Grsec/PaX: 3.1-{3.2.69,3.14.41,4.0.2}-20150510112220150510

63 files changed, 7087 insertions, 1249 deletions

diff --git a/3.14.41/0000_README b/3.14.41/0000_README
index 77861d5..74f54d4 100644
--- a/3.14.41/0000_README
+++ b/3.14.41/0000_README
@@ -6,7 +6,7 @@ Patch:	1040_linux-3.14.41.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.14.41
 
-Patch:	4420_grsecurity-3.1-3.14.41-201505091723.patch
+Patch:	4420_grsecurity-3.1-3.14.41-201505101121.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.14.41/4420_grsecurity-3.1-3.14.41-201505091723.patch b/3.14.41/4420_grsecurity-3.1-3.14.41-201505101121.patch
index 9842fc2..4c28919 100644
--- a/3.14.41/4420_grsecurity-3.1-3.14.41-201505091723.patch
+++ b/3.14.41/4420_grsecurity-3.1-3.14.41-201505101121.patch
@@ -49025,6 +49025,28 @@ index a2515887..6d13233 100644
  	dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
  
  	/* we will have to manufacture ethernet headers, prepare template */
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index f9e96c4..6b1faeb 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1262,7 +1262,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
+ 				     struct net_device *net)
+ {
+ 	struct usbnet		*dev = netdev_priv(net);
+-	int			length;
++	unsigned int			length;
+ 	struct urb		*urb = NULL;
+ 	struct skb_data		*entry;
+ 	struct driver_info	*info = dev->driver_info;
+@@ -1378,7 +1378,7 @@ not_drop:
+ 		}
+ 	} else
+ 		netif_dbg(dev, tx_queued, dev->net,
+-			  "> tx, len %d, type 0x%x\n", length, skb->protocol);
++			  "> tx, len %u, type 0x%x\n", length, skb->protocol);
+ #ifdef CONFIG_PM
+ deferred:
+ #endif
 diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
 index 841b608..198a8b7 100644
 --- a/drivers/net/virtio_net.c
@@ -65590,7 +65612,7 @@ index ccb8000..ac58c5a 100644
  out:
  	return len;
 diff --git a/fs/namespace.c b/fs/namespace.c
-index 039f380..4239636 100644
+index 039f380..66bad91 100644
 --- a/fs/namespace.c
 +++ b/fs/namespace.c
 @@ -1373,6 +1373,9 @@ static int do_umount(struct mount *mnt, int flags)
@@ -65708,7 +65730,20 @@ index 039f380..4239636 100644
  	get_fs_root(current->fs, &root);
  	old_mp = lock_mount(&old);
  	error = PTR_ERR(old_mp);
-@@ -3076,7 +3100,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
+@@ -3025,6 +3049,12 @@ bool fs_fully_visible(struct file_system_type *type)
+ 		if (mnt->mnt.mnt_sb->s_type != type)
+ 			continue;
+ 
++		/* This mount is not fully visible if it's root directory
++		 * is not the root directory of the filesystem.
++		 */
++		if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
++			continue;
++
+ 		/* This mount is not fully visible if there are any child mounts
+ 		 * that cover anything except for empty directories.
+ 		 */
+@@ -3076,7 +3106,7 @@ static int mntns_install(struct nsproxy *nsproxy, void *ns)
  	    !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
  		return -EPERM;
  
diff --git a/3.2.68/0000_README b/3.2.69/0000_README
index fb78cb8..7967083 100644
--- a/3.2.68/0000_README
+++ b/3.2.69/0000_README
@@ -190,7 +190,11 @@ Patch:	1067_linux-3.2.68.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.68
 
