[kernel] r19768 - in dists/squeeze-security/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/all/stable debian/patches/bugfix/ia64 debian/patches/bugfix/x86 debian/patches/debian debian/patches/features/all/hpsa debian/patches/features/all/megaraid_sas debian/patches/features/all/openvz debian/patches/features/all/vserver debian/patches/features/x86 debian/patches/features/x86/isci debian/patches/series

Dann Frazier dannf at alioth.debian.org
Tue Jan 22 06:01:57 UTC 2013


Author: dannf
Date: Tue Jan 22 06:01:55 2013
New Revision: 19768

Log:
merge 2.6.32-47

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/stable/2.6.32.60.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/stable/2.6.32.60.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch
   dists/squeeze-security/linux-2.6/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch
   dists/squeeze-security/linux-2.6/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/megaraid_sas/
      - copied from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/megaraid_sas/
   dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/x86/isci/
      - copied from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/isci/
   dists/squeeze-security/linux-2.6/debian/patches/series/47
      - copied unchanged from r19767, releases/linux-2.6/2.6.32-47/debian/patches/series/47
   dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
      - copied unchanged from r19767, dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1
Deleted:
   dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1
Modified:
   dists/squeeze-security/linux-2.6/   (props changed)
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
   dists/squeeze-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.8.patch

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Mon Jan 21 04:42:29 2013	(r19767)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Tue Jan 22 06:01:55 2013	(r19768)
@@ -1,9 +1,106 @@
-linux-2.6 (2.6.32-46squeeze1) UNRELEASED; urgency=high
+linux-2.6 (2.6.32-47squeeze1) UNRELEASED; urgency=high
 
   * kmod: make __request_module() killable (CVE-2012-4398)
 
  -- dann frazier <dannf at debian.org>  Mon, 22 Oct 2012 20:34:13 -0500
 
+linux-2.6 (2.6.32-47) stable; urgency=low
+
+  [ Ben Hutchings ]
+  * [x86] ALSA: hda_intel: Add device/class IDs for Intel Patsburg,
+    Vortex86MX, VMware, Intel Panther Point and other Intel chips
+    (Closes: #689928)
+  * header: fix broken headers for user space (Closes: #692133)
+  * nfsv4: Fix kernel panic when mounting NFSv4 (Closes: #695872)
+  * hpsa: Backport changes up to Linux 3.2.35 (Closes: #690100)
+  * net: fix route cache rebuilds (Closes: #646063)
+  * Add longterm release 2.6.32.60, including:
+    - netxen: support for GbE port settings (Closes: #638921)
+    - futex: Fix uninterruptible loop due to gate_area
+    - time: Improve sanity checking of timekeeping inputs
+    - eCryptfs: Copy up lower inode attrs after setting lower xattr
+    - eCryptfs: Clear ECRYPTFS_NEW_FILE flag during truncate
+    - bonding: 802.3ad - fix agg_device_up
+    - usbnet: increase URB reference count before usb_unlink_urb
+    - usbnet: don't clear urb->dev in tx_complete
+    - xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink()
+    - nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
+    - ntp: Fix integer overflow when setting time
+    - ext4: check for zero length extent
+    - Bluetooth: add NULL pointer check in HCI
+    - Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
+    - phonet: Check input from user before allocating
+    - netlink: fix races after skb queueing
+    - net: fix a race in sock_queue_err_skb()
+    - net/ethernet: ks8851_mll fix rx frame buffer overflow
+    - NFSv4: Revalidate uid/gid after open (Closes: #659111)
+    - ext3: Fix error handling on inode bitmap corruption
+    - ext4: fix error handling on inode bitmap corruption
+    - SCSI: fix scsi_wait_scan
+    - fuse: fix stat call on 32 bit platforms
+    - udf: Improve table length check to avoid possible overflow
+    - eCryptfs: Properly check for O_RDONLY flag before doing privileged open
+    - mm: Hold a file reference in madvise_remove (CVE-2012-3511)
+    - SCSI: Avoid dangling pointer in scsi_requeue_command()
+    - usbdevfs: Correct amount of data copied to user in processcompl_compat
+    - ext4: don't let i_reserved_meta_blocks go negative
+    - sctp: Fix list corruption resulting from freeing an association on a list
+    - cipso: don't follow a NULL pointer when setsockopt() is called
+    - net/tun: fix ioctl() based info leaks
+    - futex: Test for pi_mutex on fault in futex_wait_requeue_pi()
+    - futex: Fix bug in WARN_ON for NULL q.pi_state
+    - futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()
+    - mm: mmu_notifier: fix freed page still mapped in secondary MMU
+    - fuse: verify all ioctl retry iov elements
+    - vfs: missed source of ->f_pos races - compat_sys_{read,write}v()
+    - NFSv3: Ensure that do_proc_get_root() reports errors correctly
+    - Remove user-triggerable BUG from mpol_to_str
+    - udf: Fix data corruption for files in ICB
+    - ext3: Fix fdatasync() for files with only i_size changes
+    - dccp: check ccid before dereferencing
+    - [ia64] Add accept4() syscall (Closes: #647825)
+    - tcp: drop SYN+FIN messages
+    - [x86] amd, xen: Avoid NULL pointer paravirt references
+    - [x86] tls: Off by one limit check
+    - sparc64: Eliminate obsolete __handle_softirq() function
+    - udf: fix retun value on error path in udf_load_logicalvol
+    - epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()
+    - epoll: ep_unregister_pollwait() can use the freed pwq->whead
+    - Don't limit non-nested epoll paths
+    - epoll: limit paths (CVE-2011-1083)
+    - epoll: clear the tfile_check_list on -ELOOP (CVE-2012-3375)
+    - random: Improve random number generation on non-interactive systems
+      + random: Use arch_get_random_int instead of cycle counter if avail
+      + random: Use arch-specific RNG to initialize the entropy store
+      + random: make 'add_interrupt_randomness()' do something sane
+      + usb: feed USB device information to the /dev/random driver
+      + net: feed /dev/random with the MAC address when registering a device
+      + rtc: wm831x: Feed the write counter into device_add_randomness()
+      + mfd: wm831x: Feed the device UUID into device_add_randomness()
+      + dmi: Feed DMI table to /dev/random driver
+    For the complete list of changes, see:
+     http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.60
+    and the bug report which this closes: #698022.
+    - [ia64] Revert "pcdp: use early_ioremap/early_iounmap to access pcdp
+      table", which breaks compilation of this driver
+  * [x86] Don't use the EFI reboot method by default (Closes: #626022)
+  * [x86] drm/i915: Attempt to fix watermark setup on 85x (v2)
+    (Closes: #661696)
+  * [x86] isci: Backport changes up to Linux 3.2.35 (Closes: #698094)
+  * [amd64] rtl8192e: Fix transmit on 64-bit architectures (Closes: #698473)
+  * [x86] usbip: Fix loss of isochronous packets that require padding
+    (Closes: #698474)
+  * staging: Fix various log messages that were broken on 64-bit architectures
+    (Closes: #698475)
+  * [x86] xen/x86: don't corrupt %eip when returning from a signal handler
+  * [i386] xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS
+    guests. (CVE-2013-0190)
+
+  [ Jonathan Nieder ]
+  * megaraid_sas: Backport changes up to Linux 3.0.56 (Closes: #666108)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sat, 19 Jan 2013 05:00:07 +0000
+
 linux-2.6 (2.6.32-46) stable; urgency=high
 
   [ Bastian Blank ]

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/header-fix-broken-headers-for-user-space.patch)
@@ -0,0 +1,39 @@
+From: Changli Gao <xiaosuo at gmail.com>
+Date: Sun, 22 Aug 2010 17:25:05 +0000
+Subject: header: fix broken headers for user space
+Bug-Debian: http://bugs.debian.org/692133
+
+commit 09cd2b99c6cdd1e14e84c1febca2fb91e9f4e5ba upstream.
+
+__packed is only defined in kernel space, so we should use
+__attribute__((packed)) for the code shared between kernel and user space.
+
+Two __attribute() annotations are replaced with __attribute__() too.
+
+Signed-off-by: Changli Gao <xiaosuo at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 2.6.32: most changes were unneeded, as the headers had
+ not yet been wrongly converted to use __packed]
+---
+--- a/include/linux/if_pppox.h
++++ b/include/linux/if_pppox.h
+@@ -92,7 +92,7 @@ struct pppoe_tag {
+ 	__be16 tag_type;
+ 	__be16 tag_len;
+ 	char tag_data[0];
+-} __attribute ((packed));
++} __attribute__ ((packed));
+ 
+ /* Tag identifiers */
+ #define PTT_EOL		__cpu_to_be16(0x0000)
+--- a/include/linux/rfkill.h
++++ b/include/linux/rfkill.h
+@@ -78,7 +78,7 @@ struct rfkill_event {
+ 	__u8  type;
+ 	__u8  op;
+ 	__u8  soft, hard;
+-} __packed;
++} __attribute__((packed));
+ 
+ /*
+  * We are planning to be backward and forward compatible with changes

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/kernel-panic-when-mount-NFSv4.patch)
@@ -0,0 +1,139 @@
+From: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Mon, 20 Dec 2010 21:19:26 +0000
+Subject: kernel panic when mount NFSv4
+
+commit beb0f0a9fba1fa98b378329a9a5b0a73f25097ae upstream.
+
+On Tue, 2010-12-14 at 16:58 +0800, Mi Jinlong wrote:
+> Hi,
+>
+> When testing NFSv4 at RHEL6 with kernel 2.6.32, I got a kernel panic
+> at NFS client's __rpc_create_common function.
+>
+> The panic place is:
+>   rpc_mkpipe
+>     __rpc_lookup_create()          <=== find pipefile *idmap*
+>     __rpc_mkpipe()                 <=== pipefile is *idmap*
+>       __rpc_create_common()
+>        ******  BUG_ON(!d_unhashed(dentry)); ******    *panic*
+>
+> It means that the dentry's d_flags have be set DCACHE_UNHASHED,
+> but it should not be set here.
+>
+> Is someone known this bug? or give me some idea?
+>
+> A reproduce program is append, but it can't reproduce the bug every time.
+> the export is: "/nfsroot       *(rw,no_root_squash,fsid=0,insecure)"
+>
+> And the panic message is append.
+>
+> ============================================================================
+> #!/bin/sh
+>
+> LOOPTOTAL=768
+> LOOPCOUNT=0
+> ret=0
+>
+> while [ $LOOPCOUNT -ne $LOOPTOTAL ]
+> do
+> 	((LOOPCOUNT += 1))
+> 	service nfs restart
+> 	/usr/sbin/rpc.idmapd
+> 	mount -t nfs4 127.0.0.1:/ /mnt|| return 1;
+> 	ls -l /var/lib/nfs/rpc_pipefs/nfs/*/
+> 	umount /mnt
+> 	echo $LOOPCOUNT
+> done
+>
+> ===============================================================================
+> Code: af 60 01 00 00 89 fa 89 f0 e8 64 cf 89 f0 e8 5c 7c 64 cf 31 c0 8b 5c 24 10 8b
+> 74 24 14 8b 7c 24 18 8b 6c 24 1c 83 c4 20 c3 <0f> 0b eb fc 8b 46 28 c7 44 24 08 20
+> de ee f0 c7 44 24 04 56 ea
+> EIP:[<f0ee92ea>] __rpc_create_common+0x8a/0xc0 [sunrpc] SS:ESP 0068:eccb5d28
+> ---[ end trace 8f5606cd08928ed2]---
+> Kernel panic - not syncing: Fatal exception
+> Pid:7131, comm: mount.nfs4 Tainted: G     D   -------------------2.6.32 #1
+> Call Trace:
+>  [<c080ad18>] ? panic+0x42/0xed
+>  [<c080e42c>] ? oops_end+0xbc/0xd0
+>  [<c040b090>] ? do_invalid_op+0x0/0x90
+>  [<c040b10f>] ? do_invalid_op+0x7f/0x90
+>  [<f0ee92ea>] ? __rpc_create_common+0x8a/0xc0[sunrpc]
+>  [<f0edc433>] ? rpc_free_task+0x33/0x70[sunrpc]
+>  [<f0ed6508>] ? prc_call_sync+0x48/0x60[sunrpc]
+>  [<f0ed656e>] ? rpc_ping+0x4e/0x60[sunrpc]
+>  [<f0ed6eaf>] ? rpc_create+0x38f/0x4f0[sunrpc]
+>  [<c080d80b>] ? error_code+0x73/0x78
+>  [<f0ee92ea>] ? __rpc_create_common+0x8a/0xc0[sunrpc]
+>  [<c0532bda>] ? d_lookup+0x2a/0x40
+>  [<f0ee94b1>] ? rpc_mkpipe+0x111/0x1b0[sunrpc]
+>  [<f10a59f4>] ? nfs_create_rpc_client+0xb4/0xf0[nfs]
+>  [<f10d6c6d>] ? nfs_fscache_get_client_cookie+0x1d/0x50[nfs]
+>  [<f10d3fcb>] ? nfs_idmap_new+0x7b/0x140[nfs]
+>  [<c05e76aa>] ? strlcpy+0x3a/0x60
+>  [<f10a60ca>] ? nfs4_set_client+0xea/0x2b0[nfs]
+>  [<f10a6d0c>] ? nfs4_create_server+0xac/0x1b0[nfs]
+>  [<c04f1400>] ? krealloc+0x40/0x50
+>  [<f10b0e8b>] ? nfs4_remote_get_sb+0x6b/0x250[nfs]
+>  [<c04f14ec>] ? kstrdup+0x3c/0x60
+>  [<c0520739>] ? vfs_kern_mount+0x69/0x170
+>  [<f10b1a3c>] ? nfs_do_root_mount+0x6c/0xa0[nfs]
+>  [<f10b1b47>] ? nfs4_try_mount+0x37/0xa0[nfs]
+>  [<f10afe6d>] ? nfs4_validate_text_mount_data+-x7d/0xf0[nfs]
+>  [<f10b1c42>] ? nfs4_get_sb+0x92/0x2f0
+>  [<c0520739>] ? vfs_kern_mount+0x69/0x170
+>  [<c05366d2>] ? get_fs_type+0x32/0xb0
+>  [<c052089f>] ? do_kern_mount+0x3f/0xe0
+>  [<c053954f>] ? do_mount+0x2ef/0x740
+>  [<c0537740>] ? copy_mount_options+0xb0/0x120
+>  [<c0539a0e>] ? sys_mount+0x6e/0xa0
+
+Hi,
+
+Does the following patch fix the problem?
+
+Cheers
+  Trond
+
+--------------------------
+SUNRPC: Fix a BUG in __rpc_create_common
+
+From: Trond Myklebust <Trond.Myklebust at netapp.com>
+
+Mi Jinlong reports:
+
+When testing NFSv4 at RHEL6 with kernel 2.6.32, I got a kernel panic
+at NFS client's __rpc_create_common function.
