Grsec/PaX: 2.9.1-{2.6.32.60,3.2.35,3.6.9}-20121207164120121207

30 files changed, 3475 insertions, 405 deletions

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 640e15f..1443d3a 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch:	1059_linux-2.6.32.60.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.59
 
-Patch:	4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch
+Patch:	4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch
index 585b0cc..06f7fb7 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212041903.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201212071640.patch
@@ -76791,7 +76791,7 @@ index ff57421..f65f88a 100644
  
  out_free_fd:
 diff --git a/fs/exec.c b/fs/exec.c
-index 86fafc6..ab06586 100644
+index 86fafc6..ddb5122 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -56,12 +56,33 @@
@@ -77568,7 +77568,7 @@ index 86fafc6..ab06586 100644
  	audit_core_dumps(signr);
  
 +	if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
-+		gr_handle_brute_attach(current, mm->flags);
++		gr_handle_brute_attach(mm->flags);
 +
  	binfmt = mm->binfmt;
  	if (!binfmt || !binfmt->core_dump)
@@ -92700,10 +92700,10 @@ index 0000000..78f8733
 +}
 diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
 new file mode 100644
-index 0000000..c648492
+index 0000000..d450a74
 --- /dev/null
 +++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,206 @@
+@@ -0,0 +1,219 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/delay.h>
@@ -92781,6 +92781,7 @@ index 0000000..c648492
 +
 +#ifdef CONFIG_GRKERNSEC_BRUTE
 +#define GR_USER_BAN_TIME (15 * 60)
++#define GR_DAEMON_BRUTE_TIME (30 * 60)
 +
 +static int __get_dumpable(unsigned long mm_flags)
 +{
@@ -92791,10 +92792,12 @@ index 0000000..c648492
 +}
 +#endif
 +
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
++void gr_handle_brute_attach(unsigned long mm_flags)
 +{
 +#ifdef CONFIG_GRKERNSEC_BRUTE
++	struct task_struct *p = current;
 +	uid_t uid = 0;
++	int daemon = 0;
 +
 +	if (!grsec_enable_brute)
 +		return;
@@ -92802,9 +92805,11 @@ index 0000000..c648492
 +	rcu_read_lock();
 +	read_lock(&tasklist_lock);
 +	read_lock(&grsec_exec_file_lock);
-+	if (p->real_parent && p->real_parent->exec_file == p->exec_file)
++	if (p->real_parent && p->real_parent->exec_file == p->exec_file) {
++		p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
 +		p->real_parent->brute = 1;
-+	else {
++		daemon = 1;
++	} else {
 +		const struct cred *cred = __task_cred(p), *cred2;
 +		struct task_struct *tsk, *tsk2;
 +
@@ -92836,6 +92841,8 @@ index 0000000..c648492
 +
 +	if (uid)
 +		printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
++	else if (daemon)
++		gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
 +#endif
 +	return;
 +}
@@ -92843,8 +92850,14 @@ index 0000000..c648492
 +void gr_handle_brute_check(void)
 +{
 +#ifdef CONFIG_GRKERNSEC_BRUTE
-+	if (current->brute)
-+		msleep(30 * 1000);
++	struct task_struct *p = current;
++
++	if (unlikely(p->brute)) {
++		if (!grsec_enable_brute)
++			p->brute = 0;
++		else if (time_before(get_seconds(), p->brute_expires))
++			msleep(30 * 1000);
++	}
 +#endif
 +	return;
 +}
@@ -96667,10 +96680,10 @@ index 0000000..3322652
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..ac88734
+index 0000000..18863d1
 --- /dev/null
 +++ b/include/linux/grmsg.h
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -96781,9 +96794,10 @@ index 0000000..ac88734
 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
 +#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
++#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..0e2a522
+index 0000000..6e2f8bc
 --- /dev/null
 +++ b/include/linux/grsecurity.h
 @@ -0,0 +1,226 @@
@@ -96809,7 +96823,7 @@ index 0000000..0e2a522
 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
 +#endif
 +
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
++void gr_handle_brute_attach(unsigned long mm_flags);
 +void gr_handle_brute_check(void);
 +void gr_handle_kernel_exploit(void);
 +int gr_process_user_ban(void);
@@ -98401,7 +98415,7 @@ index 3392c59..a746428 100644
  #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
  /**
 diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 71849bf..903514a 100644
+index 71849bf..42936d2 100644
 --- a/include/linux/sched.h
 +++ b/include/linux/sched.h
 @@ -101,6 +101,7 @@ struct bio;
@@ -98529,7 +98543,7 @@ index 71849bf..903514a 100644
  	struct io_context *io_context;
  
  	unsigned long ptrace_message;
-@@ -1519,6 +1544,27 @@ struct task_struct {
+@@ -1519,6 +1544,28 @@ struct task_struct {
  	unsigned long default_timer_slack_ns;
  
  	struct list_head	*scm_work_list;
@@ -98546,6 +98560,7 @@ index 71849bf..903514a 100644
 +	struct acl_subject_label *acl;
 +	struct acl_role_label *role;
 +	struct file *exec_file;
++	unsigned long brute_expires;
 +	u16 acl_role_id;
 +	/* is this the task that authenticated to the special role */
 +	u8 acl_sp_role;
@@ -98557,7 +98572,7 @@ index 71849bf..903514a 100644
  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
  	/* Index of current stored adress in ret_stack */
  	int curr_ret_stack;
-@@ -1542,6 +1588,57 @@ struct task_struct {
+@@ -1542,6 +1589,57 @@ struct task_struct {
  #endif /* CONFIG_TRACING */
  };
  
@@ -98615,7 +98630,7 @@ index 71849bf..903514a 100644
  /* Future-safe accessor for struct task_struct's cpus_allowed. */
  #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
  
-@@ -1740,7 +1837,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *
+@@ -1740,7 +1838,7 @@ extern void thread_group_times(struct task_struct *p, cputime_t *ut, cputime_t *
  #define PF_DUMPCORE	0x00000200	/* dumped core */
  #define PF_SIGNALED	0x00000400	/* killed by a signal */
  #define PF_MEMALLOC	0x00000800	/* Allocating memory */
@@ -98624,7 +98639,7 @@ index 71849bf..903514a 100644
  #define PF_USED_MATH	0x00002000	/* if unset the fpu must be initialized before use */
  #define PF_FREEZING	0x00004000	/* freeze in progress. do not account to load */
  #define PF_NOFREEZE	0x00008000	/* this thread should not be frozen */
-@@ -1978,7 +2075,9 @@ void yield(void);
+@@ -1978,7 +2076,9 @@ void yield(void);
  extern struct exec_domain	default_exec_domain;
  
  union thread_union {
@@ -98634,7 +98649,7 @@ index 71849bf..903514a 100644
  	unsigned long stack[THREAD_SIZE/sizeof(long)];
  };
  
-@@ -2011,6 +2110,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2011,6 +2111,7 @@ extern struct pid_namespace init_pid_ns;
   */
  
  extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -98642,7 +98657,7 @@ index 71849bf..903514a 100644
  extern struct task_struct *find_task_by_pid_ns(pid_t nr,
  		struct pid_namespace *ns);
  
-@@ -2155,7 +2255,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2155,7 +2256,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
  extern void exit_itimers(struct signal_struct *);
  extern void flush_itimer_signals(void);
  
@@ -98651,7 +98666,7 @@ index 71849bf..903514a 100644
  
  extern void daemonize(const char *, ...);
  extern int allow_signal(int);
-@@ -2284,9 +2384,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2284,9 +2385,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
  
  #endif
  
@@ -98663,7 +98678,7 @@ index 71849bf..903514a 100644
  
  	return (obj >= stack) && (obj < (stack + THREAD_SIZE));
  }
-@@ -2616,6 +2716,23 @@ static inline unsigned long rlimit_max(unsigned int limit)
+@@ -2616,6 +2717,23 @@ static inline unsigned long rlimit_max(unsigned int limit)
  	return task_rlimit_max(current, limit);
  }
  
diff --git a/3.2.34/0000_README b/3.2.35/0000_README
index a6e67e7..d60b72b 100644
--- a/3.2.34/0000_README
+++ b/3.2.35/0000_README
@@ -54,7 +54,11 @@ Patch:	1033_linux-3.2.34.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.34
 
