx/Kconfig
+@@ -4,6 +4,6 @@
+ 
+ config BLK_DEV_PCIESSD_MTIP32XX
+ 	tristate "Block Device Driver for Micron PCIe SSDs"
+-	depends on HOTPLUG_PCI_PCIE
++	depends on PCI
+ 	help
+           This enables the block driver for Micron PCIe SSDs.
+diff --git a/drivers/block/mtip32xx/mtip32xx.c b/drivers/block/mtip32xx/mtip32xx.c
+index 8eb81c9..c37073d 100644
+--- a/drivers/block/mtip32xx/mtip32xx.c
++++ b/drivers/block/mtip32xx/mtip32xx.c
+@@ -422,6 +422,10 @@ static void mtip_init_port(struct mtip_port *port)
+ 	/* Clear any pending interrupts for this port */
+ 	writel(readl(port->mmio + PORT_IRQ_STAT), port->mmio + PORT_IRQ_STAT);
+ 
++	/* Clear any pending interrupts on the HBA. */
++	writel(readl(port->dd->mmio + HOST_IRQ_STAT),
++					port->dd->mmio + HOST_IRQ_STAT);
++
+ 	/* Enable port interrupts */
+ 	writel(DEF_PORT_IRQ, port->mmio + PORT_IRQ_MASK);
+ }
+@@ -490,11 +494,9 @@ static void mtip_restart_port(struct mtip_port *port)
+ 		dev_warn(&port->dd->pdev->dev,
+ 			"COM reset failed\n");
+ 
+-	/* Clear SError, the PxSERR.DIAG.x should be set so clear it */
+-	writel(readl(port->mmio + PORT_SCR_ERR), port->mmio + PORT_SCR_ERR);
++	mtip_init_port(port);
++	mtip_start_port(port);
+ 
+-	/* Enable the DMA engine */
+-	mtip_enable_engine(port, 1);
+ }
+ 
+ /*
+@@ -3359,9 +3361,6 @@ static int mtip_pci_probe(struct pci_dev *pdev,
+ 		return -ENOMEM;
+ 	}
+ 
+-	/* Set the atomic variable as 1 in case of SRSI */
+-	atomic_set(&dd->drv_cleanup_done, true);
+-
+ 	atomic_set(&dd->resumeflag, false);
+ 
+ 	/* Attach the private data to this PCI device.  */
+@@ -3434,8 +3433,8 @@ iomap_err:
+ 	pci_set_drvdata(pdev, NULL);
+ 	return rv;
+ done:
+-	/* Set the atomic variable as 0 in case of SRSI */
+-	atomic_set(&dd->drv_cleanup_done, true);
++	/* Set the atomic variable as 0 */
++	atomic_set(&dd->drv_cleanup_done, false);
+ 
+ 	return rv;
+ }
+@@ -3463,8 +3462,6 @@ static void mtip_pci_remove(struct pci_dev *pdev)
+ 			}
+ 		}
+ 	}
+-	/* Set the atomic variable as 1 in case of SRSI */
+-	atomic_set(&dd->drv_cleanup_done, true);
+ 
+ 	/* Clean up the block layer. */
+ 	mtip_block_remove(dd);
+@@ -3608,18 +3605,25 @@ MODULE_DEVICE_TABLE(pci, mtip_pci_tbl);
+  */
+ static int __init mtip_init(void)
+ {
++	int error;
++
+ 	printk(KERN_INFO MTIP_DRV_NAME " Version " MTIP_DRV_VERSION "\n");
+ 
+ 	/* Allocate a major block device number to use with this driver. */
+-	mtip_major = register_blkdev(0, MTIP_DRV_NAME);
+-	if (mtip_major < 0) {
++	error = register_blkdev(0, MTIP_DRV_NAME);
++	if (error <= 0) {
+ 		printk(KERN_ERR "Unable to register block device (%d)\n",
+-		mtip_major);
++		error);
+ 		return -EBUSY;
+ 	}
++	mtip_major = error;
+ 
+ 	/* Register our PCI operations. */
+-	return pci_register_driver(&mtip_pci_driver);
++	error = pci_register_driver(&mtip_pci_driver);
++	if (error)
++		unregister_blkdev(mtip_major, MTIP_DRV_NAME);
++
++	return error;
+ }
+ 
+ /*
+diff --git a/drivers/gpu/drm/i915/intel_hdmi.c b/drivers/gpu/drm/i915/intel_hdmi.c
+index 64541f7..9cd81ba 100644
+--- a/drivers/gpu/drm/i915/intel_hdmi.c
++++ b/drivers/gpu/drm/i915/intel_hdmi.c
+@@ -136,7 +136,7 @@ static void i9xx_write_infoframe(struct drm_encoder *encoder,
+ 
+ 	val &= ~VIDEO_DIP_SELECT_MASK;
+ 
+-	I915_WRITE(VIDEO_DIP_CTL, val | port | flags);
++	I915_WRITE(VIDEO_DIP_CTL, VIDEO_DIP_ENABLE | val | port | flags);
+ 
+ 	for (i = 0; i < len; i += 4) {
+ 		I915_WRITE(VIDEO_DIP_DATA, *data);
+diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c
+index 99f71af..6753f59 100644
+--- a/drivers/gpu/drm/i915/intel_ringbuffer.c
++++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
+@@ -414,10 +414,8 @@ static int init_render_ring(struct intel_ring_buffer *ring)
+ 			return ret;
+ 	}
+ 
+-	if (INTEL_INFO(dev)->gen >= 6) {
+-		I915_WRITE(INSTPM,
+-			   INSTPM_FORCE_ORDERING << 16 | INSTPM_FORCE_ORDERING);
+ 
++	if (IS_GEN6(dev)) {
+ 		/* From the Sandybridge PRM, volume 1 part 3, page 24:
+ 		 * "If this bit is set, STCunit will have LRA as replacement
+ 		 *  policy. [...] This bit must be reset.  LRA replacement
+@@ -427,6 +425,11 @@ static int init_render_ring(struct intel_ring_buffer *ring)
+ 			   CM0_STC_EVICT_DISABLE_LRA_SNB << CM0_MASK_SHIFT);
+ 	}
+ 
++	if (INTEL_INFO(dev)->gen >= 6) {
++		I915_WRITE(INSTPM,
++			   INSTPM_FORCE_ORDERING << 16 | INSTPM_FORCE_ORDERING);
++	}
++
+ 	return ret;
+ }
+ 
+diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
+index 0a877dd..8eddcca 100644
+--- a/drivers/gpu/drm/i915/intel_sdvo.c
++++ b/drivers/gpu/drm/i915/intel_sdvo.c
+@@ -1221,8 +1221,14 @@ static bool intel_sdvo_get_capabilities(struct intel_sdvo *intel_sdvo, struct in
+ 
+ static int intel_sdvo_supports_hotplug(struct intel_sdvo *intel_sdvo)
+ {
++	struct drm_device *dev = intel_sdvo->base.base.dev;
+ 	u8 response[2];
+ 
++	/* HW Erratum: SDVO Hotplug is broken on all i945G chips, there's noise
++	 * on the line. */
++	if (IS_I945G(dev) || IS_I945GM(dev))
++		return false;
++
+ 	return intel_sdvo_get_value(intel_sdvo, SDVO_CMD_GET_HOT_PLUG_SUPPORT,
+ 				    &response, 2) && response[0];
+ }
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index 83047783..ecbd765 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -879,8 +879,13 @@ static inline unsigned int tg3_has_work(struct tg3_napi *tnapi)
+ 		if (sblk->status & SD_STATUS_LINK_CHG)
+ 			work_exists = 1;
+ 	}
+-	/* check for RX/TX work to do */
+-	if (sblk->idx[0].tx_consumer != tnapi->tx_cons ||
++
++	/* check for TX work to do */
++	if (sblk->idx[0].tx_consumer != tnapi->tx_cons)
++		work_exists = 1;
++
++	/* check for RX work to do */
++	if (tnapi->rx_rcb_prod_idx &&
+ 	    *(tnapi->rx_rcb_prod_idx) != tnapi->rx_rcb_ptr)
+ 		work_exists = 1;
+ 
+@@ -5877,6 +5882,9 @@ static int tg3_poll_work(struct tg3_napi *tnapi, int work_done, int budget)
+ 			return work_done;
+ 	}
+ 
++	if (!tnapi->rx_rcb_prod_idx)
++		return work_done;
++
+ 	/* run RX thread, within the bounds set by NAPI.
+ 	 * All RX "locking" is done by ensuring outside
+ 	 * code synchronizes with tg3->napi.poll()
+@@ -7428,6 +7436,12 @@ static int tg3_alloc_consistent(struct tg3 *tp)
+ 		 */
+ 		switch (i) {
+ 		default:
++			if (tg3_flag(tp, ENABLE_RSS)) {
++				tnapi->rx_rcb_prod_idx = NULL;
++				break;
++			}
++			/* Fall through */
++		case 1:
+ 			tnapi->rx_rcb_prod_idx = &sblk->idx[0].rx_producer;
+ 			break;
+ 		case 2:
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
+index d94d64b..b444f21 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -164,6 +164,8 @@ static int e1000_82547_fifo_workaround(struct e1000_adapter *adapter,
+ static bool e1000_vlan_used(struct e1000_adapter *adapter);
+ static void e1000_vlan_mode(struct net_device *netdev,
+ 			    netdev_features_t features);
++static void e1000_vlan_filter_on_off(struct e1000_adapter *adapter,
++				     bool filter_on);
+ static int e1000_vlan_rx_add_vid(struct net_device *netdev, u16 vid);
+ static int e1000_vlan_rx_kill_vid(struct net_device *netdev, u16 vid);
+ static void e1000_restore_vlan(struct e1000_adapter *adapter);
+@@ -1213,7 +1215,7 @@ static int __devinit e1000_probe(struct pci_dev *pdev,
+ 	if (err)
+ 		goto err_register;
+ 
+-	e1000_vlan_mode(netdev, netdev->features);
++	e1000_vlan_filter_on_off(adapter, false);
+ 
+ 	/* print bus type/speed/width info */
+ 	e_info(probe, "(PCI%s:%dMHz:%d-bit) %pM\n",
+@@ -4549,6 +4551,22 @@ static bool e1000_vlan_used(struct e1000_adapter *adapter)
+ 	return false;
+ }
+ 
++static void __e1000_vlan_mode(struct e1000_adapter *adapter,
++			      netdev_features_t features)
++{
++	struct e1000_hw *hw = &adapter->hw;
++	u32 ctrl;
++
++	ctrl = er32(CTRL);
++	if (features & NETIF_F_HW_VLAN_RX) {
++		/* enable VLAN tag insert/strip */
++		ctrl |= E1000_CTRL_VME;
++	} else {
++		/* disable VLAN tag insert/strip */
++		ctrl &= ~E1000_CTRL_VME;
++	}
++	ew32(CTRL, ctrl);
++}
+ static void e1000_vlan_filter_on_off(struct e1000_adapter *adapter,
+ 				     bool filter_on)
+ {
+@@ -4558,6 +4576,7 @@ static void e1000_vlan_filter_on_off(struct e1000_adapter *adapter,
+ 	if (!test_bit(__E1000_DOWN, &adapter->flags))
+ 		e1000_irq_disable(adapter);
+ 
++	__e1000_vlan_mode(adapter, adapter->netdev->features);
+ 	if (filter_on) {
+ 		/* enable VLAN receive filtering */
+ 		rctl = er32(RCTL);
+@@ -4578,24 +4597,14 @@ static void e1000_vlan_filter_on_off(struct e1000_adapter *adapter,
+ }
+ 
+ static void e1000_vlan_mode(struct net_device *netdev,
+-	netdev_features_t features)
++			    netdev_features_t features)
+ {
+ 	struct e1000_adapter *adapter = netdev_priv(netdev);
+-	struct e1000_hw *hw = &adapter->hw;
+-	u32 ctrl;
+ 
+ 	if (!test_bit(__E1000_DOWN, &adapter->flags))
+ 		e1000_irq_disable(adapter);
+ 
+-	ctrl = er32(CTRL);
+-	if (features & NETIF_F_HW_VLAN_RX) {
+-		/* enable VLAN tag insert/strip */
+-		ctrl |= E1000_CTRL_VME;
+-	} else {
+-		/* disable VLAN tag insert/strip */
+-		ctrl &= ~E1000_CTRL_VME;
+-	}
+-	ew32(CTRL, ctrl);
++	__e1000_vlan_mode(adapter, features);
+ 
+ 	if (!test_bit(__E1000_DOWN, &adapter->flags))
+ 		e1000_irq_enable(adapter);
+diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
+index ec6136f..1d04182 100644
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -2483,8 +2483,13 @@ static struct sk_buff *receive_copy(struct sky2_port *sky2,
+ 		skb_copy_from_linear_data(re->skb, skb->data, length);
+ 		skb->ip_summed = re->skb->ip_summed;
+ 		skb->csum = re->skb->csum;
++		skb->rxhash = re->skb->rxhash;
++		skb->vlan_tci = re->skb->vlan_tci;
++
+ 		pci_dma_sync_single_for_device(sky2->hw->pdev, re->data_addr,
+ 					       length, PCI_DMA_FROMDEVICE);
++		re->skb->vlan_tci = 0;
++		re->skb->rxhash = 0;
+ 		re->skb->ip_summed = CHECKSUM_NONE;
+ 		skb_put(skb, length);
+ 	}
+@@ -2569,9 +2574,6 @@ static struct sk_buff *sky2_receive(struct net_device *dev,
+ 	struct sk_buff *skb = NULL;
+ 	u16 count = (status & GMR_FS_LEN) >> 16;
+ 
+-	if (status & GMR_FS_VLAN)
+-		count -= VLAN_HLEN;	/* Account for vlan tag */
+-
+ 	netif_printk(sky2, rx_status, KERN_DEBUG, dev,
+ 		     "rx slot %u status 0x%x len %d\n",
+ 		     sky2->rx_next, status, length);
+@@ -2579,6 +2581,9 @@ static struct sk_buff *sky2_receive(struct net_device *dev,
+ 	sky2->rx_next = (sky2->rx_next + 1) % sky2->rx_pending;
+ 	prefetch(sky2->rx_ring + sky2->rx_next);
+ 
++	if (vlan_tx_tag_present(re->skb))
++		count -= VLAN_HLEN;	/* Account for vlan tag */
++
+ 	/* This chip has hardware problems that generates bogus status.
+ 	 * So do only marginal checking and expect higher level protocols
+ 	 * to handle crap frames.
+@@ -2636,11 +2641,8 @@ static inline void sky2_tx_done(struct net_device *dev, u16 last)
+ }
+ 
+ static inline void sky2_skb_rx(const struct sky2_port *sky2,
+-			       u32 status, struct sk_buff *skb)
++			       struct sk_buff *skb)
+ {
+-	if (status & GMR_FS_VLAN)
+-		__vlan_hwaccel_put_tag(skb, be16_to_cpu(sky2->rx_tag));
+-
+ 	if (skb->ip_summed == CHECKSUM_NONE)
+ 		netif_receive_skb(skb);
+ 	else
+@@ -2694,6 +2696,14 @@ static void sky2_rx_checksum(struct sky2_port *sky2, u32 status)
+ 	}
+ }
+ 
++static void sky2_rx_tag(struct sky2_port *sky2, u16 length)
++{
++	struct sk_buff *skb;
++
++	skb = sky2->rx_ring[sky2->rx_next].skb;
++	__vlan_hwaccel_put_tag(skb, be16_to_cpu(length));
++}
++
+ static void sky2_rx_hash(struct sky2_port *sky2, u32 status)
+ {
+ 	struct sk_buff *skb;
+@@ -2752,8 +2762,7 @@ static int sky2_status_intr(struct sky2_hw *hw, int to_do, u16 idx)
+ 			}
+ 
+ 			skb->protocol = eth_type_trans(skb, dev);
+-
+-			sky2_skb_rx(sky2, status, skb);
++			sky2_skb_rx(sky2, skb);
+ 
+ 			/* Stop after net poll weight */
+ 			if (++work_done >= to_do)
+@@ -2761,11 +2770,11 @@ static int sky2_status_intr(struct sky2_hw *hw, int to_do, u16 idx)
+ 			break;
+ 
+ 		case OP_RXVLAN:
+-			sky2->rx_tag = length;
++			sky2_rx_tag(sky2, length);
+ 			break;
+ 
+ 		case OP_RXCHKSVLAN:
+-			sky2->rx_tag = length;
++			sky2_rx_tag(sky2, length);
+ 			/* fall through */
+ 		case OP_RXCHKS:
+ 			if (likely(dev->features & NETIF_F_RXCSUM))
+diff --git a/drivers/net/ethernet/marvell/sky2.h b/drivers/net/ethernet/marvell/sky2.h
+index ff6f58b..3c896ce 100644
+--- a/drivers/net/ethernet/marvell/sky2.h
++++ b/drivers/net/ethernet/marvell/sky2.h
+@@ -2241,7 +2241,6 @@ struct sky2_port {
+ 	u16		     rx_pending;
+ 	u16		     rx_data_size;
+ 	u16		     rx_nfrags;
+-	u16		     rx_tag;
+ 
+ 	struct {
+ 		unsigned long last;
+diff --git a/drivers/net/ethernet/sun/sungem.c b/drivers/net/ethernet/sun/sungem.c
+index 31441a8..d14a011 100644
+--- a/drivers/net/ethernet/sun/sungem.c
++++ b/drivers/net/ethernet/sun/sungem.c
+@@ -2340,7 +2340,7 @@ static int gem_suspend(struct pci_dev *pdev, pm_message_t state)
+ 	netif_device_detach(dev);
+ 
+ 	/* Switch off chip, remember WOL setting */
+-	gp->asleep_wol = gp->wake_on_lan;
++	gp->asleep_wol = !!gp->wake_on_lan;
+ 	gem_do_stop(dev, gp->asleep_wol);
+ 
+ 	/* Unlock the network stack */
+diff --git a/drivers/net/usb/asix.c b/drivers/net/usb/asix.c
+index d6da5ee..c7ada22 100644
+--- a/drivers/net/usb/asix.c
++++ b/drivers/net/usb/asix.c
+@@ -403,7 +403,7 @@ static struct sk_buff *asix_tx_fixup(struct usbnet *dev, struct sk_buff *skb,
+ 	u32 packet_len;
+ 	u32 padbytes = 0xffff0000;
+ 
+-	padlen = ((skb->len + 4) % 512) ? 0 : 4;
++	padlen = ((skb->len + 4) & (dev->maxpacket - 1)) ? 0 : 4;
+ 
+ 	if ((!skb_cloned(skb)) &&
+ 	    ((headroom + tailroom) >= (4 + padlen))) {
+@@ -425,7 +425,7 @@ static struct sk_buff *asix_tx_fixup(struct usbnet *dev, struct sk_buff *skb,
+ 	cpu_to_le32s(&packet_len);
+ 	skb_copy_to_linear_data(skb, &packet_len, sizeof(packet_len));
+ 
+-	if ((skb->len % 512) == 0) {
++	if (padlen) {
+ 		cpu_to_le32s(&padbytes);
+ 		memcpy(skb_tail_pointer(skb), &padbytes, sizeof(padbytes));
+ 		skb_put(skb, sizeof(padbytes));
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index d45520e..f1e77b1 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1191,7 +1191,7 @@ static const struct driver_info smsc95xx_info = {
+ 	.rx_fixup	= smsc95xx_rx_fixup,
+ 	.tx_fixup	= smsc95xx_tx_fixup,
+ 	.status		= smsc95xx_status,
+-	.flags		= FLAG_ETHER | FLAG_SEND_ZLP,
++	.flags		= FLAG_ETHER | FLAG_SEND_ZLP | FLAG_LINK_INTR,
+ };
+ 
+ static const struct usb_device_id products[] = {
+diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
+index c006dee..40c4705 100644
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -127,7 +127,7 @@ MODULE_PARM_DESC(minor,
+ 		 "default is -1 (automatic)");
+ #endif
+ 
+-static int kbd_backlight;	/* = 1 */
++static int kbd_backlight = 1;
+ module_param(kbd_backlight, int, 0444);
+ MODULE_PARM_DESC(kbd_backlight,
+ 		 "set this to 0 to disable keyboard backlight, "
+diff --git a/drivers/regulator/max8997.c b/drivers/regulator/max8997.c
+index d26e864..cf73ab2 100644
+--- a/drivers/regulator/max8997.c
++++ b/drivers/regulator/max8997.c
+@@ -689,7 +689,7 @@ static int max8997_set_voltage_buck(struct regulator_dev *rdev,
+ 		}
+ 
+ 		new_val++;
+-	} while (desc->min + desc->step + new_val <= desc->max);
++	} while (desc->min + desc->step * new_val <= desc->max);
+ 
+ 	new_idx = tmp_idx;
+ 	new_val = tmp_val;
+diff --git a/drivers/usb/gadget/udc-core.c b/drivers/usb/gadget/udc-core.c
+index ec02ed0..4e2e13e 100644
+--- a/drivers/usb/gadget/udc-core.c
++++ b/drivers/usb/gadget/udc-core.c
+@@ -211,8 +211,8 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)
+ 
+ 	if (udc_is_newstyle(udc)) {
+ 		udc->driver->disconnect(udc->gadget);
+-		udc->driver->unbind(udc->gadget);
+ 		usb_gadget_disconnect(udc->gadget);
++		udc->driver->unbind(udc->gadget);
+ 		usb_gadget_udc_stop(udc->gadget, udc->driver);
+ 	} else {
+ 		usb_gadget_stop(udc->gadget, udc->driver);
+@@ -363,9 +363,9 @@ static ssize_t usb_udc_softconn_store(struct device *dev,
+ 			usb_gadget_udc_start(udc->gadget, udc->driver);
+ 		usb_gadget_connect(udc->gadget);
+ 	} else if (sysfs_streq(buf, "disconnect")) {
++		usb_gadget_disconnect(udc->gadget);
+ 		if (udc_is_newstyle(udc))
+ 			usb_gadget_udc_stop(udc->gadget, udc->driver);
+-		usb_gadget_disconnect(udc->gadget);
+ 	} else {
+ 		dev_err(dev, "unsupported command '%s'\n", buf);
+ 		return -EINVAL;
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index cd66b76..1250bba 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -4831,8 +4831,12 @@ parse_DFS_referrals(TRANSACTION2_GET_DFS_REFER_RSP *pSMBr,
+ 		max_len = data_end - temp;
+ 		node->node_name = cifs_strndup_from_utf16(temp, max_len,
+ 						is_unicode, nls_codepage);
+-		if (!node->node_name)
++		if (!node->node_name) {
+ 			rc = -ENOMEM;
++			goto parse_DFS_referrals_exit;
++		}
++
++		ref++;
+ 	}
+ 
+ parse_DFS_referrals_exit:
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index 3645cd3..c60267e 100644
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -600,9 +600,15 @@ static int hugetlbfs_statfs(struct dentry *dentry, struct kstatfs *buf)
+ 		spin_lock(&sbinfo->stat_lock);
+ 		/* If no limits set, just report 0 for max/free/used
+ 		 * blocks, like simple_statfs() */
+-		if (sbinfo->max_blocks >= 0) {
+-			buf->f_blocks = sbinfo->max_blocks;
+-			buf->f_bavail = buf->f_bfree = sbinfo->free_blocks;
++		if (sbinfo->spool) {
++			long free_pages;
++
++			spin_lock(&sbinfo->spool->lock);
++			buf->f_blocks = sbinfo->spool->max_hpages;
++			free_pages = sbinfo->spool->max_hpages
++				- sbinfo->spool->used_hpages;
++			buf->f_bavail = buf->f_bfree = free_pages;
++			spin_unlock(&sbinfo->spool->lock);
+ 			buf->f_files = sbinfo->max_inodes;
+ 			buf->f_ffree = sbinfo->free_inodes;
+ 		}
+@@ -618,6 +624,10 @@ static void hugetlbfs_put_super(struct super_block *sb)
+ 
+ 	if (sbi) {
+ 		sb->s_fs_info = NULL;
++
++		if (sbi->spool)
++			hugepage_put_subpool(sbi->spool);
++
+ 		kfree(sbi);
+ 	}
+ }
+@@ -848,10 +858,14 @@ hugetlbfs_fill_super(struct super_block *sb, void *data, int silent)
+ 	sb->s_fs_info = sbinfo;
+ 	sbinfo->hstate = config.hstate;
+ 	spin_lock_init(&sbinfo->stat_lock);
+-	sbinfo->max_blocks = config.nr_blocks;
+-	sbinfo->free_blocks = config.nr_blocks;
+ 	sbinfo->max_inodes = config.nr_inodes;
+ 	sbinfo->free_inodes = config.nr_inodes;
++	sbinfo->spool = NULL;
++	if (config.nr_blocks != -1) {
++		sbinfo->spool = hugepage_new_subpool(config.nr_blocks);
++		if (!sbinfo->spool)
++			goto out_free;
++	}
+ 	sb->s_maxbytes = MAX_LFS_FILESIZE;
+ 	sb->s_blocksize = huge_page_size(config.hstate);
+ 	sb->s_blocksize_bits = huge_page_shift(config.hstate);
+@@ -870,38 +884,12 @@ hugetlbfs_fill_super(struct super_block *sb, void *data, int silent)
+ 	sb->s_root = root;
+ 	return 0;
+ out_free:
++	if (sbinfo->spool)
++		kfree(sbinfo->spool);
+ 	kfree(sbinfo);
+ 	return -ENOMEM;
+ }
+ 
+-int hugetlb_get_quota(struct address_space *mapping, long delta)
+-{
+-	int ret = 0;
+-	struct hugetlbfs_sb_info *sbinfo = HUGETLBFS_SB(mapping->host->i_sb);
+-
+-	if (sbinfo->free_blocks > -1) {
+-		spin_lock(&sbinfo->stat_lock);
+-		if (sbinfo->free_blocks - delta >= 0)
+-			sbinfo->free_blocks -= delta;
+-		else
+-			ret = -ENOMEM;
+-		spin_unlock(&sbinfo->stat_lock);
+-	}
+-
+-	return ret;
+-}
+-
+-void hugetlb_put_quota(struct address_space *mapping, long delta)
+-{
+-	struct hugetlbfs_sb_info *sbinfo = HUGETLBFS_SB(mapping->host->i_sb);
+-
+-	if (sbinfo->free_blocks > -1) {
+-		spin_lock(&sbinfo->stat_lock);
+-		sbinfo->free_blocks += delta;
+-		spin_unlock(&sbinfo->stat_lock);
+-	}
+-}
+-
+ static struct dentry *hugetlbfs_mount(struct file_system_type *fs_type,
+ 	int flags, const char *dev_name, void *data)
+ {
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index de3fa1a..2c1244b 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -231,17 +231,17 @@ do_open_lookup(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nfsd4_o
+ 		 */
+ 		if (open->op_createmode == NFS4_CREATE_EXCLUSIVE && status == 0)
+ 			open->op_bmval[1] = (FATTR4_WORD1_TIME_ACCESS |
+-						FATTR4_WORD1_TIME_MODIFY);
++							FATTR4_WORD1_TIME_MODIFY);
+ 	} else {
+ 		status = nfsd_lookup(rqstp, current_fh,
+ 				     open->op_fname.data, open->op_fname.len, &resfh);
+ 		fh_unlock(current_fh);
+-		if (status)
+-			goto out;
+-		status = nfsd_check_obj_isreg(&resfh);
+ 	}
+ 	if (status)
+ 		goto out;
++	status = nfsd_check_obj_isreg(&resfh);
++	if (status)
++		goto out;
+ 
+ 	if (is_create_with_attrs(open) && open->op_acl != NULL)
+ 		do_set_nfs4_acl(rqstp, &resfh, open->op_acl, open->op_bmval);
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index edf6d3e..b96fe94 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1450,7 +1450,7 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ 		switch (createmode) {
+ 		case NFS3_CREATE_UNCHECKED:
+ 			if (! S_ISREG(dchild->d_inode->i_mode))
+-				err = nfserr_exist;
++				goto out;
+ 			else if (truncp) {
+ 				/* in nfsv4, we need to treat this case a little
+ 				 * differently.  we don't want to truncate the
+diff --git a/include/asm-generic/statfs.h b/include/asm-generic/statfs.h
+index 0fd28e0..c749af9 100644
+--- a/include/asm-generic/statfs.h
++++ b/include/asm-generic/statfs.h
+@@ -15,7 +15,7 @@ typedef __kernel_fsid_t	fsid_t;
+  * with a 10' pole.
+  */
+ #ifndef __statfs_word
+-#if BITS_PER_LONG == 64
++#if __BITS_PER_LONG == 64
+ #define __statfs_word long
+ #else
+ #define __statfs_word __u32
+diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
+index d9d6c86..c5ed2f1 100644
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -14,6 +14,15 @@ struct user_struct;
+ #include <linux/shm.h>
+ #include <asm/tlbflush.h>
+ 
++struct hugepage_subpool {
++	spinlock_t lock;
++	long count;
++	long max_hpages, used_hpages;
++};
++
++struct hugepage_subpool *hugepage_new_subpool(long nr_blocks);
++void hugepage_put_subpool(struct hugepage_subpool *spool);
++
+ int PageHuge(struct page *page);
+ 
+ void reset_vma_resv_huge_pages(struct vm_area_struct *vma);
+@@ -138,12 +147,11 @@ struct hugetlbfs_config {
+ };
+ 
+ struct hugetlbfs_sb_info {
+-	long	max_blocks;   /* blocks allowed */
+-	long	free_blocks;  /* blocks free */
+ 	long	max_inodes;   /* inodes allowed */
+ 	long	free_inodes;  /* inodes free */
+ 	spinlock_t	stat_lock;
+ 	struct hstate *hstate;
++	struct hugepage_subpool *spool;
+ };
+ 
+ 
+@@ -166,8 +174,6 @@ extern const struct file_operations hugetlbfs_file_operations;
+ extern const struct vm_operations_struct hugetlb_vm_ops;
+ struct file *hugetlb_file_setup(const char *name, size_t size, vm_flags_t acct,
+ 				struct user_struct **user, int creat_flags);
+-int hugetlb_get_quota(struct address_space *mapping, long delta);
+-void hugetlb_put_quota(struct address_space *mapping, long delta);
+ 
+ static inline int is_file_hugepages(struct file *file)
+ {
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index bc21720..4c4e83d 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -775,6 +775,13 @@ static inline bool kvm_vcpu_is_bsp(struct kvm_vcpu *vcpu)
+ {
+ 	return vcpu->kvm->bsp_vcpu_id == vcpu->vcpu_id;
+ }
++
++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu);
++
++#else
++
++static inline bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) { return true; }
++
+ #endif
+ 
+ #ifdef __KVM_HAVE_DEVICE_ASSIGNMENT
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 4f3b01a..7e472b7 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1898,12 +1898,22 @@ static inline void netdev_tx_sent_queue(struct netdev_queue *dev_queue,
+ {
+ #ifdef CONFIG_BQL
+ 	dql_queued(&dev_queue->dql, bytes);
+-	if (unlikely(dql_avail(&dev_queue->dql) < 0)) {
+-		set_bit(__QUEUE_STATE_STACK_XOFF, &dev_queue->state);
+-		if (unlikely(dql_avail(&dev_queue->dql) >= 0))
+-			clear_bit(__QUEUE_STATE_STACK_XOFF,
+-			    &dev_queue->state);
+-	}
++
++	if (likely(dql_avail(&dev_queue->dql) >= 0))
++		return;
++
++	set_bit(__QUEUE_STATE_STACK_XOFF, &dev_queue->state);
++
++	/*
++	 * The XOFF flag must be set before checking the dql_avail below,
++	 * because in netdev_tx_completed_queue we update the dql_completed
++	 * before checking the XOFF flag.
++	 */
++	smp_mb();
++
++	/* check again in case another CPU has just made room avail */
++	if (unlikely(dql_avail(&dev_queue->dql) >= 0))
++		clear_bit(__QUEUE_STATE_STACK_XOFF, &dev_queue->state);
+ #endif
+ }
+ 
+@@ -1916,16 +1926,23 @@ static inline void netdev_tx_completed_queue(struct netdev_queue *dev_queue,
+ 					     unsigned pkts, unsigned bytes)
+ {
+ #ifdef CONFIG_BQL
+-	if (likely(bytes)) {
+-		dql_completed(&dev_queue->dql, bytes);
+-		if (unlikely(test_bit(__QUEUE_STATE_STACK_XOFF,
+-		    &dev_queue->state) &&
+-		    dql_avail(&dev_queue->dql) >= 0)) {
+-			if (test_and_clear_bit(__QUEUE_STATE_STACK_XOFF,
+-			     &dev_queue->state))
+-				netif_schedule_queue(dev_queue);
+-		}
+-	}
++	if (unlikely(!bytes))
++		return;
++
++	dql_completed(&dev_queue->dql, bytes);
++
++	/*
++	 * Without the memory barrier there is a small possiblity that
++	 * netdev_tx_sent_queue will miss the update and cause the queue to
++	 * be stopped forever
++	 */
++	smp_mb();
++
++	if (dql_avail(&dev_queue->dql) < 0)
++		return;
++
++	if (test_and_clear_bit(__QUEUE_STATE_STACK_XOFF, &dev_queue->state))
++		netif_schedule_queue(dev_queue);
+ #endif
+ }
+ 
+@@ -1938,6 +1955,7 @@ static inline void netdev_completed_queue(struct net_device *dev,
+ static inline void netdev_tx_reset_queue(struct netdev_queue *q)
+ {
+ #ifdef CONFIG_BQL
++	clear_bit(__QUEUE_STATE_STACK_XOFF, &q->state);
+ 	dql_reset(&q->dql);
+ #endif
+ }
+diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
+index c6db9fb..bb1fac5 100644
+--- a/include/linux/seqlock.h
++++ b/include/linux/seqlock.h
+@@ -141,7 +141,7 @@ static inline unsigned __read_seqcount_begin(const seqcount_t *s)
+ 	unsigned ret;
+ 
+ repeat:
+-	ret = s->sequence;
++	ret = ACCESS_ONCE(s->sequence);
+ 	if (unlikely(ret & 1)) {
+ 		cpu_relax();
+ 		goto repeat;
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index a7cf829..24b1787 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -53,6 +53,84 @@ static unsigned long __initdata default_hstate_size;
+  */
+ static DEFINE_SPINLOCK(hugetlb_lock);
+ 
++static inline void unlock_or_release_subpool(struct hugepage_subpool *spool)
++{
++	bool free = (spool->count == 0) && (spool->used_hpages == 0);
++
++	spin_unlock(&spool->lock);
++
++	/* If no pages are used, and no other handles to the subpool
++	 * remain, free the subpool the subpool remain */
++	if (free)
++		kfree(spool);
++}
++
++struct hugepage_subpool *hugepage_new_subpool(long nr_blocks)
++{
++	struct hugepage_subpool *spool;
++
++	spool = kmalloc(sizeof(*spool), GFP_KERNEL);
++	if (!spool)
++		return NULL;
++
++	spin_lock_init(&spool->lock);
++	spool->count = 1;
++	spool->max_hpages = nr_blocks;
++	spool->used_hpages = 0;
++
++	return spool;
++}
++
++void hugepage_put_subpool(struct hugepage_subpool *spool)
++{
++	spin_lock(&spool->lock);
++	BUG_ON(!spool->count);
++	spool->count--;
++	unlock_or_release_subpool(spool);
++}
++
++static int hugepage_subpool_get_pages(struct hugepage_subpool *spool,
++				      long delta)
++{
++	int ret = 0;
++
++	if (!spool)
++		return 0;
++
++	spin_lock(&spool->lock);
++	if ((spool->used_hpages + delta) <= spool->max_hpages) {
++		spool->used_hpages += delta;
++	} else {
++		ret = -ENOMEM;
++	}
++	spin_unlock(&spool->lock);
++
++	return ret;
++}
++
++static void hugepage_subpool_put_pages(struct hugepage_subpool *spool,
++				       long delta)
++{
++	if (!spool)
++		return;
++
++	spin_lock(&spool->lock);
++	spool->used_hpages -= delta;
++	/* If hugetlbfs_put_super couldn't free spool due to
++	* an outstanding quota reference, free it now. */
++	unlock_or_release_subpool(spool);
++}
++
++static inline struct hugepage_subpool *subpool_inode(struct inode *inode)
++{
++	return HUGETLBFS_SB(inode->i_sb)->spool;
++}
++
++static inline struct hugepage_subpool *subpool_vma(struct vm_area_struct *vma)
++{
++	return subpool_inode(vma->vm_file->f_dentry->d_inode);
++}
++
+ /*
+  * Region tracking -- allows tracking of reservations and instantiated pages
+  *                    across the pages in a mapping.
+@@ -533,9 +611,9 @@ static void free_huge_page(struct page *page)
+ 	 */
+ 	struct hstate *h = page_hstate(page);
+ 	int nid = page_to_nid(page);
+-	struct address_space *mapping;
++	struct hugepage_subpool *spool =
++		(struct hugepage_subpool *)page_private(page);
+ 
+-	mapping = (struct address_space *) page_private(page);
+ 	set_page_private(page, 0);
+ 	page->mapping = NULL;
+ 	BUG_ON(page_count(page));
+@@ -551,8 +629,7 @@ static void free_huge_page(struct page *page)
+ 		enqueue_huge_page(h, page);
+ 	}
+ 	spin_unlock(&hugetlb_lock);
+-	if (mapping)
+-		hugetlb_put_quota(mapping, 1);
++	hugepage_subpool_put_pages(spool, 1);
+ }
+ 
+ static void prep_new_huge_page(struct hstate *h, struct page *page, int nid)
+@@ -966,11 +1043,12 @@ static void return_unused_surplus_pages(struct hstate *h,
+ /*
+  * Determine if the huge page at addr within the vma has an associated
+  * reservation.  Where it does not we will need to logically increase
+- * reservation and actually increase quota before an allocation can occur.
+- * Where any new reservation would be required the reservation change is
+- * prepared, but not committed.  Once the page has been quota'd allocated
+- * an instantiated the change should be committed via vma_commit_reservation.
+- * No action is required on failure.
++ * reservation and actually increase subpool usage before an allocation
++ * can occur.  Where any new reservation would be required the
++ * reservation change is prepared, but not committed.  Once the page
++ * has been allocated from the subpool and instantiated the change should
++ * be committed via vma_commit_reservation.  No action is required on
++ * failure.
+  */
+ static long vma_needs_reservation(struct hstate *h,
+ 			struct vm_area_struct *vma, unsigned long addr)
+@@ -1019,24 +1097,24 @@ static void vma_commit_reservation(struct hstate *h,
+ static struct page *alloc_huge_page(struct vm_area_struct *vma,
+ 				    unsigned long addr, int avoid_reserve)
+ {
++	struct hugepage_subpool *spool = subpool_vma(vma);
+ 	struct hstate *h = hstate_vma(vma);
+ 	struct page *page;
+-	struct address_space *mapping = vma->vm_file->f_mapping;
+-	struct inode *inode = mapping->host;
+ 	long chg;
+ 
+ 	/*
+-	 * Processes that did not create the mapping will have no reserves and
+-	 * will not have accounted against quota. Check that the quota can be
+-	 * made before satisfying the allocation
+-	 * MAP_NORESERVE mappings may also need pages and quota allocated
+-	 * if no reserve mapping overlaps.
++	 * Processes that did not create the mapping will have no
++	 * reserves and will not have accounted against subpool
++	 * limit. Check that the subpool limit can be made before
++	 * satisfying the allocation MAP_NORESERVE mappings may also
++	 * need pages and subpool limit allocated allocated if no reserve
++	 * mapping overlaps.
+ 	 */
+ 	chg = vma_needs_reservation(h, vma, addr);
+ 	if (chg < 0)
+ 		return ERR_PTR(-VM_FAULT_OOM);
+ 	if (chg)
+-		if (hugetlb_get_quota(inode->i_mapping, chg))
++		if (hugepage_subpool_get_pages(spool, chg))
+ 			return ERR_PTR(-VM_FAULT_SIGBUS);
+ 
+ 	spin_lock(&hugetlb_lock);
+@@ -1046,12 +1124,12 @@ static struct page *alloc_huge_page(struct vm_area_struct *vma,
+ 	if (!page) {
+ 		page = alloc_buddy_huge_page(h, NUMA_NO_NODE);
+ 		if (!page) {
+-			hugetlb_put_quota(inode->i_mapping, chg);
++			hugepage_subpool_put_pages(spool, chg);
+ 			return ERR_PTR(-VM_FAULT_SIGBUS);
+ 		}
+ 	}
+ 
+-	set_page_private(page, (unsigned long) mapping);
++	set_page_private(page, (unsigned long)spool);
+ 
+ 	vma_commit_reservation(h, vma, addr);
+ 
+@@ -2072,6 +2150,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+ {
+ 	struct hstate *h = hstate_vma(vma);
+ 	struct resv_map *reservations = vma_resv_map(vma);
++	struct hugepage_subpool *spool = subpool_vma(vma);
+ 	unsigned long reserve;
+ 	unsigned long start;
+ 	unsigned long end;
+@@ -2087,7 +2166,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+ 
+ 		if (reserve) {
+ 			hugetlb_acct_memory(h, -reserve);
+-			hugetlb_put_quota(vma->vm_file->f_mapping, reserve);
++			hugepage_subpool_put_pages(spool, reserve);
+ 		}
+ 	}
+ }
+@@ -2316,7 +2395,7 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	 */
+ 	address = address & huge_page_mask(h);
+ 	pgoff = vma_hugecache_offset(h, vma, address);
+-	mapping = (struct address_space *)page_private(page);
++	mapping = vma->vm_file->f_dentry->d_inode->i_mapping;
+ 
+ 	/*
+ 	 * Take the mapping lock for the duration of the table walk. As
+@@ -2871,11 +2950,12 @@ int hugetlb_reserve_pages(struct inode *inode,
+ {
+ 	long ret, chg;
+ 	struct hstate *h = hstate_inode(inode);
++	struct hugepage_subpool *spool = subpool_inode(inode);
+ 
+ 	/*
+ 	 * Only apply hugepage reservation if asked. At fault time, an
+ 	 * attempt will be made for VM_NORESERVE to allocate a page
+-	 * and filesystem quota without using reserves
++	 * without using reserves
+ 	 */
+ 	if (vm_flags & VM_NORESERVE)
+ 		return 0;
+@@ -2902,17 +2982,17 @@ int hugetlb_reserve_pages(struct inode *inode,
+ 	if (chg < 0)
+ 		return chg;
+ 
+-	/* There must be enough filesystem quota for the mapping */
+-	if (hugetlb_get_quota(inode->i_mapping, chg))
++	/* There must be enough pages in the subpool for the mapping */
++	if (hugepage_subpool_get_pages(spool, chg))
+ 		return -ENOSPC;
+ 
+ 	/*
+ 	 * Check enough hugepages are available for the reservation.
+-	 * Hand back the quota if there are not
++	 * Hand the pages back to the subpool if there are not
+ 	 */
+ 	ret = hugetlb_acct_memory(h, chg);
+ 	if (ret < 0) {
+-		hugetlb_put_quota(inode->i_mapping, chg);
++		hugepage_subpool_put_pages(spool, chg);
+ 		return ret;
+ 	}
+ 
+@@ -2936,12 +3016,13 @@ void hugetlb_unreserve_pages(struct inode *inode, long offset, long freed)
+ {
+ 	struct hstate *h = hstate_inode(inode);
+ 	long chg = region_truncate(&inode->i_mapping->private_list, offset);
++	struct hugepage_subpool *spool = subpool_inode(inode);
+ 
+ 	spin_lock(&inode->i_lock);
+ 	inode->i_blocks -= (blocks_per_huge_page(h) * freed);
+ 	spin_unlock(&inode->i_lock);
+ 
+-	hugetlb_put_quota(inode->i_mapping, (chg - freed));
++	hugepage_subpool_put_pages(spool, (chg - freed));
+ 	hugetlb_acct_memory(h, -(chg - freed));
+ }
+ 
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 7f72c9c..0336374 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1412,14 +1412,34 @@ EXPORT_SYMBOL(register_netdevice_notifier);
+  *	register_netdevice_notifier(). The notifier is unlinked into the
+  *	kernel structures and may then be reused. A negative errno code
+  *	is returned on a failure.
++ *
++ * 	After unregistering unregister and down device events are synthesized
++ *	for all devices on the device list to the removed notifier to remove
++ *	the need for special case cleanup code.
+  */
+ 
+ int unregister_netdevice_notifier(struct notifier_block *nb)
+ {
++	struct net_device *dev;
++	struct net *net;
+ 	int err;
+ 
+ 	rtnl_lock();
+ 	err = raw_notifier_chain_unregister(&netdev_chain, nb);
++	if (err)
++		goto unlock;
++
++	for_each_net(net) {
++		for_each_netdev(net, dev) {
++			if (dev->flags & IFF_UP) {
++				nb->notifier_call(nb, NETDEV_GOING_DOWN, dev);
++				nb->notifier_call(nb, NETDEV_DOWN, dev);
++			}
++			nb->notifier_call(nb, NETDEV_UNREGISTER, dev);
++			nb->notifier_call(nb, NETDEV_UNREGISTER_BATCH, dev);
++		}
++	}
++unlock:
+ 	rtnl_unlock();
+ 	return err;
+ }
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 8c85021..e2327db 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3240,7 +3240,7 @@ void __init tcp_init(void)
+ {
+ 	struct sk_buff *skb = NULL;
+ 	unsigned long limit;
+-	int max_share, cnt;
++	int max_rshare, max_wshare, cnt;
+ 	unsigned int i;
+ 	unsigned long jiffy = jiffies;
+ 
+@@ -3300,15 +3300,16 @@ void __init tcp_init(void)
+ 	tcp_init_mem(&init_net);
+ 	/* Set per-socket limits to no more than 1/128 the pressure threshold */
+ 	limit = nr_free_buffer_pages() << (PAGE_SHIFT - 7);
+-	max_share = min(4UL*1024*1024, limit);
++	max_wshare = min(4UL*1024*1024, limit);
++	max_rshare = min(6UL*1024*1024, limit);
+ 
+ 	sysctl_tcp_wmem[0] = SK_MEM_QUANTUM;
+ 	sysctl_tcp_wmem[1] = 16*1024;
+-	sysctl_tcp_wmem[2] = max(64*1024, max_share);
++	sysctl_tcp_wmem[2] = max(64*1024, max_wshare);
+ 
+ 	sysctl_tcp_rmem[0] = SK_MEM_QUANTUM;
+ 	sysctl_tcp_rmem[1] = 87380;
+-	sysctl_tcp_rmem[2] = max(87380, max_share);
++	sysctl_tcp_rmem[2] = max(87380, max_rshare);
+ 
+ 	printk(KERN_INFO "TCP: Hash tables configured "
+ 	       "(established %u bind %u)\n",
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 1c30511..169f3a6 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -83,7 +83,7 @@ int sysctl_tcp_ecn __read_mostly = 2;
+ EXPORT_SYMBOL(sysctl_tcp_ecn);
+ int sysctl_tcp_dsack __read_mostly = 1;
+ int sysctl_tcp_app_win __read_mostly = 31;
+-int sysctl_tcp_adv_win_scale __read_mostly = 2;
++int sysctl_tcp_adv_win_scale __read_mostly = 1;
+ EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+ 
+ int sysctl_tcp_stdurg __read_mostly;
+@@ -2866,11 +2866,14 @@ static inline void tcp_complete_cwr(struct sock *sk)
+ 
+ 	/* Do not moderate cwnd if it's already undone in cwr or recovery. */
+ 	if (tp->undo_marker) {
+-		if (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR)
++		if (inet_csk(sk)->icsk_ca_state == TCP_CA_CWR) {
+ 			tp->snd_cwnd = min(tp->snd_cwnd, tp->snd_ssthresh);
+-		else /* PRR */
++			tp->snd_cwnd_stamp = tcp_time_stamp;
++		} else if (tp->snd_ssthresh < TCP_INFINITE_SSTHRESH) {
++			/* PRR algorithm. */
+ 			tp->snd_cwnd = tp->snd_ssthresh;
+-		tp->snd_cwnd_stamp = tcp_time_stamp;
++			tp->snd_cwnd_stamp = tcp_time_stamp;
++		}
+ 	}
+ 	tcp_ca_event(sk, CA_EVENT_COMPLETE_CWR);
+ }
+diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
+index 55670ec..2a2a3e7 100644
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -441,8 +441,9 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
+ 
+ 		daddr = lip->l2tp_addr.s_addr;
+ 	} else {
++		rc = -EDESTADDRREQ;
+ 		if (sk->sk_state != TCP_ESTABLISHED)
+-			return -EDESTADDRREQ;
++			goto out;
+ 
+ 		daddr = inet->inet_daddr;
+ 		connected = 1;
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 5da548f..ebd2296 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -408,10 +408,8 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+ 	if (q->corrupt && q->corrupt >= get_crandom(&q->corrupt_cor)) {
+ 		if (!(skb = skb_unshare(skb, GFP_ATOMIC)) ||
+ 		    (skb->ip_summed == CHECKSUM_PARTIAL &&
+-		     skb_checksum_help(skb))) {
+-			sch->qstats.drops++;
+-			return NET_XMIT_DROP;
+-		}
++		     skb_checksum_help(skb)))
++			return qdisc_drop(skb, sch);
+ 
+ 		skb->data[net_random() % skb_headlen(skb)] ^= 1<<(net_random() % 8);
+ 	}
+diff --git a/sound/soc/codecs/tlv320aic23.c b/sound/soc/codecs/tlv320aic23.c
+index dfa41a9..e7de911 100644
+--- a/sound/soc/codecs/tlv320aic23.c
++++ b/sound/soc/codecs/tlv320aic23.c
+@@ -472,7 +472,7 @@ static int tlv320aic23_set_dai_sysclk(struct snd_soc_dai *codec_dai,
+ static int tlv320aic23_set_bias_level(struct snd_soc_codec *codec,
+ 				      enum snd_soc_bias_level level)
+ {
+-	u16 reg = snd_soc_read(codec, TLV320AIC23_PWR) & 0xff7f;
++	u16 reg = snd_soc_read(codec, TLV320AIC23_PWR) & 0x17f;
+ 
+ 	switch (level) {
+ 	case SND_SOC_BIAS_ON:
+@@ -491,7 +491,7 @@ static int tlv320aic23_set_bias_level(struct snd_soc_codec *codec,
+ 	case SND_SOC_BIAS_OFF:
+ 		/* everything off, dac mute, inactive */
+ 		snd_soc_write(codec, TLV320AIC23_ACTIVE, 0x0);
+-		snd_soc_write(codec, TLV320AIC23_PWR, 0xffff);
++		snd_soc_write(codec, TLV320AIC23_PWR, 0x1ff);
+ 		break;
+ 	}
+ 	codec->dapm.bias_level = level;
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 92cee24..48e91cd 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -3420,10 +3420,10 @@ int snd_soc_of_parse_audio_routing(struct snd_soc_card *card,
+ 	int i, ret;
+ 
+ 	num_routes = of_property_count_strings(np, propname);
+-	if (num_routes & 1) {
++	if (num_routes < 0 || num_routes & 1) {
+ 		dev_err(card->dev,
+-			"Property '%s's length is not even\n",
+-			propname);
++		     "Property '%s' does not exist or its length is not even\n",
++		     propname);
+ 		return -EINVAL;
+ 	}
+ 	num_routes /= 2;
+diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
+index fec1723..e9fff98 100644
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -240,9 +240,13 @@ int kvm_iommu_map_guest(struct kvm *kvm)
+ 		return -ENODEV;
+ 	}
+ 
++	mutex_lock(&kvm->slots_lock);
++
+ 	kvm->arch.iommu_domain = iommu_domain_alloc(&pci_bus_type);
+-	if (!kvm->arch.iommu_domain)
+-		return -ENOMEM;
++	if (!kvm->arch.iommu_domain) {
++		r = -ENOMEM;
++		goto out_unlock;
++	}
+ 
+ 	if (!allow_unsafe_assigned_interrupts &&
+ 	    !iommu_domain_has_cap(kvm->arch.iommu_domain,
+@@ -253,17 +257,16 @@ int kvm_iommu_map_guest(struct kvm *kvm)
+ 		       " module option.\n", __func__);
+ 		iommu_domain_free(kvm->arch.iommu_domain);
+ 		kvm->arch.iommu_domain = NULL;
+-		return -EPERM;
++		r = -EPERM;
++		goto out_unlock;
+ 	}
+ 
+ 	r = kvm_iommu_map_memslots(kvm);
+ 	if (r)
+-		goto out_unmap;
+-
+-	return 0;
++		kvm_iommu_unmap_memslots(kvm);
+ 
+-out_unmap:
+-	kvm_iommu_unmap_memslots(kvm);
++out_unlock:
++	mutex_unlock(&kvm->slots_lock);
+ 	return r;
+ }
+ 
+@@ -340,7 +343,11 @@ int kvm_iommu_unmap_guest(struct kvm *kvm)
+ 	if (!domain)
+ 		return 0;
+ 
++	mutex_lock(&kvm->slots_lock);
+ 	kvm_iommu_unmap_memslots(kvm);
++	kvm->arch.iommu_domain = NULL;
++	mutex_unlock(&kvm->slots_lock);
++
+ 	iommu_domain_free(domain);
+ 	return 0;
+ }
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index c4ac57e..7858228 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -289,15 +289,15 @@ static void kvm_mmu_notifier_invalidate_page(struct mmu_notifier *mn,
+ 	 */
+ 	idx = srcu_read_lock(&kvm->srcu);
+ 	spin_lock(&kvm->mmu_lock);
++
+ 	kvm->mmu_notifier_seq++;
+ 	need_tlb_flush = kvm_unmap_hva(kvm, address) | kvm->tlbs_dirty;
+-	spin_unlock(&kvm->mmu_lock);
+-	srcu_read_unlock(&kvm->srcu, idx);
+-
+ 	/* we've to flush the tlb before the pages can be freed */
+ 	if (need_tlb_flush)
+ 		kvm_flush_remote_tlbs(kvm);
+ 
++	spin_unlock(&kvm->mmu_lock);
++	srcu_read_unlock(&kvm->srcu, idx);
+ }
+ 
+ static void kvm_mmu_notifier_change_pte(struct mmu_notifier *mn,
+@@ -335,12 +335,12 @@ static void kvm_mmu_notifier_invalidate_range_start(struct mmu_notifier *mn,
+ 	for (; start < end; start += PAGE_SIZE)
+ 		need_tlb_flush |= kvm_unmap_hva(kvm, start);
+ 	need_tlb_flush |= kvm->tlbs_dirty;
+-	spin_unlock(&kvm->mmu_lock);
+-	srcu_read_unlock(&kvm->srcu, idx);
+-
+ 	/* we've to flush the tlb before the pages can be freed */
+ 	if (need_tlb_flush)
+ 		kvm_flush_remote_tlbs(kvm);
++
++	spin_unlock(&kvm->mmu_lock);
++	srcu_read_unlock(&kvm->srcu, idx);
+ }
+ 
+ static void kvm_mmu_notifier_invalidate_range_end(struct mmu_notifier *mn,
+@@ -378,13 +378,14 @@ static int kvm_mmu_notifier_clear_flush_young(struct mmu_notifier *mn,
+ 
+ 	idx = srcu_read_lock(&kvm->srcu);
+ 	spin_lock(&kvm->mmu_lock);
+-	young = kvm_age_hva(kvm, address);
+-	spin_unlock(&kvm->mmu_lock);
+-	srcu_read_unlock(&kvm->srcu, idx);
+ 
++	young = kvm_age_hva(kvm, address);
+ 	if (young)
+ 		kvm_flush_remote_tlbs(kvm);
+ 
++	spin_unlock(&kvm->mmu_lock);
++	srcu_read_unlock(&kvm->srcu, idx);
++
+ 	return young;
+ }
+ 
+@@ -1719,6 +1720,10 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
+ 		goto vcpu_destroy;
+ 
+ 	mutex_lock(&kvm->lock);
++	if (!kvm_vcpu_compatible(vcpu)) {
++		r = -EINVAL;
++		goto unlock_vcpu_destroy;
++	}
+ 	if (atomic_read(&kvm->online_vcpus) == KVM_MAX_VCPUS) {
+ 		r = -EINVAL;
+ 		goto unlock_vcpu_destroy;
diff --git a/3.3.5/4420_grsecurity-2.9-3.3.5-201205071839.patch b/3.3.6/4420_grsecurity-2.9-3.3.6-201205131658.patch
index 222eccd..0bad506 100644
--- a/3.3.5/4420_grsecurity-2.9-3.3.5-201205071839.patch
+++ b/3.3.6/4420_grsecurity-2.9-3.3.6-201205131658.patch
@@ -195,7 +195,7 @@ index d99fd9c..8689fef 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index 64615e9..64d72ce 100644
+index 9cd6941..92e68ff 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -1457,6 +1457,36 @@ index e4c96cc..1145653 100644
  #endif /* __ASSEMBLY__ */
  