+
+The panic place is:
+  rpc_mkpipe
+      __rpc_lookup_create()          <=== find pipefile *idmap*
+      __rpc_mkpipe()                 <=== pipefile is *idmap*
+        __rpc_create_common()
+         ******  BUG_ON(!d_unhashed(dentry)); ****** *panic*
+
+The test is wrong: we can find ourselves with a hashed negative dentry here
+if the idmapper tried to look up the file before we got round to creating
+it.
+
+Just replace the BUG_ON() with a d_drop(dentry).
+
+Reported-by: Mi Jinlong <mijinlong at cn.fujitsu.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+---
+ net/sunrpc/rpc_pipe.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
+index 10a17a3..5356d95 100644
+--- a/net/sunrpc/rpc_pipe.c
++++ b/net/sunrpc/rpc_pipe.c
+@@ -466,7 +466,7 @@ static int __rpc_create_common(struct inode *dir, struct dentry *dentry,
+ {
+ 	struct inode *inode;
+ 
+-	BUG_ON(!d_unhashed(dentry));
++	d_drop(dentry);
+ 	inode = rpc_get_inode(dir->i_sb, mode);
+ 	if (!inode)
+ 		goto out_err;

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/net-fix-route-cache-rebuilds.patch)
@@ -0,0 +1,145 @@
+From: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Mon, 8 Mar 2010 03:20:00 +0000
+Subject: net: fix route cache rebuilds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 9837638727488922727b0cfd438039fa73364183 upstream.
+
+We added an automatic route cache rebuilding in commit 1080d709fb9d8cd43
+but had to correct few bugs. One of the assumption of original patch,
+was that entries where kept sorted in a given way.
+
+This assumption is known to be wrong (commit 1ddbcb005c395518 gave an
+explanation of this and corrected a leak) and expensive to respect.
+
+Paweł Staszewski reported to me one of his machine got its routing cache
+disabled after few messages like :
+
+[ 2677.850065] Route hash chain too long!
+[ 2677.850080] Adjust your secret_interval!
+[82839.662993] Route hash chain too long!
+[82839.662996] Adjust your secret_interval!
+[155843.731650] Route hash chain too long!
+[155843.731664] Adjust your secret_interval!
+[155843.811881] Route hash chain too long!
+[155843.811891] Adjust your secret_interval!
+[155843.858209] vlan0811: 5 rebuilds is over limit, route caching
+disabled
+[155843.858212] Route hash chain too long!
+[155843.858213] Adjust your secret_interval!
+
+This is because rt_intern_hash() might be fooled when computing a chain
+length, because multiple entries with same keys can differ because of
+TOS (or mark/oif) bits.
+
+In the rare case the fast algorithm see a too long chain, and before
+taking expensive path, we call a helper function in order to not count
+duplicates of same routes, that only differ with tos/mark/oif bits. This
+helper works with data already in cpu cache and is not be very
+expensive, despite its O(N^2) implementation.
+
+Paweł Staszewski sucessfully tested this patch on his loaded router.
+
+Reported-and-tested-by: Paweł Staszewski <pstaszewski at itcare.pl>
+Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/route.c |   50 ++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 38 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index b2ba558..d9b4024 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -146,7 +146,6 @@ static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst);
+ static void		 ipv4_link_failure(struct sk_buff *skb);
+ static void		 ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu);
+ static int rt_garbage_collect(struct dst_ops *ops);
+-static void rt_emergency_hash_rebuild(struct net *net);
+ 
+ 
+ static struct dst_ops ipv4_dst_ops = {
+@@ -780,11 +779,30 @@ static void rt_do_flush(int process_context)
+ #define FRACT_BITS 3
+ #define ONE (1UL << FRACT_BITS)
+ 
++/*
++ * Given a hash chain and an item in this hash chain,
++ * find if a previous entry has the same hash_inputs
++ * (but differs on tos, mark or oif)
++ * Returns 0 if an alias is found.
++ * Returns ONE if rth has no alias before itself.
++ */
++static int has_noalias(const struct rtable *head, const struct rtable *rth)
++{
++	const struct rtable *aux = head;
++
++	while (aux != rth) {
++		if (compare_hash_inputs(&aux->fl, &rth->fl))
++			return 0;
++		aux = aux->u.dst.rt_next;
++	}
++	return ONE;
++}
++
+ static void rt_check_expire(void)
+ {
+ 	static unsigned int rover;
+ 	unsigned int i = rover, goal;
+-	struct rtable *rth, *aux, **rthp;
++	struct rtable *rth, **rthp;
+ 	unsigned long samples = 0;
+ 	unsigned long sum = 0, sum2 = 0;
+ 	unsigned long delta;
+@@ -835,15 +853,7 @@ nofree:
+ 					 * attributes don't unfairly skew
+ 					 * the length computation
+ 					 */
+-					for (aux = rt_hash_table[i].chain;;) {
+-						if (aux == rth) {
+-							length += ONE;
+-							break;
+-						}
+-						if (compare_hash_inputs(&aux->fl, &rth->fl))
+-							break;
+-						aux = aux->u.dst.rt_next;
+-					}
++					length += has_noalias(rt_hash_table[i].chain, rth);
+ 					continue;
+ 				}
+ 			} else if (!rt_may_expire(rth, tmo, ip_rt_gc_timeout))
+@@ -1073,6 +1083,21 @@ work_done:
+ out:	return 0;
+ }
+ 
++/*
++ * Returns number of entries in a hash chain that have different hash_inputs
++ */
++static int slow_chain_length(const struct rtable *head)
++{
++	int length = 0;
++	const struct rtable *rth = head;
++
++	while (rth) {
++		length += has_noalias(head, rth);
++		rth = rth->u.dst.rt_next;
++	}
++	return length >> FRACT_BITS;
++}
++
+ static int rt_intern_hash(unsigned hash, struct rtable *rt,
+ 			  struct rtable **rp, struct sk_buff *skb)
+ {
+@@ -1185,7 +1210,8 @@ restart:
+ 			rt_free(cand);
+ 		}
+ 	} else {
+-		if (chain_length > rt_chain_length_max) {
++		if (chain_length > rt_chain_length_max &&
++		    slow_chain_length(rt_hash_table[hash].chain) > rt_chain_length_max) {
+ 			struct net *net = dev_net(rt->u.dst.dev);
+ 			int num = ++net->ipv4.current_rt_cache_rebuild_count;
+ 			if (!rt_caching(dev_net(rt->u.dst.dev))) {

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/stable/2.6.32.60.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/stable/2.6.32.60.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/stable/2.6.32.60.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/stable/2.6.32.60.patch)
@@ -0,0 +1,7716 @@
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index c840e7d..14c7fb0 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1725,6 +1725,11 @@ and is between 256 and 4096 characters. It is defined in the file
+ 
+ 	noresidual	[PPC] Don't use residual data on PReP machines.
+ 
++	nordrand	[X86] Disable the direct use of the RDRAND
++			instruction even if it is supported by the
++			processor.  RDRAND is still available to user
++			space applications.
++
+ 	noresume	[SWSUSP] Disables resume and restores original swap
+ 			space.
+ 
+diff --git a/Documentation/stable_kernel_rules.txt b/Documentation/stable_kernel_rules.txt
+index e6e482f..3c9d7ac 100644
+--- a/Documentation/stable_kernel_rules.txt
++++ b/Documentation/stable_kernel_rules.txt
+@@ -12,6 +12,12 @@ Rules on what kind of patches are accepted, and which ones are not, into the
+    marked CONFIG_BROKEN), an oops, a hang, data corruption, a real
+    security issue, or some "oh, that's not good" issue.  In short, something
+    critical.
++ - Serious issues as reported by a user of a distribution kernel may also
++   be considered if they fix a notable performance or interactivity issue.
++   As these fixes are not as obvious and have a higher risk of a subtle
++   regression they should only be submitted by a distribution kernel
++   maintainer and include an addendum linking to a bugzilla entry if it
++   exists and additional information on the user-visible impact.
+  - New device IDs and quirks are also accepted.
+  - No "theoretical race condition" issues, unless an explanation of how the
+    race can be exploited is also provided.
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 613da5d..334258c 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -4379,7 +4379,7 @@ F:	Documentation/blockdev/ramdisk.txt
+ F:	drivers/block/brd.c
+ 
+ RANDOM NUMBER DRIVER
+-M:	Matt Mackall <mpm at selenic.com>
++M:	Theodore Ts'o" <tytso at mit.edu>
+ S:	Maintained
+ F:	drivers/char/random.c
+ 
+diff --git a/Makefile b/Makefile
+index 3a9a721..b0e245e 100644
+diff --git a/arch/arm/kernel/sys_arm.c b/arch/arm/kernel/sys_arm.c
+index ae4027bd..2dd070f 100644
+--- a/arch/arm/kernel/sys_arm.c
++++ b/arch/arm/kernel/sys_arm.c
+@@ -240,7 +240,7 @@ int kernel_execve(const char *filename, char *const argv[], char *const envp[])
+ 		  "Ir" (THREAD_START_SP - sizeof(regs)),
+ 		  "r" (&regs),
+ 		  "Ir" (sizeof(regs))
+-		: "r0", "r1", "r2", "r3", "ip", "lr", "memory");
++		: "r0", "r1", "r2", "r3", "r8", "r9", "ip", "lr", "memory");
+ 
+  out:
+ 	return ret;
+diff --git a/arch/ia64/include/asm/unistd.h b/arch/ia64/include/asm/unistd.h
+index 5a5347f..08a0e5c 100644
+--- a/arch/ia64/include/asm/unistd.h
++++ b/arch/ia64/include/asm/unistd.h
+@@ -311,11 +311,12 @@
+ #define __NR_preadv			1319
+ #define __NR_pwritev			1320
+ #define __NR_rt_tgsigqueueinfo		1321
++#define __NR_accept4			1334
+ 
+ #ifdef __KERNEL__
+ 
+ 
+-#define NR_syscalls			298 /* length of syscall table */
++#define NR_syscalls			311 /* length of syscall table */
+ 
+ /*
+  * The following defines stop scripts/checksyscalls.sh from complaining about
+diff --git a/arch/ia64/kernel/entry.S b/arch/ia64/kernel/entry.S
+index d0e7d37..e3be543 100644
+--- a/arch/ia64/kernel/entry.S
++++ b/arch/ia64/kernel/entry.S
+@@ -1806,6 +1806,19 @@ sys_call_table:
+ 	data8 sys_preadv
+ 	data8 sys_pwritev			// 1320
+ 	data8 sys_rt_tgsigqueueinfo
++	data8 sys_ni_syscall
++	data8 sys_ni_syscall
++	data8 sys_ni_syscall
++	data8 sys_ni_syscall			// 1325
++	data8 sys_ni_syscall
++	data8 sys_ni_syscall
++	data8 sys_ni_syscall
++	data8 sys_ni_syscall
++	data8 sys_ni_syscall			// 1330
++	data8 sys_ni_syscall
++	data8 sys_ni_syscall
++	data8 sys_ni_syscall
++	data8 sys_accept4
+ 
+ 	.org sys_call_table + 8*NR_syscalls	// guard against failures to increase NR_syscalls
+ #endif /* __IA64_ASM_PARAVIRTUALIZED_NATIVE */
+diff --git a/arch/ia64/kernel/irq_ia64.c b/arch/ia64/kernel/irq_ia64.c
+index dd9d7b5..463b8a7 100644
+--- a/arch/ia64/kernel/irq_ia64.c
++++ b/arch/ia64/kernel/irq_ia64.c
+@@ -24,7 +24,6 @@
+ #include <linux/kernel_stat.h>
+ #include <linux/slab.h>
+ #include <linux/ptrace.h>
+-#include <linux/random.h>	/* for rand_initialize_irq() */
+ #include <linux/signal.h>
+ #include <linux/smp.h>
+ #include <linux/threads.h>
+diff --git a/arch/ia64/kvm/kvm-ia64.c b/arch/ia64/kvm/kvm-ia64.c
+index 2eb6365..0edba06 100644
+--- a/arch/ia64/kvm/kvm-ia64.c
++++ b/arch/ia64/kvm/kvm-ia64.c
+@@ -1185,6 +1185,11 @@ out:
+ 
+ #define PALE_RESET_ENTRY    0x80000000ffffffb0UL
+ 
++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
++{
++	return irqchip_in_kernel(vcpu->kvm) == (vcpu->arch.apic != NULL);
++}
++
+ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+ {
+ 	struct kvm_vcpu *v;
+diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
+index 845da21..0e50757 100644
+--- a/arch/mips/include/asm/thread_info.h
++++ b/arch/mips/include/asm/thread_info.h
+@@ -60,6 +60,8 @@ struct thread_info {
+ register struct thread_info *__current_thread_info __asm__("$28");
+ #define current_thread_info()  __current_thread_info
+ 
++#endif /* !__ASSEMBLY__ */
++
+ /* thread information allocation */
+ #if defined(CONFIG_PAGE_SIZE_4KB) && defined(CONFIG_32BIT)
+ #define THREAD_SIZE_ORDER (1)
+@@ -93,8 +95,6 @@ register struct thread_info *__current_thread_info __asm__("$28");
+ 
+ #define free_thread_info(info) kfree(info)
+ 
+-#endif /* !__ASSEMBLY__ */
+-
+ #define PREEMPT_ACTIVE		0x10000000
+ 
+ /*
+diff --git a/arch/mips/kernel/vmlinux.lds.S b/arch/mips/kernel/vmlinux.lds.S
+index 162b299..d5c95d6 100644
+--- a/arch/mips/kernel/vmlinux.lds.S
++++ b/arch/mips/kernel/vmlinux.lds.S
+@@ -1,5 +1,6 @@
+ #include <asm/asm-offsets.h>
+ #include <asm/page.h>
++#include <asm/thread_info.h>
+ #include <asm-generic/vmlinux.lds.h>
+ 
+ #undef mips
+@@ -70,7 +71,7 @@ SECTIONS
+ 	.data : {	/* Data */
+ 		. = . + DATAOFFSET;		/* for CONFIG_MAPPED_KERNEL */
+ 
+-		INIT_TASK_DATA(PAGE_SIZE)
++		INIT_TASK_DATA(THREAD_SIZE)
+ 		NOSAVE_DATA
+ 		CACHELINE_ALIGNED_DATA(1 << CONFIG_MIPS_L1_CACHE_SHIFT)
+ 		DATA_DATA
+diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h
+index 8bc9e96..6ee459d 100644
+--- a/arch/parisc/include/asm/atomic.h
++++ b/arch/parisc/include/asm/atomic.h
+@@ -248,7 +248,7 @@ static __inline__ int atomic_add_unless(atomic_t *v, int a, int u)
+ 