-Patch:	4420_grsecurity-2.9.1-3.2.34-201212041903.patch
+Patch:	1034_linux-3.2.35.patch
+From:	http://www.kernel.org
+Desc:	Linux 3.2.35
+
+Patch:	4420_grsecurity-2.9.1-3.2.35-201212071641.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.34/1021_linux-3.2.22.patch b/3.2.35/1021_linux-3.2.22.patch
index e6ad93a..e6ad93a 100644
--- a/3.2.34/1021_linux-3.2.22.patch
+++ b/3.2.35/1021_linux-3.2.22.patch
diff --git a/3.2.34/1022_linux-3.2.23.patch b/3.2.35/1022_linux-3.2.23.patch
index 3d796d0..3d796d0 100644
--- a/3.2.34/1022_linux-3.2.23.patch
+++ b/3.2.35/1022_linux-3.2.23.patch
diff --git a/3.2.34/1023_linux-3.2.24.patch b/3.2.35/1023_linux-3.2.24.patch
index 4692eb4..4692eb4 100644
--- a/3.2.34/1023_linux-3.2.24.patch
+++ b/3.2.35/1023_linux-3.2.24.patch
diff --git a/3.2.34/1024_linux-3.2.25.patch b/3.2.35/1024_linux-3.2.25.patch
index e95c213..e95c213 100644
--- a/3.2.34/1024_linux-3.2.25.patch
+++ b/3.2.35/1024_linux-3.2.25.patch
diff --git a/3.2.34/1025_linux-3.2.26.patch b/3.2.35/1025_linux-3.2.26.patch
index 44065b9..44065b9 100644
--- a/3.2.34/1025_linux-3.2.26.patch
+++ b/3.2.35/1025_linux-3.2.26.patch
diff --git a/3.2.34/1026_linux-3.2.27.patch b/3.2.35/1026_linux-3.2.27.patch
index 5878eb4..5878eb4 100644
--- a/3.2.34/1026_linux-3.2.27.patch
+++ b/3.2.35/1026_linux-3.2.27.patch
diff --git a/3.2.34/1027_linux-3.2.28.patch b/3.2.35/1027_linux-3.2.28.patch
index 4dbba4b..4dbba4b 100644
--- a/3.2.34/1027_linux-3.2.28.patch
+++ b/3.2.35/1027_linux-3.2.28.patch
diff --git a/3.2.34/1028_linux-3.2.29.patch b/3.2.35/1028_linux-3.2.29.patch
index 3c65179..3c65179 100644
--- a/3.2.34/1028_linux-3.2.29.patch
+++ b/3.2.35/1028_linux-3.2.29.patch
diff --git a/3.2.34/1029_linux-3.2.30.patch b/3.2.35/1029_linux-3.2.30.patch
index 86aea4b..86aea4b 100644
--- a/3.2.34/1029_linux-3.2.30.patch
+++ b/3.2.35/1029_linux-3.2.30.patch
diff --git a/3.2.34/1030_linux-3.2.31.patch b/3.2.35/1030_linux-3.2.31.patch
index c6accf5..c6accf5 100644
--- a/3.2.34/1030_linux-3.2.31.patch
+++ b/3.2.35/1030_linux-3.2.31.patch
diff --git a/3.2.34/1031_linux-3.2.32.patch b/3.2.35/1031_linux-3.2.32.patch
index 247fc0b..247fc0b 100644
--- a/3.2.34/1031_linux-3.2.32.patch
+++ b/3.2.35/1031_linux-3.2.32.patch
diff --git a/3.2.34/1032_linux-3.2.33.patch b/3.2.35/1032_linux-3.2.33.patch
index c32fb75..c32fb75 100644
--- a/3.2.34/1032_linux-3.2.33.patch
+++ b/3.2.35/1032_linux-3.2.33.patch
diff --git a/3.2.34/1033_linux-3.2.34.patch b/3.2.35/1033_linux-3.2.34.patch
index d647b38..d647b38 100644
--- a/3.2.34/1033_linux-3.2.34.patch
+++ b/3.2.35/1033_linux-3.2.34.patch
diff --git a/3.2.35/1034_linux-3.2.35.patch b/3.2.35/1034_linux-3.2.35.patch
new file mode 100644
index 0000000..76a9c19
--- /dev/null
+++ b/3.2.35/1034_linux-3.2.35.patch
@@ -0,0 +1,3014 @@
+diff --git a/Documentation/cgroups/memory.txt b/Documentation/cgroups/memory.txt
+index cc0ebc5..fd129f6 100644
+--- a/Documentation/cgroups/memory.txt
++++ b/Documentation/cgroups/memory.txt
+@@ -440,6 +440,10 @@ Note:
+ 5.3 swappiness
+ 
+ Similar to /proc/sys/vm/swappiness, but affecting a hierarchy of groups only.
++Please note that unlike the global swappiness, memcg knob set to 0
++really prevents from any swapping even if there is a swap storage
++available. This might lead to memcg OOM killer if there are no file
++pages to reclaim.
+ 
+ Following cgroups' swappiness can't be changed.
+ - root cgroup (uses /proc/sys/vm/swappiness).
+diff --git a/Documentation/dvb/get_dvb_firmware b/Documentation/dvb/get_dvb_firmware
+index e67be7a..48d25ea 100755
+--- a/Documentation/dvb/get_dvb_firmware
++++ b/Documentation/dvb/get_dvb_firmware
+@@ -115,7 +115,7 @@ sub tda10045 {
+ 
+ sub tda10046 {
+ 	my $sourcefile = "TT_PCI_2.19h_28_11_2006.zip";
+-	my $url = "http://www.tt-download.com/download/updates/219/$sourcefile";
++	my $url = "http://technotrend.com.ua/download/software/219/$sourcefile";
+ 	my $hash = "6a7e1e2f2644b162ff0502367553c72d";
+ 	my $outfile = "dvb-fe-tda10046.fw";
+ 	my $tmpdir = tempdir(DIR => "/tmp", CLEANUP => 1);
+diff --git a/Makefile b/Makefile
+index 14ebacf..d985af0 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 2
+-SUBLEVEL = 34
++SUBLEVEL = 35
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+ 
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 9fdc151..27bcd12 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -542,6 +542,7 @@ config ARCH_KIRKWOOD
+ 	bool "Marvell Kirkwood"
+ 	select CPU_FEROCEON
+ 	select PCI
++	select PCI_QUIRKS
+ 	select ARCH_REQUIRE_GPIOLIB
+ 	select GENERIC_CLOCKEVENTS
+ 	select PLAT_ORION
+diff --git a/arch/arm/mach-dove/include/mach/pm.h b/arch/arm/mach-dove/include/mach/pm.h
+index 3ad9f94..11799c3 100644
+--- a/arch/arm/mach-dove/include/mach/pm.h
++++ b/arch/arm/mach-dove/include/mach/pm.h
+@@ -45,7 +45,7 @@ static inline int pmu_to_irq(int pin)
+ 
+ static inline int irq_to_pmu(int irq)
+ {
+-	if (IRQ_DOVE_PMU_START < irq && irq < NR_IRQS)
++	if (IRQ_DOVE_PMU_START <= irq && irq < NR_IRQS)
+ 		return irq - IRQ_DOVE_PMU_START;
+ 
+ 	return -EINVAL;
+diff --git a/arch/arm/mach-dove/irq.c b/arch/arm/mach-dove/irq.c
+index f07fd16..9f2fd10 100644
+--- a/arch/arm/mach-dove/irq.c
++++ b/arch/arm/mach-dove/irq.c
+@@ -61,8 +61,20 @@ static void pmu_irq_ack(struct irq_data *d)
+ 	int pin = irq_to_pmu(d->irq);
+ 	u32 u;
+ 
++	/*
++	 * The PMU mask register is not RW0C: it is RW.  This means that
++	 * the bits take whatever value is written to them; if you write
++	 * a '1', you will set the interrupt.
++	 *
++	 * Unfortunately this means there is NO race free way to clear
++	 * these interrupts.
++	 *
++	 * So, let's structure the code so that the window is as small as
++	 * possible.
++	 */
+ 	u = ~(1 << (pin & 31));
+-	writel(u, PMU_INTERRUPT_CAUSE);
++	u &= readl_relaxed(PMU_INTERRUPT_CAUSE);
++	writel_relaxed(u, PMU_INTERRUPT_CAUSE);
+ }
+ 
+ static struct irq_chip pmu_irq_chip = {
+diff --git a/arch/arm/mach-kirkwood/pcie.c b/arch/arm/mach-kirkwood/pcie.c
+index 74b992d..a881c54 100644
+--- a/arch/arm/mach-kirkwood/pcie.c
++++ b/arch/arm/mach-kirkwood/pcie.c
+@@ -213,14 +213,19 @@ static int __init kirkwood_pcie_setup(int nr, struct pci_sys_data *sys)
+ 	return 1;
+ }
+ 
++/*
++ * The root complex has a hardwired class of PCI_CLASS_MEMORY_OTHER, when it
++ * is operating as a root complex this needs to be switched to
++ * PCI_CLASS_BRIDGE_HOST or Linux will errantly try to process the BAR's on
++ * the device. Decoding setup is handled by the orion code.
++ */
+ static void __devinit rc_pci_fixup(struct pci_dev *dev)
+ {
+-	/*
+-	 * Prevent enumeration of root complex.
+-	 */
+ 	if (dev->bus->parent == NULL && dev->devfn == 0) {
+ 		int i;
+ 
++		dev->class &= 0xff;
++		dev->class |= PCI_CLASS_BRIDGE_HOST << 8;
+ 		for (i = 0; i < DEVICE_COUNT_RESOURCE; i++) {
+ 			dev->resource[i].start = 0;
+ 			dev->resource[i].end   = 0;
+diff --git a/arch/m68k/include/asm/signal.h b/arch/m68k/include/asm/signal.h
+index 60e8866..93fe83e 100644
+--- a/arch/m68k/include/asm/signal.h
++++ b/arch/m68k/include/asm/signal.h
+@@ -156,7 +156,7 @@ typedef struct sigaltstack {
+ static inline void sigaddset(sigset_t *set, int _sig)
+ {
+ 	asm ("bfset %0{%1,#1}"
+-		: "+od" (*set)
++		: "+o" (*set)
+ 		: "id" ((_sig - 1) ^ 31)
+ 		: "cc");
+ }
+@@ -164,7 +164,7 @@ static inline void sigaddset(sigset_t *set, int _sig)
+ static inline void sigdelset(sigset_t *set, int _sig)
+ {
+ 	asm ("bfclr %0{%1,#1}"
+-		: "+od" (*set)
++		: "+o" (*set)
+ 		: "id" ((_sig - 1) ^ 31)
+ 		: "cc");
+ }
+@@ -180,7 +180,7 @@ static inline int __gen_sigismember(sigset_t *set, int _sig)
+ 	int ret;
+ 	asm ("bfextu %1{%2,#1},%0"
+ 		: "=d" (ret)
+-		: "od" (*set), "id" ((_sig-1) ^ 31)
++		: "o" (*set), "id" ((_sig-1) ^ 31)
+ 		: "cc");
+ 	return ret;
+ }
+diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c
+index e141324..d0ea054 100644
+--- a/arch/parisc/kernel/signal32.c
++++ b/arch/parisc/kernel/signal32.c
+@@ -67,7 +67,8 @@ put_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
+ {
+ 	compat_sigset_t s;
+ 
+-	if (sz != sizeof *set) panic("put_sigset32()");
++	if (sz != sizeof *set)
++		return -EINVAL;
+ 	sigset_64to32(&s, set);
+ 
+ 	return copy_to_user(up, &s, sizeof s);
+@@ -79,7 +80,8 @@ get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
+ 	compat_sigset_t s;
+ 	int r;
+ 
+-	if (sz != sizeof *set) panic("put_sigset32()");
++	if (sz != sizeof *set)
++		return -EINVAL;
+ 
+ 	if ((r = copy_from_user(&s, up, sz)) == 0) {
+ 		sigset_32to64(set, &s);
+diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
+index c9b9322..7ea75d1 100644
+--- a/arch/parisc/kernel/sys_parisc.c
++++ b/arch/parisc/kernel/sys_parisc.c
+@@ -73,6 +73,8 @@ static unsigned long get_shared_area(struct address_space *mapping,
+ 	struct vm_area_struct *vma;
+ 	int offset = mapping ? get_offset(mapping) : 0;
+ 
++	offset = (offset + (pgoff << PAGE_SHIFT)) & 0x3FF000;
++
+ 	addr = DCACHE_ALIGN(addr - offset) + offset;
+ 
+ 	for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
+diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h
+index 234f1d8..2e0a15b 100644
+--- a/arch/s390/include/asm/compat.h
++++ b/arch/s390/include/asm/compat.h
+@@ -20,7 +20,7 @@
+ #define PSW32_MASK_CC		0x00003000UL
+ #define PSW32_MASK_PM		0x00000f00UL
+ 
+-#define PSW32_MASK_USER		0x00003F00UL
++#define PSW32_MASK_USER		0x0000FF00UL
+ 
+ #define PSW32_ADDR_AMODE	0x80000000UL
+ #define PSW32_ADDR_INSN		0x7FFFFFFFUL
+diff --git a/arch/s390/include/asm/ptrace.h b/arch/s390/include/asm/ptrace.h
+index a658463..a5b4c48 100644
+--- a/arch/s390/include/asm/ptrace.h
++++ b/arch/s390/include/asm/ptrace.h
+@@ -240,7 +240,7 @@ typedef struct
+ #define PSW_MASK_EA		0x00000000UL
+ #define PSW_MASK_BA		0x00000000UL
+ 
+-#define PSW_MASK_USER		0x00003F00UL
++#define PSW_MASK_USER		0x0000FF00UL
+ 
+ #define PSW_ADDR_AMODE		0x80000000UL
+ #define PSW_ADDR_INSN		0x7FFFFFFFUL
+@@ -269,7 +269,7 @@ typedef struct
+ #define PSW_MASK_EA		0x0000000100000000UL
+ #define PSW_MASK_BA		0x0000000080000000UL
+ 
+-#define PSW_MASK_USER		0x00003F0180000000UL
++#define PSW_MASK_USER		0x0000FF0180000000UL
+ 
+ #define PSW_ADDR_AMODE		0x0000000000000000UL
+ #define PSW_ADDR_INSN		0xFFFFFFFFFFFFFFFFUL
+diff --git a/arch/s390/kernel/compat_signal.c b/arch/s390/kernel/compat_signal.c
+index 4f68c81..9fdd05d 100644
+--- a/arch/s390/kernel/compat_signal.c
++++ b/arch/s390/kernel/compat_signal.c
+@@ -312,6 +312,10 @@ static int restore_sigregs32(struct pt_regs *regs,_sigregs32 __user *sregs)
+ 	regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
+ 		(__u64)(regs32.psw.mask & PSW32_MASK_USER) << 32 |
+ 		(__u64)(regs32.psw.addr & PSW32_ADDR_AMODE);
++	/* Check for invalid user address space control. */
++	if ((regs->psw.mask & PSW_MASK_ASC) >= (psw_kernel_bits & PSW_MASK_ASC))
++		regs->psw.mask = (psw_user_bits & PSW_MASK_ASC) |
++			(regs->psw.mask & ~PSW_MASK_ASC);
+ 	regs->psw.addr = (__u64)(regs32.psw.addr & PSW32_ADDR_INSN);
+ 	for (i = 0; i < NUM_GPRS; i++)
+ 		regs->gprs[i] = (__u64) regs32.gprs[i];
+@@ -493,7 +497,10 @@ static int setup_frame32(int sig, struct k_sigaction *ka,
+ 
+ 	/* Set up registers for signal handler */
+ 	regs->gprs[15] = (__force __u64) frame;
+-	regs->psw.mask |= PSW_MASK_BA;		/* force amode 31 */
++	/* Force 31 bit amode and default user address space control. */
++	regs->psw.mask = PSW_MASK_BA |
++		(psw_user_bits & PSW_MASK_ASC) |
++		(regs->psw.mask & ~PSW_MASK_ASC);
+ 	regs->psw.addr = (__force __u64) ka->sa.sa_handler;
+ 
+ 	regs->gprs[2] = map_signal(sig);
+@@ -557,7 +564,10 @@ static int setup_rt_frame32(int sig, struct k_sigaction *ka, siginfo_t *info,
+ 
+ 	/* Set up registers for signal handler */
+ 	regs->gprs[15] = (__force __u64) frame;
+-	regs->psw.mask |= PSW_MASK_BA;		/* force amode 31 */
++	/* Force 31 bit amode and default user address space control. */
++	regs->psw.mask = PSW_MASK_BA |
++		(psw_user_bits & PSW_MASK_ASC) |
++		(regs->psw.mask & ~PSW_MASK_ASC);
+ 	regs->psw.addr = (__u64) ka->sa.sa_handler;
+ 
+ 	regs->gprs[2] = map_signal(sig);
+diff --git a/arch/s390/kernel/signal.c b/arch/s390/kernel/signal.c
+index 5086553..d54d475 100644
+--- a/arch/s390/kernel/signal.c
++++ b/arch/s390/kernel/signal.c
+@@ -147,6 +147,10 @@ static int restore_sigregs(struct pt_regs *regs, _sigregs __user *sregs)
+ 	/* Use regs->psw.mask instead of psw_user_bits to preserve PER bit. */
+ 	regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
+ 		(user_sregs.regs.psw.mask & PSW_MASK_USER);
++	/* Check for invalid user address space control. */
++	if ((regs->psw.mask & PSW_MASK_ASC) >= (psw_kernel_bits & PSW_MASK_ASC))
++		regs->psw.mask = (psw_user_bits & PSW_MASK_ASC) |
++			(regs->psw.mask & ~PSW_MASK_ASC);
+ 	/* Check for invalid amode */
+ 	if (regs->psw.mask & PSW_MASK_EA)
+ 		regs->psw.mask |= PSW_MASK_BA;
+@@ -293,7 +297,10 @@ static int setup_frame(int sig, struct k_sigaction *ka,
+ 
+ 	/* Set up registers for signal handler */
+ 	regs->gprs[15] = (unsigned long) frame;
+-	regs->psw.mask |= PSW_MASK_EA | PSW_MASK_BA;	/* 64 bit amode */
++	/* Force default amode and default user address space control. */
++	regs->psw.mask = PSW_MASK_EA | PSW_MASK_BA |
++		(psw_user_bits & PSW_MASK_ASC) |
++		(regs->psw.mask & ~PSW_MASK_ASC);
+ 	regs->psw.addr = (unsigned long) ka->sa.sa_handler | PSW_ADDR_AMODE;
+ 
+ 	regs->gprs[2] = map_signal(sig);
+@@ -362,7 +369,10 @@ static int setup_rt_frame(int sig, struct k_sigaction *ka, siginfo_t *info,
+ 
+ 	/* Set up registers for signal handler */
+ 	regs->gprs[15] = (unsigned long) frame;
+-	regs->psw.mask |= PSW_MASK_EA | PSW_MASK_BA;	/* 64 bit amode */
++	/* Force default amode and default user address space control. */
++	regs->psw.mask = PSW_MASK_EA | PSW_MASK_BA |
++		(psw_user_bits & PSW_MASK_ASC) |
++		(regs->psw.mask & ~PSW_MASK_ASC);
+ 	regs->psw.addr = (unsigned long) ka->sa.sa_handler | PSW_ADDR_AMODE;
+ 
+ 	regs->gprs[2] = map_signal(sig);
+diff --git a/arch/s390/mm/gup.c b/arch/s390/mm/gup.c
+index 65cb06e..4ccf9f5 100644
+--- a/arch/s390/mm/gup.c
++++ b/arch/s390/mm/gup.c
+@@ -183,7 +183,7 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
+ 	addr = start;
+ 	len = (unsigned long) nr_pages << PAGE_SHIFT;
+ 	end = start + len;
+-	if (end < start)
++	if ((end < start) || (end > TASK_SIZE))
+ 		goto slow_irqon;
+ 
+ 	/*
+diff --git a/arch/sparc/kernel/signal_64.c b/arch/sparc/kernel/signal_64.c
+index f0836cd..d58d3ed 100644
+--- a/arch/sparc/kernel/signal_64.c
++++ b/arch/sparc/kernel/signal_64.c
+@@ -307,9 +307,7 @@ void do_rt_sigreturn(struct pt_regs *regs)
+ 		err |= restore_fpu_state(regs, fpu_save);
+ 
+ 	err |= __copy_from_user(&set, &sf->mask, sizeof(sigset_t));
+-	err |= do_sigaltstack(&sf->stack, NULL, (unsigned long)sf);
+-
+-	if (err)
++	if (err || do_sigaltstack(&sf->stack, NULL, (unsigned long)sf) == -EFAULT)
+ 		goto segv;
+ 
+ 	err |= __get_user(rwin_save, &sf->rwin_save);
+diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
+index 3566454..3b96fd4 100644
+--- a/arch/x86/include/asm/ptrace.h
++++ b/arch/x86/include/asm/ptrace.h
+@@ -206,21 +206,14 @@ static inline bool user_64bit_mode(struct pt_regs *regs)
+ }
+ #endif
+ 
+-/*
+- * X86_32 CPUs don't save ss and esp if the CPU is already in kernel mode
+- * when it traps.  The previous stack will be directly underneath the saved
+- * registers, and 'sp/ss' won't even have been saved. Thus the '&regs->sp'.
+- *
+- * This is valid only for kernel mode traps.
+- */
+-static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
+-{
+ #ifdef CONFIG_X86_32
+-	return (unsigned long)(&regs->sp);
++extern unsigned long kernel_stack_pointer(struct pt_regs *regs);
+ #else
++static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
++{
+ 	return regs->sp;
+-#endif
+ }
++#endif
+ 
+ #define GET_IP(regs) ((regs)->ip)
+ #define GET_FP(regs) ((regs)->bp)
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index ff8557e..f07becc 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -587,6 +587,20 @@ static void __cpuinit init_amd(struct cpuinfo_x86 *c)
+ 		}
+ 	}
+ 
++	/*
++	 * The way access filter has a performance penalty on some workloads.
++	 * Disable it on the affected CPUs.
++	 */
++	if ((c->x86 == 0x15) &&
++	    (c->x86_model >= 0x02) && (c->x86_model < 0x20)) {
++		u64 val;
++
++		if (!rdmsrl_safe(0xc0011021, &val) && !(val & 0x1E)) {
++			val |= 0x1E;
++			checking_wrmsrl(0xc0011021, val);
++		}
++	}
++
+ 	cpu_detect_cache_sizes(c);
+ 
+ 	/* Multi core CPU? */
+diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c
+index 787e06c..ce04b58 100644
+--- a/arch/x86/kernel/cpu/mcheck/therm_throt.c
++++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c
+@@ -323,17 +323,6 @@ device_initcall(thermal_throttle_init_device);
+ 
+ #endif /* CONFIG_SYSFS */
+ 
+-/*
+- * Set up the most two significant bit to notify mce log that this thermal
+- * event type.
+- * This is a temp solution. May be changed in the future with mce log
+- * infrasture.
+- */
+-#define CORE_THROTTLED		(0)
+-#define CORE_POWER_LIMIT	((__u64)1 << 62)
+-#define PACKAGE_THROTTLED	((__u64)2 << 62)
+-#define PACKAGE_POWER_LIMIT	((__u64)3 << 62)
+-
+ static void notify_thresholds(__u64 msr_val)
+ {
+ 	/* check whether the interrupt handler is defined;
+@@ -363,27 +352,23 @@ static void intel_thermal_interrupt(void)
+ 	if (therm_throt_process(msr_val & THERM_STATUS_PROCHOT,
+ 				THERMAL_THROTTLING_EVENT,
+ 				CORE_LEVEL) != 0)
+-		mce_log_therm_throt_event(CORE_THROTTLED | msr_val);
++		mce_log_therm_throt_event(msr_val);
+ 
+ 	if (this_cpu_has(X86_FEATURE_PLN))
+-		if (therm_throt_process(msr_val & THERM_STATUS_POWER_LIMIT,
++		therm_throt_process(msr_val & THERM_STATUS_POWER_LIMIT,
+ 					POWER_LIMIT_EVENT,
+-					CORE_LEVEL) != 0)
+-			mce_log_therm_throt_event(CORE_POWER_LIMIT | msr_val);
++					CORE_LEVEL);
+ 
+ 	if (this_cpu_has(X86_FEATURE_PTS)) {
+ 		rdmsrl(MSR_IA32_PACKAGE_THERM_STATUS, msr_val);
+-		if (therm_throt_process(msr_val & PACKAGE_THERM_STATUS_PROCHOT,
++		therm_throt_process(msr_val & PACKAGE_THERM_STATUS_PROCHOT,
+ 					THERMAL_THROTTLING_EVENT,
+-					PACKAGE_LEVEL) != 0)
+-			mce_log_therm_throt_event(PACKAGE_THROTTLED | msr_val);
++					PACKAGE_LEVEL);
+ 		if (this_cpu_has(X86_FEATURE_PLN))
+-			if (therm_throt_process(msr_val &
++			therm_throt_process(msr_val &
+ 					PACKAGE_THERM_STATUS_POWER_LIMIT,
+ 					POWER_LIMIT_EVENT,
+-					PACKAGE_LEVEL) != 0)
+-				mce_log_therm_throt_event(PACKAGE_POWER_LIMIT
+-							  | msr_val);
++					PACKAGE_LEVEL);
+ 	}
+ }
+ 
+diff --git a/arch/x86/kernel/microcode_amd.c b/arch/x86/kernel/microcode_amd.c
+index ac52c15..1ef962b 100644
+--- a/arch/x86/kernel/microcode_amd.c
++++ b/arch/x86/kernel/microcode_amd.c
+@@ -163,6 +163,7 @@ static unsigned int verify_ucode_size(int cpu, const u8 *buf, unsigned int size)
+ #define F1XH_MPB_MAX_SIZE 2048
+ #define F14H_MPB_MAX_SIZE 1824
+ #define F15H_MPB_MAX_SIZE 4096
++#define F16H_MPB_MAX_SIZE 3458
+ 
+ 	switch (c->x86) {
+ 	case 0x14:
+@@ -171,6 +172,9 @@ static unsigned int verify_ucode_size(int cpu, const u8 *buf, unsigned int size)
+ 	case 0x15:
+ 		max_size = F15H_MPB_MAX_SIZE;
+ 		break;
++	case 0x16:
++		max_size = F16H_MPB_MAX_SIZE;
++		break;
+ 	default:
+ 		max_size = F1XH_MPB_MAX_SIZE;
+ 		break;
+diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
+index 8252879..2dc4121 100644
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -21,6 +21,7 @@
+ #include <linux/signal.h>
+ #include <linux/perf_event.h>
+ #include <linux/hw_breakpoint.h>
++#include <linux/module.h>
+ 
+ #include <asm/uaccess.h>
+ #include <asm/pgtable.h>
+@@ -164,6 +165,35 @@ static inline bool invalid_selector(u16 value)
+ 
+ #define FLAG_MASK		FLAG_MASK_32
+ 
++/*
++ * X86_32 CPUs don't save ss and esp if the CPU is already in kernel mode
++ * when it traps.  The previous stack will be directly underneath the saved
++ * registers, and 'sp/ss' won't even have been saved. Thus the '&regs->sp'.
++ *
++ * Now, if the stack is empty, '&regs->sp' is out of range. In this
++ * case we try to take the previous stack. To always return a non-null
++ * stack pointer we fall back to regs as stack if no previous stack
++ * exists.
++ *
++ * This is valid only for kernel mode traps.
++ */
++unsigned long kernel_stack_pointer(struct pt_regs *regs)
++{
++	unsigned long context = (unsigned long)regs & ~(THREAD_SIZE - 1);
++	unsigned long sp = (unsigned long)&regs->sp;
++	struct thread_info *tinfo;
++
++	if (context == (sp & ~(THREAD_SIZE - 1)))
++		return sp;
++
++	tinfo = (struct thread_info *)context;
++	if (tinfo->previous_esp)
++		return tinfo->previous_esp;
++
++	return (unsigned long)regs;
++}
++EXPORT_SYMBOL_GPL(kernel_stack_pointer);
++
+ static unsigned long *pt_regs_access(struct pt_regs *regs, unsigned long regno)
+ {
+ 	BUILD_BUG_ON(offsetof(struct pt_regs, bx) != 0);
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index cf0ef98..0d403aa 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -937,8 +937,21 @@ void __init setup_arch(char **cmdline_p)
+ 
+ #ifdef CONFIG_X86_64
+ 	if (max_pfn > max_low_pfn) {
+-		max_pfn_mapped = init_memory_mapping(1UL<<32,
+-						     max_pfn<<PAGE_SHIFT);
++		int i;
++		for (i = 0; i < e820.nr_map; i++) {
++			struct e820entry *ei = &e820.map[i];
++
++			if (ei->addr + ei->size <= 1UL << 32)
++				continue;
++
++			if (ei->type == E820_RESERVED)
++				continue;
++
++			max_pfn_mapped = init_memory_mapping(
++				ei->addr < 1UL << 32 ? 1UL << 32 : ei->addr,
++				ei->addr + ei->size);
++		}
++
+ 		/* can we preseve max_low_pfn ?*/
+ 		max_low_pfn = max_pfn;
+ 	}
+diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
+index 87488b9..34a7f40 100644
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -28,36 +28,50 @@ int direct_gbpages
+ #endif
+ ;
+ 
+-static void __init find_early_table_space(unsigned long end, int use_pse,
+-					  int use_gbpages)
++struct map_range {
++	unsigned long start;
++	unsigned long end;
++	unsigned page_size_mask;
++};
++
++/*
++ * First calculate space needed for kernel direct mapping page tables to cover
++ * mr[0].start to mr[nr_range - 1].end, while accounting for possible 2M and 1GB
++ * pages. Then find enough contiguous space for those page tables.
++ */
++static void __init find_early_table_space(struct map_range *mr, int nr_range)
+ {
+-	unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
++	int i;
++	unsigned long puds = 0, pmds = 0, ptes = 0, tables;
++	unsigned long start = 0, good_end;
+ 	phys_addr_t base;
+ 
+-	puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
+-	tables = roundup(puds * sizeof(pud_t), PAGE_SIZE);
++	for (i = 0; i < nr_range; i++) {
++		unsigned long range, extra;
+ 
+-	if (use_gbpages) {
+-		unsigned long extra;
++		range = mr[i].end - mr[i].start;
++		puds += (range + PUD_SIZE - 1) >> PUD_SHIFT;
+ 
+-		extra = end - ((end>>PUD_SHIFT) << PUD_SHIFT);
+-		pmds = (extra + PMD_SIZE - 1) >> PMD_SHIFT;
+-	} else
+-		pmds = (end + PMD_SIZE - 1) >> PMD_SHIFT;
+-
+-	tables += roundup(pmds * sizeof(pmd_t), PAGE_SIZE);
++		if (mr[i].page_size_mask & (1 << PG_LEVEL_1G)) {
++			extra = range - ((range >> PUD_SHIFT) << PUD_SHIFT);
++			pmds += (extra + PMD_SIZE - 1) >> PMD_SHIFT;
++		} else {
++			pmds += (range + PMD_SIZE - 1) >> PMD_SHIFT;
++		}
+ 
+-	if (use_pse) {
+-		unsigned long extra;
+-
+-		extra = end - ((end>>PMD_SHIFT) << PMD_SHIFT);
++		if (mr[i].page_size_mask & (1 << PG_LEVEL_2M)) {
++			extra = range - ((range >> PMD_SHIFT) << PMD_SHIFT);
+ #ifdef CONFIG_X86_32
+-		extra += PMD_SIZE;
++			extra += PMD_SIZE;
+ #endif
+-		ptes = (extra + PAGE_SIZE - 1) >> PAGE_SHIFT;
+-	} else
+-		ptes = (end + PAGE_SIZE - 1) >> PAGE_SHIFT;
++			ptes += (extra + PAGE_SIZE - 1) >> PAGE_SHIFT;
++		} else {
++			ptes += (range + PAGE_SIZE - 1) >> PAGE_SHIFT;
++		}
++	}
+ 
++	tables = roundup(puds * sizeof(pud_t), PAGE_SIZE);
++	tables += roundup(pmds * sizeof(pmd_t), PAGE_SIZE);
+ 	tables += roundup(ptes * sizeof(pte_t), PAGE_SIZE);
+ 
+ #ifdef CONFIG_X86_32
+@@ -75,7 +89,8 @@ static void __init find_early_table_space(unsigned long end, int use_pse,
+ 	pgt_buf_top = pgt_buf_start + (tables >> PAGE_SHIFT);
+ 
+ 	printk(KERN_DEBUG "kernel direct mapping tables up to %lx @ %lx-%lx\n",
+-		end, pgt_buf_start << PAGE_SHIFT, pgt_buf_top << PAGE_SHIFT);
++		mr[nr_range - 1].end, pgt_buf_start << PAGE_SHIFT,
++		pgt_buf_top << PAGE_SHIFT);
+ }
+ 
+ void __init native_pagetable_reserve(u64 start, u64 end)
+@@ -83,12 +98,6 @@ void __init native_pagetable_reserve(u64 start, u64 end)
+ 	memblock_x86_reserve_range(start, end, "PGTABLE");
+ }
+ 
+-struct map_range {
+-	unsigned long start;
+-	unsigned long end;
+-	unsigned page_size_mask;
+-};
+-
+ #ifdef CONFIG_X86_32
+ #define NR_RANGE_MR 3
+ #else /* CONFIG_X86_64 */
+@@ -260,7 +269,7 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
+ 	 * nodes are discovered.
+ 	 */
+ 	if (!after_bootmem)
+-		find_early_table_space(end, use_pse, use_gbpages);
++		find_early_table_space(mr, nr_range);
+ 
+ 	for (i = 0; i < nr_range; i++)
+ 		ret = kernel_physical_mapping_init(mr[i].start, mr[i].end,
+diff --git a/block/blk-exec.c b/block/blk-exec.c
+index 6053285..ac2c6e7 100644
+--- a/block/blk-exec.c
++++ b/block/blk-exec.c
+@@ -49,6 +49,7 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ 			   rq_end_io_fn *done)
+ {
+ 	int where = at_head ? ELEVATOR_INSERT_FRONT : ELEVATOR_INSERT_BACK;
++	bool is_pm_resume;
+ 
+ 	if (unlikely(blk_queue_dead(q))) {
+ 		rq->errors = -ENXIO;
+@@ -59,12 +60,18 @@ void blk_execute_rq_nowait(struct request_queue *q, struct gendisk *bd_disk,
+ 
+ 	rq->rq_disk = bd_disk;
+ 	rq->end_io = done;
++	/*
++	 * need to check this before __blk_run_queue(), because rq can
++	 * be freed before that returns.
++	 */
++	is_pm_resume = rq->cmd_type == REQ_TYPE_PM_RESUME;
++
+ 	WARN_ON(irqs_disabled());
+ 	spin_lock_irq(q->queue_lock);
+ 	__elv_add_request(q, rq, where);
+ 	__blk_run_queue(q);
+ 	/* the queue is stopped so it won't be run */
+-	if (rq->cmd_type == REQ_TYPE_PM_RESUME)
++	if (is_pm_resume)
+ 		q->request_fn(q);
+ 	spin_unlock_irq(q->queue_lock);
+ }
+diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
+index c364358..791df46 100644
+--- a/drivers/gpu/drm/i915/i915_drv.h
++++ b/drivers/gpu/drm/i915/i915_drv.h
+@@ -374,6 +374,8 @@ typedef struct drm_i915_private {
+ 	unsigned int lvds_use_ssc:1;
+ 	unsigned int display_clock_mode:1;
+ 	int lvds_ssc_freq;
++	unsigned int bios_lvds_val; /* initial [PCH_]LVDS reg val in VBIOS */
++	unsigned int lvds_val; /* used for checking LVDS channel mode */
+ 	struct {
+ 		int rate;
+ 		int lanes;
+diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c
+index 22efb08..87bb87b 100644
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -174,6 +174,28 @@ get_lvds_dvo_timing(const struct bdb_lvds_lfp_data *lvds_lfp_data,
+ 	return (struct lvds_dvo_timing *)(entry + dvo_timing_offset);
+ }
+ 
++/* get lvds_fp_timing entry
++ * this function may return NULL if the corresponding entry is invalid
++ */
++static const struct lvds_fp_timing *
++get_lvds_fp_timing(const struct bdb_header *bdb,
++		   const struct bdb_lvds_lfp_data *data,
++		   const struct bdb_lvds_lfp_data_ptrs *ptrs,
++		   int index)
++{
++	size_t data_ofs = (const u8 *)data - (const u8 *)bdb;
++	u16 data_size = ((const u16 *)data)[-1]; /* stored in header */
++	size_t ofs;
++
++	if (index >= ARRAY_SIZE(ptrs->ptr))
++		return NULL;
++	ofs = ptrs->ptr[index].fp_timing_offset;
++	if (ofs < data_ofs ||
++	    ofs + sizeof(struct lvds_fp_timing) > data_ofs + data_size)
++		return NULL;
++	return (const struct lvds_fp_timing *)((const u8 *)bdb + ofs);
++}
++
+ /* Try to find integrated panel data */
+ static void
+ parse_lfp_panel_data(struct drm_i915_private *dev_priv,
+@@ -183,6 +205,7 @@ parse_lfp_panel_data(struct drm_i915_private *dev_priv,
+ 	const struct bdb_lvds_lfp_data *lvds_lfp_data;
+ 	const struct bdb_lvds_lfp_data_ptrs *lvds_lfp_data_ptrs;
+ 	const struct lvds_dvo_timing *panel_dvo_timing;
++	const struct lvds_fp_timing *fp_timing;
+ 	struct drm_display_mode *panel_fixed_mode;
+ 	int i, downclock;
+ 
+@@ -244,6 +267,19 @@ parse_lfp_panel_data(struct drm_i915_private *dev_priv,
+ 			      "Normal Clock %dKHz, downclock %dKHz\n",
+ 			      panel_fixed_mode->clock, 10*downclock);
+ 	}
++
++	fp_timing = get_lvds_fp_timing(bdb, lvds_lfp_data,
++				       lvds_lfp_data_ptrs,
++				       lvds_options->panel_type);
++	if (fp_timing) {
++		/* check the resolution, just to be sure */
++		if (fp_timing->x_res == panel_fixed_mode->hdisplay &&
++		    fp_timing->y_res == panel_fixed_mode->vdisplay) {
++			dev_priv->bios_lvds_val = fp_timing->lvds_reg_val;
++			DRM_DEBUG_KMS("VBT initial LVDS value %x\n",
++				      dev_priv->bios_lvds_val);
++		}
++	}
+ }
+ 
+ /* Try to find sdvo panel data */
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index adac0dd..fdae61f 100644
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -356,6 +356,27 @@ static const intel_limit_t intel_limits_ironlake_display_port = {
+ 	.find_pll = intel_find_pll_ironlake_dp,
+ };
+ 
++static bool is_dual_link_lvds(struct drm_i915_private *dev_priv,
++			      unsigned int reg)
++{
++	unsigned int val;
++
++	if (dev_priv->lvds_val)
++		val = dev_priv->lvds_val;
++	else {
++		/* BIOS should set the proper LVDS register value at boot, but
++		 * in reality, it doesn't set the value when the lid is closed;
++		 * we need to check "the value to be set" in VBT when LVDS
++		 * register is uninitialized.
++		 */
++		val = I915_READ(reg);
++		if (!(val & ~LVDS_DETECTED))
++			val = dev_priv->bios_lvds_val;
++		dev_priv->lvds_val = val;
++	}
++	return (val & LVDS_CLKB_POWER_MASK) == LVDS_CLKB_POWER_UP;
++}
++
+ static const intel_limit_t *intel_ironlake_limit(struct drm_crtc *crtc,
+ 						int refclk)
+ {
+@@ -364,8 +385,7 @@ static const intel_limit_t *intel_ironlake_limit(struct drm_crtc *crtc,
+ 	const intel_limit_t *limit;
+ 
+ 	if (intel_pipe_has_type(crtc, INTEL_OUTPUT_LVDS)) {
+-		if ((I915_READ(PCH_LVDS) & LVDS_CLKB_POWER_MASK) ==
+-		    LVDS_CLKB_POWER_UP) {
++		if (is_dual_link_lvds(dev_priv, PCH_LVDS)) {
+ 			/* LVDS dual channel */
+ 			if (refclk == 100000)
+ 				limit = &intel_limits_ironlake_dual_lvds_100m;
+@@ -393,8 +413,7 @@ static const intel_limit_t *intel_g4x_limit(struct drm_crtc *crtc)
+ 	const intel_limit_t *limit;
+ 
+ 	if (intel_pipe_has_type(crtc, INTEL_OUTPUT_LVDS)) {
+-		if ((I915_READ(LVDS) & LVDS_CLKB_POWER_MASK) ==
+-		    LVDS_CLKB_POWER_UP)
++		if (is_dual_link_lvds(dev_priv, LVDS))
+ 			/* LVDS with dual channel */
+ 			limit = &intel_limits_g4x_dual_channel_lvds;
+ 		else
+@@ -531,8 +550,7 @@ intel_find_best_PLL(const intel_limit_t *limit, struct drm_crtc *crtc,
+ 		 * reliably set up different single/dual channel state, if we
+ 		 * even can.
+ 		 */
+-		if ((I915_READ(LVDS) & LVDS_CLKB_POWER_MASK) ==
+-		    LVDS_CLKB_POWER_UP)
++		if (is_dual_link_lvds(dev_priv, LVDS))
+ 			clock.p2 = limit->p2.p2_fast;
+ 		else
+ 			clock.p2 = limit->p2.p2_slow;
+diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
+index 3f4afba..9e24670 100644
+--- a/drivers/gpu/drm/i915/intel_sdvo.c
++++ b/drivers/gpu/drm/i915/intel_sdvo.c
+@@ -2264,6 +2264,18 @@ intel_sdvo_output_setup(struct intel_sdvo *intel_sdvo, uint16_t flags)
+ 	return true;
+ }
+ 
++static void intel_sdvo_output_cleanup(struct intel_sdvo *intel_sdvo)
++{
++	struct drm_device *dev = intel_sdvo->base.base.dev;
++	struct drm_connector *connector, *tmp;
++
++	list_for_each_entry_safe(connector, tmp,
++				 &dev->mode_config.connector_list, head) {
++		if (intel_attached_encoder(connector) == &intel_sdvo->base)
++			intel_sdvo_destroy(connector);
++	}
++}
++
+ static bool intel_sdvo_tv_create_property(struct intel_sdvo *intel_sdvo,
+ 					  struct intel_sdvo_connector *intel_sdvo_connector,
+ 					  int type)
+@@ -2596,7 +2608,8 @@ bool intel_sdvo_init(struct drm_device *dev, int sdvo_reg)
+ 				    intel_sdvo->caps.output_flags) != true) {
+ 		DRM_DEBUG_KMS("SDVO output failed to setup on SDVO%c\n",
+ 			      IS_SDVOB(sdvo_reg) ? 'B' : 'C');
+-		goto err;
++		/* Output_setup can leave behind connectors! */
++		goto err_output;
+ 	}
+ 
+ 	/* Only enable the hotplug irq if we need it, to work around noisy
+@@ -2609,12 +2622,12 @@ bool intel_sdvo_init(struct drm_device *dev, int sdvo_reg)
+ 
+ 	/* Set the input timing to the screen. Assume always input 0. */
+ 	if (!intel_sdvo_set_target_input(intel_sdvo))
+-		goto err;
++		goto err_output;
+ 
+ 	if (!intel_sdvo_get_input_pixel_clock_range(intel_sdvo,
+ 						    &intel_sdvo->pixel_clock_min,
+ 						    &intel_sdvo->pixel_clock_max))
+-		goto err;
++		goto err_output;
+ 
+ 	DRM_DEBUG_KMS("%s device VID/DID: %02X:%02X.%02X, "
+ 			"clock range %dMHz - %dMHz, "
+@@ -2634,6 +2647,9 @@ bool intel_sdvo_init(struct drm_device *dev, int sdvo_reg)
+ 			(SDVO_OUTPUT_TMDS1 | SDVO_OUTPUT_RGB1) ? 'Y' : 'N');
+ 	return true;
+ 
++err_output:
++	intel_sdvo_output_cleanup(intel_sdvo);
++
+ err:
+ 	drm_encoder_cleanup(&intel_encoder->base);
+ 	i2c_del_adapter(&intel_sdvo->ddc);
+diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c b/drivers/gpu/drm/radeon/atombios_encoders.c
+index 382e141..aca4755 100644
+--- a/drivers/gpu/drm/radeon/atombios_encoders.c
++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
+@@ -1386,7 +1386,7 @@ radeon_atom_encoder_dpms_dig(struct drm_encoder *encoder, int mode)
+ 			atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_SETUP, 0, 0);
+ 			atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_ENABLE, 0, 0);
+ 			/* some early dce3.2 boards have a bug in their transmitter control table */
+-			if ((rdev->family != CHIP_RV710) || (rdev->family != CHIP_RV730))
++			if ((rdev->family != CHIP_RV710) && (rdev->family != CHIP_RV730))
+ 				atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_ENABLE_OUTPUT, 0, 0);
+ 		}
+ 		if (ENCODER_MODE_IS_DP(atombios_get_encoder_mode(encoder)) && connector) {
+diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
+index ca94e23..b919b11 100644
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -1122,6 +1122,8 @@ void evergreen_mc_stop(struct radeon_device *rdev, struct evergreen_mc_save *sav
+ 					break;
+ 				udelay(1);
+ 			}
++		} else {
++			save->crtc_enabled[i] = false;
+ 		}
+ 	}
+ 
+diff --git a/drivers/gpu/drm/radeon/radeon_agp.c b/drivers/gpu/drm/radeon/radeon_agp.c
+index bd2f33e..bc6b64f 100644
+--- a/drivers/gpu/drm/radeon/radeon_agp.c
++++ b/drivers/gpu/drm/radeon/radeon_agp.c
+@@ -70,9 +70,12 @@ static struct radeon_agpmode_quirk radeon_agpmode_quirk_list[] = {
+ 	/* Intel 82830 830 Chipset Host Bridge / Mobility M6 LY Needs AGPMode 2 (fdo #17360)*/
+ 	{ PCI_VENDOR_ID_INTEL, 0x3575, PCI_VENDOR_ID_ATI, 0x4c59,
+ 		PCI_VENDOR_ID_DELL, 0x00e3, 2},
+-	/* Intel 82852/82855 host bridge / Mobility FireGL 9000 R250 Needs AGPMode 1 (lp #296617) */
++	/* Intel 82852/82855 host bridge / Mobility FireGL 9000 RV250 Needs AGPMode 1 (lp #296617) */
+ 	{ PCI_VENDOR_ID_INTEL, 0x3580, PCI_VENDOR_ID_ATI, 0x4c66,
+ 		PCI_VENDOR_ID_DELL, 0x0149, 1},
++	/* Intel 82855PM host bridge / Mobility FireGL 9000 RV250 Needs AGPMode 1 for suspend/resume */
++	{ PCI_VENDOR_ID_INTEL, 0x3340, PCI_VENDOR_ID_ATI, 0x4c66,
++		PCI_VENDOR_ID_IBM, 0x0531, 1},
+ 	/* Intel 82852/82855 host bridge / Mobility 9600 M10 RV350 Needs AGPMode 1 (deb #467460) */
+ 	{ PCI_VENDOR_ID_INTEL, 0x3580, PCI_VENDOR_ID_ATI, 0x4e50,
+ 		0x1025, 0x0061, 1},
+diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+index 727e93d..9e4313e 100644
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+@@ -708,7 +708,10 @@ int ttm_get_pages(struct list_head *pages, int flags,
+ 	/* clear the pages coming from the pool if requested */
+ 	if (flags & TTM_PAGE_FLAG_ZERO_ALLOC) {
+ 		list_for_each_entry(p, pages, lru) {
+-			clear_page(page_address(p));
++			if (PageHighMem(p))
++				clear_highpage(p);
++			else
++				clear_page(page_address(p));
+ 		}
+ 	}
+ 
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index ab75a4e..652f230 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -277,6 +277,9 @@
+ #define USB_VENDOR_ID_EZKEY		0x0518
+ #define USB_DEVICE_ID_BTC_8193		0x0002
+ 
++#define USB_VENDOR_ID_FREESCALE		0x15A2
++#define USB_DEVICE_ID_FREESCALE_MX28	0x004F
++
+ #define USB_VENDOR_ID_GAMERON		0x0810
+ #define USB_DEVICE_ID_GAMERON_DUAL_PSX_ADAPTOR	0x0001
+ #define USB_DEVICE_ID_GAMERON_DUAL_PCS_ADAPTOR	0x0002
+diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
+index afb73af..aec3fa3 100644
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -68,6 +68,7 @@ static const struct hid_blacklist {
+ 	{ USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_AXIS_295, HID_QUIRK_NOGET },
+ 	{ USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
+ 	{ USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET },
++	{ USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET },
+ 	{ USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET },
+ 	{ USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN, HID_QUIRK_NO_INIT_REPORTS },
+ 	{ USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN1, HID_QUIRK_NO_INIT_REPORTS },
+diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c
+index 5b39216..3f28290 100644
+--- a/drivers/idle/intel_idle.c
++++ b/drivers/idle/intel_idle.c
+@@ -163,6 +163,38 @@ static struct cpuidle_state snb_cstates[MWAIT_MAX_NUM_CSTATES] = {
+ 		.enter = &intel_idle },
+ };
+ 
++static struct cpuidle_state ivb_cstates[MWAIT_MAX_NUM_CSTATES] = {
++	{ /* MWAIT C0 */ },
++	{ /* MWAIT C1 */
++		.name = "C1-IVB",
++		.desc = "MWAIT 0x00",
++		.flags = CPUIDLE_FLAG_TIME_VALID,
++		.exit_latency = 1,
++		.target_residency = 1,
++		.enter = &intel_idle },
++	{ /* MWAIT C2 */
++		.name = "C3-IVB",
++		.desc = "MWAIT 0x10",
++		.flags = CPUIDLE_FLAG_TIME_VALID | CPUIDLE_FLAG_TLB_FLUSHED,
++		.exit_latency = 59,
++		.target_residency = 156,
++		.enter = &intel_idle },
++	{ /* MWAIT C3 */
++		.name = "C6-IVB",
++		.desc = "MWAIT 0x20",
++		.flags = CPUIDLE_FLAG_TIME_VALID | CPUIDLE_FLAG_TLB_FLUSHED,
++		.exit_latency = 80,
++		.target_residency = 300,
++		.enter = &intel_idle },
++	{ /* MWAIT C4 */
++		.name = "C7-IVB",
++		.desc = "MWAIT 0x30",
++		.flags = CPUIDLE_FLAG_TIME_VALID | CPUIDLE_FLAG_TLB_FLUSHED,
++		.exit_latency = 87,
++		.target_residency = 300,
++		.enter = &intel_idle },
++};
++
+ static struct cpuidle_state atom_cstates[MWAIT_MAX_NUM_CSTATES] = {
+ 	{ /* MWAIT C0 */ },
+ 	{ /* MWAIT C1 */
+@@ -386,6 +418,11 @@ static int intel_idle_probe(void)
+ 		cpuidle_state_table = snb_cstates;
+ 		break;
+ 
++	case 0x3A:	/* IVB */
++	case 0x3E:	/* IVB Xeon */
++		cpuidle_state_table = ivb_cstates;
++		break;
++
+ 	default:
+ 		pr_debug(PREFIX "does not run on family %d model %d\n",
+ 			boot_cpu_data.x86, boot_cpu_data.x86_model);
+diff --git a/drivers/input/mouse/bcm5974.c b/drivers/input/mouse/bcm5974.c
+index ec58f48..1512bd8 100644
+--- a/drivers/input/mouse/bcm5974.c
++++ b/drivers/input/mouse/bcm5974.c
+@@ -453,6 +453,9 @@ static void setup_events_to_report(struct input_dev *input_dev,
+ 	__set_bit(BTN_TOOL_QUADTAP, input_dev->keybit);
+ 	__set_bit(BTN_LEFT, input_dev->keybit);
+ 
++	if (cfg->caps & HAS_INTEGRATED_BUTTON)
++		__set_bit(INPUT_PROP_BUTTONPAD, input_dev->propbit);
++
+ 	input_set_events_per_packet(input_dev, 60);
+ }
+ 
+diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
+index d37a48e..8656441 100644
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -991,7 +991,7 @@ static int i8042_controller_init(void)
+  * Reset the controller and reset CRT to the original value set by BIOS.
+  */
+ 
+-static void i8042_controller_reset(void)
++static void i8042_controller_reset(bool force_reset)
+ {
+ 	i8042_flush();
+ 
+@@ -1016,7 +1016,7 @@ static void i8042_controller_reset(void)
+  * Reset the controller if requested.
+  */
+ 
+-	if (i8042_reset)
++	if (i8042_reset || force_reset)
+ 		i8042_controller_selftest();
+ 
+ /*
+@@ -1139,9 +1139,9 @@ static int i8042_controller_resume(bool force_reset)
+  * upsetting it.
+  */
+ 
+-static int i8042_pm_reset(struct device *dev)
++static int i8042_pm_suspend(struct device *dev)
+ {
+-	i8042_controller_reset();
++	i8042_controller_reset(true);
+ 
+ 	return 0;
+ }
+@@ -1163,13 +1163,20 @@ static int i8042_pm_thaw(struct device *dev)
+ 	return 0;
+ }
+ 
++static int i8042_pm_reset(struct device *dev)
++{
++	i8042_controller_reset(false);
++
++	return 0;
++}
++
+ static int i8042_pm_restore(struct device *dev)
+ {
+ 	return i8042_controller_resume(false);
+ }
+ 
+ static const struct dev_pm_ops i8042_pm_ops = {
+-	.suspend	= i8042_pm_reset,
++	.suspend	= i8042_pm_suspend,
+ 	.resume		= i8042_pm_resume,
+ 	.thaw		= i8042_pm_thaw,
+ 	.poweroff	= i8042_pm_reset,
+@@ -1185,7 +1192,7 @@ static const struct dev_pm_ops i8042_pm_ops = {
+ 
+ static void i8042_shutdown(struct platform_device *dev)
+ {
+-	i8042_controller_reset();
++	i8042_controller_reset(false);
+ }
+ 
+ static int __init i8042_create_kbd_port(void)
+@@ -1424,7 +1431,7 @@ static int __init i8042_probe(struct platform_device *dev)
+  out_fail:
+ 	i8042_free_aux_ports();	/* in case KBD failed but AUX not */
+ 	i8042_free_irqs();
+-	i8042_controller_reset();
++	i8042_controller_reset(false);
+ 	i8042_platform_device = NULL;
+ 
+ 	return error;
+@@ -1434,7 +1441,7 @@ static int __devexit i8042_remove(struct platform_device *dev)
+ {
+ 	i8042_unregister_ports();
+ 	i8042_free_irqs();
+-	i8042_controller_reset();
++	i8042_controller_reset(false);
+ 	i8042_platform_device = NULL;
+ 
+ 	return 0;
+diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c
+index 3913f47..492aa52 100644
+--- a/drivers/isdn/gigaset/bas-gigaset.c
++++ b/drivers/isdn/gigaset/bas-gigaset.c
+@@ -616,7 +616,13 @@ static void int_in_work(struct work_struct *work)
+ 	if (rc == 0)
+ 		/* success, resubmit interrupt read URB */
+ 		rc = usb_submit_urb(urb, GFP_ATOMIC);
+-	if (rc != 0 && rc != -ENODEV) {
++
++	switch (rc) {
++	case 0:		/* success */
++	case -ENODEV:	/* device gone */
++	case -EINVAL:	/* URB already resubmitted, or terminal badness */
++		break;
++	default:	/* failure: try to recover by resetting the device */
+ 		dev_err(cs->dev, "clear halt failed: %s\n", get_usb_rcmsg(rc));
+ 		rc = usb_lock_device_for_reset(ucs->udev, ucs->interface);
+ 		if (rc == 0) {
+@@ -2437,7 +2443,9 @@ static void gigaset_disconnect(struct usb_interface *interface)
+ }
+ 
+ /* gigaset_suspend
+- * This function is called before the USB connection is suspended.
++ * This function is called before the USB connection is suspended
++ * or before the USB device is reset.
++ * In the latter case, message == PMSG_ON.
+  */
+ static int gigaset_suspend(struct usb_interface *intf, pm_message_t message)
+ {
+@@ -2493,7 +2501,12 @@ static int gigaset_suspend(struct usb_interface *intf, pm_message_t message)
+ 	del_timer_sync(&ucs->timer_atrdy);
+ 	del_timer_sync(&ucs->timer_cmd_in);
+ 	del_timer_sync(&ucs->timer_int_in);
+-	cancel_work_sync(&ucs->int_in_wq);
++
++	/* don't try to cancel int_in_wq from within reset as it
++	 * might be the one requesting the reset
++	 */
++	if (message.event != PM_EVENT_ON)
++		cancel_work_sync(&ucs->int_in_wq);
+ 
+ 	gig_dbg(DEBUG_SUSPEND, "suspend complete");
+ 	return 0;
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 502dcf7..8953630 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -755,8 +755,14 @@ static void rq_completed(struct mapped_device *md, int rw, int run_queue)
+ 	if (!md_in_flight(md))
+ 		wake_up(&md->wait);
+ 
++	/*
++	 * Run this off this callpath, as drivers could invoke end_io while
++	 * inside their request_fn (and holding the queue lock). Calling
++	 * back into ->request_fn() could deadlock attempting to grab the
++	 * queue lock again.
++	 */
+ 	if (run_queue)
+-		blk_run_queue(md->queue);
++		blk_run_queue_async(md->queue);
+ 
+ 	/*
+ 	 * dm_put() must be at the end of this function. See the comment above
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 2887f22..145e378e 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -1801,10 +1801,10 @@ retry:
+ 			memset(bbp, 0xff, PAGE_SIZE);
+ 
+ 			for (i = 0 ; i < bb->count ; i++) {
+-				u64 internal_bb = *p++;
++				u64 internal_bb = p[i];
+ 				u64 store_bb = ((BB_OFFSET(internal_bb) << 10)
+ 						| BB_LEN(internal_bb));
+-				*bbp++ = cpu_to_le64(store_bb);
++				bbp[i] = cpu_to_le64(store_bb);
+ 			}
+ 			bb->changed = 0;
+ 			if (read_seqretry(&bb->lock, seq))
+@@ -7650,9 +7650,9 @@ int md_is_badblock(struct badblocks *bb, sector_t s, int sectors,
+ 		   sector_t *first_bad, int *bad_sectors)
+ {
+ 	int hi;
+-	int lo = 0;
++	int lo;
+ 	u64 *p = bb->page;
+-	int rv = 0;
++	int rv;
+ 	sector_t target = s + sectors;
+ 	unsigned seq;
+ 
+@@ -7667,7 +7667,8 @@ int md_is_badblock(struct badblocks *bb, sector_t s, int sectors,
+ 
+ retry:
+ 	seq = read_seqbegin(&bb->lock);
+-
++	lo = 0;
++	rv = 0;
+ 	hi = bb->count;
+ 
+ 	/* Binary search between lo and hi for 'target'
+diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
+index e585263..f38c348 100644
+--- a/drivers/mtd/devices/slram.c
++++ b/drivers/mtd/devices/slram.c
+@@ -266,7 +266,7 @@ static int parse_cmdline(char *devname, char *szstart, char *szlength)
+ 
+ 	if (*(szlength) != '+') {
+ 		devlength = simple_strtoul(szlength, &buffer, 0);
+-		devlength = handle_unit(devlength, buffer) - devstart;
++		devlength = handle_unit(devlength, buffer);
+ 		if (devlength < devstart)
+ 			goto err_out;
+ 
+diff --git a/drivers/mtd/ofpart.c b/drivers/mtd/ofpart.c
+index 64be8f0..d9127e2 100644
+--- a/drivers/mtd/ofpart.c
++++ b/drivers/mtd/ofpart.c
+@@ -121,7 +121,7 @@ static int parse_ofoldpart_partitions(struct mtd_info *master,
+ 	nr_parts = plen / sizeof(part[0]);
+ 
+ 	*pparts = kzalloc(nr_parts * sizeof(*(*pparts)), GFP_KERNEL);
+-	if (!pparts)
++	if (!*pparts)
+ 		return -ENOMEM;
+ 
+ 	names = of_get_property(dp, "partition-names", &plen);
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c
+index 4ae26a7..7720721 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_82599.c
+@@ -356,6 +356,7 @@ static enum ixgbe_media_type ixgbe_get_media_type_82599(struct ixgbe_hw *hw)
+ 	case IXGBE_DEV_ID_82599_SFP_FCOE:
+ 	case IXGBE_DEV_ID_82599_SFP_EM:
+ 	case IXGBE_DEV_ID_82599_SFP_SF2:
++	case IXGBE_DEV_ID_82599_SFP_SF_QP:
+ 	case IXGBE_DEV_ID_82599EN_SFP:
+ 		media_type = ixgbe_media_type_fiber;
+ 		break;
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+index f1365fe..2c14e85 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+@@ -3157,6 +3157,7 @@ static s32 ixgbe_device_supports_autoneg_fc(struct ixgbe_hw *hw)
+ 
+ 	switch (hw->device_id) {
+ 	case IXGBE_DEV_ID_X540T:
++	case IXGBE_DEV_ID_X540T1:
+ 		return 0;
+ 	case IXGBE_DEV_ID_82599_T3_LOM:
+ 		return 0;
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 8ef92d1..cc96a5a 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -106,6 +106,8 @@ static DEFINE_PCI_DEVICE_TABLE(ixgbe_pci_tbl) = {
+ 	{PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_SFP_SF2), board_82599 },
+ 	{PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_LS), board_82599 },
+ 	{PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599EN_SFP), board_82599 },
++	{PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_SFP_SF_QP), board_82599 },
++	{PCI_VDEVICE(INTEL, IXGBE_DEV_ID_X540T1), board_X540 },
+ 	/* required last entry */
+ 	{0, }
+ };
+@@ -7611,6 +7613,7 @@ static int __devinit ixgbe_probe(struct pci_dev *pdev,
+ 		adapter->wol = IXGBE_WUFC_MAG;
+ 		break;
+ 	case IXGBE_DEV_ID_X540T:
++	case IXGBE_DEV_ID_X540T1:
+ 		/* Check eeprom to see if it is enabled */
+ 		hw->eeprom.ops.read(hw, 0x2c, &adapter->eeprom_cap);
+ 		wol_cap = adapter->eeprom_cap & IXGBE_DEVICE_CAPS_WOL_MASK;
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+index 6c5cca8..f00d6d5 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+@@ -65,6 +65,8 @@
+ #define IXGBE_SUBDEV_ID_82599_KX4_KR_MEZZ  0x000C
+ #define IXGBE_DEV_ID_82599_LS            0x154F
+ #define IXGBE_DEV_ID_X540T               0x1528
++#define IXGBE_DEV_ID_82599_SFP_SF_QP     0x154A
++#define IXGBE_DEV_ID_X540T1              0x1560
+ 
+ /* VF Device IDs */
+ #define IXGBE_DEV_ID_82599_VF           0x10ED
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+index 0515862..858a762 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+@@ -1072,9 +1072,9 @@ brcms_c_ampdu_dotxstatus_complete(struct ampdu_info *ampdu, struct scb *scb,
+ 				    IEEE80211_TX_STAT_AMPDU_NO_BACK;
+ 				skb_pull(p, D11_PHY_HDR_LEN);
+ 				skb_pull(p, D11_TXH_LEN);
+-				wiphy_err(wiphy, "%s: BA Timeout, seq %d, in_"
+-					"transit %d\n", "AMPDU status", seq,
+-					ini->tx_in_transit);
++				BCMMSG(wiphy,
++				       "BA Timeout, seq %d, in_transit %d\n",
++				       seq, ini->tx_in_transit);
+ 				ieee80211_tx_status_irqsafe(wlc->pub->ieee_hw,
+ 							    p);
+ 			}
+diff --git a/drivers/net/wireless/mwifiex/cmdevt.c b/drivers/net/wireless/mwifiex/cmdevt.c
+index 6e0a3ea..5a25dd2 100644
+--- a/drivers/net/wireless/mwifiex/cmdevt.c
++++ b/drivers/net/wireless/mwifiex/cmdevt.c
+@@ -816,9 +816,6 @@ mwifiex_cmd_timeout_func(unsigned long function_context)
+ 		return;
+ 	}
+ 	cmd_node = adapter->curr_cmd;
+-	if (cmd_node->wait_q_enabled)
+-		adapter->cmd_wait_q.status = -ETIMEDOUT;
+-
+ 	if (cmd_node) {
+ 		adapter->dbg.timeout_cmd_id =
+ 			adapter->dbg.last_cmd_id[adapter->dbg.last_cmd_index];
+@@ -863,6 +860,14 @@ mwifiex_cmd_timeout_func(unsigned long function_context)
+ 
+ 		dev_err(adapter->dev, "ps_mode=%d ps_state=%d\n",
+ 				adapter->ps_mode, adapter->ps_state);
++
++		if (cmd_node->wait_q_enabled) {
++			adapter->cmd_wait_q.status = -ETIMEDOUT;
++			wake_up_interruptible(&adapter->cmd_wait_q.wait);
++			mwifiex_cancel_pending_ioctl(adapter);
++			/* reset cmd_sent flag to unblock new commands */
++			adapter->cmd_sent = false;
++		}
+ 	}
+ 	if (adapter->hw_status == MWIFIEX_HW_STATUS_INITIALIZING)
+ 		mwifiex_init_fw_complete(adapter);
+diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c
+index 283171b..3579a68 100644
+--- a/drivers/net/wireless/mwifiex/sdio.c
++++ b/drivers/net/wireless/mwifiex/sdio.c
+@@ -162,7 +162,6 @@ static int mwifiex_sdio_suspend(struct device *dev)
+ 	struct sdio_mmc_card *card;
+ 	struct mwifiex_adapter *adapter;
+ 	mmc_pm_flag_t pm_flag = 0;
+-	int hs_actived = 0;
+ 	int i;
+ 	int ret = 0;
+ 
+@@ -189,12 +188,14 @@ static int mwifiex_sdio_suspend(struct device *dev)
+ 	adapter = card->adapter;
+ 
+ 	/* Enable the Host Sleep */
+-	hs_actived = mwifiex_enable_hs(adapter);
+-	if (hs_actived) {
+-		pr_debug("cmd: suspend with MMC_PM_KEEP_POWER\n");
+-		ret = sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER);
++	if (!mwifiex_enable_hs(adapter)) {
++		dev_err(adapter->dev, "cmd: failed to suspend\n");
++		return -EFAULT;
+ 	}
+ 
++	dev_dbg(adapter->dev, "cmd: suspend with MMC_PM_KEEP_POWER\n");
++	ret = sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER);
++
+ 	/* Indicate device suspended */
+ 	adapter->is_suspended = true;
+ 
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+index 0302148..a99be2d0 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -307,6 +307,7 @@ static struct usb_device_id rtl8192c_usb_ids[] = {
+ 	/*=== Customer ID ===*/
+ 	/****** 8188CU ********/
+ 	{RTL_USB_DEVICE(0x050d, 0x1102, rtl92cu_hal_cfg)}, /*Belkin - Edimax*/
++	{RTL_USB_DEVICE(0x050d, 0x11f2, rtl92cu_hal_cfg)}, /*Belkin - ISY*/
+ 	{RTL_USB_DEVICE(0x06f8, 0xe033, rtl92cu_hal_cfg)}, /*Hercules - Edimax*/
+ 	{RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ 	{RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
+index 86b69f85..9d932f4 100644
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -612,7 +612,7 @@ static void pbus_size_io(struct pci_bus *bus, resource_size_t min_size,
+ 	if (children_add_size > add_size)
+ 		add_size = children_add_size;
+ 	size1 = (!realloc_head || (realloc_head && !add_size)) ? size0 :
+-		calculate_iosize(size, min_size+add_size, size1,
++		calculate_iosize(size, min_size, add_size + size1,
+ 			resource_size(b_res), 4096);
+ 	if (!size0 && !size1) {
+ 		if (b_res->start || b_res->end)
+@@ -726,7 +726,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
+ 	if (children_add_size > add_size)
+ 		add_size = children_add_size;
+ 	size1 = (!realloc_head || (realloc_head && !add_size)) ? size0 :
+-		calculate_memsize(size, min_size+add_size, 0,
++		calculate_memsize(size, min_size, add_size,
+ 				resource_size(b_res), min_align);
+ 	if (!size0 && !size1) {
+ 		if (b_res->start || b_res->end)
+diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c
+index 5717509b..8b25f9c 100644
+--- a/drivers/pci/setup-res.c
++++ b/drivers/pci/setup-res.c
+@@ -233,11 +233,12 @@ int pci_reassign_resource(struct pci_dev *dev, int resno, resource_size_t addsiz
+ 		return -EINVAL;
+ 	}
+ 
+-	new_size = resource_size(res) + addsize + min_align;
++	/* already aligned with min_align */
++	new_size = resource_size(res) + addsize;
+ 	ret = _pci_assign_resource(dev, resno, new_size, min_align);
+ 	if (!ret) {
+ 		res->flags &= ~IORESOURCE_STARTALIGN;
+-		dev_info(&dev->dev, "BAR %d: assigned %pR\n", resno, res);
++		dev_info(&dev->dev, "BAR %d: reassigned %pR\n", resno, res);
+ 		if (resno < PCI_BRIDGE_RESOURCES)
+ 			pci_update_resource(dev, resno);
+ 	}
+diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
+index 110e4af..7d47434 100644
+--- a/drivers/platform/x86/acer-wmi.c
++++ b/drivers/platform/x86/acer-wmi.c
+@@ -105,6 +105,7 @@ static const struct key_entry acer_wmi_keymap[] = {
+ 	{KE_KEY, 0x22, {KEY_PROG2} },    /* Arcade */
+ 	{KE_KEY, 0x23, {KEY_PROG3} },    /* P_Key */
+ 	{KE_KEY, 0x24, {KEY_PROG4} },    /* Social networking_Key */
++	{KE_KEY, 0x29, {KEY_PROG3} },    /* P_Key for TM8372 */
+ 	{KE_IGNORE, 0x41, {KEY_MUTE} },