  #define arch_align_stack(x) (x)
+diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
+index d4c24d4..4ac53e8 100644
+--- a/arch/arm/include/asm/thread_info.h
++++ b/arch/arm/include/asm/thread_info.h
+@@ -141,6 +141,12 @@ extern void vfp_flush_hwstate(struct thread_info *);
+ #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
+ #define TIF_SYSCALL_TRACE	8
+ #define TIF_SYSCALL_AUDIT	9
++
++/* within 8 bits of TIF_SYSCALL_TRACE
++   to meet flexible second operand requirements
++*/
++#define TIF_GRSEC_SETXID	10
++
+ #define TIF_POLLING_NRFLAG	16
+ #define TIF_USING_IWMMXT	17
+ #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
+@@ -156,9 +162,11 @@ extern void vfp_flush_hwstate(struct thread_info *);
+ #define _TIF_USING_IWMMXT	(1 << TIF_USING_IWMMXT)
+ #define _TIF_RESTORE_SIGMASK	(1 << TIF_RESTORE_SIGMASK)
+ #define _TIF_SECCOMP		(1 << TIF_SECCOMP)
++#define _TIF_GRSEC_SETXID	(1 << TIF_GRSEC_SETXID)
+ 
+ /* Checks for any syscall work in entry-common.S */
+-#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
++#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
++			   _TIF_GRSEC_SETXID)
+ 
+ /*
+  * Change these and you break ASM code in entry-common.S
 diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
 index 2958976..12ccac4 100644
 --- a/arch/arm/include/asm/uaccess.h
@@ -1568,6 +1598,30 @@ index 971d65c..cc936fb 100644
  #ifdef CONFIG_MMU
  /*
   * The vectors page is always readable from user space for the
+diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
+index f5ce8ab..4b73893 100644
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -905,10 +905,19 @@ long arch_ptrace(struct task_struct *child, long request,
+ 	return ret;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno)
+ {
+ 	unsigned long ip;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (why)
+ 		audit_syscall_exit(regs);
+ 	else
 diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
 index a255c39..4a19b25 100644
 --- a/arch/arm/kernel/setup.c
@@ -2791,6 +2845,40 @@ index 6018c80..7c37203 100644
 +#define arch_align_stack(x) ((x) & ~0xfUL)
  
