Grsec/PaX: 3.0-3.2.54-20140105164920140105

44 files changed, 7185 insertions, 787 deletions

diff --git a/3.2.53/0000_README b/3.2.54/0000_README
index 62ff1d5..ffb2597 100644
--- a/3.2.53/0000_README
+++ b/3.2.54/0000_README
@@ -130,7 +130,11 @@ Patch:	1052_linux-3.2.53.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.53
 
-Patch:	4420_grsecurity-3.0-3.2.53-201312262018.patch
+Patch:	1053_linux-3.2.54.patch
+From:	http://www.kernel.org
+Desc:	Linux 3.2.54
+
+Patch:	4420_grsecurity-3.0-3.2.54-201401051649.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.53/1021_linux-3.2.22.patch b/3.2.54/1021_linux-3.2.22.patch
index e6ad93a..e6ad93a 100644
--- a/3.2.53/1021_linux-3.2.22.patch
+++ b/3.2.54/1021_linux-3.2.22.patch
diff --git a/3.2.53/1022_linux-3.2.23.patch b/3.2.54/1022_linux-3.2.23.patch
index 3d796d0..3d796d0 100644
--- a/3.2.53/1022_linux-3.2.23.patch
+++ b/3.2.54/1022_linux-3.2.23.patch
diff --git a/3.2.53/1023_linux-3.2.24.patch b/3.2.54/1023_linux-3.2.24.patch
index 4692eb4..4692eb4 100644
--- a/3.2.53/1023_linux-3.2.24.patch
+++ b/3.2.54/1023_linux-3.2.24.patch
diff --git a/3.2.53/1024_linux-3.2.25.patch b/3.2.54/1024_linux-3.2.25.patch
index e95c213..e95c213 100644
--- a/3.2.53/1024_linux-3.2.25.patch
+++ b/3.2.54/1024_linux-3.2.25.patch
diff --git a/3.2.53/1025_linux-3.2.26.patch b/3.2.54/1025_linux-3.2.26.patch
index 44065b9..44065b9 100644
--- a/3.2.53/1025_linux-3.2.26.patch
+++ b/3.2.54/1025_linux-3.2.26.patch
diff --git a/3.2.53/1026_linux-3.2.27.patch b/3.2.54/1026_linux-3.2.27.patch
index 5878eb4..5878eb4 100644
--- a/3.2.53/1026_linux-3.2.27.patch
+++ b/3.2.54/1026_linux-3.2.27.patch
diff --git a/3.2.53/1027_linux-3.2.28.patch b/3.2.54/1027_linux-3.2.28.patch
index 4dbba4b..4dbba4b 100644
--- a/3.2.53/1027_linux-3.2.28.patch
+++ b/3.2.54/1027_linux-3.2.28.patch
diff --git a/3.2.53/1028_linux-3.2.29.patch b/3.2.54/1028_linux-3.2.29.patch
index 3c65179..3c65179 100644
--- a/3.2.53/1028_linux-3.2.29.patch
+++ b/3.2.54/1028_linux-3.2.29.patch
diff --git a/3.2.53/1029_linux-3.2.30.patch b/3.2.54/1029_linux-3.2.30.patch
index 86aea4b..86aea4b 100644
--- a/3.2.53/1029_linux-3.2.30.patch
+++ b/3.2.54/1029_linux-3.2.30.patch
diff --git a/3.2.53/1030_linux-3.2.31.patch b/3.2.54/1030_linux-3.2.31.patch
index c6accf5..c6accf5 100644
--- a/3.2.53/1030_linux-3.2.31.patch
+++ b/3.2.54/1030_linux-3.2.31.patch
diff --git a/3.2.53/1031_linux-3.2.32.patch b/3.2.54/1031_linux-3.2.32.patch
index 247fc0b..247fc0b 100644
--- a/3.2.53/1031_linux-3.2.32.patch
+++ b/3.2.54/1031_linux-3.2.32.patch
diff --git a/3.2.53/1032_linux-3.2.33.patch b/3.2.54/1032_linux-3.2.33.patch
index c32fb75..c32fb75 100644
--- a/3.2.53/1032_linux-3.2.33.patch
+++ b/3.2.54/1032_linux-3.2.33.patch
diff --git a/3.2.53/1033_linux-3.2.34.patch b/3.2.54/1033_linux-3.2.34.patch
index d647b38..d647b38 100644
--- a/3.2.53/1033_linux-3.2.34.patch
+++ b/3.2.54/1033_linux-3.2.34.patch
diff --git a/3.2.53/1034_linux-3.2.35.patch b/3.2.54/1034_linux-3.2.35.patch
index 76a9c19..76a9c19 100644
--- a/3.2.53/1034_linux-3.2.35.patch
+++ b/3.2.54/1034_linux-3.2.35.patch
diff --git a/3.2.53/1035_linux-3.2.36.patch b/3.2.54/1035_linux-3.2.36.patch
index 5d192a3..5d192a3 100644
--- a/3.2.53/1035_linux-3.2.36.patch
+++ b/3.2.54/1035_linux-3.2.36.patch
diff --git a/3.2.53/1036_linux-3.2.37.patch b/3.2.54/1036_linux-3.2.37.patch
index ad13251..ad13251 100644
--- a/3.2.53/1036_linux-3.2.37.patch
+++ b/3.2.54/1036_linux-3.2.37.patch
diff --git a/3.2.53/1037_linux-3.2.38.patch b/3.2.54/1037_linux-3.2.38.patch
index a3c106f..a3c106f 100644
--- a/3.2.53/1037_linux-3.2.38.patch
+++ b/3.2.54/1037_linux-3.2.38.patch
diff --git a/3.2.53/1038_linux-3.2.39.patch b/3.2.54/1038_linux-3.2.39.patch
index 5639e92..5639e92 100644
--- a/3.2.53/1038_linux-3.2.39.patch
+++ b/3.2.54/1038_linux-3.2.39.patch
diff --git a/3.2.53/1039_linux-3.2.40.patch b/3.2.54/1039_linux-3.2.40.patch
index f26b39c..f26b39c 100644
--- a/3.2.53/1039_linux-3.2.40.patch
+++ b/3.2.54/1039_linux-3.2.40.patch
diff --git a/3.2.53/1040_linux-3.2.41.patch b/3.2.54/1040_linux-3.2.41.patch
index 0d27fcb..0d27fcb 100644
--- a/3.2.53/1040_linux-3.2.41.patch
+++ b/3.2.54/1040_linux-3.2.41.patch
diff --git a/3.2.53/1041_linux-3.2.42.patch b/3.2.54/1041_linux-3.2.42.patch
index 77a08ed..77a08ed 100644
--- a/3.2.53/1041_linux-3.2.42.patch
+++ b/3.2.54/1041_linux-3.2.42.patch
diff --git a/3.2.53/1042_linux-3.2.43.patch b/3.2.54/1042_linux-3.2.43.patch
index a3f878b..a3f878b 100644
--- a/3.2.53/1042_linux-3.2.43.patch
+++ b/3.2.54/1042_linux-3.2.43.patch
diff --git a/3.2.53/1043_linux-3.2.44.patch b/3.2.54/1043_linux-3.2.44.patch
index 3d5e6ff..3d5e6ff 100644
--- a/3.2.53/1043_linux-3.2.44.patch
+++ b/3.2.54/1043_linux-3.2.44.patch
diff --git a/3.2.53/1044_linux-3.2.45.patch b/3.2.54/1044_linux-3.2.45.patch
index 44e1767..44e1767 100644
--- a/3.2.53/1044_linux-3.2.45.patch
+++ b/3.2.54/1044_linux-3.2.45.patch
diff --git a/3.2.53/1045_linux-3.2.46.patch b/3.2.54/1045_linux-3.2.46.patch
index bc10efd..bc10efd 100644
--- a/3.2.53/1045_linux-3.2.46.patch
+++ b/3.2.54/1045_linux-3.2.46.patch
diff --git a/3.2.53/1046_linux-3.2.47.patch b/3.2.54/1046_linux-3.2.47.patch
index b74563c..b74563c 100644
--- a/3.2.53/1046_linux-3.2.47.patch
+++ b/3.2.54/1046_linux-3.2.47.patch
diff --git a/3.2.53/1047_linux-3.2.48.patch b/3.2.54/1047_linux-3.2.48.patch
index 6d55b1f..6d55b1f 100644
--- a/3.2.53/1047_linux-3.2.48.patch
+++ b/3.2.54/1047_linux-3.2.48.patch
diff --git a/3.2.53/1048_linux-3.2.49.patch b/3.2.54/1048_linux-3.2.49.patch
index 2dab0cf..2dab0cf 100644
--- a/3.2.53/1048_linux-3.2.49.patch
+++ b/3.2.54/1048_linux-3.2.49.patch
diff --git a/3.2.53/1049_linux-3.2.50.patch b/3.2.54/1049_linux-3.2.50.patch
index 20b3015..20b3015 100644
--- a/3.2.53/1049_linux-3.2.50.patch
+++ b/3.2.54/1049_linux-3.2.50.patch
diff --git a/3.2.53/1050_linux-3.2.51.patch b/3.2.54/1050_linux-3.2.51.patch
index 5d5832b..5d5832b 100644
--- a/3.2.53/1050_linux-3.2.51.patch
+++ b/3.2.54/1050_linux-3.2.51.patch
diff --git a/3.2.53/1051_linux-3.2.52.patch b/3.2.54/1051_linux-3.2.52.patch
index 94b9359..94b9359 100644
--- a/3.2.53/1051_linux-3.2.52.patch
+++ b/3.2.54/1051_linux-3.2.52.patch
diff --git a/3.2.53/1052_linux-3.2.53.patch b/3.2.54/1052_linux-3.2.53.patch
index 986d714..986d714 100644
--- a/3.2.53/1052_linux-3.2.53.patch
+++ b/3.2.54/1052_linux-3.2.53.patch
diff --git a/3.2.54/1053_linux-3.2.54.patch b/3.2.54/1053_linux-3.2.54.patch
new file mode 100644
index 0000000..a907496
--- /dev/null
+++ b/3.2.54/1053_linux-3.2.54.patch
@@ -0,0 +1,6825 @@
+diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
+index 1f24636..2a68089 100644
+--- a/Documentation/sysctl/kernel.txt
++++ b/Documentation/sysctl/kernel.txt
+@@ -283,13 +283,24 @@ Default value is "/sbin/hotplug".
+ kptr_restrict:
+ 
+ This toggle indicates whether restrictions are placed on
+-exposing kernel addresses via /proc and other interfaces.  When
+-kptr_restrict is set to (0), there are no restrictions.  When
+-kptr_restrict is set to (1), the default, kernel pointers
+-printed using the %pK format specifier will be replaced with 0's
+-unless the user has CAP_SYSLOG.  When kptr_restrict is set to
+-(2), kernel pointers printed using %pK will be replaced with 0's
+-regardless of privileges.
++exposing kernel addresses via /proc and other interfaces.
++
++When kptr_restrict is set to (0), the default, there are no restrictions.
++
++When kptr_restrict is set to (1), kernel pointers printed using the %pK
++format specifier will be replaced with 0's unless the user has CAP_SYSLOG
++and effective user and group ids are equal to the real ids. This is
++because %pK checks are done at read() time rather than open() time, so
++if permissions are elevated between the open() and the read() (e.g via
++a setuid binary) then %pK will not leak kernel pointers to unprivileged
++users. Note, this is a temporary solution only. The correct long-term
++solution is to do the permission checks at open() time. Consider removing
++world read permissions from files that use %pK, and using dmesg_restrict
++to protect against uses of %pK in dmesg(8) if leaking kernel pointer
++values to unprivileged users is a concern.
++
++When kptr_restrict is set to (2), kernel pointers printed using
++%pK will be replaced with 0's regardless of privileges.
+ 
+ ==============================================================
+ 
+diff --git a/Makefile b/Makefile
+index 90f57dc..848be26 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 2
+-SUBLEVEL = 53
++SUBLEVEL = 54
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+ 
+diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
+index 7bb8bf9..b7c5d5d 100644
+--- a/arch/arm/include/asm/assembler.h
++++ b/arch/arm/include/asm/assembler.h
+@@ -307,4 +307,12 @@
+ 	.size \name , . - \name
+ 	.endm
+ 
++	.macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req
++#ifndef CONFIG_CPU_USE_DOMAINS
++	adds	\tmp, \addr, #\size - 1
++	sbcccs	\tmp, \tmp, \limit
++	bcs	\bad
++#endif
++	.endm
++
+ #endif /* __ASM_ASSEMBLER_H__ */
+diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
+index b293616..292c3f8 100644
+--- a/arch/arm/include/asm/uaccess.h
++++ b/arch/arm/include/asm/uaccess.h
+@@ -101,28 +101,39 @@ extern int __get_user_1(void *);
+ extern int __get_user_2(void *);
+ extern int __get_user_4(void *);
+ 
+-#define __get_user_x(__r2,__p,__e,__s,__i...)				\
++#define __GUP_CLOBBER_1	"lr", "cc"
++#ifdef CONFIG_CPU_USE_DOMAINS
++#define __GUP_CLOBBER_2	"ip", "lr", "cc"
++#else
++#define __GUP_CLOBBER_2 "lr", "cc"
++#endif
++#define __GUP_CLOBBER_4	"lr", "cc"
++
++#define __get_user_x(__r2,__p,__e,__l,__s)				\
+ 	   __asm__ __volatile__ (					\
+ 		__asmeq("%0", "r0") __asmeq("%1", "r2")			\
++		__asmeq("%3", "r1")					\
+ 		"bl	__get_user_" #__s				\
+ 		: "=&r" (__e), "=r" (__r2)				\
+-		: "0" (__p)						\
+-		: __i, "cc")
++		: "0" (__p), "r" (__l)					\
++		: __GUP_CLOBBER_##__s)
+ 
+ #define get_user(x,p)							\
+ 	({								\
++		unsigned long __limit = current_thread_info()->addr_limit - 1; \
+ 		register const typeof(*(p)) __user *__p asm("r0") = (p);\
+ 		register unsigned long __r2 asm("r2");			\
++		register unsigned long __l asm("r1") = __limit;		\
+ 		register int __e asm("r0");				\
+ 		switch (sizeof(*(__p))) {				\
+ 		case 1:							\
+-			__get_user_x(__r2, __p, __e, 1, "lr");		\
+-	       		break;						\
++			__get_user_x(__r2, __p, __e, __l, 1);		\
++			break;						\
+ 		case 2:							\
+-			__get_user_x(__r2, __p, __e, 2, "r3", "lr");	\
++			__get_user_x(__r2, __p, __e, __l, 2);		\
+ 			break;						\
+ 		case 4:							\
+-	       		__get_user_x(__r2, __p, __e, 4, "lr");		\
++			__get_user_x(__r2, __p, __e, __l, 4);		\
+ 			break;						\
+ 		default: __e = __get_user_bad(); break;			\
+ 		}							\
+@@ -135,31 +146,34 @@ extern int __put_user_2(void *, unsigned int);
+ extern int __put_user_4(void *, unsigned int);
+ extern int __put_user_8(void *, unsigned long long);
+ 
+-#define __put_user_x(__r2,__p,__e,__s)					\
++#define __put_user_x(__r2,__p,__e,__l,__s)				\
+ 	   __asm__ __volatile__ (					\
+ 		__asmeq("%0", "r0") __asmeq("%2", "r2")			\
++		__asmeq("%3", "r1")					\
+ 		"bl	__put_user_" #__s				\
+ 		: "=&r" (__e)						\
+-		: "0" (__p), "r" (__r2)					\
++		: "0" (__p), "r" (__r2), "r" (__l)			\
+ 		: "ip", "lr", "cc")
+ 
+ #define put_user(x,p)							\
+ 	({								\
++		unsigned long __limit = current_thread_info()->addr_limit - 1; \
+ 		register const typeof(*(p)) __r2 asm("r2") = (x);	\
+ 		register const typeof(*(p)) __user *__p asm("r0") = (p);\
++		register unsigned long __l asm("r1") = __limit;		\
+ 		register int __e asm("r0");				\
+ 		switch (sizeof(*(__p))) {				\
+ 		case 1:							\
+-			__put_user_x(__r2, __p, __e, 1);		\
++			__put_user_x(__r2, __p, __e, __l, 1);		\
+ 			break;						\
+ 		case 2:							\
+-			__put_user_x(__r2, __p, __e, 2);		\
++			__put_user_x(__r2, __p, __e, __l, 2);		\
+ 			break;						\
+ 		case 4:							\
+-			__put_user_x(__r2, __p, __e, 4);		\
++			__put_user_x(__r2, __p, __e, __l, 4);		\
+ 			break;						\
+ 		case 8:							\
+-			__put_user_x(__r2, __p, __e, 8);		\
++			__put_user_x(__r2, __p, __e, __l, 8);		\
+ 			break;						\
+ 		default: __e = __put_user_bad(); break;			\
+ 		}							\
+diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
+index e68d251..d9e3c61 100644
+--- a/arch/arm/kernel/process.c
++++ b/arch/arm/kernel/process.c
+@@ -468,6 +468,7 @@ EXPORT_SYMBOL(kernel_thread);
+ unsigned long get_wchan(struct task_struct *p)
+ {
+ 	struct stackframe frame;
++	unsigned long stack_page;
+ 	int count = 0;
+ 	if (!p || p == current || p->state == TASK_RUNNING)
+ 		return 0;
+@@ -476,9 +477,11 @@ unsigned long get_wchan(struct task_struct *p)
+ 	frame.sp = thread_saved_sp(p);
+ 	frame.lr = 0;			/* recovered from the stack */
+ 	frame.pc = thread_saved_pc(p);
++	stack_page = (unsigned long)task_stack_page(p);
+ 	do {
+-		int ret = unwind_frame(&frame);
+-		if (ret < 0)
++		if (frame.sp < stack_page ||
++		    frame.sp >= stack_page + THREAD_SIZE ||
++		    unwind_frame(&frame) < 0)
+ 			return 0;
+ 		if (!in_sched_functions(frame.pc))
+ 			return frame.pc;
+diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c
+index 00f79e5..af4e8c8 100644
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -31,7 +31,7 @@ int notrace unwind_frame(struct stackframe *frame)
+ 	high = ALIGN(low, THREAD_SIZE);
+ 
+ 	/* check current frame pointer is within bounds */
+-	if (fp < (low + 12) || fp + 4 >= high)
++	if (fp < low + 12 || fp > high - 4)
+ 		return -EINVAL;
+ 
+ 	/* restore the registers from the stack frame */
+diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S
+index 1b049cd..4306fbf 100644
+--- a/arch/arm/lib/getuser.S
++++ b/arch/arm/lib/getuser.S
+@@ -16,8 +16,9 @@
+  * __get_user_X
+  *
+  * Inputs:	r0 contains the address
++ *		r1 contains the address limit, which must be preserved
+  * Outputs:	r0 is the error code
+- *		r2, r3 contains the zero-extended value
++ *		r2 contains the zero-extended value
+  *		lr corrupted
+  *
+  * No other registers must be altered.  (see <asm/uaccess.h>
+@@ -27,33 +28,39 @@
+  * Note also that it is intended that __get_user_bad is not global.
+  */
+ #include <linux/linkage.h>
++#include <asm/assembler.h>
+ #include <asm/errno.h>
+ #include <asm/domain.h>
+ 
+ ENTRY(__get_user_1)
++	check_uaccess r0, 1, r1, r2, __get_user_bad
+ 1:	T(ldrb)	r2, [r0]
+ 	mov	r0, #0
+ 	mov	pc, lr
+ ENDPROC(__get_user_1)
+ 
+ ENTRY(__get_user_2)
+-#ifdef CONFIG_THUMB2_KERNEL
+-2:	T(ldrb)	r2, [r0]
+-3:	T(ldrb)	r3, [r0, #1]
++	check_uaccess r0, 2, r1, r2, __get_user_bad
++#ifdef CONFIG_CPU_USE_DOMAINS
++rb	.req	ip
++2:	ldrbt	r2, [r0], #1
++3:	ldrbt	rb, [r0], #0
+ #else
+-2:	T(ldrb)	r2, [r0], #1
+-3:	T(ldrb)	r3, [r0]
++rb	.req	r0
++2:	ldrb	r2, [r0]
++3:	ldrb	rb, [r0, #1]
+ #endif
+ #ifndef __ARMEB__
+-	orr	r2, r2, r3, lsl #8
++	orr	r2, r2, rb, lsl #8
+ #else
+-	orr	r2, r3, r2, lsl #8
++	orr	r2, rb, r2, lsl #8
+ #endif
+ 	mov	r0, #0
+ 	mov	pc, lr
+ ENDPROC(__get_user_2)
+ 
+ ENTRY(__get_user_4)
++	check_uaccess r0, 4, r1, r2, __get_user_bad
+ 4:	T(ldr)	r2, [r0]
+ 	mov	r0, #0
+ 	mov	pc, lr
+diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S
+index c023fc1..9a897fa 100644
+--- a/arch/arm/lib/putuser.S
++++ b/arch/arm/lib/putuser.S
+@@ -16,6 +16,7 @@
+  * __put_user_X
+  *
+  * Inputs:	r0 contains the address
++ *		r1 contains the address limit, which must be preserved
+  *		r2, r3 contains the value
+  * Outputs:	r0 is the error code
+  *		lr corrupted
+@@ -27,16 +28,19 @@
+  * Note also that it is intended that __put_user_bad is not global.
+  */
+ #include <linux/linkage.h>
++#include <asm/assembler.h>
+ #include <asm/errno.h>
+ #include <asm/domain.h>
+ 
+ ENTRY(__put_user_1)
++	check_uaccess r0, 1, r1, ip, __put_user_bad
+ 1:	T(strb)	r2, [r0]
+ 	mov	r0, #0
+ 	mov	pc, lr
+ ENDPROC(__put_user_1)
+ 
+ ENTRY(__put_user_2)
++	check_uaccess r0, 2, r1, ip, __put_user_bad
+ 	mov	ip, r2, lsr #8
+ #ifdef CONFIG_THUMB2_KERNEL
+ #ifndef __ARMEB__
+@@ -60,12 +64,14 @@ ENTRY(__put_user_2)
+ ENDPROC(__put_user_2)
+ 
+ ENTRY(__put_user_4)
++	check_uaccess r0, 4, r1, ip, __put_user_bad
+ 4:	T(str)	r2, [r0]
+ 	mov	r0, #0
+ 	mov	pc, lr
+ ENDPROC(__put_user_4)
+ 
+ ENTRY(__put_user_8)
++	check_uaccess r0, 8, r1, ip, __put_user_bad
+ #ifdef CONFIG_THUMB2_KERNEL
+ 5:	T(str)	r2, [r0]
+ 6:	T(str)	r3, [r0, #4]
+diff --git a/arch/arm/mach-footbridge/common.c b/arch/arm/mach-footbridge/common.c
+index 38a44f9..5b91e45 100644
+--- a/arch/arm/mach-footbridge/common.c
++++ b/arch/arm/mach-footbridge/common.c
+@@ -15,6 +15,7 @@
+ #include <linux/init.h>
+ #include <linux/io.h>
+ #include <linux/spinlock.h>
++#include <video/vga.h>
+  
+ #include <asm/pgtable.h>
+ #include <asm/page.h>
+@@ -197,6 +198,8 @@ void __init footbridge_map_io(void)
+ 	 */
+ 	if (footbridge_cfn_mode())
+ 		iotable_init(ebsa285_host_io_desc, ARRAY_SIZE(ebsa285_host_io_desc));
++
++	vga_base = PCIMEM_BASE;
+ }
+ 
+ #ifdef CONFIG_FOOTBRIDGE_ADDIN
+diff --git a/arch/arm/mach-footbridge/dc21285.c b/arch/arm/mach-footbridge/dc21285.c
+index 18c32a5..a8dfa00 100644
+--- a/arch/arm/mach-footbridge/dc21285.c
++++ b/arch/arm/mach-footbridge/dc21285.c
+@@ -18,7 +18,6 @@
+ #include <linux/irq.h>
+ #include <linux/io.h>
+ #include <linux/spinlock.h>
+-#include <video/vga.h>
+ 
+ #include <asm/irq.h>
+ #include <asm/system.h>
+@@ -297,7 +296,6 @@ void __init dc21285_preinit(void)
+ 	int cfn_mode;
+ 
+ 	pcibios_min_mem = 0x81000000;
+-	vga_base = PCIMEM_BASE;
+ 
+ 	mem_size = (unsigned int)high_memory - PAGE_OFFSET;
+ 	for (mem_mask = 0x00100000; mem_mask < 0x10000000; mem_mask <<= 1)
+diff --git a/arch/arm/mach-integrator/integrator_cp.c b/arch/arm/mach-integrator/integrator_cp.c
+index 5de49c3..892d0d6 100644
+--- a/arch/arm/mach-integrator/integrator_cp.c
++++ b/arch/arm/mach-integrator/integrator_cp.c
+@@ -384,7 +384,8 @@ static struct amba_device aaci_device = {
+ static void cp_clcd_enable(struct clcd_fb *fb)
+ {
+ 	struct fb_var_screeninfo *var = &fb->fb.var;
+-	u32 val = CM_CTRL_STATIC1 | CM_CTRL_STATIC2;
++	u32 val = CM_CTRL_STATIC1 | CM_CTRL_STATIC2
++			| CM_CTRL_LCDEN0 | CM_CTRL_LCDEN1;
+ 
+ 	if (var->bits_per_pixel <= 8 ||
+ 	    (var->bits_per_pixel == 16 && var->green.length == 5))
+diff --git a/arch/arm/mach-pxa/reset.c b/arch/arm/mach-pxa/reset.c
+index 01e9d64..0e25348 100644
+--- a/arch/arm/mach-pxa/reset.c
++++ b/arch/arm/mach-pxa/reset.c
+@@ -12,6 +12,7 @@
+ 
+ #include <mach/regs-ost.h>
+ #include <mach/reset.h>
++#include <mach/smemc.h>
+ 
+ unsigned int reset_status;
+ EXPORT_SYMBOL(reset_status);
+@@ -79,6 +80,12 @@ static void do_hw_reset(void)
+ 	OWER = OWER_WME;
+ 	OSSR = OSSR_M3;
+ 	OSMR3 = OSCR + 368640;	/* ... in 100 ms */
++	/*
++	 * SDRAM hangs on watchdog reset on Marvell PXA270 (erratum 71)
++	 * we put SDRAM into self-refresh to prevent that
++	 */
++	while (1)
++		writel_relaxed(MDREFR_SLFRSH, MDREFR);
+ }
+ 
+ void arch_reset(char mode, const char *cmd)
+@@ -99,4 +106,3 @@ void arch_reset(char mode, const char *cmd)
+ 		break;
+ 	}
+ }
+-
+diff --git a/arch/arm/mach-pxa/tosa.c b/arch/arm/mach-pxa/tosa.c
+index 402b0c96..33dd57c 100644
+--- a/arch/arm/mach-pxa/tosa.c
++++ b/arch/arm/mach-pxa/tosa.c
+@@ -424,57 +424,57 @@ static struct platform_device tosa_power_device = {
+  * Tosa Keyboard
+  */
+ static const uint32_t tosakbd_keymap[] = {
+-	KEY(0, 2, KEY_W),
+-	KEY(0, 6, KEY_K),
+-	KEY(0, 7, KEY_BACKSPACE),
+-	KEY(0, 8, KEY_P),
+-	KEY(1, 1, KEY_Q),
+-	KEY(1, 2, KEY_E),
+-	KEY(1, 3, KEY_T),
+-	KEY(1, 4, KEY_Y),
+-	KEY(1, 6, KEY_O),
+-	KEY(1, 7, KEY_I),
+-	KEY(1, 8, KEY_COMMA),
+-	KEY(2, 1, KEY_A),
+-	KEY(2, 2, KEY_D),
+-	KEY(2, 3, KEY_G),
+-	KEY(2, 4, KEY_U),
+-	KEY(2, 6, KEY_L),
+-	KEY(2, 7, KEY_ENTER),
+-	KEY(2, 8, KEY_DOT),
+-	KEY(3, 1, KEY_Z),
+-	KEY(3, 2, KEY_C),
+-	KEY(3, 3, KEY_V),
+-	KEY(3, 4, KEY_J),
+-	KEY(3, 5, TOSA_KEY_ADDRESSBOOK),
+-	KEY(3, 6, TOSA_KEY_CANCEL),
+-	KEY(3, 7, TOSA_KEY_CENTER),
+-	KEY(3, 8, TOSA_KEY_OK),
+-	KEY(3, 9, KEY_LEFTSHIFT),
+-	KEY(4, 1, KEY_S),
+-	KEY(4, 2, KEY_R),
+-	KEY(4, 3, KEY_B),
+-	KEY(4, 4, KEY_N),
+-	KEY(4, 5, TOSA_KEY_CALENDAR),
+-	KEY(4, 6, TOSA_KEY_HOMEPAGE),
+-	KEY(4, 7, KEY_LEFTCTRL),
+-	KEY(4, 8, TOSA_KEY_LIGHT),
+-	KEY(4, 10, KEY_RIGHTSHIFT),
+-	KEY(5, 1, KEY_TAB),
+-	KEY(5, 2, KEY_SLASH),
+-	KEY(5, 3, KEY_H),
+-	KEY(5, 4, KEY_M),
+-	KEY(5, 5, TOSA_KEY_MENU),
+-	KEY(5, 7, KEY_UP),
+-	KEY(5, 11, TOSA_KEY_FN),
+-	KEY(6, 1, KEY_X),
+-	KEY(6, 2, KEY_F),
+-	KEY(6, 3, KEY_SPACE),
+-	KEY(6, 4, KEY_APOSTROPHE),
+-	KEY(6, 5, TOSA_KEY_MAIL),
+-	KEY(6, 6, KEY_LEFT),
+-	KEY(6, 7, KEY_DOWN),
+-	KEY(6, 8, KEY_RIGHT),
++	KEY(0, 1, KEY_W),
++	KEY(0, 5, KEY_K),
++	KEY(0, 6, KEY_BACKSPACE),
++	KEY(0, 7, KEY_P),
++	KEY(1, 0, KEY_Q),
++	KEY(1, 1, KEY_E),
++	KEY(1, 2, KEY_T),
++	KEY(1, 3, KEY_Y),
++	KEY(1, 5, KEY_O),
++	KEY(1, 6, KEY_I),
++	KEY(1, 7, KEY_COMMA),
++	KEY(2, 0, KEY_A),
++	KEY(2, 1, KEY_D),
++	KEY(2, 2, KEY_G),
++	KEY(2, 3, KEY_U),
++	KEY(2, 5, KEY_L),
++	KEY(2, 6, KEY_ENTER),
++	KEY(2, 7, KEY_DOT),
++	KEY(3, 0, KEY_Z),
++	KEY(3, 1, KEY_C),
++	KEY(3, 2, KEY_V),
++	KEY(3, 3, KEY_J),
++	KEY(3, 4, TOSA_KEY_ADDRESSBOOK),
++	KEY(3, 5, TOSA_KEY_CANCEL),
++	KEY(3, 6, TOSA_KEY_CENTER),
++	KEY(3, 7, TOSA_KEY_OK),
++	KEY(3, 8, KEY_LEFTSHIFT),
++	KEY(4, 0, KEY_S),
++	KEY(4, 1, KEY_R),
++	KEY(4, 2, KEY_B),
++	KEY(4, 3, KEY_N),
++	KEY(4, 4, TOSA_KEY_CALENDAR),
++	KEY(4, 5, TOSA_KEY_HOMEPAGE),
++	KEY(4, 6, KEY_LEFTCTRL),
++	KEY(4, 7, TOSA_KEY_LIGHT),
++	KEY(4, 9, KEY_RIGHTSHIFT),
++	KEY(5, 0, KEY_TAB),
++	KEY(5, 1, KEY_SLASH),
++	KEY(5, 2, KEY_H),
++	KEY(5, 3, KEY_M),
++	KEY(5, 4, TOSA_KEY_MENU),
++	KEY(5, 6, KEY_UP),
++	KEY(5, 10, TOSA_KEY_FN),
++	KEY(6, 0, KEY_X),
++	KEY(6, 1, KEY_F),
++	KEY(6, 2, KEY_SPACE),
++	KEY(6, 3, KEY_APOSTROPHE),
++	KEY(6, 4, TOSA_KEY_MAIL),
++	KEY(6, 5, KEY_LEFT),
++	KEY(6, 6, KEY_DOWN),
++	KEY(6, 7, KEY_RIGHT),
+ };
+ 
+ static struct matrix_keymap_data tosakbd_keymap_data = {
+diff --git a/arch/arm/mach-sa1100/assabet.c b/arch/arm/mach-sa1100/assabet.c
+index 3dd133f..ef8d9d8 100644
+--- a/arch/arm/mach-sa1100/assabet.c
++++ b/arch/arm/mach-sa1100/assabet.c
+@@ -411,6 +411,9 @@ static void __init assabet_map_io(void)
+ 	 * Its called GPCLKR0 in my SA1110 manual.
+ 	 */
+ 	Ser1SDCR0 |= SDCR0_SUS;
++	MSC1 = (MSC1 & ~0xffff) |
++		MSC_NonBrst | MSC_32BitStMem |
++		MSC_RdAcc(2) | MSC_WrAcc(2) | MSC_Rec(0);
+ 
+ 	if (machine_has_neponset()) {
+ #ifdef CONFIG_ASSABET_NEPONSET
+diff --git a/arch/avr32/boot/u-boot/head.S b/arch/avr32/boot/u-boot/head.S
+index 4488fa2..2ffc298 100644
+--- a/arch/avr32/boot/u-boot/head.S
++++ b/arch/avr32/boot/u-boot/head.S
+@@ -8,6 +8,8 @@
+  * published by the Free Software Foundation.
+  */
+ #include <asm/setup.h>
++#include <asm/thread_info.h>
++#include <asm/sysreg.h>
+ 
+ 	/*
+ 	 * The kernel is loaded where we want it to be and all caches
+@@ -20,11 +22,6 @@
+ 	.section .init.text,"ax"
+ 	.global _start
+ _start:
+-	/* Check if the boot loader actually provided a tag table */
+-	lddpc	r0, magic_number
+-	cp.w	r12, r0
+-	brne	no_tag_table
+-
+ 	/* Initialize .bss */
+ 	lddpc	r2, bss_start_addr
+ 	lddpc   r3, end_addr
+@@ -34,6 +31,25 @@ _start:
+ 	cp      r2, r3
+ 	brlo    1b
+ 
++	/* Initialize status register */
++	lddpc	r0, init_sr
++	mtsr	SYSREG_SR, r0
++
++	/* Set initial stack pointer */
++	lddpc	sp, stack_addr
++	sub	sp, -THREAD_SIZE
++
++#ifdef CONFIG_FRAME_POINTER
++	/* Mark last stack frame */
++	mov	lr, 0
++	mov	r7, 0
++#endif
++
++	/* Check if the boot loader actually provided a tag table */
++	lddpc	r0, magic_number
++	cp.w	r12, r0
++	brne	no_tag_table
++
+ 	/*
+ 	 * Save the tag table address for later use. This must be done
+ 	 * _after_ .bss has been initialized...
+@@ -53,8 +69,15 @@ bss_start_addr:
+ 	.long   __bss_start
+ end_addr:
+ 	.long   _end
++init_sr:
++	.long	0x007f0000	/* Supervisor mode, everything masked */
++stack_addr:
++	.long	init_thread_union
++panic_addr:
++	.long	panic
+ 
+ no_tag_table:
+ 	sub	r12, pc, (. - 2f)
+-	bral	panic
++	/* branch to panic() which can be far away with that construct */
++	lddpc	pc, panic_addr
+ 2:	.asciz	"Boot loader didn't provide correct magic number\n"
+diff --git a/arch/avr32/kernel/entry-avr32b.S b/arch/avr32/kernel/entry-avr32b.S
+index 169268c..a91e898 100644
+--- a/arch/avr32/kernel/entry-avr32b.S
++++ b/arch/avr32/kernel/entry-avr32b.S
+@@ -399,9 +399,10 @@ handle_critical:
+ 	/* We should never get here... */
+ bad_return:
+ 	sub	r12, pc, (. - 1f)
+-	bral	panic
++	lddpc	pc, 2f
+ 	.align	2
+ 1:	.asciz	"Return from critical exception!"
++2:	.long	panic
+ 
+ 	.align	1
+ do_bus_error_write:
+diff --git a/arch/avr32/kernel/head.S b/arch/avr32/kernel/head.S
+index 6163bd0..59eae6d 100644
+--- a/arch/avr32/kernel/head.S
++++ b/arch/avr32/kernel/head.S
+@@ -10,33 +10,13 @@
+ #include <linux/linkage.h>
+ 
+ #include <asm/page.h>
+-#include <asm/thread_info.h>
+-#include <asm/sysreg.h>
+ 
+ 	.section .init.text,"ax"
+ 	.global kernel_entry
+ kernel_entry:
+-	/* Initialize status register */
+-	lddpc   r0, init_sr
+-	mtsr	SYSREG_SR, r0
+-
+-	/* Set initial stack pointer */
+-	lddpc   sp, stack_addr
+-	sub	sp, -THREAD_SIZE
+-
+-#ifdef CONFIG_FRAME_POINTER
+-	/* Mark last stack frame */
+-	mov	lr, 0
+-	mov	r7, 0
+-#endif
+-
+ 	/* Start the show */
+ 	lddpc   pc, kernel_start_addr
+ 
+ 	.align  2
+-init_sr:
+-	.long   0x007f0000	/* Supervisor mode, everything masked */
+-stack_addr:
+-	.long   init_thread_union
+ kernel_start_addr:
+ 	.long   start_kernel
+diff --git a/arch/cris/include/asm/io.h b/arch/cris/include/asm/io.h
+index ac12ae2..db9a16c 100644
+--- a/arch/cris/include/asm/io.h
++++ b/arch/cris/include/asm/io.h
+@@ -3,6 +3,7 @@
+ 
+ #include <asm/page.h>   /* for __va, __pa */
+ #include <arch/io.h>
++#include <asm-generic/iomap.h>
+ #include <linux/kernel.h>
+ 
+ struct cris_io_operations
+diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h
+index d9f397f..fba7696 100644
+--- a/arch/ia64/include/asm/processor.h
++++ b/arch/ia64/include/asm/processor.h
+@@ -320,7 +320,7 @@ struct thread_struct {
+ 	regs->loadrs = 0;									\
+ 	regs->r8 = get_dumpable(current->mm);	/* set "don't zap registers" flag */		\
+ 	regs->r12 = new_sp - 16;	/* allocate 16 byte scratch area */			\
+-	if (unlikely(!get_dumpable(current->mm))) {							\
++	if (unlikely(get_dumpable(current->mm) != SUID_DUMP_USER)) {	\
+ 		/*										\
+ 		 * Zap scratch regs to avoid leaking bits between processes with different	\
+ 		 * uid/privileges.								\
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index 836a5a1..fa1e56b 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -445,6 +445,12 @@ static int save_user_regs(struct pt_regs *regs, struct mcontext __user *frame,
+ #endif /* CONFIG_ALTIVEC */
+ 	if (copy_fpr_to_user(&frame->mc_fregs, current))
+ 		return 1;
++
++	/*
++	 * Clear the MSR VSX bit to indicate there is no valid state attached
++	 * to this context, except in the specific case below where we set it.
++	 */
++	msr &= ~MSR_VSX;
+ #ifdef CONFIG_VSX
+ 	/*
+ 	 * Copy VSR 0-31 upper half from thread_struct to local
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index a50b5ec..60d1f75 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -116,6 +116,12 @@ static long setup_sigcontext(struct sigcontext __user *sc, struct pt_regs *regs,
+ 	flush_fp_to_thread(current);
+ 	/* copy fpr regs and fpscr */
+ 	err |= copy_fpr_to_user(&sc->fp_regs, current);
++
++	/*
++	 * Clear the MSR VSX bit to indicate there is no valid state attached
++	 * to this context, except in the specific case below where we set it.
++	 */
++	msr &= ~MSR_VSX;
+ #ifdef CONFIG_VSX
+ 	/*
+ 	 * Copy VSX low doubleword to local buffer for formatting,
+diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c
+index e74f86e..304680a 100644
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -235,8 +235,6 @@ static u64 scan_dispatch_log(u64 stop_tb)
+ 	if (i == vpa->dtl_idx)
+ 		return 0;
+ 	while (i < vpa->dtl_idx) {
+-		if (dtl_consumer)
+-			dtl_consumer(dtl, i);
+ 		dtb = dtl->timebase;
+ 		tb_delta = dtl->enqueue_to_dispatch_time +
+ 			dtl->ready_to_enqueue_time;
+@@ -249,6 +247,8 @@ static u64 scan_dispatch_log(u64 stop_tb)
+ 		}
+ 		if (dtb > stop_tb)
+ 			break;
++		if (dtl_consumer)
++			dtl_consumer(dtl, i);
+ 		stolen += tb_delta;
+ 		++i;
+ 		++dtl;
+diff --git a/arch/powerpc/kernel/vio.c b/arch/powerpc/kernel/vio.c
+index f65af61..dfb1c19 100644
+--- a/arch/powerpc/kernel/vio.c
++++ b/arch/powerpc/kernel/vio.c
+@@ -1351,11 +1351,15 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
+ 	const char *cp;
+ 
+ 	dn = dev->of_node;
+-	if (!dn)
+-		return -ENODEV;
++	if (!dn) {
++		strcpy(buf, "\n");
++		return strlen(buf);
++	}
+ 	cp = of_get_property(dn, "compatible", NULL);
+-	if (!cp)
+-		return -ENODEV;
++	if (!cp) {
++		strcpy(buf, "\n");
++		return strlen(buf);
++	}
+ 
+ 	return sprintf(buf, "vio:T%sS%s\n", vio_dev->type, cp);
+ }
+diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
+index a9ce135..3ec8b39 100644
+--- a/arch/s390/crypto/aes_s390.c
++++ b/arch/s390/crypto/aes_s390.c
+@@ -35,7 +35,6 @@ static u8 *ctrblk;
+ static char keylen_flag;
+ 
+ struct s390_aes_ctx {
+-	u8 iv[AES_BLOCK_SIZE];
+ 	u8 key[AES_MAX_KEY_SIZE];
+ 	long enc;
+ 	long dec;
+@@ -56,8 +55,7 @@ struct pcc_param {
+ 
+ struct s390_xts_ctx {
+ 	u8 key[32];
+-	u8 xts_param[16];
+-	struct pcc_param pcc;
++	u8 pcc_key[32];
+ 	long enc;
+ 	long dec;
+ 	int key_len;
+@@ -442,29 +440,35 @@ static int cbc_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
+ 	return aes_set_key(tfm, in_key, key_len);
+ }
+ 
+-static int cbc_aes_crypt(struct blkcipher_desc *desc, long func, void *param,
++static int cbc_aes_crypt(struct blkcipher_desc *desc, long func,
+ 			 struct blkcipher_walk *walk)
+ {
++	struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm);
+ 	int ret = blkcipher_walk_virt(desc, walk);
+ 	unsigned int nbytes = walk->nbytes;
++	struct {
++		u8 iv[AES_BLOCK_SIZE];
++		u8 key[AES_MAX_KEY_SIZE];
++	} param;
+ 
+ 	if (!nbytes)
+ 		goto out;
+ 
+-	memcpy(param, walk->iv, AES_BLOCK_SIZE);
++	memcpy(param.iv, walk->iv, AES_BLOCK_SIZE);
++	memcpy(param.key, sctx->key, sctx->key_len);
+ 	do {
+ 		/* only use complete blocks */
+ 		unsigned int n = nbytes & ~(AES_BLOCK_SIZE - 1);
+ 		u8 *out = walk->dst.virt.addr;
+ 		u8 *in = walk->src.virt.addr;
+ 
+-		ret = crypt_s390_kmc(func, param, out, in, n);
++		ret = crypt_s390_kmc(func, &param, out, in, n);
+ 		BUG_ON((ret < 0) || (ret != n));
+ 
+ 		nbytes &= AES_BLOCK_SIZE - 1;
+ 		ret = blkcipher_walk_done(desc, walk, nbytes);
+ 	} while ((nbytes = walk->nbytes));
+-	memcpy(walk->iv, param, AES_BLOCK_SIZE);
++	memcpy(walk->iv, param.iv, AES_BLOCK_SIZE);
+ 
+ out:
+ 	return ret;
+@@ -481,7 +485,7 @@ static int cbc_aes_encrypt(struct blkcipher_desc *desc,
+ 		return fallback_blk_enc(desc, dst, src, nbytes);
+ 
+ 	blkcipher_walk_init(&walk, dst, src, nbytes);
+-	return cbc_aes_crypt(desc, sctx->enc, sctx->iv, &walk);
++	return cbc_aes_crypt(desc, sctx->enc, &walk);
+ }
+ 
+ static int cbc_aes_decrypt(struct blkcipher_desc *desc,
+@@ -495,7 +499,7 @@ static int cbc_aes_decrypt(struct blkcipher_desc *desc,
+ 		return fallback_blk_dec(desc, dst, src, nbytes);
+ 
+ 	blkcipher_walk_init(&walk, dst, src, nbytes);
+-	return cbc_aes_crypt(desc, sctx->dec, sctx->iv, &walk);
++	return cbc_aes_crypt(desc, sctx->dec, &walk);
+ }
+ 
+ static struct crypto_alg cbc_aes_alg = {
+@@ -587,7 +591,7 @@ static int xts_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
+ 		xts_ctx->enc = KM_XTS_128_ENCRYPT;
+ 		xts_ctx->dec = KM_XTS_128_DECRYPT;
+ 		memcpy(xts_ctx->key + 16, in_key, 16);
+-		memcpy(xts_ctx->pcc.key + 16, in_key + 16, 16);
++		memcpy(xts_ctx->pcc_key + 16, in_key + 16, 16);
+ 		break;
+ 	case 48:
+ 		xts_ctx->enc = 0;
+@@ -598,7 +602,7 @@ static int xts_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
+ 		xts_ctx->enc = KM_XTS_256_ENCRYPT;
+ 		xts_ctx->dec = KM_XTS_256_DECRYPT;
+ 		memcpy(xts_ctx->key, in_key, 32);
+-		memcpy(xts_ctx->pcc.key, in_key + 32, 32);
++		memcpy(xts_ctx->pcc_key, in_key + 32, 32);
+ 		break;
+ 	default:
+ 		*flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
+@@ -617,28 +621,32 @@ static int xts_aes_crypt(struct blkcipher_desc *desc, long func,
+ 	unsigned int nbytes = walk->nbytes;
+ 	unsigned int n;
+ 	u8 *in, *out;
+-	void *param;
++	struct pcc_param pcc_param;
++	struct {
++		u8 key[32];
++		u8 init[16];
++	} xts_param;
+ 
+ 	if (!nbytes)
+ 		goto out;
+ 
+-	memset(xts_ctx->pcc.block, 0, sizeof(xts_ctx->pcc.block));
+-	memset(xts_ctx->pcc.bit, 0, sizeof(xts_ctx->pcc.bit));
+-	memset(xts_ctx->pcc.xts, 0, sizeof(xts_ctx->pcc.xts));
+-	memcpy(xts_ctx->pcc.tweak, walk->iv, sizeof(xts_ctx->pcc.tweak));
+-	param = xts_ctx->pcc.key + offset;
+-	ret = crypt_s390_pcc(func, param);
++	memset(pcc_param.block, 0, sizeof(pcc_param.block));
++	memset(pcc_param.bit, 0, sizeof(pcc_param.bit));
++	memset(pcc_param.xts, 0, sizeof(pcc_param.xts));
++	memcpy(pcc_param.tweak, walk->iv, sizeof(pcc_param.tweak));
++	memcpy(pcc_param.key, xts_ctx->pcc_key, 32);
++	ret = crypt_s390_pcc(func, &pcc_param.key[offset]);
+ 	BUG_ON(ret < 0);
+ 
+-	memcpy(xts_ctx->xts_param, xts_ctx->pcc.xts, 16);
+-	param = xts_ctx->key + offset;
++	memcpy(xts_param.key, xts_ctx->key, 32);
++	memcpy(xts_param.init, pcc_param.xts, 16);
+ 	do {
+ 		/* only use complete blocks */
+ 		n = nbytes & ~(AES_BLOCK_SIZE - 1);
+ 		out = walk->dst.virt.addr;
+ 		in = walk->src.virt.addr;
+ 
+-		ret = crypt_s390_km(func, param, out, in, n);
++		ret = crypt_s390_km(func, &xts_param.key[offset], out, in, n);
+ 		BUG_ON(ret < 0 || ret != n);
+ 
+ 		nbytes &= AES_BLOCK_SIZE - 1;
+diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c
+index 425162e..2f53b89 100644
+--- a/arch/um/os-Linux/start_up.c
++++ b/arch/um/os-Linux/start_up.c
+@@ -15,6 +15,8 @@
+ #include <sys/mman.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
++#include <sys/time.h>
++#include <sys/resource.h>
+ #include <asm/unistd.h>
+ #include "init.h"
+ #include "os.h"
+diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
+index 95365a8..e80542b 100644
+--- a/arch/x86/boot/Makefile
++++ b/arch/x86/boot/Makefile
+@@ -51,18 +51,18 @@ $(obj)/cpustr.h: $(obj)/mkcpustr FORCE
+ 
+ # How to compile the 16-bit code.  Note we always compile for -march=i386,
+ # that way we can complain to the user if the CPU is insufficient.
+-KBUILD_CFLAGS	:= $(LINUXINCLUDE) -g -Os -D_SETUP -D__KERNEL__ \
++KBUILD_CFLAGS	:= $(LINUXINCLUDE) -m32 -g -Os -D_SETUP -D__KERNEL__ \
+ 		   -DDISABLE_BRANCH_PROFILING \
+ 		   -Wall -Wstrict-prototypes \
+ 		   -march=i386 -mregparm=3 \
+ 		   -include $(srctree)/$(src)/code16gcc.h \
+ 		   -fno-strict-aliasing -fomit-frame-pointer \
++		   -mno-mmx -mno-sse \
+ 		   $(call cc-option, -ffreestanding) \
+ 		   $(call cc-option, -fno-toplevel-reorder,\
+-			$(call cc-option, -fno-unit-at-a-time)) \
++		   $(call cc-option, -fno-unit-at-a-time)) \
+ 		   $(call cc-option, -fno-stack-protector) \
+ 		   $(call cc-option, -mpreferred-stack-boundary=2)
+-KBUILD_CFLAGS	+= $(call cc-option, -m32)
+ KBUILD_AFLAGS	:= $(KBUILD_CFLAGS) -D__ASSEMBLY__
+ GCOV_PROFILE := n
+ 
+diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
+index 77453c6..cda5cef 100644
+--- a/arch/x86/boot/compressed/Makefile
++++ b/arch/x86/boot/compressed/Makefile
+@@ -12,6 +12,7 @@ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
+ cflags-$(CONFIG_X86_32) := -march=i386
+ cflags-$(CONFIG_X86_64) := -mcmodel=small
+ KBUILD_CFLAGS += $(cflags-y)
++KBUILD_CFLAGS += -mno-mmx -mno-sse
+ KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
+ KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
+ 
+diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
+index 13ad899..69e231b 100644
+--- a/arch/x86/kernel/crash.c
++++ b/arch/x86/kernel/crash.c
+@@ -95,10 +95,10 @@ void native_machine_crash_shutdown(struct pt_regs *regs)
+ 	cpu_emergency_vmxoff();
+ 	cpu_emergency_svm_disable();
+ 
+-	lapic_shutdown();
+ #if defined(CONFIG_X86_IO_APIC)
+ 	disable_IO_APIC();
+ #endif
++	lapic_shutdown();
+ #ifdef CONFIG_HPET_TIMER
+ 	hpet_disable();
+ #endif
+diff --git a/arch/x86/kernel/microcode_amd.c b/arch/x86/kernel/microcode_amd.c
+index 1ef962b..f9b9eaa 100644
+--- a/arch/x86/kernel/microcode_amd.c
++++ b/arch/x86/kernel/microcode_amd.c
+@@ -331,7 +331,7 @@ static enum ucode_state request_microcode_amd(int cpu, struct device *device)
+ 		snprintf(fw_name, sizeof(fw_name), "amd-ucode/microcode_amd_fam%.2xh.bin", c->x86);
+ 
+ 	if (request_firmware(&fw, (const char *)fw_name, device)) {
+-		pr_err("failed to load file %s\n", fw_name);
++		pr_debug("failed to load file %s\n", fw_name);
+ 		goto out;
+ 	}
+ 
+diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
+index a4e1b4b..f411aca 100644
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -652,6 +652,13 @@ void native_machine_shutdown(void)
+ 
+ 	/* The boot cpu is always logical cpu 0 */
+ 	int reboot_cpu_id = 0;
++#endif
++
++#ifdef CONFIG_X86_IO_APIC
++	disable_IO_APIC();
++#endif
++
++#ifdef CONFIG_SMP
+ 
+ #ifdef CONFIG_X86_32
+ 	/* See if there has been given a command line override */
+@@ -675,10 +682,6 @@ void native_machine_shutdown(void)
+ 
+ 	lapic_shutdown();
+ 
+-#ifdef CONFIG_X86_IO_APIC
+-	disable_IO_APIC();
+-#endif
+-
+ #ifdef CONFIG_HPET_TIMER
+ 	hpet_disable();
+ #endif
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index 54abb40..43e7753 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -537,7 +537,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
+ 	ASSERT(apic != NULL);
+ 
+ 	/* if initial count is 0, current count should also be 0 */
+-	if (apic_get_reg(apic, APIC_TMICT) == 0)
++	if (apic_get_reg(apic, APIC_TMICT) == 0 ||
++		apic->lapic_timer.period == 0)
+ 		return 0;
+ 
+ 	remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index a18d20d..bee75a6 100644
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -614,11 +614,6 @@ void __init efi_init(void)
+ 
+ 	set_bit(EFI_MEMMAP, &x86_efi_facility);
+ 
+-#ifdef CONFIG_X86_32
+-	x86_platform.get_wallclock = efi_get_time;
+-	x86_platform.set_wallclock = efi_set_rtc_mmss;
+-#endif
+-
+ #if EFI_DEBUG
+ 	print_efi_memmap();
+ #endif
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 49d9e91..a219c89 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -483,6 +483,7 @@ struct request_queue *blk_alloc_queue_node(gfp_t gfp_mask, int node_id)
+ 	}
+ 
+ 	if (blk_throtl_init(q)) {
++		bdi_destroy(&q->backing_dev_info);
+ 		kmem_cache_free(blk_requestq_cachep, q);
+ 		return NULL;
+ 	}
+@@ -2015,6 +2016,7 @@ void blk_start_request(struct request *req)
+ 	if (unlikely(blk_bidi_rq(req)))
+ 		req->next_rq->resid_len = blk_rq_bytes(req->next_rq);
+ 
++	BUG_ON(test_bit(REQ_ATOM_COMPLETE, &req->atomic_flags));
+ 	blk_add_timer(req);
+ }
+ EXPORT_SYMBOL(blk_start_request);
+diff --git a/block/blk-timeout.c b/block/blk-timeout.c
+index 7803548..b1182ea 100644
+--- a/block/blk-timeout.c
++++ b/block/blk-timeout.c
+@@ -90,8 +90,8 @@ static void blk_rq_timed_out(struct request *req)
+ 		__blk_complete_request(req);
+ 		break;
+ 	case BLK_EH_RESET_TIMER:
+-		blk_clear_rq_complete(req);
+ 		blk_add_timer(req);
++		blk_clear_rq_complete(req);
+ 		break;
+ 	case BLK_EH_NOT_HANDLED:
+ 		/*
+@@ -173,7 +173,6 @@ void blk_add_timer(struct request *req)
+ 		return;
+ 
+ 	BUG_ON(!list_empty(&req->timeout_list));
+-	BUG_ON(test_bit(REQ_ATOM_COMPLETE, &req->atomic_flags));
+ 
+ 	/*
+ 	 * Some LLDs, like scsi, peek at the timeout to prevent a
+diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
+index 0262210..8502462 100644
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -114,6 +114,9 @@ static ssize_t hash_sendpage(struct socket *sock, struct page *page,
+ 	struct hash_ctx *ctx = ask->private;
+ 	int err;
+ 
++	if (flags & MSG_SENDPAGE_NOTLAST)
++		flags |= MSG_MORE;
++
+ 	lock_sock(sk);
+ 	sg_init_table(ctx->sgl.sg, 1);
+ 	sg_set_page(ctx->sgl.sg, page, size, offset);
+@@ -161,8 +164,6 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
+ 	else if (len < ds)
+ 		msg->msg_flags |= MSG_TRUNC;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	lock_sock(sk);
+ 	if (ctx->more) {
+ 		ctx->more = 0;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index a1c4f0a..a19c027 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -378,6 +378,9 @@ static ssize_t skcipher_sendpage(struct socket *sock, struct page *page,
+ 	struct skcipher_sg_list *sgl;
+ 	int err = -EINVAL;
+ 
++	if (flags & MSG_SENDPAGE_NOTLAST)
++		flags |= MSG_MORE;
++
+ 	lock_sock(sk);
+ 	if (!ctx->more && ctx->used)
+ 		goto unlock;
+@@ -432,7 +435,6 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
+ 	long copied = 0;
+ 
+ 	lock_sock(sk);
+-	msg->msg_namelen = 0;
+ 	for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
+ 	     iovlen--, iov++) {
+ 		unsigned long seglen = iov->iov_len;
+diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
+index ffa0245..6056178 100644
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -230,11 +230,11 @@ remainder:
+ 	 */
+ 	if (byte_count < DEFAULT_BLK_SZ) {
+ empty_rbuf:
+-		for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
+-			ctx->rand_data_valid++) {
++		while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
+ 			*ptr = ctx->rand_data[ctx->rand_data_valid];
+ 			ptr++;
+ 			byte_count--;
++			ctx->rand_data_valid++;
+ 			if (byte_count == 0)
+ 				goto done;
+ 		}
+diff --git a/crypto/authenc.c b/crypto/authenc.c
+index 5ef7ba6..d21da2f 100644
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -368,9 +368,10 @@ static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
+ 	if (!err) {
+ 		struct crypto_aead *authenc = crypto_aead_reqtfm(areq);
+ 		struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
+-		struct ablkcipher_request *abreq = aead_request_ctx(areq);
+-		u8 *iv = (u8 *)(abreq + 1) +
+-			 crypto_ablkcipher_reqsize(ctx->enc);
++		struct authenc_request_ctx *areq_ctx = aead_request_ctx(areq);
++		struct ablkcipher_request *abreq = (void *)(areq_ctx->tail
++							    + ctx->reqoff);
++		u8 *iv = (u8 *)abreq - crypto_ablkcipher_ivsize(ctx->enc);
+ 
+ 		err = crypto_authenc_genicv(areq, iv, 0);
+ 	}
+diff --git a/crypto/ccm.c b/crypto/ccm.c
+index c36d654..2002ca7 100644
+--- a/crypto/ccm.c
++++ b/crypto/ccm.c
+@@ -271,7 +271,8 @@ static int crypto_ccm_auth(struct aead_request *req, struct scatterlist *plain,
+ 	}
+ 
+ 	/* compute plaintext into mac */
+-	get_data_to_compute(cipher, pctx, plain, cryptlen);
++	if (cryptlen)
++		get_data_to_compute(cipher, pctx, plain, cryptlen);
+ 
+ out:
+ 	return err;
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 0445f52..d29f6d5 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -303,6 +303,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ 	{ PCI_VDEVICE(INTEL, 0x8d66), board_ahci }, /* Wellsburg RAID */
+ 	{ PCI_VDEVICE(INTEL, 0x8d6e), board_ahci }, /* Wellsburg RAID */
+ 	{ PCI_VDEVICE(INTEL, 0x23a3), board_ahci }, /* Coleto Creek AHCI */
++	{ PCI_VDEVICE(INTEL, 0x9c83), board_ahci }, /* Wildcat Point-LP AHCI */
++	{ PCI_VDEVICE(INTEL, 0x9c85), board_ahci }, /* Wildcat Point-LP RAID */
++	{ PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */
++	{ PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */
+ 
+ 	/* JMicron 360/1/3/5/6, match class to avoid IDE function */
+ 	{ PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+@@ -437,6 +441,8 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ 	  .driver_data = board_ahci_yes_fbs },			/* 88se9172 on some Gigabyte */
+ 	{ PCI_DEVICE(0x1b4b, 0x91a3),
+ 	  .driver_data = board_ahci_yes_fbs },
++	{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
++	  .driver_data = board_ahci_yes_fbs },
+ 
+ 	/* Promise */
+ 	{ PCI_VDEVICE(PROMISE, 0x3f20), board_ahci },	/* PDC42819 */
+diff --git a/drivers/ata/ahci_platform.c b/drivers/ata/ahci_platform.c
+index 43b8758..6692108 100644
+--- a/drivers/ata/ahci_platform.c
++++ b/drivers/ata/ahci_platform.c
+@@ -204,6 +204,7 @@ static int __devexit ahci_remove(struct platform_device *pdev)
+ 
+ static const struct of_device_id ahci_of_match[] = {
+ 	{ .compatible = "calxeda,hb-ahci", },
++	{ .compatible = "ibm,476gtr-ahci", },
+ 	{},
+ };
+ MODULE_DEVICE_TABLE(of, ahci_of_match);
+diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
+index 60def03..de2802c 100644
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -1247,9 +1247,11 @@ int ahci_do_softreset(struct ata_link *link, unsigned int *class,
+ {
+ 	struct ata_port *ap = link->ap;
+ 	struct ahci_host_priv *hpriv = ap->host->private_data;
++	struct ahci_port_priv *pp = ap->private_data;
+ 	const char *reason = NULL;
+ 	unsigned long now, msecs;
+ 	struct ata_taskfile tf;
++	bool fbs_disabled = false;
+ 	int rc;
+ 
+ 	DPRINTK("ENTER\n");
+@@ -1259,6 +1261,16 @@ int ahci_do_softreset(struct ata_link *link, unsigned int *class,
+ 	if (rc && rc != -EOPNOTSUPP)
+ 		ata_link_warn(link, "failed to reset engine (errno=%d)\n", rc);
+ 
++	/*
++	 * According to AHCI-1.2 9.3.9: if FBS is enable, software shall
++	 * clear PxFBS.EN to '0' prior to issuing software reset to devices
++	 * that is attached to port multiplier.
++	 */
++	if (!ata_is_host_link(link) && pp->fbs_enabled) {
++		ahci_disable_fbs(ap);
++		fbs_disabled = true;
++	}
++
+ 	ata_tf_init(link->device, &tf);
+ 
+ 	/* issue the first D2H Register FIS */
+@@ -1299,6 +1311,10 @@ int ahci_do_softreset(struct ata_link *link, unsigned int *class,
+ 	} else
+ 		*class = ahci_dev_classify(ap);
+ 
++	/* re-enable FBS if disabled before */
++	if (fbs_disabled)
++		ahci_enable_fbs(ap);
++
+ 	DPRINTK("EXIT, class=%u\n", *class);
+ 	return 0;
+ 
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index d54b7d6..a0a3987 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4067,6 +4067,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
+ 	{ "TORiSAN DVD-ROM DRD-N216", NULL,	ATA_HORKAGE_MAX_SEC_128 },
+ 	{ "QUANTUM DAT    DAT72-000", NULL,	ATA_HORKAGE_ATAPI_MOD16_DMA },
+ 	{ "Slimtype DVD A  DS8A8SH", NULL,	ATA_HORKAGE_MAX_SEC_LBA48 },
++	{ "Slimtype DVD A  DS8A9SH", NULL,	ATA_HORKAGE_MAX_SEC_LBA48 },
+ 
+ 	/* Devices we expect to fail diagnostics */
+ 
+diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c
+index ce9dc62..c01f040 100644
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -312,25 +312,25 @@ int ata_tport_add(struct device *parent,
+ /*
+  * ATA link attributes
+  */
++static int noop(int x) { return x; }
+ 
+-
+-#define ata_link_show_linkspeed(field)					\
++#define ata_link_show_linkspeed(field, format)			        \
+ static ssize_t								\
+ show_ata_link_##field(struct device *dev,				\
+ 		      struct device_attribute *attr, char *buf)		\
+ {									\
+ 	struct ata_link *link = transport_class_to_link(dev);		\
+ 									\
+-	return sprintf(buf,"%s\n", sata_spd_string(fls(link->field)));	\
++	return sprintf(buf, "%s\n", sata_spd_string(format(link->field))); \
+ }
+ 
+-#define ata_link_linkspeed_attr(field)					\
+-	ata_link_show_linkspeed(field)					\
++#define ata_link_linkspeed_attr(field, format)				\
++	ata_link_show_linkspeed(field, format)				\
+ static DEVICE_ATTR(field, S_IRUGO, show_ata_link_##field, NULL)
+ 
+-ata_link_linkspeed_attr(hw_sata_spd_limit);
+-ata_link_linkspeed_attr(sata_spd_limit);
+-ata_link_linkspeed_attr(sata_spd);
++ata_link_linkspeed_attr(hw_sata_spd_limit, fls);
++ata_link_linkspeed_attr(sata_spd_limit, fls);
++ata_link_linkspeed_attr(sata_spd, noop);
+ 
+ 
+ static DECLARE_TRANSPORT_CLASS(ata_link_class,
+diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
+index 1c05212..b0e75ce 100644
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -3513,7 +3513,7 @@ init_card(struct atm_dev *dev)
+ 	tmp = dev_get_by_name(&init_net, tname);	/* jhs: was "tmp = dev_get(tname);" */
+ 	if (tmp) {
+ 		memcpy(card->atmdev->esi, tmp->dev_addr, 6);
+-
++		dev_put(tmp);
+ 		printk("%s: ESI %pM\n", card->name, card->atmdev->esi);
+ 	}
+ 	/*
+diff --git a/drivers/block/brd.c b/drivers/block/brd.c
+index 968a0d4..f35975f 100644
+--- a/drivers/block/brd.c
++++ b/drivers/block/brd.c
+@@ -547,7 +547,7 @@ static struct kobject *brd_probe(dev_t dev, int *part, void *data)
+ 
+ 	mutex_lock(&brd_devices_mutex);
+ 	brd = brd_init_one(MINOR(dev) >> part_shift);
+-	kobj = brd ? get_disk(brd->brd_disk) : ERR_PTR(-ENOMEM);
++	kobj = brd ? get_disk(brd->brd_disk) : NULL;
+ 	mutex_unlock(&brd_devices_mutex);
+ 
+ 	*part = 0;
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index a365562..d659135 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1635,7 +1635,7 @@ static int loop_add(struct loop_device **l, int i)
+ 
+ 	lo->lo_queue = blk_alloc_queue(GFP_KERNEL);
+ 	if (!lo->lo_queue)
+-		goto out_free_dev;
++		goto out_free_idr;
+ 
+ 	disk = lo->lo_disk = alloc_disk(1 << part_shift);
+ 	if (!disk)
+@@ -1679,6 +1679,8 @@ static int loop_add(struct loop_device **l, int i)
+ 
+ out_free_queue:
+ 	blk_cleanup_queue(lo->lo_queue);
++out_free_idr:
++	idr_remove(&loop_index_idr, i);
+ out_free_dev:
+ 	kfree(lo);
+ out:
+@@ -1742,7 +1744,7 @@ static struct kobject *loop_probe(dev_t dev, int *part, void *data)
+ 	if (err < 0)
+ 		err = loop_add(&lo, MINOR(dev) >> part_shift);
+ 	if (err < 0)
+-		kobj = ERR_PTR(err);
++		kobj = NULL;
+ 	else
+ 		kobj = get_disk(lo->lo_disk);
+ 	mutex_unlock(&loop_index_mutex);
+diff --git a/drivers/char/i8k.c b/drivers/char/i8k.c
+index 6e40072..51efcbc 100644
+--- a/drivers/char/i8k.c
++++ b/drivers/char/i8k.c
+@@ -664,6 +664,13 @@ static struct dmi_system_id __initdata i8k_dmi_table[] = {
+ 			DMI_MATCH(DMI_PRODUCT_NAME, "Vostro"),
+ 		},
+ 	},
++	{
++		.ident = "Dell XPS421",
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++			DMI_MATCH(DMI_PRODUCT_NAME, "XPS L421X"),
++		},
++	},
+         { }
+ };
+ 
+diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
+index 66d5384..094a710 100644
+--- a/drivers/connector/cn_proc.c
++++ b/drivers/connector/cn_proc.c
+@@ -31,11 +31,23 @@
+ #include <linux/ptrace.h>
+ #include <linux/atomic.h>
+ 
+-#include <asm/unaligned.h>
+-
+ #include <linux/cn_proc.h>
+ 
+-#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event))
++/*
++ * Size of a cn_msg followed by a proc_event structure.  Since the
++ * sizeof struct cn_msg is a multiple of 4 bytes, but not 8 bytes, we
++ * add one 4-byte word to the size here, and then start the actual
++ * cn_msg structure 4 bytes into the stack buffer.  The result is that
++ * the immediately following proc_event structure is aligned to 8 bytes.
++ */
++#define CN_PROC_MSG_SIZE (sizeof(struct cn_msg) + sizeof(struct proc_event) + 4)
++
++/* See comment above; we test our assumption about sizeof struct cn_msg here. */
++static inline struct cn_msg *buffer_to_cn_msg(__u8 *buffer)
++{
++	BUILD_BUG_ON(sizeof(struct cn_msg) != 20);
++	return (struct cn_msg *)(buffer + 4);
++}
+ 
+ static atomic_t proc_event_num_listeners = ATOMIC_INIT(0);
+ static struct cb_id cn_proc_event_id = { CN_IDX_PROC, CN_VAL_PROC };
+@@ -55,19 +67,19 @@ void proc_fork_connector(struct task_struct *task)
+ {
+ 	struct cn_msg *msg;
+ 	struct proc_event *ev;
+-	__u8 buffer[CN_PROC_MSG_SIZE];
++	__u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ 	struct timespec ts;
+ 	struct task_struct *parent;
+ 
+ 	if (atomic_read(&proc_event_num_listeners) < 1)
+ 		return;
+ 
+-	msg = (struct cn_msg*)buffer;
++	msg = buffer_to_cn_msg(buffer);
+ 	ev = (struct proc_event*)msg->data;
+ 	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+-	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++	ev->timestamp_ns = timespec_to_ns(&ts);
+ 	ev->what = PROC_EVENT_FORK;
+ 	rcu_read_lock();
+ 	parent = rcu_dereference(task->real_parent);
+@@ -90,17 +102,17 @@ void proc_exec_connector(struct task_struct *task)
+ 	struct cn_msg *msg;
+ 	struct proc_event *ev;
+ 	struct timespec ts;
+-	__u8 buffer[CN_PROC_MSG_SIZE];
++	__u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ 
+ 	if (atomic_read(&proc_event_num_listeners) < 1)
+ 		return;
+ 
+-	msg = (struct cn_msg*)buffer;
++	msg = buffer_to_cn_msg(buffer);
+ 	ev = (struct proc_event*)msg->data;
+ 	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+-	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++	ev->timestamp_ns = timespec_to_ns(&ts);
+ 	ev->what = PROC_EVENT_EXEC;
+ 	ev->event_data.exec.process_pid = task->pid;
+ 	ev->event_data.exec.process_tgid = task->tgid;
+@@ -116,14 +128,14 @@ void proc_id_connector(struct task_struct *task, int which_id)
+ {
+ 	struct cn_msg *msg;
+ 	struct proc_event *ev;
+-	__u8 buffer[CN_PROC_MSG_SIZE];
++	__u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ 	struct timespec ts;
+ 	const struct cred *cred;
+ 
+ 	if (atomic_read(&proc_event_num_listeners) < 1)
+ 		return;
+ 
+-	msg = (struct cn_msg*)buffer;
++	msg = buffer_to_cn_msg(buffer);
+ 	ev = (struct proc_event*)msg->data;
+ 	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	ev->what = which_id;
+@@ -144,7 +156,7 @@ void proc_id_connector(struct task_struct *task, int which_id)
+ 	rcu_read_unlock();
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+-	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++	ev->timestamp_ns = timespec_to_ns(&ts);
+ 
+ 	memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
+ 	msg->ack = 0; /* not used */
+@@ -158,17 +170,17 @@ void proc_sid_connector(struct task_struct *task)
+ 	struct cn_msg *msg;
+ 	struct proc_event *ev;
+ 	struct timespec ts;
+-	__u8 buffer[CN_PROC_MSG_SIZE];
++	__u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ 
+ 	if (atomic_read(&proc_event_num_listeners) < 1)
+ 		return;
+ 
+-	msg = (struct cn_msg *)buffer;
++	msg = buffer_to_cn_msg(buffer);
+ 	ev = (struct proc_event *)msg->data;
+ 	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+-	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++	ev->timestamp_ns = timespec_to_ns(&ts);
+ 	ev->what = PROC_EVENT_SID;
+ 	ev->event_data.sid.process_pid = task->pid;
+ 	ev->event_data.sid.process_tgid = task->tgid;
+@@ -185,17 +197,17 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id)
+ 	struct cn_msg *msg;
+ 	struct proc_event *ev;
+ 	struct timespec ts;
+-	__u8 buffer[CN_PROC_MSG_SIZE];
++	__u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ 
+ 	if (atomic_read(&proc_event_num_listeners) < 1)
+ 		return;
+ 
+-	msg = (struct cn_msg *)buffer;
++	msg = buffer_to_cn_msg(buffer);
+ 	ev = (struct proc_event *)msg->data;
+ 	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+-	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++	ev->timestamp_ns = timespec_to_ns(&ts);
+ 	ev->what = PROC_EVENT_PTRACE;
+ 	ev->event_data.ptrace.process_pid  = task->pid;
+ 	ev->event_data.ptrace.process_tgid = task->tgid;
+@@ -220,17 +232,17 @@ void proc_comm_connector(struct task_struct *task)
+ 	struct cn_msg *msg;
+ 	struct proc_event *ev;
+ 	struct timespec ts;
+-	__u8 buffer[CN_PROC_MSG_SIZE];
++	__u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ 
+ 	if (atomic_read(&proc_event_num_listeners) < 1)
+ 		return;
+ 
+-	msg = (struct cn_msg *)buffer;
++	msg = buffer_to_cn_msg(buffer);
+ 	ev = (struct proc_event *)msg->data;
+ 	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+-	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++	ev->timestamp_ns = timespec_to_ns(&ts);
+ 	ev->what = PROC_EVENT_COMM;
+ 	ev->event_data.comm.process_pid  = task->pid;
+ 	ev->event_data.comm.process_tgid = task->tgid;
+@@ -247,18 +259,18 @@ void proc_exit_connector(struct task_struct *task)
+ {
+ 	struct cn_msg *msg;
+ 	struct proc_event *ev;
+-	__u8 buffer[CN_PROC_MSG_SIZE];
++	__u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ 	struct timespec ts;
+ 
+ 	if (atomic_read(&proc_event_num_listeners) < 1)
+ 		return;
+ 
+-	msg = (struct cn_msg*)buffer;
++	msg = buffer_to_cn_msg(buffer);
+ 	ev = (struct proc_event*)msg->data;
+ 	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	get_seq(&msg->seq, &ev->cpu);
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+-	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++	ev->timestamp_ns = timespec_to_ns(&ts);
+ 	ev->what = PROC_EVENT_EXIT;
+ 	ev->event_data.exit.process_pid = task->pid;
+ 	ev->event_data.exit.process_tgid = task->tgid;
+@@ -284,18 +296,18 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
+ {
+ 	struct cn_msg *msg;
+ 	struct proc_event *ev;
+-	__u8 buffer[CN_PROC_MSG_SIZE];
++	__u8 buffer[CN_PROC_MSG_SIZE] __aligned(8);
+ 	struct timespec ts;
+ 
+ 	if (atomic_read(&proc_event_num_listeners) < 1)
+ 		return;
+ 
+-	msg = (struct cn_msg*)buffer;
++	msg = buffer_to_cn_msg(buffer);
+ 	ev = (struct proc_event*)msg->data;
+ 	memset(&ev->event_data, 0, sizeof(ev->event_data));
+ 	msg->seq = rcvd_seq;
+ 	ktime_get_ts(&ts); /* get high res monotonic timestamp */
+-	put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
++	ev->timestamp_ns = timespec_to_ns(&ts);
+ 	ev->cpu = -1;
+ 	ev->what = PROC_EVENT_NONE;
+ 	ev->event_data.ack.err = err;
+diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c
+index edcffd6..34be13b 100644
+--- a/drivers/gpio/gpio-mpc8xxx.c
++++ b/drivers/gpio/gpio-mpc8xxx.c
+@@ -69,10 +69,14 @@ static int mpc8572_gpio_get(struct gpio_chip *gc, unsigned int gpio)
