Grsec/PaX: 2.9.1-{2.6.32.61,3.2.47,3.9.6}-20130618203320130618

50 files changed, 5603 insertions, 308 deletions

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 4d58a67..82857df 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -38,7 +38,7 @@ Patch:	1060_linux-2.6.32.61.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.61
 
-Patch:	4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch
+Patch:	4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch
index 7ee0064..2aa8c14 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306102216.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.61-201306171902.patch
@@ -43113,7 +43113,7 @@ index 918711a..4ffaf5e 100644
  	.clock_set = sgi_clock_set,
  	.clock_get = sgi_clock_get,
 diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
-index c689697..04e6d6a 100644
+index c689697..04e6d6a2 100644
 --- a/drivers/char/mwave/tp3780i.c
 +++ b/drivers/char/mwave/tp3780i.c
 @@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
@@ -64058,6 +64058,19 @@ index 80b19a4..dab3a45 100644
  	/* Offset of struct b43_dfs_file in struct b43_dfsentry */
  	size_t file_struct_offset;
  };
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 94dae56..3cf2472 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2257,7 +2257,7 @@ static int b43_request_firmware(struct b43_wldev *dev)
+ 	for (i = 0; i < B43_NR_FWTYPES; i++) {
+ 		errmsg = ctx->errors[i];
+ 		if (strlen(errmsg))
+-			b43err(dev->wl, errmsg);
++			b43err(dev->wl, "%s", errmsg);
+ 	}
+ 	b43_print_fw_helptext(dev->wl, 1);
+ 	err = -ENOENT;
 diff --git a/drivers/net/wireless/b43legacy/debugfs.c b/drivers/net/wireless/b43legacy/debugfs.c
 index 1f85ac5..c99b4b4 100644
 --- a/drivers/net/wireless/b43legacy/debugfs.c
@@ -68137,7 +68150,7 @@ index aa10f79..5cc79e4 100644
  
  	/* Used for deferred freeing of ELS data buffers */
 diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
-index 8d0f0de..7c77a62 100644
+index 8d0f0de..e679b1e 100644
 --- a/drivers/scsi/lpfc/lpfc_debugfs.c
 +++ b/drivers/scsi/lpfc/lpfc_debugfs.c
 @@ -124,7 +124,7 @@ struct lpfc_debug {
@@ -68210,6 +68223,15 @@ index 8d0f0de..7c77a62 100644
  	dtp->jif = jiffies;
  #endif
  	return;
+@@ -1072,7 +1074,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence)
+ 		pos = file->f_pos + off;
+ 		break;
+ 	case 2:
+-		pos = debug->len - off;
++		pos = debug->len + off;
+ 	}
+ 	return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos);
+ }
 @@ -1364,7 +1366,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
  						 "slow_ring buffer\n");
  				goto debug_failed;
@@ -102081,6 +102103,18 @@ index 0b4baba..0106e9e 100644
  struct scsi_host_template {
  	struct module *module;
  	const char *name;
+diff --git a/include/scsi/scsi_netlink.h b/include/scsi/scsi_netlink.h
+index 58ce8fe..4db1438 100644
+--- a/include/scsi/scsi_netlink.h
++++ b/include/scsi/scsi_netlink.h
+@@ -22,6 +22,7 @@
+ #ifndef SCSI_NETLINK_H
+ #define SCSI_NETLINK_H
+ 
++#include <linux/types.h>
+ #include <linux/netlink.h>
+ 
+ 
 diff --git a/include/scsi/scsi_transport_fc.h b/include/scsi/scsi_transport_fc.h
 index fc50bd6..81ba9cb 100644
 --- a/include/scsi/scsi_transport_fc.h
@@ -116800,7 +116834,7 @@ index b95699f..5fee919 100644
  	    (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
  	    (((cp->protocol != IPPROTO_TCP ||
 diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index 9bcd972..1cdb215 100644
+index 9bcd972..3e98c53 100644
 --- a/net/netfilter/ipvs/ip_vs_ctl.c
 +++ b/net/netfilter/ipvs/ip_vs_ctl.c
 @@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc,
@@ -116848,7 +116882,14 @@ index 9bcd972..1cdb215 100644
  };
  
  #endif
-@@ -2292,7 +2292,7 @@ __ip_vs_get_dest_entries(const struct ip_vs_get_dests *get,
+@@ -2286,13 +2286,14 @@ __ip_vs_get_dest_entries(const struct ip_vs_get_dests *get,
+ 		struct ip_vs_dest *dest;
+ 		struct ip_vs_dest_entry entry;
+ 
++		memset(&entry, 0, sizeof(entry));
+ 		list_for_each_entry(dest, &svc->destinations, n_list) {
+ 			if (count >= get->num_dests)
+ 				break;
  
  			entry.addr = dest->addr.ip;
  			entry.port = dest->port;
@@ -116857,7 +116898,7 @@ index 9bcd972..1cdb215 100644
  			entry.weight = atomic_read(&dest->weight);
  			entry.u_threshold = dest->u_threshold;
  			entry.l_threshold = dest->l_threshold;
-@@ -2353,6 +2353,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+@@ -2353,6 +2354,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
  	unsigned char arg[128];
  	int ret = 0;
  
@@ -116866,7 +116907,7 @@ index 9bcd972..1cdb215 100644
  	if (!capable(CAP_NET_ADMIN))
  		return -EPERM;
  
-@@ -2803,7 +2805,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
+@@ -2803,7 +2806,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
  	NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
  
  	NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -117138,10 +117179,26 @@ index 7a83495..ab0062f 100644
  		*uaddr_len = sizeof(struct sockaddr_ax25);
  	}
 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 728c080..02b775c 100644
+index 728c080..ee6ea78 100644
 --- a/net/packet/af_packet.c
 +++ b/net/packet/af_packet.c
-@@ -1723,7 +1723,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+@@ -1525,12 +1525,10 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ 		return -EOPNOTSUPP;
+ 
+ 	uaddr->sa_family = AF_PACKET;
++	memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+ 	dev = dev_get_by_index(sock_net(sk), pkt_sk(sk)->ifindex);
+-	if (dev) {
+-		strncpy(uaddr->sa_data, dev->name, 14);
+-		dev_put(dev);
+-	} else
+-		memset(uaddr->sa_data, 0, 14);
++	if (dev)
++		strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+ 	*uaddr_len = sizeof(*uaddr);
+ 
+ 	return 0;
+@@ -1723,7 +1721,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
  	case PACKET_DROP_MEMBERSHIP:
  	{
  		struct packet_mreq_max mreq;
@@ -117150,7 +117207,7 @@ index 728c080..02b775c 100644
  		memset(&mreq, 0, sizeof(mreq));
  		if (len < sizeof(struct packet_mreq))
  			return -EINVAL;
-@@ -1894,7 +1894,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -1894,7 +1892,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
  	case PACKET_HDRLEN:
  		if (len > sizeof(int))
  			len = sizeof(int);
@@ -117159,7 +117216,7 @@ index 728c080..02b775c 100644
  			return -EFAULT;
  		switch (val) {
  		case TPACKET_V1:
-@@ -2428,7 +2428,11 @@ static int packet_seq_show(struct seq_file *seq, void *v)
+@@ -2428,7 +2426,11 @@ static int packet_seq_show(struct seq_file *seq, void *v)
  
  		seq_printf(seq,
  			   "%p %-6d %-4d %04x   %-5d %1d %-6u %-6u %-6lu\n",
@@ -117699,6 +117756,33 @@ index bb280e6..747720f 100644
  }
  
  /* Initialize IPv6 support and register with socket layer.  */
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 23e5e97..bc423b4 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -203,6 +203,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
+  */
+ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ {
++	memset(q, 0, sizeof(struct sctp_outq));
++
+ 	q->asoc = asoc;
+ 	INIT_LIST_HEAD(&q->out_chunk_list);
+ 	INIT_LIST_HEAD(&q->control_chunk_list);
+@@ -210,13 +212,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ 	INIT_LIST_HEAD(&q->sacked);
+ 	INIT_LIST_HEAD(&q->abandoned);
+ 
+-	q->fast_rtx = 0;
+-	q->outstanding_bytes = 0;
+ 	q->empty = 1;
+-	q->cork  = 0;
+-
+-	q->malloced = 0;
+-	q->out_qlen = 0;
+ }
+ 
+ /* Free the outqueue structure and any related pending chunks.
 diff --git a/net/sctp/proc.c b/net/sctp/proc.c
 index d093cbf..9fc36fc 100644
 --- a/net/sctp/proc.c
diff --git a/3.2.46/0000_README b/3.2.47/0000_README
index a0ae244..2a74306 100644
--- a/3.2.46/0000_README
+++ b/3.2.47/0000_README
@@ -102,7 +102,11 @@ Patch:	1045_linux-3.2.46.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.46
 
