/[linux-patches]/genpatches-2.6/tags/2.6.32-47/1029_linux-2.6.32.30.patch
Gentoo

Contents of /genpatches-2.6/tags/2.6.32-47/1029_linux-2.6.32.30.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 2037 - (show annotations) (download)
Wed Dec 28 14:38:55 2011 UTC (6 years, 5 months ago) by psomas
File size: 103625 byte(s)
2.6.32-47 release
1 diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
2 index e7714f3..962236a 100644
3 --- a/arch/arm/kernel/signal.c
4 +++ b/arch/arm/kernel/signal.c
5 @@ -389,7 +389,9 @@ setup_return(struct pt_regs *regs, struct k_sigaction *ka,
6 unsigned long handler = (unsigned long)ka->sa.sa_handler;
7 unsigned long retcode;
8 int thumb = 0;
9 - unsigned long cpsr = regs->ARM_cpsr & ~PSR_f;
10 + unsigned long cpsr = regs->ARM_cpsr & ~(PSR_f | PSR_E_BIT);
11 +
12 + cpsr |= PSR_ENDSTATE;
13
14 /*
15 * Maybe we need to deliver a 32-bit signal to a 26-bit task.
16 diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h
17 index b427154..0262c28 100644
18 --- a/arch/s390/include/asm/processor.h
19 +++ b/arch/s390/include/asm/processor.h
20 @@ -150,11 +150,6 @@ extern int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags);
21 */
22 extern unsigned long thread_saved_pc(struct task_struct *t);
23
24 -/*
25 - * Print register of task into buffer. Used in fs/proc/array.c.
26 - */
27 -extern void task_show_regs(struct seq_file *m, struct task_struct *task);
28 -
29 extern void show_code(struct pt_regs *regs);
30
31 unsigned long get_wchan(struct task_struct *p);
32 diff --git a/arch/s390/kernel/traps.c b/arch/s390/kernel/traps.c
33 index c2e42cc..6d3f00a 100644
34 --- a/arch/s390/kernel/traps.c
35 +++ b/arch/s390/kernel/traps.c
36 @@ -243,43 +243,6 @@ void show_regs(struct pt_regs *regs)
37 show_last_breaking_event(regs);
38 }
39
40 -/* This is called from fs/proc/array.c */
41 -void task_show_regs(struct seq_file *m, struct task_struct *task)
42 -{
43 - struct pt_regs *regs;
44 -
45 - regs = task_pt_regs(task);
46 - seq_printf(m, "task: %p, ksp: %p\n",
47 - task, (void *)task->thread.ksp);
48 - seq_printf(m, "User PSW : %p %p\n",
49 - (void *) regs->psw.mask, (void *)regs->psw.addr);
50 -
51 - seq_printf(m, "User GPRS: " FOURLONG,
52 - regs->gprs[0], regs->gprs[1],
53 - regs->gprs[2], regs->gprs[3]);
54 - seq_printf(m, " " FOURLONG,
55 - regs->gprs[4], regs->gprs[5],
56 - regs->gprs[6], regs->gprs[7]);
57 - seq_printf(m, " " FOURLONG,
58 - regs->gprs[8], regs->gprs[9],
59 - regs->gprs[10], regs->gprs[11]);
60 - seq_printf(m, " " FOURLONG,
61 - regs->gprs[12], regs->gprs[13],
62 - regs->gprs[14], regs->gprs[15]);
63 - seq_printf(m, "User ACRS: %08x %08x %08x %08x\n",
64 - task->thread.acrs[0], task->thread.acrs[1],
65 - task->thread.acrs[2], task->thread.acrs[3]);
66 - seq_printf(m, " %08x %08x %08x %08x\n",
67 - task->thread.acrs[4], task->thread.acrs[5],
68 - task->thread.acrs[6], task->thread.acrs[7]);
69 - seq_printf(m, " %08x %08x %08x %08x\n",
70 - task->thread.acrs[8], task->thread.acrs[9],
71 - task->thread.acrs[10], task->thread.acrs[11]);
72 - seq_printf(m, " %08x %08x %08x %08x\n",
73 - task->thread.acrs[12], task->thread.acrs[13],
74 - task->thread.acrs[14], task->thread.acrs[15]);
75 -}
76 -
77 static DEFINE_SPINLOCK(die_lock);
78
79 void die(const char * str, struct pt_regs * regs, long err)
80 diff --git a/arch/x86/include/asm/acpi.h b/arch/x86/include/asm/acpi.h
81 index 4518dc5..e0ea85a 100644
82 --- a/arch/x86/include/asm/acpi.h
83 +++ b/arch/x86/include/asm/acpi.h
84 @@ -89,6 +89,7 @@ extern int acpi_ht;
85 extern int acpi_pci_disabled;
86 extern int acpi_skip_timer_override;
87 extern int acpi_use_timer_override;
88 +extern int acpi_fix_pin2_polarity;
89
90 extern u8 acpi_sci_flags;
91 extern int acpi_sci_override_gsi;
92 diff --git a/arch/x86/include/asm/pvclock.h b/arch/x86/include/asm/pvclock.h
93 index 53235fd..daaacab 100644
94 --- a/arch/x86/include/asm/pvclock.h
95 +++ b/arch/x86/include/asm/pvclock.h
96 @@ -10,5 +10,6 @@ unsigned long pvclock_tsc_khz(struct pvclock_vcpu_time_info *src);
97 void pvclock_read_wallclock(struct pvclock_wall_clock *wall,
98 struct pvclock_vcpu_time_info *vcpu,
99 struct timespec *ts);
100 +void pvclock_resume(void);
101
102 #endif /* _ASM_X86_PVCLOCK_H */
103 diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
104 index 23c2da8..8ba08c7 100644
105 --- a/arch/x86/kernel/acpi/boot.c
106 +++ b/arch/x86/kernel/acpi/boot.c
107 @@ -70,6 +70,7 @@ u8 acpi_sci_flags __initdata;
108 int acpi_sci_override_gsi __initdata;
109 int acpi_skip_timer_override __initdata;
110 int acpi_use_timer_override __initdata;
111 +int acpi_fix_pin2_polarity __initdata;
112
113 #ifdef CONFIG_X86_LOCAL_APIC
114 static u64 acpi_lapic_addr __initdata = APIC_DEFAULT_PHYS_BASE;
115 @@ -360,10 +361,15 @@ acpi_parse_int_src_ovr(struct acpi_subtable_header * header,
116 return 0;
117 }
118
119 - if (acpi_skip_timer_override &&
120 - intsrc->source_irq == 0 && intsrc->global_irq == 2) {
121 - printk(PREFIX "BIOS IRQ0 pin2 override ignored.\n");
122 - return 0;
123 + if (intsrc->source_irq == 0 && intsrc->global_irq == 2) {
124 + if (acpi_skip_timer_override) {
125 + printk(PREFIX "BIOS IRQ0 pin2 override ignored.\n");
126 + return 0;
127 + }
128 + if (acpi_fix_pin2_polarity && (intsrc->inti_flags & ACPI_MADT_POLARITY_MASK)) {
129 + intsrc->inti_flags &= ~ACPI_MADT_POLARITY_MASK;
130 + printk(PREFIX "BIOS IRQ0 pin2 override: forcing polarity to high active.\n");
131 + }
132 }
133
134 mp_override_legacy_irq(intsrc->source_irq,
135 diff --git a/arch/x86/kernel/early-quirks.c b/arch/x86/kernel/early-quirks.c
136 index ebdb85c..ef01d3d 100644
137 --- a/arch/x86/kernel/early-quirks.c
138 +++ b/arch/x86/kernel/early-quirks.c
139 @@ -145,15 +145,10 @@ static void __init ati_bugs(int num, int slot, int func)
140
141 static u32 __init ati_sbx00_rev(int num, int slot, int func)
142 {
143 - u32 old, d;
144 + u32 d;
145
146 - d = read_pci_config(num, slot, func, 0x70);
147 - old = d;
148 - d &= ~(1<<8);
149 - write_pci_config(num, slot, func, 0x70, d);
150 d = read_pci_config(num, slot, func, 0x8);
151 d &= 0xff;
152 - write_pci_config(num, slot, func, 0x70, old);
153
154 return d;
155 }
156 @@ -162,13 +157,16 @@ static void __init ati_bugs_contd(int num, int slot, int func)
157 {
158 u32 d, rev;
159
160 - if (acpi_use_timer_override)
161 - return;
162 -
163 rev = ati_sbx00_rev(num, slot, func);
164 + if (rev >= 0x40)
165 + acpi_fix_pin2_polarity = 1;
166 +
167 if (rev > 0x13)
168 return;
169
170 + if (acpi_use_timer_override)
171 + return;
172 +
173 /* check for IRQ0 interrupt swap */
174 d = read_pci_config(num, slot, func, 0x64);
175 if (!(d & (1<<14)))
176 diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c
177 index c771e1a..69cab24 100644
178 --- a/arch/x86/kernel/hpet.c
179 +++ b/arch/x86/kernel/hpet.c
180 @@ -606,6 +606,8 @@ static void hpet_msi_capability_lookup(unsigned int start_timer)
181 if (hpet_msi_disable)
182 return;
183
184 + if (boot_cpu_has(X86_FEATURE_ARAT))
185 + return;
186 id = hpet_readl(HPET_ID);
187
188 num_timers = ((id & HPET_ID_NUMBER) >> HPET_ID_NUMBER_SHIFT);
189 @@ -894,10 +896,8 @@ int __init hpet_enable(void)
190
191 if (id & HPET_ID_LEGSUP) {
192 hpet_legacy_clockevent_register();
193 - hpet_msi_capability_lookup(2);
194 return 1;
195 }
196 - hpet_msi_capability_lookup(0);
197 return 0;
198
199 out_nohpet:
200 @@ -930,12 +930,20 @@ static __init int hpet_late_init(void)
201 if (!hpet_virt_address)
202 return -ENODEV;
203
204 + if (hpet_readl(HPET_ID) & HPET_ID_LEGSUP)
205 + hpet_msi_capability_lookup(2);
206 + else
207 + hpet_msi_capability_lookup(0);
208 +
209 hpet_reserve_platform_timers(hpet_readl(HPET_ID));
210 hpet_print_config();
211
212 if (hpet_msi_disable)
213 return 0;
214
215 + if (boot_cpu_has(X86_FEATURE_ARAT))
216 + return 0;
217 +
218 for_each_online_cpu(cpu) {
219 hpet_cpuhp_notify(NULL, CPU_ONLINE, (void *)(long)cpu);
220 }
221 diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
222 index dfdfe46..b12fe8d 100644
223 --- a/arch/x86/kernel/pvclock.c
224 +++ b/arch/x86/kernel/pvclock.c
225 @@ -111,6 +111,11 @@ unsigned long pvclock_tsc_khz(struct pvclock_vcpu_time_info *src)
226
227 static atomic64_t last_value = ATOMIC64_INIT(0);
228
229 +void pvclock_resume(void)
230 +{
231 + atomic64_set(&last_value, 0);
232 +}
233 +
234 cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
235 {
236 struct pvclock_shadow_time shadow;
237 diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c
238 index 8e04980..3e81716 100644
239 --- a/arch/x86/xen/time.c
240 +++ b/arch/x86/xen/time.c
241 @@ -424,6 +424,8 @@ void xen_timer_resume(void)
242 {
243 int cpu;
244
245 + pvclock_resume();
246 +
247 if (xen_clockevent != &xen_vcpuop_clockevent)
248 return;
249
250 diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
251 index 68b5957..a5d585d 100644
252 --- a/drivers/block/pktcdvd.c
253 +++ b/drivers/block/pktcdvd.c
254 @@ -2408,7 +2408,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)
255 pkt_shrink_pktlist(pd);
256 }
257
258 -static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
259 +static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
260 {
261 if (dev_minor >= MAX_WRITERS)
262 return NULL;
263 diff --git a/drivers/isdn/hisax/config.c b/drivers/isdn/hisax/config.c
264 index 4fab18d..16e45b7 100644
265 --- a/drivers/isdn/hisax/config.c
266 +++ b/drivers/isdn/hisax/config.c
267 @@ -800,6 +800,16 @@ static void closecard(int cardnr)
268 ll_unload(csta);
269 }
270
271 +static irqreturn_t card_irq(int intno, void *dev_id)
272 +{
273 + struct IsdnCardState *cs = dev_id;
274 + irqreturn_t ret = cs->irq_func(intno, cs);
275 +
276 + if (ret == IRQ_HANDLED)
277 + cs->irq_cnt++;
278 + return ret;
279 +}
280 +
281 static int init_card(struct IsdnCardState *cs)
282 {
283 int irq_cnt, cnt = 3, ret;
284 @@ -808,10 +818,10 @@ static int init_card(struct IsdnCardState *cs)
285 ret = cs->cardmsg(cs, CARD_INIT, NULL);
286 return(ret);
287 }
288 - irq_cnt = kstat_irqs(cs->irq);
289 + irq_cnt = cs->irq_cnt = 0;
290 printk(KERN_INFO "%s: IRQ %d count %d\n", CardType[cs->typ],
291 cs->irq, irq_cnt);
292 - if (request_irq(cs->irq, cs->irq_func, cs->irq_flags, "HiSax", cs)) {
293 + if (request_irq(cs->irq, card_irq, cs->irq_flags, "HiSax", cs)) {
294 printk(KERN_WARNING "HiSax: couldn't get interrupt %d\n",
295 cs->irq);
296 return 1;
297 @@ -821,8 +831,8 @@ static int init_card(struct IsdnCardState *cs)
298 /* Timeout 10ms */
299 msleep(10);
300 printk(KERN_INFO "%s: IRQ %d count %d\n",
301 - CardType[cs->typ], cs->irq, kstat_irqs(cs->irq));
302 - if (kstat_irqs(cs->irq) == irq_cnt) {
303 + CardType[cs->typ], cs->irq, cs->irq_cnt);
304 + if (cs->irq_cnt == irq_cnt) {
305 printk(KERN_WARNING
306 "%s: IRQ(%d) getting no interrupts during init %d\n",
307 CardType[cs->typ], cs->irq, 4 - cnt);
308 diff --git a/drivers/isdn/hisax/hisax.h b/drivers/isdn/hisax/hisax.h
309 index 0685c19..85cf420 100644
310 --- a/drivers/isdn/hisax/hisax.h
311 +++ b/drivers/isdn/hisax/hisax.h
312 @@ -959,6 +959,7 @@ struct IsdnCardState {
313 u_long event;
314 struct work_struct tqueue;
315 struct timer_list dbusytimer;
316 + unsigned int irq_cnt;
317 #ifdef ERROR_STATISTIC
318 int err_crc;
319 int err_tx;
320 diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
321 index cc9dc79..6021d0a 100644
322 --- a/drivers/md/dm-raid1.c
323 +++ b/drivers/md/dm-raid1.c
324 @@ -659,7 +659,7 @@ static void do_writes(struct mirror_set *ms, struct bio_list *writes)
325 /*
326 * Dispatch io.