  #endif /* _ASM_SYSTEM_H */
+diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
+index 0d85d8e..ec71487 100644
+--- a/arch/mips/include/asm/thread_info.h
++++ b/arch/mips/include/asm/thread_info.h
+@@ -123,6 +123,8 @@ register struct thread_info *__current_thread_info __asm__("$28");
+ #define TIF_32BIT_ADDR		23	/* 32-bit address space (o32/n32) */
+ #define TIF_FPUBOUND		24	/* thread bound to FPU-full CPU set */
+ #define TIF_LOAD_WATCH		25	/* If set, load watch registers */
++/* li takes a 32bit immediate */
++#define TIF_GRSEC_SETXID	29	/* update credentials on syscall entry/exit */
+ #define TIF_SYSCALL_TRACE	31	/* syscall trace active */
+ 
+ #ifdef CONFIG_MIPS32_O32
+@@ -146,15 +148,18 @@ register struct thread_info *__current_thread_info __asm__("$28");
+ #define _TIF_32BIT_ADDR		(1<<TIF_32BIT_ADDR)
+ #define _TIF_FPUBOUND		(1<<TIF_FPUBOUND)
+ #define _TIF_LOAD_WATCH		(1<<TIF_LOAD_WATCH)
++#define _TIF_GRSEC_SETXID	(1<<TIF_GRSEC_SETXID)
++
++#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do in syscall_trace_leave() */
+-#define _TIF_WORK_SYSCALL_EXIT	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
++#define _TIF_WORK_SYSCALL_EXIT	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do on interrupt/exception return */
+ #define _TIF_WORK_MASK		(0x0000ffef &				\
+ 					~(_TIF_SECCOMP | _TIF_SYSCALL_AUDIT))
+ /* work to do on any return to u-space */
+-#define _TIF_ALLWORK_MASK	(0x8000ffff & ~_TIF_SECCOMP)
++#define _TIF_ALLWORK_MASK	((0x8000ffff & ~_TIF_SECCOMP) | _TIF_GRSEC_SETXID)
+ 
+ #endif /* __KERNEL__ */
+ 
 diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c
 index 9fdd8bc..4bd7f1a 100644
 --- a/arch/mips/kernel/binfmt_elfn32.c
@@ -2847,6 +2935,85 @@ index 7955409..ceaea7c 100644
 -
 -	return sp & ALMASK;
 -}
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index 7786b60..3e38c72 100644
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -529,6 +529,10 @@ static inline int audit_arch(void)
+ 	return arch;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
+  * Notification of system call entry/exit
+  * - triggered by current->work.syscall_trace
+@@ -538,6 +542,11 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
+ 	/* do the secure computing check first */
+ 	secure_computing(regs->regs[2]);
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (!(current->ptrace & PT_PTRACED))
+ 		goto out;
+ 
+diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
+index a632bc1..0b77c7c 100644
+--- a/arch/mips/kernel/scall32-o32.S
++++ b/arch/mips/kernel/scall32-o32.S
+@@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp)
+ 
+ stack_done:
+ 	lw	t0, TI_FLAGS($28)	# syscall tracing enabled?
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	and	t0, t1
+ 	bnez	t0, syscall_trace_entry	# -> yes
+ 
+diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
+index 3b5a5e9..e1ee86d 100644
+--- a/arch/mips/kernel/scall64-64.S
++++ b/arch/mips/kernel/scall64-64.S
+@@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp)
+ 
+ 	sd	a3, PT_R26(sp)		# save a3 for syscall restarting
+ 
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
+ 	and	t0, t1, t0
+ 	bnez	t0, syscall_trace_entry
+diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
+index 6be6f70..1859577 100644
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -53,7 +53,7 @@ NESTED(handle_sysn32, PT_SIZE, sp)
+ 
+ 	sd	a3, PT_R26(sp)		# save a3 for syscall restarting
+ 
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
+ 	and	t0, t1, t0
+ 	bnez	t0, n32_syscall_trace_entry
+diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
+index 5422855..74e63a3 100644
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp)
+ 	PTR	4b, bad_stack
+ 	.previous
+ 
+-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
++	li	t1, _TIF_SYSCALL_WORK
+ 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
+ 	and	t0, t1, t0
+ 	bnez	t0, trace_a_syscall
 diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
 index 69ebd58..e4bff83 100644
 --- a/arch/mips/mm/fault.c
@@ -3689,6 +3856,40 @@ index c377457..3c69fbc 100644
  