-Patch:	4420_grsecurity-2.9.1-3.2.46-201306102217.patch
+Patch:	1046_linux-3.2.47.patch
+From:	http://www.kernel.org
+Desc:	Linux 3.2.47
+
+Patch:	4420_grsecurity-2.9.1-3.2.47-201306191807.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.2.46/1021_linux-3.2.22.patch b/3.2.47/1021_linux-3.2.22.patch
index e6ad93a..e6ad93a 100644
--- a/3.2.46/1021_linux-3.2.22.patch
+++ b/3.2.47/1021_linux-3.2.22.patch
diff --git a/3.2.46/1022_linux-3.2.23.patch b/3.2.47/1022_linux-3.2.23.patch
index 3d796d0..3d796d0 100644
--- a/3.2.46/1022_linux-3.2.23.patch
+++ b/3.2.47/1022_linux-3.2.23.patch
diff --git a/3.2.46/1023_linux-3.2.24.patch b/3.2.47/1023_linux-3.2.24.patch
index 4692eb4..4692eb4 100644
--- a/3.2.46/1023_linux-3.2.24.patch
+++ b/3.2.47/1023_linux-3.2.24.patch
diff --git a/3.2.46/1024_linux-3.2.25.patch b/3.2.47/1024_linux-3.2.25.patch
index e95c213..e95c213 100644
--- a/3.2.46/1024_linux-3.2.25.patch
+++ b/3.2.47/1024_linux-3.2.25.patch
diff --git a/3.2.46/1025_linux-3.2.26.patch b/3.2.47/1025_linux-3.2.26.patch
index 44065b9..44065b9 100644
--- a/3.2.46/1025_linux-3.2.26.patch
+++ b/3.2.47/1025_linux-3.2.26.patch
diff --git a/3.2.46/1026_linux-3.2.27.patch b/3.2.47/1026_linux-3.2.27.patch
index 5878eb4..5878eb4 100644
--- a/3.2.46/1026_linux-3.2.27.patch
+++ b/3.2.47/1026_linux-3.2.27.patch
diff --git a/3.2.46/1027_linux-3.2.28.patch b/3.2.47/1027_linux-3.2.28.patch
index 4dbba4b..4dbba4b 100644
--- a/3.2.46/1027_linux-3.2.28.patch
+++ b/3.2.47/1027_linux-3.2.28.patch
diff --git a/3.2.46/1028_linux-3.2.29.patch b/3.2.47/1028_linux-3.2.29.patch
index 3c65179..3c65179 100644
--- a/3.2.46/1028_linux-3.2.29.patch
+++ b/3.2.47/1028_linux-3.2.29.patch
diff --git a/3.2.46/1029_linux-3.2.30.patch b/3.2.47/1029_linux-3.2.30.patch
index 86aea4b..86aea4b 100644
--- a/3.2.46/1029_linux-3.2.30.patch
+++ b/3.2.47/1029_linux-3.2.30.patch
diff --git a/3.2.46/1030_linux-3.2.31.patch b/3.2.47/1030_linux-3.2.31.patch
index c6accf5..c6accf5 100644
--- a/3.2.46/1030_linux-3.2.31.patch
+++ b/3.2.47/1030_linux-3.2.31.patch
diff --git a/3.2.46/1031_linux-3.2.32.patch b/3.2.47/1031_linux-3.2.32.patch
index 247fc0b..247fc0b 100644
--- a/3.2.46/1031_linux-3.2.32.patch
+++ b/3.2.47/1031_linux-3.2.32.patch
diff --git a/3.2.46/1032_linux-3.2.33.patch b/3.2.47/1032_linux-3.2.33.patch
index c32fb75..c32fb75 100644
--- a/3.2.46/1032_linux-3.2.33.patch
+++ b/3.2.47/1032_linux-3.2.33.patch
diff --git a/3.2.46/1033_linux-3.2.34.patch b/3.2.47/1033_linux-3.2.34.patch
index d647b38..d647b38 100644
--- a/3.2.46/1033_linux-3.2.34.patch
+++ b/3.2.47/1033_linux-3.2.34.patch
diff --git a/3.2.46/1034_linux-3.2.35.patch b/3.2.47/1034_linux-3.2.35.patch
index 76a9c19..76a9c19 100644
--- a/3.2.46/1034_linux-3.2.35.patch
+++ b/3.2.47/1034_linux-3.2.35.patch
diff --git a/3.2.46/1035_linux-3.2.36.patch b/3.2.47/1035_linux-3.2.36.patch
index 5d192a3..5d192a3 100644
--- a/3.2.46/1035_linux-3.2.36.patch
+++ b/3.2.47/1035_linux-3.2.36.patch
diff --git a/3.2.46/1036_linux-3.2.37.patch b/3.2.47/1036_linux-3.2.37.patch
index ad13251..ad13251 100644
--- a/3.2.46/1036_linux-3.2.37.patch
+++ b/3.2.47/1036_linux-3.2.37.patch
diff --git a/3.2.46/1037_linux-3.2.38.patch b/3.2.47/1037_linux-3.2.38.patch
index a3c106f..a3c106f 100644
--- a/3.2.46/1037_linux-3.2.38.patch
+++ b/3.2.47/1037_linux-3.2.38.patch
diff --git a/3.2.46/1038_linux-3.2.39.patch b/3.2.47/1038_linux-3.2.39.patch
index 5639e92..5639e92 100644
--- a/3.2.46/1038_linux-3.2.39.patch
+++ b/3.2.47/1038_linux-3.2.39.patch
diff --git a/3.2.46/1039_linux-3.2.40.patch b/3.2.47/1039_linux-3.2.40.patch
index f26b39c..f26b39c 100644
--- a/3.2.46/1039_linux-3.2.40.patch
+++ b/3.2.47/1039_linux-3.2.40.patch
diff --git a/3.2.46/1040_linux-3.2.41.patch b/3.2.47/1040_linux-3.2.41.patch
index 0d27fcb..0d27fcb 100644
--- a/3.2.46/1040_linux-3.2.41.patch
+++ b/3.2.47/1040_linux-3.2.41.patch
diff --git a/3.2.46/1041_linux-3.2.42.patch b/3.2.47/1041_linux-3.2.42.patch
index 77a08ed..77a08ed 100644
--- a/3.2.46/1041_linux-3.2.42.patch
+++ b/3.2.47/1041_linux-3.2.42.patch
diff --git a/3.2.46/1042_linux-3.2.43.patch b/3.2.47/1042_linux-3.2.43.patch
index a3f878b..a3f878b 100644
--- a/3.2.46/1042_linux-3.2.43.patch
+++ b/3.2.47/1042_linux-3.2.43.patch
diff --git a/3.2.46/1043_linux-3.2.44.patch b/3.2.47/1043_linux-3.2.44.patch
index 3d5e6ff..3d5e6ff 100644
--- a/3.2.46/1043_linux-3.2.44.patch
+++ b/3.2.47/1043_linux-3.2.44.patch
diff --git a/3.2.46/1044_linux-3.2.45.patch b/3.2.47/1044_linux-3.2.45.patch
index 44e1767..44e1767 100644
--- a/3.2.46/1044_linux-3.2.45.patch
+++ b/3.2.47/1044_linux-3.2.45.patch
diff --git a/3.2.46/1045_linux-3.2.46.patch b/3.2.47/1045_linux-3.2.46.patch
index bc10efd..bc10efd 100644
--- a/3.2.46/1045_linux-3.2.46.patch
+++ b/3.2.47/1045_linux-3.2.46.patch
diff --git a/3.2.47/1046_linux-3.2.47.patch b/3.2.47/1046_linux-3.2.47.patch
new file mode 100644
index 0000000..b74563c
--- /dev/null
+++ b/3.2.47/1046_linux-3.2.47.patch
@@ -0,0 +1,3314 @@
+diff --git a/Makefile b/Makefile
+index f600582..40e2a11 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 3
+ PATCHLEVEL = 2
+-SUBLEVEL = 46
++SUBLEVEL = 47
+ EXTRAVERSION =
+ NAME = Saber-toothed Squirrel
+ 
+diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile
+index 21f56ff..5954a1a 100644
+--- a/arch/arm/boot/compressed/Makefile
++++ b/arch/arm/boot/compressed/Makefile
+@@ -123,7 +123,6 @@ KBUILD_CFLAGS = $(subst -pg, , $(ORIG_CFLAGS))
+ endif
+ 
+ ccflags-y := -fpic -fno-builtin -I$(obj)
+-asflags-y := -Wa,-march=all
+ 
+ # Supply kernel BSS size to the decompressor via a linker symbol.
+ KBSS_SZ = $(shell size $(obj)/../../../../vmlinux | awk 'END{print $$3}')
+diff --git a/arch/arm/boot/compressed/head-sa1100.S b/arch/arm/boot/compressed/head-sa1100.S
+index 6179d94..3115e31 100644
+--- a/arch/arm/boot/compressed/head-sa1100.S
++++ b/arch/arm/boot/compressed/head-sa1100.S
+@@ -11,6 +11,7 @@
+ #include <asm/mach-types.h>
+ 
+ 		.section        ".start", "ax"
++		.arch	armv4
+ 
+ __SA1100_start:
+ 
+diff --git a/arch/arm/boot/compressed/head-shark.S b/arch/arm/boot/compressed/head-shark.S
+index 089c560..92b5689 100644
+--- a/arch/arm/boot/compressed/head-shark.S
++++ b/arch/arm/boot/compressed/head-shark.S
+@@ -18,6 +18,7 @@
+ 	
+ 		.section	".start", "ax"
+ 
++		.arch armv4
+ 		b	__beginning
+ 	
+ __ofw_data:	.long	0				@ the number of memory blocks
+diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
+index d63632f..8c57359 100644
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -10,6 +10,7 @@
+  */
+ #include <linux/linkage.h>
+ 
++	.arch	armv7-a
+ /*
+  * Debugging stuff
+  *
+diff --git a/arch/arm/kernel/topology.c b/arch/arm/kernel/topology.c
+index 8200dea..140c817 100644
+--- a/arch/arm/kernel/topology.c
++++ b/arch/arm/kernel/topology.c
+@@ -13,6 +13,7 @@
+ 
+ #include <linux/cpu.h>
+ #include <linux/cpumask.h>
++#include <linux/export.h>
+ #include <linux/init.h>
+ #include <linux/percpu.h>
+ #include <linux/node.h>
+@@ -42,6 +43,7 @@
+ #define MPIDR_LEVEL2_SHIFT 16
+ 
+ struct cputopo_arm cpu_topology[NR_CPUS];
++EXPORT_SYMBOL_GPL(cpu_topology);
+ 
+ const struct cpumask *cpu_coregroup_mask(int cpu)
+ {
+diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
+index cf9c69b..8c3baa0 100644
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -463,7 +463,7 @@ machine_check_common:
+ 	STD_EXCEPTION_COMMON(0xb00, trap_0b, .unknown_exception)
+ 	STD_EXCEPTION_COMMON(0xd00, single_step, .single_step_exception)
+ 	STD_EXCEPTION_COMMON(0xe00, trap_0e, .unknown_exception)
+-        STD_EXCEPTION_COMMON(0xe40, emulation_assist, .program_check_exception)
++	STD_EXCEPTION_COMMON(0xe40, emulation_assist, .emulation_assist_interrupt)
+         STD_EXCEPTION_COMMON(0xe60, hmi_exception, .unknown_exception)
+ 	STD_EXCEPTION_COMMON_IDLE(0xf00, performance_monitor, .performance_monitor_exception)
+ 	STD_EXCEPTION_COMMON(0x1300, instruction_breakpoint, .instruction_breakpoint_exception)
+diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
+index 82dcd4d..9844662 100644
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -1036,6 +1036,16 @@ void __kprobes program_check_exception(struct pt_regs *regs)
+ 		_exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
+ }
+ 
++/*
++ * This occurs when running in hypervisor mode on POWER6 or later
++ * and an illegal instruction is encountered.
++ */
++void __kprobes emulation_assist_interrupt(struct pt_regs *regs)
++{
++	regs->msr |= REASON_ILLEGAL;
++	program_check_exception(regs);
++}
++
+ void alignment_exception(struct pt_regs *regs)
+ {
+ 	int sig, code, fixed = 0;
+diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
+index 7a6f3b3..f2bb9c9 100644
+--- a/arch/x86/kernel/relocate_kernel_64.S
++++ b/arch/x86/kernel/relocate_kernel_64.S
+@@ -160,7 +160,7 @@ identity_mapped:
+ 	xorq    %rbp, %rbp
+ 	xorq	%r8,  %r8
+ 	xorq	%r9,  %r9
+-	xorq	%r10, %r9
++	xorq	%r10, %r10
+ 	xorq	%r11, %r11
+ 	xorq	%r12, %r12
+ 	xorq	%r13, %r13
+diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
+index 0e47949..e19898d 100644
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -447,6 +447,38 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
+ 		DMI_MATCH(DMI_PRODUCT_NAME, "HP Folio 13 - 2000 Notebook PC"),
+ 		},
+ 	},
++	{
++	 .callback = video_ignore_initial_backlight,
++	 .ident = "HP Pavilion dm4",
++	 .matches = {
++		DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++		DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dm4 Notebook PC"),
++		},
++	},
++	{
++	 .callback = video_ignore_initial_backlight,
++	 .ident = "HP Pavilion g6 Notebook PC",
++	 .matches = {
++		 DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++		 DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion g6 Notebook PC"),
++		},
++	},
++	{
++	 .callback = video_ignore_initial_backlight,
++	 .ident = "HP 1000 Notebook PC",
++	 .matches = {
++		DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++		DMI_MATCH(DMI_PRODUCT_NAME, "HP 1000 Notebook PC"),
++		},
++	},
++	{
++	 .callback = video_ignore_initial_backlight,
++	 .ident = "HP Pavilion m4",
++	 .matches = {
++		DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++		DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion m4 Notebook PC"),
++		},
++	},
+ 	{}
+ };
+ 
+diff --git a/drivers/ata/ata_piix.c b/drivers/ata/ata_piix.c
+index ddfc1c1..0e92326 100644
+--- a/drivers/ata/ata_piix.c
++++ b/drivers/ata/ata_piix.c
+@@ -151,6 +151,7 @@ enum piix_controller_ids {
+ 	piix_pata_vmw,			/* PIIX4 for VMware, spurious DMA_ERR */
+ 	ich8_sata_snb,
+ 	ich8_2port_sata_snb,
++	ich8_2port_sata_byt,
+ };
+ 
+ struct piix_map_db {
+@@ -356,6 +357,9 @@ static const struct pci_device_id piix_pci_tbl[] = {
+ 	{ 0x8086, 0x8d60, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb },
+ 	/* SATA Controller IDE (Wellsburg) */
+ 	{ 0x8086, 0x8d68, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
++	/* SATA Controller IDE (BayTrail) */
++	{ 0x8086, 0x0F20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_byt },
++	{ 0x8086, 0x0F21, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_byt },
+ 
+ 	{ }	/* terminate list */
+ };
+@@ -521,6 +525,7 @@ static const struct piix_map_db *piix_map_db_table[] = {
+ 	[tolapai_sata]		= &tolapai_map_db,
+ 	[ich8_sata_snb]		= &ich8_map_db,
+ 	[ich8_2port_sata_snb]	= &ich8_2port_map_db,
++	[ich8_2port_sata_byt]	= &ich8_2port_map_db,
+ };
+ 
+ static struct ata_port_info piix_port_info[] = {
+@@ -672,6 +677,15 @@ static struct ata_port_info piix_port_info[] = {
+ 		.port_ops	= &piix_sata_ops,
+ 	},
+ 
++	[ich8_2port_sata_byt] =
++	{
++		.flags          = PIIX_SATA_FLAGS | PIIX_FLAG_SIDPR | PIIX_FLAG_PIO16,
++		.pio_mask       = ATA_PIO4,
++		.mwdma_mask     = ATA_MWDMA2,
++		.udma_mask      = ATA_UDMA6,
++		.port_ops       = &piix_sata_ops,
++	},
++
+ };
+ 
+ static struct pci_bits piix_enable_bits[] = {
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 288b635..d54b7d6 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -1598,6 +1598,12 @@ unsigned ata_exec_internal_sg(struct ata_device *dev,
+ 	qc->tf = *tf;
+ 	if (cdb)
+ 		memcpy(qc->cdb, cdb, ATAPI_CDB_LEN);
++
++	/* some SATA bridges need us to indicate data xfer direction */
++	if (tf->protocol == ATAPI_PROT_DMA && (dev->flags & ATA_DFLAG_DMADIR) &&
++	    dma_dir == DMA_FROM_DEVICE)
++		qc->tf.feature |= ATAPI_DMADIR;
++
+ 	qc->flags |= ATA_QCFLAG_RESULT_TF;
+ 	qc->dma_dir = dma_dir;
+ 	if (dma_dir != DMA_NONE) {
+diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
+index b0f553b..d3446f6 100644
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -161,8 +161,6 @@ static irqreturn_t do_cciss_msix_intr(int irq, void *dev_id);
+ static int cciss_open(struct block_device *bdev, fmode_t mode);
+ static int cciss_unlocked_open(struct block_device *bdev, fmode_t mode);
+ static int cciss_release(struct gendisk *disk, fmode_t mode);
+-static int do_ioctl(struct block_device *bdev, fmode_t mode,
+-		    unsigned int cmd, unsigned long arg);
+ static int cciss_ioctl(struct block_device *bdev, fmode_t mode,
+ 		       unsigned int cmd, unsigned long arg);
+ static int cciss_getgeo(struct block_device *bdev, struct hd_geometry *geo);
+@@ -229,7 +227,7 @@ static const struct block_device_operations cciss_fops = {
+ 	.owner = THIS_MODULE,
+ 	.open = cciss_unlocked_open,
+ 	.release = cciss_release,
+-	.ioctl = do_ioctl,
++	.ioctl = cciss_ioctl,
+ 	.getgeo = cciss_getgeo,
+ #ifdef CONFIG_COMPAT
+ 	.compat_ioctl = cciss_compat_ioctl,
+@@ -1140,16 +1138,6 @@ static int cciss_release(struct gendisk *disk, fmode_t mode)
+ 	return 0;
+ }
+ 
+-static int do_ioctl(struct block_device *bdev, fmode_t mode,
+-		    unsigned cmd, unsigned long arg)
+-{
+-	int ret;
+-	mutex_lock(&cciss_mutex);
+-	ret = cciss_ioctl(bdev, mode, cmd, arg);
+-	mutex_unlock(&cciss_mutex);
+-	return ret;
+-}
+-
+ #ifdef CONFIG_COMPAT
+ 
+ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
+@@ -1176,7 +1164,7 @@ static int cciss_compat_ioctl(struct block_device *bdev, fmode_t mode,
+ 	case CCISS_REGNEWD:
+ 	case CCISS_RESCANDISK:
+ 	case CCISS_GETLUNINFO:
+-		return do_ioctl(bdev, mode, cmd, arg);
++		return cciss_ioctl(bdev, mode, cmd, arg);
+ 
+ 	case CCISS_PASSTHRU32:
+ 		return cciss_ioctl32_passthru(bdev, mode, cmd, arg);
+@@ -1216,7 +1204,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
+ 	if (err)
+ 		return -EFAULT;
+ 
+-	err = do_ioctl(bdev, mode, CCISS_PASSTHRU, (unsigned long)p);
++	err = cciss_ioctl(bdev, mode, CCISS_PASSTHRU, (unsigned long)p);
+ 	if (err)
+ 		return err;
+ 	err |=
+@@ -1258,7 +1246,7 @@ static int cciss_ioctl32_big_passthru(struct block_device *bdev, fmode_t mode,
+ 	if (err)
+ 		return -EFAULT;
+ 
+-	err = do_ioctl(bdev, mode, CCISS_BIG_PASSTHRU, (unsigned long)p);
++	err = cciss_ioctl(bdev, mode, CCISS_BIG_PASSTHRU, (unsigned long)p);
+ 	if (err)
+ 		return err;
+ 	err |=
+@@ -1308,11 +1296,14 @@ static int cciss_getpciinfo(ctlr_info_t *h, void __user *argp)
+ static int cciss_getintinfo(ctlr_info_t *h, void __user *argp)
+ {
+ 	cciss_coalint_struct intinfo;
++	unsigned long flags;
+ 
+ 	if (!argp)
+ 		return -EINVAL;
++	spin_lock_irqsave(&h->lock, flags);
+ 	intinfo.delay = readl(&h->cfgtable->HostWrite.CoalIntDelay);
+ 	intinfo.count = readl(&h->cfgtable->HostWrite.CoalIntCount);
++	spin_unlock_irqrestore(&h->lock, flags);
+ 	if (copy_to_user
+ 	    (argp, &intinfo, sizeof(cciss_coalint_struct)))
+ 		return -EFAULT;
+@@ -1353,12 +1344,15 @@ static int cciss_setintinfo(ctlr_info_t *h, void __user *argp)
+ static int cciss_getnodename(ctlr_info_t *h, void __user *argp)
+ {
+ 	NodeName_type NodeName;
++	unsigned long flags;
+ 	int i;
+ 
+ 	if (!argp)
+ 		return -EINVAL;
++	spin_lock_irqsave(&h->lock, flags);
+ 	for (i = 0; i < 16; i++)
+ 		NodeName[i] = readb(&h->cfgtable->ServerName[i]);
++	spin_unlock_irqrestore(&h->lock, flags);
+ 	if (copy_to_user(argp, NodeName, sizeof(NodeName_type)))
+ 		return -EFAULT;
+ 	return 0;
+@@ -1395,10 +1389,13 @@ static int cciss_setnodename(ctlr_info_t *h, void __user *argp)
+ static int cciss_getheartbeat(ctlr_info_t *h, void __user *argp)
+ {
+ 	Heartbeat_type heartbeat;
++	unsigned long flags;
+ 
+ 	if (!argp)
+ 		return -EINVAL;
++	spin_lock_irqsave(&h->lock, flags);
+ 	heartbeat = readl(&h->cfgtable->HeartBeat);
++	spin_unlock_irqrestore(&h->lock, flags);
+ 	if (copy_to_user(argp, &heartbeat, sizeof(Heartbeat_type)))
+ 		return -EFAULT;
+ 	return 0;
+@@ -1407,10 +1404,13 @@ static int cciss_getheartbeat(ctlr_info_t *h, void __user *argp)
+ static int cciss_getbustypes(ctlr_info_t *h, void __user *argp)
+ {
+ 	BusTypes_type BusTypes;
++	unsigned long flags;
+ 
+ 	if (!argp)
+ 		return -EINVAL;
++	spin_lock_irqsave(&h->lock, flags);
+ 	BusTypes = readl(&h->cfgtable->BusTypes);
++	spin_unlock_irqrestore(&h->lock, flags);
+ 	if (copy_to_user(argp, &BusTypes, sizeof(BusTypes_type)))
+ 		return -EFAULT;
+ 	return 0;
+diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
+index 44a5d0a..73af885 100644
+--- a/drivers/gpu/drm/drm_irq.c
++++ b/drivers/gpu/drm/drm_irq.c
+@@ -981,7 +981,7 @@ EXPORT_SYMBOL(drm_vblank_off);
+  */
+ void drm_vblank_pre_modeset(struct drm_device *dev, int crtc)
+ {
+-	/* vblank is not initialized (IRQ not installed ?) */
++	/* vblank is not initialized (IRQ not installed ?), or has been freed */
+ 	if (!dev->num_crtcs)
+ 		return;
+ 	/*
+@@ -1003,6 +1003,10 @@ void drm_vblank_post_modeset(struct drm_device *dev, int crtc)
+ {
+ 	unsigned long irqflags;
+ 
++	/* vblank is not initialized (IRQ not installed ?), or has been freed */
++	if (!dev->num_crtcs)
++		return;
++
+ 	if (dev->vblank_inmodeset[crtc]) {
+ 		spin_lock_irqsave(&dev->vbl_lock, irqflags);
+ 		dev->vblank_disable_allowed = 1;
+diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c
+index 876bac0..2ffa740 100644
+--- a/drivers/gpu/drm/i915/intel_lvds.c
++++ b/drivers/gpu/drm/i915/intel_lvds.c
+@@ -740,10 +740,10 @@ static const struct dmi_system_id intel_no_lvds[] = {
+ 	},
+ 	{
+ 		.callback = intel_no_lvds_dmi_callback,
+-		.ident = "Hewlett-Packard HP t5740e Thin Client",
++		.ident = "Hewlett-Packard HP t5740",
+ 		.matches = {
+ 			DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
+-			DMI_MATCH(DMI_PRODUCT_NAME, "HP t5740e Thin Client"),
++			DMI_MATCH(DMI_PRODUCT_NAME, " t5740"),
+ 		},
+ 	},
+ 	{
+diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo.c
+index 9e24670..00ec0dd 100644
+--- a/drivers/gpu/drm/i915/intel_sdvo.c
++++ b/drivers/gpu/drm/i915/intel_sdvo.c
+@@ -1582,11 +1582,14 @@ static void intel_sdvo_get_lvds_modes(struct drm_connector *connector)
+ 	 * Assume that the preferred modes are
+ 	 * arranged in priority order.
+ 	 */
+-	intel_ddc_get_modes(connector, intel_sdvo->i2c);
+-	if (list_empty(&connector->probed_modes) == false)
+-		goto end;
++	intel_ddc_get_modes(connector, &intel_sdvo->ddc);
+ 
+-	/* Fetch modes from VBT */
++	/*
++	 * Fetch modes from VBT. For SDVO prefer the VBT mode since some
++	 * SDVO->LVDS transcoders can't cope with the EDID mode. Since
++	 * drm_mode_probed_add adds the mode at the head of the list we add it
++	 * last.
++	 */
+ 	if (dev_priv->sdvo_lvds_vbt_mode != NULL) {
+ 		newmode = drm_mode_duplicate(connector->dev,
+ 					     dev_priv->sdvo_lvds_vbt_mode);
+@@ -1598,7 +1601,6 @@ static void intel_sdvo_get_lvds_modes(struct drm_connector *connector)
+ 		}
+ 	}
+ 
+-end:
+ 	list_for_each_entry(newmode, &connector->probed_modes, head) {
+ 		if (newmode->type & DRM_MODE_TYPE_PREFERRED) {
+ 			intel_sdvo->sdvo_lvds_fixed_mode =
+diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
+index 0495a50..9bea4a6 100644
+--- a/drivers/gpu/drm/radeon/evergreen.c
++++ b/drivers/gpu/drm/radeon/evergreen.c
+@@ -3086,6 +3086,12 @@ static int evergreen_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	r = r600_irq_init(rdev);
+ 	if (r) {
+ 		DRM_ERROR("radeon: IH init failed (%d).\n", r);
+@@ -3218,10 +3224,6 @@ int evergreen_init(struct radeon_device *rdev)
+ 	if (r)
+ 		return r;
+ 
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+-
+ 	rdev->cp.ring_obj = NULL;
+ 	r600_ring_init(rdev, 1024 * 1024);
+ 
+diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c
+index 636255b..3f9705b 100644
+--- a/drivers/gpu/drm/radeon/ni.c
++++ b/drivers/gpu/drm/radeon/ni.c
+@@ -1389,6 +1389,12 @@ static int cayman_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	r = r600_irq_init(rdev);
+ 	if (r) {
+ 		DRM_ERROR("radeon: IH init failed (%d).\n", r);
+@@ -1506,10 +1512,6 @@ int cayman_init(struct radeon_device *rdev)
+ 	if (r)
+ 		return r;
+ 
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+-
+ 	rdev->cp.ring_obj = NULL;
+ 	r600_ring_init(rdev, 1024 * 1024);
+ 
+diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
+index fad7cd1..76c1290 100644
+--- a/drivers/gpu/drm/radeon/r100.c
++++ b/drivers/gpu/drm/radeon/r100.c
+@@ -3905,6 +3905,12 @@ static int r100_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	r100_irq_set(rdev);
+ 	rdev->config.r100.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ 	/* 1M ring buffer */
+@@ -4050,9 +4056,6 @@ int r100_init(struct radeon_device *rdev)
+ 	r = radeon_fence_driver_init(rdev);
+ 	if (r)
+ 		return r;
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+ 	/* Memory manager */
+ 	r = radeon_bo_init(rdev);
+ 	if (r)
+diff --git a/drivers/gpu/drm/radeon/r300.c b/drivers/gpu/drm/radeon/r300.c
+index c93bc64..441570b 100644
+--- a/drivers/gpu/drm/radeon/r300.c
++++ b/drivers/gpu/drm/radeon/r300.c
+@@ -1397,6 +1397,12 @@ static int r300_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	r100_irq_set(rdev);
+ 	rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ 	/* 1M ring buffer */
+@@ -1521,9 +1527,6 @@ int r300_init(struct radeon_device *rdev)
+ 	r = radeon_fence_driver_init(rdev);
+ 	if (r)
+ 		return r;
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+ 	/* Memory manager */
+ 	r = radeon_bo_init(rdev);
+ 	if (r)
+diff --git a/drivers/gpu/drm/radeon/r420.c b/drivers/gpu/drm/radeon/r420.c
+index 417fab8..5b219b8 100644
+--- a/drivers/gpu/drm/radeon/r420.c
++++ b/drivers/gpu/drm/radeon/r420.c
+@@ -255,6 +255,12 @@ static int r420_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	r100_irq_set(rdev);
+ 	rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ 	/* 1M ring buffer */
+@@ -391,10 +397,6 @@ int r420_init(struct radeon_device *rdev)
+ 	if (r) {
+ 		return r;
+ 	}
+-	r = radeon_irq_kms_init(rdev);
+-	if (r) {
+-		return r;
+-	}
+ 	/* Memory manager */
+ 	r = radeon_bo_init(rdev);
+ 	if (r) {
+diff --git a/drivers/gpu/drm/radeon/r520.c b/drivers/gpu/drm/radeon/r520.c
+index 3081d07..f36a5c9 100644
+--- a/drivers/gpu/drm/radeon/r520.c
++++ b/drivers/gpu/drm/radeon/r520.c
+@@ -188,6 +188,12 @@ static int r520_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	rs600_irq_set(rdev);
+ 	rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ 	/* 1M ring buffer */
+@@ -281,9 +287,6 @@ int r520_init(struct radeon_device *rdev)
+ 	r = radeon_fence_driver_init(rdev);
+ 	if (r)
+ 		return r;
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+ 	/* Memory manager */
+ 	r = radeon_bo_init(rdev);
+ 	if (r)
+diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
+index bdfa82a..3d46d7d4 100644
+--- a/drivers/gpu/drm/radeon/r600.c
++++ b/drivers/gpu/drm/radeon/r600.c
+@@ -2449,6 +2449,12 @@ int r600_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	r = r600_irq_init(rdev);
+ 	if (r) {
+ 		DRM_ERROR("radeon: IH init failed (%d).\n", r);
+@@ -2592,10 +2598,6 @@ int r600_init(struct radeon_device *rdev)
+ 	if (r)
+ 		return r;
+ 
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+-
+ 	rdev->cp.ring_obj = NULL;
+ 	r600_ring_init(rdev, 1024 * 1024);
+ 
+diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
+index bd959c1..cd94abb 100644
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -359,18 +359,17 @@ bool radeon_card_posted(struct radeon_device *rdev)
+ 		return false;
+ 
+ 	/* first check CRTCs */
+-	if (ASIC_IS_DCE41(rdev)) {
++	if (ASIC_IS_DCE4(rdev)) {
+ 		reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) |
+ 			RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET);
+-		if (reg & EVERGREEN_CRTC_MASTER_EN)
+-			return true;
+-	} else if (ASIC_IS_DCE4(rdev)) {
+-		reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) |
+-			RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET) |
+-			RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) |
+-			RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET) |
+-			RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) |
+-			RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET);
++			if (rdev->num_crtc >= 4) {
++				reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) |
++					RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET);
++			}
++			if (rdev->num_crtc >= 6) {
++				reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) |
++					RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET);
++			}
+ 		if (reg & EVERGREEN_CRTC_MASTER_EN)
+ 			return true;
+ 	} else if (ASIC_IS_AVIVO(rdev)) {
+diff --git a/drivers/gpu/drm/radeon/rs400.c b/drivers/gpu/drm/radeon/rs400.c
+index 06b90c8..4dd9512 100644
+--- a/drivers/gpu/drm/radeon/rs400.c
++++ b/drivers/gpu/drm/radeon/rs400.c
+@@ -411,6 +411,12 @@ static int rs400_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	r100_irq_set(rdev);
+ 	rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ 	/* 1M ring buffer */
+@@ -519,9 +525,6 @@ int rs400_init(struct radeon_device *rdev)
+ 	r = radeon_fence_driver_init(rdev);
+ 	if (r)
+ 		return r;
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+ 	/* Memory manager */
+ 	r = radeon_bo_init(rdev);
+ 	if (r)
+diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c
+index ee898e9..cea482a 100644
+--- a/drivers/gpu/drm/radeon/rs600.c
++++ b/drivers/gpu/drm/radeon/rs600.c
+@@ -848,6 +848,12 @@ static int rs600_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	rs600_irq_set(rdev);
+ 	rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ 	/* 1M ring buffer */
+@@ -963,9 +969,6 @@ int rs600_init(struct radeon_device *rdev)
+ 	r = radeon_fence_driver_init(rdev);
+ 	if (r)
+ 		return r;
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+ 	/* Memory manager */
+ 	r = radeon_bo_init(rdev);
+ 	if (r)
+diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
+index a9049ed..93bce72 100644
+--- a/drivers/gpu/drm/radeon/rs690.c
++++ b/drivers/gpu/drm/radeon/rs690.c
+@@ -622,6 +622,12 @@ static int rs690_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	rs600_irq_set(rdev);
+ 	rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ 	/* 1M ring buffer */
+@@ -738,9 +744,6 @@ int rs690_init(struct radeon_device *rdev)
+ 	r = radeon_fence_driver_init(rdev);
+ 	if (r)
+ 		return r;
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+ 	/* Memory manager */
+ 	r = radeon_bo_init(rdev);
+ 	if (r)
+diff --git a/drivers/gpu/drm/radeon/rv515.c b/drivers/gpu/drm/radeon/rv515.c
+index d5f45b4..9103638 100644
+--- a/drivers/gpu/drm/radeon/rv515.c
++++ b/drivers/gpu/drm/radeon/rv515.c
+@@ -380,6 +380,12 @@ static int rv515_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	rs600_irq_set(rdev);
+ 	rdev->config.r300.hdp_cntl = RREG32(RADEON_HOST_PATH_CNTL);
+ 	/* 1M ring buffer */
+@@ -500,9 +506,6 @@ int rv515_init(struct radeon_device *rdev)
+ 	r = radeon_fence_driver_init(rdev);
+ 	if (r)
+ 		return r;
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+ 	/* Memory manager */
+ 	r = radeon_bo_init(rdev);
+ 	if (r)
+diff --git a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c
+index cc79449..63db75d 100644
+--- a/drivers/gpu/drm/radeon/rv770.c
++++ b/drivers/gpu/drm/radeon/rv770.c
+@@ -1092,6 +1092,12 @@ static int rv770_startup(struct radeon_device *rdev)
+ 		return r;
+ 
+ 	/* Enable IRQ */
++	if (!rdev->irq.installed) {
++		r = radeon_irq_kms_init(rdev);
++		if (r)
++			return r;
++	}
++
+ 	r = r600_irq_init(rdev);
+ 	if (r) {
+ 		DRM_ERROR("radeon: IH init failed (%d).\n", r);
+@@ -1220,10 +1226,6 @@ int rv770_init(struct radeon_device *rdev)
+ 	if (r)
+ 		return r;
+ 
+-	r = radeon_irq_kms_init(rdev);
+-	if (r)
+-		return r;
+-
+ 	rdev->cp.ring_obj = NULL;
+ 	r600_ring_init(rdev, 1024 * 1024);
+ 
+diff --git a/drivers/hwmon/adm1021.c b/drivers/hwmon/adm1021.c
+index 1ad0a88..8178927 100644
+--- a/drivers/hwmon/adm1021.c
++++ b/drivers/hwmon/adm1021.c
+@@ -311,26 +311,68 @@ static int adm1021_detect(struct i2c_client *client,
+ 	man_id = i2c_smbus_read_byte_data(client, ADM1021_REG_MAN_ID);
+ 	dev_id = i2c_smbus_read_byte_data(client, ADM1021_REG_DEV_ID);
+ 
++	if (man_id < 0 || dev_id < 0)
++		return -ENODEV;
++
+ 	if (man_id == 0x4d && dev_id == 0x01)
+ 		type_name = "max1617a";
+ 	else if (man_id == 0x41) {
+ 		if ((dev_id & 0xF0) == 0x30)
+ 			type_name = "adm1023";
+-		else
++		else if ((dev_id & 0xF0) == 0x00)
+ 			type_name = "adm1021";
++		else
++			return -ENODEV;
+ 	} else if (man_id == 0x49)
+ 		type_name = "thmc10";
+ 	else if (man_id == 0x23)
+ 		type_name = "gl523sm";
+ 	else if (man_id == 0x54)
+ 		type_name = "mc1066";
+-	/* LM84 Mfr ID in a different place, and it has more unused bits */
+-	else if (conv_rate == 0x00
+-		 && (config & 0x7F) == 0x00
+-		 && (status & 0xAB) == 0x00)
+-		type_name = "lm84";
+-	else
+-		type_name = "max1617";
++	else {
++		int lte, rte, lhi, rhi, llo, rlo;
++
++		/* extra checks for LM84 and MAX1617 to avoid misdetections */
++
++		llo = i2c_smbus_read_byte_data(client, ADM1021_REG_THYST_R(0));
++		rlo = i2c_smbus_read_byte_data(client, ADM1021_REG_THYST_R(1));
++
++		/* fail if any of the additional register reads failed */
++		if (llo < 0 || rlo < 0)
++			return -ENODEV;
++
++		lte = i2c_smbus_read_byte_data(client, ADM1021_REG_TEMP(0));
++		rte = i2c_smbus_read_byte_data(client, ADM1021_REG_TEMP(1));
++		lhi = i2c_smbus_read_byte_data(client, ADM1021_REG_TOS_R(0));
++		rhi = i2c_smbus_read_byte_data(client, ADM1021_REG_TOS_R(1));
++
++		/*
++		 * Fail for negative temperatures and negative high limits.
++		 * This check also catches read errors on the tested registers.
++		 */
++		if ((s8)lte < 0 || (s8)rte < 0 || (s8)lhi < 0 || (s8)rhi < 0)
++			return -ENODEV;
++
++		/* fail if all registers hold the same value */
++		if (lte == rte && lte == lhi && lte == rhi && lte == llo
++		    && lte == rlo)
++			return -ENODEV;
++
++		/*
++		 * LM84 Mfr ID is in a different place,
++		 * and it has more unused bits.
++		 */
++		if (conv_rate == 0x00
++		    && (config & 0x7F) == 0x00
++		    && (status & 0xAB) == 0x00) {
++			type_name = "lm84";
++		} else {
++			/* fail if low limits are larger than high limits */
++			if ((s8)llo > lhi || (s8)rlo > rhi)
++				return -ENODEV;
++			type_name = "max1617";
++		}
++	}
+ 
+ 	pr_debug("adm1021: Detected chip %s at adapter %d, address 0x%02x.\n",
+ 		 type_name, i2c_adapter_id(adapter), client->addr);
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 62306e5..298e02a 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -407,7 +407,17 @@ static void raid1_end_write_request(struct bio *bio, int error)
+ 
+ 		r1_bio->bios[mirror] = NULL;
+ 		to_put = bio;
+-		set_bit(R1BIO_Uptodate, &r1_bio->state);
++		/*
++		 * Do not set R1BIO_Uptodate if the current device is
++		 * rebuilding or Faulty. This is because we cannot use
++		 * such device for properly reading the data back (we could
++		 * potentially use it, if the current write would have felt
++		 * before rdev->recovery_offset, but for simplicity we don't
++		 * check this here.
++		 */
++		if (test_bit(In_sync, &conf->mirrors[mirror].rdev->flags) &&
++		    !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags))
++			set_bit(R1BIO_Uptodate, &r1_bio->state);
+ 
+ 		/* Maybe we can clear some bad blocks. */
+ 		if (is_badblock(conf->mirrors[mirror].rdev,
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index 8f67c4d..8bba438 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -390,7 +390,17 @@ static void raid10_end_write_request(struct bio *bio, int error)
+ 		sector_t first_bad;
+ 		int bad_sectors;
+ 
+-		set_bit(R10BIO_Uptodate, &r10_bio->state);
++		/*
++		 * Do not set R10BIO_Uptodate if the current device is
++		 * rebuilding or Faulty. This is because we cannot use
++		 * such device for properly reading the data back (we could
++		 * potentially use it, if the current write would have felt
++		 * before rdev->recovery_offset, but for simplicity we don't
++		 * check this here.
++		 */
++		if (test_bit(In_sync, &conf->mirrors[dev].rdev->flags) &&
++		    !test_bit(Faulty, &conf->mirrors[dev].rdev->flags))
++			set_bit(R10BIO_Uptodate, &r10_bio->state);
+ 
+ 		/* Maybe we can clear some bad blocks. */
+ 		if (is_badblock(conf->mirrors[dev].rdev,
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index ec13a59..1bc927a 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -1620,6 +1620,9 @@ static int tg3_poll_fw(struct tg3 *tp)
+ 	int i;
+ 	u32 val;
+ 
++	if (tg3_flag(tp, NO_FWARE_REPORTED))
++		return 0;
++
+ 	if (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5906) {
+ 		/* Wait up to 20ms for init done. */
+ 		for (i = 0; i < 200; i++) {
+@@ -8282,6 +8285,14 @@ static void tg3_setup_rxbd_thresholds(struct tg3 *tp)
+ 		tw32(JMB_REPLENISH_LWM, bdcache_maxcnt);
+ }
+ 
++static inline u32 tg3_lso_rd_dma_workaround_bit(struct tg3 *tp)
++{
++	if (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5719)
++		return TG3_LSO_RD_DMA_TX_LENGTH_WA_5719;
++	else
++		return TG3_LSO_RD_DMA_TX_LENGTH_WA_5720;
++}
++
+ /* tp->lock is held. */
+ static int tg3_reset_hw(struct tg3 *tp, int reset_phy)
+ {
+@@ -8920,6 +8931,20 @@ static int tg3_reset_hw(struct tg3 *tp, int reset_phy)
+ 	tw32_f(RDMAC_MODE, rdmac_mode);
+ 	udelay(40);
+ 
++	if (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5719 ||
++	    GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5720) {
++		for (i = 0; i < TG3_NUM_RDMA_CHANNELS; i++) {
++			if (tr32(TG3_RDMA_LENGTH + (i << 2)) > TG3_MAX_MTU(tp))
++				break;
++		}
++		if (i < TG3_NUM_RDMA_CHANNELS) {
++			val = tr32(TG3_LSO_RD_DMA_CRPTEN_CTRL);
++			val |= tg3_lso_rd_dma_workaround_bit(tp);
++			tw32(TG3_LSO_RD_DMA_CRPTEN_CTRL, val);
++			tg3_flag_set(tp, 5719_5720_RDMA_BUG);
++		}
++	}
++
+ 	tw32(RCVDCC_MODE, RCVDCC_MODE_ENABLE | RCVDCC_MODE_ATTN_ENABLE);
+ 	if (!tg3_flag(tp, 5705_PLUS))
+ 		tw32(MBFREE_MODE, MBFREE_MODE_ENABLE);
+@@ -9166,6 +9191,13 @@ static int tg3_reset_hw(struct tg3 *tp, int reset_phy)
+  */
+ static int tg3_init_hw(struct tg3 *tp, int reset_phy)
+ {
++	/* Chip may have been just powered on. If so, the boot code may still
++	 * be running initialization. Wait for it to finish to avoid races in
++	 * accessing the hardware.
++	 */
++	tg3_enable_register_access(tp);
++	tg3_poll_fw(tp);
++
+ 	tg3_switch_clocks(tp);
+ 
+ 	tw32(TG3PCI_MEM_WIN_BASE_ADDR, 0);
+@@ -9200,6 +9232,16 @@ static void tg3_periodic_fetch_stats(struct tg3 *tp)
+ 	TG3_STAT_ADD32(&sp->tx_ucast_packets, MAC_TX_STATS_UCAST);
+ 	TG3_STAT_ADD32(&sp->tx_mcast_packets, MAC_TX_STATS_MCAST);
+ 	TG3_STAT_ADD32(&sp->tx_bcast_packets, MAC_TX_STATS_BCAST);
++	if (unlikely(tg3_flag(tp, 5719_5720_RDMA_BUG) &&
++		     (sp->tx_ucast_packets.low + sp->tx_mcast_packets.low +
++		      sp->tx_bcast_packets.low) > TG3_NUM_RDMA_CHANNELS)) {
++		u32 val;
++
++		val = tr32(TG3_LSO_RD_DMA_CRPTEN_CTRL);
++		val &= ~tg3_lso_rd_dma_workaround_bit(tp);
++		tw32(TG3_LSO_RD_DMA_CRPTEN_CTRL, val);
++		tg3_flag_clear(tp, 5719_5720_RDMA_BUG);
++	}
+ 
+ 	TG3_STAT_ADD32(&sp->rx_octets, MAC_RX_STATS_OCTETS);
+ 	TG3_STAT_ADD32(&sp->rx_fragments, MAC_RX_STATS_FRAGMENTS);
+diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
+index 94b4bd0..da90ba5 100644
+--- a/drivers/net/ethernet/broadcom/tg3.h
++++ b/drivers/net/ethernet/broadcom/tg3.h
+@@ -1368,7 +1368,12 @@
+ #define TG3_LSO_RD_DMA_CRPTEN_CTRL	0x00004910
+ #define TG3_LSO_RD_DMA_CRPTEN_CTRL_BLEN_BD_4K	 0x00030000
+ #define TG3_LSO_RD_DMA_CRPTEN_CTRL_BLEN_LSO_4K	 0x000c0000
+-/* 0x4914 --> 0x4c00 unused */
++#define TG3_LSO_RD_DMA_TX_LENGTH_WA_5719	 0x02000000
++#define TG3_LSO_RD_DMA_TX_LENGTH_WA_5720	 0x00200000
++/* 0x4914 --> 0x4be0 unused */
++
++#define TG3_NUM_RDMA_CHANNELS		4
++#define TG3_RDMA_LENGTH			0x00004be0
+ 
+ /* Write DMA control registers */
+ #define WDMAC_MODE			0x00004c00
+@@ -2921,6 +2926,7 @@ enum TG3_FLAGS {
+ 	TG3_FLAG_APE_HAS_NCSI,
+ 	TG3_FLAG_5717_PLUS,
+ 	TG3_FLAG_4K_FIFO_LIMIT,
++	TG3_FLAG_5719_5720_RDMA_BUG,
+ 	TG3_FLAG_RESET_TASK_PENDING,
+ 
+ 	/* Add new flags before this comment and TG3_FLAG_NUMBER_OF_FLAGS */
+diff --git a/drivers/net/wireless/ath/ath9k/Kconfig b/drivers/net/wireless/ath/ath9k/Kconfig
+index d9c08c6..f4ed4d8 100644
+--- a/drivers/net/wireless/ath/ath9k/Kconfig
++++ b/drivers/net/wireless/ath/ath9k/Kconfig
+@@ -50,13 +50,17 @@ config ATH9K_DEBUGFS
+ 
+ 	  Also required for changing debug message flags at run time.
+ 
+-config ATH9K_RATE_CONTROL
++config ATH9K_LEGACY_RATE_CONTROL
+ 	bool "Atheros ath9k rate control"
+ 	depends on ATH9K
+-	default y
++	default n
+ 	---help---
+ 	  Say Y, if you want to use the ath9k specific rate control
+-	  module instead of minstrel_ht.
++	  module instead of minstrel_ht. Be warned that there are various
++	  issues with the ath9k RC and minstrel is a more robust algorithm.
++	  Note that even if this option is selected, "ath9k_rate_control"
++	  has to be passed to mac80211 using the module parameter,
++	  ieee80211_default_rc_algo.
+ 
+ config ATH9K_HTC
+        tristate "Atheros HTC based wireless cards support"
+diff --git a/drivers/net/wireless/ath/ath9k/Makefile b/drivers/net/wireless/ath/ath9k/Makefile
+index 36ed3c4..1cdb246 100644
+--- a/drivers/net/wireless/ath/ath9k/Makefile
++++ b/drivers/net/wireless/ath/ath9k/Makefile
+@@ -5,7 +5,7 @@ ath9k-y +=	beacon.o \
+ 		recv.o \
+ 		xmit.o \
+ 
+-ath9k-$(CONFIG_ATH9K_RATE_CONTROL) += rc.o
++ath9k-$(CONFIG_ATH9K_LEGACY_RATE_CONTROL) += rc.o
+ ath9k-$(CONFIG_ATH9K_PCI) += pci.o
+ ath9k-$(CONFIG_ATH9K_AHB) += ahb.o
+ ath9k-$(CONFIG_ATH9K_DEBUGFS) += debug.o
+diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c
+index 57622e0..ba6a49c 100644
+--- a/drivers/net/wireless/ath/ath9k/init.c
++++ b/drivers/net/wireless/ath/ath9k/init.c
+@@ -691,8 +691,7 @@ void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
+ 		BIT(NL80211_IFTYPE_ADHOC) |
+ 		BIT(NL80211_IFTYPE_MESH_POINT);
+ 
+-	if (AR_SREV_5416(sc->sc_ah))
+-		hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT;
++	hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT;
+ 
+ 	hw->wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
+ 
+@@ -714,10 +713,6 @@ void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw)
+ 	sc->ant_rx = hw->wiphy->available_antennas_rx;
+ 	sc->ant_tx = hw->wiphy->available_antennas_tx;
+ 
+-#ifdef CONFIG_ATH9K_RATE_CONTROL
+-	hw->rate_control_algorithm = "ath9k_rate_control";
+-#endif
+-
+ 	if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_2GHZ)
+ 		hw->wiphy->bands[IEEE80211_BAND_2GHZ] =
+ 			&sc->sbands[IEEE80211_BAND_2GHZ];
+diff --git a/drivers/net/wireless/ath/ath9k/rc.h b/drivers/net/wireless/ath/ath9k/rc.h
+index b7a4bcd..e8e1901 100644
+--- a/drivers/net/wireless/ath/ath9k/rc.h
++++ b/drivers/net/wireless/ath/ath9k/rc.h
+@@ -221,7 +221,7 @@ struct ath_rate_priv {
+ 	struct ath_rc_stats rcstats[RATE_TABLE_SIZE];
+ };
+ 
+-#ifdef CONFIG_ATH9K_RATE_CONTROL
++#ifdef CONFIG_ATH9K_LEGACY_RATE_CONTROL
+ int ath_rate_control_register(void);
+ void ath_rate_control_unregister(void);
+ #else
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index c0f2041..b0c2801 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2421,7 +2421,7 @@ static int b43_request_firmware(struct b43_wldev *dev)
+ 	for (i = 0; i < B43_NR_FWTYPES; i++) {
+ 		errmsg = ctx->errors[i];
+ 		if (strlen(errmsg))
+-			b43err(dev->wl, errmsg);
++			b43err(dev->wl, "%s", errmsg);
+ 	}
+ 	b43_print_fw_helptext(dev->wl, 1);
+ 	err = -ENOENT;
+diff --git a/drivers/net/wireless/b43legacy/main.c b/drivers/net/wireless/b43legacy/main.c
+index c5ce163..71195cb 100644
+--- a/drivers/net/wireless/b43legacy/main.c
++++ b/drivers/net/wireless/b43legacy/main.c
+@@ -3837,6 +3837,8 @@ static void b43legacy_remove(struct ssb_device *dev)
+ 	cancel_work_sync(&wldev->restart_work);
+ 
+ 	B43legacy_WARN_ON(!wl);
++	if (!wldev->fw.ucode)
++		return;			/* NULL if fw never loaded */
+ 	if (wl->current_dev == wldev)
+ 		ieee80211_unregister_hw(wl->hw);
+ 
+diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+index 3935994..bc30a5f 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+@@ -604,7 +604,7 @@ void iwl_restore_stations(struct iwl_priv *priv, struct iwl_rxon_context *ctx)
+ 					memcpy(&lq, priv->stations[i].lq,
+ 					       sizeof(struct iwl_link_quality_cmd));
+ 
+-				if (!memcmp(&lq, &zero_lq, sizeof(lq)))
++				if (memcmp(&lq, &zero_lq, sizeof(lq)))
+ 					send_lq = true;
+ 			}
+ 			spin_unlock_irqrestore(&priv->shrd->sta_lock,
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index 185a0eb..fd2b92d 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -46,11 +46,33 @@
+ #include <asm/xen/hypercall.h>
+ #include <asm/xen/page.h>
+ 
++/*
++ * This is the maximum slots a skb can have. If a guest sends a skb
++ * which exceeds this limit it is considered malicious.
++ */
++#define FATAL_SKB_SLOTS_DEFAULT 20
++static unsigned int fatal_skb_slots = FATAL_SKB_SLOTS_DEFAULT;
++module_param(fatal_skb_slots, uint, 0444);
++
++/*
++ * To avoid confusion, we define XEN_NETBK_LEGACY_SLOTS_MAX indicating
++ * the maximum slots a valid packet can use. Now this value is defined
++ * to be XEN_NETIF_NR_SLOTS_MIN, which is supposed to be supported by
++ * all backend.
++ */
++#define XEN_NETBK_LEGACY_SLOTS_MAX XEN_NETIF_NR_SLOTS_MIN
++
++typedef unsigned int pending_ring_idx_t;
++#define INVALID_PENDING_RING_IDX (~0U)
++
+ struct pending_tx_info {
+-	struct xen_netif_tx_request req;
++	struct xen_netif_tx_request req; /* coalesced tx request */
+ 	struct xenvif *vif;
++	pending_ring_idx_t head; /* head != INVALID_PENDING_RING_IDX
++				  * if it is head of one or more tx
++				  * reqs
++				  */
+ };
+-typedef unsigned int pending_ring_idx_t;
+ 
+ struct netbk_rx_meta {
+ 	int id;
+@@ -101,7 +123,11 @@ struct xen_netbk {
+ 	atomic_t netfront_count;
+ 
+ 	struct pending_tx_info pending_tx_info[MAX_PENDING_REQS];
+-	struct gnttab_copy tx_copy_ops[MAX_PENDING_REQS];
++	/* Coalescing tx requests before copying makes number of grant
++	 * copy ops greater or equal to number of slots required. In
++	 * worst case a tx request consumes 2 gnttab_copy.
++	 */
++	struct gnttab_copy tx_copy_ops[2*MAX_PENDING_REQS];
+ 
+ 	u16 pending_ring[MAX_PENDING_REQS];
+ 
+@@ -117,6 +143,16 @@ struct xen_netbk {
+ static struct xen_netbk *xen_netbk;
+ static int xen_netbk_group_nr;
+ 
++/*
++ * If head != INVALID_PENDING_RING_IDX, it means this tx request is head of
++ * one or more merged tx requests, otherwise it is the continuation of
++ * previous tx request.
++ */
++static inline int pending_tx_is_head(struct xen_netbk *netbk, RING_IDX idx)
++{
++	return netbk->pending_tx_info[idx].head != INVALID_PENDING_RING_IDX;
++}
++
+ void xen_netbk_add_xenvif(struct xenvif *vif)
+ {
+ 	int i;
+@@ -249,6 +285,7 @@ static int max_required_rx_slots(struct xenvif *vif)
+ {
+ 	int max = DIV_ROUND_UP(vif->dev->mtu, PAGE_SIZE);
+ 
++	/* XXX FIXME: RX path dependent on MAX_SKB_FRAGS */
+ 	if (vif->can_sg || vif->gso || vif->gso_prefix)
+ 		max += MAX_SKB_FRAGS + 1; /* extra_info + frags */
+ 
+@@ -627,6 +664,7 @@ static void xen_netbk_rx_action(struct xen_netbk *netbk)
+ 		__skb_queue_tail(&rxq, skb);
+ 
+ 		/* Filled the batch queue? */
++		/* XXX FIXME: RX path dependent on MAX_SKB_FRAGS */
+ 		if (count + MAX_SKB_FRAGS >= XEN_NETIF_RX_RING_SIZE)
+ 			break;
+ 	}
+@@ -874,47 +912,99 @@ static int netbk_count_requests(struct xenvif *vif,
+ 				int work_to_do)
+ {
+ 	RING_IDX cons = vif->tx.req_cons;
+-	int frags = 0;
++	int slots = 0;
++	int drop_err = 0;
++	int more_data;
+ 
+ 	if (!(first->flags & XEN_NETTXF_more_data))
+ 		return 0;
+ 
+ 	do {
+-		if (frags >= work_to_do) {
+-			netdev_err(vif->dev, "Need more frags\n");
++		struct xen_netif_tx_request dropped_tx = { 0 };
++
++		if (slots >= work_to_do) {
++			netdev_err(vif->dev,
++				   "Asked for %d slots but exceeds this limit\n",
++				   work_to_do);
+ 			netbk_fatal_tx_err(vif);
+ 			return -ENODATA;
+ 		}
+ 
+-		if (unlikely(frags >= MAX_SKB_FRAGS)) {
+-			netdev_err(vif->dev, "Too many frags\n");
++		/* This guest is really using too many slots and
++		 * considered malicious.
++		 */
++		if (unlikely(slots >= fatal_skb_slots)) {
++			netdev_err(vif->dev,
++				   "Malicious frontend using %d slots, threshold %u\n",
++				   slots, fatal_skb_slots);
+ 			netbk_fatal_tx_err(vif);
+ 			return -E2BIG;
+ 		}
+ 
+-		memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + frags),
++		/* Xen network protocol had implicit dependency on
++		 * MAX_SKB_FRAGS. XEN_NETBK_LEGACY_SLOTS_MAX is set to
++		 * the historical MAX_SKB_FRAGS value 18 to honor the
++		 * same behavior as before. Any packet using more than
++		 * 18 slots but less than fatal_skb_slots slots is
++		 * dropped
++		 */
++		if (!drop_err && slots >= XEN_NETBK_LEGACY_SLOTS_MAX) {
++			if (net_ratelimit())
++				netdev_dbg(vif->dev,
++					   "Too many slots (%d) exceeding limit (%d), dropping packet\n",
++					   slots, XEN_NETBK_LEGACY_SLOTS_MAX);
++			drop_err = -E2BIG;
++		}
++
++		if (drop_err)
++			txp = &dropped_tx;
++
++		memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + slots),
+ 		       sizeof(*txp));
+-		if (txp->size > first->size) {
+-			netdev_err(vif->dev, "Frag is bigger than frame.\n");
+-			netbk_fatal_tx_err(vif);
+-			return -EIO;
++
++		/* If the guest submitted a frame >= 64 KiB then
++		 * first->size overflowed and following slots will
++		 * appear to be larger than the frame.
++		 *
++		 * This cannot be fatal error as there are buggy
++		 * frontends that do this.
++		 *
++		 * Consume all slots and drop the packet.
++		 */
++		if (!drop_err && txp->size > first->size) {
++			if (net_ratelimit())
++				netdev_dbg(vif->dev,
++					   "Invalid tx request, slot size %u > remaining size %u\n",
++					   txp->size, first->size);
++			drop_err = -EIO;
+ 		}
+ 
+ 		first->size -= txp->size;
+-		frags++;
++		slots++;
+ 
+ 		if (unlikely((txp->offset + txp->size) > PAGE_SIZE)) {
+-			netdev_err(vif->dev, "txp->offset: %x, size: %u\n",
++			netdev_err(vif->dev, "Cross page boundary, txp->offset: %x, size: %u\n",
+ 				 txp->offset, txp->size);
+ 			netbk_fatal_tx_err(vif);
+ 			return -EINVAL;
+ 		}
+-	} while ((txp++)->flags & XEN_NETTXF_more_data);
+-	return frags;
++
++		more_data = txp->flags & XEN_NETTXF_more_data;
++
++		if (!drop_err)
++			txp++;
++
++	} while (more_data);
++
++	if (drop_err) {
++		netbk_tx_err(vif, first, cons + slots);
++		return drop_err;
++	}
++
++	return slots;
+ }
+ 
+ static struct page *xen_netbk_alloc_page(struct xen_netbk *netbk,
+-					 struct sk_buff *skb,
+ 					 u16 pending_idx)
+ {
+ 	struct page *page;
+@@ -935,50 +1025,114 @@ static struct gnttab_copy *xen_netbk_get_requests(struct xen_netbk *netbk,
+ 	struct skb_shared_info *shinfo = skb_shinfo(skb);
+ 	skb_frag_t *frags = shinfo->frags;
+ 	u16 pending_idx = *((u16 *)skb->data);
+-	int i, start;
++	u16 head_idx = 0;
++	int slot, start;
++	struct page *page;
++	pending_ring_idx_t index, start_idx = 0;
++	uint16_t dst_offset;
++	unsigned int nr_slots;
++	struct pending_tx_info *first = NULL;
++
++	/* At this point shinfo->nr_frags is in fact the number of
++	 * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX.
++	 */
++	nr_slots = shinfo->nr_frags;
+ 
+ 	/* Skip first skb fragment if it is on same page as header fragment. */
+ 	start = (frag_get_pending_idx(&shinfo->frags[0]) == pending_idx);
+ 
+-	for (i = start; i < shinfo->nr_frags; i++, txp++) {
+-		struct page *page;
+-		pending_ring_idx_t index;
++	/* Coalesce tx requests, at this point the packet passed in
++	 * should be <= 64K. Any packets larger than 64K have been
++	 * handled in netbk_count_requests().
++	 */
++	for (shinfo->nr_frags = slot = start; slot < nr_slots;
++	     shinfo->nr_frags++) {
+ 		struct pending_tx_info *pending_tx_info =
+ 			netbk->pending_tx_info;
+ 
+-		index = pending_index(netbk->pending_cons++);
+-		pending_idx = netbk->pending_ring[index];
+-		page = xen_netbk_alloc_page(netbk, skb, pending_idx);
++		page = alloc_page(GFP_KERNEL|__GFP_COLD);
+ 		if (!page)
+ 			goto err;
+ 
+-		netbk->mmap_pages[pending_idx] = page;
+-
+-		gop->source.u.ref = txp->gref;
+-		gop->source.domid = vif->domid;
+-		gop->source.offset = txp->offset;
+-
+-		gop->dest.u.gmfn = virt_to_mfn(page_address(page));
+-		gop->dest.domid = DOMID_SELF;
+-		gop->dest.offset = txp->offset;
+-
+-		gop->len = txp->size;
+-		gop->flags = GNTCOPY_source_gref;
++		dst_offset = 0;
++		first = NULL;
++		while (dst_offset < PAGE_SIZE && slot < nr_slots) {
++			gop->flags = GNTCOPY_source_gref;
++
++			gop->source.u.ref = txp->gref;
++			gop->source.domid = vif->domid;
++			gop->source.offset = txp->offset;
++
++			gop->dest.domid = DOMID_SELF;
++
++			gop->dest.offset = dst_offset;
++			gop->dest.u.gmfn = virt_to_mfn(page_address(page));
++
++			if (dst_offset + txp->size > PAGE_SIZE) {
++				/* This page can only merge a portion
++				 * of tx request. Do not increment any
++				 * pointer / counter here. The txp
++				 * will be dealt with in future
++				 * rounds, eventually hitting the
++				 * `else` branch.
++				 */
++				gop->len = PAGE_SIZE - dst_offset;
++				txp->offset += gop->len;
++				txp->size -= gop->len;
++				dst_offset += gop->len; /* quit loop */
++			} else {
++				/* This tx request can be merged in the page */
++				gop->len = txp->size;
++				dst_offset += gop->len;
++
++				index = pending_index(netbk->pending_cons++);
++
++				pending_idx = netbk->pending_ring[index];
++
++				memcpy(&pending_tx_info[pending_idx].req, txp,
++				       sizeof(*txp));
++				xenvif_get(vif);
++
++				pending_tx_info[pending_idx].vif = vif;
++
++				/* Poison these fields, corresponding
++				 * fields for head tx req will be set
++				 * to correct values after the loop.
++				 */
++				netbk->mmap_pages[pending_idx] = (void *)(~0UL);
++				pending_tx_info[pending_idx].head =
++					INVALID_PENDING_RING_IDX;
++
++				if (!first) {
++					first = &pending_tx_info[pending_idx];
++					start_idx = index;
++					head_idx = pending_idx;
++				}
++
++				txp++;
++				slot++;
++			}
+ 
+-		gop++;
++			gop++;
++		}
+ 
+-		memcpy(&pending_tx_info[pending_idx].req, txp, sizeof(*txp));
+-		xenvif_get(vif);
+-		pending_tx_info[pending_idx].vif = vif;
+-		frag_set_pending_idx(&frags[i], pending_idx);
++		first->req.offset = 0;
++		first->req.size = dst_offset;
++		first->head = start_idx;
++		set_page_ext(page, netbk, head_idx);
++		netbk->mmap_pages[head_idx] = page;
++		frag_set_pending_idx(&frags[shinfo->nr_frags], head_idx);
+ 	}
+ 
++	BUG_ON(shinfo->nr_frags > MAX_SKB_FRAGS);
++
+ 	return gop;
+ err:
+ 	/* Unwind, freeing all pages and sending error responses. */
+-	while (i-- > start) {
+-		xen_netbk_idx_release(netbk, frag_get_pending_idx(&frags[i]),
+-				      XEN_NETIF_RSP_ERROR);
++	while (shinfo->nr_frags-- > start) {
++		xen_netbk_idx_release(netbk,
++				frag_get_pending_idx(&frags[shinfo->nr_frags]),
++				XEN_NETIF_RSP_ERROR);
+ 	}
+ 	/* The head too, if necessary. */
+ 	if (start)
+@@ -994,8 +1148,10 @@ static int xen_netbk_tx_check_gop(struct xen_netbk *netbk,
+ 	struct gnttab_copy *gop = *gopp;
+ 	u16 pending_idx = *((u16 *)skb->data);
+ 	struct skb_shared_info *shinfo = skb_shinfo(skb);
++	struct pending_tx_info *tx_info;
+ 	int nr_frags = shinfo->nr_frags;
+ 	int i, err, start;
++	u16 peek; /* peek into next tx request */
+ 
+ 	/* Check status of header. */
+ 	err = gop->status;
+@@ -1007,11 +1163,20 @@ static int xen_netbk_tx_check_gop(struct xen_netbk *netbk,
+ 
+ 	for (i = start; i < nr_frags; i++) {
+ 		int j, newerr;
++		pending_ring_idx_t head;
+ 
+ 		pending_idx = frag_get_pending_idx(&shinfo->frags[i]);
++		tx_info = &netbk->pending_tx_info[pending_idx];
++		head = tx_info->head;
+ 
+ 		/* Check error status: if okay then remember grant handle. */
+-		newerr = (++gop)->status;
++		do {
++			newerr = (++gop)->status;
++			if (newerr)
++				break;
++			peek = netbk->pending_ring[pending_index(++head)];
++		} while (!pending_tx_is_head(netbk, peek));
++
+ 		if (likely(!newerr)) {
+ 			/* Had a previous error? Invalidate this fragment. */
+ 			if (unlikely(err))
+@@ -1236,11 +1401,12 @@ static unsigned xen_netbk_tx_build_gops(struct xen_netbk *netbk)
+ 	struct sk_buff *skb;
+ 	int ret;
+ 
+-	while (((nr_pending_reqs(netbk) + MAX_SKB_FRAGS) < MAX_PENDING_REQS) &&
++	while ((nr_pending_reqs(netbk) + XEN_NETBK_LEGACY_SLOTS_MAX
++		< MAX_PENDING_REQS) &&
+ 		!list_empty(&netbk->net_schedule_list)) {
+ 		struct xenvif *vif;
+ 		struct xen_netif_tx_request txreq;
+-		struct xen_netif_tx_request txfrags[MAX_SKB_FRAGS];
++		struct xen_netif_tx_request txfrags[XEN_NETBK_LEGACY_SLOTS_MAX];
+ 		struct page *page;
+ 		struct xen_netif_extra_info extras[XEN_NETIF_EXTRA_TYPE_MAX-1];
+ 		u16 pending_idx;
+@@ -1328,7 +1494,7 @@ static unsigned xen_netbk_tx_build_gops(struct xen_netbk *netbk)
+ 		pending_idx = netbk->pending_ring[index];
+ 
+ 		data_len = (txreq.size > PKT_PROT_LEN &&
+-			    ret < MAX_SKB_FRAGS) ?
++			    ret < XEN_NETBK_LEGACY_SLOTS_MAX) ?
+ 			PKT_PROT_LEN : txreq.size;
+ 
+ 		skb = alloc_skb(data_len + NET_SKB_PAD + NET_IP_ALIGN,
+@@ -1355,15 +1521,13 @@ static unsigned xen_netbk_tx_build_gops(struct xen_netbk *netbk)
+ 		}
+ 
+ 		/* XXX could copy straight to head */
+-		page = xen_netbk_alloc_page(netbk, skb, pending_idx);
++		page = xen_netbk_alloc_page(netbk, pending_idx);
+ 		if (!page) {
+ 			kfree_skb(skb);
+ 			netbk_tx_err(vif, &txreq, idx);
+ 			continue;
+ 		}
+ 
+-		netbk->mmap_pages[pending_idx] = page;
+-
+ 		gop->source.u.ref = txreq.gref;
+ 		gop->source.domid = vif->domid;
+ 		gop->source.offset = txreq.offset;
+@@ -1380,6 +1544,7 @@ static unsigned xen_netbk_tx_build_gops(struct xen_netbk *netbk)
+ 		memcpy(&netbk->pending_tx_info[pending_idx].req,
+ 		       &txreq, sizeof(txreq));
+ 		netbk->pending_tx_info[pending_idx].vif = vif;
++		netbk->pending_tx_info[pending_idx].head = index;
+ 		*((u16 *)skb->data) = pending_idx;
+ 
+ 		__skb_put(skb, data_len);
+@@ -1510,7 +1675,10 @@ static void xen_netbk_idx_release(struct xen_netbk *netbk, u16 pending_idx,
+ {
+ 	struct xenvif *vif;
+ 	struct pending_tx_info *pending_tx_info;
+-	pending_ring_idx_t index;
++	pending_ring_idx_t head;
++	u16 peek; /* peek into next tx request */
++
++	BUG_ON(netbk->mmap_pages[pending_idx] == (void *)(~0UL));
+ 
+ 	/* Already complete? */
+ 	if (netbk->mmap_pages[pending_idx] == NULL)
+@@ -1519,19 +1687,40 @@ static void xen_netbk_idx_release(struct xen_netbk *netbk, u16 pending_idx,
+ 	pending_tx_info = &netbk->pending_tx_info[pending_idx];
+ 
+ 	vif = pending_tx_info->vif;
++	head = pending_tx_info->head;
++
++	BUG_ON(!pending_tx_is_head(netbk, head));
++	BUG_ON(netbk->pending_ring[pending_index(head)] != pending_idx);
+ 
+-	make_tx_response(vif, &pending_tx_info->req, status);
++	do {
++		pending_ring_idx_t index;
++		pending_ring_idx_t idx = pending_index(head);
++		u16 info_idx = netbk->pending_ring[idx];
+ 
+-	index = pending_index(netbk->pending_prod++);
+-	netbk->pending_ring[index] = pending_idx;
++		pending_tx_info = &netbk->pending_tx_info[info_idx];
++		make_tx_response(vif, &pending_tx_info->req, status);
+ 
+-	xenvif_put(vif);
++		/* Setting any number other than
++		 * INVALID_PENDING_RING_IDX indicates this slot is
++		 * starting a new packet / ending a previous packet.
++		 */
++		pending_tx_info->head = 0;
++
++		index = pending_index(netbk->pending_prod++);
++		netbk->pending_ring[index] = netbk->pending_ring[info_idx];
++
++		xenvif_put(vif);
++
++		peek = netbk->pending_ring[pending_index(++head)];
++
++	} while (!pending_tx_is_head(netbk, peek));
+ 
+ 	netbk->mmap_pages[pending_idx]->mapping = 0;
+ 	put_page(netbk->mmap_pages[pending_idx]);
+ 	netbk->mmap_pages[pending_idx] = NULL;
+ }
+ 
++
+ static void make_tx_response(struct xenvif *vif,
+ 			     struct xen_netif_tx_request *txp,
+ 			     s8       st)
+@@ -1584,8 +1773,9 @@ static inline int rx_work_todo(struct xen_netbk *netbk)
+ static inline int tx_work_todo(struct xen_netbk *netbk)
+ {
+ 
+-	if (((nr_pending_reqs(netbk) + MAX_SKB_FRAGS) < MAX_PENDING_REQS) &&
+-			!list_empty(&netbk->net_schedule_list))
++	if ((nr_pending_reqs(netbk) + XEN_NETBK_LEGACY_SLOTS_MAX
++	     < MAX_PENDING_REQS) &&
++	     !list_empty(&netbk->net_schedule_list))
+ 		return 1;
+ 
+ 	return 0;
+@@ -1668,6 +1858,13 @@ static int __init netback_init(void)
+ 	if (!xen_pv_domain())
+ 		return -ENODEV;
+ 
++	if (fatal_skb_slots < XEN_NETBK_LEGACY_SLOTS_MAX) {
++		printk(KERN_INFO
++		       "xen-netback: fatal_skb_slots too small (%d), bump it to XEN_NETBK_LEGACY_SLOTS_MAX (%d)\n",