327 */
328 - if (unlikely(ms->log_failure)) {
329 + if (unlikely(ms->log_failure) && errors_handled(ms)) {
330 spin_lock_irq(&ms->lock);
331 bio_list_merge(&ms->failures, &sync);
332 spin_unlock_irq(&ms->lock);
333 diff --git a/drivers/md/dm-region-hash.c b/drivers/md/dm-region-hash.c
334 index 36dbe29..2d1abfd 100644
335 --- a/drivers/md/dm-region-hash.c
336 +++ b/drivers/md/dm-region-hash.c
337 @@ -643,10 +643,9 @@ void dm_rh_recovery_end(struct dm_region *reg, int success)
338 spin_lock_irq(&rh->region_lock);
339 if (success)
340 list_add(&reg->list, &reg->rh->recovered_regions);
341 - else {
342 - reg->state = DM_RH_NOSYNC;
343 + else
344 list_add(&reg->list, &reg->rh->failed_recovered_regions);
345 - }
346 +
347 spin_unlock_irq(&rh->region_lock);
348
349 rh->wakeup_workers(rh->context);
350 diff --git a/drivers/md/md.c b/drivers/md/md.c
351 index 68bfb68..697a2c7 100644
352 --- a/drivers/md/md.c
353 +++ b/drivers/md/md.c
354 @@ -305,6 +305,9 @@ static mddev_t * mddev_find(dev_t unit)
355 {
356 mddev_t *mddev, *new = NULL;
357
358 + if (unit && MAJOR(unit) != MD_MAJOR)
359 + unit &= ~((1<<MdpMinorShift)-1);
360 +
361 retry:
362 spin_lock(&all_mddevs_lock);
363
364 diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
365 index c7a65b1..c878dad 100644
366 --- a/drivers/media/dvb/ttpci/av7110_ca.c
367 +++ b/drivers/media/dvb/ttpci/av7110_ca.c
368 @@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file,
369 {
370 ca_slot_info_t *info=(ca_slot_info_t *)parg;
371
372 - if (info->num > 1)
373 + if (info->num < 0 || info->num > 1)
374 return -EINVAL;
375 av7110->ci_slot[info->num].num = info->num;
376 av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
377 diff --git a/drivers/media/radio/radio-aimslab.c b/drivers/media/radio/radio-aimslab.c
378 index 30052db..2bd1c1b 100644
379 --- a/drivers/media/radio/radio-aimslab.c
380 +++ b/drivers/media/radio/radio-aimslab.c
381 @@ -31,6 +31,7 @@
382 #include <linux/module.h> /* Modules */
383 #include <linux/init.h> /* Initdata */
384 #include <linux/ioport.h> /* request_region */
385 +#include <linux/delay.h> /* msleep */
386 #include <linux/videodev2.h> /* kernel radio structs */
387 #include <linux/version.h> /* for KERNEL_VERSION MACRO */
388 #include <linux/io.h> /* outb, outb_p */
389 diff --git a/drivers/message/fusion/mptctl.c b/drivers/message/fusion/mptctl.c
390 index 352acd0..8c85632 100644
391 --- a/drivers/message/fusion/mptctl.c
392 +++ b/drivers/message/fusion/mptctl.c
393 @@ -577,6 +577,13 @@ mptctl_event_process(MPT_ADAPTER *ioc, EventNotificationReply_t *pEvReply)
394 }
395
396 static int
397 +mptctl_release(struct inode *inode, struct file *filep)
398 +{
399 + fasync_helper(-1, filep, 0, &async_queue);
400 + return 0;
401 +}
402 +
403 +static int
404 mptctl_fasync(int fd, struct file *filep, int mode)
405 {
406 MPT_ADAPTER *ioc;
407 @@ -2778,6 +2785,7 @@ static const struct file_operations mptctl_fops = {
408 .llseek = no_llseek,
409 .fasync = mptctl_fasync,
410 .unlocked_ioctl = mptctl_ioctl,
411 + .release = mptctl_release,
412 #ifdef CONFIG_COMPAT
413 .compat_ioctl = compat_mpctl_ioctl,
414 #endif
415 diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
416 index 56d98eb..bd096ca 100644
417 --- a/drivers/message/fusion/mptscsih.c
418 +++ b/drivers/message/fusion/mptscsih.c
419 @@ -1835,8 +1835,9 @@ mptscsih_abort(struct scsi_cmnd * SCpnt)
420 }
421
422 out:
423 - printk(MYIOC_s_INFO_FMT "task abort: %s (sc=%p)\n",
424 - ioc->name, ((retval == SUCCESS) ? "SUCCESS" : "FAILED"), SCpnt);
425 + printk(MYIOC_s_INFO_FMT "task abort: %s (rv=%04x) (sc=%p) (sn=%ld)\n",
426 + ioc->name, ((retval == SUCCESS) ? "SUCCESS" : "FAILED"), retval,
427 + SCpnt, SCpnt->serial_number);
428
429 return retval;
430 }
431 @@ -1873,7 +1874,7 @@ mptscsih_dev_reset(struct scsi_cmnd * SCpnt)
432
433 vdevice = SCpnt->device->hostdata;
434 if (!vdevice || !vdevice->vtarget) {
435 - retval = SUCCESS;
436 + retval = 0;
437 goto out;
438 }
439
440 diff --git a/drivers/net/benet/be.h b/drivers/net/benet/be.h
441 index 511b922..5c74ff0 100644
442 --- a/drivers/net/benet/be.h
443 +++ b/drivers/net/benet/be.h
444 @@ -165,6 +165,7 @@ struct be_drvr_stats {
445 ulong be_tx_jiffies;
446 u64 be_tx_bytes;
447 u64 be_tx_bytes_prev;
448 + u64 be_tx_pkts;
449 u32 be_tx_rate;
450
451 u32 cache_barrier[16];
452 @@ -176,6 +177,7 @@ struct be_drvr_stats {
453 ulong be_rx_jiffies;
454 u64 be_rx_bytes;
455 u64 be_rx_bytes_prev;
456 + u64 be_rx_pkts;
457 u32 be_rx_rate;
458 /* number of non ether type II frames dropped where
459 * frame len > length field of Mac Hdr */
460 diff --git a/drivers/net/benet/be_main.c b/drivers/net/benet/be_main.c
461 index ec983cb..000e377 100644
462 --- a/drivers/net/benet/be_main.c
463 +++ b/drivers/net/benet/be_main.c
464 @@ -146,13 +146,10 @@ void netdev_stats_update(struct be_adapter *adapter)
465 struct net_device_stats *dev_stats = &adapter->stats.net_stats;
466 struct be_erx_stats *erx_stats = &hw_stats->erx;
467
468 - dev_stats->rx_packets = port_stats->rx_total_frames;
469 - dev_stats->tx_packets = port_stats->tx_unicastframes +
470 - port_stats->tx_multicastframes + port_stats->tx_broadcastframes;
471 - dev_stats->rx_bytes = (u64) port_stats->rx_bytes_msd << 32 |
472 - (u64) port_stats->rx_bytes_lsd;
473 - dev_stats->tx_bytes = (u64) port_stats->tx_bytes_msd << 32 |
474 - (u64) port_stats->tx_bytes_lsd;
475 + dev_stats->rx_packets = drvr_stats(adapter)->be_rx_pkts;
476 + dev_stats->tx_packets = drvr_stats(adapter)->be_tx_pkts;
477 + dev_stats->rx_bytes = drvr_stats(adapter)->be_rx_bytes;
478 + dev_stats->tx_bytes = drvr_stats(adapter)->be_tx_bytes;
479
480 /* bad pkts received */
481 dev_stats->rx_errors = port_stats->rx_crc_errors +
482 @@ -309,12 +306,13 @@ static void be_tx_rate_update(struct be_adapter *adapter)
483 }
484
485 static void be_tx_stats_update(struct be_adapter *adapter,
486 - u32 wrb_cnt, u32 copied, bool stopped)
487 + u32 wrb_cnt, u32 copied, u32 gso_segs, bool stopped)
488 {
489 struct be_drvr_stats *stats = drvr_stats(adapter);
490 stats->be_tx_reqs++;
491 stats->be_tx_wrbs += wrb_cnt;
492 stats->be_tx_bytes += copied;
493 + stats->be_tx_pkts += (gso_segs ? gso_segs : 1);
494 if (stopped)
495 stats->be_tx_stops++;
496 }
497 @@ -462,7 +460,8 @@ static netdev_tx_t be_xmit(struct sk_buff *skb,
498
499 be_txq_notify(adapter, txq->id, wrb_cnt);
500
501 - be_tx_stats_update(adapter, wrb_cnt, copied, stopped);
502 + be_tx_stats_update(adapter, wrb_cnt, copied,
503 + skb_shinfo(skb)->gso_segs, stopped);
504 } else {
505 txq->head = start;
506 dev_kfree_skb_any(skb);
507 @@ -605,6 +604,7 @@ static void be_rx_stats_update(struct be_adapter *adapter,
508 stats->be_rx_compl++;
509 stats->be_rx_frags += numfrags;
510 stats->be_rx_bytes += pktsize;
511 + stats->be_rx_pkts++;
512 }
513
514 static inline bool do_pkt_csum(struct be_eth_rx_compl *rxcp, bool cso)
515 diff --git a/drivers/net/bonding/bond_ipv6.c b/drivers/net/bonding/bond_ipv6.c
516 index 83921ab..642a3b9 100644
517 --- a/drivers/net/bonding/bond_ipv6.c
518 +++ b/drivers/net/bonding/bond_ipv6.c
519 @@ -66,6 +66,13 @@ static void bond_na_send(struct net_device *slave_dev,
520 };
521 struct sk_buff *skb;
522
523 + /* The Ethernet header is built in ndisc_send_skb(), not
524 + * ndisc_build_skb(), so we cannot insert a VLAN tag. Only an
525 + * out-of-line tag inserted by the hardware will work.
526 + */
527 + if (vlan_id && !(slave_dev->features & NETIF_F_HW_VLAN_TX))
528 + return;
529 +
530 icmp6h.icmp6_router = router;
531 icmp6h.icmp6_solicited = 0;
532 icmp6h.icmp6_override = 1;
533 @@ -84,7 +91,7 @@ static void bond_na_send(struct net_device *slave_dev,
534 }
535
536 if (vlan_id) {
537 - skb = vlan_put_tag(skb, vlan_id);
538 + skb = __vlan_hwaccel_put_tag(skb, vlan_id);
539 if (!skb) {
540 pr_err(DRV_NAME ": failed to insert VLAN tag\n");
541 return;
542 diff --git a/drivers/net/ixgbe/ixgbe_82599.c b/drivers/net/ixgbe/ixgbe_82599.c
543 index 9c42149..23e521f 100644
544 --- a/drivers/net/ixgbe/ixgbe_82599.c
545 +++ b/drivers/net/ixgbe/ixgbe_82599.c
546 @@ -338,6 +338,7 @@ static enum ixgbe_media_type ixgbe_get_media_type_82599(struct ixgbe_hw *hw)
547 media_type = ixgbe_media_type_backplane;
548 break;
549 case IXGBE_DEV_ID_82599_SFP:
550 + case IXGBE_DEV_ID_82599_SFP_EM:
551 media_type = ixgbe_media_type_fiber;
552 break;
553 case IXGBE_DEV_ID_82599_CX4:
554 diff --git a/drivers/net/ixgbe/ixgbe_main.c b/drivers/net/ixgbe/ixgbe_main.c
555 index a873c5d..20db37e 100644
556 --- a/drivers/net/ixgbe/ixgbe_main.c
557 +++ b/drivers/net/ixgbe/ixgbe_main.c
558 @@ -100,6 +100,8 @@ static struct pci_device_id ixgbe_pci_tbl[] = {
559 board_82599 },
560 {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_SFP),
561 board_82599 },
562 + {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_SFP_EM),
563 + board_82599 },
564 {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_KX4_MEZZ),
565 board_82599 },
566 {PCI_VDEVICE(INTEL, IXGBE_DEV_ID_82599_CX4),
567 @@ -791,6 +793,7 @@ static bool ixgbe_clean_rx_irq(struct ixgbe_q_vector *q_vector,
568 break;
569 (*work_done)++;
570
571 + rmb(); /* read descriptor and rx_buffer_info after status DD */
572 if (rx_ring->flags & IXGBE_RING_RX_PS_ENABLED) {
573 hdr_info = le16_to_cpu(ixgbe_get_hdr_info(rx_desc));
574 len = (hdr_info & IXGBE_RXDADV_HDRBUFLEN_MASK) >>
575 diff --git a/drivers/net/ixgbe/ixgbe_type.h b/drivers/net/ixgbe/ixgbe_type.h
576 index 7d66f5b..b17aa73 100644
577 --- a/drivers/net/ixgbe/ixgbe_type.h
578 +++ b/drivers/net/ixgbe/ixgbe_type.h
579 @@ -53,6 +53,7 @@
580 #define IXGBE_DEV_ID_82599_KR 0x1517
581 #define IXGBE_DEV_ID_82599_CX4 0x10F9
582 #define IXGBE_DEV_ID_82599_SFP 0x10FB
583 +#define IXGBE_DEV_ID_82599_SFP_EM 0x1507
584 #define IXGBE_DEV_ID_82599_XAUI_LOM 0x10FC
585 #define IXGBE_DEV_ID_82599_COMBO_BACKPLANE 0x10F8
586
587 diff --git a/drivers/net/wireless/p54/p54pci.c b/drivers/net/wireless/p54/p54pci.c
588 index 3df13f5..d21fb27 100644
589 --- a/drivers/net/wireless/p54/p54pci.c
590 +++ b/drivers/net/wireless/p54/p54pci.c
591 @@ -198,6 +198,7 @@ static void p54p_check_rx_ring(struct ieee80211_hw *dev, u32 *index,
592 while (i != idx) {
593 u16 len;
594 struct sk_buff *skb;
595 + dma_addr_t dma_addr;
596 desc = &ring[i];
597 len = le16_to_cpu(desc->len);
598 skb = rx_buf[i];
599 @@ -215,17 +216,20 @@ static void p54p_check_rx_ring(struct ieee80211_hw *dev, u32 *index,
600
601 len = priv->common.rx_mtu;
602 }
603 + dma_addr = le32_to_cpu(desc->host_addr);
604 + pci_dma_sync_single_for_cpu(priv->pdev, dma_addr,
605 + priv->common.rx_mtu + 32, PCI_DMA_FROMDEVICE);
606 skb_put(skb, len);
607
608 if (p54_rx(dev, skb)) {
609 - pci_unmap_single(priv->pdev,
610 - le32_to_cpu(desc->host_addr),
611 - priv->common.rx_mtu + 32,
612 - PCI_DMA_FROMDEVICE);
613 + pci_unmap_single(priv->pdev, dma_addr,
614 + priv->common.rx_mtu + 32, PCI_DMA_FROMDEVICE);
615 rx_buf[i] = NULL;
616 - desc->host_addr = 0;
617 + desc->host_addr = cpu_to_le32(0);
618 } else {
619 skb_trim(skb, 0);
620 + pci_dma_sync_single_for_device(priv->pdev, dma_addr,
621 + priv->common.rx_mtu + 32, PCI_DMA_FROMDEVICE);
622 desc->len = cpu_to_le16(priv->common.rx_mtu + 32);
623 }
624
625 diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
626 index 454970d..52183c4 100644
627 --- a/drivers/platform/x86/acer-wmi.c
628 +++ b/drivers/platform/x86/acer-wmi.c
629 @@ -90,7 +90,7 @@ struct acer_quirks {
630 */
631 #define AMW0_GUID1 "67C3371D-95A3-4C37-BB61-DD47B491DAAB"
632 #define AMW0_GUID2 "431F16ED-0C2B-444C-B267-27DEB140CF9C"
633 -#define WMID_GUID1 "6AF4F258-B401-42fd-BE91-3D4AC2D7C0D3"
634 +#define WMID_GUID1 "6AF4F258-B401-42FD-BE91-3D4AC2D7C0D3"
635 #define WMID_GUID2 "95764E09-FB56-4e83-B31A-37761F60994A"
636
637 MODULE_ALIAS("wmi:67C3371D-95A3-4C37-BB61-DD47B491DAAB");
638 @@ -1065,7 +1065,7 @@ static ssize_t set_bool_threeg(struct device *dev,
639 return -EINVAL;
640 return count;
641 }
642 -static DEVICE_ATTR(threeg, S_IWUGO | S_IRUGO | S_IWUSR, show_bool_threeg,
643 +static DEVICE_ATTR(threeg, S_IRUGO | S_IWUSR, show_bool_threeg,
644 set_bool_threeg);
645
646 static ssize_t show_interface(struct device *dev, struct device_attribute *attr,
647 diff --git a/drivers/platform/x86/asus_acpi.c b/drivers/platform/x86/asus_acpi.c
648 index ddf5240..d66c07a 100644
649 --- a/drivers/platform/x86/asus_acpi.c
650 +++ b/drivers/platform/x86/asus_acpi.c
651 @@ -1001,14 +1001,8 @@ static int asus_hotk_add_fs(struct acpi_device *device)
652 struct proc_dir_entry *proc;
653 mode_t mode;
654
655 - /*
656 - * If parameter uid or gid is not changed, keep the default setting for
657 - * our proc entries (-rw-rw-rw-) else, it means we care about security,
658 - * and then set to -rw-rw----
659 - */
660 -
661 if ((asus_uid == 0) && (asus_gid == 0)) {
662 - mode = S_IFREG | S_IRUGO | S_IWUGO;
663 + mode = S_IFREG | S_IRUGO | S_IWUSR | S_IWGRP;
664 } else {
665 mode = S_IFREG | S_IRUSR | S_IRGRP | S_IWUSR | S_IWGRP;
666 printk(KERN_WARNING " asus_uid and asus_gid parameters are "
667 diff --git a/drivers/platform/x86/tc1100-wmi.c b/drivers/platform/x86/tc1100-wmi.c
668 index 4416600..00aabd3 100644
669 --- a/drivers/platform/x86/tc1100-wmi.c
670 +++ b/drivers/platform/x86/tc1100-wmi.c
671 @@ -177,7 +177,7 @@ set_bool_##value(struct device *dev, struct device_attribute *attr, \
672 return -EINVAL; \
673 return count; \
674 } \
675 -static DEVICE_ATTR(value, S_IWUGO | S_IRUGO | S_IWUSR, \
676 +static DEVICE_ATTR(value, S_IRUGO | S_IWUSR, \
677 show_bool_##value, set_bool_##value);
678
679 show_set_bool(wireless, TC1100_INSTANCE_WIRELESS);
680 diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
681 index b5cdefa..e2a3719 100644
682 --- a/drivers/scsi/device_handler/scsi_dh_alua.c
683 +++ b/drivers/scsi/device_handler/scsi_dh_alua.c
684 @@ -701,6 +701,8 @@ static const struct scsi_dh_devlist alua_dev_list[] = {
685 {"IBM", "2145" },
686 {"Pillar", "Axiom" },
687 {"Intel", "Multi-Flex"},
688 + {"NETAPP", "LUN"},
689 + {"AIX", "NVDISK"},
690 {NULL, NULL}
691 };
692
693 diff --git a/drivers/staging/usbip/vhci.h b/drivers/staging/usbip/vhci.h
694 index 5e37517..57f7946 100644
695 --- a/drivers/staging/usbip/vhci.h
696 +++ b/drivers/staging/usbip/vhci.h
697 @@ -100,9 +100,6 @@ struct vhci_hcd {
698 * But, the index of this array begins from 0.