+ 	u32 val;
+ 	struct of_mm_gpio_chip *mm = to_of_mm_gpio_chip(gc);
+ 	struct mpc8xxx_gpio_chip *mpc8xxx_gc = to_mpc8xxx_gpio_chip(mm);
++	u32 out_mask, out_shadow;
+ 
+-	val = in_be32(mm->regs + GPIO_DAT) & ~in_be32(mm->regs + GPIO_DIR);
++	out_mask = in_be32(mm->regs + GPIO_DIR);
+ 
+-	return (val | mpc8xxx_gc->data) & mpc8xxx_gpio2mask(gpio);
++	val = in_be32(mm->regs + GPIO_DAT) & ~out_mask;
++	out_shadow = mpc8xxx_gc->data & out_mask;
++
++	return (val | out_shadow) & mpc8xxx_gpio2mask(gpio);
+ }
+ 
+ static int mpc8xxx_gpio_get(struct gpio_chip *gc, unsigned int gpio)
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index ee29c1f..6d36695 100644
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -6063,7 +6063,9 @@ static void i9xx_update_cursor(struct drm_crtc *crtc, u32 base)
+ 		intel_crtc->cursor_visible = visible;
+ 	}
+ 	/* and commit changes on next vblank */
++	POSTING_READ(CURCNTR(pipe));
+ 	I915_WRITE(CURBASE(pipe), base);
++	POSTING_READ(CURBASE(pipe));
+ }
+ 
+ static void ivb_update_cursor(struct drm_crtc *crtc, u32 base)
+@@ -6088,7 +6090,9 @@ static void ivb_update_cursor(struct drm_crtc *crtc, u32 base)
+ 		intel_crtc->cursor_visible = visible;
+ 	}
+ 	/* and commit changes on next vblank */
++	POSTING_READ(CURCNTR_IVB(pipe));
+ 	I915_WRITE(CURBASE_IVB(pipe), base);
++	POSTING_READ(CURBASE_IVB(pipe));
+ }
+ 
+ /* If no-part of the cursor is visible on the framebuffer, then the GPU may hang... */
+diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
+index 7ce3fde..bd0b1fc 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
+@@ -281,7 +281,8 @@ validate_fini_list(struct list_head *list, struct nouveau_fence *fence)
+ 	list_for_each_safe(entry, tmp, list) {
+ 		nvbo = list_entry(entry, struct nouveau_bo, entry);
+ 
+-		nouveau_bo_fence(nvbo, fence);
++		if (likely(fence))
++			nouveau_bo_fence(nvbo, fence);
+ 
+ 		if (unlikely(nvbo->validate_mapped)) {
+ 			ttm_bo_kunmap(&nvbo->kmap);
+diff --git a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
+index daadf21..a9238b0 100644
+--- a/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
++++ b/drivers/gpu/drm/radeon/radeon_legacy_crtc.c
+@@ -416,12 +416,40 @@ int radeon_crtc_do_set_base(struct drm_crtc *crtc,
+ 	/* Pin framebuffer & get tilling informations */
+ 	obj = radeon_fb->obj;
+ 	rbo = gem_to_radeon_bo(obj);
++retry:
+ 	r = radeon_bo_reserve(rbo, false);
+ 	if (unlikely(r != 0))
+ 		return r;
+ 	r = radeon_bo_pin(rbo, RADEON_GEM_DOMAIN_VRAM, &base);
+ 	if (unlikely(r != 0)) {
+ 		radeon_bo_unreserve(rbo);
++
++		/* On old GPU like RN50 with little vram pining can fails because
++		 * current fb is taking all space needed. So instead of unpining
++		 * the old buffer after pining the new one, first unpin old one
++		 * and then retry pining new one.
++		 *
++		 * As only master can set mode only master can pin and it is
++		 * unlikely the master client will race with itself especialy
++		 * on those old gpu with single crtc.
++		 *
++		 * We don't shutdown the display controller because new buffer
++		 * will end up in same spot.
++		 */
++		if (!atomic && fb && fb != crtc->fb) {
++			struct radeon_bo *old_rbo;
++			unsigned long nsize, osize;
++
++			old_rbo = gem_to_radeon_bo(to_radeon_framebuffer(fb)->obj);
++			osize = radeon_bo_size(old_rbo);
++			nsize = radeon_bo_size(rbo);
++			if (nsize <= osize && !radeon_bo_reserve(old_rbo, false)) {
++				radeon_bo_unpin(old_rbo);
++				radeon_bo_unreserve(old_rbo);
++				fb = NULL;
++				goto retry;
++			}
++		}
+ 		return -EINVAL;
+ 	}
+ 	radeon_bo_get_tiling_flags(rbo, &tiling_flags, NULL);
+diff --git a/drivers/gpu/drm/ttm/ttm_bo.c b/drivers/gpu/drm/ttm/ttm_bo.c
+index 0d27bff..22a89cd 100644
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -1101,24 +1101,32 @@ out_unlock:
+ 	return ret;
+ }
+ 
+-static int ttm_bo_mem_compat(struct ttm_placement *placement,
+-			     struct ttm_mem_reg *mem)
++static bool ttm_bo_mem_compat(struct ttm_placement *placement,
++			      struct ttm_mem_reg *mem,
++			      uint32_t *new_flags)
+ {
+ 	int i;
+ 
+ 	if (mem->mm_node && placement->lpfn != 0 &&
+ 	    (mem->start < placement->fpfn ||
+ 	     mem->start + mem->num_pages > placement->lpfn))
+-		return -1;
++		return false;
+ 
+ 	for (i = 0; i < placement->num_placement; i++) {
+-		if ((placement->placement[i] & mem->placement &
+-			TTM_PL_MASK_CACHING) &&
+-			(placement->placement[i] & mem->placement &
+-			TTM_PL_MASK_MEM))
+-			return i;
++		*new_flags = placement->placement[i];
++		if ((*new_flags & mem->placement & TTM_PL_MASK_CACHING) &&
++		    (*new_flags & mem->placement & TTM_PL_MASK_MEM))
++			return true;
++	}
++
++	for (i = 0; i < placement->num_busy_placement; i++) {
++		*new_flags = placement->busy_placement[i];
++		if ((*new_flags & mem->placement & TTM_PL_MASK_CACHING) &&
++		    (*new_flags & mem->placement & TTM_PL_MASK_MEM))
++			return true;
+ 	}
+-	return -1;
++
++	return false;
+ }
+ 
+ int ttm_bo_validate(struct ttm_buffer_object *bo,
+@@ -1127,6 +1135,7 @@ int ttm_bo_validate(struct ttm_buffer_object *bo,
+ 			bool no_wait_gpu)
+ {
+ 	int ret;
++	uint32_t new_flags;
+ 
+ 	BUG_ON(!atomic_read(&bo->reserved));
+ 	/* Check that range is valid */
+@@ -1137,8 +1146,7 @@ int ttm_bo_validate(struct ttm_buffer_object *bo,
+ 	/*
+ 	 * Check whether we need to move buffer.
+ 	 */
+-	ret = ttm_bo_mem_compat(placement, &bo->mem);
+-	if (ret < 0) {
++	if (!ttm_bo_mem_compat(placement, &bo->mem, &new_flags)) {
+ 		ret = ttm_bo_move_buffer(bo, placement, interruptible, no_wait_reserve, no_wait_gpu);
+ 		if (ret)
+ 			return ret;
+@@ -1147,7 +1155,7 @@ int ttm_bo_validate(struct ttm_buffer_object *bo,
+ 		 * Use the access and other non-mapping-related flag bits from
+ 		 * the compatible memory placement flags to the active flags
+ 		 */
+-		ttm_flag_masked(&bo->mem.placement, placement->placement[ret],
++		ttm_flag_masked(&bo->mem.placement, new_flags,
+ 				~TTM_PL_MASK_MEMTYPE);
+ 	}
+ 	/*
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 13af0f1..a605ba1 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -66,7 +66,7 @@ struct mt_device {
+ 	unsigned last_field_index;	/* last field index of the report */
+ 	unsigned last_slot_field;	/* the last field of a slot */
+ 	int last_mt_collection;	/* last known mt-related collection */
+-	__s8 inputmode;		/* InputMode HID feature, -1 if non-existent */
++	__s16 inputmode;	/* InputMode HID feature, -1 if non-existent */
+ 	__u8 num_received;	/* how many contacts we received */
+ 	__u8 num_expected;	/* expected last contact index */
+ 	__u8 maxcontacts;
+diff --git a/drivers/hwmon/lm78.c b/drivers/hwmon/lm78.c
+index 6df0b46..a42a7b0 100644
+--- a/drivers/hwmon/lm78.c
++++ b/drivers/hwmon/lm78.c
+@@ -90,6 +90,8 @@ static inline u8 FAN_TO_REG(long rpm, int div)
+ {
+ 	if (rpm <= 0)
+ 		return 255;
++	if (rpm > 1350000)
++		return 1;
+ 	return SENSORS_LIMIT((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
+ }
+ 
+diff --git a/drivers/hwmon/lm90.c b/drivers/hwmon/lm90.c
+index 615bc4f..6d5ece1 100644
+--- a/drivers/hwmon/lm90.c
++++ b/drivers/hwmon/lm90.c
+@@ -268,7 +268,7 @@ static const struct lm90_params lm90_params[] = {
+ 	[max6696] = {
+ 		.flags = LM90_HAVE_EMERGENCY
+ 		  | LM90_HAVE_EMERGENCY_ALARM | LM90_HAVE_TEMP3,
+-		.alert_alarms = 0x187c,
++		.alert_alarms = 0x1c7c,
+ 		.max_convrate = 6,
+ 		.reg_local_ext = MAX6657_REG_R_LOCAL_TEMPL,
+ 	},
+@@ -1474,19 +1474,22 @@ static void lm90_alert(struct i2c_client *client, unsigned int flag)
+ 	if ((alarms & 0x7f) == 0 && (alarms2 & 0xfe) == 0) {
+ 		dev_info(&client->dev, "Everything OK\n");
+ 	} else {
+-		if (alarms & 0x61)
++		if ((alarms & 0x61) || (alarms2 & 0x80))
+ 			dev_warn(&client->dev,
+ 				 "temp%d out of range, please check!\n", 1);
+-		if (alarms & 0x1a)
++		if ((alarms & 0x1a) || (alarms2 & 0x20))
+ 			dev_warn(&client->dev,
+ 				 "temp%d out of range, please check!\n", 2);
+ 		if (alarms & 0x04)
+ 			dev_warn(&client->dev,
+ 				 "temp%d diode open, please check!\n", 2);
+ 
+-		if (alarms2 & 0x18)
++		if (alarms2 & 0x5a)
+ 			dev_warn(&client->dev,
+ 				 "temp%d out of range, please check!\n", 3);
++		if (alarms2 & 0x04)
++			dev_warn(&client->dev,
++				 "temp%d diode open, please check!\n", 3);
+ 
+ 		/* Disable ALERT# output, because these chips don't implement
+ 		  SMBus alert correctly; they should only hold the alert line
+diff --git a/drivers/hwmon/sis5595.c b/drivers/hwmon/sis5595.c
+index 47d7ce9..5ab6953 100644
+--- a/drivers/hwmon/sis5595.c
++++ b/drivers/hwmon/sis5595.c
+@@ -133,6 +133,8 @@ static inline u8 FAN_TO_REG(long rpm, int div)
+ {
+ 	if (rpm <= 0)
+ 		return 255;
++	if (rpm > 1350000)
++		return 1;
+ 	return SENSORS_LIMIT((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
+ }
+ 
+diff --git a/drivers/hwmon/vt8231.c b/drivers/hwmon/vt8231.c
+index db3b2e8..6df67a9 100644
+--- a/drivers/hwmon/vt8231.c
++++ b/drivers/hwmon/vt8231.c
+@@ -139,7 +139,7 @@ static const u8 regtempmin[] = { 0x3a, 0x3e, 0x2c, 0x2e, 0x30, 0x32 };
+ */
+ static inline u8 FAN_TO_REG(long rpm, int div)
+ {
+-	if (rpm == 0)
++	if (rpm <= 0 || rpm > 1310720)
+ 		return 0;
+ 	return SENSORS_LIMIT(1310720 / (rpm * div), 1, 255);
+ }
+diff --git a/drivers/hwmon/w83l786ng.c b/drivers/hwmon/w83l786ng.c
+index 0254e18..b9c0a7f 100644
+--- a/drivers/hwmon/w83l786ng.c
++++ b/drivers/hwmon/w83l786ng.c
+@@ -447,8 +447,11 @@ store_pwm(struct device *dev, struct device_attribute *attr,
+ 	struct w83l786ng_data *data = i2c_get_clientdata(client);
+ 	u32 val = SENSORS_LIMIT(simple_strtoul(buf, NULL, 10), 0, 255);
+ 
++	val = DIV_ROUND_CLOSEST(val, 0x11);
++
+ 	mutex_lock(&data->update_lock);
+-	data->pwm[nr] = val;
++	data->pwm[nr] = val * 0x11;
++	val |= w83l786ng_read_value(client, W83L786NG_REG_PWM[nr]) & 0xf0;
+ 	w83l786ng_write_value(client, W83L786NG_REG_PWM[nr], val);
+ 	mutex_unlock(&data->update_lock);
+ 	return count;
+@@ -471,7 +474,7 @@ store_pwm_enable(struct device *dev, struct device_attribute *attr,
+ 	mutex_lock(&data->update_lock);
+ 	reg = w83l786ng_read_value(client, W83L786NG_REG_FAN_CFG);
+ 	data->pwm_enable[nr] = val;
+-	reg &= ~(0x02 << W83L786NG_PWM_ENABLE_SHIFT[nr]);
++	reg &= ~(0x03 << W83L786NG_PWM_ENABLE_SHIFT[nr]);
+ 	reg |= (val - 1) << W83L786NG_PWM_ENABLE_SHIFT[nr];
+ 	w83l786ng_write_value(client, W83L786NG_REG_FAN_CFG, reg);
+ 	mutex_unlock(&data->update_lock);
+@@ -740,9 +743,10 @@ static struct w83l786ng_data *w83l786ng_update_device(struct device *dev)
+ 			    ((pwmcfg >> W83L786NG_PWM_MODE_SHIFT[i]) & 1)
+ 			    ? 0 : 1;
+ 			data->pwm_enable[i] =
+-			    ((pwmcfg >> W83L786NG_PWM_ENABLE_SHIFT[i]) & 2) + 1;
+-			data->pwm[i] = w83l786ng_read_value(client,
+-			    W83L786NG_REG_PWM[i]);
++			    ((pwmcfg >> W83L786NG_PWM_ENABLE_SHIFT[i]) & 3) + 1;
++			data->pwm[i] =
++			    (w83l786ng_read_value(client, W83L786NG_REG_PWM[i])
++			     & 0x0f) * 0x11;
+ 		}
+ 
+ 
+diff --git a/drivers/infiniband/hw/ipath/ipath_user_sdma.c b/drivers/infiniband/hw/ipath/ipath_user_sdma.c
+index f5cb13b..cc04b7b 100644
+--- a/drivers/infiniband/hw/ipath/ipath_user_sdma.c
++++ b/drivers/infiniband/hw/ipath/ipath_user_sdma.c
+@@ -280,9 +280,7 @@ static int ipath_user_sdma_pin_pages(const struct ipath_devdata *dd,
+ 	int j;
+ 	int ret;
+ 
+-	ret = get_user_pages(current, current->mm, addr,
+-			     npages, 0, 1, pages, NULL);
+-
++	ret = get_user_pages_fast(addr, npages, 0, pages);
+ 	if (ret != npages) {
+ 		int i;
+ 
+@@ -811,10 +809,7 @@ int ipath_user_sdma_writev(struct ipath_devdata *dd,
+ 	while (dim) {
+ 		const int mxp = 8;
+ 
+-		down_write(&current->mm->mmap_sem);
+ 		ret = ipath_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp);
+-		up_write(&current->mm->mmap_sem);
+-
+ 		if (ret <= 0)
+ 			goto done_unlock;
+ 		else {
+diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c
+index 8244208..573b460 100644
+--- a/drivers/infiniband/hw/qib/qib_user_sdma.c
++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c
+@@ -284,8 +284,7 @@ static int qib_user_sdma_pin_pages(const struct qib_devdata *dd,
+ 	int j;
+ 	int ret;
+ 
+-	ret = get_user_pages(current, current->mm, addr,
+-			     npages, 0, 1, pages, NULL);
++	ret = get_user_pages_fast(addr, npages, 0, pages);
+ 
+ 	if (ret != npages) {
+ 		int i;
+@@ -830,10 +829,7 @@ int qib_user_sdma_writev(struct qib_ctxtdata *rcd,
+ 	while (dim) {
+ 		const int mxp = 8;
+ 
+-		down_write(&current->mm->mmap_sem);
+ 		ret = qib_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp);
+-		up_write(&current->mm->mmap_sem);
+-
+ 		if (ret <= 0)
+ 			goto done_unlock;
+ 		else {
+diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c
+index 509135f..4df80fb 100644
+--- a/drivers/isdn/isdnloop/isdnloop.c
++++ b/drivers/isdn/isdnloop/isdnloop.c
+@@ -1083,8 +1083,10 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
+ 				spin_unlock_irqrestore(&card->isdnloop_lock, flags);
+ 				return -ENOMEM;
+ 			}
+-			for (i = 0; i < 3; i++)
+-				strcpy(card->s0num[i], sdef.num[i]);
++			for (i = 0; i < 3; i++) {
++				strlcpy(card->s0num[i], sdef.num[i],
++					sizeof(card->s0num[0]));
++			}
+ 			break;
+ 		case ISDN_PTYPE_1TR6:
+ 			if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95",
+@@ -1097,7 +1099,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
+ 				spin_unlock_irqrestore(&card->isdnloop_lock, flags);
+ 				return -ENOMEM;
+ 			}
+-			strcpy(card->s0num[0], sdef.num[0]);
++			strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0]));
+ 			card->s0num[1][0] = '\0';
+ 			card->s0num[2][0] = '\0';
+ 			break;
+diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
+index 738ea8d..98e8274 100644
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -117,7 +117,6 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ {
+ 	struct sk_buff		*skb;
+ 	struct sock		*sk = sock->sk;
+-	struct sockaddr_mISDN	*maddr;
+ 
+ 	int		copied, err;
+ 
+@@ -135,9 +134,9 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (!skb)
+ 		return err;
+ 
+-	if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) {
+-		msg->msg_namelen = sizeof(struct sockaddr_mISDN);
+-		maddr = (struct sockaddr_mISDN *)msg->msg_name;
++	if (msg->msg_name) {
++		struct sockaddr_mISDN *maddr = msg->msg_name;
++
+ 		maddr->family = AF_ISDN;
+ 		maddr->dev = _pms(sk)->dev->id;
+ 		if ((sk->sk_protocol == ISDN_P_LAPD_TE) ||
+@@ -150,11 +149,7 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 			maddr->sapi = _pms(sk)->ch.addr & 0xFF;
+ 			maddr->tei =  (_pms(sk)->ch.addr >> 8) & 0xFF;
+ 		}
+-	} else {
+-		if (msg->msg_namelen)
+-			printk(KERN_WARNING "%s: too small namelen %d\n",
+-			    __func__, msg->msg_namelen);
+-		msg->msg_namelen = 0;
++		msg->msg_namelen = sizeof(*maddr);
+ 	}
+ 
+ 	copied = skb->len + MISDN_HEADER_LEN;
+diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
+index a5dfcc0..910d2f8 100644
+--- a/drivers/md/dm-bufio.c
++++ b/drivers/md/dm-bufio.c
+@@ -1611,6 +1611,11 @@ static int __init dm_bufio_init(void)
+ {
+ 	__u64 mem;
+ 
++	dm_bufio_allocated_kmem_cache = 0;
++	dm_bufio_allocated_get_free_pages = 0;
++	dm_bufio_allocated_vmalloc = 0;
++	dm_bufio_current_allocated = 0;
++
+ 	memset(&dm_bufio_caches, 0, sizeof dm_bufio_caches);
+ 	memset(&dm_bufio_cache_names, 0, sizeof dm_bufio_cache_names);
+ 
+diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c
+index 11431ac..3f123f1 100644
+--- a/drivers/md/dm-delay.c
++++ b/drivers/md/dm-delay.c
+@@ -20,6 +20,7 @@
+ struct delay_c {
+ 	struct timer_list delay_timer;
+ 	struct mutex timer_lock;
++	struct workqueue_struct *kdelayd_wq;
+ 	struct work_struct flush_expired_bios;
+ 	struct list_head delayed_bios;
+ 	atomic_t may_delay;
+@@ -45,14 +46,13 @@ struct dm_delay_info {
+ 
+ static DEFINE_MUTEX(delayed_bios_lock);
+ 
+-static struct workqueue_struct *kdelayd_wq;
+ static struct kmem_cache *delayed_cache;
+ 
+ static void handle_delayed_timer(unsigned long data)
+ {
+ 	struct delay_c *dc = (struct delay_c *)data;
+ 
+-	queue_work(kdelayd_wq, &dc->flush_expired_bios);
++	queue_work(dc->kdelayd_wq, &dc->flush_expired_bios);
+ }
+ 
+ static void queue_timeout(struct delay_c *dc, unsigned long expires)
+@@ -190,6 +190,12 @@ out:
+ 		goto bad_dev_write;
+ 	}
+ 
++	dc->kdelayd_wq = alloc_workqueue("kdelayd", WQ_MEM_RECLAIM, 0);
++	if (!dc->kdelayd_wq) {
++		DMERR("Couldn't start kdelayd");
++		goto bad_queue;
++	}
++
+ 	setup_timer(&dc->delay_timer, handle_delayed_timer, (unsigned long)dc);
+ 
+ 	INIT_WORK(&dc->flush_expired_bios, flush_expired_bios);
+@@ -202,6 +208,8 @@ out:
+ 	ti->private = dc;
+ 	return 0;
+ 
++bad_queue:
++	mempool_destroy(dc->delayed_pool);
+ bad_dev_write:
+ 	if (dc->dev_write)
+ 		dm_put_device(ti, dc->dev_write);
+@@ -216,7 +224,7 @@ static void delay_dtr(struct dm_target *ti)
+ {
+ 	struct delay_c *dc = ti->private;
+ 
+-	flush_workqueue(kdelayd_wq);
++	destroy_workqueue(dc->kdelayd_wq);
+ 
+ 	dm_put_device(ti, dc->dev_read);
+ 
+@@ -350,12 +358,6 @@ static int __init dm_delay_init(void)
+ {
+ 	int r = -ENOMEM;
+ 
+-	kdelayd_wq = alloc_workqueue("kdelayd", WQ_MEM_RECLAIM, 0);
+-	if (!kdelayd_wq) {
+-		DMERR("Couldn't start kdelayd");
+-		goto bad_queue;
+-	}
+-
+ 	delayed_cache = KMEM_CACHE(dm_delay_info, 0);
+ 	if (!delayed_cache) {
+ 		DMERR("Couldn't create delayed bio cache.");
+@@ -373,8 +375,6 @@ static int __init dm_delay_init(void)
+ bad_register:
+ 	kmem_cache_destroy(delayed_cache);
+ bad_memcache:
+-	destroy_workqueue(kdelayd_wq);
+-bad_queue:
+ 	return r;
+ }
+ 
+@@ -382,7 +382,6 @@ static void __exit dm_delay_exit(void)
+ {
+ 	dm_unregister_target(&delay_target);
+ 	kmem_cache_destroy(delayed_cache);
+-	destroy_workqueue(kdelayd_wq);
+ }
+ 
+ /* Module hooks */
+diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
+index 7e766f92..84ad530 100644
+--- a/drivers/md/dm-mpath.c
++++ b/drivers/md/dm-mpath.c
+@@ -84,6 +84,7 @@ struct multipath {
+ 	unsigned queue_io;		/* Must we queue all I/O? */
+ 	unsigned queue_if_no_path;	/* Queue I/O if last path fails? */
+ 	unsigned saved_queue_if_no_path;/* Saved state during suspension */
++	unsigned pg_init_disabled:1;	/* pg_init is not currently allowed */
+ 	unsigned pg_init_retries;	/* Number of times to retry pg_init */
+ 	unsigned pg_init_count;		/* Number of times pg_init called */
+ 	unsigned pg_init_delay_msecs;	/* Number of msecs before pg_init retry */
+@@ -473,7 +474,8 @@ static void process_queued_ios(struct work_struct *work)
+ 	    (!pgpath && !m->queue_if_no_path))
+ 		must_queue = 0;
+ 
+-	if (m->pg_init_required && !m->pg_init_in_progress && pgpath)
++	if (m->pg_init_required && !m->pg_init_in_progress && pgpath &&
++	    !m->pg_init_disabled)
+ 		__pg_init_all_paths(m);
+ 
+ out:
+@@ -887,10 +889,20 @@ static void multipath_wait_for_pg_init_completion(struct multipath *m)
+ 
+ static void flush_multipath_work(struct multipath *m)
+ {
++	unsigned long flags;
++
++	spin_lock_irqsave(&m->lock, flags);
++	m->pg_init_disabled = 1;
++	spin_unlock_irqrestore(&m->lock, flags);
++
+ 	flush_workqueue(kmpath_handlerd);
+ 	multipath_wait_for_pg_init_completion(m);
+ 	flush_workqueue(kmultipathd);
+ 	flush_work_sync(&m->trigger_event);
++
++	spin_lock_irqsave(&m->lock, flags);
++	m->pg_init_disabled = 0;
++	spin_unlock_irqrestore(&m->lock, flags);
+ }
+ 
+ static void multipath_dtr(struct dm_target *ti)
+@@ -1111,7 +1123,7 @@ static int pg_init_limit_reached(struct multipath *m, struct pgpath *pgpath)
+ 
+ 	spin_lock_irqsave(&m->lock, flags);
+ 
+-	if (m->pg_init_count <= m->pg_init_retries)
++	if (m->pg_init_count <= m->pg_init_retries && !m->pg_init_disabled)
+ 		m->pg_init_required = 1;
+ 	else
+ 		limit_reached = 1;
+@@ -1621,7 +1633,7 @@ out:
+  *---------------------------------------------------------------*/
+ static struct target_type multipath_target = {
+ 	.name = "multipath",
+-	.version = {1, 3, 1},
++	.version = {1, 3, 2},
+ 	.module = THIS_MODULE,
+ 	.ctr = multipath_ctr,
+ 	.dtr = multipath_dtr,
+diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
+index 5c30316..fec79e7 100644
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -66,6 +66,18 @@ struct dm_snapshot {
+ 
+ 	atomic_t pending_exceptions_count;
+ 
++	/* Protected by "lock" */
++	sector_t exception_start_sequence;
++
++	/* Protected by kcopyd single-threaded callback */
++	sector_t exception_complete_sequence;
++
++	/*
++	 * A list of pending exceptions that completed out of order.
++	 * Protected by kcopyd single-threaded callback.
++	 */
++	struct list_head out_of_order_list;
++
+ 	mempool_t *pending_pool;
+ 
+ 	struct dm_exception_table pending;
+@@ -171,6 +183,14 @@ struct dm_snap_pending_exception {
+ 	 */
+ 	int started;
+ 
++	/* There was copying error. */
++	int copy_error;
++
++	/* A sequence number, it is used for in-order completion. */
++	sector_t exception_sequence;
++
++	struct list_head out_of_order_entry;
++
+ 	/*
+ 	 * For writing a complete chunk, bypassing the copy.
+ 	 */
+@@ -1090,6 +1110,9 @@ static int snapshot_ctr(struct dm_target *ti, unsigned int argc, char **argv)
+ 	s->valid = 1;
+ 	s->active = 0;
+ 	atomic_set(&s->pending_exceptions_count, 0);
++	s->exception_start_sequence = 0;
++	s->exception_complete_sequence = 0;
++	INIT_LIST_HEAD(&s->out_of_order_list);
+ 	init_rwsem(&s->lock);
+ 	INIT_LIST_HEAD(&s->list);
+ 	spin_lock_init(&s->pe_lock);
+@@ -1448,6 +1471,19 @@ static void commit_callback(void *context, int success)
+ 	pending_complete(pe, success);
+ }
+ 
++static void complete_exception(struct dm_snap_pending_exception *pe)
++{
++	struct dm_snapshot *s = pe->snap;
++
++	if (unlikely(pe->copy_error))
++		pending_complete(pe, 0);
++
++	else
++		/* Update the metadata if we are persistent */
++		s->store->type->commit_exception(s->store, &pe->e,
++						 commit_callback, pe);
++}
++
+ /*
+  * Called when the copy I/O has finished.  kcopyd actually runs
+  * this code so don't block.
+@@ -1457,13 +1493,32 @@ static void copy_callback(int read_err, unsigned long write_err, void *context)
+ 	struct dm_snap_pending_exception *pe = context;
+ 	struct dm_snapshot *s = pe->snap;
+ 
+-	if (read_err || write_err)
+-		pending_complete(pe, 0);
++	pe->copy_error = read_err || write_err;
+ 
+-	else
+-		/* Update the metadata if we are persistent */
+-		s->store->type->commit_exception(s->store, &pe->e,
+-						 commit_callback, pe);
++	if (pe->exception_sequence == s->exception_complete_sequence) {
++		s->exception_complete_sequence++;
++		complete_exception(pe);
++
++		while (!list_empty(&s->out_of_order_list)) {
++			pe = list_entry(s->out_of_order_list.next,
++					struct dm_snap_pending_exception, out_of_order_entry);
++			if (pe->exception_sequence != s->exception_complete_sequence)
++				break;
++			s->exception_complete_sequence++;
++			list_del(&pe->out_of_order_entry);
++			complete_exception(pe);
++		}
++	} else {
++		struct list_head *lh;
++		struct dm_snap_pending_exception *pe2;
++
++		list_for_each_prev(lh, &s->out_of_order_list) {
++			pe2 = list_entry(lh, struct dm_snap_pending_exception, out_of_order_entry);
++			if (pe2->exception_sequence < pe->exception_sequence)
++				break;
++		}
++		list_add(&pe->out_of_order_entry, lh);
++	}
+ }
+ 
+ /*
+@@ -1558,6 +1613,8 @@ __find_pending_exception(struct dm_snapshot *s,
+ 		return NULL;
+ 	}
+ 
++	pe->exception_sequence = s->exception_start_sequence++;
++
+ 	dm_insert_exception(&s->pending, &pe->e);
+ 
+ 	return pe;
+@@ -2200,7 +2257,7 @@ static struct target_type origin_target = {
+ 
+ static struct target_type snapshot_target = {
+ 	.name    = "snapshot",
+-	.version = {1, 10, 1},
++	.version = {1, 10, 2},
+ 	.module  = THIS_MODULE,
+ 	.ctr     = snapshot_ctr,
+ 	.dtr     = snapshot_dtr,
+diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
+index 52848ab..5c52582 100644
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -215,6 +215,11 @@ int dm_table_create(struct dm_table **result, fmode_t mode,
+ 
+ 	num_targets = dm_round_up(num_targets, KEYS_PER_NODE);
+ 
++	if (!num_targets) {
++		kfree(t);
++		return -ENOMEM;
++	}
++
+ 	if (alloc_targets(t, num_targets)) {
+ 		kfree(t);
+ 		t = NULL;
+@@ -581,14 +586,28 @@ static int adjoin(struct dm_table *table, struct dm_target *ti)
+ 
+ /*
+  * Used to dynamically allocate the arg array.
++ *
++ * We do first allocation with GFP_NOIO because dm-mpath and dm-thin must
++ * process messages even if some device is suspended. These messages have a
++ * small fixed number of arguments.
++ *
++ * On the other hand, dm-switch needs to process bulk data using messages and
++ * excessive use of GFP_NOIO could cause trouble.
+  */
+ static char **realloc_argv(unsigned *array_size, char **old_argv)
+ {
+ 	char **argv;
+ 	unsigned new_size;
++	gfp_t gfp;
+ 
+-	new_size = *array_size ? *array_size * 2 : 64;
+-	argv = kmalloc(new_size * sizeof(*argv), GFP_KERNEL);
++	if (*array_size) {
++		new_size = *array_size * 2;
++		gfp = GFP_KERNEL;
++	} else {
++		new_size = 8;
++		gfp = GFP_NOIO;
++	}
++	argv = kmalloc(new_size * sizeof(*argv), gfp);
+ 	if (argv) {
+ 		memcpy(argv, old_argv, *array_size * sizeof(*argv));
+ 		*array_size = new_size;
+diff --git a/drivers/media/video/saa7164/saa7164-core.c b/drivers/media/video/saa7164/saa7164-core.c
+index 3b7d7b4..8f3c47e 100644
+--- a/drivers/media/video/saa7164/saa7164-core.c
++++ b/drivers/media/video/saa7164/saa7164-core.c
+@@ -1386,9 +1386,11 @@ static int __devinit saa7164_initdev(struct pci_dev *pci_dev,
+ 		if (fw_debug) {
+ 			dev->kthread = kthread_run(saa7164_thread_function, dev,
+ 				"saa7164 debug");
+-			if (!dev->kthread)
++			if (IS_ERR(dev->kthread)) {
++				dev->kthread = NULL;
+ 				printk(KERN_ERR "%s() Failed to create "
+ 					"debug kernel thread\n", __func__);
++			}
+ 		}
+ 
+ 	} /* != BOARD_UNKNOWN */
+diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c
+index 00e5fcac8..cbee842 100644
+--- a/drivers/misc/enclosure.c
++++ b/drivers/misc/enclosure.c
+@@ -198,6 +198,13 @@ static void enclosure_remove_links(struct enclosure_component *cdev)
+ {
+ 	char name[ENCLOSURE_NAME_SIZE];
+ 
++	/*
++	 * In odd circumstances, like multipath devices, something else may
++	 * already have removed the links, so check for this condition first.
++	 */
++	if (!cdev->dev->kobj.sd)
++		return;
++
+ 	enclosure_link_name(cdev, name);
+ 	sysfs_remove_link(&cdev->dev->kobj, name);
+ 	sysfs_remove_link(&cdev->cdev.kobj, "device");
+diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
+index 74793af..4802f7f 100644
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -634,7 +634,7 @@ static int mmc_blk_cmd_error(struct request *req, const char *name, int error,
+  * Otherwise we don't understand what happened, so abort.
+  */
+ static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req,
+-	struct mmc_blk_request *brq, int *ecc_err)
++	struct mmc_blk_request *brq, int *ecc_err, int *gen_err)
+ {
+ 	bool prev_cmd_status_valid = true;
+ 	u32 status, stop_status = 0;
+@@ -665,6 +665,16 @@ static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req,
+ 	    (brq->cmd.resp[0] & R1_CARD_ECC_FAILED))
+ 		*ecc_err = 1;
+ 
++	/* Flag General errors */
++	if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ)
++		if ((status & R1_ERROR) ||
++			(brq->stop.resp[0] & R1_ERROR)) {
++			pr_err("%s: %s: general error sending stop or status command, stop cmd response %#x, card status %#x\n",
++			       req->rq_disk->disk_name, __func__,
++			       brq->stop.resp[0], status);
++			*gen_err = 1;
++		}
++
+ 	/*
+ 	 * Check the current card state.  If it is in some data transfer
+ 	 * mode, tell it to stop (and hopefully transition back to TRAN.)
+@@ -684,6 +694,13 @@ static int mmc_blk_cmd_recovery(struct mmc_card *card, struct request *req,
+ 			return ERR_ABORT;
+ 		if (stop_status & R1_CARD_ECC_FAILED)
+ 			*ecc_err = 1;
++		if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ)
++			if (stop_status & R1_ERROR) {
++				pr_err("%s: %s: general error sending stop command, stop cmd response %#x\n",
++				       req->rq_disk->disk_name, __func__,
++				       stop_status);
++				*gen_err = 1;
++			}
+ 	}
+ 
+ 	/* Check for set block count errors */
+@@ -933,7 +950,7 @@ static int mmc_blk_err_check(struct mmc_card *card,
+ 						    mmc_active);
+ 	struct mmc_blk_request *brq = &mq_mrq->brq;
+ 	struct request *req = mq_mrq->req;
+-	int ecc_err = 0;
++	int ecc_err = 0, gen_err = 0;
+ 
+ 	/*
+ 	 * sbc.error indicates a problem with the set block count
+@@ -947,7 +964,7 @@ static int mmc_blk_err_check(struct mmc_card *card,
+ 	 */
+ 	if (brq->sbc.error || brq->cmd.error || brq->stop.error ||
+ 	    brq->data.error) {
+-		switch (mmc_blk_cmd_recovery(card, req, brq, &ecc_err)) {
++		switch (mmc_blk_cmd_recovery(card, req, brq, &ecc_err, &gen_err)) {
+ 		case ERR_RETRY:
+ 			return MMC_BLK_RETRY;
+ 		case ERR_ABORT:
+@@ -975,6 +992,15 @@ static int mmc_blk_err_check(struct mmc_card *card,
+ 	 */
+ 	if (!mmc_host_is_spi(card->host) && rq_data_dir(req) != READ) {
+ 		u32 status;
++
++		/* Check stop command response */
++		if (brq->stop.resp[0] & R1_ERROR) {
++			pr_err("%s: %s: general error sending stop command, stop cmd response %#x\n",
++			       req->rq_disk->disk_name, __func__,
++			       brq->stop.resp[0]);
++			gen_err = 1;
++		}
++
+ 		do {
+ 			int err = get_card_status(card, &status, 5);
+ 			if (err) {
+@@ -982,6 +1008,14 @@ static int mmc_blk_err_check(struct mmc_card *card,
+ 				       req->rq_disk->disk_name, err);
+ 				return MMC_BLK_CMD_ERR;
+ 			}
++
++			if (status & R1_ERROR) {
++				pr_err("%s: %s: general error sending status command, card status %#x\n",
++				       req->rq_disk->disk_name, __func__,
++				       status);
++				gen_err = 1;
++			}
++
+ 			/*
+ 			 * Some cards mishandle the status bits,
+ 			 * so make sure to check both the busy
+@@ -991,6 +1025,13 @@ static int mmc_blk_err_check(struct mmc_card *card,
+ 			 (R1_CURRENT_STATE(status) == R1_STATE_PRG));
+ 	}
+ 
++	/* if general error occurs, retry the write operation. */
++	if (gen_err) {
++		pr_warning("%s: retrying write for general error\n",
++				req->rq_disk->disk_name);
++		return MMC_BLK_RETRY;
++	}
++
+ 	if (brq->data.error) {
+ 		pr_err("%s: error %d transferring data, sector %u, nr %u, cmd response %#x, card status %#x\n",
+ 		       req->rq_disk->disk_name, brq->data.error,
+diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c
+index 9f9982f..3d6beb7 100644
+--- a/drivers/mtd/devices/m25p80.c
++++ b/drivers/mtd/devices/m25p80.c
+@@ -71,7 +71,7 @@
+ 
+ /* Define max times to check status register before we give up. */
+ #define	MAX_READY_WAIT_JIFFIES	(40 * HZ)	/* M25P16 specs 40s max chip erase */
+-#define	MAX_CMD_SIZE		5
++#define	MAX_CMD_SIZE		6
+ 
+ #ifdef CONFIG_M25PXX_USE_FAST_READ
+ #define OPCODE_READ 	OPCODE_FAST_READ
+@@ -874,14 +874,13 @@ static int __devinit m25p_probe(struct spi_device *spi)
+ 		}
+ 	}
+ 
+-	flash = kzalloc(sizeof *flash, GFP_KERNEL);
++	flash = devm_kzalloc(&spi->dev, sizeof(*flash), GFP_KERNEL);
+ 	if (!flash)
+ 		return -ENOMEM;
+-	flash->command = kmalloc(MAX_CMD_SIZE + FAST_READ_DUMMY_BYTE, GFP_KERNEL);
+-	if (!flash->command) {
+-		kfree(flash);
++
++	flash->command = devm_kzalloc(&spi->dev, MAX_CMD_SIZE, GFP_KERNEL);
++	if (!flash->command)
+ 		return -ENOMEM;
+-	}
+ 
+ 	flash->spi = spi;
+ 	mutex_init(&flash->lock);
+@@ -978,14 +977,10 @@ static int __devinit m25p_probe(struct spi_device *spi)
+ static int __devexit m25p_remove(struct spi_device *spi)
+ {
+ 	struct m25p	*flash = dev_get_drvdata(&spi->dev);
+-	int		status;
+ 
+ 	/* Clean up MTD stuff. */
+-	status = mtd_device_unregister(&flash->mtd);
+-	if (status == 0) {
+-		kfree(flash->command);
+-		kfree(flash);
+-	}
++	mtd_device_unregister(&flash->mtd);
++
+ 	return 0;
+ }
+ 
+diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+index f39f83e..d6a7764 100644
+--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+@@ -227,8 +227,6 @@ static void dma_irq_callback(void *param)
+ 	struct gpmi_nand_data *this = param;
+ 	struct completion *dma_c = &this->dma_done;
+ 
+-	complete(dma_c);
+-
+ 	switch (this->dma_type) {
+ 	case DMA_FOR_COMMAND:
+ 		dma_unmap_sg(this->dev, &this->cmd_sgl, 1, DMA_TO_DEVICE);
+@@ -253,6 +251,8 @@ static void dma_irq_callback(void *param)
+ 	default:
+ 		pr_err("in wrong DMA operation.\n");
+ 	}
++
++	complete(dma_c);
+ }
+ 
+ int start_dma_without_bch_irq(struct gpmi_nand_data *this,
+diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
+index daed698..46ed296 100644
+--- a/drivers/mtd/nand/nand_base.c
++++ b/drivers/mtd/nand/nand_base.c
+@@ -2895,10 +2895,22 @@ static int nand_flash_detect_onfi(struct mtd_info *mtd, struct nand_chip *chip,
+ 	sanitize_string(p->model, sizeof(p->model));
+ 	if (!mtd->name)
+ 		mtd->name = p->model;
++
+ 	mtd->writesize = le32_to_cpu(p->byte_per_page);
+-	mtd->erasesize = le32_to_cpu(p->pages_per_block) * mtd->writesize;
++
++	/*
++	 * pages_per_block and blocks_per_lun may not be a power-of-2 size
++	 * (don't ask me who thought of this...). MTD assumes that these
++	 * dimensions will be power-of-2, so just truncate the remaining area.
++	 */
++	mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1);
++	mtd->erasesize *= mtd->writesize;
++
+ 	mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
+-	chip->chipsize = (uint64_t)le32_to_cpu(p->blocks_per_lun) * mtd->erasesize;
++
++	/* See erasesize comment */
++	chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
++	chip->chipsize *= (uint64_t)mtd->erasesize;
+ 	*busw = 0;
+ 	if (le16_to_cpu(p->features) & 1)
+ 		*busw = NAND_BUSWIDTH_16;
+diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
+index 8ed48c2..cf95bd8 100644
+--- a/drivers/net/bonding/bond_sysfs.c
++++ b/drivers/net/bonding/bond_sysfs.c
+@@ -534,8 +534,9 @@ static ssize_t bonding_store_arp_interval(struct device *d,
+ 		goto out;
+ 	}
+ 	if (bond->params.mode == BOND_MODE_ALB ||
+-	    bond->params.mode == BOND_MODE_TLB) {
+-		pr_info("%s: ARP monitoring cannot be used with ALB/TLB. Only MII monitoring is supported on %s.\n",
++	    bond->params.mode == BOND_MODE_TLB ||
++	    bond->params.mode == BOND_MODE_8023AD) {
++		pr_info("%s: ARP monitoring cannot be used with ALB/TLB/802.3ad. Only MII monitoring is supported on %s.\n",
+ 			bond->dev->name, bond->dev->name);
+ 		ret = -EINVAL;
+ 		goto out;
+@@ -693,6 +694,8 @@ static ssize_t bonding_store_downdelay(struct device *d,
+ 	int new_value, ret = count;
+ 	struct bonding *bond = to_bond(d);
+ 
++	if (!rtnl_trylock())
++		return restart_syscall();
+ 	if (!(bond->params.miimon)) {
+ 		pr_err("%s: Unable to set down delay as MII monitoring is disabled\n",
+ 		       bond->dev->name);
+@@ -726,6 +729,7 @@ static ssize_t bonding_store_downdelay(struct device *d,
+ 	}
+ 
+ out:
++	rtnl_unlock();
+ 	return ret;
+ }
+ static DEVICE_ATTR(downdelay, S_IRUGO | S_IWUSR,
+@@ -748,6 +752,8 @@ static ssize_t bonding_store_updelay(struct device *d,
+ 	int new_value, ret = count;
+ 	struct bonding *bond = to_bond(d);
+ 
++	if (!rtnl_trylock())
++		return restart_syscall();
+ 	if (!(bond->params.miimon)) {
+ 		pr_err("%s: Unable to set up delay as MII monitoring is disabled\n",
+ 		       bond->dev->name);
+@@ -781,6 +787,7 @@ static ssize_t bonding_store_updelay(struct device *d,
+ 	}
+ 
+ out:
++	rtnl_unlock();
+ 	return ret;
+ }
+ static DEVICE_ATTR(updelay, S_IRUGO | S_IWUSR,
+diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c
+index 64647d4..91d1b5a 100644
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -764,9 +764,6 @@ static int c_can_do_rx_poll(struct net_device *dev, int quota)
+ 			msg_ctrl_save = priv->read_reg(priv,
+ 					&priv->regs->ifregs[0].msg_cntrl);
+ 
+-			if (msg_ctrl_save & IF_MCONT_EOB)
+-				return num_rx_pkts;
+-
+ 			if (msg_ctrl_save & IF_MCONT_MSGLST) {
+ 				c_can_handle_lost_msg_obj(dev, 0, msg_obj);
+ 				num_rx_pkts++;
+@@ -774,6 +771,9 @@ static int c_can_do_rx_poll(struct net_device *dev, int quota)
+ 				continue;
+ 			}
+ 
++			if (msg_ctrl_save & IF_MCONT_EOB)
++				return num_rx_pkts;
++
+ 			if (!(msg_ctrl_save & IF_MCONT_NEWDAT))
+ 				continue;
+ 
+diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c
+index 6a1acfe..568b821 100644
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -488,19 +488,19 @@ irqreturn_t sja1000_interrupt(int irq, void *dev_id)
+ 	uint8_t isrc, status;
+ 	int n = 0;
+ 
+-	/* Shared interrupts and IRQ off? */
+-	if (priv->read_reg(priv, REG_IER) == IRQ_OFF)
+-		return IRQ_NONE;
+-
+ 	if (priv->pre_irq)
+ 		priv->pre_irq(priv);
+ 
++	/* Shared interrupts and IRQ off? */
++	if (priv->read_reg(priv, REG_IER) == IRQ_OFF)
++		goto out;
++
+ 	while ((isrc = priv->read_reg(priv, REG_IR)) && (n < SJA1000_MAX_IRQ)) {
+-		n++;
++
+ 		status = priv->read_reg(priv, SJA1000_REG_SR);
+ 		/* check for absent controller due to hw unplug */
+ 		if (status == 0xFF && sja1000_is_absent(priv))
+-			return IRQ_NONE;
++			goto out;
+ 
+ 		if (isrc & IRQ_WUI)
+ 			dev_warn(dev->dev.parent, "wakeup interrupt\n");
+@@ -519,7 +519,7 @@ irqreturn_t sja1000_interrupt(int irq, void *dev_id)
+ 				status = priv->read_reg(priv, SJA1000_REG_SR);
+ 				/* check for absent controller */
+ 				if (status == 0xFF && sja1000_is_absent(priv))
+-					return IRQ_NONE;
++					goto out;
+ 			}
+ 		}
+ 		if (isrc & (IRQ_DOI | IRQ_EI | IRQ_BEI | IRQ_EPI | IRQ_ALI)) {
+@@ -527,8 +527,9 @@ irqreturn_t sja1000_interrupt(int irq, void *dev_id)
+ 			if (sja1000_err(dev, isrc, status))
+ 				break;
+ 		}
++		n++;
+ 	}
+-
++out:
+ 	if (priv->post_irq)
+ 		priv->post_irq(priv);
+ 
+diff --git a/drivers/net/ethernet/smsc/smc91x.h b/drivers/net/ethernet/smsc/smc91x.h
+index 5f53fbb..ff1af41 100644
+--- a/drivers/net/ethernet/smsc/smc91x.h
++++ b/drivers/net/ethernet/smsc/smc91x.h
+@@ -46,7 +46,8 @@
+     defined(CONFIG_MACH_LITTLETON) ||\
+     defined(CONFIG_MACH_ZYLONITE2) ||\
+     defined(CONFIG_ARCH_VIPER) ||\
+-    defined(CONFIG_MACH_STARGATE2)
++    defined(CONFIG_MACH_STARGATE2) ||\
++    defined(CONFIG_ARCH_VERSATILE)
+ 
+ #include <asm/mach-types.h>
+ 
+@@ -154,6 +155,8 @@ static inline void SMC_outw(u16 val, void __iomem *ioaddr, int reg)
+ #define SMC_outl(v, a, r)	writel(v, (a) + (r))
+ #define SMC_insl(a, r, p, l)	readsl((a) + (r), p, l)
+ #define SMC_outsl(a, r, p, l)	writesl((a) + (r), p, l)
++#define SMC_insw(a, r, p, l)	readsw((a) + (r), p, l)
++#define SMC_outsw(a, r, p, l)	writesw((a) + (r), p, l)
+ #define SMC_IRQ_FLAGS		(-1)	/* from resource */
+ 
+ /* We actually can't write halfwords properly if not word aligned */
+@@ -206,23 +209,6 @@ SMC_outw(u16 val, void __iomem *ioaddr, int reg)
+ #define RPC_LSA_DEFAULT		RPC_LED_TX_RX
+ #define RPC_LSB_DEFAULT		RPC_LED_100_10
+ 
+-#elif	defined(CONFIG_ARCH_VERSATILE)
+-
+-#define SMC_CAN_USE_8BIT	1
+-#define SMC_CAN_USE_16BIT	1
+-#define SMC_CAN_USE_32BIT	1
+-#define SMC_NOWAIT		1
+-
+-#define SMC_inb(a, r)		readb((a) + (r))
+-#define SMC_inw(a, r)		readw((a) + (r))
+-#define SMC_inl(a, r)		readl((a) + (r))
+-#define SMC_outb(v, a, r)	writeb(v, (a) + (r))
+-#define SMC_outw(v, a, r)	writew(v, (a) + (r))
+-#define SMC_outl(v, a, r)	writel(v, (a) + (r))
+-#define SMC_insl(a, r, p, l)	readsl((a) + (r), p, l)
+-#define SMC_outsl(a, r, p, l)	writesl((a) + (r), p, l)
+-#define SMC_IRQ_FLAGS		(-1)	/* from resource */
+-
+ #elif defined(CONFIG_MN10300)
+ 
+ /*
+diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
+index 1161584..2f319d1 100644
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -985,8 +985,6 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (error < 0)
+ 		goto end;
+ 
+-	m->msg_namelen = 0;
+-
+ 	if (skb) {
+ 		total_len = min_t(size_t, total_len, skb->len);
+ 		error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len);
+diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
+index d8d8f0d..35d86fa 100644
+--- a/drivers/net/wireless/libertas/debugfs.c
++++ b/drivers/net/wireless/libertas/debugfs.c
+@@ -919,7 +919,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ 	char *p2;
+ 	struct debug_data *d = f->private_data;
+ 
+-	pdata = kmalloc(cnt, GFP_KERNEL);
++	if (cnt == 0)
++		return 0;
++
++	pdata = kmalloc(cnt + 1, GFP_KERNEL);
+ 	if (pdata == NULL)
+ 		return 0;
+ 
+@@ -928,6 +931,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ 		kfree(pdata);
+ 		return 0;
+ 	}
++	pdata[cnt] = '\0';
+ 
+ 	p0 = pdata;
+ 	for (i = 0; i < num_of_items; i++) {
+diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c
+index 17f8720..72b253d2 100644
+--- a/drivers/net/wireless/mwifiex/sdio.c
++++ b/drivers/net/wireless/mwifiex/sdio.c
+@@ -936,7 +936,10 @@ static int mwifiex_decode_rx_packet(struct mwifiex_adapter *adapter,
+ 				    struct sk_buff *skb, u32 upld_typ)
+ {
+ 	u8 *cmd_buf;
++	__le16 *curr_ptr = (__le16 *)skb->data;
++	u16 pkt_len = le16_to_cpu(*curr_ptr);
+ 
++	skb_trim(skb, pkt_len);
+ 	skb_pull(skb, INTF_HEADER_LEN);
+ 
+ 	switch (upld_typ) {
+diff --git a/drivers/net/wireless/prism54/islpci_dev.c b/drivers/net/wireless/prism54/islpci_dev.c
+index 5d0f615..e2fa538 100644
+--- a/drivers/net/wireless/prism54/islpci_dev.c
++++ b/drivers/net/wireless/prism54/islpci_dev.c
+@@ -812,6 +812,10 @@ static const struct net_device_ops islpci_netdev_ops = {
+ 	.ndo_validate_addr	= eth_validate_addr,
+ };
+ 
++static struct device_type wlan_type = {
++	.name	= "wlan",
++};
++
+ struct net_device *
+ islpci_setup(struct pci_dev *pdev)
+ {
+@@ -822,9 +826,8 @@ islpci_setup(struct pci_dev *pdev)
+ 		return ndev;
+ 
+ 	pci_set_drvdata(pdev, ndev);
+-#if defined(SET_NETDEV_DEV)
+ 	SET_NETDEV_DEV(ndev, &pdev->dev);
+-#endif
++	SET_NETDEV_DEVTYPE(ndev, &wlan_type);
+ 
+ 	/* setup the structure members */
+ 	ndev->base_addr = pci_resource_start(pdev, 0);
+diff --git a/drivers/net/wireless/rt2x00/rt2400pci.c b/drivers/net/wireless/rt2x00/rt2400pci.c
+index 0ea85f4..131b22b 100644
+--- a/drivers/net/wireless/rt2x00/rt2400pci.c
++++ b/drivers/net/wireless/rt2x00/rt2400pci.c
+@@ -1253,7 +1253,7 @@ static void rt2400pci_fill_rxdone(struct queue_entry *entry,
+ 	 */
+ 	rxdesc->timestamp = ((u64)rx_high << 32) | rx_low;
+ 	rxdesc->signal = rt2x00_get_field32(word2, RXD_W2_SIGNAL) & ~0x08;
+-	rxdesc->rssi = rt2x00_get_field32(word2, RXD_W3_RSSI) -
++	rxdesc->rssi = rt2x00_get_field32(word3, RXD_W3_RSSI) -
+ 	    entry->queue->rt2x00dev->rssi_offset;
+ 	rxdesc->size = rt2x00_get_field32(word0, RXD_W0_DATABYTE_COUNT);
+ 
+diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
+index 921da9a..5c38281 100644
+--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
++++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
+@@ -771,6 +771,9 @@ void rt2x00mac_flush(struct ieee80211_hw *hw, bool drop)
+ 	struct rt2x00_dev *rt2x00dev = hw->priv;
+ 	struct data_queue *queue;
+ 
++	if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags))
++		return;
++
+ 	tx_queue_for_each(rt2x00dev, queue)
+ 		rt2x00queue_flush_queue(queue, drop);
+ }
+diff --git a/drivers/net/wireless/rtlwifi/base.c b/drivers/net/wireless/rtlwifi/base.c
+index b4ce934..a917a22 100644
+--- a/drivers/net/wireless/rtlwifi/base.c
++++ b/drivers/net/wireless/rtlwifi/base.c
+@@ -31,6 +31,7 @@
+ 
+ #include <linux/ip.h>
+ #include <linux/module.h>
++#include <linux/udp.h>
+ #include "wifi.h"
+ #include "rc.h"
+ #include "base.h"
+@@ -956,60 +957,51 @@ u8 rtl_is_special_data(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx)
+ 	if (!ieee80211_is_data(fc))
+ 		return false;
+ 
++	ip = (const struct iphdr *)(skb->data + mac_hdr_len +
++				    SNAP_SIZE + PROTOC_TYPE_SIZE);
++	ether_type = be16_to_cpup((__be16 *)
++				  (skb->data + mac_hdr_len + SNAP_SIZE));
+ 
+-	ip = (struct iphdr *)((u8 *) skb->data + mac_hdr_len +
+-			      SNAP_SIZE + PROTOC_TYPE_SIZE);
+-	ether_type = *(u16 *) ((u8 *) skb->data + mac_hdr_len + SNAP_SIZE);
+-	/*	ether_type = ntohs(ether_type); */
+-
+-	if (ETH_P_IP == ether_type) {
+-		if (IPPROTO_UDP == ip->protocol) {
+-			struct udphdr *udp = (struct udphdr *)((u8 *) ip +
+-							       (ip->ihl << 2));
+-			if (((((u8 *) udp)[1] == 68) &&
+-			     (((u8 *) udp)[3] == 67)) ||
+-			    ((((u8 *) udp)[1] == 67) &&
+-			     (((u8 *) udp)[3] == 68))) {
+-				/*
+-				 * 68 : UDP BOOTP client
+-				 * 67 : UDP BOOTP server
+-				 */
+-				RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV),
+-					 DBG_DMESG, ("dhcp %s !!\n",
+-						     (is_tx) ? "Tx" : "Rx"));
+-
+-				if (is_tx) {
+-					rtl_lps_leave(hw);
+-					ppsc->last_delaylps_stamp_jiffies =
+-					    jiffies;
+-				}
+-
+-				return true;
+-			}
+-		}
+-	} else if (ETH_P_ARP == ether_type) {
+-		if (is_tx) {
+-			rtl_lps_leave(hw);
+-			ppsc->last_delaylps_stamp_jiffies = jiffies;
+-		}
++	switch (ether_type) {
++	case ETH_P_IP: {
++		struct udphdr *udp;
++		u16 src;
++		u16 dst;
+ 
+-		return true;
+-	} else if (ETH_P_PAE == ether_type) {
+-		RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG,
+-			 ("802.1X %s EAPOL pkt!!\n", (is_tx) ? "Tx" : "Rx"));
++		if (ip->protocol != IPPROTO_UDP)
++			return false;
++		udp = (struct udphdr *)((u8 *)ip + (ip->ihl << 2));
++		src = be16_to_cpu(udp->source);
++		dst = be16_to_cpu(udp->dest);
+ 
+-		if (is_tx) {
+-			rtl_lps_leave(hw);
+-			ppsc->last_delaylps_stamp_jiffies = jiffies;
+-		}
++		/* If this case involves port 68 (UDP BOOTP client) connecting
++		 * with port 67 (UDP BOOTP server), then return true so that
++		 * the lowest speed is used.
++		 */
++		if (!((src == 68 && dst == 67) || (src == 67 && dst == 68)))
++			return false;
+ 
+-		return true;
+-	} else if (ETH_P_IPV6 == ether_type) {
+-		/* IPv6 */
+-		return true;
++		RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG,
++			 ("dhcp %s !!\n", is_tx ? "Tx" : "Rx"));
++		break;
+ 	}
+-
+-	return false;
++	case ETH_P_ARP:
++		break;
++	case ETH_P_PAE:
++		RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG,
++			 ("802.1X %s EAPOL pkt!!\n", is_tx ? "Tx" : "Rx"));
++		break;
++	case ETH_P_IPV6:
++		/* TODO: Is this right? */
++		return false;
++	default:
++		return false;
++	}
++	if (is_tx) {
++		rtl_lps_leave(hw);
++		ppsc->last_delaylps_stamp_jiffies = jiffies;
++	}
++	return true;
+ }
+ 
+ /*********************************************************
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c
+index 060a06f..5515215 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c
+@@ -782,7 +782,7 @@ static long _rtl92c_signal_scale_mapping(struct ieee80211_hw *hw,
+ 
+ static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw,
+ 				      struct rtl_stats *pstats,
+-				      struct rx_desc_92c *pdesc,
++				      struct rx_desc_92c *p_desc,
+ 				      struct rx_fwinfo_92c *p_drvinfo,
+ 				      bool packet_match_bssid,
+ 				      bool packet_toself,
+@@ -797,11 +797,11 @@ static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw,
+ 	u32 rssi, total_rssi = 0;
+ 	bool in_powersavemode = false;
+ 	bool is_cck_rate;
++	u8 *pdesc = (u8 *)p_desc;
+ 
+-	is_cck_rate = RX_HAL_IS_CCK_RATE(pdesc);
++	is_cck_rate = RX_HAL_IS_CCK_RATE(p_desc);
+ 	pstats->packet_matchbssid = packet_match_bssid;
+ 	pstats->packet_toself = packet_toself;
+-	pstats->is_cck = is_cck_rate;
+ 	pstats->packet_beacon = packet_beacon;
+ 	pstats->is_cck = is_cck_rate;
+ 	pstats->RX_SIGQ[0] = -1;
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c
+index a7e1a2c..a6ea2d9 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c
+@@ -303,10 +303,10 @@ out:
+ bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw,
+ 			   struct rtl_stats *stats,
+ 			   struct ieee80211_rx_status *rx_status,
+-			   u8 *p_desc, struct sk_buff *skb)
++			   u8 *pdesc, struct sk_buff *skb)
+ {
+ 	struct rx_fwinfo_92c *p_drvinfo;
+-	struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc;
++	struct rx_desc_92c *p_desc = (struct rx_desc_92c *)pdesc;
+ 	u32 phystatus = GET_RX_DESC_PHY_STATUS(pdesc);
+ 
+ 	stats->length = (u16) GET_RX_DESC_PKT_LEN(pdesc);
+@@ -345,11 +345,11 @@ bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw,
+ 	if (phystatus) {
+ 		p_drvinfo = (struct rx_fwinfo_92c *)(skb->data +
+ 						     stats->rx_bufshift);
+-		rtl92c_translate_rx_signal_stuff(hw, skb, stats, pdesc,
++		rtl92c_translate_rx_signal_stuff(hw, skb, stats, p_desc,
+ 						 p_drvinfo);
+ 	}
+ 	/*rx_status->qual = stats->signal; */
+-	rx_status->signal = stats->rssi + 10;
++	rx_status->signal = stats->recvsignalpower + 10;
+ 	/*rx_status->noise = -stats->noise; */
+ 	return true;
+ }
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c
+index 3637c0c..639b57b 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192de/trx.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192de/trx.c
+@@ -529,7 +529,7 @@ bool rtl92de_rx_query_desc(struct ieee80211_hw *hw,	struct rtl_stats *stats,
+ 						   p_drvinfo);
+ 	}
+ 	/*rx_status->qual = stats->signal; */
+-	rx_status->signal = stats->rssi + 10;
++	rx_status->signal = stats->recvsignalpower + 10;
+ 	/*rx_status->noise = -stats->noise; */
+ 	return true;
+ }
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c
+index 0ad50fe..13081d9 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c
+@@ -274,7 +274,7 @@ static void _rtl92s_get_txpower_writeval_byregulatory(struct ieee80211_hw *hw,
+ 				    rtlefuse->pwrgroup_ht40
+ 				    [RF90_PATH_A][chnl - 1]) {
+ 					pwrdiff_limit[i] =
+-					  rtlefuse->pwrgroup_ht20
++					  rtlefuse->pwrgroup_ht40
+ 					  [RF90_PATH_A][chnl - 1];
+ 				}
+ 			} else {
+diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
+index fbebe3e..542a871 100644
+--- a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
+@@ -582,7 +582,7 @@ bool rtl92se_rx_query_desc(struct ieee80211_hw *hw, struct rtl_stats *stats,
+ 	}
+ 
+ 	/*rx_status->qual = stats->signal; */
+-	rx_status->signal = stats->rssi + 10;
++	rx_status->signal = stats->recvsignalpower + 10;
+ 	/*rx_status->noise = -stats->noise; */
+ 
+ 	return true;
+diff --git a/drivers/net/wireless/rtlwifi/wifi.h b/drivers/net/wireless/rtlwifi/wifi.h
+index 82baaa2..5764ef7 100644
+--- a/drivers/net/wireless/rtlwifi/wifi.h
++++ b/drivers/net/wireless/rtlwifi/wifi.h
+@@ -73,11 +73,7 @@
+ #define RTL_SLOT_TIME_9				9
+ #define RTL_SLOT_TIME_20			20
+ 
+-/*related with tcp/ip. */
+-/*if_ehther.h*/
+-#define ETH_P_PAE		0x888E	/*Port Access Entity (IEEE 802.1X) */
+-#define ETH_P_IP		0x0800	/*Internet Protocol packet */
+-#define ETH_P_ARP		0x0806	/*Address Resolution packet */
++/*related to tcp/ip. */
+ #define SNAP_SIZE		6
+ #define PROTOC_TYPE_SIZE	2
+ 
+diff --git a/drivers/pci/pcie/portdrv_pci.c b/drivers/pci/pcie/portdrv_pci.c
+index e0610bd..7e41b70 100644
+--- a/drivers/pci/pcie/portdrv_pci.c
++++ b/drivers/pci/pcie/portdrv_pci.c
+@@ -151,7 +151,6 @@ static int __devinit pcie_portdrv_probe(struct pci_dev *dev,
+ static void pcie_portdrv_remove(struct pci_dev *dev)
+ {
+ 	pcie_port_device_remove(dev);
+-	pci_disable_device(dev);
+ }
+ 
+ static int error_detected_iter(struct device *device, void *data)
+diff --git a/drivers/rtc/rtc-at91rm9200.c b/drivers/rtc/rtc-at91rm9200.c
+index e39b77a..15406d5 100644
+--- a/drivers/rtc/rtc-at91rm9200.c
++++ b/drivers/rtc/rtc-at91rm9200.c
+@@ -156,6 +156,8 @@ static int at91_rtc_setalarm(struct device *dev, struct rtc_wkalrm *alrm)
+ 
+ 	at91_alarm_year = tm.tm_year;
+ 
++	tm.tm_mon = alrm->time.tm_mon;
++	tm.tm_mday = alrm->time.tm_mday;
+ 	tm.tm_hour = alrm->time.tm_hour;
+ 	tm.tm_min = alrm->time.tm_min;
+ 	tm.tm_sec = alrm->time.tm_sec;
+diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
+index fff57de..55f6488 100644
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -4322,7 +4322,7 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
+ 	struct qeth_cmd_buffer *iob;
+ 	struct qeth_ipa_cmd *cmd;
+ 	struct qeth_snmp_ureq *ureq;
+-	int req_len;
++	unsigned int req_len;
+ 	struct qeth_arp_query_info qinfo = {0, };
+ 	int rc = 0;
+ 
+@@ -4338,6 +4338,10 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
+ 	/* skip 4 bytes (data_len struct member) to get req_len */
+ 	if (copy_from_user(&req_len, udata + sizeof(int), sizeof(int)))
+ 		return -EFAULT;
++	if (req_len > (QETH_BUFSIZE - IPA_PDU_HEADER_SIZE -
++		       sizeof(struct qeth_ipacmd_hdr) -
++		       sizeof(struct qeth_ipacmd_setadpparms_hdr)))
++		return -EINVAL;
+ 	ureq = memdup_user(udata, req_len + sizeof(struct qeth_snmp_ureq_hdr));
+ 	if (IS_ERR(ureq)) {
+ 		QETH_CARD_TEXT(card, 2, "snmpnome");
+diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
+index 8a0b330..1254431 100644
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -508,7 +508,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
+ 		goto cleanup;
+ 	}
+ 
+-	if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++	if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++	    (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ 		rcode = -EINVAL;
+ 		goto cleanup;
+ 	}
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 0f48550..5b7e1bf 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1186,7 +1186,7 @@ static void complete_scsi_command(struct CommandList *cp)
+ 					"has check condition: aborted command: "
+ 					"ASC: 0x%x, ASCQ: 0x%x\n",
+ 					cp, asc, ascq);
+-				cmd->result = DID_SOFT_ERROR << 16;
++				cmd->result |= DID_SOFT_ERROR << 16;
+ 				break;
+ 			}
+ 			/* Must be some other type of check condition */
+@@ -4465,7 +4465,7 @@ reinit_after_soft_reset:
+ 	hpsa_hba_inquiry(h);
+ 	hpsa_register_scsi(h);	/* hook ourselves into SCSI subsystem */
+ 	start_controller_lockup_detector(h);
+-	return 1;
++	return 0;
+ 
+ clean4:
+ 	hpsa_free_sg_chain_blocks(h);
+diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
+index 4868fc9..5e170e3 100644
+--- a/drivers/scsi/libsas/sas_ata.c
++++ b/drivers/scsi/libsas/sas_ata.c
+@@ -197,7 +197,7 @@ static unsigned int sas_ata_qc_issue(struct ata_queued_cmd *qc)
+ 		qc->tf.nsect = 0;
+ 	}
+ 
+-	ata_tf_to_fis(&qc->tf, 1, 0, (u8*)&task->ata_task.fis);
++	ata_tf_to_fis(&qc->tf, qc->dev->link->pmp, 1, (u8 *)&task->ata_task.fis);
+ 	task->uldd_task = qc;
+ 	if (ata_is_atapi(qc->tf.protocol)) {
+ 		memcpy(task->ata_task.atapi_packet, qc->cdb, qc->dev->cdb_len);
+diff --git a/drivers/staging/tidspbridge/Kconfig b/drivers/staging/tidspbridge/Kconfig
+index 93de4f2..b27d9aa 100644
+--- a/drivers/staging/tidspbridge/Kconfig
++++ b/drivers/staging/tidspbridge/Kconfig
+@@ -4,7 +4,7 @@
+ 
+ menuconfig TIDSPBRIDGE
+ 	tristate "DSP Bridge driver"
+-	depends on ARCH_OMAP3
++	depends on ARCH_OMAP3 && BROKEN
+ 	select OMAP_MBOX_FWK
+ 	help
+ 	  DSP/BIOS Bridge is designed for platforms that contain a GPP and
+diff --git a/drivers/staging/zram/zram_sysfs.c b/drivers/staging/zram/zram_sysfs.c
+index 1fae1e9..fc552d8 100644
+--- a/drivers/staging/zram/zram_sysfs.c
++++ b/drivers/staging/zram/zram_sysfs.c
+@@ -95,20 +95,27 @@ static ssize_t reset_store(struct device *dev,
+ 	zram = dev_to_zram(dev);
+ 	bdev = bdget_disk(zram->disk, 0);
+ 
++	if (!bdev)
++		return -ENOMEM;
++
+ 	/* Do not reset an active device! */
+-	if (bdev->bd_holders)
+-		return -EBUSY;
++	if (bdev->bd_holders) {
++		ret = -EBUSY;
++		goto out;
++	}
+ 
+ 	ret = strict_strtoul(buf, 10, &do_reset);
+ 	if (ret)
+-		return ret;
++		goto out;
+ 
+-	if (!do_reset)
+-		return -EINVAL;
++	if (!do_reset) {
++		ret = -EINVAL;
++		goto out;
++	}
+ 
+ 	/* Make sure all pending I/O is finished */
+-	if (bdev)
+-		fsync_bdev(bdev);
++	fsync_bdev(bdev);
++	bdput(bdev);
+ 
+ 	down_write(&zram->init_lock);
+ 	if (zram->init_done)
+@@ -116,6 +123,10 @@ static ssize_t reset_store(struct device *dev,
+ 	up_write(&zram->init_lock);
+ 
+ 	return len;
++
++out:
++	bdput(bdev);
++	return ret;
+ }
+ 
+ static ssize_t num_reads_show(struct device *dev,
+diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
+index 1cd6ce3..59e7378 100644
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -172,6 +172,7 @@ static int chap_server_compute_md5(
+ 	unsigned char client_digest[MD5_SIGNATURE_SIZE];
+ 	unsigned char server_digest[MD5_SIGNATURE_SIZE];
+ 	unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH];
++	size_t compare_len;
+ 	struct iscsi_chap *chap = (struct iscsi_chap *) conn->auth_protocol;
+ 	struct crypto_hash *tfm;
+ 	struct hash_desc desc;
+@@ -210,7 +211,9 @@ static int chap_server_compute_md5(
+ 		goto out;
+ 	}
+ 
+-	if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) {
++	/* Include the terminating NULL in the compare */
++	compare_len = strlen(auth->userid) + 1;
++	if (strncmp(chap_n, auth->userid, compare_len) != 0) {
+ 		pr_err("CHAP_N values do not match!\n");
+ 		goto out;
+ 	}
+diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
+index 7d85f88..3486d12 100644
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -89,7 +89,7 @@ int extract_param(
+ 	if (len < 0)
+ 		return -1;
+ 
+-	if (len > max_length) {
++	if (len >= max_length) {
+ 		pr_err("Length of input: %d exeeds max_length:"
+ 			" %d\n", len, max_length);
+ 		return -1;
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 0cdff38..636ee9e 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1448,6 +1448,8 @@ static int acm_reset_resume(struct usb_interface *intf)
+ 
+ static const struct usb_device_id acm_ids[] = {
+ 	/* quirky and broken devices */
++	{ USB_DEVICE(0x17ef, 0x7000), /* Lenovo USB modem */
++	.driver_info = NO_UNION_NORMAL, },/* has no union descriptor */