++		       fatal_skb_slots, XEN_NETBK_LEGACY_SLOTS_MAX);
++		fatal_skb_slots = XEN_NETBK_LEGACY_SLOTS_MAX;
++	}
++
+ 	xen_netbk_group_nr = num_online_cpus();
+ 	xen_netbk = vzalloc(sizeof(struct xen_netbk) * xen_netbk_group_nr);
+ 	if (!xen_netbk) {
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 9b9843e..0d9914b 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -36,7 +36,7 @@
+ #include <linux/skbuff.h>
+ #include <linux/ethtool.h>
+ #include <linux/if_ether.h>
+-#include <linux/tcp.h>
++#include <net/tcp.h>
+ #include <linux/udp.h>
+ #include <linux/moduleparam.h>
+ #include <linux/mm.h>
+@@ -490,6 +490,16 @@ static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ 	unsigned int offset = offset_in_page(data);
+ 	unsigned int len = skb_headlen(skb);
+ 
++	/* If skb->len is too big for wire format, drop skb and alert
++	 * user about misconfiguration.
++	 */
++	if (unlikely(skb->len > XEN_NETIF_MAX_TX_SIZE)) {
++		net_alert_ratelimited(
++			"xennet: skb->len = %u, too big for wire format\n",
++			skb->len);
++		goto drop;
++	}
++
+ 	frags += DIV_ROUND_UP(offset + len, PAGE_SIZE);
+ 	if (unlikely(frags > MAX_SKB_FRAGS + 1)) {
+ 		printk(KERN_ALERT "xennet: skb rides the rocket: %d frags\n",
+@@ -1043,7 +1053,8 @@ err:
+ 
+ static int xennet_change_mtu(struct net_device *dev, int mtu)
+ {
+-	int max = xennet_can_sg(dev) ? 65535 - ETH_HLEN : ETH_DATA_LEN;
++	int max = xennet_can_sg(dev) ?
++		XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER : ETH_DATA_LEN;
+ 
+ 	if (mtu > max)
+ 		return -EINVAL;
+@@ -1318,6 +1329,8 @@ static struct net_device * __devinit xennet_create_dev(struct xenbus_device *dev
+ 	SET_ETHTOOL_OPS(netdev, &xennet_ethtool_ops);
+ 	SET_NETDEV_DEV(netdev, &dev->dev);
+ 
++	netif_set_gso_max_size(netdev, XEN_NETIF_MAX_TX_SIZE - MAX_TCP_HEADER);
++
+ 	np->netdev = netdev;
+ 
+ 	netif_carrier_off(netdev);
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index 7b82868..8e6c4fa 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -8665,6 +8665,13 @@ static int __must_check __init get_thinkpad_model_data(
+ 		tp->model_str = kstrdup(s, GFP_KERNEL);
+ 		if (!tp->model_str)
+ 			return -ENOMEM;
++	} else {
++		s = dmi_get_system_info(DMI_BIOS_VENDOR);
++		if (s && !(strnicmp(s, "Lenovo", 6))) {
++			tp->model_str = kstrdup(s, GFP_KERNEL);
++			if (!tp->model_str)
++				return -ENOMEM;
++		}
+ 	}
+ 
+ 	s = dmi_get_system_info(DMI_PRODUCT_NAME);
+diff --git a/drivers/rapidio/devices/tsi721.c b/drivers/rapidio/devices/tsi721.c
+index 23ef16c..84eab3f 100644
+--- a/drivers/rapidio/devices/tsi721.c
++++ b/drivers/rapidio/devices/tsi721.c
+@@ -555,7 +555,7 @@ static irqreturn_t tsi721_irqhandler(int irq, void *ptr)
+ 	/* For MSI mode re-enable device-level interrupts */
+ 	if (priv->flags & TSI721_USING_MSI) {
+ 		dev_int = TSI721_DEV_INT_SR2PC_CH | TSI721_DEV_INT_SRIO |
+-			TSI721_DEV_INT_SMSG_CH | TSI721_DEV_INT_BDMA_CH;
++			TSI721_DEV_INT_SMSG_CH;
+ 		iowrite32(dev_int, priv->regs + TSI721_DEV_INTE);
+ 	}
+ 
+diff --git a/drivers/rtc/rtc-twl.c b/drivers/rtc/rtc-twl.c
+index a3e98f1..b37c8b0 100644
+--- a/drivers/rtc/rtc-twl.c
++++ b/drivers/rtc/rtc-twl.c
+@@ -490,6 +490,7 @@ static int __devinit twl_rtc_probe(struct platform_device *pdev)
+ 	}
+ 
+ 	platform_set_drvdata(pdev, rtc);
++	device_init_wakeup(&pdev->dev, 1);
+ 	return 0;
+ 
+ out2:
+diff --git a/drivers/staging/gma500/cdv_intel_display.c b/drivers/staging/gma500/cdv_intel_display.c
+index 7b97c60..626ae47 100644
+--- a/drivers/staging/gma500/cdv_intel_display.c
++++ b/drivers/staging/gma500/cdv_intel_display.c
+@@ -1457,6 +1457,19 @@ static void cdv_intel_crtc_destroy(struct drm_crtc *crtc)
+ 	kfree(psb_intel_crtc);
+ }
+ 
++static void cdv_intel_crtc_disable(struct drm_crtc *crtc)
++{
++	struct gtt_range *gt;
++	struct drm_crtc_helper_funcs *crtc_funcs = crtc->helper_private;
++
++	crtc_funcs->dpms(crtc, DRM_MODE_DPMS_OFF);
++
++	if (crtc->fb) {
++		gt = to_psb_fb(crtc->fb)->gtt;
++		psb_gtt_unpin(gt);
++	}
++}
++
+ const struct drm_crtc_helper_funcs cdv_intel_helper_funcs = {
+ 	.dpms = cdv_intel_crtc_dpms,
+ 	.mode_fixup = cdv_intel_crtc_mode_fixup,
+@@ -1464,6 +1477,7 @@ const struct drm_crtc_helper_funcs cdv_intel_helper_funcs = {
+ 	.mode_set_base = cdv_intel_pipe_set_base,
+ 	.prepare = cdv_intel_crtc_prepare,
+ 	.commit = cdv_intel_crtc_commit,
++	.disable = cdv_intel_crtc_disable,
+ };
+ 
+ const struct drm_crtc_funcs cdv_intel_crtc_funcs = {
+diff --git a/drivers/staging/gma500/framebuffer.c b/drivers/staging/gma500/framebuffer.c
+index 3f39a37..d28fdc2 100644
+--- a/drivers/staging/gma500/framebuffer.c
++++ b/drivers/staging/gma500/framebuffer.c
+@@ -831,8 +831,8 @@ void psb_modeset_init(struct drm_device *dev)
+ 	for (i = 0; i < dev_priv->num_pipe; i++)
+ 		psb_intel_crtc_init(dev, i, mode_dev);
+ 
+-	dev->mode_config.max_width = 2048;
+-	dev->mode_config.max_height = 2048;
++	dev->mode_config.max_width = 4096;
++	dev->mode_config.max_height = 4096;
+ 
+ 	psb_setup_outputs(dev);
+ }
+diff --git a/drivers/staging/gma500/psb_intel_display.c b/drivers/staging/gma500/psb_intel_display.c
+index caa9d86..0d872e9 100644
+--- a/drivers/staging/gma500/psb_intel_display.c
++++ b/drivers/staging/gma500/psb_intel_display.c
+@@ -1255,6 +1255,19 @@ void psb_intel_crtc_destroy(struct drm_crtc *crtc)
+ 	kfree(psb_intel_crtc);
+ }
+ 
++static void psb_intel_crtc_disable(struct drm_crtc *crtc)
++{
++	struct gtt_range *gt;
++	struct drm_crtc_helper_funcs *crtc_funcs = crtc->helper_private;
++
++	crtc_funcs->dpms(crtc, DRM_MODE_DPMS_OFF);
++
++	if (crtc->fb) {
++		gt = to_psb_fb(crtc->fb)->gtt;
++		psb_gtt_unpin(gt);
++	}
++}
++
+ const struct drm_crtc_helper_funcs psb_intel_helper_funcs = {
+ 	.dpms = psb_intel_crtc_dpms,
+ 	.mode_fixup = psb_intel_crtc_mode_fixup,
+@@ -1262,6 +1275,7 @@ const struct drm_crtc_helper_funcs psb_intel_helper_funcs = {
+ 	.mode_set_base = psb_intel_pipe_set_base,
+ 	.prepare = psb_intel_crtc_prepare,
+ 	.commit = psb_intel_crtc_commit,
++	.disable = psb_intel_crtc_disable,
+ };
+ 
+ const struct drm_crtc_funcs psb_intel_crtc_funcs = {
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index 5b77316..db313ba 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -713,9 +713,9 @@ static int iscsi_add_notunderstood_response(
+ 	}
+ 	INIT_LIST_HEAD(&extra_response->er_list);
+ 
+-	strncpy(extra_response->key, key, strlen(key) + 1);
+-	strncpy(extra_response->value, NOTUNDERSTOOD,
+-			strlen(NOTUNDERSTOOD) + 1);
++	strlcpy(extra_response->key, key, sizeof(extra_response->key));
++	strlcpy(extra_response->value, NOTUNDERSTOOD,
++		sizeof(extra_response->value));
+ 
+ 	list_add_tail(&extra_response->er_list,
+ 			&param_list->extra_response_list);
+@@ -1572,8 +1572,6 @@ int iscsi_decode_text_input(
+ 
+ 		if (phase & PHASE_SECURITY) {
+ 			if (iscsi_check_for_auth_key(key) > 0) {
+-				char *tmpptr = key + strlen(key);
+-				*tmpptr = '=';
+ 				kfree(tmpbuf);
+ 				return 1;
+ 			}
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
+index 6a37fd6..83eed65 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+ 
++#include <scsi/iscsi_proto.h>
++
+ struct iscsi_extra_response {
+-	char key[64];
++	char key[KEY_MAXLEN];
+ 	char value[32];
+ 	struct list_head er_list;
+ } ____cacheline_aligned;
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index e9637f9..b368b83 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1310,10 +1310,19 @@ static void dwc3_gadget_free_endpoints(struct dwc3 *dwc)
+ 
+ 	for (epnum = 0; epnum < DWC3_ENDPOINTS_NUM; epnum++) {
+ 		dep = dwc->eps[epnum];
+-		dwc3_free_trb_pool(dep);
+-
+-		if (epnum != 0 && epnum != 1)
++		/*
++		 * Physical endpoints 0 and 1 are special; they form the
++		 * bi-directional USB endpoint 0.
++		 *
++		 * For those two physical endpoints, we don't allocate a TRB
++		 * pool nor do we add them the endpoints list. Due to that, we
++		 * shouldn't do these two operations otherwise we would end up
++		 * with all sorts of bugs when removing dwc3.ko.
++		 */
++		if (epnum != 0 && epnum != 1) {
++			dwc3_free_trb_pool(dep);
+ 			list_del(&dep->endpoint.ep_list);
++		}
+ 
+ 		kfree(dep);
+ 	}
+diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
+index 08e470f..34655d0 100644
+--- a/drivers/usb/host/ehci-sched.c
++++ b/drivers/usb/host/ehci-sched.c
+@@ -236,7 +236,7 @@ static inline unsigned char tt_start_uframe(struct ehci_hcd *ehci, __hc32 mask)
+ }
+ 
+ static const unsigned char
+-max_tt_usecs[] = { 125, 125, 125, 125, 125, 125, 125, 25 };
++max_tt_usecs[] = { 125, 125, 125, 125, 125, 125, 30, 0 };
+ 
+ /* carryover low/fullspeed bandwidth that crosses uframe boundries */
+ static inline void carryover_tt_bandwidth(unsigned short tt_usecs[8])
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 430c1d5..5018e33 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1755,6 +1755,9 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ 	}
+ 	spin_unlock_irqrestore(&xhci->lock, flags);
+ 
++	if (!xhci->rh_bw)
++		goto no_bw;
++
+ 	num_ports = HCS_MAX_PORTS(xhci->hcs_params1);
+ 	for (i = 0; i < num_ports; i++) {
+ 		struct xhci_interval_bw_table *bwt = &xhci->rh_bw[i].bw_table;
+@@ -1773,6 +1776,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ 		}
+ 	}
+ 
++no_bw:
+ 	xhci->num_usb2_ports = 0;
+ 	xhci->num_usb3_ports = 0;
+ 	xhci->num_active_eps = 0;
+@@ -2184,6 +2188,9 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
+ 	u32 page_size;
+ 	int i;
+ 
++	INIT_LIST_HEAD(&xhci->lpm_failed_devs);
++	INIT_LIST_HEAD(&xhci->cancel_cmd_list);
++
+ 	page_size = xhci_readl(xhci, &xhci->op_regs->page_size);
+ 	xhci_dbg(xhci, "Supported page size register = 0x%x\n", page_size);
+ 	for (i = 0; i < 16; i++) {
+@@ -2262,7 +2269,6 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
+ 	xhci->cmd_ring = xhci_ring_alloc(xhci, 1, true, false, flags);
+ 	if (!xhci->cmd_ring)
+ 		goto fail;
+-	INIT_LIST_HEAD(&xhci->cancel_cmd_list);
+ 	xhci_dbg(xhci, "Allocated command ring at %p\n", xhci->cmd_ring);
+ 	xhci_dbg(xhci, "First segment DMA is 0x%llx\n",
+ 			(unsigned long long)xhci->cmd_ring->first_seg->dma);
+@@ -2363,8 +2369,6 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
+ 	if (xhci_setup_port_arrays(xhci, flags))
+ 		goto fail;
+ 
+-	INIT_LIST_HEAD(&xhci->lpm_failed_devs);
+-
+ 	return 0;
+ 
+ fail:
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 2c0350f..136c357 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -938,6 +938,7 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ 	struct usb_hcd		*hcd = xhci_to_hcd(xhci);
+ 	struct usb_hcd		*secondary_hcd;
+ 	int			retval = 0;
++	bool			comp_timer_running = false;
+ 
+ 	/* Wait a bit if either of the roothubs need to settle from the
+ 	 * transition into bus suspend.
+@@ -975,6 +976,13 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ 
+ 	/* If restore operation fails, re-initialize the HC during resume */
+ 	if ((temp & STS_SRE) || hibernated) {
++
++		if ((xhci->quirks & XHCI_COMP_MODE_QUIRK) &&
++				!(xhci_all_ports_seen_u0(xhci))) {
++			del_timer_sync(&xhci->comp_mode_recovery_timer);
++			xhci_dbg(xhci, "Compliance Mode Recovery Timer deleted!\n");
++		}
++
+ 		/* Let the USB core know _both_ roothubs lost power. */
+ 		usb_root_hub_lost_power(xhci->main_hcd->self.root_hub);
+ 		usb_root_hub_lost_power(xhci->shared_hcd->self.root_hub);
+@@ -1017,6 +1025,8 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ 		retval = xhci_init(hcd->primary_hcd);
+ 		if (retval)
+ 			return retval;
++		comp_timer_running = true;
++
+ 		xhci_dbg(xhci, "Start the primary HCD\n");
+ 		retval = xhci_run(hcd->primary_hcd);
+ 		if (!retval) {
+@@ -1058,7 +1068,7 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ 	 * to suffer the Compliance Mode issue again. It doesn't matter if
+ 	 * ports have entered previously to U0 before system's suspension.
+ 	 */
+-	if (xhci->quirks & XHCI_COMP_MODE_QUIRK)
++	if ((xhci->quirks & XHCI_COMP_MODE_QUIRK) && !comp_timer_running)
+ 		compliance_mode_recovery_timer_init(xhci);
+ 
+ 	/* Re-enable port polling. */
+diff --git a/drivers/usb/serial/ark3116.c b/drivers/usb/serial/ark3116.c
+index 3ca6c0d..1a715f6 100644
+--- a/drivers/usb/serial/ark3116.c
++++ b/drivers/usb/serial/ark3116.c
+@@ -49,7 +49,7 @@ static int debug;
+ #define DRIVER_NAME "ark3116"
+ 
+ /* usb timeout of 1 second */
+-#define ARK_TIMEOUT (1*HZ)
++#define ARK_TIMEOUT 1000
+ 
+ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE(0x6547, 0x0232) },
+diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
+index 01a44d3..10c30ad 100644
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -96,6 +96,7 @@ static const struct usb_device_id id_table_earthmate[] = {
+ static const struct usb_device_id id_table_cyphidcomrs232[] = {
+ 	{ USB_DEVICE(VENDOR_ID_CYPRESS, PRODUCT_ID_CYPHIDCOM) },
+ 	{ USB_DEVICE(VENDOR_ID_POWERCOM, PRODUCT_ID_UPS) },
++	{ USB_DEVICE(VENDOR_ID_FRWD, PRODUCT_ID_CYPHIDCOM_FRWD) },
+ 	{ }						/* Terminating entry */
+ };
+ 
+@@ -109,6 +110,7 @@ static const struct usb_device_id id_table_combined[] = {
+ 	{ USB_DEVICE(VENDOR_ID_DELORME, PRODUCT_ID_EARTHMATEUSB_LT20) },
+ 	{ USB_DEVICE(VENDOR_ID_CYPRESS, PRODUCT_ID_CYPHIDCOM) },
+ 	{ USB_DEVICE(VENDOR_ID_POWERCOM, PRODUCT_ID_UPS) },
++	{ USB_DEVICE(VENDOR_ID_FRWD, PRODUCT_ID_CYPHIDCOM_FRWD) },
+ 	{ USB_DEVICE(VENDOR_ID_DAZZLE, PRODUCT_ID_CA42) },
+ 	{ }						/* Terminating entry */
+ };
+@@ -267,6 +269,12 @@ static struct usb_serial_driver cypress_ca42v2_device = {
+  * Cypress serial helper functions
+  *****************************************************************************/
+ 
++/* FRWD Dongle hidcom needs to skip reset and speed checks */
++static inline bool is_frwd(struct usb_device *dev)
++{
++	return ((le16_to_cpu(dev->descriptor.idVendor) == VENDOR_ID_FRWD) &&
++		(le16_to_cpu(dev->descriptor.idProduct) == PRODUCT_ID_CYPHIDCOM_FRWD));
++}
+ 
+ static int analyze_baud_rate(struct usb_serial_port *port, speed_t new_rate)
+ {
+@@ -276,6 +284,10 @@ static int analyze_baud_rate(struct usb_serial_port *port, speed_t new_rate)
+ 	if (unstable_bauds)
+ 		return new_rate;
+ 
++	/* FRWD Dongle uses 115200 bps */
++	if (is_frwd(port->serial->dev))
++		return new_rate;
++
+ 	/*
+ 	 * The general purpose firmware for the Cypress M8 allows for
+ 	 * a maximum speed of 57600bps (I have no idea whether DeLorme
+@@ -488,7 +500,11 @@ static int generic_startup(struct usb_serial *serial)
+ 		return -ENOMEM;
+ 	}
+ 
+-	usb_reset_configuration(serial->dev);
++	/* Skip reset for FRWD device. It is a workaound:
++	   device hangs if it receives SET_CONFIGURE in Configured
++	   state. */
++	if (!is_frwd(serial->dev))
++		usb_reset_configuration(serial->dev);
+ 
+ 	priv->cmd_ctrl = 0;
+ 	priv->line_control = 0;
+diff --git a/drivers/usb/serial/cypress_m8.h b/drivers/usb/serial/cypress_m8.h
+index 67cf608..b461311 100644
+--- a/drivers/usb/serial/cypress_m8.h
++++ b/drivers/usb/serial/cypress_m8.h
+@@ -24,6 +24,10 @@
+ #define VENDOR_ID_CYPRESS		0x04b4
+ #define PRODUCT_ID_CYPHIDCOM		0x5500
+ 
++/* FRWD Dongle - a GPS sports watch */
++#define VENDOR_ID_FRWD			0x6737
++#define PRODUCT_ID_CYPHIDCOM_FRWD	0x0001
++
+ /* Powercom UPS, chip CY7C63723 */
+ #define VENDOR_ID_POWERCOM		0x0d9f
+ #define PRODUCT_ID_UPS			0x0002
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 918ec98..ce9f87f 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -2169,6 +2169,9 @@ static void ftdi_set_termios(struct tty_struct *tty,
+ 
+ 	cflag = termios->c_cflag;
+ 
++	if (!old_termios)
++		goto no_skip;
++
+ 	if (old_termios->c_cflag == termios->c_cflag
+ 	    && old_termios->c_ispeed == termios->c_ispeed
+ 	    && old_termios->c_ospeed == termios->c_ospeed)
+@@ -2182,6 +2185,7 @@ static void ftdi_set_termios(struct tty_struct *tty,
+ 	    (termios->c_cflag & (CSIZE|PARODD|PARENB|CMSPAR|CSTOPB)))
+ 		goto no_data_parity_stop_changes;
+ 
++no_skip:
+ 	/* Set number of data bits, parity, stop bits */
+ 
+ 	urb_value = 0;
+diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
+index 6aca631..cf2668e 100644
+--- a/drivers/usb/serial/iuu_phoenix.c
++++ b/drivers/usb/serial/iuu_phoenix.c
+@@ -327,7 +327,7 @@ static int bulk_immediate(struct usb_serial_port *port, u8 *buf, u8 count)
+ 	    usb_bulk_msg(serial->dev,
+ 			 usb_sndbulkpipe(serial->dev,
+ 					 port->bulk_out_endpointAddress), buf,
+-			 count, &actual, HZ * 1);
++			 count, &actual, 1000);
+ 
+ 	if (status != IUU_OPERATION_OK)
+ 		dbg("%s - error = %2x", __func__, status);
+@@ -350,7 +350,7 @@ static int read_immediate(struct usb_serial_port *port, u8 *buf, u8 count)
+ 	    usb_bulk_msg(serial->dev,
+ 			 usb_rcvbulkpipe(serial->dev,
+ 					 port->bulk_in_endpointAddress), buf,
+-			 count, &actual, HZ * 1);
++			 count, &actual, 1000);
+ 
+ 	if (status != IUU_OPERATION_OK)
+ 		dbg("%s - error = %2x", __func__, status);
+diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
+index a442352..4f415e28 100644
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -1833,7 +1833,7 @@ static int keyspan_usa26_send_setup(struct usb_serial *serial,
+ 	d_details = s_priv->device_details;
+ 	device_port = port->number - port->serial->minor;
+ 
+-	outcont_urb = d_details->outcont_endpoints[port->number];
++	outcont_urb = d_details->outcont_endpoints[device_port];
+ 	this_urb = p_priv->outcont_urb;
+ 
+ 	dbg("%s - endpoint %d", __func__, usb_pipeendpoint(this_urb->pipe));
+diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
+index 3524a10..9580679 100644
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -44,7 +44,7 @@
+ #define DRIVER_DESC "Moschip USB Serial Driver"
+ 
+ /* default urb timeout */
+-#define MOS_WDR_TIMEOUT	(HZ * 5)
++#define MOS_WDR_TIMEOUT	5000
+ 
+ #define MOS_MAX_PORT	0x02
+ #define MOS_WRITE	0x0E
+@@ -234,11 +234,22 @@ static int read_mos_reg(struct usb_serial *serial, unsigned int serial_portnum,
+ 	__u8 requesttype = (__u8)0xc0;
+ 	__u16 index = get_reg_index(reg);
+ 	__u16 value = get_reg_value(reg, serial_portnum);
+-	int status = usb_control_msg(usbdev, pipe, request, requesttype, value,
+-				     index, data, 1, MOS_WDR_TIMEOUT);
+-	if (status < 0)
++	u8 *buf;
++	int status;
++
++	buf = kmalloc(1, GFP_KERNEL);
++	if (!buf)
++		return -ENOMEM;
++
++	status = usb_control_msg(usbdev, pipe, request, requesttype, value,
++				     index, buf, 1, MOS_WDR_TIMEOUT);
++	if (status == 1)
++		*data = *buf;
++	else if (status < 0)
+ 		dev_err(&usbdev->dev,
+ 			"mos7720: usb_control_msg() failed: %d", status);
++	kfree(buf);
++
+ 	return status;
+ }
+ 
+@@ -1700,7 +1711,7 @@ static void change_port_settings(struct tty_struct *tty,
+ 		mos7720_port->shadowMCR |= (UART_MCR_XONANY);
+ 		/* To set hardware flow control to the specified *
+ 		 * serial port, in SP1/2_CONTROL_REG             */
+-		if (port->number)
++		if (port_number)
+ 			write_mos_reg(serial, dummy, SP_CONTROL_REG, 0x01);
+ 		else
+ 			write_mos_reg(serial, dummy, SP_CONTROL_REG, 0x02);
+@@ -2112,7 +2123,7 @@ static int mos7720_startup(struct usb_serial *serial)
+ 
+ 	/* setting configuration feature to one */
+ 	usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+-			(__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5*HZ);
++			(__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);
+ 
+ 	/* start the interrupt urb */
+ 	ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
+@@ -2157,7 +2168,7 @@ static void mos7720_release(struct usb_serial *serial)
+ 		/* wait for synchronous usb calls to return */
+ 		if (mos_parport->msg_pending)
+ 			wait_for_completion_timeout(&mos_parport->syncmsg_compl,
+-						    MOS_WDR_TIMEOUT);
++					    msecs_to_jiffies(MOS_WDR_TIMEOUT));
+ 
+ 		parport_remove_port(mos_parport->pp);
+ 		usb_set_serial_data(serial, NULL);
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 59c4997..8ea37bc 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -593,6 +593,8 @@ static const struct usb_device_id option_ids[] = {
+ 		.driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K3765, 0xff, 0xff, 0xff),
+ 		.driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
++	{ USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x14ac, 0xff, 0xff, 0xff),	/* Huawei E1820 */
++		.driver_info = (kernel_ulong_t) &net_intf1_blacklist },
+ 	{ USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4605, 0xff, 0xff, 0xff),
+ 		.driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
+ 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0xff, 0xff) },
+diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
+index fd86e0e..317e503 100644
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -270,7 +270,7 @@ static void pl2303_set_termios(struct tty_struct *tty,
+ 	   serial settings even to the same values as before. Thus
+ 	   we actually need to filter in this specific case */
+ 
+-	if (!tty_termios_hw_change(tty->termios, old_termios))
++	if (old_termios && !tty_termios_hw_change(tty->termios, old_termios))
+ 		return;
+ 
+ 	cflag = tty->termios->c_cflag;
+@@ -279,7 +279,8 @@ static void pl2303_set_termios(struct tty_struct *tty,
+ 	if (!buf) {
+ 		dev_err(&port->dev, "%s - out of memory.\n", __func__);
+ 		/* Report back no change occurred */
+-		*tty->termios = *old_termios;
++		if (old_termios)
++			*tty->termios = *old_termios;
+ 		return;
+ 	}
+ 
+@@ -419,7 +420,7 @@ static void pl2303_set_termios(struct tty_struct *tty,
+ 	control = priv->line_control;
+ 	if ((cflag & CBAUD) == B0)
+ 		priv->line_control &= ~(CONTROL_DTR | CONTROL_RTS);
+-	else if ((old_termios->c_cflag & CBAUD) == B0)
++	else if (old_termios && (old_termios->c_cflag & CBAUD) == B0)
+ 		priv->line_control |= (CONTROL_DTR | CONTROL_RTS);
+ 	if (control != priv->line_control) {
+ 		control = priv->line_control;
+@@ -480,7 +481,6 @@ static void pl2303_close(struct usb_serial_port *port)
+ 
+ static int pl2303_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+-	struct ktermios tmp_termios;
+ 	struct usb_serial *serial = port->serial;
+ 	struct pl2303_private *priv = usb_get_serial_port_data(port);
+ 	int result;
+@@ -498,7 +498,7 @@ static int pl2303_open(struct tty_struct *tty, struct usb_serial_port *port)
+ 
+ 	/* Setup termios */
+ 	if (tty)
+-		pl2303_set_termios(tty, port, &tmp_termios);
++		pl2303_set_termios(tty, port, NULL);
+ 
+ 	dbg("%s - submitting read urb", __func__);
+ 	result = usb_serial_generic_submit_read_urb(port, GFP_KERNEL);
+diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
+index 14c4a82..5535c3a 100644
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -115,6 +115,7 @@ static const struct usb_device_id id_table[] = {
+ 	{USB_DEVICE(0x1199, 0x9019)},	/* Sierra Wireless Gobi 3000 Modem device */
+ 	{USB_DEVICE(0x12D1, 0x14F0)},	/* Sony Gobi 3000 QDL */
+ 	{USB_DEVICE(0x12D1, 0x14F1)},	/* Sony Gobi 3000 Composite */
++	{USB_DEVICE(0x0AF0, 0x8120)},	/* Option GTM681W */
+ 	{ }				/* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
+diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c
+index ba6b438..f3179b0 100644
+--- a/drivers/usb/serial/spcp8x5.c
++++ b/drivers/usb/serial/spcp8x5.c
+@@ -338,7 +338,6 @@ static void spcp8x5_set_termios(struct tty_struct *tty,
+ 	struct spcp8x5_private *priv = usb_get_serial_port_data(port);
+ 	unsigned long flags;
+ 	unsigned int cflag = tty->termios->c_cflag;
+-	unsigned int old_cflag = old_termios->c_cflag;
+ 	unsigned short uartdata;
+ 	unsigned char buf[2] = {0, 0};
+ 	int baud;
+@@ -347,15 +346,15 @@ static void spcp8x5_set_termios(struct tty_struct *tty,
+ 
+ 
+ 	/* check that they really want us to change something */
+-	if (!tty_termios_hw_change(tty->termios, old_termios))
++	if (old_termios && !tty_termios_hw_change(tty->termios, old_termios))
+ 		return;
+ 
+ 	/* set DTR/RTS active */
+ 	spin_lock_irqsave(&priv->lock, flags);
+ 	control = priv->line_control;
+-	if ((old_cflag & CBAUD) == B0) {
++	if (old_termios && (old_termios->c_cflag & CBAUD) == B0) {
+ 		priv->line_control |= MCR_DTR;
+-		if (!(old_cflag & CRTSCTS))
++		if (!(old_termios->c_cflag & CRTSCTS))
+ 			priv->line_control |= MCR_RTS;
+ 	}
+ 	if (control != priv->line_control) {
+@@ -445,7 +444,6 @@ static void spcp8x5_set_termios(struct tty_struct *tty,
+  * status of the device. */
+ static int spcp8x5_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+-	struct ktermios tmp_termios;
+ 	struct usb_serial *serial = port->serial;
+ 	struct spcp8x5_private *priv = usb_get_serial_port_data(port);
+ 	int ret;
+@@ -468,7 +466,7 @@ static int spcp8x5_open(struct tty_struct *tty, struct usb_serial_port *port)
+ 
+ 	/* Setup termios */
+ 	if (tty)
+-		spcp8x5_set_termios(tty, port, &tmp_termios);
++		spcp8x5_set_termios(tty, port, NULL);
+ 
+ 	spcp8x5_get_msr(serial->dev, &status, priv->type);
+ 
+diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
+index 1c11959..80a6ff6 100644
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -599,7 +599,9 @@ static int treo_attach(struct usb_serial *serial)
+ 		dest->read_urb = src->read_urb;				\
+ 		dest->bulk_in_endpointAddress = src->bulk_in_endpointAddress;\
+ 		dest->bulk_in_buffer = src->bulk_in_buffer;		\
++		dest->bulk_in_size = src->bulk_in_size;			\
+ 		dest->interrupt_in_urb = src->interrupt_in_urb;		\
++		dest->interrupt_in_urb->context = dest;			\
+ 		dest->interrupt_in_endpointAddress = \
+ 					src->interrupt_in_endpointAddress;\
+ 		dest->interrupt_in_buffer = src->interrupt_in_buffer;	\
+diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c
+index 59d646d..0ec60cd 100644
+--- a/drivers/usb/serial/whiteheat.c
++++ b/drivers/usb/serial/whiteheat.c
+@@ -1209,7 +1209,7 @@ static void firm_setup_port(struct tty_struct *tty)
+ 	struct whiteheat_port_settings port_settings;
+ 	unsigned int cflag = tty->termios->c_cflag;
+ 
+-	port_settings.port = port->number + 1;
++	port_settings.port = port->number - port->serial->minor + 1;
+ 
+ 	/* get the byte size */
+ 	switch (cflag & CSIZE) {
+diff --git a/drivers/xen/events.c b/drivers/xen/events.c
+index fec1204..11d7b64 100644
+--- a/drivers/xen/events.c
++++ b/drivers/xen/events.c
+@@ -1176,7 +1176,7 @@ static void __xen_evtchn_do_upcall(void)
+ {
+ 	int start_word_idx, start_bit_idx;
+ 	int word_idx, bit_idx;
+-	int i;
++	int i, irq;
+ 	int cpu = get_cpu();
+ 	struct shared_info *s = HYPERVISOR_shared_info;
+ 	struct vcpu_info *vcpu_info = __this_cpu_read(xen_vcpu);
+@@ -1184,6 +1184,8 @@ static void __xen_evtchn_do_upcall(void)
+ 
+ 	do {
+ 		unsigned long pending_words;
++		unsigned long pending_bits;
++		struct irq_desc *desc;
+ 
+ 		vcpu_info->evtchn_upcall_pending = 0;
+ 
+@@ -1194,6 +1196,17 @@ static void __xen_evtchn_do_upcall(void)
+ 		/* Clear master flag /before/ clearing selector flag. */
+ 		wmb();
+ #endif
++		if ((irq = per_cpu(virq_to_irq, cpu)[VIRQ_TIMER]) != -1) {
++			int evtchn = evtchn_from_irq(irq);
++			word_idx = evtchn / BITS_PER_LONG;
++			pending_bits = evtchn % BITS_PER_LONG;
++			if (active_evtchns(cpu, s, word_idx) & (1ULL << pending_bits)) {
++				desc = irq_to_desc(irq);
++				if (desc)
++					generic_handle_irq_desc(irq, desc);
++			}
++		}
++
+ 		pending_words = xchg(&vcpu_info->evtchn_pending_sel, 0);
+ 
+ 		start_word_idx = __this_cpu_read(current_word_idx);
+@@ -1202,7 +1215,6 @@ static void __xen_evtchn_do_upcall(void)
+ 		word_idx = start_word_idx;
+ 
+ 		for (i = 0; pending_words != 0; i++) {
+-			unsigned long pending_bits;
+ 			unsigned long words;
+ 
+ 			words = MASK_LSBS(pending_words, word_idx);
+@@ -1231,8 +1243,7 @@ static void __xen_evtchn_do_upcall(void)
+ 
+ 			do {
+ 				unsigned long bits;
+-				int port, irq;
+-				struct irq_desc *desc;
++				int port;
+ 
+ 				bits = MASK_LSBS(pending_bits, bit_idx);
+ 
+diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
+index 2263144..d0e5fc5 100644
+--- a/fs/cifs/cifs_dfs_ref.c
++++ b/fs/cifs/cifs_dfs_ref.c
+@@ -18,6 +18,7 @@
+ #include <linux/slab.h>
+ #include <linux/vfs.h>
+ #include <linux/fs.h>
++#include <linux/inet.h>
+ #include "cifsglob.h"
+ #include "cifsproto.h"
+ #include "cifsfs.h"
+@@ -150,7 +151,8 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
+ 	 * assuming that we have 'unc=' and 'ip=' in
+ 	 * the original sb_mountdata
+ 	 */
+-	md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12;
++	md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 +
++			INET6_ADDRSTRLEN;
+ 	mountdata = kzalloc(md_len+1, GFP_KERNEL);
+ 	if (mountdata == NULL) {
+ 		rc = -ENOMEM;
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index cc386b2..259e950 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2260,7 +2260,9 @@ static void ext4_orphan_cleanup(struct super_block *sb,
+ 				__func__, inode->i_ino, inode->i_size);
+ 			jbd_debug(2, "truncating inode %lu to %lld bytes\n",
+ 				  inode->i_ino, inode->i_size);
++			mutex_lock(&inode->i_mutex);
+ 			ext4_truncate(inode);
++			mutex_unlock(&inode->i_mutex);
+ 			nr_truncates++;
+ 		} else {
+ 			ext4_msg(sb, KERN_DEBUG,
+diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c
+index 77b69b2..13fc885 100644
+--- a/fs/jfs/inode.c
++++ b/fs/jfs/inode.c
+@@ -125,7 +125,7 @@ int jfs_write_inode(struct inode *inode, struct writeback_control *wbc)
+ {
+ 	int wait = wbc->sync_mode == WB_SYNC_ALL;
+ 
+-	if (test_cflag(COMMIT_Nolink, inode))
++	if (inode->i_nlink == 0)
+ 		return 0;
+ 	/*
+ 	 * If COMMIT_DIRTY is not set, the inode isn't really dirty.
+diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
+index cc5f811..bfb2a91 100644
+--- a/fs/jfs/jfs_logmgr.c
++++ b/fs/jfs/jfs_logmgr.c
+@@ -1058,7 +1058,8 @@ static int lmLogSync(struct jfs_log * log, int hard_sync)
+  */
+ void jfs_syncpt(struct jfs_log *log, int hard_sync)
+ {	LOG_LOCK(log);
+-	lmLogSync(log, hard_sync);
++	if (!test_bit(log_QUIESCE, &log->flag))
++		lmLogSync(log, hard_sync);
+ 	LOG_UNLOCK(log);
+ }
+ 
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
+index 23ce927..bd2fb43 100644
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -507,6 +507,28 @@ xfs_vn_getattr(
+ 	return 0;
+ }
+ 
++static void
++xfs_setattr_mode(
++	struct xfs_trans	*tp,
++	struct xfs_inode	*ip,
++	struct iattr		*iattr)
++{
++	struct inode	*inode = VFS_I(ip);
++	umode_t		mode = iattr->ia_mode;
++
++	ASSERT(tp);
++	ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
++
++	if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
++		mode &= ~S_ISGID;
++
++	ip->i_d.di_mode &= S_IFMT;
++	ip->i_d.di_mode |= mode & ~S_IFMT;
++
++	inode->i_mode &= S_IFMT;
++	inode->i_mode |= mode & ~S_IFMT;
++}
++
+ int
+ xfs_setattr_nonsize(
+ 	struct xfs_inode	*ip,
+@@ -658,18 +680,8 @@ xfs_setattr_nonsize(
+ 	/*
+ 	 * Change file access modes.
+ 	 */
+-	if (mask & ATTR_MODE) {
+-		umode_t mode = iattr->ia_mode;
+-
+-		if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
+-			mode &= ~S_ISGID;
+-
+-		ip->i_d.di_mode &= S_IFMT;
+-		ip->i_d.di_mode |= mode & ~S_IFMT;
+-
+-		inode->i_mode &= S_IFMT;
+-		inode->i_mode |= mode & ~S_IFMT;
+-	}
++	if (mask & ATTR_MODE)
++		xfs_setattr_mode(tp, ip, iattr);
+ 
+ 	/*
+ 	 * Change file access or modified times.
+@@ -768,9 +780,8 @@ xfs_setattr_size(
+ 		return XFS_ERROR(error);
+ 
+ 	ASSERT(S_ISREG(ip->i_d.di_mode));
+-	ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
+-			ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID|
+-			ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
++	ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
++			ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
+ 
+ 	lock_flags = XFS_ILOCK_EXCL;
+ 	if (!(flags & XFS_ATTR_NOLOCK))
+@@ -902,6 +913,12 @@ xfs_setattr_size(
+ 		xfs_iflags_set(ip, XFS_ITRUNCATED);
+ 	}
+ 
++	/*
++	 * Change file access modes.
++	 */
++	if (mask & ATTR_MODE)
++		xfs_setattr_mode(tp, ip, iattr);
++
+ 	if (mask & ATTR_CTIME) {
+ 		inode->i_ctime = iattr->ia_ctime;
+ 		ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec;
+diff --git a/include/linux/cpu.h b/include/linux/cpu.h
+index c692acc..9c3e071 100644
+--- a/include/linux/cpu.h
++++ b/include/linux/cpu.h
+@@ -168,6 +168,8 @@ extern struct sysdev_class cpu_sysdev_class;
+ 
+ extern void get_online_cpus(void);
+ extern void put_online_cpus(void);
++extern void cpu_hotplug_disable(void);
++extern void cpu_hotplug_enable(void);
+ #define hotcpu_notifier(fn, pri)	cpu_notifier(fn, pri)
+ #define register_hotcpu_notifier(nb)	register_cpu_notifier(nb)
+ #define unregister_hotcpu_notifier(nb)	unregister_cpu_notifier(nb)
+@@ -190,6 +192,8 @@ static inline void cpu_hotplug_driver_unlock(void)
+ 
+ #define get_online_cpus()	do { } while (0)
+ #define put_online_cpus()	do { } while (0)
++#define cpu_hotplug_disable()	do { } while (0)
++#define cpu_hotplug_enable()	do { } while (0)
+ #define hotcpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+ /* These aren't inline functions due to a GCC bug. */
+ #define register_hotcpu_notifier(nb)	({ (void)(nb); 0; })
+diff --git a/include/linux/net.h b/include/linux/net.h
+index b299230..b7ca08e 100644
+--- a/include/linux/net.h
++++ b/include/linux/net.h
+@@ -249,6 +249,29 @@ extern struct socket *sockfd_lookup(int fd, int *err);
+ #define		     sockfd_put(sock) fput(sock->file)
+ extern int	     net_ratelimit(void);
+ 
++#define net_ratelimited_function(function, ...)			\
++do {								\
++	if (net_ratelimit())					\
++		function(__VA_ARGS__);				\
++} while (0)
++
++#define net_emerg_ratelimited(fmt, ...)				\
++	net_ratelimited_function(pr_emerg, fmt, ##__VA_ARGS__)
++#define net_alert_ratelimited(fmt, ...)				\
++	net_ratelimited_function(pr_alert, fmt, ##__VA_ARGS__)
++#define net_crit_ratelimited(fmt, ...)				\
++	net_ratelimited_function(pr_crit, fmt, ##__VA_ARGS__)
++#define net_err_ratelimited(fmt, ...)				\
++	net_ratelimited_function(pr_err, fmt, ##__VA_ARGS__)
++#define net_notice_ratelimited(fmt, ...)			\
++	net_ratelimited_function(pr_notice, fmt, ##__VA_ARGS__)
++#define net_warn_ratelimited(fmt, ...)				\
++	net_ratelimited_function(pr_warn, fmt, ##__VA_ARGS__)
++#define net_info_ratelimited(fmt, ...)				\
++	net_ratelimited_function(pr_info, fmt, ##__VA_ARGS__)
++#define net_dbg_ratelimited(fmt, ...)				\
++	net_ratelimited_function(pr_debug, fmt, ##__VA_ARGS__)
++
+ #define net_random()		random32()
+ #define net_srandom(seed)	srandom32((__force u32)seed)
+ 
+diff --git a/include/linux/swapops.h b/include/linux/swapops.h
+index d6955607..7f62faf 100644
+--- a/include/linux/swapops.h
++++ b/include/linux/swapops.h
+@@ -136,6 +136,7 @@ static inline void make_migration_entry_read(swp_entry_t *entry)
+ 
+ extern void migration_entry_wait(struct mm_struct *mm, pmd_t *pmd,
+ 					unsigned long address);
++extern void migration_entry_wait_huge(struct mm_struct *mm, pte_t *pte);
+ #else
+ 
+ #define make_migration_entry(page, write) swp_entry(0, 0)
+@@ -147,6 +148,8 @@ static inline int is_migration_entry(swp_entry_t swp)
+ static inline void make_migration_entry_read(swp_entry_t *entryp) { }
+ static inline void migration_entry_wait(struct mm_struct *mm, pmd_t *pmd,
+ 					 unsigned long address) { }
++static inline void migration_entry_wait_huge(struct mm_struct *mm,
++					pte_t *pte) { }
+ static inline int is_write_migration_entry(swp_entry_t entry)
+ {
+ 	return 0;
+diff --git a/include/xen/interface/io/netif.h b/include/xen/interface/io/netif.h
+index cb94668..d4635cd 100644
+--- a/include/xen/interface/io/netif.h
++++ b/include/xen/interface/io/netif.h
+@@ -13,6 +13,24 @@
+ #include "../grant_table.h"
+ 
+ /*
++ * Older implementation of Xen network frontend / backend has an
++ * implicit dependency on the MAX_SKB_FRAGS as the maximum number of
++ * ring slots a skb can use. Netfront / netback may not work as
++ * expected when frontend and backend have different MAX_SKB_FRAGS.
++ *
++ * A better approach is to add mechanism for netfront / netback to
++ * negotiate this value. However we cannot fix all possible
++ * frontends, so we need to define a value which states the minimum
++ * slots backend must support.
++ *
++ * The minimum value derives from older Linux kernel's MAX_SKB_FRAGS
++ * (18), which is proved to work with most frontends. Any new backend
++ * which doesn't negotiate with frontend should expect frontend to
++ * send a valid packet using slots up to this value.
++ */
++#define XEN_NETIF_NR_SLOTS_MIN 18
++
++/*
+  * Notifications after enqueuing any type of message should be conditional on
+  * the appropriate req_event or rsp_event field in the shared ring.
+  * If the client sends notification for rx requests then it should specify
+@@ -47,6 +65,7 @@
+ #define _XEN_NETTXF_extra_info		(3)
+ #define  XEN_NETTXF_extra_info		(1U<<_XEN_NETTXF_extra_info)
+ 
++#define XEN_NETIF_MAX_TX_SIZE 0xFFFF
+ struct xen_netif_tx_request {
+     grant_ref_t gref;      /* Reference to buffer page */
+     uint16_t offset;       /* Offset within buffer page */
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 09fae26..d4bc594 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1167,7 +1167,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
+ 
+ 			/* Wait for auditd to drain the queue a little */
+ 			DECLARE_WAITQUEUE(wait, current);
+-			set_current_state(TASK_INTERRUPTIBLE);
++			set_current_state(TASK_UNINTERRUPTIBLE);
+ 			add_wait_queue(&audit_backlog_wait, &wait);
+ 
+ 			if (audit_backlog_limit &&
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 563f136..82c91f1 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -124,6 +124,27 @@ static void cpu_hotplug_done(void)
+ 	mutex_unlock(&cpu_hotplug.lock);
+ }
+ 
++/*
++ * Wait for currently running CPU hotplug operations to complete (if any) and
++ * disable future CPU hotplug (from sysfs). The 'cpu_add_remove_lock' protects
++ * the 'cpu_hotplug_disabled' flag. The same lock is also acquired by the
++ * hotplug path before performing hotplug operations. So acquiring that lock
++ * guarantees mutual exclusion from any currently running hotplug operations.
++ */
++void cpu_hotplug_disable(void)
++{
++	cpu_maps_update_begin();
++	cpu_hotplug_disabled = 1;
++	cpu_maps_update_done();
++}
++
++void cpu_hotplug_enable(void)
++{
++	cpu_maps_update_begin();
++	cpu_hotplug_disabled = 0;
++	cpu_maps_update_done();
++}
++
+ #else /* #if CONFIG_HOTPLUG_CPU */
+ static void cpu_hotplug_begin(void) {}
+ static void cpu_hotplug_done(void) {}
+@@ -479,36 +500,6 @@ static int alloc_frozen_cpus(void)
+ core_initcall(alloc_frozen_cpus);
+ 
+ /*
+- * Prevent regular CPU hotplug from racing with the freezer, by disabling CPU
+- * hotplug when tasks are about to be frozen. Also, don't allow the freezer
+- * to continue until any currently running CPU hotplug operation gets
+- * completed.
+- * To modify the 'cpu_hotplug_disabled' flag, we need to acquire the
+- * 'cpu_add_remove_lock'. And this same lock is also taken by the regular
+- * CPU hotplug path and released only after it is complete. Thus, we
+- * (and hence the freezer) will block here until any currently running CPU
+- * hotplug operation gets completed.
+- */
+-void cpu_hotplug_disable_before_freeze(void)
+-{
+-	cpu_maps_update_begin();
+-	cpu_hotplug_disabled = 1;
+-	cpu_maps_update_done();
+-}
+-
+-
+-/*
+- * When tasks have been thawed, re-enable regular CPU hotplug (which had been
+- * disabled while beginning to freeze tasks).
+- */
+-void cpu_hotplug_enable_after_thaw(void)
+-{
+-	cpu_maps_update_begin();
+-	cpu_hotplug_disabled = 0;
+-	cpu_maps_update_done();
+-}
+-
+-/*
+  * When callbacks for CPU hotplug notifications are being executed, we must
+  * ensure that the state of the system with respect to the tasks being frozen
+  * or not, as reported by the notification, remains unchanged *throughout the
+@@ -527,12 +518,12 @@ cpu_hotplug_pm_callback(struct notifier_block *nb,
+ 
+ 	case PM_SUSPEND_PREPARE:
+ 	case PM_HIBERNATION_PREPARE:
+-		cpu_hotplug_disable_before_freeze();
++		cpu_hotplug_disable();
+ 		break;
+ 
+ 	case PM_POST_SUSPEND:
+ 	case PM_POST_HIBERNATION:
+-		cpu_hotplug_enable_after_thaw();
++		cpu_hotplug_enable();
+ 		break;
+ 
+ 	default:
+diff --git a/kernel/sys.c b/kernel/sys.c
+index be5fa8b..9d557df 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -353,6 +353,29 @@ int unregister_reboot_notifier(struct notifier_block *nb)
+ }
+ EXPORT_SYMBOL(unregister_reboot_notifier);
+ 
++/* Add backwards compatibility for stable trees. */
++#ifndef PF_NO_SETAFFINITY
++#define PF_NO_SETAFFINITY		PF_THREAD_BOUND
++#endif
++
++static void migrate_to_reboot_cpu(void)
++{
++	/* The boot cpu is always logical cpu 0 */
++	int cpu = 0;
++
++	cpu_hotplug_disable();
++
++	/* Make certain the cpu I'm about to reboot on is online */
++	if (!cpu_online(cpu))
++		cpu = cpumask_first(cpu_online_mask);
++
++	/* Prevent races with other tasks migrating this task */
++	current->flags |= PF_NO_SETAFFINITY;
++
++	/* Make certain I only run on the appropriate processor */
++	set_cpus_allowed_ptr(current, cpumask_of(cpu));
++}
++
+ /**
+  *	kernel_restart - reboot the system
+  *	@cmd: pointer to buffer containing command to execute for restart
+@@ -364,7 +387,7 @@ EXPORT_SYMBOL(unregister_reboot_notifier);
+ void kernel_restart(char *cmd)
+ {
+ 	kernel_restart_prepare(cmd);
+-	disable_nonboot_cpus();
++	migrate_to_reboot_cpu();
+ 	syscore_shutdown();
+ 	if (!cmd)
+ 		printk(KERN_EMERG "Restarting system.\n");
+@@ -391,7 +414,7 @@ static void kernel_shutdown_prepare(enum system_states state)
+ void kernel_halt(void)
+ {
+ 	kernel_shutdown_prepare(SYSTEM_HALT);
+-	disable_nonboot_cpus();
++	migrate_to_reboot_cpu();
+ 	syscore_shutdown();
+ 	printk(KERN_EMERG "System halted.\n");
+ 	kmsg_dump(KMSG_DUMP_HALT);
+@@ -410,7 +433,7 @@ void kernel_power_off(void)
+ 	kernel_shutdown_prepare(SYSTEM_POWER_OFF);
+ 	if (pm_power_off_prepare)
+ 		pm_power_off_prepare();
+-	disable_nonboot_cpus();
++	migrate_to_reboot_cpu();
+ 	syscore_shutdown();
+ 	printk(KERN_EMERG "Power down.\n");
+ 	kmsg_dump(KMSG_DUMP_POWEROFF);
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 24b3759..226776b 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -929,6 +929,19 @@ static __init void ftrace_profile_debugfs(struct dentry *d_tracer)
+ 
+ static struct pid * const ftrace_swapper_pid = &init_struct_pid;
+ 
++static loff_t
++ftrace_filter_lseek(struct file *file, loff_t offset, int whence)
++{
++	loff_t ret;
++
++	if (file->f_mode & FMODE_READ)
++		ret = seq_lseek(file, offset, whence);
++	else
++		file->f_pos = ret = 1;
++
++	return ret;
++}
++
+ #ifdef CONFIG_DYNAMIC_FTRACE
+ 
+ #ifndef CONFIG_FTRACE_MCOUNT_RECORD
+@@ -2315,19 +2328,6 @@ ftrace_notrace_open(struct inode *inode, struct file *file)
+ 				 inode, file);
+ }
+ 
+-static loff_t
+-ftrace_filter_lseek(struct file *file, loff_t offset, int origin)
+-{
+-	loff_t ret;
+-
+-	if (file->f_mode & FMODE_READ)
+-		ret = seq_lseek(file, offset, origin);
+-	else
+-		file->f_pos = ret = 1;
+-
+-	return ret;
+-}
+-
+ static int ftrace_match(char *str, char *regex, int len, int type)
+ {
+ 	int matched = 0;
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 70b4733..2dcd716 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2751,7 +2751,7 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	if (ptep) {
+ 		entry = huge_ptep_get(ptep);
+ 		if (unlikely(is_hugetlb_entry_migration(entry))) {
+-			migration_entry_wait(mm, (pmd_t *)ptep, address);
++			migration_entry_wait_huge(mm, ptep);
+ 			return 0;
+ 		} else if (unlikely(is_hugetlb_entry_hwpoisoned(entry)))
+ 			return VM_FAULT_HWPOISON_LARGE |
+diff --git a/mm/migrate.c b/mm/migrate.c
+index e1052d1..09d6a9d 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -184,15 +184,14 @@ static void remove_migration_ptes(struct page *old, struct page *new)
+  *
+  * This function is called from do_swap_page().
+  */
+-void migration_entry_wait(struct mm_struct *mm, pmd_t *pmd,
+-				unsigned long address)
++static void __migration_entry_wait(struct mm_struct *mm, pte_t *ptep,
++				spinlock_t *ptl)
+ {
+-	pte_t *ptep, pte;
+-	spinlock_t *ptl;
++	pte_t pte;
+ 	swp_entry_t entry;
+ 	struct page *page;
+ 
+-	ptep = pte_offset_map_lock(mm, pmd, address, &ptl);
++	spin_lock(ptl);
+ 	pte = *ptep;
+ 	if (!is_swap_pte(pte))
+ 		goto out;
+@@ -220,6 +219,20 @@ out:
+ 	pte_unmap_unlock(ptep, ptl);
+ }
+ 
++void migration_entry_wait(struct mm_struct *mm, pmd_t *pmd,
++				unsigned long address)
++{
++	spinlock_t *ptl = pte_lockptr(mm, pmd);
++	pte_t *ptep = pte_offset_map(pmd, address);
++	__migration_entry_wait(mm, ptep, ptl);
++}
++
++void migration_entry_wait_huge(struct mm_struct *mm, pte_t *pte)
++{
++	spinlock_t *ptl = &(mm)->page_table_lock;
++	__migration_entry_wait(mm, pte, ptl);
++}
++
+ #ifdef CONFIG_BLOCK
+ /* Returns true if all buffers are successfully locked */
+ static bool buffer_migrate_lock_buffers(struct buffer_head *head,
+diff --git a/mm/swap_state.c b/mm/swap_state.c
+index 7704d9c..7b3dadd 100644
+--- a/mm/swap_state.c
++++ b/mm/swap_state.c
+@@ -314,8 +314,24 @@ struct page *read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask,
+ 		 * Swap entry may have been freed since our caller observed it.
+ 		 */
+ 		err = swapcache_prepare(entry);
+-		if (err == -EEXIST) {	/* seems racy */
++		if (err == -EEXIST) {
+ 			radix_tree_preload_end();
++			/*
++			 * We might race against get_swap_page() and stumble
++			 * across a SWAP_HAS_CACHE swap_map entry whose page
++			 * has not been brought into the swapcache yet, while
++			 * the other end is scheduled away waiting on discard
++			 * I/O completion at scan_swap_map().
++			 *
++			 * In order to avoid turning this transitory state
++			 * into a permanent loop around this -EEXIST case
++			 * if !CONFIG_PREEMPT and the I/O completion happens
++			 * to be waiting on the CPU waitqueue where we are now
++			 * busy looping, we just conditionally invoke the
++			 * scheduler here, if there are some more important
++			 * tasks to run.
++			 */
++			cond_resched();
+ 			continue;
+ 		}
+ 		if (err) {		/* swp entry is obsolete ? */
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 04175d9..a0b6c50 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -2297,10 +2297,15 @@ done:
+ 	}
+ }
+ 
+-static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_command_rej(struct l2cap_conn *conn,
++				    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++				    u8 *data)
+ {
+ 	struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
+ 
++	if (cmd_len < sizeof(*rej))
++		return -EPROTO;
++
+ 	if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
+ 		return 0;
+ 
+@@ -2317,7 +2322,8 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hd
+ 	return 0;
+ }
+ 
+-static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static int l2cap_connect_req(struct l2cap_conn *conn,
++			     struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+ {
+ 	struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
+ 	struct l2cap_conn_rsp rsp;
+@@ -2325,8 +2331,14 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
+ 	struct sock *parent, *sk = NULL;
+ 	int result, status = L2CAP_CS_NO_INFO;
+ 
+-	u16 dcid = 0, scid = __le16_to_cpu(req->scid);
+-	__le16 psm = req->psm;
++	u16 dcid = 0, scid;
++	__le16 psm;
++
++	if (cmd_len < sizeof(struct l2cap_conn_req))
++		return -EPROTO;
++
++	scid = __le16_to_cpu(req->scid);
++	psm = req->psm;
+ 
+ 	BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
+ 
+@@ -2451,7 +2463,9 @@ sendresp:
+ 	return 0;
+ }
+ 
+-static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static int l2cap_connect_rsp(struct l2cap_conn *conn,
++			      struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++			      u8 *data)
+ {
+ 	struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
+ 	u16 scid, dcid, result, status;
+@@ -2459,6 +2473,9 @@ static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hd
+ 	struct sock *sk;
+ 	u8 req[128];
+ 
++	if (cmd_len < sizeof(*rsp))
++		return -EPROTO;
++
+ 	scid   = __le16_to_cpu(rsp->scid);
+ 	dcid   = __le16_to_cpu(rsp->dcid);
+ 	result = __le16_to_cpu(rsp->result);
+@@ -2534,6 +2551,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+ 	struct sock *sk;
+ 	int len;
+ 
++	if (cmd_len < sizeof(*req))
++		return -EPROTO;
++
+ 	dcid  = __le16_to_cpu(req->dcid);
+ 	flags = __le16_to_cpu(req->flags);
+ 
+@@ -2559,7 +2579,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+ 
+ 	/* Reject if config buffer is too small. */
+ 	len = cmd_len - sizeof(*req);
+-	if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
++	if (chan->conf_len + len > sizeof(chan->conf_req)) {
+ 		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ 				l2cap_build_conf_rsp(chan, rsp,
+ 					L2CAP_CONF_REJECT, flags), rsp);
+@@ -2621,13 +2641,18 @@ unlock:
+ 	return 0;
+ }
+ 
+-static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_config_rsp(struct l2cap_conn *conn,
++				   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++				   u8 *data)
+ {
+ 	struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
+ 	u16 scid, flags, result;
+ 	struct l2cap_chan *chan;
+ 	struct sock *sk;
+-	int len = cmd->len - sizeof(*rsp);
++	int len = cmd_len - sizeof(*rsp);
++
++	if (cmd_len < sizeof(*rsp))
++		return -EPROTO;
+ 
+ 	scid   = __le16_to_cpu(rsp->scid);
+ 	flags  = __le16_to_cpu(rsp->flags);
+@@ -2703,7 +2728,9 @@ done:
+ 	return 0;
+ }
+ 
+-static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
++				       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++				       u8 *data)
+ {
+ 	struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
+ 	struct l2cap_disconn_rsp rsp;
+@@ -2711,6 +2738,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
+ 	struct l2cap_chan *chan;
+ 	struct sock *sk;
+ 
++	if (cmd_len != sizeof(*req))
++		return -EPROTO;
++
+ 	scid = __le16_to_cpu(req->scid);
+ 	dcid = __le16_to_cpu(req->dcid);
+ 
+@@ -2744,13 +2774,18 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd
+ 	return 0;
+ }
+ 
+-static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
++				       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++				       u8 *data)
+ {
+ 	struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
+ 	u16 dcid, scid;
+ 	struct l2cap_chan *chan;
+ 	struct sock *sk;
+ 
++	if (cmd_len != sizeof(*rsp))
++		return -EPROTO;
++
+ 	scid = __le16_to_cpu(rsp->scid);
+ 	dcid = __le16_to_cpu(rsp->dcid);
+ 
+@@ -2778,11 +2813,16 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd
+ 	return 0;
+ }
+ 
+-static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_information_req(struct l2cap_conn *conn,
++					struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++					u8 *data)
+ {
+ 	struct l2cap_info_req *req = (struct l2cap_info_req *) data;
+ 	u16 type;
+ 
++	if (cmd_len != sizeof(*req))
++		return -EPROTO;
++
+ 	type = __le16_to_cpu(req->type);
+ 
+ 	BT_DBG("type 0x%4.4x", type);
+@@ -2818,11 +2858,16 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cm
+ 	return 0;
+ }
+ 
+-static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
++static inline int l2cap_information_rsp(struct l2cap_conn *conn,
++					struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++					u8 *data)
+ {
+ 	struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
+ 	u16 type, result;
+ 
++	if (cmd_len != sizeof(*rsp))
++		return -EPROTO;
++
+ 	type   = __le16_to_cpu(rsp->type);
+ 	result = __le16_to_cpu(rsp->result);
+ 
+@@ -2941,15 +2986,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ 
+ 	switch (cmd->code) {
+ 	case L2CAP_COMMAND_REJ:
+-		l2cap_command_rej(conn, cmd, data);
++		l2cap_command_rej(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_CONN_REQ:
+-		err = l2cap_connect_req(conn, cmd, data);
++		err = l2cap_connect_req(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_CONN_RSP:
+-		err = l2cap_connect_rsp(conn, cmd, data);
++		err = l2cap_connect_rsp(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_CONF_REQ:
+@@ -2957,15 +3002,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ 		break;
+ 
+ 	case L2CAP_CONF_RSP:
+-		err = l2cap_config_rsp(conn, cmd, data);
++		err = l2cap_config_rsp(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_DISCONN_REQ:
+-		err = l2cap_disconnect_req(conn, cmd, data);
++		err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_DISCONN_RSP:
+-		err = l2cap_disconnect_rsp(conn, cmd, data);
++		err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_ECHO_REQ:
+@@ -2976,11 +3021,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ 		break;
+ 
+ 	case L2CAP_INFO_REQ:
+-		err = l2cap_information_req(conn, cmd, data);
++		err = l2cap_information_req(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_INFO_RSP:
+-		err = l2cap_information_rsp(conn, cmd, data);
++		err = l2cap_information_rsp(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	default:
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index f4ddf34..8260cd5 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1242,6 +1242,15 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
+ 
+ 	ASSERT_RTNL();
+ 
++	/*
++	 * Close all AP_VLAN interfaces first, as otherwise they
++	 * might be closed while the AP interface they belong to
++	 * is closed, causing unregister_netdevice_many() to crash.
++	 */
++	list_for_each_entry(sdata, &local->interfaces, list)
++		if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
++			dev_close(sdata->dev);
++
+ 	mutex_lock(&local->iflist_mtx);
+ 	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
+ 		list_del(&sdata->list);
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index 0acfdc9..c1c6e6d 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -220,6 +220,9 @@ void cfg80211_conn_work(struct work_struct *work)
+ 	mutex_lock(&rdev->devlist_mtx);
+ 
+ 	list_for_each_entry(wdev, &rdev->netdev_list, list) {
++		if (!wdev->netdev)
++			continue;
++
+ 		wdev_lock(wdev);
+ 		if (!netif_running(wdev->netdev)) {
+ 			wdev_unlock(wdev);
+diff --git a/sound/usb/card.h b/sound/usb/card.h
+index 2b7559c..0a7ca6c 100644
+--- a/sound/usb/card.h
++++ b/sound/usb/card.h
+@@ -1,6 +1,7 @@
+ #ifndef __USBAUDIO_CARD_H
+ #define __USBAUDIO_CARD_H
+ 
++#define MAX_NR_RATES	1024
+ #define MAX_PACKS	20
+ #define MAX_PACKS_HS	(MAX_PACKS * 8)	/* in high speed mode */
+ #define MAX_URBS	8
+diff --git a/sound/usb/format.c b/sound/usb/format.c
+index 89421d1..ddfef57 100644
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -226,7 +226,7 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets,
+ 		int min = combine_quad(&data[2 + 12 * i]);
+ 		int max = combine_quad(&data[6 + 12 * i]);
+ 		int res = combine_quad(&data[10 + 12 * i]);
+-		int rate;
++		unsigned int rate;
+ 
+ 		if ((max < 0) || (min < 0) || (res < 0) || (max < min))
+ 			continue;
+@@ -253,6 +253,10 @@ static int parse_uac2_sample_rate_range(struct audioformat *fp, int nr_triplets,
+ 			fp->rates |= snd_pcm_rate_to_rate_bit(rate);
+ 
+ 			nr_rates++;
++			if (nr_rates >= MAX_NR_RATES) {
++				snd_printk(KERN_ERR "invalid uac2 rates\n");
++				break;
++			}
+ 
+ 			/* avoid endless loop */
+ 			if (res == 0)
+diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
+index f4540bf..97ec155 100644
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -822,6 +822,7 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval,
+ 	case USB_ID(0x046d, 0x0808):
+ 	case USB_ID(0x046d, 0x0809):
+ 	case USB_ID(0x046d, 0x081d): /* HD Webcam c510 */
++	case USB_ID(0x046d, 0x0825): /* HD Webcam c270 */
+ 	case USB_ID(0x046d, 0x0991):
+ 	/* Most audio usb devices lie about volume resolution.
+ 	 * Most Logitech webcams have res = 384.
+diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
+index 4e25148..e467a58 100644
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -157,7 +157,13 @@
+ 	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL
+ },
+ {
+-	USB_DEVICE(0x046d, 0x0990),
++	.match_flags = USB_DEVICE_ID_MATCH_DEVICE |
++		       USB_DEVICE_ID_MATCH_INT_CLASS |
++		       USB_DEVICE_ID_MATCH_INT_SUBCLASS,
++	.idVendor = 0x046d,
++	.idProduct = 0x0990,
++	.bInterfaceClass = USB_CLASS_AUDIO,
++	.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+ 	.driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ 		.vendor_name = "Logitech, Inc.",
+ 		.product_name = "QuickCam Pro 9000",
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 42eeee8..9c82f8b 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -132,10 +132,14 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ 	unsigned *rate_table = NULL;
+ 
+ 	fp = kmemdup(quirk->data, sizeof(*fp), GFP_KERNEL);
+-	if (! fp) {
++	if (!fp) {
+ 		snd_printk(KERN_ERR "cannot memdup\n");
+ 		return -ENOMEM;
+ 	}
++	if (fp->nr_rates > MAX_NR_RATES) {
++		kfree(fp);
++		return -EINVAL;
++	}
+ 	if (fp->nr_rates > 0) {
+ 		rate_table = kmemdup(fp->rate_table,
+ 				     sizeof(int) * fp->nr_rates, GFP_KERNEL);
diff --git a/3.2.46/4420_grsecurity-2.9.1-3.2.46-201306102217.patch b/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306191807.patch
index b788f3b..579f1c1 100644
--- a/3.2.46/4420_grsecurity-2.9.1-3.2.46-201306102217.patch
+++ b/3.2.47/4420_grsecurity-2.9.1-3.2.47-201306191807.patch
@@ -262,7 +262,7 @@ index 88fd7f5..b318a78 100644
  ==============================================================
  