699 */
700 struct vhci_device vdev[VHCI_NPORTS];
701 -
702 - /* vhci_device which has not been assiged its address yet */
703 - int pending_port;
704 };
705
706
707 @@ -119,6 +116,9 @@ void rh_port_disconnect(int rhport);
708 void vhci_rx_loop(struct usbip_task *ut);
709 void vhci_tx_loop(struct usbip_task *ut);
710
711 +struct urb *pickup_urb_and_free_priv(struct vhci_device *vdev,
712 + __u32 seqnum);
713 +
714 #define hardware (&the_controller->pdev.dev)
715
716 static inline struct vhci_device *port_to_vdev(__u32 port)
717 diff --git a/drivers/staging/usbip/vhci_hcd.c b/drivers/staging/usbip/vhci_hcd.c
718 index 5ea5d57..1c17319 100644
719 --- a/drivers/staging/usbip/vhci_hcd.c
720 +++ b/drivers/staging/usbip/vhci_hcd.c
721 @@ -137,8 +137,6 @@ void rh_port_connect(int rhport, enum usb_device_speed speed)
722 * the_controller->vdev[rhport].ud.status = VDEV_CONNECT;
723 * spin_unlock(&the_controller->vdev[rhport].ud.lock); */
724
725 - the_controller->pending_port = rhport;
726 -
727 spin_unlock_irqrestore(&the_controller->lock, flags);
728
729 usb_hcd_poll_rh_status(vhci_to_hcd(the_controller));
730 @@ -558,6 +556,7 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
731 struct device *dev = &urb->dev->dev;
732 int ret = 0;
733 unsigned long flags;
734 + struct vhci_device *vdev;
735
736 usbip_dbg_vhci_hc("enter, usb_hcd %p urb %p mem_flags %d\n",
737 hcd, urb, mem_flags);
738 @@ -573,6 +572,18 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
739 return urb->status;
740 }
741
742 + vdev = port_to_vdev(urb->dev->portnum-1);
743 +
744 + /* refuse enqueue for dead connection */
745 + spin_lock(&vdev->ud.lock);
746 + if (vdev->ud.status == VDEV_ST_NULL || vdev->ud.status == VDEV_ST_ERROR) {
747 + usbip_uerr("enqueue for inactive port %d\n", vdev->rhport);
748 + spin_unlock(&vdev->ud.lock);
749 + spin_unlock_irqrestore(&the_controller->lock, flags);
750 + return -ENODEV;
751 + }
752 + spin_unlock(&vdev->ud.lock);
753 +
754 ret = usb_hcd_link_urb_to_ep(hcd, urb);
755 if (ret)
756 goto no_need_unlink;
757 @@ -591,8 +602,6 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
758 __u8 type = usb_pipetype(urb->pipe);
759 struct usb_ctrlrequest *ctrlreq =
760 (struct usb_ctrlrequest *) urb->setup_packet;
761 - struct vhci_device *vdev =
762 - port_to_vdev(the_controller->pending_port);
763
764 if (type != PIPE_CONTROL || !ctrlreq) {
765 dev_err(dev, "invalid request to devnum 0\n");
766 @@ -606,7 +615,9 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
767 dev_info(dev, "SetAddress Request (%d) to port %d\n",
768 ctrlreq->wValue, vdev->rhport);
769
770 - vdev->udev = urb->dev;
771 + if (vdev->udev)
772 + usb_put_dev(vdev->udev);
773 + vdev->udev = usb_get_dev(urb->dev);
774
775 spin_lock(&vdev->ud.lock);
776 vdev->ud.status = VDEV_ST_USED;
777 @@ -626,8 +637,9 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
778 "Get_Descriptor to device 0 "
779 "(get max pipe size)\n");
780
781 - /* FIXME: reference count? (usb_get_dev()) */
782 - vdev->udev = urb->dev;
783 + if (vdev->udev)
784 + usb_put_dev(vdev->udev);
785 + vdev->udev = usb_get_dev(urb->dev);
786 goto out;
787
788 default:
789 @@ -804,7 +816,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
790 return 0;
791 }
792
793 -
794 static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
795 {
796 struct vhci_unlink *unlink, *tmp;
797 @@ -812,11 +823,34 @@ static void vhci_device_unlink_cleanup(struct vhci_device *vdev)
798 spin_lock(&vdev->priv_lock);
799
800 list_for_each_entry_safe(unlink, tmp, &vdev->unlink_tx, list) {
801 + usbip_uinfo("unlink cleanup tx %lu\n", unlink->unlink_seqnum);
802 list_del(&unlink->list);
803 kfree(unlink);
804 }
805
806 list_for_each_entry_safe(unlink, tmp, &vdev->unlink_rx, list) {
807 + struct urb *urb;
808 +
809 + /* give back URB of unanswered unlink request */
810 + usbip_uinfo("unlink cleanup rx %lu\n", unlink->unlink_seqnum);
811 +
812 + urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
813 + if (!urb) {
814 + usbip_uinfo("the urb (seqnum %lu) was already given back\n",
815 + unlink->unlink_seqnum);
816 + list_del(&unlink->list);
817 + kfree(unlink);
818 + continue;
819 + }
820 +
821 + urb->status = -ENODEV;
822 +
823 + spin_lock(&the_controller->lock);
824 + usb_hcd_unlink_urb_from_ep(vhci_to_hcd(the_controller), urb);
825 + spin_unlock(&the_controller->lock);
826 +
827 + usb_hcd_giveback_urb(vhci_to_hcd(the_controller), urb, urb->status);
828 +
829 list_del(&unlink->list);
830 kfree(unlink);
831 }
832 @@ -886,6 +920,10 @@ static void vhci_device_reset(struct usbip_device *ud)
833 vdev->speed = 0;
834 vdev->devid = 0;
835
836 + if (vdev->udev)
837 + usb_put_dev(vdev->udev);
838 + vdev->udev = NULL;
839 +
840 ud->tcp_socket = NULL;
841
842 ud->status = VDEV_ST_NULL;
843 diff --git a/drivers/staging/usbip/vhci_rx.c b/drivers/staging/usbip/vhci_rx.c
844 index 7636d86..2d989c4 100644
845 --- a/drivers/staging/usbip/vhci_rx.c
846 +++ b/drivers/staging/usbip/vhci_rx.c
847 @@ -21,16 +21,14 @@
848 #include "vhci.h"
849
850
851 -/* get URB from transmitted urb queue */
852 -static struct urb *pickup_urb_and_free_priv(struct vhci_device *vdev,
853 +/* get URB from transmitted urb queue. caller must hold vdev->priv_lock */
854 +struct urb *pickup_urb_and_free_priv(struct vhci_device *vdev,
855 __u32 seqnum)
856 {
857 struct vhci_priv *priv, *tmp;
858 struct urb *urb = NULL;
859 int status;
860
861 - spin_lock(&vdev->priv_lock);
862 -
863 list_for_each_entry_safe(priv, tmp, &vdev->priv_rx, list) {
864 if (priv->seqnum == seqnum) {
865 urb = priv->urb;
866 @@ -61,8 +59,6 @@ static struct urb *pickup_urb_and_free_priv(struct vhci_device *vdev,
867 }
868 }
869
870 - spin_unlock(&vdev->priv_lock);
871 -
872 return urb;
873 }
874
875 @@ -72,9 +68,11 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
876 struct usbip_device *ud = &vdev->ud;
877 struct urb *urb;
878
879 + spin_lock(&vdev->priv_lock);
880
881 urb = pickup_urb_and_free_priv(vdev, pdu->base.seqnum);
882
883 + spin_unlock(&vdev->priv_lock);
884
885 if (!urb) {
886 usbip_uerr("cannot find a urb of seqnum %u\n",
887 @@ -159,7 +157,12 @@ static void vhci_recv_ret_unlink(struct vhci_device *vdev,
888 return;
889 }
890
891 + spin_lock(&vdev->priv_lock);
892 +
893 urb = pickup_urb_and_free_priv(vdev, unlink->unlink_seqnum);
894 +
895 + spin_unlock(&vdev->priv_lock);
896 +
897 if (!urb) {
898 /*
899 * I get the result of a unlink request. But, it seems that I
900 diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c
901 index 91f2885..5915651 100644
902 --- a/drivers/usb/core/hcd-pci.c
903 +++ b/drivers/usb/core/hcd-pci.c
904 @@ -197,8 +197,10 @@ void usb_hcd_pci_shutdown(struct pci_dev *dev)
905 if (!hcd)
906 return;
907
908 - if (hcd->driver->shutdown)
909 + if (hcd->driver->shutdown) {
910 hcd->driver->shutdown(hcd);
911 + pci_disable_device(dev);
912 + }
913 }
914 EXPORT_SYMBOL_GPL(usb_hcd_pci_shutdown);
915
916 diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
917 index 80b062b..62e1cfd 100644
918 --- a/drivers/usb/core/quirks.c
919 +++ b/drivers/usb/core/quirks.c
920 @@ -48,6 +48,10 @@ static const struct usb_device_id usb_quirk_list[] = {
921 { USB_DEVICE(0x04b4, 0x0526), .driver_info =
922 USB_QUIRK_CONFIG_INTF_STRINGS },
923
924 + /* Samsung Android phone modem - ID conflict with SPH-I500 */
925 + { USB_DEVICE(0x04e8, 0x6601), .driver_info =
926 + USB_QUIRK_CONFIG_INTF_STRINGS },
927 +
928 /* Roland SC-8820 */
929 { USB_DEVICE(0x0582, 0x0007), .driver_info = USB_QUIRK_RESET_RESUME },
930
931 @@ -68,6 +72,10 @@ static const struct usb_device_id usb_quirk_list[] = {
932 /* M-Systems Flash Disk Pioneers */
933 { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME },
934
935 + /* Keytouch QWERTY Panel keyboard */
936 + { USB_DEVICE(0x0926, 0x3333), .driver_info =
937 + USB_QUIRK_CONFIG_INTF_STRINGS },
938 +
939 /* X-Rite/Gretag-Macbeth Eye-One Pro display colorimeter */
940 { USB_DEVICE(0x0971, 0x2000), .driver_info = USB_QUIRK_NO_SET_INTF },
941
942 diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
943 index 24eb747..48418f2 100644
944 --- a/drivers/usb/host/ohci-hcd.c
945 +++ b/drivers/usb/host/ohci-hcd.c
946 @@ -398,7 +398,14 @@ ohci_shutdown (struct usb_hcd *hcd)
947
948 ohci = hcd_to_ohci (hcd);
949 ohci_writel (ohci, OHCI_INTR_MIE, &ohci->regs->intrdisable);
950 - ohci_usb_reset (ohci);
951 + ohci->hc_control = ohci_readl(ohci, &ohci->regs->control);
952 +
953 + /* If the SHUTDOWN quirk is set, don't put the controller in RESET */
954 + ohci->hc_control &= (ohci->flags & OHCI_QUIRK_SHUTDOWN ?
955 + OHCI_CTRL_RWC | OHCI_CTRL_HCFS :
956 + OHCI_CTRL_RWC);
957 + ohci_writel(ohci, ohci->hc_control, &ohci->regs->control);
958 +
959 /* flush the writes */
960 (void) ohci_readl (ohci, &ohci->regs->control);
961 }
962 diff --git a/drivers/usb/host/ohci-pci.c b/drivers/usb/host/ohci-pci.c
963 index b8a1148..948a353 100644
964 --- a/drivers/usb/host/ohci-pci.c
965 +++ b/drivers/usb/host/ohci-pci.c
966 @@ -201,6 +201,20 @@ static int ohci_quirk_amd700(struct usb_hcd *hcd)
967 return 0;
968 }
969
970 +/* nVidia controllers continue to drive Reset signalling on the bus
971 + * even after system shutdown, wasting power. This flag tells the
972 + * shutdown routine to leave the controller OPERATIONAL instead of RESET.
973 + */
974 +static int ohci_quirk_nvidia_shutdown(struct usb_hcd *hcd)
975 +{
976 + struct ohci_hcd *ohci = hcd_to_ohci(hcd);
977 +
978 + ohci->flags |= OHCI_QUIRK_SHUTDOWN;
979 + ohci_dbg(ohci, "enabled nVidia shutdown quirk\n");
980 +
981 + return 0;
982 +}
983 +
984 /*
985 * The hardware normally enables the A-link power management feature, which
986 * lets the system lower the power consumption in idle states.
987 @@ -332,6 +346,10 @@ static const struct pci_device_id ohci_pci_quirks[] = {
988 PCI_DEVICE(PCI_VENDOR_ID_ATI, 0x4399),
989 .driver_data = (unsigned long)ohci_quirk_amd700,
990 },
991 + {
992 + PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_ANY_ID),
993 + .driver_data = (unsigned long) ohci_quirk_nvidia_shutdown,
994 + },
995
996 /* FIXME for some of the early AMD 760 southbridges, OHCI
997 * won't work at all. blacklist them.
998 diff --git a/drivers/usb/host/ohci.h b/drivers/usb/host/ohci.h
999 index 5bf15fe..51facb9 100644
1000 --- a/drivers/usb/host/ohci.h
1001 +++ b/drivers/usb/host/ohci.h
1002 @@ -403,6 +403,7 @@ struct ohci_hcd {
1003 #define OHCI_QUIRK_HUB_POWER 0x100 /* distrust firmware power/oc setup */
1004 #define OHCI_QUIRK_AMD_ISO 0x200 /* ISO transfers*/
1005 #define OHCI_QUIRK_AMD_PREFETCH 0x400 /* pre-fetch for ISO transfer */
1006 +#define OHCI_QUIRK_SHUTDOWN 0x800 /* nVidia power bug */
1007 // there are also chip quirks/bugs in init logic
1008
1009 struct work_struct nec_work; /* Worker for NEC quirk */
1010 diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c
1011 index 83b5f9c..464ed97 100644
1012 --- a/drivers/usb/host/pci-quirks.c
1013 +++ b/drivers/usb/host/pci-quirks.c
1014 @@ -169,6 +169,7 @@ static int __devinit mmio_resource_enabled(struct pci_dev *pdev, int idx)
1015 static void __devinit quirk_usb_handoff_ohci(struct pci_dev *pdev)
1016 {
1017 void __iomem *base;
1018 + u32 control;
1019
1020 if (!mmio_resource_enabled(pdev, 0))
1021 return;
1022 @@ -177,10 +178,14 @@ static void __devinit quirk_usb_handoff_ohci(struct pci_dev *pdev)
1023 if (base == NULL)
1024 return;
1025
1026 + control = readl(base + OHCI_CONTROL);
1027 +
1028 /* On PA-RISC, PDC can leave IR set incorrectly; ignore it there. */
1029 -#ifndef __hppa__
1030 -{
1031 - u32 control = readl(base + OHCI_CONTROL);
1032 +#ifdef __hppa__
1033 +#define OHCI_CTRL_MASK (OHCI_CTRL_RWC | OHCI_CTRL_IR)
1034 +#else
1035 +#define OHCI_CTRL_MASK OHCI_CTRL_RWC
1036 +
1037 if (control & OHCI_CTRL_IR) {
1038 int wait_time = 500; /* arbitrary; 5 seconds */
1039 writel(OHCI_INTR_OC, base + OHCI_INTRENABLE);
1040 @@ -194,13 +199,12 @@ static void __devinit quirk_usb_handoff_ohci(struct pci_dev *pdev)
1041 dev_warn(&pdev->dev, "OHCI: BIOS handoff failed"
1042 " (BIOS bug?) %08x\n",
1043 readl(base + OHCI_CONTROL));
1044 -
1045 - /* reset controller, preserving RWC */
1046 - writel(control & OHCI_CTRL_RWC, base + OHCI_CONTROL);
1047 }
1048 -}
1049 #endif
1050
1051 + /* reset controller, preserving RWC (and possibly IR) */
1052 + writel(control & OHCI_CTRL_MASK, base + OHCI_CONTROL);
1053 +
1054 /*
1055 * disable interrupts
1056 */
1057 diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
1058 index 6416a0f..974d492 100644
1059 --- a/drivers/usb/host/xhci-ring.c
1060 +++ b/drivers/usb/host/xhci-ring.c
1061 @@ -391,8 +391,11 @@ void xhci_find_new_dequeue_state(struct xhci_hcd *xhci,
1062 state->new_deq_seg = find_trb_seg(cur_td->start_seg,
1063 dev->eps[ep_index].stopped_trb,
1064 &state->new_cycle_state);
1065 - if (!state->new_deq_seg)
1066 - BUG();
1067 + if (!state->new_deq_seg) {
1068 + WARN_ON(1);
1069 + return;
1070 + }
1071 +
1072 /* Dig out the cycle state saved by the xHC during the stop ep cmd */
1073 xhci_dbg(xhci, "Finding endpoint context\n");
1074 ep_ctx = xhci_get_ep_ctx(xhci, dev->out_ctx, ep_index);
1075 @@ -403,8 +406,10 @@ void xhci_find_new_dequeue_state(struct xhci_hcd *xhci,
1076 state->new_deq_seg = find_trb_seg(state->new_deq_seg,
1077 state->new_deq_ptr,
1078 &state->new_cycle_state);
1079 - if (!state->new_deq_seg)
1080 - BUG();
1081 + if (!state->new_deq_seg) {
1082 + WARN_ON(1);
1083 + return;
1084 + }
1085
1086 trb = &state->new_deq_ptr->generic;
1087 if ((trb->field[3] & TRB_TYPE_BITMASK) == TRB_TYPE(TRB_LINK) &&
1088 @@ -1485,12 +1490,13 @@ static unsigned int count_sg_trbs_needed(struct xhci_hcd *xhci, struct urb *urb)
1089
1090 /* Scatter gather list entries may cross 64KB boundaries */
1091 running_total = TRB_MAX_BUFF_SIZE -
1092 - (sg_dma_address(sg) & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1093 + (sg_dma_address(sg) & (TRB_MAX_BUFF_SIZE - 1));
1094 + running_total &= TRB_MAX_BUFF_SIZE - 1;
1095 if (running_total != 0)
1096 num_trbs++;
1097
1098 /* How many more 64KB chunks to transfer, how many more TRBs? */
1099 - while (running_total < sg_dma_len(sg)) {
1100 + while (running_total < sg_dma_len(sg) && running_total < temp) {
1101 num_trbs++;
1102 running_total += TRB_MAX_BUFF_SIZE;
1103 }
1104 @@ -1515,11 +1521,11 @@ static unsigned int count_sg_trbs_needed(struct xhci_hcd *xhci, struct urb *urb)
1105 static void check_trb_math(struct urb *urb, int num_trbs, int running_total)
1106 {
1107 if (num_trbs != 0)
1108 - dev_dbg(&urb->dev->dev, "%s - ep %#x - Miscalculated number of "
1109 + dev_err(&urb->dev->dev, "%s - ep %#x - Miscalculated number of "
1110 "TRBs, %d left\n", __func__,
1111 urb->ep->desc.bEndpointAddress, num_trbs);
1112 if (running_total != urb->transfer_buffer_length)
1113 - dev_dbg(&urb->dev->dev, "%s - ep %#x - Miscalculated tx length, "
1114 + dev_err(&urb->dev->dev, "%s - ep %#x - Miscalculated tx length, "
1115 "queued %#x (%d), asked for %#x (%d)\n",
1116 __func__,
1117 urb->ep->desc.bEndpointAddress,
1118 @@ -1626,8 +1632,7 @@ static int queue_bulk_sg_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
1119 sg = urb->sg->sg;
1120 addr = (u64) sg_dma_address(sg);
1121 this_sg_len = sg_dma_len(sg);
1122 - trb_buff_len = TRB_MAX_BUFF_SIZE -
1123 - (addr & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1124 + trb_buff_len = TRB_MAX_BUFF_SIZE - (addr & (TRB_MAX_BUFF_SIZE - 1));
1125 trb_buff_len = min_t(int, trb_buff_len, this_sg_len);
1126 if (trb_buff_len > urb->transfer_buffer_length)
1127 trb_buff_len = urb->transfer_buffer_length;
1128 @@ -1662,7 +1667,7 @@ static int queue_bulk_sg_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
1129 (unsigned int) (addr + TRB_MAX_BUFF_SIZE) & ~(TRB_MAX_BUFF_SIZE - 1),
1130 (unsigned int) addr + trb_buff_len);
1131 if (TRB_MAX_BUFF_SIZE -
1132 - (addr & ((1 << TRB_MAX_BUFF_SHIFT) - 1)) < trb_buff_len) {
1133 + (addr & (TRB_MAX_BUFF_SIZE - 1)) < trb_buff_len) {
1134 xhci_warn(xhci, "WARN: sg dma xfer crosses 64KB boundaries!\n");
1135 xhci_dbg(xhci, "Next boundary at %#x, end dma = %#x\n",
1136 (unsigned int) (addr + TRB_MAX_BUFF_SIZE) & ~(TRB_MAX_BUFF_SIZE - 1),
1137 @@ -1700,7 +1705,7 @@ static int queue_bulk_sg_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
1138 }
1139
1140 trb_buff_len = TRB_MAX_BUFF_SIZE -
1141 - (addr & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1142 + (addr & (TRB_MAX_BUFF_SIZE - 1));
1143 trb_buff_len = min_t(int, trb_buff_len, this_sg_len);
1144 if (running_total + trb_buff_len > urb->transfer_buffer_length)
1145 trb_buff_len =
1146 @@ -1735,7 +1740,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
1147 num_trbs = 0;
1148 /* How much data is (potentially) left before the 64KB boundary? */
1149 running_total = TRB_MAX_BUFF_SIZE -
1150 - (urb->transfer_dma & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1151 + (urb->transfer_dma & (TRB_MAX_BUFF_SIZE - 1));
1152 + running_total &= TRB_MAX_BUFF_SIZE - 1;
1153
1154 /* If there's some data on this 64KB chunk, or we have to send a
1155 * zero-length transfer, we need at least one TRB
1156 @@ -1774,8 +1780,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
1157 /* How much data is in the first TRB? */
1158 addr = (u64) urb->transfer_dma;
1159 trb_buff_len = TRB_MAX_BUFF_SIZE -
1160 - (urb->transfer_dma & ((1 << TRB_MAX_BUFF_SHIFT) - 1));
1161 - if (urb->transfer_buffer_length < trb_buff_len)
1162 + (urb->transfer_dma & (TRB_MAX_BUFF_SIZE - 1));
1163 + if (trb_buff_len > urb->transfer_buffer_length)
1164 trb_buff_len = urb->transfer_buffer_length;
1165
1166 first_trb = true;
1167 diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c
1168 index 3487520..c76d102 100644
1169 --- a/drivers/usb/musb/omap2430.c
1170 +++ b/drivers/usb/musb/omap2430.c
1171 @@ -309,6 +309,7 @@ static int musb_platform_resume(struct musb *musb)
1172
1173 int musb_platform_exit(struct musb *musb)
1174 {
1175 + del_timer_sync(&musb_idle_timer);
1176
1177 omap_vbus_power(musb, 0 /*off*/, 1);
1178
1179 diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c
1180 index 328578b..1b5c9f8 100644
1181 --- a/drivers/usb/serial/sierra.c
1182 +++ b/drivers/usb/serial/sierra.c
1183 @@ -266,6 +266,9 @@ static struct usb_device_id id_table [] = {
1184 { USB_DEVICE(0x1199, 0x68A3), /* Sierra Wireless Direct IP modems */
1185 .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
1186 },
1187 + { USB_DEVICE(0x0f3d, 0x68A3), /* Airprime/Sierra Wireless Direct IP modems */
1188 + .driver_info = (kernel_ulong_t)&direct_ip_interface_blacklist
1189 + },
1190
1191 { }
1192 };
1193 diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
1194 index c140870..9af8c2f 100644
1195 --- a/drivers/usb/serial/visor.c
1196 +++ b/drivers/usb/serial/visor.c
1197 @@ -27,6 +27,7 @@
1198 #include <linux/uaccess.h>
1199 #include <linux/usb.h>
1200 #include <linux/usb/serial.h>
1201 +#include <linux/usb/cdc.h>
1202 #include "visor.h"
1203
1204 /*
1205 @@ -758,6 +759,17 @@ static int visor_probe(struct usb_serial *serial,
1206
1207 dbg("%s", __func__);
1208
1209 + /*
1210 + * some Samsung Android phones in modem mode have the same ID
1211 + * as SPH-I500, but they are ACM devices, so dont bind to them
1212 + */
1213 + if (id->idVendor == SAMSUNG_VENDOR_ID &&
1214 + id->idProduct == SAMSUNG_SPH_I500_ID &&
1215 + serial->dev->descriptor.bDeviceClass == USB_CLASS_COMM &&
1216 + serial->dev->descriptor.bDeviceSubClass ==
1217 + USB_CDC_SUBCLASS_ACM)
1218 + return -ENODEV;
1219 +
1220 if (serial->dev->actconfig->desc.bConfigurationValue != 1) {
1221 dev_err(&serial->dev->dev, "active config #%d != 1 ??\n",
1222 serial->dev->actconfig->desc.bConfigurationValue);
1223 diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
1224 index b582f09..88ba4d4 100644
1225 --- a/fs/ecryptfs/inode.c
1226 +++ b/fs/ecryptfs/inode.c
1227 @@ -988,6 +988,8 @@ int ecryptfs_getattr(struct vfsmount *mnt, struct dentry *dentry,
1228 rc = vfs_getattr(ecryptfs_dentry_to_lower_mnt(dentry),
1229 ecryptfs_dentry_to_lower(dentry), &lower_stat);
1230 if (!rc) {
1231 + fsstack_copy_attr_all(dentry->d_inode,
1232 + ecryptfs_inode_to_lower(dentry->d_inode), NULL);
1233 generic_fillattr(dentry->d_inode, stat);
1234 stat->blocks = lower_stat.blocks;
1235 }
1236 diff --git a/fs/eventpoll.c b/fs/eventpoll.c
1237 index 085c5c0..b0286c6 100644
1238 --- a/fs/eventpoll.c
1239 +++ b/fs/eventpoll.c
1240 @@ -63,6 +63,13 @@
1241 * cleanup path and it is also acquired by eventpoll_release_file()
1242 * if a file has been pushed inside an epoll set and it is then
1243 * close()d without a previous call toepoll_ctl(EPOLL_CTL_DEL).