+ #define atomic_sub_and_test(i,v)	(atomic_sub_return((i),(v)) == 0)
+ 
+-#define ATOMIC_INIT(i)	((atomic_t) { (i) })
++#define ATOMIC_INIT(i)	{ (i) }
+ 
+ #define smp_mb__before_atomic_dec()	smp_mb()
+ #define smp_mb__after_atomic_dec()	smp_mb()
+@@ -257,7 +257,7 @@ static __inline__ int atomic_add_unless(atomic_t *v, int a, int u)
+ 
+ #ifdef CONFIG_64BIT
+ 
+-#define ATOMIC64_INIT(i) ((atomic64_t) { (i) })
++#define ATOMIC64_INIT(i) { (i) }
+ 
+ static __inline__ int
+ __atomic64_add_return(s64 i, atomic64_t *v)
+diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
+index 32a7c30..6ce44dd 100644
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -870,7 +870,8 @@
+ /* Macros for setting and retrieving special purpose registers */
+ #ifndef __ASSEMBLY__
+ #define mfmsr()		({unsigned long rval; \
+-			asm volatile("mfmsr %0" : "=r" (rval)); rval;})
++			asm volatile("mfmsr %0" : "=r" (rval) : \
++						: "memory"); rval;})
+ #ifdef CONFIG_PPC64
+ #define __mtmsrd(v, l)	asm volatile("mtmsrd %0," __stringify(l) \
+ 				     : : "r" (v) : "memory")
+diff --git a/arch/powerpc/kernel/ftrace.c b/arch/powerpc/kernel/ftrace.c
+index ce1f3e4..eda40d2 100644
+--- a/arch/powerpc/kernel/ftrace.c
++++ b/arch/powerpc/kernel/ftrace.c
+@@ -244,9 +244,9 @@ __ftrace_make_nop(struct module *mod,
+ 
+ 	/*
+ 	 * On PPC32 the trampoline looks like:
+-	 *  0x3d, 0x60, 0x00, 0x00  lis r11,sym at ha
+-	 *  0x39, 0x6b, 0x00, 0x00  addi r11,r11,sym at l
+-	 *  0x7d, 0x69, 0x03, 0xa6  mtctr r11
++	 *  0x3d, 0x80, 0x00, 0x00  lis r12,sym at ha
++	 *  0x39, 0x8c, 0x00, 0x00  addi r12,r12,sym at l
++	 *  0x7d, 0x89, 0x03, 0xa6  mtctr r12
+ 	 *  0x4e, 0x80, 0x04, 0x20  bctr
+ 	 */
+ 
+@@ -261,9 +261,9 @@ __ftrace_make_nop(struct module *mod,
+ 	pr_devel(" %08x %08x ", jmp[0], jmp[1]);
+ 
+ 	/* verify that this is what we expect it to be */
+-	if (((jmp[0] & 0xffff0000) != 0x3d600000) ||
+-	    ((jmp[1] & 0xffff0000) != 0x396b0000) ||
+-	    (jmp[2] != 0x7d6903a6) ||
++	if (((jmp[0] & 0xffff0000) != 0x3d800000) ||
++	    ((jmp[1] & 0xffff0000) != 0x398c0000) ||
++	    (jmp[2] != 0x7d8903a6) ||
+ 	    (jmp[3] != 0x4e800420)) {
+ 		printk(KERN_ERR "Not a trampoline\n");
+ 		return -EINVAL;
+diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
+index f832773..449a7e0 100644
+--- a/arch/powerpc/kernel/module_32.c
++++ b/arch/powerpc/kernel/module_32.c
+@@ -187,8 +187,8 @@ int apply_relocate(Elf32_Shdr *sechdrs,
+ 
+ static inline int entry_matches(struct ppc_plt_entry *entry, Elf32_Addr val)
+ {
+-	if (entry->jump[0] == 0x3d600000 + ((val + 0x8000) >> 16)
+-	    && entry->jump[1] == 0x396b0000 + (val & 0xffff))
++	if (entry->jump[0] == 0x3d800000 + ((val + 0x8000) >> 16)
++	    && entry->jump[1] == 0x398c0000 + (val & 0xffff))
+ 		return 1;
+ 	return 0;
+ }
+@@ -215,10 +215,9 @@ static uint32_t do_plt_call(void *location,
+ 		entry++;
+ 	}
+ 
+-	/* Stolen from Paul Mackerras as well... */
+-	entry->jump[0] = 0x3d600000+((val+0x8000)>>16);	/* lis r11,sym at ha */
+-	entry->jump[1] = 0x396b0000 + (val&0xffff);	/* addi r11,r11,sym at l*/
+-	entry->jump[2] = 0x7d6903a6;			/* mtctr r11 */
++	entry->jump[0] = 0x3d800000+((val+0x8000)>>16); /* lis r12,sym at ha */
++	entry->jump[1] = 0x398c0000 + (val&0xffff);     /* addi r12,r12,sym at l*/
++	entry->jump[2] = 0x7d8903a6;                    /* mtctr r12 */
+ 	entry->jump[3] = 0x4e800420;			/* bctr */
+ 
+ 	DEBUGP("Initialized plt for 0x%x at %p\n", val, entry);
+diff --git a/arch/powerpc/platforms/powermac/smp.c b/arch/powerpc/platforms/powermac/smp.c
+index b40c22d..7f66d0c 100644
+--- a/arch/powerpc/platforms/powermac/smp.c
++++ b/arch/powerpc/platforms/powermac/smp.c
+@@ -402,7 +402,7 @@ static struct irqaction psurge_irqaction = {
+ 
+ static void __init smp_psurge_setup_cpu(int cpu_nr)
+ {
+-	if (cpu_nr != 0)
++	if (cpu_nr != 0 || !psurge_start)
+ 		return;
+ 
+ 	/* reset the entry point so if we get another intr we won't
+diff --git a/arch/sparc/Makefile b/arch/sparc/Makefile
+index 113225b..0538555 100644
+--- a/arch/sparc/Makefile
++++ b/arch/sparc/Makefile
+@@ -31,7 +31,7 @@ UTS_MACHINE    := sparc
+ 
+ #KBUILD_CFLAGS += -g -pipe -fcall-used-g5 -fcall-used-g7
+ KBUILD_CFLAGS += -m32 -pipe -mno-fpu -fcall-used-g5 -fcall-used-g7
+-KBUILD_AFLAGS += -m32
++KBUILD_AFLAGS += -m32 -Wa,-Av8
+ 
+ #LDFLAGS_vmlinux = -N -Ttext 0xf0004000
+ #  Since 2.5.40, the first stage is left not btfix-ed.
+diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
+index 4a700f4..6a831bd 100644
+--- a/arch/sparc/kernel/ds.c
++++ b/arch/sparc/kernel/ds.c
+@@ -1242,4 +1242,4 @@ static int __init ds_init(void)
+ 	return vio_register_driver(&ds_driver);
+ }
+ 
+-subsys_initcall(ds_init);
++fs_initcall(ds_init);
+diff --git a/arch/sparc/kernel/rtrap_64.S b/arch/sparc/kernel/rtrap_64.S
+index fd3cee4..cc4b1ff 100644
+--- a/arch/sparc/kernel/rtrap_64.S
++++ b/arch/sparc/kernel/rtrap_64.S
+@@ -20,11 +20,6 @@
+ 
+ 		.text
+ 		.align			32
+-__handle_softirq:
+-		call			do_softirq
+-		 nop
+-		ba,a,pt			%xcc, __handle_softirq_continue
+-		 nop
+ __handle_preemption:
+ 		call			schedule
+ 		 wrpr			%g0, RTRAP_PSTATE, %pstate
+@@ -159,9 +154,7 @@ rtrap:
+ 		cmp			%l1, 0
+ 
+ 		/* mm/ultra.S:xcall_report_regs KNOWS about this load. */
+-		bne,pn			%icc, __handle_softirq
+ 		 ldx			[%sp + PTREGS_OFF + PT_V9_TSTATE], %l1
+-__handle_softirq_continue:
+ rtrap_xcall:
+ 		sethi			%hi(0xf << 20), %l4
+ 		and			%l1, %l4, %l4
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 73ae02a..aa889d6 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1428,6 +1428,15 @@ config ARCH_USES_PG_UNCACHED
+ 	def_bool y
+ 	depends on X86_PAT
+ 
++config ARCH_RANDOM
++	def_bool y
++	prompt "x86 architectural random number generator" if EXPERT
++	---help---
++	  Enable the x86 architectural RDRAND instruction
++	  (Intel Bull Mountain technology) to generate random numbers.
++	  If supported, this is a high bandwidth, cryptographically
++	  secure hardware random number generator.
++
+ config EFI
+ 	bool "EFI runtime service support"
+ 	depends on ACPI
+diff --git a/arch/x86/include/asm/archrandom.h b/arch/x86/include/asm/archrandom.h
+new file mode 100644
+index 0000000..0d9ec77
+--- /dev/null
++++ b/arch/x86/include/asm/archrandom.h
+@@ -0,0 +1,75 @@
++/*
++ * This file is part of the Linux kernel.
++ *
++ * Copyright (c) 2011, Intel Corporation
++ * Authors: Fenghua Yu <fenghua.yu at intel.com>,
++ *          H. Peter Anvin <hpa at linux.intel.com>
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms and conditions of the GNU General Public License,
++ * version 2, as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
++ * more details.
++ *
++ * You should have received a copy of the GNU General Public License along with
++ * this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ */
++
++#ifndef ASM_X86_ARCHRANDOM_H
++#define ASM_X86_ARCHRANDOM_H
++
++#include <asm/processor.h>
++#include <asm/cpufeature.h>
++#include <asm/alternative.h>
++#include <asm/nops.h>
++
++#define RDRAND_RETRY_LOOPS	10
++
++#define RDRAND_INT	".byte 0x0f,0xc7,0xf0"
++#ifdef CONFIG_X86_64
++# define RDRAND_LONG	".byte 0x48,0x0f,0xc7,0xf0"
++#else
++# define RDRAND_LONG	RDRAND_INT
++#endif
++
++#ifdef CONFIG_ARCH_RANDOM
++
++#define GET_RANDOM(name, type, rdrand, nop)			\
++static inline int name(type *v)					\
++{								\
++	int ok;							\
++	alternative_io("movl $0, %0\n\t"			\
++		       nop,					\
++		       "\n1: " rdrand "\n\t"			\
++		       "jc 2f\n\t"				\
++		       "decl %0\n\t"                            \
++		       "jnz 1b\n\t"                             \
++		       "2:",                                    \
++		       X86_FEATURE_RDRAND,                      \
++		       ASM_OUTPUT2("=r" (ok), "=a" (*v)),       \
++		       "0" (RDRAND_RETRY_LOOPS));		\
++	return ok;						\
++}
++
++#ifdef CONFIG_X86_64
++
++GET_RANDOM(arch_get_random_long, unsigned long, RDRAND_LONG, ASM_NOP5);
++GET_RANDOM(arch_get_random_int, unsigned int, RDRAND_INT, ASM_NOP4);
++
++#else
++
++GET_RANDOM(arch_get_random_long, unsigned long, RDRAND_LONG, ASM_NOP3);
++GET_RANDOM(arch_get_random_int, unsigned int, RDRAND_INT, ASM_NOP3);
++
++#endif /* CONFIG_X86_64 */
++
++#endif  /* CONFIG_ARCH_RANDOM */
++
++extern void x86_init_rdrand(struct cpuinfo_x86 *c);
++
++#endif /* ASM_X86_ARCHRANDOM_H */
+diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
+index 1efb1fa..27929b8 100644
+--- a/arch/x86/include/asm/cpufeature.h
++++ b/arch/x86/include/asm/cpufeature.h
+@@ -124,6 +124,8 @@
+ #define X86_FEATURE_XSAVE	(4*32+26) /* XSAVE/XRSTOR/XSETBV/XGETBV */
+ #define X86_FEATURE_OSXSAVE	(4*32+27) /* "" XSAVE enabled in the OS */
+ #define X86_FEATURE_AVX		(4*32+28) /* Advanced Vector Extensions */
++#define X86_FEATURE_F16C	(4*32+29) /* 16-bit fp conversions */
++#define X86_FEATURE_RDRAND	(4*32+30) /* The RDRAND instruction */
+ #define X86_FEATURE_HYPERVISOR	(4*32+31) /* Running on a hypervisor */
+ 
+ /* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */
+diff --git a/arch/x86/include/asm/k8.h b/arch/x86/include/asm/k8.h
+index f0746f4..41845d2 100644
+--- a/arch/x86/include/asm/k8.h
++++ b/arch/x86/include/asm/k8.h
+@@ -1,11 +1,13 @@
+ #ifndef _ASM_X86_K8_H
+ #define _ASM_X86_K8_H
+ 
++#include <linux/ioport.h>
+ #include <linux/pci.h>
+ 
+ extern struct pci_device_id k8_nb_ids[];
+ 
+ extern int early_is_k8_nb(u32 value);
++extern struct resource *amd_get_mmconfig_range(struct resource *res);
+ extern struct pci_dev **k8_northbridges;
+ extern int num_k8_northbridges;
+ extern int cache_k8_northbridges(void);
+diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
+index 5ed59ec..cc44e3d 100644
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -109,6 +109,8 @@ struct x86_emulate_ops {
+ 				unsigned int bytes,
+ 				struct kvm_vcpu *vcpu);
+ 
++	bool (*get_cpuid)(struct x86_emulate_ctxt *ctxt,
++			 u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
+ };
+ 
+ /* Type, address-of, and value of an instruction's operand. */
+@@ -190,6 +192,19 @@ struct x86_emulate_ctxt {
+ #define X86EMUL_MODE_HOST X86EMUL_MODE_PROT64
+ #endif
+ 
++/* CPUID vendors */
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
++#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
++
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
++#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
++
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
++#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
++
+ int x86_decode_insn(struct x86_emulate_ctxt *ctxt,
+ 		    struct x86_emulate_ops *ops);
+ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt,
+diff --git a/arch/x86/include/asm/timer.h b/arch/x86/include/asm/timer.h
+index b93a9aa..18e1ca7 100644
+--- a/arch/x86/include/asm/timer.h
++++ b/arch/x86/include/asm/timer.h
+@@ -63,14 +63,10 @@ DECLARE_PER_CPU(unsigned long long, cyc2ns_offset);
+ 
+ static inline unsigned long long __cycles_2_ns(unsigned long long cyc)
+ {
+-	unsigned long long quot;
+-	unsigned long long rem;
+ 	int cpu = smp_processor_id();
+ 	unsigned long long ns = per_cpu(cyc2ns_offset, cpu);
+-	quot = (cyc >> CYC2NS_SCALE_FACTOR);
+-	rem = cyc & ((1ULL << CYC2NS_SCALE_FACTOR) - 1);
+-	ns += quot * per_cpu(cyc2ns, cpu) +
+-		((rem * per_cpu(cyc2ns, cpu)) >> CYC2NS_SCALE_FACTOR);
++	ns += mult_frac(cyc, per_cpu(cyc2ns, cpu),
++			(1UL << CYC2NS_SCALE_FACTOR));
+ 	return ns;
+ }
+ 
+diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
+index ff502cc..1f537a2 100644
+--- a/arch/x86/kernel/cpu/Makefile
++++ b/arch/x86/kernel/cpu/Makefile
+@@ -14,6 +14,7 @@ CFLAGS_common.o		:= $(nostackp)
+ obj-y			:= intel_cacheinfo.o addon_cpuid_features.o
+ obj-y			+= proc.o capflags.o powerflags.o common.o
+ obj-y			+= vmware.o hypervisor.o sched.o
++obj-y			+= rdrand.o
+ 
+ obj-$(CONFIG_X86_32)	+= bugs.o cmpxchg.o
+ obj-$(CONFIG_X86_64)	+= bugs_64.o
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 4e34d10..ba1a1dd 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -15,6 +15,7 @@
+ #include <asm/stackprotector.h>
+ #include <asm/perf_event.h>
+ #include <asm/mmu_context.h>
++#include <asm/archrandom.h>
+ #include <asm/hypervisor.h>
+ #include <asm/processor.h>
+ #include <asm/sections.h>
+@@ -815,6 +816,7 @@ static void __cpuinit identify_cpu(struct cpuinfo_x86 *c)
+ #endif
+ 
+ 	init_hypervisor(c);
++	x86_init_rdrand(c);
+ 
+ 	/*
+ 	 * Clear/Set all flags overriden by options, need do it
+diff --git a/arch/x86/kernel/cpu/rdrand.c b/arch/x86/kernel/cpu/rdrand.c
+new file mode 100644
+index 0000000..feca286
+--- /dev/null
++++ b/arch/x86/kernel/cpu/rdrand.c
+@@ -0,0 +1,73 @@
++/*
++ * This file is part of the Linux kernel.