 diff --git a/Makefile b/Makefile
-index f600582..30efca3 100644
+index 40e2a11..8c31286 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -4725,7 +4725,7 @@ index 429983c..7af363b 100644
  	ld	r4,_DAR(r1)
  	bl	.bad_page_fault
 diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
-index cf9c69b..ebc9640 100644
+index 8c3baa0..4d8c6f1 100644
 --- a/arch/powerpc/kernel/exceptions-64s.S
 +++ b/arch/powerpc/kernel/exceptions-64s.S
 @@ -1004,10 +1004,10 @@ handle_page_fault:
@@ -4996,7 +4996,7 @@ index 55be64d..94d8783 100644
  };
  
 diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
-index 82dcd4d..a80088a 100644
+index 9844662..04a2a1e 100644
 --- a/arch/powerpc/kernel/traps.c
 +++ b/arch/powerpc/kernel/traps.c
 @@ -98,6 +98,8 @@ static void pmac_backlight_unblank(void)
@@ -20735,7 +20735,7 @@ index 47f4e5f..849a8a6 100644
  	.shutdown = native_machine_shutdown,
  	.emergency_restart = native_machine_emergency_restart,
 diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
-index 7a6f3b3..bed145d7 100644
+index f2bb9c9..bed145d7 100644
 --- a/arch/x86/kernel/relocate_kernel_64.S
 +++ b/arch/x86/kernel/relocate_kernel_64.S
 @@ -11,6 +11,7 @@
@@ -20746,15 +20746,7 @@ index 7a6f3b3..bed145d7 100644
  