1244 + * It is also acquired when inserting an epoll fd onto another epoll
1245 + * fd. We do this so that we walk the epoll tree and ensure that this
1246 + * insertion does not create a cycle of epoll file descriptors, which
1247 + * could lead to deadlock. We need a global mutex to prevent two
1248 + * simultaneous inserts (A into B and B into A) from racing and
1249 + * constructing a cycle without either insert observing that it is
1250 + * going to.
1251 * It is possible to drop the "ep->mtx" and to use the global
1252 * mutex "epmutex" (together with "ep->lock") to have it working,
1253 * but having "ep->mtx" will make the interface more scalable.
1254 @@ -227,6 +234,9 @@ static int max_user_watches __read_mostly;
1255 */
1256 static DEFINE_MUTEX(epmutex);
1257
1258 +/* Used to check for epoll file descriptor inclusion loops */
1259 +static struct nested_calls poll_loop_ncalls;
1260 +
1261 /* Used for safe wake up implementation */
1262 static struct nested_calls poll_safewake_ncalls;
1263
1264 @@ -1182,6 +1192,62 @@ retry:
1265 return res;
1266 }
1267
1268 +/**
1269 + * ep_loop_check_proc - Callback function to be passed to the @ep_call_nested()
1270 + * API, to verify that adding an epoll file inside another
1271 + * epoll structure, does not violate the constraints, in
1272 + * terms of closed loops, or too deep chains (which can
1273 + * result in excessive stack usage).
1274 + *
1275 + * @priv: Pointer to the epoll file to be currently checked.
1276 + * @cookie: Original cookie for this call. This is the top-of-the-chain epoll
1277 + * data structure pointer.
1278 + * @call_nests: Current dept of the @ep_call_nested() call stack.
1279 + *
1280 + * Returns: Returns zero if adding the epoll @file inside current epoll
1281 + * structure @ep does not violate the constraints, or -1 otherwise.
1282 + */
1283 +static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
1284 +{
1285 + int error = 0;
1286 + struct file *file = priv;
1287 + struct eventpoll *ep = file->private_data;
1288 + struct rb_node *rbp;
1289 + struct epitem *epi;
1290 +
1291 + mutex_lock(&ep->mtx);
1292 + for (rbp = rb_first(&ep->rbr); rbp; rbp = rb_next(rbp)) {
1293 + epi = rb_entry(rbp, struct epitem, rbn);
1294 + if (unlikely(is_file_epoll(epi->ffd.file))) {
1295 + error = ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
1296 + ep_loop_check_proc, epi->ffd.file,
1297 + epi->ffd.file->private_data, current);
1298 + if (error != 0)
1299 + break;
1300 + }
1301 + }
1302 + mutex_unlock(&ep->mtx);
1303 +
1304 + return error;
1305 +}
1306 +
1307 +/**
1308 + * ep_loop_check - Performs a check to verify that adding an epoll file (@file)
1309 + * another epoll file (represented by @ep) does not create
1310 + * closed loops or too deep chains.
1311 + *
1312 + * @ep: Pointer to the epoll private data structure.
1313 + * @file: Pointer to the epoll file to be checked.
1314 + *
1315 + * Returns: Returns zero if adding the epoll @file inside current epoll
1316 + * structure @ep does not violate the constraints, or -1 otherwise.
1317 + */
1318 +static int ep_loop_check(struct eventpoll *ep, struct file *file)
1319 +{
1320 + return ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
1321 + ep_loop_check_proc, file, ep, current);
1322 +}
1323 +
1324 /*
1325 * Open an eventpoll file descriptor.
1326 */
1327 @@ -1230,6 +1296,7 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
1328 struct epoll_event __user *, event)
1329 {
1330 int error;
1331 + int did_lock_epmutex = 0;
1332 struct file *file, *tfile;
1333 struct eventpoll *ep;
1334 struct epitem *epi;
1335 @@ -1271,6 +1338,25 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
1336 */
1337 ep = file->private_data;
1338
1339 + /*
1340 + * When we insert an epoll file descriptor, inside another epoll file
1341 + * descriptor, there is the change of creating closed loops, which are
1342 + * better be handled here, than in more critical paths.
1343 + *
1344 + * We hold epmutex across the loop check and the insert in this case, in
1345 + * order to prevent two separate inserts from racing and each doing the
1346 + * insert "at the same time" such that ep_loop_check passes on both
1347 + * before either one does the insert, thereby creating a cycle.
1348 + */
1349 + if (unlikely(is_file_epoll(tfile) && op == EPOLL_CTL_ADD)) {
1350 + mutex_lock(&epmutex);
1351 + did_lock_epmutex = 1;
1352 + error = -ELOOP;
1353 + if (ep_loop_check(ep, tfile) != 0)
1354 + goto error_tgt_fput;
1355 + }
1356 +
1357 +
1358 mutex_lock(&ep->mtx);
1359
1360 /*
1361 @@ -1306,6 +1392,9 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
1362 mutex_unlock(&ep->mtx);
1363
1364 error_tgt_fput:
1365 + if (unlikely(did_lock_epmutex))
1366 + mutex_unlock(&epmutex);
1367 +
1368 fput(tfile);
1369 error_fput:
1370 fput(file);
1371 @@ -1424,6 +1513,12 @@ static int __init eventpoll_init(void)
1372 max_user_watches = (((si.totalram - si.totalhigh) / 25) << PAGE_SHIFT) /
1373 EP_ITEM_COST;
1374
1375 + /*
1376 + * Initialize the structure used to perform epoll file descriptor
1377 + * inclusion loops checks.
1378 + */
1379 + ep_nested_calls_init(&poll_loop_ncalls);
1380 +
1381 /* Initialize the structure used to perform safe poll wait head wake ups */
1382 ep_nested_calls_init(&poll_safewake_ncalls);
1383
1384 diff --git a/fs/file_table.c b/fs/file_table.c
1385 index 666c7ce..464248f 100644
1386 --- a/fs/file_table.c
1387 +++ b/fs/file_table.c
1388 @@ -121,13 +121,13 @@ struct file *get_empty_filp(void)
1389 goto fail;
1390
1391 percpu_counter_inc(&nr_files);
1392 + f->f_cred = get_cred(cred);
1393 if (security_file_alloc(f))
1394 goto fail_sec;
1395
1396 INIT_LIST_HEAD(&f->f_u.fu_list);
1397 atomic_long_set(&f->f_count, 1);
1398 rwlock_init(&f->f_owner.lock);
1399 - f->f_cred = get_cred(cred);
1400 spin_lock_init(&f->f_lock);
1401 eventpoll_init_file(f);
1402 /* f->f_version: 0 */
1403 diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c
1404 index 6d47379..583e823 100644
1405 --- a/fs/gfs2/bmap.c
1406 +++ b/fs/gfs2/bmap.c
1407 @@ -541,7 +541,7 @@ static int gfs2_bmap_alloc(struct inode *inode, const sector_t lblock,
1408 *ptr++ = cpu_to_be64(bn++);
1409 break;
1410 }
1411 - } while (state != ALLOC_DATA);
1412 + } while ((state != ALLOC_DATA) || !dblock);
1413
1414 ip->i_height = height;
1415 gfs2_add_inode_blocks(&ip->i_inode, alloced);
1416 diff --git a/fs/nfs/file.c b/fs/nfs/file.c
1417 index 6fed6cc..99545e2 100644
1418 --- a/fs/nfs/file.c
1419 +++ b/fs/nfs/file.c
1420 @@ -220,7 +220,7 @@ static int nfs_do_fsync(struct nfs_open_context *ctx, struct inode *inode)
1421 have_error |= test_bit(NFS_CONTEXT_ERROR_WRITE, &ctx->flags);
1422 if (have_error)
1423 ret = xchg(&ctx->error, 0);
1424 - if (!ret)
1425 + if (!ret && status < 0)
1426 ret = status;
1427 return ret;
1428 }
1429 diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
1430 index 12f62ff..e5bab6e 100644
1431 --- a/fs/nfsd/nfs4xdr.c
1432 +++ b/fs/nfsd/nfs4xdr.c
1433 @@ -323,8 +323,8 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
1434 READ_BUF(dummy32);
1435 len += (XDR_QUADLEN(dummy32) << 2);
1436 READMEM(buf, dummy32);
1437 - if ((host_err = nfsd_map_name_to_uid(argp->rqstp, buf, dummy32, &iattr->ia_uid)))
1438 - goto out_nfserr;
1439 + if ((status = nfsd_map_name_to_uid(argp->rqstp, buf, dummy32, &iattr->ia_uid)))
1440 + return status;
1441 iattr->ia_valid |= ATTR_UID;
1442 }
1443 if (bmval[1] & FATTR4_WORD1_OWNER_GROUP) {
1444 @@ -334,8 +334,8 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval,
1445 READ_BUF(dummy32);
1446 len += (XDR_QUADLEN(dummy32) << 2);
1447 READMEM(buf, dummy32);
1448 - if ((host_err = nfsd_map_name_to_gid(argp->rqstp, buf, dummy32, &iattr->ia_gid)))
1449 - goto out_nfserr;
1450 + if ((status = nfsd_map_name_to_gid(argp->rqstp, buf, dummy32, &iattr->ia_gid)))
1451 + return status;
1452 iattr->ia_valid |= ATTR_GID;
1453 }
1454 if (bmval[1] & FATTR4_WORD1_TIME_ACCESS_SET) {
1455 diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
1456 index 570dd1c..060a889 100644
1457 --- a/fs/nfsd/vfs.c
1458 +++ b/fs/nfsd/vfs.c
1459 @@ -823,7 +823,7 @@ nfsd_get_raparms(dev_t dev, ino_t ino)
1460 if (ra->p_count == 0)
1461 frap = rap;
1462 }
1463 - depth = nfsdstats.ra_size*11/10;
1464 + depth = nfsdstats.ra_size;
1465 if (!frap) {
1466 spin_unlock(&rab->pb_lock);
1467 return NULL;
1468 diff --git a/fs/ocfs2/stack_user.c b/fs/ocfs2/stack_user.c
1469 index ff4c798..f7c167a 100644
1470 --- a/fs/ocfs2/stack_user.c
1471 +++ b/fs/ocfs2/stack_user.c
1472 @@ -191,7 +191,7 @@ static struct ocfs2_live_connection *ocfs2_connection_find(const char *name)
1473 return c;
1474 }
1475
1476 - return c;
1477 + return NULL;
1478 }
1479
1480 /*
1481 diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
1482 index 8652fb9..2cd9e43 100644
1483 --- a/fs/partitions/ldm.c
1484 +++ b/fs/partitions/ldm.c
1485 @@ -251,6 +251,11 @@ static bool ldm_parse_vmdb (const u8 *data, struct vmdb *vm)
1486 }
1487
1488 vm->vblk_size = get_unaligned_be32(data + 0x08);
1489 + if (vm->vblk_size == 0) {
1490 + ldm_error ("Illegal VBLK size");
1491 + return false;
1492 + }
1493 +
1494 vm->vblk_offset = get_unaligned_be32(data + 0x0C);
1495 vm->last_vblk_seq = get_unaligned_be32(data + 0x04);
1496
1497 diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c
1498 index d4a0fad..5765198 100644
1499 --- a/fs/partitions/mac.c
1500 +++ b/fs/partitions/mac.c
1501 @@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len)
1502
1503 int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
1504 {
1505 - int slot = 1;
1506 Sector sect;
1507 unsigned char *data;
1508 - int blk, blocks_in_map;
1509 + int slot, blocks_in_map;
1510 unsigned secsize;
1511 #ifdef CONFIG_PPC_PMAC
1512 int found_root = 0;
1513 @@ -59,10 +58,14 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
1514 put_dev_sector(sect);
1515 return 0; /* not a MacOS disk */
1516 }
1517 - printk(" [mac]");
1518 blocks_in_map = be32_to_cpu(part->map_count);
1519 - for (blk = 1; blk <= blocks_in_map; ++blk) {
1520 - int pos = blk * secsize;
1521 + if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
1522 + put_dev_sector(sect);
1523 + return 0;
1524 + }
1525 + printk(" [mac]");
1526 + for (slot = 1; slot <= blocks_in_map; ++slot) {
1527 + int pos = slot * secsize;
1528 put_dev_sector(sect);
1529 data = read_dev_sector(bdev, pos/512, &sect);
1530 if (!data)
1531 @@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
1532 }
1533
1534 if (goodness > found_root_goodness) {
1535 - found_root = blk;
1536 + found_root = slot;
1537 found_root_goodness = goodness;
1538 }
1539 }
1540 #endif /* CONFIG_PPC_PMAC */
1541 -
1542 - ++slot;
1543 }
1544 #ifdef CONFIG_PPC_PMAC
1545 if (found_root_goodness)
1546 diff --git a/fs/proc/array.c b/fs/proc/array.c
1547 index 42fdc76..2adedda 100644
1548 --- a/fs/proc/array.c
1549 +++ b/fs/proc/array.c
1550 @@ -172,7 +172,7 @@ static inline void task_state(struct seq_file *m, struct pid_namespace *ns,
1551 if (tracer)
1552 tpid = task_pid_nr_ns(tracer, ns);
1553 }
1554 - cred = get_cred((struct cred *) __task_cred(p));
1555 + cred = get_task_cred(p);
1556 seq_printf(m,
1557 "State:\t%s\n"
1558 "Tgid:\t%d\n"
1559 @@ -336,9 +336,6 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
1560 task_sig(m, task);
1561 task_cap(m, task);
1562 cpuset_task_status_allowed(m, task);
1563 -#if defined(CONFIG_S390)
1564 - task_show_regs(m, task);
1565 -#endif
1566 task_context_switch_counts(m, task);
1567 return 0;
1568 }
1569 diff --git a/fs/read_write.c b/fs/read_write.c
1570 index 3ac2898..b7f4a1f 100644
1571 --- a/fs/read_write.c
1572 +++ b/fs/read_write.c
1573 @@ -826,8 +826,6 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
1574 if (!(out_file->f_mode & FMODE_WRITE))
1575 goto fput_out;
1576 retval = -EINVAL;
1577 - if (!out_file->f_op || !out_file->f_op->sendpage)
1578 - goto fput_out;
1579 in_inode = in_file->f_path.dentry->d_inode;
1580 out_inode = out_file->f_path.dentry->d_inode;
1581 retval = rw_verify_area(WRITE, out_file, &out_file->f_pos, count);
1582 diff --git a/fs/splice.c b/fs/splice.c
1583 index e5efbb9..7737933 100644
1584 --- a/fs/splice.c
1585 +++ b/fs/splice.c
1586 @@ -638,9 +638,11 @@ static int pipe_to_sendpage(struct pipe_inode_info *pipe,
1587 ret = buf->ops->confirm(pipe, buf);
1588 if (!ret) {
1589 more = (sd->flags & SPLICE_F_MORE) || sd->len < sd->total_len;
1590 -
1591 - ret = file->f_op->sendpage(file, buf->page, buf->offset,
1592 - sd->len, &pos, more);
1593 + if (file->f_op && file->f_op->sendpage)
1594 + ret = file->f_op->sendpage(file, buf->page, buf->offset,
1595 + sd->len, &pos, more);
1596 + else
1597 + ret = -EINVAL;
1598 }
1599
1600 return ret;
1601 @@ -1058,8 +1060,9 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
1602 if (unlikely(ret < 0))
1603 return ret;
1604
1605 - splice_write = out->f_op->splice_write;
1606 - if (!splice_write)
1607 + if (out->f_op && out->f_op->splice_write)
1608 + splice_write = out->f_op->splice_write;
1609 + else
1610 splice_write = default_file_splice_write;
1611
1612 return splice_write(pipe, out, ppos, len, flags);
1613 @@ -1083,8 +1086,9 @@ static long do_splice_to(struct file *in, loff_t *ppos,
1614 if (unlikely(ret < 0))
1615 return ret;
1616
1617 - splice_read = in->f_op->splice_read;
1618 - if (!splice_read)
1619 + if (in->f_op && in->f_op->splice_read)
1620 + splice_read = in->f_op->splice_read;
1621 + else
1622 splice_read = default_file_splice_read;
1623
1624 return splice_read(in, ppos, pipe, len, flags);
1625 @@ -1306,7 +1310,8 @@ static long do_splice(struct file *in, loff_t __user *off_in,
1626 if (off_in)
1627 return -ESPIPE;
1628 if (off_out) {
1629 - if (out->f_op->llseek == no_llseek)
1630 + if (!out->f_op || !out->f_op->llseek ||
1631 + out->f_op->llseek == no_llseek)
1632 return -EINVAL;
1633 if (copy_from_user(&offset, off_out, sizeof(loff_t)))
1634 return -EFAULT;
1635 @@ -1326,7 +1331,8 @@ static long do_splice(struct file *in, loff_t __user *off_in,
1636 if (off_out)
1637 return -ESPIPE;
1638 if (off_in) {
1639 - if (in->f_op->llseek == no_llseek)
1640 + if (!in->f_op || !in->f_op->llseek ||
1641 + in->f_op->llseek == no_llseek)
1642 return -EINVAL;
1643 if (copy_from_user(&offset, off_in, sizeof(loff_t)))
1644 return -EFAULT;
1645 diff --git a/fs/xfs/linux-2.6/xfs_export.c b/fs/xfs/linux-2.6/xfs_export.c
1646 index 87b8cbd..2521171 100644
1647 --- a/fs/xfs/linux-2.6/xfs_export.c
1648 +++ b/fs/xfs/linux-2.6/xfs_export.c
1649 @@ -127,13 +127,12 @@ xfs_nfs_get_inode(
1650 return ERR_PTR(-ESTALE);
1651
1652 /*
1653 - * The XFS_IGET_BULKSTAT means that an invalid inode number is just
1654 - * fine and not an indication of a corrupted filesystem. Because
1655 - * clients can send any kind of invalid file handle, e.g. after
1656 - * a restore on the server we have to deal with this case gracefully.