++ *
++ * Copyright (c) 2011, Intel Corporation
++ * Authors: Fenghua Yu <fenghua.yu at intel.com>,
++ *          H. Peter Anvin <hpa at linux.intel.com>
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms and conditions of the GNU General Public License,
++ * version 2, as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
++ * more details.
++ *
++ * You should have received a copy of the GNU General Public License along with
++ * this program; if not, write to the Free Software Foundation, Inc.,
++ * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ */
++
++#include <asm/processor.h>
++#include <asm/archrandom.h>
++#include <asm/sections.h>
++
++static int __init x86_rdrand_setup(char *s)
++{
++	setup_clear_cpu_cap(X86_FEATURE_RDRAND);
++	return 1;
++}
++__setup("nordrand", x86_rdrand_setup);
++
++/* We can't use arch_get_random_long() here since alternatives haven't run */
++static inline int rdrand_long(unsigned long *v)
++{
++	int ok;
++	asm volatile("1: " RDRAND_LONG "\n\t"
++		     "jc 2f\n\t"
++		     "decl %0\n\t"
++		     "jnz 1b\n\t"
++		     "2:"
++		     : "=r" (ok), "=a" (*v)
++		     : "0" (RDRAND_RETRY_LOOPS));
++	return ok;
++}
++
++/*
++ * Force a reseed cycle; we are architecturally guaranteed a reseed
++ * after no more than 512 128-bit chunks of random data.  This also
++ * acts as a test of the CPU capability.
++ */
++#define RESEED_LOOP ((512*128)/sizeof(unsigned long))
++
++void __cpuinit x86_init_rdrand(struct cpuinfo_x86 *c)
++{
++#ifdef CONFIG_ARCH_RANDOM
++	unsigned long tmp;
++	int i, count, ok;
++
++	if (!cpu_has(c, X86_FEATURE_RDRAND))
++		return;		/* Nothing to do */
++
++	for (count = i = 0; i < RESEED_LOOP; i++) {
++		ok = rdrand_long(&tmp);
++		if (ok)
++			count++;
++	}
++
++	if (count != RESEED_LOOP)
++		clear_cpu_cap(c, X86_FEATURE_RDRAND);
++#endif
++}
+diff --git a/arch/x86/kernel/k8.c b/arch/x86/kernel/k8.c
+index 9b89546..2831a32 100644
+--- a/arch/x86/kernel/k8.c
++++ b/arch/x86/kernel/k8.c
+@@ -87,6 +87,37 @@ int __init early_is_k8_nb(u32 device)
+ 	return 0;
+ }
+ 
++struct resource *amd_get_mmconfig_range(struct resource *res)
++{
++	u32 address;
++	u64 base, msr;
++	unsigned segn_busn_bits;
++
++	if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
++		return NULL;
++
++	/* assume all cpus from fam10h have mmconfig */
++	if (boot_cpu_data.x86 < 0x10)
++		return NULL;
++
++	address = MSR_FAM10H_MMIO_CONF_BASE;
++	rdmsrl(address, msr);
++
++	/* mmconfig is not enabled */
++	if (!(msr & FAM10H_MMIO_CONF_ENABLE))
++		return NULL;
++
++	base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
++
++	segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
++                         FAM10H_MMIO_CONF_BUSRANGE_MASK;
++
++	res->flags = IORESOURCE_MEM;
++	res->start = base;
++	res->end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
++	return res;
++}
++
+ void k8_flush_garts(void)
+ {
+ 	int flushed, i;
+diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
+index 6bb7b85..bcfec2d 100644
+--- a/arch/x86/kernel/tls.c
++++ b/arch/x86/kernel/tls.c
+@@ -163,7 +163,7 @@ int regset_tls_get(struct task_struct *target, const struct user_regset *regset,
+ {
+ 	const struct desc_struct *tls;
+ 
+-	if (pos > GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
++	if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
+ 	    (pos % sizeof(struct user_desc)) != 0 ||
+ 	    (count % sizeof(struct user_desc)) != 0)
+ 		return -EINVAL;
+@@ -198,7 +198,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+ 	struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
+ 	const struct user_desc *info;
+ 
+-	if (pos > GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
++	if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
+ 	    (pos % sizeof(struct user_desc)) != 0 ||
+ 	    (count % sizeof(struct user_desc)) != 0)
+ 		return -EINVAL;
+diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
+index bc07543..9972276 100644
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -623,7 +623,8 @@ static void set_cyc2ns_scale(unsigned long cpu_khz, int cpu)
+ 
+ 	if (cpu_khz) {
+ 		*scale = (NSEC_PER_MSEC << CYC2NS_SCALE_FACTOR)/cpu_khz;
+-		*offset = ns_now - (tsc_now * *scale >> CYC2NS_SCALE_FACTOR);
++		*offset = ns_now - mult_frac(tsc_now, *scale,
++					     (1UL << CYC2NS_SCALE_FACTOR));
+ 	}
+ 
+ 	sched_clock_idle_wakeup_event(0);
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 1350e43..aa2d905 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1495,20 +1495,73 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
+ 	ss->present = 1;
+ }
+ 
++static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt,
++				  struct x86_emulate_ops *ops)
++{
++	u32 eax, ebx, ecx, edx;
++
++	/*
++	 * syscall should always be enabled in longmode - so only become
++	 * vendor specific (cpuid) if other modes are active...
++	 */
++	if (ctxt->mode == X86EMUL_MODE_PROT64)
++		return true;
++
++	eax = 0x00000000;
++	ecx = 0x00000000;
++	if (ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)) {
++		/*
++		 * Intel ("GenuineIntel")
++		 * remark: Intel CPUs only support "syscall" in 64bit
++		 * longmode. Also an 64bit guest with a
++		 * 32bit compat-app running will #UD !! While this
++		 * behaviour can be fixed (by emulating) into AMD
++		 * response - CPUs of AMD can't behave like Intel.
++		 */
++		if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
++		    ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
++		    edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
++			return false;
++
++		/* AMD ("AuthenticAMD") */
++		if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
++		    ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
++		    edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
++			return true;
++
++		/* AMD ("AMDisbetter!") */
++		if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
++		    ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
++		    edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
++			return true;
++	}
++
++	/* default: (not Intel, not AMD), apply Intel's stricter rules... */
++	return false;
++}
++
+ static int
+-emulate_syscall(struct x86_emulate_ctxt *ctxt)
++emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
+ {
+ 	struct decode_cache *c = &ctxt->decode;
+ 	struct kvm_segment cs, ss;
+ 	u64 msr_data;
++	u64 efer = 0;
+ 
+ 	/* syscall is not available in real mode */
+ 	if (c->lock_prefix || ctxt->mode == X86EMUL_MODE_REAL
+ 	    || ctxt->mode == X86EMUL_MODE_VM86)
+ 		return -1;
+ 
++	if (!(em_syscall_is_enabled(ctxt, ops)))
++		return -1;
++
++	kvm_x86_ops->get_msr(ctxt->vcpu, MSR_EFER, &efer);
+ 	setup_syscalls_segments(ctxt, &cs, &ss);
+ 
++	if (!(efer & EFER_SCE))
++		return -1;
++
+ 	kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
+ 	msr_data >>= 32;
+ 	cs.selector = (u16)(msr_data & 0xfffc);
+@@ -2342,7 +2395,7 @@ twobyte_insn:
+ 		}
+ 		break;
+ 	case 0x05: 		/* syscall */
+-		if (emulate_syscall(ctxt) == -1)
++		if (emulate_syscall(ctxt, ops) == -1)
+ 			goto cannot_emulate;
+ 		else
+ 			goto writeback;
+diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
+index 88ad162..7e361b4 100644
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -277,11 +277,15 @@ static struct kvm_timer_ops kpit_ops = {
+ 	.is_periodic = kpit_is_periodic,
+ };
+ 
+-static void create_pit_timer(struct kvm_kpit_state *ps, u32 val, int is_period)
++static void create_pit_timer(struct kvm *kvm, u32 val, int is_period)
+ {
++	struct kvm_kpit_state *ps = &kvm->arch.vpit->pit_state;
+ 	struct kvm_timer *pt = &ps->pit_timer;
+ 	s64 interval;
+ 
++	if (!irqchip_in_kernel(kvm))
++		return;
++
+ 	interval = muldiv64(val, NSEC_PER_SEC, KVM_PIT_FREQ);
+ 
+ 	pr_debug("pit: create pit timer, interval is %llu nsec\n", interval);
+@@ -333,13 +337,13 @@ static void pit_load_count(struct kvm *kvm, int channel, u32 val)
+         /* FIXME: enhance mode 4 precision */
+ 	case 4:
+ 		if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)) {
+-			create_pit_timer(ps, val, 0);
++			create_pit_timer(kvm, val, 0);
+ 		}
+ 		break;
+ 	case 2:
+ 	case 3:
+ 		if (!(ps->flags & KVM_PIT_FLAGS_HPET_LEGACY)){
+-			create_pit_timer(ps, val, 1);
++			create_pit_timer(kvm, val, 1);
+ 		}
+ 		break;
+ 	default:
+diff --git a/arch/x86/kvm/irq.h b/arch/x86/kvm/irq.h
+index 7d6058a..85a8721 100644
+--- a/arch/x86/kvm/irq.h
++++ b/arch/x86/kvm/irq.h
+@@ -85,7 +85,11 @@ static inline struct kvm_pic *pic_irqchip(struct kvm *kvm)
+ 
+ static inline int irqchip_in_kernel(struct kvm *kvm)
+ {
+-	return pic_irqchip(kvm) != NULL;
++	int ret;
++
++	ret = (pic_irqchip(kvm) != NULL);
++	smp_rmb();
++	return ret;
+ }
+ 
+ void kvm_pic_reset(struct kvm_kpic_state *s);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index df1cefb..271fddf 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2273,25 +2273,42 @@ long kvm_arch_vm_ioctl(struct file *filp,
+ 		if (r)
+ 			goto out;
+ 		break;
+-	case KVM_CREATE_IRQCHIP:
++	case KVM_CREATE_IRQCHIP: {
++		struct kvm_pic *vpic;
++
++		mutex_lock(&kvm->lock);
++		r = -EEXIST;
++		if (kvm->arch.vpic)
++			goto create_irqchip_unlock;
++		r = -EINVAL;
++		if (atomic_read(&kvm->online_vcpus))
++			goto create_irqchip_unlock;
+ 		r = -ENOMEM;
+-		kvm->arch.vpic = kvm_create_pic(kvm);
+-		if (kvm->arch.vpic) {
++		vpic = kvm_create_pic(kvm);
++		if (vpic) {
+ 			r = kvm_ioapic_init(kvm);
+ 			if (r) {
+-				kfree(kvm->arch.vpic);
+-				kvm->arch.vpic = NULL;
+-				goto out;
++				kfree(vpic);
++				goto create_irqchip_unlock;
+ 			}
+ 		} else
+-			goto out;
++			goto create_irqchip_unlock;
++		smp_wmb();
++		kvm->arch.vpic = vpic;
++		smp_wmb();
+ 		r = kvm_setup_default_irq_routing(kvm);
+ 		if (r) {
++			mutex_lock(&kvm->irq_lock);
+ 			kfree(kvm->arch.vpic);
+ 			kfree(kvm->arch.vioapic);
+-			goto out;
++			kvm->arch.vpic = NULL;
++			kvm->arch.vioapic = NULL;
++			mutex_unlock(&kvm->irq_lock);
+ 		}
++	create_irqchip_unlock:
++		mutex_unlock(&kvm->lock);
+ 		break;
++	}
+ 	case KVM_CREATE_PIT:
+ 		u.pit_config.flags = KVM_PIT_SPEAKER_DUMMY;
+ 		goto create_pit;
+@@ -2871,12 +2888,35 @@ void kvm_report_emulation_failure(struct kvm_vcpu *vcpu, const char *context)
+ }
+ EXPORT_SYMBOL_GPL(kvm_report_emulation_failure);
+ 
++static bool emulator_get_cpuid(struct x86_emulate_ctxt *ctxt,
++			       u32 *eax, u32 *ebx, u32 *ecx, u32 *edx)
++{
++	struct kvm_cpuid_entry2 *cpuid = NULL;
++
++	if (eax && ecx)
++		cpuid = kvm_find_cpuid_entry(ctxt->vcpu,
++					    *eax, *ecx);
++
++	if (cpuid) {
++		*eax = cpuid->eax;
++		*ecx = cpuid->ecx;
++		if (ebx)
++			*ebx = cpuid->ebx;
++		if (edx)
++			*edx = cpuid->edx;
++		return true;
++	}
++
++	return false;
++}
++
+ static struct x86_emulate_ops emulate_ops = {
+ 	.read_std            = kvm_read_guest_virt_system,
+ 	.fetch               = kvm_fetch_guest_virt,
+ 	.read_emulated       = emulator_read_emulated,
+ 	.write_emulated      = emulator_write_emulated,
+ 	.cmpxchg_emulated    = emulator_cmpxchg_emulated,
++	.get_cpuid           = emulator_get_cpuid,
+ };
+ 
+ static void cache_all_regs(struct kvm_vcpu *vcpu)
+@@ -4990,6 +5030,11 @@ void kvm_arch_check_processor_compat(void *rtn)
+ 	kvm_x86_ops->check_processor_compatibility(rtn);
+ }
+ 
++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
++{
++	return irqchip_in_kernel(vcpu->kvm) == (vcpu->arch.apic != NULL);
++}
++
+ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
+ {
+ 	struct page *page;
+diff --git a/arch/x86/lib/delay.c b/arch/x86/lib/delay.c