+ 	{KE_IGNORE, 0x42, {KEY_PREVIOUSSONG} },
+ 	{KE_IGNORE, 0x43, {KEY_NEXTSONG} },
+diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
+index 192cb48..f3cbecc 100644
+--- a/drivers/scsi/isci/request.c
++++ b/drivers/scsi/isci/request.c
+@@ -1849,7 +1849,7 @@ sci_io_request_frame_handler(struct isci_request *ireq,
+ 								      frame_index,
+ 								      (void **)&frame_buffer);
+ 
+-			sci_controller_copy_sata_response(&ireq->stp.req,
++			sci_controller_copy_sata_response(&ireq->stp.rsp,
+ 							       frame_header,
+ 							       frame_buffer);
+ 
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 0c6fb19..7de9993 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1934,7 +1934,6 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
+ 		}
+ 		break;
+ 	case COMP_SHORT_TX:
+-		xhci_warn(xhci, "WARN: short transfer on control ep\n");
+ 		if (td->urb->transfer_flags & URB_SHORT_NOT_OK)
+ 			*status = -EREMOTEIO;
+ 		else
+@@ -2291,7 +2290,7 @@ static int handle_tx_event(struct xhci_hcd *xhci,
+ 		xhci_dbg(xhci, "Stopped on No-op or Link TRB\n");
+ 		break;
+ 	case COMP_STALL:
+-		xhci_warn(xhci, "WARN: Stalled endpoint\n");
++		xhci_dbg(xhci, "Stalled endpoint\n");
+ 		ep->ep_state |= EP_HALTED;
+ 		status = -EPIPE;
+ 		break;
+@@ -2301,11 +2300,11 @@ static int handle_tx_event(struct xhci_hcd *xhci,
+ 		break;
+ 	case COMP_SPLIT_ERR:
+ 	case COMP_TX_ERR:
+-		xhci_warn(xhci, "WARN: transfer error on endpoint\n");
++		xhci_dbg(xhci, "Transfer error on endpoint\n");
+ 		status = -EPROTO;
+ 		break;
+ 	case COMP_BABBLE:
+-		xhci_warn(xhci, "WARN: babble error on endpoint\n");
++		xhci_dbg(xhci, "Babble error on endpoint\n");
+ 		status = -EOVERFLOW;
+ 		break;
+ 	case COMP_DB_ERR:
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 5a23f4d..dab05d1 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -206,14 +206,14 @@ static int xhci_setup_msi(struct xhci_hcd *xhci)
+ 
+ 	ret = pci_enable_msi(pdev);
+ 	if (ret) {
+-		xhci_err(xhci, "failed to allocate MSI entry\n");
++		xhci_dbg(xhci, "failed to allocate MSI entry\n");
+ 		return ret;
+ 	}
+ 
+ 	ret = request_irq(pdev->irq, (irq_handler_t)xhci_msi_irq,
+ 				0, "xhci_hcd", xhci_to_hcd(xhci));
+ 	if (ret) {
+-		xhci_err(xhci, "disable MSI interrupt\n");
++		xhci_dbg(xhci, "disable MSI interrupt\n");
+ 		pci_disable_msi(pdev);
+ 	}
+ 
+@@ -276,7 +276,7 @@ static int xhci_setup_msix(struct xhci_hcd *xhci)
+ 
+ 	ret = pci_enable_msix(pdev, xhci->msix_entries, xhci->msix_count);
+ 	if (ret) {
+-		xhci_err(xhci, "Failed to enable MSI-X\n");
++		xhci_dbg(xhci, "Failed to enable MSI-X\n");
+ 		goto free_entries;
+ 	}
+ 
+@@ -292,7 +292,7 @@ static int xhci_setup_msix(struct xhci_hcd *xhci)
+ 	return ret;
+ 
+ disable_msix:
+-	xhci_err(xhci, "disable MSI-X interrupt\n");
++	xhci_dbg(xhci, "disable MSI-X interrupt\n");
+ 	xhci_free_irq(xhci);
+ 	pci_disable_msix(pdev);
+ free_entries:
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index c334670..a5f875d 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -157,6 +157,7 @@ static void option_instat_callback(struct urb *urb);
+ #define NOVATELWIRELESS_PRODUCT_EVDO_EMBEDDED_HIGHSPEED	0x8001
+ #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_FULLSPEED	0x9000
+ #define NOVATELWIRELESS_PRODUCT_HSPA_EMBEDDED_HIGHSPEED	0x9001
++#define NOVATELWIRELESS_PRODUCT_E362		0x9010
+ #define NOVATELWIRELESS_PRODUCT_G1		0xA001
+ #define NOVATELWIRELESS_PRODUCT_G1_M		0xA002
+ #define NOVATELWIRELESS_PRODUCT_G2		0xA010
+@@ -192,6 +193,9 @@ static void option_instat_callback(struct urb *urb);
+ #define DELL_PRODUCT_5730_MINICARD_TELUS	0x8181
+ #define DELL_PRODUCT_5730_MINICARD_VZW		0x8182
+ 
++#define DELL_PRODUCT_5800_MINICARD_VZW		0x8195  /* Novatel E362 */
++#define DELL_PRODUCT_5800_V2_MINICARD_VZW	0x8196  /* Novatel E362 */
++
+ #define KYOCERA_VENDOR_ID			0x0c88
+ #define KYOCERA_PRODUCT_KPC650			0x17da
+ #define KYOCERA_PRODUCT_KPC680			0x180a
+@@ -282,6 +286,7 @@ static void option_instat_callback(struct urb *urb);
+ /* ALCATEL PRODUCTS */
+ #define ALCATEL_VENDOR_ID			0x1bbb
+ #define ALCATEL_PRODUCT_X060S_X200		0x0000
++#define ALCATEL_PRODUCT_X220_X500D		0x0017
+ 
+ #define PIRELLI_VENDOR_ID			0x1266
+ #define PIRELLI_PRODUCT_C100_1			0x1002
+@@ -705,6 +710,7 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_G2) },
+ 	/* Novatel Ovation MC551 a.k.a. Verizon USB551L */
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_MC551, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_E362, 0xff, 0xff, 0xff) },
+ 
+ 	{ USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01) },
+ 	{ USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_H01A) },
+@@ -727,6 +733,8 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5730_MINICARD_SPRINT) },	/* Dell Wireless 5730 Mobile Broadband EVDO/HSPA Mini-Card */
+ 	{ USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5730_MINICARD_TELUS) },	/* Dell Wireless 5730 Mobile Broadband EVDO/HSPA Mini-Card */
+ 	{ USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5730_MINICARD_VZW) }, 	/* Dell Wireless 5730 Mobile Broadband EVDO/HSPA Mini-Card */
++	{ USB_DEVICE_AND_INTERFACE_INFO(DELL_VENDOR_ID, DELL_PRODUCT_5800_MINICARD_VZW, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(DELL_VENDOR_ID, DELL_PRODUCT_5800_V2_MINICARD_VZW, 0xff, 0xff, 0xff) },
+ 	{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) },	/* ADU-E100, ADU-310 */
+ 	{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_500A) },
+ 	{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_620UW) },
+@@ -1156,6 +1164,7 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
+ 	  .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist
+ 	},
++	{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D) },
+ 	{ USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) },
+ 	{ USB_DEVICE(TLAYTECH_VENDOR_ID, TLAYTECH_PRODUCT_TEU800) },
+ 	{ USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W14),
+diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
+index 8bea45c..e5206de 100644
+--- a/drivers/usb/serial/usb-serial.c
++++ b/drivers/usb/serial/usb-serial.c
+@@ -764,7 +764,7 @@ int usb_serial_probe(struct usb_interface *interface,
+ 
+ 		if (retval) {
+ 			dbg("sub driver rejected device");
+-			kfree(serial);
++			usb_serial_put(serial);
+ 			module_put(type->driver.owner);
+ 			return retval;
+ 		}
+@@ -836,7 +836,7 @@ int usb_serial_probe(struct usb_interface *interface,
+ 		 */
+ 		if (num_bulk_in == 0 || num_bulk_out == 0) {
+ 			dev_info(&interface->dev, "PL-2303 hack: descriptors matched but endpoints did not\n");
+-			kfree(serial);
++			usb_serial_put(serial);
+ 			module_put(type->driver.owner);
+ 			return -ENODEV;
+ 		}
+@@ -850,7 +850,7 @@ int usb_serial_probe(struct usb_interface *interface,
+ 		if (num_ports == 0) {
+ 			dev_err(&interface->dev,
+ 			    "Generic device with no bulk out, not allowed.\n");
+-			kfree(serial);
++			usb_serial_put(serial);
+ 			module_put(type->driver.owner);
+ 			return -EIO;
+ 		}
+diff --git a/drivers/watchdog/iTCO_wdt.c b/drivers/watchdog/iTCO_wdt.c
+index 99796c5..bdf401b 100644
+--- a/drivers/watchdog/iTCO_wdt.c
++++ b/drivers/watchdog/iTCO_wdt.c
+@@ -36,6 +36,7 @@
+  *	document number TBD                   : Patsburg (PBG)
+  *	document number TBD                   : DH89xxCC
+  *	document number TBD                   : Panther Point
++ *	document number TBD                   : Lynx Point
+  */
+ 
+ /*
+@@ -126,6 +127,7 @@ enum iTCO_chipsets {
+ 	TCO_PBG,	/* Patsburg */
+ 	TCO_DH89XXCC,	/* DH89xxCC */
+ 	TCO_PPT,	/* Panther Point */
++	TCO_LPT,	/* Lynx Point */
+ };
+ 
+ static struct {
+@@ -189,6 +191,7 @@ static struct {
+ 	{"Patsburg", 2},
+ 	{"DH89xxCC", 2},
+ 	{"Panther Point", 2},
++	{"Lynx Point", 2},
+ 	{NULL, 0}
+ };
+ 
+@@ -331,6 +334,38 @@ static DEFINE_PCI_DEVICE_TABLE(iTCO_wdt_pci_tbl) = {
+ 	{ PCI_VDEVICE(INTEL, 0x1e5d), TCO_PPT},
+ 	{ PCI_VDEVICE(INTEL, 0x1e5e), TCO_PPT},
+ 	{ PCI_VDEVICE(INTEL, 0x1e5f), TCO_PPT},
++	{ PCI_VDEVICE(INTEL, 0x8c40), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c41), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c42), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c43), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c44), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c45), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c46), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c47), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c48), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c49), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c4a), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c4b), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c4c), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c4d), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c4e), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c4f), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c50), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c51), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c52), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c53), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c54), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c55), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c56), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c57), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c58), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c59), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c5a), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c5b), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c5c), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c5d), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c5e), TCO_LPT},
++	{ PCI_VDEVICE(INTEL, 0x8c5f), TCO_LPT},
+ 	{ 0, },			/* End of list */
+ };
+ MODULE_DEVICE_TABLE(pci, iTCO_wdt_pci_tbl);
+diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
+index 0301be6..465e49a 100644
+--- a/fs/gfs2/lops.c
++++ b/fs/gfs2/lops.c
+@@ -165,16 +165,14 @@ static void buf_lo_add(struct gfs2_sbd *sdp, struct gfs2_log_element *le)
+ 	struct gfs2_meta_header *mh;
+ 	struct gfs2_trans *tr;
+ 
+-	lock_buffer(bd->bd_bh);
+-	gfs2_log_lock(sdp);
+ 	if (!list_empty(&bd->bd_list_tr))
+-		goto out;
++		return;
+ 	tr = current->journal_info;
+ 	tr->tr_touched = 1;
+ 	tr->tr_num_buf++;
+ 	list_add(&bd->bd_list_tr, &tr->tr_list_buf);
+ 	if (!list_empty(&le->le_list))
+-		goto out;
++		return;
+ 	set_bit(GLF_LFLUSH, &bd->bd_gl->gl_flags);
+ 	set_bit(GLF_DIRTY, &bd->bd_gl->gl_flags);
+ 	gfs2_meta_check(sdp, bd->bd_bh);
+@@ -185,9 +183,6 @@ static void buf_lo_add(struct gfs2_sbd *sdp, struct gfs2_log_element *le)
+ 	sdp->sd_log_num_buf++;
+ 	list_add(&le->le_list, &sdp->sd_log_le_buf);
+ 	tr->tr_num_buf_new++;
+-out:
+-	gfs2_log_unlock(sdp);
+-	unlock_buffer(bd->bd_bh);
+ }
+ 
+ static void buf_lo_before_commit(struct gfs2_sbd *sdp)
+@@ -518,11 +513,9 @@ static void databuf_lo_add(struct gfs2_sbd *sdp, struct gfs2_log_element *le)
+ 	struct address_space *mapping = bd->bd_bh->b_page->mapping;
+ 	struct gfs2_inode *ip = GFS2_I(mapping->host);
+ 
+-	lock_buffer(bd->bd_bh);
+-	gfs2_log_lock(sdp);
+ 	if (tr) {
+ 		if (!list_empty(&bd->bd_list_tr))
+-			goto out;
++			return;
+ 		tr->tr_touched = 1;
+ 		if (gfs2_is_jdata(ip)) {
+ 			tr->tr_num_buf++;
+@@ -530,7 +523,7 @@ static void databuf_lo_add(struct gfs2_sbd *sdp, struct gfs2_log_element *le)
+ 		}
+ 	}
+ 	if (!list_empty(&le->le_list))
+-		goto out;
++		return;
+ 
+ 	set_bit(GLF_LFLUSH, &bd->bd_gl->gl_flags);
+ 	set_bit(GLF_DIRTY, &bd->bd_gl->gl_flags);
+@@ -542,9 +535,6 @@ static void databuf_lo_add(struct gfs2_sbd *sdp, struct gfs2_log_element *le)
+ 	} else {
+ 		list_add_tail(&le->le_list, &sdp->sd_log_le_ordered);
+ 	}
+-out:
+-	gfs2_log_unlock(sdp);
+-	unlock_buffer(bd->bd_bh);
+ }
+ 
+ static void gfs2_check_magic(struct buffer_head *bh)
+diff --git a/fs/gfs2/trans.c b/fs/gfs2/trans.c
+index 86ac75d..6ab2a77 100644
+--- a/fs/gfs2/trans.c
++++ b/fs/gfs2/trans.c
+@@ -145,14 +145,22 @@ void gfs2_trans_add_bh(struct gfs2_glock *gl, struct buffer_head *bh, int meta)
+ 	struct gfs2_sbd *sdp = gl->gl_sbd;
+ 	struct gfs2_bufdata *bd;
+ 
++	lock_buffer(bh);
++	gfs2_log_lock(sdp);
+ 	bd = bh->b_private;
+ 	if (bd)
+ 		gfs2_assert(sdp, bd->bd_gl == gl);
+ 	else {
++		gfs2_log_unlock(sdp);
++		unlock_buffer(bh);
+ 		gfs2_attach_bufdata(gl, bh, meta);
+ 		bd = bh->b_private;
++		lock_buffer(bh);
++		gfs2_log_lock(sdp);
+ 	}
+ 	lops_add(sdp, &bd->bd_le);
++	gfs2_log_unlock(sdp);
++	unlock_buffer(bh);
+ }
+ 
+ void gfs2_trans_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd)
+diff --git a/fs/jbd/transaction.c b/fs/jbd/transaction.c
+index edac004..7c86b37 100644
+--- a/fs/jbd/transaction.c
++++ b/fs/jbd/transaction.c
+@@ -1957,7 +1957,9 @@ retry:
+ 			spin_unlock(&journal->j_list_lock);
+ 			jbd_unlock_bh_state(bh);
+ 			spin_unlock(&journal->j_state_lock);
++			unlock_buffer(bh);
+ 			log_wait_commit(journal, tid);
++			lock_buffer(bh);
+ 			goto retry;
+ 		}
+ 		/*
+diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c
+index 61e6723..0095a70 100644
+--- a/fs/jffs2/file.c
++++ b/fs/jffs2/file.c
+@@ -135,33 +135,39 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+ 	struct page *pg;
+ 	struct inode *inode = mapping->host;
+ 	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
++	struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
++	struct jffs2_raw_inode ri;
++	uint32_t alloc_len = 0;
+ 	pgoff_t index = pos >> PAGE_CACHE_SHIFT;
+ 	uint32_t pageofs = index << PAGE_CACHE_SHIFT;
+ 	int ret = 0;
+ 
++	D1(printk(KERN_DEBUG "%s()\n", __func__));
++
++	if (pageofs > inode->i_size) {
++		ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
++					  ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
++		if (ret)
++			return ret;
++	}
++
++	mutex_lock(&f->sem);
+ 	pg = grab_cache_page_write_begin(mapping, index, flags);
+-	if (!pg)
++	if (!pg) {
++		if (alloc_len)
++			jffs2_complete_reservation(c);
++		mutex_unlock(&f->sem);
+ 		return -ENOMEM;
++	}
+ 	*pagep = pg;
+ 
+-	D1(printk(KERN_DEBUG "jffs2_write_begin()\n"));
+-
+-	if (pageofs > inode->i_size) {
++	if (alloc_len) {
+ 		/* Make new hole frag from old EOF to new page */
+-		struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
+-		struct jffs2_raw_inode ri;
+ 		struct jffs2_full_dnode *fn;
+-		uint32_t alloc_len;
+ 
+ 		D1(printk(KERN_DEBUG "Writing new hole frag 0x%x-0x%x between current EOF and new page\n",
+ 			  (unsigned int)inode->i_size, pageofs));
+ 
+-		ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
+-					  ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
+-		if (ret)
+-			goto out_page;
+-
+-		mutex_lock(&f->sem);
+ 		memset(&ri, 0, sizeof(ri));
+ 
+ 		ri.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK);
+@@ -188,7 +194,6 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+ 		if (IS_ERR(fn)) {
+ 			ret = PTR_ERR(fn);
+ 			jffs2_complete_reservation(c);
+-			mutex_unlock(&f->sem);
+ 			goto out_page;
+ 		}
+ 		ret = jffs2_add_full_dnode_to_inode(c, f, fn);
+@@ -202,12 +207,10 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+ 			jffs2_mark_node_obsolete(c, fn->raw);
+ 			jffs2_free_full_dnode(fn);
+ 			jffs2_complete_reservation(c);
+-			mutex_unlock(&f->sem);
+ 			goto out_page;
+ 		}
+ 		jffs2_complete_reservation(c);
+ 		inode->i_size = pageofs;
+-		mutex_unlock(&f->sem);
+ 	}
+ 
+ 	/*
+@@ -216,18 +219,18 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+ 	 * case of a short-copy.
+ 	 */
+ 	if (!PageUptodate(pg)) {
+-		mutex_lock(&f->sem);
+ 		ret = jffs2_do_readpage_nolock(inode, pg);
+-		mutex_unlock(&f->sem);
+ 		if (ret)
+ 			goto out_page;
+ 	}
++	mutex_unlock(&f->sem);
+ 	D1(printk(KERN_DEBUG "end write_begin(). pg->flags %lx\n", pg->flags));
+ 	return ret;
+ 
+ out_page:
+ 	unlock_page(pg);
+ 	page_cache_release(pg);
++	mutex_unlock(&f->sem);
+ 	return ret;
+ }
+ 
+diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
+index 5809abb..fe677c0 100644
+--- a/fs/reiserfs/inode.c
++++ b/fs/reiserfs/inode.c
+@@ -1788,8 +1788,9 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
+ 
+ 	BUG_ON(!th->t_trans_id);
+ 
+-	dquot_initialize(inode);
++	reiserfs_write_unlock(inode->i_sb);
+ 	err = dquot_alloc_inode(inode);
++	reiserfs_write_lock(inode->i_sb);
+ 	if (err)
+ 		goto out_end_trans;
+ 	if (!dir->i_nlink) {
+@@ -1985,8 +1986,10 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
+ 
+       out_end_trans:
+ 	journal_end(th, th->t_super, th->t_blocks_allocated);
++	reiserfs_write_unlock(inode->i_sb);
+ 	/* Drop can be outside and it needs more credits so it's better to have it outside */
+ 	dquot_drop(inode);
++	reiserfs_write_lock(inode->i_sb);
+ 	inode->i_flags |= S_NOQUOTA;
+ 	make_bad_inode(inode);
+ 
+@@ -3109,10 +3112,9 @@ int reiserfs_setattr(struct dentry *dentry, struct iattr *attr)
+ 	/* must be turned off for recursive notify_change calls */
+ 	ia_valid = attr->ia_valid &= ~(ATTR_KILL_SUID|ATTR_KILL_SGID);
+ 
+-	depth = reiserfs_write_lock_once(inode->i_sb);
+ 	if (is_quota_modification(inode, attr))
+ 		dquot_initialize(inode);
+-
++	depth = reiserfs_write_lock_once(inode->i_sb);
+ 	if (attr->ia_valid & ATTR_SIZE) {
+ 		/* version 2 items will be caught by the s_maxbytes check
+ 		 ** done for us in vmtruncate
+@@ -3176,7 +3178,9 @@ int reiserfs_setattr(struct dentry *dentry, struct iattr *attr)
+ 		error = journal_begin(&th, inode->i_sb, jbegin_count);
+ 		if (error)
+ 			goto out;
++		reiserfs_write_unlock_once(inode->i_sb, depth);
+ 		error = dquot_transfer(inode, attr);
++		depth = reiserfs_write_lock_once(inode->i_sb);
+ 		if (error) {
+ 			journal_end(&th, inode->i_sb, jbegin_count);
+ 			goto out;
+diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
+index 313d39d..3ae9926 100644
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -1968,7 +1968,9 @@ int reiserfs_paste_into_item(struct reiserfs_transaction_handle *th, struct tree
+ 		       key2type(&(key->on_disk_key)));
+ #endif
+ 
++	reiserfs_write_unlock(inode->i_sb);
+ 	retval = dquot_alloc_space_nodirty(inode, pasted_size);
++	reiserfs_write_lock(inode->i_sb);
+ 	if (retval) {
+ 		pathrelse(search_path);
+ 		return retval;
+@@ -2061,9 +2063,11 @@ int reiserfs_insert_item(struct reiserfs_transaction_handle *th,
+ 			       "reiserquota insert_item(): allocating %u id=%u type=%c",
+ 			       quota_bytes, inode->i_uid, head2type(ih));
+ #endif
++		reiserfs_write_unlock(inode->i_sb);
+ 		/* We can't dirty inode here. It would be immediately written but
+ 		 * appropriate stat item isn't inserted yet... */
+ 		retval = dquot_alloc_space_nodirty(inode, quota_bytes);
++		reiserfs_write_lock(inode->i_sb);
+ 		if (retval) {
+ 			pathrelse(path);
+ 			return retval;
+diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
+index 5e3527b..569498a 100644
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -254,7 +254,9 @@ static int finish_unfinished(struct super_block *s)
+ 			retval = remove_save_link_only(s, &save_link_key, 0);
+ 			continue;
+ 		}
++		reiserfs_write_unlock(s);
+ 		dquot_initialize(inode);
++		reiserfs_write_lock(s);
+ 
+ 		if (truncate && S_ISDIR(inode->i_mode)) {
+ 			/* We got a truncate request for a dir which is impossible.
+@@ -1207,7 +1209,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
+ 				kfree(qf_names[i]);
+ #endif
+ 		err = -EINVAL;
+-		goto out_err;
++		goto out_unlock;
+ 	}
+ #ifdef CONFIG_QUOTA
+ 	handle_quota_files(s, qf_names, &qfmt);
+@@ -1250,7 +1252,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
+ 	if (blocks) {
+ 		err = reiserfs_resize(s, blocks);
+ 		if (err != 0)
+-			goto out_err;
++			goto out_unlock;
+ 	}
+ 
+ 	if (*mount_flags & MS_RDONLY) {
+@@ -1260,9 +1262,15 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
+ 			/* it is read-only already */
+ 			goto out_ok;
+ 
++		/*
++		 * Drop write lock. Quota will retake it when needed and lock
++		 * ordering requires calling dquot_suspend() without it.
++		 */
++		reiserfs_write_unlock(s);
+ 		err = dquot_suspend(s, -1);
+ 		if (err < 0)
+ 			goto out_err;
++		reiserfs_write_lock(s);
+ 
+ 		/* try to remount file system with read-only permissions */
+ 		if (sb_umount_state(rs) == REISERFS_VALID_FS
+@@ -1272,7 +1280,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
+ 
+ 		err = journal_begin(&th, s, 10);
+ 		if (err)
+-			goto out_err;
++			goto out_unlock;
+ 
+ 		/* Mounting a rw partition read-only. */
+ 		reiserfs_prepare_for_journal(s, SB_BUFFER_WITH_SB(s), 1);
+@@ -1287,7 +1295,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
+ 
+ 		if (reiserfs_is_journal_aborted(journal)) {
+ 			err = journal->j_errno;
+-			goto out_err;
++			goto out_unlock;
+ 		}
+ 
+ 		handle_data_mode(s, mount_options);
+@@ -1296,7 +1304,7 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
+ 		s->s_flags &= ~MS_RDONLY;	/* now it is safe to call journal_begin */
+ 		err = journal_begin(&th, s, 10);
+ 		if (err)
+-			goto out_err;
++			goto out_unlock;
+ 
+ 		/* Mount a partition which is read-only, read-write */
+ 		reiserfs_prepare_for_journal(s, SB_BUFFER_WITH_SB(s), 1);
+@@ -1313,11 +1321,17 @@ static int reiserfs_remount(struct super_block *s, int *mount_flags, char *arg)
+ 	SB_JOURNAL(s)->j_must_wait = 1;
+ 	err = journal_end(&th, s, 10);
+ 	if (err)
+-		goto out_err;
++		goto out_unlock;
+ 	s->s_dirt = 0;
+ 
+ 	if (!(*mount_flags & MS_RDONLY)) {
++		/*
++		 * Drop write lock. Quota will retake it when needed and lock
++		 * ordering requires calling dquot_resume() without it.
++		 */
++		reiserfs_write_unlock(s);
+ 		dquot_resume(s, -1);
++		reiserfs_write_lock(s);
+ 		finish_unfinished(s);
+ 		reiserfs_xattr_init(s, *mount_flags);
+ 	}
+@@ -1327,9 +1341,10 @@ out_ok:
+ 	reiserfs_write_unlock(s);
+ 	return 0;
+ 
++out_unlock:
++	reiserfs_write_unlock(s);
+ out_err:
+ 	kfree(new_opts);
+-	reiserfs_write_unlock(s);
+ 	return err;
+ }
+ 
+@@ -1953,13 +1968,15 @@ static int reiserfs_write_dquot(struct dquot *dquot)
+ 			  REISERFS_QUOTA_TRANS_BLOCKS(dquot->dq_sb));
+ 	if (ret)
+ 		goto out;
++	reiserfs_write_unlock(dquot->dq_sb);
+ 	ret = dquot_commit(dquot);
++	reiserfs_write_lock(dquot->dq_sb);
+ 	err =
+ 	    journal_end(&th, dquot->dq_sb,
+ 			REISERFS_QUOTA_TRANS_BLOCKS(dquot->dq_sb));
+ 	if (!ret && err)
+ 		ret = err;
+-      out:
++out:
+ 	reiserfs_write_unlock(dquot->dq_sb);
+ 	return ret;
+ }
+@@ -1975,13 +1992,15 @@ static int reiserfs_acquire_dquot(struct dquot *dquot)
+ 			  REISERFS_QUOTA_INIT_BLOCKS(dquot->dq_sb));
+ 	if (ret)
+ 		goto out;
++	reiserfs_write_unlock(dquot->dq_sb);
+ 	ret = dquot_acquire(dquot);
++	reiserfs_write_lock(dquot->dq_sb);
+ 	err =
+ 	    journal_end(&th, dquot->dq_sb,
+ 			REISERFS_QUOTA_INIT_BLOCKS(dquot->dq_sb));
+ 	if (!ret && err)
+ 		ret = err;
+-      out:
++out:
+ 	reiserfs_write_unlock(dquot->dq_sb);
+ 	return ret;
+ }
+@@ -1995,19 +2014,21 @@ static int reiserfs_release_dquot(struct dquot *dquot)
+ 	ret =
+ 	    journal_begin(&th, dquot->dq_sb,
+ 			  REISERFS_QUOTA_DEL_BLOCKS(dquot->dq_sb));
++	reiserfs_write_unlock(dquot->dq_sb);
+ 	if (ret) {
+ 		/* Release dquot anyway to avoid endless cycle in dqput() */
+ 		dquot_release(dquot);
+ 		goto out;
+ 	}
+ 	ret = dquot_release(dquot);
++	reiserfs_write_lock(dquot->dq_sb);
+ 	err =
+ 	    journal_end(&th, dquot->dq_sb,
+ 			REISERFS_QUOTA_DEL_BLOCKS(dquot->dq_sb));
+ 	if (!ret && err)
+ 		ret = err;
+-      out:
+ 	reiserfs_write_unlock(dquot->dq_sb);
++out:
+ 	return ret;
+ }
+ 
+@@ -2032,11 +2053,13 @@ static int reiserfs_write_info(struct super_block *sb, int type)
+ 	ret = journal_begin(&th, sb, 2);
+ 	if (ret)
+ 		goto out;
++	reiserfs_write_unlock(sb);
+ 	ret = dquot_commit_info(sb, type);
++	reiserfs_write_lock(sb);
+ 	err = journal_end(&th, sb, 2);
+ 	if (!ret && err)
+ 		ret = err;
+-      out:
++out:
+ 	reiserfs_write_unlock(sb);
+ 	return ret;
+ }
+@@ -2060,8 +2083,11 @@ static int reiserfs_quota_on(struct super_block *sb, int type, int format_id,
+ 	struct inode *inode;
+ 	struct reiserfs_transaction_handle th;
+ 
+-	if (!(REISERFS_SB(sb)->s_mount_opt & (1 << REISERFS_QUOTA)))
+-		return -EINVAL;
++	reiserfs_write_lock(sb);
++	if (!(REISERFS_SB(sb)->s_mount_opt & (1 << REISERFS_QUOTA))) {
++		err = -EINVAL;
++		goto out;
++	}
+ 
+ 	/* Quotafile not on the same filesystem? */
+ 	if (path->mnt->mnt_sb != sb) {
+@@ -2103,8 +2129,10 @@ static int reiserfs_quota_on(struct super_block *sb, int type, int format_id,
+ 		if (err)
+ 			goto out;
+ 	}
+-	err = dquot_quota_on(sb, type, format_id, path);
++	reiserfs_write_unlock(sb);
++	return dquot_quota_on(sb, type, format_id, path);
+ out:
++	reiserfs_write_unlock(sb);
+ 	return err;
+ }
+ 
+@@ -2178,7 +2206,9 @@ static ssize_t reiserfs_quota_write(struct super_block *sb, int type,
+ 		tocopy = sb->s_blocksize - offset < towrite ?
+ 		    sb->s_blocksize - offset : towrite;
+ 		tmp_bh.b_state = 0;
++		reiserfs_write_lock(sb);
+ 		err = reiserfs_get_block(inode, blk, &tmp_bh, GET_BLOCK_CREATE);
++		reiserfs_write_unlock(sb);
+ 		if (err)
+ 			goto out;
+ 		if (offset || tocopy != sb->s_blocksize)
+@@ -2194,10 +2224,12 @@ static ssize_t reiserfs_quota_write(struct super_block *sb, int type,
+ 		flush_dcache_page(bh->b_page);
+ 		set_buffer_uptodate(bh);
+ 		unlock_buffer(bh);
++		reiserfs_write_lock(sb);
+ 		reiserfs_prepare_for_journal(sb, bh, 1);
+ 		journal_mark_dirty(current->journal_info, sb, bh);
+ 		if (!journal_quota)
+ 			reiserfs_add_ordered_list(inode, bh);
++		reiserfs_write_unlock(sb);
+ 		brelse(bh);
+ 		offset = 0;
+ 		towrite -= tocopy;
+diff --git a/fs/ubifs/find.c b/fs/ubifs/find.c
+index 2559d17..5dc48ca 100644
+--- a/fs/ubifs/find.c
++++ b/fs/ubifs/find.c
+@@ -681,8 +681,16 @@ int ubifs_find_free_leb_for_idx(struct ubifs_info *c)
+ 	if (!lprops) {
+ 		lprops = ubifs_fast_find_freeable(c);
+ 		if (!lprops) {
+-			ubifs_assert(c->freeable_cnt == 0);
+-			if (c->lst.empty_lebs - c->lst.taken_empty_lebs > 0) {
++			/*
++			 * The first condition means the following: go scan the
++			 * LPT if there are uncategorized lprops, which means
++			 * there may be freeable LEBs there (UBIFS does not
++			 * store the information about freeable LEBs in the
++			 * master node).
++			 */
++			if (c->in_a_category_cnt != c->main_lebs ||
++			    c->lst.empty_lebs - c->lst.taken_empty_lebs > 0) {
++				ubifs_assert(c->freeable_cnt == 0);
+ 				lprops = scan_for_leb_for_idx(c);
+ 				if (IS_ERR(lprops)) {
+ 					err = PTR_ERR(lprops);
+diff --git a/fs/ubifs/lprops.c b/fs/ubifs/lprops.c
+index f8a181e..ea9d491 100644
+--- a/fs/ubifs/lprops.c
++++ b/fs/ubifs/lprops.c
+@@ -300,8 +300,11 @@ void ubifs_add_to_cat(struct ubifs_info *c, struct ubifs_lprops *lprops,
+ 	default:
+ 		ubifs_assert(0);
+ 	}
++
+ 	lprops->flags &= ~LPROPS_CAT_MASK;
+ 	lprops->flags |= cat;
++	c->in_a_category_cnt += 1;
++	ubifs_assert(c->in_a_category_cnt <= c->main_lebs);
+ }
+ 
+ /**
+@@ -334,6 +337,9 @@ static void ubifs_remove_from_cat(struct ubifs_info *c,
+ 	default:
+ 		ubifs_assert(0);
+ 	}
++
++	c->in_a_category_cnt -= 1;
++	ubifs_assert(c->in_a_category_cnt >= 0);
+ }
+ 
+ /**
+diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
+index 27f2255..8bbc99e 100644
+--- a/fs/ubifs/ubifs.h
++++ b/fs/ubifs/ubifs.h
+@@ -1187,6 +1187,8 @@ struct ubifs_debug_info;
+  * @freeable_list: list of freeable non-index LEBs (free + dirty == @leb_size)
+  * @frdi_idx_list: list of freeable index LEBs (free + dirty == @leb_size)
+  * @freeable_cnt: number of freeable LEBs in @freeable_list
++ * @in_a_category_cnt: count of lprops which are in a certain category, which
++ *                     basically meants that they were loaded from the flash
+  *
+  * @ltab_lnum: LEB number of LPT's own lprops table
+  * @ltab_offs: offset of LPT's own lprops table
+@@ -1416,6 +1418,7 @@ struct ubifs_info {
+ 	struct list_head freeable_list;
+ 	struct list_head frdi_idx_list;
+ 	int freeable_cnt;
++	int in_a_category_cnt;
+ 
+ 	int ltab_lnum;
+ 	int ltab_offs;
+diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
+index cf0ac05..2f5a8f7 100644
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -1167,9 +1167,14 @@ xfs_buf_bio_end_io(
+ {
+ 	xfs_buf_t		*bp = (xfs_buf_t *)bio->bi_private;
+ 
+-	xfs_buf_ioerror(bp, -error);
++	/*
++	 * don't overwrite existing errors - otherwise we can lose errors on
++	 * buffers that require multiple bios to complete.
++	 */
++	if (!bp->b_error)
++		xfs_buf_ioerror(bp, -error);
+ 
+-	if (!error && xfs_buf_is_vmapped(bp) && (bp->b_flags & XBF_READ))
++	if (!bp->b_error && xfs_buf_is_vmapped(bp) && (bp->b_flags & XBF_READ))
+ 		invalidate_kernel_vmap_range(bp->b_addr, xfs_buf_vmap_len(bp));
+ 
+ 	_xfs_buf_ioend(bp, 1);
+@@ -1245,6 +1250,11 @@ next_chunk:
+ 		if (size)
+ 			goto next_chunk;
+ 	} else {
++		/*
++		 * This is guaranteed not to be the last io reference count
++		 * because the caller (xfs_buf_iorequest) holds a count itself.
++		 */
++		atomic_dec(&bp->b_io_remaining);
+ 		xfs_buf_ioerror(bp, EIO);
+ 		bio_put(bio);
+ 	}
+diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h
+index dd2e44f..9d709d1 100644
+--- a/include/linux/ptp_clock_kernel.h
++++ b/include/linux/ptp_clock_kernel.h
+@@ -50,7 +50,8 @@ struct ptp_clock_request {
+  * clock operations
+  *
+  * @adjfreq:  Adjusts the frequency of the hardware clock.
+- *            parameter delta: Desired period change in parts per billion.
++ *            parameter delta: Desired frequency offset from nominal frequency
++ *            in parts per billion
+  *
+  * @adjtime:  Shifts the time of the hardware clock.
+  *            parameter delta: Desired change in nanoseconds.
+diff --git a/kernel/futex.c b/kernel/futex.c
+index 80fb1c6..77bccfc 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -716,7 +716,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
+ 				struct futex_pi_state **ps,
+ 				struct task_struct *task, int set_waiters)
+ {
+-	int lock_taken, ret, ownerdied = 0;
++	int lock_taken, ret, force_take = 0;
+ 	u32 uval, newval, curval, vpid = task_pid_vnr(task);
+ 
+ retry:
+@@ -755,17 +755,15 @@ retry:
+ 	newval = curval | FUTEX_WAITERS;
+ 
+ 	/*
+-	 * There are two cases, where a futex might have no owner (the
+-	 * owner TID is 0): OWNER_DIED. We take over the futex in this
+-	 * case. We also do an unconditional take over, when the owner
+-	 * of the futex died.
+-	 *
+-	 * This is safe as we are protected by the hash bucket lock !
++	 * Should we force take the futex? See below.
+ 	 */
+-	if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
+-		/* Keep the OWNER_DIED bit */
++	if (unlikely(force_take)) {
++		/*
++		 * Keep the OWNER_DIED and the WAITERS bit and set the
++		 * new TID value.
++		 */
+ 		newval = (curval & ~FUTEX_TID_MASK) | vpid;
+-		ownerdied = 0;
++		force_take = 0;
+ 		lock_taken = 1;
+ 	}
+ 
+@@ -775,7 +773,7 @@ retry:
+ 		goto retry;
+ 
+ 	/*
+-	 * We took the lock due to owner died take over.
++	 * We took the lock due to forced take over.
+ 	 */
+ 	if (unlikely(lock_taken))
+ 		return 1;
+@@ -790,20 +788,25 @@ retry:
+ 		switch (ret) {
+ 		case -ESRCH:
+ 			/*
+-			 * No owner found for this futex. Check if the
+-			 * OWNER_DIED bit is set to figure out whether
+-			 * this is a robust futex or not.
++			 * We failed to find an owner for this
++			 * futex. So we have no pi_state to block
++			 * on. This can happen in two cases:
++			 *
++			 * 1) The owner died
++			 * 2) A stale FUTEX_WAITERS bit
++			 *
++			 * Re-read the futex value.
+ 			 */
+ 			if (get_futex_value_locked(&curval, uaddr))
+ 				return -EFAULT;
+ 
+ 			/*
+-			 * We simply start over in case of a robust
+-			 * futex. The code above will take the futex
+-			 * and return happy.
++			 * If the owner died or we have a stale
++			 * WAITERS bit the owner TID in the user space
++			 * futex is 0.
+ 			 */
+-			if (curval & FUTEX_OWNER_DIED) {
+-				ownerdied = 1;
++			if (!(curval & FUTEX_TID_MASK)) {
++				force_take = 1;
+ 				goto retry;
+ 			}
+ 		default:
+@@ -840,6 +843,9 @@ static void wake_futex(struct futex_q *q)
+ {
+ 	struct task_struct *p = q->task;
+ 
++	if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
++		return;
++
+ 	/*
+ 	 * We set q->lock_ptr = NULL _before_ we wake up the task. If
+ 	 * a non-futex wake up happens on another CPU then the task
+@@ -1075,6 +1081,10 @@ retry_private:
+ 
+ 	plist_for_each_entry_safe(this, next, head, list) {
+ 		if (match_futex (&this->key, &key1)) {
++			if (this->pi_state || this->rt_waiter) {
++				ret = -EINVAL;
++				goto out_unlock;
++			}
+ 			wake_futex(this);
+ 			if (++ret >= nr_wake)
+ 				break;
+@@ -1087,6 +1097,10 @@ retry_private:
+ 		op_ret = 0;
+ 		plist_for_each_entry_safe(this, next, head, list) {
+ 			if (match_futex (&this->key, &key2)) {
++				if (this->pi_state || this->rt_waiter) {
++					ret = -EINVAL;
++					goto out_unlock;
++				}
+ 				wake_futex(this);
+ 				if (++op_ret >= nr_wake2)
+ 					break;
+@@ -1095,6 +1109,7 @@ retry_private:
+ 		ret += op_ret;
+ 	}
+ 
++out_unlock:
+ 	double_unlock_hb(hb1, hb2);
+ out_put_keys:
+ 	put_futex_key(&key2);
+@@ -1384,9 +1399,13 @@ retry_private:
+ 		/*
+ 		 * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
+ 		 * be paired with each other and no other futex ops.
++		 *
++		 * We should never be requeueing a futex_q with a pi_state,
++		 * which is awaiting a futex_unlock_pi().
+ 		 */
+ 		if ((requeue_pi && !this->rt_waiter) ||
+-		    (!requeue_pi && this->rt_waiter)) {
++		    (!requeue_pi && this->rt_waiter) ||
++		    this->pi_state) {
+ 			ret = -EINVAL;
+ 			break;
+ 		}
+diff --git a/kernel/watchdog.c b/kernel/watchdog.c
+index 1d7bca7..a8bc4d9 100644
+--- a/kernel/watchdog.c
++++ b/kernel/watchdog.c
+@@ -113,7 +113,7 @@ static unsigned long get_timestamp(int this_cpu)
+ 	return cpu_clock(this_cpu) >> 30LL;  /* 2^30 ~= 10^9 */
+ }
+ 
+-static unsigned long get_sample_period(void)
++static u64 get_sample_period(void)
+ {
+ 	/*
+ 	 * convert watchdog_thresh from seconds to ns
+@@ -121,7 +121,7 @@ static unsigned long get_sample_period(void)
+ 	 * increment before the hardlockup detector generates
+ 	 * a warning
+ 	 */
+-	return get_softlockup_thresh() * (NSEC_PER_SEC / 5);
++	return get_softlockup_thresh() * ((u64)NSEC_PER_SEC / 5);
+ }
+ 
+ /* Commands for resetting the watchdog */
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 43a19c5..d551d5f 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -2052,8 +2052,10 @@ static int rescuer_thread(void *__wq)
+ repeat:
+ 	set_current_state(TASK_INTERRUPTIBLE);
+ 
+-	if (kthread_should_stop())
++	if (kthread_should_stop()) {
++		__set_current_state(TASK_RUNNING);
+ 		return 0;
++	}
+ 
+ 	/*
+ 	 * See whether any cpu is asking for help.  Unbounded
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index c8425b1..d027a24 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -1457,17 +1457,26 @@ static int mem_cgroup_count_children(struct mem_cgroup *memcg)
+ u64 mem_cgroup_get_limit(struct mem_cgroup *memcg)
+ {
+ 	u64 limit;
+-	u64 memsw;
+ 
+ 	limit = res_counter_read_u64(&memcg->res, RES_LIMIT);
+-	limit += total_swap_pages << PAGE_SHIFT;
+ 
+-	memsw = res_counter_read_u64(&memcg->memsw, RES_LIMIT);
+ 	/*
+-	 * If memsw is finite and limits the amount of swap space available
+-	 * to this memcg, return that limit.
++	 * Do not consider swap space if we cannot swap due to swappiness
+ 	 */
+-	return min(limit, memsw);
++	if (mem_cgroup_swappiness(memcg)) {
++		u64 memsw;
++
++		limit += total_swap_pages << PAGE_SHIFT;
++		memsw = res_counter_read_u64(&memcg->memsw, RES_LIMIT);
++
++		/*
++		 * If memsw is finite and limits the amount of swap space
++		 * available to this memcg, return that limit.
++		 */
++		limit = min(limit, memsw);
++	}
++
++	return limit;
+ }
+ 
+ /*
+diff --git a/mm/memory-failure.c b/mm/memory-failure.c
+index 5bd5bb1..1b03878 100644
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1475,9 +1475,17 @@ int soft_offline_page(struct page *page, int flags)
+ {
+ 	int ret;
+ 	unsigned long pfn = page_to_pfn(page);
++	struct page *hpage = compound_trans_head(page);
+ 
+ 	if (PageHuge(page))
+ 		return soft_offline_huge_page(page, flags);
++	if (PageTransHuge(hpage)) {
++		if (PageAnon(hpage) && unlikely(split_huge_page(hpage))) {
++			pr_info("soft offline: %#lx: failed to split THP\n",
++				pfn);
++			return -EBUSY;
++		}
++	}
+ 
+ 	ret = get_any_page(page, pfn, flags);
+ 	if (ret < 0)
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 126ca35..2d46e23 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -595,7 +595,7 @@ static void shmem_evict_inode(struct inode *inode)
+ 		kfree(xattr->name);
+ 		kfree(xattr);
+ 	}
+-	BUG_ON(inode->i_blocks);
++	WARN_ON(inode->i_blocks);
+ 	shmem_free_inode(inode->i_sb);
+ 	end_writeback(inode);
+ }
+diff --git a/mm/sparse.c b/mm/sparse.c
+index bf7d3cc..42935b5 100644
+--- a/mm/sparse.c
++++ b/mm/sparse.c
+@@ -622,7 +622,7 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages)
+ {
+ 	return; /* XXX: Not implemented yet */
+ }
+-static void free_map_bootmem(struct page *page, unsigned long nr_pages)
++static void free_map_bootmem(struct page *memmap, unsigned long nr_pages)
+ {
+ }
+ #else
+@@ -663,10 +663,11 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages)
+ 			   get_order(sizeof(struct page) * nr_pages));
+ }
+ 
+-static void free_map_bootmem(struct page *page, unsigned long nr_pages)
++static void free_map_bootmem(struct page *memmap, unsigned long nr_pages)
+ {
+ 	unsigned long maps_section_nr, removing_section_nr, i;
+ 	unsigned long magic;
++	struct page *page = virt_to_page(memmap);
+ 
+ 	for (i = 0; i < nr_pages; i++, page++) {
+ 		magic = (unsigned long) page->lru.next;
+@@ -715,13 +716,10 @@ static void free_section_usemap(struct page *memmap, unsigned long *usemap)
+ 	 */
+ 
+ 	if (memmap) {
+-		struct page *memmap_page;
+-		memmap_page = virt_to_page(memmap);
+-
+ 		nr_pages = PAGE_ALIGN(PAGES_PER_SECTION * sizeof(struct page))
+ 			>> PAGE_SHIFT;
+ 
+-		free_map_bootmem(memmap_page, nr_pages);
++		free_map_bootmem(memmap, nr_pages);
+ 	}
+ }
+ 
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index 313381c..1e4ee1a 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2492,6 +2492,19 @@ unsigned long try_to_free_mem_cgroup_pages(struct mem_cgroup *mem_cont,
+ }
+ #endif
+ 
++static bool zone_balanced(struct zone *zone, int order,
++			  unsigned long balance_gap, int classzone_idx)
++{
++	if (!zone_watermark_ok_safe(zone, order, high_wmark_pages(zone) +
++				    balance_gap, classzone_idx, 0))
++		return false;
++
++	if (COMPACTION_BUILD && order && !compaction_suitable(zone, order))
++		return false;
++
++	return true;
++}
++
+ /*
+  * pgdat_balanced is used when checking if a node is balanced for high-order
+  * allocations. Only zones that meet watermarks and are in a zone allowed
+@@ -2551,8 +2564,7 @@ static bool sleeping_prematurely(pg_data_t *pgdat, int order, long remaining,
+ 			continue;
+ 		}
+ 
+-		if (!zone_watermark_ok_safe(zone, order, high_wmark_pages(zone),
+-							i, 0))
++		if (!zone_balanced(zone, order, 0, i))
+ 			all_zones_ok = false;
+ 		else
+ 			balanced += zone->present_pages;
+@@ -2655,8 +2667,7 @@ loop_again:
+ 				shrink_active_list(SWAP_CLUSTER_MAX, zone,
+ 							&sc, priority, 0);
+ 
+-			if (!zone_watermark_ok_safe(zone, order,
+-					high_wmark_pages(zone), 0, 0)) {
++			if (!zone_balanced(zone, order, 0, 0)) {
+ 				end_zone = i;
+ 				break;
+ 			} else {
+@@ -2717,9 +2728,8 @@ loop_again:
+ 				(zone->present_pages +
+ 					KSWAPD_ZONE_BALANCE_GAP_RATIO-1) /
+ 				KSWAPD_ZONE_BALANCE_GAP_RATIO);
+-			if (!zone_watermark_ok_safe(zone, order,
+-					high_wmark_pages(zone) + balance_gap,
+-					end_zone, 0)) {
++			if (!zone_balanced(zone, order,
++					   balance_gap, end_zone)) {
+ 				shrink_zone(priority, zone, &sc);
+ 
+ 				reclaim_state->reclaimed_slab = 0;
+@@ -2746,8 +2756,7 @@ loop_again:
+ 				continue;
+ 			}
+ 
+-			if (!zone_watermark_ok_safe(zone, order,
+-					high_wmark_pages(zone), end_zone, 0)) {
++			if (!zone_balanced(zone, order, 0, end_zone)) {
+ 				all_zones_ok = 0;
+ 				/*
+ 				 * We are still under min water mark.  This
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 151b773..3910c1f 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1084,6 +1084,9 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ 		op->sk = sk;
+ 		op->ifindex = ifindex;
+ 
++		/* ifindex for timeout events w/o previous frame reception */
++		op->rx_ifindex = ifindex;
++
+ 		/* initialize uninitialized (kzalloc) structure */
+ 		hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+ 		op->timer.function = bcm_rx_timeout_handler;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 480be72..2aac4ec 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2829,8 +2829,10 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
+ 		if (unlikely(tcpu != next_cpu) &&
+ 		    (tcpu == RPS_NO_CPU || !cpu_online(tcpu) ||
+ 		     ((int)(per_cpu(softnet_data, tcpu).input_queue_head -
+-		      rflow->last_qtail)) >= 0))
++		      rflow->last_qtail)) >= 0)) {
++			tcpu = next_cpu;
+ 			rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
++		}
+ 
+ 		if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {
+ 			*rflowp = rflow;
+diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
+index 277faef..0387da0 100644
+--- a/net/core/dev_addr_lists.c
++++ b/net/core/dev_addr_lists.c
+@@ -308,7 +308,8 @@ int dev_addr_del(struct net_device *dev, unsigned char *addr,
+ 	 */
+ 	ha = list_first_entry(&dev->dev_addrs.list,
+ 			      struct netdev_hw_addr, list);
+-	if (ha->addr == dev->dev_addr && ha->refcount == 1)
++	if (!memcmp(ha->addr, addr, dev->addr_len) &&
++	    ha->type == addr_type && ha->refcount == 1)
+ 		return -ENOENT;
+ 
+ 	err = __hw_addr_del(&dev->dev_addrs, addr, dev->addr_len,
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 09ff51b..0106d25 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -468,18 +468,27 @@ static int do_ip_setsockopt(struct sock *sk, int level,
+ 	struct inet_sock *inet = inet_sk(sk);
+ 	int val = 0, err;
+ 
+-	if (((1<<optname) & ((1<<IP_PKTINFO) | (1<<IP_RECVTTL) |
+-			     (1<<IP_RECVOPTS) | (1<<IP_RECVTOS) |
+-			     (1<<IP_RETOPTS) | (1<<IP_TOS) |
+-			     (1<<IP_TTL) | (1<<IP_HDRINCL) |
+-			     (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) |
+-			     (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) |
+-			     (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT) |
+-			     (1<<IP_MINTTL) | (1<<IP_NODEFRAG))) ||
+-	    optname == IP_MULTICAST_TTL ||
+-	    optname == IP_MULTICAST_ALL ||
+-	    optname == IP_MULTICAST_LOOP ||
+-	    optname == IP_RECVORIGDSTADDR) {
++	switch (optname) {
++	case IP_PKTINFO:
++	case IP_RECVTTL:
++	case IP_RECVOPTS:
++	case IP_RECVTOS:
++	case IP_RETOPTS:
++	case IP_TOS:
++	case IP_TTL:
++	case IP_HDRINCL:
++	case IP_MTU_DISCOVER:
++	case IP_RECVERR:
++	case IP_ROUTER_ALERT:
++	case IP_FREEBIND:
++	case IP_PASSSEC:
++	case IP_TRANSPARENT:
++	case IP_MINTTL:
++	case IP_NODEFRAG:
++	case IP_MULTICAST_TTL:
++	case IP_MULTICAST_ALL:
++	case IP_MULTICAST_LOOP:
++	case IP_RECVORIGDSTADDR:
+ 		if (optlen >= sizeof(int)) {
+ 			if (get_user(val, (int __user *) optval))
+ 				return -EFAULT;
+diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
+index 9290048..e32b542 100644
+--- a/net/ipv4/netfilter/nf_nat_standalone.c
++++ b/net/ipv4/netfilter/nf_nat_standalone.c
+@@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum,
+ 
+ 		if ((ct->tuplehash[dir].tuple.src.u3.ip !=
+ 		     ct->tuplehash[!dir].tuple.dst.u3.ip) ||
+-		    (ct->tuplehash[dir].tuple.src.u.all !=
++		    (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++		     ct->tuplehash[dir].tuple.src.u.all !=
+ 		     ct->tuplehash[!dir].tuple.dst.u.all)
+ 		   )
+ 			return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
+@@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum,
+ 				ret = NF_DROP;
+ 		}
+ #ifdef CONFIG_XFRM
+-		else if (ct->tuplehash[dir].tuple.dst.u.all !=
++		else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++			 ct->tuplehash[dir].tuple.dst.u.all !=
+ 			 ct->tuplehash[!dir].tuple.src.u.all)
+ 			if (ip_xfrm_me_harder(skb))
+ 				ret = NF_DROP;
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 26cb08c..b204df8 100644
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -798,6 +798,7 @@ pref_skip_coa:
+ 		if (val < 0 || val > 255)
+ 			goto e_inval;
+ 		np->min_hopcount = val;
++		retv = 0;
+ 		break;
+ 	case IPV6_DONTFRAG:
+ 		np->dontfrag = valbool;
+diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
+index 8c7364b..9e20cb8 100644
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -965,10 +965,6 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
+ 
+ 	mutex_lock(&sdata->u.ibss.mtx);
+ 
+-	sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
+-	memset(sdata->u.ibss.bssid, 0, ETH_ALEN);
+-	sdata->u.ibss.ssid_len = 0;
+-
+ 	active_ibss = ieee80211_sta_active_ibss(sdata);
+ 
+ 	if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) {
+@@ -989,6 +985,10 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
+ 		}
+ 	}
+ 
++	ifibss->state = IEEE80211_IBSS_MLME_SEARCH;
++	memset(ifibss->bssid, 0, ETH_ALEN);
++	ifibss->ssid_len = 0;
++
+ 	sta_info_flush(sdata->local, sdata);
+ 
+ 	/* remove beacon */
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index 1fdd8ff..1c775f0 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1129,6 +1129,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
+ 	struct ieee80211_local *local = sdata->local;
+ 	struct sk_buff_head pending;
+ 	int filtered = 0, buffered = 0, ac;
++	unsigned long flags;
+ 
+ 	clear_sta_flag(sta, WLAN_STA_SP);
+ 
+@@ -1144,12 +1145,16 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
+ 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ 		int count = skb_queue_len(&pending), tmp;
+ 
++		spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);
+ 		skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);
++		spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);
+ 		tmp = skb_queue_len(&pending);
+ 		filtered += tmp - count;
+ 		count = tmp;
+ 
++		spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);
+ 		skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);
++		spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);
+ 		tmp = skb_queue_len(&pending);
+ 		buffered += tmp - count;
+ 	}
+diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
+index 8235b86..57ad466 100644
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -159,21 +159,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
+  *	sCL -> sSS
+  */
+ /* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2	*/
+-/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
++/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
+ /*
+  *	sNO -> sIV	Too late and no reason to do anything
+  *	sSS -> sIV	Client can't send SYN and then SYN/ACK
+  *	sS2 -> sSR	SYN/ACK sent to SYN2 in simultaneous open
+- *	sSR -> sIG
+- *	sES -> sIG	Error: SYNs in window outside the SYN_SENT state
+- *			are errors. Receiver will reply with RST
+- *			and close the connection.
+- *			Or we are not in sync and hold a dead connection.
+- *	sFW -> sIG
+- *	sCW -> sIG
+- *	sLA -> sIG
+- *	sTW -> sIG
+- *	sCL -> sIG
++ *	sSR -> sSR	Late retransmitted SYN/ACK in simultaneous open
++ *	sES -> sIV	Invalid SYN/ACK packets sent by the client
++ *	sFW -> sIV
++ *	sCW -> sIV
++ *	sLA -> sIV
++ *	sTW -> sIV
++ *	sCL -> sIV
+  */
+ /* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2	*/
+ /*fin*/    { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
+@@ -628,15 +625,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
+ 		ack = sack = receiver->td_end;
+ 	}
+ 
+-	if (seq == end
+-	    && (!tcph->rst
+-		|| (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
++	if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
+ 		/*
+-		 * Packets contains no data: we assume it is valid
+-		 * and check the ack value only.
+-		 * However RST segments are always validated by their
+-		 * SEQ number, except when seq == 0 (reset sent answering
+-		 * SYN.
++		 * RST sent answering SYN.
+ 		 */
+ 		seq = end = sender->td_end;
+ 
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index fa39731..0b08905 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -125,9 +125,8 @@ static const struct ieee80211_regdomain world_regdom = {
+ 	.reg_rules = {
+ 		/* IEEE 802.11b/g, channels 1..11 */
+ 		REG_RULE(2412-10, 2462+10, 40, 6, 20, 0),
+-		/* IEEE 802.11b/g, channels 12..13. No HT40
+-		 * channel fits here. */
+-		REG_RULE(2467-10, 2472+10, 20, 6, 20,
++		/* IEEE 802.11b/g, channels 12..13. */
++		REG_RULE(2467-10, 2472+10, 40, 6, 20,
+ 			NL80211_RRF_PASSIVE_SCAN |
+ 			NL80211_RRF_NO_IBSS),
+ 		/* IEEE 802.11 channel 14 - Only JP enables
+diff --git a/security/device_cgroup.c b/security/device_cgroup.c
+index 4450fbe..92e24bb 100644
+--- a/security/device_cgroup.c
++++ b/security/device_cgroup.c
+@@ -202,8 +202,8 @@ static void devcgroup_destroy(struct cgroup_subsys *ss,
+ 
+ 	dev_cgroup = cgroup_to_devcgroup(cgroup);
+ 	list_for_each_entry_safe(wh, tmp, &dev_cgroup->whitelist, list) {
+-		list_del(&wh->list);
+-		kfree(wh);
++		list_del_rcu(&wh->list);
++		kfree_rcu(wh, rcu);
+ 	}
+ 	kfree(dev_cgroup);
+ }
+@@ -278,7 +278,7 @@ static int may_access_whitelist(struct dev_cgroup *c,
+ {
+ 	struct dev_whitelist_item *whitem;
+ 
+-	list_for_each_entry(whitem, &c->whitelist, list) {
++	list_for_each_entry_rcu(whitem, &c->whitelist, list) {
+ 		if (whitem->type & DEV_ALL)
+ 			return 1;
+ 		if ((refwh->type & DEV_BLOCK) && !(whitem->type & DEV_BLOCK))
+diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
+index 3bf46ab..46a5b81 100644
+--- a/security/selinux/netnode.c
++++ b/security/selinux/netnode.c
+@@ -174,7 +174,8 @@ static void sel_netnode_insert(struct sel_netnode *node)
+ 	if (sel_netnode_hash[idx].size == SEL_NETNODE_HASH_BKT_LIMIT) {
+ 		struct sel_netnode *tail;
+ 		tail = list_entry(
+-			rcu_dereference(sel_netnode_hash[idx].list.prev),
++			rcu_dereference_protected(sel_netnode_hash[idx].list.prev,
++						  lockdep_is_held(&sel_netnode_lock)),
+ 			struct sel_netnode, list);
+ 		list_del_rcu(&tail->list);
+ 		kfree_rcu(tail, rcu);
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 3ce2da2..1a09fbf 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6026,6 +6026,9 @@ static const struct hda_codec_preset snd_hda_preset_realtek[] = {
+ 	{ .id = 0x10ec0276, .name = "ALC276", .patch = patch_alc269 },
+ 	{ .id = 0x10ec0280, .name = "ALC280", .patch = patch_alc269 },
+ 	{ .id = 0x10ec0282, .name = "ALC282", .patch = patch_alc269 },
++	{ .id = 0x10ec0283, .name = "ALC283", .patch = patch_alc269 },
++	{ .id = 0x10ec0290, .name = "ALC290", .patch = patch_alc269 },
++	{ .id = 0x10ec0292, .name = "ALC292", .patch = patch_alc269 },
+ 	{ .id = 0x10ec0861, .rev = 0x100340, .name = "ALC660",
+ 	  .patch = patch_alc861 },
+ 	{ .id = 0x10ec0660, .name = "ALC660-VD", .patch = patch_alc861vd },
+diff --git a/sound/soc/codecs/wm8978.c b/sound/soc/codecs/wm8978.c
+index 41ca4d9..f81b185 100644
+--- a/sound/soc/codecs/wm8978.c
++++ b/sound/soc/codecs/wm8978.c
+@@ -749,7 +749,7 @@ static int wm8978_hw_params(struct snd_pcm_substream *substream,
+ 		wm8978->mclk_idx = -1;
+ 		f_sel = wm8978->f_mclk;
+ 	} else {
+-		if (!wm8978->f_pllout) {
++		if (!wm8978->f_opclk) {
+ 			/* We only enter here, if OPCLK is not used */
+ 			int ret = wm8978_configure_pll(codec);
+ 			if (ret < 0)
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index 0dc441c..b516488 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -3009,7 +3009,7 @@ void snd_soc_dapm_shutdown(struct snd_soc_card *card)
+ {
+ 	struct snd_soc_codec *codec;
+ 
+-	list_for_each_entry(codec, &card->codec_dev_list, list) {
++	list_for_each_entry(codec, &card->codec_dev_list, card_list) {
+ 		soc_dapm_shutdown_codec(&codec->dapm);
+ 		if (codec->dapm.bias_level == SND_SOC_BIAS_STANDBY)
+ 			snd_soc_dapm_set_bias_level(&codec->dapm,
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index c83f614..eeefbce 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -148,6 +148,7 @@ struct snd_usb_midi_out_endpoint {
+ 		struct snd_usb_midi_out_endpoint* ep;
+ 		struct snd_rawmidi_substream *substream;
+ 		int active;
++		bool autopm_reference;
+ 		uint8_t cable;		/* cable number << 4 */
+ 		uint8_t state;
+ #define STATE_UNKNOWN	0
+@@ -1076,7 +1077,8 @@ static int snd_usbmidi_output_open(struct snd_rawmidi_substream *substream)
+ 		return -ENXIO;
+ 	}
+ 	err = usb_autopm_get_interface(umidi->iface);
+-	if (err < 0)
++	port->autopm_reference = err >= 0;
++	if (err < 0 && err != -EACCES)
+ 		return -EIO;
+ 	substream->runtime->private_data = port;
+ 	port->state = STATE_UNKNOWN;
+@@ -1087,9 +1089,11 @@ static int snd_usbmidi_output_open(struct snd_rawmidi_substream *substream)
+ static int snd_usbmidi_output_close(struct snd_rawmidi_substream *substream)
+ {
+ 	struct snd_usb_midi* umidi = substream->rmidi->private_data;
++	struct usbmidi_out_port *port = substream->runtime->private_data;
+ 
+ 	substream_open(substream, 0);
+-	usb_autopm_put_interface(umidi->iface);
++	if (port->autopm_reference)
++		usb_autopm_put_interface(umidi->iface);
+ 	return 0;
+ }
+ 
diff --git a/3.2.34/4420_grsecurity-2.9.1-3.2.34-201212041903.patch b/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212071641.patch
index 3205faf..23da6f5 100644
--- a/3.2.34/4420_grsecurity-2.9.1-3.2.34-201212041903.patch
+++ b/3.2.35/4420_grsecurity-2.9.1-3.2.35-201212071641.patch
@@ -255,7 +255,7 @@ index 88fd7f5..b318a78 100644
  ==============================================================
  