-Patch:	4420_grsecurity-3.1-3.2.68-201505091720.patch
+Patch:	1068_linux-3.2.69.patch
+From:	http://www.kernel.org
+Desc:	Linux 3.2.69
+
+Patch:	4420_grsecurity-3.1-3.2.69-201505101117.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.68/1021_linux-3.2.22.patch b/3.2.69/1021_linux-3.2.22.patch
index e6ad93a..e6ad93a 100644
--- a/3.2.68/1021_linux-3.2.22.patch
+++ b/3.2.69/1021_linux-3.2.22.patch
diff --git a/3.2.68/1022_linux-3.2.23.patch b/3.2.69/1022_linux-3.2.23.patch
index 3d796d0..3d796d0 100644
--- a/3.2.68/1022_linux-3.2.23.patch
+++ b/3.2.69/1022_linux-3.2.23.patch
diff --git a/3.2.68/1023_linux-3.2.24.patch b/3.2.69/1023_linux-3.2.24.patch
index 4692eb4..4692eb4 100644
--- a/3.2.68/1023_linux-3.2.24.patch
+++ b/3.2.69/1023_linux-3.2.24.patch
diff --git a/3.2.68/1024_linux-3.2.25.patch b/3.2.69/1024_linux-3.2.25.patch
index e95c213..e95c213 100644
--- a/3.2.68/1024_linux-3.2.25.patch
+++ b/3.2.69/1024_linux-3.2.25.patch
diff --git a/3.2.68/1025_linux-3.2.26.patch b/3.2.69/1025_linux-3.2.26.patch
index 44065b9..44065b9 100644
--- a/3.2.68/1025_linux-3.2.26.patch
+++ b/3.2.69/1025_linux-3.2.26.patch
diff --git a/3.2.68/1026_linux-3.2.27.patch b/3.2.69/1026_linux-3.2.27.patch
index 5878eb4..5878eb4 100644
--- a/3.2.68/1026_linux-3.2.27.patch
+++ b/3.2.69/1026_linux-3.2.27.patch
diff --git a/3.2.68/1027_linux-3.2.28.patch b/3.2.69/1027_linux-3.2.28.patch
index 4dbba4b..4dbba4b 100644
--- a/3.2.68/1027_linux-3.2.28.patch
+++ b/3.2.69/1027_linux-3.2.28.patch
diff --git a/3.2.68/1028_linux-3.2.29.patch b/3.2.69/1028_linux-3.2.29.patch
index 3c65179..3c65179 100644
--- a/3.2.68/1028_linux-3.2.29.patch
+++ b/3.2.69/1028_linux-3.2.29.patch
diff --git a/3.2.68/1029_linux-3.2.30.patch b/3.2.69/1029_linux-3.2.30.patch
index 86aea4b..86aea4b 100644
--- a/3.2.68/1029_linux-3.2.30.patch
+++ b/3.2.69/1029_linux-3.2.30.patch
diff --git a/3.2.68/1030_linux-3.2.31.patch b/3.2.69/1030_linux-3.2.31.patch
index c6accf5..c6accf5 100644
--- a/3.2.68/1030_linux-3.2.31.patch
+++ b/3.2.69/1030_linux-3.2.31.patch
diff --git a/3.2.68/1031_linux-3.2.32.patch b/3.2.69/1031_linux-3.2.32.patch
index 247fc0b..247fc0b 100644
--- a/3.2.68/1031_linux-3.2.32.patch
+++ b/3.2.69/1031_linux-3.2.32.patch
diff --git a/3.2.68/1032_linux-3.2.33.patch b/3.2.69/1032_linux-3.2.33.patch
index c32fb75..c32fb75 100644
--- a/3.2.68/1032_linux-3.2.33.patch
+++ b/3.2.69/1032_linux-3.2.33.patch
diff --git a/3.2.68/1033_linux-3.2.34.patch b/3.2.69/1033_linux-3.2.34.patch
index d647b38..d647b38 100644
--- a/3.2.68/1033_linux-3.2.34.patch
+++ b/3.2.69/1033_linux-3.2.34.patch
diff --git a/3.2.68/1034_linux-3.2.35.patch b/3.2.69/1034_linux-3.2.35.patch
index 76a9c19..76a9c19 100644
--- a/3.2.68/1034_linux-3.2.35.patch
+++ b/3.2.69/1034_linux-3.2.35.patch
diff --git a/3.2.68/1035_linux-3.2.36.patch b/3.2.69/1035_linux-3.2.36.patch
index 5d192a3..5d192a3 100644
--- a/3.2.68/1035_linux-3.2.36.patch
+++ b/3.2.69/1035_linux-3.2.36.patch
diff --git a/3.2.68/1036_linux-3.2.37.patch b/3.2.69/1036_linux-3.2.37.patch
index ad13251..ad13251 100644
--- a/3.2.68/1036_linux-3.2.37.patch
+++ b/3.2.69/1036_linux-3.2.37.patch
diff --git a/3.2.68/1037_linux-3.2.38.patch b/3.2.69/1037_linux-3.2.38.patch
index a3c106f..a3c106f 100644
--- a/3.2.68/1037_linux-3.2.38.patch
+++ b/3.2.69/1037_linux-3.2.38.patch
diff --git a/3.2.68/1038_linux-3.2.39.patch b/3.2.69/1038_linux-3.2.39.patch
index 5639e92..5639e92 100644
--- a/3.2.68/1038_linux-3.2.39.patch
+++ b/3.2.69/1038_linux-3.2.39.patch
diff --git a/3.2.68/1039_linux-3.2.40.patch b/3.2.69/1039_linux-3.2.40.patch
index f26b39c..f26b39c 100644
--- a/3.2.68/1039_linux-3.2.40.patch
+++ b/3.2.69/1039_linux-3.2.40.patch
diff --git a/3.2.68/1040_linux-3.2.41.patch b/3.2.69/1040_linux-3.2.41.patch
index 0d27fcb..0d27fcb 100644
--- a/3.2.68/1040_linux-3.2.41.patch
+++ b/3.2.69/1040_linux-3.2.41.patch
diff --git a/3.2.68/1041_linux-3.2.42.patch b/3.2.69/1041_linux-3.2.42.patch
index 77a08ed..77a08ed 100644
--- a/3.2.68/1041_linux-3.2.42.patch
+++ b/3.2.69/1041_linux-3.2.42.patch
diff --git a/3.2.68/1042_linux-3.2.43.patch b/3.2.69/1042_linux-3.2.43.patch
index a3f878b..a3f878b 100644
--- a/3.2.68/1042_linux-3.2.43.patch
+++ b/3.2.69/1042_linux-3.2.43.patch
diff --git a/3.2.68/1043_linux-3.2.44.patch b/3.2.69/1043_linux-3.2.44.patch
index 3d5e6ff..3d5e6ff 100644
--- a/3.2.68/1043_linux-3.2.44.patch
+++ b/3.2.69/1043_linux-3.2.44.patch
diff --git a/3.2.68/1044_linux-3.2.45.patch b/3.2.69/1044_linux-3.2.45.patch
index 44e1767..44e1767 100644
--- a/3.2.68/1044_linux-3.2.45.patch
+++ b/3.2.69/1044_linux-3.2.45.patch
diff --git a/3.2.68/1045_linux-3.2.46.patch b/3.2.69/1045_linux-3.2.46.patch
index bc10efd..bc10efd 100644
--- a/3.2.68/1045_linux-3.2.46.patch
+++ b/3.2.69/1045_linux-3.2.46.patch
diff --git a/3.2.68/1046_linux-3.2.47.patch b/3.2.69/1046_linux-3.2.47.patch
index b74563c..b74563c 100644
--- a/3.2.68/1046_linux-3.2.47.patch
+++ b/3.2.69/1046_linux-3.2.47.patch
diff --git a/3.2.68/1047_linux-3.2.48.patch b/3.2.69/1047_linux-3.2.48.patch
index 6d55b1f..6d55b1f 100644
--- a/3.2.68/1047_linux-3.2.48.patch
+++ b/3.2.69/1047_linux-3.2.48.patch
diff --git a/3.2.68/1048_linux-3.2.49.patch b/3.2.69/1048_linux-3.2.49.patch
index 2dab0cf..2dab0cf 100644
--- a/3.2.68/1048_linux-3.2.49.patch
+++ b/3.2.69/1048_linux-3.2.49.patch
diff --git a/3.2.68/1049_linux-3.2.50.patch b/3.2.69/1049_linux-3.2.50.patch
index 20b3015..20b3015 100644
--- a/3.2.68/1049_linux-3.2.50.patch
+++ b/3.2.69/1049_linux-3.2.50.patch
diff --git a/3.2.68/1050_linux-3.2.51.patch b/3.2.69/1050_linux-3.2.51.patch
index 5d5832b..5d5832b 100644
--- a/3.2.68/1050_linux-3.2.51.patch
+++ b/3.2.69/1050_linux-3.2.51.patch
diff --git a/3.2.68/1051_linux-3.2.52.patch b/3.2.69/1051_linux-3.2.52.patch
index 94b9359..94b9359 100644
--- a/3.2.68/1051_linux-3.2.52.patch
+++ b/3.2.69/1051_linux-3.2.52.patch
diff --git a/3.2.68/1052_linux-3.2.53.patch b/3.2.69/1052_linux-3.2.53.patch
index 986d714..986d714 100644
--- a/3.2.68/1052_linux-3.2.53.patch
+++ b/3.2.69/1052_linux-3.2.53.patch
diff --git a/3.2.68/1053_linux-3.2.54.patch b/3.2.69/1053_linux-3.2.54.patch
index a907496..a907496 100644
--- a/3.2.68/1053_linux-3.2.54.patch
+++ b/3.2.69/1053_linux-3.2.54.patch
diff --git a/3.2.68/1054_linux-3.2.55.patch b/3.2.69/1054_linux-3.2.55.patch
index 6071ff5..6071ff5 100644
--- a/3.2.68/1054_linux-3.2.55.patch
+++ b/3.2.69/1054_linux-3.2.55.patch
diff --git a/3.2.68/1055_linux-3.2.56.patch b/3.2.69/1055_linux-3.2.56.patch
index 2e8239c..2e8239c 100644
--- a/3.2.68/1055_linux-3.2.56.patch
+++ b/3.2.69/1055_linux-3.2.56.patch
diff --git a/3.2.68/1056_linux-3.2.57.patch b/3.2.69/1056_linux-3.2.57.patch
index 7b8f174..7b8f174 100644
--- a/3.2.68/1056_linux-3.2.57.patch
+++ b/3.2.69/1056_linux-3.2.57.patch
diff --git a/3.2.68/1057_linux-3.2.58.patch b/3.2.69/1057_linux-3.2.58.patch
index db5723a..db5723a 100644
--- a/3.2.68/1057_linux-3.2.58.patch
+++ b/3.2.69/1057_linux-3.2.58.patch
diff --git a/3.2.68/1058_linux-3.2.59.patch b/3.2.69/1058_linux-3.2.59.patch
index cd59fe9..cd59fe9 100644
--- a/3.2.68/1058_linux-3.2.59.patch
+++ b/3.2.69/1058_linux-3.2.59.patch
diff --git a/3.2.68/1059_linux-3.2.60.patch b/3.2.69/1059_linux-3.2.60.patch
index c5a9389..c5a9389 100644
--- a/3.2.68/1059_linux-3.2.60.patch
+++ b/3.2.69/1059_linux-3.2.60.patch
diff --git a/3.2.68/1060_linux-3.2.61.patch b/3.2.69/1060_linux-3.2.61.patch
index a1bf580..a1bf580 100644
--- a/3.2.68/1060_linux-3.2.61.patch
+++ b/3.2.69/1060_linux-3.2.61.patch
diff --git a/3.2.68/1061_linux-3.2.62.patch b/3.2.69/1061_linux-3.2.62.patch
index 34217f0..34217f0 100644
--- a/3.2.68/1061_linux-3.2.62.patch
+++ b/3.2.69/1061_linux-3.2.62.patch
diff --git a/3.2.68/1062_linux-3.2.63.patch b/3.2.69/1062_linux-3.2.63.patch
index f7c7415..f7c7415 100644
--- a/3.2.68/1062_linux-3.2.63.patch
+++ b/3.2.69/1062_linux-3.2.63.patch
diff --git a/3.2.68/1063_linux-3.2.64.patch b/3.2.69/1063_linux-3.2.64.patch
index 862b4f0..862b4f0 100644
--- a/3.2.68/1063_linux-3.2.64.patch
+++ b/3.2.69/1063_linux-3.2.64.patch
diff --git a/3.2.68/1064_linux-3.2.65.patch b/3.2.69/1064_linux-3.2.65.patch
index c3ae4fa..c3ae4fa 100644
--- a/3.2.68/1064_linux-3.2.65.patch
+++ b/3.2.69/1064_linux-3.2.65.patch
diff --git a/3.2.68/1065_linux-3.2.66.patch b/3.2.69/1065_linux-3.2.66.patch
index 73fa646..73fa646 100644
--- a/3.2.68/1065_linux-3.2.66.patch
+++ b/3.2.69/1065_linux-3.2.66.patch
diff --git a/3.2.68/1066_linux-3.2.67.patch b/3.2.69/1066_linux-3.2.67.patch
index c0a9278..c0a9278 100644
--- a/3.2.68/1066_linux-3.2.67.patch
+++ b/3.2.69/1066_linux-3.2.67.patch
diff --git a/3.2.68/1067_linux-3.2.68.patch b/3.2.69/1067_linux-3.2.68.patch
index 200e8b8..200e8b8 100644
--- a/3.2.68/1067_linux-3.2.68.patch
+++ b/3.2.69/1067_linux-3.2.68.patch
diff --git a/3.2.69/1068_linux-3.2.69.patch b/3.2.69/1068_linux-3.2.69.patch
new file mode 100644
index 0000000..8848e8e
--- /dev/null
+++ b/3.2.69/1068_linux-3.2.69.patch
@@ -0,0 +1,6606 @@
+diff --git a/Documentation/usb/usb-serial.txt b/Documentation/usb/usb-serial.txt
+index 5bd7926..947fa62 100644
+--- a/Documentation/usb/usb-serial.txt
++++ b/Documentation/usb/usb-serial.txt
+@@ -145,7 +145,7 @@ Keyspan PDA Serial Adapter
+   Single port DB-9 serial adapter, pushed as a PDA adapter for iMacs (mostly
+   sold in Macintosh catalogs, comes in a translucent white/green dongle).
+   Fairly simple device. Firmware is homebrew.
+-  This driver also works for the Xircom/Entrgra single port serial adapter.
++  This driver also works for the Xircom/Entrega single port serial adapter.
+ 
+   Current status:
+    Things that work:
+diff --git a/Makefile b/Makefile
+index 2e7cbda..8071888 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 2
+-SUBLEVEL = 68
++SUBLEVEL = 69
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+ 
+diff --git a/arch/arm/mach-pxa/corgi.c b/arch/arm/mach-pxa/corgi.c
+index 549468d..e1715af 100644
+--- a/arch/arm/mach-pxa/corgi.c
++++ b/arch/arm/mach-pxa/corgi.c
+@@ -26,6 +26,7 @@
+ #include <linux/i2c.h>
+ #include <linux/i2c/pxa-i2c.h>
+ #include <linux/io.h>
++#include <linux/regulator/machine.h>
+ #include <linux/spi/spi.h>
+ #include <linux/spi/ads7846.h>
+ #include <linux/spi/corgi_lcd.h>
+@@ -704,6 +705,8 @@ static void __init corgi_init(void)
+ 		sharpsl_nand_partitions[1].size = 53 * 1024 * 1024;
+ 
+ 	platform_add_devices(devices, ARRAY_SIZE(devices));
++
++	regulator_has_full_constraints();
+ }
+ 
+ static void __init fixup_corgi(struct tag *tags, char **cmdline,
+diff --git a/arch/arm/mach-pxa/hx4700.c b/arch/arm/mach-pxa/hx4700.c
+index 6f6368e..a7be979 100644
+--- a/arch/arm/mach-pxa/hx4700.c
++++ b/arch/arm/mach-pxa/hx4700.c
+@@ -835,6 +835,8 @@ static void __init hx4700_init(void)
+ 	mdelay(10);
+ 	gpio_set_value(GPIO71_HX4700_ASIC3_nRESET, 1);
+ 	mdelay(10);
++
++	regulator_has_full_constraints();
+ }
+ 
+ MACHINE_START(H4700, "HP iPAQ HX4700")
+diff --git a/arch/arm/mach-pxa/poodle.c b/arch/arm/mach-pxa/poodle.c
+index 50c8331..fb645f4 100644
+--- a/arch/arm/mach-pxa/poodle.c
++++ b/arch/arm/mach-pxa/poodle.c
+@@ -25,6 +25,7 @@
+ #include <linux/gpio.h>
+ #include <linux/i2c.h>
+ #include <linux/i2c/pxa-i2c.h>
++#include <linux/regulator/machine.h>
+ #include <linux/spi/spi.h>
+ #include <linux/spi/ads7846.h>
+ #include <linux/spi/pxa2xx_spi.h>
+@@ -453,6 +454,7 @@ static void __init poodle_init(void)
+ 	pxa_set_i2c_info(NULL);
+ 	i2c_register_board_info(0, ARRAY_AND_SIZE(poodle_i2c_devices));
+ 	poodle_init_spi();
++	regulator_has_full_constraints();
+ }
+ 
+ static void __init fixup_poodle(struct tag *tags, char **cmdline,
+diff --git a/arch/arm/mach-pxa/spitz.c b/arch/arm/mach-pxa/spitz.c
+index 953a919..0451bbd 100644
+--- a/arch/arm/mach-pxa/spitz.c
++++ b/arch/arm/mach-pxa/spitz.c
+@@ -969,6 +969,8 @@ static void __init spitz_init(void)
+ 	spitz_nor_init();
+ 	spitz_nand_init();
+ 	spitz_i2c_init();
++
++	regulator_has_full_constraints();
+ }
+ 
+ static void __init spitz_fixup(struct tag *tags, char **cmdline,
+diff --git a/arch/arm/mach-sa1100/pm.c b/arch/arm/mach-sa1100/pm.c
+index bf85b8b..66c4845 100644
+--- a/arch/arm/mach-sa1100/pm.c
++++ b/arch/arm/mach-sa1100/pm.c
+@@ -81,6 +81,7 @@ static int sa11x0_pm_enter(suspend_state_t state)
+ 	/*
+ 	 * Ensure not to come back here if it wasn't intended
+ 	 */
++	RCSR = RCSR_SMR;
+ 	PSPR = 0;
+ 
+ 	/*
+diff --git a/arch/powerpc/sysdev/axonram.c b/arch/powerpc/sysdev/axonram.c
+index ba42719..9befade 100644
+--- a/arch/powerpc/sysdev/axonram.c
++++ b/arch/powerpc/sysdev/axonram.c
+@@ -156,7 +156,7 @@ axon_ram_direct_access(struct block_device *device, sector_t sector,
+ 	}
+ 
+ 	*kaddr = (void *)(bank->ph_addr + offset);
+-	*pfn = virt_to_phys(kaddr) >> PAGE_SHIFT;
++	*pfn = virt_to_phys(*kaddr) >> PAGE_SHIFT;
+ 
+ 	return 0;
+ }
+diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
+index bc486d0..a5f6eff 100644
+--- a/arch/s390/kvm/intercept.c
++++ b/arch/s390/kvm/intercept.c
+@@ -58,7 +58,6 @@ static int handle_lctlg(struct kvm_vcpu *vcpu)
+ 			break;
+ 		reg = (reg + 1) % 16;
+ 	} while (1);
+-	kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
+ 	return 0;
+ }
+ 
+@@ -98,7 +97,6 @@ static int handle_lctl(struct kvm_vcpu *vcpu)
+ 			break;
+ 		reg = (reg + 1) % 16;
+ 	} while (1);
+-	kvm_make_request(KVM_REQ_TLB_FLUSH, vcpu);
+ 	return 0;
+ }
+ 
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index f6f41dd..b96b4de 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -311,7 +311,7 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
+ 	vcpu->arch.sie_block->ecb   = 6;
+ 	vcpu->arch.sie_block->eca   = 0xC1002001U;
+ 	vcpu->arch.sie_block->fac   = (int) (long) facilities;
+-	hrtimer_init(&vcpu->arch.ckc_timer, CLOCK_REALTIME, HRTIMER_MODE_ABS);
++	hrtimer_init(&vcpu->arch.ckc_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
+ 	tasklet_init(&vcpu->arch.tasklet, kvm_s390_tasklet,
+ 		     (unsigned long) vcpu);
+ 	vcpu->arch.ckc_timer.function = kvm_s390_idle_wakeup;
+diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
+index 16acf68..3b3a62f 100644
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -1202,7 +1202,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
+ 		src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
+ 		if (!src)
+ 			return -ENOMEM;
+-		assoc = (src + req->cryptlen + auth_tag_len);
++		assoc = (src + req->cryptlen);
+ 		scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
+ 		scatterwalk_map_and_copy(assoc, req->assoc, 0,
+ 			req->assoclen, 0);
+@@ -1227,7 +1227,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
+ 		scatterwalk_done(&src_sg_walk, 0, 0);
+ 		scatterwalk_done(&assoc_sg_walk, 0, 0);
+ 	} else {
+-		scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
++		scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
+ 		kfree(src);
+ 	}
+ 	return retval;
+diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
+index 9d28dba..8d15c69 100644
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -414,11 +414,14 @@ ENTRY(ret_from_fork)
+ 	testl $3, CS-ARGOFFSET(%rsp)		# from kernel_thread?
+ 	je   int_ret_from_sys_call
+ 
+-	testl $_TIF_IA32, TI_flags(%rcx)	# 32-bit compat task needs IRET
+-	jnz  int_ret_from_sys_call
+-
+-	RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET
+-	jmp ret_from_sys_call			# go to the SYSRET fastpath
++	/*
++	 * By the time we get here, we have no idea whether our pt_regs,
++	 * ti flags, and ti status came from the 64-bit SYSCALL fast path,
++	 * the slow path, or one of the ia32entry paths.
++	 * Use int_ret_from_sys_call to return, since it can safely handle
++	 * all of the above.
++	 */
++	jmp  int_ret_from_sys_call
+ 
+ 	CFI_ENDPROC
+ END(ret_from_fork)
+diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
+index f411aca..41b2f57 100644
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -279,14 +279,6 @@ static struct dmi_system_id __initdata reboot_dmi_table[] = {
+ 			DMI_MATCH(DMI_PRODUCT_NAME, "VGN-Z540N"),
+ 		},
+ 	},
+-	{	/* Handle problems with rebooting on CompuLab SBC-FITPC2 */
+-		.callback = set_bios_reboot,
+-		.ident = "CompuLab SBC-FITPC2",
+-		.matches = {
+-			DMI_MATCH(DMI_SYS_VENDOR, "CompuLab"),
+-			DMI_MATCH(DMI_PRODUCT_NAME, "SBC-FITPC2"),
+-		},
+-	},
+ 	{       /* Handle problems with rebooting on ASUS P4S800 */
+ 		.callback = set_bios_reboot,
+ 		.ident = "ASUS P4S800",
+@@ -295,14 +287,6 @@ static struct dmi_system_id __initdata reboot_dmi_table[] = {
+ 			DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
+ 		},
+ 	},
+-	{	/* Handle problems with rebooting on VersaLogic Menlow boards */
+-		.callback = set_bios_reboot,
+-		.ident = "VersaLogic Menlow based board",
+-		.matches = {
+-			DMI_MATCH(DMI_BOARD_VENDOR, "VersaLogic Corporation"),
+-			DMI_MATCH(DMI_BOARD_NAME, "VersaLogic Menlow board"),
+-		},
+-	},
+ 	{ /* Handle reboot issue on Acer Aspire one */
+ 		.callback = set_kbd_reboot,
+ 		.ident = "Acer Aspire One A110",
+@@ -428,6 +412,24 @@ static struct dmi_system_id __initdata pci_reboot_dmi_table[] = {
+ 			DMI_MATCH(DMI_PRODUCT_NAME, "iMac9,1"),
+ 		},
+ 	},
++	/* ASRock */
++	{	/* Handle problems with rebooting on ASRock Q1900DC-ITX */
++		.callback = set_pci_reboot,
++		.ident = "ASRock Q1900DC-ITX",
++		.matches = {
++			DMI_MATCH(DMI_BOARD_VENDOR, "ASRock"),
++			DMI_MATCH(DMI_BOARD_NAME, "Q1900DC-ITX"),
++		},
++	},
++	/* Certec */
++	{       /* Handle problems with rebooting on Certec BPC600 */
++		.callback = set_pci_reboot,
++		.ident = "Certec BPC600",
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Certec"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "BPC600"),
++		},
++	},
+ 	{	/* Handle problems with rebooting on the Latitude E6320. */
+ 		.callback = set_pci_reboot,
+ 		.ident = "Dell Latitude E6320",
+@@ -436,6 +438,14 @@ static struct dmi_system_id __initdata pci_reboot_dmi_table[] = {
+ 			DMI_MATCH(DMI_PRODUCT_NAME, "Latitude E6320"),
+ 		},
+ 	},
++	{	/* Handle problems with rebooting on the Latitude E5410. */
++		.callback = set_pci_reboot,
++		.ident = "Dell Latitude E5410",
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Latitude E5410"),
++		},
++	},
+ 	{	/* Handle problems with rebooting on the Latitude E5420. */
+ 		.callback = set_pci_reboot,
+ 		.ident = "Dell Latitude E5420",
+@@ -462,6 +472,22 @@ static struct dmi_system_id __initdata pci_reboot_dmi_table[] = {
+ 	},
+ 	{	/* Handle problems with rebooting on the Precision M6600. */
+ 		.callback = set_pci_reboot,
++		.ident = "Dell Precision M6600",
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Precision M6600"),
++		},
++	},
++	{	/* Handle problems with rebooting on the Dell PowerEdge C6100. */
++		.callback = set_pci_reboot,
++		.ident = "Dell PowerEdge C6100",
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "C6100"),
++		},
++	},
++	{	/* Handle problems with rebooting on the Precision M6600. */
++		.callback = set_pci_reboot,
+ 		.ident = "Dell OptiPlex 990",
+ 		.matches = {
+ 			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
+index 2aff347..edbd30a 100644
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -435,7 +435,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+ 	 * then it's very likely the result of an icebp/int01 trap.
+ 	 * User wants a sigtrap for that.
+ 	 */
+-	if (!dr6 && user_mode(regs))
++	if (!dr6 && user_mode_vm(regs))
+ 		user_icebp = 1;
+ 
+ 	/* Catch kmemcheck conditions first of all! */
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index bdad489..9af0b82 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4014,7 +4014,8 @@ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
+ 		if (rc != X86EMUL_CONTINUE)
+ 			goto done;
+ 	}
+-	ctxt->dst.orig_val = ctxt->dst.val;
++	/* Copy full 64-bit value for CMPXCHG8B.  */
++	ctxt->dst.orig_val64 = ctxt->dst.val64;
+ 
+ special_insn:
+ 
+diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
+index 5c1ae28..75f9e5d 100644
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -35,12 +35,12 @@ struct __read_mostly va_alignment va_align = {
+ 	.flags = -1,
+ };
+ 
+-static unsigned int stack_maxrandom_size(void)
++static unsigned long stack_maxrandom_size(void)
+ {
+-	unsigned int max = 0;
++	unsigned long max = 0;
+ 	if ((current->flags & PF_RANDOMIZE) &&
+ 		!(current->personality & ADDR_NO_RANDOMIZE)) {
+-		max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
++		max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
+ 	}
+ 
+ 	return max;
+diff --git a/arch/x86/vdso/vdso32/sigreturn.S b/arch/x86/vdso/vdso32/sigreturn.S
+index 31776d0..d7ec4e2 100644
+--- a/arch/x86/vdso/vdso32/sigreturn.S
++++ b/arch/x86/vdso/vdso32/sigreturn.S
+@@ -17,6 +17,7 @@
+ 	.text
+ 	.globl __kernel_sigreturn
+ 	.type __kernel_sigreturn,@function
++	nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */
+ 	ALIGN
+ __kernel_sigreturn:
+ .LSTART_sigreturn:
+diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
+index 2ebfdd2..cb842a8 100644
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -1854,6 +1854,17 @@ EXPORT_SYMBOL(acpi_video_unregister);
+ 
+ static int __init acpi_video_init(void)
+ {
++	/*
++	 * Let the module load even if ACPI is disabled (e.g. due to
++	 * a broken BIOS) so that i915.ko can still be loaded on such
++	 * old systems without an AcpiOpRegion.
++	 *
++	 * acpi_video_register() will report -ENODEV later as well due
++	 * to acpi_disabled when i915.ko tries to register itself afterwards.
++	 */
++	if (acpi_disabled)
++		return 0;
++
+ 	dmi_check_system(video_dmi_table);
+ 
+ 	if (intel_opregion_present())
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 5fb6885..788581e 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -773,10 +773,6 @@ static int __init nbd_init(void)
+ 		return -EINVAL;
+ 	}
+ 
+-	nbd_dev = kcalloc(nbds_max, sizeof(*nbd_dev), GFP_KERNEL);
+-	if (!nbd_dev)
+-		return -ENOMEM;
+-
+ 	part_shift = 0;
+ 	if (max_part > 0) {
+ 		part_shift = fls(max_part);
+@@ -798,6 +794,10 @@ static int __init nbd_init(void)
+ 	if (nbds_max > 1UL << (MINORBITS - part_shift))
+ 		return -EINVAL;
+ 
++	nbd_dev = kcalloc(nbds_max, sizeof(*nbd_dev), GFP_KERNEL);
++	if (!nbd_dev)
++		return -ENOMEM;
++
+ 	for (i = 0; i < nbds_max; i++) {
+ 		struct gendisk *disk = alloc_disk(1 << part_shift);
+ 		if (!disk)
+diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
+index 22775ae..3eb6ad2 100644
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -106,6 +106,7 @@ static struct usb_device_id ath3k_table[] = {
+ 	{ USB_DEVICE(0x13d3, 0x3393) },
+ 	{ USB_DEVICE(0x13d3, 0x3402) },
+ 	{ USB_DEVICE(0x13d3, 0x3408) },
++	{ USB_DEVICE(0x13d3, 0x3423) },
+ 	{ USB_DEVICE(0x13d3, 0x3432) },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+@@ -160,6 +161,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
+ 	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Atheros AR5BBU22 with sflash firmware */
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 2b479d6..5c385e5 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -191,6 +191,7 @@ static struct usb_device_id blacklist_table[] = {
+ 	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
+index c234b9e..f7395c4 100644
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -1341,7 +1341,7 @@ struct tpm_chip *tpm_register_hardware(struct device *dev,
+ 
+ 	/* Make chip available */
+ 	spin_lock(&driver_lock);
+-	list_add_rcu(&chip->list, &tpm_chip_list);
++	list_add_tail_rcu(&chip->list, &tpm_chip_list);
+ 	spin_unlock(&driver_lock);
+ 
+ 	return chip;
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index c68b8ad..e9d18aa 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -124,6 +124,7 @@ struct ports_device {
+ 	 * notification
+ 	 */
+ 	struct work_struct control_work;
++	struct work_struct config_work;
+ 
+ 	struct list_head ports;
+ 
+@@ -1556,10 +1557,21 @@ static void config_intr(struct virtio_device *vdev)
+ 
+ 	portdev = vdev->priv;
+ 
++	if (!use_multiport(portdev))
++		schedule_work(&portdev->config_work);
++}
++
++static void config_work_handler(struct work_struct *work)
++{
++	struct ports_device *portdev;
++
++	portdev = container_of(work, struct ports_device, control_work);
+ 	if (!use_multiport(portdev)) {
++		struct virtio_device *vdev;
+ 		struct port *port;
+ 		u16 rows, cols;
+ 
++		vdev = portdev->vdev;
+ 		vdev->config->get(vdev,
+ 				  offsetof(struct virtio_console_config, cols),
+ 				  &cols, sizeof(u16));
+@@ -1731,6 +1743,8 @@ static int __devinit virtcons_probe(struct virtio_device *vdev)
+ 	spin_lock_init(&portdev->ports_lock);
+ 	INIT_LIST_HEAD(&portdev->ports);
+ 
++	INIT_WORK(&portdev->config_work, &config_work_handler);
++
+ 	if (multiport) {
+ 		unsigned int nr_added_bufs;
+ 
+@@ -1806,6 +1820,8 @@ static void virtcons_remove(struct virtio_device *vdev)
+ 	/* Finish up work that's lined up */
+ 	if (use_multiport(portdev))
+ 		cancel_work_sync(&portdev->control_work);
++	else
++		cancel_work_sync(&portdev->config_work);
+ 
+ 	list_for_each_entry_safe(port, port2, &portdev->ports, list)
+ 		unplug_port(port);
+diff --git a/drivers/cpufreq/speedstep-lib.c b/drivers/cpufreq/speedstep-lib.c
+index 8af2d2f..2c0345a 100644
+--- a/drivers/cpufreq/speedstep-lib.c
++++ b/drivers/cpufreq/speedstep-lib.c
+@@ -399,6 +399,7 @@ unsigned int speedstep_get_freqs(enum speedstep_processor processor,
+ 
+ 	pr_debug("previous speed is %u\n", prev_speed);
+ 
++	preempt_disable();
+ 	local_irq_save(flags);
+ 
+ 	/* switch to low state */
+@@ -463,6 +464,8 @@ unsigned int speedstep_get_freqs(enum speedstep_processor processor,
+ 
+ out:
+ 	local_irq_restore(flags);
++	preempt_enable();
++
+ 	return ret;
+ }
+ EXPORT_SYMBOL_GPL(speedstep_get_freqs);
+diff --git a/drivers/cpufreq/speedstep-smi.c b/drivers/cpufreq/speedstep-smi.c
+index c76ead3..8a97f94 100644
+--- a/drivers/cpufreq/speedstep-smi.c
++++ b/drivers/cpufreq/speedstep-smi.c
+@@ -187,6 +187,7 @@ static void speedstep_set_state(unsigned int state)
+ 		return;
+ 
+ 	/* Disable IRQs */
++	preempt_disable();
+ 	local_irq_save(flags);
+ 
+ 	command = (smi_sig & 0xffffff00) | (smi_cmd & 0xff);
+@@ -197,9 +198,19 @@ static void speedstep_set_state(unsigned int state)
+ 
+ 	do {
+ 		if (retry) {
++			/*
++			 * We need to enable interrupts, otherwise the blockage
++			 * won't resolve.
++			 *
++			 * We disable preemption so that other processes don't
++			 * run. If other processes were running, they could
++			 * submit more DMA requests, making the blockage worse.
++			 */
+ 			pr_debug("retry %u, previous result %u, waiting...\n",
+ 					retry, result);
++			local_irq_enable();
+ 			mdelay(retry * 50);
++			local_irq_disable();
+ 		}
+ 		retry++;
+ 		__asm__ __volatile__(
+@@ -216,6 +227,7 @@ static void speedstep_set_state(unsigned int state)
+ 
+ 	/* enable IRQs */
+ 	local_irq_restore(flags);
++	preempt_enable();
+ 
+ 	if (new_state == state)
+ 		pr_debug("change to %u MHz succeeded after %u tries "
+diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c
+index 79e66c0..2712680 100644
+--- a/drivers/gpio/gpio-tps65912.c
++++ b/drivers/gpio/gpio-tps65912.c
+@@ -26,9 +26,12 @@ struct tps65912_gpio_data {
+ 	struct gpio_chip gpio_chip;
+ };
+ 
++#define to_tgd(gc) container_of(gc, struct tps65912_gpio_data, gpio_chip)
++
+ static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset)
+ {
+-	struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++	struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++	struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+ 	int val;
+ 
+ 	val = tps65912_reg_read(tps65912, TPS65912_GPIO1 + offset);
+@@ -42,7 +45,8 @@ static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset)
+ static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset,
+ 			      int value)
+ {
+-	struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++	struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++	struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+ 
+ 	if (value)
+ 		tps65912_set_bits(tps65912, TPS65912_GPIO1 + offset,
+@@ -55,7 +59,8 @@ static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset,
+ static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset,
+ 				int value)
+ {
+-	struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++	struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++	struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+ 
+ 	/* Set the initial value */
+ 	tps65912_gpio_set(gc, offset, value);
+@@ -66,7 +71,8 @@ static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset,
+ 
+ static int tps65912_gpio_input(struct gpio_chip *gc, unsigned offset)
+ {
+-	struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
++	struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
++	struct tps65912 *tps65912 = tps65912_gpio->tps65912;
+ 
+ 	return tps65912_clear_bits(tps65912, TPS65912_GPIO1 + offset,
+ 								GPIO_CFG_MASK);
+diff --git a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c
+index e8a3c31..3e34f1e 100644
+--- a/drivers/gpu/drm/radeon/atombios_dp.c
++++ b/drivers/gpu/drm/radeon/atombios_dp.c
+@@ -739,10 +739,8 @@ static int radeon_dp_link_train_init(struct radeon_dp_link_train_info *dp_info)
+ 		radeon_write_dpcd_reg(dp_info->radeon_connector,
+ 				      DP_DOWNSPREAD_CTRL, 0);
+ 
+-	if ((dp_info->connector->connector_type == DRM_MODE_CONNECTOR_eDP) &&
+-	    (dig->panel_mode == DP_PANEL_MODE_INTERNAL_DP2_MODE)) {
++	if (dig->panel_mode == DP_PANEL_MODE_INTERNAL_DP2_MODE)
+ 		radeon_write_dpcd_reg(dp_info->radeon_connector, DP_EDP_CONFIGURATION_SET, 1);
+-	}
+ 
+ 	/* set the lane count on the sink */
+ 	tmp = dp_info->dp_lane_count;
+diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
+index 9b3f787..5d78973 100644
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -2631,6 +2631,9 @@ int evergreen_irq_set(struct radeon_device *rdev)
+ 	WREG32(DC_HPD5_INT_CONTROL, hpd5);
+ 	WREG32(DC_HPD6_INT_CONTROL, hpd6);
+ 
++	/* posting read */
++	RREG32(SRBM_STATUS);
++
+ 	return 0;
+ }
+ 
+diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
+index 76c1290..dfd1267 100644
+--- a/drivers/gpu/drm/radeon/r100.c
++++ b/drivers/gpu/drm/radeon/r100.c
+@@ -688,6 +688,10 @@ int r100_irq_set(struct radeon_device *rdev)
+ 		tmp |= RADEON_FP2_DETECT_MASK;
+ 	}
+ 	WREG32(RADEON_GEN_INT_CNTL, tmp);
++
++	/* read back to post the write */
++	RREG32(RADEON_GEN_INT_CNTL);
++
+ 	return 0;
+ }
+ 
+diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
+index ab46a99..e5299a0 100644
+--- a/drivers/gpu/drm/radeon/r600.c
++++ b/drivers/gpu/drm/radeon/r600.c
+@@ -3156,6 +3156,9 @@ int r600_irq_set(struct radeon_device *rdev)
+ 		WREG32(DC_HOT_PLUG_DETECT3_INT_CONTROL, hpd3);
+ 	}
+ 
++	/* posting read */
++	RREG32(R_000E50_SRBM_STATUS);
++
+ 	return 0;
+ }
+ 
+diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
+index ccf324b..6e98703 100644
+--- a/drivers/gpu/drm/radeon/radeon_bios.c
++++ b/drivers/gpu/drm/radeon/radeon_bios.c
+@@ -76,7 +76,7 @@ static bool igp_read_bios_from_vram(struct radeon_device *rdev)
+ 
+ static bool radeon_read_bios(struct radeon_device *rdev)
+ {
+-	uint8_t __iomem *bios;
++	uint8_t __iomem *bios, val1, val2;
+ 	size_t size;
+ 
+ 	rdev->bios = NULL;
+@@ -86,15 +86,19 @@ static bool radeon_read_bios(struct radeon_device *rdev)
+ 		return false;
+ 	}
+ 
+-	if (size == 0 || bios[0] != 0x55 || bios[1] != 0xaa) {
++	val1 = readb(&bios[0]);
++	val2 = readb(&bios[1]);
++
++	if (size == 0 || val1 != 0x55 || val2 != 0xaa) {
+ 		pci_unmap_rom(rdev->pdev, bios);
+ 		return false;
+ 	}
+-	rdev->bios = kmemdup(bios, size, GFP_KERNEL);
++	rdev->bios = kzalloc(size, GFP_KERNEL);
+ 	if (rdev->bios == NULL) {
+ 		pci_unmap_rom(rdev->pdev, bios);
+ 		return false;
+ 	}
++	memcpy_fromio(rdev->bios, bios, size);
+ 	pci_unmap_rom(rdev->pdev, bios);
+ 	return true;
+ }
+diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
+index 1f32557..0ddc08c 100644
+--- a/drivers/gpu/drm/radeon/radeon_cs.c
++++ b/drivers/gpu/drm/radeon/radeon_cs.c
+@@ -95,11 +95,13 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
+ 	uint64_t *chunk_array_ptr;
+ 	unsigned size, i, flags = 0;
+ 
++	INIT_LIST_HEAD(&p->validated);
++
+ 	if (!cs->num_chunks) {
+ 		return 0;
+ 	}
++
+ 	/* get chunks */
+-	INIT_LIST_HEAD(&p->validated);
+ 	p->idx = 0;
+ 	p->chunk_ib_idx = -1;
+ 	p->chunk_relocs_idx = -1;
+diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c
+index dc00155..fc37558 100644
+--- a/drivers/gpu/drm/radeon/rs600.c
++++ b/drivers/gpu/drm/radeon/rs600.c
+@@ -576,6 +576,10 @@ int rs600_irq_set(struct radeon_device *rdev)
+ 	WREG32(R_006540_DxMODE_INT_MASK, mode_int);
+ 	WREG32(R_007D08_DC_HOT_PLUG_DETECT1_INT_CONTROL, hpd1);
+ 	WREG32(R_007D18_DC_HOT_PLUG_DETECT2_INT_CONTROL, hpd2);
++
++	/* posting read */
++	RREG32(R_000040_GEN_INT_CNTL);
++
+ 	return 0;
+ }
+ 
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+index b639536..f739fcf 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -503,21 +503,6 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset)
+ 		goto out_err1;
+ 	}
+ 
+-	ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM,
+-			     (dev_priv->vram_size >> PAGE_SHIFT));
+-	if (unlikely(ret != 0)) {
+-		DRM_ERROR("Failed initializing memory manager for VRAM.\n");
+-		goto out_err2;
+-	}
+-
+-	dev_priv->has_gmr = true;
+-	if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR,
+-			   dev_priv->max_gmr_ids) != 0) {
+-		DRM_INFO("No GMR memory available. "
+-			 "Graphics memory resources are very limited.\n");
+-		dev_priv->has_gmr = false;
+-	}
+-
+ 	dev_priv->mmio_mtrr = drm_mtrr_add(dev_priv->mmio_start,
+ 					   dev_priv->mmio_size, DRM_MTRR_WC);
+ 
+@@ -570,6 +555,22 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset)
+ 	if (unlikely(dev_priv->fman == NULL))
+ 		goto out_no_fman;
+ 
++
++	ret = ttm_bo_init_mm(&dev_priv->bdev, TTM_PL_VRAM,
++			     (dev_priv->vram_size >> PAGE_SHIFT));
++	if (unlikely(ret != 0)) {
++		DRM_ERROR("Failed initializing memory manager for VRAM.\n");
++		goto out_no_vram;
++	}
++
++	dev_priv->has_gmr = true;
++	if (ttm_bo_init_mm(&dev_priv->bdev, VMW_PL_GMR,
++			   dev_priv->max_gmr_ids) != 0) {
++		DRM_INFO("No GMR memory available. "
++			 "Graphics memory resources are very limited.\n");
++		dev_priv->has_gmr = false;
++	}
++
+ 	/* Need to start the fifo to check if we can do screen objects */
+ 	ret = vmw_3d_resource_inc(dev_priv, true);
+ 	if (unlikely(ret != 0))
+@@ -620,6 +621,10 @@ out_no_kms:
+ 		vmw_3d_resource_dec(dev_priv, false);
+ 	}
+ out_no_fifo:
++	if (dev_priv->has_gmr)
++		(void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR);
++	(void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM);
++out_no_vram:
+ 	vmw_fence_manager_takedown(dev_priv->fman);
+ out_no_fman:
+ 	if (dev_priv->stealth)
+@@ -633,10 +638,6 @@ out_err4:
+ out_err3:
+ 	drm_mtrr_del(dev_priv->mmio_mtrr, dev_priv->mmio_start,
+ 		     dev_priv->mmio_size, DRM_MTRR_WC);
+-	if (dev_priv->has_gmr)
+-		(void) ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR);
+-	(void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM);
+-out_err2:
+ 	(void)ttm_bo_device_release(&dev_priv->bdev);
+ out_err1:
+ 	vmw_ttm_global_release(dev_priv);
+@@ -665,6 +666,11 @@ static int vmw_driver_unload(struct drm_device *dev)
+ 	}
+ 	vmw_kms_close(dev_priv);
+ 	vmw_overlay_close(dev_priv);
++
++	if (dev_priv->has_gmr)
++		(void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR);
++	(void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM);
++
+ 	vmw_fence_manager_takedown(dev_priv->fman);
+ 	if (dev_priv->stealth)
+ 		pci_release_region(dev->pdev, 2);
+@@ -675,9 +681,6 @@ static int vmw_driver_unload(struct drm_device *dev)
+ 	iounmap(dev_priv->mmio_virt);
+ 	drm_mtrr_del(dev_priv->mmio_mtrr, dev_priv->mmio_start,
+ 		     dev_priv->mmio_size, DRM_MTRR_WC);
+-	if (dev_priv->has_gmr)
+-		(void)ttm_bo_clean_mm(&dev_priv->bdev, VMW_PL_GMR);
+-	(void)ttm_bo_clean_mm(&dev_priv->bdev, TTM_PL_VRAM);
+ 	(void)ttm_bo_device_release(&dev_priv->bdev);
+ 	vmw_ttm_global_release(dev_priv);
+ 	idr_destroy(&dev_priv->surface_idr);
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index a841123..055ebeb 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
+ 	if (dmasync)
+ 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+ 
++	/*
++	 * If the combination of the addr and size requested for this memory
++	 * region causes an integer overflow, return error.
++	 */
++	if ((PAGE_ALIGN(addr + size) <= size) ||
++	    (PAGE_ALIGN(addr + size) <= addr))
++		return ERR_PTR(-EINVAL);
++
+ 	if (!can_do_mlock())
+ 		return ERR_PTR(-EPERM);
+ 
+diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
+index 8796367..9379b97 100644
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -451,6 +451,7 @@ static void ib_uverbs_async_handler(struct ib_uverbs_file *file,
+ 
+ 	entry->desc.async.element    = element;
+ 	entry->desc.async.event_type = event;
++	entry->desc.async.reserved   = 0;
+ 	entry->counter               = counter;
+ 
+ 	list_add_tail(&entry->list, &file->async_file->event_list);
+diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
+index 77702c0..46b291e 100644
+--- a/drivers/infiniband/hw/mlx4/mad.c
++++ b/drivers/infiniband/hw/mlx4/mad.c
+@@ -44,6 +44,14 @@ enum {
+ 	MLX4_IB_VENDOR_CLASS2 = 0xa
+ };
+ 
++/* Counters should be saturate once they reach their maximum value */
++#define ASSIGN_32BIT_COUNTER(counter, value) do {\
++	if ((value) > (u32)~0U)			 \
++		counter = cpu_to_be32((u32)~0U); \
++	else					 \
++		counter = cpu_to_be32(value);	 \
++} while (0)
++
+ int mlx4_MAD_IFC(struct mlx4_ib_dev *dev, int ignore_mkey, int ignore_bkey,
+ 		 int port, struct ib_wc *in_wc, struct ib_grh *in_grh,
+ 		 void *in_mad, void *response_mad)
+@@ -303,10 +311,14 @@ static int ib_process_mad(struct ib_device *ibdev, int mad_flags, u8 port_num,
+ static void edit_counter(struct mlx4_counter *cnt,
+ 					struct ib_pma_portcounters *pma_cnt)
+ {
+-	pma_cnt->port_xmit_data = cpu_to_be32((be64_to_cpu(cnt->tx_bytes)>>2));
+-	pma_cnt->port_rcv_data  = cpu_to_be32((be64_to_cpu(cnt->rx_bytes)>>2));
+-	pma_cnt->port_xmit_packets = cpu_to_be32(be64_to_cpu(cnt->tx_frames));
+-	pma_cnt->port_rcv_packets  = cpu_to_be32(be64_to_cpu(cnt->rx_frames));
++	ASSIGN_32BIT_COUNTER(pma_cnt->port_xmit_data,
++			     (be64_to_cpu(cnt->tx_bytes) >> 2));
++	ASSIGN_32BIT_COUNTER(pma_cnt->port_rcv_data,
++			     (be64_to_cpu(cnt->rx_bytes) >> 2));
++	ASSIGN_32BIT_COUNTER(pma_cnt->port_xmit_packets,
++			     be64_to_cpu(cnt->tx_frames));
++	ASSIGN_32BIT_COUNTER(pma_cnt->port_rcv_packets,
++			     be64_to_cpu(cnt->rx_frames));
+ }
+ 
+ static int iboe_process_mad(struct ib_device *ibdev, int mad_flags, u8 port_num,
+diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h
+index b881bdc..4c2b079 100644
+--- a/drivers/infiniband/hw/qib/qib.h
++++ b/drivers/infiniband/hw/qib/qib.h
+@@ -1005,12 +1005,6 @@ struct qib_devdata {
+ 	/* control high-level access to EEPROM */
+ 	struct mutex eep_lock;
+ 	uint64_t traffic_wds;
+-	/* active time is kept in seconds, but logged in hours */
+-	atomic_t active_time;
+-	/* Below are nominal shadow of EEPROM, new since last EEPROM update */
+-	uint8_t eep_st_errs[QIB_EEP_LOG_CNT];
+-	uint8_t eep_st_new_errs[QIB_EEP_LOG_CNT];
+-	uint16_t eep_hrs;
+ 	/*
+ 	 * masks for which bits of errs, hwerrs that cause
+ 	 * each of the counters to increment.
+@@ -1227,8 +1221,7 @@ int qib_twsi_blk_rd(struct qib_devdata *dd, int dev, int addr, void *buffer,
+ int qib_twsi_blk_wr(struct qib_devdata *dd, int dev, int addr,
+ 		    const void *buffer, int len);
+ void qib_get_eeprom_info(struct qib_devdata *);
+-int qib_update_eeprom_log(struct qib_devdata *dd);
+-void qib_inc_eeprom_err(struct qib_devdata *dd, u32 eidx, u32 incr);
++#define qib_inc_eeprom_err(dd, eidx, incr)
+ void qib_dump_lookup_output_queue(struct qib_devdata *);
+ void qib_force_pio_avail_update(struct qib_devdata *);
+ void qib_clear_symerror_on_linkup(unsigned long opaque);
+diff --git a/drivers/infiniband/hw/qib/qib_eeprom.c b/drivers/infiniband/hw/qib/qib_eeprom.c
+index 92d9cfe..6359c2f 100644
+--- a/drivers/infiniband/hw/qib/qib_eeprom.c
++++ b/drivers/infiniband/hw/qib/qib_eeprom.c
+@@ -263,189 +263,9 @@ void qib_get_eeprom_info(struct qib_devdata *dd)
+ 		qib_dev_err(dd, "Board SN %s did not pass functional "
+ 			    "test: %s\n", dd->serial, ifp->if_comment);
+ 
+-	memcpy(&dd->eep_st_errs, &ifp->if_errcntp, QIB_EEP_LOG_CNT);
+-	/*
+-	 * Power-on (actually "active") hours are kept as little-endian value
+-	 * in EEPROM, but as seconds in a (possibly as small as 24-bit)
+-	 * atomic_t while running.
+-	 */
+-	atomic_set(&dd->active_time, 0);
+-	dd->eep_hrs = ifp->if_powerhour[0] | (ifp->if_powerhour[1] << 8);
+-
+ done:
+ 	vfree(buf);
+ 
+ bail:;
+ }
+ 
+-/**
+- * qib_update_eeprom_log - copy active-time and error counters to eeprom
+- * @dd: the qlogic_ib device
+- *
+- * Although the time is kept as seconds in the qib_devdata struct, it is
+- * rounded to hours for re-write, as we have only 16 bits in EEPROM.
+- * First-cut code reads whole (expected) struct qib_flash, modifies,
+- * re-writes. Future direction: read/write only what we need, assuming
+- * that the EEPROM had to have been "good enough" for driver init, and
+- * if not, we aren't making it worse.
+- *
+- */
+-int qib_update_eeprom_log(struct qib_devdata *dd)
+-{
+-	void *buf;
+-	struct qib_flash *ifp;
+-	int len, hi_water;
+-	uint32_t new_time, new_hrs;
+-	u8 csum;
+-	int ret, idx;
+-	unsigned long flags;
+-
+-	/* first, check if we actually need to do anything. */
+-	ret = 0;
+-	for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) {
+-		if (dd->eep_st_new_errs[idx]) {
+-			ret = 1;
+-			break;
+-		}
+-	}
+-	new_time = atomic_read(&dd->active_time);
+-
+-	if (ret == 0 && new_time < 3600)
+-		goto bail;
+-
+-	/*
+-	 * The quick-check above determined that there is something worthy
+-	 * of logging, so get current contents and do a more detailed idea.
+-	 * read full flash, not just currently used part, since it may have
+-	 * been written with a newer definition
+-	 */
+-	len = sizeof(struct qib_flash);
+-	buf = vmalloc(len);
+-	ret = 1;
+-	if (!buf) {
+-		qib_dev_err(dd, "Couldn't allocate memory to read %u "
+-			    "bytes from eeprom for logging\n", len);
+-		goto bail;
+-	}
+-
+-	/* Grab semaphore and read current EEPROM. If we get an
+-	 * error, let go, but if not, keep it until we finish write.
+-	 */
+-	ret = mutex_lock_interruptible(&dd->eep_lock);
+-	if (ret) {
+-		qib_dev_err(dd, "Unable to acquire EEPROM for logging\n");
+-		goto free_bail;
+-	}
+-	ret = qib_twsi_blk_rd(dd, dd->twsi_eeprom_dev, 0, buf, len);
+-	if (ret) {
+-		mutex_unlock(&dd->eep_lock);
+-		qib_dev_err(dd, "Unable read EEPROM for logging\n");
+-		goto free_bail;
+-	}
+-	ifp = (struct qib_flash *)buf;
+-
+-	csum = flash_csum(ifp, 0);
+-	if (csum != ifp->if_csum) {
+-		mutex_unlock(&dd->eep_lock);
+-		qib_dev_err(dd, "EEPROM cks err (0x%02X, S/B 0x%02X)\n",
+-			    csum, ifp->if_csum);
+-		ret = 1;
+-		goto free_bail;
+-	}
+-	hi_water = 0;
+-	spin_lock_irqsave(&dd->eep_st_lock, flags);
+-	for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) {
+-		int new_val = dd->eep_st_new_errs[idx];
+-		if (new_val) {
+-			/*
+-			 * If we have seen any errors, add to EEPROM values
+-			 * We need to saturate at 0xFF (255) and we also
+-			 * would need to adjust the checksum if we were
+-			 * trying to minimize EEPROM traffic
+-			 * Note that we add to actual current count in EEPROM,
+-			 * in case it was altered while we were running.
+-			 */
+-			new_val += ifp->if_errcntp[idx];
+-			if (new_val > 0xFF)
+-				new_val = 0xFF;
+-			if (ifp->if_errcntp[idx] != new_val) {
+-				ifp->if_errcntp[idx] = new_val;
+-				hi_water = offsetof(struct qib_flash,
+-						    if_errcntp) + idx;
+-			}
+-			/*
+-			 * update our shadow (used to minimize EEPROM
+-			 * traffic), to match what we are about to write.
+-			 */
+-			dd->eep_st_errs[idx] = new_val;
+-			dd->eep_st_new_errs[idx] = 0;
+-		}
+-	}
+-	/*
+-	 * Now update active-time. We would like to round to the nearest hour
+-	 * but unless atomic_t are sure to be proper signed ints we cannot,
+-	 * because we need to account for what we "transfer" to EEPROM and
+-	 * if we log an hour at 31 minutes, then we would need to set
+-	 * active_time to -29 to accurately count the _next_ hour.
+-	 */
+-	if (new_time >= 3600) {
+-		new_hrs = new_time / 3600;
+-		atomic_sub((new_hrs * 3600), &dd->active_time);
+-		new_hrs += dd->eep_hrs;
+-		if (new_hrs > 0xFFFF)
+-			new_hrs = 0xFFFF;
+-		dd->eep_hrs = new_hrs;
+-		if ((new_hrs & 0xFF) != ifp->if_powerhour[0]) {
+-			ifp->if_powerhour[0] = new_hrs & 0xFF;
+-			hi_water = offsetof(struct qib_flash, if_powerhour);
+-		}
+-		if ((new_hrs >> 8) != ifp->if_powerhour[1]) {
+-			ifp->if_powerhour[1] = new_hrs >> 8;
+-			hi_water = offsetof(struct qib_flash, if_powerhour) + 1;
+-		}
+-	}
+-	/*
+-	 * There is a tiny possibility that we could somehow fail to write
+-	 * the EEPROM after updating our shadows, but problems from holding
+-	 * the spinlock too long are a much bigger issue.
+-	 */
+-	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
+-	if (hi_water) {
+-		/* we made some change to the data, uopdate cksum and write */
+-		csum = flash_csum(ifp, 1);
+-		ret = eeprom_write_with_enable(dd, 0, buf, hi_water + 1);
+-	}
+-	mutex_unlock(&dd->eep_lock);
+-	if (ret)
+-		qib_dev_err(dd, "Failed updating EEPROM\n");
+-
+-free_bail:
+-	vfree(buf);
+-bail:
+-	return ret;
+-}
+-
+-/**
+- * qib_inc_eeprom_err - increment one of the four error counters
+- * that are logged to EEPROM.
+- * @dd: the qlogic_ib device
+- * @eidx: 0..3, the counter to increment
+- * @incr: how much to add
+- *
+- * Each counter is 8-bits, and saturates at 255 (0xFF). They
+- * are copied to the EEPROM (aka flash) whenever qib_update_eeprom_log()
+- * is called, but it can only be called in a context that allows sleep.
+- * This function can be called even at interrupt level.
+- */
+-void qib_inc_eeprom_err(struct qib_devdata *dd, u32 eidx, u32 incr)
+-{
+-	uint new_val;
+-	unsigned long flags;
+-
+-	spin_lock_irqsave(&dd->eep_st_lock, flags);
+-	new_val = dd->eep_st_new_errs[eidx] + incr;
+-	if (new_val > 255)
+-		new_val = 255;
+-	dd->eep_st_new_errs[eidx] = new_val;
+-	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
+-}
+diff --git a/drivers/infiniband/hw/qib/qib_iba6120.c b/drivers/infiniband/hw/qib/qib_iba6120.c
+index 4f18e2d..2a0f7de 100644
+--- a/drivers/infiniband/hw/qib/qib_iba6120.c
++++ b/drivers/infiniband/hw/qib/qib_iba6120.c
+@@ -2674,8 +2674,6 @@ static void qib_get_6120_faststats(unsigned long opaque)
+ 	spin_lock_irqsave(&dd->eep_st_lock, flags);
+ 	traffic_wds -= dd->traffic_wds;
+ 	dd->traffic_wds += traffic_wds;
+-	if (traffic_wds  >= QIB_TRAFFIC_ACTIVE_THRESHOLD)
+-		atomic_add(5, &dd->active_time); /* S/B #define */
+ 	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
+ 
+ 	qib_chk_6120_errormask(dd);
+diff --git a/drivers/infiniband/hw/qib/qib_iba7220.c b/drivers/infiniband/hw/qib/qib_iba7220.c
+index 7ec4048..4dc04e3 100644
+--- a/drivers/infiniband/hw/qib/qib_iba7220.c
++++ b/drivers/infiniband/hw/qib/qib_iba7220.c
+@@ -3292,8 +3292,6 @@ static void qib_get_7220_faststats(unsigned long opaque)
+ 	spin_lock_irqsave(&dd->eep_st_lock, flags);
+ 	traffic_wds -= dd->traffic_wds;
+ 	dd->traffic_wds += traffic_wds;
+-	if (traffic_wds  >= QIB_TRAFFIC_ACTIVE_THRESHOLD)
+-		atomic_add(5, &dd->active_time); /* S/B #define */
+ 	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
+ done:
+ 	mod_timer(&dd->stats_timer, jiffies + HZ * ACTIVITY_TIMER);
+diff --git a/drivers/infiniband/hw/qib/qib_iba7322.c b/drivers/infiniband/hw/qib/qib_iba7322.c
+index d8517fc..44180c6 100644
+--- a/drivers/infiniband/hw/qib/qib_iba7322.c
++++ b/drivers/infiniband/hw/qib/qib_iba7322.c
+@@ -4793,8 +4793,6 @@ static void qib_get_7322_faststats(unsigned long opaque)
+ 		spin_lock_irqsave(&ppd->dd->eep_st_lock, flags);
+ 		traffic_wds -= ppd->dd->traffic_wds;
+ 		ppd->dd->traffic_wds += traffic_wds;
+-		if (traffic_wds >= QIB_TRAFFIC_ACTIVE_THRESHOLD)
+-			atomic_add(ACTIVITY_TIMER, &ppd->dd->active_time);
+ 		spin_unlock_irqrestore(&ppd->dd->eep_st_lock, flags);
+ 		if (ppd->cpspec->qdr_dfe_on && (ppd->link_speed_active &
+ 						QIB_IB_QDR) &&
+diff --git a/drivers/infiniband/hw/qib/qib_init.c b/drivers/infiniband/hw/qib/qib_init.c
+index 58b0f8a..9966ec2 100644
+--- a/drivers/infiniband/hw/qib/qib_init.c
++++ b/drivers/infiniband/hw/qib/qib_init.c
+@@ -765,7 +765,6 @@ static void qib_shutdown_device(struct qib_devdata *dd)
+ 		dd->f_quiet_serdes(ppd);
+ 	}
+ 
+-	qib_update_eeprom_log(dd);
+ }
+ 
+ /**
+diff --git a/drivers/infiniband/hw/qib/qib_sysfs.c b/drivers/infiniband/hw/qib/qib_sysfs.c
+index 78fbd56..c97224a 100644
+--- a/drivers/infiniband/hw/qib/qib_sysfs.c
++++ b/drivers/infiniband/hw/qib/qib_sysfs.c
+@@ -550,28 +550,6 @@ bail:
+ 	return ret < 0 ? ret : count;
+ }
+ 
+-static ssize_t show_logged_errs(struct device *device,
+-				struct device_attribute *attr, char *buf)
+-{
+-	struct qib_ibdev *dev =
+-		container_of(device, struct qib_ibdev, ibdev.dev);
+-	struct qib_devdata *dd = dd_from_dev(dev);
+-	int idx, count;
+-
+-	/* force consistency with actual EEPROM */
+-	if (qib_update_eeprom_log(dd) != 0)
+-		return -ENXIO;
+-
+-	count = 0;
+-	for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) {
+-		count += scnprintf(buf + count, PAGE_SIZE - count, "%d%c",
+-				   dd->eep_st_errs[idx],
+-				   idx == (QIB_EEP_LOG_CNT - 1) ? '\n' : ' ');
+-	}
+-
+-	return count;
+-}
+-
+ /*
+  * Dump tempsense regs. in decimal, to ease shell-scripts.
+  */
+@@ -618,7 +596,6 @@ static DEVICE_ATTR(nctxts, S_IRUGO, show_nctxts, NULL);
+ static DEVICE_ATTR(nfreectxts, S_IRUGO, show_nfreectxts, NULL);
+ static DEVICE_ATTR(serial, S_IRUGO, show_serial, NULL);
+ static DEVICE_ATTR(boardversion, S_IRUGO, show_boardversion, NULL);
+-static DEVICE_ATTR(logged_errors, S_IRUGO, show_logged_errs, NULL);
+ static DEVICE_ATTR(tempsense, S_IRUGO, show_tempsense, NULL);
+ static DEVICE_ATTR(localbus_info, S_IRUGO, show_localbus_info, NULL);
+ static DEVICE_ATTR(chip_reset, S_IWUSR, NULL, store_chip_reset);
+@@ -632,7 +609,6 @@ static struct device_attribute *qib_attributes[] = {
+ 	&dev_attr_nfreectxts,
+ 	&dev_attr_serial,
+ 	&dev_attr_boardversion,
+-	&dev_attr_logged_errors,
+ 	&dev_attr_tempsense,
+ 	&dev_attr_localbus_info,
+ 	&dev_attr_chip_reset,
+diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
+index bb41f94..91e94ad 100644
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -274,8 +274,14 @@ static int synaptics_resolution(struct psmouse *psmouse)
+ 		}
+ 	}
+ 
+-	if (SYN_EXT_CAP_REQUESTS(priv->capabilities) >= 7 &&
+-	    SYN_CAP_MIN_DIMENSIONS(priv->ext_cap_0c)) {
++	if (SYN_CAP_MIN_DIMENSIONS(priv->ext_cap_0c) &&
++	    (SYN_EXT_CAP_REQUESTS(priv->capabilities) >= 7 ||
++	     /*
++	      * Firmware v8.1 does not report proper number of extended
++	      * capabilities, but has been proven to report correct min
++	      * coordinates.
++	      */
++	     SYN_ID_FULL(priv->identity) == 0x801)) {
+ 		if (synaptics_send_cmd(psmouse, SYN_QUE_EXT_MIN_COORDS, resp)) {
+ 			psmouse_warn(psmouse,
+ 				     "device claims to have min coordinates query, but I'm not able to read it.\n");
+@@ -495,6 +501,18 @@ static void synaptics_parse_agm(const unsigned char buf[],
+ 	priv->agm_pending = true;
+ }
+ 
++static void synaptics_parse_ext_buttons(const unsigned char buf[],
++					struct synaptics_data *priv,
++					struct synaptics_hw_state *hw)
++{
++	unsigned int ext_bits =
++		(SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) + 1) >> 1;
++	unsigned int ext_mask = (1U << ext_bits) - 1;
++
++	hw->ext_buttons = buf[4] & ext_mask;
++	hw->ext_buttons |= (buf[5] & ext_mask) << ext_bits;
++}
++
+ static bool is_forcepad;
+ 
+ static int synaptics_parse_hw_state(const unsigned char buf[],
+@@ -581,28 +599,9 @@ static int synaptics_parse_hw_state(const unsigned char buf[],
+ 			hw->down = ((buf[0] ^ buf[3]) & 0x02) ? 1 : 0;
+ 		}
+ 
+-		if (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) &&
++		if (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) > 0 &&
+ 		    ((buf[0] ^ buf[3]) & 0x02)) {
+-			switch (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) & ~0x01) {
+-			default:
+-				/*
+-				 * if nExtBtn is greater than 8 it should be
+-				 * considered invalid and treated as 0
+-				 */
+-				break;
+-			case 8:
+-				hw->ext_buttons |= ((buf[5] & 0x08)) ? 0x80 : 0;
+-				hw->ext_buttons |= ((buf[4] & 0x08)) ? 0x40 : 0;
+-			case 6:
+-				hw->ext_buttons |= ((buf[5] & 0x04)) ? 0x20 : 0;
+-				hw->ext_buttons |= ((buf[4] & 0x04)) ? 0x10 : 0;
+-			case 4:
+-				hw->ext_buttons |= ((buf[5] & 0x02)) ? 0x08 : 0;
+-				hw->ext_buttons |= ((buf[4] & 0x02)) ? 0x04 : 0;
+-			case 2:
+-				hw->ext_buttons |= ((buf[5] & 0x01)) ? 0x02 : 0;
+-				hw->ext_buttons |= ((buf[4] & 0x01)) ? 0x01 : 0;
+-			}
++			synaptics_parse_ext_buttons(buf, priv, hw);
+ 		}
+ 	} else {
+ 		hw->x = (((buf[1] & 0x1f) << 8) | buf[2]);
+@@ -664,12 +663,35 @@ static void synaptics_report_semi_mt_data(struct input_dev *dev,
+ 	}
+ }
+ 
++static void synaptics_report_ext_buttons(struct psmouse *psmouse,
++					 const struct synaptics_hw_state *hw)
++{
++	struct input_dev *dev = psmouse->dev;
++	struct synaptics_data *priv = psmouse->private;
++	int ext_bits = (SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap) + 1) >> 1;
++	int i;
++
++	if (!SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap))
++		return;
++
++	/* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */
++	if (SYN_ID_FULL(priv->identity) == 0x801 &&
++	    !((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02))
++		return;
++
++	for (i = 0; i < ext_bits; i++) {
++		input_report_key(dev, BTN_0 + 2 * i,
++			hw->ext_buttons & (1 << i));
++		input_report_key(dev, BTN_1 + 2 * i,
++			hw->ext_buttons & (1 << (i + ext_bits)));
++	}
++}
++
+ static void synaptics_report_buttons(struct psmouse *psmouse,
+ 				     const struct synaptics_hw_state *hw)
+ {
+ 	struct input_dev *dev = psmouse->dev;
+ 	struct synaptics_data *priv = psmouse->private;
+-	int i;
+ 
+ 	input_report_key(dev, BTN_LEFT, hw->left);
+ 	input_report_key(dev, BTN_RIGHT, hw->right);
+@@ -682,8 +704,7 @@ static void synaptics_report_buttons(struct psmouse *psmouse,
+ 		input_report_key(dev, BTN_BACK, hw->down);
+ 	}
+ 
+-	for (i = 0; i < SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap); i++)
+-		input_report_key(dev, BTN_0 + i, hw->ext_buttons & (1 << i));
++	synaptics_report_ext_buttons(psmouse, hw);
+ }
+ 
+ static void synaptics_report_slot(struct input_dev *dev, int slot,
+diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
+index 39a08be..b8ed01b 100644
+--- a/drivers/md/dm-io.c
++++ b/drivers/md/dm-io.c
+@@ -299,6 +299,16 @@ static void do_region(int rw, unsigned region, struct dm_io_region *where,
+ 	sector_t remaining = where->count;
+ 	struct request_queue *q = bdev_get_queue(where->bdev);
+ 	sector_t discard_sectors;
++	unsigned int uninitialized_var(special_cmd_max_sectors);
++
++	/* Reject unsupported discard requests */
++	if (rw & REQ_DISCARD) {
++		special_cmd_max_sectors = q->limits.max_discard_sectors;
++		if (special_cmd_max_sectors == 0) {
++			dec_count(io, region, -EOPNOTSUPP);
++			return;
++		}
++	}
+ 
+ 	/*
+ 	 * where->count may be zero if rw holds a flush and we need to
+@@ -322,7 +332,7 @@ static void do_region(int rw, unsigned region, struct dm_io_region *where,
+ 		store_io_and_region_in_bio(bio, io, region);
+ 
+ 		if (rw & REQ_DISCARD) {
+-			discard_sectors = min_t(sector_t, q->limits.max_discard_sectors, remaining);
++			discard_sectors = min_t(sector_t, special_cmd_max_sectors, remaining);
+ 			bio->bi_size = discard_sectors << SECTOR_SHIFT;
+ 			remaining -= discard_sectors;
+ 		} else while (remaining) {
+diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
+index b7b649d..b4361eb 100644
+--- a/drivers/md/dm-raid1.c
++++ b/drivers/md/dm-raid1.c
+@@ -603,6 +603,15 @@ static void write_callback(unsigned long error, void *context)
+ 		return;
+ 	}
+ 
++	/*
++	 * If the bio is discard, return an error, but do not
++	 * degrade the array.
++	 */
++	if (bio->bi_rw & REQ_DISCARD) {
++		bio_endio(bio, -EOPNOTSUPP);
++		return;
++	}
++
+ 	for (i = 0; i < ms->nr_mirrors; i++)
+ 		if (test_bit(i, &error))
+ 			fail_mirror(ms->mirror + i, DM_RAID1_WRITE_ERROR);
+diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
+index fec79e7..6b94c3c 100644
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -1444,8 +1444,6 @@ out:
+ 		full_bio->bi_end_io = pe->full_bio_end_io;
+ 		full_bio->bi_private = pe->full_bio_private;
+ 	}
+-	free_pending_exception(pe);
+-
+ 	increment_pending_exceptions_done_count();
+ 
+ 	up_write(&s->lock);
+@@ -1462,6 +1460,8 @@ out:
+ 	}
+ 
+ 	retry_origin_bios(s, origin_bios);
++
++	free_pending_exception(pe);
+ }
+ 
+ static void commit_callback(void *context, int success)
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 7ead065..c00bcdc 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2232,7 +2232,7 @@ int dm_setup_md_queue(struct mapped_device *md)
+ 	return 0;
+ }
+ 
+-static struct mapped_device *dm_find_md(dev_t dev)
++struct mapped_device *dm_get_md(dev_t dev)
+ {
+ 	struct mapped_device *md;
+ 	unsigned minor = MINOR(dev);
+@@ -2243,12 +2243,15 @@ static struct mapped_device *dm_find_md(dev_t dev)
+ 	spin_lock(&_minor_lock);
+ 
+ 	md = idr_find(&_minor_idr, minor);
+-	if (md && (md == MINOR_ALLOCED ||
+-		   (MINOR(disk_devt(dm_disk(md))) != minor) ||
+-		   dm_deleting_md(md) ||
+-		   test_bit(DMF_FREEING, &md->flags))) {
+-		md = NULL;
+-		goto out;
++	if (md) {
++		if ((md == MINOR_ALLOCED ||
++		     (MINOR(disk_devt(dm_disk(md))) != minor) ||
++		     dm_deleting_md(md) ||
++		     test_bit(DMF_FREEING, &md->flags))) {
++			md = NULL;
++			goto out;
++		}
++		dm_get(md);
+ 	}
+ 
+ out:
+@@ -2256,16 +2259,6 @@ out:
+ 
+ 	return md;
+ }
+-
+-struct mapped_device *dm_get_md(dev_t dev)
+-{
+-	struct mapped_device *md = dm_find_md(dev);
+-
+-	if (md)
+-		dm_get(md);
+-
+-	return md;
+-}
+ EXPORT_SYMBOL_GPL(dm_get_md);
+ 
+ void *dm_get_mdptr(struct mapped_device *md)
+@@ -2302,10 +2295,16 @@ static void __dm_destroy(struct mapped_device *md, bool wait)
+ 	set_bit(DMF_FREEING, &md->flags);
+ 	spin_unlock(&_minor_lock);
+ 
++	/*
++	 * Take suspend_lock so that presuspend and postsuspend methods
++	 * do not race with internal suspend.
++	 */
++	mutex_lock(&md->suspend_lock);
+ 	if (!dm_suspended_md(md)) {
+ 		dm_table_presuspend_targets(map);
+ 		dm_table_postsuspend_targets(map);
+ 	}
++	mutex_unlock(&md->suspend_lock);
+ 
+ 	/*
+ 	 * Rare, but there may be I/O requests still going to complete,
+diff --git a/drivers/media/dvb/dvb-usb/lmedm04.c b/drivers/media/dvb/dvb-usb/lmedm04.c
+index b922824..c7ad854 100644
+--- a/drivers/media/dvb/dvb-usb/lmedm04.c
++++ b/drivers/media/dvb/dvb-usb/lmedm04.c
+@@ -326,7 +326,9 @@ static void lme2510_int_response(struct urb *lme_urb)
+ 
+ static int lme2510_int_read(struct dvb_usb_adapter *adap)
+ {
++	struct dvb_usb_device *d = adap->dev;
+ 	struct lme2510_state *lme_int = adap->dev->priv;
++	struct usb_host_endpoint *ep;
+ 
+ 	lme_int->lme_urb = usb_alloc_urb(0, GFP_ATOMIC);
+ 
+@@ -348,6 +350,12 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
+ 				adap,
+ 				8);
+ 
++	/* Quirk of pipe reporting PIPE_BULK but behaves as interrupt */
++	ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe);
++
++	if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
++		lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa),
++
+ 	lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+ 
+ 	usb_submit_urb(lme_int->lme_urb, GFP_ATOMIC);
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index a25442e..db9100f 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -468,6 +468,11 @@ struct sk_buff *alloc_can_skb(struct net_device *dev, struct can_frame **cf)
+ 	skb->protocol = htons(ETH_P_CAN);
+ 	skb->pkt_type = PACKET_BROADCAST;
+ 	skb->ip_summed = CHECKSUM_UNNECESSARY;
++
++	skb_reset_mac_header(skb);
++	skb_reset_network_header(skb);
++	skb_reset_transport_header(skb);
++
+ 	*cf = (struct can_frame *)skb_put(skb, sizeof(struct can_frame));
+ 	memset(*cf, 0, sizeof(struct can_frame));
+ 
+diff --git a/drivers/net/ethernet/amd/pcnet32.c b/drivers/net/ethernet/amd/pcnet32.c
+index f92bc6e..c664abb 100644
+--- a/drivers/net/ethernet/amd/pcnet32.c
++++ b/drivers/net/ethernet/amd/pcnet32.c
+@@ -1524,7 +1524,7 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev)
+ {
+ 	struct pcnet32_private *lp;
+ 	int i, media;
+-	int fdx, mii, fset, dxsuflo;
++	int fdx, mii, fset, dxsuflo, sram;
+ 	int chip_version;
+ 	char *chipname;
+ 	struct net_device *dev;
+@@ -1561,7 +1561,7 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev)
+ 	}
+ 
+ 	/* initialize variables */
+-	fdx = mii = fset = dxsuflo = 0;
++	fdx = mii = fset = dxsuflo = sram = 0;
+ 	chip_version = (chip_version >> 12) & 0xffff;
+ 
+ 	switch (chip_version) {
+@@ -1594,6 +1594,7 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev)
+ 		chipname = "PCnet/FAST III 79C973";	/* PCI */
+ 		fdx = 1;
+ 		mii = 1;
++		sram = 1;
+ 		break;
+ 	case 0x2626:
+ 		chipname = "PCnet/Home 79C978";	/* PCI */
+@@ -1617,6 +1618,7 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev)
+ 		chipname = "PCnet/FAST III 79C975";	/* PCI */
+ 		fdx = 1;
+ 		mii = 1;
++		sram = 1;
+ 		break;
+ 	case 0x2628:
+ 		chipname = "PCnet/PRO 79C976";
+@@ -1645,6 +1647,31 @@ pcnet32_probe1(unsigned long ioaddr, int shared, struct pci_dev *pdev)
+ 		dxsuflo = 1;
+ 	}
+ 
++	/*
++	 * The Am79C973/Am79C975 controllers come with 12K of SRAM
++	 * which we can use for the Tx/Rx buffers but most importantly,
++	 * the use of SRAM allow us to use the BCR18:NOUFLO bit to avoid
++	 * Tx fifo underflows.
++	 */
++	if (sram) {
++		/*
++		 * The SRAM is being configured in two steps. First we
++		 * set the SRAM size in the BCR25:SRAM_SIZE bits. According
++		 * to the datasheet, each bit corresponds to a 512-byte
++		 * page so we can have at most 24 pages. The SRAM_SIZE
++		 * holds the value of the upper 8 bits of the 16-bit SRAM size.
++		 * The low 8-bits start at 0x00 and end at 0xff. So the
++		 * address range is from 0x0000 up to 0x17ff. Therefore,
++		 * the SRAM_SIZE is set to 0x17. The next step is to set
++		 * the BCR26:SRAM_BND midway through so the Tx and Rx
++		 * buffers can share the SRAM equally.
++		 */
++		a->write_bcr(ioaddr, 25, 0x17);
++		a->write_bcr(ioaddr, 26, 0xc);
++		/* And finally enable the NOUFLO bit */
++		a->write_bcr(ioaddr, 18, a->read_bcr(ioaddr, 18) | (1 << 11));
++	}
++
+ 	dev = alloc_etherdev(sizeof(*lp));
+ 	if (!dev) {
+ 		if (pcnet32_debug & NETIF_MSG_PROBE)
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+index 2f6361e..1042935 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -10325,6 +10325,10 @@ static int __devinit bnx2x_init_dev(struct pci_dev *pdev,
+ 	/* clean indirect addresses */
+ 	pci_write_config_dword(bp->pdev, PCICFG_GRC_ADDRESS,
+ 			       PCICFG_VENDOR_ID_OFFSET);
++
++	/* Set PCIe reset type to fundamental for EEH recovery */
++	pdev->needs_freset = 1;
++
+ 	/*
+ 	 * Clean the following indirect addresses for all functions since it
+ 	 * is not used by the driver.
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index 2ec19e7..d0ebf9c 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -5412,7 +5412,7 @@ static void tg3_tx(struct tg3_napi *tnapi)
+ 			sw_idx = NEXT_TX(sw_idx);
+ 		}
+ 
+-		dev_kfree_skb(skb);
++		dev_kfree_skb_any(skb);
+ 
+ 		if (unlikely(tx_bug)) {
+ 			tg3_tx_recover(tp);
+@@ -5702,7 +5702,7 @@ static int tg3_rx(struct tg3_napi *tnapi, int budget)
+ 
+ 		if (len > (tp->dev->mtu + ETH_HLEN) &&
+ 		    skb->protocol != htons(ETH_P_8021Q)) {
+-			dev_kfree_skb(skb);
++			dev_kfree_skb_any(skb);
+ 			goto drop_it_no_recycle;
+ 		}
+ 
+@@ -6609,7 +6609,7 @@ static int tigon3_dma_hwbug_workaround(struct tg3_napi *tnapi,
+ 					  PCI_DMA_TODEVICE);
+ 		/* Make sure the mapping succeeded */
+ 		if (pci_dma_mapping_error(tp->pdev, new_addr)) {
+-			dev_kfree_skb(new_skb);
++			dev_kfree_skb_any(new_skb);
+ 			ret = -1;
+ 		} else {
+ 			u32 save_entry = *entry;
+@@ -6624,13 +6624,13 @@ static int tigon3_dma_hwbug_workaround(struct tg3_napi *tnapi,
+ 					    new_skb->len, base_flags,
+ 					    mss, vlan)) {
+ 				tg3_tx_skb_unmap(tnapi, save_entry, -1);
+-				dev_kfree_skb(new_skb);
++				dev_kfree_skb_any(new_skb);
+ 				ret = -1;
+ 			}
+ 		}
+ 	}
+ 
+-	dev_kfree_skb(skb);
++	dev_kfree_skb_any(skb);
+ 	*pskb = new_skb;
+ 	return ret;
+ }
+@@ -6673,7 +6673,7 @@ static int tg3_tso_bug(struct tg3 *tp, struct sk_buff *skb)
+ 	} while (segs);
+ 
+ tg3_tso_bug_end:
+-	dev_kfree_skb(skb);
++	dev_kfree_skb_any(skb);
+ 
+ 	return NETDEV_TX_OK;
+ }
+@@ -6888,7 +6888,7 @@ dma_error:
+ 	tg3_tx_skb_unmap(tnapi, tnapi->tx_prod, --i);
+ 	tnapi->tx_buffers[tnapi->tx_prod].skb = NULL;
+ drop:
+-	dev_kfree_skb(skb);
++	dev_kfree_skb_any(skb);
+ drop_nofree:
+ 	tp->tx_dropped++;
+ 	return NETDEV_TX_OK;
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 36c7c4e..10c9acf 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1434,7 +1434,7 @@ static u16 be_tx_compl_process(struct be_adapter *adapter,
+ 		queue_tail_inc(txq);
+ 	} while (cur_index != last_index);
+ 
+-	kfree_skb(sent_skb);
++	dev_kfree_skb_any(sent_skb);
+ 	return num_wrbs;
+ }
+ 
+diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
+index fb9e7d3..b167e38 100644
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -2092,10 +2092,10 @@ static int gfar_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ 		skb_new = skb_realloc_headroom(skb, GMAC_FCB_LEN);
+ 		if (!skb_new) {
+ 			dev->stats.tx_errors++;
+-			kfree_skb(skb);
++			dev_kfree_skb_any(skb);
+ 			return NETDEV_TX_OK;
+ 		}
+-		kfree_skb(skb);
++		dev_kfree_skb_any(skb);
+ 		skb = skb_new;
+ 	}
+ 
+diff --git a/drivers/net/ethernet/intel/ixgb/ixgb_main.c b/drivers/net/ethernet/intel/ixgb/ixgb_main.c
+index e21148f..e17cfca 100644
+--- a/drivers/net/ethernet/intel/ixgb/ixgb_main.c
++++ b/drivers/net/ethernet/intel/ixgb/ixgb_main.c
+@@ -1539,12 +1539,12 @@ ixgb_xmit_frame(struct sk_buff *skb, struct net_device *netdev)
+ 	int tso;
+ 
+ 	if (test_bit(__IXGB_DOWN, &adapter->flags)) {
+-		dev_kfree_skb(skb);
++		dev_kfree_skb_any(skb);
+ 		return NETDEV_TX_OK;
+ 	}
+ 
+ 	if (skb->len <= 0) {
+-		dev_kfree_skb(skb);
++		dev_kfree_skb_any(skb);
+ 		return NETDEV_TX_OK;
+ 	}
+ 
+@@ -1561,7 +1561,7 @@ ixgb_xmit_frame(struct sk_buff *skb, struct net_device *netdev)
+ 
+ 	tso = ixgb_tso(adapter, skb);
+ 	if (tso < 0) {
+-		dev_kfree_skb(skb);
++		dev_kfree_skb_any(skb);
+ 		return NETDEV_TX_OK;
+ 	}
+ 
+diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+index 4a238a4..8737e0d 100644
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+@@ -2277,7 +2277,10 @@ static int netxen_nic_poll(struct napi_struct *napi, int budget)
+ 
+ 	work_done = netxen_process_rcv_ring(sds_ring, budget);
+ 
+-	if ((work_done < budget) && tx_complete) {
++	if (!tx_complete)
++		work_done = budget;
++
++	if (work_done < budget) {
+ 		napi_complete(&sds_ring->napi);
+ 		if (test_bit(__NX_DEV_UP, &adapter->state))
+ 			netxen_nic_enable_int(sds_ring);
+diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
+index 4aa830f..ab5c276 100644
+--- a/drivers/net/ethernet/realtek/8139cp.c
++++ b/drivers/net/ethernet/realtek/8139cp.c
+@@ -886,7 +886,7 @@ out_unlock:
+ 
+ 	return NETDEV_TX_OK;
+ out_dma_error:
+-	kfree_skb(skb);
++	dev_kfree_skb_any(skb);
+ 	cp->dev->stats.tx_dropped++;
+ 	goto out_unlock;
+ }
+diff --git a/drivers/net/ethernet/realtek/8139too.c b/drivers/net/ethernet/realtek/8139too.c
+index 4d6b254..728805f 100644
+--- a/drivers/net/ethernet/realtek/8139too.c
++++ b/drivers/net/ethernet/realtek/8139too.c
+@@ -1703,9 +1703,9 @@ static netdev_tx_t rtl8139_start_xmit (struct sk_buff *skb,
+ 		if (len < ETH_ZLEN)
+ 			memset(tp->tx_buf[entry], 0, ETH_ZLEN);
+ 		skb_copy_and_csum_dev(skb, tp->tx_buf[entry]);
+-		dev_kfree_skb(skb);
++		dev_kfree_skb_any(skb);
+ 	} else {
+-		dev_kfree_skb(skb);
++		dev_kfree_skb_any(skb);
+ 		dev->stats.tx_dropped++;
+ 		return NETDEV_TX_OK;
+ 	}
+diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
+index a3bd0ba..0c26787 100644
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -5372,7 +5372,7 @@ static void rtl8169_tx_clear_range(struct rtl8169_private *tp, u32 start,
+ 					     tp->TxDescArray + entry);
+ 			if (skb) {
+ 				tp->dev->stats.tx_dropped++;
+-				dev_kfree_skb(skb);
++				dev_kfree_skb_any(skb);
+ 				tx_skb->skb = NULL;
+ 			}
+ 		}
+@@ -5651,7 +5651,7 @@ static netdev_tx_t rtl8169_start_xmit(struct sk_buff *skb,
+ err_dma_1:
+ 	rtl8169_unmap_tx_skb(d, tp->tx_skb + entry, txd);
+ err_dma_0:
+-	dev_kfree_skb(skb);
++	dev_kfree_skb_any(skb);
+ err_update_stats:
+ 	dev->stats.tx_dropped++;
+ 	return NETDEV_TX_OK;
+@@ -5734,7 +5734,7 @@ static void rtl8169_tx_interrupt(struct net_device *dev,
+ 		if (status & LastFrag) {
+ 			dev->stats.tx_packets++;
+ 			dev->stats.tx_bytes += tx_skb->skb->len;
+-			dev_kfree_skb(tx_skb->skb);
++			dev_kfree_skb_any(tx_skb->skb);
+ 			tx_skb->skb = NULL;
+ 		}
+ 		dirty_tx++;
+diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
+index 0e6e57e..7300447 100644
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -667,11 +667,15 @@ static unsigned long iov_pages(const struct iovec *iv, int offset,
+ 	return pages;
+ }
+ 
++/* Neighbour code has some assumptions on HH_DATA_MOD alignment */
++#define MACVTAP_RESERVE HH_DATA_OFF(ETH_HLEN)
++
+ /* Get packet from user space buffer */
+ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
+ 				const struct iovec *iv, unsigned long total_len,
+ 				size_t count, int noblock)
+ {
++	int good_linear = SKB_MAX_HEAD(MACVTAP_RESERVE);
+ 	struct sk_buff *skb;
+ 	struct macvlan_dev *vlan;
+ 	unsigned long len = total_len;
+@@ -714,6 +718,8 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
+ 
+ 	if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) {
+ 		copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN;
++		if (copylen > good_linear)
++			copylen = good_linear;
+ 		linear = copylen;
+ 		if (iov_pages(iv, vnet_hdr_len + copylen, count)
+ 		    <= MAX_SKB_FRAGS)
+@@ -722,10 +728,13 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
+ 
+ 	if (!zerocopy) {
+ 		copylen = len;
+-		linear = vnet_hdr.hdr_len;
++		if (vnet_hdr.hdr_len > good_linear)
++			linear = good_linear;
++		else
++			linear = vnet_hdr.hdr_len;
+ 	}
+ 
+-	skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen,
++	skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen,
+ 				linear, noblock, &err);
+ 	if (!skb)
+ 		goto err;
+diff --git a/drivers/net/ppp/ppp_deflate.c b/drivers/net/ppp/ppp_deflate.c
+index 1dbdf82..43764cc 100644
+--- a/drivers/net/ppp/ppp_deflate.c
++++ b/drivers/net/ppp/ppp_deflate.c
+@@ -268,7 +268,7 @@ static int z_compress(void *arg, unsigned char *rptr, unsigned char *obuf,
+ 	/*
+ 	 * See if we managed to reduce the size of the packet.
+ 	 */
+-	if (olen < isize) {
++	if (olen < isize && olen <= osize) {
+ 		state->stats.comp_bytes += olen;
+ 		state->stats.comp_packets++;
+ 	} else {
+diff --git a/drivers/net/usb/plusb.c b/drivers/net/usb/plusb.c
+index 217aec8..4a09110 100644
+--- a/drivers/net/usb/plusb.c
++++ b/drivers/net/usb/plusb.c
+@@ -139,6 +139,11 @@ static const struct usb_device_id	products [] = {
+ }, {
+ 	USB_DEVICE(0x050d, 0x258a),     /* Belkin F5U258/F5U279 (PL-25A1) */
+ 	.driver_info =  (unsigned long) &prolific_info,
++}, {
++	USB_DEVICE(0x3923, 0x7825),     /* National Instruments USB
++					 * Host-to-Host Cable
++					 */
++	.driver_info =  (unsigned long) &prolific_info,
+ },
+ 
+ 	{ },		// END
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 0d9914b..c64a60e 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -1053,8 +1053,7 @@ err:
+ 
+ static int xennet_change_mtu(struct net_device *dev, int mtu)
+ {
+-	int max = xennet_can_sg(dev) ?
+-		XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER : ETH_DATA_LEN;
++	int max = xennet_can_sg(dev) ? XEN_NETIF_MAX_TX_SIZE : ETH_DATA_LEN;
+ 
+ 	if (mtu > max)
+ 		return -EINVAL;
+@@ -1329,8 +1328,6 @@ static struct net_device * __devinit xennet_create_dev(struct xenbus_device *dev
+ 	SET_ETHTOOL_OPS(netdev, &xennet_ethtool_ops);
+ 	SET_NETDEV_DEV(netdev, &dev->dev);
+ 
+-	netif_set_gso_max_size(netdev, XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER);
+-
+ 	np->netdev = netdev;
+ 
+ 	netif_carrier_off(netdev);
+diff --git a/drivers/pci/hotplug.c b/drivers/pci/hotplug.c
+index 2b5352a..3b70f5c 100644
+--- a/drivers/pci/hotplug.c
++++ b/drivers/pci/hotplug.c
+@@ -27,7 +27,7 @@ int pci_uevent(struct device *dev, struct kobj_uevent_env *env)
+ 	if (add_uevent_var(env, "PCI_SLOT_NAME=%s", pci_name(pdev)))
+ 		return -ENOMEM;
+ 
+-	if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x",
++	if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X",
+ 			   pdev->vendor, pdev->device,
+ 			   pdev->subsystem_vendor, pdev->subsystem_device,
+ 			   (u8)(pdev->class >> 16), (u8)(pdev->class >> 8),
+diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
+index 48ebdb2..e31659c 100644
+--- a/drivers/pci/rom.c
++++ b/drivers/pci/rom.c
+@@ -69,6 +69,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
+ {
+ 	void __iomem *image;
+ 	int last_image;
++	unsigned length;
+ 
+ 	image = rom;
+ 	do {
+@@ -91,9 +92,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
+ 		if (readb(pds + 3) != 'R')
+ 			break;
+ 		last_image = readb(pds + 21) & 0x80;
+-		/* this length is reliable */
+-		image += readw(pds + 16) * 512;
+-	} while (!last_image);
++		length = readw(pds + 16);
++		image += length * 512;
++	} while (length && !last_image);
+ 
+ 	/* never return a size larger than the PCI resource window */
+ 	/* there are known ROMs that get the size wrong */
+diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
+index 379c696..b9ee9f3 100644
+--- a/drivers/scsi/be2iscsi/be_main.c
++++ b/drivers/scsi/be2iscsi/be_main.c
+@@ -424,7 +424,6 @@ static struct beiscsi_hba *beiscsi_hba_alloc(struct pci_dev *pcidev)
+ 			"iscsi_host_alloc failed\n");
+ 		return NULL;
+ 	}
+-	shost->dma_boundary = pcidev->dma_mask;
+ 	shost->max_id = BE2_MAX_SESSIONS;
+ 	shost->max_channel = 0;
+ 	shost->max_cmd_len = BEISCSI_MAX_CMD_LEN;
+@@ -4398,9 +4397,9 @@ free_port:
+ hba_free:
+ 	if (phba->msix_enabled)
+ 		pci_disable_msix(phba->pcidev);
+-	iscsi_host_remove(phba->shost);
+ 	pci_dev_put(phba->pcidev);
+ 	iscsi_host_free(phba->shost);
++	pci_set_drvdata(pcidev, NULL);
+ disable_pci:
+ 	pci_disable_device(pcidev);
+ 	return ret;
+diff --git a/drivers/scsi/libsas/sas_discover.c b/drivers/scsi/libsas/sas_discover.c
+index 54a5199..676e169 100644
+--- a/drivers/scsi/libsas/sas_discover.c
++++ b/drivers/scsi/libsas/sas_discover.c
+@@ -336,14 +336,16 @@ static void sas_revalidate_domain(struct work_struct *work)
+ 	struct sas_discovery_event *ev =
+ 		container_of(work, struct sas_discovery_event, work);
+ 	struct asd_sas_port *port = ev->port;
++	struct domain_device *ddev = port->port_dev;
+ 
+ 	sas_begin_event(DISCE_REVALIDATE_DOMAIN, &port->disc.disc_event_lock,
+ 			&port->disc.pending);
+ 
+ 	SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id,
+ 		    task_pid_nr(current));
+-	if (port->port_dev)
+-		res = sas_ex_revalidate_domain(port->port_dev);
++	if (ddev && (ddev->dev_type == FANOUT_DEV ||
++		     ddev->dev_type == EDGE_DEV))
++		res = sas_ex_revalidate_domain(ddev);
+ 
+ 	SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 0x%x\n",
+ 		    port->id, task_pid_nr(current), res);
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 0bdc4a7..f6a464a 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -1206,9 +1206,11 @@ int scsi_prep_state_check(struct scsi_device *sdev, struct request *req)
+ 				    "rejecting I/O to dead device\n");
+ 			ret = BLKPREP_KILL;
+ 			break;
+-		case SDEV_QUIESCE:
+ 		case SDEV_BLOCK:
+ 		case SDEV_CREATED_BLOCK:
++			ret = BLKPREP_DEFER;
++			break;
++		case SDEV_QUIESCE:
+ 			/*
+ 			 * If the devices is blocked we defer normal commands.
+ 			 */
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 441a1c5..2d25616 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -498,7 +498,7 @@ static ssize_t
+ sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp)
+ {
+ 	sg_io_hdr_t *hp = &srp->header;
+-	int err = 0;
++	int err = 0, err2;
+ 	int len;
+ 
+ 	if (count < SZ_SG_IO_HDR) {
+@@ -527,8 +527,8 @@ sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp)
+ 		goto err_out;
+ 	}
+ err_out:
+-	err = sg_finish_rem_req(srp);
+-	return (0 == err) ? count : err;
++	err2 = sg_finish_rem_req(srp);
++	return err ? : err2 ? : count;
+ }
+ 
+ static ssize_t
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index bbdf0cf..9fc34e6 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -786,13 +786,13 @@ static void spi_hw_init(struct dw_spi *dws)
+ 	 */
+ 	if (!dws->fifo_len) {
+ 		u32 fifo;
+-		for (fifo = 2; fifo <= 256; fifo++) {
++		for (fifo = 1; fifo < 256; fifo++) {
+ 			dw_writew(dws, DW_SPI_TXFLTR, fifo);
+ 			if (fifo != dw_readw(dws, DW_SPI_TXFLTR))
+ 				break;
+ 		}
+ 
+-		dws->fifo_len = (fifo == 2) ? 0 : fifo - 1;
++		dws->fifo_len = (fifo == 1) ? 0 : fifo;
+ 		dw_writew(dws, DW_SPI_TXFLTR, 0);
+ 	}
+ }
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index 830adbe..1556db9 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -241,7 +241,10 @@ static int spidev_message(struct spidev_data *spidev,
+ 		k_tmp->len = u_tmp->len;
+ 
+ 		total += k_tmp->len;
+-		if (total > bufsiz) {
++		/* Check total length of transfers.  Also check each
++		 * transfer length to avoid arithmetic overflow.
++		 */
++		if (total > bufsiz || k_tmp->len > bufsiz) {
+ 			status = -EMSGSIZE;
+ 			goto done;
+ 		}
+diff --git a/drivers/staging/comedi/comedi_compat32.c b/drivers/staging/comedi/comedi_compat32.c
+index 41a7a62..a8a0c0f 100644
+--- a/drivers/staging/comedi/comedi_compat32.c
++++ b/drivers/staging/comedi/comedi_compat32.c
+@@ -271,7 +271,7 @@ static int compat_cmd(struct file *file, unsigned long arg)
+ {
+ 	struct comedi_cmd __user *cmd;
+ 	struct comedi32_cmd_struct __user *cmd32;
+-	int rc;
++	int rc, err;
+ 
+ 	cmd32 = compat_ptr(arg);
+ 	cmd = compat_alloc_user_space(sizeof(*cmd));
+@@ -280,7 +280,15 @@ static int compat_cmd(struct file *file, unsigned long arg)
+ 	if (rc)
+ 		return rc;
+ 
+-	return translated_ioctl(file, COMEDI_CMD, (unsigned long)cmd);
++	rc = translated_ioctl(file, COMEDI_CMD, (unsigned long)cmd);
++	if (rc == -EAGAIN) {
++		/* Special case: copy cmd back to user. */
++		err = put_compat_cmd(cmd32, cmd);
++		if (err)
++			rc = err;
++	}
++
++	return rc;
+ }
+ 
+ /* Handle 32-bit COMEDI_CMDTEST ioctl. */
+diff --git a/drivers/staging/iio/imu/adis16400_core.c b/drivers/staging/iio/imu/adis16400_core.c
+index d082a37..57cb92f 100644
+--- a/drivers/staging/iio/imu/adis16400_core.c
++++ b/drivers/staging/iio/imu/adis16400_core.c
+@@ -25,6 +25,7 @@
+ #include <linux/sysfs.h>
+ #include <linux/list.h>
+ #include <linux/module.h>
++#include <linux/bitops.h>
+ 
+ #include "../iio.h"
+ #include "../sysfs.h"
+@@ -541,7 +542,7 @@ static int adis16400_read_raw(struct iio_dev *indio_dev,
+ 		mutex_unlock(&indio_dev->mlock);
+ 		if (ret)
+ 			return ret;
+-		val16 = ((val16 & 0xFFF) << 4) >> 4;
++		val16 = sign_extend32(val16, 11);
+ 		*val = val16;
+ 		return IIO_VAL_INT;
+ 	case (1 << IIO_CHAN_INFO_OFFSET_SEPARATE):
+diff --git a/drivers/staging/iio/industrialio-core.c b/drivers/staging/iio/industrialio-core.c
+index aec9311..f0abf29 100644
+--- a/drivers/staging/iio/industrialio-core.c
++++ b/drivers/staging/iio/industrialio-core.c
+@@ -711,6 +711,7 @@ static void iio_device_unregister_sysfs(struct iio_dev *indio_dev)
+ 		iio_device_remove_and_free_read_attr(indio_dev, p);
+ 	}
+ 	kfree(indio_dev->chan_attr_group.attrs);
++	indio_dev->chan_attr_group.attrs = NULL;
+ }
+ 
+ static const char * const iio_ev_type_text[] = {
+@@ -986,6 +987,7 @@ static int iio_device_register_eventset(struct iio_dev *indio_dev)
+ error_free_setup_event_lines:
+ 	__iio_remove_event_config_attrs(indio_dev);
+ 	kfree(indio_dev->event_interface);
++	indio_dev->event_interface = NULL;
+ error_ret:
+ 
+ 	return ret;
+diff --git a/drivers/staging/vt6655/rf.c b/drivers/staging/vt6655/rf.c
+index b8ec783..3003363 100644
+--- a/drivers/staging/vt6655/rf.c
++++ b/drivers/staging/vt6655/rf.c
+@@ -1029,6 +1029,7 @@ unsigned char byPwrdBm = 0;
+ 		break;
+     case RATE_6M:
+     case RATE_9M:
++    case RATE_12M:
+     case RATE_18M:
+         byPwr = pDevice->abyOFDMPwrTbl[uCH];
+         if (pDevice->byRFType == RF_UW2452) {
+diff --git a/drivers/target/iscsi/iscsi_target_tq.c b/drivers/target/iscsi/iscsi_target_tq.c
+index 0baac5b..3f59a80 100644
+--- a/drivers/target/iscsi/iscsi_target_tq.c
++++ b/drivers/target/iscsi/iscsi_target_tq.c
+@@ -26,36 +26,22 @@
+ #include "iscsi_target_tq.h"
+ #include "iscsi_target.h"
+ 
+-static LIST_HEAD(active_ts_list);
+ static LIST_HEAD(inactive_ts_list);
+-static DEFINE_SPINLOCK(active_ts_lock);
+ static DEFINE_SPINLOCK(inactive_ts_lock);
+ static DEFINE_SPINLOCK(ts_bitmap_lock);
+ 
+-static void iscsi_add_ts_to_active_list(struct iscsi_thread_set *ts)
+-{
+-	spin_lock(&active_ts_lock);
+-	list_add_tail(&ts->ts_list, &active_ts_list);
+-	iscsit_global->active_ts++;
+-	spin_unlock(&active_ts_lock);
+-}
+-
+ extern void iscsi_add_ts_to_inactive_list(struct iscsi_thread_set *ts)
+ {
++	if (!list_empty(&ts->ts_list)) {
++		WARN_ON(1);
++		return;
++	}
+ 	spin_lock(&inactive_ts_lock);
+ 	list_add_tail(&ts->ts_list, &inactive_ts_list);
+ 	iscsit_global->inactive_ts++;
+ 	spin_unlock(&inactive_ts_lock);
+ }
+ 
+-static void iscsi_del_ts_from_active_list(struct iscsi_thread_set *ts)
+-{
+-	spin_lock(&active_ts_lock);
+-	list_del(&ts->ts_list);
+-	iscsit_global->active_ts--;
+-	spin_unlock(&active_ts_lock);
+-}
+-
+ static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void)
+ {
+ 	struct iscsi_thread_set *ts;
+@@ -69,7 +55,7 @@ static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void)
+ 	list_for_each_entry(ts, &inactive_ts_list, ts_list)
+ 		break;
+ 
+-	list_del(&ts->ts_list);
++	list_del_init(&ts->ts_list);
+ 	iscsit_global->inactive_ts--;
+ 	spin_unlock(&inactive_ts_lock);
+ 
+@@ -220,8 +206,6 @@ static void iscsi_deallocate_extra_thread_sets(void)
+ 
+ void iscsi_activate_thread_set(struct iscsi_conn *conn, struct iscsi_thread_set *ts)
+ {
+-	iscsi_add_ts_to_active_list(ts);
+-
+ 	spin_lock_bh(&ts->ts_state_lock);
+ 	conn->thread_set = ts;
+ 	ts->conn = conn;
+@@ -424,7 +408,6 @@ struct iscsi_conn *iscsi_rx_thread_pre_handler(struct iscsi_thread_set *ts)
+ 
+ 	if (ts->delay_inactive && (--ts->thread_count == 0)) {
+ 		spin_unlock_bh(&ts->ts_state_lock);
+-		iscsi_del_ts_from_active_list(ts);
+ 
+ 		if (!iscsit_global->in_shutdown)
+ 			iscsi_deallocate_extra_thread_sets();
+@@ -477,7 +460,6 @@ struct iscsi_conn *iscsi_tx_thread_pre_handler(struct iscsi_thread_set *ts)
+ 
+ 	if (ts->delay_inactive && (--ts->thread_count == 0)) {
+ 		spin_unlock_bh(&ts->ts_state_lock);
+-		iscsi_del_ts_from_active_list(ts);
+ 
+ 		if (!iscsit_global->in_shutdown)
+ 			iscsi_deallocate_extra_thread_sets();
+@@ -536,10 +518,8 @@ int iscsi_thread_set_init(void)
+ 		return -ENOMEM;
+ 	}
+ 
+-	spin_lock_init(&active_ts_lock);
+ 	spin_lock_init(&inactive_ts_lock);
+ 	spin_lock_init(&ts_bitmap_lock);
+-	INIT_LIST_HEAD(&active_ts_list);
+ 	INIT_LIST_HEAD(&inactive_ts_list);
+ 
+ 	return 0;
+diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
+index e813227..ebf9b60 100644
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -1168,7 +1168,7 @@ static u32 pscsi_get_device_type(struct se_device *dev)
+ 	struct pscsi_dev_virt *pdv = dev->dev_ptr;
+ 	struct scsi_device *sd = pdv->pdv_sd;
+ 
+-	return sd->type;
++	return (sd) ? sd->type : TYPE_NO_LUN;
+ }
+ 
+ static sector_t pscsi_get_blocks(struct se_device *dev)
+diff --git a/drivers/target/tcm_fc/tfc_io.c b/drivers/target/tcm_fc/tfc_io.c
+index ada131c..cebd235 100644
+--- a/drivers/target/tcm_fc/tfc_io.c
++++ b/drivers/target/tcm_fc/tfc_io.c
+@@ -335,7 +335,7 @@ void ft_invl_hw_context(struct ft_cmd *cmd)
+ 		ep = fc_seq_exch(seq);
+ 		if (ep) {
+ 			lport = ep->lp;
+-			if (lport && (ep->xid <= lport->lro_xid))
++			if (lport && (ep->xid <= lport->lro_xid)) {
+ 				/*
+ 				 * "ddp_done" trigger invalidation of HW
+ 				 * specific DDP context
+@@ -350,6 +350,7 @@ void ft_invl_hw_context(struct ft_cmd *cmd)
+ 				 * identified using ep->xid)
+ 				 */
+ 				cmd->was_ddp_setup = 0;
++			}
+ 		}
+ 	}
+ }
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index 4735928..e753be2 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -175,6 +175,9 @@ static int pty_signal(struct tty_struct *tty, int sig)
+ 	unsigned long flags;
+ 	struct pid *pgrp;
+ 
++	if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP)
++		return -EINVAL;
++
+ 	if (tty->link) {
+ 		spin_lock_irqsave(&tty->link->ctrl_lock, flags);
+ 		pgrp = get_pid(tty->link->pgrp);
+diff --git a/drivers/tty/serial/8250_pci.c b/drivers/tty/serial/8250_pci.c
+index ef24e96..c1c1e52 100644
+--- a/drivers/tty/serial/8250_pci.c
++++ b/drivers/tty/serial/8250_pci.c
+@@ -67,7 +67,7 @@ static void moan_device(const char *str, struct pci_dev *dev)
+ 	       "Please send the output of lspci -vv, this\n"
+ 	       "message (0x%04x,0x%04x,0x%04x,0x%04x), the\n"
+ 	       "manufacturer and name of serial board or\n"
+-	       "modem board to rmk+serial@arm.linux.org.uk.\n",
++	       "modem board to <linux-serial@vger.kernel.org>.\n",
+ 	       pci_name(dev), str, dev->vendor, dev->device,
+ 	       dev->subsystem_vendor, dev->subsystem_device);
+ }
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 613f06a..fa59fbe 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -943,8 +943,8 @@ EXPORT_SYMBOL(start_tty);
+ /* We limit tty time update visibility to every 8 seconds or so. */
+ static void tty_update_time(struct timespec *time)
+ {
+-	unsigned long sec = get_seconds() & ~7;
+-	if ((long)(sec - time->tv_sec) > 0)
++	unsigned long sec = get_seconds();
++	if (abs(sec - time->tv_sec) & ~7)
+ 		time->tv_sec = sec;
+ }
+ 
+diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c
+index 937f927..1740117 100644
+--- a/drivers/tty/tty_ioctl.c
++++ b/drivers/tty/tty_ioctl.c
+@@ -154,11 +154,17 @@ void tty_wait_until_sent(struct tty_struct *tty, long timeout)
+ #endif
+ 	if (!timeout)
+ 		timeout = MAX_SCHEDULE_TIMEOUT;
++
+ 	if (wait_event_interruptible_timeout(tty->write_wait,
+-			!tty_chars_in_buffer(tty), timeout) >= 0) {
+-		if (tty->ops->wait_until_sent)
+-			tty->ops->wait_until_sent(tty, timeout);
++			!tty_chars_in_buffer(tty), timeout) < 0) {
++		return;
+ 	}
++
++	if (timeout == MAX_SCHEDULE_TIMEOUT)
++		timeout = 0;
++
++	if (tty->ops->wait_until_sent)
++		tty->ops->wait_until_sent(tty, timeout);
+ }
+ EXPORT_SYMBOL(tty_wait_until_sent);
+ 
+diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
+index 632df54f..c51803f 100644
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -499,6 +499,7 @@ void invert_screen(struct vc_data *vc, int offset, int count, int viewed)
+ #endif
+ 	if (DO_UPDATE(vc))
+ 		do_update_region(vc, (unsigned long) p, count);
++	notify_update(vc);
+ }
+ 
+ /* used by selection: complement pointer position */
+@@ -515,6 +516,7 @@ void complement_pos(struct vc_data *vc, int offset)
+ 		scr_writew(old, screenpos(vc, old_offset, 1));
+ 		if (DO_UPDATE(vc))
+ 			vc->vc_sw->con_putc(vc, old, oldy, oldx);
++		notify_update(vc);
+ 	}
+ 
+ 	old_offset = offset;
+@@ -532,8 +534,8 @@ void complement_pos(struct vc_data *vc, int offset)
+ 			oldy = (offset >> 1) / vc->vc_cols;
+ 			vc->vc_sw->con_putc(vc, new, oldy, oldx);
+ 		}
++		notify_update(vc);
+ 	}
+-
+ }
+ 
+ static void insert_char(struct vc_data *vc, unsigned int nr)
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index d38d88e..360ddb5 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -911,6 +911,7 @@ static int acm_probe(struct usb_interface *intf,
+ 	unsigned long quirks;
+ 	int num_rx_buf;
+ 	int i;
++	unsigned int elength = 0;
+ 	int combined_interfaces = 0;
+ 
+ 	/* normal quirks */
+@@ -950,9 +951,12 @@ static int acm_probe(struct usb_interface *intf,
+ 			dev_err(&intf->dev, "skipping garbage\n");
+ 			goto next_desc;
+ 		}
++		elength = buffer[0];
+ 
+ 		switch (buffer[2]) {
+ 		case USB_CDC_UNION_TYPE: /* we've found it */
++			if (elength < sizeof(struct usb_cdc_union_desc))
++				goto next_desc;
+ 			if (union_header) {
+ 				dev_err(&intf->dev, "More than one "
+ 					"union descriptor, skipping ...\n");
+@@ -961,31 +965,38 @@ static int acm_probe(struct usb_interface *intf,
+ 			union_header = (struct usb_cdc_union_desc *)buffer;
+ 			break;
+ 		case USB_CDC_COUNTRY_TYPE: /* export through sysfs*/
++			if (elength < sizeof(struct usb_cdc_country_functional_desc))
++				goto next_desc;
+ 			cfd = (struct usb_cdc_country_functional_desc *)buffer;
+ 			break;
+ 		case USB_CDC_HEADER_TYPE: /* maybe check version */
+ 			break; /* for now we ignore it */
+ 		case USB_CDC_ACM_TYPE:
++			if (elength < 4)
++				goto next_desc;
+ 			ac_management_function = buffer[3];
+ 			break;
+ 		case USB_CDC_CALL_MANAGEMENT_TYPE:
++			if (elength < 5)
++				goto next_desc;
+ 			call_management_function = buffer[3];
+ 			call_interface_num = buffer[4];
+ 			if ( (quirks & NOT_A_MODEM) == 0 && (call_management_function & 3) != 3)
+ 				dev_err(&intf->dev, "This device cannot do calls on its own. It is not a modem.\n");
+ 			break;
+ 		default:
+-			/* there are LOTS more CDC descriptors that
++			/*
++			 * there are LOTS more CDC descriptors that
+ 			 * could legitimately be found here.
+ 			 */
+ 			dev_dbg(&intf->dev, "Ignoring descriptor: "
+-					"type %02x, length %d\n",
+-					buffer[2], buffer[0]);
++					"type %02x, length %ud\n",
++					buffer[2], elength);
+ 			break;
+ 		}
+ next_desc:
+-		buflen -= buffer[0];
+-		buffer += buffer[0];
++		buflen -= elength;
++		buffer += elength;
+ 	}
+ 
+ 	if (!union_header) {
+diff --git a/drivers/usb/core/buffer.c b/drivers/usb/core/buffer.c
+index b0585e6..19fa68a 100644
+--- a/drivers/usb/core/buffer.c
++++ b/drivers/usb/core/buffer.c
+@@ -22,17 +22,25 @@
+  */
+ 
+ /* FIXME tune these based on pool statistics ... */
+-static const size_t	pool_max[HCD_BUFFER_POOLS] = {
+-	/* platforms without dma-friendly caches might need to
+-	 * prevent cacheline sharing...
+-	 */
+-	32,
+-	128,
+-	512,
+-	PAGE_SIZE / 2
+-	/* bigger --> allocate pages */
++static size_t pool_max[HCD_BUFFER_POOLS] = {
++	32, 128, 512, 2048,
+ };
+ 
++void __init usb_init_pool_max(void)
++{
++	/*
++	 * The pool_max values must never be smaller than
++	 * ARCH_KMALLOC_MINALIGN.
++	 */
++	if (ARCH_KMALLOC_MINALIGN <= 32)
++		;			/* Original value is okay */
++	else if (ARCH_KMALLOC_MINALIGN <= 64)
++		pool_max[0] = 64;
++	else if (ARCH_KMALLOC_MINALIGN <= 128)
++		pool_max[0] = 0;	/* Don't use this pool */
++	else
++		BUILD_BUG();		/* We don't allow this */
++}
+ 
+ /* SETUP primitives */
+ 
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 49257b3..64340f3 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -406,6 +406,7 @@ static void async_completed(struct urb *urb)
+ 	as->status = urb->status;
+ 	signr = as->signr;
+ 	if (signr) {
++		memset(&sinfo, 0, sizeof(sinfo));
+ 		sinfo.si_signo = as->signr;
+ 		sinfo.si_errno = as->status;
+ 		sinfo.si_code = SI_ASYNCIO;
+@@ -2031,6 +2032,7 @@ static void usbdev_remove(struct usb_device *udev)
+ 		wake_up_all(&ps->wait);
+ 		list_del_init(&ps->list);
+ 		if (ps->discsignr) {
++			memset(&sinfo, 0, sizeof(sinfo));
+ 			sinfo.si_signo = ps->discsignr;
+ 			sinfo.si_errno = EPIPE;
+ 			sinfo.si_code = SI_ASYNCIO;
+diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
+index cc13abf..c105ba3 100644
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -1664,6 +1664,18 @@ static int autosuspend_check(struct usb_device *udev)
+ 		dev_dbg(&udev->dev, "remote wakeup needed for autosuspend\n");
+ 		return -EOPNOTSUPP;
+ 	}
++
++	/*
++	 * If the device is a direct child of the root hub and the HCD
++	 * doesn't handle wakeup requests, don't allow autosuspend when
++	 * wakeup is needed.
++	 */
++	if (w && udev->parent == udev->bus->root_hub &&
++			bus_to_hcd(udev->bus)->cant_recv_wakeups) {
++		dev_dbg(&udev->dev, "HCD doesn't handle wakeup requests\n");
++		return -EOPNOTSUPP;
++	}
++
+ 	udev->do_remote_wakeup = w;
+ 	return 0;
+ }
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index c0ee52a..eb2c3bd 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -1542,6 +1542,7 @@ static int unlink1(struct usb_hcd *hcd, struct urb *urb, int status)
+ int usb_hcd_unlink_urb (struct urb *urb, int status)
+ {
+ 	struct usb_hcd		*hcd;
++	struct usb_device	*udev = urb->dev;
+ 	int			retval = -EIDRM;
+ 	unsigned long		flags;
+ 
+@@ -1553,20 +1554,19 @@ int usb_hcd_unlink_urb (struct urb *urb, int status)
+ 	spin_lock_irqsave(&hcd_urb_unlink_lock, flags);
+ 	if (atomic_read(&urb->use_count) > 0) {
+ 		retval = 0;
+-		usb_get_dev(urb->dev);
++		usb_get_dev(udev);
+ 	}
+ 	spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags);
+ 	if (retval == 0) {
+ 		hcd = bus_to_hcd(urb->dev->bus);
+ 		retval = unlink1(hcd, urb, status);
+-		usb_put_dev(urb->dev);
++		if (retval == 0)
++			retval = -EINPROGRESS;
++		else if (retval != -EIDRM && retval != -EBUSY)
++			dev_dbg(&udev->dev, "hcd_unlink_urb %p fail %d\n",
++					urb, retval);
++		usb_put_dev(udev);
+ 	}
+-
+-	if (retval == 0)
+-		retval = -EINPROGRESS;
+-	else if (retval != -EIDRM && retval != -EBUSY)
+-		dev_dbg(&urb->dev->dev, "hcd_unlink_urb %p fail %d\n",
+-				urb, retval);
+ 	return retval;
+ }
+ 
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index 73cd900..9044ef6 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -1010,6 +1010,7 @@ static int __init usb_init(void)
+ 		pr_info("%s: USB support disabled\n", usbcore_name);
+ 		return 0;
+ 	}
++	usb_init_pool_max();
+ 
+ 	retval = usb_debugfs_init();
+ 	if (retval)
+diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
+index 7138540..ce7253b 100644
+--- a/drivers/usb/gadget/inode.c
++++ b/drivers/usb/gadget/inode.c
+@@ -570,6 +570,7 @@ static ssize_t ep_aio_read_retry(struct kiocb *iocb)
+ 			break;
+ 	}
+ 	kfree(priv->buf);
++	kfree(priv->iv);
+ 	kfree(priv);
+ 	return len;
+ }
+@@ -591,6 +592,7 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
+ 	 */
+ 	if (priv->iv == NULL || unlikely(req->actual == 0)) {
+ 		kfree(req->buf);
++		kfree(priv->iv);
+ 		kfree(priv);
+ 		iocb->private = NULL;
+ 		/* aio_complete() reports bytes-transferred _and_ faults */
+@@ -626,7 +628,7 @@ ep_aio_rwtail(
+ 	struct usb_request	*req;
+ 	ssize_t			value;
+ 
+-	priv = kmalloc(sizeof *priv, GFP_KERNEL);
++	priv = kzalloc(sizeof *priv, GFP_KERNEL);
+ 	if (!priv) {
+ 		value = -ENOMEM;
+ fail:
+@@ -634,11 +636,19 @@ fail:
+ 		return value;
+ 	}
+ 	iocb->private = priv;
+-	priv->iv = iv;
++	if (iv) {
++		priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec),
++				   GFP_KERNEL);
++		if (!priv->iv) {
++			kfree(priv);
++			goto fail;
++		}
++	}
+ 	priv->nr_segs = nr_segs;
+ 
+ 	value = get_ready_ep(iocb->ki_filp->f_flags, epdata);
+ 	if (unlikely(value < 0)) {
++		kfree(priv->iv);
+ 		kfree(priv);
+ 		goto fail;
+ 	}
+@@ -672,6 +682,7 @@ fail:
+ 	mutex_unlock(&epdata->lock);
+ 
+ 	if (unlikely(value)) {
++		kfree(priv->iv);
+ 		kfree(priv);
+ 		put_ep(epdata);
+ 	} else
+diff --git a/drivers/usb/host/isp1760-hcd.c b/drivers/usb/host/isp1760-hcd.c
+index 27dfab8..a4c2369 100644
+--- a/drivers/usb/host/isp1760-hcd.c
++++ b/drivers/usb/host/isp1760-hcd.c
+@@ -2254,6 +2254,9 @@ struct usb_hcd *isp1760_register(phys_addr_t res_start, resource_size_t res_len,
+ 	hcd->rsrc_start = res_start;
+ 	hcd->rsrc_len = res_len;
+ 
++	/* This driver doesn't support wakeup requests */
++	hcd->cant_recv_wakeups = 1;
++
+ 	ret = usb_add_hcd(hcd, irq, irqflags);
+ 	if (ret)
+ 		goto err_unmap;
+diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
+index a8bbeed..c1fa92e 100644
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -385,6 +385,10 @@ static void xhci_clear_port_change_bit(struct xhci_hcd *xhci, u16 wValue,
+ 		status = PORT_PLC;
+ 		port_change_bit = "link state";
+ 		break;
++	case USB_PORT_FEAT_C_PORT_CONFIG_ERROR:
++		status = PORT_CEC;
++		port_change_bit = "config error";
++		break;
+ 	default:
+ 		/* Should never happen */
+ 		return;
+@@ -592,6 +596,8 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
+ 				status |= USB_PORT_STAT_C_LINK_STATE << 16;
+ 			if ((temp & PORT_WRC))
+ 				status |= USB_PORT_STAT_C_BH_RESET << 16;
++			if ((temp & PORT_CEC))
++				status |= USB_PORT_STAT_C_CONFIG_ERROR << 16;
+ 		}
+ 
+ 		if (hcd->speed != HCD_USB3) {
+@@ -868,6 +874,7 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue,
+ 		case USB_PORT_FEAT_C_OVER_CURRENT:
+ 		case USB_PORT_FEAT_C_ENABLE:
+ 		case USB_PORT_FEAT_C_PORT_LINK_STATE:
++		case USB_PORT_FEAT_C_PORT_CONFIG_ERROR:
+ 			xhci_clear_port_change_bit(xhci, wValue, wIndex,
+ 					port_array[wIndex], temp);
+ 			break;
+@@ -916,7 +923,7 @@ int xhci_hub_status_data(struct usb_hcd *hcd, char *buf)
+ 	memset(buf, 0, retval);
+ 	status = 0;
+ 
+-	mask = PORT_CSC | PORT_PEC | PORT_OCC | PORT_PLC | PORT_WRC;
++	mask = PORT_CSC | PORT_PEC | PORT_OCC | PORT_PLC | PORT_WRC | PORT_CEC;
+ 
+ 	spin_lock_irqsave(&xhci->lock, flags);
+ 	/* For each port, did anything change?  If so, set that bit in buf. */
+diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
+index a464dbc..a30f9e5 100644
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -36,6 +36,9 @@
+ 
+ #define PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI	0x8c31
+ #define PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI	0x9c31
++#define PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI		0x22b5
++#define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI		0xa12f
++#define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI	0x9d2f
+ 
+ static const char hcd_name[] = "xhci_hcd";
+ 
+@@ -102,6 +105,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
+ 	if (pdev->vendor == PCI_VENDOR_ID_AMD)
+ 		xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+ 
++	if (pdev->vendor == PCI_VENDOR_ID_INTEL)
++		xhci->quirks |= XHCI_AVOID_BEI;
+ 	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+ 			pdev->device == PCI_DEVICE_ID_INTEL_PANTHERPOINT_XHCI) {
+ 		xhci->quirks |= XHCI_EP_LIMIT_QUIRK;
+@@ -116,7 +121,12 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
+ 		 * PPT chipsets.
+ 		 */
+ 		xhci->quirks |= XHCI_SPURIOUS_REBOOT;
+-		xhci->quirks |= XHCI_AVOID_BEI;
++	}
++	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
++		(pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
++		 pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI ||
++		 pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI)) {
++		xhci->quirks |= XHCI_PME_STUCK_QUIRK;
+ 	}
+ 	if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
+ 			pdev->device == PCI_DEVICE_ID_ASROCK_P67) {
+@@ -128,6 +138,21 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
+ 		xhci->quirks |= XHCI_RESET_ON_RESUME;
+ }
+ 
++/*
++ * Make sure PME works on some Intel xHCI controllers by writing 1 to clear
++ * the Internal PME flag bit in vendor specific PMCTRL register at offset 0x80a4
++ */
++static void xhci_pme_quirk(struct xhci_hcd *xhci)
++{
++	u32 val;
++	void __iomem *reg;
++
++	reg = (void __iomem *) xhci->cap_regs + 0x80a4;
++	val = readl(reg);
++	writel(val | BIT(28), reg);
++	readl(reg);
++}
++
+ /* called during probe() after chip reset completes */
+ static int xhci_pci_setup(struct usb_hcd *hcd)
+ {
+@@ -235,6 +260,9 @@ static int xhci_pci_suspend(struct usb_hcd *hcd, bool do_wakeup)
+ 			xhci->shared_hcd->state != HC_STATE_SUSPENDED)
+ 		return -EINVAL;
+ 
++	if (xhci->quirks & XHCI_PME_STUCK_QUIRK)
++		xhci_pme_quirk(xhci);
++
+ 	retval = xhci_suspend(xhci, do_wakeup);
+ 
+ 	return retval;
+@@ -265,6 +293,9 @@ static int xhci_pci_resume(struct usb_hcd *hcd, bool hibernated)
+ 	if (usb_is_intel_switchable_xhci(pdev))
+ 		usb_enable_xhci_ports(pdev);
+ 
++	if (xhci->quirks & XHCI_PME_STUCK_QUIRK)
++		xhci_pme_quirk(xhci);
++
+ 	retval = xhci_resume(xhci, hibernated);
+ 	return retval;
+ }
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 3755274..25e9eb4 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1980,7 +1980,7 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
+ 	if (event_trb != ep_ring->dequeue) {
+ 		/* The event was for the status stage */
+ 		if (event_trb == td->last_trb) {
+-			if (td->urb->actual_length != 0) {
++			if (td->urb_length_set) {
+ 				/* Don't overwrite a previously set error code
+ 				 */
+ 				if ((*status == -EINPROGRESS || *status == 0) &&
+@@ -1994,7 +1994,13 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
+ 					td->urb->transfer_buffer_length;
+ 			}
+ 		} else {
+-		/* Maybe the event was for the data stage? */
++			/*
++			 * Maybe the event was for the data stage? If so, update
++			 * already the actual_length of the URB and flag it as
++			 * set, so that it is not overwritten in the event for
++			 * the last TRB.
++			 */
++			td->urb_length_set = true;
+ 			td->urb->actual_length =
+ 				td->urb->transfer_buffer_length -
+ 				EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
+diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
+index 2090a03..efbdf83 100644
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1,3 +1,4 @@
++
+ /*
+  * xHCI host controller driver
+  *
+@@ -88,9 +89,10 @@ struct xhci_cap_regs {
+ #define HCS_IST(p)		(((p) >> 0) & 0xf)
+ /* bits 4:7, max number of Event Ring segments */
+ #define HCS_ERST_MAX(p)		(((p) >> 4) & 0xf)
++/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */
+ /* bit 26 Scratchpad restore - for save/restore HW state - not used yet */
+-/* bits 27:31 number of Scratchpad buffers SW must allocate for the HW */
+-#define HCS_MAX_SCRATCHPAD(p)   (((p) >> 27) & 0x1f)
++/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */
++#define HCS_MAX_SCRATCHPAD(p)   ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f))
+ 
+ /* HCSPARAMS3 - hcs_params3 - bitmasks */
+ /* bits 0:7, Max U1 to U0 latency for the roothub ports */
+@@ -1255,6 +1257,8 @@ struct xhci_td {
+ 	struct xhci_segment	*start_seg;
+ 	union xhci_trb		*first_trb;
+ 	union xhci_trb		*last_trb;
++	/* actual_length of the URB has already been set */
++	bool			urb_length_set;
+ };
+ 
+ /* xHCI command default timeout value */
+@@ -1493,6 +1497,7 @@ struct xhci_hcd {
+ #define XHCI_AVOID_BEI		(1 << 15)
+ #define XHCI_SLOW_SUSPEND	(1 << 17)
+ #define XHCI_SPURIOUS_WAKEUP	(1 << 18)
++#define XHCI_PME_STUCK_QUIRK	(1 << 20)
+ 	unsigned int		num_active_eps;
+ 	unsigned int		limit_active_eps;
+ 	/* There are two roothubs to keep track of bus suspend info for */
+diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig
+index 677f577..1888da7c 100644
+--- a/drivers/usb/serial/Kconfig
++++ b/drivers/usb/serial/Kconfig
+@@ -578,10 +578,10 @@ config USB_SERIAL_CYBERJACK
+ 	  If unsure, say N.
+ 
+ config USB_SERIAL_XIRCOM
+-	tristate "USB Xircom / Entregra Single Port Serial Driver"
++	tristate "USB Xircom / Entrega Single Port Serial Driver"
+ 	select USB_EZUSB
+ 	help
+-	  Say Y here if you want to use a Xircom or Entregra single port USB to
++	  Say Y here if you want to use a Xircom or Entrega single port USB to
+ 	  serial converter device.  This driver makes use of firmware
+ 	  developed from scratch by Brian Warner.
+ 
+diff --git a/drivers/usb/serial/bus.c b/drivers/usb/serial/bus.c
+index 7f547dc..a8dc799 100644
+--- a/drivers/usb/serial/bus.c
++++ b/drivers/usb/serial/bus.c
+@@ -52,6 +52,7 @@ static int usb_serial_device_probe(struct device *dev)
+ {
+ 	struct usb_serial_driver *driver;
+ 	struct usb_serial_port *port;
++	struct device *tty_dev;
+ 	int retval = 0;
+ 	int minor;
+ 
+@@ -73,12 +74,20 @@ static int usb_serial_device_probe(struct device *dev)
+ 	retval = device_create_file(dev, &dev_attr_port_number);
+ 	if (retval) {
+ 		if (driver->port_remove)
+-			retval = driver->port_remove(port);
++			driver->port_remove(port);
+ 		goto exit;
+ 	}
+ 
+ 	minor = port->number;
+-	tty_register_device(usb_serial_tty_driver, minor, dev);
++	tty_dev = tty_register_device(usb_serial_tty_driver, minor, dev);
++	if (IS_ERR(tty_dev)) {
++		retval = PTR_ERR(tty_dev);
++		device_remove_file(dev, &dev_attr_port_number);
++		if (driver->port_remove)
++			driver->port_remove(port);
++		goto exit;
++	}
++
+ 	dev_info(&port->serial->dev->dev,
+ 		 "%s converter now attached to ttyUSB%d\n",
+ 		 driver->description, minor);
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index e795a4c..7f32c74 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -63,6 +63,7 @@ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */
+ 	{ USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */
+ 	{ USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */
++	{ USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */
+ 	{ USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */
+ 	{ USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */
+ 	{ USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */
+@@ -152,6 +153,8 @@ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE(0x166A, 0x0305) }, /* Clipsal C-5000CT2 C-Bus Spectrum Colour Touchscreen */
+ 	{ USB_DEVICE(0x166A, 0x0401) }, /* Clipsal L51xx C-Bus Architectural Dimmer */
+ 	{ USB_DEVICE(0x166A, 0x0101) }, /* Clipsal 5560884 C-Bus Multi-room Audio Matrix Switcher */
++	{ USB_DEVICE(0x16C0, 0x09B0) }, /* Lunatico Seletek */
++	{ USB_DEVICE(0x16C0, 0x09B1) }, /* Lunatico Seletek */
+ 	{ USB_DEVICE(0x16D6, 0x0001) }, /* Jablotron serial interface */
+ 	{ USB_DEVICE(0x16DC, 0x0010) }, /* W-IE-NE-R Plein & Baus GmbH PL512 Power Supply */
+ 	{ USB_DEVICE(0x16DC, 0x0011) }, /* W-IE-NE-R Plein & Baus GmbH RCM Remote Control for MARATON Power Supply */
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index f6a6205..e13ebb0 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -628,6 +628,7 @@ static struct usb_device_id id_table_combined [] = {
+ 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
+ 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++	{ USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
+ 	/*
+ 	 * ELV devices:
+ 	 */
+@@ -823,6 +824,8 @@ static struct usb_device_id id_table_combined [] = {
+ 	{ USB_DEVICE(FTDI_VID, FTDI_ELSTER_UNICOM_PID) },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_JTAGCABLEII_PID) },
+ 	{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) },
++	{ USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID),
++		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ 	{ USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID),
+ 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ 	{ USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID),
+@@ -1000,6 +1003,23 @@ static struct usb_device_id id_table_combined [] = {
+ 	{ USB_DEVICE(FTDI_VID, FTDI_EKEY_CONV_USB_PID) },
+ 	/* GE Healthcare devices */
+ 	{ USB_DEVICE(GE_HEALTHCARE_VID, GE_HEALTHCARE_NEMO_TRACKER_PID) },
++	/* Active Research (Actisense) devices */
++	{ USB_DEVICE(FTDI_VID, ACTISENSE_NDC_PID) },
++	{ USB_DEVICE(FTDI_VID, ACTISENSE_USG_PID) },
++	{ USB_DEVICE(FTDI_VID, ACTISENSE_NGT_PID) },
++	{ USB_DEVICE(FTDI_VID, ACTISENSE_NGW_PID) },
++	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AC_PID) },
++	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AD_PID) },
++	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AE_PID) },
++	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AF_PID) },
++	{ USB_DEVICE(FTDI_VID, CHETCO_SEAGAUGE_PID) },
++	{ USB_DEVICE(FTDI_VID, CHETCO_SEASWITCH_PID) },
++	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_NMEA2000_PID) },
++	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ETHERNET_PID) },
++	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_WIFI_PID) },
++	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
++	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
++	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
+ 	{ },					/* Optional parameter entry */
+ 	{ }					/* Terminating entry */
+ };
+@@ -1927,8 +1947,12 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial)
+ 
+ 	dbg("%s", __func__);
+ 
+-	if ((udev->manufacturer && !strcmp(udev->manufacturer, "CALAO Systems")) ||
+-	    (udev->product && !strcmp(udev->product, "BeagleBone/XDS100V2")))
++	if (udev->manufacturer && !strcmp(udev->manufacturer, "CALAO Systems"))
++		return ftdi_jtag_probe(serial);
++
++	if (udev->product &&
++		(!strcmp(udev->product, "BeagleBone/XDS100V2") ||
++		 !strcmp(udev->product, "SNAP Connect E10")))
+ 		return ftdi_jtag_probe(serial);
+ 
+ 	return 0;
+diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
+index 5735fb7..361192c 100644
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -38,6 +38,9 @@
+ 
+ #define FTDI_LUMEL_PD12_PID	0x6002
+ 
++/* Cyber Cortex AV by Fabulous Silicon (http://fabuloussilicon.com) */
++#define CYBER_CORTEX_AV_PID	0x8698
++
+ /*
+  * Marvell OpenRD Base, Client
+  * http://www.open-rd.org
+@@ -558,6 +561,12 @@
+  */
+ #define FTDI_NT_ORIONLXM_PID	0x7c90	/* OrionLXm Substation Automation Platform */
+ 
++/*
++ * Synapse Wireless product ids (FTDI_VID)
++ * http://www.synapse-wireless.com
++ */
++#define FTDI_SYNAPSE_SS200_PID 0x9090 /* SS200 - SNAP Stick 200 */
++
+ 
+ /********************************/
+ /** third-party VID/PID combos **/
+@@ -1432,3 +1441,23 @@
+  */
+ #define GE_HEALTHCARE_VID		0x1901
+ #define GE_HEALTHCARE_NEMO_TRACKER_PID	0x0015
++
++/*
++ * Active Research (Actisense) devices
++ */
++#define ACTISENSE_NDC_PID		0xD9A8 /* NDC USB Serial Adapter */
++#define ACTISENSE_USG_PID		0xD9A9 /* USG USB Serial Adapter */
++#define ACTISENSE_NGT_PID		0xD9AA /* NGT NMEA2000 Interface */
++#define ACTISENSE_NGW_PID		0xD9AB /* NGW NMEA2000 Gateway */
++#define ACTISENSE_D9AC_PID		0xD9AC /* Actisense Reserved */
++#define ACTISENSE_D9AD_PID		0xD9AD /* Actisense Reserved */
++#define ACTISENSE_D9AE_PID		0xD9AE /* Actisense Reserved */
++#define ACTISENSE_D9AF_PID		0xD9AF /* Actisense Reserved */
++#define CHETCO_SEAGAUGE_PID		0xA548 /* SeaGauge USB Adapter */
++#define CHETCO_SEASWITCH_PID		0xA549 /* SeaSwitch USB Adapter */
++#define CHETCO_SEASMART_NMEA2000_PID	0xA54A /* SeaSmart NMEA2000 Gateway */
++#define CHETCO_SEASMART_ETHERNET_PID	0xA54B /* SeaSmart Ethernet Gateway */
++#define CHETCO_SEASMART_WIFI_PID	0xA5AC /* SeaSmart Wifi Gateway */
++#define CHETCO_SEASMART_DISPLAY_PID	0xA5AD /* SeaSmart NMEA2000 Display */
++#define CHETCO_SEASMART_LITE_PID	0xA5AE /* SeaSmart Lite USB Adapter */
++#define CHETCO_SEASMART_ANALOG_PID	0xA5AF /* SeaSmart Analog Adapter */
+diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c
+index d5c0c6a..661a1a2 100644
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -1,5 +1,5 @@
+ /*
+- * USB Keyspan PDA / Xircom / Entregra Converter driver
++ * USB Keyspan PDA / Xircom / Entrega Converter driver
+  *
+  * Copyright (C) 1999 - 2001 Greg Kroah-Hartman	<greg@kroah.com>
+  * Copyright (C) 1999, 2000 Brian Warner	<warner@lothar.com>
+@@ -119,11 +119,12 @@ struct keyspan_pda_private {
+ #define KEYSPAN_PDA_FAKE_ID		0x0103
+ #define KEYSPAN_PDA_ID			0x0104 /* no clue */
+ 
+-/* For Xircom PGSDB9 and older Entregra version of the same device */
++/* For Xircom PGSDB9 and older Entrega version of the same device */
+ #define XIRCOM_VENDOR_ID		0x085a
+ #define XIRCOM_FAKE_ID			0x8027
+-#define ENTREGRA_VENDOR_ID		0x1645
+-#define ENTREGRA_FAKE_ID		0x8093
++#define XIRCOM_FAKE_ID_2		0x8025 /* "PGMFHUB" serial */
++#define ENTREGA_VENDOR_ID		0x1645
++#define ENTREGA_FAKE_ID			0x8093
+ 
+ static const struct usb_device_id id_table_combined[] = {
+ #ifdef KEYSPAN
+@@ -131,7 +132,8 @@ static const struct usb_device_id id_table_combined[] = {
+ #endif
+ #ifdef XIRCOM
+ 	{ USB_DEVICE(XIRCOM_VENDOR_ID, XIRCOM_FAKE_ID) },
+-	{ USB_DEVICE(ENTREGRA_VENDOR_ID, ENTREGRA_FAKE_ID) },
++	{ USB_DEVICE(XIRCOM_VENDOR_ID, XIRCOM_FAKE_ID_2) },
++	{ USB_DEVICE(ENTREGA_VENDOR_ID, ENTREGA_FAKE_ID) },
+ #endif
+ 	{ USB_DEVICE(KEYSPAN_VENDOR_ID, KEYSPAN_PDA_ID) },
+ 	{ }						/* Terminating entry */
+@@ -162,7 +164,8 @@ static const struct usb_device_id id_table_fake[] = {
+ #ifdef XIRCOM
+ static const struct usb_device_id id_table_fake_xircom[] = {
+ 	{ USB_DEVICE(XIRCOM_VENDOR_ID, XIRCOM_FAKE_ID) },
+-	{ USB_DEVICE(ENTREGRA_VENDOR_ID, ENTREGRA_FAKE_ID) },
++	{ USB_DEVICE(XIRCOM_VENDOR_ID, XIRCOM_FAKE_ID_2) },
++	{ USB_DEVICE(ENTREGA_VENDOR_ID, ENTREGA_FAKE_ID) },
+ 	{ }
+ };
+ #endif
+@@ -757,7 +760,7 @@ static int keyspan_pda_fake_startup(struct usb_serial *serial)
+ #endif
+ #ifdef XIRCOM
+ 	else if ((le16_to_cpu(serial->dev->descriptor.idVendor) == XIRCOM_VENDOR_ID) ||
+-		 (le16_to_cpu(serial->dev->descriptor.idVendor) == ENTREGRA_VENDOR_ID))
++		 (le16_to_cpu(serial->dev->descriptor.idVendor) == ENTREGA_VENDOR_ID))
+ 		fw_name = "keyspan_pda/xircom_pgs.fw";
+ #endif
+ 	else {
+@@ -848,7 +851,7 @@ static struct usb_serial_driver xircom_pgs_fake_device = {
+ 		.owner =	THIS_MODULE,
+ 		.name =		"xircom_no_firm",
+ 	},
+-	.description =		"Xircom / Entregra PGS - (prerenumeration)",
++	.description =		"Xircom / Entrega PGS - (prerenumeration)",
+ 	.usb_driver = 		&keyspan_pda_driver,