  /* Used in very early kernel initialization. */
  extern unsigned long reloc_offset(void);
+diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
+index 96471494..60ed5a2 100644
+--- a/arch/powerpc/include/asm/thread_info.h
++++ b/arch/powerpc/include/asm/thread_info.h
+@@ -104,13 +104,15 @@ static inline struct thread_info *current_thread_info(void)
+ #define TIF_PERFMON_CTXSW	6	/* perfmon needs ctxsw calls */
+ #define TIF_SYSCALL_AUDIT	7	/* syscall auditing active */
+ #define TIF_SINGLESTEP		8	/* singlestepping active */
+-#define TIF_MEMDIE		9	/* is terminating due to OOM killer */
+ #define TIF_SECCOMP		10	/* secure computing */
+ #define TIF_RESTOREALL		11	/* Restore all regs (implies NOERROR) */
+ #define TIF_NOERROR		12	/* Force successful syscall return */
+ #define TIF_NOTIFY_RESUME	13	/* callback before returning to user */
+ #define TIF_SYSCALL_TRACEPOINT	15	/* syscall tracepoint instrumentation */
+ #define TIF_RUNLATCH		16	/* Is the runlatch enabled? */
++#define TIF_MEMDIE		17	/* is terminating due to OOM killer */
++/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */
++#define TIF_GRSEC_SETXID	9	/* update credentials on syscall entry/exit */
+ 
+ /* as above, but as bit values */
+ #define _TIF_SYSCALL_TRACE	(1<<TIF_SYSCALL_TRACE)
+@@ -128,8 +130,11 @@ static inline struct thread_info *current_thread_info(void)
+ #define _TIF_NOTIFY_RESUME	(1<<TIF_NOTIFY_RESUME)
+ #define _TIF_SYSCALL_TRACEPOINT	(1<<TIF_SYSCALL_TRACEPOINT)
+ #define _TIF_RUNLATCH		(1<<TIF_RUNLATCH)
++#define _TIF_GRSEC_SETXID	(1<<TIF_GRSEC_SETXID)
++
+ #define _TIF_SYSCALL_T_OR_A	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+-				 _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT)
++				 _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT \
++				 _TIF_GRSEC_SETXID)
+ 
+ #define _TIF_USER_WORK_MASK	(_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
+ 				 _TIF_NOTIFY_RESUME)
 diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
 index bd0fb84..a42a14b 100644
 --- a/arch/powerpc/include/asm/uaccess.h
@@ -4065,6 +4266,45 @@ index d817ab0..b23b18e 100644
 -
 -	return ret;
 -}
+diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
+index 5b43325..94a5bb4 100644
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -1702,6 +1702,10 @@ long arch_ptrace(struct task_struct *child, long request,
+ 	return ret;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
+  * We must return the syscall number to actually look up in the table.
+  * This can be -1L to skip running any syscall at all.
+@@ -1712,6 +1716,11 @@ long do_syscall_trace_enter(struct pt_regs *regs)
+ 
+ 	secure_computing(regs->gpr[0]);
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (test_thread_flag(TIF_SYSCALL_TRACE) &&
+ 	    tracehook_report_syscall_entry(regs))
+ 		/*
+@@ -1746,6 +1755,11 @@ void do_syscall_trace_leave(struct pt_regs *regs)
+ {
+ 	int step;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	audit_syscall_exit(regs);
+ 
+ 	if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
 diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
 index 836a5a1..27289a3 100644
 --- a/arch/powerpc/kernel/signal_32.c
@@ -5253,7 +5493,7 @@ index c2a1080..21ed218 100644
  