 diff --git a/Makefile b/Makefile
-index 14ebacf..f7e0add 100644
+index d985af0..163e574 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -3515,32 +3515,8 @@ index 5e34ccf..672bc9c 100644
  
  	DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
  	       me->arch.unwind_section, table, end, gp);
-diff --git a/arch/parisc/kernel/signal32.c b/arch/parisc/kernel/signal32.c
-index e141324..d0ea054 100644
---- a/arch/parisc/kernel/signal32.c
-+++ b/arch/parisc/kernel/signal32.c
-@@ -67,7 +67,8 @@ put_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
- {
- 	compat_sigset_t s;
- 
--	if (sz != sizeof *set) panic("put_sigset32()");
-+	if (sz != sizeof *set)
-+		return -EINVAL;
- 	sigset_64to32(&s, set);
- 
- 	return copy_to_user(up, &s, sizeof s);
-@@ -79,7 +80,8 @@ get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz)
- 	compat_sigset_t s;
- 	int r;
- 
--	if (sz != sizeof *set) panic("put_sigset32()");
-+	if (sz != sizeof *set)
-+		return -EINVAL;
- 
- 	if ((r = copy_from_user(&s, up, sz)) == 0) {
- 		sigset_32to64(set, &s);
 diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
-index c9b9322..02d8940 100644
+index 7ea75d1..7b64ef5 100644
 --- a/arch/parisc/kernel/sys_parisc.c
 +++ b/arch/parisc/kernel/sys_parisc.c
 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(unsigned long addr, unsigned long len)
@@ -3552,7 +3528,7 @@ index c9b9322..02d8940 100644
  			return addr;
  		addr = vma->vm_end;
  	}
-@@ -79,7 +79,7 @@ static unsigned long get_shared_area(struct address_space *mapping,
+@@ -81,7 +81,7 @@ static unsigned long get_shared_area(struct address_space *mapping,
  		/* At this point:  (!vma || addr < vma->vm_end). */
  		if (TASK_SIZE - len < addr)
  			return -ENOMEM;
@@ -3561,7 +3537,7 @@ index c9b9322..02d8940 100644
  			return addr;
  		addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
  		if (addr < vma->vm_end) /* handle wraparound */
-@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -100,7 +100,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
  	if (flags & MAP_FIXED)
  		return addr;
  	if (!addr)
@@ -12116,7 +12092,7 @@ index f7c89e2..07d412d 100644
  