+ 	{ USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */
+ 	.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ 	},
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index a5ea85f..7013165 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -900,6 +900,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ 			clear_port_feature(hub->hdev, port1,
+ 					USB_PORT_FEAT_C_PORT_LINK_STATE);
+ 		}
++		if (portchange & USB_PORT_STAT_C_RESET) {
++			need_debounce_delay = true;
++			clear_port_feature(hub->hdev, port1,
++					USB_PORT_FEAT_C_RESET);
++		}
+ 
+ 		if ((portchange & USB_PORT_STAT_C_BH_RESET) &&
+ 				hub_is_superspeed(hub->hdev)) {
+@@ -3749,8 +3754,9 @@ static void hub_events(void)
+ 					hub->hdev->children[i - 1];
+ 
+ 				dev_dbg(hub_dev, "warm reset port %d\n", i);
+-				if (!udev || !(portstatus &
+-						USB_PORT_STAT_CONNECTION)) {
++				if (!udev ||
++				    !(portstatus & USB_PORT_STAT_CONNECTION) ||
++				    udev->state == USB_STATE_NOTATTACHED) {
+ 					status = hub_port_reset(hub, i,
+ 							NULL, HUB_BH_RESET_TIME,
+ 							true);
+@@ -4018,6 +4024,12 @@ static int usb_reset_and_verify_device(struct usb_device *udev)
+ 	}
+ 	parent_hub = hdev_to_hub(parent_hdev);
+ 
++	/* Disable USB2 hardware LPM.
++	 * It will be re-enabled by the enumeration process.
++	 */
++	if (udev->usb2_hw_lpm_enabled == 1)
++		usb_set_usb2_hardware_lpm(udev, 0);
++
+ 	set_bit(port1, parent_hub->busy_bits);
+ 	for (i = 0; i < SET_CONFIG_TRIES; ++i) {
+ 
+diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
+index c0dcf69..c4134e8 100644
+--- a/drivers/usb/dwc3/ep0.c
++++ b/drivers/usb/dwc3/ep0.c
+@@ -394,6 +394,8 @@ static int dwc3_ep0_handle_feature(struct dwc3 *dwc,
+ 			dep =  dwc3_wIndex_to_dep(dwc, ctrl->wIndex);
+ 			if (!dep)
+ 				return -EINVAL;
++			if (set == 0 && (dep->flags & DWC3_EP_WEDGE))
++				break;
+ 			ret = __dwc3_gadget_ep_set_halt(dep, set);
+ 			if (ret)
+ 				return -EINVAL;
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 619ee19..5f2e3d0 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -903,9 +903,6 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value)
+ 		else
+ 			dep->flags |= DWC3_EP_STALL;
+ 	} else {
+-		if (dep->flags & DWC3_EP_WEDGE)
+-			return 0;
+-
+ 		ret = dwc3_send_gadget_ep_cmd(dwc, dep->number,
+ 			DWC3_DEPCMD_CLEARSTALL, &params);
+ 		if (ret)
+@@ -913,7 +910,7 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value)
+ 					value ? "set" : "clear",
+ 					dep->name);
+ 		else
+-			dep->flags &= ~DWC3_EP_STALL;
++			dep->flags &= ~(DWC3_EP_STALL | DWC3_EP_WEDGE);
+ 	}
+ 
+ 	return ret;
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index f71b078..4484ef1 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -585,6 +585,7 @@ static void reset_config(struct usb_composite_dev *cdev)
+ 		bitmap_zero(f->endpoints, 32);
+ 	}
+ 	cdev->config = NULL;
++	cdev->delayed_status = 0;
+ }
+ 
+ static int set_config(struct usb_composite_dev *cdev,
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index a3f6fe0..85504bb 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -2192,6 +2192,20 @@ static void ftdi_set_termios(struct tty_struct *tty,
+ 		termios->c_cflag |= CRTSCTS;
+ 	}
+ 
++	/*
++	 * All FTDI UART chips are limited to CS7/8. We won't pretend to
++	 * support CS5/6 and revert the CSIZE setting instead.
++	 */
++	if ((C_CSIZE(tty) != CS8) && (C_CSIZE(tty) != CS7)) {
++		dev_warn(&port->dev, "requested CSIZE setting not supported\n");
++
++		termios->c_cflag &= ~CSIZE;
++		if (old_termios)
++			termios->c_cflag |= old_termios->c_cflag & CSIZE;
++		else
++			termios->c_cflag |= CS8;
++	}
++
+ 	cflag = termios->c_cflag;
+ 
+ 	if (!old_termios)
+@@ -2228,13 +2242,16 @@ no_skip:
+ 	} else {
+ 		urb_value |= FTDI_SIO_SET_DATA_PARITY_NONE;
+ 	}
+-	if (cflag & CSIZE) {
+-		switch (cflag & CSIZE) {
+-		case CS7: urb_value |= 7; dbg("Setting CS7"); break;
+-		case CS8: urb_value |= 8; dbg("Setting CS8"); break;
+-		default:
+-			dev_err(&port->dev, "CSIZE was set but not CS7-CS8\n");
+-		}
++	switch (cflag & CSIZE) {
++	case CS7:
++		urb_value |= 7;
++		dev_dbg(&port->dev, "Setting CS7\n");
++		break;
++	default:
++	case CS8:
++		urb_value |= 8;
++		dev_dbg(&port->dev, "Setting CS8\n");
++		break;
+ 	}
+ 
+ 	/* This is needed by the break command since it uses the same command
+diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c
+index 9f0b2bf..c0e6486 100644
+--- a/drivers/usb/serial/generic.c
++++ b/drivers/usb/serial/generic.c
+@@ -228,14 +228,7 @@ retry:
+ 		return result;
+ 	}
+ 
+-	/* Try sending off another urb, unless in irq context (in which case
+-	 * there will be no free urb). */
+-	if (!in_irq())
+-		goto retry;
+-
+-	clear_bit_unlock(USB_SERIAL_WRITE_BUSY, &port->flags);
+-
+-	return 0;
++	goto retry;	/* try sending off another urb */
+ }
+ 
+ /**
+diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
+index 5d2501e..80fc40a 100644
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -1689,7 +1689,11 @@ static int mos7840_tiocmget(struct tty_struct *tty)
+ 		return -ENODEV;
+ 
+ 	status = mos7840_get_uart_reg(port, MODEM_STATUS_REGISTER, &msr);
++	if (status != 1)
++		return -EIO;
+ 	status = mos7840_get_uart_reg(port, MODEM_CONTROL_REGISTER, &mcr);
++	if (status != 1)
++		return -EIO;
+ 	result = ((mcr & MCR_DTR) ? TIOCM_DTR : 0)
+ 	    | ((mcr & MCR_RTS) ? TIOCM_RTS : 0)
+ 	    | ((mcr & MCR_LOOPBACK) ? TIOCM_LOOP : 0)
+@@ -1983,25 +1987,25 @@ static void mos7840_change_port_settings(struct tty_struct *tty,
+ 	iflag = tty->termios->c_iflag;
+ 
+ 	/* Change the number of bits */
+-	if (cflag & CSIZE) {
+-		switch (cflag & CSIZE) {
+-		case CS5:
+-			lData = LCR_BITS_5;
+-			break;
++	switch (cflag & CSIZE) {
++	case CS5:
++		lData = LCR_BITS_5;
++		break;
+ 
+-		case CS6:
+-			lData = LCR_BITS_6;
+-			break;
++	case CS6:
++		lData = LCR_BITS_6;
++		break;
+ 
+-		case CS7:
+-			lData = LCR_BITS_7;
+-			break;
+-		default:
+-		case CS8:
+-			lData = LCR_BITS_8;
+-			break;
+-		}
++	case CS7:
++		lData = LCR_BITS_7;
++		break;
++
++	default:
++	case CS8:
++		lData = LCR_BITS_8;
++		break;
+ 	}
++
+ 	/* Change the Parity bit */
+ 	if (cflag & PARENB) {
+ 		if (cflag & PARODD) {
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index d8ace82..d6d0fb4 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -85,6 +85,7 @@ static void option_instat_callback(struct urb *urb);
+ #define HUAWEI_PRODUCT_K4505			0x1464
+ #define HUAWEI_PRODUCT_K3765			0x1465
+ #define HUAWEI_PRODUCT_K4605			0x14C6
++#define HUAWEI_PRODUCT_E173S6			0x1C07
+ 
+ #define QUANTA_VENDOR_ID			0x0408
+ #define QUANTA_PRODUCT_Q101			0xEA02
+@@ -586,6 +587,8 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) },
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
+ 		.driver_info = (kernel_ulong_t) &net_intf1_blacklist },
++	{ USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173S6, 0xff, 0xff, 0xff),
++		.driver_info = (kernel_ulong_t) &net_intf1_blacklist },
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E1750, 0xff, 0xff, 0xff),
+ 		.driver_info = (kernel_ulong_t) &net_intf2_blacklist },
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) },
+@@ -648,6 +651,10 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x6D) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x6E) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x6F) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x72) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x73) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x74) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x75) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x78) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x79) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x01, 0x7A) },
+@@ -702,6 +709,10 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x6D) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x6E) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x6F) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x72) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x73) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x74) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x75) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x78) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x79) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x7A) },
+@@ -756,6 +767,10 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6D) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6E) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6F) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x72) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x73) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x74) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x75) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x78) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x79) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x7A) },
+@@ -810,6 +825,10 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6D) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6E) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6F) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x72) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x73) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x74) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x75) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x78) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x79) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x7A) },
+@@ -864,6 +883,10 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6D) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6E) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6F) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x72) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x73) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x74) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x75) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x78) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x79) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x7A) },
+@@ -918,6 +941,10 @@ static const struct usb_device_id option_ids[] = {
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6D) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6E) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6F) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x72) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x73) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x74) },
++	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x75) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x78) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x79) },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x7A) },
+@@ -1391,6 +1418,23 @@ static const struct usb_device_id option_ids[] = {
+ 		.driver_info = (kernel_ulong_t)&net_intf2_blacklist },
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1426, 0xff, 0xff, 0xff),  /* ZTE MF91 */
+ 		.driver_info = (kernel_ulong_t)&net_intf2_blacklist },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1545, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1546, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1547, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1565, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1566, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1567, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1589, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1590, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1591, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1592, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1594, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1596, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1598, 0xff, 0xff, 0xff) },
++	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1600, 0xff, 0xff, 0xff) },
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2002, 0xff,
+ 	  0xff, 0xff), .driver_info = (kernel_ulong_t)&zte_k3765_z_blacklist },
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x2003, 0xff, 0xff, 0xff) },
+diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
+index 317e503..e3936c1 100644
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -290,24 +290,21 @@ static void pl2303_set_termios(struct tty_struct *tty,
+ 	dbg("0xa1:0x21:0:0  %d - %x %x %x %x %x %x %x", i,
+ 	    buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6]);
+ 
+-	if (cflag & CSIZE) {
+-		switch (cflag & CSIZE) {
+-		case CS5:
+-			buf[6] = 5;
+-			break;
+-		case CS6:
+-			buf[6] = 6;
+-			break;
+-		case CS7:
+-			buf[6] = 7;
+-			break;
+-		default:
+-		case CS8:
+-			buf[6] = 8;
+-			break;
+-		}
+-		dbg("%s - data bits = %d", __func__, buf[6]);
++	switch (C_CSIZE(tty)) {
++	case CS5:
++		buf[6] = 5;
++		break;
++	case CS6:
++		buf[6] = 6;
++		break;
++	case CS7:
++		buf[6] = 7;
++		break;
++	default:
++	case CS8:
++		buf[6] = 8;
+ 	}
++	dev_dbg(&port->dev, "data bits = %d\n", buf[6]);
+ 
+ 	/* For reference buf[0]:buf[3] baud rate value */
+ 	/* NOTE: Only the values defined in baud_sup are supported !
+diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c
+index f3179b0..2f67b99 100644
+--- a/drivers/usb/serial/spcp8x5.c
++++ b/drivers/usb/serial/spcp8x5.c
+@@ -394,22 +394,20 @@ static void spcp8x5_set_termios(struct tty_struct *tty,
+ 	}
+ 
+ 	/* Set Data Length : 00:5bit, 01:6bit, 10:7bit, 11:8bit */
+-	if (cflag & CSIZE) {
+-		switch (cflag & CSIZE) {
+-		case CS5:
+-			buf[1] |= SET_UART_FORMAT_SIZE_5;
+-			break;
+-		case CS6:
+-			buf[1] |= SET_UART_FORMAT_SIZE_6;
+-			break;
+-		case CS7:
+-			buf[1] |= SET_UART_FORMAT_SIZE_7;
+-			break;
+-		default:
+-		case CS8:
+-			buf[1] |= SET_UART_FORMAT_SIZE_8;
+-			break;
+-		}
++	switch (cflag & CSIZE) {
++	case CS5:
++		buf[1] |= SET_UART_FORMAT_SIZE_5;
++		break;
++	case CS6:
++		buf[1] |= SET_UART_FORMAT_SIZE_6;
++		break;
++	case CS7:
++		buf[1] |= SET_UART_FORMAT_SIZE_7;
++		break;
++	default:
++	case CS8:
++		buf[1] |= SET_UART_FORMAT_SIZE_8;
++		break;
+ 	}
+ 
+ 	/* Set Stop bit2 : 0:1bit 1:2bit */
+diff --git a/drivers/usb/wusbcore/wa-rpipe.c b/drivers/usb/wusbcore/wa-rpipe.c
+index f0d546c..ca1031b 100644
+--- a/drivers/usb/wusbcore/wa-rpipe.c
++++ b/drivers/usb/wusbcore/wa-rpipe.c
+@@ -332,7 +332,10 @@ static int rpipe_aim(struct wa_rpipe *rpipe, struct wahc *wa,
+ 	/* FIXME: compute so seg_size > ep->maxpktsize */
+ 	rpipe->descr.wBlocks = cpu_to_le16(16);		/* given */
+ 	/* ep0 maxpktsize is 0x200 (WUSB1.0[4.8.1]) */
+-	rpipe->descr.wMaxPacketSize = cpu_to_le16(ep->desc.wMaxPacketSize);
++	if (usb_endpoint_xfer_isoc(&ep->desc))
++		rpipe->descr.wMaxPacketSize = epcd->wOverTheAirPacketSize;
++	else
++		rpipe->descr.wMaxPacketSize = ep->desc.wMaxPacketSize;
+ 	rpipe->descr.bHSHubAddress = 0;			/* reserved: zero */
+ 	rpipe->descr.bHSHubPort = wusb_port_no_to_idx(urb->dev->portnum);
+ 	/* FIXME: use maximum speed as supported or recommended by device */
+diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
+index 57c01ab..5f6df6e 100644
+--- a/drivers/usb/wusbcore/wa-xfer.c
++++ b/drivers/usb/wusbcore/wa-xfer.c
+@@ -90,7 +90,8 @@
+ #include "wusbhc.h"
+ 
+ enum {
+-	WA_SEGS_MAX = 255,
++	/* [WUSB] section 8.3.3 allocates 7 bits for the segment index. */
++	WA_SEGS_MAX = 128,
+ };
+ 
+ enum wa_seg_status {
+@@ -444,7 +445,7 @@ static ssize_t __wa_xfer_setup_sizes(struct wa_xfer *xfer,
+ 	xfer->seg_size = (xfer->seg_size / maxpktsize) * maxpktsize;
+ 	xfer->segs = (urb->transfer_buffer_length + xfer->seg_size - 1)
+ 		/ xfer->seg_size;
+-	if (xfer->segs >= WA_SEGS_MAX) {
++	if (xfer->segs > WA_SEGS_MAX) {
+ 		dev_err(dev, "BUG? ops, number of segments %d bigger than %d\n",
+ 			(int)(urb->transfer_buffer_length / xfer->seg_size),
+ 			WA_SEGS_MAX);
+diff --git a/drivers/video/backlight/atmel-pwm-bl.c b/drivers/video/backlight/atmel-pwm-bl.c
+index 0443a4f..dab3a0c 100644
+--- a/drivers/video/backlight/atmel-pwm-bl.c
++++ b/drivers/video/backlight/atmel-pwm-bl.c
+@@ -70,7 +70,7 @@ static int atmel_pwm_bl_set_intensity(struct backlight_device *bd)
+ static int atmel_pwm_bl_get_intensity(struct backlight_device *bd)
+ {
+ 	struct atmel_pwm_bl *pwmbl = bl_get_data(bd);
+-	u8 intensity;
++	u32 intensity;
+ 
+ 	if (pwmbl->pdata->pwm_active_low) {
+ 		intensity = pwm_channel_readl(&pwmbl->pwmc, PWM_CDTY) -
+@@ -80,7 +80,7 @@ static int atmel_pwm_bl_get_intensity(struct backlight_device *bd)
+ 			pwm_channel_readl(&pwmbl->pwmc, PWM_CDTY);
+ 	}
+ 
+-	return intensity;
++	return intensity & 0xffff;
+ }
+ 
+ static int atmel_pwm_bl_init_pwm(struct atmel_pwm_bl *pwmbl)
+@@ -211,7 +211,8 @@ static int __exit atmel_pwm_bl_remove(struct platform_device *pdev)
+ 	struct atmel_pwm_bl *pwmbl = platform_get_drvdata(pdev);
+ 
+ 	if (pwmbl->gpio_on != -1) {
+-		gpio_set_value(pwmbl->gpio_on, 0);
++		gpio_set_value(pwmbl->gpio_on,
++					0 ^ pwmbl->pdata->on_active_low);
+ 		gpio_free(pwmbl->gpio_on);
+ 	}
+ 	pwm_channel_disable(&pwmbl->pwmc);
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index c858a29..969f74f 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -3437,11 +3437,13 @@ static __u16 ACL_to_cifs_posix(char *parm_data, const char *pACL,
+ 		return 0;
+ 	}
+ 	cifs_acl->version = cpu_to_le16(1);
+-	if (acl_type == ACL_TYPE_ACCESS)
++	if (acl_type == ACL_TYPE_ACCESS) {
+ 		cifs_acl->access_entry_count = cpu_to_le16(count);
+-	else if (acl_type == ACL_TYPE_DEFAULT)
++		cifs_acl->default_entry_count = __constant_cpu_to_le16(0xFFFF);
++	} else if (acl_type == ACL_TYPE_DEFAULT) {
+ 		cifs_acl->default_entry_count = cpu_to_le16(count);
+-	else {
++		cifs_acl->access_entry_count = __constant_cpu_to_le16(0xFFFF);
++	} else {
+ 		cFYI(1, "unknown ACL type %d", acl_type);
+ 		return 0;
+ 	}
+diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
+index 9a37a9b..5ef72c8 100644
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -56,10 +56,19 @@ static void configfs_d_iput(struct dentry * dentry,
+ 	struct configfs_dirent *sd = dentry->d_fsdata;
+ 
+ 	if (sd) {
+-		BUG_ON(sd->s_dentry != dentry);
+ 		/* Coordinate with configfs_readdir */
+ 		spin_lock(&configfs_dirent_lock);
+-		sd->s_dentry = NULL;
++		/* Coordinate with configfs_attach_attr where will increase
++		 * sd->s_count and update sd->s_dentry to new allocated one.
++		 * Only set sd->dentry to null when this dentry is the only
++		 * sd owner.
++		 * If not do so, configfs_d_iput may run just after
++		 * configfs_attach_attr and set sd->s_dentry to null
++		 * even it's still in use.
++		 */
++		if (atomic_read(&sd->s_count) <= 2)
++			sd->s_dentry = NULL;
++
+ 		spin_unlock(&configfs_dirent_lock);
+ 		configfs_put(sd);
+ 	}
+@@ -436,8 +445,11 @@ static int configfs_attach_attr(struct configfs_dirent * sd, struct dentry * den
+ 	struct configfs_attribute * attr = sd->s_element;
+ 	int error;
+ 
++	spin_lock(&configfs_dirent_lock);
+ 	dentry->d_fsdata = configfs_get(sd);
+ 	sd->s_dentry = dentry;
++	spin_unlock(&configfs_dirent_lock);
++
+ 	error = configfs_create(dentry, (attr->ca_mode & S_IALLUGO) | S_IFREG,
+ 				configfs_init_file);
+ 	if (error) {
+diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
+index d5d5297..2a95047 100644
+--- a/fs/devpts/inode.c
++++ b/fs/devpts/inode.c
+@@ -413,6 +413,7 @@ static void devpts_kill_sb(struct super_block *sb)
+ {
+ 	struct pts_fs_info *fsi = DEVPTS_SB(sb);
+ 
++	ida_destroy(&fsi->allocated_ptys);
+ 	kfree(fsi);
+ 	kill_litter_super(sb);
+ }
+diff --git a/fs/exec.c b/fs/exec.c
+index a2d0e51..78199eb 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -2032,6 +2032,12 @@ static int __get_dumpable(unsigned long mm_flags)
+ 	return (ret >= 2) ? 2 : ret;
+ }
+ 
++/*
++ * This returns the actual value of the suid_dumpable flag. For things
++ * that are using this for checking for privilege transitions, it must
++ * test against SUID_DUMP_USER rather than treating it as a boolean
++ * value.
++ */
+ int get_dumpable(struct mm_struct *mm)
+ {
+ 	return __get_dumpable(mm->flags);
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index b4e9f3f..05617bd 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1271,6 +1271,7 @@ retry:
+ 					new_extra_isize = s_min_extra_isize;
+ 					kfree(is); is = NULL;
+ 					kfree(bs); bs = NULL;
++					brelse(bh);
+ 					goto retry;
+ 				}
+ 				error = -1;
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 5639efd..3d02931 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3764,8 +3764,7 @@ nfs4_async_handle_error(struct rpc_task *task, const struct nfs_server *server,
+ 			dprintk("%s ERROR %d, Reset session\n", __func__,
+ 				task->tk_status);
+ 			nfs4_schedule_session_recovery(clp->cl_session);
+-			task->tk_status = 0;
+-			return -EAGAIN;
++			goto wait_on_recovery;
+ #endif /* CONFIG_NFS_V4_1 */
+ 		case -NFS4ERR_DELAY:
+ 			nfs_inc_server_stats(server, NFSIOS_DELAY);
+@@ -3887,11 +3886,17 @@ static void nfs4_delegreturn_done(struct rpc_task *task, void *calldata)
+ 		return;
+ 
+ 	switch (task->tk_status) {
+-	case -NFS4ERR_STALE_STATEID:
+-	case -NFS4ERR_EXPIRED:
+ 	case 0:
+ 		renew_lease(data->res.server, data->timestamp);
+ 		break;
++	case -NFS4ERR_ADMIN_REVOKED:
++	case -NFS4ERR_DELEG_REVOKED:
++	case -NFS4ERR_BAD_STATEID:
++	case -NFS4ERR_OLD_STATEID:
++	case -NFS4ERR_STALE_STATEID:
++	case -NFS4ERR_EXPIRED:
++		task->tk_status = 0;
++		break;
+ 	default:
+ 		if (nfs4_async_handle_error(task, data->res.server, NULL) ==
+ 				-EAGAIN) {
+@@ -4052,6 +4057,7 @@ static int _nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock
+ 			status = 0;
+ 	}
+ 	request->fl_ops->fl_release_private(request);
++	request->fl_ops = NULL;
+ out:
+ 	return status;
+ }
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 99625b8..ade5316 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -177,8 +177,8 @@ static __be32 *read_buf(struct nfsd4_compoundargs *argp, u32 nbytes)
+ 	 */
+ 	memcpy(p, argp->p, avail);
+ 	/* step to next page */
+-	argp->pagelist++;
+ 	argp->p = page_address(argp->pagelist[0]);
++	argp->pagelist++;
+ 	if (argp->pagelen < PAGE_SIZE) {
+ 		argp->end = argp->p + (argp->pagelen>>2);
+ 		argp->pagelen = 0;
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index 61b697e..6a66fc0 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -297,41 +297,12 @@ commit_metadata(struct svc_fh *fhp)
+ }
+ 
+ /*
+- * Set various file attributes.
+- * N.B. After this call fhp needs an fh_put
++ * Go over the attributes and take care of the small differences between
++ * NFS semantics and what Linux expects.
+  */
+-__be32
+-nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
+-	     int check_guard, time_t guardtime)
++static void
++nfsd_sanitize_attrs(struct inode *inode, struct iattr *iap)
+ {
+-	struct dentry	*dentry;
+-	struct inode	*inode;
+-	int		accmode = NFSD_MAY_SATTR;
+-	int		ftype = 0;
+-	__be32		err;
+-	int		host_err;
+-	int		size_change = 0;
+-
+-	if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE))
+-		accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE;
+-	if (iap->ia_valid & ATTR_SIZE)
+-		ftype = S_IFREG;
+-
+-	/* Get inode */
+-	err = fh_verify(rqstp, fhp, ftype, accmode);
+-	if (err)
+-		goto out;
+-
+-	dentry = fhp->fh_dentry;
+-	inode = dentry->d_inode;
+-
+-	/* Ignore any mode updates on symlinks */
+-	if (S_ISLNK(inode->i_mode))
+-		iap->ia_valid &= ~ATTR_MODE;
+-
+-	if (!iap->ia_valid)
+-		goto out;
+-
+ 	/*
+ 	 * NFSv2 does not differentiate between "set-[ac]time-to-now"
+ 	 * which only requires access, and "set-[ac]time-to-X" which
+@@ -341,8 +312,7 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
+ 	 * convert to "set to now" instead of "set to explicit time"
+ 	 *
+ 	 * We only call inode_change_ok as the last test as technically
+-	 * it is not an interface that we should be using.  It is only
+-	 * valid if the filesystem does not define it's own i_op->setattr.
++	 * it is not an interface that we should be using.
+ 	 */
+ #define BOTH_TIME_SET (ATTR_ATIME_SET | ATTR_MTIME_SET)
+ #define	MAX_TOUCH_TIME_ERROR (30*60)
+@@ -368,30 +338,6 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
+ 			iap->ia_valid &= ~BOTH_TIME_SET;
+ 		}
+ 	}
+-	    
+-	/*
+-	 * The size case is special.
+-	 * It changes the file as well as the attributes.
+-	 */
+-	if (iap->ia_valid & ATTR_SIZE) {
+-		if (iap->ia_size < inode->i_size) {
+-			err = nfsd_permission(rqstp, fhp->fh_export, dentry,
+-					NFSD_MAY_TRUNC|NFSD_MAY_OWNER_OVERRIDE);
+-			if (err)
+-				goto out;
+-		}
+-
+-		host_err = get_write_access(inode);
+-		if (host_err)
+-			goto out_nfserr;
+-
+-		size_change = 1;
+-		host_err = locks_verify_truncate(inode, NULL, iap->ia_size);
+-		if (host_err) {
+-			put_write_access(inode);
+-			goto out_nfserr;
+-		}
+-	}
+ 
+ 	/* sanitize the mode change */
+ 	if (iap->ia_valid & ATTR_MODE) {
+@@ -414,32 +360,111 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
+ 			iap->ia_valid |= (ATTR_KILL_SUID | ATTR_KILL_SGID);
+ 		}
+ 	}
++}
+ 
+-	/* Change the attributes. */
++static __be32
++nfsd_get_write_access(struct svc_rqst *rqstp, struct svc_fh *fhp,
++		struct iattr *iap)
++{
++	struct inode *inode = fhp->fh_dentry->d_inode;
++	int host_err;
+ 
+-	iap->ia_valid |= ATTR_CTIME;
++	if (iap->ia_size < inode->i_size) {
++		__be32 err;
+ 
+-	err = nfserr_notsync;
+-	if (!check_guard || guardtime == inode->i_ctime.tv_sec) {
+-		host_err = nfsd_break_lease(inode);
+-		if (host_err)
+-			goto out_nfserr;
+-		fh_lock(fhp);
++		err = nfsd_permission(rqstp, fhp->fh_export, fhp->fh_dentry,
++				NFSD_MAY_TRUNC | NFSD_MAY_OWNER_OVERRIDE);
++		if (err)
++			return err;
++	}
+ 
+-		host_err = notify_change(dentry, iap);
+-		err = nfserrno(host_err);
+-		fh_unlock(fhp);
++	host_err = get_write_access(inode);
++	if (host_err)
++		goto out_nfserrno;
++
++	host_err = locks_verify_truncate(inode, NULL, iap->ia_size);
++	if (host_err)
++		goto out_put_write_access;
++	return 0;
++
++out_put_write_access:
++	put_write_access(inode);
++out_nfserrno:
++	return nfserrno(host_err);
++}
++
++/*
++ * Set various file attributes.  After this call fhp needs an fh_put.
++ */
++__be32
++nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
++	     int check_guard, time_t guardtime)
++{
++	struct dentry	*dentry;
++	struct inode	*inode;
++	int		accmode = NFSD_MAY_SATTR;
++	int		ftype = 0;
++	__be32		err;
++	int		host_err;
++	int		size_change = 0;
++
++	if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE))
++		accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE;
++	if (iap->ia_valid & ATTR_SIZE)
++		ftype = S_IFREG;
++
++	/* Get inode */
++	err = fh_verify(rqstp, fhp, ftype, accmode);
++	if (err)
++		goto out;
++
++	dentry = fhp->fh_dentry;
++	inode = dentry->d_inode;
++
++	/* Ignore any mode updates on symlinks */
++	if (S_ISLNK(inode->i_mode))
++		iap->ia_valid &= ~ATTR_MODE;
++
++	if (!iap->ia_valid)
++		goto out;
++
++	nfsd_sanitize_attrs(inode, iap);
++
++	/*
++	 * The size case is special, it changes the file in addition to the
++	 * attributes.
++	 */
++	if (iap->ia_valid & ATTR_SIZE) {
++		err = nfsd_get_write_access(rqstp, fhp, iap);
++		if (err)
++			goto out;
++		size_change = 1;
+ 	}
++
++	iap->ia_valid |= ATTR_CTIME;
++
++	if (check_guard && guardtime != inode->i_ctime.tv_sec) {
++		err = nfserr_notsync;
++		goto out_put_write_access;
++	}
++
++	host_err = nfsd_break_lease(inode);
++	if (host_err)
++		goto out_put_write_access_nfserror;
++
++	fh_lock(fhp);
++	host_err = notify_change(dentry, iap);
++	fh_unlock(fhp);
++
++out_put_write_access_nfserror:
++	err = nfserrno(host_err);
++out_put_write_access:
+ 	if (size_change)
+ 		put_write_access(inode);
+ 	if (!err)
+ 		commit_metadata(fhp);
+ out:
+ 	return err;
+-
+-out_nfserr:
+-	err = nfserrno(host_err);
+-	goto out;
+ }
+ 
+ #if defined(CONFIG_NFSD_V2_ACL) || \
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index d99a905..eb519de 100644
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -404,7 +404,8 @@ xfs_attrlist_by_handle(
+ 		return -XFS_ERROR(EPERM);
+ 	if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
+ 		return -XFS_ERROR(EFAULT);
+-	if (al_hreq.buflen > XATTR_LIST_MAX)
++	if (al_hreq.buflen < sizeof(struct attrlist) ||
++	    al_hreq.buflen > XATTR_LIST_MAX)
+ 		return -XFS_ERROR(EINVAL);
+ 
+ 	/*
+diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
+index 54e623b..0d685b3 100644
+--- a/fs/xfs/xfs_ioctl32.c
++++ b/fs/xfs/xfs_ioctl32.c
+@@ -361,7 +361,8 @@ xfs_compat_attrlist_by_handle(
+ 	if (copy_from_user(&al_hreq, arg,
+ 			   sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
+ 		return -XFS_ERROR(EFAULT);
+-	if (al_hreq.buflen > XATTR_LIST_MAX)
++	if (al_hreq.buflen < sizeof(struct attrlist) ||
++	    al_hreq.buflen > XATTR_LIST_MAX)
+ 		return -XFS_ERROR(EINVAL);
+ 
+ 	/*
+diff --git a/include/crypto/scatterwalk.h b/include/crypto/scatterwalk.h
+index 4fd95a3..0532279 100644
+--- a/include/crypto/scatterwalk.h
++++ b/include/crypto/scatterwalk.h
+@@ -58,6 +58,7 @@ static inline void scatterwalk_sg_chain(struct scatterlist *sg1, int num,
+ {
+ 	sg_set_page(&sg1[num - 1], (void *)sg2, 0, 0);
+ 	sg1[num - 1].page_link &= ~0x02;
++	sg1[num - 1].page_link |= 0x01;
+ }
+ 
+ static inline struct scatterlist *scatterwalk_sg_next(struct scatterlist *sg)
+@@ -65,7 +66,7 @@ static inline struct scatterlist *scatterwalk_sg_next(struct scatterlist *sg)
+ 	if (sg_is_last(sg))
+ 		return NULL;
+ 
+-	return (++sg)->length ? sg : (void *)sg_page(sg);
++	return (++sg)->length ? sg : sg_chain_ptr(sg);
+ }
+ 
+ static inline void scatterwalk_crypto_chain(struct scatterlist *head,
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index acd8d4b..d337419 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -112,9 +112,6 @@ extern void setup_new_exec(struct linux_binprm * bprm);
+ extern void would_dump(struct linux_binprm *, struct file *);
+ 
+ extern int suid_dumpable;
+-#define SUID_DUMP_DISABLE	0	/* No setuid dumping */
+-#define SUID_DUMP_USER		1	/* Dump as user of process */
+-#define SUID_DUMP_ROOT		2	/* Dump as root */
+ 
+ /* Stack area protections */
+ #define EXSTACK_DEFAULT   0	/* Whatever the arch defaults to */
+diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h
+index d8e636e..cba9593 100644
+--- a/include/linux/compiler-intel.h
++++ b/include/linux/compiler-intel.h
+@@ -27,5 +27,3 @@
+ #define __must_be_array(a) 0
+ 
+ #endif
+-
+-#define uninitialized_var(x) x
+diff --git a/include/linux/msg.h b/include/linux/msg.h
+index 56abf155..70fc369 100644
+--- a/include/linux/msg.h
++++ b/include/linux/msg.h
+@@ -76,9 +76,9 @@ struct msginfo {
+ 
+ /* one msg_msg structure for each message */
+ struct msg_msg {
+-	struct list_head m_list; 
+-	long  m_type;          
+-	int m_ts;           /* message text size */
++	struct list_head m_list;
++	long m_type;
++	size_t m_ts;		/* message text size */
+ 	struct msg_msgseg* next;
+ 	void *security;
+ 	/* the actual message follows immediately */
+diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h
+index daad4e6..3887901 100644
+--- a/include/linux/mtd/map.h
++++ b/include/linux/mtd/map.h
+@@ -361,7 +361,7 @@ static inline map_word map_word_load_partial(struct map_info *map, map_word orig
+ 			bitpos = (map_bankwidth(map)-1-i)*8;
+ #endif
+ 			orig.x[0] &= ~(0xff << bitpos);
+-			orig.x[0] |= buf[i-start] << bitpos;
++			orig.x[0] |= (unsigned long)buf[i-start] << bitpos;
+ 		}
+ 	}
+ 	return orig;
+@@ -380,7 +380,7 @@ static inline map_word map_word_ff(struct map_info *map)
+ 
+ 	if (map_bankwidth(map) < MAP_FF_LIMIT) {
+ 		int bw = 8 * map_bankwidth(map);
+-		r.x[0] = (1 << bw) - 1;
++		r.x[0] = (1UL << bw) - 1;
+ 	} else {
+ 		for (i=0; i<map_words(map); i++)
+ 			r.x[i] = ~0UL;
+diff --git a/include/linux/net.h b/include/linux/net.h
+index b7ca08e..bd4f6c7 100644
+--- a/include/linux/net.h
++++ b/include/linux/net.h
+@@ -197,6 +197,14 @@ struct proto_ops {
+ #endif
+ 	int		(*sendmsg)   (struct kiocb *iocb, struct socket *sock,
+ 				      struct msghdr *m, size_t total_len);
++	/* Notes for implementing recvmsg:
++	 * ===============================
++	 * msg->msg_namelen should get updated by the recvmsg handlers
++	 * iff msg_name != NULL. It is by default 0 to prevent
++	 * returning uninitialized memory to user space.  The recvfrom
++	 * handlers can assume that msg.msg_name is either NULL or has
++	 * a minimum size of sizeof(struct sockaddr_storage).
++	 */
+ 	int		(*recvmsg)   (struct kiocb *iocb, struct socket *sock,
+ 				      struct msghdr *m, size_t total_len,
+ 				      int flags);
+diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
+index 3db3da1..d93f417 100644
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -1579,6 +1579,7 @@
+ #define PCI_SUBDEVICE_ID_KEYSPAN_SX2	0x5334
+ 
+ #define PCI_VENDOR_ID_MARVELL		0x11ab
++#define PCI_VENDOR_ID_MARVELL_EXT	0x1b4b
+ #define PCI_DEVICE_ID_MARVELL_GT64111	0x4146
+ #define PCI_DEVICE_ID_MARVELL_GT64260	0x6430
+ #define PCI_DEVICE_ID_MARVELL_MV64360	0x6460
+diff --git a/include/linux/random.h b/include/linux/random.h
+index 7e77cee..f5e1311 100644
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -89,9 +89,9 @@ static inline void prandom32_seed(struct rnd_state *state, u64 seed)
+ {
+ 	u32 i = (seed >> 32) ^ (seed << 10) ^ seed;
+ 
+-	state->s1 = __seed(i, 1);
+-	state->s2 = __seed(i, 7);
+-	state->s3 = __seed(i, 15);
++	state->s1 = __seed(i, 2);
++	state->s2 = __seed(i, 8);
++	state->s3 = __seed(i, 16);
+ }
+ 
+ #ifdef CONFIG_ARCH_RANDOM
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index 8204898..312d047 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -403,6 +403,10 @@ static inline void arch_pick_mmap_layout(struct mm_struct *mm) {}
+ extern void set_dumpable(struct mm_struct *mm, int value);
+ extern int get_dumpable(struct mm_struct *mm);
+ 
++#define SUID_DUMP_DISABLE	0	/* No setuid dumping */
++#define SUID_DUMP_USER		1	/* Dump as user of process */
++#define SUID_DUMP_ROOT		2	/* Dump as root */
++
+ /* mm flags */
+ /* dumpable bits */
+ #define MMF_DUMPABLE      0  /* core dump is permitted */
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 06aed72..b935e6c 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -466,7 +466,7 @@ extern int	compat_ip_getsockopt(struct sock *sk, int level,
+ 			int optname, char __user *optval, int __user *optlen);
+ extern int	ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *));
+ 
+-extern int 	ip_recv_error(struct sock *sk, struct msghdr *msg, int len);
++extern int 	ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len);
+ extern void	ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err, 
+ 			      __be16 port, u32 info, u8 *payload);
+ extern void	ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport,
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index 4d549cf..0580673 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -602,8 +602,10 @@ extern int			compat_ipv6_getsockopt(struct sock *sk,
+ extern int			ip6_datagram_connect(struct sock *sk, 
+ 						     struct sockaddr *addr, int addr_len);
+ 
+-extern int 			ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len);
+-extern int 			ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len);
++extern int 			ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len,
++						int *addr_len);
++extern int 			ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len,
++						 int *addr_len);
+ extern void			ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port,
+ 						u32 info, u8 *payload);
+ extern void			ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info);
+diff --git a/include/sound/memalloc.h b/include/sound/memalloc.h
+index c425062..ab240bb 100644
+--- a/include/sound/memalloc.h
++++ b/include/sound/memalloc.h
+@@ -101,7 +101,7 @@ static inline unsigned int snd_sgbuf_aligned_pages(size_t size)
+ static inline dma_addr_t snd_sgbuf_get_addr(struct snd_sg_buf *sgbuf, size_t offset)
+ {
+ 	dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr;
+-	addr &= PAGE_MASK;
++	addr &= ~((dma_addr_t)PAGE_SIZE - 1);
+ 	return addr + offset % PAGE_SIZE;
+ }
+ 
+diff --git a/include/trace/ftrace.h b/include/trace/ftrace.h
+index 7697249..763bf05 100644
+--- a/include/trace/ftrace.h
++++ b/include/trace/ftrace.h
+@@ -379,7 +379,8 @@ ftrace_define_fields_##call(struct ftrace_event_call *event_call)	\
+ 	__data_size += (len) * sizeof(type);
+ 
+ #undef __string
+-#define __string(item, src) __dynamic_array(char, item, strlen(src) + 1)
++#define __string(item, src) __dynamic_array(char, item,			\
++		    strlen((src) ? (const char *)(src) : "(null)") + 1)
+ 
+ #undef DECLARE_EVENT_CLASS
+ #define DECLARE_EVENT_CLASS(call, proto, args, tstruct, assign, print)	\
+@@ -504,7 +505,7 @@ static inline notrace int ftrace_get_offsets_##call(			\
+ 
+ #undef __assign_str
+ #define __assign_str(dst, src)						\
+-	strcpy(__get_str(dst), src);
++	strcpy(__get_str(dst), (src) ? (const char *)(src) : "(null)");
+ 
+ #undef TP_fast_assign
+ #define TP_fast_assign(args...) args
+diff --git a/ipc/msgutil.c b/ipc/msgutil.c
+index 5652101..fc6fded 100644
+--- a/ipc/msgutil.c
++++ b/ipc/msgutil.c
+@@ -37,15 +37,15 @@ struct msg_msgseg {
+ 	/* the next part of the message follows immediately */
+ };
+ 
+-#define DATALEN_MSG	(PAGE_SIZE-sizeof(struct msg_msg))
+-#define DATALEN_SEG	(PAGE_SIZE-sizeof(struct msg_msgseg))
++#define DATALEN_MSG	((size_t)PAGE_SIZE-sizeof(struct msg_msg))
++#define DATALEN_SEG	((size_t)PAGE_SIZE-sizeof(struct msg_msgseg))
+ 
+-struct msg_msg *load_msg(const void __user *src, int len)
++struct msg_msg *load_msg(const void __user *src, size_t len)
+ {
+ 	struct msg_msg *msg;
+ 	struct msg_msgseg **pseg;
+ 	int err;
+-	int alen;
++	size_t alen;
+ 
+ 	alen = len;
+ 	if (alen > DATALEN_MSG)
+@@ -99,9 +99,9 @@ out_err:
+ 	return ERR_PTR(err);
+ }
+ 
+-int store_msg(void __user *dest, struct msg_msg *msg, int len)
++int store_msg(void __user *dest, struct msg_msg *msg, size_t len)
+ {
+-	int alen;
++	size_t alen;
+ 	struct msg_msgseg *seg;
+ 
+ 	alen = len;
+diff --git a/ipc/util.h b/ipc/util.h
+index 6f5c20b..0bfc934 100644
+--- a/ipc/util.h
++++ b/ipc/util.h
+@@ -138,8 +138,8 @@ int ipc_parse_version (int *cmd);
+ #endif
+ 
+ extern void free_msg(struct msg_msg *msg);
+-extern struct msg_msg *load_msg(const void __user *src, int len);
+-extern int store_msg(void __user *dest, struct msg_msg *msg, int len);
++extern struct msg_msg *load_msg(const void __user *src, size_t len);
++extern int store_msg(void __user *dest, struct msg_msg *msg, size_t len);
+ 
+ extern void recompute_msgmni(struct ipc_namespace *);
+ 
+diff --git a/kernel/audit.c b/kernel/audit.c
+index d4bc594..e14bc74 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
+ 	char *ctx = NULL;
+ 	u32 len;
+ 
+-	if (!audit_enabled) {
++	if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
+ 		*ab = NULL;
+ 		return rc;
+ 	}
+@@ -684,6 +684,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ 
+ 	switch (msg_type) {
+ 	case AUDIT_GET:
++		status_set.mask		 = 0;
+ 		status_set.enabled	 = audit_enabled;
+ 		status_set.failure	 = audit_failure;
+ 		status_set.pid		 = audit_pid;
+@@ -695,7 +696,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ 				 &status_set, sizeof(status_set));
+ 		break;
+ 	case AUDIT_SET:
+-		if (nlh->nlmsg_len < sizeof(struct audit_status))
++		if (nlmsg_len(nlh) < sizeof(struct audit_status))
+ 			return -EINVAL;
+ 		status_get   = (struct audit_status *)data;
+ 		if (status_get->mask & AUDIT_STATUS_ENABLED) {
+@@ -899,7 +900,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ 		struct task_struct *tsk;
+ 		unsigned long flags;
+ 
+-		if (nlh->nlmsg_len < sizeof(struct audit_tty_status))
++		if (nlmsg_len(nlh) < sizeof(struct audit_tty_status))
+ 			return -EINVAL;
+ 		s = data;
+ 		if (s->enabled != 0 && s->enabled != 1)
+diff --git a/kernel/cpuset.c b/kernel/cpuset.c
+index 835eee6..57eb98d 100644
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -983,8 +983,10 @@ static void cpuset_change_task_nodemask(struct task_struct *tsk,
+ 	need_loop = task_has_mempolicy(tsk) ||
+ 			!nodes_intersects(*newmems, tsk->mems_allowed);
+ 
+-	if (need_loop)
++	if (need_loop) {
++		local_irq_disable();
+ 		write_seqcount_begin(&tsk->mems_allowed_seq);
++	}
+ 
+ 	nodes_or(tsk->mems_allowed, tsk->mems_allowed, *newmems);
+ 	mpol_rebind_task(tsk, newmems, MPOL_REBIND_STEP1);
+@@ -992,8 +994,10 @@ static void cpuset_change_task_nodemask(struct task_struct *tsk,
+ 	mpol_rebind_task(tsk, newmems, MPOL_REBIND_STEP2);
+ 	tsk->mems_allowed = *newmems;
+ 
+-	if (need_loop)
++	if (need_loop) {
+ 		write_seqcount_end(&tsk->mems_allowed_seq);
++		local_irq_enable();
++	}
+ 
+ 	task_unlock(tsk);
+ }
+diff --git a/kernel/futex.c b/kernel/futex.c
+index 1d0538e..8888815 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -285,7 +285,7 @@ again:
+ 		put_page(page);
+ 		/* serialize against __split_huge_page_splitting() */
+ 		local_irq_disable();
+-		if (likely(__get_user_pages_fast(address, 1, 1, &page) == 1)) {
++		if (likely(__get_user_pages_fast(address, 1, !ro, &page) == 1)) {
+ 			page_head = compound_head(page);
+ 			/*
+ 			 * page_head is valid pointer but we must pin
+diff --git a/kernel/irq/pm.c b/kernel/irq/pm.c
+index 15e53b1..dcd3f97 100644
+--- a/kernel/irq/pm.c
++++ b/kernel/irq/pm.c
+@@ -50,7 +50,7 @@ static void resume_irqs(bool want_early)
+ 		bool is_early = desc->action &&
+ 			desc->action->flags & IRQF_EARLY_RESUME;
+ 
+-		if (is_early != want_early)
++		if (!is_early && want_early)
+ 			continue;
+ 
+ 		raw_spin_lock_irqsave(&desc->lock, flags);
+diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
+index cbe2c14..380291e 100644
+--- a/kernel/power/snapshot.c
++++ b/kernel/power/snapshot.c
+@@ -1390,7 +1390,11 @@ int hibernate_preallocate_memory(void)
+ 	 * highmem and non-highmem zones separately.
+ 	 */
+ 	pages_highmem = preallocate_image_highmem(highmem / 2);
+-	alloc = (count - max_size) - pages_highmem;
++	alloc = count - max_size;
++	if (alloc > pages_highmem)
++		alloc -= pages_highmem;
++	else
++		alloc = 0;
+ 	pages = preallocate_image_memory(alloc, avail_normal);
+ 	if (pages < alloc) {
+ 		/* We have exhausted non-highmem pages, try highmem. */
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 67fedad..f79803a 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -246,7 +246,8 @@ ok:
+ 	smp_rmb();
+ 	if (task->mm)
+ 		dumpable = get_dumpable(task->mm);
+-	if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
++	if (dumpable != SUID_DUMP_USER &&
++	    !task_ns_capable(task, CAP_SYS_PTRACE))
+ 		return -EPERM;
+ 
+ 	return security_ptrace_access_check(task, mode);
+diff --git a/kernel/sched_debug.c b/kernel/sched_debug.c
+index a6710a1..f4010e2 100644
+--- a/kernel/sched_debug.c
++++ b/kernel/sched_debug.c
+@@ -213,6 +213,14 @@ void print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq)
+ 	SEQ_printf(m, "  .%-30s: %d\n", "load_tg",
+ 			atomic_read(&cfs_rq->tg->load_weight));
+ #endif
++#ifdef CONFIG_CFS_BANDWIDTH
++	SEQ_printf(m, "  .%-30s: %d\n", "tg->cfs_bandwidth.timer_active",
++			cfs_rq->tg->cfs_bandwidth.timer_active);
++	SEQ_printf(m, "  .%-30s: %d\n", "throttled",
++			cfs_rq->throttled);
++	SEQ_printf(m, "  .%-30s: %d\n", "throttle_count",
++			cfs_rq->throttle_count);
++#endif
+ 
+ 	print_cfs_group_stats(m, cpu, cfs_rq->tg);
+ #endif
+diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c
+index c261da7..5b9e456 100644
+--- a/kernel/sched_fair.c
++++ b/kernel/sched_fair.c
+@@ -1527,6 +1527,8 @@ static void throttle_cfs_rq(struct cfs_rq *cfs_rq)
+ 	cfs_rq->throttled_timestamp = rq->clock;
+ 	raw_spin_lock(&cfs_b->lock);
+ 	list_add_tail_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq);
++	if (!cfs_b->timer_active)
++		__start_cfs_bandwidth(cfs_b);
+ 	raw_spin_unlock(&cfs_b->lock);
+ }
+ 
+diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
+index 8a46f5d..0907e43 100644
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -468,7 +468,7 @@ static int alarm_clock_getres(const clockid_t which_clock, struct timespec *tp)
+ 	clockid_t baseid = alarm_bases[clock2alarm(which_clock)].base_clockid;
+ 
+ 	if (!alarmtimer_get_rtcdev())
+-		return -ENOTSUPP;
++		return -EINVAL;
+ 
+ 	return hrtimer_get_res(baseid, tp);
+ }
+@@ -485,7 +485,7 @@ static int alarm_clock_get(clockid_t which_clock, struct timespec *tp)
+ 	struct alarm_base *base = &alarm_bases[clock2alarm(which_clock)];
+ 
+ 	if (!alarmtimer_get_rtcdev())
+-		return -ENOTSUPP;
++		return -EINVAL;
+ 
+ 	*tp = ktime_to_timespec(base->gettime());
+ 	return 0;
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 226776b..d40d7f6 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -259,9 +259,6 @@ static int remove_ftrace_ops(struct ftrace_ops **list, struct ftrace_ops *ops)
+ 
+ static int __register_ftrace_function(struct ftrace_ops *ops)
+ {
+-	if (ftrace_disabled)
+-		return -ENODEV;
+-
+ 	if (FTRACE_WARN_ON(ops == &global_ops))
+ 		return -EINVAL;
+ 
+@@ -290,9 +287,6 @@ static int __unregister_ftrace_function(struct ftrace_ops *ops)
+ {
+ 	int ret;
+ 
+-	if (ftrace_disabled)
+-		return -ENODEV;
+-
+ 	if (WARN_ON(!(ops->flags & FTRACE_OPS_FL_ENABLED)))
+ 		return -EBUSY;
+ 
+@@ -1017,6 +1011,11 @@ static struct ftrace_page	*ftrace_pages;
+ 
+ static struct dyn_ftrace *ftrace_free_records;
+ 
++static bool ftrace_hash_empty(struct ftrace_hash *hash)
++{
++	return !hash || !hash->count;
++}
++
+ static struct ftrace_func_entry *
+ ftrace_lookup_ip(struct ftrace_hash *hash, unsigned long ip)
+ {
+@@ -1025,7 +1024,7 @@ ftrace_lookup_ip(struct ftrace_hash *hash, unsigned long ip)
+ 	struct hlist_head *hhd;
+ 	struct hlist_node *n;
+ 
+-	if (!hash->count)
++	if (ftrace_hash_empty(hash))
+ 		return NULL;
+ 
+ 	if (hash->size_bits > 0)
+@@ -1169,7 +1168,7 @@ alloc_and_copy_ftrace_hash(int size_bits, struct ftrace_hash *hash)
+ 		return NULL;
+ 
+ 	/* Empty hash? */
+-	if (!hash || !hash->count)
++	if (ftrace_hash_empty(hash))
+ 		return new_hash;
+ 
+ 	size = 1 << hash->size_bits;
+@@ -1294,9 +1293,9 @@ ftrace_ops_test(struct ftrace_ops *ops, unsigned long ip)
+ 	filter_hash = rcu_dereference_raw(ops->filter_hash);
+ 	notrace_hash = rcu_dereference_raw(ops->notrace_hash);
+ 
+-	if ((!filter_hash || !filter_hash->count ||
++	if ((ftrace_hash_empty(filter_hash) ||
+ 	     ftrace_lookup_ip(filter_hash, ip)) &&
+-	    (!notrace_hash || !notrace_hash->count ||
++	    (ftrace_hash_empty(notrace_hash) ||
+ 	     !ftrace_lookup_ip(notrace_hash, ip)))
+ 		ret = 1;
+ 	else
+@@ -1348,7 +1347,7 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops,
+ 	if (filter_hash) {
+ 		hash = ops->filter_hash;
+ 		other_hash = ops->notrace_hash;
+-		if (!hash || !hash->count)
++		if (ftrace_hash_empty(hash))
+ 			all = 1;
+ 	} else {
+ 		inc = !inc;
+@@ -1358,7 +1357,7 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops,
+ 		 * If the notrace hash has no items,
+ 		 * then there's nothing to do.
+ 		 */
+-		if (hash && !hash->count)
++		if (ftrace_hash_empty(hash))
+ 			return;
+ 	}
+ 
+@@ -1375,8 +1374,8 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops,
+ 			if (!other_hash || !ftrace_lookup_ip(other_hash, rec->ip))
+ 				match = 1;
+ 		} else {
+-			in_hash = hash && !!ftrace_lookup_ip(hash, rec->ip);
+-			in_other_hash = other_hash && !!ftrace_lookup_ip(other_hash, rec->ip);
++			in_hash = !!ftrace_lookup_ip(hash, rec->ip);
++			in_other_hash = !!ftrace_lookup_ip(other_hash, rec->ip);
+ 
+ 			/*
+ 			 *
+@@ -1384,7 +1383,7 @@ static void __ftrace_hash_rec_update(struct ftrace_ops *ops,
+ 			if (filter_hash && in_hash && !in_other_hash)
+ 				match = 1;
+ 			else if (!filter_hash && in_hash &&
+-				 (in_other_hash || !other_hash->count))
++				 (in_other_hash || ftrace_hash_empty(other_hash)))
+ 				match = 1;
+ 		}
+ 		if (!match)
+@@ -1698,10 +1697,15 @@ static void ftrace_startup_enable(int command)
+ static int ftrace_startup(struct ftrace_ops *ops, int command)
+ {
+ 	bool hash_enable = true;
++	int ret;
+ 
+ 	if (unlikely(ftrace_disabled))
+ 		return -ENODEV;
+ 
++	ret = __register_ftrace_function(ops);
++	if (ret)
++		return ret;
++
+ 	ftrace_start_up++;
+ 	command |= FTRACE_UPDATE_CALLS;
+ 
+@@ -1723,12 +1727,17 @@ static int ftrace_startup(struct ftrace_ops *ops, int command)
+ 	return 0;
+ }
+ 
+-static void ftrace_shutdown(struct ftrace_ops *ops, int command)
++static int ftrace_shutdown(struct ftrace_ops *ops, int command)
+ {
+ 	bool hash_disable = true;
++	int ret;
+ 
+ 	if (unlikely(ftrace_disabled))
+-		return;
++		return -ENODEV;
++
++	ret = __unregister_ftrace_function(ops);
++	if (ret)
++		return ret;
+ 
+ 	ftrace_start_up--;
+ 	/*
+@@ -1763,9 +1772,10 @@ static void ftrace_shutdown(struct ftrace_ops *ops, int command)
+ 	}
+ 
+ 	if (!command || !ftrace_enabled)
+-		return;
++		return 0;
+ 
+ 	ftrace_run_update_code(command);
++	return 0;
+ }
+ 
+ static void ftrace_startup_sysctl(void)
+@@ -1794,12 +1804,57 @@ static cycle_t		ftrace_update_time;
+ static unsigned long	ftrace_update_cnt;
+ unsigned long		ftrace_update_tot_cnt;
+ 
+-static int ops_traces_mod(struct ftrace_ops *ops)
++static inline int ops_traces_mod(struct ftrace_ops *ops)
+ {
+-	struct ftrace_hash *hash;
++	/*
++	 * Filter_hash being empty will default to trace module.
++	 * But notrace hash requires a test of individual module functions.
++	 */
++	return ftrace_hash_empty(ops->filter_hash) &&
++		ftrace_hash_empty(ops->notrace_hash);
++}
+ 
+-	hash = ops->filter_hash;
+-	return !!(!hash || !hash->count);
++/*
++ * Check if the current ops references the record.
++ *
++ * If the ops traces all functions, then it was already accounted for.
++ * If the ops does not trace the current record function, skip it.
++ * If the ops ignores the function via notrace filter, skip it.
++ */
++static inline bool
++ops_references_rec(struct ftrace_ops *ops, struct dyn_ftrace *rec)
++{
++	/* If ops isn't enabled, ignore it */
++	if (!(ops->flags & FTRACE_OPS_FL_ENABLED))
++		return 0;
++
++	/* If ops traces all mods, we already accounted for it */
++	if (ops_traces_mod(ops))
++		return 0;
++
++	/* The function must be in the filter */
++	if (!ftrace_hash_empty(ops->filter_hash) &&
++	    !ftrace_lookup_ip(ops->filter_hash, rec->ip))
++		return 0;
++
++	/* If in notrace hash, we ignore it too */
++	if (ftrace_lookup_ip(ops->notrace_hash, rec->ip))
++		return 0;
++
++	return 1;
++}
++
++static int referenced_filters(struct dyn_ftrace *rec)
++{
++	struct ftrace_ops *ops;
++	int cnt = 0;
++
++	for (ops = ftrace_ops_list; ops != &ftrace_list_end; ops = ops->next) {
++		if (ops_references_rec(ops, rec))
++		    cnt++;
++	}
++
++	return cnt;
+ }
+ 
+ static int ftrace_update_code(struct module *mod)
+@@ -1807,6 +1862,7 @@ static int ftrace_update_code(struct module *mod)
+ 	struct dyn_ftrace *p;
+ 	cycle_t start, stop;
+ 	unsigned long ref = 0;
++	bool test = false;
+ 
+ 	/*
+ 	 * When adding a module, we need to check if tracers are
+@@ -1819,9 +1875,12 @@ static int ftrace_update_code(struct module *mod)
+ 
+ 		for (ops = ftrace_ops_list;
+ 		     ops != &ftrace_list_end; ops = ops->next) {
+-			if (ops->flags & FTRACE_OPS_FL_ENABLED &&
+-			    ops_traces_mod(ops))
+-				ref++;
++			if (ops->flags & FTRACE_OPS_FL_ENABLED) {
++				if (ops_traces_mod(ops))
++					ref++;
++				else
++					test = true;
++			}
+ 		}
+ 	}
+ 
+@@ -1829,6 +1888,7 @@ static int ftrace_update_code(struct module *mod)
+ 	ftrace_update_cnt = 0;
+ 
+ 	while (ftrace_new_addrs) {
++		int cnt = ref;
+ 
+ 		/* If something went wrong, bail without enabling anything */
+ 		if (unlikely(ftrace_disabled))
+@@ -1836,7 +1896,9 @@ static int ftrace_update_code(struct module *mod)
+ 
+ 		p = ftrace_new_addrs;
+ 		ftrace_new_addrs = p->newlist;
+-		p->flags = ref;
++		if (test)
++			cnt += referenced_filters(p);
++		p->flags = cnt;
+ 
+ 		/*
+ 		 * Do the initial record conversion from mcount jump
+@@ -1859,7 +1921,7 @@ static int ftrace_update_code(struct module *mod)
+ 		 * conversion puts the module to the correct state, thus
+ 		 * passing the ftrace_make_call check.
+ 		 */
+-		if (ftrace_start_up && ref) {
++		if (ftrace_start_up && cnt) {
+ 			int failed = __ftrace_replace_code(p, 1);
+ 			if (failed) {
+ 				ftrace_bug(failed, p->ip);
+@@ -2112,7 +2174,8 @@ static void *t_start(struct seq_file *m, loff_t *pos)
+ 	 * off, we can short cut and just print out that all
+ 	 * functions are enabled.
+ 	 */
+-	if (iter->flags & FTRACE_ITER_FILTER && !ops->filter_hash->count) {
++	if (iter->flags & FTRACE_ITER_FILTER &&
++	    ftrace_hash_empty(ops->filter_hash)) {
+ 		if (*pos > 0)
+ 			return t_hash_start(m, pos);
+ 		iter->flags |= FTRACE_ITER_PRINTALL;
+@@ -2564,16 +2627,13 @@ static void __enable_ftrace_function_probe(void)
+ 	if (i == FTRACE_FUNC_HASHSIZE)
+ 		return;
+ 
+-	ret = __register_ftrace_function(&trace_probe_ops);
+-	if (!ret)
+-		ret = ftrace_startup(&trace_probe_ops, 0);
++	ret = ftrace_startup(&trace_probe_ops, 0);
+ 
+ 	ftrace_probe_registered = 1;
+ }
+ 
+ static void __disable_ftrace_function_probe(void)
+ {
+-	int ret;
+ 	int i;
+ 
+ 	if (!ftrace_probe_registered)
+@@ -2586,9 +2646,7 @@ static void __disable_ftrace_function_probe(void)
+ 	}
+ 
+ 	/* no more funcs left */
+-	ret = __unregister_ftrace_function(&trace_probe_ops);
+-	if (!ret)
+-		ftrace_shutdown(&trace_probe_ops, 0);
++	ftrace_shutdown(&trace_probe_ops, 0);
+ 
+ 	ftrace_probe_registered = 0;
+ }
+@@ -3561,12 +3619,15 @@ device_initcall(ftrace_nodyn_init);
+ static inline int ftrace_init_dyn_debugfs(struct dentry *d_tracer) { return 0; }
+ static inline void ftrace_startup_enable(int command) { }
+ /* Keep as macros so we do not need to define the commands */
+-# define ftrace_startup(ops, command)			\
+-	({						\
+-		(ops)->flags |= FTRACE_OPS_FL_ENABLED;	\
+-		0;					\
++# define ftrace_startup(ops, command)					\
++	({								\
++		int ___ret = __register_ftrace_function(ops);		\
++		if (!___ret)						\
++			(ops)->flags |= FTRACE_OPS_FL_ENABLED;		\
++		___ret;							\
+ 	})
+-# define ftrace_shutdown(ops, command)	do { } while (0)
++# define ftrace_shutdown(ops, command) __unregister_ftrace_function(ops)
++
+ # define ftrace_startup_sysctl()	do { } while (0)
+ # define ftrace_shutdown_sysctl()	do { } while (0)
+ 
+@@ -3906,15 +3967,8 @@ int register_ftrace_function(struct ftrace_ops *ops)
+ 
+ 	mutex_lock(&ftrace_lock);
+ 
+-	if (unlikely(ftrace_disabled))
+-		goto out_unlock;
+-
+-	ret = __register_ftrace_function(ops);
+-	if (!ret)
+-		ret = ftrace_startup(ops, 0);
+-
++	ret = ftrace_startup(ops, 0);
+ 
+- out_unlock:
+ 	mutex_unlock(&ftrace_lock);
+ 	return ret;
+ }
+@@ -3931,9 +3985,7 @@ int unregister_ftrace_function(struct ftrace_ops *ops)
+ 	int ret;
+ 
+ 	mutex_lock(&ftrace_lock);
+-	ret = __unregister_ftrace_function(ops);
+-	if (!ret)
+-		ftrace_shutdown(ops, 0);
++	ret = ftrace_shutdown(ops, 0);
+ 	mutex_unlock(&ftrace_lock);
+ 
+ 	return ret;
+@@ -4127,6 +4179,12 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
+ 	return NOTIFY_DONE;
+ }
+ 
++/* Just a place holder for function graph */
++static struct ftrace_ops fgraph_ops __read_mostly = {
++	.func		= ftrace_stub,
++	.flags		= FTRACE_OPS_FL_GLOBAL,
++};
++
+ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
+ 			trace_func_graph_ent_t entryfunc)
+ {
+@@ -4153,7 +4211,7 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
+ 	ftrace_graph_return = retfunc;
+ 	ftrace_graph_entry = entryfunc;
+ 
+-	ret = ftrace_startup(&global_ops, FTRACE_START_FUNC_RET);
++	ret = ftrace_startup(&fgraph_ops, FTRACE_START_FUNC_RET);
+ 
+ out:
+ 	mutex_unlock(&ftrace_lock);
+@@ -4170,7 +4228,7 @@ void unregister_ftrace_graph(void)
+ 	ftrace_graph_active--;
+ 	ftrace_graph_return = (trace_func_graph_ret_t)ftrace_stub;
+ 	ftrace_graph_entry = ftrace_graph_entry_stub;
+-	ftrace_shutdown(&global_ops, FTRACE_STOP_FUNC_RET);
++	ftrace_shutdown(&fgraph_ops, FTRACE_STOP_FUNC_RET);
+ 	unregister_pm_notifier(&ftrace_suspend_notifier);
+ 	unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL);
+ 
+diff --git a/lib/random32.c b/lib/random32.c
+index fc3545a..1f44bdc 100644
+--- a/lib/random32.c
++++ b/lib/random32.c
+@@ -92,7 +92,7 @@ void srandom32(u32 entropy)
+ 	 */
+ 	for_each_possible_cpu (i) {
+ 		struct rnd_state *state = &per_cpu(net_rand_state, i);
+-		state->s1 = __seed(state->s1 ^ entropy, 1);
++		state->s1 = __seed(state->s1 ^ entropy, 2);
+ 	}
+ }
+ EXPORT_SYMBOL(srandom32);
+@@ -109,9 +109,9 @@ static int __init random32_init(void)
+ 		struct rnd_state *state = &per_cpu(net_rand_state,i);
+ 
+ #define LCG(x)	((x) * 69069)	/* super-duper LCG */
+-		state->s1 = __seed(LCG(i + jiffies), 1);
+-		state->s2 = __seed(LCG(state->s1), 7);
+-		state->s3 = __seed(LCG(state->s2), 15);
++		state->s1 = __seed(LCG(i + jiffies), 2);
++		state->s2 = __seed(LCG(state->s1), 8);
++		state->s3 = __seed(LCG(state->s2), 16);
+ 
+ 		/* "warm it up" */
+ 		prandom32(state);
+@@ -138,9 +138,9 @@ static int __init random32_reseed(void)
+ 		u32 seeds[3];
+ 
+ 		get_random_bytes(&seeds, sizeof(seeds));
+-		state->s1 = __seed(seeds[0], 1);
+-		state->s2 = __seed(seeds[1], 7);