  /*
 diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h
-index 01d057f..0a02f7e 100644
+index 01d057f..13a7d2f 100644
 --- a/arch/sparc/include/asm/thread_info_64.h
 +++ b/arch/sparc/include/asm/thread_info_64.h
 @@ -63,6 +63,8 @@ struct thread_info {
@@ -5265,6 +5505,38 @@ index 01d057f..0a02f7e 100644
  	unsigned long		fpregs[0] __attribute__ ((aligned(64)));
  };
  
+@@ -214,10 +216,11 @@ register struct thread_info *current_thread_info_reg asm("g6");
+ #define TIF_UNALIGNED		5	/* allowed to do unaligned accesses */
+ /* flag bit 6 is available */
+ #define TIF_32BIT		7	/* 32-bit binary */
+-/* flag bit 8 is available */
++#define TIF_GRSEC_SETXID	8	/* update credentials on syscall entry/exit */
+ #define TIF_SECCOMP		9	/* secure computing */
+ #define TIF_SYSCALL_AUDIT	10	/* syscall auditing active */
+ #define TIF_SYSCALL_TRACEPOINT	11	/* syscall tracepoint instrumentation */
++
+ /* NOTE: Thread flags >= 12 should be ones we have no interest
+  *       in using in assembly, else we can't use the mask as
+  *       an immediate value in instructions such as andcc.
+@@ -236,12 +239,18 @@ register struct thread_info *current_thread_info_reg asm("g6");
+ #define _TIF_SYSCALL_AUDIT	(1<<TIF_SYSCALL_AUDIT)
+ #define _TIF_SYSCALL_TRACEPOINT	(1<<TIF_SYSCALL_TRACEPOINT)
+ #define _TIF_POLLING_NRFLAG	(1<<TIF_POLLING_NRFLAG)
++#define _TIF_GRSEC_SETXID	(1<<TIF_GRSEC_SETXID)
+ 
+ #define _TIF_USER_WORK_MASK	((0xff << TI_FLAG_WSAVED_SHIFT) | \
+ 				 _TIF_DO_NOTIFY_RESUME_MASK | \
+ 				 _TIF_NEED_RESCHED)
+ #define _TIF_DO_NOTIFY_RESUME_MASK	(_TIF_NOTIFY_RESUME | _TIF_SIGPENDING)
+ 
++#define _TIF_WORK_SYSCALL		\
++	(_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \
++	 _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
++
++
+ /*
+  * Thread-synchronous status.
+  *
 diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h
 index e88fbe5..96b0ce5 100644
 --- a/arch/sparc/include/asm/uaccess.h
@@ -5475,6 +5747,45 @@ index 39d8b05..d1a7d90 100644
  			       (void *) gp->tpc,
  			       (void *) gp->o7,
  			       (void *) gp->i7,
+diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
+index 9388844..0075fd2 100644
+--- a/arch/sparc/kernel/ptrace_64.c
++++ b/arch/sparc/kernel/ptrace_64.c
+@@ -1058,6 +1058,10 @@ long arch_ptrace(struct task_struct *child, long request,
+ 	return ret;
+ }
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ {
+ 	int ret = 0;
+@@ -1065,6 +1069,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ 	/* do the secure computing check first */
+ 	secure_computing(regs->u_regs[UREG_G1]);
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	if (test_thread_flag(TIF_SYSCALL_TRACE))
+ 		ret = tracehook_report_syscall_entry(regs);
+ 
+@@ -1085,6 +1094,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+ 
+ asmlinkage void syscall_trace_leave(struct pt_regs *regs)
+ {
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++		gr_delayed_cred_worker();
++#endif
++
+ 	audit_syscall_exit(regs);
+ 
+ 	if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
 diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
 index 42b282f..28ce9f2 100644
 --- a/arch/sparc/kernel/sys_sparc_32.c
@@ -5648,6 +5959,55 @@ index 232df99..cee1f9c 100644
  		mm->get_unmapped_area = arch_get_unmapped_area_topdown;
  		mm->unmap_area = arch_unmap_area_topdown;
  	}
+diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
+index 1d7e274..b39c527 100644
+--- a/arch/sparc/kernel/syscalls.S
++++ b/arch/sparc/kernel/syscalls.S
+@@ -62,7 +62,7 @@ sys32_rt_sigreturn:
+ #endif
+ 	.align	32
+ 1:	ldx	[%g6 + TI_FLAGS], %l5
+-	andcc	%l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
++	andcc	%l5, _TIF_WORK_SYSCALL, %g0
+ 	be,pt	%icc, rtrap
+ 	 nop
+ 	call	syscall_trace_leave
+@@ -179,7 +179,7 @@ linux_sparc_syscall32:
+ 
+ 	srl	%i5, 0, %o5				! IEU1
+ 	srl	%i2, 0, %o2				! IEU0	Group
+-	andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
++	andcc	%l0, _TIF_WORK_SYSCALL, %g0
+ 	bne,pn	%icc, linux_syscall_trace32		! CTI
+ 	 mov	%i0, %l5				! IEU1
+ 	call	%l7					! CTI	Group brk forced
+@@ -202,7 +202,7 @@ linux_sparc_syscall:
+ 
+ 	mov	%i3, %o3				! IEU1
+ 	mov	%i4, %o4				! IEU0	Group
+-	andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
++	andcc	%l0, _TIF_WORK_SYSCALL, %g0
+ 	bne,pn	%icc, linux_syscall_trace		! CTI	Group
+ 	 mov	%i0, %l5				! IEU0
+ 2:	call	%l7					! CTI	Group brk forced
+@@ -226,7 +226,7 @@ ret_sys_call:
+ 
+ 	cmp	%o0, -ERESTART_RESTARTBLOCK
+ 	bgeu,pn	%xcc, 1f
+-	 andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %l6
++	 andcc	%l0, _TIF_WORK_SYSCALL, %l6
+ 80:
+ 	/* System call success, clear Carry condition code. */
+ 	andn	%g3, %g2, %g3
+@@ -241,7 +241,7 @@ ret_sys_call:
+ 	/* System call failure, set Carry condition code.
+ 	 * Also, get abs(errno) to return to the process.
+ 	 */
+-	andcc	%l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %l6	
++	andcc	%l0, _TIF_WORK_SYSCALL, %l6	
+ 	sub	%g0, %o0, %o0
+ 	or	%g3, %g2, %g3
+ 	stx	%o0, [%sp + PTREGS_OFF + PT_V9_I0]
 diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c
 index 591f20c..0f1b925 100644
 --- a/arch/sparc/kernel/traps_32.c
@@ -7519,7 +7879,7 @@ index 7116dcb..d9ae1d7 100644
  #endif
  
 diff --git a/arch/x86/boot/compressed/relocs.c b/arch/x86/boot/compressed/relocs.c
-index 89bbf4e..869908e 100644
+index e77f4e4..17e511f 100644
 --- a/arch/x86/boot/compressed/relocs.c
 +++ b/arch/x86/boot/compressed/relocs.c
 @@ -13,8 +13,11 @@
@@ -7624,7 +7984,7 @@ index 89bbf4e..869908e 100644
  			rel->r_info   = elf32_to_cpu(rel->r_info);
  		}
  	}
-@@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
+@@ -396,13 +440,13 @@ static void read_relocs(FILE *fp)
  
  static void print_absolute_symbols(void)
  {
@@ -7635,13 +7995,12 @@ index 89bbf4e..869908e 100644
  	for (i = 0; i < ehdr.e_shnum; i++) {
  		struct section *sec = &secs[i];
  		char *sym_strtab;
- 		Elf32_Sym *sh_symtab;
 -		int j;
 +		unsigned int j;
  
  		if (sec->shdr.sh_type != SHT_SYMTAB) {
  			continue;
-@@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
+@@ -429,14 +473,14 @@ static void print_absolute_symbols(void)
  
  static void print_absolute_relocs(void)
  {
@@ -7658,7 +8017,7 @@ index 89bbf4e..869908e 100644
  		if (sec->shdr.sh_type != SHT_REL) {
  			continue;
  		}
-@@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
+@@ -497,13 +541,13 @@ static void print_absolute_relocs(void)
  
  static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
  {
@@ -7674,7 +8033,7 @@ index 89bbf4e..869908e 100644
  		struct section *sec = &secs[i];
  
  		if (sec->shdr.sh_type != SHT_REL) {
-@@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
+@@ -528,6 +572,22 @@ static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
  			    !is_rel_reloc(sym_name(sym_strtab, sym))) {
  				continue;
  			}
@@ -7697,7 +8056,7 @@ index 89bbf4e..869908e 100644
  			switch (r_type) {
  			case R_386_NONE:
  			case R_386_PC32:
-@@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, const void *vb)
+@@ -569,7 +629,7 @@ static int cmp_relocs(const void *va, const void *vb)
  
  static void emit_relocs(int as_text)
  {
@@ -7706,7 +8065,7 @@ index 89bbf4e..869908e 100644
  	/* Count how many relocations I have and allocate space for them. */
  	reloc_count = 0;
  	walk_relocs(count_reloc);
-@@ -665,6 +725,7 @@ int main(int argc, char **argv)
+@@ -663,6 +723,7 @@ int main(int argc, char **argv)
  			fname, strerror(errno));
  	}
  	read_ehdr(fp);
@@ -12132,7 +12491,7 @@ index 2d2f01c..f985723 100644
  /*
   * Force strict CPU ordering.
 diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
-index cfd8144..1b1127d 100644
+index cfd8144..664ac89 100644
 --- a/arch/x86/include/asm/thread_info.h
 +++ b/arch/x86/include/asm/thread_info.h
 @@ -10,6 +10,7 @@
@@ -12182,7 +12541,45 @@ index cfd8144..1b1127d 100644
  #define init_stack		(init_thread_union.stack)
  