  /* Get/set a process' ability to use the timestamp counter instruction */
 diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
-index 3566454..4bdfb8c 100644
+index 3b96fd4..8790004 100644
 --- a/arch/x86/include/asm/ptrace.h
 +++ b/arch/x86/include/asm/ptrace.h
 @@ -156,28 +156,29 @@ static inline unsigned long regs_return_value(struct pt_regs *regs)
@@ -14234,10 +14210,10 @@ index 25f24dc..4094a7f 100644
  obj-y			+= proc.o capflags.o powerflags.o common.o
  obj-y			+= vmware.o hypervisor.o sched.o mshyperv.o
 diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index ff8557e..8b1007b 100644
+index f07becc..b17b101 100644
 --- a/arch/x86/kernel/cpu/amd.c
 +++ b/arch/x86/kernel/cpu/amd.c
-@@ -680,7 +680,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c,
+@@ -694,7 +694,7 @@ static unsigned int __cpuinit amd_size_cache(struct cpuinfo_x86 *c,
  							unsigned int size)
  {
  	/* AMD errata T13 (order #21922) */
@@ -18909,10 +18885,29 @@ index 6a364a6..b147d11 100644
  		ip = *(u64 *)(fp+8);
  		if (!in_sched_functions(ip))
 diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
-index 8252879..bc7cda1 100644
+index 2dc4121..3c2bbcd 100644
 --- a/arch/x86/kernel/ptrace.c
 +++ b/arch/x86/kernel/ptrace.c
-@@ -822,7 +822,7 @@ long arch_ptrace(struct task_struct *child, long request,
+@@ -181,14 +181,13 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs)
+ {
+ 	unsigned long context = (unsigned long)regs & ~(THREAD_SIZE - 1);
+ 	unsigned long sp = (unsigned long)&regs->sp;
+-	struct thread_info *tinfo;
+ 
+-	if (context == (sp & ~(THREAD_SIZE - 1)))
++	if (context == ((sp + 8) & ~(THREAD_SIZE - 1)))
+ 		return sp;
+ 
+-	tinfo = (struct thread_info *)context;
+-	if (tinfo->previous_esp)
+-		return tinfo->previous_esp;
++	sp = *(unsigned long *)context;
++	if (sp)
++		return sp;
+ 
+ 	return (unsigned long)regs;
+ }
+@@ -852,7 +851,7 @@ long arch_ptrace(struct task_struct *child, long request,
  		 unsigned long addr, unsigned long data)
  {
  	int ret;
@@ -18921,7 +18916,7 @@ index 8252879..bc7cda1 100644
  