+-		state->s3 = __seed(seeds[2], 15);
++		state->s1 = __seed(seeds[0], 2);
++		state->s2 = __seed(seeds[1], 8);
++		state->s3 = __seed(seeds[2], 16);
+ 
+ 		/* mix it in */
+ 		prandom32(state);
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index d74c317..ae02e42 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -25,6 +25,7 @@
+ #include <linux/kallsyms.h>
+ #include <linux/uaccess.h>
+ #include <linux/ioport.h>
++#include <linux/cred.h>
+ #include <net/addrconf.h>
+ 
+ #include <asm/page.h>		/* for PAGE_SIZE */
+@@ -892,10 +893,35 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+ 				spec.field_width = 2 * sizeof(void *);
+ 			return string(buf, end, "pK-error", spec);
+ 		}
+-		if (!((kptr_restrict == 0) ||
+-		      (kptr_restrict == 1 &&
+-		       has_capability_noaudit(current, CAP_SYSLOG))))
++
++		switch (kptr_restrict) {
++		case 0:
++			/* Always print %pK values */
++			break;
++		case 1: {
++			/*
++			 * Only print the real pointer value if the current
++			 * process has CAP_SYSLOG and is running with the
++			 * same credentials it started with. This is because
++			 * access to files is checked at open() time, but %pK
++			 * checks permission at read() time. We don't want to
++			 * leak pointer values if a binary opens a file using
++			 * %pK and then elevates privileges before reading it.
++			 */
++			const struct cred *cred = current_cred();
++
++			if (!has_capability_noaudit(current, CAP_SYSLOG) ||
++			    cred->euid != cred->uid ||
++			    cred->egid != cred->gid)
++				ptr = NULL;
++			break;
++		}
++		case 2:
++		default:
++			/* Always print 0's for %pK */
+ 			ptr = NULL;
++			break;
++		}
+ 		break;
+ 	}
+ 	spec.flags |= SMALL;
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index bfa9ab93..334d4cd 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1740,7 +1740,6 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
+ 			 size_t size, int flags)
+ {
+ 	struct sock *sk = sock->sk;
+-	struct sockaddr_at *sat = (struct sockaddr_at *)msg->msg_name;
+ 	struct ddpehdr *ddp;
+ 	int copied = 0;
+ 	int offset = 0;
+@@ -1769,14 +1768,13 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
+ 	}
+ 	err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied);
+ 
+-	if (!err) {
+-		if (sat) {
+-			sat->sat_family      = AF_APPLETALK;
+-			sat->sat_port        = ddp->deh_sport;
+-			sat->sat_addr.s_node = ddp->deh_snode;
+-			sat->sat_addr.s_net  = ddp->deh_snet;
+-		}
+-		msg->msg_namelen = sizeof(*sat);
++	if (!err && msg->msg_name) {
++		struct sockaddr_at *sat = msg->msg_name;
++		sat->sat_family      = AF_APPLETALK;
++		sat->sat_port        = ddp->deh_sport;
++		sat->sat_addr.s_node = ddp->deh_snode;
++		sat->sat_addr.s_net  = ddp->deh_snet;
++		msg->msg_namelen     = sizeof(*sat);
+ 	}
+ 
+ 	skb_free_datagram(sk, skb);	/* Free the datagram. */
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 43b6bfe..0ca06e8 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -500,8 +500,6 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ 	struct sk_buff *skb;
+ 	int copied, error = -EINVAL;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	if (sock->state != SS_CONNECTED)
+ 		return -ENOTCONN;
+ 	if (flags & ~MSG_DONTWAIT)		/* only handle MSG_DONTWAIT */
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 86ac37f..7b8db0e 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1635,11 +1635,11 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+ 
+-	if (msg->msg_namelen != 0) {
+-		struct sockaddr_ax25 *sax = (struct sockaddr_ax25 *)msg->msg_name;
++	if (msg->msg_name) {
+ 		ax25_digi digi;
+ 		ax25_address src;
+ 		const unsigned char *mac = skb_mac_header(skb);
++		struct sockaddr_ax25 *sax = msg->msg_name;
+ 
+ 		memset(sax, 0, sizeof(struct full_sockaddr_ax25));
+ 		ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index 838f113..0938f6b 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -245,8 +245,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (flags & (MSG_OOB))
+ 		return -EOPNOTSUPP;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	skb = skb_recv_datagram(sk, flags, noblock, &err);
+ 	if (!skb) {
+ 		if (sk->sk_shutdown & RCV_SHUTDOWN)
+@@ -311,8 +309,6 @@ int bt_sock_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (flags & MSG_OOB)
+ 		return -EOPNOTSUPP;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	BT_DBG("sk %p size %zu", sk, size);
+ 
+ 	lock_sock(sk);
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 8361ee4..bb78c75 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -448,8 +448,6 @@ static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (!skb)
+ 		return err;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	copied = skb->len;
+ 	if (len < copied) {
+ 		msg->msg_flags |= MSG_TRUNC;
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 82ce164..14c4864 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -627,7 +627,6 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
+ 		rfcomm_dlc_accept(d);
+-		msg->msg_namelen = 0;
+ 		return 0;
+ 	}
+ 
+diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
+index f3f75ad..56693c3 100644
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -170,6 +170,8 @@ void br_dev_delete(struct net_device *dev, struct list_head *head)
+ 		del_nbp(p);
+ 	}
+ 
++	br_fdb_delete_by_port(br, NULL, 1);
++
+ 	del_timer_sync(&br->gc_timer);
+ 
+ 	br_sysfs_delbr(br->dev);
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 53a8e37..7fac75f 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -320,8 +320,6 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (m->msg_flags&MSG_OOB)
+ 		goto read_error;
+ 
+-	m->msg_namelen = 0;
+-
+ 	skb = skb_recv_datagram(sk, flags, 0 , &ret);
+ 	if (!skb)
+ 		goto read_error;
+@@ -395,8 +393,6 @@ static int caif_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (flags&MSG_OOB)
+ 		goto out;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	/*
+ 	 * Lock the socket to prevent queue disordering
+ 	 * while sleeps in memcpy_tomsg
+diff --git a/net/compat.c b/net/compat.c
+index 3139ef2..41724c9 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
+ 	    __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ 		return -EFAULT;
+ 	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+-		return -EINVAL;
++		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ 	kmsg->msg_name = compat_ptr(tmp1);
+ 	kmsg->msg_iov = compat_ptr(tmp2);
+ 	kmsg->msg_control = compat_ptr(tmp3);
+@@ -93,7 +93,8 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+ 			if (err < 0)
+ 				return err;
+ 		}
+-		kern_msg->msg_name = kern_address;
++		if (kern_msg->msg_name)
++			kern_msg->msg_name = kern_address;
+ 	} else
+ 		kern_msg->msg_name = NULL;
+ 
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 8e455b8..7bcf37d 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2609,6 +2609,8 @@ ip:
+ 			goto done;
+ 
+ 		ip = (const struct iphdr *) (skb->data + nhoff);
++		if (ip->ihl < 5)
++			goto done;
+ 		if (ip_is_fragment(ip))
+ 			ip_proto = 0;
+ 		else
+@@ -4515,7 +4517,7 @@ static void dev_change_rx_flags(struct net_device *dev, int flags)
+ {
+ 	const struct net_device_ops *ops = dev->netdev_ops;
+ 
+-	if ((dev->flags & IFF_UP) && ops->ndo_change_rx_flags)
++	if (ops->ndo_change_rx_flags)
+ 		ops->ndo_change_rx_flags(dev, flags);
+ }
+ 
+diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
+index c02e63c..c0c21b1 100644
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -443,7 +443,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
+ 		if (frh->action && (frh->action != rule->action))
+ 			continue;
+ 
+-		if (frh->table && (frh_get_table(frh, tb) != rule->table))
++		if (frh_get_table(frh, tb) &&
++		    (frh_get_table(frh, tb) != rule->table))
+ 			continue;
+ 
+ 		if (tb[FRA_PRIORITY] &&
+diff --git a/net/core/iovec.c b/net/core/iovec.c
+index c40f27e..139ef93 100644
+--- a/net/core/iovec.c
++++ b/net/core/iovec.c
+@@ -48,7 +48,8 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
+ 			if (err < 0)
+ 				return err;
+ 		}
+-		m->msg_name = address;
++		if (m->msg_name)
++			m->msg_name = address;
+ 	} else {
+ 		m->msg_name = NULL;
+ 	}
+diff --git a/net/core/pktgen.c b/net/core/pktgen.c
+index 2ef7da0..80aeac9 100644
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -2524,6 +2524,8 @@ static int process_ipsec(struct pktgen_dev *pkt_dev,
+ 		if (x) {
+ 			int ret;
+ 			__u8 *eth;
++			struct iphdr *iph;
++
+ 			nhead = x->props.header_len - skb_headroom(skb);
+ 			if (nhead > 0) {
+ 				ret = pskb_expand_head(skb, nhead, 0, GFP_ATOMIC);
+@@ -2545,6 +2547,11 @@ static int process_ipsec(struct pktgen_dev *pkt_dev,
+ 			eth = (__u8 *) skb_push(skb, ETH_HLEN);
+ 			memcpy(eth, pkt_dev->hh, 12);
+ 			*(u16 *) &eth[12] = protocol;
++
++			/* Update IPv4 header len as well as checksum value */
++			iph = ip_hdr(skb);
++			iph->tot_len = htons(skb->len - ETH_HLEN);
++			ip_send_check(iph);
+ 		}
+ 	}
+ 	return 1;
+diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
+index 19d6aef..5d42df2 100644
+--- a/net/ieee802154/6lowpan.c
++++ b/net/ieee802154/6lowpan.c
+@@ -563,7 +563,7 @@ lowpan_process_data(struct sk_buff *skb)
+ 	 * Traffic class carried in-line
+ 	 * ECN + DSCP (1 byte), Flow Label is elided
+ 	 */
+-	case 1: /* 10b */
++	case 2: /* 10b */
+ 		if (!skb->len)
+ 			goto drop;
+ 		tmp = lowpan_fetch_skb_u8(skb);
+@@ -576,7 +576,7 @@ lowpan_process_data(struct sk_buff *skb)
+ 	 * Flow Label carried in-line
+ 	 * ECN + 2-bit Pad + Flow Label (3 bytes), DSCP is elided
+ 	 */
+-	case 2: /* 01b */
++	case 1: /* 01b */
+ 		if (!skb->len)
+ 			goto drop;
+ 		tmp = lowpan_fetch_skb_u8(skb);
+diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
+index 424fafb..ec07510 100644
+--- a/net/ipv4/datagram.c
++++ b/net/ipv4/datagram.c
+@@ -57,7 +57,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ 	if (IS_ERR(rt)) {
+ 		err = PTR_ERR(rt);
+ 		if (err == -ENETUNREACH)
+-			IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
++			IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
+ 		goto out;
+ 	}
+ 
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 3b36002..542a9c1 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -374,7 +374,7 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf
+ /*
+  *	Handle MSG_ERRQUEUE
+  */
+-int ip_recv_error(struct sock *sk, struct msghdr *msg, int len)
++int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ {
+ 	struct sock_exterr_skb *serr;
+ 	struct sk_buff *skb, *skb2;
+@@ -411,6 +411,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ 						   serr->addr_offset);
+ 		sin->sin_port = serr->port;
+ 		memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
++		*addr_len = sizeof(*sin);
+ 	}
+ 
+ 	memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 294a380..00975b6 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -567,7 +567,7 @@ static int ping_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ 		err = PTR_ERR(rt);
+ 		rt = NULL;
+ 		if (err == -ENETUNREACH)
+-			IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
++			IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);
+ 		goto out;
+ 	}
+ 
+@@ -623,7 +623,6 @@ static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ 			size_t len, int noblock, int flags, int *addr_len)
+ {
+ 	struct inet_sock *isk = inet_sk(sk);
+-	struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
+ 	struct sk_buff *skb;
+ 	int copied, err;
+ 
+@@ -632,11 +631,8 @@ static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ 	if (flags & MSG_OOB)
+ 		goto out;
+ 
+-	if (addr_len)
+-		*addr_len = sizeof(*sin);
+-
+ 	if (flags & MSG_ERRQUEUE)
+-		return ip_recv_error(sk, msg, len);
++		return ip_recv_error(sk, msg, len, addr_len);
+ 
+ 	skb = skb_recv_datagram(sk, flags, noblock, &err);
+ 	if (!skb)
+@@ -656,11 +652,14 @@ static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ 	sock_recv_timestamp(msg, sk, skb);
+ 
+ 	/* Copy the address. */
+-	if (sin) {
++	if (msg->msg_name) {
++		struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
++
+ 		sin->sin_family = AF_INET;
+ 		sin->sin_port = 0 /* skb->h.uh->source */;
+ 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ 		memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
++		*addr_len = sizeof(*sin);
+ 	}
+ 	if (isk->cmsg_flags)
+ 		ip_cmsg_recv(msg, skb);
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 2815014..cfded93 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -686,11 +686,8 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ 	if (flags & MSG_OOB)
+ 		goto out;
+ 
+-	if (addr_len)
+-		*addr_len = sizeof(*sin);
+-
+ 	if (flags & MSG_ERRQUEUE) {
+-		err = ip_recv_error(sk, msg, len);
++		err = ip_recv_error(sk, msg, len, addr_len);
+ 		goto out;
+ 	}
+ 
+@@ -716,6 +713,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ 		sin->sin_port = 0;
+ 		memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
++		*addr_len = sizeof(*sin);
+ 	}
+ 	if (inet->cmsg_flags)
+ 		ip_cmsg_recv(msg, skb);
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index a97c9ad..92d7138 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -182,7 +182,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ 	if (IS_ERR(rt)) {
+ 		err = PTR_ERR(rt);
+ 		if (err == -ENETUNREACH)
+-			IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
++			IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
+ 		return err;
+ 	}
+ 
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 5decc93..8c2e259 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -937,7 +937,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ 			err = PTR_ERR(rt);
+ 			rt = NULL;
+ 			if (err == -ENETUNREACH)
+-				IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
++				IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);
+ 			goto out;
+ 		}
+ 
+@@ -1036,6 +1036,9 @@ int udp_sendpage(struct sock *sk, struct page *page, int offset,
+ 	struct udp_sock *up = udp_sk(sk);
+ 	int ret;
+ 
++	if (flags & MSG_SENDPAGE_NOTLAST)
++		flags |= MSG_MORE;
++
+ 	if (!up->pending) {
+ 		struct msghdr msg = {	.msg_flags = flags|MSG_MORE };
+ 
+@@ -1171,14 +1174,8 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ 	int is_udplite = IS_UDPLITE(sk);
+ 	bool slow;
+ 
+-	/*
+-	 *	Check any passed addresses
+-	 */
+-	if (addr_len)
+-		*addr_len = sizeof(*sin);
+-
+ 	if (flags & MSG_ERRQUEUE)
+-		return ip_recv_error(sk, msg, len);
++		return ip_recv_error(sk, msg, len, addr_len);
+ 
+ try_again:
+ 	skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0),
+@@ -1231,6 +1228,7 @@ try_again:
+ 		sin->sin_port = udp_hdr(skb)->source;
+ 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ 		memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
++		*addr_len = sizeof(*sin);
+ 	}
+ 	if (inet->cmsg_flags)
+ 		ip_cmsg_recv(msg, skb);
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index e248069..3c7c948 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -315,7 +315,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu)
+ /*
+  *	Handle MSG_ERRQUEUE
+  */
+-int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
++int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ {
+ 	struct ipv6_pinfo *np = inet6_sk(sk);
+ 	struct sock_exterr_skb *serr;
+@@ -366,6 +366,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ 			ipv6_addr_set_v4mapped(*(__be32 *)(nh + serr->addr_offset),
+ 					       &sin->sin6_addr);
+ 		}
++		*addr_len = sizeof(*sin);
+ 	}
+ 
+ 	memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+@@ -374,6 +375,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ 	if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) {
+ 		sin->sin6_family = AF_INET6;
+ 		sin->sin6_flowinfo = 0;
++		sin->sin6_port = 0;
+ 		sin->sin6_scope_id = 0;
+ 		if (skb->protocol == htons(ETH_P_IPV6)) {
+ 			ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr);
+@@ -418,7 +420,8 @@ out:
+ /*
+  *	Handle IPV6_RECVPATHMTU
+  */
+-int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len)
++int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len,
++		     int *addr_len)
+ {
+ 	struct ipv6_pinfo *np = inet6_sk(sk);
+ 	struct sk_buff *skb;
+@@ -452,6 +455,7 @@ int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len)
+ 		sin->sin6_port = 0;
+ 		sin->sin6_scope_id = mtu_info.ip6m_addr.sin6_scope_id;
+ 		ipv6_addr_copy(&sin->sin6_addr, &mtu_info.ip6m_addr.sin6_addr);
++		*addr_len = sizeof(*sin);
+ 	}
+ 
+ 	put_cmsg(msg, SOL_IPV6, IPV6_PATHMTU, sizeof(mtu_info), &mtu_info);
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 97675bf..d3fde7e 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -144,8 +144,8 @@ static int ip6_finish_output2(struct sk_buff *skb)
+ 		return res;
+ 	}
+ 	rcu_read_unlock();
+-	IP6_INC_STATS_BH(dev_net(dst->dev),
+-			 ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
++	IP6_INC_STATS(dev_net(dst->dev),
++		      ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
+ 	kfree_skb(skb);
+ 	return -EINVAL;
+ }
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+index 6e6c2c4..9ecbc84 100644
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -456,14 +456,11 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ 	if (flags & MSG_OOB)
+ 		return -EOPNOTSUPP;
+ 
+-	if (addr_len)
+-		*addr_len=sizeof(*sin6);
+-
+ 	if (flags & MSG_ERRQUEUE)
+-		return ipv6_recv_error(sk, msg, len);
++		return ipv6_recv_error(sk, msg, len, addr_len);
+ 
+ 	if (np->rxpmtu && np->rxopt.bits.rxpmtu)
+-		return ipv6_recv_rxpmtu(sk, msg, len);
++		return ipv6_recv_rxpmtu(sk, msg, len, addr_len);
+ 
+ 	skb = skb_recv_datagram(sk, flags, noblock, &err);
+ 	if (!skb)
+@@ -498,6 +495,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ 		sin6->sin6_scope_id = 0;
+ 		if (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_LINKLOCAL)
+ 			sin6->sin6_scope_id = IP6CB(skb)->iif;
++		*addr_len = sizeof(*sin6);
+ 	}
+ 
+ 	sock_recv_ts_and_drops(msg, sk, skb);
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index bc9103d..1768238 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -592,8 +592,11 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len,
+ 		prefix = &prefix_buf;
+ 	}
+ 
+-	rt = rt6_get_route_info(net, prefix, rinfo->prefix_len, gwaddr,
+-				dev->ifindex);
++	if (rinfo->prefix_len == 0)
++		rt = rt6_get_dflt_router(gwaddr, dev);
++	else
++		rt = rt6_get_route_info(net, prefix, rinfo->prefix_len,
++					gwaddr, dev->ifindex);
+ 
+ 	if (rt && !lifetime) {
+ 		ip6_del_rt(rt);
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index f9e496b..f8bec1e 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -347,14 +347,11 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ 	int is_udp4;
+ 	bool slow;
+ 
+-	if (addr_len)
+-		*addr_len=sizeof(struct sockaddr_in6);
+-
+ 	if (flags & MSG_ERRQUEUE)
+-		return ipv6_recv_error(sk, msg, len);
++		return ipv6_recv_error(sk, msg, len, addr_len);
+ 
+ 	if (np->rxpmtu && np->rxopt.bits.rxpmtu)
+-		return ipv6_recv_rxpmtu(sk, msg, len);
++		return ipv6_recv_rxpmtu(sk, msg, len, addr_len);
+ 
+ try_again:
+ 	skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0),
+@@ -423,7 +420,7 @@ try_again:
+ 			if (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_LINKLOCAL)
+ 				sin6->sin6_scope_id = IP6CB(skb)->iif;
+ 		}
+-
++		*addr_len = sizeof(*sin6);
+ 	}
+ 	if (is_udp4) {
+ 		if (inet->cmsg_flags)
+diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
+index 9680226..8c06a50 100644
+--- a/net/ipx/af_ipx.c
++++ b/net/ipx/af_ipx.c
+@@ -1835,8 +1835,6 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (skb->tstamp.tv64)
+ 		sk->sk_stamp = skb->tstamp;
+ 
+-	msg->msg_namelen = sizeof(*sipx);
+-
+ 	if (sipx) {
+ 		sipx->sipx_family	= AF_IPX;
+ 		sipx->sipx_port		= ipx->ipx_source.sock;
+@@ -1844,6 +1842,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 		sipx->sipx_network	= IPX_SKB_CB(skb)->ipx_source_net;
+ 		sipx->sipx_type 	= ipx->ipx_type;
+ 		sipx->sipx_zero		= 0;
++		msg->msg_namelen	= sizeof(*sipx);
+ 	}
+ 	rc = copied;
+ 
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index 91821e9..f5d011a 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1386,8 +1386,6 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
+ 
+ 	IRDA_DEBUG(4, "%s()\n", __func__);
+ 
+-	msg->msg_namelen = 0;
+-
+ 	skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ 				flags & MSG_DONTWAIT, &err);
+ 	if (!skb)
+@@ -1452,8 +1450,6 @@ static int irda_recvmsg_stream(struct kiocb *iocb, struct socket *sock,
+ 	target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
+ 	timeo = sock_rcvtimeo(sk, noblock);
+ 
+-	msg->msg_namelen = 0;
+-
+ 	do {
+ 		int chunk;
+ 		struct sk_buff *skb = skb_dequeue(&sk->sk_receive_queue);
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index e836140..cf98d62 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1356,8 +1356,6 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	int blen;
+ 	int err = 0;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	if ((sk->sk_state == IUCV_DISCONN || sk->sk_state == IUCV_SEVERED) &&
+ 	    skb_queue_empty(&iucv->backlog_skb_q) &&
+ 	    skb_queue_empty(&sk->sk_receive_queue) &&
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 8dbdb8e..dc8d7ef 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -3595,7 +3595,6 @@ static int pfkey_recvmsg(struct kiocb *kiocb,
+ 	if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT))
+ 		goto out;
+ 
+-	msg->msg_namelen = 0;
+ 	skb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err);
+ 	if (skb == NULL)
+ 		goto out;
+diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
+index 6c7e609..334a93d 100644
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -568,9 +568,6 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
+ 	if (flags & MSG_OOB)
+ 		goto out;
+ 
+-	if (addr_len)
+-		*addr_len = sizeof(*sin);
+-
+ 	skb = skb_recv_datagram(sk, flags, noblock, &err);
+ 	if (!skb)
+ 		goto out;
+@@ -593,6 +590,7 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
+ 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ 		sin->sin_port = 0;
+ 		memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
++		*addr_len = sizeof(*sin);
+ 	}
+ 	if (inet->cmsg_flags)
+ 		ip_cmsg_recv(msg, skb);
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 8570079..969cd3e 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -200,8 +200,6 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (sk->sk_state & PPPOX_BOUND)
+ 		goto end;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	err = 0;
+ 	skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ 				flags & MSG_DONTWAIT, &err);
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index e5565c7..99a60d5 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -720,8 +720,6 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	int target;	/* Read at least this many bytes */
+ 	long timeo;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	lock_sock(sk);
+ 	copied = -ENOTCONN;
+ 	if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index db01d02..71d8564 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -764,7 +764,8 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx)
+ 	u16 sc;
+ 	int tid;
+ 
+-	if (!ieee80211_is_data_qos(hdr->frame_control))
++	if (!ieee80211_is_data_qos(hdr->frame_control) ||
++	    is_multicast_ether_addr(hdr->addr1))
+ 		goto dont_reorder;
+ 
+ 	/*
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 3d1d55d..2369e96 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1445,8 +1445,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
+ 	}
+ #endif
+ 
+-	msg->msg_namelen = 0;
+-
+ 	copied = data_skb->len;
+ 	if (len < copied) {
+ 		msg->msg_flags |= MSG_TRUNC;
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index 3df7c5a..b4d889b 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -1182,10 +1182,9 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 		sax->sax25_family = AF_NETROM;
+ 		skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
+ 			      AX25_ADDR_LEN);
++		msg->msg_namelen = sizeof(*sax);
+ 	}
+ 
+-	msg->msg_namelen = sizeof(*sax);
+-
+ 	skb_free_datagram(sk, skb);
+ 
+ 	release_sock(sk);
+diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
+index 7a167fc..0d570d3 100644
+--- a/net/nfc/rawsock.c
++++ b/net/nfc/rawsock.c
+@@ -248,8 +248,6 @@ static int rawsock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (!skb)
+ 		return rc;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	copied = skb->len;
+ 	if (len < copied) {
+ 		msg->msg_flags |= MSG_TRUNC;
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index a2ac2c3..4f19bf2 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -295,6 +295,7 @@ struct packet_sock {
+ 	unsigned int		tp_reserve;
+ 	unsigned int		tp_loss:1;
+ 	unsigned int		tp_tstamp;
++	struct net_device __rcu	*cached_dev;
+ 	struct packet_type	prot_hook ____cacheline_aligned_in_smp;
+ };
+ 
+@@ -350,11 +351,15 @@ static void __fanout_link(struct sock *sk, struct packet_sock *po);
+ static void register_prot_hook(struct sock *sk)
+ {
+ 	struct packet_sock *po = pkt_sk(sk);
++
+ 	if (!po->running) {
+-		if (po->fanout)
++		if (po->fanout) {
+ 			__fanout_link(sk, po);
+-		else
++		} else {
+ 			dev_add_pack(&po->prot_hook);
++			rcu_assign_pointer(po->cached_dev, po->prot_hook.dev);
++		}
++
+ 		sock_hold(sk);
+ 		po->running = 1;
+ 	}
+@@ -372,10 +377,13 @@ static void __unregister_prot_hook(struct sock *sk, bool sync)
+ 	struct packet_sock *po = pkt_sk(sk);
+ 
+ 	po->running = 0;
+-	if (po->fanout)
++	if (po->fanout) {
+ 		__fanout_unlink(sk, po);
+-	else
++	} else {
+ 		__dev_remove_pack(&po->prot_hook);
++		RCU_INIT_POINTER(po->cached_dev, NULL);
++	}
++
+ 	__sock_put(sk);
+ 
+ 	if (sync) {
+@@ -497,9 +505,9 @@ static void prb_shutdown_retire_blk_timer(struct packet_sock *po,
+ 
+ 	pkc = tx_ring ? &po->tx_ring.prb_bdqc : &po->rx_ring.prb_bdqc;
+ 
+-	spin_lock(&rb_queue->lock);
++	spin_lock_bh(&rb_queue->lock);
+ 	pkc->delete_blk_timer = 1;
+-	spin_unlock(&rb_queue->lock);
++	spin_unlock_bh(&rb_queue->lock);
+ 
+ 	prb_del_retire_blk_timer(pkc);
+ }
+@@ -2032,12 +2040,24 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
+ 	return tp_len;
+ }
+ 
++static struct net_device *packet_cached_dev_get(struct packet_sock *po)
++{
++	struct net_device *dev;
++
++	rcu_read_lock();
++	dev = rcu_dereference(po->cached_dev);
++	if (dev)
++		dev_hold(dev);
++	rcu_read_unlock();
++
++	return dev;
++}
++
+ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ {
+ 	struct sk_buff *skb;
+ 	struct net_device *dev;
+ 	__be16 proto;
+-	bool need_rls_dev = false;
+ 	int err, reserve = 0;
+ 	void *ph;
+ 	struct sockaddr_ll *saddr = (struct sockaddr_ll *)msg->msg_name;
+@@ -2050,7 +2070,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ 
+ 	err = -EBUSY;
+ 	if (saddr == NULL) {
+-		dev = po->prot_hook.dev;
++		dev	= packet_cached_dev_get(po);
+ 		proto	= po->num;
+ 		addr	= NULL;
+ 	} else {
+@@ -2064,19 +2084,17 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ 		proto	= saddr->sll_protocol;
+ 		addr	= saddr->sll_addr;
+ 		dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
+-		need_rls_dev = true;
+ 	}
+ 
+ 	err = -ENXIO;
+ 	if (unlikely(dev == NULL))
+ 		goto out;
+-
+-	reserve = dev->hard_header_len;
+-
+ 	err = -ENETDOWN;
+ 	if (unlikely(!(dev->flags & IFF_UP)))
+ 		goto out_put;
+ 
++	reserve = dev->hard_header_len;
++
+ 	size_max = po->tx_ring.frame_size
+ 		- (po->tp_hdrlen - sizeof(struct sockaddr_ll));
+ 
+@@ -2152,8 +2170,7 @@ out_status:
+ 	__packet_set_status(po, ph, status);
+ 	kfree_skb(skb);
+ out_put:
+-	if (need_rls_dev)
+-		dev_put(dev);
++	dev_put(dev);
+ out:
+ 	mutex_unlock(&po->pg_vec_lock);
+ 	return err;
+@@ -2191,7 +2208,6 @@ static int packet_snd(struct socket *sock,
+ 	struct sk_buff *skb;
+ 	struct net_device *dev;
+ 	__be16 proto;
+-	bool need_rls_dev = false;
+ 	unsigned char *addr;
+ 	int err, reserve = 0;
+ 	struct virtio_net_hdr vnet_hdr = { 0 };
+@@ -2205,7 +2221,7 @@ static int packet_snd(struct socket *sock,
+ 	 */
+ 
+ 	if (saddr == NULL) {
+-		dev = po->prot_hook.dev;
++		dev	= packet_cached_dev_get(po);
+ 		proto	= po->num;
+ 		addr	= NULL;
+ 	} else {
+@@ -2217,19 +2233,17 @@ static int packet_snd(struct socket *sock,
+ 		proto	= saddr->sll_protocol;
+ 		addr	= saddr->sll_addr;
+ 		dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
+-		need_rls_dev = true;
+ 	}
+ 
+ 	err = -ENXIO;
+-	if (dev == NULL)
++	if (unlikely(dev == NULL))
+ 		goto out_unlock;
+-	if (sock->type == SOCK_RAW)
+-		reserve = dev->hard_header_len;
+-
+ 	err = -ENETDOWN;
+-	if (!(dev->flags & IFF_UP))
++	if (unlikely(!(dev->flags & IFF_UP)))
+ 		goto out_unlock;
+ 
++	if (sock->type == SOCK_RAW)
++		reserve = dev->hard_header_len;
+ 	if (po->has_vnet_hdr) {
+ 		vnet_hdr_len = sizeof(vnet_hdr);
+ 
+@@ -2350,15 +2364,14 @@ static int packet_snd(struct socket *sock,
+ 	if (err > 0 && (err = net_xmit_errno(err)) != 0)
+ 		goto out_unlock;
+ 
+-	if (need_rls_dev)
+-		dev_put(dev);
++	dev_put(dev);
+ 
+ 	return len;
+ 
+ out_free:
+ 	kfree_skb(skb);
+ out_unlock:
+-	if (dev && need_rls_dev)
++	if (dev)
+ 		dev_put(dev);
+ out:
+ 	return err;
+@@ -2575,6 +2588,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
+ 	po = pkt_sk(sk);
+ 	sk->sk_family = PF_PACKET;
+ 	po->num = proto;
++	RCU_INIT_POINTER(po->cached_dev, NULL);
+ 
+ 	sk->sk_destruct = packet_sock_destruct;
+ 	sk_refcnt_debug_inc(sk);
+@@ -2663,7 +2677,6 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	struct sock *sk = sock->sk;
+ 	struct sk_buff *skb;
+ 	int copied, err;
+-	struct sockaddr_ll *sll;
+ 	int vnet_hdr_len = 0;
+ 
+ 	err = -EINVAL;
+@@ -2746,22 +2759,10 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 			goto out_free;
+ 	}
+ 
+-	/*
+-	 *	If the address length field is there to be filled in, we fill
+-	 *	it in now.
++	/* You lose any data beyond the buffer you gave. If it worries
++	 * a user program they can ask the device for its MTU
++	 * anyway.
+ 	 */
+-
+-	sll = &PACKET_SKB_CB(skb)->sa.ll;
+-	if (sock->type == SOCK_PACKET)
+-		msg->msg_namelen = sizeof(struct sockaddr_pkt);
+-	else
+-		msg->msg_namelen = sll->sll_halen + offsetof(struct sockaddr_ll, sll_addr);
+-
+-	/*
+-	 *	You lose any data beyond the buffer you gave. If it worries a
+-	 *	user program they can ask the device for its MTU anyway.
+-	 */
+-
+ 	copied = skb->len;
+ 	if (copied > len) {
+ 		copied = len;
+@@ -2774,9 +2775,20 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	sock_recv_ts_and_drops(msg, sk, skb);
+ 
+-	if (msg->msg_name)
++	if (msg->msg_name) {
++		/* If the address length field is there to be filled
++		 * in, we fill it in now.
++		 */
++		if (sock->type == SOCK_PACKET) {
++			msg->msg_namelen = sizeof(struct sockaddr_pkt);
++		} else {
++			struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll;
++			msg->msg_namelen = sll->sll_halen +
++				offsetof(struct sockaddr_ll, sll_addr);
++		}
+ 		memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa,
+ 		       msg->msg_namelen);
++	}
+ 
+ 	if (pkt_sk(sk)->auxdata) {
+ 		struct tpacket_auxdata aux;
+diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c
+index bf35b4e..b25f2d3 100644
+--- a/net/phonet/datagram.c
++++ b/net/phonet/datagram.c
+@@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,
+ 			MSG_CMSG_COMPAT))
+ 		goto out_nofree;
+ 
+-	if (addr_len)
+-		*addr_len = sizeof(sa);
+-
+ 	skb = skb_recv_datagram(sk, flags, noblock, &rval);
+ 	if (skb == NULL)
+ 		goto out_nofree;
+@@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,
+ 
+ 	rval = (flags & MSG_TRUNC) ? skb->len : copylen;
+ 
+-	if (msg->msg_name != NULL)
+-		memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn));
++	if (msg->msg_name != NULL) {
++		memcpy(msg->msg_name, &sa, sizeof(sa));
++		*addr_len = sizeof(sa);
++	}
+ 
+ out:
+ 	skb_free_datagram(sk, skb);
+diff --git a/net/rds/recv.c b/net/rds/recv.c
+index fc57d31..96a1239 100644
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -410,8 +410,6 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ 
+ 	rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo);
+ 
+-	msg->msg_namelen = 0;
+-
+ 	if (msg_flags & MSG_OOB)
+ 		goto out;
+ 
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 1f96fb9..bf76dec7 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1221,7 +1221,6 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ {
+ 	struct sock *sk = sock->sk;
+ 	struct rose_sock *rose = rose_sk(sk);
+-	struct sockaddr_rose *srose = (struct sockaddr_rose *)msg->msg_name;
+ 	size_t copied;
+ 	unsigned char *asmptr;
+ 	struct sk_buff *skb;
+@@ -1257,8 +1256,11 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 	skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+ 
+-	if (srose != NULL) {
+-		memset(srose, 0, msg->msg_namelen);
++	if (msg->msg_name) {
++		struct sockaddr_rose *srose;
++
++		memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose));
++		srose = msg->msg_name;
+ 		srose->srose_family = AF_ROSE;
+ 		srose->srose_addr   = rose->dest_addr;
+ 		srose->srose_call   = rose->dest_call;
+diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c
+index 4b48687..898492a 100644
+--- a/net/rxrpc/ar-recvmsg.c
++++ b/net/rxrpc/ar-recvmsg.c
+@@ -143,10 +143,13 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 
+ 		/* copy the peer address and timestamp */
+ 		if (!continue_call) {
+-			if (msg->msg_name && msg->msg_namelen > 0)
++			if (msg->msg_name) {
++				size_t len =
++					sizeof(call->conn->trans->peer->srx);
+ 				memcpy(msg->msg_name,
+-				       &call->conn->trans->peer->srx,
+-				       sizeof(call->conn->trans->peer->srx));
++				       &call->conn->trans->peer->srx, len);
++				msg->msg_namelen = len;
++			}
+ 			sock_recv_ts_and_drops(msg, &rx->sk, skb);
+ 		}
+ 
+diff --git a/net/socket.c b/net/socket.c
+index bf7adaa..d4faade 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -215,12 +215,13 @@ static int move_addr_to_user(struct sockaddr *kaddr, int klen,
+ 	int err;
+ 	int len;
+ 
++	BUG_ON(klen > sizeof(struct sockaddr_storage));
+ 	err = get_user(len, ulen);
+ 	if (err)
+ 		return err;
+ 	if (len > klen)
+ 		len = klen;
+-	if (len < 0 || len > sizeof(struct sockaddr_storage))
++	if (len < 0)
+ 		return -EINVAL;
+ 	if (len) {
+ 		if (audit_sockaddr(klen, kaddr))
+@@ -1752,8 +1753,10 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ 	msg.msg_iov = &iov;
+ 	iov.iov_len = size;
+ 	iov.iov_base = ubuf;
+-	msg.msg_name = (struct sockaddr *)&address;
+-	msg.msg_namelen = sizeof(address);
++	/* Save some cycles and don't copy the address if not needed */
++	msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
++	/* We assume all kernel code knows the size of sockaddr_storage */
++	msg.msg_namelen = 0;
+ 	if (sock->file->f_flags & O_NONBLOCK)
+ 		flags |= MSG_DONTWAIT;
+ 	err = sock_recvmsg(sock, &msg, size, flags);
+@@ -1882,7 +1885,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
+ 	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+ 		return -EFAULT;
+ 	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+-		return -EINVAL;
++		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ 	return 0;
+ }
+ 
+@@ -2142,18 +2145,16 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ 			goto out;
+ 	}
+ 
+-	/*
+-	 *      Save the user-mode address (verify_iovec will change the
+-	 *      kernel msghdr to use the kernel address space)
++	/* Save the user-mode address (verify_iovec will change the
++	 * kernel msghdr to use the kernel address space)
+ 	 */
+-
+ 	uaddr = (__force void __user *)msg_sys->msg_name;
+ 	uaddr_len = COMPAT_NAMELEN(msg);
+-	if (MSG_CMSG_COMPAT & flags) {
++	if (MSG_CMSG_COMPAT & flags)
+ 		err = verify_compat_iovec(msg_sys, iov,
+ 					  (struct sockaddr *)&addr,
+ 					  VERIFY_WRITE);
+-	} else
++	else
+ 		err = verify_iovec(msg_sys, iov,
+ 				   (struct sockaddr *)&addr,
+ 				   VERIFY_WRITE);
+@@ -2164,6 +2165,9 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ 	cmsg_ptr = (unsigned long)msg_sys->msg_control;
+ 	msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT);
+ 
++	/* We assume all kernel code knows the size of sockaddr_storage */
++	msg_sys->msg_namelen = 0;
++
+ 	if (sock->file->f_flags & O_NONBLOCK)
+ 		flags |= MSG_DONTWAIT;
+ 	err = (nosec ? sock_recvmsg_nosec : sock_recvmsg)(sock, msg_sys,
+diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
+index 65fe23b..bfb78fa 100644
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -390,8 +390,10 @@ static int xs_send_kvec(struct socket *sock, struct sockaddr *addr, int addrlen,
+ 	return kernel_sendmsg(sock, &msg, NULL, 0, 0);
+ }
+ 
+-static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned int base, int more)
++static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned int base, int more, bool zerocopy)
+ {
++	ssize_t (*do_sendpage)(struct socket *sock, struct page *page,
++			int offset, size_t size, int flags);
+ 	struct page **ppage;
+ 	unsigned int remainder;
+ 	int err, sent = 0;
+@@ -400,6 +402,9 @@ static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned i
+ 	base += xdr->page_base;
+ 	ppage = xdr->pages + (base >> PAGE_SHIFT);
+ 	base &= ~PAGE_MASK;
++	do_sendpage = sock->ops->sendpage;
++	if (!zerocopy)
++		do_sendpage = sock_no_sendpage;
+ 	for(;;) {
+ 		unsigned int len = min_t(unsigned int, PAGE_SIZE - base, remainder);
+ 		int flags = XS_SENDMSG_FLAGS;
+@@ -407,7 +412,7 @@ static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned i
+ 		remainder -= len;
+ 		if (remainder != 0 || more)
+ 			flags |= MSG_MORE;
+-		err = sock->ops->sendpage(sock, *ppage, base, len, flags);
++		err = do_sendpage(sock, *ppage, base, len, flags);
+ 		if (remainder == 0 || err != len)
+ 			break;
+ 		sent += err;
+@@ -428,9 +433,10 @@ static int xs_send_pagedata(struct socket *sock, struct xdr_buf *xdr, unsigned i
+  * @addrlen: UDP only -- length of destination address
+  * @xdr: buffer containing this request
+  * @base: starting position in the buffer
++ * @zerocopy: true if it is safe to use sendpage()
+  *
+  */
+-static int xs_sendpages(struct socket *sock, struct sockaddr *addr, int addrlen, struct xdr_buf *xdr, unsigned int base)
++static int xs_sendpages(struct socket *sock, struct sockaddr *addr, int addrlen, struct xdr_buf *xdr, unsigned int base, bool zerocopy)
+ {
+ 	unsigned int remainder = xdr->len - base;
+ 	int err, sent = 0;
+@@ -458,7 +464,7 @@ static int xs_sendpages(struct socket *sock, struct sockaddr *addr, int addrlen,
+ 	if (base < xdr->page_len) {
+ 		unsigned int len = xdr->page_len - base;
+ 		remainder -= len;
+-		err = xs_send_pagedata(sock, xdr, base, remainder != 0);
++		err = xs_send_pagedata(sock, xdr, base, remainder != 0, zerocopy);
+ 		if (remainder == 0 || err != len)
+ 			goto out;
+ 		sent += err;
+@@ -561,7 +567,7 @@ static int xs_local_send_request(struct rpc_task *task)
+ 			req->rq_svec->iov_base, req->rq_svec->iov_len);
+ 
+ 	status = xs_sendpages(transport->sock, NULL, 0,
+-						xdr, req->rq_bytes_sent);
++						xdr, req->rq_bytes_sent, true);
+ 	dprintk("RPC:       %s(%u) = %d\n",
+ 			__func__, xdr->len - req->rq_bytes_sent, status);
+ 	if (likely(status >= 0)) {
+@@ -617,7 +623,7 @@ static int xs_udp_send_request(struct rpc_task *task)
+ 	status = xs_sendpages(transport->sock,
+ 			      xs_addr(xprt),
+ 			      xprt->addrlen, xdr,
+-			      req->rq_bytes_sent);
++			      req->rq_bytes_sent, true);
+ 
+ 	dprintk("RPC:       xs_udp_send_request(%u) = %d\n",
+ 			xdr->len - req->rq_bytes_sent, status);
+@@ -688,6 +694,7 @@ static int xs_tcp_send_request(struct rpc_task *task)
+ 	struct rpc_xprt *xprt = req->rq_xprt;
+ 	struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt);
+ 	struct xdr_buf *xdr = &req->rq_snd_buf;
++	bool zerocopy = true;
+ 	int status;
+ 
+ 	xs_encode_stream_record_marker(&req->rq_snd_buf);
+@@ -695,13 +702,20 @@ static int xs_tcp_send_request(struct rpc_task *task)
+ 	xs_pktdump("packet data:",
+ 				req->rq_svec->iov_base,
+ 				req->rq_svec->iov_len);
++	/* Don't use zero copy if this is a resend. If the RPC call
++	 * completes while the socket holds a reference to the pages,
++	 * then we may end up resending corrupted data.
++	 */
++	if (task->tk_flags & RPC_TASK_SENT)
++		zerocopy = false;
+ 
+ 	/* Continue transmitting the packet/record. We must be careful
+ 	 * to cope with writespace callbacks arriving _after_ we have
+ 	 * called sendmsg(). */
+ 	while (1) {
+ 		status = xs_sendpages(transport->sock,
+-					NULL, 0, xdr, req->rq_bytes_sent);
++					NULL, 0, xdr, req->rq_bytes_sent,
++					zerocopy);
+ 
+ 		dprintk("RPC:       xs_tcp_send_request(%u) = %d\n",
+ 				xdr->len - req->rq_bytes_sent, status);
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index fdf34af..058941e 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -949,9 +949,6 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
+ 		goto exit;
+ 	}
+ 
+-	/* will be updated in set_orig_addr() if needed */
+-	m->msg_namelen = 0;
+-
+ 	timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+ 
+@@ -1078,9 +1075,6 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
+ 		goto exit;
+ 	}
+ 
+-	/* will be updated in set_orig_addr() if needed */
+-	m->msg_namelen = 0;
+-
+ 	target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
+ 	timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 5122b22..9338ccc 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1744,7 +1744,6 @@ static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
+ {
+ 	struct unix_sock *u = unix_sk(sk);
+ 
+-	msg->msg_namelen = 0;
+ 	if (u->addr) {
+ 		msg->msg_namelen = u->addr->len;
+ 		memcpy(msg->msg_name, u->addr->name, u->addr->len);
+@@ -1767,8 +1766,6 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (flags&MSG_OOB)
+ 		goto out;
+ 
+-	msg->msg_namelen = 0;
+-
+ 	err = mutex_lock_interruptible(&u->readlock);
+ 	if (err) {
+ 		err = sock_intr_errno(sock_rcvtimeo(sk, noblock));
+@@ -1902,8 +1899,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	target = sock_rcvlowat(sk, flags&MSG_WAITALL, size);
+ 	timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT);
+ 
+-	msg->msg_namelen = 0;
+-
+ 	/* Lock the socket to prevent queue disordering
+ 	 * while sleeps in memcpy_tomsg
+ 	 */
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index dc24ba9..07b9973 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -1343,10 +1343,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (sx25) {
+ 		sx25->sx25_family = AF_X25;
+ 		sx25->sx25_addr   = x25->dest_addr;
++		msg->msg_namelen = sizeof(*sx25);
+ 	}
+ 
+-	msg->msg_namelen = sizeof(struct sockaddr_x25);
+-
+ 	x25_check_rbuf(sk);
+ 	rc = copied;
+ out_free_dgram:
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 1126c10..5898f34 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -53,6 +53,7 @@
+ #include <net/icmp.h>
+ #include <net/ip.h>		/* for local_port_range[] */
+ #include <net/tcp.h>		/* struct or_callable used in sock_rcv_skb */
++#include <net/inet_connection_sock.h>
+ #include <net/net_namespace.h>
+ #include <net/netlabel.h>
+ #include <linux/uaccess.h>
+@@ -3704,6 +3705,30 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
+ 	return 0;
+ }
+ 
++/**
++ * selinux_conn_sid - Determine the child socket label for a connection
++ * @sk_sid: the parent socket's SID
++ * @skb_sid: the packet's SID
++ * @conn_sid: the resulting connection SID
++ *
++ * If @skb_sid is valid then the user:role:type information from @sk_sid is
++ * combined with the MLS information from @skb_sid in order to create
++ * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
++ * of @sk_sid.  Returns zero on success, negative values on failure.
++ *
++ */
++static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
++{
++	int err = 0;
++
++	if (skb_sid != SECSID_NULL)
++		err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
++	else
++		*conn_sid = sk_sid;
++
++	return err;
++}
++
+ /* socket security operations */
+ 
+ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
+@@ -4295,7 +4320,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
+ 	struct sk_security_struct *sksec = sk->sk_security;
+ 	int err;
+ 	u16 family = sk->sk_family;
+-	u32 newsid;
++	u32 connsid;
+ 	u32 peersid;
+ 
+ 	/* handle mapped IPv4 packets arriving via IPv6 sockets */
+@@ -4305,16 +4330,11 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
+ 	err = selinux_skb_peerlbl_sid(skb, family, &peersid);
+ 	if (err)
+ 		return err;
+-	if (peersid == SECSID_NULL) {
+-		req->secid = sksec->sid;
+-		req->peer_secid = SECSID_NULL;
+-	} else {
+-		err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
+-		if (err)
+-			return err;
+-		req->secid = newsid;
+-		req->peer_secid = peersid;
+-	}
++	err = selinux_conn_sid(sksec->sid, peersid, &connsid);
++	if (err)
++		return err;
++	req->secid = connsid;
++	req->peer_secid = peersid;
+ 
+ 	return selinux_netlbl_inet_conn_request(req, family);
+ }
+@@ -4542,6 +4562,7 @@ static unsigned int selinux_ipv6_forward(unsigned int hooknum,
+ static unsigned int selinux_ip_output(struct sk_buff *skb,
+ 				      u16 family)
+ {
++	struct sock *sk;
+ 	u32 sid;
+ 
+ 	if (!netlbl_enabled())
+@@ -4550,8 +4571,27 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
+ 	/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
+ 	 * because we want to make sure we apply the necessary labeling
+ 	 * before IPsec is applied so we can leverage AH protection */
+-	if (skb->sk) {
+-		struct sk_security_struct *sksec = skb->sk->sk_security;
++	sk = skb->sk;
++	if (sk) {
++		struct sk_security_struct *sksec;
++
++		if (sk->sk_state == TCP_LISTEN)
++			/* if the socket is the listening state then this
++			 * packet is a SYN-ACK packet which means it needs to
++			 * be labeled based on the connection/request_sock and
++			 * not the parent socket.  unfortunately, we can't
++			 * lookup the request_sock yet as it isn't queued on
++			 * the parent socket until after the SYN-ACK is sent.
++			 * the "solution" is to simply pass the packet as-is
++			 * as any IP option based labeling should be copied
++			 * from the initial connection request (in the IP
++			 * layer).  it is far from ideal, but until we get a
++			 * security label in the packet itself this is the
++			 * best we can do. */
++			return NF_ACCEPT;
++
++		/* standard practice, label using the parent socket */
++		sksec = sk->sk_security;
+ 		sid = sksec->sid;
+ 	} else
+ 		sid = SECINITSID_KERNEL;
+@@ -4633,12 +4673,12 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
+ 	if (!secmark_active && !peerlbl_active)
+ 		return NF_ACCEPT;
+ 
+-	/* if the packet is being forwarded then get the peer label from the
+-	 * packet itself; otherwise check to see if it is from a local
+-	 * application or the kernel, if from an application get the peer label
+-	 * from the sending socket, otherwise use the kernel's sid */
+ 	sk = skb->sk;
+ 	if (sk == NULL) {
++		/* Without an associated socket the packet is either coming
++		 * from the kernel or it is being forwarded; check the packet
++		 * to determine which and if the packet is being forwarded
++		 * query the packet directly to determine the security label. */
+ 		if (skb->skb_iif) {
+ 			secmark_perm = PACKET__FORWARD_OUT;
+ 			if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
+@@ -4647,7 +4687,26 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
+ 			secmark_perm = PACKET__SEND;
+ 			peer_sid = SECINITSID_KERNEL;
+ 		}
++	} else if (sk->sk_state == TCP_LISTEN) {
++		/* Locally generated packet but the associated socket is in the
++		 * listening state which means this is a SYN-ACK packet.  In
++		 * this particular case the correct security label is assigned
++		 * to the connection/request_sock but unfortunately we can't
++		 * query the request_sock as it isn't queued on the parent
++		 * socket until after the SYN-ACK packet is sent; the only
++		 * viable choice is to regenerate the label like we do in
++		 * selinux_inet_conn_request().  See also selinux_ip_output()
++		 * for similar problems. */
++		u32 skb_sid;
++		struct sk_security_struct *sksec = sk->sk_security;
++		if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
++			return NF_DROP;
++		if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
++			return NF_DROP;
++		secmark_perm = PACKET__SEND;
+ 	} else {
++		/* Locally generated packet, fetch the security label from the
++		 * associated socket. */
+ 		struct sk_security_struct *sksec = sk->sk_security;
+ 		peer_sid = sksec->sid;
+ 		secmark_perm = PACKET__SEND;
+diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
+index da4b8b2..6235d05 100644
+--- a/security/selinux/netlabel.c
++++ b/security/selinux/netlabel.c
+@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
+ 	    sksec->nlbl_state != NLBL_CONNLABELED)
+ 		return 0;
+ 
+-	local_bh_disable();
+-	bh_lock_sock_nested(sk);
++	lock_sock(sk);
+ 
+ 	/* connected sockets are allowed to disconnect when the address family
+ 	 * is set to AF_UNSPEC, if that is what is happening we want to reset
+@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
+ 		sksec->nlbl_state = NLBL_CONNLABELED;
+ 
+ socket_connect_return:
+-	bh_unlock_sock(sk);
+-	local_bh_enable();
++	release_sock(sk);
+ 	return rc;
+ }
+diff --git a/sound/drivers/pcsp/pcsp.c b/sound/drivers/pcsp/pcsp.c
+index 946a0cb..e6ad8d4 100644
+--- a/sound/drivers/pcsp/pcsp.c
++++ b/sound/drivers/pcsp/pcsp.c
+@@ -187,8 +187,8 @@ static int __devinit pcsp_probe(struct platform_device *dev)
+ static int __devexit pcsp_remove(struct platform_device *dev)
+ {
+ 	struct snd_pcsp *chip = platform_get_drvdata(dev);
+-	alsa_card_pcsp_exit(chip);
+ 	pcspkr_input_remove(chip->input_dev);
++	alsa_card_pcsp_exit(chip);
+ 	platform_set_drvdata(dev, NULL);
+ 	return 0;
+ }
+diff --git a/sound/isa/msnd/msnd_pinnacle.c b/sound/isa/msnd/msnd_pinnacle.c
+index 0961e2c..a9cc687 100644
+--- a/sound/isa/msnd/msnd_pinnacle.c
++++ b/sound/isa/msnd/msnd_pinnacle.c
+@@ -73,9 +73,11 @@
+ #ifdef MSND_CLASSIC
+ #  include "msnd_classic.h"
+ #  define LOGNAME			"msnd_classic"
++#  define DEV_NAME			"msnd-classic"
+ #else
+ #  include "msnd_pinnacle.h"
+ #  define LOGNAME			"snd_msnd_pinnacle"
++#  define DEV_NAME			"msnd-pinnacle"
+ #endif
+ 
+ static void __devinit set_default_audio_parameters(struct snd_msnd *chip)
+@@ -1068,8 +1070,6 @@ static int __devexit snd_msnd_isa_remove(struct device *pdev, unsigned int dev)
+ 	return 0;
+ }
+ 
+-#define DEV_NAME "msnd-pinnacle"
+-
+ static struct isa_driver snd_msnd_driver = {
+ 	.match		= snd_msnd_isa_match,
+ 	.probe		= snd_msnd_isa_probe,
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 984b5b1..843d9f3 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -4610,6 +4610,8 @@ static const struct hda_codec_preset snd_hda_preset_conexant[] = {
+ 	  .patch = patch_conexant_auto },
+ 	{ .id = 0x14f15115, .name = "CX20757",
+ 	  .patch = patch_conexant_auto },
++	{ .id = 0x14f151d7, .name = "CX20952",
++	  .patch = patch_conexant_auto },
+ 	{} /* terminator */
+ };
+ 
+@@ -4636,6 +4638,7 @@ MODULE_ALIAS("snd-hda-codec-id:14f15111");
+ MODULE_ALIAS("snd-hda-codec-id:14f15113");
+ MODULE_ALIAS("snd-hda-codec-id:14f15114");
+ MODULE_ALIAS("snd-hda-codec-id:14f15115");
++MODULE_ALIAS("snd-hda-codec-id:14f151d7");
+ 
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Conexant HD-audio codec");
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 92c913d..1f78ca6 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5943,6 +5943,7 @@ static int patch_alc662(struct hda_codec *codec)
+ 		case 0x10ec0272:
+ 		case 0x10ec0663:
+ 		case 0x10ec0665:
++		case 0x10ec0668:
+ 			set_beep_amp(spec, 0x0b, 0x04, HDA_INPUT);
+ 			break;
+ 		case 0x10ec0273:
+@@ -6019,6 +6020,7 @@ static int patch_alc680(struct hda_codec *codec)
+  */
+ static const struct hda_codec_preset snd_hda_preset_realtek[] = {
+ 	{ .id = 0x10ec0221, .name = "ALC221", .patch = patch_alc269 },
++	{ .id = 0x10ec0231, .name = "ALC231", .patch = patch_alc269 },
+ 	{ .id = 0x10ec0260, .name = "ALC260", .patch = patch_alc260 },
+ 	{ .id = 0x10ec0262, .name = "ALC262", .patch = patch_alc262 },
+ 	{ .id = 0x10ec0267, .name = "ALC267", .patch = patch_alc268 },
+diff --git a/sound/soc/codecs/ak4642.c b/sound/soc/codecs/ak4642.c
+index 1c4999d..f2dac5c 100644
+--- a/sound/soc/codecs/ak4642.c
++++ b/sound/soc/codecs/ak4642.c
+@@ -214,7 +214,7 @@ static int ak4642_dai_startup(struct snd_pcm_substream *substream,
+ 		 * This operation came from example code of
+ 		 * "ASAHI KASEI AK4642" (japanese) manual p94.
+ 		 */
+-		snd_soc_write(codec, SG_SL1, PMMP | MGAIN0);
++		snd_soc_update_bits(codec, SG_SL1, PMMP | MGAIN0, PMMP | MGAIN0);
+ 		snd_soc_write(codec, TIMER, ZTM(0x3) | WTM(0x3));
+ 		snd_soc_write(codec, ALC_CTL1, ALC | LMTH0);
+ 		snd_soc_update_bits(codec, PW_MGMT1, PMVCM | PMADL,
+diff --git a/sound/soc/codecs/wm8731.c b/sound/soc/codecs/wm8731.c
+index a7c9ae1..6cfd4f7 100644
+--- a/sound/soc/codecs/wm8731.c
++++ b/sound/soc/codecs/wm8731.c
+@@ -392,10 +392,10 @@ static int wm8731_set_dai_fmt(struct snd_soc_dai *codec_dai,
+ 		iface |= 0x0001;
+ 		break;
+ 	case SND_SOC_DAIFMT_DSP_A:
+-		iface |= 0x0003;
++		iface |= 0x0013;
+ 		break;
+ 	case SND_SOC_DAIFMT_DSP_B:
+-		iface |= 0x0013;
++		iface |= 0x0003;
+ 		break;
+ 	default:
+ 		return -EINVAL;
+diff --git a/sound/soc/codecs/wm8990.c b/sound/soc/codecs/wm8990.c
+index d29a962..cfa5bea 100644
+--- a/sound/soc/codecs/wm8990.c
++++ b/sound/soc/codecs/wm8990.c
+@@ -1266,6 +1266,8 @@ static int wm8990_set_bias_level(struct snd_soc_codec *codec,
+ 
+ 		/* disable POBCTRL, SOFT_ST and BUFDCOPEN */
+ 		snd_soc_write(codec, WM8990_ANTIPOP2, 0x0);
++
++		codec->cache_sync = 1;
+ 		break;
+ 	}
+ 
+diff --git a/sound/usb/6fire/chip.c b/sound/usb/6fire/chip.c
+index c7dca7b..46a2816 100644
+--- a/sound/usb/6fire/chip.c
++++ b/sound/usb/6fire/chip.c
+@@ -102,7 +102,7 @@ static int __devinit usb6fire_chip_probe(struct usb_interface *intf,
+ 			usb_set_intfdata(intf, chips[i]);
+ 			mutex_unlock(&register_mutex);
+ 			return 0;
+-		} else if (regidx < 0)
++		} else if (!devices[i] && regidx < 0)
+ 			regidx = i;
+ 	}
+ 	if (regidx < 0) {
+diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
+index 533db33..5dbb35d 100644
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -101,6 +101,10 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
+ 		while ((gfn << PAGE_SHIFT) & (page_size - 1))
+ 			page_size >>= 1;
+ 
++		/* Make sure hva is aligned to the page size we want to map */
++		while (gfn_to_hva_memslot(slot, gfn) & (page_size - 1))
++			page_size >>= 1;
++
+ 		/*
+ 		 * Pin all pages we are about to map in memory. This is
+ 		 * important because we unmap and unpin in 4kb steps later.
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 8bf05f0..d83aa5e 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -774,7 +774,7 @@ skip_lpage:
+ 		new.userspace_addr = mem->userspace_addr;
+ #endif /* not defined CONFIG_S390 */
+ 
+-	if (!npages) {
++	if (!npages || base_gfn != old.base_gfn) {
+ 		r = -ENOMEM;
+ 		slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL);
+ 		if (!slots)
+@@ -788,8 +788,10 @@ skip_lpage:
+ 		old_memslots = kvm->memslots;
+ 		rcu_assign_pointer(kvm->memslots, slots);
+ 		synchronize_srcu_expedited(&kvm->srcu);
+-		/* From this point no new shadow pages pointing to a deleted
+-		 * memslot will be created.
++		/* slot was deleted or moved, clear iommu mapping */
++		kvm_iommu_unmap_pages(kvm, &old);
++		/* From this point no new shadow pages pointing to a deleted,
++		 * or moved, memslot will be created.
+ 		 *
+ 		 * validation of sp->gfn happens in:
+ 		 * 	- gfn_to_hva (kvm_read_guest, gfn_to_pfn)
+@@ -803,14 +805,6 @@ skip_lpage:
+ 	if (r)
+ 		goto out_free;
+ 
+-	/* map/unmap the pages in iommu page table */
+-	if (npages) {
+-		r = kvm_iommu_map_pages(kvm, &new);
+-		if (r)
+-			goto out_free;
+-	} else
+-		kvm_iommu_unmap_pages(kvm, &old);
+-
+ 	r = -ENOMEM;
+ 	slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL);
+ 	if (!slots)
+@@ -820,6 +814,13 @@ skip_lpage:
+ 		slots->nmemslots = mem->slot + 1;
+ 	slots->generation++;
+ 
++	/* map new memory slot into the iommu */
++	if (npages) {
++		r = kvm_iommu_map_pages(kvm, &new);
++		if (r)
++			goto out_slots;
++	}
++
+ 	/* actual memory is freed via old in kvm_free_physmem_slot below */
+ 	if (!npages) {
+ 		new.rmap = NULL;
+@@ -847,6 +848,8 @@ skip_lpage:
+ 
+ 	return 0;
+ 
++out_slots:
++	kfree(slots);
+ out_free:
+ 	kvm_free_physmem_slot(&new, &old);
+ out:
+@@ -1683,6 +1686,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
+ 	int r;
+ 	struct kvm_vcpu *vcpu, *v;
+ 
++	if (id >= KVM_MAX_VCPUS)
++		return -EINVAL;
++
+ 	vcpu = kvm_arch_vcpu_create(kvm, id);
+ 	if (IS_ERR(vcpu))
+ 		return PTR_ERR(vcpu);
diff --git a/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch b/3.2.54/4420_grsecurity-3.0-3.2.54-201401051649.patch
index 02cb583..3e204e8 100644
--- a/3.2.53/4420_grsecurity-3.0-3.2.53-201312262018.patch
+++ b/3.2.54/4420_grsecurity-3.0-3.2.54-201401051649.patch
@@ -270,7 +270,7 @@ index 88fd7f5..b318a78 100644
  ==============================================================
  
