Magellan Linux

Contents of /trunk/kernel26-magellan/patches-2.6.16-r12/0132-2.6.16.17-all-fixes.patch



Revision 72 - (show annotations) (download)
Mon Jun 5 09:25:38 2006 UTC (17 years, 11 months ago) by niro
File size: 23659 byte(s)
ver bump to 2.6.16-r12:
- updated to linux-2.6.16.19
- updated to ck11

1 diff --git a/block/elevator.c b/block/elevator.c
2 index 24b702d..ef1e606 100644
3 --- a/block/elevator.c
4 +++ b/block/elevator.c
5 @@ -314,6 +314,7 @@ void elv_insert(request_queue_t *q, stru
6 {
7 struct list_head *pos;
8 unsigned ordseq;
9 + int unplug_it = 1;
10
11 rq->q = q;
12
13 @@ -378,6 +379,11 @@ void elv_insert(request_queue_t *q, stru
14 }
15
16 list_add_tail(&rq->queuelist, pos);
17 + /*
18 + * most requeues happen because of a busy condition, don't
19 + * force unplug of the queue for that case.
20 + */
21 + unplug_it = 0;
22 break;
23
24 default:
25 @@ -386,7 +392,7 @@ void elv_insert(request_queue_t *q, stru
26 BUG();
27 }
28
29 - if (blk_queue_plugged(q)) {
30 + if (unplug_it && blk_queue_plugged(q)) {
31 int nrq = q->rq.count[READ] + q->rq.count[WRITE]
32 - q->in_flight;
33
34 diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c
35 index 0ef2971..cd995c3 100644
36 --- a/block/ll_rw_blk.c
37 +++ b/block/ll_rw_blk.c
38 @@ -1719,8 +1719,21 @@ void blk_run_queue(struct request_queue
39
40 spin_lock_irqsave(q->queue_lock, flags);
41 blk_remove_plug(q);
42 - if (!elv_queue_empty(q))
43 - q->request_fn(q);
44 +
45 + /*
46 + * Only recurse once to avoid overrunning the stack, let the unplug
47 + * handling reinvoke the handler shortly if we already got there.
48 + */
49 + if (!elv_queue_empty(q)) {
50 + if (!test_and_set_bit(QUEUE_FLAG_REENTER, &q->queue_flags)) {
51 + q->request_fn(q);
52 + clear_bit(QUEUE_FLAG_REENTER, &q->queue_flags);
53 + } else {
54 + blk_plug_device(q);
55 + kblockd_schedule_work(&q->unplug_work);
56 + }
57 + }
58 +
59 spin_unlock_irqrestore(q->queue_lock, flags);
60 }
61 EXPORT_SYMBOL(blk_run_queue);
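Review bot: The comment above the new `test_and_set_bit(QUEUE_FLAG_REENTER, ...)` guard in blk_run_queue() describes only recursion, but the flag lives in `q->queue_flags` and is therefore per queue, not per caller. If `q->request_fn` can drop `queue_lock` while it runs (not visible in this hunk), a caller on another CPU would also find the bit set and take the `blk_plug_device()` / `kblockd_schedule_work()` branch. I would extend the comment to say so, for example `/* REENTER is per-queue: any caller that finds it set, recursive or concurrent, defers to kblockd */`.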
62 diff --git a/drivers/block/ub.c b/drivers/block/ub.c
63 index f04d864..a9485e5 100644
64 --- a/drivers/block/ub.c
65 +++ b/drivers/block/ub.c
66 @@ -704,6 +704,9 @@ static void ub_cleanup(struct ub_dev *sc
67 kfree(lun);
68 }
69
70 + usb_set_intfdata(sc->intf, NULL);
71 + usb_put_intf(sc->intf);
72 + usb_put_dev(sc->dev);
73 kfree(sc);
74 }
75
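Review bot: Moving `usb_set_intfdata(sc->intf, NULL)` from ub_disconnect() into ub_cleanup() means the interface data is cleared when the last reference is dropped, not at disconnect time. The last hunk of this file suggests the final `ub_put(sc)` can come after ub_disconnect() has returned, for example on a close after unplug. If the interface has been bound to another driver in the meantime, this late call would wipe that driver's pointer. Consider keeping the `usb_set_intfdata(intf, NULL);` in ub_disconnect() and leaving only the two `usb_put_*` calls here, or add a comment explaining why a late clear is safe. ub_cleanup() starts outside this hunk.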
76 @@ -2428,7 +2431,12 @@ static int ub_probe(struct usb_interface
77 // sc->ifnum = intf->cur_altsetting->desc.bInterfaceNumber;
78 usb_set_intfdata(intf, sc);
79 usb_get_dev(sc->dev);
80 - // usb_get_intf(sc->intf); /* Do we need this? */
81 + /*
82 + * Since we give the interface struct to the block level through
83 + * disk->driverfs_dev, we have to pin it. Otherwise, block_uevent
84 + * oopses on close after a disconnect (kernels 2.6.16 and up).
85 + */
86 + usb_get_intf(sc->intf);
87
88 snprintf(sc->name, 12, DRV_NAME "(%d.%d)",
89 sc->dev->bus->busnum, sc->dev->devnum);
90 @@ -2509,7 +2517,7 @@ #endif
91 err_diag:
92 err_dev_desc:
93 usb_set_intfdata(intf, NULL);
94 - // usb_put_intf(sc->intf);
95 + usb_put_intf(sc->intf);
96 usb_put_dev(sc->dev);
97 kfree(sc);
98 err_core:
99 @@ -2688,12 +2696,6 @@ static void ub_disconnect(struct usb_int
100 */
101
102 device_remove_file(&sc->intf->dev, &dev_attr_diag);
103 - usb_set_intfdata(intf, NULL);
104 - // usb_put_intf(sc->intf);
105 - sc->intf = NULL;
106 - usb_put_dev(sc->dev);
107 - sc->dev = NULL;
108 -
109 ub_put(sc);
110 }
111
112 diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
113 index 5fdf185..b61354a 100644
114 --- a/drivers/char/pcmcia/cm4000_cs.c
115 +++ b/drivers/char/pcmcia/cm4000_cs.c
116 @@ -2010,10 +2010,6 @@ static int __init cmm_init(void)
117 if (!cmm_class)
118 return -1;
119
120 - rc = pcmcia_register_driver(&cm4000_driver);
121 - if (rc < 0)
122 - return rc;
123 -
124 major = register_chrdev(0, DEVICE_NAME, &cm4000_fops);
125 if (major < 0) {
126 printk(KERN_WARNING MODULE_NAME
127 @@ -2021,6 +2017,12 @@ static int __init cmm_init(void)
128 return -1;
129 }
130
131 + rc = pcmcia_register_driver(&cm4000_driver);
132 + if (rc < 0) {
133 + unregister_chrdev(major, DEVICE_NAME);
134 + return rc;
135 + }
136 +
137 return 0;
138 }
139
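Review bot: The new error path in cmm_init() undoes `register_chrdev()` but still leaves `cmm_class` allocated. The `if (!cmm_class)` check at the top of the first hunk shows the class was set up earlier in the function, outside the hunk. Both the `major < 0` return and the new `rc < 0` return exit without releasing it, so a failed module load leaks the class; adding `class_destroy(cmm_class);` before each of those returns would close that. The bare `return -1;` values also surface to the module loader as -EPERM, so returning `major` (already negative) would be more accurate. The same applies to `cmx_class` in the cm4040_init() hunk of cm4040_cs.c.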
140 diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c
141 index 466e33b..744b57d 100644
142 --- a/drivers/char/pcmcia/cm4040_cs.c
143 +++ b/drivers/char/pcmcia/cm4040_cs.c
144 @@ -769,16 +769,19 @@ static int __init cm4040_init(void)
145 if (!cmx_class)
146 return -1;
147
148 - rc = pcmcia_register_driver(&reader_driver);
149 - if (rc < 0)
150 - return rc;
151 -
152 major = register_chrdev(0, DEVICE_NAME, &reader_fops);
153 if (major < 0) {
154 printk(KERN_WARNING MODULE_NAME
155 ": could not get major number\n");
156 return -1;
157 }
158 +
159 + rc = pcmcia_register_driver(&reader_driver);
160 + if (rc < 0) {
161 + unregister_chrdev(major, DEVICE_NAME);
162 + return rc;
163 + }
164 +
165 return 0;
166 }
167
168 diff --git a/drivers/i2c/busses/scx200_acb.c b/drivers/i2c/busses/scx200_acb.c
169 index d3478e0..ad44dd5 100644
170 --- a/drivers/i2c/busses/scx200_acb.c
171 +++ b/drivers/i2c/busses/scx200_acb.c
172 @@ -440,7 +440,6 @@ static int __init scx200_acb_create(int
173 struct scx200_acb_iface *iface;
174 struct i2c_adapter *adapter;
175 int rc = 0;
176 - char description[64];
177
178 iface = kzalloc(sizeof(*iface), GFP_KERNEL);
179 if (!iface) {
180 @@ -459,8 +458,7 @@ static int __init scx200_acb_create(int
181
182 init_MUTEX(&iface->sem);
183
184 - snprintf(description, sizeof(description), "NatSemi SCx200 ACCESS.bus [%s]", adapter->name);
185 - if (request_region(base, 8, description) == 0) {
186 + if (!request_region(base, 8, adapter->name)) {
187 dev_err(&adapter->dev, "can't allocate io 0x%x-0x%x\n",
188 base, base + 8-1);
189 rc = -EBUSY;
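Review bot: The switch to `request_region(base, 8, adapter->name)` deserves a comment on why the name buffer changed, because the reason is a lifetime issue that the code alone does not show. request_region() stores the name pointer in the resource rather than copying it, so the removed on-stack `description[64]` would have been left dangling once scx200_acb_create() returned. I would add `/* the resource keeps this pointer: the name must live as long as the region */` above the call. It is also worth confirming that the teardown path, outside this hunk, releases the region before `iface` is freed.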
190 diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
191 index ab90a6d..039ed49 100644
192 --- a/drivers/md/raid10.c
193 +++ b/drivers/md/raid10.c
194 @@ -1436,9 +1436,9 @@ static void raid10d(mddev_t *mddev)
195 sl--;
196 d = r10_bio->devs[sl].devnum;
197 rdev = conf->mirrors[d].rdev;
198 - atomic_add(s, &rdev->corrected_errors);
199 if (rdev &&
200 test_bit(In_sync, &rdev->flags)) {
201 + atomic_add(s, &rdev->corrected_errors);
202 if (sync_page_io(rdev->bdev,
203 r10_bio->devs[sl].addr +
204 sect + rdev->data_offset,
205 diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
206 index caf4102..7d00722 100644
207 --- a/drivers/net/tg3.c
208 +++ b/drivers/net/tg3.c
209 @@ -7368,21 +7368,23 @@ static int tg3_get_settings(struct net_d
210 cmd->supported |= (SUPPORTED_1000baseT_Half |
211 SUPPORTED_1000baseT_Full);
212
213 - if (!(tp->tg3_flags2 & TG3_FLG2_ANY_SERDES))
214 + if (!(tp->tg3_flags2 & TG3_FLG2_ANY_SERDES)) {
215 cmd->supported |= (SUPPORTED_100baseT_Half |
216 SUPPORTED_100baseT_Full |
217 SUPPORTED_10baseT_Half |
218 SUPPORTED_10baseT_Full |
219 SUPPORTED_MII);
220 - else
221 + cmd->port = PORT_TP;
222 + } else {
223 cmd->supported |= SUPPORTED_FIBRE;
224 + cmd->port = PORT_FIBRE;
225 + }
226
227 cmd->advertising = tp->link_config.advertising;
228 if (netif_running(dev)) {
229 cmd->speed = tp->link_config.active_speed;
230 cmd->duplex = tp->link_config.active_duplex;
231 }
232 - cmd->port = 0;
233 cmd->phy_address = PHY_ADDR;
234 cmd->transceiver = 0;
235 cmd->autoneg = tp->link_config.autoneg;
236 diff --git a/drivers/net/via-rhine.c b/drivers/net/via-rhine.c
237 index 2418715..56864ff 100644
238 --- a/drivers/net/via-rhine.c
239 +++ b/drivers/net/via-rhine.c
240 @@ -129,6 +129,7 @@
241 - Massive clean-up
242 - Rewrite PHY, media handling (remove options, full_duplex, backoff)
243 - Fix Tx engine race for good
244 + - Craig Brind: Zero padded aligned buffers for short packets.
245
246 */
247
248 @@ -1306,7 +1307,12 @@ static int rhine_start_tx(struct sk_buff
249 rp->stats.tx_dropped++;
250 return 0;
251 }
252 +
253 + /* Padding is not copied and so must be redone. */
254 skb_copy_and_csum_dev(skb, rp->tx_buf[entry]);
255 + if (skb->len < ETH_ZLEN)
256 + memset(rp->tx_buf[entry] + skb->len, 0,
257 + ETH_ZLEN - skb->len);
258 rp->tx_skbuff_dma[entry] = 0;
259 rp->tx_ring[entry].addr = cpu_to_le32(rp->tx_bufs_dma +
260 (rp->tx_buf[entry] -
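Review bot: The new comment `/* Padding is not copied and so must be redone. */` in rhine_start_tx() does not say what goes wrong without the memset, which is the part a later reader needs. `rp->tx_buf[entry]` looks like a per-ring-entry bounce buffer that is reused between frames. Without the zero fill, a frame shorter than `ETH_ZLEN` would presumably go out with leftover bytes from an earlier packet in its pad area. I would word it as `/* bounce buffer is reused: zero the tail of a short frame so no stale packet data is sent as padding */`. The transmit length programmed into the descriptor is set outside this hunk and should be checked to be at least `ETH_ZLEN` on this path.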
261 diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c
262 index 6917c6c..c2ecae5 100644
263 --- a/drivers/pci/pci-acpi.c
264 +++ b/drivers/pci/pci-acpi.c
265 @@ -33,13 +33,10 @@ acpi_query_osc (
266 acpi_status status;
267 struct acpi_object_list input;
268 union acpi_object in_params[4];
269 - struct acpi_buffer output;
270 - union acpi_object out_obj;
271 + struct acpi_buffer output = {ACPI_ALLOCATE_BUFFER, NULL};
272 + union acpi_object *out_obj;
273 u32 osc_dw0;
274
275 - /* Setting up output buffer */
276 - output.length = sizeof(out_obj) + 3*sizeof(u32);
277 - output.pointer = &out_obj;
278
279 /* Setting up input parameters */
280 input.count = 4;
281 @@ -61,12 +58,15 @@ acpi_query_osc (
282 "Evaluate _OSC Set fails. Status = 0x%04x\n", status);
283 return status;
284 }
285 - if (out_obj.type != ACPI_TYPE_BUFFER) {
286 + out_obj = output.pointer;
287 +
288 + if (out_obj->type != ACPI_TYPE_BUFFER) {
289 printk(KERN_DEBUG
290 "Evaluate _OSC returns wrong type\n");
291 - return AE_TYPE;
292 + status = AE_TYPE;
293 + goto query_osc_out;
294 }
295 - osc_dw0 = *((u32 *) out_obj.buffer.pointer);
296 + osc_dw0 = *((u32 *) out_obj->buffer.pointer);
297 if (osc_dw0) {
298 if (osc_dw0 & OSC_REQUEST_ERROR)
299 printk(KERN_DEBUG "_OSC request fails\n");
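Review bot: With `ACPI_ALLOCATE_BUFFER` the size of the returned object is now chosen by firmware, yet acpi_query_osc() dereferences `out_obj` and reads dwords from `out_obj->buffer.pointer` without checking either. A NULL `output.pointer` or a buffer shorter than 12 bytes would make the reads at offset 0 and at `+8` (next hunk) go out of bounds. The type check could become `if (!out_obj || out_obj->type != ACPI_TYPE_BUFFER || out_obj->buffer.length < 3 * sizeof(u32)) {`. The acpi_run_osc() hunks below have the same pattern; only the first dword is read there, so `sizeof(u32)` is enough as the lower bound.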
300 @@ -76,15 +76,21 @@ acpi_query_osc (
301 printk(KERN_DEBUG "_OSC invalid revision\n");
302 if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) {
303 /* Update Global Control Set */
304 - global_ctrlsets = *((u32 *)(out_obj.buffer.pointer+8));
305 - return AE_OK;
306 + global_ctrlsets = *((u32 *)(out_obj->buffer.pointer+8));
307 + status = AE_OK;
308 + goto query_osc_out;
309 }
310 - return AE_ERROR;
311 + status = AE_ERROR;
312 + goto query_osc_out;
313 }
314
315 /* Update Global Control Set */
316 - global_ctrlsets = *((u32 *)(out_obj.buffer.pointer + 8));
317 - return AE_OK;
318 + global_ctrlsets = *((u32 *)(out_obj->buffer.pointer + 8));
319 + status = AE_OK;
320 +
321 +query_osc_out:
322 + kfree(output.pointer);
323 + return status;
324 }
325
326
327 @@ -96,14 +102,10 @@ acpi_run_osc (
328 acpi_status status;
329 struct acpi_object_list input;
330 union acpi_object in_params[4];
331 - struct acpi_buffer output;
332 - union acpi_object out_obj;
333 + struct acpi_buffer output = {ACPI_ALLOCATE_BUFFER, NULL};
334 + union acpi_object *out_obj;
335 u32 osc_dw0;
336
337 - /* Setting up output buffer */
338 - output.length = sizeof(out_obj) + 3*sizeof(u32);
339 - output.pointer = &out_obj;
340 -
341 /* Setting up input parameters */
342 input.count = 4;
343 input.pointer = in_params;
344 @@ -124,12 +126,14 @@ acpi_run_osc (
345 "Evaluate _OSC Set fails. Status = 0x%04x\n", status);
346 return status;
347 }
348 - if (out_obj.type != ACPI_TYPE_BUFFER) {
349 + out_obj = output.pointer;
350 + if (out_obj->type != ACPI_TYPE_BUFFER) {
351 printk(KERN_DEBUG
352 "Evaluate _OSC returns wrong type\n");
353 - return AE_TYPE;
354 + status = AE_TYPE;
355 + goto run_osc_out;
356 }
357 - osc_dw0 = *((u32 *) out_obj.buffer.pointer);
358 + osc_dw0 = *((u32 *) out_obj->buffer.pointer);
359 if (osc_dw0) {
360 if (osc_dw0 & OSC_REQUEST_ERROR)
361 printk(KERN_DEBUG "_OSC request fails\n");
362 @@ -139,11 +143,17 @@ acpi_run_osc (
363 printk(KERN_DEBUG "_OSC invalid revision\n");
364 if (osc_dw0 & OSC_CAPABILITIES_MASK_ERROR) {
365 printk(KERN_DEBUG "_OSC FW not grant req. control\n");
366 - return AE_SUPPORT;
367 + status = AE_SUPPORT;
368 + goto run_osc_out;
369 }
370 - return AE_ERROR;
371 + status = AE_ERROR;
372 + goto run_osc_out;
373 }
374 - return AE_OK;
375 + status = AE_OK;
376 +
377 +run_osc_out:
378 + kfree(output.pointer);
379 + return status;
380 }
381
382 /**
383 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
384 index dda6099..381f36b 100644
385 --- a/drivers/pci/quirks.c
386 +++ b/drivers/pci/quirks.c
387 @@ -631,6 +631,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_V
388 * non-x86 architectures (yes Via exists on PPC among other places),
389 * we must mask the PCI_INTERRUPT_LINE value versus 0xf to get
390 * interrupts delivered properly.
391 + *
392 + * Some of the on-chip devices are actually '586 devices' so they are
393 + * listed here.
394 */
395 static void quirk_via_irq(struct pci_dev *dev)
396 {
397 @@ -639,13 +642,19 @@ static void quirk_via_irq(struct pci_dev
398 new_irq = dev->irq & 0xf;
399 pci_read_config_byte(dev, PCI_INTERRUPT_LINE, &irq);
400 if (new_irq != irq) {
401 - printk(KERN_INFO "PCI: Via IRQ fixup for %s, from %d to %d\n",
402 + printk(KERN_INFO "PCI: VIA IRQ fixup for %s, from %d to %d\n",
403 pci_name(dev), irq, new_irq);
404 udelay(15); /* unknown if delay really needed */
405 pci_write_config_byte(dev, PCI_INTERRUPT_LINE, new_irq);
406 }
407 }
408 -DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_ANY_ID, quirk_via_irq);
409 +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_0, quirk_via_irq);
410 +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_1, quirk_via_irq);
411 +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_2, quirk_via_irq);
412 +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C586_3, quirk_via_irq);
413 +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686, quirk_via_irq);
414 +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4, quirk_via_irq);
415 +DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_5, quirk_via_irq);
416
417 /*
418 * VIA VT82C598 has its device ID settable and many BIOSes
419 @@ -861,6 +870,7 @@ static void __init quirk_eisa_bridge(str
420 }
421 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82375, quirk_eisa_bridge );
422
423 +#ifndef CONFIG_ACPI_SLEEP
424 /*
425 * On ASUS P4B boards, the SMBus PCI Device within the ICH2/4 southbridge
426 * is not activated. The myth is that Asus said that they do not want the
427 @@ -872,8 +882,12 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_I
428 * bridge. Unfortunately, this device has no subvendor/subdevice ID. So it
429 * becomes necessary to do this tweak in two steps -- I've chosen the Host
430 * bridge as trigger.
431 + *
432 + * Actually, leaving it unhidden and not redoing the quirk over suspend2ram
433 + * will cause thermal management to break down, and causing machine to
434 + * overheat.
435 */
436 -static int __initdata asus_hides_smbus = 0;
437 +static int __initdata asus_hides_smbus;
438
439 static void __init asus_hides_smbus_hostbridge(struct pci_dev *dev)
440 {
441 @@ -1008,6 +1022,8 @@ static void __init asus_hides_smbus_lpc_
442 }
443 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH6_1, asus_hides_smbus_lpc_ich6 );
444
445 +#endif
446 +
447 /*
448 * SiS 96x south bridge: BIOS typically hides SMBus device...
449 */
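Review bot: The `#endif` added here closes an `#ifndef CONFIG_ACPI_SLEEP` opened more than a hundred lines earlier, and carries no marker. Writing it as `#endif /* !CONFIG_ACPI_SLEEP */` would make it clear that the whole family of asus_hides_smbus quirks is compiled out when ACPI sleep support is configured.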
450 diff --git a/fs/compat.c b/fs/compat.c
451 index 04f6fb5..8491bb8 100644
452 --- a/fs/compat.c
453 +++ b/fs/compat.c
454 @@ -1901,7 +1901,7 @@ asmlinkage long compat_sys_ppoll(struct
455 }
456
457 if (sigmask) {
458 - if (sigsetsize |= sizeof(compat_sigset_t))
459 + if (sigsetsize != sizeof(compat_sigset_t))
460 return -EINVAL;
461 if (copy_from_user(&ss32, sigmask, sizeof(ss32)))
462 return -EFAULT;
463 diff --git a/fs/locks.c b/fs/locks.c
464 index aa7f660..39b038b 100644
465 --- a/fs/locks.c
466 +++ b/fs/locks.c
467 @@ -714,8 +714,9 @@ EXPORT_SYMBOL(posix_locks_deadlock);
468 * at the head of the list, but that's secret knowledge known only to
469 * flock_lock_file and posix_lock_file.
470 */
471 -static int flock_lock_file(struct file *filp, struct file_lock *new_fl)
472 +static int flock_lock_file(struct file *filp, struct file_lock *request)
473 {
474 + struct file_lock *new_fl = NULL;
475 struct file_lock **before;
476 struct inode * inode = filp->f_dentry->d_inode;
477 int error = 0;
478 @@ -730,17 +731,19 @@ static int flock_lock_file(struct file *
479 continue;
480 if (filp != fl->fl_file)
481 continue;
482 - if (new_fl->fl_type == fl->fl_type)
483 + if (request->fl_type == fl->fl_type)
484 goto out;
485 found = 1;
486 locks_delete_lock(before);
487 break;
488 }
489 - unlock_kernel();
490
491 - if (new_fl->fl_type == F_UNLCK)
492 - return 0;
493 + if (request->fl_type == F_UNLCK)
494 + goto out;
495
496 + new_fl = locks_alloc_lock();
497 + if (new_fl == NULL)
498 + goto out;
499 /*
500 * If a higher-priority process was blocked on the old file lock,
501 * give it the opportunity to lock the file.
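Review bot: When `locks_alloc_lock()` fails in flock_lock_file(), the new `goto out` is taken while `error` still holds its initial 0 (see `int error = 0;` in the first hunk). The caller is then told the lock was taken when nothing was inserted. The branch should set an error first: `if (new_fl == NULL) { error = -ENOMEM; goto out; }`. The allocation also happens after `locks_delete_lock(before)` has already dropped the caller's existing lock, so a failed lock conversion loses the old lock as well. Allocating before the first `for_each_lock` walk would avoid that; the start of that loop is outside this hunk.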
502 @@ -748,26 +751,27 @@ static int flock_lock_file(struct file *
503 if (found)
504 cond_resched();
505
506 - lock_kernel();
507 for_each_lock(inode, before) {
508 struct file_lock *fl = *before;
509 if (IS_POSIX(fl))
510 break;
511 if (IS_LEASE(fl))
512 continue;
513 - if (!flock_locks_conflict(new_fl, fl))
514 + if (!flock_locks_conflict(request, fl))
515 continue;
516 error = -EAGAIN;
517 - if (new_fl->fl_flags & FL_SLEEP) {
518 - locks_insert_block(fl, new_fl);
519 - }
520 + if (request->fl_flags & FL_SLEEP)
521 + locks_insert_block(fl, request);
522 goto out;
523 }
524 + locks_copy_lock(new_fl, request);
525 locks_insert_lock(&inode->i_flock, new_fl);
526 - error = 0;
527 + new_fl = NULL;
528
529 out:
530 unlock_kernel();
531 + if (new_fl)
532 + locks_free_lock(new_fl);
533 return error;
534 }
535
536 @@ -1532,9 +1536,7 @@ asmlinkage long sys_flock(unsigned int f
537 error = flock_lock_file_wait(filp, lock);
538
539 out_free:
540 - if (list_empty(&lock->fl_link)) {
541 - locks_free_lock(lock);
542 - }
543 + locks_free_lock(lock);
544
545 out_putf:
546 fput(filp);
547 diff --git a/fs/smbfs/request.c b/fs/smbfs/request.c
548 index c71c375..c71dd27 100644
549 --- a/fs/smbfs/request.c
550 +++ b/fs/smbfs/request.c
551 @@ -339,9 +339,11 @@ #endif
552 /*
553 * On timeout or on interrupt we want to try and remove the
554 * request from the recvq/xmitq.
555 + * First check if the request is still part of a queue. (May
556 + * have been removed by some error condition)
557 */
558 smb_lock_server(server);
559 - if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
560 + if (!list_empty(&req->rq_queue)) {
561 list_del_init(&req->rq_queue);
562 smb_rput(req);
563 }
564 diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
565 index e673b2c..aa6033c 100644
566 --- a/include/net/sctp/sctp.h
567 +++ b/include/net/sctp/sctp.h
568 @@ -461,12 +461,12 @@ static inline int sctp_frag_point(const
569 * there is room for a param header too.
570 */
571 #define sctp_walk_params(pos, chunk, member)\
572 -_sctp_walk_params((pos), (chunk), WORD_ROUND(ntohs((chunk)->chunk_hdr.length)), member)
573 +_sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member)
574
575 #define _sctp_walk_params(pos, chunk, end, member)\
576 for (pos.v = chunk->member;\
577 pos.v <= (void *)chunk + end - sizeof(sctp_paramhdr_t) &&\
578 - pos.v <= (void *)chunk + end - WORD_ROUND(ntohs(pos.p->length)) &&\
579 + pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\
580 ntohs(pos.p->length) >= sizeof(sctp_paramhdr_t);\
581 pos.v += WORD_ROUND(ntohs(pos.p->length)))
582
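Review bot: After this change `_sctp_walk_params` bounds-checks with the unpadded `ntohs(pos.p->length)` but still advances by `WORD_ROUND(ntohs(pos.p->length))`, and the comment above the macro does not mention that asymmetry. The loop also ends silently when a parameter's length field is too small or runs past `end`, so a caller cannot tell a clean walk from a truncated one unless it compares `pos.v` with the end of the chunk afterwards. I would add a sentence to the macro comment stating both points, for example `/* stops early on a malformed length; callers must check that pos.v reached the end of the chunk */`. The same applies to `_sctp_walk_errors` in the next hunk.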
583 @@ -477,7 +477,7 @@ #define _sctp_walk_errors(err, chunk_hdr
584 for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \
585 sizeof(sctp_chunkhdr_t));\
586 (void *)err <= (void *)chunk_hdr + end - sizeof(sctp_errhdr_t) &&\
587 - (void *)err <= (void *)chunk_hdr + end - WORD_ROUND(ntohs(err->length)) &&\
588 + (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\
589 ntohs(err->length) >= sizeof(sctp_errhdr_t); \
590 err = (sctp_errhdr_t *)((void *)err + WORD_ROUND(ntohs(err->length))))
591
592 diff --git a/kernel/ptrace.c b/kernel/ptrace.c
593 index b5eaeb9..48453c3 100644
594 --- a/kernel/ptrace.c
595 +++ b/kernel/ptrace.c
596 @@ -149,12 +149,34 @@ int ptrace_may_attach(struct task_struct
597 int ptrace_attach(struct task_struct *task)
598 {
599 int retval;
600 - task_lock(task);
601 +
602 retval = -EPERM;
603 if (task->pid <= 1)
604 - goto bad;
605 + goto out;
606 if (task->tgid == current->tgid)
607 - goto bad;
608 + goto out;
609 +
610 +repeat:
611 + /*
612 + * Nasty, nasty.
613 + *
614 + * We want to hold both the task-lock and the
615 + * tasklist_lock for writing at the same time.
616 + * But that's against the rules (tasklist_lock
617 + * is taken for reading by interrupts on other
618 + * cpu's that may have task_lock).
619 + */
620 + task_lock(task);
621 + local_irq_disable();
622 + if (!write_trylock(&tasklist_lock)) {
623 + local_irq_enable();
624 + task_unlock(task);
625 + do {
626 + cpu_relax();
627 + } while (!write_can_lock(&tasklist_lock));
628 + goto repeat;
629 + }
630 +
631 /* the same process cannot be attached many times */
632 if (task->ptrace & PT_PTRACED)
633 goto bad;
634 @@ -167,17 +189,15 @@ int ptrace_attach(struct task_struct *ta
635 ? PT_ATTACHED : 0);
636 if (capable(CAP_SYS_PTRACE))
637 task->ptrace |= PT_PTRACE_CAP;
638 - task_unlock(task);
639
640 - write_lock_irq(&tasklist_lock);
641 __ptrace_link(task, current);
642 - write_unlock_irq(&tasklist_lock);
643
644 force_sig_specific(SIGSTOP, task);
645 - return 0;
646
647 bad:
648 + write_unlock_irq(&tasklist_lock);
649 task_unlock(task);
650 +out:
651 return retval;
652 }
653
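Review bot: With `return 0;` removed, the success path of ptrace_attach() now falls through the `bad:` label, so the function's result depends on `retval` already being 0 when `force_sig_specific()` returns. The assignment that makes it 0 is not in this hunk. A label named `bad` that is also the normal exit is easy to misread during a later edit; I would rename it to something neutral such as `unlock:`. At minimum add `/* success falls through with retval == 0 */` before the label.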
654 @@ -418,21 +438,22 @@ #endif
655 */
656 int ptrace_traceme(void)
657 {
658 - int ret;
659 + int ret = -EPERM;
660
661 /*
662 * Are we already being traced?
663 */
664 - if (current->ptrace & PT_PTRACED)
665 - return -EPERM;
666 - ret = security_ptrace(current->parent, current);
667 - if (ret)
668 - return -EPERM;
669 - /*
670 - * Set the ptrace bit in the process ptrace flags.
671 - */
672 - current->ptrace |= PT_PTRACED;
673 - return 0;
674 + task_lock(current);
675 + if (!(current->ptrace & PT_PTRACED)) {
676 + ret = security_ptrace(current->parent, current);
677 + /*
678 + * Set the ptrace bit in the process ptrace flags.
679 + */
680 + if (!ret)
681 + current->ptrace |= PT_PTRACED;
682 + }
683 + task_unlock(current);
684 + return ret;
685 }
686
687 /**
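Review bot: ptrace_traceme() now returns whatever `security_ptrace()` returns, where the old code mapped every non-zero result to `-EPERM`. That is a user-visible errno change if a security module returns a different code. Either keep the mapping with `if (ret) ret = -EPERM;` or note the change in the function comment. The hook is also now called with `task_lock(current)` held, so it must not sleep. Whether every implementation of the hook meets that is not visible from this hunk and is worth stating in the comment.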
688 diff --git a/mm/mempolicy.c b/mm/mempolicy.c
689 index b21869a..8d7ddf0 100644
690 --- a/mm/mempolicy.c
691 +++ b/mm/mempolicy.c
692 @@ -1796,7 +1796,6 @@ static void gather_stats(struct page *pa
693 md->mapcount_max = count;
694
695 md->node[page_to_nid(page)]++;
696 - cond_resched();
697 }
698
699 #ifdef CONFIG_HUGETLB_PAGE
700 diff --git a/mm/shmem.c b/mm/shmem.c
701 index 7c455fb..f0eb2f2 100644
702 --- a/mm/shmem.c
703 +++ b/mm/shmem.c
704 @@ -2172,6 +2172,7 @@ #ifdef CONFIG_TMPFS
705 .prepare_write = shmem_prepare_write,
706 .commit_write = simple_commit_write,
707 #endif
708 + .migratepage = migrate_page,
709 };
710
711 static struct file_operations shmem_file_operations = {
712 diff --git a/mm/vmscan.c b/mm/vmscan.c
713 index 4fe7e3a..1d64dc1 100644
714 --- a/mm/vmscan.c
715 +++ b/mm/vmscan.c
716 @@ -949,6 +949,17 @@ redo:
717 goto unlock_both;
718 }
719
720 + /* Make sure the dirty bit is up to date */
721 + if (try_to_unmap(page, 1) == SWAP_FAIL) {
722 + rc = -EPERM;
723 + goto unlock_both;
724 + }
725 +
726 + if (page_mapcount(page)) {
727 + rc = -EAGAIN;
728 + goto unlock_both;
729 + }
730 +
731 /*
732 * Default handling if a filesystem does not provide
733 * a migration function. We can only migrate clean
734 diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
735 index 7d7ab94..12bfc25 100644
736 --- a/net/ipv4/netfilter/arp_tables.c
737 +++ b/net/ipv4/netfilter/arp_tables.c
738 @@ -941,7 +941,7 @@ static int do_add_counters(void __user *
739
740 write_lock_bh(&t->lock);
741 private = t->private;
742 - if (private->number != paddc->num_counters) {
743 + if (private->number != tmp.num_counters) {
744 ret = -EINVAL;
745 goto unlock_up_free;
746 }
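Review bot: The reason for comparing `private->number` with `tmp.num_counters` instead of `paddc->num_counters` is not recorded next to the check, and the two expressions look interchangeable to anyone tidying this code later. From the names, `tmp` appears to be the header that was copied first and used to size the buffer, while `paddc` is a second copy of the same user memory. Both copies are made outside this hunk, so this should be confirmed. If so, the count in `paddc` can differ from the one that was validated. A comment such as `/* use the validated header copy; paddc was read from user space a second time */` would protect the fix. The same one-line change and the same missing comment appear in the do_add_counters() hunks of ip_tables.c and ip6_tables.c.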
747 diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
748 index 16f47c6..735d5ff 100644
749 --- a/net/ipv4/netfilter/ip_tables.c
750 +++ b/net/ipv4/netfilter/ip_tables.c
751 @@ -1063,7 +1063,7 @@ do_add_counters(void __user *user, unsig
752
753 write_lock_bh(&t->lock);
754 private = t->private;
755 - if (private->number != paddc->num_counters) {
756 + if (private->number != tmp.num_counters) {
757 ret = -EINVAL;
758 goto unlock_up_free;
759 }
760 diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
761 index 74ff56c..dd6ad42 100644
762 --- a/net/ipv6/netfilter/ip6_tables.c
763 +++ b/net/ipv6/netfilter/ip6_tables.c
764 @@ -1120,7 +1120,7 @@ do_add_counters(void __user *user, unsig
765
766 write_lock_bh(&t->lock);
767 private = t->private;
768 - if (private->number != paddc->num_counters) {
769 + if (private->number != tmp.num_counters) {
770 ret = -EINVAL;
771 goto unlock_up_free;
772 }
773 diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
774 index 8cdba51..9395e09 100644
775 --- a/net/sctp/sm_statefuns.c
776 +++ b/net/sctp/sm_statefuns.c
777 @@ -1030,6 +1030,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(
778 commands);
779
780 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
781 + /* Make sure that the length of the parameter is what we expect */
782 + if (ntohs(hbinfo->param_hdr.length) !=
783 + sizeof(sctp_sender_hb_info_t)) {
784 + return SCTP_DISPOSITION_DISCARD;
785 + }
786 +
787 from_addr = hbinfo->daddr;
788 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
789
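Review bot: The added check in sctp_sf_backbeat_8_3() compares the parameter's own length field with `sizeof(sctp_sender_hb_info_t)`, but that field comes from the same packet as the data it describes. It does not by itself show that `chunk->skb->data` holds that many bytes. The read of `hbinfo->daddr` right after it is only safe if the chunk length was validated against the full heartbeat-info size earlier in the function, which is outside this hunk. If the earlier check covers only the chunk and parameter headers, the chunk length should be tested here as well. The braces around the single `return` can also be dropped to match kernel style.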
790 diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
791 index 8a76492..6375dd5 100644
792 --- a/security/selinux/ss/services.c
793 +++ b/security/selinux/ss/services.c
794 @@ -592,6 +592,10 @@ int security_sid_to_context(u32 sid, cha
795
796 *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
797 scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
798 + if (!scontextp) {
799 + rc = -ENOMEM;
800 + goto out;
801 + }
802 strcpy(scontextp, initial_sid_to_string[sid]);
803 *scontext = scontextp;
804 goto out;
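Review bot: On the new `-ENOMEM` path in security_sid_to_context(), `*scontext_len` has already been set to the string length while `*scontext` is left unassigned, at least in the lines visible here. A caller that does not check the return code before using the length would then pair a non-zero length with a stale pointer. Computing the length into a local and storing it to `*scontext_len` only after the allocation succeeds would keep the two outputs consistent. The function starts and ends outside this hunk.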