  	switch (request) {
  	/* read the word at location addr in the USER area. */
-@@ -907,14 +907,14 @@ long arch_ptrace(struct task_struct *child, long request,
+@@ -937,14 +936,14 @@ long arch_ptrace(struct task_struct *child, long request,
  		if ((int) addr < 0)
  			return -EIO;
  		ret = do_get_thread_area(child, addr,
@@ -18938,7 +18933,7 @@ index 8252879..bc7cda1 100644
  		break;
  #endif
  
-@@ -1331,7 +1331,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
+@@ -1361,7 +1360,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
  	memset(info, 0, sizeof(*info));
  	info->si_signo = SIGTRAP;
  	info->si_code = si_code;
@@ -18947,7 +18942,7 @@ index 8252879..bc7cda1 100644
  }
  
  void user_single_step_siginfo(struct task_struct *tsk,
-@@ -1360,6 +1360,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
+@@ -1390,6 +1389,10 @@ void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs,
  # define IS_IA32	0
  #endif
  
@@ -18958,7 +18953,7 @@ index 8252879..bc7cda1 100644
  /*
   * We must return the syscall number to actually look up in the table.
   * This can be -1L to skip running any syscall at all.
-@@ -1368,6 +1372,11 @@ long syscall_trace_enter(struct pt_regs *regs)
+@@ -1398,6 +1401,11 @@ long syscall_trace_enter(struct pt_regs *regs)
  {
  	long ret = 0;
  
@@ -18970,7 +18965,7 @@ index 8252879..bc7cda1 100644
  	/*
  	 * If we stepped into a sysenter/syscall insn, it trapped in
  	 * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP.
-@@ -1413,6 +1422,11 @@ void syscall_trace_leave(struct pt_regs *regs)
+@@ -1443,6 +1451,11 @@ void syscall_trace_leave(struct pt_regs *regs)
  {
  	bool step;
  
@@ -19180,7 +19175,7 @@ index 7a6f3b3..bed145d7 100644
  
  1:
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index cf0ef98..e3f780b 100644
+index 0d403aa..42a31fa 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -447,7 +447,7 @@ static void __init parse_setup_data(void)
@@ -24891,7 +24886,7 @@ index df7d12c..abafe9e 100644
  	}
  	if (mm->get_unmapped_area == arch_get_unmapped_area)
 diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
-index 87488b9..ec24280 100644
+index 34a7f40..579f383 100644
 --- a/arch/x86/mm/init.c
 +++ b/arch/x86/mm/init.c
 @@ -3,6 +3,7 @@
@@ -24911,16 +24906,16 @@ index 87488b9..ec24280 100644
  
  unsigned long __initdata pgt_buf_start;
  unsigned long __meminitdata pgt_buf_end;
-@@ -31,7 +34,7 @@ int direct_gbpages
- static void __init find_early_table_space(unsigned long end, int use_pse,
- 					  int use_gbpages)
+@@ -43,7 +46,7 @@ static void __init find_early_table_space(struct map_range *mr, int nr_range)
  {
--	unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
-+	unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
+ 	int i;
+ 	unsigned long puds = 0, pmds = 0, ptes = 0, tables;
+-	unsigned long start = 0, good_end;
++	unsigned long start = 0x100000, good_end;
  	phys_addr_t base;
  
- 	puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
-@@ -310,10 +313,40 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
+ 	for (i = 0; i < nr_range; i++) {
+@@ -319,10 +322,40 @@ unsigned long __init_refok init_memory_mapping(unsigned long start,
   * Access has to be given to non-kernel-ram areas as well, these contain the PCI
   * mmio resources as well as potential bios/acpi data regions.
   */
@@ -24962,7 +24957,7 @@ index 87488b9..ec24280 100644
  	if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
  		return 0;
  	if (!page_is_ram(pagenr))
-@@ -370,8 +403,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
+@@ -379,8 +412,117 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
  #endif
  }
  
@@ -31310,7 +31305,7 @@ index ca67338..0003ba7 100644
  	return can_switch;
  }
 diff --git a/drivers/gpu/drm/i915/i915_drv.h b/drivers/gpu/drm/i915/i915_drv.h
-index c364358..317c8de 100644
+index 791df46..88fc1f9 100644
 --- a/drivers/gpu/drm/i915/i915_drv.h
 +++ b/drivers/gpu/drm/i915/i915_drv.h
 @@ -229,7 +229,7 @@ struct drm_i915_display_funcs {
@@ -31331,7 +31326,7 @@ index c364358..317c8de 100644
  
  	/* protects the irq masks */
  	spinlock_t irq_lock;
-@@ -894,7 +894,7 @@ struct drm_i915_gem_object {
+@@ -896,7 +896,7 @@ struct drm_i915_gem_object {
  	 * will be page flipped away on the next vblank.  When it
  	 * reaches 0, dev_priv->pending_flip_queue will be woken up.
  	 */
@@ -31340,7 +31335,7 @@ index c364358..317c8de 100644
  };
  
  #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
-@@ -1271,7 +1271,7 @@ extern int intel_setup_gmbus(struct drm_device *dev);
+@@ -1273,7 +1273,7 @@ extern int intel_setup_gmbus(struct drm_device *dev);
  extern void intel_teardown_gmbus(struct drm_device *dev);
  extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
  extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
@@ -31424,10 +31419,10 @@ index 2812d7b..c35ade7 100644
  	INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
  	INIT_WORK(&dev_priv->error_work, i915_error_work_func);
 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index adac0dd..bb551dd 100644
+index fdae61f..6aecf8b 100644
 --- a/drivers/gpu/drm/i915/intel_display.c
 +++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -2196,7 +2196,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
+@@ -2214,7 +2214,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
  
  	wait_event(dev_priv->pending_flip_queue,
  		   atomic_read(&dev_priv->mm.wedged) ||
@@ -31436,7 +31431,7 @@ index adac0dd..bb551dd 100644
  
  	/* Big Hammer, we also need to ensure that any pending
  	 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
-@@ -6971,8 +6971,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
+@@ -6989,8 +6989,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
  
  	obj = work->old_fb_obj;
  
@@ -31446,7 +31441,7 @@ index adac0dd..bb551dd 100644
  
  	wake_up(&dev_priv->pending_flip_queue);
  	schedule_work(&work->work);
-@@ -7167,7 +7166,13 @@ static int intel_gen6_queue_flip(struct drm_device *dev,
+@@ -7185,7 +7184,13 @@ static int intel_gen6_queue_flip(struct drm_device *dev,
  	OUT_RING(fb->pitch | obj->tiling_mode);
  	OUT_RING(obj->gtt_offset);
  
@@ -31461,7 +31456,7 @@ index adac0dd..bb551dd 100644
  	pipesrc = I915_READ(PIPESRC(intel_crtc->pipe)) & 0x0fff0fff;
  	OUT_RING(pf | pipesrc);
  	ADVANCE_LP_RING();
-@@ -7299,7 +7304,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+@@ -7317,7 +7322,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
  	/* Block clients from rendering to the new back buffer until
  	 * the flip occurs and the object is no longer visible.
  	 */
@@ -31470,7 +31465,7 @@ index adac0dd..bb551dd 100644
  
  	ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
  	if (ret)
-@@ -7313,7 +7318,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+@@ -7331,7 +7336,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
  	return 0;
  
  cleanup_pending:
@@ -31953,7 +31948,7 @@ index a9049ed..501f284 100644
  		if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
  			rdev->pm.k8_bandwidth.full)
 diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
-index 727e93d..1565650 100644
+index 9e4313e..46fad36 100644
 --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
 +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
 @@ -398,9 +398,9 @@ static int ttm_pool_get_num_unused_pages(void)
@@ -34301,7 +34296,7 @@ index 237571a..fb6d19b 100644
  	pmd->bl_info.value_type.inc = data_block_inc;
  	pmd->bl_info.value_type.dec = data_block_dec;
 diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 502dcf7..27f0a1e 100644
+index 8953630..29b12d9 100644
 --- a/drivers/md/dm.c
 +++ b/drivers/md/dm.c
 @@ -177,9 +177,9 @@ struct mapped_device {
@@ -34316,7 +34311,7 @@ index 502dcf7..27f0a1e 100644
  	struct list_head uevent_list;
  	spinlock_t uevent_lock; /* Protect access to uevent_list */
  
-@@ -1865,8 +1865,8 @@ static struct mapped_device *alloc_dev(int minor)
+@@ -1871,8 +1871,8 @@ static struct mapped_device *alloc_dev(int minor)
  	rwlock_init(&md->map_lock);
  	atomic_set(&md->holders, 1);
  	atomic_set(&md->open_count, 0);
@@ -34327,7 +34322,7 @@ index 502dcf7..27f0a1e 100644
  	INIT_LIST_HEAD(&md->uevent_list);
  	spin_lock_init(&md->uevent_lock);
  
-@@ -2000,7 +2000,7 @@ static void event_callback(void *context)
+@@ -2006,7 +2006,7 @@ static void event_callback(void *context)
  
  	dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
  
@@ -34336,7 +34331,7 @@ index 502dcf7..27f0a1e 100644
  	wake_up(&md->eventq);
  }
  