 diff --git a/Makefile b/Makefile
-index 90f57dc..1082409 100644
+index 848be26..3deab0e 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -850,7 +850,7 @@ index fadd5f8..904e73a 100644
  		/* Allow reads even for write-only mappings */
  		if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
 diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
-index 7bb8bf9..4b0c4ed 100644
+index b7c5d5d..4b0c4ed 100644
 --- a/arch/arm/include/asm/assembler.h
 +++ b/arch/arm/include/asm/assembler.h
 @@ -231,7 +231,7 @@
@@ -871,19 +871,6 @@ index 7bb8bf9..4b0c4ed 100644
  	.rept	\rept
  9999:
  	.if	\inc == 1
-@@ -307,4 +307,12 @@
- 	.size \name , . - \name
- 	.endm
- 
-+	.macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req
-+#ifndef CONFIG_CPU_USE_DOMAINS
-+	adds	\tmp, \addr, #\size - 1
-+	sbcccs	\tmp, \tmp, \limit
-+	bcs	\bad
-+#endif
-+	.endm
-+
- #endif /* __ASM_ASSEMBLER_H__ */
 diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
 index 86976d0..269b872 100644
 --- a/arch/arm/include/asm/atomic.h
@@ -1748,98 +1735,10 @@ index 7b5cc8d..5d70d88 100644
  /*
   * Change these and you break ASM code in entry-common.S
 diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
-index b293616..47aa55e 100644
+index 292c3f8..47aa55e 100644
 --- a/arch/arm/include/asm/uaccess.h
 +++ b/arch/arm/include/asm/uaccess.h
-@@ -101,28 +101,39 @@ extern int __get_user_1(void *);
- extern int __get_user_2(void *);
- extern int __get_user_4(void *);
- 
--#define __get_user_x(__r2,__p,__e,__s,__i...)				\
-+#define __GUP_CLOBBER_1	"lr", "cc"
-+#ifdef CONFIG_CPU_USE_DOMAINS
-+#define __GUP_CLOBBER_2	"ip", "lr", "cc"
-+#else
-+#define __GUP_CLOBBER_2 "lr", "cc"
-+#endif
-+#define __GUP_CLOBBER_4	"lr", "cc"
-+
-+#define __get_user_x(__r2,__p,__e,__l,__s)				\
- 	   __asm__ __volatile__ (					\
- 		__asmeq("%0", "r0") __asmeq("%1", "r2")			\
-+		__asmeq("%3", "r1")					\
- 		"bl	__get_user_" #__s				\
- 		: "=&r" (__e), "=r" (__r2)				\
--		: "0" (__p)						\
--		: __i, "cc")
-+		: "0" (__p), "r" (__l)					\
-+		: __GUP_CLOBBER_##__s)
- 
- #define get_user(x,p)							\
- 	({								\
-+		unsigned long __limit = current_thread_info()->addr_limit - 1; \
- 		register const typeof(*(p)) __user *__p asm("r0") = (p);\
- 		register unsigned long __r2 asm("r2");			\
-+		register unsigned long __l asm("r1") = __limit;		\
- 		register int __e asm("r0");				\
- 		switch (sizeof(*(__p))) {				\
- 		case 1:							\
--			__get_user_x(__r2, __p, __e, 1, "lr");		\
--	       		break;						\
-+			__get_user_x(__r2, __p, __e, __l, 1);		\
-+			break;						\
- 		case 2:							\
--			__get_user_x(__r2, __p, __e, 2, "r3", "lr");	\
-+			__get_user_x(__r2, __p, __e, __l, 2);		\
- 			break;						\
- 		case 4:							\
--	       		__get_user_x(__r2, __p, __e, 4, "lr");		\
-+			__get_user_x(__r2, __p, __e, __l, 4);		\
- 			break;						\
- 		default: __e = __get_user_bad(); break;			\
- 		}							\
-@@ -135,31 +146,34 @@ extern int __put_user_2(void *, unsigned int);
- extern int __put_user_4(void *, unsigned int);
- extern int __put_user_8(void *, unsigned long long);
- 
--#define __put_user_x(__r2,__p,__e,__s)					\
-+#define __put_user_x(__r2,__p,__e,__l,__s)				\
- 	   __asm__ __volatile__ (					\
- 		__asmeq("%0", "r0") __asmeq("%2", "r2")			\
-+		__asmeq("%3", "r1")					\
- 		"bl	__put_user_" #__s				\
- 		: "=&r" (__e)						\
--		: "0" (__p), "r" (__r2)					\
-+		: "0" (__p), "r" (__r2), "r" (__l)			\
- 		: "ip", "lr", "cc")
- 
- #define put_user(x,p)							\
- 	({								\
-+		unsigned long __limit = current_thread_info()->addr_limit - 1; \
- 		register const typeof(*(p)) __r2 asm("r2") = (x);	\
- 		register const typeof(*(p)) __user *__p asm("r0") = (p);\
-+		register unsigned long __l asm("r1") = __limit;		\
- 		register int __e asm("r0");				\
- 		switch (sizeof(*(__p))) {				\
- 		case 1:							\
--			__put_user_x(__r2, __p, __e, 1);		\
-+			__put_user_x(__r2, __p, __e, __l, 1);		\
- 			break;						\
- 		case 2:							\
--			__put_user_x(__r2, __p, __e, 2);		\
-+			__put_user_x(__r2, __p, __e, __l, 2);		\
- 			break;						\
- 		case 4:							\
--			__put_user_x(__r2, __p, __e, 4);		\
-+			__put_user_x(__r2, __p, __e, __l, 4);		\
- 			break;						\
- 		case 8:							\
--			__put_user_x(__r2, __p, __e, 8);		\
-+			__put_user_x(__r2, __p, __e, __l, 8);		\
- 			break;						\
- 		default: __e = __put_user_bad(); break;			\
- 		}							\
-@@ -227,7 +241,7 @@ do {									\
+@@ -241,7 +241,7 @@ do {									\
  