1657 + * The XFS_IGET_UNTRUSTED means that an invalid inode number is just
1658 + * fine and not an indication of a corrupted filesystem as clients can
1659 + * send invalid file handles and we have to handle it gracefully..
1660 */
1661 - error = xfs_iget(mp, NULL, ino, XFS_IGET_BULKSTAT,
1662 - XFS_ILOCK_SHARED, &ip, 0);
1663 + error = xfs_iget(mp, NULL, ino, XFS_IGET_UNTRUSTED,
1664 + XFS_ILOCK_SHARED, &ip);
1665 if (error) {
1666 /*
1667 * EINVAL means the inode cluster doesn't exist anymore.
1668 diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
1669 index 98fe0db..61496c6 100644
1670 --- a/fs/xfs/linux-2.6/xfs_ioctl.c
1671 +++ b/fs/xfs/linux-2.6/xfs_ioctl.c
1672 @@ -673,10 +673,9 @@ xfs_ioc_bulkstat(
1673 error = xfs_bulkstat_single(mp, &inlast,
1674 bulkreq.ubuffer, &done);
1675 else /* XFS_IOC_FSBULKSTAT */
1676 - error = xfs_bulkstat(mp, &inlast, &count,
1677 - (bulkstat_one_pf)xfs_bulkstat_one, NULL,
1678 - sizeof(xfs_bstat_t), bulkreq.ubuffer,
1679 - BULKSTAT_FG_QUICK, &done);
1680 + error = xfs_bulkstat(mp, &inlast, &count, xfs_bulkstat_one,
1681 + sizeof(xfs_bstat_t), bulkreq.ubuffer,
1682 + &done);
1683
1684 if (error)
1685 return -error;
1686 diff --git a/fs/xfs/linux-2.6/xfs_ioctl32.c b/fs/xfs/linux-2.6/xfs_ioctl32.c
1687 index eafcc7c..bad485a 100644
1688 --- a/fs/xfs/linux-2.6/xfs_ioctl32.c
1689 +++ b/fs/xfs/linux-2.6/xfs_ioctl32.c
1690 @@ -235,15 +235,12 @@ xfs_bulkstat_one_compat(
1691 xfs_ino_t ino, /* inode number to get data for */
1692 void __user *buffer, /* buffer to place output in */
1693 int ubsize, /* size of buffer */
1694 - void *private_data, /* my private data */
1695 - xfs_daddr_t bno, /* starting bno of inode cluster */
1696 int *ubused, /* bytes used by me */
1697 - void *dibuff, /* on-disk inode buffer */
1698 int *stat) /* BULKSTAT_RV_... */
1699 {
1700 return xfs_bulkstat_one_int(mp, ino, buffer, ubsize,
1701 - xfs_bulkstat_one_fmt_compat, bno,
1702 - ubused, dibuff, stat);
1703 + xfs_bulkstat_one_fmt_compat,
1704 + ubused, stat);
1705 }
1706
1707 /* copied from xfs_ioctl.c */
1708 @@ -296,13 +293,11 @@ xfs_compat_ioc_bulkstat(
1709 int res;
1710
1711 error = xfs_bulkstat_one_compat(mp, inlast, bulkreq.ubuffer,
1712 - sizeof(compat_xfs_bstat_t),
1713 - NULL, 0, NULL, NULL, &res);
1714 + sizeof(compat_xfs_bstat_t), 0, &res);
1715 } else if (cmd == XFS_IOC_FSBULKSTAT_32) {
1716 error = xfs_bulkstat(mp, &inlast, &count,
1717 - xfs_bulkstat_one_compat, NULL,
1718 - sizeof(compat_xfs_bstat_t), bulkreq.ubuffer,
1719 - BULKSTAT_FG_QUICK, &done);
1720 + xfs_bulkstat_one_compat, sizeof(compat_xfs_bstat_t),
1721 + bulkreq.ubuffer, &done);
1722 } else
1723 error = XFS_ERROR(EINVAL);
1724 if (error)
1725 diff --git a/fs/xfs/quota/xfs_qm.c b/fs/xfs/quota/xfs_qm.c
1726 index 45b1bfe..6b7e171 100644
1727 --- a/fs/xfs/quota/xfs_qm.c
1728 +++ b/fs/xfs/quota/xfs_qm.c
1729 @@ -1606,10 +1606,7 @@ xfs_qm_dqusage_adjust(
1730 xfs_ino_t ino, /* inode number to get data for */
1731 void __user *buffer, /* not used */
1732 int ubsize, /* not used */
1733 - void *private_data, /* not used */
1734 - xfs_daddr_t bno, /* starting block of inode cluster */
1735 int *ubused, /* not used */
1736 - void *dip, /* on-disk inode pointer (not used) */
1737 int *res) /* result code value */
1738 {
1739 xfs_inode_t *ip;
1740 @@ -1634,7 +1631,7 @@ xfs_qm_dqusage_adjust(
1741 * the case in all other instances. It's OK that we do this because
1742 * quotacheck is done only at mount time.
1743 */
1744 - if ((error = xfs_iget(mp, NULL, ino, 0, XFS_ILOCK_EXCL, &ip, bno))) {
1745 + if ((error = xfs_iget(mp, NULL, ino, 0, XFS_ILOCK_EXCL, &ip))) {
1746 *res = BULKSTAT_RV_NOTHING;
1747 return error;
1748 }
1749 @@ -1766,12 +1763,13 @@ xfs_qm_quotacheck(
1750 * Iterate thru all the inodes in the file system,
1751 * adjusting the corresponding dquot counters in core.
1752 */
1753 - if ((error = xfs_bulkstat(mp, &lastino, &count,
1754 - xfs_qm_dqusage_adjust, NULL,
1755 - structsz, NULL, BULKSTAT_FG_IGET, &done)))
1756 + error = xfs_bulkstat(mp, &lastino, &count,
1757 + xfs_qm_dqusage_adjust,
1758 + structsz, NULL, &done);
1759 + if (error)
1760 break;
1761
1762 - } while (! done);
1763 + } while (!done);
1764
1765 /*
1766 * We've made all the changes that we need to make incore.
1767 @@ -1859,14 +1857,14 @@ xfs_qm_init_quotainos(
1768 mp->m_sb.sb_uquotino != NULLFSINO) {
1769 ASSERT(mp->m_sb.sb_uquotino > 0);
1770 if ((error = xfs_iget(mp, NULL, mp->m_sb.sb_uquotino,
1771 - 0, 0, &uip, 0)))
1772 + 0, 0, &uip)))
1773 return XFS_ERROR(error);
1774 }
1775 if (XFS_IS_OQUOTA_ON(mp) &&
1776 mp->m_sb.sb_gquotino != NULLFSINO) {
1777 ASSERT(mp->m_sb.sb_gquotino > 0);
1778 if ((error = xfs_iget(mp, NULL, mp->m_sb.sb_gquotino,
1779 - 0, 0, &gip, 0))) {
1780 + 0, 0, &gip))) {
1781 if (uip)
1782 IRELE(uip);
1783 return XFS_ERROR(error);
1784 diff --git a/fs/xfs/quota/xfs_qm_syscalls.c b/fs/xfs/quota/xfs_qm_syscalls.c
1785 index 60fe358..407ddab 100644
1786 --- a/fs/xfs/quota/xfs_qm_syscalls.c
1787 +++ b/fs/xfs/quota/xfs_qm_syscalls.c
1788 @@ -266,7 +266,7 @@ xfs_qm_scall_trunc_qfiles(
1789 }
1790
1791 if ((flags & XFS_DQ_USER) && mp->m_sb.sb_uquotino != NULLFSINO) {
1792 - error = xfs_iget(mp, NULL, mp->m_sb.sb_uquotino, 0, 0, &qip, 0);
1793 + error = xfs_iget(mp, NULL, mp->m_sb.sb_uquotino, 0, 0, &qip);
1794 if (!error) {
1795 error = xfs_truncate_file(mp, qip);
1796 IRELE(qip);
1797 @@ -275,7 +275,7 @@ xfs_qm_scall_trunc_qfiles(
1798
1799 if ((flags & (XFS_DQ_GROUP|XFS_DQ_PROJ)) &&
1800 mp->m_sb.sb_gquotino != NULLFSINO) {
1801 - error2 = xfs_iget(mp, NULL, mp->m_sb.sb_gquotino, 0, 0, &qip, 0);
1802 + error2 = xfs_iget(mp, NULL, mp->m_sb.sb_gquotino, 0, 0, &qip);
1803 if (!error2) {
1804 error2 = xfs_truncate_file(mp, qip);
1805 IRELE(qip);
1806 @@ -420,12 +420,12 @@ xfs_qm_scall_getqstat(
1807 }
1808 if (!uip && mp->m_sb.sb_uquotino != NULLFSINO) {
1809 if (xfs_iget(mp, NULL, mp->m_sb.sb_uquotino,
1810 - 0, 0, &uip, 0) == 0)
1811 + 0, 0, &uip) == 0)
1812 tempuqip = B_TRUE;
1813 }
1814 if (!gip && mp->m_sb.sb_gquotino != NULLFSINO) {
1815 if (xfs_iget(mp, NULL, mp->m_sb.sb_gquotino,
1816 - 0, 0, &gip, 0) == 0)
1817 + 0, 0, &gip) == 0)
1818 tempgqip = B_TRUE;
1819 }
1820 if (uip) {
1821 @@ -1114,10 +1114,7 @@ xfs_qm_internalqcheck_adjust(
1822 xfs_ino_t ino, /* inode number to get data for */
1823 void __user *buffer, /* not used */
1824 int ubsize, /* not used */
1825 - void *private_data, /* not used */
1826 - xfs_daddr_t bno, /* starting block of inode cluster */
1827 int *ubused, /* not used */
1828 - void *dip, /* not used */
1829 int *res) /* bulkstat result code */
1830 {
1831 xfs_inode_t *ip;
1832 @@ -1139,7 +1136,7 @@ xfs_qm_internalqcheck_adjust(
1833 ipreleased = B_FALSE;
1834 again:
1835 lock_flags = XFS_ILOCK_SHARED;
1836 - if ((error = xfs_iget(mp, NULL, ino, 0, lock_flags, &ip, bno))) {
1837 + if ((error = xfs_iget(mp, NULL, ino, 0, lock_flags, &ip))) {
1838 *res = BULKSTAT_RV_NOTHING;
1839 return (error);
1840 }
1841 @@ -1212,15 +1209,15 @@ xfs_qm_internalqcheck(
1842 * Iterate thru all the inodes in the file system,
1843 * adjusting the corresponding dquot counters
1844 */
1845 - if ((error = xfs_bulkstat(mp, &lastino, &count,
1846 - xfs_qm_internalqcheck_adjust, NULL,
1847 - 0, NULL, BULKSTAT_FG_IGET, &done))) {
1848 + error = xfs_bulkstat(mp, &lastino, &count,
1849 + xfs_qm_internalqcheck_adjust,
1850 + 0, NULL, &done);
1851 + if (error) {
1852 + cmn_err(CE_DEBUG, "Bulkstat returned error 0x%x", error);
1853 break;
1854 }
1855 - } while (! done);
1856 - if (error) {
1857 - cmn_err(CE_DEBUG, "Bulkstat returned error 0x%x", error);
1858 - }
1859 + } while (!done);
1860 +
1861 cmn_err(CE_DEBUG, "Checking results against system dquots");
1862 for (i = 0; i < qmtest_hashmask; i++) {
1863 h1 = &qmtest_udqtab[i];
1864 diff --git a/fs/xfs/xfs_ialloc.c b/fs/xfs/xfs_ialloc.c
1865 index 0785797..7acab06 100644
1866 --- a/fs/xfs/xfs_ialloc.c
1867 +++ b/fs/xfs/xfs_ialloc.c
1868 @@ -1206,6 +1206,69 @@ error0:
1869 return error;
1870 }
1871
1872 +STATIC int
1873 +xfs_imap_lookup(
1874 + struct xfs_mount *mp,
1875 + struct xfs_trans *tp,
1876 + xfs_agnumber_t agno,
1877 + xfs_agino_t agino,
1878 + xfs_agblock_t agbno,
1879 + xfs_agblock_t *chunk_agbno,
1880 + xfs_agblock_t *offset_agbno,
1881 + int flags)
1882 +{
1883 + struct xfs_inobt_rec_incore rec;
1884 + struct xfs_btree_cur *cur;
1885 + struct xfs_buf *agbp;
1886 + int error;
1887 + int i;
1888 +
1889 + down_read(&mp->m_peraglock);
1890 + error = xfs_ialloc_read_agi(mp, tp, agno, &agbp);
1891 + up_read(&mp->m_peraglock);
1892 + if (error) {
1893 + xfs_fs_cmn_err(CE_ALERT, mp, "xfs_imap: "
1894 + "xfs_ialloc_read_agi() returned "
1895 + "error %d, agno %d",
1896 + error, agno);
1897 + return error;
1898 + }
1899 +
1900 + /*
1901 + * Lookup the inode record for the given agino. If the record cannot be
1902 + * found, then it's an invalid inode number and we should abort. Once
1903 + * we have a record, we need to ensure it contains the inode number
1904 + * we are looking up.
1905 + */
1906 + cur = xfs_inobt_init_cursor(mp, tp, agbp, agno);
1907 + error = xfs_inobt_lookup(cur, agino, XFS_LOOKUP_LE, &i);
1908 + if (!error) {
1909 + if (i)
1910 + error = xfs_inobt_get_rec(cur, &rec, &i);
1911 + if (!error && i == 0)
1912 + error = EINVAL;
1913 + }
1914 +
1915 + xfs_trans_brelse(tp, agbp);
1916 + xfs_btree_del_cursor(cur, XFS_BTREE_NOERROR);
1917 + if (error)
1918 + return error;
1919 +
1920 + /* check that the returned record contains the required inode */
1921 + if (rec.ir_startino > agino ||
1922 + rec.ir_startino + XFS_IALLOC_INODES(mp) <= agino)
1923 + return EINVAL;
1924 +
1925 + /* for untrusted inodes check it is allocated first */
1926 + if ((flags & XFS_IGET_UNTRUSTED) &&
1927 + (rec.ir_free & XFS_INOBT_MASK(agino - rec.ir_startino)))
1928 + return EINVAL;
1929 +
1930 + *chunk_agbno = XFS_AGINO_TO_AGBNO(mp, rec.ir_startino);
1931 + *offset_agbno = agbno - *chunk_agbno;
1932 + return 0;
1933 +}
1934 +
1935 /*
1936 * Return the location of the inode in imap, for mapping it into a buffer.
1937 */
1938 @@ -1238,8 +1301,11 @@ xfs_imap(
1939 if (agno >= mp->m_sb.sb_agcount || agbno >= mp->m_sb.sb_agblocks ||
1940 ino != XFS_AGINO_TO_INO(mp, agno, agino)) {
1941 #ifdef DEBUG
1942 - /* no diagnostics for bulkstat, ino comes from userspace */
1943 - if (flags & XFS_IGET_BULKSTAT)
1944 + /*
1945 + * Don't output diagnostic information for untrusted inodes
1946 + * as they can be invalid without implying corruption.