+index ff485d3..b6372ce 100644
+--- a/arch/x86/lib/delay.c
++++ b/arch/x86/lib/delay.c
+@@ -48,9 +48,9 @@ static void delay_loop(unsigned long loops)
+ }
+ 
+ /* TSC based delay: */
+-static void delay_tsc(unsigned long loops)
++static void delay_tsc(unsigned long __loops)
+ {
+-	unsigned long bclock, now;
++	u32 bclock, now, loops = __loops;
+ 	int cpu;
+ 
+ 	preempt_disable();
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index 8ac0d76..249ad57 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -223,15 +223,14 @@ void vmalloc_sync_all(void)
+ 	     address >= TASK_SIZE && address < FIXADDR_TOP;
+ 	     address += PMD_SIZE) {
+ 
+-		unsigned long flags;
+ 		struct page *page;
+ 
+-		spin_lock_irqsave(&pgd_lock, flags);
++		spin_lock(&pgd_lock);
+ 		list_for_each_entry(page, &pgd_list, lru) {
+ 			if (!vmalloc_sync_one(page_address(page), address))
+ 				break;
+ 		}
+-		spin_unlock_irqrestore(&pgd_lock, flags);
++		spin_unlock(&pgd_lock);
+ 	}
+ }
+ 
+@@ -331,13 +330,12 @@ void vmalloc_sync_all(void)
+ 	     address += PGDIR_SIZE) {
+ 
+ 		const pgd_t *pgd_ref = pgd_offset_k(address);
+-		unsigned long flags;
+ 		struct page *page;
+ 
+ 		if (pgd_none(*pgd_ref))
+ 			continue;
+ 
+-		spin_lock_irqsave(&pgd_lock, flags);
++		spin_lock(&pgd_lock);
+ 		list_for_each_entry(page, &pgd_list, lru) {
+ 			pgd_t *pgd;
+ 			pgd = (pgd_t *)page_address(page) + pgd_index(address);
+@@ -346,7 +344,7 @@ void vmalloc_sync_all(void)
+ 			else
+ 				BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
+ 		}
+-		spin_unlock_irqrestore(&pgd_lock, flags);
++		spin_unlock(&pgd_lock);
+ 	}
+ }
+ 
+diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
+index dd38bfb..6d44087 100644
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -56,12 +56,10 @@ static unsigned long direct_pages_count[PG_LEVEL_NUM];
+ 
+ void update_page_count(int level, unsigned long pages)
+ {
+-	unsigned long flags;
+-
+ 	/* Protect against CPA */
+-	spin_lock_irqsave(&pgd_lock, flags);
++	spin_lock(&pgd_lock);
+ 	direct_pages_count[level] += pages;
+-	spin_unlock_irqrestore(&pgd_lock, flags);
++	spin_unlock(&pgd_lock);
+ }
+ 
+ static void split_page_count(int level)
+@@ -354,7 +352,7 @@ static int
+ try_preserve_large_page(pte_t *kpte, unsigned long address,
+ 			struct cpa_data *cpa)
+ {
+-	unsigned long nextpage_addr, numpages, pmask, psize, flags, addr, pfn;
++	unsigned long nextpage_addr, numpages, pmask, psize, addr, pfn;
+ 	pte_t new_pte, old_pte, *tmp;
+ 	pgprot_t old_prot, new_prot;
+ 	int i, do_split = 1;
+@@ -363,7 +361,7 @@ try_preserve_large_page(pte_t *kpte, unsigned long address,
+ 	if (cpa->force_split)
+ 		return 1;
+ 
+-	spin_lock_irqsave(&pgd_lock, flags);
++	spin_lock(&pgd_lock);
+ 	/*
+ 	 * Check for races, another CPU might have split this page
+ 	 * up already:
+@@ -458,14 +456,14 @@ try_preserve_large_page(pte_t *kpte, unsigned long address,
+ 	}
+ 
+ out_unlock:
+-	spin_unlock_irqrestore(&pgd_lock, flags);
++	spin_unlock(&pgd_lock);
+ 
+ 	return do_split;
+ }
+ 
+ static int split_large_page(pte_t *kpte, unsigned long address)
+ {
+-	unsigned long flags, pfn, pfninc = 1;
++	unsigned long pfn, pfninc = 1;
+ 	unsigned int i, level;
+ 	pte_t *pbase, *tmp;
+ 	pgprot_t ref_prot;
+@@ -479,7 +477,7 @@ static int split_large_page(pte_t *kpte, unsigned long address)
+ 	if (!base)
+ 		return -ENOMEM;
+ 
+-	spin_lock_irqsave(&pgd_lock, flags);
++	spin_lock(&pgd_lock);
+ 	/*
+ 	 * Check for races, another CPU might have split this page
+ 	 * up for us already:
+@@ -551,7 +549,7 @@ out_unlock:
+ 	 */
+ 	if (base)
+ 		__free_page(base);
+-	spin_unlock_irqrestore(&pgd_lock, flags);
++	spin_unlock(&pgd_lock);
+ 
+ 	return 0;
+ }
+diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
+index e0e6fad..cb7cfc8 100644
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -110,14 +110,12 @@ static void pgd_ctor(pgd_t *pgd)
+ 
+ static void pgd_dtor(pgd_t *pgd)
+ {
+-	unsigned long flags; /* can be called from interrupt context */
+-
+ 	if (SHARED_KERNEL_PMD)
+ 		return;
+ 
+-	spin_lock_irqsave(&pgd_lock, flags);
++	spin_lock(&pgd_lock);
+ 	pgd_list_del(pgd);
+-	spin_unlock_irqrestore(&pgd_lock, flags);
++	spin_unlock(&pgd_lock);
+ }
+ 
+ /*
+@@ -248,7 +246,6 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ {
+ 	pgd_t *pgd;
+ 	pmd_t *pmds[PREALLOCATED_PMDS];
+-	unsigned long flags;
+ 
+ 	pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
+ 
+@@ -268,12 +265,12 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ 	 * respect to anything walking the pgd_list, so that they
+ 	 * never see a partially populated pgd.
+ 	 */
+-	spin_lock_irqsave(&pgd_lock, flags);
++	spin_lock(&pgd_lock);
+ 
+ 	pgd_ctor(pgd);
+ 	pgd_prepopulate_pmd(mm, pgd, pmds);
+ 
+-	spin_unlock_irqrestore(&pgd_lock, flags);
++	spin_unlock(&pgd_lock);
+ 
+ 	return pgd;
+ 
+diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c
+index 829edf0..b50a280 100644
+--- a/arch/x86/oprofile/backtrace.c
++++ b/arch/x86/oprofile/backtrace.c
+@@ -71,9 +71,9 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
+ 		offset = addr & (PAGE_SIZE - 1);
+ 		size = min(PAGE_SIZE - offset, n - len);
+ 
+-		map = kmap_atomic(page, KM_USER0);
++		map = kmap_atomic(page, KM_NMI);
+ 		memcpy(to, map+offset, size);
+-		kunmap_atomic(map, KM_USER0);
++		kunmap_atomic(map, KM_NMI);
+ 		put_page(page);
+ 
+ 		len  += size;
+diff --git a/arch/x86/pci/amd_bus.c b/arch/x86/pci/amd_bus.c
+index 572ee97..aae9931 100644
+--- a/arch/x86/pci/amd_bus.c
++++ b/arch/x86/pci/amd_bus.c
+@@ -3,6 +3,7 @@
+ #include <linux/topology.h>
+ #include <linux/cpu.h>
+ #include <asm/pci_x86.h>
++#include <asm/k8.h>
+ 
+ #ifdef CONFIG_X86_64
+ #include <asm/pci-direct.h>
+@@ -190,34 +191,6 @@ static struct pci_hostbridge_probe pci_probes[] __initdata = {
+ 	{ 0, 0x18, PCI_VENDOR_ID_AMD, 0x1300 },
+ };
+ 
+-static u64 __initdata fam10h_mmconf_start;
+-static u64 __initdata fam10h_mmconf_end;
+-static void __init get_pci_mmcfg_amd_fam10h_range(void)
+-{
+-	u32 address;
+-	u64 base, msr;
+-	unsigned segn_busn_bits;
+-
+-	/* assume all cpus from fam10h have mmconf */
+-        if (boot_cpu_data.x86 < 0x10)
+-		return;
+-
+-	address = MSR_FAM10H_MMIO_CONF_BASE;
+-	rdmsrl(address, msr);
+-
+-	/* mmconfig is not enable */
+-	if (!(msr & FAM10H_MMIO_CONF_ENABLE))
+-		return;
+-
+-	base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
+-
+-	segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
+-			 FAM10H_MMIO_CONF_BUSRANGE_MASK;
+-
+-	fam10h_mmconf_start = base;
+-	fam10h_mmconf_end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
+-}
+-
+ /**
+  * early_fill_mp_bus_to_node()
+  * called before pcibios_scan_root and pci_scan_bus
+@@ -243,6 +216,9 @@ static int __init early_fill_mp_bus_info(void)
+ 	struct res_range range[RANGE_NUM];
+ 	u64 val;
+ 	u32 address;
++	struct resource fam10h_mmconf_res, *fam10h_mmconf;
++	u64 fam10h_mmconf_start;
++	u64 fam10h_mmconf_end;
+ 
+ 	if (!early_pci_allowed())
+ 		return -1;
+@@ -367,11 +343,16 @@ static int __init early_fill_mp_bus_info(void)
+ 		update_range(range, 0, end - 1);
+ 
+ 	/* get mmconfig */
+-	get_pci_mmcfg_amd_fam10h_range();
++	fam10h_mmconf = amd_get_mmconfig_range(&fam10h_mmconf_res);
+ 	/* need to take out mmconf range */
+-	if (fam10h_mmconf_end) {
+-		printk(KERN_DEBUG "Fam 10h mmconf [%llx, %llx]\n", fam10h_mmconf_start, fam10h_mmconf_end);
++	if (fam10h_mmconf) {
++		printk(KERN_DEBUG "Fam 10h mmconf %pR\n", fam10h_mmconf);
++		fam10h_mmconf_start = fam10h_mmconf->start;
++		fam10h_mmconf_end = fam10h_mmconf->end;
+ 		update_range(range, fam10h_mmconf_start, fam10h_mmconf_end);
++	} else {
++		fam10h_mmconf_start = 0;
++		fam10h_mmconf_end = 0;
+ 	}
+ 
+ 	/* mmio resource */
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 0087b00..d52f895 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -945,7 +945,10 @@ static const struct pv_cpu_ops xen_cpu_ops __initdata = {
+ 	.wbinvd = native_wbinvd,
+ 
+ 	.read_msr = native_read_msr_safe,
++	.rdmsr_regs = native_rdmsr_safe_regs,
+ 	.write_msr = xen_write_msr_safe,
++	.wrmsr_regs = native_wrmsr_safe_regs,
++
+ 	.read_tsc = native_read_tsc,
+ 	.read_pmc = native_read_pmc,
+ 
+diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
+index 3f90a2c..8f4452c 100644
+--- a/arch/x86/xen/mmu.c
++++ b/arch/x86/xen/mmu.c
+@@ -987,10 +987,9 @@ static void xen_pgd_pin(struct mm_struct *mm)
+  */
+ void xen_mm_pin_all(void)
+ {
+-	unsigned long flags;
+ 	struct page *page;
+ 
+-	spin_lock_irqsave(&pgd_lock, flags);
++	spin_lock(&pgd_lock);
+ 
+ 	list_for_each_entry(page, &pgd_list, lru) {
+ 		if (!PagePinned(page)) {
+@@ -999,7 +998,7 @@ void xen_mm_pin_all(void)
+ 		}
+ 	}
+ 
+-	spin_unlock_irqrestore(&pgd_lock, flags);
++	spin_unlock(&pgd_lock);
+ }
+ 
+ /*
+@@ -1100,10 +1099,9 @@ static void xen_pgd_unpin(struct mm_struct *mm)
+  */
+ void xen_mm_unpin_all(void)
+ {
+-	unsigned long flags;
+ 	struct page *page;
+ 
+-	spin_lock_irqsave(&pgd_lock, flags);
++	spin_lock(&pgd_lock);
+ 
+ 	list_for_each_entry(page, &pgd_list, lru) {
+ 		if (PageSavePinned(page)) {
+@@ -1113,7 +1111,7 @@ void xen_mm_unpin_all(void)
+ 		}
+ 	}
+ 
+-	spin_unlock_irqrestore(&pgd_lock, flags);
++	spin_unlock(&pgd_lock);
+ }
+ 
+ void xen_activate_mm(struct mm_struct *prev, struct mm_struct *next)
+diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S
+index 79d7362..3e45aa0 100644
+--- a/arch/x86/xen/xen-asm.S
++++ b/arch/x86/xen/xen-asm.S
+@@ -96,7 +96,7 @@ ENTRY(xen_restore_fl_direct)
+ 
+ 	/* check for unmasked and pending */
+ 	cmpw $0x0001, PER_CPU_VAR(xen_vcpu_info) + XEN_vcpu_info_pending
+-	jz 1f
++	jnz 1f
+ 2:	call check_events
+ 1:
+ ENDPATCH(xen_restore_fl_direct)
+diff --git a/block/blk-ioc.c b/block/blk-ioc.c
+index d4ed600..cbdabb0 100644
+--- a/block/blk-ioc.c
++++ b/block/blk-ioc.c
+@@ -66,22 +66,22 @@ static void cfq_exit(struct io_context *ioc)
+ }
+ 
+ /* Called by the exitting task */
+-void exit_io_context(void)
++void exit_io_context(struct task_struct *task)
+ {
+ 	struct io_context *ioc;
+ 
+-	task_lock(current);
+-	ioc = current->io_context;
+-	current->io_context = NULL;
+-	task_unlock(current);
++	task_lock(task);
++	ioc = task->io_context;
++	task->io_context = NULL;
++	task_unlock(task);
+ 
+ 	if (atomic_dec_and_test(&ioc->nr_tasks)) {
+ 		if (ioc->aic && ioc->aic->exit)
+ 			ioc->aic->exit(ioc->aic);
+ 		cfq_exit(ioc);
+ 
+-		put_io_context(ioc);
+ 	}
++	put_io_context(ioc);
+ }
+ 
+ struct io_context *alloc_io_context(gfp_t gfp_flags, int node)
+diff --git a/crypto/sha512_generic.c b/crypto/sha512_generic.c
+index 107f6f7..dd30f40 100644
+--- a/crypto/sha512_generic.c
++++ b/crypto/sha512_generic.c
+@@ -174,7 +174,7 @@ sha512_update(struct shash_desc *desc, const u8 *data, unsigned int len)
+ 	index = sctx->count[0] & 0x7f;
+ 
+ 	/* Update number of bytes */
+-	if (!(sctx->count[0] += len))
++	if ((sctx->count[0] += len) < len)
+ 		sctx->count[1]++;
+ 
+         part_len = 128 - index;
+diff --git a/drivers/acpi/ac.c b/drivers/acpi/ac.c
+index b6ed60b..bc3f918 100644
+--- a/drivers/acpi/ac.c
++++ b/drivers/acpi/ac.c
+@@ -287,7 +287,9 @@ static int acpi_ac_add(struct acpi_device *device)
+ 	ac->charger.properties = ac_props;
+ 	ac->charger.num_properties = ARRAY_SIZE(ac_props);
+ 	ac->charger.get_property = get_ac_property;
+-	power_supply_register(&ac->device->dev, &ac->charger);
++	result = power_supply_register(&ac->device->dev, &ac->charger);
++	if (result)
++		goto end;
+ #endif
+ 
+ 	printk(KERN_INFO PREFIX "%s [%s] (%s)\n",
+diff --git a/drivers/block/cciss_scsi.c b/drivers/block/cciss_scsi.c