+ 	.id_table =		id_table_fake_xircom,
+ 	.num_ports =		1,
+diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c
+index 6548417..caa3969 100644
+--- a/drivers/xen/manage.c
++++ b/drivers/xen/manage.c
+@@ -110,10 +110,16 @@ static void do_suspend(void)
+ 
+ 	err = freeze_processes();
+ 	if (err) {
+-		printk(KERN_ERR "xen suspend: freeze failed %d\n", err);
++		pr_err("%s: freeze processes failed %d\n", __func__, err);
+ 		goto out;
+ 	}
+ 
++	err = freeze_kernel_threads();
++	if (err) {
++		pr_err("%s: freeze kernel threads failed %d\n", __func__, err);
++		goto out_thaw;
++	}
++
+ 	err = dpm_suspend_start(PMSG_FREEZE);
+ 	if (err) {
+ 		printk(KERN_ERR "xen suspend: dpm_suspend_start %d\n", err);
+diff --git a/drivers/xen/xen-pciback/conf_space.c b/drivers/xen/xen-pciback/conf_space.c
+index 52fed16..82ab1c3 100644
+--- a/drivers/xen/xen-pciback/conf_space.c
++++ b/drivers/xen/xen-pciback/conf_space.c
+@@ -16,7 +16,7 @@
+ #include "conf_space.h"
+ #include "conf_space_quirks.h"
+ 
+-static int permissive;
++bool permissive;
+ module_param(permissive, bool, 0644);
+ 
+ /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word,
+diff --git a/drivers/xen/xen-pciback/conf_space.h b/drivers/xen/xen-pciback/conf_space.h
+index e56c934..2e1d73d 100644
+--- a/drivers/xen/xen-pciback/conf_space.h
++++ b/drivers/xen/xen-pciback/conf_space.h
+@@ -64,6 +64,8 @@ struct config_field_entry {
+ 	void *data;
+ };
+ 
++extern bool permissive;
++
+ #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset)
+ 
+ /* Add fields to a device - the add_fields macro expects to get a pointer to
+diff --git a/drivers/xen/xen-pciback/conf_space_header.c b/drivers/xen/xen-pciback/conf_space_header.c
+index 3daf862..a5bb81a 100644
+--- a/drivers/xen/xen-pciback/conf_space_header.c
++++ b/drivers/xen/xen-pciback/conf_space_header.c
+@@ -9,6 +9,10 @@
+ #include "pciback.h"
+ #include "conf_space.h"
+ 
++struct pci_cmd_info {
++	u16 val;
++};
++
+ struct pci_bar_info {
+ 	u32 val;
+ 	u32 len_val;
+@@ -18,22 +22,36 @@ struct pci_bar_info {
+ #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO))
+ #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER)
+ 
+-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
++/* Bits guests are allowed to control in permissive mode. */
++#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \
++			   PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \
++			   PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK)
++
++static void *command_init(struct pci_dev *dev, int offset)
+ {
+-	int i;
+-	int ret;
+-
+-	ret = xen_pcibk_read_config_word(dev, offset, value, data);
+-	if (!pci_is_enabled(dev))
+-		return ret;
+-
+-	for (i = 0; i < PCI_ROM_RESOURCE; i++) {
+-		if (dev->resource[i].flags & IORESOURCE_IO)
+-			*value |= PCI_COMMAND_IO;
+-		if (dev->resource[i].flags & IORESOURCE_MEM)
+-			*value |= PCI_COMMAND_MEMORY;
++	struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
++	int err;
++
++	if (!cmd)
++		return ERR_PTR(-ENOMEM);
++
++	err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val);
++	if (err) {
++		kfree(cmd);
++		return ERR_PTR(err);
+ 	}
+ 
++	return cmd;
++}
++
++static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
++{
++	int ret = pci_read_config_word(dev, offset, value);
++	const struct pci_cmd_info *cmd = data;
++
++	*value &= PCI_COMMAND_GUEST;
++	*value |= cmd->val & ~PCI_COMMAND_GUEST;
++
+ 	return ret;
+ }
+ 
+@@ -41,6 +59,8 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
+ {
+ 	struct xen_pcibk_dev_data *dev_data;
+ 	int err;
++	u16 val;
++	struct pci_cmd_info *cmd = data;
+ 
+ 	dev_data = pci_get_drvdata(dev);
+ 	if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
+@@ -83,6 +103,19 @@ static int command_write(struct pci_dev *dev, int offset, u16 value, void *data)
+ 		}
+ 	}
+ 
++	cmd->val = value;
++
++	if (!permissive && (!dev_data || !dev_data->permissive))
++		return 0;
++
++	/* Only allow the guest to control certain bits. */
++	err = pci_read_config_word(dev, offset, &val);
++	if (err || val == value)
++		return err;
++
++	value &= PCI_COMMAND_GUEST;
++	value |= val & ~PCI_COMMAND_GUEST;
++
+ 	return pci_write_config_word(dev, offset, value);
+ }
+ 
+@@ -282,6 +315,8 @@ static const struct config_field header_common[] = {
+ 	{
+ 	 .offset    = PCI_COMMAND,
+ 	 .size      = 2,
++	 .init      = command_init,
++	 .release   = bar_release,
+ 	 .u.w.read  = command_read,
+ 	 .u.w.write = command_write,
+ 	},
+diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c
+index de54271..62d7a6d 100644
+--- a/fs/autofs4/dev-ioctl.c
++++ b/fs/autofs4/dev-ioctl.c
+@@ -95,7 +95,7 @@ static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param)
+  */
+ static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *in)
+ {
+-	struct autofs_dev_ioctl tmp;
++	struct autofs_dev_ioctl tmp, *res;
+ 
+ 	if (copy_from_user(&tmp, in, sizeof(tmp)))
+ 		return ERR_PTR(-EFAULT);
+@@ -103,7 +103,14 @@ static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *i
+ 	if (tmp.size < sizeof(tmp))
+ 		return ERR_PTR(-EINVAL);
+ 
+-	return memdup_user(in, tmp.size);
++	if (tmp.size > (PATH_MAX + sizeof(tmp)))
++		return ERR_PTR(-ENAMETOOLONG);
++
++	res = memdup_user(in, tmp.size);
++	if (!IS_ERR(res))
++		res->size = tmp.size;
++
++	return res;
+ }
+ 
+ static inline void free_dev_ioctl(struct autofs_dev_ioctl *param)
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 8dd615c..2aed667 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -542,11 +542,12 @@ out:
+ 
+ static unsigned long randomize_stack_top(unsigned long stack_top)
+ {
+-	unsigned int random_variable = 0;
++	unsigned long random_variable = 0;
+ 
+ 	if ((current->flags & PF_RANDOMIZE) &&
+ 		!(current->personality & ADDR_NO_RANDOMIZE)) {
+-		random_variable = get_random_int() & STACK_RND_MASK;
++		random_variable = (unsigned long) get_random_int();
++		random_variable &= STACK_RND_MASK;
+ 		random_variable <<= PAGE_SHIFT;
+ 	}
+ #ifdef CONFIG_STACK_GROWSUP
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index aa05d5e..f9d2863 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -1608,6 +1608,7 @@ refind_writable:
+ 			cifsFileInfo_put(inv_file);
+ 			spin_lock(&cifs_file_list_lock);
+ 			++refind;
++			inv_file = NULL;
+ 			goto refind_writable;
+ 		}
+ 	}
+diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
+index 6ac0893..a15f1e2 100644
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -125,11 +125,30 @@ static inline int debugfs_positive(struct dentry *dentry)
+ 	return dentry->d_inode && !d_unhashed(dentry);
+ }
+ 
++static void debugfs_evict_inode(struct inode *inode)
++{
++	truncate_inode_pages(&inode->i_data, 0);
++	end_writeback(inode);
++	if (S_ISLNK(inode->i_mode))
++		kfree(inode->i_private);
++}
++
++static const struct super_operations debugfs_super_operations = {
++	.evict_inode	= debugfs_evict_inode,
++};
++
+ static int debug_fill_super(struct super_block *sb, void *data, int silent)
+ {
+ 	static struct tree_descr debug_files[] = {{""}};
++	int err;
+ 
+-	return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
++	err = simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
++	if (err)
++		return err;
++
++	sb->s_op = &debugfs_super_operations;
++
++	return 0;
+ }
+ 
+ static struct dentry *debug_mount(struct file_system_type *fs_type,
+@@ -312,23 +331,14 @@ static int __debugfs_remove(struct dentry *dentry, struct dentry *parent)
+ 	int ret = 0;
+ 
+ 	if (debugfs_positive(dentry)) {
+-		if (dentry->d_inode) {
+-			dget(dentry);
+-			switch (dentry->d_inode->i_mode & S_IFMT) {
+-			case S_IFDIR:
+-				ret = simple_rmdir(parent->d_inode, dentry);
+-				break;
+-			case S_IFLNK:
+-				kfree(dentry->d_inode->i_private);
+-				/* fall through */
+-			default:
+-				simple_unlink(parent->d_inode, dentry);
+-				break;
+-			}
+-			if (!ret)
+-				d_delete(dentry);
+-			dput(dentry);
+-		}
++		dget(dentry);
++		if (S_ISDIR(dentry->d_inode->i_mode))
++			ret = simple_rmdir(parent->d_inode, dentry);
++		else
++			simple_unlink(parent->d_inode, dentry);
++		if (!ret)
++			d_delete(dentry);
++		dput(dentry);
+ 	}
+ 	return ret;
+ }
+diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
+index 80fc876..464fe1f 100644
+--- a/fs/ecryptfs/file.c
++++ b/fs/ecryptfs/file.c
+@@ -307,9 +307,23 @@ ecryptfs_unlocked_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ 
+ 	if (ecryptfs_file_to_private(file))
+ 		lower_file = ecryptfs_file_to_lower(file);
+-	if (lower_file && lower_file->f_op && lower_file->f_op->unlocked_ioctl)
++	if (!(lower_file && lower_file->f_op && lower_file->f_op->unlocked_ioctl))
++		return rc;
++
++	switch (cmd) {
++	case FITRIM:
++	case FS_IOC_GETFLAGS:
++	case FS_IOC_SETFLAGS:
++	case FS_IOC_GETVERSION:
++	case FS_IOC_SETVERSION:
+ 		rc = lower_file->f_op->unlocked_ioctl(lower_file, cmd, arg);
+-	return rc;
++		fsstack_copy_attr_all(file->f_path.dentry->d_inode,
++				      lower_file->f_path.dentry->d_inode);
++
++		return rc;
++	default:
++		return rc;
++	}
+ }
+ 
+ #ifdef CONFIG_COMPAT
+@@ -321,9 +335,23 @@ ecryptfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ 
+ 	if (ecryptfs_file_to_private(file))
+ 		lower_file = ecryptfs_file_to_lower(file);
+-	if (lower_file && lower_file->f_op && lower_file->f_op->compat_ioctl)
++	if (!(lower_file && lower_file->f_op && lower_file->f_op->compat_ioctl))
++		return rc;
++
++	switch (cmd) {
++	case FITRIM:
++	case FS_IOC32_GETFLAGS:
++	case FS_IOC32_SETFLAGS:
++	case FS_IOC32_GETVERSION:
++	case FS_IOC32_SETVERSION:
+ 		rc = lower_file->f_op->compat_ioctl(lower_file, cmd, arg);
+-	return rc;
++		fsstack_copy_attr_all(file->f_path.dentry->d_inode,
++				      lower_file->f_path.dentry->d_inode);
++
++		return rc;
++	default:
++		return rc;
++	}
+ }
+ #endif
+ 
+diff --git a/fs/exec.c b/fs/exec.c
+index 78199eb..7adb43f 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1282,6 +1282,45 @@ int check_unsafe_exec(struct linux_binprm *bprm)
+ 	return res;
+ }
+ 
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++	struct inode *inode;
++	unsigned int mode;
++	uid_t uid;
++	gid_t gid;
++
++	/* clear any previous set[ug]id data from a previous binary */
++	bprm->cred->euid = current_euid();
++	bprm->cred->egid = current_egid();
++
++	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++		return;
++
++	inode = bprm->file->f_path.dentry->d_inode;
++	mode = ACCESS_ONCE(inode->i_mode);
++	if (!(mode & (S_ISUID|S_ISGID)))
++		return;
++
++	/* Be careful if suid/sgid is set */
++	mutex_lock(&inode->i_mutex);
++
++	/* reload atomically mode/uid/gid now that lock held */
++	mode = inode->i_mode;
++	uid = inode->i_uid;
++	gid = inode->i_gid;
++	mutex_unlock(&inode->i_mutex);
++
++	if (mode & S_ISUID) {
++		bprm->per_clear |= PER_CLEAR_ON_SETID;
++		bprm->cred->euid = uid;
++	}
++
++	if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++		bprm->per_clear |= PER_CLEAR_ON_SETID;
++		bprm->cred->egid = gid;
++	}
++}
++
+ /* 
+  * Fill the binprm structure from the inode. 
+  * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1290,36 +1329,12 @@ int check_unsafe_exec(struct linux_binprm *bprm)
+  */
+ int prepare_binprm(struct linux_binprm *bprm)
+ {
+-	umode_t mode;
+-	struct inode * inode = bprm->file->f_path.dentry->d_inode;
+ 	int retval;
+ 
+-	mode = inode->i_mode;
+ 	if (bprm->file->f_op == NULL)
+ 		return -EACCES;
+ 
+-	/* clear any previous set[ug]id data from a previous binary */
+-	bprm->cred->euid = current_euid();
+-	bprm->cred->egid = current_egid();
+-
+-	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
+-		/* Set-uid? */
+-		if (mode & S_ISUID) {
+-			bprm->per_clear |= PER_CLEAR_ON_SETID;
+-			bprm->cred->euid = inode->i_uid;
+-		}
+-
+-		/* Set-gid? */
+-		/*
+-		 * If setgid is set but no group execute bit then this
+-		 * is a candidate for mandatory locking, not a setgid
+-		 * executable.
+-		 */
+-		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+-			bprm->per_clear |= PER_CLEAR_ON_SETID;
+-			bprm->cred->egid = inode->i_gid;
+-		}
+-	}
++	bprm_fill_uid(bprm);
+ 
+ 	/* fill in binprm security blob */
+ 	retval = security_bprm_set_creds(bprm);
+diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
+index cf0098d..81970d7 100644
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -717,8 +717,8 @@ static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep)
+ 
+ 	newpage = buf->page;
+ 
+-	if (WARN_ON(!PageUptodate(newpage)))
+-		return -EIO;
++	if (!PageUptodate(newpage))
++		SetPageUptodate(newpage);
+ 
+ 	ClearPageMappedToDisk(newpage);
+ 
+@@ -1570,6 +1570,9 @@ copy_finish:
+ static int fuse_notify(struct fuse_conn *fc, enum fuse_notify_code code,
+ 		       unsigned int size, struct fuse_copy_state *cs)
+ {
++	/* Don't try to move pages (yet) */
++	cs->move_pages = 0;
++
+ 	switch (code) {
+ 	case FUSE_NOTIFY_POLL:
+ 		return fuse_notify_poll(fc, size, cs);
+diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
+index 2a734cf..7429c40 100644
+--- a/fs/hfsplus/brec.c
++++ b/fs/hfsplus/brec.c
+@@ -130,13 +130,16 @@ skip:
+ 	hfs_bnode_write(node, entry, data_off + key_len, entry_len);
+ 	hfs_bnode_dump(node);
+ 
+-	if (new_node) {
+-		/* update parent key if we inserted a key
+-		 * at the start of the first node
+-		 */
+-		if (!rec && new_node != node)
+-			hfs_brec_update_parent(fd);
++	/*
++	 * update parent key if we inserted a key
++	 * at the start of the node and it is not the new node
++	 */
++	if (!rec && new_node != node) {
++		hfs_bnode_read_key(node, fd->search_key, data_off + size);
++		hfs_brec_update_parent(fd);
++	}
+ 
++	if (new_node) {
+ 		hfs_bnode_put(fd->bnode);
+ 		if (!new_node->parent) {
+ 			hfs_btree_inc_height(tree);
+@@ -166,9 +169,6 @@ skip:
+ 		goto again;
+ 	}
+ 
+-	if (!rec)
+-		hfs_brec_update_parent(fd);
+-
+ 	return 0;
+ }
+ 
+@@ -368,6 +368,8 @@ again:
+ 	if (IS_ERR(parent))
+ 		return PTR_ERR(parent);
+ 	__hfs_brec_find(parent, fd);
++	if (fd->record < 0)
++		return -ENOENT;
+ 	hfs_bnode_dump(parent);
+ 	rec = fd->record;
+ 
+diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c
+index 28107ca..327cc17 100644
+--- a/fs/jffs2/scan.c
++++ b/fs/jffs2/scan.c
+@@ -503,6 +503,10 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo
+ 				sumlen = c->sector_size - je32_to_cpu(sm->offset);
+ 				sumptr = buf + buf_size - sumlen;
+ 
++				/* sm->offset maybe wrong but MAGIC maybe right */
++				if (sumlen > c->sector_size)
++					goto full_scan;
++
+ 				/* Now, make sure the summary itself is available */
+ 				if (sumlen > buf_size) {
+ 					/* Need to kmalloc for this. */
+@@ -537,6 +541,7 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c, struct jffs2_eraseblo
+ 		}
+ 	}
+ 
++full_scan:
+ 	buf_ofs = jeb->offset;
+ 
+ 	if (!buf_size) {
+diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
+index 9f7c758..f6f32fa 100644
+--- a/fs/jfs/jfs_dtree.c
++++ b/fs/jfs/jfs_dtree.c
+@@ -3103,7 +3103,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 				 * self "."
+ 				 */
+ 				filp->f_pos = 1;
+-				if (filldir(dirent, ".", 1, 0, ip->i_ino,
++				if (filldir(dirent, ".", 1, 1, ip->i_ino,
+ 					    DT_DIR))
+ 					return 0;
+ 			}
+@@ -3111,7 +3111,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 			 * parent ".."
+ 			 */
+ 			filp->f_pos = 2;
+-			if (filldir(dirent, "..", 2, 1, PARENT(ip), DT_DIR))
++			if (filldir(dirent, "..", 2, 2, PARENT(ip), DT_DIR))
+ 				return 0;
+ 
+ 			/*
+diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
+index 516f337..3172b51 100644
+--- a/fs/nfs/callback.c
++++ b/fs/nfs/callback.c
+@@ -149,22 +149,24 @@ nfs41_callback_svc(void *vrqstp)
+ 	set_freezable();
+ 
+ 	while (!kthread_should_stop()) {
+-		prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE);
++		prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_UNINTERRUPTIBLE);
+ 		spin_lock_bh(&serv->sv_cb_lock);
+ 		if (!list_empty(&serv->sv_cb_list)) {
+ 			req = list_first_entry(&serv->sv_cb_list,
+ 					struct rpc_rqst, rq_bc_list);
+ 			list_del(&req->rq_bc_list);
+ 			spin_unlock_bh(&serv->sv_cb_lock);
++			finish_wait(&serv->sv_cb_waitq, &wq);
+ 			dprintk("Invoking bc_svc_process()\n");
+ 			error = bc_svc_process(serv, req, rqstp);
+ 			dprintk("bc_svc_process() returned w/ error code= %d\n",
+ 				error);
+ 		} else {
+ 			spin_unlock_bh(&serv->sv_cb_lock);
+-			schedule();
++			/* schedule_timeout to game the hung task watchdog */
++			schedule_timeout(60 * HZ);
++			finish_wait(&serv->sv_cb_waitq, &wq);
+ 		}
+-		finish_wait(&serv->sv_cb_waitq, &wq);
+ 	}
+ 	return 0;
+ }
+diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
+index 3fde055..6d22d35 100644
+--- a/fs/nfs/callback_xdr.c
++++ b/fs/nfs/callback_xdr.c
+@@ -459,8 +459,10 @@ static __be32 decode_cb_sequence_args(struct svc_rqst *rqstp,
+ 
+ 		for (i = 0; i < args->csa_nrclists; i++) {
+ 			status = decode_rc_list(xdr, &args->csa_rclists[i]);
+-			if (status)
++			if (status) {
++				args->csa_nrclists = i;
+ 				goto out_free;
++			}
+ 		}
+ 	}
+ 	status = 0;
+diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c
+index ac889af..92cf07d 100644
+--- a/fs/nfs/delegation.c
++++ b/fs/nfs/delegation.c
+@@ -149,8 +149,8 @@ void nfs_inode_reclaim_delegation(struct inode *inode, struct rpc_cred *cred,
+ 				  &delegation->flags);
+ 			NFS_I(inode)->delegation_state = delegation->type;
+ 			spin_unlock(&delegation->lock);
+-			put_rpccred(oldcred);
+ 			rcu_read_unlock();
++			put_rpccred(oldcred);
+ 		} else {
+ 			/* We appear to have raced with a delegation return. */
+ 			spin_unlock(&delegation->lock);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 351989e..e83786f 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -267,7 +267,7 @@ static int nfs4_handle_exception(struct nfs_server *server, int errorcode, struc
+ 		case 0:
+ 			return 0;
+ 		case -NFS4ERR_OPENMODE:
+-			if (nfs_have_delegation(inode, FMODE_READ)) {
++			if (inode && nfs_have_delegation(inode, FMODE_READ)) {
+ 				nfs_inode_return_delegation(inode);
+ 				exception->retry = 1;
+ 				return 0;
+@@ -279,10 +279,9 @@ static int nfs4_handle_exception(struct nfs_server *server, int errorcode, struc
+ 		case -NFS4ERR_DELEG_REVOKED:
+ 		case -NFS4ERR_ADMIN_REVOKED:
+ 		case -NFS4ERR_BAD_STATEID:
+-			if (state != NULL)
+-				nfs_remove_bad_delegation(state->inode);
+ 			if (state == NULL)
+ 				break;
++			nfs_remove_bad_delegation(state->inode);
+ 			nfs4_schedule_stateid_recovery(server, state);
+ 			goto wait_on_recovery;
+ 		case -NFS4ERR_EXPIRED:
+@@ -3746,8 +3745,9 @@ nfs4_async_handle_error(struct rpc_task *task, const struct nfs_server *server,
+ 		case -NFS4ERR_DELEG_REVOKED:
+ 		case -NFS4ERR_ADMIN_REVOKED:
+ 		case -NFS4ERR_BAD_STATEID:
+-			if (state != NULL)
+-				nfs_remove_bad_delegation(state->inode);
++			if (state == NULL)
++				break;
++			nfs_remove_bad_delegation(state->inode);
+ 		case -NFS4ERR_OPENMODE:
+ 			if (state == NULL)
+ 				break;
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index b2e3ff3..ecdbae1 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -31,6 +31,8 @@
+ #include "alloc.h"
+ #include "dat.h"
+ 
++static void __nilfs_btree_init(struct nilfs_bmap *bmap);
++
+ static struct nilfs_btree_path *nilfs_btree_alloc_path(void)
+ {
+ 	struct nilfs_btree_path *path;
+@@ -368,6 +370,34 @@ static int nilfs_btree_node_broken(const struct nilfs_btree_node *node,
+ 	return ret;
+ }
+ 
++/**
++ * nilfs_btree_root_broken - verify consistency of btree root node
++ * @node: btree root node to be examined
++ * @ino: inode number
++ *
++ * Return Value: If node is broken, 1 is returned. Otherwise, 0 is returned.
++ */
++static int nilfs_btree_root_broken(const struct nilfs_btree_node *node,
++				   unsigned long ino)
++{
++	int level, flags, nchildren;
++	int ret = 0;
++
++	level = nilfs_btree_node_get_level(node);
++	flags = nilfs_btree_node_get_flags(node);
++	nchildren = nilfs_btree_node_get_nchildren(node);
++
++	if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
++		     level > NILFS_BTREE_LEVEL_MAX ||
++		     nchildren < 0 ||
++		     nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
++		pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n",
++			ino, level, flags, nchildren);
++		ret = 1;
++	}
++	return ret;
++}
++
+ int nilfs_btree_broken_node_block(struct buffer_head *bh)
+ {
+ 	int ret;
+@@ -1713,7 +1743,7 @@ nilfs_btree_commit_convert_and_insert(struct nilfs_bmap *btree,
+ 
+ 	/* convert and insert */
+ 	dat = NILFS_BMAP_USE_VBN(btree) ? nilfs_bmap_get_dat(btree) : NULL;
+-	nilfs_btree_init(btree);
++	__nilfs_btree_init(btree);
+ 	if (nreq != NULL) {
+ 		nilfs_bmap_commit_alloc_ptr(btree, dreq, dat);
+ 		nilfs_bmap_commit_alloc_ptr(btree, nreq, dat);
+@@ -2294,12 +2324,23 @@ static const struct nilfs_bmap_operations nilfs_btree_ops_gc = {
+ 	.bop_gather_data	=	NULL,
+ };
+ 
+-int nilfs_btree_init(struct nilfs_bmap *bmap)
++static void __nilfs_btree_init(struct nilfs_bmap *bmap)
+ {
+ 	bmap->b_ops = &nilfs_btree_ops;
+ 	bmap->b_nchildren_per_block =
+ 		NILFS_BTREE_NODE_NCHILDREN_MAX(nilfs_btree_node_size(bmap));
+-	return 0;
++}
++
++int nilfs_btree_init(struct nilfs_bmap *bmap)
++{
++	int ret = 0;
++
++	__nilfs_btree_init(bmap);
++
++	if (nilfs_btree_root_broken(nilfs_btree_get_root(bmap),
++				    bmap->b_inode->i_ino))
++		ret = -EIO;
++	return ret;
+ }
+ 
+ void nilfs_btree_init_gc(struct nilfs_bmap *bmap)
+diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
+index eb7f6a6..6bba106 100644
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -1903,6 +1903,7 @@ static void nilfs_segctor_drop_written_files(struct nilfs_sc_info *sci,
+ 					     struct the_nilfs *nilfs)
+ {
+ 	struct nilfs_inode_info *ii, *n;
++	int during_mount = !(sci->sc_super->s_flags & MS_ACTIVE);
+ 	int defer_iput = false;
+ 
+ 	spin_lock(&nilfs->ns_inode_lock);
+@@ -1915,10 +1916,10 @@ static void nilfs_segctor_drop_written_files(struct nilfs_sc_info *sci,
+ 		brelse(ii->i_bh);
+ 		ii->i_bh = NULL;
+ 		list_del_init(&ii->i_dirty);
+-		if (!ii->vfs_inode.i_nlink) {
++		if (!ii->vfs_inode.i_nlink || during_mount) {
+ 			/*
+-			 * Defer calling iput() to avoid a deadlock
+-			 * over I_SYNC flag for inodes with i_nlink == 0
++			 * Defer calling iput() to avoid deadlocks if
++			 * i_nlink == 0 or mount is not yet finished.
+ 			 */
+ 			list_add_tail(&ii->i_dirty, &sci->sc_iput_queue);
+ 			defer_iput = true;
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index 0de24a2..6a7a3d9 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2387,10 +2387,14 @@ out_dio:
+ 	/* buffered aio wouldn't have proper lock coverage today */
+ 	BUG_ON(ret == -EIOCBQUEUED && !(file->f_flags & O_DIRECT));
+ 
++	if (unlikely(written <= 0))
++		goto no_sync;
++
+ 	if (((file->f_flags & O_DSYNC) && !direct_io) || IS_SYNC(inode) ||
+ 	    ((file->f_flags & O_DIRECT) && !direct_io)) {
+-		ret = filemap_fdatawrite_range(file->f_mapping, *ppos,
+-					       *ppos + count - 1);
++		ret = filemap_fdatawrite_range(file->f_mapping,
++					       iocb->ki_pos - written,
++					       iocb->ki_pos - 1);
+ 		if (ret < 0)
+ 			written = ret;
+ 
+@@ -2403,10 +2407,12 @@ out_dio:
+ 		}
+ 
+ 		if (!ret)
+-			ret = filemap_fdatawait_range(file->f_mapping, *ppos,
+-						      *ppos + count - 1);
++			ret = filemap_fdatawait_range(file->f_mapping,
++						      iocb->ki_pos - written,
++						      iocb->ki_pos - 1);
+ 	}
+ 
++no_sync:
+ 	/*
+ 	 * deep in g_f_a_w_n()->ocfs2_direct_IO we pass in a ocfs2_dio_end_io
+ 	 * function pointer which is called when o_direct io completes so that
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index ef1740d..d1bd6a9 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -864,9 +864,19 @@ out:
+ 	return ret;
+ }
+ 
++static int pagemap_open(struct inode *inode, struct file *file)
++{
++	/* do not disclose physical addresses to unprivileged
++	   userspace (closes a rowhammer attack vector) */
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++	return 0;
++}
++
+ const struct file_operations proc_pagemap_operations = {
+ 	.llseek		= mem_lseek, /* borrow this */
+ 	.read		= pagemap_read,
++	.open		= pagemap_open,
+ };
+ #endif /* CONFIG_PROC_PAGE_MONITOR */
+ 
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 2a706bb..e081440 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1271,6 +1271,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 	struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
+ 	struct udf_inode_info *iinfo = UDF_I(inode);
+ 	unsigned int link_count;
++	int bs = inode->i_sb->s_blocksize;
+ 
+ 	fe = (struct fileEntry *)bh->b_data;
+ 	efe = (struct extendedFileEntry *)bh->b_data;
+@@ -1291,41 +1292,38 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 	if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
+ 		iinfo->i_efe = 1;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct extendedFileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct extendedFileEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct extendedFileEntry));
++		       bs - sizeof(struct extendedFileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+-						sizeof(struct fileEntry))) {
++		if (udf_alloc_i_data(inode, bs - sizeof(struct fileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct fileEntry),
+-		       inode->i_sb->s_blocksize - sizeof(struct fileEntry));
++		       bs - sizeof(struct fileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 1;
+ 		iinfo->i_lenAlloc = le32_to_cpu(
+ 				((struct unallocSpaceEntry *)bh->b_data)->
+ 				 lengthAllocDescs);
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct unallocSpaceEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct unallocSpaceEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct unallocSpaceEntry));
++		       bs - sizeof(struct unallocSpaceEntry));
+ 		return;
+ 	}
+ 
+@@ -1403,6 +1401,19 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 							iinfo->i_lenEAttr;
+ 	}
+ 
++	/*
++	 * Sanity check length of allocation descriptors and extended attrs to
++	 * avoid integer overflows
++	 */
++	if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
++	/* Now do exact checks */
++	if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
+ 	/* Sanity checks for files in ICB so that we don't get confused later */
+ 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ 		/*
+@@ -1414,8 +1425,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 			return;
+ 		}
+ 		/* File in ICB has to fit in there... */
+-		if (inode->i_size > inode->i_sb->s_blocksize -
+-					udf_file_entry_alloc_offset(inode)) {
++		if (inode->i_size > bs - udf_file_entry_alloc_offset(inode)) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
+index 753ed9b..8ae937a 100644
+--- a/fs/xfs/xfs_file.c
++++ b/fs/xfs/xfs_file.c
+@@ -516,7 +516,8 @@ STATIC int				/* error (positive) */
+ xfs_zero_last_block(
+ 	xfs_inode_t	*ip,
+ 	xfs_fsize_t	offset,
+-	xfs_fsize_t	isize)
++	xfs_fsize_t	isize,
++	bool		*did_zeroing)
+ {
+ 	xfs_fileoff_t	last_fsb;
+ 	xfs_mount_t	*mp = ip->i_mount;
+@@ -560,6 +561,7 @@ xfs_zero_last_block(
+ 	zero_len = mp->m_sb.sb_blocksize - zero_offset;
+ 	if (isize + zero_len > offset)
+ 		zero_len = offset - isize;
++	*did_zeroing = true;
+ 	error = xfs_iozero(ip, isize, zero_len);
+ 
+ 	xfs_ilock(ip, XFS_ILOCK_EXCL);
+@@ -582,7 +584,8 @@ int					/* error (positive) */
+ xfs_zero_eof(
+ 	xfs_inode_t	*ip,
+ 	xfs_off_t	offset,		/* starting I/O offset */
+-	xfs_fsize_t	isize)		/* current inode size */
++	xfs_fsize_t	isize,		/* current inode size */
++	bool		*did_zeroing)
+ {
+ 	xfs_mount_t	*mp = ip->i_mount;
+ 	xfs_fileoff_t	start_zero_fsb;
+@@ -602,7 +605,7 @@ xfs_zero_eof(
+ 	 * First handle zeroing the block on which isize resides.
+ 	 * We only zero a part of that block so it is handled specially.
+ 	 */
+-	error = xfs_zero_last_block(ip, offset, isize);
++	error = xfs_zero_last_block(ip, offset, isize, did_zeroing);
+ 	if (error) {
+ 		ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL|XFS_IOLOCK_EXCL));
+ 		return error;
+@@ -672,6 +675,7 @@ xfs_zero_eof(
+ 			goto out_lock;
+ 		}
+ 
++		*did_zeroing = true;
+ 		start_zero_fsb = imap.br_startoff + imap.br_blockcount;
+ 		ASSERT(start_zero_fsb <= (end_zero_fsb + 1));
+ 
+@@ -729,13 +733,15 @@ restart:
+ 	 */
+ 	if ((ip->i_new_size && *pos > ip->i_new_size) ||
+ 	    (!ip->i_new_size && *pos > ip->i_size)) {
++		bool	zero = false;
++
+ 		if (*iolock == XFS_IOLOCK_SHARED) {
+ 			xfs_rw_iunlock(ip, XFS_ILOCK_EXCL | *iolock);
+ 			*iolock = XFS_IOLOCK_EXCL;
+ 			xfs_rw_ilock(ip, XFS_ILOCK_EXCL | *iolock);
+ 			goto restart;
+ 		}
+-		error = -xfs_zero_eof(ip, *pos, ip->i_size);
++		error = -xfs_zero_eof(ip, *pos, ip->i_size, &zero);
+ 	}
+ 
+ 	/*
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
+index bd2fb43..1c01f04 100644
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -766,6 +766,7 @@ xfs_setattr_size(
+ 	int			error;
+ 	uint			lock_flags;
+ 	uint			commit_flags = 0;
++	bool			did_zeroing = false;
+ 
+ 	trace_xfs_setattr(ip);
+ 
+@@ -812,20 +813,16 @@ xfs_setattr_size(
+ 		goto out_unlock;
+ 
+ 	/*
+-	 * Now we can make the changes.  Before we join the inode to the
+-	 * transaction, take care of the part of the truncation that must be
+-	 * done without the inode lock.  This needs to be done before joining
+-	 * the inode to the transaction, because the inode cannot be unlocked
+-	 * once it is a part of the transaction.
++	 * File data changes must be complete before we start the transaction to
++	 * modify the inode.  This needs to be done before joining the inode to
++	 * the transaction because the inode cannot be unlocked once it is a
++	 * part of the transaction.
++	 *
++	 * Start with zeroing any data block beyond EOF that we may expose on
++	 * file extension.
+ 	 */
+ 	if (iattr->ia_size > ip->i_size) {
+-		/*
+-		 * Do the first part of growing a file: zero any data in the
+-		 * last block that is beyond the old EOF.  We need to do this
+-		 * before the inode is joined to the transaction to modify
+-		 * i_size.
+-		 */
+-		error = xfs_zero_eof(ip, iattr->ia_size, ip->i_size);
++		error = xfs_zero_eof(ip, iattr->ia_size, ip->i_size, &did_zeroing);
+ 		if (error)
+ 			goto out_unlock;
+ 	}
+@@ -837,23 +834,18 @@ xfs_setattr_size(
+ 	 * any previous writes that are beyond the on disk EOF and the new
+ 	 * EOF that have not been written out need to be written here.  If we
+ 	 * do not write the data out, we expose ourselves to the null files
+-	 * problem.
+-	 *
+-	 * Only flush from the on disk size to the smaller of the in memory
+-	 * file size or the new size as that's the range we really care about
+-	 * here and prevents waiting for other data not within the range we
+-	 * care about here.
++	 * problem. Note that this includes any block zeroing we did above;
++	 * otherwise those blocks may not be zeroed after a crash.
+ 	 */
+-	if (ip->i_size != ip->i_d.di_size && iattr->ia_size > ip->i_d.di_size) {
++	if (iattr->ia_size > ip->i_d.di_size &&
++	    (ip->i_size != ip->i_d.di_size || did_zeroing)) {
+ 		error = xfs_flush_pages(ip, ip->i_d.di_size, iattr->ia_size, 0,
+ 					FI_NONE);
+ 		if (error)
+ 			goto out_unlock;
+ 	}
+ 
+-	/*
+-	 * Wait for all direct I/O to complete.
+-	 */
++	/* Now wait for all direct I/O to complete. */
+ 	inode_dio_wait(inode);
+ 
+ 	error = -block_truncate_page(inode->i_mapping, iattr->ia_size,
+diff --git a/fs/xfs/xfs_vnodeops.h b/fs/xfs/xfs_vnodeops.h
+index 35d3d51..c0f7714 100644
+--- a/fs/xfs/xfs_vnodeops.h
++++ b/fs/xfs/xfs_vnodeops.h
+@@ -59,6 +59,7 @@ int xfs_flush_pages(struct xfs_inode *ip, xfs_off_t first,
+ 		xfs_off_t last, uint64_t flags, int fiopt);
+ int xfs_wait_on_pages(struct xfs_inode *ip, xfs_off_t first, xfs_off_t last);
+ 
+-int xfs_zero_eof(struct xfs_inode *, xfs_off_t, xfs_fsize_t);
++int	xfs_zero_eof(struct xfs_inode *ip, xfs_off_t offset,
++		     xfs_fsize_t isize, bool *did_zeroing);
+ 
+ #endif /* _XFS_VNODEOPS_H */
+diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
+index 4053cbd..ddce23d 100644
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -144,7 +144,9 @@ enum rq_flag_bits {
+ 	__REQ_ELVPRIV,		/* elevator private data attached */
+ 	__REQ_FAILED,		/* set if the request failed */
+ 	__REQ_QUIET,		/* don't worry about errors */
+-	__REQ_PREEMPT,		/* set for "ide_preempt" requests */
++	__REQ_PREEMPT,		/* set for "ide_preempt" requests and also
++				   for requests for which the SCSI "quiesce"
++				   state must be ignored. */
+ 	__REQ_ALLOCED,		/* request came from our alloc pool */
+ 	__REQ_COPY_USER,	/* contains copies of user pages */
+ 	__REQ_FLUSH_SEQ,	/* request for flush sequence */
+diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
+index e2a360a..59a7e4c 100644
+--- a/include/linux/compiler-gcc4.h
++++ b/include/linux/compiler-gcc4.h
+@@ -29,6 +29,8 @@
+    the kernel context */
+ #define __cold			__attribute__((__cold__))
+ 
++#define __linktime_error(message) __attribute__((__error__(message)))
++
+ /*
+  * GCC 'asm goto' miscompiles certain code sequences:
+  *
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index 7c7546b..65c8b78 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -297,7 +297,9 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+ #ifndef __compiletime_error
+ # define __compiletime_error(message)
+ #endif
+-
++#ifndef __linktime_error
++# define __linktime_error(message)
++#endif
+ /*
+  * Prevent the compiler from merging or refetching accesses.  The compiler
+  * is also forbidden from reordering successive instances of ACCESS_ONCE(),
+diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
+index 2a53f10..dad4f61 100644
+--- a/include/linux/fsnotify.h
++++ b/include/linux/fsnotify.h
+@@ -100,8 +100,10 @@ static inline void fsnotify_move(struct inode *old_dir, struct inode *new_dir,
+ 		new_dir_mask |= FS_ISDIR;
+ 	}
+ 
+-	fsnotify(old_dir, old_dir_mask, old_dir, FSNOTIFY_EVENT_INODE, old_name, fs_cookie);
+-	fsnotify(new_dir, new_dir_mask, new_dir, FSNOTIFY_EVENT_INODE, new_name, fs_cookie);
++	fsnotify(old_dir, old_dir_mask, source, FSNOTIFY_EVENT_INODE, old_name,
++		 fs_cookie);
++	fsnotify(new_dir, new_dir_mask, source, FSNOTIFY_EVENT_INODE, new_name,
++		 fs_cookie);
+ 
+ 	if (target)
+ 		fsnotify_link_count(target);
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 0b8ca35..dcf6a8b 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -679,6 +679,7 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { }
+ #define BUILD_BUG_ON_ZERO(e) (0)
+ #define BUILD_BUG_ON_NULL(e) ((void*)0)
+ #define BUILD_BUG_ON(condition)
++#define BUILD_BUG() (0)
+ #else /* __CHECKER__ */
+ 
+ /* Force a compilation error if a constant expression is not a power of 2 */
+@@ -717,6 +718,21 @@ extern int __build_bug_on_failed;
+ 		if (condition) __build_bug_on_failed = 1;	\
+ 	} while(0)
+ #endif
++
++/**
++ * BUILD_BUG - break compile if used.
++ *
++ * If you have some code that you expect the compiler to eliminate at
++ * build time, you should use BUILD_BUG to detect if it is
++ * unexpectedly used.
++ */
++#define BUILD_BUG()						\
++	do {							\
++		extern void __build_bug_failed(void)		\
++			__linktime_error("BUILD_BUG failed");	\
++		__build_bug_failed();				\
++	} while (0)
++
+ #endif	/* __CHECKER__ */
+ 
+ /* Trap pasters of __FUNCTION__ at compile-time */
+diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
+index 0daa46b..4fc3e5d 100644
+--- a/include/linux/usb/hcd.h
++++ b/include/linux/usb/hcd.h
+@@ -128,6 +128,8 @@ struct usb_hcd {
+ 	unsigned		wireless:1;	/* Wireless USB HCD */
+ 	unsigned		authorized_default:1;
+ 	unsigned		has_tt:1;	/* Integrated TT in root hub */
++	unsigned		cant_recv_wakeups:1;
++			/* wakeup requests from downstream aren't received */
+ 
+ 	int			irq;		/* irq allocated */
+ 	void __iomem		*regs;		/* device memory/io */
+@@ -401,6 +403,7 @@ extern const struct dev_pm_ops usb_hcd_pci_pm_ops;
+ #endif /* CONFIG_PCI */
+ 
+ /* pci-ish (pdev null is ok) buffer alloc/mapping support */
++void usb_init_pool_max(void);
+ int hcd_buffer_create(struct usb_hcd *hcd);
+ void hcd_buffer_destroy(struct usb_hcd *hcd);
+ 
+diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
+index 2dcf317..d918074 100644
+--- a/include/net/netfilter/nf_conntrack_extend.h
++++ b/include/net/netfilter/nf_conntrack_extend.h
+@@ -33,8 +33,8 @@ enum nf_ct_ext_id {
+ /* Extensions: optional stuff which isn't permanently in struct. */
+ struct nf_ct_ext {
+ 	struct rcu_head rcu;
+-	u8 offset[NF_CT_EXT_NUM];
+-	u8 len;
++	u16 offset[NF_CT_EXT_NUM];
++	u16 len;
+ 	char data[0];
+ };
+ 
+diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
+index 63786e7..f56af55 100644
+--- a/kernel/debug/kdb/kdb_main.c
++++ b/kernel/debug/kdb/kdb_main.c
+@@ -2595,7 +2595,7 @@ static int kdb_summary(int argc, const char **argv)
+ #define K(x) ((x) << (PAGE_SHIFT - 10))
+ 	kdb_printf("\nMemTotal:       %8lu kB\nMemFree:        %8lu kB\n"
+ 		   "Buffers:        %8lu kB\n",
+-		   val.totalram, val.freeram, val.bufferram);
++		   K(val.totalram), K(val.freeram), K(val.bufferram));
+ 	return 0;
+ }
+ 
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 2a4bf43..4277095 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -3956,6 +3956,13 @@ static void perf_pending_event(struct irq_work *entry)
+ {
+ 	struct perf_event *event = container_of(entry,
+ 			struct perf_event, pending);
++	int rctx;
++
++	rctx = perf_swevent_get_recursion_context();
++	/*
++	 * If we 'fail' here, that's OK, it means recursion is already disabled
++	 * and we won't recurse 'further'.
++	 */
+ 
+ 	if (event->pending_disable) {
+ 		event->pending_disable = 0;
+@@ -3966,6 +3973,9 @@ static void perf_pending_event(struct irq_work *entry)
+ 		event->pending_wakeup = 0;
+ 		perf_event_wakeup(event);
+ 	}
++
++	if (rctx >= 0)
++		perf_swevent_put_recursion_context(rctx);
+ }
+ 
+ /*
+diff --git a/kernel/printk.c b/kernel/printk.c
+index 8fac434..c073f43 100644
+--- a/kernel/printk.c
++++ b/kernel/printk.c
+@@ -123,7 +123,7 @@ static struct console *exclusive_console;
+  */
+ struct console_cmdline
+ {
+-	char	name[8];			/* Name of the driver	    */
++	char	name[16];			/* Name of the driver	    */
+ 	int	index;				/* Minor dev. to use	    */
+ 	char	*options;			/* Options for the driver   */
+ #ifdef CONFIG_A11Y_BRAILLE_CONSOLE
+@@ -1477,6 +1477,7 @@ void register_console(struct console *newcon)
+ 	 */
+ 	for (i = 0; i < MAX_CMDLINECONSOLES && console_cmdline[i].name[0];
+ 			i++) {
++		BUILD_BUG_ON(sizeof(console_cmdline[i].name) != sizeof(newcon->name));
+ 		if (strcmp(console_cmdline[i].name, newcon->name) != 0)
+ 			continue;
+ 		if (newcon->index >= 0 &&
+diff --git a/kernel/sched.c b/kernel/sched.c
+index ea85b0d..fe33d0f 100644
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -5224,8 +5224,11 @@ void rt_mutex_setprio(struct task_struct *p, int prio)
+ 
+ 	if (rt_prio(prio))
+ 		p->sched_class = &rt_sched_class;
+-	else
++	else {
++		if (rt_prio(oldprio))
++			p->rt.timeout = 0;
+ 		p->sched_class = &fair_sched_class;
++	}
+ 
+ 	p->prio = prio;
+ 
+@@ -9104,6 +9107,12 @@ static inline int tg_has_rt_tasks(struct task_group *tg)
+ {
+ 	struct task_struct *g, *p;
+ 
++	/*
++	 * Autogroups do not have RT tasks; see autogroup_create().
++	 */
++	if (task_group_is_autogroup(tg))
++		return 0;
++
+ 	do_each_thread(g, p) {
+ 		if (rt_task(p) && rt_rq_of_se(&p->rt)->tg == tg)
+ 			return 1;
+diff --git a/kernel/sched_autogroup.c b/kernel/sched_autogroup.c
+index f280df1..cb0a950 100644
+--- a/kernel/sched_autogroup.c
++++ b/kernel/sched_autogroup.c
+@@ -86,8 +86,7 @@ static inline struct autogroup *autogroup_create(void)
+ 	 * so we don't have to move tasks around upon policy change,
+ 	 * or flail around trying to allocate bandwidth on the fly.
+ 	 * A bandwidth exception in __sched_setscheduler() allows
+-	 * the policy change to proceed.  Thereafter, task_group()
+-	 * returns &root_task_group, so zero bandwidth is required.
++	 * the policy change to proceed.
+ 	 */
+ 	free_rt_sched_group(tg);
+ 	tg->rt_se = root_task_group.rt_se;
+@@ -114,9 +113,6 @@ task_wants_autogroup(struct task_struct *p, struct task_group *tg)
+ 	if (tg != &root_task_group)
+ 		return false;
+ 
+-	if (p->sched_class != &fair_sched_class)
+-		return false;
+-
+ 	/*
+ 	 * We can only assume the task group can't go away on us if
+ 	 * autogroup_move_group() can see us on ->thread_group list.
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index dcbafed..08e043b 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -935,6 +935,12 @@ static __init void ftrace_profile_debugfs(struct dentry *d_tracer)
+ 
+ static struct pid * const ftrace_swapper_pid = &init_struct_pid;
+ 
++#ifdef CONFIG_FUNCTION_GRAPH_TRACER
++static int ftrace_graph_active;
++#else
++# define ftrace_graph_active 0
++#endif
++
+ static loff_t
+ ftrace_filter_lseek(struct file *file, loff_t offset, int whence)
+ {
+@@ -1810,24 +1816,36 @@ static int ftrace_shutdown(struct ftrace_ops *ops, int command)
+ 
+ static void ftrace_startup_sysctl(void)
+ {
++	int command;
++
+ 	if (unlikely(ftrace_disabled))
+ 		return;
+ 
+ 	/* Force update next time */
+ 	saved_ftrace_func = NULL;
+ 	/* ftrace_start_up is true if we want ftrace running */
+-	if (ftrace_start_up)
+-		ftrace_run_update_code(FTRACE_UPDATE_CALLS);
++	if (ftrace_start_up) {
++		command = FTRACE_UPDATE_CALLS;
++		if (ftrace_graph_active)
++			command |= FTRACE_START_FUNC_RET;
++		ftrace_startup_enable(command);
++	}
+ }
+ 
+ static void ftrace_shutdown_sysctl(void)
+ {
++	int command;
++
+ 	if (unlikely(ftrace_disabled))
+ 		return;
+ 
+ 	/* ftrace_start_up is true if ftrace is running */
+-	if (ftrace_start_up)
+-		ftrace_run_update_code(FTRACE_DISABLE_CALLS);
++	if (ftrace_start_up) {
++		command = FTRACE_DISABLE_CALLS;
++		if (ftrace_graph_active)
++			command |= FTRACE_STOP_FUNC_RET;
++		ftrace_run_update_code(command);
++	}
+ }
+ 
+ static cycle_t		ftrace_update_time;
+@@ -4024,12 +4042,12 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
+ 
+ 	if (ftrace_enabled) {
+ 
+-		ftrace_startup_sysctl();
+-
+ 		/* we are starting ftrace again */
+ 		if (ftrace_ops_list != &ftrace_list_end)
+ 			update_ftrace_function();
+ 
++		ftrace_startup_sysctl();
++
+ 	} else {
+ 		/* stopping ftrace calls (just send to ftrace_stub) */
+ 		ftrace_trace_function = ftrace_stub;
+@@ -4044,7 +4062,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
+ 
+ #ifdef CONFIG_FUNCTION_GRAPH_TRACER
+ 
+-static int ftrace_graph_active;
+ static struct notifier_block ftrace_suspend_notifier;
+ 
+ int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index d2c43a2..26922da 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2418,9 +2418,10 @@ void __unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start,
+ 			continue;
+ 
+ 		/*
+-		 * HWPoisoned hugepage is already unmapped and dropped reference
++		 * Migrating hugepage or HWPoisoned hugepage is already
++		 * unmapped and its refcount is dropped
+ 		 */
+-		if (unlikely(is_hugetlb_entry_hwpoisoned(pte)))
++		if (unlikely(!pte_present(pte)))
+ 			continue;
+ 
+ 		page = pte_page(pte);
+@@ -2798,6 +2799,7 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	struct page *pagecache_page = NULL;
+ 	static DEFINE_MUTEX(hugetlb_instantiation_mutex);
+ 	struct hstate *h = hstate_vma(vma);
++	int need_wait_lock = 0;
+ 
+ 	ptep = huge_pte_offset(mm, address);
+ 	if (ptep) {
+@@ -2829,6 +2831,16 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	ret = 0;
+ 
+ 	/*
++	 * entry could be a migration/hwpoison entry at this point, so this
++	 * check prevents the kernel from going below assuming that we have
++	 * a active hugepage in pagecache. This goto expects the 2nd page fault,
++	 * and is_hugetlb_entry_(migration|hwpoisoned) check will properly
++	 * handle it.
++	 */
++	if (!pte_present(entry))
++		goto out_mutex;
++
++	/*
+ 	 * If we are going to COW the mapping later, we examine the pending
+ 	 * reservations for this page now. This will ensure that any
+ 	 * allocations necessary to record that reservation occur outside the
+@@ -2847,29 +2859,30 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+ 								vma, address);
+ 	}
+ 
++	spin_lock(&mm->page_table_lock);
++	/* Check for a racing update before calling hugetlb_cow */
++	if (unlikely(!pte_same(entry, huge_ptep_get(ptep))))
++		goto out_page_table_lock;
++
+ 	/*
+ 	 * hugetlb_cow() requires page locks of pte_page(entry) and
+ 	 * pagecache_page, so here we need take the former one
+ 	 * when page != pagecache_page or !pagecache_page.
+-	 * Note that locking order is always pagecache_page -> page,
+-	 * so no worry about deadlock.
+ 	 */
+ 	page = pte_page(entry);
+-	get_page(page);
+ 	if (page != pagecache_page)
+-		lock_page(page);
+-
+-	spin_lock(&mm->page_table_lock);
+-	/* Check for a racing update before calling hugetlb_cow */
+-	if (unlikely(!pte_same(entry, huge_ptep_get(ptep))))
+-		goto out_page_table_lock;
++		if (!trylock_page(page)) {
++			need_wait_lock = 1;
++			goto out_page_table_lock;
++		}
+ 
++	get_page(page);
+ 
+ 	if (flags & FAULT_FLAG_WRITE) {
+ 		if (!pte_write(entry)) {
+ 			ret = hugetlb_cow(mm, vma, address, ptep, entry,
+ 							pagecache_page);
+-			goto out_page_table_lock;
++			goto out_put_page;
+ 		}
+ 		entry = pte_mkdirty(entry);
+ 	}
+@@ -2877,7 +2890,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	if (huge_ptep_set_access_flags(vma, address, ptep, entry,
+ 						flags & FAULT_FLAG_WRITE))
+ 		update_mmu_cache(vma, address, ptep);
+-
++out_put_page:
++	if (page != pagecache_page)
++		unlock_page(page);
++	put_page(page);
+ out_page_table_lock:
+ 	spin_unlock(&mm->page_table_lock);
+ 
+@@ -2885,13 +2901,18 @@ out_page_table_lock:
+ 		unlock_page(pagecache_page);
+ 		put_page(pagecache_page);
+ 	}
+-	if (page != pagecache_page)
+-		unlock_page(page);
+-	put_page(page);
+-
+ out_mutex:
+ 	mutex_unlock(&hugetlb_instantiation_mutex);
+ 
++	/*
++	 * Generally it's safe to hold refcount during waiting page lock. But
++	 * here we just wait to defer the next page fault to avoid busy loop and
++	 * the page is not used after unlocked before returning from the current
++	 * page fault. So we are safe from accessing freed page, even if we wait
++	 * here without taking refcount.
++	 */
++	if (need_wait_lock)
++		wait_on_page_locked(page);
+ 	return ret;
+ }
+ 
+@@ -3017,7 +3038,22 @@ void hugetlb_change_protection(struct vm_area_struct *vma,
+ 			continue;
+ 		if (huge_pmd_unshare(mm, &address, ptep))
+ 			continue;
+-		if (!huge_pte_none(huge_ptep_get(ptep))) {
++		pte = huge_ptep_get(ptep);
++		if (unlikely(is_hugetlb_entry_hwpoisoned(pte)))
++			continue;
++		if (unlikely(is_hugetlb_entry_migration(pte))) {
++			swp_entry_t entry = pte_to_swp_entry(pte);
++
++			if (is_write_migration_entry(entry)) {
++				pte_t newpte;
++
++				make_migration_entry_read(&entry);
++				newpte = swp_entry_to_pte(entry);
++				set_huge_pte_at(mm, address, ptep, newpte);
++			}
++			continue;
++		}
++		if (!huge_pte_none(pte)) {
+ 			pte = huge_ptep_get_and_clear(mm, address, ptep);
+ 			pte = pte_mkhuge(pte_modify(pte, newprot));
+ 			set_huge_pte_at(mm, address, ptep, pte);
+diff --git a/mm/memory.c b/mm/memory.c
+index 0a7bb38..452b8ba 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -3831,7 +3831,7 @@ int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
+ 	if (follow_phys(vma, addr, write, &prot, &phys_addr))
+ 		return -EINVAL;
+ 
+-	maddr = ioremap_prot(phys_addr, PAGE_SIZE, prot);
++	maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot);
+ 	if (write)
+ 		memcpy_toio(maddr + offset, buf, len);
+ 	else
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 13b5685..94f4e34 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -111,7 +111,7 @@ struct percpu_counter vm_committed_as ____cacheline_aligned_in_smp;
+  */
+ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ {
+-	unsigned long free, allowed;
++	long free, allowed;
+ 
+ 	vm_acct_memory(pages);
+ 
+@@ -541,10 +541,8 @@ again:			remove_next = 1 + (end > next->vm_end);
+ 
+ 			importer->anon_vma = exporter->anon_vma;
+ 			error = anon_vma_clone(importer, exporter);
+-			if (error) {
+-				importer->anon_vma = NULL;
++			if (error)
+ 				return error;
+-			}
+ 		}
+ 	}
+ 
+diff --git a/mm/nommu.c b/mm/nommu.c
+index 1db7971..d0cb11f 100644
+--- a/mm/nommu.c
++++ b/mm/nommu.c
+@@ -1885,7 +1885,7 @@ EXPORT_SYMBOL(unmap_mapping_range);
+  */
+ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
+ {
+-	unsigned long free, allowed;
++	long free, allowed;
+ 
+ 	vm_acct_memory(pages);
+ 
+diff --git a/mm/page-writeback.c b/mm/page-writeback.c
+index aad22aa..1bf1f74 100644
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -661,8 +661,11 @@ static void bdi_update_write_bandwidth(struct backing_dev_info *bdi,
+ 	 *                   bw * elapsed + write_bandwidth * (period - elapsed)
+ 	 * write_bandwidth = ---------------------------------------------------
+ 	 *                                          period
++	 *
++	 * @written may have decreased due to account_page_redirty().
++	 * Avoid underflowing @bw calculation.
+ 	 */
+-	bw = written - bdi->written_stamp;
++	bw = written - min(written, bdi->written_stamp);
+ 	bw *= HZ;
+ 	if (unlikely(elapsed > period)) {
+ 		do_div(bw, elapsed);
+@@ -726,7 +729,7 @@ static void global_update_bandwidth(unsigned long thresh,
+ 				    unsigned long now)
+ {
+ 	static DEFINE_SPINLOCK(dirty_lock);
+-	static unsigned long update_time;
++	static unsigned long update_time = INITIAL_JIFFIES;
+ 
+ 	/*
+ 	 * check locklessly first to optimize away locking for the most time
+diff --git a/mm/rmap.c b/mm/rmap.c
+index 2c4ee3e..98f0bf7f 100644
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -295,6 +295,13 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
+ 	return 0;
+ 
+  enomem_failure:
++	/*
++	 * dst->anon_vma is dropped here otherwise its degree can be incorrectly
++	 * decremented in unlink_anon_vmas().
++	 * We can safely do this because callers of anon_vma_clone() don't care
++	 * about dst->anon_vma if anon_vma_clone() failed.
++	 */
++	dst->anon_vma = NULL;
+ 	unlink_anon_vmas(dst);
+ 	return -ENOMEM;
+ }
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 7fac75f..7eed9eb 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -317,7 +317,7 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	int copylen;
+ 
+ 	ret = -EOPNOTSUPP;
+-	if (m->msg_flags&MSG_OOB)
++	if (flags & MSG_OOB)
+ 		goto read_error;
+ 
+ 	skb = skb_recv_datagram(sk, flags, 0 , &ret);
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index 0ce2ad0..7d9dff222 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -244,6 +244,9 @@ int can_send(struct sk_buff *skb, int loop)
+ 	}
+ 
+ 	skb->protocol = htons(ETH_P_CAN);
++	skb->ip_summed = CHECKSUM_UNNECESSARY;
++
++	skb_reset_mac_header(skb);
+ 	skb_reset_network_header(skb);
+ 	skb_reset_transport_header(skb);
+ 
+diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
+index a70f426..2df98a6 100644
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -678,12 +678,22 @@ static void put_osd(struct ceph_osd *osd)
+  */
+ static void __remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd)
+ {
+-	dout("__remove_osd %p\n", osd);
++	dout("%s %p osd%d\n", __func__, osd, osd->o_osd);
+ 	BUG_ON(!list_empty(&osd->o_requests));
+-	rb_erase(&osd->o_node, &osdc->osds);
+ 	list_del_init(&osd->o_osd_lru);
+-	ceph_con_close(&osd->o_con);
+-	put_osd(osd);
++	rb_erase(&osd->o_node, &osdc->osds);
++	RB_CLEAR_NODE(&osd->o_node);
++}
++
++static void remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd)
++{
++	dout("%s %p osd%d\n", __func__, osd, osd->o_osd);
++
++	if (!RB_EMPTY_NODE(&osd->o_node)) {
++		ceph_con_close(&osd->o_con);
++		__remove_osd(osdc, osd);
++		put_osd(osd);
++	}
+ }
+ 
+ static void remove_all_osds(struct ceph_osd_client *osdc)
+@@ -693,7 +703,7 @@ static void remove_all_osds(struct ceph_osd_client *osdc)
+ 	while (!RB_EMPTY_ROOT(&osdc->osds)) {
+ 		struct ceph_osd *osd = rb_entry(rb_first(&osdc->osds),
+ 						struct ceph_osd, o_node);
+-		__remove_osd(osdc, osd);
++		remove_osd(osdc, osd);
+ 	}
+ 	mutex_unlock(&osdc->request_mutex);
+ }
+@@ -723,7 +733,7 @@ static void remove_old_osds(struct ceph_osd_client *osdc)
+ 	list_for_each_entry_safe(osd, nosd, &osdc->osd_lru, o_osd_lru) {
+ 		if (time_before(jiffies, osd->lru_ttl))
+ 			break;
+-		__remove_osd(osdc, osd);
++		remove_osd(osdc, osd);
+ 	}
+ 	mutex_unlock(&osdc->request_mutex);
+ }
+@@ -739,7 +749,7 @@ static int __reset_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd)
+ 	dout("__reset_osd %p osd%d\n", osd, osd->o_osd);
+ 	if (list_empty(&osd->o_requests) &&
+ 	    list_empty(&osd->o_linger_requests)) {
+-		__remove_osd(osdc, osd);
++		remove_osd(osdc, osd);
+ 	} else if (memcmp(&osdc->osdmap->osd_addr[osd->o_osd],
+ 			  &osd->o_con.peer_addr,
+ 			  sizeof(osd->o_con.peer_addr)) == 0 &&
+@@ -1271,6 +1281,7 @@ static void reset_changed_osds(struct ceph_osd_client *osdc)
+ {
+ 	struct rb_node *p, *n;
+ 
++	dout("%s %p\n", __func__, osdc);
+ 	for (p = rb_first(&osdc->osds); p; p = n) {
+ 		struct ceph_osd *osd = rb_entry(p, struct ceph_osd, o_node);
+ 
+diff --git a/net/compat.c b/net/compat.c
+index 759e542..f06994d 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -71,6 +71,13 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
+ 	    __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
+ 	    __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ 		return -EFAULT;
++
++	if (!tmp1)
++		kmsg->msg_namelen = 0;
++
++	if (kmsg->msg_namelen < 0)
++		return -EINVAL;
++
+ 	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+ 		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ 	kmsg->msg_name = compat_ptr(tmp1);
+@@ -737,24 +744,18 @@ static unsigned char nas[21] = {
+ 
+ asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned flags)
+ {
+-	if (flags & MSG_CMSG_COMPAT)
+-		return -EINVAL;
+ 	return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ }
+ 
+ asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ 				    unsigned vlen, unsigned int flags)
+ {
+-	if (flags & MSG_CMSG_COMPAT)
+-		return -EINVAL;
+ 	return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ 			      flags | MSG_CMSG_COMPAT);
+ }
+ 
+ asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
+ {
+-	if (flags & MSG_CMSG_COMPAT)
+-		return -EINVAL;
+ 	return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ }
+ 
+@@ -777,9 +778,6 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ 	int datagrams;
+ 	struct timespec ktspec;
+ 
+-	if (flags & MSG_CMSG_COMPAT)
+-		return -EINVAL;
+-
+ 	if (timeout == NULL)
+ 		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ 				      flags | MSG_CMSG_COMPAT, NULL);
+diff --git a/net/core/dev.c b/net/core/dev.c
+index fcb5133..1c0d862 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -859,7 +859,7 @@ int dev_valid_name(const char *name)
+ 		return 0;
+ 
+ 	while (*name) {
+-		if (*name == '/' || isspace(*name))
++		if (*name == '/' || *name == ':' || isspace(*name))
+ 			return 0;
+ 		name++;
+ 	}
+@@ -6338,10 +6338,20 @@ static int dev_cpu_callback(struct notifier_block *nfb,
+ 		oldsd->output_queue = NULL;
+ 		oldsd->output_queue_tailp = &oldsd->output_queue;
+ 	}
+-	/* Append NAPI poll list from offline CPU. */
+-	if (!list_empty(&oldsd->poll_list)) {
+-		list_splice_init(&oldsd->poll_list, &sd->poll_list);
+-		raise_softirq_irqoff(NET_RX_SOFTIRQ);
++	/* Append NAPI poll list from offline CPU, with one exception :
++	 * process_backlog() must be called by cpu owning percpu backlog.
++	 * We properly handle process_queue & input_pkt_queue later.
++	 */
++	while (!list_empty(&oldsd->poll_list)) {
++		struct napi_struct *napi = list_first_entry(&oldsd->poll_list,
++							    struct napi_struct,
++							    poll_list);
++
++		list_del_init(&napi->poll_list);
++		if (napi->poll == process_backlog)
++			napi->state = 0;
++		else
++			____napi_schedule(sd, napi);
+ 	}
+ 
+ 	raise_softirq_irqoff(NET_TX_SOFTIRQ);
+@@ -6352,7 +6362,7 @@ static int dev_cpu_callback(struct notifier_block *nfb,
+ 		netif_rx(skb);
+ 		input_queue_head_incr(oldsd);
+ 	}
+-	while ((skb = __skb_dequeue(&oldsd->input_pkt_queue))) {
++	while ((skb = skb_dequeue(&oldsd->input_pkt_queue))) {
+ 		netif_rx(skb);
+ 		input_queue_head_incr(oldsd);
+ 	}
+diff --git a/net/core/gen_stats.c b/net/core/gen_stats.c
+index 0452eb2..91080c1 100644
+--- a/net/core/gen_stats.c
++++ b/net/core/gen_stats.c
+@@ -31,6 +31,9 @@ gnet_stats_copy(struct gnet_dump *d, int type, void *buf, int size)
+ 	return 0;
+ 
+ nla_put_failure:
++	kfree(d->xstats);
++	d->xstats = NULL;
++	d->xstats_len = 0;
+ 	spin_unlock_bh(d->lock);
+ 	return -1;
+ }
+@@ -204,7 +207,9 @@ int
+ gnet_stats_copy_app(struct gnet_dump *d, void *st, int len)
+ {
+ 	if (d->compat_xstats) {
+-		d->xstats = st;
++		d->xstats = kmemdup(st, len, GFP_ATOMIC);
++		if (!d->xstats)
++			goto err_out;
+ 		d->xstats_len = len;
+ 	}
+ 
+@@ -212,6 +217,11 @@ gnet_stats_copy_app(struct gnet_dump *d, void *st, int len)
+ 		return gnet_stats_copy(d, TCA_STATS_APP, st, len);
+ 
+ 	return 0;
++
++err_out:
++	d->xstats_len = 0;
++	spin_unlock_bh(d->lock);
++	return -1;
+ }
+ EXPORT_SYMBOL(gnet_stats_copy_app);
+ 
+@@ -244,6 +254,9 @@ gnet_stats_finish_copy(struct gnet_dump *d)
+ 			return -1;
+ 	}
+ 
++	kfree(d->xstats);
++	d->xstats = NULL;
++	d->xstats_len = 0;
+ 	spin_unlock_bh(d->lock);
+ 	return 0;
+ }
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 0900a17..5b412f0 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1152,14 +1152,10 @@ static const struct nla_policy ifla_vfinfo_policy[IFLA_VF_INFO_MAX+1] = {
+ };
+ 
+ static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = {
+-	[IFLA_VF_MAC]		= { .type = NLA_BINARY,
+-				    .len = sizeof(struct ifla_vf_mac) },
+-	[IFLA_VF_VLAN]		= { .type = NLA_BINARY,
+-				    .len = sizeof(struct ifla_vf_vlan) },
+-	[IFLA_VF_TX_RATE]	= { .type = NLA_BINARY,
+-				    .len = sizeof(struct ifla_vf_tx_rate) },
+-	[IFLA_VF_SPOOFCHK]	= { .type = NLA_BINARY,
+-				    .len = sizeof(struct ifla_vf_spoofchk) },
++	[IFLA_VF_MAC]		= { .len = sizeof(struct ifla_vf_mac) },
++	[IFLA_VF_VLAN]		= { .len = sizeof(struct ifla_vf_vlan) },
++	[IFLA_VF_TX_RATE]	= { .len = sizeof(struct ifla_vf_tx_rate) },
++	[IFLA_VF_SPOOFCHK]	= { .len = sizeof(struct ifla_vf_spoofchk) },
+ };
+ 
+ static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = {
+@@ -1705,10 +1701,10 @@ static int rtnl_group_changelink(struct net *net, int group,
+ 		struct ifinfomsg *ifm,
+ 		struct nlattr **tb)
+ {
+-	struct net_device *dev;
++	struct net_device *dev, *aux;
+ 	int err;
+ 
+-	for_each_netdev(net, dev) {
++	for_each_netdev_safe(net, dev, aux) {
+ 		if (dev->group == group) {
+ 			err = do_setlink(dev, ifm, tb, NULL, 0);
+ 			if (err < 0)
+@@ -1864,8 +1860,16 @@ replay:
+ 			goto out;
+ 
+ 		err = rtnl_configure_link(dev, ifm);
+-		if (err < 0)
+-			unregister_netdevice(dev);
++		if (err < 0) {
++			if (ops->newlink) {
++				LIST_HEAD(list_kill);
++
++				ops->dellink(dev, &list_kill);
++				unregister_netdevice_many(&list_kill);
++			} else {
++				unregister_netdevice(dev);
++			}
++		}
+ out:
+ 		put_net(dest_net);
+ 		return err;
+diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
+index f0bdd36..f9496c4 100644
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -21,6 +21,8 @@
+ 
+ static int zero = 0;
+ static int ushort_max = USHRT_MAX;
++static int min_sndbuf = SOCK_MIN_SNDBUF;
++static int min_rcvbuf = SOCK_MIN_RCVBUF;
+ 
+ #ifdef CONFIG_RPS
+ static int rps_sock_flow_sysctl(ctl_table *table, int write,
+@@ -89,28 +91,32 @@ static struct ctl_table net_core_table[] = {
+ 		.data		= &sysctl_wmem_max,
+ 		.maxlen		= sizeof(int),
+ 		.mode		= 0644,
+-		.proc_handler	= proc_dointvec
++		.proc_handler	= proc_dointvec_minmax,
++		.extra1		= &min_sndbuf,
+ 	},
+ 	{
+ 		.procname	= "rmem_max",
+ 		.data		= &sysctl_rmem_max,
+ 		.maxlen		= sizeof(int),
+ 		.mode		= 0644,
+-		.proc_handler	= proc_dointvec
++		.proc_handler	= proc_dointvec_minmax,
++		.extra1		= &min_rcvbuf,
+ 	},
+ 	{
+ 		.procname	= "wmem_default",
+ 		.data		= &sysctl_wmem_default,
+ 		.maxlen		= sizeof(int),
+ 		.mode		= 0644,
+-		.proc_handler	= proc_dointvec
++		.proc_handler	= proc_dointvec_minmax,
++		.extra1		= &min_sndbuf,
+ 	},
+ 	{
+ 		.procname	= "rmem_default",
+ 		.data		= &sysctl_rmem_default,
+ 		.maxlen		= sizeof(int),
+ 		.mode		= 0644,
+-		.proc_handler	= proc_dointvec
++		.proc_handler	= proc_dointvec_minmax,
++		.extra1		= &min_rcvbuf,
+ 	},
+ 	{
+ 		.procname	= "dev_weight",
+diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
+index 29a07b6..bcd78a3 100644
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -57,6 +57,9 @@ int ip_forward(struct sk_buff *skb)
+ 	struct rtable *rt;	/* Route we use */
+ 	struct ip_options * opt	= &(IPCB(skb)->opt);
+ 
++	if (unlikely(skb->sk))
++		goto drop;
++
+ 	if (skb_warn_if_lro(skb))
+ 		goto drop;
+ 
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index 8f441b2..16e25a4 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -692,27 +692,30 @@ EXPORT_SYMBOL(ip_defrag);
+ struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user)
+ {
+ 	struct iphdr iph;
++	int netoff;
+ 	u32 len;
+ 
+ 	if (skb->protocol != htons(ETH_P_IP))
+ 		return skb;
+ 
+-	if (!skb_copy_bits(skb, 0, &iph, sizeof(iph)))
++	netoff = skb_network_offset(skb);
++
++	if (skb_copy_bits(skb, netoff, &iph, sizeof(iph)) < 0)
+ 		return skb;
+ 
+ 	if (iph.ihl < 5 || iph.version != 4)
+ 		return skb;
+ 
+ 	len = ntohs(iph.tot_len);
+-	if (skb->len < len || len < (iph.ihl * 4))
++	if (skb->len < netoff + len || len < (iph.ihl * 4))
+ 		return skb;
+ 
+ 	if (ip_is_fragment(&iph)) {
+ 		skb = skb_share_check(skb, GFP_ATOMIC);
+ 		if (skb) {
+-			if (!pskb_may_pull(skb, iph.ihl*4))
++			if (!pskb_may_pull(skb, netoff + iph.ihl * 4))
+ 				return skb;
+-			if (pskb_trim_rcsum(skb, len))
++			if (pskb_trim_rcsum(skb, netoff + len))
+ 				return skb;
+ 			memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
+ 			if (ip_defrag(skb, user))
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index bf2e54b..013f59b 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -834,7 +834,8 @@ static int __ip_append_data(struct sock *sk,
+ 	cork->length += length;
+ 	if (((length > mtu) || (skb && skb_has_frags(skb))) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+-	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
++	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
++	    (sk->sk_type == SOCK_DGRAM)) {
+ 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+ 					 hh_len, fragheaderlen, transhdrlen,
+ 					 maxfraglen, flags);
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 542a9c1..043d882 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -416,15 +416,11 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ 
+ 	memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+ 	sin = &errhdr.offender;
+-	sin->sin_family = AF_UNSPEC;
++	memset(sin, 0, sizeof(*sin));
+ 	if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) {
+-		struct inet_sock *inet = inet_sk(sk);
+-
+ 		sin->sin_family = AF_INET;
+ 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+-		sin->sin_port = 0;
+-		memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
+-		if (inet->cmsg_flags)
++		if (inet_sk(sk)->cmsg_flags)
+ 			ip_cmsg_recv(msg, skb);
+ 	}
+ 
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index d495d4b..7aa6225 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -139,6 +139,7 @@ static void ping_v4_unhash(struct sock *sk)
+ 	if (sk_hashed(sk)) {
+ 		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
++		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = isk->inet_sport = 0;
+ 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+@@ -257,6 +258,11 @@ static int ping_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ 	if (addr_len < sizeof(struct sockaddr_in))
+ 		return -EINVAL;
+ 
++	if (addr->sin_family != AF_INET &&
++	    !(addr->sin_family == AF_UNSPEC &&
++	      addr->sin_addr.s_addr == htonl(INADDR_ANY)))
++		return -EAFNOSUPPORT;
++
+ 	pr_debug("ping_v4_bind(sk=%p,sa_addr=%08x,sa_port=%d)\n",
+ 		sk, addr->sin_addr.s_addr, ntohs(addr->sin_port));
+ 
+@@ -504,7 +510,7 @@ static int ping_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ 		if (msg->msg_namelen < sizeof(*usin))
+ 			return -EINVAL;
+ 		if (usin->sin_family != AF_INET)
+-			return -EINVAL;
++			return -EAFNOSUPPORT;
+ 		daddr = usin->sin_addr.s_addr;
+ 		/* no remote port */
+ 	} else {
+@@ -716,8 +722,11 @@ void ping_rcv(struct sk_buff *skb)
+ 	sk = ping_v4_lookup(net, saddr, daddr, ntohs(icmph->un.echo.id),
+ 			    skb->dev->ifindex);
+ 	if (sk != NULL) {
++		struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
++
+ 		pr_debug("rcv on socket %p\n", sk);
+-		ping_queue_rcv_skb(sk, skb_get(skb));
++		if (skb2)
++			ping_queue_rcv_skb(sk, skb2);
+ 		sock_put(sk);
+ 		return;
+ 	}
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 739b073..253dd80 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -24,7 +24,7 @@
+ #include <net/inet_frag.h>
+ #include <net/ping.h>
+ 
+-static int zero;
++static int one = 1;
+ static int tcp_retr1_max = 255;
+ static int ip_local_port_range_min[] = { 1, 1 };
+ static int ip_local_port_range_max[] = { 65535, 65535 };
+@@ -448,14 +448,16 @@ static struct ctl_table ipv4_table[] = {
+ 		.data		= &sysctl_tcp_wmem,
+ 		.maxlen		= sizeof(sysctl_tcp_wmem),
+ 		.mode		= 0644,
+-		.proc_handler	= proc_dointvec
++		.proc_handler	= proc_dointvec_minmax,
++		.extra1		= &one,
+ 	},
+ 	{
+ 		.procname	= "tcp_rmem",
+ 		.data		= &sysctl_tcp_rmem,
+ 		.maxlen		= sizeof(sysctl_tcp_rmem),
+ 		.mode		= 0644,
+-		.proc_handler	= proc_dointvec
++		.proc_handler	= proc_dointvec_minmax,
++		.extra1		= &one,
+ 	},
+ 	{
+ 		.procname	= "tcp_app_win",
+@@ -662,7 +664,7 @@ static struct ctl_table ipv4_table[] = {
+ 		.maxlen		= sizeof(sysctl_udp_rmem_min),
+ 		.mode		= 0644,
+ 		.proc_handler	= proc_dointvec_minmax,
+-		.extra1		= &zero
++		.extra1		= &one
+ 	},
+ 	{
+ 		.procname	= "udp_wmem_min",
+@@ -670,7 +672,7 @@ static struct ctl_table ipv4_table[] = {
+ 		.maxlen		= sizeof(sysctl_udp_wmem_min),
+ 		.mode		= 0644,
+ 		.proc_handler	= proc_dointvec_minmax,
+-		.extra1		= &zero
++		.extra1		= &one
+ 	},
+ 	{ }
+ };
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 3a37f54..e614810 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2320,33 +2320,40 @@ begin_fwd:
+ 	}
+ }
+ 
+-/* Send a fin.  The caller locks the socket for us.  This cannot be
+- * allowed to fail queueing a FIN frame under any circumstances.
++/* Send a FIN. The caller locks the socket for us.
++ * We should try to send a FIN packet really hard, but eventually give up.
+  */
+ void tcp_send_fin(struct sock *sk)
+ {
++	struct sk_buff *skb, *tskb = tcp_write_queue_tail(sk);
+ 	struct tcp_sock *tp = tcp_sk(sk);
+-	struct sk_buff *skb = tcp_write_queue_tail(sk);
+-	int mss_now;
+ 
+-	/* Optimization, tack on the FIN if we have a queue of
+-	 * unsent frames.  But be careful about outgoing SACKS
+-	 * and IP options.
++	/* Optimization, tack on the FIN if we have one skb in write queue and
++	 * this skb was not yet sent, or we are under memory pressure.
++	 * Note: in the latter case, FIN packet will be sent after a timeout,
++	 * as TCP stack thinks it has already been transmitted.
+ 	 */
+-	mss_now = tcp_current_mss(sk);
+-
+-	if (tcp_send_head(sk) != NULL) {
+-		TCP_SKB_CB(skb)->tcp_flags |= TCPHDR_FIN;
+-		TCP_SKB_CB(skb)->end_seq++;
++	if (tskb && (tcp_send_head(sk) || tcp_memory_pressure)) {
++coalesce:
++		TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN;
++		TCP_SKB_CB(tskb)->end_seq++;
+ 		tp->write_seq++;
++		if (!tcp_send_head(sk)) {
++			/* This means tskb was already sent.
++			 * Pretend we included the FIN on previous transmit.
++			 * We need to set tp->snd_nxt to the value it would have
++			 * if FIN had been sent. This is because retransmit path
++			 * does not change tp->snd_nxt.
++			 */
++			tp->snd_nxt++;
++			return;
++		}
+ 	} else {
+-		/* Socket is locked, keep trying until memory is available. */
+-		for (;;) {
+-			skb = alloc_skb_fclone(MAX_TCP_HEADER,
+-					       sk->sk_allocation);
+-			if (skb)
+-				break;
+-			yield();
++		skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation);
++		if (unlikely(!skb)) {
++			if (tskb)
++				goto coalesce;
++			return;
+ 		}
+ 
+ 		/* Reserve space for headers and prepare control bits. */
+@@ -2356,7 +2363,7 @@ void tcp_send_fin(struct sock *sk)
+ 				     TCPHDR_ACK | TCPHDR_FIN);
+ 		tcp_queue_skb(sk, skb);
+ 	}
+-	__tcp_push_pending_frames(sk, mss_now, TCP_NAGLE_OFF);
++	__tcp_push_pending_frames(sk, tcp_current_mss(sk), TCP_NAGLE_OFF);
+ }
+ 
+ /* We get here when a process closes a file descriptor (either due to
+@@ -2632,13 +2639,10 @@ int tcp_connect(struct sock *sk)
+ 
+ 	tcp_connect_init(sk);
+ 
+-	buff = alloc_skb_fclone(MAX_TCP_HEADER + 15, sk->sk_allocation);
+-	if (unlikely(buff == NULL))
++	buff = sk_stream_alloc_skb(sk, 0, sk->sk_allocation);
++	if (unlikely(!buff))
+ 		return -ENOBUFS;
+ 
+-	/* Reserve space for headers. */
+-	skb_reserve(buff, MAX_TCP_HEADER);
+-
+ 	tp->snd_nxt = tp->write_seq;
+ 	tcp_init_nondata_skb(buff, tp->write_seq++, TCPHDR_SYN);
+ 	TCP_ECN_send_syn(sk, buff);
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index 3c7c948..33719b7 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -371,12 +371,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ 
+ 	memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+ 	sin = &errhdr.offender;
+-	sin->sin6_family = AF_UNSPEC;
++	memset(sin, 0, sizeof(*sin));
++
+ 	if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) {
+ 		sin->sin6_family = AF_INET6;
+-		sin->sin6_flowinfo = 0;
+-		sin->sin6_port = 0;
+-		sin->sin6_scope_id = 0;
+ 		if (skb->protocol == htons(ETH_P_IPV6)) {
+ 			ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr);
+ 			if (np->rxopt.all)
+@@ -384,11 +382,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ 			if (ipv6_addr_type(&sin->sin6_addr) & IPV6_ADDR_LINKLOCAL)
+ 				sin->sin6_scope_id = IP6CB(skb)->iif;
+ 		} else {
+-			struct inet_sock *inet = inet_sk(sk);
+-
+ 			ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr,
+ 					       &sin->sin6_addr);
+-			if (inet->cmsg_flags)
++			if (inet_sk(sk)->cmsg_flags)
+ 				ip_cmsg_recv(msg, skb);
+ 		}
+ 	}
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 2215d6b..6b3edff 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1339,7 +1339,8 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
+ 	if (((length > mtu) ||
+ 	     (skb && skb_has_frags(skb))) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+-	    (rt->dst.dev->features & NETIF_F_UFO)) {
++	    (rt->dst.dev->features & NETIF_F_UFO) &&
++	    (sk->sk_type == SOCK_DGRAM)) {
+ 		err = ip6_ufo_append_data(sk, getfrag, from, length,
+ 					  hh_len, fragheaderlen,
+ 					  transhdrlen, mtu, flags, rt);
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 62096d8..884d45f 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1277,7 +1277,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
+ 		rt->rt6i_expires = jiffies + (HZ * lifetime);
+ 
+ 	if (ra_msg->icmph.icmp6_hop_limit) {
+-		in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++		/* Only set hop_limit on the interface if it is higher than
++		 * the current hop_limit.
++		 */
++		if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
++			in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++		} else {
++			ND_PRINTK2(KERN_WARNING "RA: Got route advertisement with lower hop_limit than current\n");
++		}
+ 		if (rt)
+ 			dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ 				       ra_msg->icmph.icmp6_hop_limit);
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 782f67a..d89d1a6 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -106,7 +106,7 @@ static u32 *ipv6_cow_metrics(struct dst_entry *dst, unsigned long old)
+ 	u32 *p = NULL;
+ 
+ 	if (!(rt->dst.flags & DST_HOST))
+-		return NULL;
++		return dst_cow_metrics_generic(dst, old);
+ 
+ 	if (!rt->rt6i_peer)
+ 		rt6_bind_peer(rt, 1);
+@@ -1018,12 +1018,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
+ 
+ 	if (mtu < dst_mtu(dst) && rt6->rt6i_dst.plen == 128) {
+ 		rt6->rt6i_flags |= RTF_MODIFIED;
+-		if (mtu < IPV6_MIN_MTU) {
+-			u32 features = dst_metric(dst, RTAX_FEATURES);
++		if (mtu < IPV6_MIN_MTU)
+ 			mtu = IPV6_MIN_MTU;
+-			features |= RTAX_FEATURE_ALLFRAG;
+-			dst_metric_set(dst, RTAX_FEATURES, features);
+-		}
++
+ 		dst_metric_set(dst, RTAX_MTU, mtu);
+ 	}
+ }
+diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
+index 253695d..cf368dd 100644
+--- a/net/irda/ircomm/ircomm_tty.c
++++ b/net/irda/ircomm/ircomm_tty.c
+@@ -848,7 +848,9 @@ static void ircomm_tty_wait_until_sent(struct tty_struct *tty, int timeout)
+ 	orig_jiffies = jiffies;
+ 
+ 	/* Set poll time to 200 ms */
+-	poll_time = IRDA_MIN(timeout, msecs_to_jiffies(200));
++	poll_time = msecs_to_jiffies(200);
++	if (timeout)
++		poll_time = min_t(unsigned long, timeout, poll_time);
+ 
+ 	spin_lock_irqsave(&self->spinlock, flags);
+ 	while (self->tx_skb && self->tx_skb->len) {
+diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
+index e2ebe35..be078ec 100644
+--- a/net/llc/sysctl_net_llc.c
++++ b/net/llc/sysctl_net_llc.c
+@@ -17,28 +17,28 @@ static struct ctl_table llc2_timeout_table[] = {
+ 	{
+ 		.procname	= "ack",
+ 		.data		= &sysctl_llc2_ack_timeout,
+-		.maxlen		= sizeof(long),
++		.maxlen		= sizeof(sysctl_llc2_ack_timeout),
+ 		.mode		= 0644,
+ 		.proc_handler   = proc_dointvec_jiffies,
+ 	},
+ 	{
+ 		.procname	= "busy",
+ 		.data		= &sysctl_llc2_busy_timeout,
+-		.maxlen		= sizeof(long),
++		.maxlen		= sizeof(sysctl_llc2_busy_timeout),
+ 		.mode		= 0644,
+ 		.proc_handler   = proc_dointvec_jiffies,
+ 	},
+ 	{
+ 		.procname	= "p",
+ 		.data		= &sysctl_llc2_p_timeout,
+-		.maxlen		= sizeof(long),
++		.maxlen		= sizeof(sysctl_llc2_p_timeout),
+ 		.mode		= 0644,
+ 		.proc_handler   = proc_dointvec_jiffies,
+ 	},
+ 	{
+ 		.procname	= "rej",
+ 		.data		= &sysctl_llc2_rej_timeout,
+-		.maxlen		= sizeof(long),
++		.maxlen		= sizeof(sysctl_llc2_rej_timeout),
+ 		.mode		= 0644,
+ 		.proc_handler   = proc_dointvec_jiffies,
+ 	},
+diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
+index aea1559..6174785 100644
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -49,8 +49,6 @@ static void ieee80211_free_tid_rx(struct rcu_head *h)
+ 		container_of(h, struct tid_ampdu_rx, rcu_head);
+ 	int i;
+ 
+-	del_timer_sync(&tid_rx->reorder_timer);
+-
+ 	for (i = 0; i < tid_rx->buf_size; i++)
+ 		dev_kfree_skb(tid_rx->reorder_buf[i]);
+ 	kfree(tid_rx->reorder_buf);
+@@ -91,6 +89,12 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
+ 
+ 	del_timer_sync(&tid_rx->session_timer);
+ 
++	/* make sure ieee80211_sta_reorder_release() doesn't re-arm the timer */
++	spin_lock_bh(&tid_rx->reorder_lock);
++	tid_rx->removed = true;
++	spin_unlock_bh(&tid_rx->reorder_lock);
++	del_timer_sync(&tid_rx->reorder_timer);
++
+ 	call_rcu(&tid_rx->rcu_head, ieee80211_free_tid_rx);
+ }
+ 
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index a9cf593..8da371c5 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -53,11 +53,25 @@ struct ieee80211_local;
+ 
+ #define TU_TO_EXP_TIME(x)	(jiffies + usecs_to_jiffies((x) * 1024))
+ 
+-#define IEEE80211_DEFAULT_UAPSD_QUEUES \
+-	(IEEE80211_WMM_IE_STA_QOSINFO_AC_BK |	\
+-	 IEEE80211_WMM_IE_STA_QOSINFO_AC_BE |	\
+-	 IEEE80211_WMM_IE_STA_QOSINFO_AC_VI |	\
+-	 IEEE80211_WMM_IE_STA_QOSINFO_AC_VO)
++/*
++ * Some APs experience problems when working with U-APSD. Decreasing the
++ * probability of that happening by using legacy mode for all ACs but VO isn't
++ * enough.
++ *
++ * Cisco 4410N originally forced us to enable VO by default only because it
++ * treated non-VO ACs as legacy.
++ *
++ * However some APs (notably Netgear R7000) silently reclassify packets to
++ * different ACs. Since u-APSD ACs require trigger frames for frame retrieval
++ * clients would never see some frames (e.g. ARP responses) or would fetch them
++ * accidentally after a long time.
++ *
++ * It makes little sense to enable u-APSD queues by default because it needs
++ * userspace applications to be aware of it to actually take advantage of the
++ * possible additional powersavings. Implicitly depending on driver autotrigger
++ * frame support doesn't make much sense.
++ */
++#define IEEE80211_DEFAULT_UAPSD_QUEUES 0
+ 
+ #define IEEE80211_DEFAULT_MAX_SP_LEN		\
+ 	IEEE80211_WMM_IE_STA_QOSINFO_SP_ALL
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index c0444a0..7c53eff 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -670,9 +670,10 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
+ 
+  set_release_timer:
+ 
+-		mod_timer(&tid_agg_rx->reorder_timer,
+-			  tid_agg_rx->reorder_time[j] + 1 +
+-			  HT_RX_REORDER_BUF_TIMEOUT);
++		if (!tid_agg_rx->removed)
++			mod_timer(&tid_agg_rx->reorder_timer,
++				  tid_agg_rx->reorder_time[j] + 1 +
++				  HT_RX_REORDER_BUF_TIMEOUT);
+ 	} else {
+ 		del_timer(&tid_agg_rx->reorder_timer);
+ 	}
+@@ -1921,6 +1922,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
+ 	hdr = (struct ieee80211_hdr *) skb->data;
+ 	mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
+ 
++	if (ieee80211_drop_unencrypted(rx, hdr->frame_control))
++		return RX_DROP_MONITOR;
++
+ 	/* frame is in RMC, don't forward */
+ 	if (ieee80211_is_data(hdr->frame_control) &&
+ 	    is_multicast_ether_addr(hdr->addr1) &&
+diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
+index a68155f..556fbcc 100644
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -138,6 +138,7 @@ struct tid_ampdu_tx {
+  * @dialog_token: dialog token for aggregation session
+  * @rcu_head: RCU head used for freeing this struct
+  * @reorder_lock: serializes access to reorder buffer, see below.
++ * @removed: this session is removed (but might have been found due to RCU)
+  *
+  * This structure's lifetime is managed by RCU, assignments to
+  * the array holding it must hold the aggregation mutex.
+@@ -160,6 +161,7 @@ struct tid_ampdu_rx {
+ 	u16 buf_size;
+ 	u16 timeout;
+ 	u8 dialog_token;
++	bool removed;
+ };
+ 
+ /**
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 25bbb2e..65df296 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -537,9 +537,11 @@ ieee80211_tx_h_check_control_port_protocol(struct ieee80211_tx_data *tx)
+ {
+ 	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
+ 
+-	if (unlikely(tx->sdata->control_port_protocol == tx->skb->protocol &&
+-		     tx->sdata->control_port_no_encrypt))
+-		info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
++	if (unlikely(tx->sdata->control_port_protocol == tx->skb->protocol)) {
++		if (tx->sdata->control_port_no_encrypt)
++			info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
++		info->flags |= IEEE80211_TX_CTL_USE_MINRATE;
++	}
+ 
+ 	return TX_CONTINUE;
+ }
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 6dc7d7d..d864aaf 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -662,16 +662,24 @@ static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user)
+ }
+ #endif
+ 
+-static int ip_vs_route_me_harder(int af, struct sk_buff *skb)
++static int ip_vs_route_me_harder(int af, struct sk_buff *skb,
++				 unsigned int hooknum)
+ {
++	if (!sysctl_snat_reroute(skb))
++		return 0;
++	/* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */
++	if (NF_INET_LOCAL_IN == hooknum)
++		return 0;
+ #ifdef CONFIG_IP_VS_IPV6
+ 	if (af == AF_INET6) {
+-		if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0)
++		struct dst_entry *dst = skb_dst(skb);
++
++		if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) &&
++		    ip6_route_me_harder(skb) != 0)
+ 			return 1;
+ 	} else
+ #endif
+-		if ((sysctl_snat_reroute(skb) ||
+-		     skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
++		if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
+ 		    ip_route_me_harder(skb, RTN_LOCAL) != 0)
+ 			return 1;
+ 
+@@ -782,7 +790,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
+ 				union nf_inet_addr *snet,
+ 				__u8 protocol, struct ip_vs_conn *cp,
+ 				struct ip_vs_protocol *pp,
+-				unsigned int offset, unsigned int ihl)
++				unsigned int offset, unsigned int ihl,
++				unsigned int hooknum)
+ {
+ 	unsigned int verdict = NF_DROP;
+ 
+@@ -812,7 +821,7 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
+ #endif
+ 		ip_vs_nat_icmp(skb, pp, cp, 1);
+ 
+-	if (ip_vs_route_me_harder(af, skb))
++	if (ip_vs_route_me_harder(af, skb, hooknum))
+ 		goto out;
+ 
+ 	/* do the statistics and put it back */
+@@ -908,7 +917,7 @@ static int ip_vs_out_icmp(struct sk_buff *skb, int *related,
+ 
+ 	snet.ip = iph->saddr;
+ 	return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
+-				    pp, offset, ihl);
++				    pp, offset, ihl, hooknum);
+ }
+ 
+ #ifdef CONFIG_IP_VS_IPV6
+@@ -985,7 +994,8 @@ static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related,
+ 
+ 	ipv6_addr_copy(&snet.in6, &iph->saddr);
+ 	return handle_response_icmp(AF_INET6, skb, &snet, cih->nexthdr, cp,
+-				    pp, offset, sizeof(struct ipv6hdr));
++				    pp, offset, sizeof(struct ipv6hdr),
++				    hooknum);
+ }
+ #endif
+ 
+@@ -1018,7 +1028,7 @@ static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
+  */
+ static unsigned int
+ handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
+-		struct ip_vs_conn *cp, int ihl)
++		struct ip_vs_conn *cp, int ihl, unsigned int hooknum)
+ {
+ 	struct ip_vs_protocol *pp = pd->pp;
+ 
+@@ -1056,7 +1066,7 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
+ 	 * if it came from this machine itself.  So re-compute
+ 	 * the routing information.
+ 	 */
+-	if (ip_vs_route_me_harder(af, skb))
++	if (ip_vs_route_me_harder(af, skb, hooknum))
+ 		goto drop;
+ 
+ 	IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");
+@@ -1169,7 +1179,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
+ 	cp = pp->conn_out_get(af, skb, &iph, iph.len, 0);
+ 
+ 	if (likely(cp))
+-		return handle_response(af, skb, pd, cp, iph.len);
++		return handle_response(af, skb, pd, cp, iph.len, hooknum);
+ 	if (sysctl_nat_icmp_send(net) &&
+ 	    (pp->protocol == IPPROTO_TCP ||
+ 	     pp->protocol == IPPROTO_UDP ||
+diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
+index 538d74e..365163f 100644
+--- a/net/netfilter/ipvs/ip_vs_ftp.c
++++ b/net/netfilter/ipvs/ip_vs_ftp.c
+@@ -183,6 +183,8 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
+ 	struct nf_conn *ct;
+ 	struct net *net;
+ 
++	*diff = 0;
++
+ #ifdef CONFIG_IP_VS_IPV6
+ 	/* This application helper doesn't work with IPv6 yet,
+ 	 * so turn this into a no-op for IPv6 packets
+@@ -191,8 +193,6 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
+ 		return 1;
+ #endif
+ 
+-	*diff = 0;
+-
+ 	/* Only useful for established sessions */
+ 	if (cp->state != IP_VS_TCP_S_ESTABLISHED)
+ 		return 1;
+@@ -318,6 +318,9 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
+ 	struct ip_vs_conn *n_cp;
+ 	struct net *net;
+ 
++	/* no diff required for incoming packets */
++	*diff = 0;
++
+ #ifdef CONFIG_IP_VS_IPV6
+ 	/* This application helper doesn't work with IPv6 yet,
+ 	 * so turn this into a no-op for IPv6 packets
+@@ -326,9 +329,6 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
+ 		return 1;
+ #endif
+ 
+-	/* no diff required for incoming packets */
+-	*diff = 0;
+-
+ 	/* Only useful for established sessions */
+ 	if (cp->state != IP_VS_TCP_S_ESTABLISHED)
+ 		return 1;
+diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
+index 2b6678c0..2cbcc83 100644
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -763,6 +763,8 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
+ 			IP_VS_DBG(2, "BACKUP, add new conn. failed\n");
+ 			return;
+ 		}
++		if (!(flags & IP_VS_CONN_F_TEMPLATE))
++			kfree(param->pe_data);
+ 	} else if (!cp->dest) {
+ 		dest = ip_vs_try_bind_dest(cp);
+ 		if (dest)
+@@ -1064,6 +1066,7 @@ static inline int ip_vs_proc_sync_conn(struct net *net, __u8 *p, __u8 *msg_end)
+ 				(opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL)
+ 				);
+ #endif
++	ip_vs_pe_put(param.pe);
+ 	return 0;
+ 	/* Error exit */
+ out:
+diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
+index b3a7db6..6d70533 100644
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -233,7 +233,7 @@ int nf_queue(struct sk_buff *skb,
+ 	 * returned by nf_queue.  For instance, callers rely on -ECANCELED to mean
+ 	 * 'ignore this hook'.
+ 	 */
+-	if (IS_ERR(segs))
++	if (IS_ERR_OR_NULL(segs))
+ 		return -EINVAL;
+ 
+ 	queued = 0;
+diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
+index fe39f7e..c4706be 100644
+--- a/net/netfilter/xt_socket.c
++++ b/net/netfilter/xt_socket.c
+@@ -205,12 +205,13 @@ static int
+ extract_icmp6_fields(const struct sk_buff *skb,
+ 		     unsigned int outside_hdrlen,
+ 		     int *protocol,
+-		     struct in6_addr **raddr,
+-		     struct in6_addr **laddr,
++		     const struct in6_addr **raddr,
++		     const struct in6_addr **laddr,
+ 		     __be16 *rport,
+-		     __be16 *lport)
++		     __be16 *lport,
++		     struct ipv6hdr *ipv6_var)
+ {
+-	struct ipv6hdr *inside_iph, _inside_iph;
++	const struct ipv6hdr *inside_iph;
+ 	struct icmp6hdr *icmph, _icmph;
+ 	__be16 *ports, _ports[2];
+ 	u8 inside_nexthdr;
+@@ -224,12 +225,15 @@ extract_icmp6_fields(const struct sk_buff *skb,
+ 	if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK)
+ 		return 1;
+ 
+-	inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph);
++	inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph),
++					sizeof(*ipv6_var), ipv6_var);
+ 	if (inside_iph == NULL)
+ 		return 1;
+ 	inside_nexthdr = inside_iph->nexthdr;
+ 
+-	inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph), &inside_nexthdr);
++	inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) +
++					      sizeof(*ipv6_var),
++					 &inside_nexthdr);
+ 	if (inside_hdrlen < 0)
+ 		return 1; /* hjm: Packet has no/incomplete transport layer headers. */
+ 
+@@ -256,10 +260,10 @@ extract_icmp6_fields(const struct sk_buff *skb,
+ static bool
+ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par)
+ {
+-	struct ipv6hdr *iph = ipv6_hdr(skb);
++	struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb);
+ 	struct udphdr _hdr, *hp = NULL;
+ 	struct sock *sk;
+-	struct in6_addr *daddr, *saddr;
++	const struct in6_addr *daddr, *saddr;
+ 	__be16 dport, sport;
+ 	int thoff, tproto;
+ 	const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
+@@ -283,7 +287,7 @@ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par)
+ 
+ 	} else if (tproto == IPPROTO_ICMPV6) {
+ 		if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr,
+-					 &sport, &dport))
++					 &sport, &dport, &ipv6_var))
+ 			return false;
+ 	} else {
+ 		return false;
+diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c
+index 4e1de17..83725f3 100644
+--- a/net/rds/iw_rdma.c
++++ b/net/rds/iw_rdma.c
+@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool,
+ 			int *unpinned);
+ static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr);
+ 
+-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id)
++static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst,
++			     struct rds_iw_device **rds_iwdev,
++			     struct rdma_cm_id **cm_id)
+ {
+ 	struct rds_iw_device *iwdev;
+ 	struct rds_iw_cm_id *i_cm_id;
+@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd
+ 				src_addr->sin_port,
+ 				dst_addr->sin_addr.s_addr,
+ 				dst_addr->sin_port,
+-				rs->rs_bound_addr,
+-				rs->rs_bound_port,
+-				rs->rs_conn_addr,
+-				rs->rs_conn_port);
++				src->sin_addr.s_addr,
++				src->sin_port,
++				dst->sin_addr.s_addr,
++				dst->sin_port);
+ #ifdef WORKING_TUPLE_DETECTION
+-			if (src_addr->sin_addr.s_addr == rs->rs_bound_addr &&
+-			    src_addr->sin_port == rs->rs_bound_port &&
+-			    dst_addr->sin_addr.s_addr == rs->rs_conn_addr &&
+-			    dst_addr->sin_port == rs->rs_conn_port) {
++			if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr &&
++			    src_addr->sin_port == src->sin_port &&
++			    dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr &&
++			    dst_addr->sin_port == dst->sin_port) {
+ #else
+ 			/* FIXME - needs to compare the local and remote
+ 			 * ipaddr/port tuple, but the ipaddr is the only
+@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd
+ 			 * zero'ed.  It doesn't appear to be properly populated
+ 			 * during connection setup...
+ 			 */
+-			if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) {
++			if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) {
+ #endif
+ 				spin_unlock_irq(&iwdev->spinlock);
+ 				*rds_iwdev = iwdev;
+@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i
+ {
+ 	struct sockaddr_in *src_addr, *dst_addr;
+ 	struct rds_iw_device *rds_iwdev_old;
+-	struct rds_sock rs;
+ 	struct rdma_cm_id *pcm_id;
+ 	int rc;
+ 
+ 	src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
+ 	dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
+ 
+-	rs.rs_bound_addr = src_addr->sin_addr.s_addr;
+-	rs.rs_bound_port = src_addr->sin_port;
+-	rs.rs_conn_addr = dst_addr->sin_addr.s_addr;
+-	rs.rs_conn_port = dst_addr->sin_port;
+-
+-	rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id);
++	rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id);
+ 	if (rc)
+ 		rds_iw_remove_cm_id(rds_iwdev, cm_id);
+ 
+@@ -611,9 +607,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents,
+ 	struct rds_iw_device *rds_iwdev;
+ 	struct rds_iw_mr *ibmr = NULL;
+ 	struct rdma_cm_id *cm_id;
++	struct sockaddr_in src = {
++		.sin_addr.s_addr = rs->rs_bound_addr,
++		.sin_port = rs->rs_bound_port,
++	};
++	struct sockaddr_in dst = {
++		.sin_addr.s_addr = rs->rs_conn_addr,
++		.sin_port = rs->rs_conn_port,
++	};
+ 	int ret;
+ 
+-	ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id);
++	ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id);
+ 	if (ret || !cm_id) {
+ 		ret = -ENODEV;
+ 		goto out;
+diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c
+index 25ad0c7..065026f 100644
+--- a/net/rds/sysctl.c
++++ b/net/rds/sysctl.c
+@@ -71,14 +71,14 @@ static ctl_table rds_sysctl_rds_table[] = {
+ 	{
+ 		.procname	= "max_unacked_packets",
+ 		.data		= &rds_sysctl_max_unacked_packets,
+-		.maxlen         = sizeof(unsigned long),
++		.maxlen         = sizeof(int),
+ 		.mode           = 0644,
+ 		.proc_handler   = proc_dointvec,
+ 	},
+ 	{
+ 		.procname	= "max_unacked_bytes",
+ 		.data		= &rds_sysctl_max_unacked_bytes,
+-		.maxlen         = sizeof(unsigned long),
++		.maxlen         = sizeof(int),
+ 		.mode           = 0644,
+ 		.proc_handler   = proc_dointvec,
+ 	},
+diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c
+index 898492a..5cc2da5 100644
+--- a/net/rxrpc/ar-recvmsg.c
++++ b/net/rxrpc/ar-recvmsg.c
+@@ -87,7 +87,7 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 		if (!skb) {
+ 			/* nothing remains on the queue */
+ 			if (copied &&
+-			    (msg->msg_flags & MSG_PEEK || timeo == 0))
++			    (flags & MSG_PEEK || timeo == 0))
+ 				goto out;
+ 
+ 			/* wait for a message to turn up */
+diff --git a/net/sched/ematch.c b/net/sched/ematch.c
+index 88d93eb..088342f 100644
+--- a/net/sched/ematch.c
++++ b/net/sched/ematch.c
+@@ -227,6 +227,7 @@ static int tcf_em_validate(struct tcf_proto *tp,
+ 				 * to replay the request.
+ 				 */
+ 				module_put(em->ops->owner);
++				em->ops = NULL;
+ 				err = -EAGAIN;
+ 			}
+ #endif
+diff --git a/net/socket.c b/net/socket.c
+index 3faa358..116cf9d 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1885,6 +1885,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
+ 	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+ 		return -EFAULT;
+ 
++	if (kmsg->msg_name == NULL)
++		kmsg->msg_namelen = 0;
++
+ 	if (kmsg->msg_namelen < 0)
+ 		return -EINVAL;
+ 
+diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
+index 237a2ee..7de935a 100644
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -909,7 +909,7 @@ static unsigned int cache_poll(struct file *filp, poll_table *wait,
+ 	poll_wait(filp, &queue_wait, wait);
+ 
+ 	/* alway allow write */
+-	mask = POLL_OUT | POLLWRNORM;
++	mask = POLLOUT | POLLWRNORM;
+ 
+ 	if (!rp)
+ 		return mask;
+diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
+index 28236ba..37e4484 100644
+--- a/net/sunrpc/xprtrdma/verbs.c
++++ b/net/sunrpc/xprtrdma/verbs.c
+@@ -485,7 +485,7 @@ rpcrdma_ia_open(struct rpcrdma_xprt *xprt, struct sockaddr *addr, int memreg)
+ 	if (rc) {
+ 		dprintk("RPC:       %s: ib_query_device failed %d\n",
+ 			__func__, rc);
+-		goto out2;
++		goto out3;
+ 	}
+ 
+ 	if (devattr.device_cap_flags & IB_DEVICE_LOCAL_DMA_LKEY) {
+@@ -587,7 +587,7 @@ rpcrdma_ia_open(struct rpcrdma_xprt *xprt, struct sockaddr *addr, int memreg)
+ 		printk(KERN_ERR "%s: invalid memory registration mode %d\n",
+ 				__func__, memreg);
+ 		rc = -EINVAL;
+-		goto out2;
++		goto out3;
+ 	}
+ 	dprintk("RPC:       %s: memory registration strategy is %d\n",
+ 		__func__, memreg);
+@@ -596,6 +596,10 @@ rpcrdma_ia_open(struct rpcrdma_xprt *xprt, struct sockaddr *addr, int memreg)
+ 	ia->ri_memreg_strategy = memreg;
+ 
+ 	return 0;
++
++out3:
++	ib_dealloc_pd(ia->ri_pd);
++	ia->ri_pd = NULL;
+ out2:
+ 	rdma_destroy_id(ia->ri_id);
+ 	ia->ri_id = NULL;
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index cb4168e..e1f73b6 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2650,6 +2650,14 @@ static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
+ 	if (parse_station_flags(info, &params))
+ 		return -EINVAL;
+ 
++	/* HT requires QoS, but if we don't have that just ignore HT/VHT
++	 * as userspace might just pass through the capabilities from the IEs
++	 * directly, rather than enforcing this restriction and returning an
++	 * error in this case.
++	 */
++	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
++		params.ht_capa = NULL;
++
+ 	/* parse WME attributes if sta is WME capable */
+ 	if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
+ 	    (params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)) &&
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 47bacd8..e49d5f4 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -151,6 +151,8 @@ static int xfrm_output_gso(struct sk_buff *skb)
+ 	kfree_skb(skb);
+ 	if (IS_ERR(segs))
+ 		return PTR_ERR(segs);
++	if (segs == NULL)
++		return -EINVAL;
+ 
+ 	do {
+ 		struct sk_buff *nskb = segs->next;
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4dd8dcf..bac8928 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -150,7 +150,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
+ 		goto out;
+ 
+ 	/* No partial writes. */
+-	length = EINVAL;
++	length = -EINVAL;
+ 	if (*ppos != 0)
+ 		goto out;
+ 
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index 2ad0065..bd88b73 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -272,6 +272,16 @@ static inline char *smk_of_task(const struct task_smack *tsp)
+ 	return tsp->smk_task;
+ }
+ 
++static inline char *smk_of_task_struct(const struct task_struct *t)
++{
++	char *skp;
++
++	rcu_read_lock();
++	skp = smk_of_task(__task_cred(t)->security);
++	rcu_read_unlock();
++	return skp;
++}
++
+ /*
+  * Present a pointer to the forked smack label in an task blob.
+  */
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index e3adb49..774c159 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -38,8 +38,6 @@
+ #include <linux/personality.h>
+ #include "smack.h"
+ 
+-#define task_security(task)	(task_cred_xxx((task), security))
+-
+ #define TRANS_TRUE	"TRUE"
+ #define TRANS_TRUE_SIZE	4
+ 
+@@ -161,7 +159,7 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
+ 	if (rc != 0)
+ 		return rc;
+ 
+-	tsp = smk_of_task(task_security(ctp));
++	tsp = smk_of_task_struct(ctp);
+ 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ 	smk_ad_setfield_u_tsk(&ad, ctp);
+ 
+@@ -187,7 +185,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
+ 	if (rc != 0)
+ 		return rc;
+ 
+-	tsp = smk_of_task(task_security(ptp));
++	tsp = smk_of_task_struct(ptp);
+ 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ 	smk_ad_setfield_u_tsk(&ad, ptp);
+ 
+@@ -1515,7 +1513,7 @@ static int smk_curacc_on_task(struct task_struct *p, int access,
+ 
+ 	smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
+ 	smk_ad_setfield_u_tsk(&ad, p);
+-	return smk_curacc(smk_of_task(task_security(p)), access, &ad);
++	return smk_curacc(smk_of_task_struct(p), access, &ad);
+ }
+ 
+ /**
+@@ -1561,7 +1559,7 @@ static int smack_task_getsid(struct task_struct *p)
+  */
+ static void smack_task_getsecid(struct task_struct *p, u32 *secid)
+ {
+-	*secid = smack_to_secid(smk_of_task(task_security(p)));
++	*secid = smack_to_secid(smk_of_task_struct(p));
+ }
+ 
+ /**
+@@ -1673,7 +1671,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ 	 * can write the receiver.
+ 	 */
+ 	if (secid == 0)
+-		return smk_curacc(smk_of_task(task_security(p)), MAY_WRITE,
++		return smk_curacc(smk_of_task_struct(p), MAY_WRITE,
+ 				  &ad);
+ 	/*
+ 	 * If the secid isn't 0 we're dealing with some USB IO
+@@ -1681,7 +1679,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ 	 * we can't take privilege into account.
+ 	 */
+ 	return smk_access(smack_from_secid(secid),
+-			  smk_of_task(task_security(p)), MAY_WRITE, &ad);
++			  smk_of_task_struct(p), MAY_WRITE, &ad);
+ }
+ 
+ /**
+@@ -1694,9 +1692,13 @@ static int smack_task_wait(struct task_struct *p)
+ {
+ 	struct smk_audit_info ad;
+ 	char *sp = smk_of_current();
+-	char *tsp = smk_of_forked(task_security(p));
++	char *tsp;
+ 	int rc;
+ 
++	rcu_read_lock();
++	tsp = smk_of_forked(__task_cred(p)->security);
++	rcu_read_unlock();
++
+ 	/* we don't log here, we can be overriden */
+ 	rc = smk_access(tsp, sp, MAY_WRITE, NULL);
+ 	if (rc == 0)
+@@ -1733,7 +1735,7 @@ static int smack_task_wait(struct task_struct *p)
+ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
+ {
+ 	struct inode_smack *isp = inode->i_security;
+-	isp->smk_inode = smk_of_task(task_security(p));
++	isp->smk_inode = smk_of_task_struct(p);
+ }
+ 
+ /*
+@@ -2714,7 +2716,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
+ 	if (strcmp(name, "current") != 0)
+ 		return -EINVAL;
+ 
+-	cp = kstrdup(smk_of_task(task_security(p)), GFP_KERNEL);
++	cp = kstrdup(smk_of_task_struct(p), GFP_KERNEL);
+ 	if (cp == NULL)
+ 		return -ENOMEM;
+ 
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 9210594..1ba5d33 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -1164,6 +1164,10 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
+ 
+ 	if (info->count < 1)
+ 		return -EINVAL;
++	if (!*info->id.name)
++		return -EINVAL;
++	if (strnlen(info->id.name, sizeof(info->id.name)) >= sizeof(info->id.name))
++		return -EINVAL;
+ 	access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE :
+ 		(info->access & (SNDRV_CTL_ELEM_ACCESS_READWRITE|
+ 				 SNDRV_CTL_ELEM_ACCESS_INACTIVE|
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index 638600b..8a00555 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -1382,6 +1382,8 @@ static int snd_pcm_do_drain_init(struct snd_pcm_substream *substream, int state)
+ 			if (! snd_pcm_playback_empty(substream)) {
+ 				snd_pcm_do_start(substream, SNDRV_PCM_STATE_DRAINING);
+ 				snd_pcm_post_start(substream, SNDRV_PCM_STATE_DRAINING);
++			} else {
++				runtime->status->state = SNDRV_PCM_STATE_SETUP;
+ 			}
+ 			break;
+ 		case SNDRV_PCM_STATE_RUNNING:
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index d10a6ef..6d19f99 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -737,7 +737,7 @@ static void alc_auto_setup_eapd(struct hda_codec *codec, bool on)
+ {
+ 	/* We currently only handle front, HP */
+ 	static hda_nid_t pins[] = {
+-		0x0f, 0x10, 0x14, 0x15, 0
++		0x0f, 0x10, 0x14, 0x15, 0x17, 0
+ 	};
+ 	hda_nid_t *p;
+ 	for (p = pins; *p; p++)
+diff --git a/sound/pci/riptide/riptide.c b/sound/pci/riptide/riptide.c
+index dcbedd3..c86044f 100644
+--- a/sound/pci/riptide/riptide.c
++++ b/sound/pci/riptide/riptide.c
+@@ -2026,32 +2026,43 @@ snd_riptide_joystick_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ {
+ 	static int dev;
+ 	struct gameport *gameport;
++	int ret;
+ 
+ 	if (dev >= SNDRV_CARDS)
+ 		return -ENODEV;
++
+ 	if (!enable[dev]) {
+-		dev++;
+-		return -ENOENT;
++		ret = -ENOENT;
++		goto inc_dev;
+ 	}
+ 
+-	if (!joystick_port[dev++])
+-		return 0;
++	if (!joystick_port[dev]) {
++		ret = 0;
++		goto inc_dev;
++	}
+ 
+ 	gameport = gameport_allocate_port();
+-	if (!gameport)
+-		return -ENOMEM;
++	if (!gameport) {
++		ret = -ENOMEM;
++		goto inc_dev;
++	}
+ 	if (!request_region(joystick_port[dev], 8, "Riptide gameport")) {
+ 		snd_printk(KERN_WARNING
+ 			   "Riptide: cannot grab gameport 0x%x\n",
+ 			   joystick_port[dev]);
+ 		gameport_free_port(gameport);
+-		return -EBUSY;
++		ret = -EBUSY;
++		goto inc_dev;
+ 	}
+ 
+ 	gameport->io = joystick_port[dev];
+ 	gameport_register_port(gameport);
+ 	pci_set_drvdata(pci, gameport);
+-	return 0;
++
++	ret = 0;
++inc_dev:
++	dev++;
++	return ret;
+ }
+ 
+ static void __devexit snd_riptide_joystick_remove(struct pci_dev *pci)
+diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
+index 19ee220..71a3d52 100644
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -5966,6 +5966,9 @@ static int snd_hdspm_playback_open(struct snd_pcm_substream *substream)
+ 		snd_pcm_hw_constraint_minmax(runtime,
+ 					     SNDRV_PCM_HW_PARAM_PERIOD_SIZE,
+ 					     64, 8192);
++		snd_pcm_hw_constraint_minmax(runtime,
++					     SNDRV_PCM_HW_PARAM_PERIODS,
++					     2, 2);
+ 		break;
+ 	}
+ 
+@@ -6040,6 +6043,9 @@ static int snd_hdspm_capture_open(struct snd_pcm_substream *substream)
+ 		snd_pcm_hw_constraint_minmax(runtime,
+ 					     SNDRV_PCM_HW_PARAM_PERIOD_SIZE,
+ 					     64, 8192);
++		snd_pcm_hw_constraint_minmax(runtime,
++					     SNDRV_PCM_HW_PARAM_PERIODS,
++					     2, 2);
+ 		break;
+ 	}
+ 
+diff --git a/sound/soc/codecs/adav80x.c b/sound/soc/codecs/adav80x.c
+index f9f0894..b23d979 100644
+--- a/sound/soc/codecs/adav80x.c
++++ b/sound/soc/codecs/adav80x.c
+@@ -307,7 +307,7 @@ static int adav80x_put_deemph(struct snd_kcontrol *kcontrol,
+ {
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct adav80x *adav80x = snd_soc_codec_get_drvdata(codec);
+-	unsigned int deemph = ucontrol->value.enumerated.item[0];
++	unsigned int deemph = ucontrol->value.integer.value[0];
+ 
+ 	if (deemph > 1)
+ 		return -EINVAL;
+@@ -323,7 +323,7 @@ static int adav80x_get_deemph(struct snd_kcontrol *kcontrol,
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct adav80x *adav80x = snd_soc_codec_get_drvdata(codec);
+ 
+-	ucontrol->value.enumerated.item[0] = adav80x->deemph;
++	ucontrol->value.integer.value[0] = adav80x->deemph;
+ 	return 0;
+ };
+ 
+diff --git a/sound/soc/codecs/ak4641.c b/sound/soc/codecs/ak4641.c
+index 7783858..60891f6 100644
+--- a/sound/soc/codecs/ak4641.c
++++ b/sound/soc/codecs/ak4641.c
+@@ -75,7 +75,7 @@ static int ak4641_put_deemph(struct snd_kcontrol *kcontrol,
+ {
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct ak4641_priv *ak4641 = snd_soc_codec_get_drvdata(codec);
+-	int deemph = ucontrol->value.enumerated.item[0];
++	int deemph = ucontrol->value.integer.value[0];
+ 
+ 	if (deemph > 1)
+ 		return -EINVAL;
+@@ -91,7 +91,7 @@ static int ak4641_get_deemph(struct snd_kcontrol *kcontrol,
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct ak4641_priv *ak4641 = snd_soc_codec_get_drvdata(codec);
+ 
+-	ucontrol->value.enumerated.item[0] = ak4641->deemph;
++	ucontrol->value.integer.value[0] = ak4641->deemph;
+ 	return 0;
+ };
+ 
+diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c
+index 69fde15..561d5e0 100644
+--- a/sound/soc/codecs/cs4271.c
++++ b/sound/soc/codecs/cs4271.c
+@@ -261,7 +261,7 @@ static int cs4271_get_deemph(struct snd_kcontrol *kcontrol,
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct cs4271_private *cs4271 = snd_soc_codec_get_drvdata(codec);
+ 
+-	ucontrol->value.enumerated.item[0] = cs4271->deemph;
++	ucontrol->value.integer.value[0] = cs4271->deemph;
+ 	return 0;
+ }
+ 
+@@ -271,7 +271,7 @@ static int cs4271_put_deemph(struct snd_kcontrol *kcontrol,
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct cs4271_private *cs4271 = snd_soc_codec_get_drvdata(codec);
+ 
+-	cs4271->deemph = ucontrol->value.enumerated.item[0];
++	cs4271->deemph = ucontrol->value.integer.value[0];
+ 	return cs4271_set_deemph(codec);
+ }
+ 
+diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
+index c8cdf91..ed07d83 100644
+--- a/sound/soc/codecs/sgtl5000.c
++++ b/sound/soc/codecs/sgtl5000.c
+@@ -1098,13 +1098,7 @@ static int sgtl5000_set_power_regs(struct snd_soc_codec *codec)
+ 		/* Enable VDDC charge pump */
+ 		ana_pwr |= SGTL5000_VDDC_CHRGPMP_POWERUP;
+ 	} else if (vddio >= 3100 && vdda >= 3100) {
+-		/*
+-		 * if vddio and vddd > 3.1v,
+-		 * charge pump should be clean before set ana_pwr
+-		 */
+-		snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER,
+-				SGTL5000_VDDC_CHRGPMP_POWERUP, 0);
+-
++		ana_pwr &= ~SGTL5000_VDDC_CHRGPMP_POWERUP;
+ 		/* VDDC use VDDIO rail */
+ 		lreg_ctrl |= SGTL5000_VDDC_ASSN_OVRD;
+ 		lreg_ctrl |= SGTL5000_VDDC_MAN_ASSN_VDDIO <<
+diff --git a/sound/soc/codecs/wm2000.c b/sound/soc/codecs/wm2000.c
+index ba03dc2..d421140 100644
+--- a/sound/soc/codecs/wm2000.c
++++ b/sound/soc/codecs/wm2000.c
+@@ -614,7 +614,7 @@ static int wm2000_anc_mode_get(struct snd_kcontrol *kcontrol,
+ {
+ 	struct wm2000_priv *wm2000 = dev_get_drvdata(&wm2000_i2c->dev);
+ 
+-	ucontrol->value.enumerated.item[0] = wm2000->anc_active;
++	ucontrol->value.integer.value[0] = wm2000->anc_active;
+ 
+ 	return 0;
+ }
+@@ -623,7 +623,7 @@ static int wm2000_anc_mode_put(struct snd_kcontrol *kcontrol,
+ 			       struct snd_ctl_elem_value *ucontrol)
+ {
+ 	struct wm2000_priv *wm2000 = dev_get_drvdata(&wm2000_i2c->dev);
+-	int anc_active = ucontrol->value.enumerated.item[0];
++	int anc_active = ucontrol->value.integer.value[0];
+ 
+ 	if (anc_active > 1)
+ 		return -EINVAL;
+@@ -638,7 +638,7 @@ static int wm2000_speaker_get(struct snd_kcontrol *kcontrol,
+ {
+ 	struct wm2000_priv *wm2000 = dev_get_drvdata(&wm2000_i2c->dev);
+ 
+-	ucontrol->value.enumerated.item[0] = wm2000->spk_ena;
++	ucontrol->value.integer.value[0] = wm2000->spk_ena;
+ 
+ 	return 0;
+ }
+@@ -647,7 +647,7 @@ static int wm2000_speaker_put(struct snd_kcontrol *kcontrol,
+ 			      struct snd_ctl_elem_value *ucontrol)
+ {
+ 	struct wm2000_priv *wm2000 = dev_get_drvdata(&wm2000_i2c->dev);
+-	int val = ucontrol->value.enumerated.item[0];
++	int val = ucontrol->value.integer.value[0];
+ 
+ 	if (val > 1)
+ 		return -EINVAL;
+diff --git a/sound/soc/codecs/wm8731.c b/sound/soc/codecs/wm8731.c
+index 6cfd4f7..dffede1 100644
+--- a/sound/soc/codecs/wm8731.c
++++ b/sound/soc/codecs/wm8731.c
+@@ -106,7 +106,7 @@ static int wm8731_get_deemph(struct snd_kcontrol *kcontrol,
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8731_priv *wm8731 = snd_soc_codec_get_drvdata(codec);
+ 
+-	ucontrol->value.enumerated.item[0] = wm8731->deemph;
++	ucontrol->value.integer.value[0] = wm8731->deemph;
+ 
+ 	return 0;
+ }
+@@ -116,7 +116,7 @@ static int wm8731_put_deemph(struct snd_kcontrol *kcontrol,
+ {
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8731_priv *wm8731 = snd_soc_codec_get_drvdata(codec);
+-	int deemph = ucontrol->value.enumerated.item[0];
++	int deemph = ucontrol->value.integer.value[0];
+ 	int ret = 0;
+ 
+ 	if (deemph > 1)
+diff --git a/sound/soc/codecs/wm8903.c b/sound/soc/codecs/wm8903.c
+index 4352ffb..16c0ec5 100644
+--- a/sound/soc/codecs/wm8903.c
++++ b/sound/soc/codecs/wm8903.c
+@@ -464,7 +464,7 @@ static int wm8903_get_deemph(struct snd_kcontrol *kcontrol,
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8903_priv *wm8903 = snd_soc_codec_get_drvdata(codec);
+ 
+-	ucontrol->value.enumerated.item[0] = wm8903->deemph;
++	ucontrol->value.integer.value[0] = wm8903->deemph;
+ 
+ 	return 0;
+ }
+@@ -474,7 +474,7 @@ static int wm8903_put_deemph(struct snd_kcontrol *kcontrol,
+ {
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8903_priv *wm8903 = snd_soc_codec_get_drvdata(codec);
+-	int deemph = ucontrol->value.enumerated.item[0];
++	int deemph = ucontrol->value.integer.value[0];
+ 	int ret = 0;
+ 
+ 	if (deemph > 1)
+diff --git a/sound/soc/codecs/wm8904.c b/sound/soc/codecs/wm8904.c
+index fafb76f..79bfa52 100644
+--- a/sound/soc/codecs/wm8904.c
++++ b/sound/soc/codecs/wm8904.c
+@@ -814,7 +814,7 @@ static int wm8904_get_deemph(struct snd_kcontrol *kcontrol,
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8904_priv *wm8904 = snd_soc_codec_get_drvdata(codec);
+ 
+-	ucontrol->value.enumerated.item[0] = wm8904->deemph;
++	ucontrol->value.integer.value[0] = wm8904->deemph;
+ 	return 0;
+ }
+ 
+@@ -823,7 +823,7 @@ static int wm8904_put_deemph(struct snd_kcontrol *kcontrol,
+ {
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8904_priv *wm8904 = snd_soc_codec_get_drvdata(codec);
+-	int deemph = ucontrol->value.enumerated.item[0];
++	int deemph = ucontrol->value.integer.value[0];
+ 
+ 	if (deemph > 1)
+ 		return -EINVAL;
+diff --git a/sound/soc/codecs/wm8955.c b/sound/soc/codecs/wm8955.c
+index 3c71987..77ff1d7 100644
+--- a/sound/soc/codecs/wm8955.c
++++ b/sound/soc/codecs/wm8955.c
+@@ -377,7 +377,7 @@ static int wm8955_get_deemph(struct snd_kcontrol *kcontrol,
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8955_priv *wm8955 = snd_soc_codec_get_drvdata(codec);
+ 
+-	ucontrol->value.enumerated.item[0] = wm8955->deemph;
++	ucontrol->value.integer.value[0] = wm8955->deemph;
+ 	return 0;
+ }
+ 
+@@ -386,7 +386,7 @@ static int wm8955_put_deemph(struct snd_kcontrol *kcontrol,
+ {
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8955_priv *wm8955 = snd_soc_codec_get_drvdata(codec);
+-	int deemph = ucontrol->value.enumerated.item[0];
++	int deemph = ucontrol->value.integer.value[0];
+ 
+ 	if (deemph > 1)
+ 		return -EINVAL;
+diff --git a/sound/soc/codecs/wm8960.c b/sound/soc/codecs/wm8960.c
+index 3551705..b2abe93 100644
+--- a/sound/soc/codecs/wm8960.c
++++ b/sound/soc/codecs/wm8960.c
+@@ -135,7 +135,7 @@ static int wm8960_get_deemph(struct snd_kcontrol *kcontrol,
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8960_priv *wm8960 = snd_soc_codec_get_drvdata(codec);
+ 
+-	ucontrol->value.enumerated.item[0] = wm8960->deemph;
++	ucontrol->value.integer.value[0] = wm8960->deemph;
+ 	return 0;
+ }
+ 
+@@ -144,7 +144,7 @@ static int wm8960_put_deemph(struct snd_kcontrol *kcontrol,
+ {
+ 	struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ 	struct wm8960_priv *wm8960 = snd_soc_codec_get_drvdata(codec);
+-	int deemph = ucontrol->value.enumerated.item[0];
++	int deemph = ucontrol->value.integer.value[0];
+ 
+ 	if (deemph > 1)
+ 		return -EINVAL;
+diff --git a/sound/soc/omap/omap-pcm.c b/sound/soc/omap/omap-pcm.c
+index 6ede7dc..9563728 100644
+--- a/sound/soc/omap/omap-pcm.c
++++ b/sound/soc/omap/omap-pcm.c
+@@ -333,7 +333,7 @@ static struct snd_pcm_ops omap_pcm_ops = {
+ 	.mmap		= omap_pcm_mmap,
+ };
+ 
+-static u64 omap_pcm_dmamask = DMA_BIT_MASK(64);
++static u64 omap_pcm_dmamask = DMA_BIT_MASK(32);
+ 
+ static int omap_pcm_preallocate_dma_buffer(struct snd_pcm *pcm,
+ 	int stream)
+@@ -385,7 +385,7 @@ static int omap_pcm_new(struct snd_soc_pcm_runtime *rtd)
+ 	if (!card->dev->dma_mask)
+ 		card->dev->dma_mask = &omap_pcm_dmamask;
+ 	if (!card->dev->coherent_dma_mask)
+-		card->dev->coherent_dma_mask = DMA_BIT_MASK(64);
++		card->dev->coherent_dma_mask = DMA_BIT_MASK(32);
+ 
+ 	if (dai->driver->playback.channels_min) {
+ 		ret = omap_pcm_preallocate_dma_buffer(pcm,
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index fb95069..040d101 100644
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -64,6 +64,7 @@ static const struct rc_config {
+ 	{ USB_ID(0x041e, 0x3040), 2, 2, 6, 6,  2,  0x6e91 }, /* Live! 24-bit */
+ 	{ USB_ID(0x041e, 0x3042), 0, 1, 1, 1,  1,  0x000d }, /* Usb X-Fi S51 */
+ 	{ USB_ID(0x041e, 0x30df), 0, 1, 1, 1,  1,  0x000d }, /* Usb X-Fi S51 Pro */
++	{ USB_ID(0x041e, 0x3237), 0, 1, 1, 1,  1,  0x000d }, /* Usb X-Fi S51 Pro */
+ 	{ USB_ID(0x041e, 0x3048), 2, 2, 6, 6,  2,  0x6e91 }, /* Toshiba SB0500 */
+ };
+ 
+diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
+index 2aacb96..b38dde0 100644
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -1803,6 +1803,36 @@ YAMAHA_DEVICE(0x7010, "UB99"),
+ 		}
+ 	}
+ },
++{
++	USB_DEVICE(0x0582, 0x0159),
++	.driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
++		/* .vendor_name = "Roland", */
++		/* .product_name = "UA-22", */
++		.ifnum = QUIRK_ANY_INTERFACE,
++		.type = QUIRK_COMPOSITE,
++		.data = (const struct snd_usb_audio_quirk[]) {
++			{
++				.ifnum = 0,
++				.type = QUIRK_AUDIO_STANDARD_INTERFACE
++			},
++			{
++				.ifnum = 1,
++				.type = QUIRK_AUDIO_STANDARD_INTERFACE
++			},
++			{
++				.ifnum = 2,
++				.type = QUIRK_MIDI_FIXED_ENDPOINT,
++				.data = & (const struct snd_usb_midi_endpoint_info) {
++					.out_cables = 0x0001,
++					.in_cables = 0x0001
++				}
++			},
++			{
++				.ifnum = -1
++			}
++		}
++	}
++},
+ 
+ /* Guillemot devices */
+ {
diff --git a/3.2.68/4420_grsecurity-3.1-3.2.68-201505091720.patch b/3.2.69/4420_grsecurity-3.1-3.2.69-201505101117.patch
index eaddb1d..c3a359c 100644
--- a/3.2.68/4420_grsecurity-3.1-3.2.68-201505091720.patch
+++ b/3.2.69/4420_grsecurity-3.1-3.2.69-201505101117.patch
@@ -282,7 +282,7 @@ index 88fd7f5..b318a78 100644
  ==============================================================
  