1947 + */
1948 + if (flags & XFS_IGET_UNTRUSTED)
1949 return XFS_ERROR(EINVAL);
1950 if (agno >= mp->m_sb.sb_agcount) {
1951 xfs_fs_cmn_err(CE_ALERT, mp,
1952 @@ -1266,6 +1332,23 @@ xfs_imap(
1953 return XFS_ERROR(EINVAL);
1954 }
1955
1956 + blks_per_cluster = XFS_INODE_CLUSTER_SIZE(mp) >> mp->m_sb.sb_blocklog;
1957 +
1958 + /*
1959 + * For bulkstat and handle lookups, we have an untrusted inode number
1960 + * that we have to verify is valid. We cannot do this just by reading
1961 + * the inode buffer as it may have been unlinked and removed leaving
1962 + * inodes in stale state on disk. Hence we have to do a btree lookup
1963 + * in all cases where an untrusted inode number is passed.
1964 + */
1965 + if (flags & XFS_IGET_UNTRUSTED) {
1966 + error = xfs_imap_lookup(mp, tp, agno, agino, agbno,
1967 + &chunk_agbno, &offset_agbno, flags);
1968 + if (error)
1969 + return error;
1970 + goto out_map;
1971 + }
1972 +
1973 /*
1974 * If the inode cluster size is the same as the blocksize or
1975 * smaller we get to the buffer by simple arithmetics.
1976 @@ -1280,24 +1363,6 @@ xfs_imap(
1977 return 0;
1978 }
1979
1980 - blks_per_cluster = XFS_INODE_CLUSTER_SIZE(mp) >> mp->m_sb.sb_blocklog;
1981 -
1982 - /*
1983 - * If we get a block number passed from bulkstat we can use it to
1984 - * find the buffer easily.
1985 - */
1986 - if (imap->im_blkno) {
1987 - offset = XFS_INO_TO_OFFSET(mp, ino);
1988 - ASSERT(offset < mp->m_sb.sb_inopblock);
1989 -
1990 - cluster_agbno = xfs_daddr_to_agbno(mp, imap->im_blkno);
1991 - offset += (agbno - cluster_agbno) * mp->m_sb.sb_inopblock;
1992 -
1993 - imap->im_len = XFS_FSB_TO_BB(mp, blks_per_cluster);
1994 - imap->im_boffset = (ushort)(offset << mp->m_sb.sb_inodelog);
1995 - return 0;
1996 - }
1997 -
1998 /*
1999 * If the inode chunks are aligned then use simple maths to
2000 * find the location. Otherwise we have to do a btree
2001 @@ -1307,52 +1372,13 @@ xfs_imap(
2002 offset_agbno = agbno & mp->m_inoalign_mask;
2003 chunk_agbno = agbno - offset_agbno;
2004 } else {
2005 - xfs_btree_cur_t *cur; /* inode btree cursor */
2006 - xfs_inobt_rec_incore_t chunk_rec;
2007 - xfs_buf_t *agbp; /* agi buffer */
2008 - int i; /* temp state */
2009 -
2010 - down_read(&mp->m_peraglock);
2011 - error = xfs_ialloc_read_agi(mp, tp, agno, &agbp);
2012 - up_read(&mp->m_peraglock);
2013 - if (error) {
2014 - xfs_fs_cmn_err(CE_ALERT, mp, "xfs_imap: "
2015 - "xfs_ialloc_read_agi() returned "
2016 - "error %d, agno %d",
2017 - error, agno);
2018 - return error;
2019 - }
2020 -
2021 - cur = xfs_inobt_init_cursor(mp, tp, agbp, agno);
2022 - error = xfs_inobt_lookup(cur, agino, XFS_LOOKUP_LE, &i);
2023 - if (error) {
2024 - xfs_fs_cmn_err(CE_ALERT, mp, "xfs_imap: "
2025 - "xfs_inobt_lookup() failed");
2026 - goto error0;
2027 - }
2028 -
2029 - error = xfs_inobt_get_rec(cur, &chunk_rec, &i);
2030 - if (error) {
2031 - xfs_fs_cmn_err(CE_ALERT, mp, "xfs_imap: "
2032 - "xfs_inobt_get_rec() failed");
2033 - goto error0;
2034 - }
2035 - if (i == 0) {
2036 -#ifdef DEBUG
2037 - xfs_fs_cmn_err(CE_ALERT, mp, "xfs_imap: "
2038 - "xfs_inobt_get_rec() failed");
2039 -#endif /* DEBUG */
2040 - error = XFS_ERROR(EINVAL);
2041 - }
2042 - error0:
2043 - xfs_trans_brelse(tp, agbp);
2044 - xfs_btree_del_cursor(cur, XFS_BTREE_NOERROR);
2045 + error = xfs_imap_lookup(mp, tp, agno, agino, agbno,
2046 + &chunk_agbno, &offset_agbno, flags);
2047 if (error)
2048 return error;
2049 - chunk_agbno = XFS_AGINO_TO_AGBNO(mp, chunk_rec.ir_startino);
2050 - offset_agbno = agbno - chunk_agbno;
2051 }
2052
2053 +out_map:
2054 ASSERT(agbno >= chunk_agbno);
2055 cluster_agbno = chunk_agbno +
2056 ((offset_agbno / blks_per_cluster) * blks_per_cluster);
2057 diff --git a/fs/xfs/xfs_iget.c b/fs/xfs/xfs_iget.c
2058 index a04a72f..16b6a33 100644
2059 --- a/fs/xfs/xfs_iget.c
2060 +++ b/fs/xfs/xfs_iget.c
2061 @@ -295,7 +295,6 @@ xfs_iget_cache_miss(
2062 xfs_trans_t *tp,
2063 xfs_ino_t ino,
2064 struct xfs_inode **ipp,
2065 - xfs_daddr_t bno,
2066 int flags,
2067 int lock_flags) __releases(pag->pag_ici_lock)
2068 {
2069 @@ -308,7 +307,7 @@ xfs_iget_cache_miss(
2070 if (!ip)
2071 return ENOMEM;
2072
2073 - error = xfs_iread(mp, tp, ip, bno, flags);
2074 + error = xfs_iread(mp, tp, ip, flags);
2075 if (error)
2076 goto out_destroy;
2077
2078 @@ -392,8 +391,6 @@ out_destroy:
2079 * within the file system for the inode being requested.
2080 * lock_flags -- flags indicating how to lock the inode. See the comment
2081 * for xfs_ilock() for a list of valid values.
2082 - * bno -- the block number starting the buffer containing the inode,
2083 - * if known (as by bulkstat), else 0.
2084 */
2085 int
2086 xfs_iget(
2087 @@ -402,8 +399,7 @@ xfs_iget(
2088 xfs_ino_t ino,
2089 uint flags,
2090 uint lock_flags,
2091 - xfs_inode_t **ipp,
2092 - xfs_daddr_t bno)
2093 + xfs_inode_t **ipp)
2094 {
2095 xfs_inode_t *ip;
2096 int error;
2097 @@ -434,7 +430,7 @@ again:
2098 read_unlock(&pag->pag_ici_lock);
2099 XFS_STATS_INC(xs_ig_missed);
2100
2101 - error = xfs_iget_cache_miss(mp, pag, tp, ino, &ip, bno,
2102 + error = xfs_iget_cache_miss(mp, pag, tp, ino, &ip,
2103 flags, lock_flags);
2104 if (error)
2105 goto out_error_or_again;
2106 diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
2107 index 523a1ae..8f43bab 100644
2108 --- a/fs/xfs/xfs_inode.c
2109 +++ b/fs/xfs/xfs_inode.c
2110 @@ -177,7 +177,7 @@ xfs_imap_to_bp(
2111 if (unlikely(XFS_TEST_ERROR(!di_ok, mp,
2112 XFS_ERRTAG_ITOBP_INOTOBP,
2113 XFS_RANDOM_ITOBP_INOTOBP))) {
2114 - if (iget_flags & XFS_IGET_BULKSTAT) {
2115 + if (iget_flags & XFS_IGET_UNTRUSTED) {
2116 xfs_trans_brelse(tp, bp);
2117 return XFS_ERROR(EINVAL);
2118 }
2119 @@ -787,7 +787,6 @@ xfs_iread(
2120 xfs_mount_t *mp,
2121 xfs_trans_t *tp,
2122 xfs_inode_t *ip,
2123 - xfs_daddr_t bno,
2124 uint iget_flags)
2125 {
2126 xfs_buf_t *bp;
2127 @@ -797,11 +796,9 @@ xfs_iread(
2128 /*
2129 * Fill in the location information in the in-core inode.
2130 */
2131 - ip->i_imap.im_blkno = bno;
2132 error = xfs_imap(mp, tp, ip->i_ino, &ip->i_imap, iget_flags);
2133 if (error)
2134 return error;
2135 - ASSERT(bno == 0 || bno == ip->i_imap.im_blkno);
2136
2137 /*
2138 * Get pointers to the on-disk inode and the buffer containing it.
2139 diff --git a/fs/xfs/xfs_inode.h b/fs/xfs/xfs_inode.h
2140 index 41555de..7a86389 100644
2141 --- a/fs/xfs/xfs_inode.h
2142 +++ b/fs/xfs/xfs_inode.h
2143 @@ -468,7 +468,7 @@ static inline void xfs_ifunlock(xfs_inode_t *ip)
2144 * xfs_iget.c prototypes.
2145 */
2146 int xfs_iget(struct xfs_mount *, struct xfs_trans *, xfs_ino_t,
2147 - uint, uint, xfs_inode_t **, xfs_daddr_t);
2148 + uint, uint, xfs_inode_t **);
2149 void xfs_iput(xfs_inode_t *, uint);
2150 void xfs_iput_new(xfs_inode_t *, uint);
2151 void xfs_ilock(xfs_inode_t *, uint);
2152 @@ -558,7 +558,7 @@ do { \
2153 * Flags for xfs_iget()
2154 */
2155 #define XFS_IGET_CREATE 0x1
2156 -#define XFS_IGET_BULKSTAT 0x2
2157 +#define XFS_IGET_UNTRUSTED 0x2
2158
2159 int xfs_inotobp(struct xfs_mount *, struct xfs_trans *,
2160 xfs_ino_t, struct xfs_dinode **,
2161 @@ -567,7 +567,7 @@ int xfs_itobp(struct xfs_mount *, struct xfs_trans *,
2162 struct xfs_inode *, struct xfs_dinode **,
2163 struct xfs_buf **, uint);
2164 int xfs_iread(struct xfs_mount *, struct xfs_trans *,
2165 - struct xfs_inode *, xfs_daddr_t, uint);
2166 + struct xfs_inode *, uint);
2167 void xfs_dinode_to_disk(struct xfs_dinode *,
2168 struct xfs_icdinode *);
2169 void xfs_idestroy_fork(struct xfs_inode *, int);
2170 diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c
2171 index 62efab2..7a4621a 100644
2172 --- a/fs/xfs/xfs_itable.c
2173 +++ b/fs/xfs/xfs_itable.c
2174 @@ -49,24 +49,40 @@ xfs_internal_inum(
2175 (ino == mp->m_sb.sb_uquotino || ino == mp->m_sb.sb_gquotino)));
2176 }
2177
2178 -STATIC int
2179 -xfs_bulkstat_one_iget(
2180 - xfs_mount_t *mp, /* mount point for filesystem */
2181 - xfs_ino_t ino, /* inode number to get data for */
2182 - xfs_daddr_t bno, /* starting bno of inode cluster */
2183 - xfs_bstat_t *buf, /* return buffer */
2184 - int *stat) /* BULKSTAT_RV_... */
2185 +/*
2186 + * Return stat information for one inode.
2187 + * Return 0 if ok, else errno.
2188 + */
2189 +int
2190 +xfs_bulkstat_one_int(
2191 + struct xfs_mount *mp, /* mount point for filesystem */
2192 + xfs_ino_t ino, /* inode to get data for */
2193 + void __user *buffer, /* buffer to place output in */
2194 + int ubsize, /* size of buffer */
2195 + bulkstat_one_fmt_pf formatter, /* formatter, copy to user */
2196 + int *ubused, /* bytes used by me */
2197 + int *stat) /* BULKSTAT_RV_... */
2198 {
2199 - xfs_icdinode_t *dic; /* dinode core info pointer */
2200 - xfs_inode_t *ip; /* incore inode pointer */
2201 - struct inode *inode;
2202 - int error;
2203 + struct xfs_icdinode *dic; /* dinode core info pointer */
2204 + struct xfs_inode *ip; /* incore inode pointer */
2205 + struct inode *inode;
2206 + struct xfs_bstat *buf; /* return buffer */
2207 + int error = 0; /* error value */
2208 +
2209 + *stat = BULKSTAT_RV_NOTHING;
2210 +
2211 + if (!buffer || xfs_internal_inum(mp, ino))
2212 + return XFS_ERROR(EINVAL);
2213 +
2214 + buf = kmem_alloc(sizeof(*buf), KM_SLEEP | KM_MAYFAIL);
2215 + if (!buf)
2216 + return XFS_ERROR(ENOMEM);
2217
2218 error = xfs_iget(mp, NULL, ino,
2219 - XFS_IGET_BULKSTAT, XFS_ILOCK_SHARED, &ip, bno);
2220 + XFS_IGET_UNTRUSTED, XFS_ILOCK_SHARED, &ip);
2221 if (error) {
2222 *stat = BULKSTAT_RV_NOTHING;
2223 - return error;
2224 + goto out_free;
2225 }
2226
2227 ASSERT(ip != NULL);
2228 @@ -126,76 +142,16 @@ xfs_bulkstat_one_iget(
2229 buf->bs_blocks = dic->di_nblocks + ip->i_delayed_blks;
2230 break;
2231 }
2232 -
2233 xfs_iput(ip, XFS_ILOCK_SHARED);
2234 - return error;
2235 -}
2236
2237 -STATIC void
2238 -xfs_bulkstat_one_dinode(
2239 - xfs_mount_t *mp, /* mount point for filesystem */
2240 - xfs_ino_t ino, /* inode number to get data for */
2241 - xfs_dinode_t *dic, /* dinode inode pointer */
2242 - xfs_bstat_t *buf) /* return buffer */
2243 -{
2244 - /*
2245 - * The inode format changed when we moved the link count and
2246 - * made it 32 bits long. If this is an old format inode,
2247 - * convert it in memory to look like a new one. If it gets
2248 - * flushed to disk we will convert back before flushing or
2249 - * logging it. We zero out the new projid field and the old link
2250 - * count field. We'll handle clearing the pad field (the remains
2251 - * of the old uuid field) when we actually convert the inode to
2252 - * the new format. We don't change the version number so that we
2253 - * can distinguish this from a real new format inode.
2254 - */
2255 - if (dic->di_version == 1) {
2256 - buf->bs_nlink = be16_to_cpu(dic->di_onlink);
2257 - buf->bs_projid = 0;
2258 - } else {
2259 - buf->bs_nlink = be32_to_cpu(dic->di_nlink);
2260 - buf->bs_projid = be16_to_cpu(dic->di_projid);
2261 - }
2262 + error = formatter(buffer, ubsize, ubused, buf);
2263
2264 - buf->bs_ino = ino;
2265 - buf->bs_mode = be16_to_cpu(dic->di_mode);
2266 - buf->bs_uid = be32_to_cpu(dic->di_uid);
2267 - buf->bs_gid = be32_to_cpu(dic->di_gid);
2268 - buf->bs_size = be64_to_cpu(dic->di_size);
2269 - buf->bs_atime.tv_sec = be32_to_cpu(dic->di_atime.t_sec);
2270 - buf->bs_atime.tv_nsec = be32_to_cpu(dic->di_atime.t_nsec);
2271 - buf->bs_mtime.tv_sec = be32_to_cpu(dic->di_mtime.t_sec);
2272 - buf->bs_mtime.tv_nsec = be32_to_cpu(dic->di_mtime.t_nsec);
2273 - buf->bs_ctime.tv_sec = be32_to_cpu(dic->di_ctime.t_sec);
2274 - buf->bs_ctime.tv_nsec = be32_to_cpu(dic->di_ctime.t_nsec);
2275 - buf->bs_xflags = xfs_dic2xflags(dic);
2276 - buf->bs_extsize = be32_to_cpu(dic->di_extsize) << mp->m_sb.sb_blocklog;
2277 - buf->bs_extents = be32_to_cpu(dic->di_nextents);
2278 - buf->bs_gen = be32_to_cpu(dic->di_gen);
2279 - memset(buf->bs_pad, 0, sizeof(buf->bs_pad));
2280 - buf->bs_dmevmask = be32_to_cpu(dic->di_dmevmask);
2281 - buf->bs_dmstate = be16_to_cpu(dic->di_dmstate);
2282 - buf->bs_aextents = be16_to_cpu(dic->di_anextents);
2283 + if (!error)
2284 + *stat = BULKSTAT_RV_DIDONE;
2285
2286 - switch (dic->di_format) {
2287 - case XFS_DINODE_FMT_DEV:
2288 - buf->bs_rdev = xfs_dinode_get_rdev(dic);
2289 - buf->bs_blksize = BLKDEV_IOSIZE;
2290 - buf->bs_blocks = 0;
2291 - break;
2292 - case XFS_DINODE_FMT_LOCAL:
2293 - case XFS_DINODE_FMT_UUID:
2294 - buf->bs_rdev = 0;
2295 - buf->bs_blksize = mp->m_sb.sb_blocksize;
2296 - buf->bs_blocks = 0;
2297 - break;
2298 - case XFS_DINODE_FMT_EXTENTS:
2299 - case XFS_DINODE_FMT_BTREE:
2300 - buf->bs_rdev = 0;
2301 - buf->bs_blksize = mp->m_sb.sb_blocksize;
2302 - buf->bs_blocks = be64_to_cpu(dic->di_nblocks);
2303 - break;
2304 - }
2305 + out_free:
2306 + kmem_free(buf);
2307 + return error;
2308 }
2309
2310 /* Return 0 on success or positive error */
2311 @@ -215,118 +171,17 @@ xfs_bulkstat_one_fmt(
2312 return 0;
2313 }
2314
2315 -/*
2316 - * Return stat information for one inode.
2317 - * Return 0 if ok, else errno.
2318 - */
2319 -int /* error status */
2320 -xfs_bulkstat_one_int(
2321 - xfs_mount_t *mp, /* mount point for filesystem */
2322 - xfs_ino_t ino, /* inode number to get data for */
2323 - void __user *buffer, /* buffer to place output in */
2324 - int ubsize, /* size of buffer */
2325 - bulkstat_one_fmt_pf formatter, /* formatter, copy to user */
2326 - xfs_daddr_t bno, /* starting bno of inode cluster */
2327 - int *ubused, /* bytes used by me */
2328 - void *dibuff, /* on-disk inode buffer */
2329 - int *stat) /* BULKSTAT_RV_... */
2330 -{
2331 - xfs_bstat_t *buf; /* return buffer */
2332 - int error = 0; /* error value */
2333 - xfs_dinode_t *dip; /* dinode inode pointer */
2334 -
2335 - dip = (xfs_dinode_t *)dibuff;
2336 - *stat = BULKSTAT_RV_NOTHING;
2337 -
2338 - if (!buffer || xfs_internal_inum(mp, ino))
2339 - return XFS_ERROR(EINVAL);
2340 -
2341 - buf = kmem_alloc(sizeof(*buf), KM_SLEEP);
2342 -
2343 - if (dip == NULL) {
2344 - /* We're not being passed a pointer to a dinode. This happens
2345 - * if BULKSTAT_FG_IGET is selected. Do the iget.