  /*
   * Must be relocatable PIC code callable as a C function
-@@ -160,13 +161,14 @@ identity_mapped:
- 	xorq    %rbp, %rbp
- 	xorq	%r8,  %r8
- 	xorq	%r9,  %r9
--	xorq	%r10, %r9
-+	xorq	%r10, %r10
- 	xorq	%r11, %r11
- 	xorq	%r12, %r12
- 	xorq	%r13, %r13
+@@ -167,6 +168,7 @@ identity_mapped:
  	xorq	%r14, %r14
  	xorq	%r15, %r15
  
@@ -30317,10 +30309,10 @@ index 3c92dbd..008b08b 100644
  				unsigned long timeout_msec)
  {
 diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
-index 288b635..455273d 100644
+index d54b7d6..33e80e0 100644
 --- a/drivers/ata/libata-core.c
 +++ b/drivers/ata/libata-core.c
-@@ -4739,7 +4739,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+@@ -4745,7 +4745,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
  	struct ata_port *ap;
  	unsigned int tag;
  
@@ -30329,7 +30321,7 @@ index 288b635..455273d 100644
  	ap = qc->ap;
  
  	qc->flags = 0;
-@@ -4755,7 +4755,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+@@ -4761,7 +4761,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
  	struct ata_port *ap;
  	struct ata_link *link;
  
@@ -30338,7 +30330,7 @@ index 288b635..455273d 100644
  	WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
  	ap = qc->ap;
  	link = qc->dev->link;
-@@ -5760,6 +5760,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5766,6 +5766,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
  		return;
  
  	spin_lock(&lock);
@@ -30346,7 +30338,7 @@ index 288b635..455273d 100644
  
  	for (cur = ops->inherits; cur; cur = cur->inherits) {
  		void **inherit = (void **)cur;
-@@ -5773,8 +5774,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
+@@ -5779,8 +5780,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
  		if (IS_ERR(*pp))
  			*pp = NULL;
  
@@ -31479,10 +31471,10 @@ index e8d11b6..7b1b36f 100644
  }
  EXPORT_SYMBOL_GPL(unregister_syscore_ops);
 diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
-index b0f553b..77b928b 100644
+index d3446f6..12de1df 100644
 --- a/drivers/block/cciss.c
 +++ b/drivers/block/cciss.c
-@@ -1198,6 +1198,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
+@@ -1186,6 +1186,8 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
  	int err;
  	u32 cp;
  
@@ -32444,7 +32436,7 @@ index 1451790..d42d89d 100644
  
  static int memory_open(struct inode *inode, struct file *filp)
 diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
-index c689697..04e6d6a 100644
+index c689697..04e6d6a2 100644
 --- a/drivers/char/mwave/tp3780i.c
 +++ b/drivers/char/mwave/tp3780i.c
 @@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
@@ -34508,7 +34500,7 @@ index a9e33ce..09edd4b 100644
  
  #endif
 diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
-index 0495a50..6d67dd7 100644
+index 9bea4a6..31ee257 100644
 --- a/drivers/gpu/drm/radeon/evergreen.c
 +++ b/drivers/gpu/drm/radeon/evergreen.c
 @@ -3076,7 +3076,9 @@ static int evergreen_startup(struct radeon_device *rdev)
@@ -34544,7 +34536,7 @@ index 5a82b6b..9e69c73 100644
  	if (regcomp
  	    (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
 diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c
-index 636255b..4b2411d 100644
+index 3f9705b..5d4f642 100644
 --- a/drivers/gpu/drm/radeon/ni.c
 +++ b/drivers/gpu/drm/radeon/ni.c
 @@ -1379,7 +1379,9 @@ static int cayman_startup(struct radeon_device *rdev)
@@ -34559,7 +34551,7 @@ index 636255b..4b2411d 100644
  	}
  
 diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
-index fad7cd1..56ef262 100644
+index 76c1290..865d31e 100644
 --- a/drivers/gpu/drm/radeon/r100.c
 +++ b/drivers/gpu/drm/radeon/r100.c
 @@ -592,8 +592,10 @@ int r100_pci_gart_init(struct radeon_device *rdev)
@@ -34576,7 +34568,7 @@ index fad7cd1..56ef262 100644
  }
  
 diff --git a/drivers/gpu/drm/radeon/r300.c b/drivers/gpu/drm/radeon/r300.c
-index c93bc64..5a58f5b 100644
+index 441570b..8896094 100644
 --- a/drivers/gpu/drm/radeon/r300.c
 +++ b/drivers/gpu/drm/radeon/r300.c
 @@ -105,8 +105,10 @@ int rv370_pcie_gart_init(struct radeon_device *rdev)
@@ -34593,7 +34585,7 @@ index c93bc64..5a58f5b 100644
  }
  
 diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
-index bdfa82a..96e91ee 100644
+index 3d46d7d4..82a26ab 100644
 --- a/drivers/gpu/drm/radeon/r600.c
 +++ b/drivers/gpu/drm/radeon/r600.c
 @@ -2439,7 +2439,9 @@ int r600_startup(struct radeon_device *rdev)
@@ -34689,10 +34681,10 @@ index a2e1eae..8e4a0ec 100644
  
  	return 0;
 diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
-index bd959c1..46dba3b 100644
+index cd94abb..5a6052d 100644
 --- a/drivers/gpu/drm/radeon/radeon_device.c
 +++ b/drivers/gpu/drm/radeon/radeon_device.c
-@@ -688,7 +688,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
+@@ -687,7 +687,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
  	bool can_switch;
  
  	spin_lock(&dev->count_lock);
@@ -34916,7 +34908,7 @@ index 0b5468b..7ecf242 100644
  
  #endif
 diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
-index a9049ed..501f284 100644
+index 93bce72..00332c1 100644
 --- a/drivers/gpu/drm/radeon/rs690.c
 +++ b/drivers/gpu/drm/radeon/rs690.c
 @@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct radeon_device *rdev,
@@ -34933,7 +34925,7 @@ index a9049ed..501f284 100644
  		if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
  			rdev->pm.k8_bandwidth.full)
 diff --git a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c
-index cc79449..611b32a 100644
+index 63db75d..999004d 100644
 --- a/drivers/gpu/drm/radeon/rv770.c
 +++ b/drivers/gpu/drm/radeon/rv770.c
 @@ -1082,7 +1082,9 @@ static int rv770_startup(struct radeon_device *rdev)
@@ -35915,7 +35907,7 @@ index f21dc2a..d051cd2 100644
  	.init_chipset	= init_chipset_sl82c105,
  	.enablebits	= {{0x40,0x01,0x01}, {0x40,0x10,0x10}},
 diff --git a/drivers/ide/slc90e66.c b/drivers/ide/slc90e66.c
-index 864ffe0..863a5e9 100644
+index 864ffe0..863a5e92 100644
 --- a/drivers/ide/slc90e66.c
 +++ b/drivers/ide/slc90e66.c
 @@ -132,7 +132,7 @@ static const struct ide_port_ops slc90e66_port_ops = {
@@ -37753,10 +37745,10 @@ index 1cbfc6b..56e1dbb 100644
  /*----------------------------------------------------------------*/
  
 diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
-index 62306e5..c32000a 100644
+index 298e02a..b7f2f93 100644
 --- a/drivers/md/raid1.c
 +++ b/drivers/md/raid1.c
-@@ -1581,7 +1581,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
+@@ -1591,7 +1591,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
  			if (r1_sync_page_io(rdev, sect, s,
  					    bio->bi_io_vec[idx].bv_page,
  					    READ) != 0)
@@ -37765,7 +37757,7 @@ index 62306e5..c32000a 100644
  		}
  		sectors -= s;
  		sect += s;
-@@ -1800,7 +1800,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
+@@ -1810,7 +1810,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
  			    test_bit(In_sync, &rdev->flags)) {
  				if (r1_sync_page_io(rdev, sect, s,
  						    conf->tmppage, READ)) {
@@ -37775,10 +37767,10 @@ index 62306e5..c32000a 100644
  					       "md/raid1:%s: read error corrected "
  					       "(%d sectors at %llu on %s)\n",
 diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 8f67c4d..cea5925 100644
+index 8bba438..f065cc3 100644
 --- a/drivers/md/raid10.c
 +++ b/drivers/md/raid10.c
-@@ -1455,7 +1455,7 @@ static void end_sync_read(struct bio *bio, int error)
+@@ -1465,7 +1465,7 @@ static void end_sync_read(struct bio *bio, int error)
  		/* The write handler will notice the lack of
  		 * R10BIO_Uptodate and record any errors etc
  		 */
@@ -37787,7 +37779,7 @@ index 8f67c4d..cea5925 100644
  			   &conf->mirrors[d].rdev->corrected_errors);
  
  	/* for reconstruct, we always reschedule after a read.
-@@ -1755,7 +1755,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -1765,7 +1765,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
  {
  	struct timespec cur_time_mon;
  	unsigned long hours_since_last;
@@ -37796,7 +37788,7 @@ index 8f67c4d..cea5925 100644
  
  	ktime_get_ts(&cur_time_mon);
  
-@@ -1777,9 +1777,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -1787,9 +1787,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
  	 * overflowing the shift of read_errors by hours_since_last.
  	 */
  	if (hours_since_last >= 8 * sizeof(read_errors))
@@ -37808,7 +37800,7 @@ index 8f67c4d..cea5925 100644
  }
  
  static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
-@@ -1829,8 +1829,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -1839,8 +1839,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
  		return;
  
  	check_decay_read_errors(mddev, rdev);
@@ -37819,7 +37811,7 @@ index 8f67c4d..cea5925 100644
  		char b[BDEVNAME_SIZE];
  		bdevname(rdev->bdev, b);
  
-@@ -1838,7 +1838,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -1848,7 +1848,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
  		       "md/raid10:%s: %s: Raid device exceeded "
  		       "read_error threshold [cur %d:max %d]\n",
  		       mdname(mddev), b,
@@ -37828,7 +37820,7 @@ index 8f67c4d..cea5925 100644
  		printk(KERN_NOTICE
  		       "md/raid10:%s: %s: Failing raid device\n",
  		       mdname(mddev), b);
-@@ -1983,7 +1983,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -1993,7 +1993,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
  				       (unsigned long long)(
  					       sect + rdev->data_offset),
  				       bdevname(rdev->bdev, b));
@@ -39063,7 +39055,7 @@ index 9a517c2..6d245e1 100644
  /**
   * Send and RX_MODE ramrod according to the provided parameters.
 diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
-index 94b4bd0..73c02de 100644
+index da90ba5..dcba1fd 100644
 --- a/drivers/net/ethernet/broadcom/tg3.h
 +++ b/drivers/net/ethernet/broadcom/tg3.h
 @@ -134,6 +134,7 @@
@@ -40465,6 +40457,46 @@ index 523ad55..f8c5dc5 100644
  	}
  
  	spin_lock_init(&hwsim_radio_lock);
+diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
+index d26a78b..156ad04 100644
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -26,10 +26,17 @@
+ static struct dentry *mwifiex_dfs_dir;
+ 
+ static char *bss_modes[] = {
+-	"Unknown",
+-	"Ad-hoc",
+-	"Managed",
+-	"Auto"
++	"UNSPECIFIED",
++	"ADHOC",
++	"STATION",
++	"AP",
++	"AP_VLAN",
++	"WDS",
++	"MONITOR",
++	"MESH_POINT",
++	"P2P_CLIENT",
++	"P2P_GO",
++	"P2P_DEVICE",
+ };
+ 
+ /* size/addr for mwifiex_debug_info */
+@@ -213,7 +220,12 @@ mwifiex_info_read(struct file *file, char __user *ubuf,
+ 	p += sprintf(p, "driver_version = %s", fmt);
+ 	p += sprintf(p, "\nverext = %s", priv->version_str);
+ 	p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name);
+-	p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
++	if (info.bss_mode >= ARRAY_SIZE(bss_modes))
++		p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode);
++	else
++		p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
+ 	p += sprintf(p, "media_state=\"%s\"\n",
+ 		     (!priv->media_connected ? "Disconnected" : "Connected"));
+ 	p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr);
 diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
 index 0c13840..a5c3ed6 100644
 --- a/drivers/net/wireless/rndis_wlan.c
@@ -40953,7 +40985,7 @@ index f204643..9ccea74 100644
  	/* disable hardware control by fn key */
  	result = ec_read(MSI_STANDARD_EC_SCM_LOAD_ADDRESS, &data);
 diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
-index 7b82868..b9344c9 100644
+index 8e6c4fa..a7539b3 100644
 --- a/drivers/platform/x86/thinkpad_acpi.c
 +++ b/drivers/platform/x86/thinkpad_acpi.c
 @@ -2094,7 +2094,7 @@ static int hotkey_mask_get(void)
@@ -41382,6 +41414,19 @@ index 546d46b..642fa5b 100644
  
  /*
   * Queue element to wait for room in request queue. FIFO order is
+diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
+index dee1a09..24adab6 100644
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -186,7 +186,7 @@ bfad_debugfs_lseek(struct file *file, loff_t offset, int orig)
+ 		file->f_pos += offset;
+ 		break;
+ 	case 2:
+-		file->f_pos = debug->buffer_len - offset;
++		file->f_pos = debug->buffer_len + offset;
+ 		break;
+ 	default:
+ 		return -EINVAL;
 diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
 index ee77a58..af9d518 100644
 --- a/drivers/scsi/hosts.c
@@ -41716,7 +41761,7 @@ index bb4c8e0..f33d849 100644
  	struct dentry *idiag_root;
  	struct dentry *idiag_pci_cfg;
 diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
-index 2838259..a07cfb5 100644
+index 2838259..35b747a 100644
 --- a/drivers/scsi/lpfc/lpfc_debugfs.c
 +++ b/drivers/scsi/lpfc/lpfc_debugfs.c
 @@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
@@ -41780,6 +41825,15 @@ index 2838259..a07cfb5 100644
  	dtp->jif = jiffies;
  #endif
  	return;
+@@ -1151,7 +1151,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence)
+ 		pos = file->f_pos + off;
+ 		break;
+ 	case 2:
+-		pos = debug->len - off;
++		pos = debug->len + off;
+ 	}
+ 	return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos);
+ }
 @@ -3986,7 +3986,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
  						 "slow_ring buffer\n");
  				goto debug_failed;
@@ -42675,48 +42729,6 @@ index 3effde2..dda7d46 100644
  			if (hdr->flags & ISCSI_FLAG_CMD_FINAL)
  				if (--cmd->outstanding_r2ts < 1) {
  					iscsit_stop_dataout_timer(cmd);
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
-index 5b77316..db313ba 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.c
-+++ b/drivers/target/iscsi/iscsi_target_parameters.c
-@@ -713,9 +713,9 @@ static int iscsi_add_notunderstood_response(
- 	}
- 	INIT_LIST_HEAD(&extra_response->er_list);
- 
--	strncpy(extra_response->key, key, strlen(key) + 1);
--	strncpy(extra_response->value, NOTUNDERSTOOD,
--			strlen(NOTUNDERSTOOD) + 1);
-+	strlcpy(extra_response->key, key, sizeof(extra_response->key));
-+	strlcpy(extra_response->value, NOTUNDERSTOOD,
-+		sizeof(extra_response->value));
- 
- 	list_add_tail(&extra_response->er_list,
- 			&param_list->extra_response_list);
-@@ -1572,8 +1572,6 @@ int iscsi_decode_text_input(
- 
- 		if (phase & PHASE_SECURITY) {
- 			if (iscsi_check_for_auth_key(key) > 0) {
--				char *tmpptr = key + strlen(key);
--				*tmpptr = '=';
- 				kfree(tmpbuf);
- 				return 1;
- 			}
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
-index 6a37fd6..83eed65 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.h
-+++ b/drivers/target/iscsi/iscsi_target_parameters.h
-@@ -1,8 +1,10 @@
- #ifndef ISCSI_PARAMETERS_H
- #define ISCSI_PARAMETERS_H
- 
-+#include <scsi/iscsi_proto.h>
-+
- struct iscsi_extra_response {
--	char key[64];
-+	char key[KEY_MAXLEN];
- 	char value[32];
- 	struct list_head er_list;
- } ____cacheline_aligned;
 diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
 index 6845228..df77141 100644
 --- a/drivers/target/target_core_tmr.c
@@ -50886,7 +50898,7 @@ index 9243103..750691a 100644
  
  	return 0;
 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index cc386b2..22725d2 100644
+index 259e950..ee9c9f3 100644
 --- a/fs/ext4/super.c
 +++ b/fs/ext4/super.c
 @@ -92,6 +92,8 @@ static struct file_system_type ext2_fs_type = {
@@ -50907,7 +50919,7 @@ index cc386b2..22725d2 100644
  #define IS_EXT3_SB(sb) ((sb)->s_bdev->bd_holder == &ext3_fs_type)
  #else
  #define IS_EXT3_SB(sb) (0)
-@@ -2467,7 +2471,7 @@ struct ext4_attr {
+@@ -2469,7 +2473,7 @@ struct ext4_attr {
  	ssize_t (*store)(struct ext4_attr *, struct ext4_sb_info *,
  			 const char *, size_t);
  	int offset;
@@ -50916,7 +50928,7 @@ index cc386b2..22725d2 100644
  
  static int parse_strtoul(const char *buf,
  		unsigned long max, unsigned long *value)
-@@ -3173,7 +3177,6 @@ int ext4_calculate_overhead(struct super_block *sb)
+@@ -3175,7 +3179,6 @@ int ext4_calculate_overhead(struct super_block *sb)
  	ext4_fsblk_t overhead = 0;
  	char *buf = (char *) get_zeroed_page(GFP_KERNEL);
  
@@ -50924,7 +50936,7 @@ index cc386b2..22725d2 100644
  	if (!buf)
  		return -ENOMEM;
  
-@@ -5035,7 +5038,6 @@ static inline int ext2_feature_set_ok(struct super_block *sb)
+@@ -5037,7 +5040,6 @@ static inline int ext2_feature_set_ok(struct super_block *sb)
  		return 0;
  	return 1;
  }
@@ -50932,7 +50944,7 @@ index cc386b2..22725d2 100644
  #else
  static inline void register_as_ext2(void) { }
  static inline void unregister_as_ext2(void) { }
-@@ -5068,7 +5070,6 @@ static inline int ext3_feature_set_ok(struct super_block *sb)
+@@ -5070,7 +5072,6 @@ static inline int ext3_feature_set_ok(struct super_block *sb)
  		return 0;
  	return 1;
  }
@@ -50940,7 +50952,7 @@ index cc386b2..22725d2 100644
  #else
  static inline void register_as_ext3(void) { }
  static inline void unregister_as_ext3(void) { }
-@@ -5082,6 +5083,7 @@ static struct file_system_type ext4_fs_type = {
+@@ -5084,6 +5085,7 @@ static struct file_system_type ext4_fs_type = {
  	.kill_sb	= kill_block_super,
  	.fs_flags	= FS_REQUIRES_DEV,
  };
@@ -56907,7 +56919,7 @@ index d99a905..9f88202 100644
  		goto out_put;
  
 diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
-index 23ce927..86fd3e8d 100644
+index bd2fb43..86fd3e8d 100644
 --- a/fs/xfs/xfs_iops.c
 +++ b/fs/xfs/xfs_iops.c
 @@ -447,7 +447,7 @@ xfs_vn_put_link(
@@ -56919,81 +56931,6 @@ index 23ce927..86fd3e8d 100644
  
  	if (!IS_ERR(s))
  		kfree(s);
-@@ -507,6 +507,28 @@ xfs_vn_getattr(
- 	return 0;
- }
- 
-+static void
-+xfs_setattr_mode(
-+	struct xfs_trans	*tp,
-+	struct xfs_inode	*ip,
-+	struct iattr		*iattr)
-+{
-+	struct inode	*inode = VFS_I(ip);
-+	umode_t		mode = iattr->ia_mode;
-+
-+	ASSERT(tp);
-+	ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
-+
-+	if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
-+		mode &= ~S_ISGID;
-+
-+	ip->i_d.di_mode &= S_IFMT;
-+	ip->i_d.di_mode |= mode & ~S_IFMT;
-+
-+	inode->i_mode &= S_IFMT;
-+	inode->i_mode |= mode & ~S_IFMT;
-+}
-+
- int
- xfs_setattr_nonsize(
- 	struct xfs_inode	*ip,
-@@ -658,18 +680,8 @@ xfs_setattr_nonsize(
- 	/*
- 	 * Change file access modes.
- 	 */
--	if (mask & ATTR_MODE) {
--		umode_t mode = iattr->ia_mode;
--
--		if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
--			mode &= ~S_ISGID;
--
--		ip->i_d.di_mode &= S_IFMT;
--		ip->i_d.di_mode |= mode & ~S_IFMT;
--
--		inode->i_mode &= S_IFMT;
--		inode->i_mode |= mode & ~S_IFMT;
--	}
-+	if (mask & ATTR_MODE)
-+		xfs_setattr_mode(tp, ip, iattr);
- 
- 	/*
- 	 * Change file access or modified times.
-@@ -768,9 +780,8 @@ xfs_setattr_size(
- 		return XFS_ERROR(error);
- 
- 	ASSERT(S_ISREG(ip->i_d.di_mode));
--	ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
--			ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID|
--			ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
-+	ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
-+			ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
- 
- 	lock_flags = XFS_ILOCK_EXCL;
- 	if (!(flags & XFS_ATTR_NOLOCK))
-@@ -902,6 +913,12 @@ xfs_setattr_size(
- 		xfs_iflags_set(ip, XFS_ITRUNCATED);
- 	}
- 
-+	/*
-+	 * Change file access modes.
-+	 */
-+	if (mask & ATTR_MODE)
-+		xfs_setattr_mode(tp, ip, iattr);
-+
- 	if (mask & ATTR_CTIME) {
- 		inode->i_ctime = iattr->ia_ctime;
- 		ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec;
 diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
 index 87323f1..dab9d00 100644
 --- a/fs/xfs/xfs_rtalloc.c
@@ -68275,7 +68212,7 @@ index 3081c58..7714c00 100644
  /*
   * Users often need to create attribute structures for their configurable
 diff --git a/include/linux/cpu.h b/include/linux/cpu.h
-index c692acc..95bcc75 100644
+index 9c3e071..8a8ebea 100644
 --- a/include/linux/cpu.h
 +++ b/include/linux/cpu.h
 @@ -108,7 +108,7 @@ enum {
@@ -70400,6 +70337,21 @@ index cc6d2aa..c10ee83 100644
  /**
   * list_move - delete from one list and add as another's head
   * @list: the entry to move
+diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
+index 88e78de..c63979a 100644
+--- a/include/linux/lsm_audit.h
++++ b/include/linux/lsm_audit.h
+@@ -124,6 +124,10 @@ struct common_audit_data {
+ 					u32 denied;
+ 					uid_t ouid;
+ 				} fs;
++				struct {
++					int type, protocol;
++					struct sock *sk;
++				} net;
+ 			};
+ 		} apparmor_audit_data;
+ #endif
 diff --git a/include/linux/math64.h b/include/linux/math64.h
 index b8ba855..0148090 100644
 --- a/include/linux/math64.h
@@ -71011,7 +70963,7 @@ index ffc0213..2c1f2cb 100644
  	return nd->saved_names[nd->depth];
  }
 diff --git a/include/linux/net.h b/include/linux/net.h
-index b299230..4915063 100644
+index b7ca08e..c8350cb 100644
 --- a/include/linux/net.h
 +++ b/include/linux/net.h
 @@ -216,7 +216,7 @@ struct net_proto_family {
@@ -74628,7 +74580,7 @@ index fa7eb3d..7faf116 100644
  	current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
  	set_fs(fs);
 diff --git a/kernel/audit.c b/kernel/audit.c
-index 09fae26..ed71d5b 100644
+index d4bc594..cf6b5d7 100644
 --- a/kernel/audit.c
 +++ b/kernel/audit.c
 @@ -115,7 +115,7 @@ u32		audit_sig_sid = 0;
@@ -75202,7 +75154,7 @@ index 63786e7..0780cac 100644
  #ifdef CONFIG_MODULE_UNLOAD
  		{
 diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9f21915..840113c 100644
+index 9f21915..73a9f27 100644
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
 @@ -145,8 +145,15 @@ static struct srcu_struct pmus_srcu;
@@ -75214,7 +75166,7 @@ index 9f21915..840113c 100644
 -int sysctl_perf_event_paranoid __read_mostly = 1;
 +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
 +int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
-+#elif CONFIG_GRKERNSEC_HIDESYM
++#elif defined(CONFIG_GRKERNSEC_HIDESYM)
 +int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
 +#else
 +int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
@@ -78786,7 +78738,7 @@ index 2f194e9..2c05ea9 100644
  	.priority	= 10,
  };
 diff --git a/kernel/sys.c b/kernel/sys.c
-index be5fa8b..a8c2090 100644
+index 9d557df..691558c 100644
 --- a/kernel/sys.c
 +++ b/kernel/sys.c
 @@ -158,6 +158,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
@@ -78802,7 +78754,7 @@ index be5fa8b..a8c2090 100644
  	no_nice = security_task_setnice(p, niceval);
  	if (no_nice) {
  		error = no_nice;
-@@ -574,6 +580,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
+@@ -597,6 +603,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
  			goto error;
  	}
  