 diff --git a/Makefile b/Makefile
-index 2e7cbda..ed00cfe 100644
+index 8071888..3889f72 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -11408,28 +11408,6 @@ index 3470624..9b476a3 100644
  	ret
 +ENDPROC(aesni_ctr_enc)
  #endif
-diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
-index 16acf68..3b3a62f 100644
---- a/arch/x86/crypto/aesni-intel_glue.c
-+++ b/arch/x86/crypto/aesni-intel_glue.c
-@@ -1202,7 +1202,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
- 		src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
- 		if (!src)
- 			return -ENOMEM;
--		assoc = (src + req->cryptlen + auth_tag_len);
-+		assoc = (src + req->cryptlen);
- 		scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
- 		scatterwalk_map_and_copy(assoc, req->assoc, 0,
- 			req->assoclen, 0);
-@@ -1227,7 +1227,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
- 		scatterwalk_done(&src_sg_walk, 0, 0);
- 		scatterwalk_done(&assoc_sg_walk, 0, 0);
- 	} else {
--		scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
-+		scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
- 		kfree(src);
- 	}
- 	return retval;
 diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S
 index 391d245..c73d634 100644
 --- a/arch/x86/crypto/blowfish-x86_64-asm_64.S
@@ -19838,7 +19816,7 @@ index 0fa4f89..dbbfa58 100644
  