  #else /* !__ASSEMBLY__ */
-@@ -169,45 +163,40 @@ struct thread_info {
+@@ -95,6 +89,7 @@ struct thread_info {
+ #define TIF_BLOCKSTEP		25	/* set when we want DEBUGCTLMSR_BTF */
+ #define TIF_LAZY_MMU_UPDATES	27	/* task is updating the mmu lazily */
+ #define TIF_SYSCALL_TRACEPOINT	28	/* syscall tracepoint instrumentation */
++#define TIF_GRSEC_SETXID	29	/* update credentials on syscall entry/exit */
+ 
+ #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+ #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+@@ -116,16 +111,17 @@ struct thread_info {
+ #define _TIF_BLOCKSTEP		(1 << TIF_BLOCKSTEP)
+ #define _TIF_LAZY_MMU_UPDATES	(1 << TIF_LAZY_MMU_UPDATES)
+ #define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
++#define _TIF_GRSEC_SETXID	(1 << TIF_GRSEC_SETXID)
+ 
+ /* work to do in syscall_trace_enter() */
+ #define _TIF_WORK_SYSCALL_ENTRY	\
+ 	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT |	\
+-	 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT)
++	 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do in syscall_trace_leave() */
+ #define _TIF_WORK_SYSCALL_EXIT	\
+ 	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP |	\
+-	 _TIF_SYSCALL_TRACEPOINT)
++	 _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
+ 
+ /* work to do on interrupt/exception return */
+ #define _TIF_WORK_MASK							\
+@@ -135,7 +131,8 @@ struct thread_info {
+ 
+ /* work to do on any return to user space */
+ #define _TIF_ALLWORK_MASK						\
+-	((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT)
++	((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT |	\
++	 _TIF_GRSEC_SETXID)
+ 
+ /* Only used for 64 bit */
+ #define _TIF_DO_NOTIFY_MASK						\
+@@ -169,45 +166,40 @@ struct thread_info {
  	ret;								\
  })
  
@@ -12253,7 +12650,7 @@ index cfd8144..1b1127d 100644
  /*
   * macros/functions for gaining access to the thread information structure
   * preempt_count needs to be 1 initially, until the scheduler is functional.
-@@ -215,27 +204,8 @@ static inline struct thread_info *current_thread_info(void)
+@@ -215,27 +207,8 @@ static inline struct thread_info *current_thread_info(void)
  #ifndef __ASSEMBLY__
  DECLARE_PER_CPU(unsigned long, kernel_stack);
  
@@ -12283,7 +12680,7 @@ index cfd8144..1b1127d 100644
  #endif
  
  #endif /* !X86_32 */
-@@ -269,5 +239,16 @@ extern void arch_task_cache_init(void);
+@@ -269,5 +242,16 @@ extern void arch_task_cache_init(void);
  extern void free_thread_info(struct thread_info *ti);
  extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
  #define arch_task_cache_init arch_task_cache_init
@@ -14606,7 +15003,7 @@ index 9b9f18b..9fcaa04 100644
  #include <asm/processor.h>
  #include <asm/fcntl.h>
 diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
-index 7b784f4..76aaad7 100644
+index 7b784f4..db6b628 100644
 --- a/arch/x86/kernel/entry_32.S
 +++ b/arch/x86/kernel/entry_32.S
 @@ -179,13 +179,146 @@
@@ -14799,7 +15196,7 @@ index 7b784f4..76aaad7 100644
 +#ifdef CONFIG_PAX_KERNEXEC
 +	jae resume_userspace
 +
-+	PAX_EXIT_KERNEL
++	pax_exit_kernel
 +	jmp resume_kernel
 +#else
  	jb resume_kernel		# not returning to v8086 or userspace
@@ -18533,7 +18930,7 @@ index cfa5c90..4facd28 100644
  		ip = *(u64 *)(fp+8);
  		if (!in_sched_functions(ip))
 diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
-index 5026738..e1b5aa8 100644
+index 5026738..574f70a 100644
 --- a/arch/x86/kernel/ptrace.c
 +++ b/arch/x86/kernel/ptrace.c
 @@ -792,6 +792,10 @@ static int ioperm_active(struct task_struct *target,
@@ -18582,6 +18979,41 @@ index 5026738..e1b5aa8 100644
  }
  
  void user_single_step_siginfo(struct task_struct *tsk,
+@@ -1361,6 +1365,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
+ # define IS_IA32	0
+ #endif
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++extern void gr_delayed_cred_worker(void);
++#endif
++
+ /*
+  * We must return the syscall number to actually look up in the table.
+  * This can be -1L to skip running any syscall at all.
+@@ -1369,6 +1377,11 @@ long syscall_trace_enter(struct pt_regs *regs)
+ {
+ 	long ret = 0;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++                gr_delayed_cred_worker();
++#endif		
++
+ 	/*
+ 	 * If we stepped into a sysenter/syscall insn, it trapped in
+ 	 * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP.
+@@ -1412,6 +1425,11 @@ void syscall_trace_leave(struct pt_regs *regs)
+ {
+ 	bool step;
+ 
++#ifdef CONFIG_GRKERNSEC_SETXID
++	if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
++                gr_delayed_cred_worker();
++#endif		
++
+ 	audit_syscall_exit(regs);
+ 
+ 	if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
 diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
 index 42eb330..139955c 100644
 --- a/arch/x86/kernel/pvclock.c
@@ -18820,7 +19252,7 @@ index d7d5099..28555d0 100644
  	bss_resource.start = virt_to_phys(&__bss_start);
  	bss_resource.end = virt_to_phys(&__bss_stop)-1;
 diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
-index 71f4727..217419b 100644
+index 5a98aa2..848d2be 100644
 --- a/arch/x86/kernel/setup_percpu.c
 +++ b/arch/x86/kernel/setup_percpu.c
 @@ -21,19 +21,17 @@
@@ -18879,7 +19311,7 @@ index 71f4727..217419b 100644
  	write_gdt_entry(get_cpu_gdt_table(cpu),
  			GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
  #endif
-@@ -207,6 +209,11 @@ void __init setup_per_cpu_areas(void)
+@@ -219,6 +221,11 @@ void __init setup_per_cpu_areas(void)
  	/* alrighty, percpu areas up and running */
  	delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
  	for_each_possible_cpu(cpu) {
@@ -18891,7 +19323,7 @@ index 71f4727..217419b 100644
  		per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
  		per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
  		per_cpu(cpu_number, cpu) = cpu;
-@@ -247,6 +254,12 @@ void __init setup_per_cpu_areas(void)
+@@ -259,6 +266,12 @@ void __init setup_per_cpu_areas(void)
  		 */
  		set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
  #endif
@@ -20334,7 +20766,7 @@ index e385214..f8df033 100644
  
  	local_irq_disable();
 diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 3b4c8d8..f457b63 100644
+index a7a6f60..04b745a 100644
 --- a/arch/x86/kvm/vmx.c
 +++ b/arch/x86/kvm/vmx.c
 @@ -1306,7 +1306,11 @@ static void reload_tss(void)
@@ -20349,7 +20781,7 @@ index 3b4c8d8..f457b63 100644
  	load_TR_desc();
  }
  
-@@ -2631,8 +2635,11 @@ static __init int hardware_setup(void)
+@@ -2637,8 +2641,11 @@ static __init int hardware_setup(void)
  	if (!cpu_has_vmx_flexpriority())
  		flexpriority_enabled = 0;
  
@@ -20363,7 +20795,7 @@ index 3b4c8d8..f457b63 100644
  
  	if (enable_ept && !cpu_has_vmx_ept_2m_page())
  		kvm_disable_largepages();
-@@ -3648,7 +3655,7 @@ static void vmx_set_constant_host_state(void)
+@@ -3654,7 +3661,7 @@ static void vmx_set_constant_host_state(void)
  	vmcs_writel(HOST_IDTR_BASE, dt.address);   /* 22.2.4 */
  
  	asm("mov $.Lkvm_vmx_return, %0" : "=r"(tmpl));
@@ -20372,7 +20804,7 @@ index 3b4c8d8..f457b63 100644
  
  	rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
  	vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
-@@ -6184,6 +6191,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -6192,6 +6199,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  		"jmp .Lkvm_vmx_return \n\t"
  		".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
  		".Lkvm_vmx_return: "
@@ -20385,7 +20817,7 @@ index 3b4c8d8..f457b63 100644
  		/* Save guest registers, load host registers, keep flags */
  		"mov %0, %c[wordsize](%%"R"sp) \n\t"
  		"pop %0 \n\t"
-@@ -6232,6 +6245,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -6240,6 +6253,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  #endif
  		[cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
  		[wordsize]"i"(sizeof(ulong))
@@ -20397,7 +20829,7 @@ index 3b4c8d8..f457b63 100644
  	      : "cc", "memory"
  		, R"ax", R"bx", R"di", R"si"
  #ifdef CONFIG_X86_64
-@@ -6260,7 +6278,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
+@@ -6268,7 +6286,16 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
  		}
  	}
  
@@ -20416,7 +20848,7 @@ index 3b4c8d8..f457b63 100644
  
  	vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 9cbfc06..943ffa6 100644
+index 8d1c6c6..6e6d611 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
 @@ -873,6 +873,7 @@ static int do_set_msr(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
@@ -20461,7 +20893,7 @@ index 9cbfc06..943ffa6 100644
  		return -EINVAL;
  	if (irqchip_in_kernel(vcpu->kvm))
  		return -ENXIO;
-@@ -3497,6 +3501,9 @@ gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva,
+@@ -3499,6 +3503,9 @@ gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva,
  
  static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
  				      struct kvm_vcpu *vcpu, u32 access,
@@ -20471,7 +20903,7 @@ index 9cbfc06..943ffa6 100644
  				      struct x86_exception *exception)
  {
  	void *data = val;
-@@ -3528,6 +3535,9 @@ out:
+@@ -3530,6 +3537,9 @@ out:
  /* used for instruction fetching */
  static int kvm_fetch_guest_virt(struct x86_emulate_ctxt *ctxt,
  				gva_t addr, void *val, unsigned int bytes,
@@ -20481,7 +20913,7 @@ index 9cbfc06..943ffa6 100644
  				struct x86_exception *exception)
  {
  	struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-@@ -3552,6 +3562,9 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_virt);
+@@ -3554,6 +3564,9 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_virt);
  
  static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt,
  				      gva_t addr, void *val, unsigned int bytes,
@@ -20491,7 +20923,7 @@ index 9cbfc06..943ffa6 100644
  				      struct x86_exception *exception)
  {
  	struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-@@ -3665,12 +3678,16 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
+@@ -3667,12 +3680,16 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
  }
  
  static int read_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
@@ -20508,7 +20940,7 @@ index 9cbfc06..943ffa6 100644
  			 void *val, int bytes)
  {
  	return emulator_write_phys(vcpu, gpa, val, bytes);
-@@ -3821,6 +3838,12 @@ static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt,
+@@ -3823,6 +3840,12 @@ static int emulator_cmpxchg_emulated(struct x86_emulate_ctxt *ctxt,
  				     const void *old,
  				     const void *new,
  				     unsigned int bytes,
@@ -20521,7 +20953,7 @@ index 9cbfc06..943ffa6 100644
  				     struct x86_exception *exception)
  {
  	struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-@@ -4780,7 +4803,7 @@ static void kvm_set_mmio_spte_mask(void)
+@@ -4782,7 +4805,7 @@ static void kvm_set_mmio_spte_mask(void)
  	kvm_mmu_set_mmio_spte_mask(mask);
  }
  
@@ -20906,7 +21338,7 @@ index e8e7e0d..56fd1b0 100644
  	movl %eax,  (v)
  	movl %edx, 4(v)
 diff --git a/arch/x86/lib/atomic64_cx8_32.S b/arch/x86/lib/atomic64_cx8_32.S
-index 391a083..d658e9f 100644
+index 391a083..3a2cf39 100644
 --- a/arch/x86/lib/atomic64_cx8_32.S
 +++ b/arch/x86/lib/atomic64_cx8_32.S
 @@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8)
@@ -21017,7 +21449,7 @@ index 391a083..d658e9f 100644
  
 -.macro incdec_return func ins insc
 -ENTRY(atomic64_\func\()_return_cx8)
-+.macro incdec_return func ins insc unchecked
++.macro incdec_return func ins insc unchecked=""
 +ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
  	CFI_STARTPROC
  	SAVE ebx
@@ -24310,7 +24742,7 @@ index f4f29b1..5cac4fb 100644
  
  	return (void *)vaddr;
 diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
-index 8ecbb4b..29efd37 100644
+index 8ecbb4b..a269cab 100644
 --- a/arch/x86/mm/hugetlbpage.c
 +++ b/arch/x86/mm/hugetlbpage.c
 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
@@ -24386,7 +24818,7 @@ index 8ecbb4b..29efd37 100644
  
  	/* don't allow allocations above current base */
  	if (mm->free_area_cache > base)
-@@ -321,66 +328,63 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
+@@ -321,14 +328,15 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
  	        largest_hole = 0;
  		mm->free_area_cache  = base;
  	}
@@ -24401,16 +24833,10 @@ index 8ecbb4b..29efd37 100644
 +	addr = (mm->free_area_cache - len);
  	do {
 +		addr &= huge_page_mask(h);
-+		vma = find_vma(mm, addr);
  		/*
  		 * Lookup failure means no vma is above this address,
  		 * i.e. return with success:
--		 */
--		vma = find_vma(mm, addr);
--		if (!vma)
--			return addr;
--
--		/*
+@@ -341,46 +349,47 @@ try_again:
  		 * new region fits between prev_vma->vm_end and
  		 * vma->vm_start, use it:
  		 */
@@ -24483,7 +24909,7 @@ index 8ecbb4b..29efd37 100644
  	mm->cached_hole_size = ~0UL;
  	addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
  			len, pgoff, flags);
-@@ -388,6 +392,7 @@ fail:
+@@ -388,6 +397,7 @@ fail:
  	/*
  	 * Restore the topdown base:
  	 */
@@ -24491,7 +24917,7 @@ index 8ecbb4b..29efd37 100644
  	mm->free_area_cache = base;
  	mm->cached_hole_size = ~0UL;
  
-@@ -401,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -401,10 +411,19 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
  	struct hstate *h = hstate_file(file);
  	struct mm_struct *mm = current->mm;
  	struct vm_area_struct *vma;
@@ -24512,7 +24938,7 @@ index 8ecbb4b..29efd37 100644
  		return -ENOMEM;
  
  	if (flags & MAP_FIXED) {
-@@ -416,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
+@@ -416,8 +435,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
  	if (addr) {
  		addr = ALIGN(addr, huge_page_size(h));
  		vma = find_vma(mm, addr);
@@ -24940,7 +25366,7 @@ index 8663f6c..829ae76 100644
  	printk(KERN_INFO "Write protecting the kernel text: %luk\n",
  		size >> 10);
 diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 436a030..2b60088 100644
+index 436a030..4f97ffc 100644
 --- a/arch/x86/mm/init_64.c
 +++ b/arch/x86/mm/init_64.c
 @@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpages_on);
@@ -25057,6 +25483,15 @@ index 436a030..2b60088 100644
  	adr = (void *)(((unsigned long)adr) | left);
  
  	return adr;
+@@ -546,7 +560,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
+ 		unmap_low_page(pmd);
+ 
+ 		spin_lock(&init_mm.page_table_lock);
+-		pud_populate(&init_mm, pud, __va(pmd_phys));
++		pud_populate_kernel(&init_mm, pud, __va(pmd_phys));
+ 		spin_unlock(&init_mm.page_table_lock);
+ 	}
+ 	__flush_tlb_all();
 @@ -592,7 +606,7 @@ kernel_physical_mapping_init(unsigned long start,
  		unmap_low_page(pud);
  