@@ -78812,7 +78764,7 @@ index be5fa8b..a8c2090 100644
  	if (rgid != (gid_t) -1 ||
  	    (egid != (gid_t) -1 && egid != old->gid))
  		new->sgid = new->egid;
-@@ -603,6 +612,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
+@@ -626,6 +635,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
  	old = current_cred();
  
  	retval = -EPERM;
@@ -78823,7 +78775,7 @@ index be5fa8b..a8c2090 100644
  	if (nsown_capable(CAP_SETGID))
  		new->gid = new->egid = new->sgid = new->fsgid = gid;
  	else if (gid == old->gid || gid == old->sgid)
-@@ -620,7 +633,7 @@ error:
+@@ -643,7 +656,7 @@ error:
  /*
   * change the user struct in a credentials set to match the new UID
   */
@@ -78832,7 +78784,7 @@ index be5fa8b..a8c2090 100644
  {
  	struct user_struct *new_user;
  
-@@ -690,6 +703,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
+@@ -713,6 +726,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
  			goto error;
  	}
  
@@ -78842,7 +78794,7 @@ index be5fa8b..a8c2090 100644
  	if (new->uid != old->uid) {
  		retval = set_user(new);
  		if (retval < 0)
-@@ -734,6 +750,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
+@@ -757,6 +773,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
  	old = current_cred();
  
  	retval = -EPERM;
@@ -78855,7 +78807,7 @@ index be5fa8b..a8c2090 100644
  	if (nsown_capable(CAP_SETUID)) {
  		new->suid = new->uid = uid;
  		if (uid != old->uid) {
-@@ -788,6 +810,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
+@@ -811,6 +833,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
  			goto error;
  	}
  
@@ -78865,7 +78817,7 @@ index be5fa8b..a8c2090 100644
  	if (ruid != (uid_t) -1) {
  		new->uid = ruid;
  		if (ruid != old->uid) {
-@@ -852,6 +877,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
+@@ -875,6 +900,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
  			goto error;
  	}
  
@@ -78875,7 +78827,7 @@ index be5fa8b..a8c2090 100644
  	if (rgid != (gid_t) -1)
  		new->gid = rgid;
  	if (egid != (gid_t) -1)
-@@ -902,12 +930,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
+@@ -925,12 +953,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
  	    uid == old->suid || uid == old->fsuid ||
  	    nsown_capable(CAP_SETUID)) {
  		if (uid != old_fsuid) {
@@ -78892,7 +78844,7 @@ index be5fa8b..a8c2090 100644
  	abort_creds(new);
  	return old_fsuid;
  
-@@ -934,12 +966,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
+@@ -957,12 +989,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
  	if (gid == old->gid  || gid == old->egid  ||
  	    gid == old->sgid || gid == old->fsgid ||
  	    nsown_capable(CAP_SETGID)) {
@@ -78909,7 +78861,7 @@ index be5fa8b..a8c2090 100644
  	abort_creds(new);
  	return old_fsgid;
  
-@@ -1247,19 +1283,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
+@@ -1270,19 +1306,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
  		return -EFAULT;
  
  	down_read(&uts_sem);
@@ -78934,7 +78886,7 @@ index be5fa8b..a8c2090 100644
  				__OLD_UTS_LEN);
  	error |= __put_user(0, name->machine + __OLD_UTS_LEN);
  	up_read(&uts_sem);
-@@ -1461,6 +1497,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
+@@ -1484,6 +1520,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
  			 */
  			new_rlim->rlim_cur = 1;
  		}
@@ -78948,7 +78900,7 @@ index be5fa8b..a8c2090 100644
  	}
  	if (!retval) {
  		if (old_rlim)
-@@ -1724,7 +1767,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
+@@ -1747,7 +1790,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
  			error = get_dumpable(me->mm);
  			break;
  		case PR_SET_DUMPABLE:
@@ -79682,10 +79634,10 @@ index 16fc34a..efd8bb8 100644
  	ret = -EIO;
  	bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
 diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
-index 24b3759..e460d0b 100644
+index 226776b..175300f 100644
 --- a/kernel/trace/ftrace.c
 +++ b/kernel/trace/ftrace.c
-@@ -1586,12 +1586,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
+@@ -1599,12 +1599,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
  	if (unlikely(ftrace_disabled))
  		return 0;
  
@@ -81054,7 +81006,7 @@ index d80ac4b..9fd73bc 100644
  	/* if an huge pmd materialized from under us just retry later */
  	if (unlikely(pmd_trans_huge(*pmd)))
 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index 70b4733..ab692a7 100644
+index 2dcd716..984ad56 100644
 --- a/mm/hugetlb.c
 +++ b/mm/hugetlb.c
 @@ -1973,15 +1973,17 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
@@ -82202,10 +82154,10 @@ index 4d1e637..9e0a005 100644
  		err = -EPERM;
  		goto out;
 diff --git a/mm/migrate.c b/mm/migrate.c
-index e1052d1..61c9e50 100644
+index 09d6a9d..c514c22 100644
 --- a/mm/migrate.c
 +++ b/mm/migrate.c
-@@ -1376,6 +1376,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
+@@ -1389,6 +1389,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
  	if (!mm)
  		return -EINVAL;
  
@@ -82220,7 +82172,7 @@ index e1052d1..61c9e50 100644
  	/*
  	 * Check if this process has the right to modify the specified
  	 * process. The right exists if the process has administrative
-@@ -1385,8 +1393,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
+@@ -1398,8 +1406,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
  	rcu_read_lock();
  	tcred = __task_cred(task);
  	if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
@@ -86191,7 +86143,7 @@ index 0274157..f8afbf3c7 100644
  	hid->dev.parent = hidp_get_device(session);
  	hid->ll_driver = &hidp_hid_driver;
 diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
-index 04175d9..26291c1 100644
+index a0b6c50..5b22003 100644
 --- a/net/bluetooth/l2cap_core.c
 +++ b/net/bluetooth/l2cap_core.c
 @@ -2178,8 +2178,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, voi
@@ -89408,6 +89360,33 @@ index 93a41a0..d4b4edb 100644
  
  	NLA_PUT_U32(skb, L2TP_ATTR_CONN_ID, tunnel->tunnel_id);
  	NLA_PUT_U32(skb, L2TP_ATTR_SESSION_ID, session->session_id);
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 6f60175..74410e6 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -350,19 +350,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
+ 	skb_put(skb, 2);
+ 
+ 	/* Copy user data into skb */
+-	error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
++	error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
++				 total_len);
+ 	if (error < 0) {
+ 		kfree_skb(skb);
+ 		goto error_put_sess_tun;
+ 	}
+-	skb_put(skb, total_len);
+ 
+ 	l2tp_xmit_skb(session, skb, session->hdr_len);
+ 
+ 	sock_put(ps->tunnel_sock);
+ 	sock_put(sk);
+ 
+-	return error;
++	return total_len;
+ 
+ error_put_sess_tun:
+ 	sock_put(ps->tunnel_sock);
 diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
 index 73495f1..ad51356 100644
 --- a/net/mac80211/ieee80211_i.h
@@ -89430,7 +89409,7 @@ index 73495f1..ad51356 100644
  	/* number of interfaces with corresponding FIF_ flags */
  	int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
 diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index f4ddf34..842d3b5 100644
+index 8260cd5..f13516d 100644
 --- a/net/mac80211/iface.c
 +++ b/net/mac80211/iface.c
 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_device *dev, bool coming_up)
@@ -89683,7 +89662,7 @@ index 6dc7d7d..e45913a 100644
  	if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
  	    cp->protocol == IPPROTO_SCTP) {
 diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index 72f4253..f5222ae 100644
+index 72f4253..c9a3f57 100644
 --- a/net/netfilter/ipvs/ip_vs_ctl.c
 +++ b/net/netfilter/ipvs/ip_vs_ctl.c
 @@ -788,7 +788,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
@@ -89722,7 +89701,14 @@ index 72f4253..f5222ae 100644
  					   atomic_read(&dest->weight),
  					   atomic_read(&dest->activeconns),
  					   atomic_read(&dest->inactconns));
-@@ -2509,7 +2509,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+@@ -2503,13 +2503,14 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+ 		struct ip_vs_dest *dest;
+ 		struct ip_vs_dest_entry entry;
+ 
++		memset(&entry, 0, sizeof(entry));
+ 		list_for_each_entry(dest, &svc->destinations, n_list) {
+ 			if (count >= get->num_dests)
+ 				break;
  
  			entry.addr = dest->addr.ip;
  			entry.port = dest->port;
@@ -89731,7 +89717,7 @@ index 72f4253..f5222ae 100644
  			entry.weight = atomic_read(&dest->weight);
  			entry.u_threshold = dest->u_threshold;
  			entry.l_threshold = dest->l_threshold;
-@@ -3043,7 +3043,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
+@@ -3043,7 +3044,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
  	NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
  
  	NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -89740,7 +89726,7 @@ index 72f4253..f5222ae 100644
  	NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
  	NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
  	NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
-@@ -3626,7 +3626,7 @@ int __net_init ip_vs_control_net_init_sysctl(struct net *net)
+@@ -3626,7 +3627,7 @@ int __net_init ip_vs_control_net_init_sysctl(struct net *net)
  {
  	int idx;
  	struct netns_ipvs *ipvs = net_ipvs(net);
@@ -90173,7 +90159,7 @@ index 3df7c5a..8f324b0 100644
  		*uaddr_len = sizeof(struct sockaddr_ax25);
  	}
 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 5a70215..379f8ee 100644
+index 5a70215..070be35 100644
 --- a/net/packet/af_packet.c
 +++ b/net/packet/af_packet.c
 @@ -1670,7 +1670,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
@@ -90213,7 +90199,22 @@ index 5a70215..379f8ee 100644
  
  	msg->msg_flags |= MSG_ERRQUEUE;
  	err = copied;
-@@ -3262,7 +3264,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -2820,12 +2822,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ 		return -EOPNOTSUPP;
+ 
+ 	uaddr->sa_family = AF_PACKET;
++	memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+ 	rcu_read_lock();
+ 	dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
+ 	if (dev)
+-		strncpy(uaddr->sa_data, dev->name, 14);
+-	else
+-		memset(uaddr->sa_data, 0, 14);
++		strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+ 	rcu_read_unlock();
+ 	*uaddr_len = sizeof(*uaddr);
+ 
+@@ -3262,7 +3263,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
  	case PACKET_HDRLEN:
  		if (len > sizeof(int))
  			len = sizeof(int);
@@ -90222,7 +90223,7 @@ index 5a70215..379f8ee 100644
  			return -EFAULT;
  		switch (val) {
  		case TPACKET_V1:
-@@ -3312,7 +3314,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3312,7 +3313,11 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
  
  	if (put_user(len, optlen))
  		return -EFAULT;
@@ -90791,6 +90792,33 @@ index 8104278..300d89d 100644
  }
  
  /* Initialize IPv6 support and register with socket layer.  */
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 96eb168..3dd7207 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -205,6 +205,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
+  */
+ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ {
++	memset(q, 0, sizeof(struct sctp_outq));
++
+ 	q->asoc = asoc;
+ 	INIT_LIST_HEAD(&q->out_chunk_list);
+ 	INIT_LIST_HEAD(&q->control_chunk_list);
+@@ -212,13 +214,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ 	INIT_LIST_HEAD(&q->sacked);
+ 	INIT_LIST_HEAD(&q->abandoned);
+ 
+-	q->fast_rtx = 0;
+-	q->outstanding_bytes = 0;
+ 	q->empty = 1;
+-	q->cork  = 0;
+-
+-	q->malloced = 0;
+-	q->out_qlen = 0;
+ }
+ 
+ /* Free the outqueue structure and any related pending chunks.
 diff --git a/net/sctp/probe.c b/net/sctp/probe.c
 index bc6cd75..749e4eb 100644
 --- a/net/sctp/probe.c
@@ -90875,7 +90903,7 @@ index 9032d50..49eb875 100644
  	sctp_generate_t1_cookie_event,
  	sctp_generate_t1_init_event,
 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 5e0d86e..e2a4da1 100644
+index 5e0d86e..f09fd13 100644
 --- a/net/sctp/socket.c
 +++ b/net/sctp/socket.c
 @@ -2157,11 +2157,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
@@ -90893,7 +90921,20 @@ index 5e0d86e..e2a4da1 100644
  
  	/*
  	 * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -4141,13 +4143,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -3929,6 +3931,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
+ 
+ 	/* Release our hold on the endpoint. */
+ 	sp = sctp_sk(sk);
++	/* This could happen during socket init, thus we bail out
++	 * early, since the rest of the below is not setup either.
++	 */
++	if (sp->ep == NULL)
++		return;
++
+ 	if (sp->do_auto_asconf) {
+ 		sp->do_auto_asconf = 0;
+ 		list_del(&sp->auto_asconf_list);
+@@ -4141,13 +4149,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
  static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
  				  int __user *optlen)
  {
@@ -90911,7 +90952,7 @@ index 5e0d86e..e2a4da1 100644
  		return -EFAULT;
  	return 0;
  }
-@@ -4165,6 +4170,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4165,6 +4176,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
   */
  static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
  {
@@ -90920,7 +90961,7 @@ index 5e0d86e..e2a4da1 100644
  	/* Applicable to UDP-style socket only */
  	if (sctp_style(sk, TCP))
  		return -EOPNOTSUPP;
-@@ -4173,7 +4180,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4173,7 +4186,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
  	len = sizeof(int);
  	if (put_user(len, optlen))
  		return -EFAULT;
@@ -90930,7 +90971,7 @@ index 5e0d86e..e2a4da1 100644
  		return -EFAULT;
  	return 0;
  }
-@@ -4537,12 +4545,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4537,12 +4551,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
   */
  static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
  {
@@ -90947,7 +90988,7 @@ index 5e0d86e..e2a4da1 100644
  		return -EFAULT;
  	return 0;
  }
-@@ -4583,6 +4594,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4583,6 +4600,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
  		addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
  		if (space_left < addrlen)
  			return -ENOMEM;
@@ -93513,19 +93554,926 @@ index 51bd5a0..7b71be9 100644
  	default 65536
  	help
  	  This is the portion of low virtual memory which should be protected
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
++++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
++
++config SECURITY_APPARMOR_COMPAT_24
++	bool "Enable AppArmor 2.4 compatability"
++	depends on SECURITY_APPARMOR
++	default y
++	help
++	  This option enables compatability with AppArmor 2.4.  It is
++          recommended if compatability with older versions of AppArmor
++          is desired.
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index 2dafe50..0bb604b 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,9 +4,10 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+ 
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+-              resource.o sid.o file.o
++              resource.o sid.o file.o net.o
++apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
+ 
+-clean-files := capability_names.h rlim_names.h
++clean-files := capability_names.h rlim_names.h af_names.h
+ 
+ 
+ # Build a lower case string table of capability names
+@@ -44,9 +45,24 @@ cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+ 	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
+ 	echo "};" >> $@
+ 
++# Build a lower case string table of address family names.
++# Transform lines from
++# #define AF_INET		2	/* Internet IP Protocol 	*/
++# to
++# [2] = "inet",
++quiet_cmd_make-af = GEN     $@
++cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
++	sed $< >> $@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++	  's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+).*/[\2] = "\L\1",/p';\
++	echo "};" >> $@
++
++
+ $(obj)/capability.o : $(obj)/capability_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
++$(obj)/net.o : $(obj)/af_names.h
+ $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+ 	$(call cmd,make-caps)
+ $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+ 	$(call cmd,make-rlim)
++$(obj)/af_names.h : $(srctree)/include/linux/socket.h
++	$(call cmd,make-af)
+\ No newline at end of file
+diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
+new file mode 100644
+index 0000000..dc8c744
+--- /dev/null
++++ b/security/apparmor/apparmorfs-24.c
+@@ -0,0 +1,287 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ *
++ *
++ * This file contain functions providing an interface for <= AppArmor 2.4
++ * compatibility.  It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
++ * being set (see Makefile).
++ */
++
++#include <linux/security.h>
++#include <linux/vmalloc.h>
++#include <linux/module.h>
++#include <linux/seq_file.h>
++#include <linux/uaccess.h>
++#include <linux/namei.h>
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/policy.h"
++
++
++/* apparmor/matching */
++static ssize_t aa_matching_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
++	    "user::other";
++
++	return simple_read_from_buffer(buf, size, ppos, matching,
++				       sizeof(matching) - 1);
++}
++
++const struct file_operations aa_fs_matching_fops = {
++	.read = aa_matching_read,
++};
++
++/* apparmor/features */
++static ssize_t aa_features_read(struct file *file, char __user *buf,
++				size_t size, loff_t *ppos)
++{
++	const char features[] = "file=3.1 capability=2.0 network=1.0 "
++	    "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
++
++	return simple_read_from_buffer(buf, size, ppos, features,
++				       sizeof(features) - 1);
++}
++
++const struct file_operations aa_fs_features_fops = {
++	.read = aa_features_read,
++};
++
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++					     struct aa_namespace *ns)
++{
++	struct aa_namespace *parent;
++
++	/* is next namespace a child */
++	if (!list_empty(&ns->sub_ns)) {
++		struct aa_namespace *next;
++		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++		read_lock(&next->lock);
++		return next;
++	}
++
++	/* check if the next ns is a sibling, parent, gp, .. */
++	parent = ns->parent;
++	while (parent) {
++		read_unlock(&ns->lock);
++		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++			read_lock(&ns->lock);
++			return ns;
++		}
++		if (parent == root)
++			return NULL;
++		ns = parent;
++		parent = parent->parent;
++	}
++
++	return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in   (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++					  struct aa_namespace *ns)
++{
++	for ( ; ns; ns = __next_namespace(root, ns)) {
++		if (!list_empty(&ns->base.profiles))
++			return list_first_entry(&ns->base.profiles,
++						struct aa_profile, base.list);
++	}
++	return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++	struct aa_profile *parent;
++	struct aa_namespace *ns = p->ns;
++
++	/* is next profile a child */
++	if (!list_empty(&p->base.profiles))
++		return list_first_entry(&p->base.profiles, typeof(*p),
++					base.list);
++
++	/* is next profile a sibling, parent sibling, gp, subling, .. */
++	parent = p->parent;
++	while (parent) {
++		list_for_each_entry_continue(p, &parent->base.profiles,
++					     base.list)
++				return p;
++		p = parent;
++		parent = parent->parent;
++	}
++
++	/* is next another profile in the namespace */
++	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++		return p;
++
++	return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace  (NOT NULL)
++ * @profile: current profile  (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++				       struct aa_profile *profile)
++{
++	struct aa_profile *next = __next_profile(profile);
++	if (next)
++		return next;
++
++	/* finished all profiles in namespace move to next namespace */
++	return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++	__acquires(root->lock)
++{
++	struct aa_profile *profile = NULL;
++	struct aa_namespace *root = aa_current_profile()->ns;
++	loff_t l = *pos;
++	f->private = aa_get_namespace(root);
++
++
++	/* find the first profile */
++	read_lock(&root->lock);
++	profile = __first_profile(root, root);
++
++	/* skip to position */
++	for (; profile && l > 0; l--)
++		profile = next_profile(root, profile);
++
++	return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private;
++	(*pos)++;
++
++	return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++	__releases(root->lock)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private, *ns;
++
++	if (profile) {
++		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++			read_unlock(&ns->lock);
++	}
++	read_unlock(&root->lock);
++	aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile)    (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++	struct aa_profile *profile = (struct aa_profile *)p;
++	struct aa_namespace *root = f->private;
++
++	if (profile->ns != root)
++		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++	seq_printf(f, "%s (%s)\n", profile->base.hname,
++		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++	return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++	.start = p_start,
++	.next = p_next,
++	.stop = p_stop,
++	.show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++	return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++	return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++	.open = profiles_open,
++	.read = seq_read,
++	.llseek = seq_lseek,
++	.release = profiles_release,
++};
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 69ddb47..be0f0f9 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -187,7 +187,11 @@ void __init aa_destroy_aafs(void)
+ 		aafs_remove(".remove");
+ 		aafs_remove(".replace");
+ 		aafs_remove(".load");
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++		aafs_remove("profiles");
++		aafs_remove("matching");
++		aafs_remove("features");
++#endif
+ 		securityfs_remove(aa_fs_dentry);
+ 		aa_fs_dentry = NULL;
+ 	}
+@@ -218,7 +222,17 @@ static int __init aa_create_aafs(void)
+ 		aa_fs_dentry = NULL;
+ 		goto error;
+ 	}
+-
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++	error = aafs_create("matching", 0444, &aa_fs_matching_fops);
++	if (error)
++		goto error;
++	error = aafs_create("features", 0444, &aa_fs_features_fops);
++	if (error)
++		goto error;
++	error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
++	if (error)
++		goto error;
++#endif
+ 	error = aafs_create(".load", 0640, &aa_fs_profile_load);
+ 	if (error)
+ 		goto error;
+diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
+index cb1e93a..14f955c 100644
+--- a/security/apparmor/include/apparmorfs.h
++++ b/security/apparmor/include/apparmorfs.h
+@@ -17,4 +17,10 @@
+ 
+ extern void __init aa_destroy_aafs(void);
+ 
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++extern const struct file_operations aa_fs_matching_fops;
++extern const struct file_operations aa_fs_features_fops;
++extern const struct file_operations aa_fs_profiles_fops;
++#endif
++
+ #endif /* __AA_APPARMORFS_H */
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 0000000..3c7d599
+--- /dev/null
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,40 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation definitions.
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_NET_H
++#define __AA_NET_H
++
++#include <net/sock.h>
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++	u16 allow[AF_MAX];
++	u16 audit[AF_MAX];
++	u16 quiet[AF_MAX];
++};
++
++extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
++		       int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(int op, struct sock *sk);
++
++static inline void aa_free_net_rules(struct aa_net *new)
++{
++	/* NOP */
++}
++
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index aeda5cf..6776929 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -27,6 +27,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "resource.h"
+ 
+ extern const char *profile_mode_names[];
+@@ -145,6 +146,7 @@ struct aa_namespace {
+  * @size: the memory consumed by this profiles rules
+  * @file: The set of rules governing basic file access and domain transitions
+  * @caps: capabilities for the profile
++ * @net: network controls for the profile
+  * @rlimits: rlimits for the profile
+  *
+  * The AppArmor profile contains the basic confinement data.  Each profile
+@@ -181,6 +183,7 @@ struct aa_profile {
+ 
+ 	struct aa_file_rules file;
+ 	struct aa_caps caps;
++	struct aa_net net;
+ 	struct aa_rlimit rlimits;
+ };
+ 
 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 3783202..1852837 100644
+index 3783202..d70ae70 100644
 --- a/security/apparmor/lsm.c
 +++ b/security/apparmor/lsm.c
-@@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+@@ -32,6 +32,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/procattr.h"
+@@ -621,7 +622,105 @@ static int apparmor_task_setrlimit(struct task_struct *task,
  	return error;
  }
  
 -static struct security_operations apparmor_ops = {
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	if (kern)
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++				    NULL);
++	return error;
++}
++
++static int apparmor_socket_bind(struct socket *sock,
++				struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_BIND, sk);
++}
++
++static int apparmor_socket_connect(struct socket *sock,
++				   struct sockaddr *address, int addrlen)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_CONNECT, sk);
++}
++
++static int apparmor_socket_listen(struct socket *sock, int backlog)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_LISTEN, sk);
++}
++
++static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_ACCEPT, sk);
++}
++
++static int apparmor_socket_sendmsg(struct socket *sock,
++				   struct msghdr *msg, int size)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SENDMSG, sk);
++}
++
++static int apparmor_socket_recvmsg(struct socket *sock,
++				   struct msghdr *msg, int size, int flags)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_RECVMSG, sk);
++}
++
++static int apparmor_socket_getsockname(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKNAME, sk);
++}
++
++static int apparmor_socket_getpeername(struct socket *sock)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETPEERNAME, sk);
++}
++
++static int apparmor_socket_getsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_GETSOCKOPT, sk);
++}
++
++static int apparmor_socket_setsockopt(struct socket *sock, int level,
++				      int optname)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SETSOCKOPT, sk);
++}
++
++static int apparmor_socket_shutdown(struct socket *sock, int how)
++{
++	struct sock *sk = sock->sk;
++
++	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
++}
++
 +static struct security_operations apparmor_ops __read_only = {
  	.name =				"apparmor",
  
  	.ptrace_access_check =		apparmor_ptrace_access_check,
+@@ -652,6 +751,19 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
++	.socket_create =		apparmor_socket_create,
++	.socket_bind =			apparmor_socket_bind,
++	.socket_connect =		apparmor_socket_connect,
++	.socket_listen =		apparmor_socket_listen,
++	.socket_accept =		apparmor_socket_accept,
++	.socket_sendmsg =		apparmor_socket_sendmsg,
++	.socket_recvmsg =		apparmor_socket_recvmsg,
++	.socket_getsockname =		apparmor_socket_getsockname,
++	.socket_getpeername =		apparmor_socket_getpeername,
++	.socket_getsockopt =		apparmor_socket_getsockopt,
++	.socket_setsockopt =		apparmor_socket_setsockopt,
++	.socket_shutdown =		apparmor_socket_shutdown,
++
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+diff --git a/security/apparmor/match.c b/security/apparmor/match.c
+index 94de6b4..081491e 100644
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -57,8 +57,17 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
+ 	if (bsize < tsize)
+ 		goto out;
+ 
++	/* Pad table allocation for next/check by 256 entries to remain
++	 * backwards compatible with old (buggy) tools and remain safe without
++	 * run time checks
++	 */
++	if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
++		tsize += 256 * th.td_flags;
++
+ 	table = kvmalloc(tsize);
+ 	if (table) {
++		/* ensure the pad is clear, else there will be errors */
++		memset(table, 0, tsize);
+ 		*table = th;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+@@ -134,11 +143,19 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
+ 		goto out;
+ 
+ 	if (flags & DFA_FLAG_VERIFY_STATES) {
++		int warning = 0;
+ 		for (i = 0; i < state_count; i++) {
+ 			if (DEFAULT_TABLE(dfa)[i] >= state_count)
+ 				goto out;
+ 			/* TODO: do check that DEF state recursion terminates */
+ 			if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
++				if (warning)
++					continue;
++				printk(KERN_WARNING "AppArmor DFA next/check "
++				       "upper bounds error fixed, upgrade "
++				       "user space tools \n");
++				warning = 1;
++			} else if (BASE_TABLE(dfa)[i] >= trans_count) {
+ 				printk(KERN_ERR "AppArmor DFA next/check upper "
+ 				       "bounds error\n");
+ 				goto out;
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 0000000..1765901
+--- /dev/null
++++ b/security/apparmor/net.c
+@@ -0,0 +1,170 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2010 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/net.h"
++#include "include/policy.h"
++
++#include "af_names.h"
++
++static const char *sock_type_names[] = {
++	"unknown(0)",
++	"stream",
++	"dgram",
++	"raw",
++	"rdm",
++	"seqpacket",
++	"dccp",
++	"unknown(7)",
++	"unknown(8)",
++	"unknown(9)",
++	"packet",
++};
++
++/* audit callback for net specific fields */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++	struct common_audit_data *sa = va;
++
++	audit_log_format(ab, " family=");
++	if (address_family_names[sa->u.net.family]) {
++		audit_log_string(ab, address_family_names[sa->u.net.family]);
++	} else {
++		audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
++	}
++
++	audit_log_format(ab, " sock_type=");
++	if (sock_type_names[sa->aad.net.type]) {
++		audit_log_string(ab, sock_type_names[sa->aad.net.type]);
++	} else {
++		audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
++	}
++
++	audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
++}
++
++/**
++ * audit_net - audit network access
++ * @profile: profile being enforced  (NOT NULL)
++ * @op: operation being checked
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ * @sk: socket auditing is being applied to
++ * @error: error code for failure else 0
++ *
++ * Returns: %0 or sa->error else other errorcode on failure
++ */
++static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
++		     int protocol, struct sock *sk, int error)
++{
++	int audit_type = AUDIT_APPARMOR_AUTO;
++	struct common_audit_data sa;
++	if (sk) {
++		COMMON_AUDIT_DATA_INIT(&sa, NET);
++	} else {
++		COMMON_AUDIT_DATA_INIT(&sa, NONE);
++	}
++	/* todo fill in socket addr info */
++
++	sa.aad.op = op,
++	sa.u.net.family = family;
++	sa.u.net.sk = sk;
++	sa.aad.net.type = type;
++	sa.aad.net.protocol = protocol;
++	sa.aad.error = error;
++
++	if (likely(!sa.aad.error)) {
++		u16 audit_mask = profile->net.audit[sa.u.net.family];
++		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
++			   !(1 << sa.aad.net.type & audit_mask)))
++			return 0;
++		audit_type = AUDIT_APPARMOR_AUDIT;
++	} else {
++		u16 quiet_mask = profile->net.quiet[sa.u.net.family];
++		u16 kill_mask = 0;
++		u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
++
++		if (denied & kill_mask)
++			audit_type = AUDIT_APPARMOR_KILL;
++
++		if ((denied & quiet_mask) &&
++		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++		    AUDIT_MODE(profile) != AUDIT_ALL)
++			return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
++	}
++
++	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
++}
++
++/**
++ * aa_net_perm - very course network access check
++ * @op: operation being checked
++ * @profile: profile being enforced  (NOT NULL)
++ * @family: network family
++ * @type:   network type
++ * @protocol: network protocol
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
++		int protocol, struct sock *sk)
++{
++	u16 family_mask;
++	int error;
++
++	if ((family < 0) || (family >= AF_MAX))
++		return -EINVAL;
++
++	if ((type < 0) || (type >= SOCK_MAX))
++		return -EINVAL;
++
++	/* unix domain and netlink sockets are handled by ipc */
++	if (family == AF_UNIX || family == AF_NETLINK)
++		return 0;
++
++	family_mask = profile->net.allow[family];
++
++	error = (family_mask & (1 << type)) ? 0 : -EACCES;
++
++	return audit_net(profile, op, family, type, protocol, sk, error);
++}
++
++/**
++ * aa_revalidate_sk - Revalidate access to a sock
++ * @op: operation being checked
++ * @sk: sock being revalidated  (NOT NULL)
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_revalidate_sk(int op, struct sock *sk)
++{
++	struct aa_profile *profile;
++	int error = 0;
++
++	/* aa_revalidate_sk should not be called from interrupt context
++	 * don't mediate these calls as they are not task related
++	 */
++	if (in_interrupt())
++		return 0;
++
++	profile = __aa_current_profile();
++	if (!unconfined(profile))
++		error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
++				    sk->sk_protocol, sk);
++
++	return error;
++}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index 4f0eade..4d5ce13 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
+ 
+ 	aa_free_file_rules(&profile->file);
+ 	aa_free_cap_rules(&profile->caps);
++	aa_free_net_rules(&profile->net);
+ 	aa_free_rlimit_rules(&profile->rlimits);
+ 
+ 	aa_free_sid(profile->sid);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 741dd13..ee8043e 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -190,6 +190,19 @@ fail:
+ 	return 0;
+ }
+ 
++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
++{
++	if (unpack_nameX(e, AA_U16, name)) {
++		if (!inbounds(e, sizeof(u16)))
++			return 0;
++		if (data)
++			*data = le16_to_cpu(get_unaligned((u16 *) e->pos));
++		e->pos += sizeof(u16);
++		return 1;
++	}
++	return 0;
++}
++
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ 	if (unpack_nameX(e, AA_U32, name)) {
+@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ {
+ 	struct aa_profile *profile = NULL;
+ 	const char *name = NULL;
+-	int error = -EPROTO;
++	size_t size = 0;
++	int i, error = -EPROTO;
+ 	kernel_cap_t tmpcap;
+ 	u32 tmp;
+ 
+@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
+ 	if (!unpack_rlimits(e, profile))
+ 		goto fail;
+ 
++	size = unpack_array(e, "net_allowed_af");
++	if (size) {
++
++		for (i = 0; i < size; i++) {
++			/* discard extraneous rules that this kernel will
++			 * never request
++			 */
++			if (i >= AF_MAX) {
++				u16 tmp;
++				if (!unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL) ||
++				    !unpack_u16(e, &tmp, NULL))
++					goto fail;
++				continue;
++			}
++			if (!unpack_u16(e, &profile->net.allow[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.audit[i], NULL))
++				goto fail;
++			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
++				goto fail;
++		}
++		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
++			goto fail;
++		/*
++		 * allow unix domain and netlink sockets they are handled
++		 * by IPC
++		 */
++	}
++	profile->net.allow[AF_UNIX] = 0xffff;
++	profile->net.allow[AF_NETLINK] = 0xffff;
++
+ 	/* get file rules */
+ 	profile->file.dfa = unpack_dfa(e);
+ 	if (IS_ERR(profile->file.dfa)) {
 diff --git a/security/commoncap.c b/security/commoncap.c
 index 12440ee..e16cba1 100644
 --- a/security/commoncap.c
@@ -94460,10 +95408,10 @@ index ee15337..ab0ec34 100644
  