  #define __get_user_asm_byte(x,addr,err)				\
  	__asm__ __volatile__(					\
@@ -1848,7 +1747,7 @@ index b293616..47aa55e 100644
  	"2:\n"							\
  	"	.pushsection .fixup,\"ax\"\n"			\
  	"	.align	2\n"					\
-@@ -263,7 +277,7 @@ do {									\
+@@ -277,7 +277,7 @@ do {									\
  
  #define __get_user_asm_word(x,addr,err)				\
  	__asm__ __volatile__(					\
@@ -1857,7 +1756,7 @@ index b293616..47aa55e 100644
  	"2:\n"							\
  	"	.pushsection .fixup,\"ax\"\n"			\
  	"	.align	2\n"					\
-@@ -308,7 +322,7 @@ do {									\
+@@ -322,7 +322,7 @@ do {									\
  
  #define __put_user_asm_byte(x,__pu_addr,err)			\
  	__asm__ __volatile__(					\
@@ -1866,7 +1765,7 @@ index b293616..47aa55e 100644
  	"2:\n"							\
  	"	.pushsection .fixup,\"ax\"\n"			\
  	"	.align	2\n"					\
-@@ -341,7 +355,7 @@ do {									\
+@@ -355,7 +355,7 @@ do {									\
  
  #define __put_user_asm_word(x,__pu_addr,err)			\
  	__asm__ __volatile__(					\
@@ -1875,7 +1774,7 @@ index b293616..47aa55e 100644
  	"2:\n"							\
  	"	.pushsection .fixup,\"ax\"\n"			\
  	"	.align	2\n"					\
-@@ -366,10 +380,10 @@ do {									\
+@@ -380,10 +380,10 @@ do {									\
  
  #define __put_user_asm_dword(x,__pu_addr,err)			\
  	__asm__ __volatile__(					\
@@ -1890,7 +1789,7 @@ index b293616..47aa55e 100644
  	"3:\n"							\
  	"	.pushsection .fixup,\"ax\"\n"			\
  	"	.align	2\n"					\
-@@ -387,8 +401,21 @@ do {									\
+@@ -401,8 +401,21 @@ do {									\
  
  
  #ifdef CONFIG_MMU
@@ -1914,7 +1813,7 @@ index b293616..47aa55e 100644
  extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
  extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
  extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
-@@ -403,6 +430,9 @@ extern unsigned long __must_check __strnlen_user(const char __user *s, long n);
+@@ -417,6 +430,9 @@ extern unsigned long __must_check __strnlen_user(const char __user *s, long n);
  
  static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
  {
@@ -1924,7 +1823,7 @@ index b293616..47aa55e 100644
  	if (access_ok(VERIFY_READ, from, n))
  		n = __copy_from_user(to, from, n);
  	else /* security hole - plug it */
-@@ -412,6 +442,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
+@@ -426,6 +442,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
  
  static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
  {
@@ -2013,7 +1912,7 @@ index 1e9be5d..4e0f470 100644
  				GFP_KERNEL, PAGE_KERNEL_EXEC, -1,
  				__builtin_return_address(0));
 diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
-index e68d251..c5bac2c 100644
+index d9e3c61..9cf9513 100644
 --- a/arch/arm/kernel/process.c
 +++ b/arch/arm/kernel/process.c
 @@ -28,7 +28,6 @@
@@ -2061,7 +1960,7 @@ index e68d251..c5bac2c 100644
  	printk("pc : [<%08lx>]    lr : [<%08lx>]    psr: %08lx\n"
  	       "sp : %08lx  ip : %08lx  fp : %08lx\n",
  		regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
-@@ -486,12 +486,6 @@ unsigned long get_wchan(struct task_struct *p)
+@@ -489,12 +489,6 @@ unsigned long get_wchan(struct task_struct *p)
  	return 0;
  }
  
@@ -2219,100 +2118,41 @@ index d066df6..df28194 100644
  
  	.pushsection .fixup,"ax"
 diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S
-index 1b049cd..9b06bb4 100644
+index 4306fbf..9b06bb4 100644
 --- a/arch/arm/lib/getuser.S
 +++ b/arch/arm/lib/getuser.S
-@@ -16,8 +16,9 @@
-  * __get_user_X
-  *
-  * Inputs:	r0 contains the address
-+ *		r1 contains the address limit, which must be preserved
-  * Outputs:	r0 is the error code
-- *		r2, r3 contains the zero-extended value
-+ *		r2 contains the zero-extended value
-  *		lr corrupted
-  *
-  * No other registers must be altered.  (see <asm/uaccess.h>
-@@ -27,34 +28,40 @@
-  * Note also that it is intended that __get_user_bad is not global.
-  */
- #include <linux/linkage.h>
-+#include <asm/assembler.h>
- #include <asm/errno.h>
- #include <asm/domain.h>
+@@ -34,7 +34,7 @@
  
  ENTRY(__get_user_1)
+ 	check_uaccess r0, 1, r1, r2, __get_user_bad
 -1:	T(ldrb)	r2, [r0]
-+	check_uaccess r0, 1, r1, r2, __get_user_bad
 +1: TUSER(ldrb)	r2, [r0]
  	mov	r0, #0
  	mov	pc, lr
  ENDPROC(__get_user_1)
- 
- ENTRY(__get_user_2)
--#ifdef CONFIG_THUMB2_KERNEL
--2:	T(ldrb)	r2, [r0]
--3:	T(ldrb)	r3, [r0, #1]
-+	check_uaccess r0, 2, r1, r2, __get_user_bad
-+#ifdef CONFIG_CPU_USE_DOMAINS
-+rb	.req	ip
-+2:	ldrbt	r2, [r0], #1
-+3:	ldrbt	rb, [r0], #0
- #else
--2:	T(ldrb)	r2, [r0], #1
--3:	T(ldrb)	r3, [r0]
-+rb	.req	r0
-+2:	ldrb	r2, [r0]
-+3:	ldrb	rb, [r0, #1]
- #endif
- #ifndef __ARMEB__
--	orr	r2, r2, r3, lsl #8
-+	orr	r2, r2, rb, lsl #8
- #else
--	orr	r2, r3, r2, lsl #8
-+	orr	r2, rb, r2, lsl #8
- #endif
- 	mov	r0, #0
- 	mov	pc, lr
- ENDPROC(__get_user_2)
+@@ -61,7 +61,7 @@ ENDPROC(__get_user_2)
  
  ENTRY(__get_user_4)
+ 	check_uaccess r0, 4, r1, r2, __get_user_bad
 -4:	T(ldr)	r2, [r0]
-+	check_uaccess r0, 4, r1, r2, __get_user_bad
 +4: TUSER(ldr)	r2, [r0]
  	mov	r0, #0
  	mov	pc, lr
  ENDPROC(__get_user_4)
 diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S
-index c023fc1..3d73dcb 100644
+index 9a897fa..3d73dcb 100644
 --- a/arch/arm/lib/putuser.S
 +++ b/arch/arm/lib/putuser.S
-@@ -16,6 +16,7 @@
-  * __put_user_X
-  *
-  * Inputs:	r0 contains the address
-+ *		r1 contains the address limit, which must be preserved
-  *		r2, r3 contains the value
-  * Outputs:	r0 is the error code
-  *		lr corrupted
-@@ -27,32 +28,35 @@
-  * Note also that it is intended that __put_user_bad is not global.
-  */
- #include <linux/linkage.h>
-+#include <asm/assembler.h>
- #include <asm/errno.h>
- #include <asm/domain.h>
+@@ -34,7 +34,7 @@
  
  ENTRY(__put_user_1)
+ 	check_uaccess r0, 1, r1, ip, __put_user_bad
 -1:	T(strb)	r2, [r0]
-+	check_uaccess r0, 1, r1, ip, __put_user_bad
 +1: TUSER(strb)	r2, [r0]
  	mov	r0, #0
  	mov	pc, lr
  ENDPROC(__put_user_1)
- 
- ENTRY(__put_user_2)
-+	check_uaccess r0, 2, r1, ip, __put_user_bad
+@@ -44,19 +44,19 @@ ENTRY(__put_user_2)
  	mov	ip, r2, lsr #8
  #ifdef CONFIG_THUMB2_KERNEL
  #ifndef __ARMEB__
@@ -2340,19 +2180,18 @@ index c023fc1..3d73dcb 100644
  #endif
  #endif	/* CONFIG_THUMB2_KERNEL */
  	mov	r0, #0
-@@ -60,18 +64,20 @@ ENTRY(__put_user_2)
- ENDPROC(__put_user_2)
+@@ -65,7 +65,7 @@ ENDPROC(__put_user_2)
  
  ENTRY(__put_user_4)
+ 	check_uaccess r0, 4, r1, ip, __put_user_bad
 -4:	T(str)	r2, [r0]
-+	check_uaccess r0, 4, r1, ip, __put_user_bad
 +4: TUSER(str)	r2, [r0]
  	mov	r0, #0
  	mov	pc, lr
  ENDPROC(__put_user_4)
- 
+@@ -73,11 +73,11 @@ ENDPROC(__put_user_4)
  ENTRY(__put_user_8)
-+	check_uaccess r0, 8, r1, ip, __put_user_bad
+ 	check_uaccess r0, 8, r1, ip, __put_user_bad
  #ifdef CONFIG_THUMB2_KERNEL
 -5:	T(str)	r2, [r0]
 -6:	T(str)	r3, [r0, #4]
@@ -3286,15 +3125,15 @@ index 1a97af3..7529d31 100644
  #define PAGE_KERNEL	__pgprot(__DIRTY_BITS  | _PAGE_PL_0 | _PAGE_AR_RWX)
  #define PAGE_KERNELRX	__pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
 diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h
-index d9f397f..70d477b 100644
+index fba7696..a7650fd 100644
 --- a/arch/ia64/include/asm/processor.h
 +++ b/arch/ia64/include/asm/processor.h
 @@ -320,7 +320,7 @@ struct thread_struct {
  	regs->loadrs = 0;									\
  	regs->r8 = get_dumpable(current->mm);	/* set "don't zap registers" flag */		\
  	regs->r12 = new_sp - 16;	/* allocate 16 byte scratch area */			\
--	if (unlikely(!get_dumpable(current->mm))) {							\
-+	if (unlikely(get_dumpable(current->mm) != SUID_DUMPABLE_ENABLED)) {			\
+-	if (unlikely(get_dumpable(current->mm) != SUID_DUMP_USER)) {	\
++	if (unlikely(get_dumpable(current->mm) != SUID_DUMP_USER)) {				\
  		/*										\
  		 * Zap scratch regs to avoid leaking bits between processes with different	\
  		 * uid/privileges.								\
@@ -5644,10 +5483,10 @@ index 5de73db..a05f61c 100644
  		audit_syscall_exit((regs->ccr&0x10000000)?AUDITSC_FAILURE:AUDITSC_SUCCESS,
  				   regs->result);
 diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
-index 836a5a1..27289a3 100644
+index fa1e56b..e8ef867 100644
 --- a/arch/powerpc/kernel/signal_32.c
 +++ b/arch/powerpc/kernel/signal_32.c
-@@ -859,7 +859,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
+@@ -865,7 +865,7 @@ int handle_rt_signal32(unsigned long sig, struct k_sigaction *ka,
  	/* Save user registers on the stack */
  	frame = &rt_sf->uc.uc_mcontext;
  	addr = frame;
@@ -5657,10 +5496,10 @@ index 836a5a1..27289a3 100644
  			goto badframe;
  		regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
 diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
-index a50b5ec..547078a 100644
+index 60d1f75..2c29348 100644
 --- a/arch/powerpc/kernel/signal_64.c
 +++ b/arch/powerpc/kernel/signal_64.c
-@@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info,
+@@ -435,7 +435,7 @@ int handle_rt_signal64(int signr, struct k_sigaction *ka, siginfo_t *info,
  	current->thread.fpscr.val = 0;
  
  	/* Set up to return from userspace. */
@@ -9753,13 +9592,13 @@ index 03dbc7f5b..e1aa479 100644
 +archprepare:
 +	$(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
 diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
-index 95365a8..88aadd2 100644
+index e80542b..c5099c3 100644
 --- a/arch/x86/boot/Makefile
 +++ b/arch/x86/boot/Makefile
-@@ -63,6 +63,9 @@ KBUILD_CFLAGS	:= $(LINUXINCLUDE) -g -Os -D_SETUP -D__KERNEL__ \
+@@ -63,6 +63,9 @@ KBUILD_CFLAGS	:= $(LINUXINCLUDE) -m32 -g -Os -D_SETUP -D__KERNEL__ \
+ 		   $(call cc-option, -fno-unit-at-a-time)) \
  		   $(call cc-option, -fno-stack-protector) \
  		   $(call cc-option, -mpreferred-stack-boundary=2)
- KBUILD_CFLAGS	+= $(call cc-option, -m32)
 +ifdef CONSTIFY_PLUGIN
 +KBUILD_CFLAGS	+= -fplugin-arg-constify_plugin-no-constify
 +endif
@@ -9811,11 +9650,11 @@ index c7093bd..d4247ffe0 100644
  	return diff;
  }
 diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
-index 77453c6..6235831 100644
+index cda5cef..c1f26aa 100644
 --- a/arch/x86/boot/compressed/Makefile
 +++ b/arch/x86/boot/compressed/Makefile
-@@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=small
- KBUILD_CFLAGS += $(cflags-y)
+@@ -15,6 +15,9 @@ KBUILD_CFLAGS += $(cflags-y)
+ KBUILD_CFLAGS += -mno-mmx -mno-sse
  KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
  KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
 +ifdef CONSTIFY_PLUGIN
@@ -17367,7 +17206,7 @@ index 212a6a4..322f5d9 100644
  	.notifier_call = cpuid_class_cpu_callback,
  };
 diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
-index 13ad899..f642b9a 100644
+index 69e231b..8b4e1c6 100644
 --- a/arch/x86/kernel/crash.c
 +++ b/arch/x86/kernel/crash.c
 @@ -36,10 +36,8 @@ static void kdump_nmi_callback(int cpu, struct pt_regs *regs)
@@ -22157,7 +21996,7 @@ index 42eb330..139955c 100644
  
  	return ret;
 diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
-index a4e1b4b..0460044 100644
+index f411aca..bd2aa3b 100644
 --- a/arch/x86/kernel/reboot.c
 +++ b/arch/x86/kernel/reboot.c
 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
@@ -22251,7 +22090,7 @@ index a4e1b4b..0460044 100644
  {
  	int i;
  	int attempt = 0;
-@@ -688,13 +720,13 @@ void native_machine_shutdown(void)
+@@ -691,13 +723,13 @@ void native_machine_shutdown(void)
  #endif
  }
  
@@ -22267,7 +22106,7 @@ index a4e1b4b..0460044 100644
  {
  	printk("machine restart\n");
  
-@@ -703,7 +735,7 @@ static void native_machine_restart(char *__unused)
+@@ -706,7 +738,7 @@ static void native_machine_restart(char *__unused)
  	__machine_emergency_restart(0);
  }
  
@@ -22276,7 +22115,7 @@ index a4e1b4b..0460044 100644
  {
  	/* stop other cpus and apics */
  	machine_shutdown();
-@@ -714,7 +746,7 @@ static void native_machine_halt(void)
+@@ -717,7 +749,7 @@ static void native_machine_halt(void)
  	stop_this_cpu(NULL);
  }
  
@@ -22285,7 +22124,7 @@ index a4e1b4b..0460044 100644
  {
  	if (pm_power_off) {
  		if (!reboot_force)
-@@ -723,9 +755,10 @@ static void native_machine_power_off(void)
+@@ -726,9 +758,10 @@ static void native_machine_power_off(void)
  	}
  	/* a fallback in case there is no PM info available */
  	tboot_shutdown(TB_SHUTDOWN_HALT);
@@ -23880,7 +23719,7 @@ index f5302da..6ee193e 100644
  
  /* instruction has only one source operand, destination is implicit (e.g. mul, div, imul, idiv) */
 diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
-index 54abb40..fbcaf81 100644
+index 43e7753..873f4440 100644
 --- a/arch/x86/kvm/lapic.c
 +++ b/arch/x86/kvm/lapic.c
 @@ -53,7 +53,7 @@
@@ -23892,15 +23731,6 @@ index 54abb40..fbcaf81 100644
  
  #define APIC_LVT_NUM			6
  /* 14 is the version for Xeon and Pentium 8.4.8*/
-@@ -537,7 +537,7 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic)
- 	ASSERT(apic != NULL);
- 
- 	/* if initial count is 0, current count should also be 0 */
--	if (apic_get_reg(apic, APIC_TMICT) == 0)
-+	if (apic_get_reg(apic, APIC_TMICT) == 0 || apic->lapic_timer.period == 0)
- 		return 0;
- 
- 	remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
 diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
 index f1b36cf..af8a124 100644
 --- a/arch/x86/kvm/mmu.c
@@ -31852,7 +31682,7 @@ index 240a244..bc6239e 100644
  static void delete_gpe_attr_array(void)
  {
 diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
-index 60def03..dcbb9ac 100644
+index de2802c..2260da9 100644
 --- a/drivers/ata/libahci.c
 +++ b/drivers/ata/libahci.c
 @@ -1211,7 +1211,7 @@ int ahci_kick_engine(struct ata_port *ap)
@@ -31865,10 +31695,10 @@ index 60def03..dcbb9ac 100644
  				unsigned long timeout_msec)
  {
 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index d54b7d6..33e80e0 100644
+index a0a3987..d029614 100644
 --- a/drivers/ata/libata-core.c
 +++ b/drivers/ata/libata-core.c
-@@ -4745,7 +4745,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+@@ -4746,7 +4746,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
  	struct ata_port *ap;
  	unsigned int tag;
  
@@ -31877,7 +31707,7 @@ index d54b7d6..33e80e0 100644
  	ap = qc->ap;
  
  	qc->flags = 0;
-@@ -4761,7 +4761,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+@@ -4762,7 +4762,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
  	struct ata_port *ap;
  	struct ata_link *link;
  
@@ -31886,7 +31716,7 @@ index d54b7d6..33e80e0 100644
  	WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
  	ap = qc->ap;
  	link = qc->dev->link;
-@@ -5766,6 +5766,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5767,6 +5767,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
  		return;
  
  	spin_lock(&lock);
@@ -31894,7 +31724,7 @@ index d54b7d6..33e80e0 100644
  
  	for (cur = ops->inherits; cur; cur = cur->inherits) {
  		void **inherit = (void **)cur;
-@@ -5779,8 +5780,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5780,8 +5781,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
  		if (IS_ERR(*pp))
  			*pp = NULL;
  
@@ -32289,7 +32119,7 @@ index b812103..e391a49 100644
  	// free the skb
  	hrz_kfree_skb (skb);
 diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
-index 1c05212..c28e200 100644
+index b0e75ce..035bf7e 100644
 --- a/drivers/atm/idt77252.c
 +++ b/drivers/atm/idt77252.c
 @@ -812,7 +812,7 @@ drain_scq(struct idt77252_dev *card, struct vc_map *vc)
@@ -33600,7 +33430,7 @@ index 13cbdd3..d374957 100644
  static struct asender_cmd *get_asender_cmd(int cmd)
  {
 diff --git a/drivers/block/loop.c b/drivers/block/loop.c
-index a365562..933bbbd 100644
+index d659135..45fe633 100644
 --- a/drivers/block/loop.c
 +++ b/drivers/block/loop.c
 @@ -227,7 +227,7 @@ static int __do_lo_send_write(struct file *file,
@@ -37061,7 +36891,7 @@ index 93e74fb..4a1182d 100644
  	INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
  	INIT_WORK(&dev_priv->error_work, i915_error_work_func);
 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index ee29c1f..07609a4 100644
+index 6d36695..4a3e870 100644
 --- a/drivers/gpu/drm/i915/intel_display.c
 +++ b/drivers/gpu/drm/i915/intel_display.c
 @@ -2215,7 +2215,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
@@ -37073,7 +36903,7 @@ index ee29c1f..07609a4 100644
  
  	/* Big Hammer, we also need to ensure that any pending
  	 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
-@@ -6987,8 +6987,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
+@@ -6991,8 +6991,7 @@ static void do_intel_finish_page_flip(struct drm_device *dev,
  
  	obj = work->old_fb_obj;
  
@@ -37083,7 +36913,7 @@ index ee29c1f..07609a4 100644
  
  	wake_up(&dev_priv->pending_flip_queue);
  	schedule_work(&work->work);
-@@ -7197,7 +7196,13 @@ static int intel_gen6_queue_flip(struct drm_device *dev,
+@@ -7201,7 +7200,13 @@ static int intel_gen6_queue_flip(struct drm_device *dev,
  	OUT_RING(fb->pitch | obj->tiling_mode);
  	OUT_RING(obj->gtt_offset);
  
@@ -37098,7 +36928,7 @@ index ee29c1f..07609a4 100644
  	pipesrc = I915_READ(PIPESRC(intel_crtc->pipe)) & 0x0fff0fff;
  	OUT_RING(pf | pipesrc);
  
-@@ -7329,7 +7334,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+@@ -7333,7 +7338,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
  	/* Block clients from rendering to the new back buffer until
  	 * the flip occurs and the object is no longer visible.
  	 */
@@ -37107,7 +36937,7 @@ index ee29c1f..07609a4 100644
  
  	ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
  	if (ret)
-@@ -7343,7 +7348,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
+@@ -7347,7 +7352,7 @@ static int intel_crtc_page_flip(struct drm_crtc *crtc,
  	return 0;
  
  cleanup_pending:
@@ -37116,7 +36946,7 @@ index ee29c1f..07609a4 100644
  	crtc->fb = old_fb;
  	drm_gem_object_unreference(&work->old_fb_obj->base);
  	drm_gem_object_unreference(&obj->base);
-@@ -7478,11 +7483,15 @@ static void intel_crtc_init(struct drm_device *dev, int pipe)
+@@ -7482,11 +7487,15 @@ static void intel_crtc_init(struct drm_device *dev, int pipe)
  	if (HAS_PCH_SPLIT(dev)) {
  		if (pipe == 2 && IS_IVYBRIDGE(dev))
  			intel_crtc->no_pll = true;
@@ -37136,7 +36966,7 @@ index ee29c1f..07609a4 100644
  	}
  
  	drm_crtc_helper_add(&intel_crtc->base, &intel_helper_funcs);
-@@ -8858,7 +8867,7 @@ struct intel_quirk {
+@@ -8862,7 +8871,7 @@ struct intel_quirk {
  	int subsystem_vendor;
  	int subsystem_device;
  	void (*hook)(struct drm_device *dev);
@@ -37328,10 +37158,10 @@ index 2f6daae..c9d7b9e 100644
  }
  
 diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
-index 7ce3fde..cb3ea04 100644
+index bd0b1fc..c082986 100644
 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c
 +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
-@@ -314,7 +314,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
+@@ -315,7 +315,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
  	int trycnt = 0;
  	int ret, i;
  
@@ -38208,7 +38038,7 @@ index 9ac4389..5c05af3 100644
  	hid_debug_register(hdev, dev_name(&hdev->dev));
  	ret = device_add(&hdev->dev);
 diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
-index 13af0f1..dc797c9 100644
+index a605ba1..fb91952 100644
 --- a/drivers/hid/hid-multitouch.c
 +++ b/drivers/hid/hid-multitouch.c
 @@ -195,6 +195,9 @@ static void mt_feature_mapping(struct hid_device *hdev,
@@ -40345,28 +40175,6 @@ index 1f355bb..43f1fea 100644
  				return -EFAULT;
  		} else
  			memcpy(msg, buf, count);
-diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c
-index 509135f..c8645eb 100644
---- a/drivers/isdn/isdnloop/isdnloop.c
-+++ b/drivers/isdn/isdnloop/isdnloop.c
-@@ -1084,7 +1084,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
- 				return -ENOMEM;
- 			}
- 			for (i = 0; i < 3; i++)
--				strcpy(card->s0num[i], sdef.num[i]);
-+				strlcpy(card->s0num[i], sdef.num[i], sizeof(card->s0num[0]));
- 			break;
- 		case ISDN_PTYPE_1TR6:
- 			if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95",
-@@ -1097,7 +1097,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
- 				spin_unlock_irqrestore(&card->isdnloop_lock, flags);
- 				return -ENOMEM;
- 			}
--			strcpy(card->s0num[0], sdef.num[0]);
-+			strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0]));
- 			card->s0num[1][0] = '\0';
- 			card->s0num[2][0] = '\0';
- 			break;
 diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c
 index 4d395de..c504763 100644
 --- a/drivers/isdn/mISDN/dsp_cmx.c
@@ -40728,10 +40536,10 @@ index cbd41d2..1717044 100644
  				schedule_work(&sc->trigger_event);
  		}
 diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
-index 52848ab..b8a17d4 100644
+index 5c52582..91793db 100644
 --- a/drivers/md/dm-table.c
 +++ b/drivers/md/dm-table.c
-@@ -323,7 +323,7 @@ static struct dm_dev_internal *find_device(struct list_head *l, dev_t dev)
+@@ -328,7 +328,7 @@ static struct dm_dev_internal *find_device(struct list_head *l, dev_t dev)
  static int open_dev(struct dm_dev_internal *d, dev_t dev,
  		    struct mapped_device *md)
  {
@@ -40740,7 +40548,7 @@ index 52848ab..b8a17d4 100644
  	struct block_device *bdev;
  
  	int r;
-@@ -391,7 +391,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev,
+@@ -396,7 +396,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev,
  	if (!dev_size)
  		return 0;
  
@@ -42364,10 +42172,10 @@ index 1bf36ac..55c534e 100644
  #ifdef CONFIG_NET_POLL_CONTROLLER
  	/*
 diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
-index 8ed48c2..ae2cb9a 100644
+index cf95bd8d..f61f675 100644
 --- a/drivers/net/bonding/bond_sysfs.c
 +++ b/drivers/net/bonding/bond_sysfs.c
-@@ -1056,7 +1056,7 @@ static ssize_t bonding_store_primary(struct device *d,
+@@ -1063,7 +1063,7 @@ static ssize_t bonding_store_primary(struct device *d,
  		goto out;
  	}
  
@@ -42376,7 +42184,7 @@ index 8ed48c2..ae2cb9a 100644
  
  	/* check to see if we are clearing primary */
  	if (!strlen(ifname) || buf[0] == '\n') {
-@@ -1229,7 +1229,7 @@ static ssize_t bonding_store_active_slave(struct device *d,
+@@ -1236,7 +1236,7 @@ static ssize_t bonding_store_active_slave(struct device *d,
  		goto out;
  	}
  
@@ -43966,30 +43774,6 @@ index 75da4bc..7737dff 100644
  	int csr;
  
  	memset(buf, 0, sizeof(buf));
-diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
-index d8d8f0d..35d86fa 100644
---- a/drivers/net/wireless/libertas/debugfs.c
-+++ b/drivers/net/wireless/libertas/debugfs.c
-@@ -919,7 +919,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
- 	char *p2;
- 	struct debug_data *d = f->private_data;
- 
--	pdata = kmalloc(cnt, GFP_KERNEL);
-+	if (cnt == 0)
-+		return 0;
-+
-+	pdata = kmalloc(cnt + 1, GFP_KERNEL);
- 	if (pdata == NULL)
- 		return 0;
- 
-@@ -928,6 +931,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
- 		kfree(pdata);
- 		return 0;
- 	}
-+	pdata[cnt] = '\0';
- 
- 	p0 = pdata;
- 	for (i = 0; i < num_of_items; i++) {
 diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
 index 523ad55..f8c5dc5 100644
 --- a/drivers/net/wireless/mac80211_hwsim.c
@@ -45084,44 +44868,6 @@ index 2836538..30edf9d 100644
  
  	ret = sysfs_create_bin_file(&pdev->dev.kobj, &m48t59_nvram_attr);
  	if (ret) {
-diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
-index fff57de..55f6488 100644
---- a/drivers/s390/net/qeth_core_main.c
-+++ b/drivers/s390/net/qeth_core_main.c
-@@ -4322,7 +4322,7 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
- 	struct qeth_cmd_buffer *iob;
- 	struct qeth_ipa_cmd *cmd;
- 	struct qeth_snmp_ureq *ureq;
--	int req_len;
-+	unsigned int req_len;
- 	struct qeth_arp_query_info qinfo = {0, };
- 	int rc = 0;
- 
-@@ -4338,6 +4338,10 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
- 	/* skip 4 bytes (data_len struct member) to get req_len */
- 	if (copy_from_user(&req_len, udata + sizeof(int), sizeof(int)))
- 		return -EFAULT;
-+	if (req_len > (QETH_BUFSIZE - IPA_PDU_HEADER_SIZE -
-+		       sizeof(struct qeth_ipacmd_hdr) -
-+		       sizeof(struct qeth_ipacmd_setadpparms_hdr)))
-+		return -EINVAL;
- 	ureq = memdup_user(udata, req_len + sizeof(struct qeth_snmp_ureq_hdr));
- 	if (IS_ERR(ureq)) {
- 		QETH_CARD_TEXT(card, 2, "snmpnome");
-diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index 8a0b330..1254431 100644
---- a/drivers/scsi/aacraid/commctrl.c
-+++ b/drivers/scsi/aacraid/commctrl.c
-@@ -508,7 +508,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
- 		goto cleanup;
- 	}
- 
--	if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
-+	if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
-+	    (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
- 		rcode = -EINVAL;
- 		goto cleanup;
- 	}
 diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
 index 2e658d2..46f4afb 100644
 --- a/drivers/scsi/aacraid/linit.c
@@ -45282,7 +45028,7 @@ index ee77a58..af9d518 100644
  
  	/* These three are default values which can be overridden */
 diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
-index 0f48550..e3fb2d8 100644
+index 5b7e1bf..6e5521a 100644
 --- a/drivers/scsi/hpsa.c
 +++ b/drivers/scsi/hpsa.c
 @@ -523,7 +523,7 @@ static inline u32 next_command(struct ctlr_info *h)
@@ -45547,7 +45293,7 @@ index 9de9db2..1e09660 100644
  	fc_frame_free(fp);
  }
 diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
-index 4868fc9..7f2e028 100644
+index 5e170e3..1e87efc 100644
 --- a/drivers/scsi/libsas/sas_ata.c
 +++ b/drivers/scsi/libsas/sas_ata.c
 @@ -368,7 +368,7 @@ static struct ata_port_operations sas_sata_ops = {
@@ -47725,7 +47471,7 @@ index 032e5a6..bc422e4 100644
  			wake_up(&usb_kill_urb_queue);
  		usb_put_urb(urb);
 diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index a5ea85f..6530989 100644
+index 7013165..608be1a 100644
 --- a/drivers/usb/core/hub.c
 +++ b/drivers/usb/core/hub.c
 @@ -25,6 +25,7 @@
@@ -47736,7 +47482,7 @@ index a5ea85f..6530989 100644
  
  #include <asm/uaccess.h>
  #include <asm/byteorder.h>
-@@ -3405,6 +3406,9 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
+@@ -3410,6 +3411,9 @@ static void hub_port_connect_change(struct usb_hub *hub, int port1,
  		return;
  	}
  
@@ -47983,10 +47729,10 @@ index d6bea3e..60b250e 100644
  
  /**
 diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
-index 57c01ab..8a05959 100644
+index 5f6df6e..0a16602 100644
 --- a/drivers/usb/wusbcore/wa-xfer.c
 +++ b/drivers/usb/wusbcore/wa-xfer.c
-@@ -296,7 +296,7 @@ out:
+@@ -297,7 +297,7 @@ out:
   */
  static void wa_xfer_id_init(struct wa_xfer *xfer)
  {
@@ -53541,27 +53287,6 @@ index 7b68088..17a275b 100644
  #endif
  GLOBAL_EXTERN atomic_t smBufAllocCount;
  GLOBAL_EXTERN atomic_t midCount;
-diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
-index c858a29..969f74f 100644
---- a/fs/cifs/cifssmb.c
-+++ b/fs/cifs/cifssmb.c
-@@ -3437,11 +3437,13 @@ static __u16 ACL_to_cifs_posix(char *parm_data, const char *pACL,
- 		return 0;
- 	}
- 	cifs_acl->version = cpu_to_le16(1);
--	if (acl_type == ACL_TYPE_ACCESS)
-+	if (acl_type == ACL_TYPE_ACCESS) {
- 		cifs_acl->access_entry_count = cpu_to_le16(count);
--	else if (acl_type == ACL_TYPE_DEFAULT)
-+		cifs_acl->default_entry_count = __constant_cpu_to_le16(0xFFFF);
-+	} else if (acl_type == ACL_TYPE_DEFAULT) {
- 		cifs_acl->default_entry_count = cpu_to_le16(count);
--	else {
-+		cifs_acl->access_entry_count = __constant_cpu_to_le16(0xFFFF);
-+	} else {
- 		cFYI(1, "unknown ACL type %d", acl_type);
- 		return 0;
- 	}
 diff --git a/fs/cifs/file.c b/fs/cifs/file.c
 index c55808e..c1814ab 100644
 --- a/fs/cifs/file.c
@@ -53885,10 +53610,10 @@ index f854cf9..d513829 100644
  		return 1;
  	if (a < b)
 diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
-index 9a37a9b..80968f3 100644
+index 5ef72c8..0c72810 100644
 --- a/fs/configfs/dir.c
 +++ b/fs/configfs/dir.c
-@@ -1047,10 +1047,11 @@ static int configfs_dump(struct configfs_dirent *sd, int level)
+@@ -1059,10 +1059,11 @@ static int configfs_dump(struct configfs_dirent *sd, int level)
  static int configfs_depend_prep(struct dentry *origin,
  				struct config_item *target)
  {
@@ -53902,7 +53627,7 @@ index 9a37a9b..80968f3 100644
  
  	if (sd->s_element == target)  /* Boo-yah */
  		goto out;
-@@ -1575,7 +1576,8 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
+@@ -1587,7 +1588,8 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
  			}
  			for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
  				struct configfs_dirent *next;
@@ -53912,7 +53637,7 @@ index 9a37a9b..80968f3 100644
  				int len;
  				struct inode *inode = NULL;
  