  /*
 diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
-index 9d28dbac..30e8c80 100644
+index 8d15c69..30e8c80 100644
 --- a/arch/x86/kernel/entry_64.S
 +++ b/arch/x86/kernel/entry_64.S
 @@ -56,6 +56,8 @@
@@ -20321,7 +20299,7 @@ index 9d28dbac..30e8c80 100644
  
  /*
   * A newly forked process directly context switches into this address.
-@@ -411,17 +726,20 @@ ENTRY(ret_from_fork)
+@@ -411,7 +726,7 @@ ENTRY(ret_from_fork)
  
  	RESTORE_REST
  
@@ -20329,19 +20307,9 @@ index 9d28dbac..30e8c80 100644
 +	testb $3, CS-ARGOFFSET(%rsp)		# from kernel_thread?
  	je   int_ret_from_sys_call
  
--	testl $_TIF_IA32, TI_flags(%rcx)	# 32-bit compat task needs IRET
--	jnz  int_ret_from_sys_call
--
--	RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET
--	jmp ret_from_sys_call			# go to the SYSRET fastpath
-+	/*
-+	 * By the time we get here, we have no idea whether our pt_regs,
-+	 * ti flags, and ti status came from the 64-bit SYSCALL fast path,
-+	 * the slow path, or one of the ia32entry paths.
-+	 * Use int_ret_from_sys_call to return, since it can safely handle
-+	 * all of the above.
-+	 */
-+	jmp  int_ret_from_sys_call
+ 	/*
+@@ -424,7 +739,7 @@ ENTRY(ret_from_fork)
+ 	jmp  int_ret_from_sys_call
  