  	if (playback)
 diff --git a/sound/usb/card.h b/sound/usb/card.h
-index 2b7559c..3a42a04 100644
+index 0a7ca6c..f4b948c 100644
 --- a/sound/usb/card.h
 +++ b/sound/usb/card.h
-@@ -44,6 +44,7 @@ struct snd_urb_ops {
+@@ -45,6 +45,7 @@ struct snd_urb_ops {
  	int (*prepare_sync)(struct snd_usb_substream *subs, struct snd_pcm_runtime *runtime, struct urb *u);
  	int (*retire_sync)(struct snd_usb_substream *subs, struct snd_pcm_runtime *runtime, struct urb *u);
  };
@@ -94471,7 +95419,7 @@ index 2b7559c..3a42a04 100644
  
  struct snd_usb_substream {
  	struct snd_usb_stream *stream;
-@@ -95,7 +96,7 @@ struct snd_usb_substream {
+@@ -96,7 +97,7 @@ struct snd_usb_substream {
  	struct snd_pcm_hw_constraint_list rate_list;	/* limited rates */
  	spinlock_t lock;
  
diff --git a/3.2.46/4425_grsec_remove_EI_PAX.patch b/3.2.47/4425_grsec_remove_EI_PAX.patch
index 7d06ac2..7d06ac2 100644
--- a/3.2.46/4425_grsec_remove_EI_PAX.patch
+++ b/3.2.47/4425_grsec_remove_EI_PAX.patch
diff --git a/3.2.46/4427_force_XATTR_PAX_tmpfs.patch b/3.2.47/4427_force_XATTR_PAX_tmpfs.patch
index 8c7a533..8c7a533 100644
--- a/3.2.46/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.2.47/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.2.46/4430_grsec-remove-localversion-grsec.patch b/3.2.47/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.2.46/4430_grsec-remove-localversion-grsec.patch
+++ b/3.2.47/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.2.46/4435_grsec-mute-warnings.patch b/3.2.47/4435_grsec-mute-warnings.patch
index f099757..f099757 100644
--- a/3.2.46/4435_grsec-mute-warnings.patch
+++ b/3.2.47/4435_grsec-mute-warnings.patch
diff --git a/3.2.46/4440_grsec-remove-protected-paths.patch b/3.2.47/4440_grsec-remove-protected-paths.patch
index 637934a..637934a 100644
--- a/3.2.46/4440_grsec-remove-protected-paths.patch
+++ b/3.2.47/4440_grsec-remove-protected-paths.patch
diff --git a/3.2.46/4450_grsec-kconfig-default-gids.patch b/3.2.47/4450_grsec-kconfig-default-gids.patch
index c882e28..c882e28 100644
--- a/3.2.46/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.47/4450_grsec-kconfig-default-gids.patch
diff --git a/3.2.46/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.47/4465_selinux-avc_audit-log-curr_ip.patch
index 5607ab4..5607ab4 100644
--- a/3.2.46/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.47/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.2.46/4470_disable-compat_vdso.patch b/3.2.47/4470_disable-compat_vdso.patch
index 99c691b..99c691b 100644
--- a/3.2.46/4470_disable-compat_vdso.patch
+++ b/3.2.47/4470_disable-compat_vdso.patch
diff --git a/3.2.46/4475_emutramp_default_on.patch b/3.2.47/4475_emutramp_default_on.patch
index 30f6978..30f6978 100644
--- a/3.2.46/4475_emutramp_default_on.patch
+++ b/3.2.47/4475_emutramp_default_on.patch
diff --git a/3.9.5/0000_README b/3.9.6/0000_README
index 39f1bd8..39efc0a 100644
--- a/3.9.5/0000_README
+++ b/3.9.6/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.9.1-3.9.5-201306111850.patch
+Patch:	4420_grsecurity-2.9.1-3.9.6-201306182033.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
diff --git a/3.9.5/4420_grsecurity-2.9.1-3.9.5-201306111850.patch b/3.9.6/4420_grsecurity-2.9.1-3.9.6-201306182033.patch
index 183d9f7..5702fad 100644
--- a/3.9.5/4420_grsecurity-2.9.1-3.9.5-201306111850.patch
+++ b/3.9.6/4420_grsecurity-2.9.1-3.9.6-201306182033.patch
@@ -259,7 +259,7 @@ index 8ccbf27..afffeb4 100644
  
  	pcd.		[PARIDE]
 diff --git a/Makefile b/Makefile
-index 8818c95..ced0bb1 100644
+index 4a40307..9ac699b 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -6682,10 +6682,10 @@ index 2e3200c..72095ce 100644
  	/* Find this entry, or if that fails, the next avail. entry */
  	while (entry->jump[0]) {
 diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index 16e77a8..4501b41 100644
+index 9600c36..0c156d7 100644
 --- a/arch/powerpc/kernel/process.c
 +++ b/arch/powerpc/kernel/process.c
-@@ -870,8 +870,8 @@ void show_regs(struct pt_regs * regs)
+@@ -871,8 +871,8 @@ void show_regs(struct pt_regs * regs)
  	 * Lookup NIP late so we have the best change of getting the
  	 * above info out without failing
  	 */
@@ -6696,7 +6696,7 @@ index 16e77a8..4501b41 100644
  #endif
  #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
  	printk("PACATMSCRATCH [%llx]\n", get_paca()->tm_scratch);
-@@ -1330,10 +1330,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1331,10 +1331,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
  		newsp = stack[0];
  		ip = stack[STACK_FRAME_LR_SAVE];
  		if (!firstframe || ip != lr) {
@@ -6709,7 +6709,7 @@ index 16e77a8..4501b41 100644
  				       (void *)current->ret_stack[curr_frame].ret);
  				curr_frame--;
  			}
-@@ -1353,7 +1353,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
+@@ -1354,7 +1354,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
  			struct pt_regs *regs = (struct pt_regs *)
  				(sp + STACK_FRAME_OVERHEAD);
  			lr = regs->link;
@@ -6718,7 +6718,7 @@ index 16e77a8..4501b41 100644
  			       regs->trap, (void *)regs->nip, (void *)lr);
  			firstframe = 1;
  		}
-@@ -1395,58 +1395,3 @@ void __ppc64_runlatch_off(void)
+@@ -1396,58 +1396,3 @@ void __ppc64_runlatch_off(void)
  	mtspr(SPRN_CTRLT, ctrl);
  }
  #endif /* CONFIG_PPC64 */
@@ -6856,7 +6856,7 @@ index 3ce1f86..c30e629 100644
  };
  
 diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
-index 1c22b2d..3b56e67 100644
+index 29857c6..bd31e27 100644
 --- a/arch/powerpc/kernel/traps.c
 +++ b/arch/powerpc/kernel/traps.c
 @@ -142,6 +142,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
@@ -31363,10 +31363,10 @@ index e006c18..b9a7d6c 100644
  	.alloc_pud = xen_alloc_pmd_init,
  	.release_pud = xen_release_pmd_init,
 diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
-index 22c800a..8915f1e 100644
+index 96c4e85..284fded 100644
 --- a/arch/x86/xen/smp.c
 +++ b/arch/x86/xen/smp.c
-@@ -229,11 +229,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
+@@ -230,11 +230,6 @@ static void __init xen_smp_prepare_boot_cpu(void)
  {
  	BUG_ON(smp_processor_id() != 0);
  	native_smp_prepare_boot_cpu();
@@ -31378,7 +31378,7 @@ index 22c800a..8915f1e 100644
  	xen_filter_cpu_maps();
  	xen_setup_vcpu_info_placement();
  }
-@@ -303,7 +298,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
+@@ -304,7 +299,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
  	ctxt->user_regs.ss = __KERNEL_DS;
  #ifdef CONFIG_X86_32
  	ctxt->user_regs.fs = __KERNEL_PERCPU;
@@ -31387,7 +31387,7 @@ index 22c800a..8915f1e 100644
  #else
  	ctxt->gs_base_kernel = per_cpu_offset(cpu);
  #endif
-@@ -313,8 +308,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
+@@ -314,8 +309,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
  
  	{
  		ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
@@ -31398,7 +31398,7 @@ index 22c800a..8915f1e 100644
  
  		xen_copy_trap_info(ctxt->trap_ctxt);
  
-@@ -359,13 +354,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle)
+@@ -360,13 +355,12 @@ static int __cpuinit xen_cpu_up(unsigned int cpu, struct task_struct *idle)
  	int rc;
  
  	per_cpu(current_task, cpu) = idle;
@@ -31414,7 +31414,7 @@ index 22c800a..8915f1e 100644
  #endif
  	xen_setup_runstate_info(cpu);
  	xen_setup_timer(cpu);
-@@ -634,7 +628,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
+@@ -642,7 +636,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
  
  void __init xen_smp_init(void)
  {
@@ -33945,7 +33945,7 @@ index 2c644af..d4d7f17 100644
  
  static int memory_open(struct inode *inode, struct file *filp)
 diff --git a/drivers/char/mwave/tp3780i.c b/drivers/char/mwave/tp3780i.c
-index c689697..04e6d6a 100644
+index c689697..04e6d6a2 100644
 --- a/drivers/char/mwave/tp3780i.c
 +++ b/drivers/char/mwave/tp3780i.c
 @@ -479,6 +479,7 @@ int tp3780I_QueryAbilities(THINKPAD_BD_DATA * pBDData, MW_ABILITIES * pAbilities
@@ -34259,7 +34259,7 @@ index ade7513..069445f 100644
  };
  
 diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
-index 57a8774..545e993 100644
+index bb5939b..d9accb7 100644
 --- a/drivers/cpufreq/acpi-cpufreq.c
 +++ b/drivers/cpufreq/acpi-cpufreq.c
 @@ -172,7 +172,7 @@ static ssize_t show_global_boost(struct kobject *kobj,
@@ -35394,10 +35394,10 @@ index 3c7bb04..182e049 100644
  	iir = I915_READ(IIR);
  
 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index c2d173a..f4357cc 100644
+index 2ab65b4..acbd821 100644
 --- a/drivers/gpu/drm/i915/intel_display.c
 +++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -8722,13 +8722,13 @@ struct intel_quirk {
+@@ -8742,13 +8742,13 @@ struct intel_quirk {
  	int subsystem_vendor;
  	int subsystem_device;
  	void (*hook)(struct drm_device *dev);
@@ -35413,7 +35413,7 @@ index c2d173a..f4357cc 100644
  
  static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
  {
-@@ -8736,18 +8736,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
+@@ -8756,18 +8756,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
  	return 1;
  }
  
@@ -35927,7 +35927,7 @@ index 6c0ce89..66f6d65 100644
  #endif
  	return radeon_debugfs_add_files(rdev, radeon_mem_types_list, i);
 diff --git a/drivers/gpu/drm/radeon/rs690.c b/drivers/gpu/drm/radeon/rs690.c
-index 5706d2a..17aedaa 100644
+index fad6633..4ff94de 100644
 --- a/drivers/gpu/drm/radeon/rs690.c
 +++ b/drivers/gpu/drm/radeon/rs690.c
 @@ -304,9 +304,11 @@ static void rs690_crtc_bandwidth_compute(struct radeon_device *rdev,
@@ -39635,6 +39635,19 @@ index 25309bf..fcfd54c 100644
  #define  CHIPREV_ID_5750_C2		 0x4202
  #define  CHIPREV_ID_5752_A0_HW		 0x5000
  #define  CHIPREV_ID_5752_A0		 0x6000
+diff --git a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+index 6e8bc9d..94d957d 100644
+--- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
++++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+@@ -244,7 +244,7 @@ bnad_debugfs_lseek(struct file *file, loff_t offset, int orig)
+ 		file->f_pos += offset;
+ 		break;
+ 	case 2:
+-		file->f_pos = debug->buffer_len - offset;
++		file->f_pos = debug->buffer_len + offset;
+ 		break;
+ 	default:
+ 		return -EINVAL;
 diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
 index 8cffcdf..aadf043 100644
 --- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
@@ -40374,6 +40387,19 @@ index 784e81c..349e01e 100644
  
  struct ath_nf_limits {
  	s16 max;
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 64b637a..911c4c0 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2451,7 +2451,7 @@ static void b43_request_firmware(struct work_struct *work)
+ 	for (i = 0; i < B43_NR_FWTYPES; i++) {
+ 		errmsg = ctx->errors[i];
+ 		if (strlen(errmsg))
+-			b43err(dev->wl, errmsg);
++			b43err(dev->wl, "%s", errmsg);
+ 	}
+ 	b43_print_fw_helptext(dev->wl, 1);
+ 	goto out;
 diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
 index c353b5f..62aaca2 100644
 --- a/drivers/net/wireless/iwlegacy/3945-mac.c
@@ -40575,6 +40601,46 @@ index 2b49f48..14fc244 100644
  	}
  
  	spin_lock_init(&hwsim_radio_lock);
+diff --git a/drivers/net/wireless/mwifiex/debugfs.c b/drivers/net/wireless/mwifiex/debugfs.c
+index 753b568..a5f9875 100644
+--- a/drivers/net/wireless/mwifiex/debugfs.c
++++ b/drivers/net/wireless/mwifiex/debugfs.c
+@@ -26,10 +26,17 @@
+ static struct dentry *mwifiex_dfs_dir;
+ 
+ static char *bss_modes[] = {
+-	"Unknown",
+-	"Ad-hoc",
+-	"Managed",
+-	"Auto"
++	"UNSPECIFIED",
++	"ADHOC",
++	"STATION",
++	"AP",
++	"AP_VLAN",
++	"WDS",
++	"MONITOR",
++	"MESH_POINT",
++	"P2P_CLIENT",
++	"P2P_GO",
++	"P2P_DEVICE",
+ };
+ 
+ /* size/addr for mwifiex_debug_info */
+@@ -200,7 +207,12 @@ mwifiex_info_read(struct file *file, char __user *ubuf,
+ 	p += sprintf(p, "driver_version = %s", fmt);
+ 	p += sprintf(p, "\nverext = %s", priv->version_str);
+ 	p += sprintf(p, "\ninterface_name=\"%s\"\n", netdev->name);
+-	p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
++	if (info.bss_mode >= ARRAY_SIZE(bss_modes))
++		p += sprintf(p, "bss_mode=\"%d\"\n", info.bss_mode);
++	else
++		p += sprintf(p, "bss_mode=\"%s\"\n", bss_modes[info.bss_mode]);
++
+ 	p += sprintf(p, "media_state=\"%s\"\n",
+ 		     (!priv->media_connected ? "Disconnected" : "Connected"));
+ 	p += sprintf(p, "mac_address=\"%pM\"\n", netdev->dev_addr);
 diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
 index 525fd75..6c9f791 100644
 --- a/drivers/net/wireless/rndis_wlan.c
@@ -41068,7 +41134,7 @@ index d320df6..ca9a8f6 100644
  #define ASPM_STATE_ALL		(ASPM_STATE_L0S | ASPM_STATE_L1)
  
 diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index 5427787..8df273b 100644
+index 563771f..4e3c368 100644
 --- a/drivers/pci/probe.c
 +++ b/drivers/pci/probe.c
 @@ -173,7 +173,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
@@ -41613,6 +41679,32 @@ index 23a90e7..9cf04ee 100644
  
  /*
   * Queue element to wait for room in request queue. FIFO order is
+diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c
+index 439c012..b63d534 100644
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -186,7 +186,7 @@ bfad_debugfs_lseek(struct file *file, loff_t offset, int orig)
+ 		file->f_pos += offset;
+ 		break;
+ 	case 2:
+-		file->f_pos = debug->buffer_len - offset;
++		file->f_pos = debug->buffer_len + offset;
+ 		break;
+ 	default:
+ 		return -EINVAL;
+diff --git a/drivers/scsi/fnic/fnic_debugfs.c b/drivers/scsi/fnic/fnic_debugfs.c
+index adc1f7f..85e1ffd 100644
+--- a/drivers/scsi/fnic/fnic_debugfs.c
++++ b/drivers/scsi/fnic/fnic_debugfs.c
+@@ -174,7 +174,7 @@ static loff_t fnic_trace_debugfs_lseek(struct file *file,
+ 		pos = file->f_pos + offset;
+ 		break;
+ 	case 2:
+-		pos = fnic_dbg_prt->buffer_len - offset;
++		pos = fnic_dbg_prt->buffer_len + offset;
+ 	}
+ 	return (pos < 0 || pos > fnic_dbg_prt->buffer_len) ?
+ 			  -EINVAL : (file->f_pos = pos);
 diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
 index df0c3c7..b00e1d0 100644
 --- a/drivers/scsi/hosts.c
@@ -41967,7 +42059,7 @@ index 7706c99..3b4fc0c 100644
  	struct dentry *idiag_root;
  	struct dentry *idiag_pci_cfg;
 diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
-index f63f5ff..de29189 100644
+index f63f5ff..32549a4 100644
 --- a/drivers/scsi/lpfc/lpfc_debugfs.c
 +++ b/drivers/scsi/lpfc/lpfc_debugfs.c
 @@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
@@ -42031,6 +42123,15 @@ index f63f5ff..de29189 100644
  	dtp->jif = jiffies;
  #endif
  	return;
+@@ -1178,7 +1178,7 @@ lpfc_debugfs_lseek(struct file *file, loff_t off, int whence)
+ 		pos = file->f_pos + off;
+ 		break;
+ 	case 2:
+-		pos = debug->len - off;
++		pos = debug->len + off;
+ 	}
+ 	return (pos < 0 || pos > debug->len) ? -EINVAL : (file->f_pos = pos);
+ }
 @@ -4182,7 +4182,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
  						 "slow_ring buffer\n");
  				goto debug_failed;
@@ -51123,6 +51224,45 @@ index f3190ab..84ffb21 100644
  	trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
  
  	return 0;
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 3beae6a..8cc5637 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -79,12 +79,20 @@ static int verify_group_input(struct super_block *sb,
+ 	ext4_fsblk_t end = start + input->blocks_count;
+ 	ext4_group_t group = input->group;
+ 	ext4_fsblk_t itend = input->inode_table + sbi->s_itb_per_group;
+-	unsigned overhead = ext4_group_overhead_blocks(sb, group);
+-	ext4_fsblk_t metaend = start + overhead;
++	unsigned overhead;
++	ext4_fsblk_t metaend;
+ 	struct buffer_head *bh = NULL;
+ 	ext4_grpblk_t free_blocks_count, offset;
+ 	int err = -EINVAL;
+ 
++	if (group != sbi->s_groups_count) {
++		ext4_warning(sb, "Cannot add at group %u (only %u groups)",
++			     input->group, sbi->s_groups_count);
++		return -EINVAL;
++	}
++
++	overhead = ext4_group_overhead_blocks(sb, group);
++	metaend = start + overhead;
+ 	input->free_blocks_count = free_blocks_count =
+ 		input->blocks_count - 2 - overhead - sbi->s_itb_per_group;
+ 
+@@ -96,10 +104,7 @@ static int verify_group_input(struct super_block *sb,
+ 		       free_blocks_count, input->reserved_blocks);
+ 
+ 	ext4_get_group_no_and_offset(sb, start, NULL, &offset);
+-	if (group != sbi->s_groups_count)
+-		ext4_warning(sb, "Cannot add at group %u (only %u groups)",
+-			     input->group, sbi->s_groups_count);
+-	else if (offset != 0)
++	if (offset != 0)
+ 			ext4_warning(sb, "Last group not full");
+ 	else if (input->reserved_blocks > input->blocks_count / 5)
+ 		ext4_warning(sb, "Reserved blocks too high (%u)",
 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
 index febbe0e..782c4fd 100644
 --- a/fs/ext4/super.c
@@ -71468,6 +71608,20 @@ index e8d702e..0a56eb4 100644
  
  int sock_diag_register(const struct sock_diag_handler *h);
  void sock_diag_unregister(const struct sock_diag_handler *h);
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index 2b9f74b..e897bdc 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -321,6 +321,9 @@ extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data);
+ 
+ struct timespec;
+ 
++/* The __sys_...msg variants allow MSG_CMSG_COMPAT */
++extern long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags);
++extern long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags);
+ extern int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ 			  unsigned int flags, struct timespec *timeout);
+ extern int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg,
 diff --git a/include/linux/sonet.h b/include/linux/sonet.h
 index 680f9a3..f13aeb0 100644
 --- a/include/linux/sonet.h
@@ -74611,7 +74765,7 @@ index 00eb8f7..d7e3244 100644
  #ifdef CONFIG_MODULE_UNLOAD
  		{
 diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9fcb094..8370228 100644
+index 9fcb094..353baaaf 100644
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
 @@ -154,8 +154,15 @@ static struct srcu_struct pmus_srcu;
@@ -74623,7 +74777,7 @@ index 9fcb094..8370228 100644
 -int sysctl_perf_event_paranoid __read_mostly = 1;
 +#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
 +int sysctl_perf_event_legitimately_concerned __read_mostly = 3;
-+#elif CONFIG_GRKERNSEC_HIDESYM
++#elif defined(CONFIG_GRKERNSEC_HIDESYM)
 +int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
 +#else
 +int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
@@ -78324,7 +78478,7 @@ index 02fc5c9..e54c335 100644
  	mutex_unlock(&smpboot_threads_lock);
  	put_online_cpus();
 diff --git a/kernel/softirq.c b/kernel/softirq.c
-index 14d7758..012121f 100644
+index d93dcb1..1cd8a71 100644
 --- a/kernel/softirq.c
 +++ b/kernel/softirq.c
 @@ -53,11 +53,11 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
@@ -78341,7 +78495,7 @@ index 14d7758..012121f 100644
  	"HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
  	"TASKLET", "SCHED", "HRTIMER", "RCU"
  };
-@@ -244,7 +244,7 @@ restart:
+@@ -250,7 +250,7 @@ restart:
  			kstat_incr_softirqs_this_cpu(vec_nr);
  
  			trace_softirq_entry(vec_nr);
@@ -78350,7 +78504,7 @@ index 14d7758..012121f 100644
  			trace_softirq_exit(vec_nr);
  			if (unlikely(prev_count != preempt_count())) {
  				printk(KERN_ERR "huh, entered softirq %u %s %p"
-@@ -389,7 +389,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+@@ -396,7 +396,7 @@ void __raise_softirq_irqoff(unsigned int nr)
  	or_softirq_pending(1UL << nr);
  }
  
@@ -78359,7 +78513,7 @@ index 14d7758..012121f 100644
  {
  	softirq_vec[nr].action = action;
  }
-@@ -445,7 +445,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
+@@ -452,7 +452,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
  
  EXPORT_SYMBOL(__tasklet_hi_schedule_first);
  
@@ -78368,7 +78522,7 @@ index 14d7758..012121f 100644
  {
  	struct tasklet_struct *list;
  
-@@ -480,7 +480,7 @@ static void tasklet_action(struct softirq_action *a)
+@@ -487,7 +487,7 @@ static void tasklet_action(struct softirq_action *a)
  	}
  }
  
@@ -78377,7 +78531,7 @@ index 14d7758..012121f 100644
  {
  	struct tasklet_struct *list;
  
-@@ -716,7 +716,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self,
+@@ -723,7 +723,7 @@ static int __cpuinit remote_softirq_cpu_notify(struct notifier_block *self,
  	return NOTIFY_OK;
  }
  
@@ -78386,7 +78540,7 @@ index 14d7758..012121f 100644
  	.notifier_call	= remote_softirq_cpu_notify,
  };
  
-@@ -833,11 +833,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb,
+@@ -840,11 +840,11 @@ static int __cpuinit cpu_callback(struct notifier_block *nfb,
  	return NOTIFY_OK;
  }
  
@@ -78912,7 +79066,7 @@ index 90ad470..1814e9a 100644
  			tick_broadcast_clear_oneshot(cpu);
  		} else {
 diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
-index 9a0bc98..fceb7d0 100644
+index 183df62..59b1442 100644
 --- a/kernel/time/timekeeping.c
 +++ b/kernel/time/timekeeping.c
 @@ -15,6 +15,7 @@
@@ -81653,7 +81807,7 @@ index 79b7cf7..9944291 100644
  	    capable(CAP_IPC_LOCK))
  		ret = do_mlockall(flags);
 diff --git a/mm/mmap.c b/mm/mmap.c
-index 0dceed8..671951c 100644
+index 0dceed8..e7cfc40 100644
 --- a/mm/mmap.c
 +++ b/mm/mmap.c
 @@ -33,6 +33,7 @@
@@ -82402,11 +82556,10 @@ index 0dceed8..671951c 100644
  		size = vma->vm_end - address;
  		grow = (vma->vm_start - address) >> PAGE_SHIFT;
  
-@@ -2184,6 +2492,18 @@ int expand_downwards(struct vm_area_struct *vma,
+@@ -2184,13 +2492,27 @@ int expand_downwards(struct vm_area_struct *vma,
  				vma->vm_pgoff -= grow;
  				anon_vma_interval_tree_post_update_vma(vma);
  				vma_gap_update(vma);
-+				track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
 +
 +#ifdef CONFIG_PAX_SEGMEXEC
 +				if (vma_m) {
@@ -82420,8 +82573,18 @@ index 0dceed8..671951c 100644
 +
  				spin_unlock(&vma->vm_mm->page_table_lock);
  
++				track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
  				perf_event_mmap(vma);
-@@ -2288,6 +2608,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
+ 			}
+ 		}
+ 	}
+ 	vma_unlock_anon_vma(vma);
++	if (lockprev)
++		vma_unlock_anon_vma(prev);
+ 	khugepaged_enter_vma_merge(vma);
+ 	validate_mm(vma->vm_mm);
+ 	return error;
+@@ -2288,6 +2610,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
  	do {
  		long nrpages = vma_pages(vma);
  
@@ -82435,7 +82598,7 @@ index 0dceed8..671951c 100644
  		if (vma->vm_flags & VM_ACCOUNT)
  			nr_accounted += nrpages;
  		vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
-@@ -2333,6 +2660,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2333,6 +2662,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
  	insertion_point = (prev ? &prev->vm_next : &mm->mmap);
  	vma->vm_prev = NULL;
  	do {
@@ -82452,7 +82615,7 @@ index 0dceed8..671951c 100644
  		vma_rb_erase(vma, &mm->mm_rb);
  		mm->map_count--;
  		tail_vma = vma;
-@@ -2364,14 +2701,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2364,14 +2703,33 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  	struct vm_area_struct *new;
  	int err = -ENOMEM;
  
@@ -82486,7 +82649,7 @@ index 0dceed8..671951c 100644
  	/* most fields are the same, copy all, and then fixup */
  	*new = *vma;
  
-@@ -2384,6 +2740,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2384,6 +2742,22 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  		new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
  	}
  
@@ -82509,7 +82672,7 @@ index 0dceed8..671951c 100644
  	pol = mpol_dup(vma_policy(vma));
  	if (IS_ERR(pol)) {
  		err = PTR_ERR(pol);
-@@ -2406,6 +2778,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2406,6 +2780,36 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  	else
  		err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
  
@@ -82546,7 +82709,7 @@ index 0dceed8..671951c 100644
  	/* Success. */
  	if (!err)
  		return 0;
-@@ -2415,10 +2817,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2415,10 +2819,18 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  		new->vm_ops->close(new);
  	if (new->vm_file)
  		fput(new->vm_file);
@@ -82566,7 +82729,7 @@ index 0dceed8..671951c 100644
  	kmem_cache_free(vm_area_cachep, new);
   out_err:
  	return err;
-@@ -2431,6 +2841,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+@@ -2431,6 +2843,15 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
  int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
  	      unsigned long addr, int new_below)
  {
@@ -82582,7 +82745,7 @@ index 0dceed8..671951c 100644
  	if (mm->map_count >= sysctl_max_map_count)
  		return -ENOMEM;
  
-@@ -2442,11 +2861,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+@@ -2442,11 +2863,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
   * work.  This now handles partial unmappings.
   * Jeremy Fitzhardinge <jeremy@goop.org>
   */
@@ -82613,7 +82776,7 @@ index 0dceed8..671951c 100644
  	if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
  		return -EINVAL;
  
-@@ -2521,6 +2959,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
+@@ -2521,6 +2961,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
  	/* Fix up all other VM information */
  	remove_vma_list(mm, vma);
  
@@ -82622,7 +82785,7 @@ index 0dceed8..671951c 100644
  	return 0;
  }
  
-@@ -2529,6 +2969,13 @@ int vm_munmap(unsigned long start, size_t len)
+@@ -2529,6 +2971,13 @@ int vm_munmap(unsigned long start, size_t len)
  	int ret;
  	struct mm_struct *mm = current->mm;
  
@@ -82636,7 +82799,7 @@ index 0dceed8..671951c 100644
  	down_write(&mm->mmap_sem);
  	ret = do_munmap(mm, start, len);
  	up_write(&mm->mmap_sem);
-@@ -2542,16 +2989,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
+@@ -2542,16 +2991,6 @@ SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
  	return vm_munmap(addr, len);
  }
  
@@ -82653,7 +82816,7 @@ index 0dceed8..671951c 100644
  /*
   *  this is really a simplified "do_mmap".  it only handles
   *  anonymous maps.  eventually we may be able to do some
-@@ -2565,6 +3002,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2565,6 +3004,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
  	struct rb_node ** rb_link, * rb_parent;
  	pgoff_t pgoff = addr >> PAGE_SHIFT;
  	int error;
@@ -82661,7 +82824,7 @@ index 0dceed8..671951c 100644
  
  	len = PAGE_ALIGN(len);
  	if (!len)
-@@ -2572,16 +3010,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2572,16 +3012,30 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
  
  	flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
  
@@ -82693,7 +82856,7 @@ index 0dceed8..671951c 100644
  		locked += mm->locked_vm;
  		lock_limit = rlimit(RLIMIT_MEMLOCK);
  		lock_limit >>= PAGE_SHIFT;
-@@ -2598,21 +3050,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2598,21 +3052,20 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
  	/*
  	 * Clear old maps.  this also does some error checking for us
  	 */
@@ -82718,7 +82881,7 @@ index 0dceed8..671951c 100644
  		return -ENOMEM;
  
  	/* Can we just expand an old private anonymous mapping? */
-@@ -2626,7 +3077,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2626,7 +3079,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
  	 */
  	vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
  	if (!vma) {
@@ -82727,7 +82890,7 @@ index 0dceed8..671951c 100644
  		return -ENOMEM;
  	}
  
-@@ -2640,9 +3091,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
+@@ -2640,9 +3093,10 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
  	vma_link(mm, vma, prev, rb_link, rb_parent);
  out:
  	perf_event_mmap(vma);
@@ -82740,7 +82903,7 @@ index 0dceed8..671951c 100644
  	return addr;
  }
  
-@@ -2704,6 +3156,7 @@ void exit_mmap(struct mm_struct *mm)
+@@ -2704,6 +3158,7 @@ void exit_mmap(struct mm_struct *mm)
  	while (vma) {
  		if (vma->vm_flags & VM_ACCOUNT)
  			nr_accounted += vma_pages(vma);
@@ -82748,7 +82911,7 @@ index 0dceed8..671951c 100644
  		vma = remove_vma(vma);
  	}
  	vm_unacct_memory(nr_accounted);
-@@ -2720,6 +3173,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2720,6 +3175,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
  	struct vm_area_struct *prev;
  	struct rb_node **rb_link, *rb_parent;
  
@@ -82762,7 +82925,7 @@ index 0dceed8..671951c 100644
  	/*
  	 * The vm_pgoff of a purely anonymous vma should be irrelevant
  	 * until its first write fault, when page's anon_vma and index
-@@ -2743,7 +3203,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
+@@ -2743,7 +3205,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
  	     security_vm_enough_memory_mm(mm, vma_pages(vma)))
  		return -ENOMEM;
  
@@ -82784,7 +82947,7 @@ index 0dceed8..671951c 100644
  	return 0;
  }
  
-@@ -2763,6 +3237,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2763,6 +3239,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
  	struct mempolicy *pol;
  	bool faulted_in_anon_vma = true;
  
@@ -82793,7 +82956,7 @@ index 0dceed8..671951c 100644
  	/*
  	 * If anonymous vma has not yet been faulted, update new pgoff
  	 * to match new location, to increase its chance of merging.
-@@ -2829,6 +3305,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
+@@ -2829,6 +3307,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
  	return NULL;
  }
  
@@ -82833,7 +82996,7 @@ index 0dceed8..671951c 100644
  /*
   * Return true if the calling process may expand its vm space by the passed
   * number of pages
-@@ -2840,6 +3349,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
+@@ -2840,6 +3351,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
  
  	lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
  
@@ -82841,7 +83004,7 @@ index 0dceed8..671951c 100644
  	if (cur + npages > lim)
  		return 0;
  	return 1;
-@@ -2910,6 +3420,22 @@ int install_special_mapping(struct mm_struct *mm,
+@@ -2910,6 +3422,22 @@ int install_special_mapping(struct mm_struct *mm,
  	vma->vm_start = addr;
  	vma->vm_end = addr + len;
  