-@@ -1585,7 +1587,12 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
+@@ -1597,7 +1599,12 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
  					continue;
  
  				name = configfs_get_name(next);
@@ -54132,7 +53857,7 @@ index 451b9b8..12e5a03 100644
  
  out_free_fd:
 diff --git a/fs/exec.c b/fs/exec.c
-index a2d0e51..64ad6ea 100644
+index 78199eb..e6c84a8 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,12 +55,35 @@
@@ -55067,8 +54792,8 @@ index a2d0e51..64ad6ea 100644
 +	return (ret > SUID_DUMPABLE_ENABLED) ? SUID_DUMPABLE_SAFE : ret;
  }
  
- int get_dumpable(struct mm_struct *mm)
-@@ -2044,17 +2513,17 @@ static void wait_for_dump_helpers(struct file *file)
+ /*
+@@ -2050,17 +2519,17 @@ static void wait_for_dump_helpers(struct file *file)
  	pipe = file->f_path.dentry->d_inode->i_pipe;
  
  	pipe_lock(pipe);
@@ -55091,7 +54816,7 @@ index a2d0e51..64ad6ea 100644
  	pipe_unlock(pipe);
  
  }
-@@ -2115,7 +2584,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2121,7 +2590,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	int retval = 0;
  	int flag = 0;
  	int ispipe;
@@ -55101,7 +54826,7 @@ index a2d0e51..64ad6ea 100644
  	struct coredump_params cprm = {
  		.signr = signr,
  		.regs = regs,
-@@ -2130,6 +2600,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2136,6 +2606,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  
  	audit_core_dumps(signr);
  
@@ -55111,7 +54836,7 @@ index a2d0e51..64ad6ea 100644
  	binfmt = mm->binfmt;
  	if (!binfmt || !binfmt->core_dump)
  		goto fail;
-@@ -2140,14 +2613,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2146,14 +2619,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	if (!cred)
  		goto fail;
  	/*
@@ -55132,7 +54857,7 @@ index a2d0e51..64ad6ea 100644
  	}
  
  	retval = coredump_wait(exit_code, &core_state);
-@@ -2197,7 +2672,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2203,7 +2678,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  		}
  		cprm.limit = RLIM_INFINITY;
  
@@ -55141,7 +54866,7 @@ index a2d0e51..64ad6ea 100644
  		if (core_pipe_limit && (core_pipe_limit < dump_count)) {
  			printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
  			       task_tgid_vnr(current), current->comm);
-@@ -2224,9 +2699,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2230,9 +2705,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	} else {
  		struct inode *inode;
  
@@ -55161,7 +54886,7 @@ index a2d0e51..64ad6ea 100644
  		cprm.file = filp_open(cn.corename,
  				 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
  				 0600);
-@@ -2267,7 +2752,7 @@ close_fail:
+@@ -2273,7 +2758,7 @@ close_fail:
  		filp_close(cprm.file, NULL);
  fail_dropcount:
  	if (ispipe)
@@ -55170,7 +54895,7 @@ index a2d0e51..64ad6ea 100644
  fail_unlock:
  	kfree(cn.corename);
  fail_corename:
-@@ -2286,7 +2771,7 @@ fail:
+@@ -2292,7 +2777,7 @@ fail:
   */
  int dump_write(struct file *file, const void *addr, int nr)
  {
@@ -55547,7 +55272,7 @@ index 84f84bf..a8770cd 100644
  static int __init ext4_init_feat_adverts(void)
  {
 diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
-index b4e9f3f..14a9eca 100644
+index 05617bd..aac23ad 100644
 --- a/fs/ext4/xattr.c
 +++ b/fs/ext4/xattr.c
 @@ -328,7 +328,7 @@ static int
@@ -58477,7 +58202,7 @@ index b78b5b6..c64d84f 100644
  
  void nfs_fattr_init(struct nfs_fattr *fattr)
 diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index 5639efd..4531174 100644
+index 3d02931..e2b575a 100644
 --- a/fs/nfs/nfs4proc.c
 +++ b/fs/nfs/nfs4proc.c
 @@ -1037,7 +1037,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
@@ -58531,7 +58256,7 @@ index e065497..258fa11 100644
  static struct nfsd4_operation nfsd4_ops[];
  
 diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
-index 99625b8..7e04dea 100644
+index ade5316..f1a6152 100644
 --- a/fs/nfsd/nfs4xdr.c
 +++ b/fs/nfsd/nfs4xdr.c
 @@ -1445,7 +1445,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
@@ -58598,10 +58323,10 @@ index c45a2ea..1a6bd66 100644
  #ifdef CONFIG_PROC_FS
  static int create_proc_exports_entry(void)
 diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
-index 61b697e..eb6503c 100644
+index 6a66fc0..cfdadae 100644
 --- a/fs/nfsd/vfs.c
 +++ b/fs/nfsd/vfs.c
-@@ -923,7 +923,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
+@@ -948,7 +948,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
  	} else {
  		oldfs = get_fs();
  		set_fs(KERNEL_DS);
@@ -58610,7 +58335,7 @@ index 61b697e..eb6503c 100644
  		set_fs(oldfs);
  	}
  
-@@ -1027,7 +1027,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
+@@ -1052,7 +1052,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
  
  	/* Write the data. */
  	oldfs = get_fs(); set_fs(KERNEL_DS);
@@ -58619,7 +58344,7 @@ index 61b697e..eb6503c 100644
  	set_fs(oldfs);
  	if (host_err < 0)
  		goto out_nfserr;
-@@ -1568,7 +1568,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp)
+@@ -1593,7 +1593,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp)
  	 */
  
  	oldfs = get_fs(); set_fs(KERNEL_DS);
@@ -61824,7 +61549,7 @@ index 79d05e8..e3e5861 100644
  			*offset = off & 0x7fffffff;
  			return 0;
 diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
-index d99a905..a7569b5 100644
+index eb519de..a7569b5 100644
 --- a/fs/xfs/xfs_ioctl.c
 +++ b/fs/xfs/xfs_ioctl.c
 @@ -128,7 +128,7 @@ xfs_find_handle(
@@ -61836,30 +61561,6 @@ index d99a905..a7569b5 100644
  	    copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
  		goto out_put;
  
-@@ -404,7 +404,8 @@ xfs_attrlist_by_handle(
- 		return -XFS_ERROR(EPERM);
- 	if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
- 		return -XFS_ERROR(EFAULT);
--	if (al_hreq.buflen > XATTR_LIST_MAX)
-+	if (al_hreq.buflen < sizeof(struct attrlist) ||
-+	    al_hreq.buflen > XATTR_LIST_MAX)
- 		return -XFS_ERROR(EINVAL);
- 
- 	/*
-diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
-index 54e623b..0d685b3 100644
---- a/fs/xfs/xfs_ioctl32.c
-+++ b/fs/xfs/xfs_ioctl32.c
-@@ -361,7 +361,8 @@ xfs_compat_attrlist_by_handle(
- 	if (copy_from_user(&al_hreq, arg,
- 			   sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
- 		return -XFS_ERROR(EFAULT);
--	if (al_hreq.buflen > XATTR_LIST_MAX)
-+	if (al_hreq.buflen < sizeof(struct attrlist) ||
-+	    al_hreq.buflen > XATTR_LIST_MAX)
- 		return -XFS_ERROR(EINVAL);
- 
- 	/*
 diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
 index bd2fb43..86fd3e8d 100644
 --- a/fs/xfs/xfs_iops.c
@@ -73726,7 +73427,7 @@ index 2f81c6f..225b4e4 100644
  #define audit_get_loginuid(t) (-1)
  #define audit_get_sessionid(t) (-1)
 diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
-index acd8d4b..c87c74b 100644
+index d337419..c87c74b 100644
 --- a/include/linux/binfmts.h
 +++ b/include/linux/binfmts.h
 @@ -18,7 +18,7 @@ struct pt_regs;
@@ -73758,16 +73459,6 @@ index acd8d4b..c87c74b 100644
  
  extern int __register_binfmt(struct linux_binfmt *fmt, int insert);
  
-@@ -112,9 +115,6 @@ extern void setup_new_exec(struct linux_binprm * bprm);
- extern void would_dump(struct linux_binprm *, struct file *);
- 
- extern int suid_dumpable;
--#define SUID_DUMP_DISABLE	0	/* No setuid dumping */
--#define SUID_DUMP_USER		1	/* Dump as user of process */
--#define SUID_DUMP_ROOT		2	/* Dump as root */
- 
- /* Stack area protections */
- #define EXSTACK_DEFAULT   0	/* Whatever the arch defaults to */
 diff --git a/include/linux/bitops.h b/include/linux/bitops.h
 index fc8a3ff..ad5938b 100644
 --- a/include/linux/bitops.h
@@ -77283,10 +76974,10 @@ index ffc0213..2c1f2cb 100644
  	return nd->saved_names[nd->depth];
  }
 diff --git a/include/linux/net.h b/include/linux/net.h
-index b7ca08e..c8350cb 100644
+index bd4f6c7..e9b8bb8 100644
 --- a/include/linux/net.h
 +++ b/include/linux/net.h
-@@ -216,7 +216,7 @@ struct net_proto_family {
+@@ -224,7 +224,7 @@ struct net_proto_family {
  	int		(*create)(struct net *net, struct socket *sock,
  				  int protocol, int kern);
  	struct module	*owner;
@@ -77745,7 +77436,7 @@ index 800f113..13b3715 100644
  }
  
 diff --git a/include/linux/random.h b/include/linux/random.h
-index 7e77cee..d51eec7 100644
+index f5e1311..d51eec7 100644
 --- a/include/linux/random.h
 +++ b/include/linux/random.h
 @@ -41,19 +41,27 @@ struct rand_pool_info {
@@ -77824,9 +77515,9 @@ index 7e77cee..d51eec7 100644
  {
  	u32 i = (seed >> 32) ^ (seed << 10) ^ seed;
  
--	state->s1 = __seed(i, 1);
--	state->s2 = __seed(i, 7);
--	state->s3 = __seed(i, 15);
+-	state->s1 = __seed(i, 2);
+-	state->s2 = __seed(i, 8);
+-	state->s3 = __seed(i, 16);
 +	state->s1 = __seed(i, 2U);
 +	state->s2 = __seed(i, 8U);
 +	state->s3 = __seed(i, 16U);
@@ -78015,7 +77706,7 @@ index 2148b12..519b820 100644
  
  static inline void anon_vma_merge(struct vm_area_struct *vma,
 diff --git a/include/linux/sched.h b/include/linux/sched.h
-index 8204898..d17b99e 100644
+index 312d047..dbf4637 100644
 --- a/include/linux/sched.h
 +++ b/include/linux/sched.h
 @@ -101,6 +101,7 @@ struct bio_list;
@@ -78068,10 +77759,10 @@ index 8204898..d17b99e 100644
 +#define SUID_DUMPABLE_ENABLED	1
 +#define SUID_DUMPABLE_SAFE	2
 +
- /* mm flags */
- /* dumpable bits */
- #define MMF_DUMPABLE      0  /* core dump is permitted */
-@@ -630,6 +649,17 @@ struct signal_struct {
+ #define SUID_DUMP_DISABLE	0	/* No setuid dumping */
+ #define SUID_DUMP_USER		1	/* Dump as user of process */
+ #define SUID_DUMP_ROOT		2	/* Dump as root */
+@@ -634,6 +653,17 @@ struct signal_struct {
  #ifdef CONFIG_TASKSTATS
  	struct taskstats *stats;
  #endif
@@ -78089,7 +77780,7 @@ index 8204898..d17b99e 100644
  #ifdef CONFIG_AUDIT
  	unsigned audit_tty;
  	struct tty_audit_buf *tty_audit_buf;
-@@ -711,6 +741,14 @@ struct user_struct {
+@@ -715,6 +745,14 @@ struct user_struct {
  	struct key *session_keyring;	/* UID's default session keyring */
  #endif
  
@@ -78104,7 +77795,7 @@ index 8204898..d17b99e 100644
  	/* Hash table maintenance information */
  	struct hlist_node uidhash_node;
  	uid_t uid;
-@@ -1125,7 +1163,7 @@ struct sched_class {
+@@ -1129,7 +1167,7 @@ struct sched_class {
  #ifdef CONFIG_FAIR_GROUP_SCHED
  	void (*task_move_group) (struct task_struct *p, int on_rq);
  #endif
@@ -78113,7 +77804,7 @@ index 8204898..d17b99e 100644
  
  struct load_weight {
  	unsigned long weight, inv_weight;
-@@ -1301,6 +1339,8 @@ struct task_struct {
+@@ -1305,6 +1343,8 @@ struct task_struct {
  				 * execve */
  	unsigned in_iowait:1;
  
@@ -78122,7 +77813,7 @@ index 8204898..d17b99e 100644
  
  	/* Revert to default priority/policy when forking */
  	unsigned sched_reset_on_fork:1;
-@@ -1341,8 +1381,8 @@ struct task_struct {
+@@ -1345,8 +1385,8 @@ struct task_struct {
  	struct list_head thread_group;
  
  	struct completion *vfork_done;		/* for vfork() */
@@ -78133,7 +77824,7 @@ index 8204898..d17b99e 100644
  
  	cputime_t utime, stime, utimescaled, stimescaled;
  	cputime_t gtime;
-@@ -1358,13 +1398,6 @@ struct task_struct {
+@@ -1362,13 +1402,6 @@ struct task_struct {
  	struct task_cputime cputime_expires;
  	struct list_head cpu_timers[3];
  
@@ -78147,7 +77838,7 @@ index 8204898..d17b99e 100644
  	char comm[TASK_COMM_LEN]; /* executable name excluding path
  				     - access with [gs]et_task_comm (which lock
  				       it with task_lock())
-@@ -1381,8 +1414,16 @@ struct task_struct {
+@@ -1385,8 +1418,16 @@ struct task_struct {
  #endif
  /* CPU-specific state of this task */
  	struct thread_struct thread;
@@ -78164,7 +77855,7 @@ index 8204898..d17b99e 100644
  /* open file information */
  	struct files_struct *files;
  /* namespaces */
-@@ -1405,7 +1446,7 @@ struct task_struct {
+@@ -1409,7 +1450,7 @@ struct task_struct {
  	uid_t loginuid;
  	unsigned int sessionid;
  #endif
@@ -78173,7 +77864,7 @@ index 8204898..d17b99e 100644
  
  /* Thread group tracking */
     	u32 parent_exec_id;
-@@ -1429,6 +1470,11 @@ struct task_struct {
+@@ -1433,6 +1474,11 @@ struct task_struct {
  	struct rt_mutex_waiter *pi_blocked_on;
  #endif
  
@@ -78185,7 +77876,7 @@ index 8204898..d17b99e 100644
  #ifdef CONFIG_DEBUG_MUTEXES
  	/* mutex deadlock detection */
  	struct mutex_waiter *blocked_on;
-@@ -1544,6 +1590,30 @@ struct task_struct {
+@@ -1548,6 +1594,30 @@ struct task_struct {
  	unsigned long default_timer_slack_ns;
  
  	struct list_head	*scm_work_list;
@@ -78216,7 +77907,7 @@ index 8204898..d17b99e 100644
  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
  	/* Index of current stored address in ret_stack */
  	int curr_ret_stack;
-@@ -1578,6 +1648,52 @@ struct task_struct {
+@@ -1582,6 +1652,52 @@ struct task_struct {
  #endif
  };
  
@@ -78269,7 +77960,7 @@ index 8204898..d17b99e 100644
  /* Future-safe accessor for struct task_struct's cpus_allowed. */
  #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
  
-@@ -2093,7 +2209,9 @@ void yield(void);
+@@ -2097,7 +2213,9 @@ void yield(void);
  extern struct exec_domain	default_exec_domain;
  
  union thread_union {
@@ -78279,7 +77970,7 @@ index 8204898..d17b99e 100644
  	unsigned long stack[THREAD_SIZE/sizeof(long)];
  };
  
-@@ -2126,6 +2244,7 @@ extern struct pid_namespace init_pid_ns;
+@@ -2130,6 +2248,7 @@ extern struct pid_namespace init_pid_ns;
   */
  
  extern struct task_struct *find_task_by_vpid(pid_t nr);
@@ -78287,7 +77978,7 @@ index 8204898..d17b99e 100644
  extern struct task_struct *find_task_by_pid_ns(pid_t nr,
  		struct pid_namespace *ns);
  
-@@ -2247,6 +2366,12 @@ static inline void mmdrop(struct mm_struct * mm)
+@@ -2251,6 +2370,12 @@ static inline void mmdrop(struct mm_struct * mm)
  extern void mmput(struct mm_struct *);
  /* Grab a reference to a task's mm, if it is not already going away */
  extern struct mm_struct *get_task_mm(struct task_struct *task);
@@ -78300,7 +77991,7 @@ index 8204898..d17b99e 100644
  /* Remove the current tasks stale references to the old mm_struct */
  extern void mm_release(struct task_struct *, struct mm_struct *);
  /* Allocate a new mm structure and copy contents from tsk->mm */
-@@ -2263,9 +2388,8 @@ extern void __cleanup_sighand(struct sighand_struct *);
+@@ -2267,9 +2392,8 @@ extern void __cleanup_sighand(struct sighand_struct *);
  extern void exit_itimers(struct signal_struct *);
  extern void flush_itimer_signals(void);
  
@@ -78311,7 +78002,7 @@ index 8204898..d17b99e 100644
  extern int allow_signal(int);
  extern int disallow_signal(int);
  
-@@ -2428,9 +2552,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
+@@ -2432,9 +2556,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
  
  #endif
  
@@ -79789,7 +79480,7 @@ index 34b06da..03b1d34 100644
  
  #endif /* _NET_INETPEER_H */
 diff --git a/include/net/ip.h b/include/net/ip.h
-index 06aed72..54fbf5b 100644
+index b935e6c..511250f 100644
 --- a/include/net/ip.h
 +++ b/include/net/ip.h
 @@ -214,7 +214,7 @@ extern struct local_ports {
@@ -81590,7 +81281,7 @@ index fa7eb3d..7faf116 100644
  	current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
  	set_fs(fs);
 diff --git a/kernel/audit.c b/kernel/audit.c
-index d4bc594..b26065d 100644
+index e14bc74..bdf7f6c 100644
 --- a/kernel/audit.c
 +++ b/kernel/audit.c
 @@ -115,7 +115,7 @@ u32		audit_sig_sid = 0;
@@ -81620,13 +81311,7 @@ index d4bc594..b26065d 100644
  				audit_rate_limit,
  				audit_backlog_limit);
  		audit_panic(message);
-@@ -684,18 +684,19 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
- 
- 	switch (msg_type) {
- 	case AUDIT_GET:
-+		status_set.mask		 = 0;
- 		status_set.enabled	 = audit_enabled;
- 		status_set.failure	 = audit_failure;
+@@ -690,7 +690,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
  		status_set.pid		 = audit_pid;
  		status_set.rate_limit	 = audit_rate_limit;
  		status_set.backlog_limit = audit_backlog_limit;
@@ -81635,23 +81320,7 @@ index d4bc594..b26065d 100644
  		status_set.backlog	 = skb_queue_len(&audit_skb_queue);
  		audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
  				 &status_set, sizeof(status_set));
- 		break;
- 	case AUDIT_SET:
--		if (nlh->nlmsg_len < sizeof(struct audit_status))
-+		if (nlmsg_len(nlh) < sizeof(struct audit_status))
- 			return -EINVAL;
- 		status_get   = (struct audit_status *)data;
- 		if (status_get->mask & AUDIT_STATUS_ENABLED) {
-@@ -899,7 +900,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
- 		struct task_struct *tsk;
- 		unsigned long flags;
- 
--		if (nlh->nlmsg_len < sizeof(struct audit_tty_status))
-+		if (nlmsg_len(nlh) < sizeof(struct audit_tty_status))
- 			return -EINVAL;
- 		s = data;
- 		if (s->enabled != 0 && s->enabled != 1)
-@@ -1260,12 +1261,13 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
+@@ -1261,12 +1261,13 @@ static void audit_log_vformat(struct audit_buffer *ab, const char *fmt,
  		avail = audit_expand(ab,
  			max_t(unsigned, AUDIT_BUFSIZ, 1+len-avail));
  		if (!avail)
@@ -81667,7 +81336,7 @@ index d4bc594..b26065d 100644
  out:
  	return;
  }
-@@ -1306,7 +1308,7 @@ void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
+@@ -1307,7 +1308,7 @@ void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf,
  	int i, avail, new_len;
  	unsigned char *ptr;
  	struct sk_buff *skb;
@@ -82962,7 +82631,7 @@ index ce0c182..c6ec99a 100644
  			else
  				new_fs = fs;
 diff --git a/kernel/futex.c b/kernel/futex.c
-index 1d0538e..9a6f6fb 100644
+index 8888815..9a6f6fb 100644
 --- a/kernel/futex.c
 +++ b/kernel/futex.c
 @@ -54,6 +54,7 @@
@@ -82985,15 +82654,6 @@ index 1d0538e..9a6f6fb 100644
  	/*
  	 * The futex address must be "naturally" aligned.
  	 */
-@@ -285,7 +291,7 @@ again:
- 		put_page(page);
- 		/* serialize against __split_huge_page_splitting() */
- 		local_irq_disable();
--		if (likely(__get_user_pages_fast(address, 1, 1, &page) == 1)) {
-+		if (likely(__get_user_pages_fast(address, 1, !ro, &page) == 1)) {
- 			page_head = compound_head(page);
- 			/*
- 			 * page_head is valid pointer but we must pin
 @@ -438,7 +444,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
  
  static int get_futex_value_locked(u32 *dest, u32 __user *from)
@@ -84999,7 +84659,7 @@ index 76b8e77..a2930e8 100644
  }
  
 diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index 67fedad..8a94754 100644
+index f79803a..0dcc1be 100644
 --- a/kernel/ptrace.c
 +++ b/kernel/ptrace.c
 @@ -211,7 +211,8 @@ int ptrace_check_attach(struct task_struct *child, bool ignore_state)
@@ -85022,18 +84682,17 @@ index 67fedad..8a94754 100644
  		goto ok;
  	rcu_read_unlock();
  	return -EPERM;
-@@ -246,7 +248,9 @@ ok:
- 	smp_rmb();
+@@ -247,7 +249,8 @@ ok:
  	if (task->mm)
  		dumpable = get_dumpable(task->mm);
--	if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
-+	if (dumpable != SUID_DUMPABLE_ENABLED &&
+ 	if (dumpable != SUID_DUMP_USER &&
+-	    !task_ns_capable(task, CAP_SYS_PTRACE))
 +		((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
 +		 (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
  		return -EPERM;
  
  	return security_ptrace_access_check(task, mode);
-@@ -256,7 +260,21 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode)
+@@ -257,7 +260,21 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode)
  {
  	int err;
  	task_lock(task);
@@ -85056,7 +84715,7 @@ index 67fedad..8a94754 100644
  	task_unlock(task);
  	return !err;
  }
-@@ -301,7 +319,7 @@ static int ptrace_attach(struct task_struct *task, long request,
+@@ -302,7 +319,7 @@ static int ptrace_attach(struct task_struct *task, long request,
  		goto out;
  
  	task_lock(task);
@@ -85065,7 +84724,7 @@ index 67fedad..8a94754 100644
  	task_unlock(task);
  	if (retval)
  		goto unlock_creds;
-@@ -316,7 +334,7 @@ static int ptrace_attach(struct task_struct *task, long request,
+@@ -317,7 +334,7 @@ static int ptrace_attach(struct task_struct *task, long request,
  	task->ptrace = PT_PTRACED;
  	if (seize)
  		task->ptrace |= PT_SEIZED;
@@ -85074,7 +84733,7 @@ index 67fedad..8a94754 100644
  		task->ptrace |= PT_PTRACE_CAP;
  
  	__ptrace_link(task, current);
-@@ -522,7 +540,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
+@@ -523,7 +540,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
  				break;
  			return -EIO;
  		}
@@ -85083,7 +84742,7 @@ index 67fedad..8a94754 100644
  			return -EFAULT;
  		copied += retval;
  		src += retval;
-@@ -582,6 +600,9 @@ static int ptrace_setoptions(struct task_struct *child, unsigned long data)
+@@ -583,6 +600,9 @@ static int ptrace_setoptions(struct task_struct *child, unsigned long data)
  	if (data & PTRACE_O_TRACEEXIT)
  		child->ptrace |= PT_TRACE_EXIT;
  
@@ -85093,7 +84752,7 @@ index 67fedad..8a94754 100644
  	return (data & ~PTRACE_O_MASK) ? -EINVAL : 0;
  }
  
-@@ -719,7 +740,7 @@ int ptrace_request(struct task_struct *child, long request,
+@@ -720,7 +740,7 @@ int ptrace_request(struct task_struct *child, long request,
  	bool seized = child->ptrace & PT_SEIZED;
  	int ret = -EIO;
  	siginfo_t siginfo, *si;
@@ -85102,7 +84761,7 @@ index 67fedad..8a94754 100644
  	unsigned long __user *datalp = datavp;
  	unsigned long flags;
  
-@@ -921,14 +942,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
+@@ -922,14 +942,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
  		goto out;
  	}
  
@@ -85125,7 +84784,7 @@ index 67fedad..8a94754 100644
  		goto out_put_task_struct;
  	}
  
-@@ -956,7 +984,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
+@@ -957,7 +984,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
  	copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
  	if (copied != sizeof(tmp))
  		return -EIO;
@@ -85134,7 +84793,7 @@ index 67fedad..8a94754 100644
  }
  
  int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
-@@ -1050,7 +1078,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
+@@ -1051,7 +1078,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
  }
  
  asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
@@ -85143,7 +84802,7 @@ index 67fedad..8a94754 100644
  {
  	struct task_struct *child;
  	long ret;
-@@ -1066,14 +1094,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
+@@ -1067,14 +1094,21 @@ asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
  		goto out;
  	}
  
@@ -85882,10 +85541,10 @@ index f280df1..da1281d 100644
  #ifdef CONFIG_RT_GROUP_SCHED
  	/*
 diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c
-index c261da7..4e5221ad 100644
+index 5b9e456..03c74cd 100644
 --- a/kernel/sched_fair.c
 +++ b/kernel/sched_fair.c
-@@ -4801,7 +4801,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
+@@ -4803,7 +4803,7 @@ static void nohz_idle_balance(int this_cpu, enum cpu_idle_type idle) { }
   * run_rebalance_domains is triggered when needed from the scheduler tick.
   * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
   */
@@ -87361,7 +87020,7 @@ index 73e416d..cfc6f69 100644
  		sys_tz = *tz;
  		update_vsyscall_tz();
 diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
-index 8a46f5d..bbe6f9c 100644
+index 0907e43..56a6a92 100644
 --- a/kernel/time/alarmtimer.c
 +++ b/kernel/time/alarmtimer.c
 @@ -773,7 +773,7 @@ static int __init alarmtimer_init(void)
@@ -87588,10 +87247,10 @@ index 16fc34a..efd8bb8 100644
  	ret = -EIO;
  	bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 226776b..175300f 100644
+index d40d7f6..b4e9662 100644
 --- a/kernel/trace/ftrace.c
 +++ b/kernel/trace/ftrace.c
-@@ -1599,12 +1599,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
+@@ -1598,12 +1598,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
  	if (unlikely(ftrace_disabled))
  		return 0;
  
@@ -87611,7 +87270,7 @@ index 226776b..175300f 100644
  }
  
  /*
-@@ -2607,7 +2612,7 @@ static void ftrace_free_entry_rcu(struct rcu_head *rhp)
+@@ -2665,7 +2670,7 @@ static void ftrace_free_entry_rcu(struct rcu_head *rhp)
  
  int
  register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
@@ -87620,7 +87279,7 @@ index 226776b..175300f 100644
  {
  	struct ftrace_func_probe *entry;
  	struct ftrace_page *pg;
-@@ -3982,8 +3987,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
+@@ -4034,8 +4039,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
  
  static int ftrace_graph_active;
@@ -87629,7 +87288,7 @@ index 226776b..175300f 100644
  int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
  {
  	return 0;
-@@ -4127,6 +4130,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
+@@ -4179,6 +4182,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
  	return NOTIFY_DONE;
  }
  
@@ -87637,10 +87296,10 @@ index 226776b..175300f 100644
 +	.notifier_call = ftrace_suspend_notifier_call
 +};
 +
- int register_ftrace_graph(trace_func_graph_ret_t retfunc,
- 			trace_func_graph_ent_t entryfunc)
- {
-@@ -4140,7 +4147,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
+ /* Just a place holder for function graph */
+ static struct ftrace_ops fgraph_ops __read_mostly = {
+ 	.func		= ftrace_stub,
+@@ -4198,7 +4205,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
  		goto out;
  	}
  
@@ -88781,7 +88440,7 @@ index d9df745..e73c2fe 100644
  static inline void *ptr_to_indirect(void *ptr)
  {
 diff --git a/lib/random32.c b/lib/random32.c
-index fc3545a..1e5b2df 100644
+index 1f44bdc..1e5b2df 100644
 --- a/lib/random32.c
 +++ b/lib/random32.c
 @@ -2,19 +2,19 @@
@@ -88983,7 +88642,7 @@ index fc3545a..1e5b2df 100644
  	 */
  	for_each_possible_cpu (i) {
  		struct rnd_state *state = &per_cpu(net_rand_state, i);
--		state->s1 = __seed(state->s1 ^ entropy, 1);
+-		state->s1 = __seed(state->s1 ^ entropy, 2);
 +
 +		state->s1 = __seed(state->s1 ^ entropy, 2U);
 +		prandom_warmup(state);
@@ -89010,9 +88669,9 @@ index fc3545a..1e5b2df 100644
  		struct rnd_state *state = &per_cpu(net_rand_state,i);
  
 -#define LCG(x)	((x) * 69069)	/* super-duper LCG */
--		state->s1 = __seed(LCG(i + jiffies), 1);
--		state->s2 = __seed(LCG(state->s1), 7);
--		state->s3 = __seed(LCG(state->s2), 15);
+-		state->s1 = __seed(LCG(i + jiffies), 2);
+-		state->s2 = __seed(LCG(state->s1), 8);
+-		state->s3 = __seed(LCG(state->s2), 16);
 -
 -		/* "warm it up" */
 -		prandom32(state);
@@ -89078,9 +88737,9 @@ index fc3545a..1e5b2df 100644
 +		u32 seeds[4];
  
  		get_random_bytes(&seeds, sizeof(seeds));
--		state->s1 = __seed(seeds[0], 1);
--		state->s2 = __seed(seeds[1], 7);
--		state->s3 = __seed(seeds[2], 15);
+-		state->s1 = __seed(seeds[0], 2);
+-		state->s2 = __seed(seeds[1], 8);
+-		state->s3 = __seed(seeds[2], 16);
 +		state->s1 = __seed(seeds[0],   2U);
 +		state->s2 = __seed(seeds[1],   8U);
 +		state->s3 = __seed(seeds[2],  16U);
@@ -89270,7 +88929,7 @@ index fc3545a..1e5b2df 100644
 +}
 +#endif
 diff --git a/lib/vsprintf.c b/lib/vsprintf.c
-index d74c317..1170419 100644
+index ae02e42..4ffc938 100644
 --- a/lib/vsprintf.c
 +++ b/lib/vsprintf.c
 @@ -16,6 +16,9 @@
@@ -89283,7 +88942,7 @@ index d74c317..1170419 100644
  #include <stdarg.h>
  #include <linux/module.h>
  #include <linux/types.h>
-@@ -413,7 +416,7 @@ char *symbol_string(char *buf, char *end, void *ptr,
+@@ -414,7 +417,7 @@ char *symbol_string(char *buf, char *end, void *ptr,
  	char sym[KSYM_SYMBOL_LEN];
  	if (ext == 'B')
  		sprint_backtrace(sym, value);
@@ -89292,7 +88951,7 @@ index d74c317..1170419 100644
  		sprint_symbol(sym, value);
  	else
  		kallsyms_lookup(value, NULL, NULL, NULL, sym);
-@@ -777,7 +780,11 @@ char *uuid_string(char *buf, char *end, const u8 *addr,
+@@ -778,7 +781,11 @@ char *uuid_string(char *buf, char *end, const u8 *addr,
  	return string(buf, end, uuid, spec);
  }
  
@@ -89304,7 +88963,7 @@ index d74c317..1170419 100644
  
  /*
   * Show a '%p' thing.  A kernel extension is that the '%p' is followed
-@@ -791,6 +798,8 @@ int kptr_restrict __read_mostly;
+@@ -792,6 +799,8 @@ int kptr_restrict __read_mostly;
   * - 'S' For symbolic direct pointers with offset
   * - 's' For symbolic direct pointers without offset
   * - 'B' For backtraced symbolic direct pointers with offset
@@ -89313,7 +88972,7 @@ index d74c317..1170419 100644
   * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
   * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
   * - 'M' For a 6-byte MAC address, it prints the address in the
-@@ -835,12 +844,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -836,12 +845,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
  {
  	if (!ptr && *fmt != 'K') {
  		/*
@@ -89328,7 +88987,7 @@ index d74c317..1170419 100644
  	}
  
  	switch (*fmt) {
-@@ -850,6 +859,13 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -851,6 +860,13 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
  		/* Fallthrough */
  	case 'S':
  	case 's':
@@ -89342,7 +89001,7 @@ index d74c317..1170419 100644
  	case 'B':
  		return symbol_string(buf, end, ptr, spec, *fmt);
  	case 'R':
-@@ -878,9 +894,17 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+@@ -879,9 +895,17 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
  	case 'U':
  		return uuid_string(buf, end, ptr, spec, fmt);
  	case 'V':
@@ -89363,8 +89022,8 @@ index d74c317..1170419 100644
  	case 'K':
  		/*
  		 * %pK cannot be used in IRQ context because its test
-@@ -898,6 +922,21 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
- 			ptr = NULL;
+@@ -924,6 +948,21 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
+ 		}
  		break;
  	}
 +
@@ -89385,7 +89044,7 @@ index d74c317..1170419 100644
  	spec.flags |= SMALL;
  	if (spec.field_width == -1) {
  		spec.field_width = 2 * sizeof(void *);
-@@ -1609,11 +1648,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -1635,11 +1674,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
  	typeof(type) value;						\
  	if (sizeof(type) == 8) {					\
  		args = PTR_ALIGN(args, sizeof(u32));			\
@@ -89400,7 +89059,7 @@ index d74c317..1170419 100644
  	}								\
  	args += sizeof(type);						\
  	value;								\
-@@ -1676,7 +1715,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
+@@ -1702,7 +1741,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
  		case FORMAT_TYPE_STR: {
  			const char *str_arg = args;
  			args += strlen(str_arg) + 1;
@@ -94865,10 +94524,10 @@ index aa12649..a22d595 100644
  	hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
  }
 diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
-index 8361ee4..a4f0f18 100644
+index bb78c75..a48650e 100644
 --- a/net/bluetooth/hci_sock.c
 +++ b/net/bluetooth/hci_sock.c
-@@ -607,7 +607,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
+@@ -605,7 +605,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
  			uf.event_mask[1] = *((u32 *) f->event_mask + 1);
  		}
  
@@ -94963,10 +94622,10 @@ index 158887a..1b70c49 100644
  			err = -EFAULT;
  			break;
 diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
-index 82ce164..00bd057 100644
+index 14c4864..77ff888 100644
 --- a/net/bluetooth/rfcomm/sock.c
 +++ b/net/bluetooth/rfcomm/sock.c
-@@ -685,7 +685,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+@@ -684,7 +684,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
  	struct sock *sk = sock->sk;
  	struct bt_security sec;
  	int err = 0;
@@ -94975,7 +94634,7 @@ index 82ce164..00bd057 100644
  	u32 opt;
  
  	BT_DBG("sk %p", sk);
-@@ -707,7 +707,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
+@@ -706,7 +706,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
  
  		sec.level = BT_SECURITY_LOW;
  
@@ -95069,7 +94728,7 @@ index 5864cc4..6ddb362 100644
  			break;
  		}
 diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
-index 53a8e37..45c033e 100644
+index 7fac75f..5d8351b 100644
 --- a/net/caif/caif_socket.c
 +++ b/net/caif/caif_socket.c
 @@ -48,19 +48,20 @@ static struct dentry *debugfsdir;
@@ -95174,7 +94833,7 @@ index 53a8e37..45c033e 100644
  			set_rx_flow_on(cf_sk);
  			caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
  	}
-@@ -856,7 +857,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
+@@ -852,7 +853,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
  	/*ifindex = id of the interface.*/
  	cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
  
@@ -95183,7 +94842,7 @@ index 53a8e37..45c033e 100644
  	cf_sk->layer.receive = caif_sktrecv_cb;
  
  	err = caif_connect_client(sock_net(sk), &cf_sk->conn_req,
-@@ -945,7 +946,7 @@ static int caif_release(struct socket *sock)
+@@ -941,7 +942,7 @@ static int caif_release(struct socket *sock)
  	spin_unlock_bh(&sk->sk_receive_queue.lock);
  	sock->sk = NULL;
  
@@ -95192,7 +94851,7 @@ index 53a8e37..45c033e 100644
  
  	WARN_ON(IS_ERR(cf_sk->debugfs_socket_dir));
  	if (cf_sk->debugfs_socket_dir != NULL)
-@@ -1124,7 +1125,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol,
+@@ -1120,7 +1121,7 @@ static int caif_create(struct net *net, struct socket *sock, int protocol,
  	cf_sk->conn_req.protocol = protocol;
  	/* Increase the number of sockets created. */
  	dbfs_atomic_inc(&cnt.caif_nr_socks);
@@ -95363,18 +95022,16 @@ index f78f898..d7aa843 100644
  
  	if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
 diff --git a/net/compat.c b/net/compat.c
-index 3139ef2..2717671 100644
+index 41724c9..630f046 100644
 --- a/net/compat.c
 +++ b/net/compat.c
-@@ -72,10 +72,10 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
- 	    __get_user(kmsg->msg_flags, &umsg->msg_flags))
+@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
  		return -EFAULT;
  	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
--		return -EINVAL;
+ 		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
 -	kmsg->msg_name = compat_ptr(tmp1);
 -	kmsg->msg_iov = compat_ptr(tmp2);
 -	kmsg->msg_control = compat_ptr(tmp3);
-+		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
 +	kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
 +	kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
 +	kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
@@ -95390,7 +95047,7 @@ index 3139ef2..2717671 100644
  						      kern_msg->msg_namelen,
  						      kern_address);
  			if (err < 0)
-@@ -98,7 +98,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -99,7 +99,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
  		kern_msg->msg_name = NULL;
  
  	tot_len = iov_from_user_compat_to_kern(kern_iov,
@@ -95399,7 +95056,7 @@ index 3139ef2..2717671 100644
  					  kern_msg->msg_iovlen);
  	if (tot_len >= 0)
  		kern_msg->msg_iov = kern_iov;
-@@ -118,20 +118,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -119,20 +119,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
  
  #define CMSG_COMPAT_FIRSTHDR(msg)			\
  	(((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ?	\
@@ -95423,7 +95080,7 @@ index 3139ef2..2717671 100644
  			msg->msg_controllen)
  		return NULL;
  	return (struct compat_cmsghdr __user *)ptr;
-@@ -223,7 +223,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
+@@ -224,7 +224,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
  {
  	struct compat_timeval ctv;
  	struct compat_timespec cts[3];
@@ -95432,7 +95089,7 @@ index 3139ef2..2717671 100644
  	struct compat_cmsghdr cmhdr;
  	int cmlen;
  
-@@ -275,7 +275,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
+@@ -276,7 +276,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
  
  void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
  {
@@ -95441,7 +95098,7 @@ index 3139ef2..2717671 100644
  	int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
  	int fdnum = scm->fp->count;
  	struct file **fp = scm->fp->fp;
-@@ -328,14 +328,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
+@@ -329,14 +329,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
  	__scm_destroy(scm);
  }
  
@@ -95456,7 +95113,7 @@ index 3139ef2..2717671 100644
  static int do_set_attach_filter(struct socket *sock, int level, int optname,
  				char __user *optval, unsigned int optlen)
  {
-@@ -372,7 +364,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
+@@ -373,7 +365,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
  		return -EFAULT;
  	old_fs = get_fs();
  	set_fs(KERNEL_DS);
@@ -95465,7 +95122,7 @@ index 3139ef2..2717671 100644
  	set_fs(old_fs);
  
  	return err;
-@@ -433,7 +425,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
+@@ -434,7 +426,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
  	len = sizeof(ktime);
  	old_fs = get_fs();
  	set_fs(KERNEL_DS);
@@ -95474,7 +95131,7 @@ index 3139ef2..2717671 100644
  	set_fs(old_fs);
  
  	if (!err) {
-@@ -568,7 +560,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -569,7 +561,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
  	case MCAST_JOIN_GROUP:
  	case MCAST_LEAVE_GROUP:
  	{
@@ -95483,7 +95140,7 @@ index 3139ef2..2717671 100644
  		struct group_req __user *kgr =
  			compat_alloc_user_space(sizeof(struct group_req));
  		u32 interface;
-@@ -589,7 +581,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -590,7 +582,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
  	case MCAST_BLOCK_SOURCE:
  	case MCAST_UNBLOCK_SOURCE:
  	{
@@ -95492,7 +95149,7 @@ index 3139ef2..2717671 100644
  		struct group_source_req __user *kgsr = compat_alloc_user_space(
  			sizeof(struct group_source_req));
  		u32 interface;
-@@ -610,7 +602,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -611,7 +603,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
  	}
  	case MCAST_MSFILTER:
  	{
@@ -95501,7 +95158,7 @@ index 3139ef2..2717671 100644
  		struct group_filter __user *kgf;
  		u32 interface, fmode, numsrc;
  
-@@ -648,7 +640,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
+@@ -649,7 +641,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
  	char __user *optval, int __user *optlen,
  	int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
  {
@@ -95510,7 +95167,7 @@ index 3139ef2..2717671 100644
  	struct group_filter __user *kgf;
  	int __user	*koptlen;
  	u32 interface, fmode, numsrc;
-@@ -801,7 +793,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -802,7 +794,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
  
  	if (call < SYS_SOCKET || call > SYS_SENDMMSG)
  		return -EINVAL;
@@ -95533,7 +95190,7 @@ index 68bbf9f..5ef0d12 100644
  
  	return err;
 diff --git a/net/core/dev.c b/net/core/dev.c
-index 8e455b8..4ebd90f 100644
+index 7bcf37d..15d6bb8 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name)
@@ -95578,7 +95235,7 @@ index 8e455b8..4ebd90f 100644
  
  #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
  
-@@ -2967,7 +2971,7 @@ enqueue:
+@@ -2969,7 +2973,7 @@ enqueue:
  
  	local_irq_restore(flags);
  
@@ -95587,7 +95244,7 @@ index 8e455b8..4ebd90f 100644
  	kfree_skb(skb);
  	return NET_RX_DROP;
  }
-@@ -3041,7 +3045,7 @@ int netif_rx_ni(struct sk_buff *skb)
+@@ -3043,7 +3047,7 @@ int netif_rx_ni(struct sk_buff *skb)
  }
  EXPORT_SYMBOL(netif_rx_ni);
  
@@ -95596,7 +95253,7 @@ index 8e455b8..4ebd90f 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  
-@@ -3340,7 +3344,7 @@ ncls:
+@@ -3342,7 +3346,7 @@ ncls:
  	if (pt_prev) {
  		ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
  	} else {
@@ -95605,7 +95262,7 @@ index 8e455b8..4ebd90f 100644
  		kfree_skb(skb);
  		/* Jamal, now you will not able to escape explaining
  		 * me how you were going to use this. :-)
-@@ -3905,7 +3909,7 @@ void netif_napi_del(struct napi_struct *napi)
+@@ -3907,7 +3911,7 @@ void netif_napi_del(struct napi_struct *napi)
  }
  EXPORT_SYMBOL(netif_napi_del);
  
@@ -95614,7 +95271,7 @@ index 8e455b8..4ebd90f 100644
  {
  	struct softnet_data *sd = &__get_cpu_var(softnet_data);
  	unsigned long time_limit = jiffies + 2;
-@@ -4375,8 +4379,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
+@@ -4377,8 +4381,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
  		else
  			seq_printf(seq, "%04x", ntohs(pt->type));
  
@@ -95628,7 +95285,7 @@ index 8e455b8..4ebd90f 100644
  	}
  
  	return 0;
-@@ -4438,7 +4447,7 @@ static void __net_exit dev_proc_net_exit(struct net *net)
+@@ -4440,7 +4449,7 @@ static void __net_exit dev_proc_net_exit(struct net *net)
  	proc_net_remove(net, "dev");
  }
  
@@ -95637,7 +95294,7 @@ index 8e455b8..4ebd90f 100644
  	.init = dev_proc_net_init,
  	.exit = dev_proc_net_exit,
  };
-@@ -5933,7 +5942,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
+@@ -5935,7 +5944,7 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
  	} else {
  		netdev_stats_to_stats64(storage, &dev->stats);
  	}
@@ -95646,7 +95303,7 @@ index 8e455b8..4ebd90f 100644
  	return storage;
  }
  EXPORT_SYMBOL(dev_get_stats);
-@@ -6512,7 +6521,7 @@ static void __net_exit netdev_exit(struct net *net)
+@@ -6514,7 +6523,7 @@ static void __net_exit netdev_exit(struct net *net)
  	kfree(net->dev_index_head);
  }
  
@@ -95655,7 +95312,7 @@ index 8e455b8..4ebd90f 100644
  	.init = netdev_init,
  	.exit = netdev_exit,
  };
-@@ -6574,7 +6583,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
+@@ -6576,7 +6585,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
  	rtnl_unlock();
  }
  
@@ -95784,7 +95441,7 @@ index e318c7e..168b1d0 100644
  			fle->object = flo;
  		else
 diff --git a/net/core/iovec.c b/net/core/iovec.c
-index c40f27e..7f49254 100644
+index 139ef93..7afaa2f 100644
 --- a/net/core/iovec.c
 +++ b/net/core/iovec.c
 @@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
@@ -95796,7 +95453,7 @@ index c40f27e..7f49254 100644
  			err = move_addr_to_kernel(namep, m->msg_namelen,
  						  address);
  			if (err < 0)
-@@ -54,7 +54,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
+@@ -55,7 +55,7 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
  	}
  
  	size = m->msg_iovlen * sizeof(struct iovec);
@@ -96215,7 +95872,7 @@ index 39a2d29..f39c0fe 100644
  	  Econet is a fairly old and slow networking protocol mainly used by
  	  Acorn computers to access file and print servers. It uses native
 diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
-index 19d6aef..4f610f4 100644
+index 5d42df2..10638af 100644
 --- a/net/ieee802154/6lowpan.c
 +++ b/net/ieee802154/6lowpan.c
 @@ -329,7 +329,7 @@ static int lowpan_header_create(struct sk_buff *skb,
@@ -96325,19 +95982,6 @@ index 59a7041..060976d 100644
  	memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
  
  	return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process);
-diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
-index 424fafb..ec07510 100644
---- a/net/ipv4/datagram.c
-+++ b/net/ipv4/datagram.c
-@@ -57,7 +57,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
- 	if (IS_ERR(rt)) {
- 		err = PTR_ERR(rt);
- 		if (err == -ENETUNREACH)
--			IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
-+			IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
- 		goto out;
- 	}
- 
 diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
 index e41c40f..fbed7a7 100644
 --- a/net/ipv4/devinet.c
@@ -96715,10 +96359,10 @@ index 5f28fab..ebd7a97 100644
  	.maxtype	= IFLA_GRE_MAX,
  	.policy		= ipgre_policy,
 diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 3b36002..27e6634 100644
+index 542a9c1..5b792eb 100644
 --- a/net/ipv4/ip_sockglue.c
 +++ b/net/ipv4/ip_sockglue.c
-@@ -1120,7 +1120,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1121,7 +1121,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
  		len = min_t(unsigned int, len, opt->optlen);
  		if (put_user(len, optlen))
  			return -EFAULT;
@@ -96728,7 +96372,7 @@ index 3b36002..27e6634 100644
  			return -EFAULT;
  		return 0;
  	}
-@@ -1248,7 +1249,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1249,7 +1250,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
  		if (sk->sk_type != SOCK_STREAM)
  			return -ENOPROTOOPT;
  
@@ -96917,10 +96561,10 @@ index b550815..c3b44d5 100644
  	/* copy_len <= skb->len, so can't fail. */
  	if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index 294a380..885a292 100644
+index 00975b6..e922b06 100644
 --- a/net/ipv4/ping.c
 +++ b/net/ipv4/ping.c
-@@ -836,7 +836,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f,
+@@ -835,7 +835,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f,
  		sk_rmem_alloc_get(sp),
  		0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
  		atomic_read(&sp->sk_refcnt), sp,
@@ -96943,7 +96587,7 @@ index f7fdbe9..63740b7 100644
  	.exit = ip_proc_exit_net,
  };
 diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
-index 2815014..1d39ae6 100644
+index cfded93..7b72cc0 100644
 --- a/net/ipv4/raw.c
 +++ b/net/ipv4/raw.c
 @@ -305,7 +305,7 @@ static int raw_rcv_skb(struct sock * sk, struct sk_buff * skb)
@@ -96955,7 +96599,7 @@ index 2815014..1d39ae6 100644
  		kfree_skb(skb);
  		return NET_RX_DROP;
  	}
-@@ -740,16 +740,20 @@ static int raw_init(struct sock *sk)
+@@ -738,16 +738,20 @@ static int raw_init(struct sock *sk)
  
  static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
  {
@@ -96977,7 +96621,7 @@ index 2815014..1d39ae6 100644
  
  	if (get_user(len, optlen))
  		goto out;
-@@ -759,8 +763,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
+@@ -757,8 +761,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
  	if (len > sizeof(struct icmp_filter))
  		len = sizeof(struct icmp_filter);
  	ret = -EFAULT;
@@ -96988,7 +96632,7 @@ index 2815014..1d39ae6 100644
  		goto out;
  	ret = 0;
  out:	return ret;
-@@ -988,7 +992,13 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
+@@ -986,7 +990,13 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
  		sk_wmem_alloc_get(sp),
  		sk_rmem_alloc_get(sp),
  		0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
@@ -97003,7 +96647,7 @@ index 2815014..1d39ae6 100644
  }
  
  static int raw_seq_show(struct seq_file *seq, void *v)
-@@ -1051,7 +1061,7 @@ static __net_exit void raw_exit_net(struct net *net)
+@@ -1049,7 +1059,7 @@ static __net_exit void raw_exit_net(struct net *net)
  	proc_net_remove(net, "raw");
  }
  
@@ -97325,7 +96969,7 @@ index c1ed01e..bb914c3 100644
  	/* step 6: check the URG bit */
  	tcp_urg(sk, skb, th);
 diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
-index a97c9ad..640d986 100644
+index 92d7138..df6f00f 100644
 --- a/net/ipv4/tcp_ipv4.c
 +++ b/net/ipv4/tcp_ipv4.c
 @@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
@@ -97514,7 +97158,7 @@ index 2e0f0af..e2948bf 100644
  				  syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
  		/* Has it gone just too far? */
 diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index 5decc93..79830d4 100644
+index 8c2e259..076bc5b 100644
 --- a/net/ipv4/udp.c
 +++ b/net/ipv4/udp.c
 @@ -86,6 +86,7 @@
@@ -97565,7 +97209,7 @@ index 5decc93..79830d4 100644
  		daddr = inet->inet_daddr;
  		dport = inet->inet_dport;
  		/* Open fast path for connected socket.
-@@ -1100,7 +1117,7 @@ static unsigned int first_packet_length(struct sock *sk)
+@@ -1103,7 +1120,7 @@ static unsigned int first_packet_length(struct sock *sk)
  		udp_lib_checksum_complete(skb)) {
  		UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
  				 IS_UDPLITE(sk));
@@ -97574,7 +97218,7 @@ index 5decc93..79830d4 100644
  		__skb_unlink(skb, rcvq);
  		__skb_queue_tail(&list_kill, skb);
  	}
-@@ -1186,6 +1203,10 @@ try_again:
+@@ -1183,6 +1200,10 @@ try_again:
  	if (!skb)
  		goto out;
  