  	CFI_ENDPROC
 -END(ret_from_fork)
@@ -20349,7 +20317,7 @@ index 9d28dbac..30e8c80 100644
  
  /*
   * System call entry. Up to 6 arguments in registers are supported.
-@@ -457,7 +775,7 @@ END(ret_from_fork)
+@@ -460,7 +775,7 @@ END(ret_from_fork)
  ENTRY(system_call)
  	CFI_STARTPROC	simple
  	CFI_SIGNAL_FRAME
@@ -20358,7 +20326,7 @@ index 9d28dbac..30e8c80 100644
  	CFI_REGISTER	rip,rcx
  	/*CFI_REGISTER	rflags,r11*/
  	SWAPGS_UNSAFE_STACK
-@@ -470,12 +788,18 @@ ENTRY(system_call_after_swapgs)
+@@ -473,12 +788,18 @@ ENTRY(system_call_after_swapgs)
  
  	movq	%rsp,PER_CPU_VAR(old_rsp)
  	movq	PER_CPU_VAR(kernel_stack),%rsp
@@ -20378,7 +20346,7 @@ index 9d28dbac..30e8c80 100644
  	movq  %rax,ORIG_RAX-ARGOFFSET(%rsp)
  	movq  %rcx,RIP-ARGOFFSET(%rsp)
  	CFI_REL_OFFSET rip,RIP-ARGOFFSET
-@@ -504,6 +828,8 @@ sysret_check:
+@@ -507,6 +828,8 @@ sysret_check:
  	andl %edi,%edx
  	jnz  sysret_careful
  	CFI_REMEMBER_STATE
@@ -20387,7 +20355,7 @@ index 9d28dbac..30e8c80 100644
  	/*
  	 * sysretq will re-enable interrupts:
  	 */
-@@ -562,6 +888,9 @@ auditsys:
+@@ -565,6 +888,9 @@ auditsys:
  	movq %rax,%rsi			/* 2nd arg: syscall number */
  	movl $AUDIT_ARCH_X86_64,%edi	/* 1st arg: audit arch */
  	call audit_syscall_entry
@@ -20397,7 +20365,7 @@ index 9d28dbac..30e8c80 100644
  	LOAD_ARGS 0		/* reload call-clobbered registers */
  	jmp system_call_fastpath
  
-@@ -592,12 +921,15 @@ tracesys:
+@@ -595,12 +921,15 @@ tracesys:
  	FIXUP_TOP_OF_STACK %rdi
  	movq %rsp,%rdi
  	call syscall_trace_enter
@@ -20414,7 +20382,7 @@ index 9d28dbac..30e8c80 100644
  	RESTORE_REST
  	cmpq $__NR_syscall_max,%rax
  	ja   int_ret_from_sys_call	/* RAX(%rsp) set to -ENOSYS above */
-@@ -613,7 +945,7 @@ tracesys:
+@@ -616,7 +945,7 @@ tracesys:
  GLOBAL(int_ret_from_sys_call)
  	DISABLE_INTERRUPTS(CLBR_NONE)
  	TRACE_IRQS_OFF
@@ -20423,7 +20391,7 @@ index 9d28dbac..30e8c80 100644
  	je retint_restore_args
  	movl $_TIF_ALLWORK_MASK,%edi
  	/* edi:	mask to check */
-@@ -624,7 +956,9 @@ GLOBAL(int_with_check)
+@@ -627,7 +956,9 @@ GLOBAL(int_with_check)
  	andl %edi,%edx
  	jnz   int_careful
  	andl    $~TS_COMPAT,TI_status(%rcx)
@@ -20434,7 +20402,7 @@ index 9d28dbac..30e8c80 100644
  
  	/* Either reschedule or signal or syscall exit tracking needed. */
  	/* First do a reschedule test. */
-@@ -670,7 +1004,7 @@ int_restore_rest:
+@@ -673,7 +1004,7 @@ int_restore_rest:
  	TRACE_IRQS_OFF
  	jmp int_with_check
  	CFI_ENDPROC
@@ -20443,7 +20411,7 @@ index 9d28dbac..30e8c80 100644
  
  /*
   * Certain special system calls that need to save a complete full stack frame.
-@@ -678,15 +1012,13 @@ END(system_call)
+@@ -681,15 +1012,13 @@ END(system_call)
  	.macro PTREGSCALL label,func,arg
  ENTRY(\label)
  	PARTIAL_FRAME 1 8		/* offset 8: return address */
@@ -20460,7 +20428,7 @@ index 9d28dbac..30e8c80 100644
  	.endm
  
  	PTREGSCALL stub_clone, sys_clone, %r8
-@@ -701,12 +1033,17 @@ ENTRY(ptregscall_common)
+@@ -704,12 +1033,17 @@ ENTRY(ptregscall_common)
  	movq_cfi_restore R15+8, r15
  	movq_cfi_restore R14+8, r14
  	movq_cfi_restore R13+8, r13
@@ -20480,7 +20448,7 @@ index 9d28dbac..30e8c80 100644
  
  ENTRY(stub_execve)
  	CFI_STARTPROC
-@@ -721,7 +1058,7 @@ ENTRY(stub_execve)
+@@ -724,7 +1058,7 @@ ENTRY(stub_execve)
  	RESTORE_REST
  	jmp int_ret_from_sys_call
  	CFI_ENDPROC
@@ -20489,7 +20457,7 @@ index 9d28dbac..30e8c80 100644
  
  /*
   * sigreturn is special because it needs to restore all registers on return.
-@@ -739,7 +1076,7 @@ ENTRY(stub_rt_sigreturn)
+@@ -742,7 +1076,7 @@ ENTRY(stub_rt_sigreturn)
  	RESTORE_REST
  	jmp int_ret_from_sys_call
  	CFI_ENDPROC
@@ -20498,7 +20466,7 @@ index 9d28dbac..30e8c80 100644
  
  /*
   * Build the entry stubs and pointer table with some assembler magic.
-@@ -774,7 +1111,7 @@ vector=vector+1
+@@ -777,7 +1111,7 @@ vector=vector+1
  2:	jmp common_interrupt
  .endr
  	CFI_ENDPROC
@@ -20507,7 +20475,7 @@ index 9d28dbac..30e8c80 100644
  
  .previous
  END(interrupt)
-@@ -791,8 +1128,8 @@ END(interrupt)
+@@ -794,8 +1128,8 @@ END(interrupt)
  /* 0(%rsp): ~(interrupt number) */
  	.macro interrupt func
  	/* reserve pt_regs for scratch regs and rbp */
@@ -20518,7 +20486,7 @@ index 9d28dbac..30e8c80 100644
  	SAVE_ARGS_IRQ
  	call \func
  	.endm
-@@ -819,13 +1156,13 @@ ret_from_intr:
+@@ -822,13 +1156,13 @@ ret_from_intr:
  	/* Restore saved previous stack */
  	popq %rsi
  	CFI_DEF_CFA_REGISTER	rsi
@@ -20535,7 +20503,7 @@ index 9d28dbac..30e8c80 100644
  	je retint_kernel
  
  	/* Interrupt came from user space */
-@@ -847,12 +1184,16 @@ retint_swapgs:		/* return to user-space */
+@@ -850,12 +1184,16 @@ retint_swapgs:		/* return to user-space */
  	 * The iretq could re-enable interrupts:
  	 */
  	DISABLE_INTERRUPTS(CLBR_ANY)
@@ -20552,7 +20520,7 @@ index 9d28dbac..30e8c80 100644
  	/*
  	 * The iretq could re-enable interrupts:
  	 */
-@@ -890,15 +1231,15 @@ native_irq_return_ldt:
+@@ -893,15 +1231,15 @@ native_irq_return_ldt:
  	SWAPGS
  	movq PER_CPU_VAR(espfix_waddr),%rdi
  	movq %rax,(0*8)(%rdi)	/* RAX */
@@ -20573,7 +20541,7 @@ index 9d28dbac..30e8c80 100644
  	movq %rax,(4*8)(%rdi)
  	andl $0xffff0000,%eax
  	popq_cfi %rdi
-@@ -954,7 +1295,7 @@ ENTRY(retint_kernel)
+@@ -957,7 +1295,7 @@ ENTRY(retint_kernel)
  	jmp exit_intr
  #endif
  	CFI_ENDPROC
@@ -20582,7 +20550,7 @@ index 9d28dbac..30e8c80 100644
  
  /*
   * End of kprobes section
-@@ -971,7 +1312,7 @@ ENTRY(\sym)
+@@ -974,7 +1312,7 @@ ENTRY(\sym)
  	interrupt \do_sym
  	jmp ret_from_intr
  	CFI_ENDPROC
@@ -20591,7 +20559,7 @@ index 9d28dbac..30e8c80 100644
  .endm
  
  #ifdef CONFIG_SMP
-@@ -1041,7 +1382,7 @@ ENTRY(\sym)
+@@ -1044,7 +1382,7 @@ ENTRY(\sym)
  	call \do_sym
  	jmp error_exit		/* %ebx: no swapgs flag */
  	CFI_ENDPROC
@@ -20600,7 +20568,7 @@ index 9d28dbac..30e8c80 100644
  .endm
  
  .macro paranoidzeroentry sym do_sym
-@@ -1058,10 +1399,10 @@ ENTRY(\sym)
+@@ -1061,10 +1399,10 @@ ENTRY(\sym)
  	call \do_sym
  	jmp paranoid_exit	/* %ebx: no swapgs flag */
  	CFI_ENDPROC
@@ -20613,7 +20581,7 @@ index 9d28dbac..30e8c80 100644
  .macro paranoidzeroentry_ist sym do_sym ist
  ENTRY(\sym)
  	INTR_FRAME
-@@ -1073,12 +1414,18 @@ ENTRY(\sym)
+@@ -1076,12 +1414,18 @@ ENTRY(\sym)
  	TRACE_IRQS_OFF
  	movq %rsp,%rdi		/* pt_regs pointer */
  	xorl %esi,%esi		/* no error code */
@@ -20633,7 +20601,7 @@ index 9d28dbac..30e8c80 100644
  .endm
  
  .macro errorentry sym do_sym
-@@ -1095,7 +1442,7 @@ ENTRY(\sym)
+@@ -1098,7 +1442,7 @@ ENTRY(\sym)
  	call \do_sym
  	jmp error_exit			/* %ebx: no swapgs flag */
  	CFI_ENDPROC
@@ -20642,7 +20610,7 @@ index 9d28dbac..30e8c80 100644
  .endm
  
  	/* error code is on the stack already */
-@@ -1114,7 +1461,7 @@ ENTRY(\sym)
+@@ -1117,7 +1461,7 @@ ENTRY(\sym)
  	call \do_sym
  	jmp paranoid_exit		/* %ebx: no swapgs flag */
  	CFI_ENDPROC
@@ -20651,7 +20619,7 @@ index 9d28dbac..30e8c80 100644
  .endm
  
  zeroentry divide_error do_divide_error
-@@ -1144,9 +1491,10 @@ gs_change:
+@@ -1147,9 +1491,10 @@ gs_change:
  2:	mfence		/* workaround */
  	SWAPGS
  	popfq_cfi
@@ -20663,7 +20631,7 @@ index 9d28dbac..30e8c80 100644
  
  	.section __ex_table,"a"
  	.align 8
-@@ -1168,13 +1516,14 @@ ENTRY(kernel_thread_helper)
+@@ -1171,13 +1516,14 @@ ENTRY(kernel_thread_helper)
  	 * Here we are in the child and the registers are set as they were
  	 * at kernel_thread() invocation in the parent.
  	 */
@@ -20679,7 +20647,7 @@ index 9d28dbac..30e8c80 100644
  
  /*
   * execve(). This function needs to use IRET, not SYSRET, to set up all state properly.
-@@ -1201,11 +1550,11 @@ ENTRY(kernel_execve)
+@@ -1204,11 +1550,11 @@ ENTRY(kernel_execve)
  	RESTORE_REST
  	testq %rax,%rax
  	je int_ret_from_sys_call
@@ -20693,7 +20661,7 @@ index 9d28dbac..30e8c80 100644
  
  /* Call softirq on interrupt stack. Interrupts are off. */
  ENTRY(call_softirq)
-@@ -1223,9 +1572,10 @@ ENTRY(call_softirq)
+@@ -1226,9 +1572,10 @@ ENTRY(call_softirq)
  	CFI_DEF_CFA_REGISTER	rsp
  	CFI_ADJUST_CFA_OFFSET   -8
  	decl PER_CPU_VAR(irq_count)
@@ -20705,7 +20673,7 @@ index 9d28dbac..30e8c80 100644
  
  #ifdef CONFIG_XEN
  zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
-@@ -1263,7 +1613,7 @@ ENTRY(xen_do_hypervisor_callback)   # do_hypervisor_callback(struct *pt_regs)
+@@ -1266,7 +1613,7 @@ ENTRY(xen_do_hypervisor_callback)   # do_hypervisor_callback(struct *pt_regs)
  	decl PER_CPU_VAR(irq_count)
  	jmp  error_exit
  	CFI_ENDPROC
@@ -20714,7 +20682,7 @@ index 9d28dbac..30e8c80 100644
  
  /*
   * Hypervisor uses this for application faults while it executes.
-@@ -1322,7 +1672,7 @@ ENTRY(xen_failsafe_callback)
+@@ -1325,7 +1672,7 @@ ENTRY(xen_failsafe_callback)
  	SAVE_ALL
  	jmp error_exit
  	CFI_ENDPROC
@@ -20723,7 +20691,7 @@ index 9d28dbac..30e8c80 100644
  
  apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
  	xen_hvm_callback_vector xen_evtchn_do_upcall
-@@ -1371,16 +1721,31 @@ ENTRY(paranoid_exit)
+@@ -1374,16 +1721,31 @@ ENTRY(paranoid_exit)
  	TRACE_IRQS_OFF
  	testl %ebx,%ebx				/* swapgs needed? */
  	jnz paranoid_restore
@@ -20756,7 +20724,7 @@ index 9d28dbac..30e8c80 100644
  	jmp irq_return
  paranoid_userspace:
  	GET_THREAD_INFO(%rcx)
-@@ -1409,7 +1774,7 @@ paranoid_schedule:
+@@ -1412,7 +1774,7 @@ paranoid_schedule:
  	TRACE_IRQS_OFF
  	jmp paranoid_userspace
  	CFI_ENDPROC
@@ -20765,7 +20733,7 @@ index 9d28dbac..30e8c80 100644
  
  /*
   * Exception entry point. This expects an error code/orig_rax on the stack.
-@@ -1436,12 +1801,23 @@ ENTRY(error_entry)
+@@ -1439,12 +1801,23 @@ ENTRY(error_entry)
  	movq_cfi r14, R14+8
  	movq_cfi r15, R15+8
  	xorl %ebx,%ebx
@@ -20790,7 +20758,7 @@ index 9d28dbac..30e8c80 100644
  	ret
  
  /*
-@@ -1475,7 +1851,7 @@ error_bad_iret:
+@@ -1478,7 +1851,7 @@ error_bad_iret:
  	decl %ebx	/* Return to usergs */
  	jmp error_sti
  	CFI_ENDPROC
@@ -20799,7 +20767,7 @@ index 9d28dbac..30e8c80 100644
  
  
  /* ebx:	no swapgs flag (1: don't need swapgs, 0: need it) */
-@@ -1495,7 +1871,7 @@ ENTRY(error_exit)
+@@ -1498,7 +1871,7 @@ ENTRY(error_exit)
  	jnz retint_careful
  	jmp retint_swapgs
  	CFI_ENDPROC
@@ -20808,7 +20776,7 @@ index 9d28dbac..30e8c80 100644
  
  
  	/* runs on exception stack */
-@@ -1507,6 +1883,7 @@ ENTRY(nmi)
+@@ -1510,6 +1883,7 @@ ENTRY(nmi)
  	CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
  	call save_paranoid
  	DEFAULT_FRAME 0
@@ -20816,7 +20784,7 @@ index 9d28dbac..30e8c80 100644
  	/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
  	movq %rsp,%rdi
  	movq $-1,%rsi
-@@ -1517,12 +1894,28 @@ ENTRY(nmi)
+@@ -1520,12 +1894,28 @@ ENTRY(nmi)
  	DISABLE_INTERRUPTS(CLBR_NONE)
  	testl %ebx,%ebx				/* swapgs needed? */
  	jnz nmi_restore
@@ -20846,7 +20814,7 @@ index 9d28dbac..30e8c80 100644
  	jmp irq_return
  nmi_userspace:
  	GET_THREAD_INFO(%rcx)
-@@ -1551,14 +1944,14 @@ nmi_schedule:
+@@ -1554,14 +1944,14 @@ nmi_schedule:
  	jmp paranoid_exit
  	CFI_ENDPROC
  #endif
@@ -23514,7 +23482,7 @@ index 42eb330..139955c 100644
  
  	return ret;
 diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
-index f411aca..e436e0a 100644
+index 41b2f57..9dd7145 100644
 --- a/arch/x86/kernel/reboot.c
 +++ b/arch/x86/kernel/reboot.c
 @@ -35,7 +35,7 @@ void (*pm_power_off)(void);
@@ -23535,7 +23503,7 @@ index f411aca..e436e0a 100644
  	{	/* Handle problems with rebooting on Dell E520's */
  		.callback = set_bios_reboot,
  		.ident = "Dell E520",
-@@ -324,13 +324,17 @@ core_initcall(reboot_init);
+@@ -308,13 +308,17 @@ core_initcall(reboot_init);
  extern const unsigned char machine_real_restart_asm[];
  extern const u64 machine_real_restart_gdt[3];
  
@@ -23555,7 +23523,7 @@ index f411aca..e436e0a 100644
  	local_irq_disable();
  
  	/* Write zero to CMOS register number 0x0f, which the BIOS POST
-@@ -356,14 +360,14 @@ void machine_real_restart(unsigned int type)
+@@ -340,14 +344,14 @@ void machine_real_restart(unsigned int type)
  	   boot)".  This seems like a fairly standard thing that gets set by
  	   REBOOT.COM programs, and the previous reset routine did this
  	   too. */
@@ -23572,7 +23540,7 @@ index f411aca..e436e0a 100644
  
  	/* GDT[0]: GDT self-pointer */
  	lowmem_gdt[0] =
-@@ -374,7 +378,35 @@ void machine_real_restart(unsigned int type)
+@@ -358,7 +362,35 @@ void machine_real_restart(unsigned int type)
  		GDT_ENTRY(0x009b, restart_pa, 0xffff);
  
  	/* Jump to the identity-mapped low memory code */
@@ -23608,7 +23576,7 @@ index f411aca..e436e0a 100644
  }
  #ifdef CONFIG_APM_MODULE
  EXPORT_SYMBOL(machine_real_restart);
-@@ -564,7 +596,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
+@@ -590,7 +622,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
   * try to force a triple fault and then cycle between hitting the keyboard
   * controller and doing that
   */
@@ -23617,7 +23585,7 @@ index f411aca..e436e0a 100644
  {
  	int i;
  	int attempt = 0;
-@@ -691,13 +723,13 @@ void native_machine_shutdown(void)
+@@ -717,13 +749,13 @@ void native_machine_shutdown(void)
  #endif
  }
  
@@ -23633,7 +23601,7 @@ index f411aca..e436e0a 100644
  {
  	printk("machine restart\n");
  
-@@ -706,7 +738,7 @@ static void native_machine_restart(char *__unused)
+@@ -732,7 +764,7 @@ static void native_machine_restart(char *__unused)
  	__machine_emergency_restart(0);
  }
  
@@ -23642,7 +23610,7 @@ index f411aca..e436e0a 100644
  {
  	/* stop other cpus and apics */
  	machine_shutdown();
-@@ -717,7 +749,7 @@ static void native_machine_halt(void)
+@@ -743,7 +775,7 @@ static void native_machine_halt(void)
  	stop_this_cpu(NULL);
  }
  
@@ -23651,7 +23619,7 @@ index f411aca..e436e0a 100644
  {
  	if (pm_power_off) {
  		if (!reboot_force)
-@@ -726,9 +758,10 @@ static void native_machine_power_off(void)
+@@ -752,9 +784,10 @@ static void native_machine_power_off(void)
  	}
  	/* a fallback in case there is no PM info available */
  	tboot_shutdown(TB_SHUTDOWN_HALT);
@@ -24603,7 +24571,7 @@ index 09ff517..df19fbff 100644
  	.short 0
  	.quad	0x00cf9b000000ffff	# __KERNEL32_CS
 diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
-index 2aff347..d83c9a9 100644
+index edbd30a..d83c9a9 100644
 --- a/arch/x86/kernel/traps.c
 +++ b/arch/x86/kernel/traps.c
 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
@@ -24751,6 +24719,15 @@ index 2aff347..d83c9a9 100644
  	return new_stack;
  }
  #endif
+@@ -435,7 +472,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
+ 	 * then it's very likely the result of an icebp/int01 trap.
+ 	 * User wants a sigtrap for that.
+ 	 */
+-	if (!dr6 && user_mode_vm(regs))
++	if (!dr6 && user_mode(regs))
+ 		user_icebp = 1;
+ 
+ 	/* Catch kmemcheck conditions first of all! */
 @@ -460,7 +497,7 @@ dotraplinkage void __kprobes do_debug(struct pt_regs *regs, long error_code)
  	/* It's safe to allow irq's after DR6 has been saved */
  	preempt_conditional_sti(regs);
@@ -25262,7 +25239,7 @@ index 7110911..069da9c 100644
  		/*
  		 * Encountered an error while doing the restore from the
 diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index bdad489..43849f4 100644
+index 9af0b82..086874c 100644
 --- a/arch/x86/kvm/emulate.c
 +++ b/arch/x86/kvm/emulate.c
 @@ -249,6 +249,7 @@ struct gprefix {
@@ -30161,10 +30138,10 @@ index d87dd6d..bf3fa66 100644
  
  	pte = kmemcheck_pte_lookup(address);
 diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
-index 5c1ae28..45f4ac9 100644
+index 75f9e5d..77b1e62 100644
 --- a/arch/x86/mm/mmap.c
 +++ b/arch/x86/mm/mmap.c
-@@ -52,7 +52,7 @@ static unsigned int stack_maxrandom_size(void)
+@@ -52,7 +52,7 @@ static unsigned long stack_maxrandom_size(void)
   * Leave an at least ~128 MB hole with possible stack randomization.
   */
  #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
@@ -33547,7 +33524,7 @@ index 48fbc64..d0a31d4 100644
  	 * Award BIOS on this AOpen makes thermal control almost worthless.
  	 * http://bugzilla.kernel.org/show_bug.cgi?id=8842
 diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
-index 2ebfdd2..fa1ce82 100644
+index cb842a8..6688e24 100644
 --- a/drivers/acpi/video.c
 +++ b/drivers/acpi/video.c
 @@ -395,7 +395,7 @@ static int video_ignore_initial_backlight(const struct dmi_system_id *d)
@@ -37501,7 +37478,7 @@ index 1ee8ce7..586718d 100644
  		.ident = "Sony Vaio",
  		.matches = {
 diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
-index c234b9e..34c325d 100644
+index f7395c4..93bcc43 100644
 --- a/drivers/char/tpm/tpm.c
 +++ b/drivers/char/tpm/tpm.c
 @@ -414,7 +414,7 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
@@ -37561,10 +37538,10 @@ index 0636520..169c1d0 100644
  	acpi_os_unmap_memory(virt, len);
  	return 0;
 diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
-index c68b8ad..ef7a702 100644
+index e9d18aa..d0369bc 100644
 --- a/drivers/char/virtio_console.c
 +++ b/drivers/char/virtio_console.c
-@@ -570,7 +570,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count,
+@@ -571,7 +571,7 @@ static ssize_t fill_readbuf(struct port *port, char *out_buf, size_t out_count,
  	if (to_user) {
  		ssize_t ret;
  
@@ -37573,7 +37550,7 @@ index c68b8ad..ef7a702 100644
  		if (ret)
  			return -EFAULT;
  	} else {
-@@ -673,7 +673,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
+@@ -674,7 +674,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
  	if (!port_has_data(port) && !port->host_connected)
  		return 0;
  
@@ -39543,10 +39520,10 @@ index a9e33ce..09edd4b 100644
  
  #endif
 diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
-index 9b3f787..e9ad3ce 100644
+index 5d78973..2c1fe27 100644
 --- a/drivers/gpu/drm/radeon/evergreen.c
 +++ b/drivers/gpu/drm/radeon/evergreen.c
-@@ -3095,7 +3095,9 @@ static int evergreen_startup(struct radeon_device *rdev)
+@@ -3098,7 +3098,9 @@ static int evergreen_startup(struct radeon_device *rdev)
  	r = evergreen_blit_init(rdev);
  	if (r) {
  		r600_blit_fini(rdev);
@@ -39594,7 +39571,7 @@ index 77e6fb1..43e5aae 100644
  	}
  
 diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
-index 76c1290..865d31e 100644
+index dfd1267..e7251ec 100644
 --- a/drivers/gpu/drm/radeon/r100.c
 +++ b/drivers/gpu/drm/radeon/r100.c
 @@ -592,8 +592,10 @@ int r100_pci_gart_init(struct radeon_device *rdev)
@@ -39628,7 +39605,7 @@ index 441570b..8896094 100644
  }
  
 diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
-index ab46a99..5d73299 100644
+index e5299a0..eb205af 100644
 --- a/drivers/gpu/drm/radeon/r600.c
 +++ b/drivers/gpu/drm/radeon/r600.c
 @@ -2442,7 +2442,9 @@ int r600_startup(struct radeon_device *rdev)
@@ -41482,25 +41459,6 @@ index 176c8f9..2627b62 100644
  				wake_up_process(pool->thread);
  			}
  		}
-diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
-index a841123..055ebeb 100644
---- a/drivers/infiniband/core/umem.c
-+++ b/drivers/infiniband/core/umem.c
-@@ -94,6 +94,14 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
- 	if (dmasync)
- 		dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
- 
-+	/*
-+	 * If the combination of the addr and size requested for this memory
-+	 * region causes an integer overflow, return error.
-+	 */
-+	if ((PAGE_ALIGN(addr + size) <= size) ||
-+	    (PAGE_ALIGN(addr + size) <= addr))
-+		return ERR_PTR(-EINVAL);
-+
- 	if (!can_do_mlock())
- 		return ERR_PTR(-EPERM);
- 
 diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
 index a8445b8..e43f9b9 100644
 --- a/drivers/infiniband/core/uverbs_cmd.c
@@ -42188,7 +42146,7 @@ index 330eb6e..a4bc52b 100644
  
  	/* Blow away the connection if it exists. */
 diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h
-index b881bdc..c2e360c 100644
+index 4c2b079..76a0feb 100644
 --- a/drivers/infiniband/hw/qib/qib.h
 +++ b/drivers/infiniband/hw/qib/qib.h
 @@ -51,6 +51,7 @@
@@ -43091,7 +43049,7 @@ index e5bd3ef..c69d0b7 100644
  
  	spin_lock(&receiving_list_lock);
 diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
-index b7b649d..fcf5ef7 100644
+index b4361eb..4ad13a0 100644
 --- a/drivers/md/dm-raid1.c
 +++ b/drivers/md/dm-raid1.c
 @@ -40,7 +40,7 @@ enum dm_raid1_error {
@@ -43148,7 +43106,7 @@ index b7b649d..fcf5ef7 100644
  			m = NULL;
  
  		if (likely(m))
-@@ -937,7 +937,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti,
+@@ -946,7 +946,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti,
  	}
  
  	ms->mirror[mirror].ms = ms;
@@ -43157,7 +43115,7 @@ index b7b649d..fcf5ef7 100644
  	ms->mirror[mirror].error_type = 0;
  	ms->mirror[mirror].offset = offset;
  
-@@ -1348,7 +1348,7 @@ static void mirror_resume(struct dm_target *ti)
+@@ -1357,7 +1357,7 @@ static void mirror_resume(struct dm_target *ti)
   */
  static char device_status_char(struct mirror *m)
  {
@@ -43253,7 +43211,7 @@ index 237571a..fb6d19b 100644
  	pmd->bl_info.value_type.inc = data_block_inc;
  	pmd->bl_info.value_type.dec = data_block_dec;
 diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 7ead065..832d24d 100644
+index c00bcdc..bb5792b 100644
 --- a/drivers/md/dm.c
 +++ b/drivers/md/dm.c
 @@ -177,9 +177,9 @@ struct mapped_device {
@@ -43288,7 +43246,7 @@ index 7ead065..832d24d 100644
  	wake_up(&md->eventq);
  }
  
-@@ -2649,18 +2649,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -2648,18 +2648,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
  
  uint32_t dm_next_uevent_seq(struct mapped_device *md)
  {
@@ -45518,10 +45476,10 @@ index cf95bd8d..f61f675 100644
  	/* check to see if we are clearing active */
  	if (!strlen(ifname) || buf[0] == '\n') {
 diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
-index a25442e..d1235bc 100644
+index db9100f..612019d 100644
 --- a/drivers/net/can/dev.c
 +++ b/drivers/net/can/dev.c
-@@ -725,7 +725,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
+@@ -730,7 +730,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
  	return -EOPNOTSUPP;
  }
  
@@ -45783,7 +45741,7 @@ index dcd7f7a..ecb7fb3 100644
  	{"D-Link DFE-550FX 100Mbps Fiber-optics Adapter"},
  	{"D-Link DFE-580TX 4 port Server Adapter"},
 diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
-index 36c7c4e..7de1382 100644
+index 10c9acf..d1a0b0f 100644
 --- a/drivers/net/ethernet/emulex/benet/be_main.c
 +++ b/drivers/net/ethernet/emulex/benet/be_main.c
 @@ -397,7 +397,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val)
@@ -46153,7 +46111,7 @@ index 49b549f..13d648c 100644
  
  	mac->phydev = phydev;
 diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
-index a3bd0ba..8a34a90 100644
+index 0c26787..f847e66 100644
 --- a/drivers/net/ethernet/realtek/r8169.c
 +++ b/drivers/net/ethernet/realtek/r8169.c
 @@ -704,17 +704,17 @@ struct rtl8169_private {
@@ -46315,7 +46273,7 @@ index fed39de..8adf3152 100644
  };
  
 diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
-index 0e6e57e..060e208 100644
+index 7300447..fa23d39 100644
 --- a/drivers/net/macvtap.c
 +++ b/drivers/net/macvtap.c
 @@ -351,7 +351,7 @@ static void macvtap_setup(struct net_device *dev)
@@ -46327,7 +46285,7 @@ index 0e6e57e..060e208 100644
  	.kind		= "macvtap",
  	.setup		= macvtap_setup,
  	.newlink	= macvtap_newlink,
-@@ -927,7 +927,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
+@@ -936,7 +936,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
  			return -ENOLINK;
  
  		ret = 0;
@@ -46336,7 +46294,7 @@ index 0e6e57e..060e208 100644
  		    put_user(q->flags, &ifr->ifr_flags))
  			ret = -EFAULT;
  		dev_put(vlan->dev);
-@@ -1088,7 +1088,7 @@ static int macvtap_device_event(struct notifier_block *unused,
+@@ -1097,7 +1097,7 @@ static int macvtap_device_event(struct notifier_block *unused,
  	return NOTIFY_DONE;
  }
  
@@ -46367,19 +46325,6 @@ index 83a5a5a..9a9d0ae 100644
  	int r;
  
  	r = get_phy_id(bus, addr, &phy_id);
-diff --git a/drivers/net/ppp/ppp_deflate.c b/drivers/net/ppp/ppp_deflate.c
-index 1dbdf82..43764cc 100644
---- a/drivers/net/ppp/ppp_deflate.c
-+++ b/drivers/net/ppp/ppp_deflate.c
-@@ -268,7 +268,7 @@ static int z_compress(void *arg, unsigned char *rptr, unsigned char *obuf,
- 	/*
- 	 * See if we managed to reduce the size of the packet.
- 	 */
--	if (olen < isize) {
-+	if (olen < isize && olen <= osize) {
- 		state->stats.comp_bytes += olen;
- 		state->stats.comp_packets++;
- 	} else {
 diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
 index 4782d79..359f1b9 100644
 --- a/drivers/net/ppp/ppp_generic.c
@@ -46746,7 +46691,7 @@ index e773250..9ee61ab 100644
  
  	/* we will have to manufacture ethernet headers, prepare template */
 diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
-index 3d21742..ddf9899 100644
+index 3d21742..b8e03e7 100644
 --- a/drivers/net/usb/usbnet.c
 +++ b/drivers/net/usb/usbnet.c
 @@ -344,6 +344,12 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags)
@@ -46792,6 +46737,24 @@ index 3d21742..ddf9899 100644
  	// delay posting reads until we're fully open
  	tasklet_schedule (&dev->bh);
  	if (info->manage_power) {
+@@ -1078,7 +1100,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
+ 				     struct net_device *net)
+ {
+ 	struct usbnet		*dev = netdev_priv(net);
+-	int			length;
++	unsigned int			length;
+ 	struct urb		*urb = NULL;
+ 	struct skb_data		*entry;
+ 	struct driver_info	*info = dev->driver_info;
+@@ -1187,7 +1209,7 @@ not_drop:
+ 		usb_free_urb (urb);
+ 	} else
+ 		netif_dbg(dev, tx_queued, dev->net,
+-			  "> tx, len %d, type 0x%x\n", length, skb->protocol);
++			  "> tx, len %u, type 0x%x\n", length, skb->protocol);
+ #ifdef CONFIG_PM
+ deferred:
+ #endif
 @@ -1222,6 +1244,9 @@ static void usbnet_bh (unsigned long param)
  		}
  	}
@@ -49684,10 +49647,10 @@ index 831db24..aef1598 100644
  	/* check if the device is still usable */
  	if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
 diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
-index 0bdc4a7..89011d6 100644
+index f6a464a..797b84d 100644
 --- a/drivers/scsi/scsi_lib.c
 +++ b/drivers/scsi/scsi_lib.c
-@@ -1435,7 +1435,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
+@@ -1437,7 +1437,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
  	shost = sdev->host;
  	scsi_init_cmd_errh(cmd);
  	cmd->result = DID_NO_CONNECT << 16;
@@ -49696,7 +49659,7 @@ index 0bdc4a7..89011d6 100644
  
  	/*
  	 * SCSI request completion path will do scsi_device_unbusy(),
-@@ -1461,9 +1461,9 @@ static void scsi_softirq_done(struct request *rq)
+@@ -1463,9 +1463,9 @@ static void scsi_softirq_done(struct request *rq)
  
  	INIT_LIST_HEAD(&cmd->eh_entry);
  
@@ -49850,7 +49813,7 @@ index 5c6b5f5..475317d 100644
  	if (device_add(&sdkp->dev))
  		goto out_free_index;
 diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index 441a1c5..07cece7 100644
+index 2d25616..7502cde 100644
 --- a/drivers/scsi/sg.c
 +++ b/drivers/scsi/sg.c
 @@ -1077,7 +1077,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
@@ -50895,7 +50858,7 @@ index 72d0f3f..ba3ff3c 100644
  	if (!channels)
  		return -ENOMEM;
 diff --git a/drivers/staging/iio/industrialio-core.c b/drivers/staging/iio/industrialio-core.c
-index aec9311..ddc3103 100644
+index f0abf29..7f8ccd26 100644
 --- a/drivers/staging/iio/industrialio-core.c
 +++ b/drivers/staging/iio/industrialio-core.c
 @@ -398,7 +398,7 @@ static ssize_t iio_write_channel_info(struct device *dev,
@@ -51988,10 +51951,10 @@ index bac83d8..0b87bf6 100644
  }
  EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
 diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
-index 4735928..e80860a 100644
+index e753be2..9a8de18 100644
 --- a/drivers/tty/pty.c
 +++ b/drivers/tty/pty.c
-@@ -775,8 +775,10 @@ static void __init unix98_pty_init(void)
+@@ -778,8 +778,10 @@ static void __init unix98_pty_init(void)
  	register_sysctl_table(pty_root_table);
  
  	/* Now create the /dev/ptmx special device */
@@ -52204,20 +52167,9 @@ index 43db715..82134aa 100644
  
  		if (get_user(c, buf))
 diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
-index 613f06a..751b0f8 100644
+index fa59fbe..751b0f8 100644
 --- a/drivers/tty/tty_io.c
 +++ b/drivers/tty/tty_io.c
-@@ -943,8 +943,8 @@ EXPORT_SYMBOL(start_tty);
- /* We limit tty time update visibility to every 8 seconds or so. */
- static void tty_update_time(struct timespec *time)
- {
--	unsigned long sec = get_seconds() & ~7;
--	if ((long)(sec - time->tv_sec) > 0)
-+	unsigned long sec = get_seconds();
-+	if (abs(sec - time->tv_sec) & ~7)
- 		time->tv_sec = sec;
- }
- 
 @@ -1089,7 +1089,7 @@ static inline ssize_t do_tty_write(
  		cond_resched();
  	}
@@ -52236,31 +52188,6 @@ index 613f06a..751b0f8 100644
  }
  
  /*
-diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c
-index 937f927..1740117 100644
---- a/drivers/tty/tty_ioctl.c
-+++ b/drivers/tty/tty_ioctl.c
-@@ -154,11 +154,17 @@ void tty_wait_until_sent(struct tty_struct *tty, long timeout)
- #endif
- 	if (!timeout)
- 		timeout = MAX_SCHEDULE_TIMEOUT;
-+
- 	if (wait_event_interruptible_timeout(tty->write_wait,
--			!tty_chars_in_buffer(tty), timeout) >= 0) {
--		if (tty->ops->wait_until_sent)
--			tty->ops->wait_until_sent(tty, timeout);
-+			!tty_chars_in_buffer(tty), timeout) < 0) {
-+		return;
- 	}
-+
-+	if (timeout == MAX_SCHEDULE_TIMEOUT)
-+		timeout = 0;
-+
-+	if (tty->ops->wait_until_sent)
-+		tty->ops->wait_until_sent(tty, timeout);
- }
- EXPORT_SYMBOL(tty_wait_until_sent);
- 
 diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
 index 8e0924f..4204eb4 100644
 --- a/drivers/tty/tty_ldisc.c
@@ -52622,7 +52549,7 @@ index 3440812..2a4ef1f 100644
  		file->f_version = event_count;
  		return POLLIN | POLLRDNORM;
 diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
-index 49257b3..13133cd 100644
+index 64340f3..88c4041 100644
 --- a/drivers/usb/core/devio.c
 +++ b/drivers/usb/core/devio.c
 @@ -147,7 +147,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
@@ -52662,7 +52589,7 @@ index 49257b3..13133cd 100644
  				    dev->rawdescriptors[i] + (*ppos - pos),
  				    min(len, alloclen))) {
 diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index c0ee52a..145ce87 100644
+index eb2c3bd..5236c12 100644
 --- a/drivers/usb/core/hcd.c
 +++ b/drivers/usb/core/hcd.c
 @@ -1475,7 +1475,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
@@ -52750,7 +52677,7 @@ index 662c0cf..6880fbb 100644
  static DEVICE_ATTR(urbnum, S_IRUGO, show_urbnum, NULL);
  
 diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
-index 73cd900..40502a4 100644
+index 9044ef6..dcda063 100644
 --- a/drivers/usb/core/usb.c
 +++ b/drivers/usb/core/usb.c
 @@ -396,7 +396,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
@@ -52847,10 +52774,10 @@ index db2d607..3a25028 100644
  	/* Find out how many LUNs there should be */
  	i = mod_data.nluns;
 diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
-index 7138540..2370195 100644
+index ce7253b..754242d 100644
 --- a/drivers/usb/gadget/inode.c
 +++ b/drivers/usb/gadget/inode.c
-@@ -2121,6 +2121,7 @@ static struct file_system_type gadgetfs_type = {
+@@ -2132,6 +2132,7 @@ static struct file_system_type gadgetfs_type = {
  	.mount		= gadgetfs_mount,
  	.kill_sb	= gadgetfs_kill_sb,
  };
@@ -56866,35 +56793,6 @@ index b8f55c4..4c2b80c 100644
  		if (limit != RLIM_INFINITY && offset > limit)
  			goto out_sig;
  		if (offset > inode->i_sb->s_maxbytes)
-diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c
-index de54271..62d7a6d 100644
---- a/fs/autofs4/dev-ioctl.c
-+++ b/fs/autofs4/dev-ioctl.c
-@@ -95,7 +95,7 @@ static int check_dev_ioctl_version(int cmd, struct autofs_dev_ioctl *param)
-  */
- static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *in)
- {
--	struct autofs_dev_ioctl tmp;
-+	struct autofs_dev_ioctl tmp, *res;
- 
- 	if (copy_from_user(&tmp, in, sizeof(tmp)))
- 		return ERR_PTR(-EFAULT);
-@@ -103,7 +103,14 @@ static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *i
- 	if (tmp.size < sizeof(tmp))
- 		return ERR_PTR(-EINVAL);
- 
--	return memdup_user(in, tmp.size);
-+	if (tmp.size > (PATH_MAX + sizeof(tmp)))
-+		return ERR_PTR(-ENAMETOOLONG);
-+
-+	res = memdup_user(in, tmp.size);
-+	if (!IS_ERR(res))
-+		res->size = tmp.size;
-+
-+	return res;
- }
- 
- static inline void free_dev_ioctl(struct autofs_dev_ioctl *param)
 diff --git a/fs/autofs4/init.c b/fs/autofs4/init.c
 index c038727..4ba2927 100644
 --- a/fs/autofs4/init.c
@@ -57104,7 +57002,7 @@ index a6395bd..f1e376a 100644
  		(unsigned long) create_aout_tables((char __user *) bprm->p, bprm);
  #ifdef __alpha__
 diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 8dd615c..3ecdf113 100644
+index 2aed667..52b96fd 100644
 --- a/fs/binfmt_elf.c
 +++ b/fs/binfmt_elf.c
 @@ -32,6 +32,7 @@
@@ -57625,7 +57523,7 @@ index 8dd615c..3ecdf113 100644
   * libraries.  There is no binary dependent code anywhere else.
 @@ -544,6 +905,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
  {
- 	unsigned int random_variable = 0;
+ 	unsigned long random_variable = 0;
  
 +#ifdef CONFIG_PAX_RANDUSTACK
 +	if (current->mm->pax_flags & MF_PAX_RANDMMAP)
@@ -57634,8 +57532,8 @@ index 8dd615c..3ecdf113 100644
 +
  	if ((current->flags & PF_RANDOMIZE) &&
  		!(current->personality & ADDR_NO_RANDOMIZE)) {
- 		random_variable = get_random_int() & STACK_RND_MASK;
-@@ -562,7 +928,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ 		random_variable = (unsigned long) get_random_int();
+@@ -563,7 +929,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
   	unsigned long load_addr = 0, load_bias = 0;
  	int load_addr_set = 0;
  	char * elf_interpreter = NULL;
@@ -57644,7 +57542,7 @@ index 8dd615c..3ecdf113 100644
  	struct elf_phdr *elf_ppnt, *elf_phdata;
  	unsigned long elf_bss, elf_brk;
  	int retval, i;
-@@ -572,11 +938,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -573,11 +939,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
  	unsigned long start_code, end_code, start_data, end_data;
  	unsigned long reloc_func_desc __maybe_unused = 0;
  	int executable_stack = EXSTACK_DEFAULT;
@@ -57657,7 +57555,7 @@ index 8dd615c..3ecdf113 100644
  
  	loc = kmalloc(sizeof(*loc), GFP_KERNEL);
  	if (!loc) {
-@@ -713,11 +1079,82 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -714,11 +1080,82 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
  
  	/* OK, This is the point of no return */
  	current->flags &= ~PF_FORKNOEXEC;
@@ -57741,7 +57639,7 @@ index 8dd615c..3ecdf113 100644
  	if (elf_read_implies_exec(loc->elf_ex, executable_stack))
  		current->personality |= READ_IMPLIES_EXEC;
  
-@@ -808,6 +1245,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -809,6 +1246,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
  #else
  			load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
  #endif
@@ -57762,7 +57660,7 @@ index 8dd615c..3ecdf113 100644
  		}
  
  		error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -840,9 +1291,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -841,9 +1292,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
  		 * allowed task size. Note that p_filesz must always be
  		 * <= p_memsz so it is only necessary to check p_memsz.
  		 */
@@ -57775,7 +57673,7 @@ index 8dd615c..3ecdf113 100644
  			/* set_brk can never work. Avoid overflows. */
  			send_sig(SIGKILL, current, 0);
  			retval = -EINVAL;
-@@ -881,17 +1332,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -882,17 +1333,44 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
  		goto out_free_dentry;
  	}
  	if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -57826,7 +57724,7 @@ index 8dd615c..3ecdf113 100644
  					    load_bias);
  		if (!IS_ERR((void *)elf_entry)) {
  			/*
-@@ -1098,7 +1576,7 @@ out:
+@@ -1099,7 +1577,7 @@ out:
   * Decide what to dump of a segment, part, all or none.
   */
  static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -57835,7 +57733,7 @@ index 8dd615c..3ecdf113 100644
  {
  #define FILTER(type)	(mm_flags & (1UL << MMF_DUMP_##type))
  
-@@ -1132,7 +1610,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1133,7 +1611,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
  	if (vma->vm_file == NULL)
  		return 0;
  
@@ -57844,7 +57742,7 @@ index 8dd615c..3ecdf113 100644
  		goto whole;
  
  	/*
-@@ -1354,9 +1832,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1355,9 +1833,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
  {
  	elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
  	int i = 0;
@@ -57856,7 +57754,7 @@ index 8dd615c..3ecdf113 100644
  	fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
  }
  
-@@ -1851,14 +2329,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -1852,14 +2330,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
  }
  
  static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -57873,7 +57771,7 @@ index 8dd615c..3ecdf113 100644
  	return size;
  }
  
-@@ -1952,7 +2430,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1953,7 +2431,7 @@ static int elf_core_dump(struct coredump_params *cprm)
  
  	dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
  
@@ -57882,7 +57780,7 @@ index 8dd615c..3ecdf113 100644
  	offset += elf_core_extra_data_size();
  	e_shoff = offset;
  
-@@ -1966,10 +2444,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1967,10 +2445,12 @@ static int elf_core_dump(struct coredump_params *cprm)
  	offset = dataoff;
  
  	size += sizeof(*elf);
@@ -57895,7 +57793,7 @@ index 8dd615c..3ecdf113 100644
  	if (size > cprm->limit
  	    || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
  		goto end_coredump;
-@@ -1983,7 +2463,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1984,7 +2464,7 @@ static int elf_core_dump(struct coredump_params *cprm)
  		phdr.p_offset = offset;
  		phdr.p_vaddr = vma->vm_start;
  		phdr.p_paddr = 0;
@@ -57904,7 +57802,7 @@ index 8dd615c..3ecdf113 100644
  		phdr.p_memsz = vma->vm_end - vma->vm_start;
  		offset += phdr.p_filesz;
  		phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -1994,6 +2474,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1995,6 +2475,7 @@ static int elf_core_dump(struct coredump_params *cprm)
  		phdr.p_align = ELF_EXEC_PAGESIZE;
  
  		size += sizeof(phdr);
@@ -57912,7 +57810,7 @@ index 8dd615c..3ecdf113 100644
  		if (size > cprm->limit
  		    || !dump_write(cprm->file, &phdr, sizeof(phdr)))
  			goto end_coredump;
-@@ -2018,7 +2499,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2019,7 +2500,7 @@ static int elf_core_dump(struct coredump_params *cprm)
  		unsigned long addr;
  		unsigned long end;
  
@@ -57921,7 +57819,7 @@ index 8dd615c..3ecdf113 100644
  
  		for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
  			struct page *page;
-@@ -2027,6 +2508,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2028,6 +2509,7 @@ static int elf_core_dump(struct coredump_params *cprm)
  			page = get_dump_page(addr);
  			if (page) {
  				void *kaddr = kmap(page);
@@ -57929,7 +57827,7 @@ index 8dd615c..3ecdf113 100644
  				stop = ((size += PAGE_SIZE) > cprm->limit) ||
  					!dump_write(cprm->file, kaddr,
  						    PAGE_SIZE);
-@@ -2044,6 +2526,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2045,6 +2527,7 @@ static int elf_core_dump(struct coredump_params *cprm)
  
  	if (e_phnum == PN_XNUM) {
  		size += sizeof(*shdr4extnum);
@@ -57937,7 +57835,7 @@ index 8dd615c..3ecdf113 100644
  		if (size > cprm->limit
  		    || !dump_write(cprm->file, shdr4extnum,
  				   sizeof(*shdr4extnum)))
-@@ -2064,6 +2547,167 @@ out:
+@@ -2065,6 +2548,167 @@ out:
  
  #endif		/* CONFIG_ELF_CORE */
  
@@ -58751,10 +58649,10 @@ index 7b68088..17a275b 100644
  GLOBAL_EXTERN atomic_t smBufAllocCount;
  GLOBAL_EXTERN atomic_t midCount;
 diff --git a/fs/cifs/file.c b/fs/cifs/file.c
-index aa05d5e..4c7ee5d 100644
+index f9d2863..12e111d 100644
 --- a/fs/cifs/file.c
 +++ b/fs/cifs/file.c
-@@ -1690,10 +1690,14 @@ static int cifs_writepages(struct address_space *mapping,
+@@ -1691,10 +1691,14 @@ static int cifs_writepages(struct address_space *mapping,
  		index = mapping->writeback_index; /* Start from prev offset */
  		end = -1;
  	} else {
@@ -59192,10 +59090,10 @@ index 8bc98af..a49e6f0 100644
  	dcache_init();
  	inode_init();
 diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 6ac0893..6edd689 100644
+index a15f1e2..3077628 100644
 --- a/fs/debugfs/inode.c
 +++ b/fs/debugfs/inode.c
-@@ -145,6 +145,7 @@ static struct file_system_type debug_fs_type = {
+@@ -164,6 +164,7 @@ static struct file_system_type debug_fs_type = {
  	.mount =	debug_mount,
  	.kill_sb =	kill_litter_super,
  };
@@ -59203,7 +59101,7 @@ index 6ac0893..6edd689 100644
  
  static int debugfs_create_by_name(const char *name, mode_t mode,
  				  struct dentry *parent,
-@@ -258,11 +259,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
+@@ -277,11 +278,20 @@ EXPORT_SYMBOL_GPL(debugfs_create_file);
   * If debugfs is not enabled in the kernel, the value -%ENODEV will be
   * returned.
   */
@@ -59355,7 +59253,7 @@ index 451b9b8..12e5a03 100644
  
  out_free_fd:
 diff --git a/fs/exec.c b/fs/exec.c
-index 78199eb..ffeac65 100644
+index 7adb43f..9b2005c 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,12 +55,35 @@
@@ -59797,99 +59695,28 @@ index 78199eb..ffeac65 100644
  		bprm->unsafe |= LSM_UNSAFE_SHARE;
  	} else {
  		res = -EAGAIN;
-@@ -1282,45 +1373,60 @@ int check_unsafe_exec(struct linux_binprm *bprm)
- 	return res;
- }
- 
--/* 
-- * Fill the binprm structure from the inode. 
-- * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
-- *
-- * This may be called multiple times for binary chains (scripts for example).
-- */
--int prepare_binprm(struct linux_binprm *bprm)
-+static void bprm_fill_uid(struct linux_binprm *bprm)
- {
--	umode_t mode;
--	struct inode * inode = bprm->file->f_path.dentry->d_inode;
--	int retval;
--
--	mode = inode->i_mode;
--	if (bprm->file->f_op == NULL)
--		return -EACCES;
-+	struct inode *inode;
-+	unsigned int mode;
-+	uid_t uid;
-+	gid_t gid;
- 
- 	/* clear any previous set[ug]id data from a previous binary */
- 	bprm->cred->euid = current_euid();
- 	bprm->cred->egid = current_egid();
+@@ -1296,6 +1387,9 @@ static void bprm_fill_uid(struct linux_binprm *bprm)
+ 	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
+ 		return;
  
--	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
--		/* Set-uid? */
--		if (mode & S_ISUID) {
--			bprm->per_clear |= PER_CLEAR_ON_SETID;
--			bprm->cred->euid = inode->i_uid;
--		}
--
--		/* Set-gid? */
--		/*
--		 * If setgid is set but no group execute bit then this
--		 * is a candidate for mandatory locking, not a setgid
--		 * executable.
--		 */
--		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
--			bprm->per_clear |= PER_CLEAR_ON_SETID;
--			bprm->cred->egid = inode->i_gid;
--		}
-+	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
-+		return;
-+
 +	if (current->no_new_privs)
 +		return;
 +
-+	inode = bprm->file->f_path.dentry->d_inode;
-+	mode = ACCESS_ONCE(inode->i_mode);
-+	if (!(mode & (S_ISUID|S_ISGID)))
-+		return;
-+
-+	/* Be careful if suid/sgid is set */
-+	mutex_lock(&inode->i_mutex);
-+
-+	/* reload atomically mode/uid/gid now that lock held */
-+	mode = inode->i_mode;
-+	uid = inode->i_uid;
-+	gid = inode->i_gid;
-+	mutex_unlock(&inode->i_mutex);
-+
-+	if (mode & S_ISUID) {
-+		bprm->per_clear |= PER_CLEAR_ON_SETID;
-+		bprm->cred->euid = uid;
+ 	inode = bprm->file->f_path.dentry->d_inode;
+ 	mode = ACCESS_ONCE(inode->i_mode);
+ 	if (!(mode & (S_ISUID|S_ISGID)))
+@@ -1321,8 +1415,8 @@ static void bprm_fill_uid(struct linux_binprm *bprm)
  	}
+ }
  
-+	if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-+		bprm->per_clear |= PER_CLEAR_ON_SETID;
-+		bprm->cred->egid = gid;
-+	}
-+}
-+
+-/* 
+- * Fill the binprm structure from the inode. 
 +/*
 + * Fill the binprm structure from the inode.
-+ * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
-+ *
-+ * This may be called multiple times for binary chains (scripts for example).
-+ */
-+int prepare_binprm(struct linux_binprm *bprm)
-+{
-+	int retval;
-+
-+	bprm_fill_uid(bprm);
-+
- 	/* fill in binprm security blob */
- 	retval = security_bprm_set_creds(bprm);
- 	if (retval)
-@@ -1463,6 +1569,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
+  * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+  *
+  * This may be called multiple times for binary chains (scripts for example).
+@@ -1478,6 +1572,31 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
  
  EXPORT_SYMBOL(search_binary_handler);
  
@@ -59921,7 +59748,7 @@ index 78199eb..ffeac65 100644
  /*
   * sys_execve() executes a new program.
   */
-@@ -1471,6 +1602,11 @@ static int do_execve_common(const char *filename,
+@@ -1486,6 +1605,11 @@ static int do_execve_common(const char *filename,
  				struct user_arg_ptr envp,
  				struct pt_regs *regs)
  {
@@ -59933,7 +59760,7 @@ index 78199eb..ffeac65 100644
  	struct linux_binprm *bprm;
  	struct file *file;
  	struct files_struct *displaced;
-@@ -1478,6 +1614,8 @@ static int do_execve_common(const char *filename,
+@@ -1493,6 +1617,8 @@ static int do_execve_common(const char *filename,
  	int retval;
  	const struct cred *cred = current_cred();
  
@@ -59942,7 +59769,7 @@ index 78199eb..ffeac65 100644
  	/*
  	 * We move the actual failure in case of RLIMIT_NPROC excess from
  	 * set*uid() to execve() because too many poorly written programs
-@@ -1518,12 +1656,22 @@ static int do_execve_common(const char *filename,
+@@ -1533,12 +1659,22 @@ static int do_execve_common(const char *filename,
  	if (IS_ERR(file))
  		goto out_unmark;
  
@@ -59965,7 +59792,7 @@ index 78199eb..ffeac65 100644
  	retval = bprm_mm_init(bprm);
  	if (retval)
  		goto out_file;
-@@ -1540,24 +1688,70 @@ static int do_execve_common(const char *filename,
+@@ -1555,24 +1691,70 @@ static int do_execve_common(const char *filename,
  	if (retval < 0)
  		goto out;
  
@@ -60040,7 +59867,7 @@ index 78199eb..ffeac65 100644
  	current->fs->in_exec = 0;
  	current->in_execve = 0;
  	acct_update_integrals(current);
-@@ -1566,6 +1760,14 @@ static int do_execve_common(const char *filename,
+@@ -1581,6 +1763,14 @@ static int do_execve_common(const char *filename,
  		put_files_struct(displaced);
  	return retval;
  