2346 - */
2347 - error = xfs_bulkstat_one_iget(mp, ino, bno, buf, stat);
2348 - if (error)
2349 - goto out_free;
2350 - } else {
2351 - xfs_bulkstat_one_dinode(mp, ino, dip, buf);
2352 - }
2353 -
2354 - error = formatter(buffer, ubsize, ubused, buf);
2355 - if (error)
2356 - goto out_free;
2357 -
2358 - *stat = BULKSTAT_RV_DIDONE;
2359 -
2360 - out_free:
2361 - kmem_free(buf);
2362 - return error;
2363 -}
2364 -
2365 int
2366 xfs_bulkstat_one(
2367 xfs_mount_t *mp, /* mount point for filesystem */
2368 xfs_ino_t ino, /* inode number to get data for */
2369 void __user *buffer, /* buffer to place output in */
2370 int ubsize, /* size of buffer */
2371 - void *private_data, /* my private data */
2372 - xfs_daddr_t bno, /* starting bno of inode cluster */
2373 int *ubused, /* bytes used by me */
2374 - void *dibuff, /* on-disk inode buffer */
2375 int *stat) /* BULKSTAT_RV_... */
2376 {
2377 return xfs_bulkstat_one_int(mp, ino, buffer, ubsize,
2378 - xfs_bulkstat_one_fmt, bno,
2379 - ubused, dibuff, stat);
2380 -}
2381 -
2382 -/*
2383 - * Test to see whether we can use the ondisk inode directly, based
2384 - * on the given bulkstat flags, filling in dipp accordingly.
2385 - * Returns zero if the inode is dodgey.
2386 - */
2387 -STATIC int
2388 -xfs_bulkstat_use_dinode(
2389 - xfs_mount_t *mp,
2390 - int flags,
2391 - xfs_buf_t *bp,
2392 - int clustidx,
2393 - xfs_dinode_t **dipp)
2394 -{
2395 - xfs_dinode_t *dip;
2396 - unsigned int aformat;
2397 -
2398 - *dipp = NULL;
2399 - if (!bp || (flags & BULKSTAT_FG_IGET))
2400 - return 1;
2401 - dip = (xfs_dinode_t *)
2402 - xfs_buf_offset(bp, clustidx << mp->m_sb.sb_inodelog);
2403 - /*
2404 - * Check the buffer containing the on-disk inode for di_mode == 0.
2405 - * This is to prevent xfs_bulkstat from picking up just reclaimed
2406 - * inodes that have their in-core state initialized but not flushed
2407 - * to disk yet. This is a temporary hack that would require a proper
2408 - * fix in the future.
2409 - */
2410 - if (be16_to_cpu(dip->di_magic) != XFS_DINODE_MAGIC ||
2411 - !XFS_DINODE_GOOD_VERSION(dip->di_version) ||
2412 - !dip->di_mode)
2413 - return 0;
2414 - if (flags & BULKSTAT_FG_QUICK) {
2415 - *dipp = dip;
2416 - return 1;
2417 - }
2418 - /* BULKSTAT_FG_INLINE: if attr fork is local, or not there, use it */
2419 - aformat = dip->di_aformat;
2420 - if ((XFS_DFORK_Q(dip) == 0) ||
2421 - (aformat == XFS_DINODE_FMT_LOCAL) ||
2422 - (aformat == XFS_DINODE_FMT_EXTENTS && !dip->di_anextents)) {
2423 - *dipp = dip;
2424 - return 1;
2425 - }
2426 - return 1;
2427 + xfs_bulkstat_one_fmt, ubused, stat);
2428 }
2429
2430 #define XFS_BULKSTAT_UBLEFT(ubleft) ((ubleft) >= statstruct_size)
2431 @@ -340,10 +195,8 @@ xfs_bulkstat(
2432 xfs_ino_t *lastinop, /* last inode returned */
2433 int *ubcountp, /* size of buffer/count returned */
2434 bulkstat_one_pf formatter, /* func that'd fill a single buf */
2435 - void *private_data,/* private data for formatter */
2436 size_t statstruct_size, /* sizeof struct filling */
2437 char __user *ubuffer, /* buffer with inode stats */
2438 - int flags, /* defined in xfs_itable.h */
2439 int *done) /* 1 if there are more stats to get */
2440 {
2441 xfs_agblock_t agbno=0;/* allocation group block number */
2442 @@ -378,14 +231,12 @@ xfs_bulkstat(
2443 int ubelem; /* spaces used in user's buffer */
2444 int ubused; /* bytes used by formatter */
2445 xfs_buf_t *bp; /* ptr to on-disk inode cluster buf */
2446 - xfs_dinode_t *dip; /* ptr into bp for specific inode */
2447
2448 /*
2449 * Get the last inode value, see if there's nothing to do.
2450 */
2451 ino = (xfs_ino_t)*lastinop;
2452 lastino = ino;
2453 - dip = NULL;
2454 agno = XFS_INO_TO_AGNO(mp, ino);
2455 agino = XFS_INO_TO_AGINO(mp, ino);
2456 if (agno >= mp->m_sb.sb_agcount ||
2457 @@ -610,37 +461,6 @@ xfs_bulkstat(
2458 irbp->ir_startino) +
2459 ((chunkidx & nimask) >>
2460 mp->m_sb.sb_inopblog);
2461 -
2462 - if (flags & (BULKSTAT_FG_QUICK |
2463 - BULKSTAT_FG_INLINE)) {
2464 - int offset;
2465 -
2466 - ino = XFS_AGINO_TO_INO(mp, agno,
2467 - agino);
2468 - bno = XFS_AGB_TO_DADDR(mp, agno,
2469 - agbno);
2470 -
2471 - /*
2472 - * Get the inode cluster buffer
2473 - */
2474 - if (bp)
2475 - xfs_buf_relse(bp);
2476 -
2477 - error = xfs_inotobp(mp, NULL, ino, &dip,
2478 - &bp, &offset,
2479 - XFS_IGET_BULKSTAT);
2480 -
2481 - if (!error)
2482 - clustidx = offset / mp->m_sb.sb_inodesize;
2483 - if (XFS_TEST_ERROR(error != 0,
2484 - mp, XFS_ERRTAG_BULKSTAT_READ_CHUNK,
2485 - XFS_RANDOM_BULKSTAT_READ_CHUNK)) {
2486 - bp = NULL;
2487 - ubleft = 0;
2488 - rval = error;
2489 - break;
2490 - }
2491 - }
2492 }
2493 ino = XFS_AGINO_TO_INO(mp, agno, agino);
2494 bno = XFS_AGB_TO_DADDR(mp, agno, agbno);
2495 @@ -656,35 +476,13 @@ xfs_bulkstat(
2496 * when the chunk is used up.
2497 */
2498 irbp->ir_freecount++;
2499 - if (!xfs_bulkstat_use_dinode(mp, flags, bp,
2500 - clustidx, &dip)) {
2501 - lastino = ino;
2502 - continue;
2503 - }
2504 - /*
2505 - * If we need to do an iget, cannot hold bp.
2506 - * Drop it, until starting the next cluster.
2507 - */
2508 - if ((flags & BULKSTAT_FG_INLINE) && !dip) {
2509 - if (bp)
2510 - xfs_buf_relse(bp);
2511 - bp = NULL;
2512 - }
2513
2514 /*
2515 * Get the inode and fill in a single buffer.
2516 - * BULKSTAT_FG_QUICK uses dip to fill it in.
2517 - * BULKSTAT_FG_IGET uses igets.
2518 - * BULKSTAT_FG_INLINE uses dip if we have an
2519 - * inline attr fork, else igets.
2520 - * See: xfs_bulkstat_one & xfs_dm_bulkstat_one.
2521 - * This is also used to count inodes/blks, etc
2522 - * in xfs_qm_quotacheck.
2523 */
2524 ubused = statstruct_size;
2525 - error = formatter(mp, ino, ubufp,
2526 - ubleft, private_data,
2527 - bno, &ubused, dip, &fmterror);
2528 + error = formatter(mp, ino, ubufp, ubleft,
2529 + &ubused, &fmterror);
2530 if (fmterror == BULKSTAT_RV_NOTHING) {
2531 if (error && error != ENOENT &&
2532 error != EINVAL) {
2533 @@ -776,8 +574,7 @@ xfs_bulkstat_single(
2534 */
2535
2536 ino = (xfs_ino_t)*lastinop;
2537 - error = xfs_bulkstat_one(mp, ino, buffer, sizeof(xfs_bstat_t),
2538 - NULL, 0, NULL, NULL, &res);
2539 + error = xfs_bulkstat_one(mp, ino, buffer, sizeof(xfs_bstat_t), 0, &res);
2540 if (error) {
2541 /*
2542 * Special case way failed, do it the "long" way
2543 @@ -786,8 +583,7 @@ xfs_bulkstat_single(
2544 (*lastinop)--;
2545 count = 1;
2546 if (xfs_bulkstat(mp, lastinop, &count, xfs_bulkstat_one,
2547 - NULL, sizeof(xfs_bstat_t), buffer,
2548 - BULKSTAT_FG_IGET, done))
2549 + sizeof(xfs_bstat_t), buffer, done))
2550 return error;
2551 if (count == 0 || (xfs_ino_t)*lastinop != ino)
2552 return error == EFSCORRUPTED ?
2553 diff --git a/fs/xfs/xfs_itable.h b/fs/xfs/xfs_itable.h
2554 index 20792bf..97295d9 100644
2555 --- a/fs/xfs/xfs_itable.h
2556 +++ b/fs/xfs/xfs_itable.h
2557 @@ -27,10 +27,7 @@ typedef int (*bulkstat_one_pf)(struct xfs_mount *mp,
2558 xfs_ino_t ino,
2559 void __user *buffer,
2560 int ubsize,
2561 - void *private_data,
2562 - xfs_daddr_t bno,
2563 int *ubused,
2564 - void *dip,
2565 int *stat);
2566
2567 /*
2568 @@ -41,13 +38,6 @@ typedef int (*bulkstat_one_pf)(struct xfs_mount *mp,
2569 #define BULKSTAT_RV_GIVEUP 2
2570
2571 /*
2572 - * Values for bulkstat flag argument.
2573 - */
2574 -#define BULKSTAT_FG_IGET 0x1 /* Go through the buffer cache */
2575 -#define BULKSTAT_FG_QUICK 0x2 /* No iget, walk the dinode cluster */
2576 -#define BULKSTAT_FG_INLINE 0x4 /* No iget if inline attrs */
2577 -
2578 -/*
2579 * Return stat information in bulk (by-inode) for the filesystem.
2580 */
2581 int /* error status */
2582 @@ -56,10 +46,8 @@ xfs_bulkstat(
2583 xfs_ino_t *lastino, /* last inode returned */
2584 int *count, /* size of buffer/count returned */
2585 bulkstat_one_pf formatter, /* func that'd fill a single buf */
2586 - void *private_data, /* private data for formatter */
2587 size_t statstruct_size,/* sizeof struct that we're filling */
2588 char __user *ubuffer,/* buffer with inode stats */
2589 - int flags, /* flag to control access method */
2590 int *done); /* 1 if there are more stats to get */
2591
2592 int
2593 @@ -82,9 +70,7 @@ xfs_bulkstat_one_int(
2594 void __user *buffer,
2595 int ubsize,
2596 bulkstat_one_fmt_pf formatter,
2597 - xfs_daddr_t bno,
2598 int *ubused,
2599 - void *dibuff,
2600 int *stat);
2601
2602 int
2603 @@ -93,10 +79,7 @@ xfs_bulkstat_one(
2604 xfs_ino_t ino,
2605 void __user *buffer,
2606 int ubsize,
2607 - void *private_data,
2608 - xfs_daddr_t bno,
2609 int *ubused,
2610 - void *dibuff,
2611 int *stat);
2612
2613 typedef int (*inumbers_fmt_pf)(
2614 diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
2615 index b5b0d80..844a99b 100644
2616 --- a/fs/xfs/xfs_log_recover.c
2617 +++ b/fs/xfs/xfs_log_recover.c
2618 @@ -3209,7 +3209,7 @@ xlog_recover_process_one_iunlink(
2619 int error;
2620
2621 ino = XFS_AGINO_TO_INO(mp, agno, agino);
2622 - error = xfs_iget(mp, NULL, ino, 0, 0, &ip, 0);
2623 + error = xfs_iget(mp, NULL, ino, 0, 0, &ip);
2624 if (error)
2625 goto fail;
2626
2627 diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
2628 index 4d509f7..0a25d9e 100644
2629 --- a/fs/xfs/xfs_mount.c
2630 +++ b/fs/xfs/xfs_mount.c
2631 @@ -1207,7 +1207,7 @@ xfs_mountfs(
2632 * Get and sanity-check the root inode.
2633 * Save the pointer to it in the mount structure.
2634 */
2635 - error = xfs_iget(mp, NULL, sbp->sb_rootino, 0, XFS_ILOCK_EXCL, &rip, 0);
2636 + error = xfs_iget(mp, NULL, sbp->sb_rootino, 0, XFS_ILOCK_EXCL, &rip);
2637 if (error) {
2638 cmn_err(CE_WARN, "XFS: failed to read root inode");
2639 goto out_log_dealloc;
2640 diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
2641 index 385f6dc..be69135 100644
2642 --- a/fs/xfs/xfs_rtalloc.c
2643 +++ b/fs/xfs/xfs_rtalloc.c
2644 @@ -2274,12 +2274,12 @@ xfs_rtmount_inodes(
2645 sbp = &mp->m_sb;
2646 if (sbp->sb_rbmino == NULLFSINO)
2647 return 0;
2648 - error = xfs_iget(mp, NULL, sbp->sb_rbmino, 0, 0, &mp->m_rbmip, 0);
2649 + error = xfs_iget(mp, NULL, sbp->sb_rbmino, 0, 0, &mp->m_rbmip);
2650 if (error)
2651 return error;
2652 ASSERT(mp->m_rbmip != NULL);
2653 ASSERT(sbp->sb_rsumino != NULLFSINO);
2654 - error = xfs_iget(mp, NULL, sbp->sb_rsumino, 0, 0, &mp->m_rsumip, 0);
2655 + error = xfs_iget(mp, NULL, sbp->sb_rsumino, 0, 0, &mp->m_rsumip);
2656 if (error) {
2657 IRELE(mp->m_rbmip);
2658 return error;
2659 diff --git a/fs/xfs/xfs_trans_inode.c b/fs/xfs/xfs_trans_inode.c
2660 index 785ff10..2559dfe 100644
2661 --- a/fs/xfs/xfs_trans_inode.c
2662 +++ b/fs/xfs/xfs_trans_inode.c
2663 @@ -62,7 +62,7 @@ xfs_trans_iget(
2664 {
2665 int error;
2666
2667 - error = xfs_iget(mp, tp, ino, flags, lock_flags, ipp, 0);
2668 + error = xfs_iget(mp, tp, ino, flags, lock_flags, ipp);
2669 if (!error && tp)
2670 xfs_trans_ijoin(tp, *ipp, lock_flags);
2671 return error;
2672 diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
2673 index 38a6324..8f32f50 100644
2674 --- a/fs/xfs/xfs_vnodeops.c
2675 +++ b/fs/xfs/xfs_vnodeops.c
2676 @@ -1371,7 +1371,7 @@ xfs_lookup(
2677 if (error)
2678 goto out;
2679
2680 - error = xfs_iget(dp->i_mount, NULL, inum, 0, 0, ipp, 0);
2681 + error = xfs_iget(dp->i_mount, NULL, inum, 0, 0, ipp);
2682 if (error)
2683 goto out_free_name;
2684
2685 diff --git a/include/linux/cred.h b/include/linux/cred.h
2686 index 4e3387a..ad64471 100644
2687 --- a/include/linux/cred.h
2688 +++ b/include/linux/cred.h
2689 @@ -153,6 +153,7 @@ struct cred {
2690 extern void __put_cred(struct cred *);
2691 extern void exit_creds(struct task_struct *);
2692 extern int copy_creds(struct task_struct *, unsigned long);
2693 +extern const struct cred *get_task_cred(struct task_struct *);
2694 extern struct cred *cred_alloc_blank(void);
2695 extern struct cred *prepare_creds(void);
2696 extern struct cred *prepare_exec_creds(void);
2697 @@ -283,26 +284,6 @@ static inline void put_cred(const struct cred *_cred)
2698 ((const struct cred *)(rcu_dereference((task)->real_cred)))
2699
2700 /**
2701 - * get_task_cred - Get another task's objective credentials
2702 - * @task: The task to query
2703 - *
2704 - * Get the objective credentials of a task, pinning them so that they can't go
2705 - * away. Accessing a task's credentials directly is not permitted.
2706 - *
2707 - * The caller must make sure task doesn't go away, either by holding a ref on
2708 - * task or by holding tasklist_lock to prevent it from being unlinked.
2709 - */
2710 -#define get_task_cred(task) \
2711 -({ \
2712 - struct cred *__cred; \
2713 - rcu_read_lock(); \
2714 - __cred = (struct cred *) __task_cred((task)); \
2715 - get_cred(__cred); \
2716 - rcu_read_unlock(); \
2717 - __cred; \
2718 -})
2719 -
2720 -/**
2721 * get_current_cred - Get the current task's subjective credentials
2722 *
2723 * Get the subjective credentials of the current task, pinning them so that
2724 diff --git a/kernel/cred.c b/kernel/cred.c
2725 index 5fce398..0b5b5fc 100644
2726 --- a/kernel/cred.c
2727 +++ b/kernel/cred.c
2728 @@ -208,6 +208,31 @@ void exit_creds(struct task_struct *tsk)
2729 }
2730 }
2731
2732 +/**
2733 + * get_task_cred - Get another task's objective credentials
2734 + * @task: The task to query
2735 + *
2736 + * Get the objective credentials of a task, pinning them so that they can't go
2737 + * away. Accessing a task's credentials directly is not permitted.
2738 + *
2739 + * The caller must also make sure task doesn't get deleted, either by holding a
2740 + * ref on task or by holding tasklist_lock to prevent it from being unlinked.