@@ -85239,7 +85402,7 @@ index 6a93614..1415549 100644
  			err = -EFAULT;
  			break;
 diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
-index 7c7e932..7a7815d 100644
+index 7c7e932..8d23158 100644
 --- a/net/bluetooth/l2cap_core.c
 +++ b/net/bluetooth/l2cap_core.c
 @@ -3395,8 +3395,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
@@ -85255,6 +85418,223 @@ index 7c7e932..7a7815d 100644
  
  			if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
  			    rfc.mode != chan->mode)
+@@ -3568,10 +3570,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
+ }
+ 
+ static inline int l2cap_command_rej(struct l2cap_conn *conn,
+-				    struct l2cap_cmd_hdr *cmd, u8 *data)
++				    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++				    u8 *data)
+ {
+ 	struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
+ 
++	if (cmd_len < sizeof(*rej))
++		return -EPROTO;
++
+ 	if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
+ 		return 0;
+ 
+@@ -3720,11 +3726,14 @@ sendresp:
+ }
+ 
+ static int l2cap_connect_req(struct l2cap_conn *conn,
+-			     struct l2cap_cmd_hdr *cmd, u8 *data)
++			     struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+ {
+ 	struct hci_dev *hdev = conn->hcon->hdev;
+ 	struct hci_conn *hcon = conn->hcon;
+ 
++	if (cmd_len < sizeof(struct l2cap_conn_req))
++		return -EPROTO;
++
+ 	hci_dev_lock(hdev);
+ 	if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
+ 	    !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
+@@ -3738,7 +3747,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn,
+ }
+ 
+ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+-				    struct l2cap_cmd_hdr *cmd, u8 *data)
++				    struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++				    u8 *data)
+ {
+ 	struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
+ 	u16 scid, dcid, result, status;
+@@ -3746,6 +3756,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ 	u8 req[128];
+ 	int err;
+ 
++	if (cmd_len < sizeof(*rsp))
++		return -EPROTO;
++
+ 	scid   = __le16_to_cpu(rsp->scid);
+ 	dcid   = __le16_to_cpu(rsp->dcid);
+ 	result = __le16_to_cpu(rsp->result);
+@@ -3843,6 +3856,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
+ 	struct l2cap_chan *chan;
+ 	int len, err = 0;
+ 
++	if (cmd_len < sizeof(*req))
++		return -EPROTO;
++
+ 	dcid  = __le16_to_cpu(req->dcid);
+ 	flags = __le16_to_cpu(req->flags);
+ 
+@@ -3866,7 +3882,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
+ 
+ 	/* Reject if config buffer is too small. */
+ 	len = cmd_len - sizeof(*req);
+-	if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
++	if (chan->conf_len + len > sizeof(chan->conf_req)) {
+ 		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ 			       l2cap_build_conf_rsp(chan, rsp,
+ 			       L2CAP_CONF_REJECT, flags), rsp);
+@@ -3944,14 +3960,18 @@ unlock:
+ }
+ 
+ static inline int l2cap_config_rsp(struct l2cap_conn *conn,
+-				   struct l2cap_cmd_hdr *cmd, u8 *data)
++				   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++				   u8 *data)
+ {
+ 	struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
+ 	u16 scid, flags, result;
+ 	struct l2cap_chan *chan;
+-	int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
++	int len = cmd_len - sizeof(*rsp);
+ 	int err = 0;
+ 
++	if (cmd_len < sizeof(*rsp))
++		return -EPROTO;
++
+ 	scid   = __le16_to_cpu(rsp->scid);
+ 	flags  = __le16_to_cpu(rsp->flags);
+ 	result = __le16_to_cpu(rsp->result);
+@@ -4052,7 +4072,8 @@ done:
+ }
+ 
+ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+-				       struct l2cap_cmd_hdr *cmd, u8 *data)
++				       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++				       u8 *data)
+ {
+ 	struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
+ 	struct l2cap_disconn_rsp rsp;
+@@ -4060,6 +4081,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+ 	struct l2cap_chan *chan;
+ 	struct sock *sk;
+ 
++	if (cmd_len != sizeof(*req))
++		return -EPROTO;
++
+ 	scid = __le16_to_cpu(req->scid);
+ 	dcid = __le16_to_cpu(req->dcid);
+ 
+@@ -4099,12 +4123,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
+ }
+ 
+ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+-				       struct l2cap_cmd_hdr *cmd, u8 *data)
++				       struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++				       u8 *data)
+ {
+ 	struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
+ 	u16 dcid, scid;
+ 	struct l2cap_chan *chan;
+ 
++	if (cmd_len != sizeof(*rsp))
++		return -EPROTO;
++
+ 	scid = __le16_to_cpu(rsp->scid);
+ 	dcid = __le16_to_cpu(rsp->dcid);
+ 
+@@ -4134,11 +4162,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
+ }
+ 
+ static inline int l2cap_information_req(struct l2cap_conn *conn,
+-					struct l2cap_cmd_hdr *cmd, u8 *data)
++					struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++					u8 *data)
+ {
+ 	struct l2cap_info_req *req = (struct l2cap_info_req *) data;
+ 	u16 type;
+ 
++	if (cmd_len != sizeof(*req))
++		return -EPROTO;
++
+ 	type = __le16_to_cpu(req->type);
+ 
+ 	BT_DBG("type 0x%4.4x", type);
+@@ -4185,11 +4217,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn,
+ }
+ 
+ static inline int l2cap_information_rsp(struct l2cap_conn *conn,
+-					struct l2cap_cmd_hdr *cmd, u8 *data)
++					struct l2cap_cmd_hdr *cmd, u16 cmd_len,
++					u8 *data)
+ {
+ 	struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
+ 	u16 type, result;
+ 
++	if (cmd_len != sizeof(*rsp))
++		return -EPROTO;
++
+ 	type   = __le16_to_cpu(rsp->type);
+ 	result = __le16_to_cpu(rsp->result);
+ 
+@@ -5055,16 +5091,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ 
+ 	switch (cmd->code) {
+ 	case L2CAP_COMMAND_REJ:
+-		l2cap_command_rej(conn, cmd, data);
++		l2cap_command_rej(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_CONN_REQ:
+-		err = l2cap_connect_req(conn, cmd, data);
++		err = l2cap_connect_req(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_CONN_RSP:
+ 	case L2CAP_CREATE_CHAN_RSP:
+-		err = l2cap_connect_create_rsp(conn, cmd, data);
++		err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_CONF_REQ:
+@@ -5072,15 +5108,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ 		break;
+ 
+ 	case L2CAP_CONF_RSP:
+-		err = l2cap_config_rsp(conn, cmd, data);
++		err = l2cap_config_rsp(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_DISCONN_REQ:
+-		err = l2cap_disconnect_req(conn, cmd, data);
++		err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_DISCONN_RSP:
+-		err = l2cap_disconnect_rsp(conn, cmd, data);
++		err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_ECHO_REQ:
+@@ -5091,11 +5127,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+ 		break;
+ 
+ 	case L2CAP_INFO_REQ:
+-		err = l2cap_information_req(conn, cmd, data);
++		err = l2cap_information_req(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_INFO_RSP:
+-		err = l2cap_information_rsp(conn, cmd, data);
++		err = l2cap_information_rsp(conn, cmd, cmd_len, data);
+ 		break;
+ 
+ 	case L2CAP_CREATE_CHAN_REQ:
 diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
 index 1bcfb84..dad9f98 100644
 --- a/net/bluetooth/l2cap_sock.c
@@ -85486,7 +85866,7 @@ index 117814a..ad4fb73 100644
  
  	if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
 diff --git a/net/compat.c b/net/compat.c
-index 79ae884..17c5c09 100644
+index 79ae884..0541331 100644
 --- a/net/compat.c
 +++ b/net/compat.c
 @@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
@@ -85616,7 +85996,45 @@ index 79ae884..17c5c09 100644
  	struct group_filter __user *kgf;
  	int __user	*koptlen;
  	u32 interface, fmode, numsrc;
-@@ -796,7 +796,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
+@@ -734,19 +734,25 @@ static unsigned char nas[21] = {
+ 
+ asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
+ {
+-	return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
++	if (flags & MSG_CMSG_COMPAT)
++		return -EINVAL;
++	return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ }
+ 
+ asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ 				    unsigned int vlen, unsigned int flags)
+ {
++	if (flags & MSG_CMSG_COMPAT)
++		return -EINVAL;
+ 	return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ 			      flags | MSG_CMSG_COMPAT);
+ }
+ 
+ asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
+ {
+-	return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
++	if (flags & MSG_CMSG_COMPAT)
++		return -EINVAL;
++	return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
+ }
+ 
+ asmlinkage long compat_sys_recv(int fd, void __user *buf, size_t len, unsigned int flags)
+@@ -768,6 +774,9 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+ 	int datagrams;
+ 	struct timespec ktspec;
+ 
++	if (flags & MSG_CMSG_COMPAT)
++		return -EINVAL;
++
+ 	if (COMPAT_USE_64BIT_TIME)
+ 		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+ 				      flags | MSG_CMSG_COMPAT,
+@@ -796,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
  
  	if (call < SYS_SOCKET || call > SYS_SENDMMSG)
  		return -EINVAL;
@@ -86559,7 +86977,7 @@ index d9c4f11..02b82dbc 100644
  		msg.msg_flags = flags;
  
 diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
-index c3a4233..1412161 100644
+index c3a4233..7df5626 100644
 --- a/net/ipv4/ip_vti.c
 +++ b/net/ipv4/ip_vti.c
 @@ -47,7 +47,7 @@
@@ -86571,7 +86989,17 @@ index c3a4233..1412161 100644
  
  static int vti_net_id __read_mostly;
  struct vti_net {
-@@ -886,7 +886,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
+@@ -399,8 +399,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
+ 			tunnel->err_count = 0;
+ 	}
+ 
+-	IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
+-			      IPSKB_REROUTED);
++	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ 	skb_dst_drop(skb);
+ 	skb_dst_set(skb, &rt->dst);
+ 	nf_reset(skb);
+@@ -886,7 +885,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
  	[IFLA_VTI_REMOTE]	= { .len = FIELD_SIZEOF(struct iphdr, daddr) },
  };
  
@@ -88040,6 +88468,33 @@ index 5b1e5af..2358147 100644
  	} while (!res);
  	return res;
  }
+diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
+index 637a341..8dec687 100644
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -346,19 +346,19 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
+ 	skb_put(skb, 2);
+ 
+ 	/* Copy user data into skb */
+-	error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
++	error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
++				 total_len);
+ 	if (error < 0) {
+ 		kfree_skb(skb);
+ 		goto error_put_sess_tun;
+ 	}
+-	skb_put(skb, total_len);
+ 
+ 	l2tp_xmit_skb(session, skb, session->hdr_len);
+ 
+ 	sock_put(ps->tunnel_sock);
+ 	sock_put(sk);
+ 
+-	return error;
++	return total_len;
+ 
+ error_put_sess_tun:
+ 	sock_put(ps->tunnel_sock);
 diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
 index 843d8c4..cb04fa1 100644
 --- a/net/mac80211/cfg.c
@@ -88344,7 +88799,7 @@ index 61f49d2..6c8c5bc 100644
  	if (ipvs->sync_state & IP_VS_STATE_MASTER)
  		ip_vs_sync_conn(net, cp, pkts);
 diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index 9e2d1cc..7f8f569 100644
+index 9e2d1cc..6ed0748 100644
 --- a/net/netfilter/ipvs/ip_vs_ctl.c
 +++ b/net/netfilter/ipvs/ip_vs_ctl.c
 @@ -787,7 +787,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
@@ -88383,7 +88838,14 @@ index 9e2d1cc..7f8f569 100644
  					   atomic_read(&dest->weight),
  					   atomic_read(&dest->activeconns),
  					   atomic_read(&dest->inactconns));
-@@ -2568,7 +2568,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+@@ -2562,13 +2562,14 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
+ 		struct ip_vs_dest *dest;
+ 		struct ip_vs_dest_entry entry;
+ 
++		memset(&entry, 0, sizeof(entry));
+ 		list_for_each_entry(dest, &svc->destinations, n_list) {
+ 			if (count >= get->num_dests)
+ 				break;
  
  			entry.addr = dest->addr.ip;
  			entry.port = dest->port;
@@ -88392,7 +88854,7 @@ index 9e2d1cc..7f8f569 100644
  			entry.weight = atomic_read(&dest->weight);
  			entry.u_threshold = dest->u_threshold;
  			entry.l_threshold = dest->l_threshold;
-@@ -3104,7 +3104,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
+@@ -3104,7 +3105,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
  	if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
  	    nla_put_u16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
  	    nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
@@ -88401,7 +88863,7 @@ index 9e2d1cc..7f8f569 100644
  			 IP_VS_CONN_F_FWD_MASK)) ||
  	    nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
  			atomic_read(&dest->weight)) ||
-@@ -3694,7 +3694,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
+@@ -3694,7 +3695,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
  {
  	int idx;
  	struct netns_ipvs *ipvs = net_ipvs(net);
@@ -88847,7 +89309,7 @@ index 103bd70..f21aad3 100644
  		*uaddr_len = sizeof(struct sockaddr_ax25);
  	}
 diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index f83e172..b57140d 100644
+index f83e172..223ffe1 100644
 --- a/net/packet/af_packet.c
 +++ b/net/packet/af_packet.c
 @@ -1571,7 +1571,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
@@ -88887,7 +89349,22 @@ index f83e172..b57140d 100644
  
  	msg->msg_flags |= MSG_ERRQUEUE;
  	err = copied;
-@@ -3205,7 +3207,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -2769,12 +2771,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ 		return -EOPNOTSUPP;
+ 
+ 	uaddr->sa_family = AF_PACKET;
++	memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+ 	rcu_read_lock();
+ 	dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
+ 	if (dev)
+-		strncpy(uaddr->sa_data, dev->name, 14);
+-	else
+-		memset(uaddr->sa_data, 0, 14);
++		strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+ 	rcu_read_unlock();
+ 	*uaddr_len = sizeof(*uaddr);
+ 
+@@ -3205,7 +3206,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
  	case PACKET_HDRLEN:
  		if (len > sizeof(int))
  			len = sizeof(int);
@@ -88896,7 +89373,7 @@ index f83e172..b57140d 100644
  			return -EFAULT;
  		switch (val) {
  		case TPACKET_V1:
-@@ -3247,7 +3249,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+@@ -3247,7 +3248,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
  		len = lv;
  	if (put_user(len, optlen))
  		return -EFAULT;
@@ -89432,6 +89909,33 @@ index 391a245..296b3d7 100644
  }
  
  /* Initialize IPv6 support and register with socket layer.  */
+diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
+index 01dca75..e9426bb 100644
+--- a/net/sctp/outqueue.c
++++ b/net/sctp/outqueue.c
+@@ -206,6 +206,8 @@ static inline int sctp_cacc_skip(struct sctp_transport *primary,
+  */
+ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ {
++	memset(q, 0, sizeof(struct sctp_outq));
++
+ 	q->asoc = asoc;
+ 	INIT_LIST_HEAD(&q->out_chunk_list);
+ 	INIT_LIST_HEAD(&q->control_chunk_list);
+@@ -213,13 +215,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
+ 	INIT_LIST_HEAD(&q->sacked);
+ 	INIT_LIST_HEAD(&q->abandoned);
+ 
+-	q->fast_rtx = 0;
+-	q->outstanding_bytes = 0;
+ 	q->empty = 1;
+-	q->cork  = 0;
+-
+-	q->malloced = 0;
+-	q->out_qlen = 0;
+ }
+ 
+ /* Free the outqueue structure and any related pending chunks.
 diff --git a/net/sctp/probe.c b/net/sctp/probe.c
 index ad0dba8..e62c225 100644
 --- a/net/sctp/probe.c
@@ -89516,7 +90020,7 @@ index 8aab894..f6b7e7d 100644
  	sctp_generate_t1_cookie_event,
  	sctp_generate_t1_init_event,
 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index b907073..57fef6c 100644
+index b907073..7bea2ca 100644
 --- a/net/sctp/socket.c
 +++ b/net/sctp/socket.c
 @@ -2166,11 +2166,13 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
@@ -89534,7 +90038,20 @@ index b907073..57fef6c 100644
  
  	/*
  	 * At the time when a user app subscribes to SCTP_SENDER_DRY_EVENT,
-@@ -4215,13 +4217,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
+@@ -4002,6 +4004,12 @@ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
+ 
+ 	/* Release our hold on the endpoint. */
+ 	sp = sctp_sk(sk);
++	/* This could happen during socket init, thus we bail out
++	 * early, since the rest of the below is not setup either.
++	 */
++	if (sp->ep == NULL)
++		return;
++
+ 	if (sp->do_auto_asconf) {
+ 		sp->do_auto_asconf = 0;
+ 		list_del(&sp->auto_asconf_list);
+@@ -4215,13 +4223,16 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
  static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
  				  int __user *optlen)
  {
@@ -89552,7 +90069,7 @@ index b907073..57fef6c 100644
  		return -EFAULT;
  	return 0;
  }
-@@ -4239,6 +4244,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
+@@ -4239,6 +4250,8 @@ static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
   */
  static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optval, int __user *optlen)
  {
@@ -89561,7 +90078,7 @@ index b907073..57fef6c 100644
  	/* Applicable to UDP-style socket only */
  	if (sctp_style(sk, TCP))
  		return -EOPNOTSUPP;
-@@ -4247,7 +4254,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
+@@ -4247,7 +4260,8 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
  	len = sizeof(int);
  	if (put_user(len, optlen))
  		return -EFAULT;
@@ -89571,7 +90088,7 @@ index b907073..57fef6c 100644
  		return -EFAULT;
  	return 0;
  }
-@@ -4619,12 +4627,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
+@@ -4619,12 +4633,15 @@ static int sctp_getsockopt_delayed_ack(struct sock *sk, int len,
   */
  static int sctp_getsockopt_initmsg(struct sock *sk, int len, char __user *optval, int __user *optlen)
  {
@@ -89588,7 +90105,7 @@ index b907073..57fef6c 100644
  		return -EFAULT;
  	return 0;
  }
-@@ -4665,6 +4676,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
+@@ -4665,6 +4682,8 @@ static int sctp_getsockopt_peer_addrs(struct sock *sk, int len,
  		addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
  		if (space_left < addrlen)
  			return -ENOMEM;
@@ -89620,7 +90137,7 @@ index bf3c6e8..376d8d0 100644
  
  	table = kmemdup(sctp_net_table, sizeof(sctp_net_table), GFP_KERNEL);
 diff --git a/net/socket.c b/net/socket.c
-index 88f759a..c6933de 100644
+index 88f759a..74be616 100644
 --- a/net/socket.c
 +++ b/net/socket.c
 @@ -88,6 +88,7 @@
@@ -89791,6 +90308,15 @@ index 88f759a..c6933de 100644
  	int err, err2;
  	int fput_needed;
  
+@@ -1978,7 +2040,7 @@ struct used_address {
+ 	unsigned int name_len;
+ };
+ 
+-static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
++static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
+ 			 struct msghdr *msg_sys, unsigned int flags,
+ 			 struct used_address *used_address)
+ {
 @@ -2045,7 +2107,7 @@ static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
  		 * checking falls down on this.
  		 */
@@ -89800,7 +90326,83 @@ index 88f759a..c6933de 100644
  				   ctl_len))
  			goto out_freectl;
  		msg_sys->msg_control = ctl_buf;
-@@ -2185,7 +2247,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2093,20 +2155,28 @@ out:
+  *	BSD sendmsg interface
+  */
+ 
++long __sys_sendmsg(int fd, struct msghdr __user *msg, unsigned flags)
++{
++	int fput_needed, err;
++	struct msghdr msg_sys;
++	struct socket *sock;
++
++	sock = sockfd_lookup_light(fd, &err, &fput_needed);
++	if (!sock)
++		goto out;
++
++	err = ___sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
++
++	fput_light(sock->file, fput_needed);
++out:
++	return err;
++}
++
+ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned int, flags)
+ {
+-	int fput_needed, err;
+-	struct msghdr msg_sys;
+-	struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+-
+-	if (!sock)
+-		goto out;
+-
+-	err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
+-
+-	fput_light(sock->file, fput_needed);
+-out:
+-	return err;
++	if (flags & MSG_CMSG_COMPAT)
++		return -EINVAL;
++	return __sys_sendmsg(fd, msg, flags);
+ }
+ 
+ /*
+@@ -2139,15 +2209,16 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ 
+ 	while (datagrams < vlen) {
+ 		if (MSG_CMSG_COMPAT & flags) {
+-			err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
+-					    &msg_sys, flags, &used_address);
++			err = ___sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
++					     &msg_sys, flags, &used_address);
+ 			if (err < 0)
+ 				break;
+ 			err = __put_user(err, &compat_entry->msg_len);
+ 			++compat_entry;
+ 		} else {
+-			err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
+-					    &msg_sys, flags, &used_address);
++			err = ___sys_sendmsg(sock,
++					     (struct msghdr __user *)entry,
++					     &msg_sys, flags, &used_address);
+ 			if (err < 0)
+ 				break;
+ 			err = put_user(err, &entry->msg_len);
+@@ -2171,10 +2242,12 @@ int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
+ 		unsigned int, vlen, unsigned int, flags)
+ {
++	if (flags & MSG_CMSG_COMPAT)
++		return -EINVAL;
+ 	return __sys_sendmmsg(fd, mmsg, vlen, flags);
+ }
+ 
+-static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
++static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+ 			 struct msghdr *msg_sys, unsigned int flags, int nosec)
+ {
+ 	struct compat_msghdr __user *msg_compat =
+@@ -2185,7 +2258,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
  	int err, total_len, len;
  
  	/* kernel mode address */
@@ -89809,7 +90411,7 @@ index 88f759a..c6933de 100644
  
  	/* user mode address pointers */
  	struct sockaddr __user *uaddr;
-@@ -2213,7 +2275,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
+@@ -2213,7 +2286,7 @@ static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
  	 *      kernel msghdr to use the kernel address space)
  	 */
  
@@ -89818,7 +90420,84 @@ index 88f759a..c6933de 100644
  	uaddr_len = COMPAT_NAMELEN(msg);
  	if (MSG_CMSG_COMPAT & flags) {
  		err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
-@@ -2952,7 +3014,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
+@@ -2266,21 +2339,29 @@ out:
+  *	BSD recvmsg interface
+  */
+ 
++long __sys_recvmsg(int fd, struct msghdr __user *msg, unsigned flags)
++{
++	int fput_needed, err;
++	struct msghdr msg_sys;
++	struct socket *sock;
++
++	sock = sockfd_lookup_light(fd, &err, &fput_needed);
++	if (!sock)
++		goto out;
++
++	err = ___sys_recvmsg(sock, msg, &msg_sys, flags, 0);
++
++	fput_light(sock->file, fput_needed);
++out:
++	return err;
++}
++
+ SYSCALL_DEFINE3(recvmsg, int, fd, struct msghdr __user *, msg,
+ 		unsigned int, flags)
+ {
+-	int fput_needed, err;
+-	struct msghdr msg_sys;
+-	struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+-
+-	if (!sock)
+-		goto out;
+-
+-	err = __sys_recvmsg(sock, msg, &msg_sys, flags, 0);
+-
+-	fput_light(sock->file, fput_needed);
+-out:
+-	return err;
++	if (flags & MSG_CMSG_COMPAT)
++		return -EINVAL;
++	return __sys_recvmsg(fd, msg, flags);
+ }
+ 
+ /*
+@@ -2320,17 +2401,18 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ 		 * No need to ask LSM for more than the first datagram.
+ 		 */
+ 		if (MSG_CMSG_COMPAT & flags) {
+-			err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
+-					    &msg_sys, flags & ~MSG_WAITFORONE,
+-					    datagrams);
++			err = ___sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
++					     &msg_sys, flags & ~MSG_WAITFORONE,
++					     datagrams);
+ 			if (err < 0)
+ 				break;
+ 			err = __put_user(err, &compat_entry->msg_len);
+ 			++compat_entry;
+ 		} else {
+-			err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
+-					    &msg_sys, flags & ~MSG_WAITFORONE,
+-					    datagrams);
++			err = ___sys_recvmsg(sock,
++					     (struct msghdr __user *)entry,
++					     &msg_sys, flags & ~MSG_WAITFORONE,
++					     datagrams);
+ 			if (err < 0)
+ 				break;
+ 			err = put_user(err, &entry->msg_len);
+@@ -2397,6 +2479,9 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
+ 	int datagrams;
+ 	struct timespec timeout_sys;
+ 
++	if (flags & MSG_CMSG_COMPAT)
++		return -EINVAL;
++
+ 	if (!timeout)
+ 		return __sys_recvmmsg(fd, mmsg, vlen, flags, NULL);
+ 
+@@ -2952,7 +3037,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
  		old_fs = get_fs();
  		set_fs(KERNEL_DS);
  		err = dev_ioctl(net, cmd,
@@ -89827,7 +90506,7 @@ index 88f759a..c6933de 100644
  		set_fs(old_fs);
  
  		return err;
-@@ -3061,7 +3123,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
+@@ -3061,7 +3146,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
  
  	old_fs = get_fs();
  	set_fs(KERNEL_DS);
@@ -89836,7 +90515,7 @@ index 88f759a..c6933de 100644
  	set_fs(old_fs);
  
  	if (cmd == SIOCGIFMAP && !err) {
-@@ -3166,7 +3228,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
+@@ -3166,7 +3251,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
  		ret |= __get_user(rtdev, &(ur4->rt_dev));
  		if (rtdev) {
  			ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
@@ -89845,7 +90524,7 @@ index 88f759a..c6933de 100644
  			devname[15] = 0;
  		} else
  			r4.rt_dev = NULL;
-@@ -3392,8 +3454,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+@@ -3392,8 +3477,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
  	int __user *uoptlen;
  	int err;
  
@@ -89856,7 +90535,7 @@ index 88f759a..c6933de 100644
  
  	set_fs(KERNEL_DS);
  	if (level == SOL_SOCKET)
-@@ -3413,7 +3475,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+@@ -3413,7 +3498,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
  	char __user *uoptval;
  	int err;
  
@@ -91959,6 +92638,272 @@ index e9c6ac7..e6254cf 100644
  	default 65536
  	help
  	  This is the portion of low virtual memory which should be protected
+diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
+index 9b9013b..51ebf96 100644
+--- a/security/apparmor/Kconfig
++++ b/security/apparmor/Kconfig
+@@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
+ 	  boot.
+ 
+ 	  If you are unsure how to answer this question, answer 1.
++
++config SECURITY_APPARMOR_COMPAT_24
++	bool "Enable AppArmor 2.4 compatability"
++	depends on SECURITY_APPARMOR
++	default y
++	help
++	  This option enables compatability with AppArmor 2.4.  It is
++          recommended if compatability with older versions of AppArmor
++          is desired.
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 16c15ec..42b7c9f 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -182,6 +182,234 @@ const struct file_operations aa_fs_seq_file_ops = {
+ 	.release	= single_release,
+ };
+ 
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++/**
++ * __next_namespace - find the next namespace to list
++ * @root: root namespace to stop search at (NOT NULL)
++ * @ns: current ns position (NOT NULL)
++ *
++ * Find the next namespace from @ns under @root and handle all locking needed
++ * while switching current namespace.
++ *
++ * Returns: next namespace or NULL if at last namespace under @root
++ * NOTE: will not unlock root->lock
++ */
++static struct aa_namespace *__next_namespace(struct aa_namespace *root,
++					     struct aa_namespace *ns)
++{
++	struct aa_namespace *parent;
++
++	/* is next namespace a child */
++	if (!list_empty(&ns->sub_ns)) {
++		struct aa_namespace *next;
++		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
++		read_lock(&next->lock);
++		return next;
++	}
++
++	/* check if the next ns is a sibling, parent, gp, .. */
++	parent = ns->parent;
++	while (parent) {
++		read_unlock(&ns->lock);
++		list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
++			read_lock(&ns->lock);
++			return ns;
++		}
++		if (parent == root)
++			return NULL;
++		ns = parent;
++		parent = parent->parent;
++	}
++
++	return NULL;
++}
++
++/**
++ * __first_profile - find the first profile in a namespace
++ * @root: namespace that is root of profiles being displayed (NOT NULL)
++ * @ns: namespace to start in   (NOT NULL)
++ *
++ * Returns: unrefcounted profile or NULL if no profile
++ */
++static struct aa_profile *__first_profile(struct aa_namespace *root,
++					  struct aa_namespace *ns)
++{
++	for ( ; ns; ns = __next_namespace(root, ns)) {
++		if (!list_empty(&ns->base.profiles))
++			return list_first_entry(&ns->base.profiles,
++						struct aa_profile, base.list);
++	}
++	return NULL;
++}
++
++/**
++ * __next_profile - step to the next profile in a profile tree
++ * @profile: current profile in tree (NOT NULL)
++ *
++ * Perform a depth first taversal on the profile tree in a namespace
++ *
++ * Returns: next profile or NULL if done
++ * Requires: profile->ns.lock to be held
++ */
++static struct aa_profile *__next_profile(struct aa_profile *p)
++{
++	struct aa_profile *parent;
++	struct aa_namespace *ns = p->ns;
++
++	/* is next profile a child */
++	if (!list_empty(&p->base.profiles))
++		return list_first_entry(&p->base.profiles, typeof(*p),
++					base.list);
++
++	/* is next profile a sibling, parent sibling, gp, subling, .. */
++	parent = p->parent;
++	while (parent) {
++		list_for_each_entry_continue(p, &parent->base.profiles,
++					     base.list)
++				return p;
++		p = parent;
++		parent = parent->parent;
++	}
++
++	/* is next another profile in the namespace */
++	list_for_each_entry_continue(p, &ns->base.profiles, base.list)
++		return p;
++
++	return NULL;
++}
++
++/**
++ * next_profile - step to the next profile in where ever it may be
++ * @root: root namespace  (NOT NULL)
++ * @profile: current profile  (NOT NULL)
++ *
++ * Returns: next profile or NULL if there isn't one
++ */
++static struct aa_profile *next_profile(struct aa_namespace *root,
++				       struct aa_profile *profile)
++{
++	struct aa_profile *next = __next_profile(profile);
++	if (next)
++		return next;
++
++	/* finished all profiles in namespace move to next namespace */
++	return __first_profile(root, __next_namespace(root, profile->ns));
++}
++
++/**
++ * p_start - start a depth first traversal of profile tree
++ * @f: seq_file to fill
++ * @pos: current position
++ *
++ * Returns: first profile under current namespace or NULL if none found
++ *
++ * acquires first ns->lock
++ */
++static void *p_start(struct seq_file *f, loff_t *pos)
++	__acquires(root->lock)
++{
++	struct aa_profile *profile = NULL;
++	struct aa_namespace *root = aa_current_profile()->ns;
++	loff_t l = *pos;
++	f->private = aa_get_namespace(root);
++
++
++	/* find the first profile */
++	read_lock(&root->lock);
++	profile = __first_profile(root, root);
++
++	/* skip to position */
++	for (; profile && l > 0; l--)
++		profile = next_profile(root, profile);
++
++	return profile;
++}
++
++/**
++ * p_next - read the next profile entry
++ * @f: seq_file to fill
++ * @p: profile previously returned
++ * @pos: current position
++ *
++ * Returns: next profile after @p or NULL if none
++ *
++ * may acquire/release locks in namespace tree as necessary
++ */
++static void *p_next(struct seq_file *f, void *p, loff_t *pos)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private;
++	(*pos)++;
++
++	return next_profile(root, profile);
++}
++
++/**
++ * p_stop - stop depth first traversal
++ * @f: seq_file we are filling
++ * @p: the last profile writen
++ *
++ * Release all locking done by p_start/p_next on namespace tree
++ */
++static void p_stop(struct seq_file *f, void *p)
++	__releases(root->lock)
++{
++	struct aa_profile *profile = p;
++	struct aa_namespace *root = f->private, *ns;
++
++	if (profile) {
++		for (ns = profile->ns; ns && ns != root; ns = ns->parent)
++			read_unlock(&ns->lock);
++	}
++	read_unlock(&root->lock);
++	aa_put_namespace(root);
++}
++
++/**
++ * seq_show_profile - show a profile entry
++ * @f: seq_file to file
++ * @p: current position (profile)    (NOT NULL)
++ *
++ * Returns: error on failure
++ */
++static int seq_show_profile(struct seq_file *f, void *p)
++{
++	struct aa_profile *profile = (struct aa_profile *)p;
++	struct aa_namespace *root = f->private;
++
++	if (profile->ns != root)
++		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
++	seq_printf(f, "%s (%s)\n", profile->base.hname,
++		   COMPLAIN_MODE(profile) ? "complain" : "enforce");
++
++	return 0;
++}
++
++static const struct seq_operations aa_fs_profiles_op = {
++	.start = p_start,
++	.next = p_next,
++	.stop = p_stop,
++	.show = seq_show_profile,
++};
++
++static int profiles_open(struct inode *inode, struct file *file)
++{
++	return seq_open(file, &aa_fs_profiles_op);
++}
++
++static int profiles_release(struct inode *inode, struct file *file)
++{
++	return seq_release(inode, file);
++}
++
++const struct file_operations aa_fs_profiles_fops = {
++	.open = profiles_open,
++	.read = seq_read,
++	.llseek = seq_lseek,
++	.release = profiles_release,
++};
++#endif /* CONFIG_SECURITY_APPARMOR_COMPAT_24 */
++
+ /** Base file system setup **/
+ 
+ static struct aa_fs_entry aa_fs_entry_file[] = {
+@@ -210,6 +438,9 @@ static struct aa_fs_entry aa_fs_entry_apparmor[] = {
+ 	AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
+ 	AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
+ 	AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
++#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
++	AA_FS_FILE_FOPS("profiles", 0640, &aa_fs_profiles_fops),
++#endif
+ 	AA_FS_DIR("features", aa_fs_entry_features),
+ 	{ }
+ };
 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
 index b21830e..a7d1a17 100644
 --- a/security/apparmor/lsm.c
diff --git a/3.9.5/4425_grsec_remove_EI_PAX.patch b/3.9.6/4425_grsec_remove_EI_PAX.patch
index 415fda5..415fda5 100644
--- a/3.9.5/4425_grsec_remove_EI_PAX.patch
+++ b/3.9.6/4425_grsec_remove_EI_PAX.patch
diff --git a/3.9.5/4427_force_XATTR_PAX_tmpfs.patch b/3.9.6/4427_force_XATTR_PAX_tmpfs.patch
index e2a9551..e2a9551 100644
--- a/3.9.5/4427_force_XATTR_PAX_tmpfs.patch
+++ b/3.9.6/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/3.9.5/4430_grsec-remove-localversion-grsec.patch b/3.9.6/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/3.9.5/4430_grsec-remove-localversion-grsec.patch
+++ b/3.9.6/4430_grsec-remove-localversion-grsec.patch
diff --git a/3.9.5/4435_grsec-mute-warnings.patch b/3.9.6/4435_grsec-mute-warnings.patch
index ed941d5..ed941d5 100644
--- a/3.9.5/4435_grsec-mute-warnings.patch
+++ b/3.9.6/4435_grsec-mute-warnings.patch
diff --git a/3.9.5/4440_grsec-remove-protected-paths.patch b/3.9.6/4440_grsec-remove-protected-paths.patch
index 637934a..637934a 100644
--- a/3.9.5/4440_grsec-remove-protected-paths.patch
+++ b/3.9.6/4440_grsec-remove-protected-paths.patch
diff --git a/3.9.5/4450_grsec-kconfig-default-gids.patch b/3.9.6/4450_grsec-kconfig-default-gids.patch
index f144c0e..f144c0e 100644
--- a/3.9.5/4450_grsec-kconfig-default-gids.patch
+++ b/3.9.6/4450_grsec-kconfig-default-gids.patch
diff --git a/3.9.5/4465_selinux-avc_audit-log-curr_ip.patch b/3.9.6/4465_selinux-avc_audit-log-curr_ip.patch
index b0786d4..b0786d4 100644
--- a/3.9.5/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.9.6/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/3.9.5/4470_disable-compat_vdso.patch b/3.9.6/4470_disable-compat_vdso.patch
index 424d91f..424d91f 100644
--- a/3.9.5/4470_disable-compat_vdso.patch
+++ b/3.9.6/4470_disable-compat_vdso.patch
diff --git a/3.9.5/4475_emutramp_default_on.patch b/3.9.6/4475_emutramp_default_on.patch
index 27bfc2d..27bfc2d 100644
--- a/3.9.5/4475_emutramp_default_on.patch
+++ b/3.9.6/4475_emutramp_default_on.patch