@@ -60055,7 +59882,7 @@ index 78199eb..ffeac65 100644
  out:
  	if (bprm->mm) {
  		acct_arg_size(bprm, 0);
-@@ -1639,7 +1841,7 @@ static int expand_corename(struct core_name *cn)
+@@ -1654,7 +1844,7 @@ static int expand_corename(struct core_name *cn)
  {
  	char *old_corename = cn->corename;
  
@@ -60064,7 +59891,7 @@ index 78199eb..ffeac65 100644
  	cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
  
  	if (!cn->corename) {
-@@ -1736,7 +1938,7 @@ static int format_corename(struct core_name *cn, long signr)
+@@ -1751,7 +1941,7 @@ static int format_corename(struct core_name *cn, long signr)
  	int pid_in_pattern = 0;
  	int err = 0;
  
@@ -60073,7 +59900,7 @@ index 78199eb..ffeac65 100644
  	cn->corename = kmalloc(cn->size, GFP_KERNEL);
  	cn->used = 0;
  
-@@ -1833,6 +2035,309 @@ out:
+@@ -1848,6 +2038,309 @@ out:
  	return ispipe;
  }
  
@@ -60383,7 +60210,7 @@ index 78199eb..ffeac65 100644
  static int zap_process(struct task_struct *start, int exit_code)
  {
  	struct task_struct *t;
-@@ -2006,17 +2511,17 @@ static void coredump_finish(struct mm_struct *mm)
+@@ -2021,17 +2514,17 @@ static void coredump_finish(struct mm_struct *mm)
  void set_dumpable(struct mm_struct *mm, int value)
  {
  	switch (value) {
@@ -60404,7 +60231,7 @@ index 78199eb..ffeac65 100644
  		set_bit(MMF_DUMP_SECURELY, &mm->flags);
  		smp_wmb();
  		set_bit(MMF_DUMPABLE, &mm->flags);
-@@ -2029,7 +2534,7 @@ static int __get_dumpable(unsigned long mm_flags)
+@@ -2044,7 +2537,7 @@ static int __get_dumpable(unsigned long mm_flags)
  	int ret;
  
  	ret = mm_flags & MMF_DUMPABLE_MASK;
@@ -60413,7 +60240,7 @@ index 78199eb..ffeac65 100644
  }
  
  /*
-@@ -2050,17 +2555,17 @@ static void wait_for_dump_helpers(struct file *file)
+@@ -2065,17 +2558,17 @@ static void wait_for_dump_helpers(struct file *file)
  	pipe = file->f_path.dentry->d_inode->i_pipe;
  
  	pipe_lock(pipe);
@@ -60436,7 +60263,7 @@ index 78199eb..ffeac65 100644
  	pipe_unlock(pipe);
  
  }
-@@ -2121,7 +2626,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2136,7 +2629,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	int retval = 0;
  	int flag = 0;
  	int ispipe;
@@ -60446,7 +60273,7 @@ index 78199eb..ffeac65 100644
  	struct coredump_params cprm = {
  		.signr = signr,
  		.regs = regs,
-@@ -2136,6 +2642,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2151,6 +2645,9 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  
  	audit_core_dumps(signr);
  
@@ -60456,7 +60283,7 @@ index 78199eb..ffeac65 100644
  	binfmt = mm->binfmt;
  	if (!binfmt || !binfmt->core_dump)
  		goto fail;
-@@ -2146,14 +2655,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2161,14 +2658,16 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	if (!cred)
  		goto fail;
  	/*
@@ -60477,7 +60304,7 @@ index 78199eb..ffeac65 100644
  	}
  
  	retval = coredump_wait(exit_code, &core_state);
-@@ -2203,7 +2714,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2218,7 +2717,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  		}
  		cprm.limit = RLIM_INFINITY;
  
@@ -60486,7 +60313,7 @@ index 78199eb..ffeac65 100644
  		if (core_pipe_limit && (core_pipe_limit < dump_count)) {
  			printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
  			       task_tgid_vnr(current), current->comm);
-@@ -2230,9 +2741,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
+@@ -2245,9 +2744,19 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
  	} else {
  		struct inode *inode;
  
@@ -60506,7 +60333,7 @@ index 78199eb..ffeac65 100644
  		cprm.file = filp_open(cn.corename,
  				 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
  				 0600);
-@@ -2273,7 +2794,7 @@ close_fail:
+@@ -2288,7 +2797,7 @@ close_fail:
  		filp_close(cprm.file, NULL);
  fail_dropcount:
  	if (ispipe)
@@ -60515,7 +60342,7 @@ index 78199eb..ffeac65 100644
  fail_unlock:
  	kfree(cn.corename);
  fail_corename:
-@@ -2292,7 +2813,7 @@ fail:
+@@ -2307,7 +2816,7 @@ fail:
   */
  int dump_write(struct file *file, const void *addr, int nr)
  {
@@ -62694,7 +62521,7 @@ index 3426521..3b75162 100644
  	cuse_class = class_create(THIS_MODULE, "cuse");
  	if (IS_ERR(cuse_class))
 diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
-index cf0098d..a849907 100644
+index 81970d7..594b748 100644
 --- a/fs/fuse/dev.c
 +++ b/fs/fuse/dev.c
 @@ -1226,7 +1226,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
@@ -63854,10 +63681,10 @@ index cbd1a61..b43f68b 100644
  static int __init init_ncp_fs(void)
  {
 diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
-index 516f337..82a82df 100644
+index 3172b51..98740f4 100644
 --- a/fs/nfs/callback.c
 +++ b/fs/nfs/callback.c
-@@ -250,7 +250,6 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt)
+@@ -252,7 +252,6 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt)
  	struct svc_rqst *rqstp;
  	int (*callback_svc)(void *vrqstp);
  	struct nfs_callback_data *cb_info = &nfs_callback_info[minorversion];
@@ -63865,7 +63692,7 @@ index 516f337..82a82df 100644
  	int ret = 0;
  	int minorversion_setup;
  
-@@ -280,10 +279,9 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt)
+@@ -282,10 +281,9 @@ int nfs_callback_up(u32 minorversion, struct rpc_xprt *xprt)
  
  	svc_sock_update_bufs(serv);
  
@@ -63878,7 +63705,7 @@ index 516f337..82a82df 100644
  		ret = PTR_ERR(cb_info->task);
  		svc_exit_thread(cb_info->rqst);
 diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
-index 3fde055..de27202 100644
+index 6d22d35..548abd8 100644
 --- a/fs/nfs/callback_xdr.c
 +++ b/fs/nfs/callback_xdr.c
 @@ -50,7 +50,7 @@ struct callback_op {
@@ -63947,10 +63774,10 @@ index b78b5b6..c64d84f 100644
  
  void nfs_fattr_init(struct nfs_fattr *fattr)
 diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index 351989e..8b551bb 100644
+index e83786f..c6f7fd6 100644
 --- a/fs/nfs/nfs4proc.c
 +++ b/fs/nfs/nfs4proc.c
-@@ -1037,7 +1037,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
+@@ -1036,7 +1036,7 @@ static struct nfs4_state *nfs4_try_open_cached(struct nfs4_opendata *opendata)
  	struct nfs4_state *state = opendata->state;
  	struct nfs_inode *nfsi = NFS_I(state->inode);
  	struct nfs_delegation *delegation;
@@ -66283,7 +66110,7 @@ index 81a48d1..b2275ba 100644
  			"cpu%d %llu %llu %llu %llu %llu %llu %llu %llu %llu "
  			"%llu\n",
 diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
-index ef1740d..9a18b87 100644
+index d1bd6a9..872017c 100644
 --- a/fs/proc/task_mmu.c
 +++ b/fs/proc/task_mmu.c
 @@ -11,12 +11,19 @@
@@ -66468,7 +66295,7 @@ index ef1740d..9a18b87 100644
  	ret = PTR_ERR(mm);
  	if (!mm || IS_ERR(mm))
  		goto out_free;
-@@ -1024,6 +1075,13 @@ static int show_numa_map(struct seq_file *m, void *v)
+@@ -1034,6 +1085,13 @@ static int show_numa_map(struct seq_file *m, void *v)
  	int n;
  	char buffer[50];
  
@@ -66482,7 +66309,7 @@ index ef1740d..9a18b87 100644
  	if (!mm)
  		return 0;
  
-@@ -1041,11 +1099,15 @@ static int show_numa_map(struct seq_file *m, void *v)
+@@ -1051,11 +1109,15 @@ static int show_numa_map(struct seq_file *m, void *v)
  	mpol_to_str(buffer, sizeof(buffer), pol, 0);
  	mpol_cond_put(pol);
  
@@ -67496,296 +67323,6 @@ index 201bcfc..cee4d16 100644
  
  /*
   * Inode slab cache constructor.
-diff --git a/fs/udf/inode.c b/fs/udf/inode.c
-index 2a706bb..f1e984a 100644
---- a/fs/udf/inode.c
-+++ b/fs/udf/inode.c
-@@ -50,7 +50,6 @@ MODULE_LICENSE("GPL");
- 
- static mode_t udf_convert_permissions(struct fileEntry *);
- static int udf_update_inode(struct inode *, int);
--static void udf_fill_inode(struct inode *, struct buffer_head *);
- static int udf_sync_inode(struct inode *inode);
- static int udf_alloc_i_data(struct inode *inode, size_t size);
- static struct buffer_head *inode_getblk(struct inode *, sector_t, int *,
-@@ -1183,15 +1182,28 @@ update_time:
-  */
- #define UDF_MAX_ICB_NESTING 1024
- 
--static void __udf_read_inode(struct inode *inode)
-+static int udf_read_inode(struct inode *inode)
- {
- 	struct buffer_head *bh = NULL;
- 	struct fileEntry *fe;
-+	struct extendedFileEntry *efe;
- 	uint16_t ident;
- 	struct udf_inode_info *iinfo = UDF_I(inode);
-+	struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
-+	struct kernel_lb_addr *iloc = &iinfo->i_location;
-+	unsigned int link_count;
-+
- 	unsigned int indirections = 0;
-+	int ret = -EIO;
- 
- reread:
-+	if (iloc->logicalBlockNum >=
-+	    sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) {
-+		udf_debug("block=%d, partition=%d out of range\n",
-+			  iloc->logicalBlockNum, iloc->partitionReferenceNum);
-+		return -EIO;
-+	}
-+
- 	/*
- 	 * Set defaults, but the inode is still incomplete!
- 	 * Note: get_new_inode() sets the following on a new inode:
-@@ -1204,29 +1216,26 @@ reread:
- 	 *      i_nlink = 1
- 	 *      i_op = NULL;
- 	 */
--	bh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 0, &ident);
-+	bh = udf_read_ptagged(inode->i_sb, iloc, 0, &ident);
- 	if (!bh) {
- 		udf_err(inode->i_sb, "(ino %ld) failed !bh\n", inode->i_ino);
--		make_bad_inode(inode);
--		return;
-+		return -EIO;
- 	}
- 
- 	if (ident != TAG_IDENT_FE && ident != TAG_IDENT_EFE &&
- 	    ident != TAG_IDENT_USE) {
- 		udf_err(inode->i_sb, "(ino %ld) failed ident=%d\n",
- 			inode->i_ino, ident);
--		brelse(bh);
--		make_bad_inode(inode);
--		return;
-+		goto out;
- 	}
- 
- 	fe = (struct fileEntry *)bh->b_data;
-+	efe = (struct extendedFileEntry *)bh->b_data;
- 
- 	if (fe->icbTag.strategyType == cpu_to_le16(4096)) {
- 		struct buffer_head *ibh;
- 
--		ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
--					&ident);
-+		ibh = udf_read_ptagged(inode->i_sb, iloc, 1, &ident);
- 		if (ident == TAG_IDENT_IE && ibh) {
- 			struct kernel_lb_addr loc;
- 			struct indirectEntry *ie;
-@@ -1235,7 +1244,6 @@ reread:
- 			loc = lelb_to_cpu(ie->indirectICB.extLocation);
- 
- 			if (ie->indirectICB.extLength) {
--				brelse(bh);
- 				brelse(ibh);
- 				memcpy(&iinfo->i_location, &loc,
- 				       sizeof(struct kernel_lb_addr));
-@@ -1244,9 +1252,9 @@ reread:
- 						"too many ICBs in ICB hierarchy"
- 						" (max %d supported)\n",
- 						UDF_MAX_ICB_NESTING);
--					make_bad_inode(inode);
--					return;
-+					goto out;
- 				}
-+				brelse(bh);
- 				goto reread;
- 			}
- 		}
-@@ -1254,27 +1262,8 @@ reread:
- 	} else if (fe->icbTag.strategyType != cpu_to_le16(4)) {
- 		udf_err(inode->i_sb, "unsupported strategy type: %d\n",
- 			le16_to_cpu(fe->icbTag.strategyType));
--		brelse(bh);
--		make_bad_inode(inode);
--		return;
-+		goto out;
- 	}
--	udf_fill_inode(inode, bh);
--
--	brelse(bh);
--}
--
--static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
--{
--	struct fileEntry *fe;
--	struct extendedFileEntry *efe;
--	int offset;
--	struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
--	struct udf_inode_info *iinfo = UDF_I(inode);
--	unsigned int link_count;
--
--	fe = (struct fileEntry *)bh->b_data;
--	efe = (struct extendedFileEntry *)bh->b_data;
--
- 	if (fe->icbTag.strategyType == cpu_to_le16(4))
- 		iinfo->i_strat4096 = 0;
- 	else /* if (fe->icbTag.strategyType == cpu_to_le16(4096)) */
-@@ -1291,11 +1280,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
- 	if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
- 		iinfo->i_efe = 1;
- 		iinfo->i_use = 0;
--		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
--					sizeof(struct extendedFileEntry))) {
--			make_bad_inode(inode);
--			return;
--		}
-+		ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
-+					sizeof(struct extendedFileEntry));
-+		if (ret)
-+			goto out;
- 		memcpy(iinfo->i_ext.i_data,
- 		       bh->b_data + sizeof(struct extendedFileEntry),
- 		       inode->i_sb->s_blocksize -
-@@ -1303,11 +1291,10 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
- 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
- 		iinfo->i_efe = 0;
- 		iinfo->i_use = 0;
--		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
--						sizeof(struct fileEntry))) {
--			make_bad_inode(inode);
--			return;
--		}
-+		ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
-+						sizeof(struct fileEntry));
-+		if (ret)
-+			goto out;
- 		memcpy(iinfo->i_ext.i_data,
- 		       bh->b_data + sizeof(struct fileEntry),
- 		       inode->i_sb->s_blocksize - sizeof(struct fileEntry));
-@@ -1317,18 +1304,18 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
- 		iinfo->i_lenAlloc = le32_to_cpu(
- 				((struct unallocSpaceEntry *)bh->b_data)->
- 				 lengthAllocDescs);
--		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
--					sizeof(struct unallocSpaceEntry))) {
--			make_bad_inode(inode);
--			return;
--		}
-+		ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
-+					sizeof(struct unallocSpaceEntry));
-+		if (ret)
-+			goto out;
- 		memcpy(iinfo->i_ext.i_data,
- 		       bh->b_data + sizeof(struct unallocSpaceEntry),
- 		       inode->i_sb->s_blocksize -
- 					sizeof(struct unallocSpaceEntry));
--		return;
-+		return 0;
- 	}
- 
-+	ret = -EIO;
- 	read_lock(&sbi->s_cred_lock);
- 	inode->i_uid = le32_to_cpu(fe->uid);
- 	if (inode->i_uid == -1 ||
-@@ -1378,7 +1365,6 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
- 		iinfo->i_unique = le64_to_cpu(fe->uniqueID);
- 		iinfo->i_lenEAttr = le32_to_cpu(fe->lengthExtendedAttr);
- 		iinfo->i_lenAlloc = le32_to_cpu(fe->lengthAllocDescs);
--		offset = sizeof(struct fileEntry) + iinfo->i_lenEAttr;
- 	} else {
- 		inode->i_blocks = le64_to_cpu(efe->logicalBlocksRecorded) <<
- 		    (inode->i_sb->s_blocksize_bits - 9);
-@@ -1399,8 +1385,20 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
- 		iinfo->i_unique = le64_to_cpu(efe->uniqueID);
- 		iinfo->i_lenEAttr = le32_to_cpu(efe->lengthExtendedAttr);
- 		iinfo->i_lenAlloc = le32_to_cpu(efe->lengthAllocDescs);
--		offset = sizeof(struct extendedFileEntry) +
--							iinfo->i_lenEAttr;
-+	}
-+
-+	/* Sanity checks for files in ICB so that we don't get confused later */
-+	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
-+		/*
-+		 * For file in ICB data is stored in allocation descriptor
-+		 * so sizes should match
-+		 */
-+		if (iinfo->i_lenAlloc != inode->i_size)
-+			goto out;
-+		/* File in ICB has to fit in there... */
-+		if (inode->i_size > inode->i_sb->s_blocksize -
-+					udf_file_entry_alloc_offset(inode))
-+			goto out;
- 	}
- 
- 	/* Sanity checks for files in ICB so that we don't get confused later */
-@@ -1469,8 +1467,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
- 	default:
- 		udf_err(inode->i_sb, "(ino %ld) failed unknown file type=%d\n",
- 			inode->i_ino, fe->icbTag.fileType);
--		make_bad_inode(inode);
--		return;
-+		goto out;
- 	}
- 	if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) {
- 		struct deviceSpec *dsea =
-@@ -1481,8 +1478,12 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
- 				      le32_to_cpu(dsea->minorDeviceIdent)));
- 			/* Developer ID ??? */
- 		} else
--			make_bad_inode(inode);
-+			goto out;
- 	}
-+	ret = 0;
-+out:
-+	brelse(bh);
-+	return ret;
- }
- 
- static int udf_alloc_i_data(struct inode *inode, size_t size)
-@@ -1595,7 +1596,7 @@ static int udf_update_inode(struct inode *inode, int do_sync)
- 		     FE_PERM_U_DELETE | FE_PERM_U_CHATTR));
- 	fe->permissions = cpu_to_le32(udfperms);
- 
--	if (S_ISDIR(inode->i_mode))
-+	if (S_ISDIR(inode->i_mode) && inode->i_nlink > 0)
- 		fe->fileLinkCount = cpu_to_le16(inode->i_nlink - 1);
- 	else
- 		fe->fileLinkCount = cpu_to_le16(inode->i_nlink);
-@@ -1756,32 +1757,23 @@ struct inode *udf_iget(struct super_block *sb, struct kernel_lb_addr *ino)
- {
- 	unsigned long block = udf_get_lb_pblock(sb, ino, 0);
- 	struct inode *inode = iget_locked(sb, block);
-+	int err;
- 
- 	if (!inode)
--		return NULL;
-+		return ERR_PTR(-ENOMEM);
- 
--	if (inode->i_state & I_NEW) {
--		memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
--		__udf_read_inode(inode);
--		unlock_new_inode(inode);
--	}
--
--	if (is_bad_inode(inode))
--		goto out_iput;
-+	if (!(inode->i_state & I_NEW))
-+		return inode;
- 
--	if (ino->logicalBlockNum >= UDF_SB(sb)->
--			s_partmaps[ino->partitionReferenceNum].s_partition_len) {
--		udf_debug("block=%d, partition=%d out of range\n",
--			  ino->logicalBlockNum, ino->partitionReferenceNum);
--		make_bad_inode(inode);
--		goto out_iput;
-+	memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr));
-+	err = udf_read_inode(inode);
-+	if (err < 0) {
-+		iget_failed(inode);
-+		return ERR_PTR(err);
- 	}
-+	unlock_new_inode(inode);
- 
- 	return inode;
--
-- out_iput:
--	iput(inode);
--	return NULL;
- }
- 
- int udf_add_aext(struct inode *inode, struct extent_position *epos,
 diff --git a/fs/udf/misc.c b/fs/udf/misc.c
 index c175b4d..8f36a16 100644
 --- a/fs/udf/misc.c
@@ -68375,7 +67912,7 @@ index eb519de..a7569b5 100644
  		goto out_put;
  
 diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
-index bd2fb43..86fd3e8d 100644
+index 1c01f04..28fd95b 100644
 --- a/fs/xfs/xfs_iops.c
 +++ b/fs/xfs/xfs_iops.c
 @@ -447,7 +447,7 @@ xfs_vn_put_link(
@@ -80926,10 +80463,10 @@ index d42bd48..a20850d 100644
  /*
   * epoll (fs/eventpoll.c) compat bits follow ...
 diff --git a/include/linux/compiler-gcc4.h b/include/linux/compiler-gcc4.h
-index e2a360a..1d61efb 100644
+index 59a7e4c..8feb590 100644
 --- a/include/linux/compiler-gcc4.h
 +++ b/include/linux/compiler-gcc4.h
-@@ -42,6 +42,26 @@
+@@ -44,6 +44,26 @@
  #define asm_volatile_goto(x...)	do { asm goto(x); asm (""); } while (0)
  
  #if __GNUC_MINOR__ >= 5
@@ -80956,7 +80493,7 @@ index e2a360a..1d61efb 100644
  /*
   * Mark a position in code as unreachable.  This can be used to
   * suppress control flow warnings after asm blocks that transfer
-@@ -57,6 +77,11 @@
+@@ -59,6 +79,11 @@
  #define __noclone	__attribute__((__noclone__))
  
  #endif
@@ -81008,7 +80545,7 @@ index cdd1cc2..2401b2e 100644
   * (asm goto is automatically volatile - the naming reflects this.)
   */
 diff --git a/include/linux/compiler.h b/include/linux/compiler.h
-index 7c7546b..588d7d2 100644
+index 65c8b78..5d8ba14 100644
 --- a/include/linux/compiler.h
 +++ b/include/linux/compiler.h
 @@ -5,31 +5,51 @@
@@ -81138,7 +80675,7 @@ index 7c7546b..588d7d2 100644
  /* Compile time object size, -1 for unknown */
  #ifndef __compiletime_object_size
  # define __compiletime_object_size(obj) -1
-@@ -296,6 +360,18 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+@@ -296,10 +360,24 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
  #endif
  #ifndef __compiletime_error
  # define __compiletime_error(message)
@@ -81146,7 +80683,11 @@ index 7c7546b..588d7d2 100644
 +	do { ((void)sizeof(char[1 - 2*!!(condition)])); } while (0)
 +#else
 +# define __compiletime_error_fallback(condition) do { } while (0)
-+#endif
+ #endif
++
+ #ifndef __linktime_error
+ # define __linktime_error(message)
+ #endif
 +
 +#ifndef __size_overflow
 +# define __size_overflow(...)
@@ -81154,10 +80695,12 @@ index 7c7546b..588d7d2 100644
 +
 +#ifndef __intentional_overflow
 +# define __intentional_overflow(...)
- #endif
- 
++#endif
++
  /*
-@@ -310,6 +386,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
+  * Prevent the compiler from merging or refetching accesses.  The compiler
+  * is also forbidden from reordering successive instances of ACCESS_ONCE(),
+@@ -312,6 +390,7 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
   * use is to mediate communication between process-level code and irq/NMI
   * handlers, all running on the same CPU.
   */
@@ -81825,10 +81368,10 @@ index 9ec20de..8007b8a 100644
  /*
   * fscache cached network filesystem type
 diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
-index 2a53f10..e3cd3e0 100644
+index dad4f61..ce486de 100644
 --- a/include/linux/fsnotify.h
 +++ b/include/linux/fsnotify.h
-@@ -194,6 +194,9 @@ static inline void fsnotify_access(struct file *file)
+@@ -196,6 +196,9 @@ static inline void fsnotify_access(struct file *file)
  	struct inode *inode = path->dentry->d_inode;
  	__u32 mask = FS_ACCESS;
  
@@ -81838,7 +81381,7 @@ index 2a53f10..e3cd3e0 100644
  	if (S_ISDIR(inode->i_mode))
  		mask |= FS_ISDIR;
  
-@@ -212,6 +215,9 @@ static inline void fsnotify_modify(struct file *file)
+@@ -214,6 +217,9 @@ static inline void fsnotify_modify(struct file *file)
  	struct inode *inode = path->dentry->d_inode;
  	__u32 mask = FS_MODIFY;
  
@@ -81848,7 +81391,7 @@ index 2a53f10..e3cd3e0 100644
  	if (S_ISDIR(inode->i_mode))
  		mask |= FS_ISDIR;
  
-@@ -314,7 +320,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid)
+@@ -316,7 +322,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid)
   */
  static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
  {
@@ -83557,10 +83100,10 @@ index 3875719..4663bc3 100644
  /* This macro allows us to keep printk typechecking */
  static __printf(1, 2)
 diff --git a/include/linux/kernel.h b/include/linux/kernel.h
-index 0b8ca35..bf1dd28 100644
+index dcf6a8b..e1f7aa5 100644
 --- a/include/linux/kernel.h
 +++ b/include/linux/kernel.h
-@@ -697,24 +697,30 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { }
+@@ -698,24 +698,30 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { }
   * @condition: the condition which the compiler should know is false.
   *
   * If you have some code which relies on certain constants being equal, or
@@ -83602,7 +83145,7 @@ index 0b8ca35..bf1dd28 100644
 +		__compiletime_error_fallback(__cond);			\
  	} while(0)
  #endif
- #endif	/* __CHECKER__ */
+ 
 diff --git a/include/linux/key-type.h b/include/linux/key-type.h
 index 9efd081..19f989c 100644
 --- a/include/linux/key-type.h
@@ -87774,21 +87317,6 @@ index 8ba8ce2..99b7fff 100644
  		struct sk_buff *skb, int offset, struct iovec *to,
  		size_t len, struct dma_pinned_list *pinned_list);
  
-diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
-index 2dcf317..d918074 100644
---- a/include/net/netfilter/nf_conntrack_extend.h
-+++ b/include/net/netfilter/nf_conntrack_extend.h
-@@ -33,8 +33,8 @@ enum nf_ct_ext_id {
- /* Extensions: optional stuff which isn't permanently in struct. */
- struct nf_ct_ext {
- 	struct rcu_head rcu;
--	u8 offset[NF_CT_EXT_NUM];
--	u8 len;
-+	u16 offset[NF_CT_EXT_NUM];
-+	u16 len;
- 	char data[0];
- };
- 
 diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
 index 252fd10..aa1421f 100644
 --- a/include/net/netfilter/nf_queue.h
@@ -90174,7 +89702,7 @@ index 7fda904..59f620c 100644
  }
  EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
 diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
-index 63786e7..0780cac 100644
+index f56af55..657c675 100644
 --- a/kernel/debug/kdb/kdb_main.c
 +++ b/kernel/debug/kdb/kdb_main.c
 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const char **argv)
@@ -90196,7 +89724,7 @@ index 63786e7..0780cac 100644
  #ifdef CONFIG_MODULE_UNLOAD
  		{
 diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 2a4bf43..9f6ecac 100644
+index 4277095..836fd7d 100644
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
 @@ -146,8 +146,15 @@ static struct srcu_struct pmus_srcu;
@@ -90259,7 +89787,7 @@ index 2a4bf43..9f6ecac 100644
  
  	barrier();
  	++userpg->lock;
-@@ -4067,11 +4074,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
+@@ -4077,11 +4084,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
  	values[n++] = perf_event_count(event);
  	if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
  		values[n++] = enabled +
@@ -90273,7 +89801,7 @@ index 2a4bf43..9f6ecac 100644
  	}
  	if (read_format & PERF_FORMAT_ID)
  		values[n++] = primary_event_id(event);
-@@ -4722,12 +4729,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
+@@ -4732,12 +4739,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
  		 * need to add enough zero bytes after the string to handle
  		 * the 64bit alignment we do later.
  		 */
@@ -90288,7 +89816,7 @@ index 2a4bf43..9f6ecac 100644
  		if (IS_ERR(name)) {
  			name = strncpy(tmp, "//toolong", sizeof(tmp));
  			goto got_name;
-@@ -6093,7 +6100,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
+@@ -6103,7 +6110,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
  	event->parent		= parent_event;
  
  	event->ns		= get_pid_ns(current->nsproxy->pid_ns);
@@ -90297,7 +89825,7 @@ index 2a4bf43..9f6ecac 100644
  
  	event->state		= PERF_EVENT_STATE_INACTIVE;
  
-@@ -6339,6 +6346,11 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -6349,6 +6356,11 @@ SYSCALL_DEFINE5(perf_event_open,
  	if (flags & ~PERF_FLAG_ALL)
  		return -EINVAL;
  
@@ -90309,7 +89837,7 @@ index 2a4bf43..9f6ecac 100644
  	err = perf_copy_attr(attr_uptr, &attr);
  	if (err)
  		return err;
-@@ -6637,10 +6649,10 @@ static void sync_child_event(struct perf_event *child_event,
+@@ -6647,10 +6659,10 @@ static void sync_child_event(struct perf_event *child_event,
  	/*
  	 * Add back the child's count to the parent's count:
  	 */
@@ -93015,18 +92543,9 @@ index 3d4b954..11af930 100644
  
  		if (pm_wakeup_pending()) {
 diff --git a/kernel/printk.c b/kernel/printk.c
-index 8fac434..ced569b 100644
+index c073f43..ced569b 100644
 --- a/kernel/printk.c
 +++ b/kernel/printk.c
-@@ -123,7 +123,7 @@ static struct console *exclusive_console;
-  */
- struct console_cmdline
- {
--	char	name[8];			/* Name of the driver	    */
-+	char	name[16];			/* Name of the driver	    */
- 	int	index;				/* Minor dev. to use	    */
- 	char	*options;			/* Options for the driver   */
- #ifdef CONFIG_A11Y_BRAILLE_CONSOLE
 @@ -313,6 +313,11 @@ static int check_syslog_permissions(int type, bool from_file)
  	if (from_file && type != SYSLOG_ACTION_OPEN)
  		return 0;
@@ -93039,14 +92558,6 @@ index 8fac434..ced569b 100644
  	if (syslog_action_restricted(type)) {
  		if (capable(CAP_SYSLOG))
  			return 0;
-@@ -1477,6 +1482,7 @@ void register_console(struct console *newcon)
- 	 */
- 	for (i = 0; i < MAX_CMDLINECONSOLES && console_cmdline[i].name[0];
- 			i++) {
-+		BUILD_BUG_ON(sizeof(console_cmdline[i].name) != sizeof(newcon->name));
- 		if (strcmp(console_cmdline[i].name, newcon->name) != 0)
- 			continue;
- 		if (newcon->index >= 0 &&
 diff --git a/kernel/profile.c b/kernel/profile.c
 index 76b8e77..a2930e8 100644
 --- a/kernel/profile.c
@@ -93788,7 +93299,7 @@ index 3d9f31c..7fefc9e 100644
  
  	default:
 diff --git a/kernel/sched.c b/kernel/sched.c
-index ea85b0d..633af22 100644
+index fe33d0f..b5d0b8a 100644
 --- a/kernel/sched.c
 +++ b/kernel/sched.c
 @@ -3307,8 +3307,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
@@ -93830,7 +93341,7 @@ index ea85b0d..633af22 100644
  wait_for_completion_killable_timeout(struct completion *x,
  				     unsigned long timeout)
  {
-@@ -5297,6 +5299,8 @@ int can_nice(const struct task_struct *p, const int nice)
+@@ -5300,6 +5302,8 @@ int can_nice(const struct task_struct *p, const int nice)
  	/* convert nice value [19,-20] to rlimit style value [1,40] */
  	int nice_rlim = 20 - nice;
  
@@ -93839,7 +93350,7 @@ index ea85b0d..633af22 100644
  	return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
  		capable(CAP_SYS_NICE));
  }
-@@ -5330,7 +5334,8 @@ SYSCALL_DEFINE1(nice, int, increment)
+@@ -5333,7 +5337,8 @@ SYSCALL_DEFINE1(nice, int, increment)
  	if (nice > 19)
  		nice = 19;
  
@@ -93849,7 +93360,7 @@ index ea85b0d..633af22 100644
  		return -EPERM;
  
  	retval = security_task_setnice(current, nice);
-@@ -5487,6 +5492,7 @@ recheck:
+@@ -5490,6 +5495,7 @@ recheck:
  			unsigned long rlim_rtprio =
  					task_rlimit(p, RLIMIT_RTPRIO);
  
@@ -93857,7 +93368,7 @@ index ea85b0d..633af22 100644
  			/* can't set/change the rt policy */
  			if (policy != p->policy && !rlim_rtprio)
  				return -EPERM;
-@@ -6521,8 +6527,10 @@ void idle_task_exit(void)
+@@ -6524,8 +6530,10 @@ void idle_task_exit(void)
  
  	BUG_ON(cpu_online(smp_processor_id()));
  
@@ -93869,7 +93380,7 @@ index ea85b0d..633af22 100644
  	mmdrop(mm);
  }
  
-@@ -6629,7 +6637,7 @@ static void unthrottle_offline_cfs_rqs(struct rq *rq) {}
+@@ -6632,7 +6640,7 @@ static void unthrottle_offline_cfs_rqs(struct rq *rq) {}
  
  #if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL)
  
@@ -93878,7 +93389,7 @@ index ea85b0d..633af22 100644
  	{
  		.procname	= "sched_domain",
  		.mode		= 0555,
-@@ -6646,17 +6654,17 @@ static struct ctl_table sd_ctl_root[] = {
+@@ -6649,17 +6657,17 @@ static struct ctl_table sd_ctl_root[] = {
  	{}
  };
  
@@ -93900,7 +93411,7 @@ index ea85b0d..633af22 100644
  
  	/*
  	 * In the intermediate directories, both the child directory and
-@@ -6664,22 +6672,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
+@@ -6667,22 +6675,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
  	 * will always be set. In the lowest directory the names are
  	 * static strings and all have proc handlers.
  	 */
@@ -93932,7 +93443,7 @@ index ea85b0d..633af22 100644
  		const char *procname, void *data, int maxlen,
  		mode_t mode, proc_handler *proc_handler,
  		bool load_idx)
-@@ -6699,7 +6710,7 @@ set_table_entry(struct ctl_table *entry,
+@@ -6702,7 +6713,7 @@ set_table_entry(struct ctl_table *entry,
  static struct ctl_table *
  sd_alloc_ctl_domain_table(struct sched_domain *sd)
  {
@@ -93941,7 +93452,7 @@ index ea85b0d..633af22 100644
  
  	if (table == NULL)
  		return NULL;
-@@ -6734,9 +6745,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
+@@ -6737,9 +6748,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
  	return table;
  }
  
@@ -93953,7 +93464,7 @@ index ea85b0d..633af22 100644
  	struct sched_domain *sd;
  	int domain_num = 0, i;
  	char buf[32];
-@@ -6763,11 +6774,13 @@ static struct ctl_table_header *sd_sysctl_header;
+@@ -6766,11 +6777,13 @@ static struct ctl_table_header *sd_sysctl_header;
  static void register_sched_domain_sysctl(void)
  {
  	int i, cpu_num = num_possible_cpus();
@@ -93968,7 +93479,7 @@ index ea85b0d..633af22 100644
  
  	if (entry == NULL)
  		return;
-@@ -6790,8 +6803,12 @@ static void unregister_sched_domain_sysctl(void)
+@@ -6793,8 +6806,12 @@ static void unregister_sched_domain_sysctl(void)
  	if (sd_sysctl_header)
  		unregister_sysctl_table(sd_sysctl_header);
  	sd_sysctl_header = NULL;
@@ -93983,7 +93494,7 @@ index ea85b0d..633af22 100644
  }
  #else
  static void register_sched_domain_sysctl(void)
-@@ -6889,7 +6906,7 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu)
+@@ -6892,7 +6909,7 @@ migration_call(struct notifier_block *nfb, unsigned long action, void *hcpu)
   * happens before everything else.  This has to be lower priority than
   * the notifier in the perf_event subsystem, though.
   */
@@ -93993,7 +93504,7 @@ index ea85b0d..633af22 100644
  	.priority = CPU_PRI_MIGRATION,
  };
 diff --git a/kernel/sched_autogroup.c b/kernel/sched_autogroup.c
-index f280df1..da1281d 100644
+index cb0a950..47dfae9 100644
 --- a/kernel/sched_autogroup.c
 +++ b/kernel/sched_autogroup.c
 @@ -7,7 +7,7 @@
@@ -95741,10 +95252,10 @@ index 92cac05..89f0de9 100644
  	ret = -EIO;
  	bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index dcbafed..bba19b9 100644
+index 08e043b..a000091 100644
 --- a/kernel/trace/ftrace.c
 +++ b/kernel/trace/ftrace.c
-@@ -1610,12 +1610,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
+@@ -1616,12 +1616,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
  	if (unlikely(ftrace_disabled))
  		return 0;
  
@@ -95764,7 +95275,7 @@ index dcbafed..bba19b9 100644
  }
  
  /*
-@@ -2695,7 +2700,7 @@ static void ftrace_free_entry_rcu(struct rcu_head *rhp)
+@@ -2713,7 +2718,7 @@ static void ftrace_free_entry_rcu(struct rcu_head *rhp)
  
  int
  register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
@@ -95773,16 +95284,16 @@ index dcbafed..bba19b9 100644
  {
  	struct ftrace_func_probe *entry;
  	struct ftrace_page *pg;
-@@ -4045,8 +4050,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
+@@ -4062,8 +4067,6 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
+ 
  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
  
- static int ftrace_graph_active;
 -static struct notifier_block ftrace_suspend_notifier;
 -
  int ftrace_graph_entry_stub(struct ftrace_graph_ent *trace)
  {
  	return 0;
-@@ -4088,7 +4091,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
+@@ -4105,7 +4108,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
  
  		if (t->ret_stack == NULL) {
  			atomic_set(&t->tracing_graph_pause, 0);
@@ -95791,7 +95302,7 @@ index dcbafed..bba19b9 100644
  			t->curr_ret_stack = -1;
  			/* Make sure the tasks see the -1 first: */
  			smp_wmb();
-@@ -4191,6 +4194,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
+@@ -4208,6 +4211,10 @@ ftrace_suspend_notifier_call(struct notifier_block *bl, unsigned long state,
  	return NOTIFY_DONE;
  }
  
@@ -95802,7 +95313,7 @@ index dcbafed..bba19b9 100644
  /* Just a place holder for function graph */
  static struct ftrace_ops fgraph_ops __read_mostly = {
  	.func		= ftrace_stub,
-@@ -4234,7 +4241,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
+@@ -4251,7 +4258,6 @@ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
  		goto out;
  	}
  
@@ -95810,7 +95321,7 @@ index dcbafed..bba19b9 100644
  	register_pm_notifier(&ftrace_suspend_notifier);
  
  	ftrace_graph_active++;
-@@ -4288,7 +4294,7 @@ static void
+@@ -4305,7 +4311,7 @@ static void
  graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
  {
  	atomic_set(&t->tracing_graph_pause, 0);
@@ -97934,7 +97445,7 @@ index 79166c2..7ce048f 100644
  			entry = maybe_mkwrite(pte_mkdirty(entry), vma);
  			if (!pmd_write(*pmd))
 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index d2c43a2..2213df3 100644
+index 26922da..73f8544 100644
 --- a/mm/hugetlb.c
 +++ b/mm/hugetlb.c
 @@ -2009,15 +2009,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
@@ -97979,7 +97490,7 @@ index d2c43a2..2213df3 100644
  	if (ret)
  		goto out;
  
-@@ -2517,6 +2521,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2518,6 +2522,27 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
  	return 1;
  }
  
@@ -98007,7 +97518,7 @@ index d2c43a2..2213df3 100644
  /*
   * Hugetlb_cow() should be called with page lock of the original hugepage held.
   */
-@@ -2619,6 +2644,11 @@ retry_avoidcopy:
+@@ -2620,6 +2645,11 @@ retry_avoidcopy:
  				make_huge_pte(vma, new_page, 1));
  		page_remove_rmap(old_page);
  		hugepage_add_new_anon_rmap(new_page, vma, address);
@@ -98019,7 +97530,7 @@ index d2c43a2..2213df3 100644
  		/* Make the old page be freed below */
  		new_page = old_page;
  		mmu_notifier_invalidate_range_end(mm,
-@@ -2770,6 +2800,10 @@ retry:
+@@ -2771,6 +2801,10 @@ retry:
  				&& (vma->vm_flags & VM_SHARED)));
  	set_huge_pte_at(mm, address, ptep, new_pte);
  
@@ -98030,9 +97541,9 @@ index d2c43a2..2213df3 100644
  	if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
  		/* Optimization, do the COW without a second fault */
  		ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
-@@ -2799,6 +2833,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
- 	static DEFINE_MUTEX(hugetlb_instantiation_mutex);
+@@ -2801,6 +2835,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  	struct hstate *h = hstate_vma(vma);
+ 	int need_wait_lock = 0;
  
 +#ifdef CONFIG_PAX_SEGMEXEC
 +	struct vm_area_struct *vma_m;
@@ -98041,7 +97552,7 @@ index d2c43a2..2213df3 100644
  	ptep = huge_pte_offset(mm, address);
  	if (ptep) {
  		entry = huge_ptep_get(ptep);
-@@ -2810,6 +2848,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2812,6 +2850,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
  			       VM_FAULT_SET_HINDEX(h - hstates);
  	}
  
@@ -98314,7 +97825,7 @@ index 51901b1..79af2f4 100644
  	/* keep elevated page count for bad page */
  	return ret;
 diff --git a/mm/memory.c b/mm/memory.c
-index 0a7bb38..4efd48c 100644
+index 452b8ba..d322be8 100644
 --- a/mm/memory.c
 +++ b/mm/memory.c
 @@ -462,8 +462,12 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
@@ -99256,7 +98767,7 @@ index 1ffd97a..ed75674 100644
  int mminit_loglevel;
  
 diff --git a/mm/mmap.c b/mm/mmap.c
-index 13b5685..39383bb 100644
+index 94f4e34..294492d 100644
 --- a/mm/mmap.c
 +++ b/mm/mmap.c
 @@ -30,6 +30,7 @@
@@ -99341,7 +98852,7 @@ index 13b5685..39383bb 100644
  	if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
  			(mm->end_data - mm->start_data) > rlim)
  		goto out;
-@@ -694,6 +722,12 @@ static int
+@@ -692,6 +720,12 @@ static int
  can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
  	struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
  {
@@ -99354,7 +98865,7 @@ index 13b5685..39383bb 100644
  	if (is_mergeable_vma(vma, file, vm_flags) &&
  	    is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
  		if (vma->vm_pgoff == vm_pgoff)
-@@ -713,6 +747,12 @@ static int
+@@ -711,6 +745,12 @@ static int
  can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
  	struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
  {
@@ -99367,7 +98878,7 @@ index 13b5685..39383bb 100644
  	if (is_mergeable_vma(vma, file, vm_flags) &&
  	    is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
  		pgoff_t vm_pglen;
-@@ -755,13 +795,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
+@@ -753,13 +793,20 @@ can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
  struct vm_area_struct *vma_merge(struct mm_struct *mm,
  			struct vm_area_struct *prev, unsigned long addr,
  			unsigned long end, unsigned long vm_flags,
@@ -99389,7 +98900,7 @@ index 13b5685..39383bb 100644
  	/*
  	 * We later require that vma->vm_flags == vm_flags,
  	 * so this tests vma->vm_flags & VM_SPECIAL, too.
-@@ -777,6 +824,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+@@ -775,6 +822,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
  	if (next && next->vm_end == end)		/* cases 6, 7, 8 */
  		next = next->vm_next;
  
@@ -99405,7 +98916,7 @@ index 13b5685..39383bb 100644
  	/*
  	 * Can it merge with the predecessor?
  	 */
-@@ -796,9 +852,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+@@ -794,9 +850,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
  							/* cases 1, 6 */
  			err = vma_adjust(prev, prev->vm_start,
  				next->vm_end, prev->vm_pgoff, NULL);
@@ -99431,7 +98942,7 @@ index 13b5685..39383bb 100644
  		if (err)
  			return NULL;
  		khugepaged_enter_vma_merge(prev, vm_flags);
-@@ -812,12 +883,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
+@@ -810,12 +881,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
   			mpol_equal(policy, vma_policy(next)) &&
  			can_vma_merge_before(next, vm_flags,
  					anon_vma, file, pgoff+pglen)) {
@@ -99461,7 +98972,7 @@ index 13b5685..39383bb 100644
  		if (err)
  			return NULL;
  		khugepaged_enter_vma_merge(area, vm_flags);
-@@ -926,15 +1012,22 @@ none:
+@@ -924,15 +1010,22 @@ none:
  void vm_stat_account(struct mm_struct *mm, unsigned long flags,
  						struct file *file, long pages)
  {
@@ -99487,7 +98998,7 @@ index 13b5685..39383bb 100644
  	if (flags & (VM_RESERVED|VM_IO))
  		mm->reserved_vm += pages;
  }
-@@ -960,7 +1053,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -958,7 +1051,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	 * (the exception is when the underlying filesystem is noexec
  	 *  mounted, in which case we dont add PROT_EXEC.)
  	 */
@@ -99496,7 +99007,7 @@ index 13b5685..39383bb 100644
  		if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
  			prot |= PROT_EXEC;
  
-@@ -986,7 +1079,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -984,7 +1077,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	/* Obtain the address to map to. we verify (or select) it and ensure
  	 * that it represents a valid section of the address space.
  	 */
@@ -99505,7 +99016,7 @@ index 13b5685..39383bb 100644
  	if (addr & ~PAGE_MASK)
  		return addr;
  
-@@ -997,6 +1090,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -995,6 +1088,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
  			mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
  
@@ -99549,7 +99060,7 @@ index 13b5685..39383bb 100644
  	if (flags & MAP_LOCKED)
  		if (!can_do_mlock())
  			return -EPERM;
-@@ -1008,6 +1138,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1006,6 +1136,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  		locked += mm->locked_vm;
  		lock_limit = rlimit(RLIMIT_MEMLOCK);
  		lock_limit >>= PAGE_SHIFT;
@@ -99557,7 +99068,7 @@ index 13b5685..39383bb 100644
  		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
  			return -EAGAIN;
  	}
-@@ -1078,6 +1209,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+@@ -1076,6 +1207,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
  	if (error)
  		return error;
  
@@ -99567,7 +99078,7 @@ index 13b5685..39383bb 100644
  	return mmap_region(file, addr, len, flags, vm_flags, pgoff);
  }
  EXPORT_SYMBOL(do_mmap_pgoff);
-@@ -1158,7 +1292,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
+@@ -1156,7 +1290,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
  	vm_flags_t vm_flags = vma->vm_flags;
  
  	/* If it was private or non-writable, the write bit is already clear */
@@ -99576,7 +99087,7 @@ index 13b5685..39383bb 100644
  		return 0;
  
  	/* The backer wishes to know when pages are first written to? */
-@@ -1207,17 +1341,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
+@@ -1205,17 +1339,32 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
  	unsigned long charged = 0;
  	struct inode *inode =  file ? file->f_path.dentry->d_inode : NULL;
  
@@ -99611,7 +99122,7 @@ index 13b5685..39383bb 100644
  	if (!may_expand_vm(mm, len >> PAGE_SHIFT))
  		return -ENOMEM;
  
-@@ -1263,6 +1412,16 @@ munmap_back:
+@@ -1261,6 +1410,16 @@ munmap_back:
  		goto unacct_error;
  	}
  
@@ -99628,7 +99139,7 @@ index 13b5685..39383bb 100644
  	vma->vm_mm = mm;
  	vma->vm_start = addr;
  	vma->vm_end = addr + len;
-@@ -1271,8 +1430,9 @@ munmap_back:
+@@ -1269,8 +1428,9 @@ munmap_back:
  	vma->vm_pgoff = pgoff;
  	INIT_LIST_HEAD(&vma->anon_vma_chain);
  
@@ -99639,7 +99150,7 @@ index 13b5685..39383bb 100644
  		if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
  			goto free_vma;
  		if (vm_flags & VM_DENYWRITE) {
-@@ -1286,6 +1446,19 @@ munmap_back:
+@@ -1284,6 +1444,19 @@ munmap_back:
  		error = file->f_op->mmap(file, vma);
  		if (error)
  			goto unmap_and_free_vma;
@@ -99659,7 +99170,7 @@ index 13b5685..39383bb 100644
  		if (vm_flags & VM_EXECUTABLE)
  			added_exe_file_vma(mm);
  
-@@ -1298,6 +1471,8 @@ munmap_back:
+@@ -1296,6 +1469,8 @@ munmap_back:
  		pgoff = vma->vm_pgoff;
  		vm_flags = vma->vm_flags;
  	} else if (vm_flags & VM_SHARED) {
@@ -99668,7 +99179,7 @@ index 13b5685..39383bb 100644
  		error = shmem_zero_setup(vma);
  		if (error)
  			goto free_vma;
-@@ -1321,14 +1496,19 @@ munmap_back:
+@@ -1319,14 +1494,19 @@ munmap_back:
  	vma_link(mm, vma, prev, rb_link, rb_parent);
  	file = vma->vm_file;
  
@@ -99689,7 +99200,7 @@ index 13b5685..39383bb 100644
  	if (vm_flags & VM_LOCKED) {
  		if (!mlock_vma_pages_range(vma, addr, addr + len))
  			mm->locked_vm += (len >> PAGE_SHIFT);
-@@ -1346,6 +1526,12 @@ unmap_and_free_vma:
+@@ -1344,6 +1524,12 @@ unmap_and_free_vma:
  	unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
  	charged = 0;
  free_vma:
@@ -99702,7 +99213,7 @@ index 13b5685..39383bb 100644
  	kmem_cache_free(vm_area_cachep, vma);
  unacct_error:
  	if (charged)
-@@ -1353,6 +1539,73 @@ unacct_error:
+@@ -1351,6 +1537,73 @@ unacct_error:
  	return error;
  }
  
@@ -99776,7 +99287,7 @@ index 13b5685..39383bb 100644
  /* Get an address range which is currently unmapped.
   * For shmat() with addr=0.
   *
-@@ -1372,6 +1625,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1370,6 +1623,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
  	struct mm_struct *mm = current->mm;
  	struct vm_area_struct *vma;
  	unsigned long start_addr;
@@ -99784,7 +99295,7 @@ index 13b5685..39383bb 100644
  
  	if (len > TASK_SIZE - mmap_min_addr)
  		return -ENOMEM;
-@@ -1379,18 +1633,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
+@@ -1377,18 +1631,23 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
  	if (flags & MAP_FIXED)
  		return addr;
  
@@ -99815,7 +99326,7 @@ index 13b5685..39383bb 100644
  	}
  
  full_search:
-@@ -1401,34 +1660,40 @@ full_search:
+@@ -1399,34 +1658,40 @@ full_search:
  			 * Start a new search - just in case we missed
  			 * some holes.
  			 */
@@ -99867,7 +99378,7 @@ index 13b5685..39383bb 100644
  		mm->free_area_cache = addr;
  		mm->cached_hole_size = ~0UL;
  	}
-@@ -1446,7 +1711,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1444,7 +1709,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
  {
  	struct vm_area_struct *vma;
  	struct mm_struct *mm = current->mm;
@@ -99877,7 +99388,7 @@ index 13b5685..39383bb 100644
  	unsigned long low_limit = max(PAGE_SIZE, mmap_min_addr);
  
  	/* requested length too big for entire address space */
-@@ -1456,13 +1722,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1454,13 +1720,18 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
  	if (flags & MAP_FIXED)
  		return addr;
  
@@ -99900,7 +99411,7 @@ index 13b5685..39383bb 100644
  	}
  
  	/* check if free_area_cache is useful for us */
-@@ -1476,10 +1747,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1474,10 +1745,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
  
  	/* make sure it can fit in the remaining address space */
  	if (addr >= low_limit + len) {
@@ -99915,7 +99426,7 @@ index 13b5685..39383bb 100644
  	}
  
  	if (mm->mmap_base < low_limit + len)
-@@ -1494,7 +1766,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1492,7 +1764,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
  		 * return with success:
  		 */
  		vma = find_vma(mm, addr);
@@ -99924,7 +99435,7 @@ index 13b5685..39383bb 100644
  			/* remember the address as a hint for next time */
  			return (mm->free_area_cache = addr);
  
-@@ -1503,8 +1775,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+@@ -1501,8 +1773,8 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
   		        mm->cached_hole_size = vma->vm_start - addr;
  
  		/* try just below the current vma->vm_start */
@@ -99935,7 +99446,7 @@ index 13b5685..39383bb 100644
  
  bottomup:
  	/*
-@@ -1513,13 +1785,21 @@ bottomup:
+@@ -1511,13 +1783,21 @@ bottomup:
  	 * can happen with large stack limits and large mmap()
  	 * allocations.
  	 */
@@ -99959,7 +99470,7 @@ index 13b5685..39383bb 100644
  	mm->cached_hole_size = ~0UL;
  
  	return addr;
-@@ -1528,6 +1808,12 @@ bottomup:
+@@ -1526,6 +1806,12 @@ bottomup:
  
  void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
  {
@@ -99972,7 +99483,7 @@ index 13b5685..39383bb 100644
  	/*
  	 * Is this a new hole at the highest possible address?
  	 */
-@@ -1535,8 +1821,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
+@@ -1533,8 +1819,10 @@ void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
  		mm->free_area_cache = addr;
  
  	/* dont allow allocations above current base */
@@ -99984,7 +99495,7 @@ index 13b5685..39383bb 100644
  }
  
  unsigned long
-@@ -1609,40 +1897,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1607,40 +1895,50 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
  
  EXPORT_SYMBOL(find_vma);
  
@@ -100060,7 +99571,7 @@ index 13b5685..39383bb 100644
  
  /*
   * Verify that the stack growth is acceptable and
-@@ -1653,17 +1951,15 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1651,17 +1949,15 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
  {
  	struct mm_struct *mm = vma->vm_mm;
  	struct rlimit *rlim = current->signal->rlim;
@@ -100081,7 +99592,7 @@ index 13b5685..39383bb 100644
  		return -ENOMEM;
  
  	/* mlock limit tests */
-@@ -1673,6 +1969,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1671,6 +1967,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
  		locked = mm->locked_vm + grow;
  		limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
  		limit >>= PAGE_SHIFT;
@@ -100089,7 +99600,7 @@ index 13b5685..39383bb 100644
  		if (locked > limit && !capable(CAP_IPC_LOCK))
  			return -ENOMEM;
  	}
-@@ -1691,7 +1988,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1689,7 +1986,6 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
  		return -ENOMEM;
  
  	/* Ok, everything looks good - let it rip */
@@ -100097,7 +99608,7 @@ index 13b5685..39383bb 100644
  	if (vma->vm_flags & VM_LOCKED)
  		mm->locked_vm += grow;
  	vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow);
-@@ -1703,37 +1999,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
+@@ -1701,37 +1997,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
   * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
   * vma is the last one with address > vma->vm_end.  Have to extend vma.
   */
@@ -100155,7 +99666,7 @@ index 13b5685..39383bb 100644
  		unsigned long size, grow;
  
  		size = address - vma->vm_start;
-@@ -1748,6 +2055,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
+@@ -1746,6 +2053,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
  			}
  		}
  	}
@@ -100164,7 +99675,7 @@ index 13b5685..39383bb 100644
  	vma_unlock_anon_vma(vma);
  	khugepaged_enter_vma_merge(vma, vma->vm_flags);
  	return error;
-@@ -1761,6 +2070,8 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1759,6 +2068,8 @@ int expand_downwards(struct vm_area_struct *vma,
  				   unsigned long address)
  {
  	int error;
@@ -100173,7 +99684,7 @@ index 13b5685..39383bb 100644
  
  	/*
  	 * We must make sure the anon_vma is allocated
-@@ -1774,6 +2085,15 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1772,6 +2083,15 @@ int expand_downwards(struct vm_area_struct *vma,
  	if (error)
  		return error;
  
@@ -100189,7 +99700,7 @@ index 13b5685..39383bb 100644
  	vma_lock_anon_vma(vma);
  
  	/*
-@@ -1783,9 +2103,17 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1781,9 +2101,17 @@ int expand_downwards(struct vm_area_struct *vma,
  	 */
  
  	/* Somebody else might have raced and expanded it already */
@@ -100208,7 +99719,7 @@ index 13b5685..39383bb 100644
  		size = vma->vm_end - address;
  		grow = (vma->vm_start - address) >> PAGE_SHIFT;
  
-@@ -1795,18 +2123,48 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -1793,18 +2121,48 @@ int expand_downwards(struct vm_area_struct *vma,
  			if (!error) {
  				vma->vm_start = address;
  				vma->vm_pgoff -= grow;
@@ -100257,7 +99768,7 @@ index 13b5685..39383bb 100644
  	return expand_upwards(vma, address);
  }
  
-@@ -1829,6 +2187,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
+@@ -1827,6 +2185,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
  #else
  int expand_stack(struct vm_area_struct *vma, unsigned long address)
  {
@@ -100272,7 +99783,7 @@ index 13b5685..39383bb 100644
  	return expand_downwards(vma, address);
  }
  