@@ -97585,7 +97229,7 @@ index 5decc93..79830d4 100644
  	ulen = skb->len - sizeof(struct udphdr);
  	copied = len;
  	if (copied > ulen)
-@@ -1488,7 +1509,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+@@ -1486,7 +1507,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
  
  drop:
  	UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
@@ -97594,7 +97238,7 @@ index 5decc93..79830d4 100644
  	kfree_skb(skb);
  	return -1;
  }
-@@ -1507,7 +1528,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
+@@ -1505,7 +1526,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
  			skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
  
  		if (!skb1) {
@@ -97603,7 +97247,7 @@ index 5decc93..79830d4 100644
  			UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
  					 IS_UDPLITE(sk));
  			UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
-@@ -1676,6 +1697,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
+@@ -1674,6 +1695,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
  		goto csum_error;
  
  	UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
@@ -97613,7 +97257,7 @@ index 5decc93..79830d4 100644
  	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
  
  	/*
-@@ -2099,8 +2123,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
+@@ -2097,8 +2121,13 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
  		sk_wmem_alloc_get(sp),
  		sk_rmem_alloc_get(sp),
  		0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
@@ -97730,7 +97374,7 @@ index 1567fb1..29af910 100644
  			dst = NULL;
  		}
 diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index 97675bf..7dc5e62 100644
+index d3fde7e..f526e49 100644
 --- a/net/ipv6/ip6_output.c
 +++ b/net/ipv6/ip6_output.c
 @@ -600,8 +600,8 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
@@ -97825,7 +97469,7 @@ index 94874b0..a47969c 100644
  
  	case IP6T_SO_GET_ENTRIES:
 diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
-index 6e6c2c4..c97891e 100644
+index 9ecbc84..7dd6ff7 100644
 --- a/net/ipv6/raw.c
 +++ b/net/ipv6/raw.c
 @@ -109,7 +109,7 @@ found:
@@ -97864,7 +97508,7 @@ index 6e6c2c4..c97891e 100644
  			kfree_skb(skb);
  			return NET_RX_DROP;
  		}
-@@ -600,7 +600,7 @@ out:
+@@ -598,7 +598,7 @@ out:
  	return err;
  }
  
@@ -97873,7 +97517,7 @@ index 6e6c2c4..c97891e 100644
  			struct flowi6 *fl6, struct dst_entry **dstp,
  			unsigned int flags)
  {
-@@ -908,12 +908,15 @@ do_confirm:
+@@ -906,12 +906,15 @@ do_confirm:
  static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
  			       char __user *optval, int optlen)
  {
@@ -97890,7 +97534,7 @@ index 6e6c2c4..c97891e 100644
  		return 0;
  	default:
  		return -ENOPROTOOPT;
-@@ -926,6 +929,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
+@@ -924,6 +927,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
  			       char __user *optval, int __user *optlen)
  {
  	int len;
@@ -97898,7 +97542,7 @@ index 6e6c2c4..c97891e 100644
  
  	switch (optname) {
  	case ICMPV6_FILTER:
-@@ -937,7 +941,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
+@@ -935,7 +939,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
  			len = sizeof(struct icmp6_filter);
  		if (put_user(len, optlen))
  			return -EFAULT;
@@ -97908,7 +97552,7 @@ index 6e6c2c4..c97891e 100644
  			return -EFAULT;
  		return 0;
  	default:
-@@ -1244,7 +1249,13 @@ static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
+@@ -1242,7 +1247,13 @@ static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
  		   0, 0L, 0,
  		   sock_i_uid(sp), 0,
  		   sock_i_ino(sp),
@@ -97965,10 +97609,10 @@ index eba5deb..61e026f 100644
  	return -ENOMEM;
  }
 diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index bc9103d..48a383f 100644
+index 1768238..b28b21a 100644
 --- a/net/ipv6/route.c
 +++ b/net/ipv6/route.c
-@@ -2809,7 +2809,7 @@ ctl_table ipv6_route_table_template[] = {
+@@ -2812,7 +2812,7 @@ ctl_table ipv6_route_table_template[] = {
  
  struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
  {
@@ -98094,7 +97738,7 @@ index c69358c..d1e5855 100644
  
  static int tcp6_seq_show(struct seq_file *seq, void *v)
 diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
-index f9e496b..729da61 100644
+index f8bec1e..8628321 100644
 --- a/net/ipv6/udp.c
 +++ b/net/ipv6/udp.c
 @@ -50,6 +50,10 @@
@@ -98108,7 +97752,7 @@ index f9e496b..729da61 100644
  int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
  {
  	const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
-@@ -549,7 +553,7 @@ int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
+@@ -546,7 +550,7 @@ int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
  
  	return 0;
  drop:
@@ -98117,7 +97761,7 @@ index f9e496b..729da61 100644
  drop_no_sk_drops_inc:
  	UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
  	kfree_skb(skb);
-@@ -625,7 +629,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
+@@ -622,7 +626,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
  			continue;
  		}
  drop:
@@ -98126,7 +97770,7 @@ index f9e496b..729da61 100644
  		UDP6_INC_STATS_BH(sock_net(sk),
  				UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
  		UDP6_INC_STATS_BH(sock_net(sk),
-@@ -780,6 +784,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
+@@ -777,6 +781,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
  		UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
  				proto == IPPROTO_UDPLITE);
  
@@ -98136,7 +97780,7 @@ index f9e496b..729da61 100644
  		icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
  
  		kfree_skb(skb);
-@@ -796,7 +803,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
+@@ -793,7 +800,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
  	if (!sock_owned_by_user(sk))
  		udpv6_queue_rcv_skb(sk, skb);
  	else if (sk_add_backlog(sk, skb)) {
@@ -98145,7 +97789,7 @@ index f9e496b..729da61 100644
  		bh_unlock_sock(sk);
  		sock_put(sk);
  		goto discard;
-@@ -1412,8 +1419,13 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket
+@@ -1409,8 +1416,13 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket
  		   0, 0L, 0,
  		   sock_i_uid(sp), 0,
  		   sock_i_ino(sp),
@@ -98349,7 +97993,7 @@ index 32e3bb0..a4e5eb8 100644
  	}
  
 diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
-index e836140..f8ec098 100644
+index cf98d62..7bf2972 100644
 --- a/net/iucv/af_iucv.c
 +++ b/net/iucv/af_iucv.c
 @@ -786,10 +786,10 @@ static int iucv_sock_autobind(struct sock *sk)
@@ -98379,7 +98023,7 @@ index 403be43..87f09da 100644
  };
  
 diff --git a/net/key/af_key.c b/net/key/af_key.c
-index 8dbdb8e..50f4169 100644
+index dc8d7ef..9d37285 100644
 --- a/net/key/af_key.c
 +++ b/net/key/af_key.c
 @@ -1097,7 +1097,8 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
@@ -99326,7 +98970,7 @@ index 4fe4fb4..87a89e5 100644
  	return 0;
  }
 diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 3d1d55d..1ee2a18 100644
+index 2369e96..3c3f7de 100644
 --- a/net/netlink/af_netlink.c
 +++ b/net/netlink/af_netlink.c
 @@ -753,7 +753,7 @@ static void netlink_overrun(struct sock *sk)
@@ -99338,7 +98982,7 @@ index 3d1d55d..1ee2a18 100644
  }
  
  static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
-@@ -2013,7 +2013,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
+@@ -2011,7 +2011,7 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
  			   sk_wmem_alloc_get(s),
  			   nlk->cb,
  			   atomic_read(&s->sk_refcnt),
@@ -99347,7 +98991,7 @@ index 3d1d55d..1ee2a18 100644
  			   sock_i_ino(s)
  			);
  
-@@ -2120,7 +2120,7 @@ static void __init netlink_add_usersock_entry(void)
+@@ -2118,7 +2118,7 @@ static void __init netlink_add_usersock_entry(void)
  	netlink_table_ungrab();
  }
  
@@ -99399,7 +99043,7 @@ index 874f8ff..339bb58 100644
  		}
  	}
 diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
-index 3df7c5a..8f324b0 100644
+index b4d889b..bb33240 100644
 --- a/net/netrom/af_netrom.c
 +++ b/net/netrom/af_netrom.c
 @@ -839,6 +839,7 @@ static int nr_getname(struct socket *sock, struct sockaddr *uaddr,
@@ -99419,10 +99063,10 @@ index 3df7c5a..8f324b0 100644
  		*uaddr_len = sizeof(struct sockaddr_ax25);
  	}
 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index a2ac2c3..070be35 100644
+index 4f19bf2..5770069 100644
 --- a/net/packet/af_packet.c
 +++ b/net/packet/af_packet.c
-@@ -1670,7 +1670,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1678,7 +1678,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
  
  	spin_lock(&sk->sk_receive_queue.lock);
  	po->stats.tp_packets++;
@@ -99431,7 +99075,7 @@ index a2ac2c3..070be35 100644
  	__skb_queue_tail(&sk->sk_receive_queue, skb);
  	spin_unlock(&sk->sk_receive_queue.lock);
  	sk->sk_data_ready(sk, skb->len);
-@@ -1679,7 +1679,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+@@ -1687,7 +1687,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
  drop_n_acct:
  	spin_lock(&sk->sk_receive_queue.lock);
  	po->stats.tp_drops++;
@@ -99440,7 +99084,7 @@ index a2ac2c3..070be35 100644
  	spin_unlock(&sk->sk_receive_queue.lock);
  
  drop_n_restore:
-@@ -2609,6 +2609,7 @@ out:
+@@ -2623,6 +2623,7 @@ out:
  
  static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
  {
@@ -99448,7 +99092,7 @@ index a2ac2c3..070be35 100644
  	struct sock_exterr_skb *serr;
  	struct sk_buff *skb, *skb2;
  	int copied, err;
-@@ -2630,8 +2631,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
+@@ -2644,8 +2645,9 @@ static int packet_recv_error(struct sock *sk, struct msghdr *msg, int len)
  	sock_recv_timestamp(msg, sk, skb);
  
  	serr = SKB_EXT_ERR(skb);
@@ -99459,7 +99103,7 @@ index a2ac2c3..070be35 100644
  
  	msg->msg_flags |= MSG_ERRQUEUE;
  	err = copied;
-@@ -3261,7 +3263,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3273,7 +3275,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
  	case PACKET_HDRLEN:
  		if (len > sizeof(int))
  			len = sizeof(int);
@@ -99468,7 +99112,7 @@ index a2ac2c3..070be35 100644
  			return -EFAULT;
  		switch (val) {
  		case TPACKET_V1:
-@@ -3311,7 +3313,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3323,7 +3325,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
  
  	if (put_user(len, optlen))
  		return -EFAULT;
@@ -100256,7 +99900,7 @@ index 8da4481..d02565e 100644
  			+ (rtt >> sctp_rto_alpha);
  	} else {
 diff --git a/net/socket.c b/net/socket.c
-index bf7adaa..997cbc7 100644
+index d4faade..2492841 100644
 --- a/net/socket.c
 +++ b/net/socket.c
 @@ -88,6 +88,7 @@
@@ -100285,7 +99929,7 @@ index bf7adaa..997cbc7 100644
  
  /*
   *	Statistics counters of the socket lists
-@@ -321,7 +324,7 @@ static struct dentry *sockfs_mount(struct file_system_type *fs_type,
+@@ -322,7 +325,7 @@ static struct dentry *sockfs_mount(struct file_system_type *fs_type,
  		&sockfs_dentry_operations, SOCKFS_MAGIC);
  }
  
@@ -100294,7 +99938,7 @@ index bf7adaa..997cbc7 100644
  
  static struct file_system_type sock_fs_type = {
  	.name =		"sockfs",
-@@ -1187,6 +1190,8 @@ int __sock_create(struct net *net, int family, int type, int protocol,
+@@ -1188,6 +1191,8 @@ int __sock_create(struct net *net, int family, int type, int protocol,
  		return -EAFNOSUPPORT;
  	if (type < 0 || type >= SOCK_MAX)
  		return -EINVAL;
@@ -100303,7 +99947,7 @@ index bf7adaa..997cbc7 100644
  
  	/* Compatibility.
  
-@@ -1207,6 +1212,20 @@ int __sock_create(struct net *net, int family, int type, int protocol,
+@@ -1208,6 +1213,20 @@ int __sock_create(struct net *net, int family, int type, int protocol,
  	if (err)
  		return err;
  
@@ -100324,7 +99968,7 @@ index bf7adaa..997cbc7 100644
  	/*
  	 *	Allocate the socket and allow the family to set things up. if
  	 *	the protocol is 0, the family is instructed to select an appropriate
-@@ -1431,6 +1450,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1432,6 +1451,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
  	if (sock) {
  		err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
  		if (err >= 0) {
@@ -100339,7 +99983,7 @@ index bf7adaa..997cbc7 100644
  			err = security_socket_bind(sock,
  						   (struct sockaddr *)&address,
  						   addrlen);
-@@ -1439,6 +1466,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+@@ -1440,6 +1467,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
  						      (struct sockaddr *)
  						      &address, addrlen);
  		}
@@ -100347,7 +99991,7 @@ index bf7adaa..997cbc7 100644
  		fput_light(sock->file, fput_needed);
  	}
  	return err;
-@@ -1462,10 +1490,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+@@ -1463,10 +1491,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
  		if ((unsigned)backlog > somaxconn)
  			backlog = somaxconn;
  
@@ -100368,7 +100012,7 @@ index bf7adaa..997cbc7 100644
  		fput_light(sock->file, fput_needed);
  	}
  	return err;
-@@ -1509,6 +1547,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1510,6 +1548,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
  	newsock->type = sock->type;
  	newsock->ops = sock->ops;
  
@@ -100387,7 +100031,7 @@ index bf7adaa..997cbc7 100644
  	/*
  	 * We don't need try_module_get here, as the listening socket (sock)
  	 * has the protocol module (sock->ops->owner) held.
-@@ -1547,6 +1597,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+@@ -1548,6 +1598,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
  	fd_install(newfd, newfile);
  	err = newfd;
  
@@ -100396,7 +100040,7 @@ index bf7adaa..997cbc7 100644
  out_put:
  	fput_light(sock->file, fput_needed);
  out:
-@@ -1579,6 +1631,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1580,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
  		int, addrlen)
  {
  	struct socket *sock;
@@ -100404,7 +100048,7 @@ index bf7adaa..997cbc7 100644
  	struct sockaddr_storage address;
  	int err, fput_needed;
  
-@@ -1589,6 +1642,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+@@ -1590,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
  	if (err < 0)
  		goto out_put;
  
@@ -100422,7 +100066,7 @@ index bf7adaa..997cbc7 100644
  	err =
  	    security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
  	if (err)
-@@ -1670,6 +1734,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
+@@ -1671,6 +1735,8 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
   *	the protocol.
   */
  
@@ -100431,7 +100075,7 @@ index bf7adaa..997cbc7 100644
  SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
  		unsigned, flags, struct sockaddr __user *, addr,
  		int, addr_len)
-@@ -1736,7 +1802,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+@@ -1737,7 +1803,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
  	struct socket *sock;
  	struct iovec iov;
  	struct msghdr msg;
@@ -100440,16 +100084,7 @@ index bf7adaa..997cbc7 100644
  	int err, err2;
  	int fput_needed;
  
-@@ -1882,7 +1948,7 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
- 	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
- 		return -EFAULT;
- 	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
--		return -EINVAL;
-+		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
- 	return 0;
- }
- 
-@@ -1963,7 +2029,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -1966,7 +2032,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
  		 * checking falls down on this.
  		 */
  		if (copy_from_user(ctl_buf,
@@ -100458,7 +100093,7 @@ index bf7adaa..997cbc7 100644
  				   ctl_len))
  			goto out_freectl;
  		msg_sys->msg_control = ctl_buf;
-@@ -2114,7 +2180,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2117,7 +2183,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
  	int err, iov_size, total_len, len;
  
  	/* kernel mode address */
@@ -100467,16 +100102,17 @@ index bf7adaa..997cbc7 100644
  
  	/* user mode address pointers */
  	struct sockaddr __user *uaddr;
-@@ -2147,7 +2213,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
- 	 *      kernel msghdr to use the kernel address space)
+@@ -2148,7 +2214,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ 	/* Save the user-mode address (verify_iovec will change the
+ 	 * kernel msghdr to use the kernel address space)
  	 */
- 
 -	uaddr = (__force void __user *)msg_sys->msg_name;
++
 +	uaddr = (void __force_user *)msg_sys->msg_name;
  	uaddr_len = COMPAT_NAMELEN(msg);
- 	if (MSG_CMSG_COMPAT & flags) {
+ 	if (MSG_CMSG_COMPAT & flags)
  		err = verify_compat_iovec(msg_sys, iov,
-@@ -2788,7 +2854,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2792,7 +2859,7 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
  	}
  
  	ifr = compat_alloc_user_space(buf_size);
@@ -100485,7 +100121,7 @@ index bf7adaa..997cbc7 100644
  
  	if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
  		return -EFAULT;
-@@ -2812,12 +2878,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2816,12 +2883,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
  			offsetof(struct ethtool_rxnfc, fs.ring_cookie));
  
  		if (copy_in_user(rxnfc, compat_rxnfc,
@@ -100502,7 +100138,7 @@ index bf7adaa..997cbc7 100644
  		    copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
  				 sizeof(rxnfc->rule_cnt)))
  			return -EFAULT;
-@@ -2829,12 +2895,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2833,12 +2900,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
  
  	if (convert_out) {
  		if (copy_in_user(compat_rxnfc, rxnfc,
@@ -100519,7 +100155,7 @@ index bf7adaa..997cbc7 100644
  		    copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
  				 sizeof(rxnfc->rule_cnt)))
  			return -EFAULT;
-@@ -2904,7 +2970,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2908,7 +2975,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
  		old_fs = get_fs();
  		set_fs(KERNEL_DS);
  		err = dev_ioctl(net, cmd,
@@ -100528,7 +100164,7 @@ index bf7adaa..997cbc7 100644
  		set_fs(old_fs);
  
  		return err;
-@@ -3013,7 +3079,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -3017,7 +3084,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
  
  	old_fs = get_fs();
  	set_fs(KERNEL_DS);
@@ -100537,7 +100173,7 @@ index bf7adaa..997cbc7 100644
  	set_fs(old_fs);
  
  	if (cmd == SIOCGIFMAP && !err) {
-@@ -3118,7 +3184,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3122,7 +3189,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
  		ret |= __get_user(rtdev, &(ur4->rt_dev));
  		if (rtdev) {
  			ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -100546,7 +100182,7 @@ index bf7adaa..997cbc7 100644
  			devname[15] = 0;
  		} else
  			r4.rt_dev = NULL;
-@@ -3358,8 +3424,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3362,8 +3429,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
  	int __user *uoptlen;
  	int err;
  
@@ -100557,7 +100193,7 @@ index bf7adaa..997cbc7 100644
  
  	set_fs(KERNEL_DS);
  	if (level == SOL_SOCKET)
-@@ -3379,7 +3445,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3383,7 +3450,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
  	char __user *uoptval;
  	int err;
  
@@ -101372,7 +101008,7 @@ index 1983717..4d6102c 100644
  
  	sub->evt.event = htohl(event, sub->swap);
 diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 5122b22..25b11eb 100644
+index 9338ccc..9bc732b 100644
 --- a/net/unix/af_unix.c
 +++ b/net/unix/af_unix.c
 @@ -766,6 +766,12 @@ static struct sock *unix_find_other(struct net *net,
@@ -101421,7 +101057,7 @@ index 5122b22..25b11eb 100644
  		mutex_unlock(&path.dentry->d_inode->i_mutex);
  		dput(path.dentry);
  		path.dentry = dentry;
-@@ -2270,9 +2290,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2265,9 +2285,13 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  		seq_puts(seq, "Num       RefCount Protocol Flags    Type St "
  			 "Inode Path\n");
  	else {
@@ -101436,7 +101072,7 @@ index 5122b22..25b11eb 100644
  
  		seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
  			s,
-@@ -2299,8 +2323,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+@@ -2294,8 +2318,10 @@ static int unix_seq_show(struct seq_file *seq, void *v)
  			}
  			for ( ; i < len; i++)
  				seq_putc(seq, u->addr->name->sun_path[i]);
@@ -104640,10 +104276,10 @@ index dca1c22..4fa4591 100644
  		lock = &avc_cache.slots_lock[hvalue];
  
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 1126c10..3bd5447 100644
+index 5898f34..f44199b 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -94,8 +94,6 @@
+@@ -95,8 +95,6 @@
  
  #define NUM_SEL_MNT_OPTS 5
  
@@ -104652,7 +104288,7 @@ index 1126c10..3bd5447 100644
  /* SECMARK reference count */
  static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
  
-@@ -2000,6 +1998,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
+@@ -2001,6 +1999,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
  		new_tsec->sid = old_tsec->exec_sid;
  		/* Reset exec SID on execve. */
  		new_tsec->exec_sid = 0;
@@ -104666,7 +104302,7 @@ index 1126c10..3bd5447 100644
  	} else {
  		/* Check for a default transition on this program. */
  		rc = security_transition_sid(old_tsec->sid, isec->sid,
-@@ -2012,7 +2017,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
+@@ -2013,7 +2018,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
  	COMMON_AUDIT_DATA_INIT(&ad, PATH);
  	ad.u.path = bprm->file->f_path;
  
@@ -104676,7 +104312,7 @@ index 1126c10..3bd5447 100644
  		new_tsec->sid = old_tsec->sid;
  
  	if (new_tsec->sid == old_tsec->sid) {
-@@ -4156,8 +4162,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+@@ -4181,8 +4187,10 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
  		}
  		err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
  				   PEER__RECV, &ad);
@@ -104688,7 +104324,7 @@ index 1126c10..3bd5447 100644
  	}
  
  	if (secmark_active) {
-@@ -5313,11 +5321,11 @@ static int selinux_setprocattr(struct task_struct *p,
+@@ -5372,11 +5380,11 @@ static int selinux_setprocattr(struct task_struct *p,
  		/* Check for ptracing, and update the task SID if ok.
  		   Otherwise, leave SID unchanged and fail. */
  		ptsid = 0;
@@ -104702,7 +104338,7 @@ index 1126c10..3bd5447 100644
  
  		if (tracer) {
  			error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
-@@ -5449,7 +5457,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
+@@ -5508,7 +5516,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
  
  #endif
  
@@ -104711,7 +104347,7 @@ index 1126c10..3bd5447 100644
  	.name =				"selinux",
  
  	.ptrace_access_check =		selinux_ptrace_access_check,
-@@ -5795,6 +5803,9 @@ static void selinux_nf_ip_exit(void)
+@@ -5854,6 +5862,9 @@ static void selinux_nf_ip_exit(void)
  #ifdef CONFIG_SECURITY_SELINUX_DISABLE
  static int selinux_disabled;
  
@@ -104721,7 +104357,7 @@ index 1126c10..3bd5447 100644
  int selinux_disable(void)
  {
  	if (ss_initialized) {
-@@ -5812,7 +5823,9 @@ int selinux_disable(void)
+@@ -5871,7 +5882,9 @@ int selinux_disable(void)
  	selinux_disabled = 1;
  	selinux_enabled = 0;
  
@@ -107395,10 +107031,10 @@ index 0000000..679b9ef
 +}
 diff --git a/tools/gcc/size_overflow_hash.data b/tools/gcc/size_overflow_hash.data
 new file mode 100644
-index 0000000..c4e61fd
+index 0000000..2d131cc
 --- /dev/null
 +++ b/tools/gcc/size_overflow_hash.data
-@@ -0,0 +1,5995 @@
+@@ -0,0 +1,5998 @@
 +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
 +ocfs2_get_refcount_tree_3 ocfs2_get_refcount_tree 0 3 NULL
 +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
@@ -108022,8 +107658,8 @@ index 0000000..c4e61fd
 +send_mpa_reject_7135 send_mpa_reject 3 7135 NULL
 +ipv6_recv_rxpmtu_7142 ipv6_recv_rxpmtu 3 7142 NULL
 +ocfs2_get_left_path_7159 ocfs2_get_left_path 0 7159 NULL
-+utf16_strsize_7203 utf16_strsize 0 7203 NULL nohasharray
-+__alloc_objio_seg_7203 __alloc_objio_seg 1 7203 &utf16_strsize_7203
++__alloc_objio_seg_7203 __alloc_objio_seg 1 7203 NULL nohasharray
++utf16_strsize_7203 utf16_strsize 0 7203 &__alloc_objio_seg_7203
 +sys32_ipc_7238 sys32_ipc 3 7238 NULL
 +hdlc_loop_7255 hdlc_loop 0 7255 NULL
 +snd_mask_refine_7267 snd_mask_refine 0 7267 NULL
@@ -108189,8 +107825,8 @@ index 0000000..c4e61fd
 +usb_allocate_stream_buffers_8964 usb_allocate_stream_buffers 3 8964 NULL
 +qib_qsfp_dump_8966 qib_qsfp_dump 0-3 8966 NULL
 +venus_mkdir_8967 venus_mkdir 4 8967 NULL
-+seq_open_net_8968 seq_open_net 4 8968 NULL nohasharray
-+vol_cdev_read_8968 vol_cdev_read 3 8968 &seq_open_net_8968
++vol_cdev_read_8968 vol_cdev_read 3 8968 NULL nohasharray
++seq_open_net_8968 seq_open_net 4 8968 &vol_cdev_read_8968
 +bio_integrity_get_tag_8974 bio_integrity_get_tag 3 8974 NULL
 +btrfs_alloc_free_block_8986 btrfs_alloc_free_block 8 8986 NULL
 +get_pipes_9008 get_pipes 0 9008 NULL
@@ -108342,8 +107978,8 @@ index 0000000..c4e61fd
 +do_compat_pselect_10398 do_compat_pselect 1 10398 NULL
 +event_phy_transmit_error_read_10471 event_phy_transmit_error_read 3 10471 NULL
 +qib_alloc_fast_reg_page_list_10507 qib_alloc_fast_reg_page_list 2 10507 NULL
-+rbd_get_segment_10511 rbd_get_segment 0-3-4 10511 NULL nohasharray
-+sel_write_disable_10511 sel_write_disable 3 10511 &rbd_get_segment_10511
++sel_write_disable_10511 sel_write_disable 3 10511 NULL nohasharray
++rbd_get_segment_10511 rbd_get_segment 0-3-4 10511 &sel_write_disable_10511
 +osd_req_write_sg_kern_10514 osd_req_write_sg_kern 5 10514 NULL
 +rds_message_alloc_10517 rds_message_alloc 1 10517 NULL
 +snd_pcm_hw_params_user_10520 snd_pcm_hw_params_user 0 10520 NULL
@@ -108738,8 +108374,8 @@ index 0000000..c4e61fd
 +cmd_complete_14502 cmd_complete 5 14502 NULL
 +ocfs2_debug_read_14507 ocfs2_debug_read 3 14507 NULL
 +prepare_data_14536 prepare_data 3 14536 NULL nohasharray
-+dataflash_read_user_otp_14536 dataflash_read_user_otp 3-2 14536 &prepare_data_14536 nohasharray
-+ep0_write_14536 ep0_write 3 14536 &dataflash_read_user_otp_14536
++ep0_write_14536 ep0_write 3 14536 &prepare_data_14536 nohasharray
++dataflash_read_user_otp_14536 dataflash_read_user_otp 3-2 14536 &ep0_write_14536
 +register_trace_sched_switch_14545 register_trace_sched_switch 0 14545 NULL
 +l2cap_send_cmd_14548 l2cap_send_cmd 4 14548 NULL
 +picolcd_debug_eeprom_read_14549 picolcd_debug_eeprom_read 3 14549 NULL
@@ -108765,8 +108401,8 @@ index 0000000..c4e61fd
 +ext4_kvmalloc_14796 ext4_kvmalloc 1 14796 NULL
 +__kfifo_in_14797 __kfifo_in 3-0 14797 NULL
 +nfs_parse_server_name_14800 nfs_parse_server_name 2 14800 NULL
-+hpet_readl_14801 hpet_readl 0 14801 NULL nohasharray
-+snd_als300_gcr_read_14801 snd_als300_gcr_read 0 14801 &hpet_readl_14801
++snd_als300_gcr_read_14801 snd_als300_gcr_read 0 14801 NULL nohasharray
++hpet_readl_14801 hpet_readl 0 14801 &snd_als300_gcr_read_14801
 +__i2400ms_rx_get_size_14826 __i2400ms_rx_get_size 0 14826 NULL
 +do_tune_cpucache_14828 do_tune_cpucache 2 14828 NULL
 +__mutex_fastpath_lock_retval_14844 __mutex_fastpath_lock_retval 0 14844 NULL
@@ -109538,8 +109174,8 @@ index 0000000..c4e61fd
 +pipe_iov_copy_from_user_23102 pipe_iov_copy_from_user 3 23102 NULL
 +dgram_recvmsg_23104 dgram_recvmsg 4 23104 NULL
 +ip_recv_error_23109 ip_recv_error 3 23109 NULL
-+mwl8k_cmd_set_beacon_23110 mwl8k_cmd_set_beacon 4 23110 NULL nohasharray
-+msix_setup_entries_23110 msix_setup_entries 0 23110 &mwl8k_cmd_set_beacon_23110
++msix_setup_entries_23110 msix_setup_entries 0 23110 NULL nohasharray
++mwl8k_cmd_set_beacon_23110 mwl8k_cmd_set_beacon 4 23110 &msix_setup_entries_23110
 +nl80211_send_rx_auth_23111 nl80211_send_rx_auth 4 23111 NULL
 +__clear_user_23118 __clear_user 0-2 23118 NULL
 +iwl_legacy_dbgfs_interrupt_write_23122 iwl_legacy_dbgfs_interrupt_write 3 23122 NULL nohasharray
@@ -109956,9 +109592,9 @@ index 0000000..c4e61fd
 +cxio_hal_pblpool_alloc_27714 cxio_hal_pblpool_alloc 2 27714 NULL
 +evm_write_key_27715 evm_write_key 3 27715 NULL
 +ieee80211_if_fmt_dot11MeshGateAnnouncementProtocol_27722 ieee80211_if_fmt_dot11MeshGateAnnouncementProtocol 3 27722 NULL
-+reg_w_buf_27724 reg_w_buf 3 27724 NULL nohasharray
-+pstore_write_27724 pstore_write 3 27724 &reg_w_buf_27724 nohasharray
-+iwl_dbgfs_traffic_log_write_27724 iwl_dbgfs_traffic_log_write 3 27724 &pstore_write_27724
++pstore_write_27724 pstore_write 3 27724 NULL nohasharray
++iwl_dbgfs_traffic_log_write_27724 iwl_dbgfs_traffic_log_write 3 27724 &pstore_write_27724 nohasharray
++reg_w_buf_27724 reg_w_buf 3 27724 &iwl_dbgfs_traffic_log_write_27724
 +xfs_dir2_block_sfsize_27727 xfs_dir2_block_sfsize 0 27727 NULL
 +kcalloc_27770 kcalloc 2-1 27770 NULL
 +ttm_object_file_init_27804 ttm_object_file_init 2 27804 NULL
@@ -110075,8 +109711,8 @@ index 0000000..c4e61fd
 +hci_sock_setsockopt_28993 hci_sock_setsockopt 5 28993 NULL
 +bin_uuid_28999 bin_uuid 3 28999 NULL
 +sys_fcntl64_29031 sys_fcntl64 3 29031 NULL
-+ProcessGetHostMibs_29049 ProcessGetHostMibs 0 29049 NULL nohasharray
-+rxrpc_sendmsg_29049 rxrpc_sendmsg 4 29049 &ProcessGetHostMibs_29049
++rxrpc_sendmsg_29049 rxrpc_sendmsg 4 29049 NULL nohasharray
++ProcessGetHostMibs_29049 ProcessGetHostMibs 0 29049 &rxrpc_sendmsg_29049
 +tso_fragment_29050 tso_fragment 3 29050 NULL
 +split_bvec_29058 split_bvec 5 29058 NULL
 +iso_packets_buffer_init_29061 iso_packets_buffer_init 3-4 29061 NULL
@@ -110155,7 +109791,8 @@ index 0000000..c4e61fd
 +pin_code_reply_29893 pin_code_reply 4 29893 NULL
 +write_file_queue_29922 write_file_queue 3 29922 NULL
 +ext4_xattr_set_acl_29930 ext4_xattr_set_acl 4 29930 NULL
-+__btrfs_getxattr_29947 __btrfs_getxattr 0 29947 NULL
++__btrfs_getxattr_29947 __btrfs_getxattr 0 29947 NULL nohasharray
++ipv6_recv_error_29947 ipv6_recv_error 3 29947 &__btrfs_getxattr_29947
 +xfrm_count_auth_supported_29957 xfrm_count_auth_supported 0 29957 NULL
 +irias_add_octseq_attrib_29983 irias_add_octseq_attrib 4 29983 NULL
 +arch_setup_dmar_msi_29992 arch_setup_dmar_msi 1-0 29992 NULL
@@ -110889,8 +110526,8 @@ index 0000000..c4e61fd
 +snd_pcm_playback_rewind_38249 snd_pcm_playback_rewind 0-2 38249 NULL
 +ieee80211_if_read_auto_open_plinks_38268 ieee80211_if_read_auto_open_plinks 3 38268 NULL nohasharray
 +mthca_alloc_icm_table_38268 mthca_alloc_icm_table 3-4 38268 &ieee80211_if_read_auto_open_plinks_38268
-+xfs_bmdr_to_bmbt_38275 xfs_bmdr_to_bmbt 5 38275 NULL nohasharray
-+xfs_bmbt_to_bmdr_38275 xfs_bmbt_to_bmdr 3 38275 &xfs_bmdr_to_bmbt_38275
++xfs_bmbt_to_bmdr_38275 xfs_bmbt_to_bmdr 3 38275 NULL nohasharray
++xfs_bmdr_to_bmbt_38275 xfs_bmdr_to_bmbt 5 38275 &xfs_bmbt_to_bmdr_38275
 +zd_mac_rx_38296 zd_mac_rx 3 38296 NULL
 +isr_rx_headers_read_38325 isr_rx_headers_read 3 38325 NULL
 +ida_simple_get_38326 ida_simple_get 2 38326 NULL
@@ -111387,8 +111024,8 @@ index 0000000..c4e61fd
 +msi_capability_init_43423 msi_capability_init 0 43423 &__alloc_bootmem_low_43423
 +usb_alloc_urb_43436 usb_alloc_urb 1 43436 NULL
 +ocfs2_rotate_tree_left_43442 ocfs2_rotate_tree_left 0 43442 NULL
-+usemap_size_43443 usemap_size 0-2-1 43443 NULL nohasharray
-+usb_string_43443 usb_string 0 43443 &usemap_size_43443
++usb_string_43443 usb_string 0 43443 NULL nohasharray
++usemap_size_43443 usemap_size 0-2-1 43443 &usb_string_43443
 +__data_list_add_eb_43472 __data_list_add_eb 0 43472 NULL
 +alloc_new_reservation_43480 alloc_new_reservation 4-0-2 43480 NULL
 +nf_nat_ftp_fmt_cmd_43495 nf_nat_ftp_fmt_cmd 0 43495 NULL
@@ -111605,6 +111242,7 @@ index 0000000..c4e61fd
 +pcpu_alloc_alloc_info_45813 pcpu_alloc_alloc_info 1-2 45813 NULL
 +fm_v4l2_init_video_device_45821 fm_v4l2_init_video_device 2 45821 NULL
 +r600_texture_size_45823 r600_texture_size 6-5-4 45823 NULL
++ipv6_recv_rxpmtu_45830 ipv6_recv_rxpmtu 3 45830 NULL
 +amthi_read_45831 amthi_read 4 45831 NULL
 +audit_make_reply_45835 audit_make_reply 7 45835 NULL
 +__ip_select_ident_45851 __ip_select_ident 3 45851 NULL
@@ -111793,8 +111431,8 @@ index 0000000..c4e61fd
 +iwl_dbgfs_ucode_tracing_read_47983 iwl_dbgfs_ucode_tracing_read 3 47983 NULL nohasharray
 +mempool_resize_47983 mempool_resize 2 47983 &iwl_dbgfs_ucode_tracing_read_47983
 +pnpacpi_parse_allocated_irqresource_47986 pnpacpi_parse_allocated_irqresource 2 47986 NULL
-+dbg_port_buf_47990 dbg_port_buf 2 47990 NULL nohasharray
-+mgmt_pending_add_47990 mgmt_pending_add 5 47990 &dbg_port_buf_47990
++mgmt_pending_add_47990 mgmt_pending_add 5 47990 NULL nohasharray
++dbg_port_buf_47990 dbg_port_buf 2 47990 &mgmt_pending_add_47990
 +ib_umad_write_47993 ib_umad_write 3 47993 NULL
 +ocfs2_find_refcount_split_pos_48001 ocfs2_find_refcount_split_pos 0 48001 NULL
 +ffs_epfile_write_48014 ffs_epfile_write 3 48014 NULL
@@ -111839,8 +111477,8 @@ index 0000000..c4e61fd
 +r8712_usbctrl_vendorreq_48489 r8712_usbctrl_vendorreq 6 48489 NULL
 +send_control_msg_48498 send_control_msg 6 48498 NULL
 +mlx4_en_create_tx_ring_48501 mlx4_en_create_tx_ring 4 48501 NULL
-+iwl_legacy_dbgfs_status_read_48508 iwl_legacy_dbgfs_status_read 3 48508 NULL nohasharray
-+diva_os_copy_to_user_48508 diva_os_copy_to_user 4 48508 &iwl_legacy_dbgfs_status_read_48508
++diva_os_copy_to_user_48508 diva_os_copy_to_user 4 48508 NULL nohasharray
++iwl_legacy_dbgfs_status_read_48508 iwl_legacy_dbgfs_status_read 3 48508 &diva_os_copy_to_user_48508
 +phantom_get_free_48514 phantom_get_free 0 48514 NULL
 +ubi_dbg_check_write_48525 ubi_dbg_check_write 0 48525 NULL
 +wiimote_hid_send_48528 wiimote_hid_send 3 48528 NULL
@@ -112399,8 +112037,8 @@ index 0000000..c4e61fd
 +pn_raw_send_54330 pn_raw_send 2 54330 NULL
 +br_fdb_fillbuf_54339 br_fdb_fillbuf 0 54339 NULL
 +__alloc_dev_table_54343 __alloc_dev_table 2 54343 NULL
-+__get_free_pages_54352 __get_free_pages 0 54352 NULL nohasharray
-+_osd_realloc_seg_54352 _osd_realloc_seg 3 54352 &__get_free_pages_54352
++_osd_realloc_seg_54352 _osd_realloc_seg 3 54352 NULL nohasharray
++__get_free_pages_54352 __get_free_pages 0 54352 &_osd_realloc_seg_54352
 +tcf_hash_create_54360 tcf_hash_create 4 54360 NULL
 +read_file_credit_dist_stats_54367 read_file_credit_dist_stats 3 54367 NULL
 +vfs_readlink_54368 vfs_readlink 3 54368 NULL
@@ -112628,8 +112266,8 @@ index 0000000..c4e61fd
 +pvr2_debugifc_print_status_56890 pvr2_debugifc_print_status 3 56890 NULL
 +__bitmap_clear_bits_56912 __bitmap_clear_bits 3 56912 NULL
 +__kfifo_out_56927 __kfifo_out 0-3 56927 NULL
-+CopyBufferToControlPacket_56933 CopyBufferToControlPacket 0 56933 NULL nohasharray
-+journal_init_revoke_56933 journal_init_revoke 2 56933 &CopyBufferToControlPacket_56933
++journal_init_revoke_56933 journal_init_revoke 2 56933 NULL nohasharray
++CopyBufferToControlPacket_56933 CopyBufferToControlPacket 0 56933 &journal_init_revoke_56933
 +diva_get_driver_info_56967 diva_get_driver_info 0 56967 NULL
 +vlsi_alloc_ring_57003 vlsi_alloc_ring 3-4 57003 NULL
 +btrfs_super_csum_size_57004 btrfs_super_csum_size 0 57004 NULL
@@ -112723,8 +112361,8 @@ index 0000000..c4e61fd
 +tt_response_fill_table_57902 tt_response_fill_table 1 57902 NULL
 +xt_alloc_table_info_57903 xt_alloc_table_info 1 57903 NULL
 +emi26_writememory_57908 emi26_writememory 4 57908 NULL
-+iio_read_first_n_kfifo_57910 iio_read_first_n_kfifo 2 57910 NULL nohasharray
-+atomic_add_return_unchecked_57910 atomic_add_return_unchecked 0-1 57910 &iio_read_first_n_kfifo_57910
++atomic_add_return_unchecked_57910 atomic_add_return_unchecked 0-1 57910 NULL nohasharray
++iio_read_first_n_kfifo_57910 iio_read_first_n_kfifo 2 57910 &atomic_add_return_unchecked_57910
 +__snd_gf1_look16_57925 __snd_gf1_look16 0 57925 NULL
 +sel_read_handle_unknown_57933 sel_read_handle_unknown 3 57933 NULL
 +xfs_mru_cache_create_57943 xfs_mru_cache_create 3 57943 NULL
@@ -112917,8 +112555,8 @@ index 0000000..c4e61fd
 +sys_sched_getaffinity_60033 sys_sched_getaffinity 2 60033 NULL
 +bio_integrity_hw_sectors_60039 bio_integrity_hw_sectors 0-2 60039 NULL
 +do_ip6t_set_ctl_60040 do_ip6t_set_ctl 4 60040 NULL
-+pin_2_irq_60050 pin_2_irq 0-3 60050 NULL nohasharray
-+vcs_size_60050 vcs_size 0 60050 &pin_2_irq_60050
++vcs_size_60050 vcs_size 0 60050 NULL nohasharray
++pin_2_irq_60050 pin_2_irq 0-3 60050 &vcs_size_60050
 +load_module_60056 load_module 2 60056 NULL nohasharray
 +gru_alloc_gts_60056 gru_alloc_gts 3-2 60056 &load_module_60056
 +compat_writev_60063 compat_writev 3 60063 NULL
@@ -113098,6 +112736,7 @@ index 0000000..c4e61fd
 +pcpu_alloc_bootmem_62074 pcpu_alloc_bootmem 2 62074 NULL
 +get_domain_for_dev_62099 get_domain_for_dev 2 62099 NULL
 +jffs2_security_setxattr_62107 jffs2_security_setxattr 4 62107 NULL
++ip_recv_error_62117 ip_recv_error 3 62117 NULL
 +generic_block_fiemap_62122 generic_block_fiemap 4 62122 NULL
 +llc_ui_header_len_62131 llc_ui_header_len 0 62131 NULL
 +qib_diag_write_62133 qib_diag_write 3 62133 NULL nohasharray
@@ -117973,7 +117612,7 @@ index 547628e..74de9f2 100644
 +
  #endif
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 8bf05f0..e097f17 100644
+index d83aa5e..e097f17 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -75,12 +75,17 @@ LIST_HEAD(vm_list);
@@ -118005,67 +117644,7 @@ index 8bf05f0..e097f17 100644
  			(void __user *)(unsigned long)mem->userspace_addr,
  			mem->memory_size)))
  		goto out;
-@@ -774,7 +779,7 @@ skip_lpage:
- 		new.userspace_addr = mem->userspace_addr;
- #endif /* not defined CONFIG_S390 */
- 
--	if (!npages) {
-+	if (!npages || base_gfn != old.base_gfn) {
- 		r = -ENOMEM;
- 		slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL);
- 		if (!slots)
-@@ -788,8 +793,10 @@ skip_lpage:
- 		old_memslots = kvm->memslots;
- 		rcu_assign_pointer(kvm->memslots, slots);
- 		synchronize_srcu_expedited(&kvm->srcu);
--		/* From this point no new shadow pages pointing to a deleted
--		 * memslot will be created.
-+		/* slot was deleted or moved, clear iommu mapping */
-+		kvm_iommu_unmap_pages(kvm, &old);
-+		/* From this point no new shadow pages pointing to a deleted,
-+		 * or moved, memslot will be created.
- 		 *
- 		 * validation of sp->gfn happens in:
- 		 * 	- gfn_to_hva (kvm_read_guest, gfn_to_pfn)
-@@ -803,14 +810,6 @@ skip_lpage:
- 	if (r)
- 		goto out_free;
- 
--	/* map/unmap the pages in iommu page table */
--	if (npages) {
--		r = kvm_iommu_map_pages(kvm, &new);
--		if (r)
--			goto out_free;
--	} else
--		kvm_iommu_unmap_pages(kvm, &old);
--
- 	r = -ENOMEM;
- 	slots = kzalloc(sizeof(struct kvm_memslots), GFP_KERNEL);
- 	if (!slots)
-@@ -820,6 +819,13 @@ skip_lpage:
- 		slots->nmemslots = mem->slot + 1;
- 	slots->generation++;
- 
-+	/* map new memory slot into the iommu */
-+	if (npages) {
-+		r = kvm_iommu_map_pages(kvm, &new);
-+		if (r)
-+			goto out_slots;
-+	}
-+
- 	/* actual memory is freed via old in kvm_free_physmem_slot below */
- 	if (!npages) {
- 		new.rmap = NULL;
-@@ -847,6 +853,8 @@ skip_lpage:
- 
- 	return 0;
- 
-+out_slots:
-+	kfree(slots);
- out_free:
- 	kvm_free_physmem_slot(&new, &old);
- out:
-@@ -1657,7 +1665,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
+@@ -1660,7 +1665,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
  	return 0;
  }
  
@@ -118074,17 +117653,7 @@ index 8bf05f0..e097f17 100644
  	.release        = kvm_vcpu_release,
  	.unlocked_ioctl = kvm_vcpu_ioctl,
  #ifdef CONFIG_COMPAT
-@@ -1683,6 +1691,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
- 	int r;
- 	struct kvm_vcpu *vcpu, *v;
- 
-+	if (id >= KVM_MAX_VCPUS)
-+		return -EINVAL;
-+
- 	vcpu = kvm_arch_vcpu_create(kvm, id);
- 	if (IS_ERR(vcpu))
- 		return PTR_ERR(vcpu);
-@@ -2177,7 +2188,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma)
+@@ -2183,7 +2188,7 @@ static int kvm_vm_mmap(struct file *file, struct vm_area_struct *vma)
  	return 0;
  }
  
@@ -118093,7 +117662,7 @@ index 8bf05f0..e097f17 100644
  	.release        = kvm_vm_release,
  	.unlocked_ioctl = kvm_vm_ioctl,
  #ifdef CONFIG_COMPAT
-@@ -2275,7 +2286,7 @@ out:
+@@ -2281,7 +2286,7 @@ out:
  	return r;
  }
  
@@ -118102,7 +117671,7 @@ index 8bf05f0..e097f17 100644
  	.unlocked_ioctl = kvm_dev_ioctl,
  	.compat_ioctl   = kvm_dev_ioctl,
  	.llseek		= noop_llseek,
-@@ -2301,7 +2312,7 @@ static void hardware_enable_nolock(void *junk)
+@@ -2307,7 +2312,7 @@ static void hardware_enable_nolock(void *junk)
  
  	if (r) {
  		cpumask_clear_cpu(cpu, cpus_hardware_enabled);
@@ -118111,7 +117680,7 @@ index 8bf05f0..e097f17 100644
  		printk(KERN_INFO "kvm: enabling virtualization on "
  				 "CPU%d failed\n", cpu);
  	}
-@@ -2355,10 +2366,10 @@ static int hardware_enable_all(void)
+@@ -2361,10 +2366,10 @@ static int hardware_enable_all(void)
  
  	kvm_usage_count++;
  	if (kvm_usage_count == 1) {
@@ -118124,7 +117693,7 @@ index 8bf05f0..e097f17 100644
  			hardware_disable_all_nolock();
  			r = -EBUSY;
  		}
-@@ -2709,7 +2720,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
+@@ -2715,7 +2720,7 @@ static void kvm_sched_out(struct preempt_notifier *pn,
  	kvm_arch_vcpu_put(vcpu);
  }
  
@@ -118133,7 +117702,7 @@ index 8bf05f0..e097f17 100644
  		  struct module *module)
  {
  	int r;
-@@ -2772,7 +2783,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2778,7 +2783,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (!vcpu_align)
  		vcpu_align = __alignof__(struct kvm_vcpu);
  	kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
@@ -118142,7 +117711,7 @@ index 8bf05f0..e097f17 100644
  	if (!kvm_vcpu_cache) {
  		r = -ENOMEM;
  		goto out_free_3;
-@@ -2782,9 +2793,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2788,9 +2793,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  	if (r)
  		goto out_free;
  
@@ -118154,7 +117723,7 @@ index 8bf05f0..e097f17 100644
  
  	r = misc_register(&kvm_dev);
  	if (r) {
-@@ -2794,9 +2807,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -2800,9 +2807,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
  
  	register_syscore_ops(&kvm_syscore_ops);
  
diff --git a/3.2.53/4425_grsec_remove_EI_PAX.patch b/3.2.54/4425_grsec_remove_EI_PAX.patch
index 415fda5..415fda5 100644
--- a/3.2.53/4425_grsec_remove_EI_PAX.patch
+++ b/3.2.54/4425_grsec_remove_EI_PAX.patch
diff --git a/3.2.53/4427_force_XATTR_PAX_tmpfs.patch b/3.2.54/4427_force_XATTR_PAX_tmpfs.patch
index 8c7a533..8c7a533 100644
--- a/3.2.53/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.2.54/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.2.53/4430_grsec-remove-localversion-grsec.patch b/3.2.54/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.2.53/4430_grsec-remove-localversion-grsec.patch
+++ b/3.2.54/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.53/4435_grsec-mute-warnings.patch b/3.2.54/4435_grsec-mute-warnings.patch
index f099757..f099757 100644
--- a/3.2.53/4435_grsec-mute-warnings.patch
+++ b/3.2.54/4435_grsec-mute-warnings.patch
diff --git a/3.2.53/4440_grsec-remove-protected-paths.patch b/3.2.54/4440_grsec-remove-protected-paths.patch
index 05710b1..05710b1 100644
--- a/3.2.53/4440_grsec-remove-protected-paths.patch
+++ b/3.2.54/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.53/4450_grsec-kconfig-default-gids.patch b/3.2.54/4450_grsec-kconfig-default-gids.patch
index 8c7b0b2..55a02aa 100644
--- a/3.2.53/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.54/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2012-10-13 09:51:35.000000000 -0400
 +++ b/grsecurity/Kconfig	2012-10-13 09:52:32.000000000 -0400
-@@ -612,7 +612,7 @@
+@@ -617,7 +617,7 @@
  config GRKERNSEC_AUDIT_GID
  	int "GID for auditing"
  	depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  
  config GRKERNSEC_EXECLOG
  	bool "Exec logging"
-@@ -821,7 +821,7 @@
+@@ -826,7 +826,7 @@
  config GRKERNSEC_TPE_UNTRUSTED_GID
  	int "GID for TPE-untrusted users"
  	depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *enabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -830,7 +830,7 @@
+@@ -835,7 +835,7 @@
  config GRKERNSEC_TPE_TRUSTED_GID
  	int "GID for TPE-trusted users"
  	depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Setting this GID determines what group TPE restrictions will be
  	  *disabled* for.  If the sysctl option is enabled, a sysctl option
-@@ -923,7 +923,7 @@
+@@ -928,7 +928,7 @@
  config GRKERNSEC_SOCKET_ALL_GID
  	int "GID to deny all sockets for"
  	depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable socket access for. Remember to
  	  add the users you want socket access disabled for to the GID
-@@ -944,7 +944,7 @@
+@@ -949,7 +949,7 @@
  config GRKERNSEC_SOCKET_CLIENT_GID
  	int "GID to deny client sockets for"
  	depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
  	help
  	  Here you can choose the GID to disable client socket access for.
  	  Remember to add the users you want client socket access disabled for to
-@@ -962,7 +962,7 @@
+@@ -967,7 +967,7 @@
  config GRKERNSEC_SOCKET_SERVER_GID
  	int "GID to deny server sockets for"
  	depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.2.53/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.54/4465_selinux-avc_audit-log-curr_ip.patch
index 687ae4c..a946b66 100644
--- a/3.2.53/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.54/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
 diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
 --- a/grsecurity/Kconfig	2011-04-17 19:25:54.000000000 -0400
 +++ b/grsecurity/Kconfig	2011-04-17 19:32:53.000000000 -0400
-@@ -1057,6 +1057,27 @@
+@@ -1062,6 +1062,27 @@
  menu "Logging Options"
  depends on GRKERNSEC
  
diff --git a/3.2.53/4470_disable-compat_vdso.patch b/3.2.54/4470_disable-compat_vdso.patch
index 6905571..6905571 100644
--- a/3.2.53/4470_disable-compat_vdso.patch
+++ b/3.2.54/4470_disable-compat_vdso.patch
diff --git a/3.2.53/4475_emutramp_default_on.patch b/3.2.54/4475_emutramp_default_on.patch
index cfde6f8..cfde6f8 100644
--- a/3.2.53/4475_emutramp_default_on.patch
+++ b/3.2.54/4475_emutramp_default_on.patch