+index 3315268..ad8e592 100644
+--- a/drivers/block/cciss_scsi.c
++++ b/drivers/block/cciss_scsi.c
+@@ -747,17 +747,7 @@ complete_scsi_command( CommandList_struct *cp, int timeout, __u32 tag)
+ 		{
+ 			case CMD_TARGET_STATUS:
+ 				/* Pass it up to the upper layers... */
+-				if( ei->ScsiStatus)
+-                		{
+-#if 0
+-                    			printk(KERN_WARNING "cciss: cmd %p "
+-					"has SCSI Status = %x\n",
+-                        			cp,  
+-						ei->ScsiStatus); 
+-#endif
+-					cmd->result |= (ei->ScsiStatus < 1);
+-                		}
+-				else {  /* scsi status is zero??? How??? */
++				if (!ei->ScsiStatus) {
+ 					
+ 	/* Ordinarily, this case should never happen, but there is a bug
+ 	   in some released firmware revisions that allows it to happen
+diff --git a/drivers/block/sx8.c b/drivers/block/sx8.c
+index a7c4184..bcbfc20 100644
+--- a/drivers/block/sx8.c
++++ b/drivers/block/sx8.c
+@@ -1116,7 +1116,7 @@ static inline void carm_handle_resp(struct carm_host *host,
+ 			break;
+ 		case MISC_GET_FW_VER: {
+ 			struct carm_fw_ver *ver = (struct carm_fw_ver *)
+-				mem + sizeof(struct carm_msg_get_fw_ver);
++				(mem + sizeof(struct carm_msg_get_fw_ver));
+ 			if (!error) {
+ 				host->fw_ver = le32_to_cpu(ver->version);
+ 				host->flags |= (ver->features & FL_FW_VER_MASK);
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 75185a6..a562761 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -470,15 +470,10 @@ static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
+ 
+ 	pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
+ 
+-	urb->dev      = data->udev;
+-	urb->pipe     = pipe;
+-	urb->context  = hdev;
+-	urb->complete = btusb_isoc_complete;
+-	urb->interval = data->isoc_rx_ep->bInterval;
++	usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
++				hdev, data->isoc_rx_ep->bInterval);
+ 
+ 	urb->transfer_flags  = URB_FREE_BUFFER | URB_ISO_ASAP;
+-	urb->transfer_buffer = buf;
+-	urb->transfer_buffer_length = size;
+ 
+ 	__fill_isoc_descriptor(urb, size,
+ 			le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index e3d4eda..d68e2f5 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -312,9 +312,11 @@ static void hci_uart_tty_close(struct tty_struct *tty)
+ 			hci_uart_close(hdev);
+ 
+ 		if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
++			if (hdev) {
++				hci_unregister_dev(hdev);
++				hci_free_dev(hdev);
++			}
+ 			hu->proto->close(hu);
+-			hci_unregister_dev(hdev);
+-			hci_free_dev(hdev);
+ 		}
+ 	}
+ }
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 3a19e2d..446b20a 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -125,20 +125,32 @@
+  * The current exported interfaces for gathering environmental noise
+  * from the devices are:
+  *
++ *	void add_device_randomness(const void *buf, unsigned int size);
+  * 	void add_input_randomness(unsigned int type, unsigned int code,
+  *                                unsigned int value);
+- * 	void add_interrupt_randomness(int irq);
++ *	void add_interrupt_randomness(int irq, int irq_flags);
++ * 	void add_disk_randomness(struct gendisk *disk);
++ *
++ * add_device_randomness() is for adding data to the random pool that
++ * is likely to differ between two devices (or possibly even per boot).
++ * This would be things like MAC addresses or serial numbers, or the
++ * read-out of the RTC. This does *not* add any actual entropy to the
++ * pool, but it initializes the pool to different values for devices
++ * that might otherwise be identical and have very little entropy
++ * available to them (particularly common in the embedded world).
+  *
+  * add_input_randomness() uses the input layer interrupt timing, as well as
+  * the event type information from the hardware.
+  *
+- * add_interrupt_randomness() uses the inter-interrupt timing as random
+- * inputs to the entropy pool.  Note that not all interrupts are good
+- * sources of randomness!  For example, the timer interrupts is not a
+- * good choice, because the periodicity of the interrupts is too
+- * regular, and hence predictable to an attacker.  Disk interrupts are
+- * a better measure, since the timing of the disk interrupts are more
+- * unpredictable.
++ * add_interrupt_randomness() uses the interrupt timing as random
++ * inputs to the entropy pool. Using the cycle counters and the irq source
++ * as inputs, it feeds the randomness roughly once a second.
++ *
++ * add_disk_randomness() uses what amounts to the seek time of block
++ * layer request events, on a per-disk_devt basis, as input to the
++ * entropy pool. Note that high-speed solid state drives with very low
++ * seek times do not make for good sources of entropy, as their seek
++ * times are usually fairly consistent.
+  *
+  * All of these routines try to estimate how many bits of randomness a
+  * particular randomness source.  They do this by keeping track of the
+@@ -241,6 +253,8 @@
+ #include <linux/percpu.h>
+ #include <linux/cryptohash.h>
+ #include <linux/fips.h>
++#include <linux/ptrace.h>
++#include <linux/kmemcheck.h>
+ 
+ #ifdef CONFIG_GENERIC_HARDIRQS
+ # include <linux/irq.h>
+@@ -249,6 +263,7 @@
+ #include <asm/processor.h>
+ #include <asm/uaccess.h>
+ #include <asm/irq.h>
++#include <asm/irq_regs.h>
+ #include <asm/io.h>
+ 
+ /*
+@@ -257,6 +272,9 @@
+ #define INPUT_POOL_WORDS 128
+ #define OUTPUT_POOL_WORDS 32
+ #define SEC_XFER_SIZE 512
++#define EXTRACT_SIZE 10
++
++#define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
+ 
+ /*
+  * The minimum number of bits of entropy before we wake up a read on
+@@ -406,15 +424,17 @@ struct entropy_store {
+ 	struct poolinfo *poolinfo;
+ 	__u32 *pool;
+ 	const char *name;
+-	int limit;
+ 	struct entropy_store *pull;
++	int limit;
+ 
+ 	/* read-write data: */
+ 	spinlock_t lock;
+ 	unsigned add_ptr;
++	unsigned input_rotate;
+ 	int entropy_count;
+-	int input_rotate;
+-	__u8 *last_data;
++	int entropy_total;
++	unsigned int initialized:1;
++	__u8 last_data[EXTRACT_SIZE];
+ };
+ 
+ static __u32 input_pool_data[INPUT_POOL_WORDS];
+@@ -446,6 +466,10 @@ static struct entropy_store nonblocking_pool = {
+ 	.pool = nonblocking_pool_data
+ };
+ 
++static __u32 const twist_table[8] = {
++	0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
++	0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
++
+ /*
+  * This function adds bytes into the entropy "pool".  It does not
+  * update the entropy estimate.  The caller should call
+@@ -456,29 +480,24 @@ static struct entropy_store nonblocking_pool = {
+  * it's cheap to do so and helps slightly in the expected case where
+  * the entropy is concentrated in the low-order bits.
+  */
+-static void mix_pool_bytes_extract(struct entropy_store *r, const void *in,
+-				   int nbytes, __u8 out[64])
++static void __mix_pool_bytes(struct entropy_store *r, const void *in,
++			     int nbytes, __u8 out[64])
+ {
+-	static __u32 const twist_table[8] = {
+-		0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
+-		0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
+ 	unsigned long i, j, tap1, tap2, tap3, tap4, tap5;
+ 	int input_rotate;
+ 	int wordmask = r->poolinfo->poolwords - 1;
+ 	const char *bytes = in;
+ 	__u32 w;
+-	unsigned long flags;
+ 
+-	/* Taps are constant, so we can load them without holding r->lock.  */
+ 	tap1 = r->poolinfo->tap1;
+ 	tap2 = r->poolinfo->tap2;
+ 	tap3 = r->poolinfo->tap3;
+ 	tap4 = r->poolinfo->tap4;
+ 	tap5 = r->poolinfo->tap5;
+ 
+-	spin_lock_irqsave(&r->lock, flags);
+-	input_rotate = r->input_rotate;
+-	i = r->add_ptr;
++	smp_rmb();
++	input_rotate = ACCESS_ONCE(r->input_rotate);
++	i = ACCESS_ONCE(r->add_ptr);
+ 
+ 	/* mix one byte at a time to simplify size handling and churn faster */
+ 	while (nbytes--) {
+@@ -505,19 +524,53 @@ static void mix_pool_bytes_extract(struct entropy_store *r, const void *in,
+ 		input_rotate += i ? 7 : 14;
+ 	}
+ 
+-	r->input_rotate = input_rotate;
+-	r->add_ptr = i;
++	ACCESS_ONCE(r->input_rotate) = input_rotate;
++	ACCESS_ONCE(r->add_ptr) = i;
++	smp_wmb();
+ 
+ 	if (out)
+ 		for (j = 0; j < 16; j++)
+ 			((__u32 *)out)[j] = r->pool[(i - j) & wordmask];
++}
+ 
++static void mix_pool_bytes(struct entropy_store *r, const void *in,
++			     int nbytes, __u8 out[64])
++{
++	unsigned long flags;
++
++	spin_lock_irqsave(&r->lock, flags);
++	__mix_pool_bytes(r, in, nbytes, out);
+ 	spin_unlock_irqrestore(&r->lock, flags);
+ }
+ 
+-static void mix_pool_bytes(struct entropy_store *r, const void *in, int bytes)
++struct fast_pool {
++	__u32		pool[4];
++	unsigned long	last;
++	unsigned short	count;
++	unsigned char	rotate;
++	unsigned char	last_timer_intr;
++};
++
++/*
++ * This is a fast mixing routine used by the interrupt randomness
++ * collector.  It's hardcoded for an 128 bit pool and assumes that any
++ * locks that might be needed are taken by the caller.
++ */
++static void fast_mix(struct fast_pool *f, const void *in, int nbytes)
+ {
+-       mix_pool_bytes_extract(r, in, bytes, NULL);
++	const char	*bytes = in;
++	__u32		w;
++	unsigned	i = f->count;
++	unsigned	input_rotate = f->rotate;
++
++	while (nbytes--) {
++		w = rol32(*bytes++, input_rotate & 31) ^ f->pool[i & 3] ^
++			f->pool[(i + 1) & 3];
++		f->pool[i & 3] = (w >> 3) ^ twist_table[w & 7];
++		input_rotate += (i++ & 3) ? 7 : 14;
++	}
++	f->count = i;
++	f->rotate = input_rotate;
+ }
+ 
+ /*
+@@ -525,30 +578,34 @@ static void mix_pool_bytes(struct entropy_store *r, const void *in, int bytes)
+  */
+ static void credit_entropy_bits(struct entropy_store *r, int nbits)
+ {
+-	unsigned long flags;
+-	int entropy_count;
++	int entropy_count, orig;
+ 
+ 	if (!nbits)
+ 		return;
+ 
+-	spin_lock_irqsave(&r->lock, flags);
+-
+ 	DEBUG_ENT("added %d entropy credits to %s\n", nbits, r->name);
+-	entropy_count = r->entropy_count;
++retry:
++	entropy_count = orig = ACCESS_ONCE(r->entropy_count);
+ 	entropy_count += nbits;
+ 	if (entropy_count < 0) {
+ 		DEBUG_ENT("negative entropy/overflow\n");
+ 		entropy_count = 0;
+ 	} else if (entropy_count > r->poolinfo->POOLBITS)
+ 		entropy_count = r->poolinfo->POOLBITS;
+-	r->entropy_count = entropy_count;
++	if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
++		goto retry;
++
++	if (!r->initialized && nbits > 0) {
++		r->entropy_total += nbits;
++		if (r->entropy_total > 128)
++			r->initialized = 1;
++	}
+ 
+ 	/* should we wake readers? */
+ 	if (r == &input_pool && entropy_count >= random_read_wakeup_thresh) {
+ 		wake_up_interruptible(&random_read_wait);
+ 		kill_fasync(&fasync, SIGIO, POLL_IN);
+ 	}
+-	spin_unlock_irqrestore(&r->lock, flags);
+ }
+ 
+ /*********************************************************************
+@@ -564,42 +621,24 @@ struct timer_rand_state {
+ 	unsigned dont_count_entropy:1;
+ };
+ 
+-#ifndef CONFIG_GENERIC_HARDIRQS
+-
+-static struct timer_rand_state *irq_timer_state[NR_IRQS];
+-
+-static struct timer_rand_state *get_timer_rand_state(unsigned int irq)
+-{
+-	return irq_timer_state[irq];
+-}
+-
+-static void set_timer_rand_state(unsigned int irq,
+-				 struct timer_rand_state *state)
+-{
+-	irq_timer_state[irq] = state;
+-}
+-
+-#else
+-
+-static struct timer_rand_state *get_timer_rand_state(unsigned int irq)
+-{
+-	struct irq_desc *desc;
+-
+-	desc = irq_to_desc(irq);
+-
+-	return desc->timer_rand_state;
+-}
+-
+-static void set_timer_rand_state(unsigned int irq,
+-				 struct timer_rand_state *state)
++/*
++ * Add device- or boot-specific data to the input and nonblocking
++ * pools to help initialize them to unique values.