-@@ -1869,7 +2235,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -1867,7 +2233,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
  	do {
  		long nrpages = vma_pages(vma);
  
@@ -100287,7 +99798,7 @@ index 13b5685..39383bb 100644
  		vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
  		vma = remove_vma(vma);
  	} while (vma);
-@@ -1914,6 +2286,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -1912,6 +2284,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
  	insertion_point = (prev ? &prev->vm_next : &mm->mmap);
  	vma->vm_prev = NULL;
  	do {
@@ -100304,7 +99815,7 @@ index 13b5685..39383bb 100644
  		rb_erase(&vma->vm_rb, &mm->mm_rb);
  		mm->map_count--;
  		tail_vma = vma;
-@@ -1942,14 +2324,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1940,14 +2322,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  	struct vm_area_struct *new;
  	int err = -ENOMEM;
  
@@ -100338,7 +99849,7 @@ index 13b5685..39383bb 100644
  	/* most fields are the same, copy all, and then fixup */
  	*new = *vma;
  
-@@ -1962,6 +2363,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1960,6 +2361,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  		new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
  	}
  
@@ -100361,7 +99872,7 @@ index 13b5685..39383bb 100644
  	pol = mpol_dup(vma_policy(vma));
  	if (IS_ERR(pol)) {
  		err = PTR_ERR(pol);
-@@ -1987,6 +2404,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1985,6 +2402,42 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  	else
  		err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
  
@@ -100404,7 +99915,7 @@ index 13b5685..39383bb 100644
  	/* Success. */
  	if (!err)
  		return 0;
-@@ -1999,10 +2452,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -1997,10 +2450,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  			removed_exe_file_vma(mm);
  		fput(new->vm_file);
  	}
@@ -100424,7 +99935,7 @@ index 13b5685..39383bb 100644
  	kmem_cache_free(vm_area_cachep, new);
   out_err:
  	return err;
-@@ -2015,6 +2476,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2013,6 +2474,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
  	      unsigned long addr, int new_below)
  {
@@ -100440,7 +99951,7 @@ index 13b5685..39383bb 100644
  	if (mm->map_count >= sysctl_max_map_count)
  		return -ENOMEM;
  
-@@ -2026,11 +2496,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2024,11 +2494,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
   * work.  This now handles partial unmappings.
   * Jeremy Fitzhardinge <jeremy@goop.org>
   */
@@ -100471,7 +99982,7 @@ index 13b5685..39383bb 100644
  	if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
  		return -EINVAL;
  
-@@ -2105,6 +2594,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2103,6 +2592,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
  	/* Fix up all other VM information */
  	remove_vma_list(mm, vma);
  
@@ -100480,7 +99991,7 @@ index 13b5685..39383bb 100644
  	return 0;
  }
  
-@@ -2117,22 +2608,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2115,22 +2606,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
  
  	profile_munmap(addr);
  
@@ -100509,7 +100020,7 @@ index 13b5685..39383bb 100644
  /*
   *  this is really a simplified "do_mmap".  it only handles
   *  anonymous maps.  eventually we may be able to do some
-@@ -2146,6 +2633,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2144,6 +2631,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  	struct rb_node ** rb_link, * rb_parent;
  	pgoff_t pgoff = addr >> PAGE_SHIFT;
  	int error;
@@ -100517,7 +100028,7 @@ index 13b5685..39383bb 100644
  
  	len = PAGE_ALIGN(len);
  	if (!len)
-@@ -2157,16 +2645,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2155,16 +2643,30 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  
  	flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
  
@@ -100549,7 +100060,7 @@ index 13b5685..39383bb 100644
  		locked += mm->locked_vm;
  		lock_limit = rlimit(RLIMIT_MEMLOCK);
  		lock_limit >>= PAGE_SHIFT;
-@@ -2183,22 +2685,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2181,22 +2683,22 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  	/*
  	 * Clear old maps.  this also does some error checking for us
  	 */
@@ -100576,7 +100087,7 @@ index 13b5685..39383bb 100644
  		return -ENOMEM;
  
  	/* Can we just expand an old private anonymous mapping? */
-@@ -2212,7 +2714,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2210,7 +2712,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  	 */
  	vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
  	if (!vma) {
@@ -100585,7 +100096,7 @@ index 13b5685..39383bb 100644
  		return -ENOMEM;
  	}
  
-@@ -2226,11 +2728,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2224,11 +2726,12 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
  	vma_link(mm, vma, prev, rb_link, rb_parent);
  out:
  	perf_event_mmap(vma);
@@ -100600,7 +100111,7 @@ index 13b5685..39383bb 100644
  	return addr;
  }
  
-@@ -2277,8 +2780,10 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2275,8 +2778,10 @@ void exit_mmap(struct mm_struct *mm)
  	 * Walk the list again, actually closing and freeing it,
  	 * with preemption enabled, without holding any MM locks.
  	 */
@@ -100612,7 +100123,7 @@ index 13b5685..39383bb 100644
  
  	BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
  }
-@@ -2292,6 +2797,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2290,6 +2795,13 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
  	struct vm_area_struct * __vma, * prev;
  	struct rb_node ** rb_link, * rb_parent;
  
@@ -100626,7 +100137,7 @@ index 13b5685..39383bb 100644
  	/*
  	 * The vm_pgoff of a purely anonymous vma should be irrelevant
  	 * until its first write fault, when page's anon_vma and index
-@@ -2314,7 +2826,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
+@@ -2312,7 +2824,22 @@ int insert_vm_struct(struct mm_struct * mm, struct vm_area_struct * vma)
  	if ((vma->vm_flags & VM_ACCOUNT) &&
  	     security_vm_enough_memory_mm(mm, vma_pages(vma)))
  		return -ENOMEM;
@@ -100649,7 +100160,7 @@ index 13b5685..39383bb 100644
  	return 0;
  }
  
-@@ -2332,6 +2859,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2330,6 +2857,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
  	struct rb_node **rb_link, *rb_parent;
  	struct mempolicy *pol;
  
@@ -100658,7 +100169,7 @@ index 13b5685..39383bb 100644
  	/*
  	 * If anonymous vma has not yet been faulted, update new pgoff
  	 * to match new location, to increase its chance of merging.
-@@ -2382,6 +2911,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2380,6 +2909,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
  	return NULL;
  }
  
@@ -100698,7 +100209,7 @@ index 13b5685..39383bb 100644
  /*
   * Return true if the calling process may expand its vm space by the passed
   * number of pages
-@@ -2393,6 +2955,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2391,6 +2953,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
  
  	lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
  
@@ -100706,7 +100217,7 @@ index 13b5685..39383bb 100644
  	if (cur + npages > lim)
  		return 0;
  	return 1;
-@@ -2463,6 +3026,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2461,6 +3024,22 @@ int install_special_mapping(struct mm_struct *mm,
  	vma->vm_start = addr;
  	vma->vm_end = addr + len;
  
@@ -101133,7 +100644,7 @@ index 07c08c4..8d4ad26 100644
  	return count;
  }
 diff --git a/mm/nommu.c b/mm/nommu.c
-index 1db7971..5dba7b6 100644
+index d0cb11f..e0a7fea 100644
 --- a/mm/nommu.c
 +++ b/mm/nommu.c
 @@ -62,7 +62,6 @@ int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
@@ -101200,7 +100711,7 @@ index 1db7971..5dba7b6 100644
  	struct mm_struct *mm;
  
 diff --git a/mm/page-writeback.c b/mm/page-writeback.c
-index aad22aa..ad60f09 100644
+index 1bf1f74..5e27559 100644
 --- a/mm/page-writeback.c
 +++ b/mm/page-writeback.c
 @@ -522,7 +522,7 @@ unsigned long bdi_dirty_limit(struct backing_dev_info *bdi, unsigned long dirty)
@@ -101212,7 +100723,7 @@ index aad22aa..ad60f09 100644
  					unsigned long thresh,
  					unsigned long bg_thresh,
  					unsigned long dirty,
-@@ -1370,7 +1370,7 @@ ratelimit_handler(struct notifier_block *self, unsigned long u, void *v)
+@@ -1373,7 +1373,7 @@ ratelimit_handler(struct notifier_block *self, unsigned long u, void *v)
  	return NOTIFY_DONE;
  }
  
@@ -101418,7 +100929,7 @@ index cbcbb02..dfdc1de 100644
  				   pgoff_t offset, unsigned long max)
  {
 diff --git a/mm/rmap.c b/mm/rmap.c
-index 2c4ee3e..8eebe1d 100644
+index 98f0bf7f..b7d8cdc 100644
 --- a/mm/rmap.c
 +++ b/mm/rmap.c
 @@ -156,6 +156,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
@@ -101501,7 +101012,7 @@ index 2c4ee3e..8eebe1d 100644
  {
  	struct anon_vma_chain *avc, *pavc;
  	struct anon_vma *root = NULL;
-@@ -304,7 +341,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
+@@ -311,7 +348,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
   * the corresponding VMA in the parent process is attached to.
   * Returns 0 on success, non-zero on failure.
   */
@@ -101510,7 +101021,7 @@ index 2c4ee3e..8eebe1d 100644
  {
  	struct anon_vma_chain *avc;
  	struct anon_vma *anon_vma;
-@@ -422,8 +459,10 @@ static void anon_vma_ctor(void *data)
+@@ -429,8 +466,10 @@ static void anon_vma_ctor(void *data)
  void __init anon_vma_init(void)
  {
  	anon_vma_cachep = kmem_cache_create("anon_vma", sizeof(struct anon_vma),
@@ -103882,7 +103393,7 @@ index 45f93f8..550f429 100644
  			break;
  		}
 diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
-index 7fac75f..5d8351b 100644
+index 7eed9eb..fd7291e 100644
 --- a/net/caif/caif_socket.c
 +++ b/net/caif/caif_socket.c
 @@ -48,19 +48,20 @@ static struct dentry *debugfsdir;
@@ -104141,10 +103652,10 @@ index b525aec..9659b25 100644
  	.priv_size	= sizeof(struct chnl_net),
  	.setup		= ipcaif_net_setup,
 diff --git a/net/can/af_can.c b/net/can/af_can.c
-index 0ce2ad0..cb92a90 100644
+index 7d9dff222..a1e901b 100644
 --- a/net/can/af_can.c
 +++ b/net/can/af_can.c
-@@ -818,7 +818,7 @@ static const struct net_proto_family can_family_ops = {
+@@ -821,7 +821,7 @@ static const struct net_proto_family can_family_ops = {
  };
  
  /* notifier block for netdevice event */
@@ -104211,11 +103722,11 @@ index ba873c3..3b00036 100644
  	if (!can_dir) {
  		printk(KERN_INFO "can: failed to create /proc/net/can . "
 diff --git a/net/compat.c b/net/compat.c
-index 759e542..7cf6606 100644
+index f06994d..b7fd27f 100644
 --- a/net/compat.c
 +++ b/net/compat.c
-@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
- 		return -EFAULT;
+@@ -80,9 +80,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
+ 
  	if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
  		kmsg->msg_namelen = sizeof(struct sockaddr_storage);
 -	kmsg->msg_name = compat_ptr(tmp1);
@@ -104227,7 +103738,7 @@ index 759e542..7cf6606 100644
  	return 0;
  }
  
-@@ -87,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -94,7 +94,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
  
  	if (kern_msg->msg_name && kern_msg->msg_namelen) {
  		if (mode == VERIFY_READ) {
@@ -104236,7 +103747,7 @@ index 759e542..7cf6606 100644
  						      kern_msg->msg_namelen,
  						      kern_address);
  			if (err < 0)
-@@ -100,7 +100,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -107,7 +107,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
  	}
  
  	tot_len = iov_from_user_compat_to_kern(kern_iov,
@@ -104245,7 +103756,7 @@ index 759e542..7cf6606 100644
  					  kern_msg->msg_iovlen);
  	if (tot_len >= 0)
  		kern_msg->msg_iov = kern_iov;
-@@ -120,20 +120,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+@@ -127,20 +127,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
  
  #define CMSG_COMPAT_FIRSTHDR(msg)			\
  	(((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ?	\
@@ -104269,7 +103780,7 @@ index 759e542..7cf6606 100644
  			msg->msg_controllen)
  		return NULL;
  	return (struct compat_cmsghdr __user *)ptr;
-@@ -225,7 +225,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
+@@ -232,7 +232,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
  {
  	struct compat_timeval ctv;
  	struct compat_timespec cts[3];
@@ -104278,7 +103789,7 @@ index 759e542..7cf6606 100644
  	struct compat_cmsghdr cmhdr;
  	int cmlen;
  
-@@ -277,7 +277,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
+@@ -284,7 +284,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
  
  void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
  {
@@ -104287,7 +103798,7 @@ index 759e542..7cf6606 100644
  	int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
  	int fdnum = scm->fp->count;
  	struct file **fp = scm->fp->fp;
-@@ -330,14 +330,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
+@@ -337,14 +337,6 @@ void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
  	__scm_destroy(scm);
  }
  
@@ -104302,7 +103813,7 @@ index 759e542..7cf6606 100644
  static int do_set_attach_filter(struct socket *sock, int level, int optname,
  				char __user *optval, unsigned int optlen)
  {
-@@ -374,7 +366,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
+@@ -381,7 +373,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
  		return -EFAULT;
  	old_fs = get_fs();
  	set_fs(KERNEL_DS);
@@ -104311,7 +103822,7 @@ index 759e542..7cf6606 100644
  	set_fs(old_fs);
  
  	return err;
-@@ -435,7 +427,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
+@@ -442,7 +434,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
  	len = sizeof(ktime);
  	old_fs = get_fs();
  	set_fs(KERNEL_DS);
@@ -104320,7 +103831,7 @@ index 759e542..7cf6606 100644
  	set_fs(old_fs);
  
  	if (!err) {
-@@ -570,7 +562,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -577,7 +569,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
  	case MCAST_JOIN_GROUP:
  	case MCAST_LEAVE_GROUP:
  	{
@@ -104329,7 +103840,7 @@ index 759e542..7cf6606 100644
  		struct group_req __user *kgr =
  			compat_alloc_user_space(sizeof(struct group_req));
  		u32 interface;
-@@ -591,7 +583,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -598,7 +590,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
  	case MCAST_BLOCK_SOURCE:
  	case MCAST_UNBLOCK_SOURCE:
  	{
@@ -104338,7 +103849,7 @@ index 759e542..7cf6606 100644
  		struct group_source_req __user *kgsr = compat_alloc_user_space(
  			sizeof(struct group_source_req));
  		u32 interface;
-@@ -612,7 +604,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
+@@ -619,7 +611,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
  	}
  	case MCAST_MSFILTER:
  	{
@@ -104347,7 +103858,7 @@ index 759e542..7cf6606 100644
  		struct group_filter __user *kgf;
  		u32 interface, fmode, numsrc;
  
-@@ -650,7 +642,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
+@@ -657,7 +649,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
  	char __user *optval, int __user *optlen,
  	int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
  {
@@ -104356,7 +103867,7 @@ index 759e542..7cf6606 100644
  	struct group_filter __user *kgf;
  	int __user	*koptlen;
  	u32 interface, fmode, numsrc;
-@@ -803,7 +795,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -801,7 +793,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
  
  	if (call < SYS_SOCKET || call > SYS_SENDMMSG)
  		return -EINVAL;
@@ -104379,7 +103890,7 @@ index 68bbf9f..5ef0d12 100644
  
  	return err;
 diff --git a/net/core/dev.c b/net/core/dev.c
-index fcb5133..5d5223c 100644
+index 1c0d862..6117f53 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -1142,10 +1142,14 @@ void dev_load(struct net *net, const char *name)
@@ -104525,7 +104036,7 @@ index fcb5133..5d5223c 100644
  	return storage;
  }
  EXPORT_SYMBOL(dev_get_stats);
-@@ -6518,7 +6533,7 @@ static void __net_exit netdev_exit(struct net *net)
+@@ -6528,7 +6543,7 @@ static void __net_exit netdev_exit(struct net *net)
  	kfree(net->dev_index_head);
  }
  
@@ -104534,7 +104045,7 @@ index fcb5133..5d5223c 100644
  	.init = netdev_init,
  	.exit = netdev_exit,
  };
-@@ -6580,7 +6595,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
+@@ -6590,7 +6605,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
  	rtnl_unlock();
  }
  
@@ -104852,7 +104363,7 @@ index 80aeac9..b08d0a8 100644
  		return -ENODEV;
  
 diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index 0900a17..f3fb6aa 100644
+index 5b412f0..e251eea 100644
 --- a/net/core/rtnetlink.c
 +++ b/net/core/rtnetlink.c
 @@ -57,7 +57,7 @@ struct rtnl_link {
@@ -105112,19 +104623,10 @@ index e093528..3966d08 100644
  	.exit = proto_exit_net,
  };
 diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
-index f0bdd36..5345e58 100644
+index f9496c4..5345e58 100644
 --- a/net/core/sysctl_net_core.c
 +++ b/net/core/sysctl_net_core.c
-@@ -21,6 +21,8 @@
- 
- static int zero = 0;
- static int ushort_max = USHRT_MAX;
-+static int min_sndbuf = SOCK_MIN_SNDBUF;
-+static int min_rcvbuf = SOCK_MIN_RCVBUF;
- 
- #ifdef CONFIG_RPS
- static int rps_sock_flow_sysctl(ctl_table *table, int write,
-@@ -28,7 +30,7 @@ static int rps_sock_flow_sysctl(ctl_table *table, int write,
+@@ -30,7 +30,7 @@ static int rps_sock_flow_sysctl(ctl_table *table, int write,
  {
  	unsigned int orig_size, size;
  	int ret, i;
@@ -105133,44 +104635,7 @@ index f0bdd36..5345e58 100644
  		.data = &size,
  		.maxlen = sizeof(size),
  		.mode = table->mode
-@@ -89,28 +91,32 @@ static struct ctl_table net_core_table[] = {
- 		.data		= &sysctl_wmem_max,
- 		.maxlen		= sizeof(int),
- 		.mode		= 0644,
--		.proc_handler	= proc_dointvec
-+		.proc_handler	= proc_dointvec_minmax,
-+		.extra1		= &min_sndbuf,
- 	},
- 	{
- 		.procname	= "rmem_max",
- 		.data		= &sysctl_rmem_max,
- 		.maxlen		= sizeof(int),
- 		.mode		= 0644,
--		.proc_handler	= proc_dointvec
-+		.proc_handler	= proc_dointvec_minmax,
-+		.extra1		= &min_rcvbuf,
- 	},
- 	{
- 		.procname	= "wmem_default",
- 		.data		= &sysctl_wmem_default,
- 		.maxlen		= sizeof(int),
- 		.mode		= 0644,
--		.proc_handler	= proc_dointvec
-+		.proc_handler	= proc_dointvec_minmax,
-+		.extra1		= &min_sndbuf,
- 	},
- 	{
- 		.procname	= "rmem_default",
- 		.data		= &sysctl_rmem_default,
- 		.maxlen		= sizeof(int),
- 		.mode		= 0644,
--		.proc_handler	= proc_dointvec
-+		.proc_handler	= proc_dointvec_minmax,
-+		.extra1		= &min_rcvbuf,
- 	},
- 	{
- 		.procname	= "dev_weight",
-@@ -210,29 +216,27 @@ __net_initdata struct ctl_path net_core_path[] = {
+@@ -216,29 +216,27 @@ __net_initdata struct ctl_path net_core_path[] = {
  
  static __net_init int sysctl_core_net_init(struct net *net)
  {
@@ -105206,7 +104671,7 @@ index f0bdd36..5345e58 100644
  err_dup:
  	return -ENOMEM;
  }
-@@ -247,7 +251,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net)
+@@ -253,7 +251,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net)
  	kfree(tbl);
  }
  
@@ -105703,7 +105168,7 @@ index 9d74cc7..5a73694 100644
  		p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
  		p->rate_tokens = 0;
 diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
-index 8f441b2..a56d38e 100644
+index 16e25a4..cbb0cd5 100644
 --- a/net/ipv4/ip_fragment.c
 +++ b/net/ipv4/ip_fragment.c
 @@ -315,7 +315,7 @@ static inline int ip_frag_too_far(struct ipq *qp)
@@ -105715,7 +105180,7 @@ index 8f441b2..a56d38e 100644
  	qp->rid = end;
  
  	rc = qp->q.fragments && (end - start) > max;
-@@ -773,21 +773,21 @@ static struct ctl_table ip4_frags_ctl_table[] = {
+@@ -776,21 +776,21 @@ static struct ctl_table ip4_frags_ctl_table[] = {
  
  static int __net_init ip4_frags_ns_ctl_register(struct net *net)
  {
@@ -105742,7 +105207,7 @@ index 8f441b2..a56d38e 100644
  	if (hdr == NULL)
  		goto err_reg;
  
-@@ -795,8 +795,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
+@@ -798,8 +798,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
  	return 0;
  
  err_reg:
@@ -105809,29 +105274,10 @@ index 073a9b0..8c29a4f 100644
  						  ICMP_PROT_UNREACH, 0);
  				}
 diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 542a9c1..9f73775 100644
+index 043d882..d938245 100644
 --- a/net/ipv4/ip_sockglue.c
 +++ b/net/ipv4/ip_sockglue.c
-@@ -416,15 +416,12 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
- 
- 	memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
- 	sin = &errhdr.offender;
--	sin->sin_family = AF_UNSPEC;
-+	memset(sin, 0, sizeof(*sin));
-+
- 	if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP) {
--		struct inet_sock *inet = inet_sk(sk);
--
- 		sin->sin_family = AF_INET;
- 		sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
--		sin->sin_port = 0;
--		memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
--		if (inet->cmsg_flags)
-+		if (inet_sk(sk)->cmsg_flags)
- 			ip_cmsg_recv(msg, skb);
- 	}
- 
-@@ -1121,7 +1118,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1117,7 +1117,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
  		len = min_t(unsigned int, len, opt->optlen);
  		if (put_user(len, optlen))
  			return -EFAULT;
@@ -105841,7 +105287,7 @@ index 542a9c1..9f73775 100644
  			return -EFAULT;
  		return 0;
  	}
-@@ -1249,7 +1247,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
+@@ -1245,7 +1246,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
  		if (sk->sk_type != SOCK_STREAM)
  			return -ENOPROTOOPT;
  
@@ -106008,52 +105454,10 @@ index a639967..8f44480 100644
  		pr_err("Unable to proc dir entry\n");
  		ret = -ENOMEM;
 diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
-index d495d4b..31e741e 100644
+index 7aa6225..31e741e 100644
 --- a/net/ipv4/ping.c
 +++ b/net/ipv4/ping.c
-@@ -139,6 +139,7 @@ static void ping_v4_unhash(struct sock *sk)
- 	if (sk_hashed(sk)) {
- 		write_lock_bh(&ping_table.lock);
- 		hlist_nulls_del(&sk->sk_nulls_node);
-+		sk_nulls_node_init(&sk->sk_nulls_node);
- 		sock_put(sk);
- 		isk->inet_num = isk->inet_sport = 0;
- 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
-@@ -257,6 +258,11 @@ static int ping_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
- 	if (addr_len < sizeof(struct sockaddr_in))
- 		return -EINVAL;
- 
-+	if (addr->sin_family != AF_INET &&
-+	    !(addr->sin_family == AF_UNSPEC &&
-+	      addr->sin_addr.s_addr == htonl(INADDR_ANY)))
-+		return -EAFNOSUPPORT;
-+
- 	pr_debug("ping_v4_bind(sk=%p,sa_addr=%08x,sa_port=%d)\n",
- 		sk, addr->sin_addr.s_addr, ntohs(addr->sin_port));
- 
-@@ -504,7 +510,7 @@ static int ping_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
- 		if (msg->msg_namelen < sizeof(*usin))
- 			return -EINVAL;
- 		if (usin->sin_family != AF_INET)
--			return -EINVAL;
-+			return -EAFNOSUPPORT;
- 		daddr = usin->sin_addr.s_addr;
- 		/* no remote port */
- 	} else {
-@@ -716,8 +722,11 @@ void ping_rcv(struct sk_buff *skb)
- 	sk = ping_v4_lookup(net, saddr, daddr, ntohs(icmph->un.echo.id),
- 			    skb->dev->ifindex);
- 	if (sk != NULL) {
-+		struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
-+
- 		pr_debug("rcv on socket %p\n", sk);
--		ping_queue_rcv_skb(sk, skb_get(skb));
-+		if (skb2)
-+			ping_queue_rcv_skb(sk, skb2);
- 		sock_put(sk);
- 		return;
- 	}
-@@ -842,7 +851,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f,
+@@ -851,7 +851,7 @@ static void ping_format_sock(struct sock *sp, struct seq_file *f,
  		sk_rmem_alloc_get(sp),
  		0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
  		atomic_read(&sp->sk_refcnt), sp,
@@ -106415,7 +105819,7 @@ index 8a1bed2..d41ac11 100644
  	return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0;
  }
 diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
-index 739b073..7ac6591 100644
+index 253dd80..ceba12a 100644
 --- a/net/ipv4/sysctl_net_ipv4.c
 +++ b/net/ipv4/sysctl_net_ipv4.c
 @@ -53,7 +53,7 @@ static int ipv4_local_port_range(ctl_table *table, int write,
@@ -106472,7 +105876,7 @@ index 739b073..7ac6591 100644
  		.maxlen		= 65536,
  		.mode		= 0644,
  		.proc_handler	= proc_do_large_bitmap,
-@@ -744,11 +744,10 @@ EXPORT_SYMBOL_GPL(net_ipv4_ctl_path);
+@@ -746,11 +746,10 @@ EXPORT_SYMBOL_GPL(net_ipv4_ctl_path);
  
  static __net_init int ipv4_sysctl_init_net(struct net *net)
  {
@@ -106486,7 +105890,7 @@ index 739b073..7ac6591 100644
  		if (table == NULL)
  			goto err_alloc;
  
-@@ -780,16 +779,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
+@@ -782,16 +781,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
  
  	net->ipv4.sysctl_rt_cache_rebuild_count = 4;
  
@@ -106508,7 +105912,7 @@ index 739b073..7ac6591 100644
  err_alloc:
  	return -ENOMEM;
  }
-@@ -803,7 +803,7 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
+@@ -805,7 +805,7 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
  	kfree(table);
  }
  
@@ -106517,7 +105921,7 @@ index 739b073..7ac6591 100644
  	.init = ipv4_sysctl_init_net,
  	.exit = ipv4_sysctl_exit_net,
  };
-@@ -811,16 +811,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
+@@ -813,16 +813,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
  static __init int sysctl_ipv4_init(void)
  {
  	struct ctl_table_header *hdr;
@@ -106753,7 +106157,7 @@ index 00e1530..47b4f16 100644
  		req->rsk_ops->send_reset(sk, skb);
  
 diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
-index 3a37f54..109c484 100644
+index e614810..c4f2ee7 100644
 --- a/net/ipv4/tcp_output.c
 +++ b/net/ipv4/tcp_output.c
 @@ -1319,7 +1319,7 @@ static void tcp_cwnd_validate(struct sock *sk)
@@ -106998,38 +106402,6 @@ index 3afdd78..2f630fb 100644
  }
  
  static struct pernet_operations if6_proc_net_ops = {
-diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
-index 3c7c948..33719b7 100644
---- a/net/ipv6/datagram.c
-+++ b/net/ipv6/datagram.c
-@@ -371,12 +371,10 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
- 
- 	memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
- 	sin = &errhdr.offender;
--	sin->sin6_family = AF_UNSPEC;
-+	memset(sin, 0, sizeof(*sin));
-+
- 	if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL) {
- 		sin->sin6_family = AF_INET6;
--		sin->sin6_flowinfo = 0;
--		sin->sin6_port = 0;
--		sin->sin6_scope_id = 0;
- 		if (skb->protocol == htons(ETH_P_IPV6)) {
- 			ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr);
- 			if (np->rxopt.all)
-@@ -384,11 +382,9 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
- 			if (ipv6_addr_type(&sin->sin6_addr) & IPV6_ADDR_LINKLOCAL)
- 				sin->sin6_scope_id = IP6CB(skb)->iif;
- 		} else {
--			struct inet_sock *inet = inet_sk(sk);
--
- 			ipv6_addr_set_v4mapped(ip_hdr(skb)->saddr,
- 					       &sin->sin6_addr);
--			if (inet->cmsg_flags)
-+			if (inet_sk(sk)->cmsg_flags)
- 				ip_cmsg_recv(msg, skb);
- 		}
- 	}
 diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
 index 65dd543..e6c6e6d 100644
 --- a/net/ipv6/esp6.c
@@ -107315,25 +106687,10 @@ index eba5deb..61e026f 100644
  	return -ENOMEM;
  }
 diff --git a/net/ipv6/route.c b/net/ipv6/route.c
-index 782f67a..2dc56bf 100644
+index d89d1a6..61d0fe9 100644
 --- a/net/ipv6/route.c
 +++ b/net/ipv6/route.c
-@@ -1018,12 +1018,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
- 
- 	if (mtu < dst_mtu(dst) && rt6->rt6i_dst.plen == 128) {
- 		rt6->rt6i_flags |= RTF_MODIFIED;
--		if (mtu < IPV6_MIN_MTU) {
--			u32 features = dst_metric(dst, RTAX_FEATURES);
-+		if (mtu < IPV6_MIN_MTU)
- 			mtu = IPV6_MIN_MTU;
--			features |= RTAX_FEATURE_ALLFRAG;
--			dst_metric_set(dst, RTAX_FEATURES, features);
--		}
-+
- 		dst_metric_set(dst, RTAX_MTU, mtu);
- 	}
- }
-@@ -2809,7 +2806,7 @@ ctl_table ipv6_route_table_template[] = {
+@@ -2806,7 +2806,7 @@ ctl_table ipv6_route_table_template[] = {
  
  struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
  {
@@ -107693,7 +107050,7 @@ index f8ba30d..927a4aa 100644
  	if (!ipx_proc_dir)
  		goto out;
 diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
-index 253695d..9481ce8 100644
+index cf368dd..d507600 100644
 --- a/net/irda/ircomm/ircomm_tty.c
 +++ b/net/irda/ircomm/ircomm_tty.c
 @@ -282,16 +282,16 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
@@ -107800,7 +107157,7 @@ index 253695d..9481ce8 100644
  		if (self->close_delay)
  			schedule_timeout_interruptible(self->close_delay);
  		wake_up_interruptible(&self->open_wait);
-@@ -1013,7 +1013,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty)
+@@ -1015,7 +1015,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty)
  	spin_lock_irqsave(&self->spinlock, flags);
  	self->flags &= ~ASYNC_NORMAL_ACTIVE;
  	self->tty = NULL;
@@ -107809,7 +107166,7 @@ index 253695d..9481ce8 100644
  	spin_unlock_irqrestore(&self->spinlock, flags);
  
  	wake_up_interruptible(&self->open_wait);
-@@ -1360,7 +1360,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m)
+@@ -1362,7 +1362,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m)
  	seq_putc(m, '\n');
  
  	seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
@@ -108004,45 +107361,8 @@ index a1839c0..4e06b9b 100644
  	if (!llc_proc_dir)
  		goto out;
  
-diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
-index e2ebe35..be078ec 100644
---- a/net/llc/sysctl_net_llc.c
-+++ b/net/llc/sysctl_net_llc.c
-@@ -17,28 +17,28 @@ static struct ctl_table llc2_timeout_table[] = {
- 	{
- 		.procname	= "ack",
- 		.data		= &sysctl_llc2_ack_timeout,
--		.maxlen		= sizeof(long),
-+		.maxlen		= sizeof(sysctl_llc2_ack_timeout),
- 		.mode		= 0644,
- 		.proc_handler   = proc_dointvec_jiffies,
- 	},
- 	{
- 		.procname	= "busy",
- 		.data		= &sysctl_llc2_busy_timeout,
--		.maxlen		= sizeof(long),
-+		.maxlen		= sizeof(sysctl_llc2_busy_timeout),
- 		.mode		= 0644,
- 		.proc_handler   = proc_dointvec_jiffies,
- 	},
- 	{
- 		.procname	= "p",
- 		.data		= &sysctl_llc2_p_timeout,
--		.maxlen		= sizeof(long),
-+		.maxlen		= sizeof(sysctl_llc2_p_timeout),
- 		.mode		= 0644,
- 		.proc_handler   = proc_dointvec_jiffies,
- 	},
- 	{
- 		.procname	= "rej",
- 		.data		= &sysctl_llc2_rej_timeout,
--		.maxlen		= sizeof(long),
-+		.maxlen		= sizeof(sysctl_llc2_rej_timeout),
- 		.mode		= 0644,
- 		.proc_handler   = proc_dointvec_jiffies,
- 	},
 diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index a9cf593..b04a2d5 100644
+index 8da371c5..bd541cf 100644
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
 @@ -27,6 +27,7 @@
@@ -108053,7 +107373,7 @@ index a9cf593..b04a2d5 100644
  #include "key.h"
  #include "sta_info.h"
  
-@@ -767,7 +768,7 @@ struct ieee80211_local {
+@@ -781,7 +782,7 @@ struct ieee80211_local {
  	/* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
  	spinlock_t queue_stop_reason_lock;
  
@@ -108307,7 +107627,7 @@ index 6422845..2c19968 100644
  
  	if (!todrop_rate[i]) return 0;
 diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
-index 6dc7d7d..e45913a 100644
+index d864aaf..d6afbda 100644
 --- a/net/netfilter/ipvs/ip_vs_core.c
 +++ b/net/netfilter/ipvs/ip_vs_core.c
 @@ -562,7 +562,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
@@ -108319,7 +107639,7 @@ index 6dc7d7d..e45913a 100644
  		ip_vs_conn_put(cp);
  		return ret;
  	}
-@@ -1611,7 +1611,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
+@@ -1621,7 +1621,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
  	if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
  		pkts = sysctl_sync_threshold(ipvs);
  	else
@@ -108429,7 +107749,7 @@ index eec797f..6f3ec56 100644
  		.procname	= "lblcr_expiration",
  		.data		= NULL,
 diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
-index 2b6678c0..aaa41fc 100644
+index 2cbcc83..2efc3e8 100644
 --- a/net/netfilter/ipvs/ip_vs_sync.c
 +++ b/net/netfilter/ipvs/ip_vs_sync.c
 @@ -649,7 +649,7 @@ control:
@@ -108441,7 +107761,7 @@ index 2b6678c0..aaa41fc 100644
  
  		if (pkts % sysctl_sync_period(ipvs) != 1)
  			return;
-@@ -795,7 +795,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
+@@ -797,7 +797,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
  
  	if (opt)
  		memcpy(&cp->in_seq, opt, sizeof(*opt));
@@ -108658,19 +107978,6 @@ index 957374a..dcbce7a 100644
  		mutex_unlock(&nf_log_mutex);
  	}
  
-diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
-index b3a7db6..6d70533 100644
---- a/net/netfilter/nf_queue.c
-+++ b/net/netfilter/nf_queue.c
-@@ -233,7 +233,7 @@ int nf_queue(struct sk_buff *skb,
- 	 * returned by nf_queue.  For instance, callers rely on -ECANCELED to mean
- 	 * 'ignore this hook'.
- 	 */
--	if (IS_ERR(segs))
-+	if (IS_ERR_OR_NULL(segs))
- 		return -EINVAL;
- 
- 	queued = 0;
 diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
 index f042ae5..30ea486 100644
 --- a/net/netfilter/nf_sockopt.c
@@ -109367,94 +108674,6 @@ index 9556d28..f046d0e 100644
  #else
  	ic->i_ack_next = 0;
  #endif
-diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c
-index 4e1de17..83725f3 100644
---- a/net/rds/iw_rdma.c
-+++ b/net/rds/iw_rdma.c
-@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool,
- 			int *unpinned);
- static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr);
- 
--static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id)
-+static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst,
-+			     struct rds_iw_device **rds_iwdev,
-+			     struct rdma_cm_id **cm_id)
- {
- 	struct rds_iw_device *iwdev;
- 	struct rds_iw_cm_id *i_cm_id;
-@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd
- 				src_addr->sin_port,
- 				dst_addr->sin_addr.s_addr,
- 				dst_addr->sin_port,
--				rs->rs_bound_addr,
--				rs->rs_bound_port,
--				rs->rs_conn_addr,
--				rs->rs_conn_port);
-+				src->sin_addr.s_addr,
-+				src->sin_port,
-+				dst->sin_addr.s_addr,
-+				dst->sin_port);
- #ifdef WORKING_TUPLE_DETECTION
--			if (src_addr->sin_addr.s_addr == rs->rs_bound_addr &&
--			    src_addr->sin_port == rs->rs_bound_port &&
--			    dst_addr->sin_addr.s_addr == rs->rs_conn_addr &&
--			    dst_addr->sin_port == rs->rs_conn_port) {
-+			if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr &&
-+			    src_addr->sin_port == src->sin_port &&
-+			    dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr &&
-+			    dst_addr->sin_port == dst->sin_port) {
- #else
- 			/* FIXME - needs to compare the local and remote
- 			 * ipaddr/port tuple, but the ipaddr is the only
-@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd
- 			 * zero'ed.  It doesn't appear to be properly populated
- 			 * during connection setup...
- 			 */
--			if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) {
-+			if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) {
- #endif
- 				spin_unlock_irq(&iwdev->spinlock);
- 				*rds_iwdev = iwdev;
-@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i
- {
- 	struct sockaddr_in *src_addr, *dst_addr;
- 	struct rds_iw_device *rds_iwdev_old;
--	struct rds_sock rs;
- 	struct rdma_cm_id *pcm_id;
- 	int rc;
- 
- 	src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
- 	dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
- 
--	rs.rs_bound_addr = src_addr->sin_addr.s_addr;
--	rs.rs_bound_port = src_addr->sin_port;
--	rs.rs_conn_addr = dst_addr->sin_addr.s_addr;
--	rs.rs_conn_port = dst_addr->sin_port;
--
--	rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id);
-+	rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id);
- 	if (rc)
- 		rds_iw_remove_cm_id(rds_iwdev, cm_id);
- 
-@@ -611,9 +607,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents,
- 	struct rds_iw_device *rds_iwdev;
- 	struct rds_iw_mr *ibmr = NULL;
- 	struct rdma_cm_id *cm_id;
-+	struct sockaddr_in src = {
-+		.sin_addr.s_addr = rs->rs_bound_addr,
-+		.sin_port = rs->rs_bound_port,
-+	};
-+	struct sockaddr_in dst = {
-+		.sin_addr.s_addr = rs->rs_conn_addr,
-+		.sin_port = rs->rs_conn_port,
-+	};
- 	int ret;
- 
--	ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id);
-+	ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id);
- 	if (ret || !cm_id) {
- 		ret = -ENODEV;
- 		goto out;
 diff --git a/net/rds/iw_recv.c b/net/rds/iw_recv.c
 index 5e57347..3916042 100644
 --- a/net/rds/iw_recv.c
@@ -109646,27 +108865,6 @@ index 88eace5..f33ba5d 100644
  			continue;
  		}
  		list_del_init(&rm->m_conn_item);
-diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c
-index 25ad0c7..065026f 100644
---- a/net/rds/sysctl.c
-+++ b/net/rds/sysctl.c
-@@ -71,14 +71,14 @@ static ctl_table rds_sysctl_rds_table[] = {
- 	{
- 		.procname	= "max_unacked_packets",
- 		.data		= &rds_sysctl_max_unacked_packets,
--		.maxlen         = sizeof(unsigned long),
-+		.maxlen         = sizeof(int),
- 		.mode           = 0644,
- 		.proc_handler   = proc_dointvec,
- 	},
- 	{
- 		.procname	= "max_unacked_bytes",
- 		.data		= &rds_sysctl_max_unacked_bytes,
--		.maxlen         = sizeof(unsigned long),
-+		.maxlen         = sizeof(int),
- 		.mode           = 0644,
- 		.proc_handler   = proc_dointvec,
- 	},
 diff --git a/net/rds/tcp.c b/net/rds/tcp.c
 index edac9ef..16bcb98 100644
 --- a/net/rds/tcp.c
@@ -110234,7 +109432,7 @@ index 8da4481..d02565e 100644
  			+ (rtt >> sctp_rto_alpha);
  	} else {
 diff --git a/net/socket.c b/net/socket.c
-index 3faa358..a13ae17 100644
+index 116cf9d..a13ae17 100644
 --- a/net/socket.c
 +++ b/net/socket.c
 @@ -88,6 +88,7 @@
@@ -110418,17 +109616,7 @@ index 3faa358..a13ae17 100644
  	int err, err2;
  	int fput_needed;
  
-@@ -1885,6 +1951,9 @@ static int copy_msghdr_from_user(struct msghdr *kmsg,
- 	if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
- 		return -EFAULT;
- 
-+	if (kmsg->msg_name == NULL)
-+		kmsg->msg_namelen = 0;
-+
- 	if (kmsg->msg_namelen < 0)
- 		return -EINVAL;
- 
-@@ -1970,7 +2039,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -1973,7 +2039,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
  		 * checking falls down on this.
  		 */
  		if (copy_from_user(ctl_buf,
@@ -110437,7 +109625,7 @@ index 3faa358..a13ae17 100644
  				   ctl_len))
  			goto out_freectl;
  		msg_sys->msg_control = ctl_buf;
-@@ -2121,7 +2190,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2124,7 +2190,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
  	int err, iov_size, total_len, len;
  
  	/* kernel mode address */
@@ -110446,7 +109634,7 @@ index 3faa358..a13ae17 100644
  
  	/* user mode address pointers */
  	struct sockaddr __user *uaddr;
-@@ -2152,7 +2221,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2155,7 +2221,8 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
  	/* Save the user-mode address (verify_iovec will change the
  	 * kernel msghdr to use the kernel address space)
  	 */
@@ -110456,7 +109644,7 @@ index 3faa358..a13ae17 100644
  	uaddr_len = COMPAT_NAMELEN(msg);
  	if (MSG_CMSG_COMPAT & flags)
  		err = verify_compat_iovec(msg_sys, iov,
-@@ -2796,9 +2866,9 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2799,9 +2866,9 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
  	}
  
  	ifr = compat_alloc_user_space(buf_size);
@@ -110468,7 +109656,7 @@ index 3faa358..a13ae17 100644
  		return -EFAULT;
  
  	if (put_user(convert_in ? rxnfc : compat_ptr(data),
-@@ -2820,12 +2890,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2823,12 +2890,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
  			offsetof(struct ethtool_rxnfc, fs.ring_cookie));
  
  		if (copy_in_user(rxnfc, compat_rxnfc,
@@ -110485,7 +109673,7 @@ index 3faa358..a13ae17 100644
  		    copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
  				 sizeof(rxnfc->rule_cnt)))
  			return -EFAULT;
-@@ -2837,12 +2907,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
+@@ -2840,12 +2907,12 @@ static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
  
  	if (convert_out) {
  		if (copy_in_user(compat_rxnfc, rxnfc,
@@ -110502,7 +109690,7 @@ index 3faa358..a13ae17 100644
  		    copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
  				 sizeof(rxnfc->rule_cnt)))
  			return -EFAULT;
-@@ -2912,14 +2982,14 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2915,14 +2982,14 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
  		old_fs = get_fs();
  		set_fs(KERNEL_DS);
  		err = dev_ioctl(net, cmd,
@@ -110519,7 +109707,7 @@ index 3faa358..a13ae17 100644
  			return -EFAULT;
  
  		if (get_user(data, &ifr32->ifr_ifru.ifru_data))
-@@ -3021,7 +3091,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -3024,7 +3091,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
  
  	old_fs = get_fs();
  	set_fs(KERNEL_DS);
@@ -110528,7 +109716,7 @@ index 3faa358..a13ae17 100644
  	set_fs(old_fs);
  
  	if (cmd == SIOCGIFMAP && !err) {
-@@ -3126,7 +3196,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3129,7 +3196,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
  		ret |= __get_user(rtdev, &(ur4->rt_dev));
  		if (rtdev) {
  			ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -110537,7 +109725,7 @@ index 3faa358..a13ae17 100644
  			devname[15] = 0;
  		} else
  			r4.rt_dev = NULL;
-@@ -3366,8 +3436,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3369,8 +3436,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
  	int __user *uoptlen;
  	int err;
  
@@ -110548,7 +109736,7 @@ index 3faa358..a13ae17 100644
  
  	set_fs(KERNEL_DS);
  	if (level == SOL_SOCKET)
-@@ -3387,7 +3457,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3390,7 +3457,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
  	char __user *uoptval;
  	int err;
  
@@ -110558,18 +109746,9 @@ index 3faa358..a13ae17 100644
  	set_fs(KERNEL_DS);
  	if (level == SOL_SOCKET)
 diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
-index 237a2ee..9e69f3e 100644
+index 7de935a..9e69f3e 100644
 --- a/net/sunrpc/cache.c
 +++ b/net/sunrpc/cache.c
-@@ -909,7 +909,7 @@ static unsigned int cache_poll(struct file *filp, poll_table *wait,
- 	poll_wait(filp, &queue_wait, wait);
- 
- 	/* alway allow write */
--	mask = POLL_OUT | POLLWRNORM;
-+	mask = POLLOUT | POLLWRNORM;
- 
- 	if (!rp)
- 		return mask;
 @@ -1587,7 +1587,7 @@ static int create_cache_proc_entries(struct cache_detail *cd, struct net *net)
  	struct sunrpc_net *sn;
  
@@ -111602,19 +110781,6 @@ index 2ffde46..76f0432 100644
  	if (!x25_proc_dir)
  		goto out;
  
-diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
-index 47bacd8..e49d5f4 100644
---- a/net/xfrm/xfrm_output.c
-+++ b/net/xfrm/xfrm_output.c
-@@ -151,6 +151,8 @@ static int xfrm_output_gso(struct sk_buff *skb)
- 	kfree_skb(skb);
- 	if (IS_ERR(segs))
- 		return PTR_ERR(segs);
-+	if (segs == NULL)
-+		return -EINVAL;
- 
- 	do {
- 		struct sk_buff *nskb = segs->next;
 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
 index 113d20e..2bb5a4e 100644
 --- a/net/xfrm/xfrm_policy.c
@@ -115105,24 +114271,11 @@ index b43813c..74be837 100644
  }
  #else
  static inline int selinux_xfrm_enabled(void)
-diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
-index 4dd8dcf..bac8928 100644
---- a/security/selinux/selinuxfs.c
-+++ b/security/selinux/selinuxfs.c
-@@ -150,7 +150,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
- 		goto out;
- 
- 	/* No partial writes. */
--	length = EINVAL;
-+	length = -EINVAL;
- 	if (*ppos != 0)
- 		goto out;
- 
 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index e3adb49..9798c61 100644
+index 774c159..801c50d 100644
 --- a/security/smack/smack_lsm.c
 +++ b/security/smack/smack_lsm.c
-@@ -3481,7 +3481,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+@@ -3483,7 +3483,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
  	return 0;
  }
  
@@ -115422,10 +114575,10 @@ index 4dbb66e..eda2998 100644
  	if (err < 0)
  		return err;
 diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
-index 638600b..2e6b1fd 100644
+index 8a00555..48f07fe 100644
 --- a/sound/core/pcm_native.c
 +++ b/sound/core/pcm_native.c
-@@ -2788,11 +2788,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream,
+@@ -2790,11 +2790,11 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream,
  	switch (substream->stream) {
  	case SNDRV_PCM_STREAM_PLAYBACK:
  		result = snd_pcm_playback_ioctl1(NULL, substream, cmd,
@@ -124162,10 +123315,10 @@ index 0000000..4378111
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
 new file mode 100644
-index 0000000..6e35346
+index 0000000..cd3c18f
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,5133 @@
+@@ -0,0 +1,5138 @@
 +intel_fake_agp_alloc_by_type_1 intel_fake_agp_alloc_by_type 1 1 NULL
 +storvsc_connect_to_vsp_22 storvsc_connect_to_vsp 2 22 NULL
 +compat_sock_setsockopt_23 compat_sock_setsockopt 5 23 NULL
@@ -124402,7 +123555,8 @@ index 0000000..6e35346
 +encrypted_instantiate_3168 encrypted_instantiate 3 3168 NULL
 +uv_num_possible_blades_3177 uv_num_possible_blades 0 3177 NULL
 +compat_do_ip6t_set_ctl_3184 compat_do_ip6t_set_ctl 4 3184 NULL
-+alloc_context_3194 alloc_context 1 3194 NULL
++alloc_context_3194 alloc_context 1 3194 NULL nohasharray
++ep_aio_read_3194 ep_aio_read 3 3194 &alloc_context_3194
 +codec_reg_write_file_3204 codec_reg_write_file 3 3204 NULL
 +ath6kl_mgmt_tx_3230 ath6kl_mgmt_tx 9 3230 NULL
 +btrfs_next_leaf_3232 btrfs_next_leaf 0 3232 NULL
@@ -125314,6 +124468,7 @@ index 0000000..6e35346
 +oo_objects_14319 oo_objects 0 14319 NULL
 +iwl_legacy_dbgfs_interrupt_read_14324 iwl_legacy_dbgfs_interrupt_read 3 14324 NULL
 +p9_client_zc_rpc_14345 p9_client_zc_rpc 7 14345 NULL
++ep_aio_rwtail_14347 ep_aio_rwtail 6 14347 NULL
 +snd_pcm_lib_readv_14363 snd_pcm_lib_readv 3-0 14363 NULL
 +ath6kl_regdump_read_14393 ath6kl_regdump_read 3 14393 NULL
 +smk_write_onlycap_14400 smk_write_onlycap 3 14400 NULL
@@ -126509,6 +125664,7 @@ index 0000000..6e35346
 +tcp_sendpage_29829 tcp_sendpage 4-3 29829 NULL
 +__probe_kernel_write_29842 __probe_kernel_write 3 29842 NULL
 +count_partial_29850 count_partial 0 29850 NULL
++extract_icmp6_fields_29870 extract_icmp6_fields 2 29870 NULL
 +ipv6_setsockopt_29871 ipv6_setsockopt 5 29871 NULL
 +scsi_end_request_29876 scsi_end_request 3 29876 NULL
 +crypto_aead_alignmask_29885 crypto_aead_alignmask 0 29885 NULL
@@ -127737,6 +126893,7 @@ index 0000000..6e35346
 +unix_dgram_sendmsg_45699 unix_dgram_sendmsg 4 45699 &bscnl_emit_45699
 +sg_proc_write_adio_45704 sg_proc_write_adio 3 45704 NULL
 +dvb_ca_en50221_init_45718 dvb_ca_en50221_init 4 45718 NULL
++handle_response_icmp_45733 handle_response_icmp 7 45733 NULL
 +snd_cs46xx_io_read_45734 snd_cs46xx_io_read 5 45734 NULL
 +v4l2_ctrl_new_std_45748 v4l2_ctrl_new_std 5 45748 NULL
 +lkdtm_debugfs_read_45752 lkdtm_debugfs_read 3 45752 NULL
@@ -128013,6 +127170,7 @@ index 0000000..6e35346
 +root_nfs_cat_49192 root_nfs_cat 3 49192 NULL
 +iwl_dbgfs_ucode_general_stats_read_49199 iwl_dbgfs_ucode_general_stats_read 3 49199 NULL
 +do_jffs2_getxattr_49210 do_jffs2_getxattr 0 49210 NULL
++handle_response_49269 handle_response 5 49269 NULL
 +osd_req_add_get_attr_list_49278 osd_req_add_get_attr_list 3 49278 NULL
 +__ext4_ext_dirty_49284 __ext4_ext_dirty 0 49284 NULL
 +viafb_dfph_proc_write_49288 viafb_dfph_proc_write 3 49288 NULL
diff --git a/3.2.68/4425_grsec_remove_EI_PAX.patch b/3.2.69/4425_grsec_remove_EI_PAX.patch
index ba92792..ba92792 100644
--- a/3.2.68/4425_grsec_remove_EI_PAX.patch
+++ b/3.2.69/4425_grsec_remove_EI_PAX.patch
diff --git a/3.2.68/4427_force_XATTR_PAX_tmpfs.patch b/3.2.69/4427_force_XATTR_PAX_tmpfs.patch
index caaeed1..caaeed1 100644
--- a/3.2.68/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.2.69/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.2.68/4430_grsec-remove-localversion-grsec.patch b/3.2.69/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.2.68/4430_grsec-remove-localversion-grsec.patch
+++ b/3.2.69/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.68/4435_grsec-mute-warnings.patch b/3.2.69/4435_grsec-mute-warnings.patch
index da01ac7..da01ac7 100644
--- a/3.2.68/4435_grsec-mute-warnings.patch
+++ b/3.2.69/4435_grsec-mute-warnings.patch
diff --git a/3.2.68/4440_grsec-remove-protected-paths.patch b/3.2.69/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/3.2.68/4440_grsec-remove-protected-paths.patch
+++ b/3.2.69/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.68/4450_grsec-kconfig-default-gids.patch b/3.2.69/4450_grsec-kconfig-default-gids.patch
index 5e1cb04..5e1cb04 100644
--- a/3.2.68/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.69/4450_grsec-kconfig-default-gids.patch
diff --git a/3.2.68/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.69/4465_selinux-avc_audit-log-curr_ip.patch
index f73d198..f73d198 100644
--- a/3.2.68/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.69/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.2.68/4470_disable-compat_vdso.patch b/3.2.69/4470_disable-compat_vdso.patch
index 34d46de..34d46de 100644
--- a/3.2.68/4470_disable-compat_vdso.patch
+++ b/3.2.69/4470_disable-compat_vdso.patch
diff --git a/3.2.68/4475_emutramp_default_on.patch b/3.2.69/4475_emutramp_default_on.patch
index 2db58ab..2db58ab 100644
--- a/3.2.68/4475_emutramp_default_on.patch
+++ b/3.2.69/4475_emutramp_default_on.patch
diff --git a/4.0.2/0000_README b/4.0.2/0000_README
index f34197d..2d4e7a4 100644
--- a/4.0.2/0000_README
+++ b/4.0.2/0000_README
@@ -6,7 +6,7 @@ Patch:	1002_linux-4.0.2.patch
 From:	http://www.kernel.org
 Desc:	Linux 4.0.2
 
-Patch:	4420_grsecurity-3.1-4.0.2-201505091724.patch
+Patch:	4420_grsecurity-3.1-4.0.2-201505101122.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/4.0.2/4420_grsecurity-3.1-4.0.2-201505091724.patch b/4.0.2/4420_grsecurity-3.1-4.0.2-201505101122.patch
index 86c9e65..334f5da 100644
--- a/4.0.2/4420_grsecurity-3.1-4.0.2-201505091724.patch
+++ b/4.0.2/4420_grsecurity-3.1-4.0.2-201505101122.patch
@@ -49152,6 +49152,28 @@ index a2515887..6d13233 100644
  	dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
  
  	/* we will have to manufacture ethernet headers, prepare template */
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 777757a..395a767 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1285,7 +1285,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
+ 				     struct net_device *net)
+ {
+ 	struct usbnet		*dev = netdev_priv(net);
+-	int			length;
++	unsigned int			length;
+ 	struct urb		*urb = NULL;
+ 	struct skb_data		*entry;
+ 	struct driver_info	*info = dev->driver_info;
+@@ -1413,7 +1413,7 @@ not_drop:
+ 		}
+ 	} else
+ 		netif_dbg(dev, tx_queued, dev->net,
+-			  "> tx, len %d, type 0x%x\n", length, skb->protocol);
++			  "> tx, len %u, type 0x%x\n", length, skb->protocol);
+ #ifdef CONFIG_PM
+ deferred:
+ #endif
 diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
 index 59b0e97..a6ed579 100644
 --- a/drivers/net/virtio_net.c
@@ -65536,7 +65558,7 @@ index caa38a2..44c470a 100644
  out:
  	return len;
 diff --git a/fs/namespace.c b/fs/namespace.c
-index 4622ee3..2db42e3 100644
+index 4622ee3..8500e56 100644
 --- a/fs/namespace.c
 +++ b/fs/namespace.c
 @@ -1480,6 +1480,9 @@ static int do_umount(struct mount *mnt, int flags)
@@ -65655,7 +65677,20 @@ index 4622ee3..2db42e3 100644
  	get_fs_root(current->fs, &root);
  	old_mp = lock_mount(&old);
  	error = PTR_ERR(old_mp);
-@@ -3229,7 +3253,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns)
+@@ -3178,6 +3202,12 @@ bool fs_fully_visible(struct file_system_type *type)
+ 		if (mnt->mnt.mnt_sb->s_type != type)
+ 			continue;
+ 
++		/* This mount is not fully visible if it's root directory
++		 * is not the root directory of the filesystem.
++		 */
++		if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
++			continue;
++
+ 		/* This mount is not fully visible if there are any child mounts
+ 		 * that cover anything except for empty directories.
+ 		 */
+@@ -3229,7 +3259,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns)
  	    !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
  		return -EPERM;