@@ -26837,10 +27272,10 @@ index 153407c..611cba9 100644
 -}
 -__setup("vdso=", vdso_setup);
 diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 4172af8..2c8ed7f 100644
+index 4e517d4..68a48f5 100644
 --- a/arch/x86/xen/enlighten.c
 +++ b/arch/x86/xen/enlighten.c
-@@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
+@@ -86,8 +86,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
  
  struct shared_info xen_dummy_shared_info;
  
@@ -26849,7 +27284,7 @@ index 4172af8..2c8ed7f 100644
  RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
  __read_mostly int xen_have_vector_callback;
  EXPORT_SYMBOL_GPL(xen_have_vector_callback);
-@@ -1029,30 +1027,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1030,30 +1028,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
  #endif
  };
  
@@ -26887,7 +27322,7 @@ index 4172af8..2c8ed7f 100644
  {
  	if (pm_power_off)
  		pm_power_off();
-@@ -1155,7 +1153,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1156,7 +1154,17 @@ asmlinkage void __init xen_start_kernel(void)
  	__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
  
  	/* Work out if we support NX */
@@ -26906,7 +27341,7 @@ index 4172af8..2c8ed7f 100644
  
  	xen_setup_features();
  
-@@ -1186,13 +1194,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1187,13 +1195,6 @@ asmlinkage void __init xen_start_kernel(void)
  
  	machine_ops = xen_machine_ops;
  
@@ -26921,10 +27356,10 @@ index 4172af8..2c8ed7f 100644
  
  #ifdef CONFIG_ACPI_NUMA
 diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
-index 95c1cf6..4bfa5be 100644
+index dc19347..1b07a2c 100644
 --- a/arch/x86/xen/mmu.c
 +++ b/arch/x86/xen/mmu.c
-@@ -1733,6 +1733,9 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd,
+@@ -1738,6 +1738,9 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd,
  	convert_pfn_mfn(init_level4_pgt);
  	convert_pfn_mfn(level3_ident_pgt);
  	convert_pfn_mfn(level3_kernel_pgt);
@@ -26934,7 +27369,7 @@ index 95c1cf6..4bfa5be 100644
  
  	l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
  	l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
-@@ -1751,7 +1754,11 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd,
+@@ -1756,7 +1759,11 @@ pgd_t * __init xen_setup_kernel_pagetable(pgd_t *pgd,
  	set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
  	set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
  	set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
@@ -26946,7 +27381,7 @@ index 95c1cf6..4bfa5be 100644
  	set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
  	set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
  
-@@ -1958,6 +1965,7 @@ static void __init xen_post_allocator_init(void)
+@@ -1963,6 +1970,7 @@ static void __init xen_post_allocator_init(void)
  	pv_mmu_ops.set_pud = xen_set_pud;
  #if PAGETABLE_LEVELS == 4
  	pv_mmu_ops.set_pgd = xen_set_pgd;
@@ -26954,7 +27389,7 @@ index 95c1cf6..4bfa5be 100644
  #endif
  
  	/* This will work as long as patching hasn't happened yet
-@@ -2039,6 +2047,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
+@@ -2044,6 +2052,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
  	.pud_val = PV_CALLEE_SAVE(xen_pud_val),
  	.make_pud = PV_CALLEE_SAVE(xen_make_pud),
  	.set_pgd = xen_set_pgd_hyper,
@@ -46851,10 +47286,10 @@ index 5698746..6086012 100644
  		kfree(s);
  }
 diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
-index 3645cd3..786809c 100644
+index c60267e..193d9e4 100644
 --- a/fs/hugetlbfs/inode.c
 +++ b/fs/hugetlbfs/inode.c
-@@ -914,7 +914,7 @@ static struct file_system_type hugetlbfs_fs_type = {
+@@ -902,7 +902,7 @@ static struct file_system_type hugetlbfs_fs_type = {
  	.kill_sb	= kill_litter_super,
  };
  
@@ -47597,7 +48032,7 @@ index f649fba..236bf92 100644
  
  void nfs_fattr_init(struct nfs_fattr *fattr)
 diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
-index edf6d3e..bdd1da7 100644
+index b96fe94..a4dbece 100644
 --- a/fs/nfsd/vfs.c
 +++ b/fs/nfsd/vfs.c
 @@ -925,7 +925,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
@@ -49831,10 +50266,10 @@ index ab30253..4d86958 100644
  		kfree(s);
 diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
 new file mode 100644
-index 0000000..4089e05
+index 0000000..2645296
 --- /dev/null
 +++ b/grsecurity/Kconfig
-@@ -0,0 +1,1078 @@
+@@ -0,0 +1,1079 @@
 +#
 +# grecurity configuration
 +#
@@ -49969,7 +50404,7 @@ index 0000000..4089e05
 +	select GRKERNSEC_PROC_ADD
 +	select GRKERNSEC_CHROOT_CHMOD
 +	select GRKERNSEC_CHROOT_NICE
-+	select GRKERNSEC_SETXID
++	select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS)
 +	select GRKERNSEC_AUDIT_MOUNT
 +	select GRKERNSEC_MODHARDEN if (MODULES)
 +	select GRKERNSEC_HARDEN_PTRACE
@@ -50664,6 +51099,7 @@ index 0000000..4089e05
 +
 +config GRKERNSEC_SETXID
 +	bool "Enforce consistent multithreaded privileges"
++	depends on (X86 || SPARC64 || PPC || ARM || MIPS)
 +	help
 +	  If you say Y here, a change from a root uid to a non-root uid
 +	  in a multithreaded application will cause the resulting uids,
@@ -50959,10 +51395,10 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..42813ac
+index 0000000..a6d83f0
 --- /dev/null
 +++ b/grsecurity/gracl.c
-@@ -0,0 +1,4192 @@
+@@ -0,0 +1,4193 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -54820,21 +55256,22 @@ index 0000000..42813ac
 +	if (unlikely(!(gr_status & GR_READY)))
 +		return 0;
 +#endif
++	if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
++		read_lock(&tasklist_lock);
++		while (tmp->pid > 0) {
++			if (tmp == curtemp)
++				break;
++			tmp = tmp->real_parent;
++		}
 +
-+	read_lock(&tasklist_lock);
-+	while (tmp->pid > 0) {
-+		if (tmp == curtemp)
-+			break;
-+		tmp = tmp->real_parent;
-+	}
-+
-+	if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
-+				((gr_status & GR_READY)	&& !(current->acl->mode & GR_RELAXPTRACE)))) {
++		if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
++					((gr_status & GR_READY)	&& !(current->acl->mode & GR_RELAXPTRACE)))) {
++			read_unlock(&tasklist_lock);
++			gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
++			return 1;
++		}
 +		read_unlock(&tasklist_lock);
-+		gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
-+		return 1;
 +	}
-+	read_unlock(&tasklist_lock);
 +
 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
 +	if (!(gr_status & GR_READY))
@@ -62544,7 +62981,7 @@ index 9c07dce..a92fa71 100644
  	if (atomic_sub_and_test((int) count, &kref->refcount)) {
  		release(kref);
 diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index bc21720..098aefa 100644
+index 4c4e83d..5f16617 100644
 --- a/include/linux/kvm_host.h
 +++ b/include/linux/kvm_host.h
 @@ -326,7 +326,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu);
@@ -63114,7 +63551,7 @@ index ffc0213..2c1f2cb 100644
  	return nd->saved_names[nd->depth];
  }
 diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
-index 4f3b01a..8256d1a 100644
+index 7e472b7..212d381 100644
 --- a/include/linux/netdevice.h
 +++ b/include/linux/netdevice.h
 @@ -1002,6 +1002,7 @@ struct net_device_ops {
@@ -66076,7 +66513,7 @@ index 42e8fa0..9e7406b 100644
  		return -ENOMEM;
  
 diff --git a/kernel/cred.c b/kernel/cred.c
-index 48c6fd3..3342f00 100644
+index 48c6fd3..8398912 100644
 --- a/kernel/cred.c
 +++ b/kernel/cred.c
 @@ -204,6 +204,15 @@ void exit_creds(struct task_struct *tsk)
@@ -66113,7 +66550,7 @@ index 48c6fd3..3342f00 100644
  	/* dumpability changes */
  	if (old->euid != new->euid ||
  	    old->egid != new->egid ||
-@@ -540,6 +551,92 @@ int commit_creds(struct cred *new)
+@@ -540,6 +551,101 @@ int commit_creds(struct cred *new)
  	put_cred(old);
  	return 0;
  }
@@ -66179,6 +66616,8 @@ index 48c6fd3..3342f00 100644
 +int commit_creds(struct cred *new)
 +{
 +#ifdef CONFIG_GRKERNSEC_SETXID
++	int ret;
++	int schedule_it = 0;
 +	struct task_struct *t;
 +
 +	/* we won't get called with tasklist_lock held for writing
@@ -66187,20 +66626,27 @@ index 48c6fd3..3342f00 100644
 +	*/
 +	if (grsec_enable_setxid && !current_is_single_threaded() &&
 +	    !current_uid() && new->uid) {
++		schedule_it = 1;
++	}
++	ret = __commit_creds(new);
++	if (schedule_it) {
 +		rcu_read_lock();
 +		read_lock(&tasklist_lock);
 +		for (t = next_thread(current); t != current;
 +		     t = next_thread(t)) {
 +			if (t->delayed_cred == NULL) {
 +				t->delayed_cred = get_cred(new);
++				set_tsk_thread_flag(t, TIF_GRSEC_SETXID);
 +				set_tsk_need_resched(t);
 +			}
 +		}
 +		read_unlock(&tasklist_lock);
 +		rcu_read_unlock();
 +	}
-+#endif
++	return ret;
++#else
 +	return __commit_creds(new);
++#endif
 +}
 +
  EXPORT_SYMBOL(commit_creds);
@@ -69073,39 +69519,10 @@ index e8a1f83..363d17d 100644
  #ifdef CONFIG_RT_GROUP_SCHED
  	/*
 diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 478a04c..6970d99 100644
+index 478a04c..e16339a 100644
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
-@@ -3142,6 +3142,19 @@ pick_next_task(struct rq *rq)
- 	BUG(); /* the idle class will always have a runnable task */
- }
- 
-+#ifdef CONFIG_GRKERNSEC_SETXID
-+extern void gr_delayed_cred_worker(void);
-+static inline void gr_cred_schedule(void)
-+{
-+	if (unlikely(current->delayed_cred))
-+		gr_delayed_cred_worker();
-+}
-+#else
-+static inline void gr_cred_schedule(void)
-+{
-+}
-+#endif
-+
- /*
-  * __schedule() is the main scheduler function.
-  */
-@@ -3161,6 +3174,8 @@ need_resched:
- 
- 	schedule_debug(prev);
- 
-+	gr_cred_schedule();
-+
- 	if (sched_feat(HRTICK))
- 		hrtick_clear(rq);
- 
-@@ -3851,6 +3866,8 @@ int can_nice(const struct task_struct *p, const int nice)
+@@ -3851,6 +3851,8 @@ int can_nice(const struct task_struct *p, const int nice)
  	/* convert nice value [19,-20] to rlimit style value [1,40] */
  	int nice_rlim = 20 - nice;
  
@@ -69114,7 +69531,7 @@ index 478a04c..6970d99 100644
  	return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
  		capable(CAP_SYS_NICE));
  }
-@@ -3884,7 +3901,8 @@ SYSCALL_DEFINE1(nice, int, increment)
+@@ -3884,7 +3886,8 @@ SYSCALL_DEFINE1(nice, int, increment)
  	if (nice > 19)
  		nice = 19;
  
@@ -69124,7 +69541,7 @@ index 478a04c..6970d99 100644
  		return -EPERM;
  
  	retval = security_task_setnice(current, nice);
-@@ -4041,6 +4059,7 @@ recheck:
+@@ -4041,6 +4044,7 @@ recheck:
  			unsigned long rlim_rtprio =
  					task_rlimit(p, RLIMIT_RTPRIO);
  
@@ -70448,6 +70865,28 @@ index 013a761..c28f3fc 100644
  #define free(a) kfree(a)
  #endif
  
+diff --git a/lib/ioremap.c b/lib/ioremap.c
+index da4e2ad..6373b5f 100644
+--- a/lib/ioremap.c
++++ b/lib/ioremap.c
+@@ -38,7 +38,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr,
+ 	unsigned long next;
+ 
+ 	phys_addr -= addr;
+-	pmd = pmd_alloc(&init_mm, pud, addr);
++	pmd = pmd_alloc_kernel(&init_mm, pud, addr);
+ 	if (!pmd)
+ 		return -ENOMEM;
+ 	do {
+@@ -56,7 +56,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr,
+ 	unsigned long next;
+ 
+ 	phys_addr -= addr;
+-	pud = pud_alloc(&init_mm, pgd, addr);
++	pud = pud_alloc_kernel(&init_mm, pgd, addr);
+ 	if (!pud)
+ 		return -ENOMEM;
+ 	do {
 diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c
 index bd2bea9..6b3c95e 100644
 --- a/lib/is_single_threaded.c
@@ -70677,10 +71116,10 @@ index 8f7fc39..69bf1e9 100644
  	/* if an huge pmd materialized from under us just retry later */
  	if (unlikely(pmd_trans_huge(*pmd)))
 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index a7cf829..d60e0e1 100644
+index 24b1787..e0fbc01 100644
 --- a/mm/hugetlb.c
 +++ b/mm/hugetlb.c
-@@ -2346,6 +2346,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2425,6 +2425,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
  	return 1;
  }
  
@@ -70708,7 +71147,7 @@ index a7cf829..d60e0e1 100644
  /*
   * Hugetlb_cow() should be called with page lock of the original hugepage held.
   * Called with hugetlb_instantiation_mutex held and pte_page locked so we
-@@ -2459,6 +2480,11 @@ retry_avoidcopy:
+@@ -2538,6 +2559,11 @@ retry_avoidcopy:
  				make_huge_pte(vma, new_page, 1));
  		page_remove_rmap(old_page);
  		hugepage_add_new_anon_rmap(new_page, vma, address);
@@ -70720,7 +71159,7 @@ index a7cf829..d60e0e1 100644
  		/* Make the old page be freed below */
  		new_page = old_page;
  		mmu_notifier_invalidate_range_end(mm,
-@@ -2613,6 +2639,10 @@ retry:
+@@ -2692,6 +2718,10 @@ retry:
  				&& (vma->vm_flags & VM_SHARED)));
  	set_huge_pte_at(mm, address, ptep, new_pte);
  
@@ -70731,7 +71170,7 @@ index a7cf829..d60e0e1 100644
  	if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
  		/* Optimization, do the COW without a second fault */
  		ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
-@@ -2642,6 +2672,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2721,6 +2751,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	static DEFINE_MUTEX(hugetlb_instantiation_mutex);
  	struct hstate *h = hstate_vma(vma);
  
@@ -70742,7 +71181,7 @@ index a7cf829..d60e0e1 100644
  	address &= huge_page_mask(h);
  
  	ptep = huge_pte_offset(mm, address);
-@@ -2655,6 +2689,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2734,6 +2768,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  			       VM_FAULT_SET_HINDEX(h - hstates);
  	}
  