2741 + */
2742 +const struct cred *get_task_cred(struct task_struct *task)
2743 +{
2744 + const struct cred *cred;
2745 +
2746 + rcu_read_lock();
2747 +
2748 + do {
2749 + cred = __task_cred((task));
2750 + BUG_ON(!cred);
2751 + } while (!atomic_inc_not_zero(&((struct cred *)cred)->usage));
2752 +
2753 + rcu_read_unlock();
2754 + return cred;
2755 +}
2756 +
2757 /*
2758 * Allocate blank credentials, such that the credentials can be filled in at a
2759 * later date without risk of ENOMEM.
2760 @@ -230,13 +255,13 @@ struct cred *cred_alloc_blank(void)
2761 #endif
2762
2763 atomic_set(&new->usage, 1);
2764 +#ifdef CONFIG_DEBUG_CREDENTIALS
2765 + new->magic = CRED_MAGIC;
2766 +#endif
2767
2768 if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
2769 goto error;
2770
2771 -#ifdef CONFIG_DEBUG_CREDENTIALS
2772 - new->magic = CRED_MAGIC;
2773 -#endif
2774 return new;
2775
2776 error:
2777 @@ -693,6 +718,8 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
2778 validate_creds(old);
2779
2780 *new = *old;
2781 + atomic_set(&new->usage, 1);
2782 + set_cred_subscribers(new, 0);
2783 get_uid(new->user);
2784 get_group_info(new->group_info);
2785
2786 @@ -710,8 +737,6 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
2787 if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
2788 goto error;
2789
2790 - atomic_set(&new->usage, 1);
2791 - set_cred_subscribers(new, 0);
2792 put_cred(old);
2793 validate_creds(new);
2794 return new;
2795 @@ -784,7 +809,11 @@ bool creds_are_invalid(const struct cred *cred)
2796 if (cred->magic != CRED_MAGIC)
2797 return true;
2798 #ifdef CONFIG_SECURITY_SELINUX
2799 - if (selinux_is_enabled()) {
2800 + /*
2801 + * cred->security == NULL if security_cred_alloc_blank() or
2802 + * security_prepare_creds() returned an error.
2803 + */
2804 + if (selinux_is_enabled() && cred->security) {
2805 if ((unsigned long) cred->security < PAGE_SIZE)
2806 return true;
2807 if ((*(u32 *)cred->security & 0xffffff00) ==
2808 diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
2809 index f34e231..5fad88b 100644
2810 --- a/kernel/irq/manage.c
2811 +++ b/kernel/irq/manage.c
2812 @@ -1079,7 +1079,7 @@ int request_threaded_irq(unsigned int irq, irq_handler_t handler,
2813 if (retval)
2814 kfree(action);
2815
2816 -#ifdef CONFIG_DEBUG_SHIRQ
2817 +#ifdef CONFIG_DEBUG_SHIRQ_FIXME
2818 if (irqflags & IRQF_SHARED) {
2819 /*
2820 * It's a shared IRQ -- the driver ought to be prepared for it
2821 diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
2822 index fc9ed15..a8520b0 100644
2823 --- a/kernel/power/snapshot.c
2824 +++ b/kernel/power/snapshot.c
2825 @@ -1466,11 +1466,8 @@ static int
2826 swsusp_alloc(struct memory_bitmap *orig_bm, struct memory_bitmap *copy_bm,
2827 unsigned int nr_pages, unsigned int nr_highmem)
2828 {
2829 - int error = 0;
2830 -
2831 if (nr_highmem > 0) {
2832 - error = get_highmem_buffer(PG_ANY);
2833 - if (error)
2834 + if (get_highmem_buffer(PG_ANY))
2835 goto err_out;
2836 if (nr_highmem > alloc_highmem) {
2837 nr_highmem -= alloc_highmem;
2838 @@ -1493,7 +1490,7 @@ swsusp_alloc(struct memory_bitmap *orig_bm, struct memory_bitmap *copy_bm,
2839
2840 err_out:
2841 swsusp_free();
2842 - return error;
2843 + return -ENOMEM;
2844 }
2845
2846 asmlinkage int swsusp_save(void)
2847 diff --git a/lib/swiotlb.c b/lib/swiotlb.c
2848 index ac25cd2..7740ee8 100644
2849 --- a/lib/swiotlb.c
2850 +++ b/lib/swiotlb.c
2851 @@ -631,8 +631,10 @@ dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
2852 /*
2853 * Ensure that the address returned is DMA'ble
2854 */
2855 - if (!dma_capable(dev, dev_addr, size))
2856 - panic("map_single: bounce buffer is not DMA'ble");
2857 + if (!dma_capable(dev, dev_addr, size)) {
2858 + swiotlb_tbl_unmap_single(dev, map, size, dir);
2859 + dev_addr = swiotlb_virt_to_bus(dev, io_tlb_overflow_buffer);
2860 + }
2861
2862 return dev_addr;
2863 }
2864 diff --git a/net/core/filter.c b/net/core/filter.c
2865 index d1d779c..0127397 100644
2866 --- a/net/core/filter.c
2867 +++ b/net/core/filter.c
2868 @@ -111,39 +111,41 @@ EXPORT_SYMBOL(sk_filter);
2869 */
2870 unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
2871 {
2872 - struct sock_filter *fentry; /* We walk down these */
2873 void *ptr;
2874 u32 A = 0; /* Accumulator */
2875 u32 X = 0; /* Index Register */
2876 u32 mem[BPF_MEMWORDS]; /* Scratch Memory Store */
2877 + unsigned long memvalid = 0;
2878 u32 tmp;
2879 int k;
2880 int pc;
2881
2882 + BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG);
2883 /*
2884 * Process array of filter instructions.
2885 */
2886 for (pc = 0; pc < flen; pc++) {
2887 - fentry = &filter[pc];
2888 + const struct sock_filter *fentry = &filter[pc];
2889 + u32 f_k = fentry->k;
2890
2891 switch (fentry->code) {
2892 case BPF_ALU|BPF_ADD|BPF_X:
2893 A += X;
2894 continue;
2895 case BPF_ALU|BPF_ADD|BPF_K:
2896 - A += fentry->k;
2897 + A += f_k;
2898 continue;
2899 case BPF_ALU|BPF_SUB|BPF_X:
2900 A -= X;
2901 continue;
2902 case BPF_ALU|BPF_SUB|BPF_K:
2903 - A -= fentry->k;
2904 + A -= f_k;
2905 continue;
2906 case BPF_ALU|BPF_MUL|BPF_X:
2907 A *= X;
2908 continue;
2909 case BPF_ALU|BPF_MUL|BPF_K:
2910 - A *= fentry->k;
2911 + A *= f_k;
2912 continue;
2913 case BPF_ALU|BPF_DIV|BPF_X:
2914 if (X == 0)
2915 @@ -151,49 +153,49 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
2916 A /= X;
2917 continue;
2918 case BPF_ALU|BPF_DIV|BPF_K:
2919 - A /= fentry->k;
2920 + A /= f_k;
2921 continue;
2922 case BPF_ALU|BPF_AND|BPF_X:
2923 A &= X;
2924 continue;
2925 case BPF_ALU|BPF_AND|BPF_K:
2926 - A &= fentry->k;
2927 + A &= f_k;
2928 continue;
2929 case BPF_ALU|BPF_OR|BPF_X:
2930 A |= X;
2931 continue;
2932 case BPF_ALU|BPF_OR|BPF_K:
2933 - A |= fentry->k;
2934 + A |= f_k;
2935 continue;
2936 case BPF_ALU|BPF_LSH|BPF_X:
2937 A <<= X;
2938 continue;
2939 case BPF_ALU|BPF_LSH|BPF_K:
2940 - A <<= fentry->k;
2941 + A <<= f_k;
2942 continue;
2943 case BPF_ALU|BPF_RSH|BPF_X:
2944 A >>= X;
2945 continue;
2946 case BPF_ALU|BPF_RSH|BPF_K:
2947 - A >>= fentry->k;
2948 + A >>= f_k;
2949 continue;
2950 case BPF_ALU|BPF_NEG:
2951 A = -A;
2952 continue;
2953 case BPF_JMP|BPF_JA:
2954 - pc += fentry->k;
2955 + pc += f_k;
2956 continue;
2957 case BPF_JMP|BPF_JGT|BPF_K:
2958 - pc += (A > fentry->k) ? fentry->jt : fentry->jf;
2959 + pc += (A > f_k) ? fentry->jt : fentry->jf;
2960 continue;
2961 case BPF_JMP|BPF_JGE|BPF_K:
2962 - pc += (A >= fentry->k) ? fentry->jt : fentry->jf;
2963 + pc += (A >= f_k) ? fentry->jt : fentry->jf;
2964 continue;
2965 case BPF_JMP|BPF_JEQ|BPF_K:
2966 - pc += (A == fentry->k) ? fentry->jt : fentry->jf;
2967 + pc += (A == f_k) ? fentry->jt : fentry->jf;
2968 continue;
2969 case BPF_JMP|BPF_JSET|BPF_K:
2970 - pc += (A & fentry->k) ? fentry->jt : fentry->jf;
2971 + pc += (A & f_k) ? fentry->jt : fentry->jf;
2972 continue;
2973 case BPF_JMP|BPF_JGT|BPF_X:
2974 pc += (A > X) ? fentry->jt : fentry->jf;
2975 @@ -208,7 +210,7 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
2976 pc += (A & X) ? fentry->jt : fentry->jf;
2977 continue;
2978 case BPF_LD|BPF_W|BPF_ABS:
2979 - k = fentry->k;
2980 + k = f_k;
2981 load_w:
2982 ptr = load_pointer(skb, k, 4, &tmp);
2983 if (ptr != NULL) {
2984 @@ -217,7 +219,7 @@ load_w:
2985 }
2986 break;
2987 case BPF_LD|BPF_H|BPF_ABS:
2988 - k = fentry->k;
2989 + k = f_k;
2990 load_h:
2991 ptr = load_pointer(skb, k, 2, &tmp);
2992 if (ptr != NULL) {
2993 @@ -226,7 +228,7 @@ load_h:
2994 }
2995 break;
2996 case BPF_LD|BPF_B|BPF_ABS:
2997 - k = fentry->k;
2998 + k = f_k;
2999 load_b:
3000 ptr = load_pointer(skb, k, 1, &tmp);
3001 if (ptr != NULL) {
3002 @@ -241,32 +243,34 @@ load_b:
3003 X = skb->len;
3004 continue;
3005 case BPF_LD|BPF_W|BPF_IND:
3006 - k = X + fentry->k;
3007 + k = X + f_k;
3008 goto load_w;
3009 case BPF_LD|BPF_H|BPF_IND:
3010 - k = X + fentry->k;
3011 + k = X + f_k;
3012 goto load_h;
3013 case BPF_LD|BPF_B|BPF_IND:
3014 - k = X + fentry->k;
3015 + k = X + f_k;
3016 goto load_b;
3017 case BPF_LDX|BPF_B|BPF_MSH:
3018 - ptr = load_pointer(skb, fentry->k, 1, &tmp);
3019 + ptr = load_pointer(skb, f_k, 1, &tmp);
3020 if (ptr != NULL) {
3021 X = (*(u8 *)ptr & 0xf) << 2;
3022 continue;
3023 }
3024 return 0;
3025 case BPF_LD|BPF_IMM:
3026 - A = fentry->k;
3027 + A = f_k;
3028 continue;
3029 case BPF_LDX|BPF_IMM:
3030 - X = fentry->k;
3031 + X = f_k;
3032 continue;
3033 case BPF_LD|BPF_MEM:
3034 - A = mem[fentry->k];
3035 + A = (memvalid & (1UL << f_k)) ?
3036 + mem[f_k] : 0;
3037 continue;
3038 case BPF_LDX|BPF_MEM:
3039 - X = mem[fentry->k];
3040 + X = (memvalid & (1UL << f_k)) ?
3041 + mem[f_k] : 0;
3042 continue;
3043 case BPF_MISC|BPF_TAX:
3044 X = A;
3045 @@ -275,14 +279,16 @@ load_b:
3046 A = X;
3047 continue;
3048 case BPF_RET|BPF_K:
3049 - return fentry->k;
3050 + return f_k;
3051 case BPF_RET|BPF_A:
3052 return A;
3053 case BPF_ST:
3054 - mem[fentry->k] = A;
3055 + memvalid |= 1UL << f_k;
3056 + mem[f_k] = A;
3057 continue;
3058 case BPF_STX:
3059 - mem[fentry->k] = X;
3060 + memvalid |= 1UL << f_k;
3061 + mem[f_k] = X;
3062 continue;
3063 default:
3064 WARN_ON(1);
3065 diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
3066 index 734fe94..f095659 100644
3067 --- a/net/ipv4/tcp.c
3068 +++ b/net/ipv4/tcp.c
3069 @@ -2117,7 +2117,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
3070 /* Values greater than interface MTU won't take effect. However
3071 * at the point when this call is done we typically don't yet
3072 * know which interface is going to be used */
3073 - if (val < 8 || val > MAX_TCP_WINDOW) {
3074 + if (val < TCP_MIN_MSS || val > MAX_TCP_WINDOW) {
3075 err = -EINVAL;
3076 break;
3077 }
3078 diff --git a/net/sctp/auth.c b/net/sctp/auth.c
3079 index 56935bb..914c419 100644
3080 --- a/net/sctp/auth.c
3081 +++ b/net/sctp/auth.c
3082 @@ -542,16 +542,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
3083 id = ntohs(hmacs->hmac_ids[i]);
3084
3085 /* Check the id is in the supported range */
3086 - if (id > SCTP_AUTH_HMAC_ID_MAX)
3087 + if (id > SCTP_AUTH_HMAC_ID_MAX) {
3088 + id = 0;
3089 continue;
3090 + }
3091
3092 /* See is we support the id. Supported IDs have name and
3093 * length fields set, so that we can allocated and use
3094 * them. We can safely just check for name, for without the
3095 * name, we can't allocate the TFM.
3096 */
3097 - if (!sctp_hmac_list[id].hmac_name)
3098 + if (!sctp_hmac_list[id].hmac_name) {
3099 + id = 0;
3100 continue;
3101 + }
3102
3103 break;
3104 }
3105 diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
3106 index d6eee29..25f7801 100644
3107 --- a/net/sunrpc/cache.c
3108 +++ b/net/sunrpc/cache.c
3109 @@ -1234,8 +1234,10 @@ static int content_open(struct inode *inode, struct file *file,
3110 if (!cd || !try_module_get(cd->owner))
3111 return -EACCES;
3112 han = __seq_open_private(file, &cache_content_op, sizeof(*han));
3113 - if (han == NULL)
3114 + if (han == NULL) {
3115 + module_put(cd->owner);
3116 return -ENOMEM;
3117 + }
3118
3119 han->cd = cd;
3120 return 0;
3121 diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
3122 index e4e1b6e..3f1816a 100644
3123 --- a/net/x25/x25_link.c
3124 +++ b/net/x25/x25_link.c
3125 @@ -391,8 +391,12 @@ void __exit x25_link_free(void)
3126 write_lock_bh(&x25_neigh_list_lock);
3127
3128 list_for_each_safe(entry, tmp, &x25_neigh_list) {
3129 + struct net_device *dev;
3130 +
3131 nb = list_entry(entry, struct x25_neigh, node);
3132 + dev = nb->dev;
3133 __x25_remove_neigh(nb);
3134 + dev_put(dev);
3135 }
3136 write_unlock_bh(&x25_neigh_list_lock);
3137 }
3138 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
3139 index 0b90dc9..a106754 100644
3140 --- a/security/selinux/hooks.c
3141 +++ b/security/selinux/hooks.c
3142 @@ -3262,7 +3262,11 @@ static void selinux_cred_free(struct cred *cred)
3143 {
3144 struct task_security_struct *tsec = cred->security;
3145
3146 - BUG_ON((unsigned long) cred->security < PAGE_SIZE);
3147 + /*
3148 + * cred->security == NULL if security_cred_alloc_blank() or
3149 + * security_prepare_creds() returned an error.
3150 + */
3151 + BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
3152 cred->security = (void *) 0x7UL;
3153 kfree(tsec);
3154 }
3155 diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
3156 index ca73fe9..dbe35ed 100644
3157 --- a/sound/pci/hda/hda_intel.c
3158 +++ b/sound/pci/hda/hda_intel.c
3159 @@ -2236,6 +2236,7 @@ static struct snd_pci_quirk position_fix_list[] __devinitdata = {
3160 SND_PCI_QUIRK(0x1043, 0x813d, "ASUS P5AD2", POS_FIX_LPIB),
3161 SND_PCI_QUIRK(0x1043, 0x81b3, "ASUS", POS_FIX_LPIB),
3162 SND_PCI_QUIRK(0x1043, 0x81e7, "ASUS M2V", POS_FIX_LPIB),
3163 + SND_PCI_QUIRK(0x1043, 0x8410, "ASUS", POS_FIX_LPIB),
3164 SND_PCI_QUIRK(0x104d, 0x9069, "Sony VPCS11V9E", POS_FIX_LPIB),
3165 SND_PCI_QUIRK(0x1106, 0x3288, "ASUS M2V-MX SE", POS_FIX_LPIB),
3166 SND_PCI_QUIRK(0x1179, 0xff10, "Toshiba A100-259", POS_FIX_LPIB),
3167 diff --git a/sound/usb/caiaq/audio.c b/sound/usb/caiaq/audio.c
3168 index 86b2c3b..007b4bf 100644
3169 --- a/sound/usb/caiaq/audio.c
3170 +++ b/sound/usb/caiaq/audio.c
3171 @@ -639,7 +639,7 @@ int snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *dev)
3172 }
3173
3174 dev->pcm->private_data = dev;
3175 - strcpy(dev->pcm->name, dev->product_name);
3176 + strlcpy(dev->pcm->name, dev->product_name, sizeof(dev->pcm->name));
3177
3178 memset(dev->sub_playback, 0, sizeof(dev->sub_playback));
3179 memset(dev->sub_capture, 0, sizeof(dev->sub_capture));
3180 diff --git a/sound/usb/caiaq/midi.c b/sound/usb/caiaq/midi.c
3181 index 538e8c0..bd55649 100644
3182 --- a/sound/usb/caiaq/midi.c
3183 +++ b/sound/usb/caiaq/midi.c
3184 @@ -135,7 +135,7 @@ int snd_usb_caiaq_midi_init(struct snd_usb_caiaqdev *device)
3185 if (ret < 0)
3186 return ret;
3187
3188 - strcpy(rmidi->name, device->product_name);
3189 + strlcpy(rmidi->name, device->product_name, sizeof(rmidi->name));
3190
3191 rmidi->info_flags = SNDRV_RAWMIDI_INFO_DUPLEX;
3192 rmidi->private_data = device;

  ViewVC Help
Powered by ViewVC 1.1.20