++ *
++ * None of this adds any entropy, it is meant to avoid the
++ * problem of the nonblocking pool having similar initial state
++ * across largely identical devices.
++ */
++void add_device_randomness(const void *buf, unsigned int size)
+ {
+-	struct irq_desc *desc;
+-
+-	desc = irq_to_desc(irq);
++	unsigned long time = get_cycles() ^ jiffies;
+ 
+-	desc->timer_rand_state = state;
++	mix_pool_bytes(&input_pool, buf, size, NULL);
++	mix_pool_bytes(&input_pool, &time, sizeof(time), NULL);
++	mix_pool_bytes(&nonblocking_pool, buf, size, NULL);
++	mix_pool_bytes(&nonblocking_pool, &time, sizeof(time), NULL);
+ }
+-#endif
++EXPORT_SYMBOL(add_device_randomness);
+ 
+ static struct timer_rand_state input_timer_state;
+ 
+@@ -616,8 +655,8 @@ static struct timer_rand_state input_timer_state;
+ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
+ {
+ 	struct {
+-		cycles_t cycles;
+ 		long jiffies;
++		unsigned cycles;
+ 		unsigned num;
+ 	} sample;
+ 	long delta, delta2, delta3;
+@@ -631,7 +670,7 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
+ 	sample.jiffies = jiffies;
+ 	sample.cycles = get_cycles();
+ 	sample.num = num;
+-	mix_pool_bytes(&input_pool, &sample, sizeof(sample));
++	mix_pool_bytes(&input_pool, &sample, sizeof(sample), NULL);
+ 
+ 	/*
+ 	 * Calculate number of bits of randomness we probably added.
+@@ -688,17 +727,48 @@ void add_input_randomness(unsigned int type, unsigned int code,
+ }
+ EXPORT_SYMBOL_GPL(add_input_randomness);
+ 
+-void add_interrupt_randomness(int irq)
++static DEFINE_PER_CPU(struct fast_pool, irq_randomness);
++
++void add_interrupt_randomness(int irq, int irq_flags)
+ {
+-	struct timer_rand_state *state;
++	struct entropy_store	*r;
++	struct fast_pool	*fast_pool = &__get_cpu_var(irq_randomness);
++	struct pt_regs		*regs = get_irq_regs();
++	unsigned long		now = jiffies;
++	__u32			input[4], cycles = get_cycles();
++
++	input[0] = cycles ^ jiffies;
++	input[1] = irq;
++	if (regs) {
++		__u64 ip = instruction_pointer(regs);
++		input[2] = ip;
++		input[3] = ip >> 32;
++	}
+ 
+-	state = get_timer_rand_state(irq);
++	fast_mix(fast_pool, input, sizeof(input));
+ 
+-	if (state == NULL)
++	if ((fast_pool->count & 1023) &&
++	    !time_after(now, fast_pool->last + HZ))
+ 		return;
+ 
+-	DEBUG_ENT("irq event %d\n", irq);
+-	add_timer_randomness(state, 0x100 + irq);
++	fast_pool->last = now;
++
++	r = nonblocking_pool.initialized ? &input_pool : &nonblocking_pool;
++	__mix_pool_bytes(r, &fast_pool->pool, sizeof(fast_pool->pool), NULL);
++	/*
++	 * If we don't have a valid cycle counter, and we see
++	 * back-to-back timer interrupts, then skip giving credit for
++	 * any entropy.
++	 */
++	if (cycles == 0) {
++		if (irq_flags & __IRQF_TIMER) {
++			if (fast_pool->last_timer_intr)
++				return;
++			fast_pool->last_timer_intr = 1;
++		} else
++			fast_pool->last_timer_intr = 0;
++	}
++	credit_entropy_bits(r, 1);
+ }
+ 
+ #ifdef CONFIG_BLOCK
+@@ -714,8 +784,6 @@ void add_disk_randomness(struct gendisk *disk)
+ }
+ #endif
+ 
+-#define EXTRACT_SIZE 10
+-
+ /*********************************************************************
+  *
+  * Entropy extraction routines
+@@ -732,7 +800,7 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+  */
+ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
+ {
+-	__u32 tmp[OUTPUT_POOL_WORDS];
++	__u32	tmp[OUTPUT_POOL_WORDS];
+ 
+ 	if (r->pull && r->entropy_count < nbytes * 8 &&
+ 	    r->entropy_count < r->poolinfo->POOLBITS) {
+@@ -751,7 +819,7 @@ static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
+ 
+ 		bytes = extract_entropy(r->pull, tmp, bytes,
+ 					random_read_wakeup_thresh / 8, rsvd);
+-		mix_pool_bytes(r, tmp, bytes);
++		mix_pool_bytes(r, tmp, bytes, NULL);
+ 		credit_entropy_bits(r, bytes*8);
+ 	}
+ }
+@@ -810,13 +878,19 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
+ static void extract_buf(struct entropy_store *r, __u8 *out)
+ {
+ 	int i;
+-	__u32 hash[5], workspace[SHA_WORKSPACE_WORDS];
++	union {
++		__u32 w[5];
++		unsigned long l[LONGS(EXTRACT_SIZE)];
++	} hash;
++	__u32 workspace[SHA_WORKSPACE_WORDS];
+ 	__u8 extract[64];
++	unsigned long flags;
+ 
+ 	/* Generate a hash across the pool, 16 words (512 bits) at a time */
+-	sha_init(hash);
++	sha_init(hash.w);
++	spin_lock_irqsave(&r->lock, flags);
+ 	for (i = 0; i < r->poolinfo->poolwords; i += 16)
+-		sha_transform(hash, (__u8 *)(r->pool + i), workspace);
++		sha_transform(hash.w, (__u8 *)(r->pool + i), workspace);
+ 
+ 	/*
+ 	 * We mix the hash back into the pool to prevent backtracking
+@@ -827,13 +901,14 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ 	 * brute-forcing the feedback as hard as brute-forcing the
+ 	 * hash.
+ 	 */
+-	mix_pool_bytes_extract(r, hash, sizeof(hash), extract);
++	__mix_pool_bytes(r, hash.w, sizeof(hash.w), extract);
++	spin_unlock_irqrestore(&r->lock, flags);
+ 
+ 	/*
+ 	 * To avoid duplicates, we atomically extract a portion of the
+ 	 * pool while mixing, and hash one final time.
+ 	 */
+-	sha_transform(hash, extract, workspace);
++	sha_transform(hash.w, extract, workspace);
+ 	memset(extract, 0, sizeof(extract));
+ 	memset(workspace, 0, sizeof(workspace));
+ 
+@@ -842,19 +917,30 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ 	 * pattern, we fold it in half. Thus, we always feed back
+ 	 * twice as much data as we output.
+ 	 */
+-	hash[0] ^= hash[3];
+-	hash[1] ^= hash[4];
+-	hash[2] ^= rol32(hash[2], 16);
+-	memcpy(out, hash, EXTRACT_SIZE);
+-	memset(hash, 0, sizeof(hash));
++	hash.w[0] ^= hash.w[3];
++	hash.w[1] ^= hash.w[4];
++	hash.w[2] ^= rol32(hash.w[2], 16);
++
++	/*
++	 * If we have a architectural hardware random number
++	 * generator, mix that in, too.
++	 */
++	for (i = 0; i < LONGS(EXTRACT_SIZE); i++) {
++		unsigned long v;
++		if (!arch_get_random_long(&v))
++			break;
++		hash.l[i] ^= v;
++	}
++
++	memcpy(out, &hash, EXTRACT_SIZE);
++	memset(&hash, 0, sizeof(hash));
+ }
+ 
+ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+-			       size_t nbytes, int min, int reserved)
++				 size_t nbytes, int min, int reserved)
+ {
+ 	ssize_t ret = 0, i;
+ 	__u8 tmp[EXTRACT_SIZE];
+-	unsigned long flags;
+ 
+ 	xfer_secondary_pool(r, nbytes);
+ 	nbytes = account(r, nbytes, min, reserved);
+@@ -862,7 +948,9 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
+ 	while (nbytes) {
+ 		extract_buf(r, tmp);
+ 
+-		if (r->last_data) {
++		if (fips_enabled) {
++			unsigned long flags;
++
+ 			spin_lock_irqsave(&r->lock, flags);
+ 			if (!memcmp(tmp, r->last_data, EXTRACT_SIZE))
+ 				panic("Hardware RNG duplicated output!\n");
+@@ -921,8 +1009,9 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
+ 
+ /*
+  * This function is the exported kernel interface.  It returns some
+- * number of good random numbers, suitable for seeding TCP sequence
+- * numbers, etc.
++ * number of good random numbers, suitable for key generation, seeding
++ * TCP sequence numbers, etc.  It does not use the hw random number
++ * generator, if available; use get_random_bytes_arch() for that.
+  */
+ void get_random_bytes(void *buf, int nbytes)
+ {
+@@ -931,6 +1020,38 @@ void get_random_bytes(void *buf, int nbytes)
+ EXPORT_SYMBOL(get_random_bytes);
+ 
+ /*
++ * This function will use the architecture-specific hardware random
++ * number generator if it is available.  The arch-specific hw RNG will
++ * almost certainly be faster than what we can do in software, but it
++ * is impossible to verify that it is implemented securely (as
++ * opposed, to, say, the AES encryption of a sequence number using a
++ * key known by the NSA).  So it's useful if we need the speed, but
++ * only if we're willing to trust the hardware manufacturer not to
++ * have put in a back door.
++ */
++void get_random_bytes_arch(void *buf, int nbytes)
++{
++	char *p = buf;
++
++	while (nbytes) {
++		unsigned long v;
++		int chunk = min(nbytes, (int)sizeof(unsigned long));
++
++		if (!arch_get_random_long(&v))
++			break;
++
++		memcpy(p, &v, chunk);
++		p += chunk;
++		nbytes -= chunk;
++	}
++
++	if (nbytes)
++		extract_entropy(&nonblocking_pool, p, nbytes, 0, 0);
++}
++EXPORT_SYMBOL(get_random_bytes_arch);
++
++
++/*
+  * init_std_data - initialize pool with system data
+  *
+  * @r: pool to initialize
+@@ -941,21 +1062,31 @@ EXPORT_SYMBOL(get_random_bytes);
+  */
+ static void init_std_data(struct entropy_store *r)
+ {
+-	ktime_t now;
+-	unsigned long flags;
++	int i;
++	ktime_t now = ktime_get_real();
++	unsigned long rv;
+ 
+-	spin_lock_irqsave(&r->lock, flags);
+ 	r->entropy_count = 0;
+-	spin_unlock_irqrestore(&r->lock, flags);
+-
+-	now = ktime_get_real();
+-	mix_pool_bytes(r, &now, sizeof(now));
+-	mix_pool_bytes(r, utsname(), sizeof(*(utsname())));
+-	/* Enable continuous test in fips mode */
+-	if (fips_enabled)
+-		r->last_data = kmalloc(EXTRACT_SIZE, GFP_KERNEL);
++	r->entropy_total = 0;
++	mix_pool_bytes(r, &now, sizeof(now), NULL);
++	for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof(rv)) {
++		if (!arch_get_random_long(&rv))
++			break;
++		mix_pool_bytes(r, &rv, sizeof(rv), NULL);
++	}
++	mix_pool_bytes(r, utsname(), sizeof(*(utsname())), NULL);
+ }
+ 
++/*
++ * Note that setup_arch() may call add_device_randomness()
++ * long before we get here. This allows seeding of the pools
++ * with some platform dependent data very early in the boot
++ * process. But it limits our options here. We must use
++ * statically allocated structures that already have all
++ * initializations complete at compile time. We should also
++ * take care not to overwrite the precious per platform data
++ * we were given.
++ */
+ static int rand_initialize(void)
+ {
+ 	init_std_data(&input_pool);
+@@ -965,24 +1096,6 @@ static int rand_initialize(void)
+ }
+ module_init(rand_initialize);
+ 
+-void rand_initialize_irq(int irq)
+-{
+-	struct timer_rand_state *state;
+-
+-	state = get_timer_rand_state(irq);
+-
+-	if (state)
+-		return;
+-
+-	/*
+-	 * If kzalloc returns null, we just won't use that entropy
+-	 * source.
+-	 */
+-	state = kzalloc(sizeof(struct timer_rand_state), GFP_KERNEL);
+-	if (state)
+-		set_timer_rand_state(irq, state);
+-}
+-
+ #ifdef CONFIG_BLOCK
+ void rand_initialize_disk(struct gendisk *disk)
+ {
+@@ -1090,7 +1203,7 @@ write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
+ 		count -= bytes;
+ 		p += bytes;
+ 
+-		mix_pool_bytes(r, buf, bytes);
++		mix_pool_bytes(r, buf, bytes, NULL);
+ 		cond_resched();
+ 	}
+ 
+@@ -1231,10 +1344,15 @@ static int proc_do_uuid(ctl_table *table, int write,
+ 	uuid = table->data;
+ 	if (!uuid) {
+ 		uuid = tmp_uuid;
+-		uuid[8] = 0;
+-	}
+-	if (uuid[8] == 0)
+ 		generate_random_uuid(uuid);
++	} else {
++		static DEFINE_SPINLOCK(bootid_spinlock);
++
++		spin_lock(&bootid_spinlock);
++		if (!uuid[8])
++			generate_random_uuid(uuid);
++		spin_unlock(&bootid_spinlock);
++	}
+ 
+ 	sprintf(buf, "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-"
+ 		"%02x%02x%02x%02x%02x%02x",
+@@ -1357,9 +1475,14 @@ late_initcall(random_int_secret_init);
+ DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash);
+ unsigned int get_random_int(void)
+ {
+-	__u32 *hash = get_cpu_var(get_random_int_hash);
++	__u32 *hash;
+ 	unsigned int ret;
+ 
++	if (arch_get_random_int(&ret))
++		return ret;
++
++	hash = get_cpu_var(get_random_int_hash);
++
+ 	hash[0] += current->pid + jiffies + get_cycles();
+ 	md5_transform(hash, random_int_secret);
+ 	ret = hash[0];
+diff --git a/drivers/char/tty_audit.c b/drivers/char/tty_audit.c
+index ac16fbe..dd4691a 100644
+--- a/drivers/char/tty_audit.c
++++ b/drivers/char/tty_audit.c
+@@ -94,8 +94,10 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
+ {
+ 	if (buf->valid == 0)
+ 		return;
+-	if (audit_enabled == 0)
++	if (audit_enabled == 0) {
++		buf->valid = 0;
+ 		return;
++	}
+ 	tty_audit_log("tty", tsk, loginuid, sessionid, buf->major, buf->minor,
+ 		      buf->data, buf->valid);
+ 	buf->valid = 0;
+diff --git a/drivers/dma/ioat/dma_v2.c b/drivers/dma/ioat/dma_v2.c
+index 5cc37af..d1be371 100644
+--- a/drivers/dma/ioat/dma_v2.c
++++ b/drivers/dma/ioat/dma_v2.c
+@@ -51,48 +51,40 @@ MODULE_PARM_DESC(ioat_ring_max_alloc_order,
+ 
+ void __ioat2_issue_pending(struct ioat2_dma_chan *ioat)
+ {
+-	void * __iomem reg_base = ioat->base.reg_base;
++	struct ioat_chan_common *chan = &ioat->base;
+ 
+-	ioat->pending = 0;
+ 	ioat->dmacount += ioat2_ring_pending(ioat);
+ 	ioat->issued = ioat->head;
+ 	/* make descriptor updates globally visible before notifying channel */
+ 	wmb();
+-	writew(ioat->dmacount, reg_base + IOAT_CHAN_DMACOUNT_OFFSET);
+-	dev_dbg(to_dev(&ioat->base),
++	writew(ioat->dmacount, chan->reg_base + IOAT_CHAN_DMACOUNT_OFFSET);
++	dev_dbg(to_dev(chan),
+ 		"%s: head: %#x tail: %#x issued: %#x count: %#x\n",
+ 		__func__, ioat->head, ioat->tail, ioat->issued, ioat->dmacount);
+ }
+ 
+-void ioat2_issue_pending(struct dma_chan *chan)
++void ioat2_issue_pending(struct dma_chan *c)
+ {
+-	struct ioat2_dma_chan *ioat = to_ioat2_chan(chan);
++	struct ioat2_dma_chan *ioat = to_ioat2_chan(c);
+ 
+-	spin_lock_bh(&ioat->ring_lock);
+-	if (ioat->pending == 1)
++	if (ioat2_ring_pending(ioat)) {
++		spin_lock_bh(&ioat->ring_lock);
+ 		__ioat2_issue_pending(ioat);
+-	spin_unlock_bh(&ioat->ring_lock);
++		spin_unlock_bh(&ioat->ring_lock);
++	}
+ }
+ 
+ /**
+  * ioat2_update_pending - log pending descriptors
+  * @ioat: ioat2+ channel
+  *
+- * set pending to '1' unless pending is already set to '2', pending == 2
+- * indicates that submission is temporarily blocked due to an in-flight
+- * reset.  If we are already above the ioat_pending_level threshold then
+- * just issue pending.