@@ -70982,7 +71421,7 @@ index 56080ea..115071e 100644
  	/* keep elevated page count for bad page */
  	return ret;
 diff --git a/mm/memory.c b/mm/memory.c
-index 10b4dda..b1f60ad 100644
+index 10b4dda..06857f3 100644
 --- a/mm/memory.c
 +++ b/mm/memory.c
 @@ -457,8 +457,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -71109,7 +71548,29 @@ index 10b4dda..b1f60ad 100644
  
  	if (addr < vma->vm_start || addr >= vma->vm_end)
  		return -EFAULT;
-@@ -2472,6 +2485,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
+@@ -2364,7 +2377,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
+ 
+ 	BUG_ON(pud_huge(*pud));
+ 
+-	pmd = pmd_alloc(mm, pud, addr);
++	pmd = (mm == &init_mm) ?
++		pmd_alloc_kernel(mm, pud, addr) :
++		pmd_alloc(mm, pud, addr);
+ 	if (!pmd)
+ 		return -ENOMEM;
+ 	do {
+@@ -2384,7 +2399,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
+ 	unsigned long next;
+ 	int err;
+ 
+-	pud = pud_alloc(mm, pgd, addr);
++	pud = (mm == &init_mm) ?
++		pud_alloc_kernel(mm, pgd, addr) :
++		pud_alloc(mm, pgd, addr);
+ 	if (!pud)
+ 		return -ENOMEM;
+ 	do {
+@@ -2472,6 +2489,186 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
  		copy_user_highpage(dst, src, va, vma);
  }
  
@@ -71296,7 +71757,7 @@ index 10b4dda..b1f60ad 100644
  /*
   * This routine handles present pages, when users try to write
   * to a shared page. It is done by copying the page to a new address
-@@ -2683,6 +2876,12 @@ gotten:
+@@ -2683,6 +2880,12 @@ gotten:
  	 */
  	page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -71309,7 +71770,7 @@ index 10b4dda..b1f60ad 100644
  		if (old_page) {
  			if (!PageAnon(old_page)) {
  				dec_mm_counter_fast(mm, MM_FILEPAGES);
-@@ -2734,6 +2933,10 @@ gotten:
+@@ -2734,6 +2937,10 @@ gotten:
  			page_remove_rmap(old_page);
  		}
  
@@ -71320,7 +71781,7 @@ index 10b4dda..b1f60ad 100644
  		/* Free the old page.. */
  		new_page = old_page;
  		ret |= VM_FAULT_WRITE;
-@@ -3013,6 +3216,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3013,6 +3220,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	swap_free(entry);
  	if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
  		try_to_free_swap(page);
@@ -71332,7 +71793,7 @@ index 10b4dda..b1f60ad 100644
  	unlock_page(page);
  	if (swapcache) {
  		/*
-@@ -3036,6 +3244,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3036,6 +3248,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, page_table);
@@ -71344,7 +71805,7 @@ index 10b4dda..b1f60ad 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  out:
-@@ -3055,40 +3268,6 @@ out_release:
+@@ -3055,40 +3272,6 @@ out_release:
  }
  
  /*
@@ -71385,7 +71846,7 @@ index 10b4dda..b1f60ad 100644
   * We enter with non-exclusive mmap_sem (to exclude vma changes,
   * but allow concurrent faults), and pte mapped but not yet locked.
   * We return with mmap_sem still held, but pte unmapped and unlocked.
-@@ -3097,27 +3276,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3097,27 +3280,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  		unsigned long address, pte_t *page_table, pmd_t *pmd,
  		unsigned int flags)
  {
@@ -71418,7 +71879,7 @@ index 10b4dda..b1f60ad 100644
  	if (unlikely(anon_vma_prepare(vma)))
  		goto oom;
  	page = alloc_zeroed_user_highpage_movable(vma, address);
-@@ -3136,6 +3311,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3136,6 +3315,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (!pte_none(*page_table))
  		goto release;
  
@@ -71430,7 +71891,7 @@ index 10b4dda..b1f60ad 100644
  	inc_mm_counter_fast(mm, MM_ANONPAGES);
  	page_add_new_anon_rmap(page, vma, address);
  setpte:
-@@ -3143,6 +3323,12 @@ setpte:
+@@ -3143,6 +3327,12 @@ setpte:
  
  	/* No need to invalidate - it was non-present before */
  	update_mmu_cache(vma, address, page_table);
@@ -71443,7 +71904,7 @@ index 10b4dda..b1f60ad 100644
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  	return 0;
-@@ -3286,6 +3472,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3286,6 +3476,12 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	 */
  	/* Only go through if we didn't race with anybody else... */
  	if (likely(pte_same(*page_table, orig_pte))) {
@@ -71456,7 +71917,7 @@ index 10b4dda..b1f60ad 100644
  		flush_icache_page(vma, page);
  		entry = mk_pte(page, vma->vm_page_prot);
  		if (flags & FAULT_FLAG_WRITE)
-@@ -3305,6 +3497,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3305,6 +3501,14 @@ static int __do_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  
  		/* no need to invalidate: a not-present page won't be cached */
  		update_mmu_cache(vma, address, page_table);
@@ -71471,7 +71932,7 @@ index 10b4dda..b1f60ad 100644
  	} else {
  		if (cow_page)
  			mem_cgroup_uncharge_page(cow_page);
-@@ -3458,6 +3658,12 @@ int handle_pte_fault(struct mm_struct *mm,
+@@ -3458,6 +3662,12 @@ int handle_pte_fault(struct mm_struct *mm,
  		if (flags & FAULT_FLAG_WRITE)
  			flush_tlb_fix_spurious_fault(vma, address);
  	}
@@ -71484,7 +71945,7 @@ index 10b4dda..b1f60ad 100644
  unlock:
  	pte_unmap_unlock(pte, ptl);
  	return 0;
-@@ -3474,6 +3680,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3474,6 +3684,10 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	pmd_t *pmd;
  	pte_t *pte;
  
@@ -71495,7 +71956,7 @@ index 10b4dda..b1f60ad 100644
  	__set_current_state(TASK_RUNNING);
  
  	count_vm_event(PGFAULT);
-@@ -3485,6 +3695,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3485,6 +3699,34 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	if (unlikely(is_vm_hugetlb_page(vma)))
  		return hugetlb_fault(mm, vma, address, flags);
  
@@ -71530,7 +71991,7 @@ index 10b4dda..b1f60ad 100644
  	pgd = pgd_offset(mm, address);
  	pud = pud_alloc(mm, pgd, address);
  	if (!pud)
-@@ -3514,7 +3752,7 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -3514,7 +3756,7 @@ int handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	 * run pte_offset_map on the pmd, if an huge pmd could
  	 * materialize from under us from a different thread.
  	 */
@@ -71539,7 +72000,7 @@ index 10b4dda..b1f60ad 100644
  		return VM_FAULT_OOM;
  	/* if an huge pmd materialized from under us just retry later */
  	if (unlikely(pmd_trans_huge(*pmd)))
-@@ -3551,6 +3789,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
+@@ -3551,6 +3793,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -71563,7 +72024,7 @@ index 10b4dda..b1f60ad 100644
  #endif /* __PAGETABLE_PUD_FOLDED */
  
  #ifndef __PAGETABLE_PMD_FOLDED
-@@ -3581,6 +3836,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
+@@ -3581,6 +3840,30 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
  	spin_unlock(&mm->page_table_lock);
  	return 0;
  }
@@ -71594,7 +72055,7 @@ index 10b4dda..b1f60ad 100644
  #endif /* __PAGETABLE_PMD_FOLDED */
  
  int make_pages_present(unsigned long addr, unsigned long end)
-@@ -3618,7 +3897,7 @@ static int __init gate_vma_init(void)
+@@ -3618,7 +3901,7 @@ static int __init gate_vma_init(void)
  	gate_vma.vm_start = FIXADDR_USER_START;
  	gate_vma.vm_end = FIXADDR_USER_END;
  	gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
@@ -75428,7 +75889,7 @@ index 68bbf9f..5ef0d12 100644
  
  	return err;
 diff --git a/net/core/dev.c b/net/core/dev.c
-index 7f72c9c..e29943b 100644
+index 0336374..659088a 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -1138,10 +1138,14 @@ void dev_load(struct net *net, const char *name)
@@ -75446,7 +75907,7 @@ index 7f72c9c..e29943b 100644
  	}
  }
  EXPORT_SYMBOL(dev_load);
-@@ -1585,7 +1589,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+@@ -1605,7 +1609,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
  {
  	if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY) {
  		if (skb_copy_ubufs(skb, GFP_ATOMIC)) {
@@ -75455,7 +75916,7 @@ index 7f72c9c..e29943b 100644
  			kfree_skb(skb);
  			return NET_RX_DROP;
  		}
-@@ -1595,7 +1599,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
+@@ -1615,7 +1619,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
  	nf_reset(skb);
  
  	if (unlikely(!is_skb_forwardable(dev, skb))) {
@@ -75464,7 +75925,7 @@ index 7f72c9c..e29943b 100644
  		kfree_skb(skb);
  		return NET_RX_DROP;
  	}
-@@ -2057,7 +2061,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
+@@ -2077,7 +2081,7 @@ static int illegal_highdma(struct net_device *dev, struct sk_buff *skb)
  
  struct dev_gso_cb {
  	void (*destructor)(struct sk_buff *skb);
@@ -75473,7 +75934,7 @@ index 7f72c9c..e29943b 100644
  
  #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
  
-@@ -2913,7 +2917,7 @@ enqueue:
+@@ -2933,7 +2937,7 @@ enqueue:
  
  	local_irq_restore(flags);
  
@@ -75482,7 +75943,7 @@ index 7f72c9c..e29943b 100644
  	kfree_skb(skb);
  	return NET_RX_DROP;
  }
-@@ -2985,7 +2989,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -3005,7 +3009,7 @@ int netif_rx_ni(struct sk_buff *skb)
  }
  EXPORT_SYMBOL(netif_rx_ni);
  
@@ -75491,7 +75952,7 @@ index 7f72c9c..e29943b 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  
-@@ -3273,7 +3277,7 @@ ncls:
+@@ -3293,7 +3297,7 @@ ncls:
  	if (pt_prev) {
  		ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
  	} else {
@@ -75500,7 +75961,7 @@ index 7f72c9c..e29943b 100644
  		kfree_skb(skb);
  		/* Jamal, now you will not able to escape explaining
  		 * me how you were going to use this. :-)
-@@ -3833,7 +3837,7 @@ void netif_napi_del(struct napi_struct *napi)
+@@ -3853,7 +3857,7 @@ void netif_napi_del(struct napi_struct *napi)
  }
  EXPORT_SYMBOL(netif_napi_del);
  
@@ -75509,7 +75970,7 @@ index 7f72c9c..e29943b 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  	unsigned long time_limit = jiffies + 2;
-@@ -5858,7 +5862,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5878,7 +5882,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
  	} else {
  		netdev_stats_to_stats64(storage, &dev->stats);
  	}
@@ -86454,7 +86915,7 @@ index af0f22f..9a7d479 100644
                         break;
         }
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index c4ac57e..527711d 100644
+index 7858228..2919715 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -75,7 +75,7 @@ LIST_HEAD(vm_list);
@@ -86466,7 +86927,7 @@ index c4ac57e..527711d 100644
  
  struct kmem_cache *kvm_vcpu_cache;
  EXPORT_SYMBOL_GPL(kvm_vcpu_cache);
-@@ -2313,7 +2313,7 @@ static void hardware_enable_nolock(void *junk)
+@@ -2318,7 +2318,7 @@ static void hardware_enable_nolock(void *junk)
  
  	if (r) {
  		cpumask_clear_cpu(cpu, cpus_hardware_enabled);
@@ -86475,7 +86936,7 @@ index c4ac57e..527711d 100644
  		printk(KERN_INFO "kvm: enabling virtualization on "
  				 "CPU%d failed\n", cpu);
  	}
-@@ -2367,10 +2367,10 @@ static int hardware_enable_all(void)
+@@ -2372,10 +2372,10 @@ static int hardware_enable_all(void)
  
  	kvm_usage_count++;
  	if (kvm_usage_count == 1) {
@@ -86488,7 +86949,7 @@ index c4ac57e..527711d 100644
  			hardware_disable_all_nolock();
  			r = -EBUSY;
  		}
-@@ -2733,7 +2733,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
+@@ -2738,7 +2738,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
  	kvm_arch_vcpu_put(vcpu);
  }
  
@@ -86497,7 +86958,7 @@ index c4ac57e..527711d 100644
  		  struct module *module)
  {
  	int r;
-@@ -2796,7 +2796,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2801,7 +2801,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (!vcpu_align)
  		vcpu_align = __alignof__(struct kvm_vcpu);
  	kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
@@ -86506,7 +86967,7 @@ index c4ac57e..527711d 100644
  	if (!kvm_vcpu_cache) {
  		r = -ENOMEM;
  		goto out_free_3;
-@@ -2806,9 +2806,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2811,9 +2811,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (r)
  		goto out_free;
  
diff --git a/3.3.5/4430_grsec-remove-localversion-grsec.patch b/3.3.6/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.3.5/4430_grsec-remove-localversion-grsec.patch
+++ b/3.3.6/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.3.5/4435_grsec-mute-warnings.patch b/3.3.6/4435_grsec-mute-warnings.patch
index e85abd6..e85abd6 100644
--- a/3.3.5/4435_grsec-mute-warnings.patch
+++ b/3.3.6/4435_grsec-mute-warnings.patch
diff --git a/3.3.5/4440_grsec-remove-protected-paths.patch b/3.3.6/4440_grsec-remove-protected-paths.patch
index 637934a..637934a 100644
--- a/3.3.5/4440_grsec-remove-protected-paths.patch
+++ b/3.3.6/4440_grsec-remove-protected-paths.patch
diff --git a/3.3.5/4445_grsec-pax-without-grsec.patch b/3.3.6/4445_grsec-pax-without-grsec.patch
index 35255c2..35255c2 100644
--- a/3.3.5/4445_grsec-pax-without-grsec.patch
+++ b/3.3.6/4445_grsec-pax-without-grsec.patch
diff --git a/3.3.5/4450_grsec-kconfig-default-gids.patch b/3.3.6/4450_grsec-kconfig-default-gids.patch
index 123f877..123f877 100644
--- a/3.3.5/4450_grsec-kconfig-default-gids.patch
+++ b/3.3.6/4450_grsec-kconfig-default-gids.patch
diff --git a/3.3.5/4455_grsec-kconfig-gentoo.patch b/3.3.6/4455_grsec-kconfig-gentoo.patch
index b9dc3e5..b9dc3e5 100644
--- a/3.3.5/4455_grsec-kconfig-gentoo.patch
+++ b/3.3.6/4455_grsec-kconfig-gentoo.patch
diff --git a/3.3.5/4460-grsec-kconfig-proc-user.patch b/3.3.6/4460-grsec-kconfig-proc-user.patch
index b2b3188..b2b3188 100644
--- a/3.3.5/4460-grsec-kconfig-proc-user.patch
+++ b/3.3.6/4460-grsec-kconfig-proc-user.patch
diff --git a/3.3.5/4465_selinux-avc_audit-log-curr_ip.patch b/3.3.6/4465_selinux-avc_audit-log-curr_ip.patch
index 5a9d80c..5a9d80c 100644
--- a/3.3.5/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.3.6/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.3.5/4470_disable-compat_vdso.patch b/3.3.6/4470_disable-compat_vdso.patch
index c40f44f..c40f44f 100644
--- a/3.3.5/4470_disable-compat_vdso.patch
+++ b/3.3.6/4470_disable-compat_vdso.patch