-@@ -2642,18 +2642,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -2648,18 +2648,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
  
  uint32_t dm_next_uevent_seq(struct mapped_device *md)
  {
@@ -34359,7 +34354,7 @@ index 502dcf7..27f0a1e 100644
  
  void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
 diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 2887f22..1c9aaa4 100644
+index 145e378e..f65704c 100644
 --- a/drivers/md/md.c
 +++ b/drivers/md/md.c
 @@ -278,10 +278,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
@@ -36051,10 +36046,10 @@ index d7ed58f..64cde36 100644
  	u32 timeout;
  	u32 usec_delay;
 diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
-index 6c5cca8..de8ef63 100644
+index f00d6d5..81dcf1d 100644
 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
 +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
-@@ -2708,6 +2708,7 @@ struct ixgbe_eeprom_operations {
+@@ -2710,6 +2710,7 @@ struct ixgbe_eeprom_operations {
  	s32 (*update_checksum)(struct ixgbe_hw *);
  	u16 (*calc_checksum)(struct ixgbe_hw *);
  };
@@ -36062,7 +36057,7 @@ index 6c5cca8..de8ef63 100644
  
  struct ixgbe_mac_operations {
  	s32 (*init_hw)(struct ixgbe_hw *);
-@@ -2769,6 +2770,7 @@ struct ixgbe_mac_operations {
+@@ -2771,6 +2772,7 @@ struct ixgbe_mac_operations {
  	/* Manageability interface */
  	s32 (*set_fw_drv_ver)(struct ixgbe_hw *, u8, u8, u8, u8);
  };
@@ -36070,7 +36065,7 @@ index 6c5cca8..de8ef63 100644
  
  struct ixgbe_phy_operations {
  	s32 (*identify)(struct ixgbe_hw *);
-@@ -2788,9 +2790,10 @@ struct ixgbe_phy_operations {
+@@ -2790,9 +2792,10 @@ struct ixgbe_phy_operations {
  	s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
  	s32 (*check_overtemp)(struct ixgbe_hw *);
  };
@@ -36082,7 +36077,7 @@ index 6c5cca8..de8ef63 100644
  	enum ixgbe_eeprom_type          type;
  	u32                             semaphore_delay;
  	u16                             word_size;
-@@ -2800,7 +2803,7 @@ struct ixgbe_eeprom_info {
+@@ -2802,7 +2805,7 @@ struct ixgbe_eeprom_info {
  
  #define IXGBE_FLAGS_DOUBLE_RESET_REQUIRED	0x01
  struct ixgbe_mac_info {
@@ -36091,7 +36086,7 @@ index 6c5cca8..de8ef63 100644
  	enum ixgbe_mac_type             type;
  	u8                              addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
  	u8                              perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
-@@ -2828,7 +2831,7 @@ struct ixgbe_mac_info {
+@@ -2830,7 +2833,7 @@ struct ixgbe_mac_info {
  };
  
  struct ixgbe_phy_info {
@@ -36100,7 +36095,7 @@ index 6c5cca8..de8ef63 100644
  	struct mdio_if_info		mdio;
  	enum ixgbe_phy_type             type;
  	u32                             id;
-@@ -2856,6 +2859,7 @@ struct ixgbe_mbx_operations {
+@@ -2858,6 +2861,7 @@ struct ixgbe_mbx_operations {
  	s32 (*check_for_ack)(struct ixgbe_hw *, u16);
  	s32 (*check_for_rst)(struct ixgbe_hw *, u16);
  };
@@ -36108,7 +36103,7 @@ index 6c5cca8..de8ef63 100644
  
  struct ixgbe_mbx_stats {
  	u32 msgs_tx;
-@@ -2867,7 +2871,7 @@ struct ixgbe_mbx_stats {
+@@ -2869,7 +2873,7 @@ struct ixgbe_mbx_stats {
  };
  
  struct ixgbe_mbx_info {
@@ -45429,7 +45424,7 @@ index a6f3763..f38ed00 100644
  
  out_free_fd:
 diff --git a/fs/exec.c b/fs/exec.c
-index 121ccae..d0404a2 100644
+index 121ccae..c3cc8b9 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,12 +55,33 @@
@@ -46268,7 +46263,7 @@ index 121ccae..d0404a2 100644
  	audit_core_dumps(signr);
  
 +	if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
-+		gr_handle_brute_attach(current, cprm.mm_flags);
++		gr_handle_brute_attach(cprm.mm_flags);
 +
  	binfmt = mm->binfmt;
  	if (!binfmt || !binfmt->core_dump)
@@ -60514,10 +60509,10 @@ index 0000000..f7f29aa
 +}
 diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
 new file mode 100644
-index 0000000..7a5b2de
+index 0000000..1080a03
 --- /dev/null
 +++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,207 @@
+@@ -0,0 +1,220 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/delay.h>
@@ -60595,6 +60590,7 @@ index 0000000..7a5b2de
 +
 +#ifdef CONFIG_GRKERNSEC_BRUTE
 +#define GR_USER_BAN_TIME (15 * 60)
++#define GR_DAEMON_BRUTE_TIME (30 * 60)
 +
 +static int __get_dumpable(unsigned long mm_flags)
 +{
@@ -60605,10 +60601,12 @@ index 0000000..7a5b2de
 +}
 +#endif
 +
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
++void gr_handle_brute_attach(unsigned long mm_flags)
 +{
 +#ifdef CONFIG_GRKERNSEC_BRUTE
++	struct task_struct *p = current;
 +	uid_t uid = 0;
++	int daemon = 0;
 +
 +	if (!grsec_enable_brute)
 +		return;
@@ -60616,9 +60614,11 @@ index 0000000..7a5b2de
 +	rcu_read_lock();
 +	read_lock(&tasklist_lock);
 +	read_lock(&grsec_exec_file_lock);
-+	if (p->real_parent && p->real_parent->exec_file == p->exec_file)
++	if (p->real_parent && p->real_parent->exec_file == p->exec_file) {
++		p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
 +		p->real_parent->brute = 1;
-+	else {
++		daemon = 1;
++	} else {
 +		const struct cred *cred = __task_cred(p), *cred2;
 +		struct task_struct *tsk, *tsk2;
 +
@@ -60650,6 +60650,8 @@ index 0000000..7a5b2de
 +
 +	if (uid)
 +		printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
++	else if (daemon)
++		gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
 +
 +#endif
 +	return;
@@ -60658,8 +60660,14 @@ index 0000000..7a5b2de
 +void gr_handle_brute_check(void)
 +{
 +#ifdef CONFIG_GRKERNSEC_BRUTE
-+	if (current->brute)
-+		msleep(30 * 1000);
++	struct task_struct *p = current;
++
++	if (unlikely(p->brute)) {
++		if (!grsec_enable_brute)
++			p->brute = 0;
++		else if (time_before(get_seconds(), p->brute_expires))
++			msleep(30 * 1000);
++	}
 +#endif
 +	return;
 +}
@@ -63732,10 +63740,10 @@ index 0000000..c9292f7
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..54f4e85
+index 0000000..2bd4c8d
 --- /dev/null
 +++ b/include/linux/grmsg.h
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -63846,9 +63854,10 @@ index 0000000..54f4e85
 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
 +#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
++#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..90ccf22
+index 0000000..88c3d04
 --- /dev/null
 +++ b/include/linux/grsecurity.h
 @@ -0,0 +1,236 @@
@@ -63887,7 +63896,7 @@ index 0000000..90ccf22
 +	} ptr;
 +};
 +
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
++void gr_handle_brute_attach(unsigned long mm_flags);
 +void gr_handle_brute_check(void);
 +void gr_handle_kernel_exploit(void);
 +int gr_process_user_ban(void);
@@ -64481,6 +64490,40 @@ index 6bea2c2..a27245a 100644
  
  /*
   * Kernel text modification mutex, used for code patching. Users of this lock
+diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
+index 3e8f2f7..f85c5ab 100644
+--- a/include/linux/mempolicy.h
++++ b/include/linux/mempolicy.h
+@@ -137,16 +137,6 @@ static inline void mpol_cond_put(struct mempolicy *pol)
+ 		__mpol_put(pol);
+ }
+ 
+-extern struct mempolicy *__mpol_cond_copy(struct mempolicy *tompol,
+-					  struct mempolicy *frompol);
+-static inline struct mempolicy *mpol_cond_copy(struct mempolicy *tompol,
+-						struct mempolicy *frompol)
+-{
+-	if (!frompol)
+-		return frompol;
+-	return __mpol_cond_copy(tompol, frompol);
+-}
+-
+ extern struct mempolicy *__mpol_dup(struct mempolicy *pol);
+ static inline struct mempolicy *mpol_dup(struct mempolicy *pol)
+ {
+@@ -270,12 +260,6 @@ static inline void mpol_cond_put(struct mempolicy *pol)
+ {
+ }
+ 
+-static inline struct mempolicy *mpol_cond_copy(struct mempolicy *to,
+-						struct mempolicy *from)
+-{
+-	return from;
+-}
+-
+ static inline void mpol_get(struct mempolicy *pol)
+ {
+ }
 diff --git a/include/linux/mfd/abx500.h b/include/linux/mfd/abx500.h
 index 9970337..9444122 100644
 --- a/include/linux/mfd/abx500.h
@@ -65376,7 +65419,7 @@ index 2148b12..519b820 100644
  
  static inline void anon_vma_merge(struct vm_area_struct *vma,
 diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 1e86bb4..37d6860 100644
+index 1e86bb4..ab37e2e 100644
 --- a/include/linux/sched.h
 +++ b/include/linux/sched.h
 @@ -101,6 +101,7 @@ struct bio_list;
@@ -65497,7 +65540,7 @@ index 1e86bb4..37d6860 100644
  #ifdef CONFIG_DEBUG_MUTEXES
  	/* mutex deadlock detection */
  	struct mutex_waiter *blocked_on;
-@@ -1544,6 +1575,27 @@ struct task_struct {
+@@ -1544,6 +1575,28 @@ struct task_struct {
  	unsigned long default_timer_slack_ns;
  
  	struct list_head	*scm_work_list;
@@ -65514,6 +65557,7 @@ index 1e86bb4..37d6860 100644
 +	struct acl_subject_label *acl;
 +	struct acl_role_label *role;
 +	struct file *exec_file;
++	unsigned long brute_expires;
 +	u16 acl_role_id;
 +	/* is this the task that authenticated to the special role */
 +	u8 acl_sp_role;
@@ -65525,7 +65569,7 @@ index 1e86bb4..37d6860 100644
  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
  	/* Index of current stored address in ret_stack */
  	int curr_ret_stack;
-@@ -1578,6 +1630,51 @@ struct task_struct {
+@@ -1578,6 +1631,51 @@ struct task_struct {
  #endif
  };
  
@@ -65577,7 +65621,7 @@ index 1e86bb4..37d6860 100644
  /* Future-safe accessor for struct task_struct's cpus_allowed. */
  #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
  
-@@ -2093,7 +2190,9 @@ void yield(void);
+@@ -2093,7 +2191,9 @@ void yield(void);
  extern struct exec_domain	default_exec_domain;
  
  union thread_union {
@@ -65587,7 +65631,7 @@ index 1e86bb4..37d6860 100644
  	unsigned long stack[THREAD_SIZE/sizeof(long)];
  };
  
-@@ -2126,6 +2225,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2126,6 +2226,7 @@ extern struct pid_namespace init_pid_ns;
   */
  
  extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -65595,7 +65639,7 @@ index 1e86bb4..37d6860 100644
  extern struct task_struct *find_task_by_pid_ns(pid_t nr,
  		struct pid_namespace *ns);
  
-@@ -2247,6 +2347,12 @@ static inline void mmdrop(struct mm_struct * mm)
+@@ -2247,6 +2348,12 @@ static inline void mmdrop(struct mm_struct * mm)
  extern void mmput(struct mm_struct *);
  /* Grab a reference to a task's mm, if it is not already going away */
  extern struct mm_struct *get_task_mm(struct task_struct *task);
@@ -65608,7 +65652,7 @@ index 1e86bb4..37d6860 100644
  /* Remove the current tasks stale references to the old mm_struct */
  extern void mm_release(struct task_struct *, struct mm_struct *);
  /* Allocate a new mm structure and copy contents from tsk->mm */
-@@ -2263,7 +2369,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2263,7 +2370,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
  extern void exit_itimers(struct signal_struct *);
  extern void flush_itimer_signals(void);
  
@@ -65617,7 +65661,7 @@ index 1e86bb4..37d6860 100644
  
  extern void daemonize(const char *, ...);
  extern int allow_signal(int);
-@@ -2428,9 +2534,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2428,9 +2535,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
  
  #endif
  
@@ -68937,7 +68981,7 @@ index 222457a..de637ca 100644
  			else
  				new_fs = fs;
 diff --git a/kernel/futex.c b/kernel/futex.c
-index 80fb1c6..f2b5e1f 100644
+index 77bccfc..f2b5e1f 100644
 --- a/kernel/futex.c
 +++ b/kernel/futex.c
 @@ -54,6 +54,7 @@
@@ -68960,139 +69004,7 @@ index 80fb1c6..f2b5e1f 100644
  	/*
  	 * The futex address must be "naturally" aligned.
  	 */
-@@ -716,7 +722,7 @@ static int futex_lock_pi_atomic(u32 __user *uaddr, struct futex_hash_bucket *hb,
- 				struct futex_pi_state **ps,
- 				struct task_struct *task, int set_waiters)
- {
--	int lock_taken, ret, ownerdied = 0;
-+	int lock_taken, ret, force_take = 0;
- 	u32 uval, newval, curval, vpid = task_pid_vnr(task);
- 
- retry:
-@@ -755,17 +761,15 @@ retry:
- 	newval = curval | FUTEX_WAITERS;
- 
- 	/*
--	 * There are two cases, where a futex might have no owner (the
--	 * owner TID is 0): OWNER_DIED. We take over the futex in this
--	 * case. We also do an unconditional take over, when the owner
--	 * of the futex died.
--	 *
--	 * This is safe as we are protected by the hash bucket lock !
-+	 * Should we force take the futex? See below.
- 	 */
--	if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
--		/* Keep the OWNER_DIED bit */
-+	if (unlikely(force_take)) {
-+		/*
-+		 * Keep the OWNER_DIED and the WAITERS bit and set the
-+		 * new TID value.
-+		 */
- 		newval = (curval & ~FUTEX_TID_MASK) | vpid;
--		ownerdied = 0;
-+		force_take = 0;
- 		lock_taken = 1;
- 	}
- 
-@@ -775,7 +779,7 @@ retry:
- 		goto retry;
- 
- 	/*
--	 * We took the lock due to owner died take over.
-+	 * We took the lock due to forced take over.
- 	 */
- 	if (unlikely(lock_taken))
- 		return 1;
-@@ -790,20 +794,25 @@ retry:
- 		switch (ret) {
- 		case -ESRCH:
- 			/*
--			 * No owner found for this futex. Check if the
--			 * OWNER_DIED bit is set to figure out whether
--			 * this is a robust futex or not.
-+			 * We failed to find an owner for this
-+			 * futex. So we have no pi_state to block
-+			 * on. This can happen in two cases:
-+			 *
-+			 * 1) The owner died
-+			 * 2) A stale FUTEX_WAITERS bit
-+			 *
-+			 * Re-read the futex value.
- 			 */
- 			if (get_futex_value_locked(&curval, uaddr))
- 				return -EFAULT;
- 
- 			/*
--			 * We simply start over in case of a robust
--			 * futex. The code above will take the futex
--			 * and return happy.
-+			 * If the owner died or we have a stale
-+			 * WAITERS bit the owner TID in the user space
-+			 * futex is 0.
- 			 */
--			if (curval & FUTEX_OWNER_DIED) {
--				ownerdied = 1;
-+			if (!(curval & FUTEX_TID_MASK)) {
-+				force_take = 1;
- 				goto retry;
- 			}
- 		default:
-@@ -840,6 +849,9 @@ static void wake_futex(struct futex_q *q)
- {
- 	struct task_struct *p = q->task;
- 
-+	if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n"))
-+		return;
-+
- 	/*
- 	 * We set q->lock_ptr = NULL _before_ we wake up the task. If
- 	 * a non-futex wake up happens on another CPU then the task
-@@ -1075,6 +1087,10 @@ retry_private:
- 
- 	plist_for_each_entry_safe(this, next, head, list) {
- 		if (match_futex (&this->key, &key1)) {
-+			if (this->pi_state || this->rt_waiter) {
-+				ret = -EINVAL;
-+				goto out_unlock;
-+			}
- 			wake_futex(this);
- 			if (++ret >= nr_wake)
- 				break;
-@@ -1087,6 +1103,10 @@ retry_private:
- 		op_ret = 0;
- 		plist_for_each_entry_safe(this, next, head, list) {
- 			if (match_futex (&this->key, &key2)) {
-+				if (this->pi_state || this->rt_waiter) {
-+					ret = -EINVAL;
-+					goto out_unlock;
-+				}
- 				wake_futex(this);
- 				if (++op_ret >= nr_wake2)
- 					break;
-@@ -1095,6 +1115,7 @@ retry_private:
- 		ret += op_ret;
- 	}
- 
-+out_unlock:
- 	double_unlock_hb(hb1, hb2);
- out_put_keys:
- 	put_futex_key(&key2);
-@@ -1384,9 +1405,13 @@ retry_private:
- 		/*
- 		 * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always
- 		 * be paired with each other and no other futex ops.
-+		 *
-+		 * We should never be requeueing a futex_q with a pi_state,
-+		 * which is awaiting a futex_unlock_pi().
- 		 */
- 		if ((requeue_pi && !this->rt_waiter) ||
--		    (!requeue_pi && this->rt_waiter)) {
-+		    (!requeue_pi && this->rt_waiter) ||
-+		    this->pi_state) {
- 			ret = -EINVAL;
- 			break;
- 		}
-@@ -2724,6 +2749,7 @@ static int __init futex_init(void)
+@@ -2743,6 +2749,7 @@ static int __init futex_init(void)
  {
  	u32 curval;
  	int i;
@@ -69100,7 +69012,7 @@ index 80fb1c6..f2b5e1f 100644
  
  	/*
  	 * This will fail and we want it. Some arch implementations do
-@@ -2735,8 +2761,11 @@ static int __init futex_init(void)
+@@ -2754,8 +2761,11 @@ static int __init futex_init(void)
  	 * implementation, the non-functional ones will return
  	 * -ENOSYS.
  	 */
@@ -72777,22 +72689,10 @@ index 209b379..7f76423 100644
  			put_task_struct(tsk);
  		}
 diff --git a/kernel/workqueue.c b/kernel/workqueue.c
-index 43a19c5..a6ca577 100644
+index d551d5f..a6ca577 100644
 --- a/kernel/workqueue.c
 +++ b/kernel/workqueue.c
-@@ -2052,8 +2052,10 @@ static int rescuer_thread(void *__wq)
- repeat:
- 	set_current_state(TASK_INTERRUPTIBLE);
- 
--	if (kthread_should_stop())
-+	if (kthread_should_stop()) {
-+		__set_current_state(TASK_RUNNING);
- 		return 0;
-+	}
- 
- 	/*
- 	 * See whether any cpu is asking for help.  Unbounded
-@@ -3468,7 +3470,7 @@ static int __cpuinit trustee_thread(void *__gcwq)
+@@ -3470,7 +3470,7 @@ static int __cpuinit trustee_thread(void *__gcwq)
  		 */
  		worker_flags |= WORKER_REBIND;
  		worker_flags &= ~WORKER_ROGUE;
@@ -73531,7 +73431,7 @@ index 23d3a6b..e10d35a 100644
  	if (end == start)
  		goto out;
 diff --git a/mm/memory-failure.c b/mm/memory-failure.c
-index 5bd5bb1..de5405e 100644
+index 1b03878..de5405e 100644
 --- a/mm/memory-failure.c
 +++ b/mm/memory-failure.c
 @@ -61,7 +61,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0;
@@ -73606,25 +73506,7 @@ index 5bd5bb1..de5405e 100644
  	set_page_hwpoison_huge_page(hpage);
  	dequeue_hwpoisoned_huge_page(hpage);
  	/* keep elevated page count for bad page */
-@@ -1475,9 +1475,17 @@ int soft_offline_page(struct page *page, int flags)
- {
- 	int ret;
- 	unsigned long pfn = page_to_pfn(page);
-+	struct page *hpage = compound_trans_head(page);
- 
- 	if (PageHuge(page))
- 		return soft_offline_huge_page(page, flags);
-+	if (PageTransHuge(hpage)) {
-+		if (PageAnon(hpage) && unlikely(split_huge_page(hpage))) {
-+			pr_info("soft offline: %#lx: failed to split THP\n",
-+				pfn);
-+			return -EBUSY;
-+		}
-+	}
- 
- 	ret = get_any_page(page, pfn, flags);
- 	if (ret < 0)
-@@ -1573,7 +1581,7 @@ int soft_offline_page(struct page *page, int flags)
+@@ -1581,7 +1581,7 @@ int soft_offline_page(struct page *page, int flags)
  		return ret;
  
  done:
@@ -74314,7 +74196,7 @@ index 9ad7d1e..09d87b7 100644
  
  	writeback_set_ratelimit();
 diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index 4c82c21..d7fdbbd 100644
+index 4c82c21..16ca616 100644
 --- a/mm/mempolicy.c
 +++ b/mm/mempolicy.c
 @@ -655,6 +655,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -74388,6 +74270,35 @@ index 4c82c21..d7fdbbd 100644
  		rcu_read_unlock();
  		err = -EPERM;
  		goto out;
+@@ -1999,28 +2031,6 @@ struct mempolicy *__mpol_dup(struct mempolicy *old)
+ 	return new;
+ }
+ 
+-/*
+- * If *frompol needs [has] an extra ref, copy *frompol to *tompol ,
+- * eliminate the * MPOL_F_* flags that require conditional ref and
+- * [NOTE!!!] drop the extra ref.  Not safe to reference *frompol directly
+- * after return.  Use the returned value.
+- *
+- * Allows use of a mempolicy for, e.g., multiple allocations with a single
+- * policy lookup, even if the policy needs/has extra ref on lookup.
+- * shmem_readahead needs this.
+- */
+-struct mempolicy *__mpol_cond_copy(struct mempolicy *tompol,
+-						struct mempolicy *frompol)
+-{
+-	if (!mpol_needs_cond_ref(frompol))
+-		return frompol;
+-
+-	*tompol = *frompol;
+-	tompol->flags &= ~MPOL_F_SHARED;	/* copy doesn't need unref */
+-	__mpol_put(frompol);
+-	return tompol;
+-}
+-
+ /* Slow path of a mempolicy comparison */
+ int __mpol_equal(struct mempolicy *a, struct mempolicy *b)
+ {
 diff --git a/mm/migrate.c b/mm/migrate.c
 index 180d97f..c75ef28 100644
 --- a/mm/migrate.c
@@ -76489,7 +76400,7 @@ index 8685697..b490361 100644
  	struct anon_vma_chain *avc;
  	struct anon_vma *anon_vma;
 diff --git a/mm/shmem.c b/mm/shmem.c
-index 126ca35..a89cd4c 100644
+index 2d46e23..5118865 100644
 --- a/mm/shmem.c
 +++ b/mm/shmem.c
 @@ -31,7 +31,7 @@
@@ -76510,7 +76421,59 @@ index 126ca35..a89cd4c 100644
  
  struct shmem_xattr {
  	struct list_head list;	/* anchored by shmem_inode_info->xattr_list */
-@@ -1803,6 +1803,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
+@@ -798,24 +798,28 @@ static struct mempolicy *shmem_get_sbmpol(struct shmem_sb_info *sbinfo)
+ static struct page *shmem_swapin(swp_entry_t swap, gfp_t gfp,
+ 			struct shmem_inode_info *info, pgoff_t index)
+ {
+-	struct mempolicy mpol, *spol;
+ 	struct vm_area_struct pvma;
+-
+-	spol = mpol_cond_copy(&mpol,
+-			mpol_shared_policy_lookup(&info->policy, index));
++	struct page *page;
+ 
+ 	/* Create a pseudo vma that just contains the policy */
+ 	pvma.vm_start = 0;
+ 	pvma.vm_pgoff = index;
+ 	pvma.vm_ops = NULL;
+-	pvma.vm_policy = spol;
+-	return swapin_readahead(swap, gfp, &pvma, 0);
++	pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, index);
++
++	page = swapin_readahead(swap, gfp, &pvma, 0);
++
++	/* Drop reference taken by mpol_shared_policy_lookup() */
++	mpol_cond_put(pvma.vm_policy);
++
++	return page;
+ }
+ 
+ static struct page *shmem_alloc_page(gfp_t gfp,
+ 			struct shmem_inode_info *info, pgoff_t index)
+ {
+ 	struct vm_area_struct pvma;
++	struct page *page;
+ 
+ 	/* Create a pseudo vma that just contains the policy */
+ 	pvma.vm_start = 0;
+@@ -823,10 +827,12 @@ static struct page *shmem_alloc_page(gfp_t gfp,
+ 	pvma.vm_ops = NULL;
+ 	pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, index);
+ 
+-	/*
+-	 * alloc_page_vma() will drop the shared policy reference
+-	 */
+-	return alloc_page_vma(gfp, &pvma, 0);
++	page = alloc_page_vma(gfp, &pvma, 0);
++
++	/* Drop reference taken by mpol_shared_policy_lookup() */
++	mpol_cond_put(pvma.vm_policy);
++
++	return page;
+ }
+ #else /* !CONFIG_NUMA */
+ #ifdef CONFIG_TMPFS
+@@ -1803,6 +1809,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
  static int shmem_xattr_validate(const char *name)
  {
  	struct { const char *prefix; size_t len; } arr[] = {
@@ -76522,7 +76485,7 @@ index 126ca35..a89cd4c 100644
  		{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
  		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
  	};
-@@ -1856,6 +1861,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
+@@ -1856,6 +1867,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
  	if (err)
  		return err;
  
@@ -76538,7 +76501,7 @@ index 126ca35..a89cd4c 100644
  	if (size == 0)
  		value = "";  /* empty EA, do not remove */
  
-@@ -2183,8 +2197,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
+@@ -2183,8 +2203,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
  	int err = -ENOMEM;
  
  	/* Round up to L1_CACHE_BYTES to resist false sharing */
@@ -77428,47 +77391,6 @@ index 1b7e22a..3fcd4f3 100644
  	}
  	return pgd;
  }
-diff --git a/mm/sparse.c b/mm/sparse.c
-index bf7d3cc..42935b5 100644
---- a/mm/sparse.c
-+++ b/mm/sparse.c
-@@ -622,7 +622,7 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages)
- {
- 	return; /* XXX: Not implemented yet */
- }
--static void free_map_bootmem(struct page *page, unsigned long nr_pages)
-+static void free_map_bootmem(struct page *memmap, unsigned long nr_pages)
- {
- }
- #else
-@@ -663,10 +663,11 @@ static void __kfree_section_memmap(struct page *memmap, unsigned long nr_pages)
- 			   get_order(sizeof(struct page) * nr_pages));
- }
- 
--static void free_map_bootmem(struct page *page, unsigned long nr_pages)
-+static void free_map_bootmem(struct page *memmap, unsigned long nr_pages)
- {
- 	unsigned long maps_section_nr, removing_section_nr, i;
- 	unsigned long magic;
-+	struct page *page = virt_to_page(memmap);
- 
- 	for (i = 0; i < nr_pages; i++, page++) {
- 		magic = (unsigned long) page->lru.next;
-@@ -715,13 +716,10 @@ static void free_section_usemap(struct page *memmap, unsigned long *usemap)
- 	 */
- 
- 	if (memmap) {
--		struct page *memmap_page;
--		memmap_page = virt_to_page(memmap);
--
- 		nr_pages = PAGE_ALIGN(PAGES_PER_SECTION * sizeof(struct page))
- 			>> PAGE_SHIFT;
- 
--		free_map_bootmem(memmap_page, nr_pages);
-+		free_map_bootmem(memmap, nr_pages);
- 	}
- }
- 
 diff --git a/mm/swap.c b/mm/swap.c
 index 55b266d..a532537 100644
 --- a/mm/swap.c
@@ -78480,20 +78402,6 @@ index 8656909..a2ae45d 100644
  	}
  
  	/* Update statistics. */
-diff --git a/net/can/bcm.c b/net/can/bcm.c
-index 151b773..3910c1f 100644
---- a/net/can/bcm.c
-+++ b/net/can/bcm.c
-@@ -1084,6 +1084,9 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
- 		op->sk = sk;
- 		op->ifindex = ifindex;
- 
-+		/* ifindex for timeout events w/o previous frame reception */
-+		op->rx_ifindex = ifindex;
-+
- 		/* initialize uninitialized (kzalloc) structure */
- 		hrtimer_init(&op->timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
- 		op->timer.function = bcm_rx_timeout_handler;
 diff --git a/net/can/gw.c b/net/can/gw.c
 index 3d79b12..8de85fa 100644
 --- a/net/can/gw.c
@@ -78661,7 +78569,7 @@ index 68bbf9f..5ef0d12 100644
  
  	return err;
 diff --git a/net/core/dev.c b/net/core/dev.c
-index 480be72..cd4758c 100644
+index 2aac4ec..2f9871c 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name)
@@ -78706,7 +78614,7 @@ index 480be72..cd4758c 100644
  
  #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
  
-@@ -2964,7 +2968,7 @@ enqueue:
+@@ -2966,7 +2970,7 @@ enqueue:
  
  	local_irq_restore(flags);
  
@@ -78715,7 +78623,7 @@ index 480be72..cd4758c 100644
  	kfree_skb(skb);
  	return NET_RX_DROP;
  }
-@@ -3038,7 +3042,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -3040,7 +3044,7 @@ int netif_rx_ni(struct sk_buff *skb)
  }
  EXPORT_SYMBOL(netif_rx_ni);
  
@@ -78724,7 +78632,7 @@ index 480be72..cd4758c 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  
-@@ -3330,7 +3334,7 @@ ncls:
+@@ -3332,7 +3336,7 @@ ncls:
  	if (pt_prev) {
  		ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
  	} else {
@@ -78733,7 +78641,7 @@ index 480be72..cd4758c 100644
  		kfree_skb(skb);
  		/* Jamal, now you will not able to escape explaining
  		 * me how you were going to use this. :-)
-@@ -3895,7 +3899,7 @@ void netif_napi_del(struct napi_struct *napi)
+@@ -3897,7 +3901,7 @@ void netif_napi_del(struct napi_struct *napi)
  }
  EXPORT_SYMBOL(netif_napi_del);
  
@@ -78742,7 +78650,7 @@ index 480be72..cd4758c 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  	unsigned long time_limit = jiffies + 2;
-@@ -4365,8 +4369,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
+@@ -4367,8 +4371,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
  		else
  			seq_printf(seq, "%04x", ntohs(pt->type));
  
@@ -78756,7 +78664,7 @@ index 480be72..cd4758c 100644
  	}
  
  	return 0;
-@@ -5923,7 +5932,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5925,7 +5934,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
  	} else {
  		netdev_stats_to_stats64(storage, &dev->stats);
  	}
@@ -79184,10 +79092,10 @@ index fdaabf2..0ec3205 100644
  
  	rc = qp->q.fragments && (end - start) > max;
 diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 09ff51b..d3968eb 100644
+index 0106d25..cc0b33e 100644
 --- a/net/ipv4/ip_sockglue.c
 +++ b/net/ipv4/ip_sockglue.c
-@@ -1111,7 +1111,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1120,7 +1120,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
  		len = min_t(unsigned int, len, opt->optlen);
  		if (put_user(len, optlen))
  			return -EFAULT;
@@ -79197,7 +79105,7 @@ index 09ff51b..d3968eb 100644
  			return -EFAULT;
  		return 0;
  	}
-@@ -1239,7 +1240,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1248,7 +1249,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
  		if (sk->sk_type != SOCK_STREAM)
  			return -ENOPROTOOPT;
  
@@ -79821,10 +79729,10 @@ index 1567fb1..29af910 100644
  			dst = NULL;
  		}
 diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
-index 26cb08c..8af9877 100644
+index b204df8..8f274f4 100644
 --- a/net/ipv6/ipv6_sockglue.c
 +++ b/net/ipv6/ipv6_sockglue.c
-@@ -960,7 +960,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
+@@ -961,7 +961,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
  		if (sk->sk_type != SOCK_STREAM)
  			return -ENOPROTOOPT;
  
diff --git a/3.2.34/4425-tmpfs-user-namespace.patch b/3.2.35/4425-tmpfs-user-namespace.patch
index a7d2649..e919350 100644
--- a/3.2.34/4425-tmpfs-user-namespace.patch
+++ b/3.2.35/4425-tmpfs-user-namespace.patch
@@ -13,12 +13,11 @@ Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
 ---
 
 diff --git a/mm/shmem.c b/mm/shmem.c
-index 67afba5..697a181 100644
 --- a/mm/shmem.c
 +++ b/mm/shmem.c
-@@ -1804,7 +1804,8 @@ static int shmem_xattr_validate(const char *name)
- {
- 	struct { const char *prefix; size_t len; } arr[] = {
+@@ -1815,7 +1815,8 @@
+ #endif
+ 
  		{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
 -		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
 +		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN },
diff --git a/3.2.34/4430_grsec-remove-localversion-grsec.patch b/3.2.35/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.2.34/4430_grsec-remove-localversion-grsec.patch
+++ b/3.2.35/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.34/4435_grsec-mute-warnings.patch b/3.2.35/4435_grsec-mute-warnings.patch
index e85abd6..e85abd6 100644
--- a/3.2.34/4435_grsec-mute-warnings.patch
+++ b/3.2.35/4435_grsec-mute-warnings.patch
diff --git a/3.2.34/4440_grsec-remove-protected-paths.patch b/3.2.35/4440_grsec-remove-protected-paths.patch
index 637934a..637934a 100644
--- a/3.2.34/4440_grsec-remove-protected-paths.patch
+++ b/3.2.35/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.34/4450_grsec-kconfig-default-gids.patch b/3.2.35/4450_grsec-kconfig-default-gids.patch
index d4b0b7e..5c5b013 100644
--- a/3.2.34/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.35/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2012-10-13 09:51:35.000000000 -0400
 +++ b/grsecurity/Kconfig	2012-10-13 09:52:32.000000000 -0400
-@@ -522,7 +522,7 @@
+@@ -539,7 +539,7 @@
  config GRKERNSEC_AUDIT_GID
  	int "GID for auditing"
  	depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_EXECLOG
  	bool "Exec logging"
-@@ -742,7 +742,7 @@
+@@ -759,7 +759,7 @@
  config GRKERNSEC_TPE_UNTRUSTED_GID
  	int "GID for TPE-untrusted users"
  	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *enabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -751,7 +751,7 @@
+@@ -768,7 +768,7 @@
  config GRKERNSEC_TPE_TRUSTED_GID
  	int "GID for TPE-trusted users"
  	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -826,7 +826,7 @@
+@@ -843,7 +843,7 @@
  config GRKERNSEC_SOCKET_ALL_GID
  	int "GID to deny all sockets for"
  	depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable socket access for. Remember to
  	  add the users you want socket access disabled for to the GID
-@@ -847,7 +847,7 @@
+@@ -864,7 +864,7 @@
  config GRKERNSEC_SOCKET_CLIENT_GID
  	int "GID to deny client sockets for"
  	depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable client socket access for.
  	  Remember to add the users you want client socket access disabled for to
-@@ -865,7 +865,7 @@
+@@ -882,7 +882,7 @@
  config GRKERNSEC_SOCKET_SERVER_GID
  	int "GID to deny server sockets for"
  	depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.2.34/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.35/4465_selinux-avc_audit-log-curr_ip.patch
index 3ea7bcc..439ddca 100644
--- a/3.2.34/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.35/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-04-17 19:32:53.000000000 -0400
-@@ -924,6 +924,27 @@
+@@ -941,6 +941,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  
diff --git a/3.2.34/4470_disable-compat_vdso.patch b/3.2.35/4470_disable-compat_vdso.patch
index 4742d01..4742d01 100644
--- a/3.2.34/4470_disable-compat_vdso.patch
+++ b/3.2.35/4470_disable-compat_vdso.patch
diff --git a/3.6.9/0000_README b/3.6.9/0000_README
index 8e5aecd..a275502 100644
--- a/3.6.9/0000_README
+++ b/3.6.9/0000_README
@@ -6,7 +6,7 @@ Patch:	1008_linux-3.6.9.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.6.9
 
-Patch:	4420_grsecurity-2.9.1-3.6.9-201212041903.patch
+Patch:	4420_grsecurity-2.9.1-3.6.9-201212071641.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.6.9/4420_grsecurity-2.9.1-3.6.9-201212041903.patch b/3.6.9/4420_grsecurity-2.9.1-3.6.9-201212071641.patch
index af317c3..9724617 100644
--- a/3.6.9/4420_grsecurity-2.9.1-3.6.9-201212041903.patch
+++ b/3.6.9/4420_grsecurity-2.9.1-3.6.9-201212071641.patch
@@ -28237,7 +28237,7 @@ index f9b983a..887b9d8 100644
  	return 0;
  }
 diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c
-index 89b30f3..7964211 100644
+index 89b30f3..7964211d4 100644
 --- a/drivers/atm/ambassador.c
 +++ b/drivers/atm/ambassador.c
 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) {
@@ -45262,7 +45262,7 @@ index b2a34a1..162fa69 100644
  	return rc;
  }
 diff --git a/fs/exec.c b/fs/exec.c
-index fab2c6d..6a13dff 100644
+index fab2c6d..9b2fad8 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,6 +55,15 @@
@@ -46010,7 +46010,7 @@ index fab2c6d..6a13dff 100644
  	audit_core_dumps(signr);
  
 +	if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
-+		gr_handle_brute_attach(current, cprm.mm_flags);
++		gr_handle_brute_attach(cprm.mm_flags);
 +
  	binfmt = mm->binfmt;
  	if (!binfmt || !binfmt->core_dump)
@@ -59887,10 +59887,10 @@ index 0000000..f7f29aa
 +}
 diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
 new file mode 100644
-index 0000000..b4ac94c
+index 0000000..5c00416
 --- /dev/null
 +++ b/grsecurity/grsec_sig.c
-@@ -0,0 +1,209 @@
+@@ -0,0 +1,222 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/delay.h>
@@ -59968,6 +59968,7 @@ index 0000000..b4ac94c
 +
 +#ifdef CONFIG_GRKERNSEC_BRUTE
 +#define GR_USER_BAN_TIME (15 * 60)
++#define GR_DAEMON_BRUTE_TIME (30 * 60)
 +
 +static int __get_dumpable(unsigned long mm_flags)
 +{
@@ -59978,10 +59979,12 @@ index 0000000..b4ac94c
 +}
 +#endif
 +
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
++void gr_handle_brute_attach(unsigned long mm_flags)
 +{
 +#ifdef CONFIG_GRKERNSEC_BRUTE
++	struct task_struct *p = current;
 +	kuid_t uid = GLOBAL_ROOT_UID;
++	int daemon = 0;
 +
 +	if (!grsec_enable_brute)
 +		return;
@@ -59989,9 +59992,11 @@ index 0000000..b4ac94c
 +	rcu_read_lock();
 +	read_lock(&tasklist_lock);
 +	read_lock(&grsec_exec_file_lock);
-+	if (p->real_parent && p->real_parent->exec_file == p->exec_file)
++	if (p->real_parent && p->real_parent->exec_file == p->exec_file) {
++		p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
 +		p->real_parent->brute = 1;
-+	else {
++		daemon = 1;
++	} else {
 +		const struct cred *cred = __task_cred(p), *cred2;
 +		struct task_struct *tsk, *tsk2;
 +
@@ -60024,6 +60029,8 @@ index 0000000..b4ac94c
 +	if (!uid_eq(uid, GLOBAL_ROOT_UID))
 +		printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n",
 +			from_kuid_munged(&init_user_ns, uid), GR_USER_BAN_TIME / 60);
++	else if (daemon)
++		gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
 +
 +#endif
 +	return;
@@ -60032,8 +60039,14 @@ index 0000000..b4ac94c
 +void gr_handle_brute_check(void)
 +{
 +#ifdef CONFIG_GRKERNSEC_BRUTE
-+	if (current->brute)
-+		msleep(30 * 1000);
++	struct task_struct *p = current;
++
++	if (unlikely(p->brute)) {
++		if (!grsec_enable_brute)
++			p->brute = 0;
++		else if (time_before(get_seconds(), p->brute_expires))
++			msleep(30 * 1000);
++	}
 +#endif
 +	return;
 +}
@@ -63091,10 +63104,10 @@ index 0000000..c9292f7
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..54f4e85
+index 0000000..2bd4c8d
 --- /dev/null
 +++ b/include/linux/grmsg.h
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -63205,9 +63218,10 @@ index 0000000..54f4e85
 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
 +#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
 +#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
++#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..187b3ed
+index 0000000..28d8b19
 --- /dev/null
 +++ b/include/linux/grsecurity.h
 @@ -0,0 +1,239 @@
@@ -63246,7 +63260,7 @@ index 0000000..187b3ed
 +	} ptr;
 +};
 +
-+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
++void gr_handle_brute_attach(unsigned long mm_flags);
 +void gr_handle_brute_check(void);
 +void gr_handle_kernel_exploit(void);
 +int gr_process_user_ban(void);
@@ -63829,6 +63843,40 @@ index ff9a9f8..c715deb 100644
  
  /*
   * Kernel text modification mutex, used for code patching. Users of this lock
+diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
+index df08254..5f6c835 100644
+--- a/include/linux/mempolicy.h
++++ b/include/linux/mempolicy.h
+@@ -137,16 +137,6 @@ static inline void mpol_cond_put(struct mempolicy *pol)
+ 		__mpol_put(pol);
+ }
+ 
+-extern struct mempolicy *__mpol_cond_copy(struct mempolicy *tompol,
+-					  struct mempolicy *frompol);
+-static inline struct mempolicy *mpol_cond_copy(struct mempolicy *tompol,
+-						struct mempolicy *frompol)
+-{
+-	if (!frompol)
+-		return frompol;
+-	return __mpol_cond_copy(tompol, frompol);
+-}
+-
+ extern struct mempolicy *__mpol_dup(struct mempolicy *pol);
+ static inline struct mempolicy *mpol_dup(struct mempolicy *pol)
+ {
+@@ -270,12 +260,6 @@ static inline void mpol_cond_put(struct mempolicy *pol)
+ {
+ }
+ 
+-static inline struct mempolicy *mpol_cond_copy(struct mempolicy *to,
+-						struct mempolicy *from)
+-{
+-	return from;
+-}
+-
+ static inline void mpol_get(struct mempolicy *pol)
+ {
+ }
 diff --git a/include/linux/mfd/abx500.h b/include/linux/mfd/abx500.h
 index 1318ca6..7521340 100644
 --- a/include/linux/mfd/abx500.h
@@ -64657,7 +64705,7 @@ index 3fce545..b4fed6e 100644
  static inline void anon_vma_merge(struct vm_area_struct *vma,
  				  struct vm_area_struct *next)
 diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 23bddac..5976055 100644
+index 23bddac..e08f087 100644
 --- a/include/linux/sched.h
 +++ b/include/linux/sched.h
 @@ -101,6 +101,7 @@ struct bio_list;
@@ -64768,7 +64816,7 @@ index 23bddac..5976055 100644
  #ifdef CONFIG_FUTEX
  	struct robust_list_head __user *robust_list;
  #ifdef CONFIG_COMPAT
-@@ -1589,8 +1616,74 @@ struct task_struct {
+@@ -1589,8 +1616,75 @@ struct task_struct {
  #ifdef CONFIG_UPROBES
  	struct uprobe_task *utask;
  #endif
@@ -64785,6 +64833,7 @@ index 23bddac..5976055 100644
 +	struct acl_subject_label *acl;
 +	struct acl_role_label *role;
 +	struct file *exec_file;
++	unsigned long brute_expires;
 +	u16 acl_role_id;
 +	/* is this the task that authenticated to the special role */
 +	u8 acl_sp_role;
@@ -64843,7 +64892,7 @@ index 23bddac..5976055 100644
  /* Future-safe accessor for struct task_struct's cpus_allowed. */
  #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
  
-@@ -2125,7 +2218,9 @@ void yield(void);
+@@ -2125,7 +2219,9 @@ void yield(void);
  extern struct exec_domain	default_exec_domain;
  
  union thread_union {
@@ -64853,7 +64902,7 @@ index 23bddac..5976055 100644
  	unsigned long stack[THREAD_SIZE/sizeof(long)];
  };
  
-@@ -2158,6 +2253,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2158,6 +2254,7 @@ extern struct pid_namespace init_pid_ns;
   */
  
  extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -64861,7 +64910,7 @@ index 23bddac..5976055 100644
  extern struct task_struct *find_task_by_pid_ns(pid_t nr,
  		struct pid_namespace *ns);
  
-@@ -2314,7 +2410,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2314,7 +2411,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
  extern void exit_itimers(struct signal_struct *);
  extern void flush_itimer_signals(void);
  
@@ -64870,7 +64919,7 @@ index 23bddac..5976055 100644
  
  extern void daemonize(const char *, ...);
  extern int allow_signal(int);
-@@ -2515,9 +2611,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2515,9 +2612,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
  
  #endif
  
@@ -73238,7 +73287,7 @@ index 5736170..8e04800 100644
  	return 0;
  }
 diff --git a/mm/mempolicy.c b/mm/mempolicy.c
-index 3d64b36..c6ab69c 100644
+index 3d64b36..5c2d5d3 100644
 --- a/mm/mempolicy.c
 +++ b/mm/mempolicy.c
 @@ -655,6 +655,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
@@ -73317,6 +73366,35 @@ index 3d64b36..c6ab69c 100644
  	err = do_migrate_pages(mm, old, new,
  		capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
  
+@@ -2035,28 +2069,6 @@ struct mempolicy *__mpol_dup(struct mempolicy *old)
+ 	return new;
+ }
+ 
+-/*
+- * If *frompol needs [has] an extra ref, copy *frompol to *tompol ,
+- * eliminate the * MPOL_F_* flags that require conditional ref and
+- * [NOTE!!!] drop the extra ref.  Not safe to reference *frompol directly
+- * after return.  Use the returned value.
+- *
+- * Allows use of a mempolicy for, e.g., multiple allocations with a single
+- * policy lookup, even if the policy needs/has extra ref on lookup.
+- * shmem_readahead needs this.
+- */
+-struct mempolicy *__mpol_cond_copy(struct mempolicy *tompol,
+-						struct mempolicy *frompol)
+-{
+-	if (!mpol_needs_cond_ref(frompol))
+-		return frompol;
+-
+-	*tompol = *frompol;
+-	tompol->flags &= ~MPOL_F_SHARED;	/* copy doesn't need unref */
+-	__mpol_put(frompol);
+-	return tompol;
+-}
+-
+ /* Slow path of a mempolicy comparison */
+ bool __mpol_equal(struct mempolicy *a, struct mempolicy *b)
+ {
 diff --git a/mm/migrate.c b/mm/migrate.c
 index 77ed2d7..317d528 100644
 --- a/mm/migrate.c
@@ -75265,7 +75343,7 @@ index aa95e59..b681a63 100644
  	struct anon_vma_chain *avc;
  	struct anon_vma *anon_vma;
 diff --git a/mm/shmem.c b/mm/shmem.c
-index 31e1506..dbf3647 100644
+index 31e1506..7b42549 100644
 --- a/mm/shmem.c
 +++ b/mm/shmem.c
 @@ -31,7 +31,7 @@
@@ -75286,7 +75364,60 @@ index 31e1506..dbf3647 100644
  
  struct shmem_xattr {
  	struct list_head list;	/* anchored by shmem_inode_info->xattr_list */
-@@ -2219,6 +2219,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
+@@ -921,25 +921,29 @@ static struct mempolicy *shmem_get_sbmpol(struct shmem_sb_info *sbinfo)
+ static struct page *shmem_swapin(swp_entry_t swap, gfp_t gfp,
+ 			struct shmem_inode_info *info, pgoff_t index)
+ {
+-	struct mempolicy mpol, *spol;
+ 	struct vm_area_struct pvma;
+-
+-	spol = mpol_cond_copy(&mpol,
+-			mpol_shared_policy_lookup(&info->policy, index));
++	struct page *page;
+ 
+ 	/* Create a pseudo vma that just contains the policy */
+ 	pvma.vm_start = 0;
+ 	/* Bias interleave by inode number to distribute better across nodes */
+ 	pvma.vm_pgoff = index + info->vfs_inode.i_ino;
+ 	pvma.vm_ops = NULL;
+-	pvma.vm_policy = spol;
+-	return swapin_readahead(swap, gfp, &pvma, 0);
++	pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, index);
++
++	page = swapin_readahead(swap, gfp, &pvma, 0);
++
++	/* Drop reference taken by mpol_shared_policy_lookup() */
++	mpol_cond_put(pvma.vm_policy);
++
++	return page;
+ }
+ 
+ static struct page *shmem_alloc_page(gfp_t gfp,
+ 			struct shmem_inode_info *info, pgoff_t index)
+ {
+ 	struct vm_area_struct pvma;
++	struct page *page;
+ 
+ 	/* Create a pseudo vma that just contains the policy */
+ 	pvma.vm_start = 0;
+@@ -948,10 +952,12 @@ static struct page *shmem_alloc_page(gfp_t gfp,
+ 	pvma.vm_ops = NULL;
+ 	pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, index);
+ 
+-	/*
+-	 * alloc_page_vma() will drop the shared policy reference
+-	 */
+-	return alloc_page_vma(gfp, &pvma, 0);
++	page = alloc_page_vma(gfp, &pvma, 0);
++
++	/* Drop reference taken by mpol_shared_policy_lookup() */
++	mpol_cond_put(pvma.vm_policy);
++
++	return page;
+ }
+ #else /* !CONFIG_NUMA */
+ #ifdef CONFIG_TMPFS
+@@ -2219,6 +2225,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
  static int shmem_xattr_validate(const char *name)
  {
  	struct { const char *prefix; size_t len; } arr[] = {
@@ -75298,7 +75429,7 @@ index 31e1506..dbf3647 100644
  		{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
  		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
  	};
-@@ -2272,6 +2277,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
+@@ -2272,6 +2283,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
  	if (err)
  		return err;
  
@@ -75314,7 +75445,7 @@ index 31e1506..dbf3647 100644
  	if (size == 0)
  		value = "";  /* empty EA, do not remove */
  
-@@ -2606,8 +2620,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
+@@ -2606,8 +2626,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
  	int err = -ENOMEM;
  
  	/* Round up to L1_CACHE_BYTES to resist false sharing */
diff --git a/3.6.9/4425-tmpfs-user-namespace.patch b/3.6.9/4425-tmpfs-user-namespace.patch
index b48d735..f5f4f20 100644
--- a/3.6.9/4425-tmpfs-user-namespace.patch
+++ b/3.6.9/4425-tmpfs-user-namespace.patch
@@ -13,12 +13,11 @@ Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
 ---
 
 diff --git a/mm/shmem.c b/mm/shmem.c
-index 67afba5..697a181 100644
 --- a/mm/shmem.c
 +++ b/mm/shmem.c
-@@ -2208,7 +2208,8 @@ static int shmem_xattr_validate(const char *name)
- {
- 	struct { const char *prefix; size_t len; } arr[] = {
+@@ -2231,7 +2231,8 @@
+ #endif
+ 
  		{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
 -		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
 +		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN },
diff --git a/3.6.9/4450_grsec-kconfig-default-gids.patch b/3.6.9/4450_grsec-kconfig-default-gids.patch
index d4b0b7e..5c5b013 100644
--- a/3.6.9/4450_grsec-kconfig-default-gids.patch
+++ b/3.6.9/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2012-10-13 09:51:35.000000000 -0400
 +++ b/grsecurity/Kconfig	2012-10-13 09:52:32.000000000 -0400
-@@ -522,7 +522,7 @@
+@@ -539,7 +539,7 @@
  config GRKERNSEC_AUDIT_GID
  	int "GID for auditing"
  	depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_EXECLOG
  	bool "Exec logging"
-@@ -742,7 +742,7 @@
+@@ -759,7 +759,7 @@
  config GRKERNSEC_TPE_UNTRUSTED_GID
  	int "GID for TPE-untrusted users"
  	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *enabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -751,7 +751,7 @@
+@@ -768,7 +768,7 @@
  config GRKERNSEC_TPE_TRUSTED_GID
  	int "GID for TPE-trusted users"
  	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -826,7 +826,7 @@
+@@ -843,7 +843,7 @@
  config GRKERNSEC_SOCKET_ALL_GID
  	int "GID to deny all sockets for"
  	depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable socket access for. Remember to
  	  add the users you want socket access disabled for to the GID
-@@ -847,7 +847,7 @@
+@@ -864,7 +864,7 @@
  config GRKERNSEC_SOCKET_CLIENT_GID
  	int "GID to deny client sockets for"
  	depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable client socket access for.
  	  Remember to add the users you want client socket access disabled for to
-@@ -865,7 +865,7 @@
+@@ -882,7 +882,7 @@
  config GRKERNSEC_SOCKET_SERVER_GID
  	int "GID to deny server sockets for"
  	depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.6.9/4465_selinux-avc_audit-log-curr_ip.patch b/3.6.9/4465_selinux-avc_audit-log-curr_ip.patch
index 4fb50f4..217480f 100644
--- a/3.6.9/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.6.9/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-04-17 19:32:53.000000000 -0400
-@@ -924,6 +924,27 @@
+@@ -941,6 +941,27 @@
  menu "Logging Options"
  depends on GRKERNSEC