+- *
+- * called with ring_lock held
++ * Check if the number of unsubmitted descriptors has exceeded the
++ * watermark.  Called with ring_lock held
+  */
+ static void ioat2_update_pending(struct ioat2_dma_chan *ioat)
+ {
+-	if (unlikely(ioat->pending == 2))
+-		return;
+-	else if (ioat2_ring_pending(ioat) > ioat_pending_level)
++	if (ioat2_ring_pending(ioat) > ioat_pending_level)
+ 		__ioat2_issue_pending(ioat);
+-	else
+-		ioat->pending = 1;
+ }
+ 
+ static void __ioat2_start_null_desc(struct ioat2_dma_chan *ioat)
+@@ -546,7 +538,6 @@ int ioat2_alloc_chan_resources(struct dma_chan *c)
+ 	ioat->head = 0;
+ 	ioat->issued = 0;
+ 	ioat->tail = 0;
+-	ioat->pending = 0;
+ 	ioat->alloc_order = order;
+ 	spin_unlock_bh(&ioat->ring_lock);
+ 
+@@ -815,7 +806,6 @@ void ioat2_free_chan_resources(struct dma_chan *c)
+ 
+ 	chan->last_completion = 0;
+ 	chan->completion_dma = 0;
+-	ioat->pending = 0;
+ 	ioat->dmacount = 0;
+ }
+ 
+diff --git a/drivers/dma/ioat/dma_v2.h b/drivers/dma/ioat/dma_v2.h
+index 3afad8d..d211335 100644
+--- a/drivers/dma/ioat/dma_v2.h
++++ b/drivers/dma/ioat/dma_v2.h
+@@ -47,7 +47,6 @@ extern int ioat_ring_alloc_order;
+  * @head: allocated index
+  * @issued: hardware notification point
+  * @tail: cleanup index
+- * @pending: lock free indicator for issued != head
+  * @dmacount: identical to 'head' except for occasionally resetting to zero
+  * @alloc_order: log2 of the number of allocated descriptors
+  * @ring: software ring buffer implementation of hardware ring
+@@ -61,7 +60,6 @@ struct ioat2_dma_chan {
+ 	u16 tail;
+ 	u16 dmacount;
+ 	u16 alloc_order;
+-	int pending;
+ 	struct ioat_ring_ent **ring;
+ 	spinlock_t ring_lock;
+ };
+diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
+index 3a2ccb0..10a4246 100644
+--- a/drivers/firmware/dmi_scan.c
++++ b/drivers/firmware/dmi_scan.c
+@@ -6,6 +6,7 @@
+ #include <linux/efi.h>
+ #include <linux/bootmem.h>
+ #include <linux/slab.h>
++#include <linux/random.h>
+ #include <asm/dmi.h>
+ 
+ /*
+@@ -111,6 +112,8 @@ static int __init dmi_walk_early(void (*decode)(const struct dmi_header *,
+ 
+ 	dmi_table(buf, dmi_len, dmi_num, decode, NULL);
+ 
++	add_device_randomness(buf, dmi_len);
++
+ 	dmi_iounmap(buf, dmi_len);
+ 	return 0;
+ }
+diff --git a/drivers/firmware/pcdp.c b/drivers/firmware/pcdp.c
+index 51e0e2d..a330492 100644
+--- a/drivers/firmware/pcdp.c
++++ b/drivers/firmware/pcdp.c
+@@ -95,7 +95,7 @@ efi_setup_pcdp_console(char *cmdline)
+ 	if (efi.hcdp == EFI_INVALID_TABLE_ADDR)
+ 		return -ENODEV;
+ 
+-	pcdp = ioremap(efi.hcdp, 4096);
++	pcdp = early_ioremap(efi.hcdp, 4096);
+ 	printk(KERN_INFO "PCDP: v%d at 0x%lx\n", pcdp->rev, efi.hcdp);
+ 
+ 	if (strstr(cmdline, "console=hcdp")) {
+@@ -131,6 +131,6 @@ efi_setup_pcdp_console(char *cmdline)
+ 	}
+ 
+ out:
+-	iounmap(pcdp);
++	early_iounmap(pcdp, 4096);
+ 	return rc;
+ }
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index 79cc437..25b3e90 100644
+diff --git a/drivers/mfd/wm831x-otp.c b/drivers/mfd/wm831x-otp.c
+index f742745..b90f3e0 100644
+--- a/drivers/mfd/wm831x-otp.c
++++ b/drivers/mfd/wm831x-otp.c
+@@ -18,6 +18,7 @@
+ #include <linux/bcd.h>
+ #include <linux/delay.h>
+ #include <linux/mfd/core.h>
++#include <linux/random.h>
+ 
+ #include <linux/mfd/wm831x/core.h>
+ #include <linux/mfd/wm831x/otp.h>
+@@ -66,6 +67,7 @@ static DEVICE_ATTR(unique_id, 0444, wm831x_unique_id_show, NULL);
+ 
+ int wm831x_otp_init(struct wm831x *wm831x)
+ {
++	char uuid[WM831X_UNIQUE_ID_LEN];
+ 	int ret;
+ 
+ 	ret = device_create_file(wm831x->dev, &dev_attr_unique_id);
+@@ -73,6 +75,12 @@ int wm831x_otp_init(struct wm831x *wm831x)
+ 		dev_err(wm831x->dev, "Unique ID attribute not created: %d\n",
+ 			ret);
+ 
++	ret = wm831x_unique_id_read(wm831x, uuid);
++	if (ret == 0)
++		add_device_randomness(uuid, sizeof(uuid));
++	else
++		dev_err(wm831x->dev, "Failed to read UUID: %d\n", ret);
++
+ 	return ret;
+ }
+ 
+diff --git a/drivers/mtd/nand/cafe_nand.c b/drivers/mtd/nand/cafe_nand.c
+index c828d9a..97b9c7b 100644
+--- a/drivers/mtd/nand/cafe_nand.c
++++ b/drivers/mtd/nand/cafe_nand.c
+@@ -103,7 +103,7 @@ static const char *part_probes[] = { "cmdlinepart", "RedBoot", NULL };
+ static int cafe_device_ready(struct mtd_info *mtd)
+ {
+ 	struct cafe_priv *cafe = mtd->priv;
+-	int result = !!(cafe_readl(cafe, NAND_STATUS) | 0x40000000);
++	int result = !!(cafe_readl(cafe, NAND_STATUS) & 0x40000000);
+ 	uint32_t irqs = cafe_readl(cafe, NAND_IRQ);
+ 
+ 	cafe_writel(cafe, irqs, NAND_IRQ);
+diff --git a/drivers/net/atlx/atl1.c b/drivers/net/atlx/atl1.c
+index 403bfb6..adc862f 100644
+--- a/drivers/net/atlx/atl1.c
++++ b/drivers/net/atlx/atl1.c
+@@ -2478,7 +2478,7 @@ static irqreturn_t atl1_intr(int irq, void *data)
+ 					"pcie phy link down %x\n", status);
+ 			if (netif_running(adapter->netdev)) {	/* reset MAC */
+ 				iowrite32(0, adapter->hw.hw_addr + REG_IMR);
+-				schedule_work(&adapter->pcie_dma_to_rst_task);
++				schedule_work(&adapter->reset_dev_task);
+ 				return IRQ_HANDLED;
+ 			}
+ 		}
+@@ -2490,7 +2490,7 @@ static irqreturn_t atl1_intr(int irq, void *data)
+ 					"pcie DMA r/w error (status = 0x%x)\n",
+ 					status);
+ 			iowrite32(0, adapter->hw.hw_addr + REG_IMR);
+-			schedule_work(&adapter->pcie_dma_to_rst_task);
++			schedule_work(&adapter->reset_dev_task);
+ 			return IRQ_HANDLED;
+ 		}
+ 
+@@ -2635,10 +2635,10 @@ static void atl1_down(struct atl1_adapter *adapter)
+ 	atl1_clean_rx_ring(adapter);
+ }
+ 
+-static void atl1_tx_timeout_task(struct work_struct *work)
++static void atl1_reset_dev_task(struct work_struct *work)
+ {
+ 	struct atl1_adapter *adapter =
+-		container_of(work, struct atl1_adapter, tx_timeout_task);
++		container_of(work, struct atl1_adapter, reset_dev_task);
+ 	struct net_device *netdev = adapter->netdev;
+ 
+ 	netif_device_detach(netdev);
+@@ -3050,12 +3050,10 @@ static int __devinit atl1_probe(struct pci_dev *pdev,
+ 		    (unsigned long)adapter);
+ 	adapter->phy_timer_pending = false;
+ 
+-	INIT_WORK(&adapter->tx_timeout_task, atl1_tx_timeout_task);
++	INIT_WORK(&adapter->reset_dev_task, atl1_reset_dev_task);
+ 
+ 	INIT_WORK(&adapter->link_chg_task, atlx_link_chg_task);
+ 
+-	INIT_WORK(&adapter->pcie_dma_to_rst_task, atl1_tx_timeout_task);
+-
+ 	err = register_netdev(netdev);
+ 	if (err)
+ 		goto err_common;
+diff --git a/drivers/net/atlx/atl1.h b/drivers/net/atlx/atl1.h
+index 146372f..0494e514 100644
+--- a/drivers/net/atlx/atl1.h
++++ b/drivers/net/atlx/atl1.h
+@@ -762,9 +762,8 @@ struct atl1_adapter {
+ 	u16 link_speed;
+ 	u16 link_duplex;
+ 	spinlock_t lock;
+-	struct work_struct tx_timeout_task;
++	struct work_struct reset_dev_task;
+ 	struct work_struct link_chg_task;
+-	struct work_struct pcie_dma_to_rst_task;
+ 
+ 	struct timer_list phy_config_timer;
+ 	bool phy_timer_pending;
+diff --git a/drivers/net/atlx/atlx.c b/drivers/net/atlx/atlx.c
+index 3dc0142..ce09b95 100644
+--- a/drivers/net/atlx/atlx.c
++++ b/drivers/net/atlx/atlx.c
+@@ -189,7 +189,7 @@ static void atlx_tx_timeout(struct net_device *netdev)
+ {
+ 	struct atlx_adapter *adapter = netdev_priv(netdev);
+ 	/* Do the reset outside of interrupt context */
+-	schedule_work(&adapter->tx_timeout_task);
++	schedule_work(&adapter->reset_dev_task);
+ }
+ 
+ /*
+diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
+index 223990d..05308e6 100644
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -1471,8 +1471,11 @@ static struct aggregator *ad_agg_selection_test(struct aggregator *best,
+ 
+ static int agg_device_up(const struct aggregator *agg)
+ {
+-	return (netif_running(agg->slave->dev) &&
+-		netif_carrier_ok(agg->slave->dev));
++	struct port *port = agg->lag_ports;
++	if (!port)
++		return 0;
++	return (netif_running(port->slave->dev) &&
++		netif_carrier_ok(port->slave->dev));
+ }
+ 
+ /**
+diff --git a/drivers/net/dl2k.c b/drivers/net/dl2k.c
+index 7fa7a90..c2f9313 100644
+--- a/drivers/net/dl2k.c
++++ b/drivers/net/dl2k.c
+@@ -1279,55 +1279,21 @@ rio_ioctl (struct net_device *dev, struct ifreq *rq, int cmd)
+ {
+ 	int phy_addr;
+ 	struct netdev_private *np = netdev_priv(dev);
+-	struct mii_data *miidata = (struct mii_data *) &rq->ifr_ifru;
+-
+-	struct netdev_desc *desc;
+-	int i;
++	struct mii_ioctl_data *miidata = if_mii(rq);
+ 
+ 	phy_addr = np->phy_addr;
+ 	switch (cmd) {
+-	case SIOCDEVPRIVATE:
+-		break;
+-
+-	case SIOCDEVPRIVATE + 1:
+-		miidata->out_value = mii_read (dev, phy_addr, miidata->reg_num);
++	case SIOCGMIIPHY:
++		miidata->phy_id = phy_addr;
+ 		break;
+-	case SIOCDEVPRIVATE + 2:
+-		mii_write (dev, phy_addr, miidata->reg_num, miidata->in_value);
++	case SIOCGMIIREG:
++		miidata->val_out = mii_read (dev, phy_addr, miidata->reg_num);
+ 		break;
+-	case SIOCDEVPRIVATE + 3:
+-		break;
+-	case SIOCDEVPRIVATE + 4:
+-		break;
+-	case SIOCDEVPRIVATE + 5:
+-		netif_stop_queue (dev);
++	case SIOCSMIIREG:
++		if (!capable(CAP_NET_ADMIN))
++			return -EPERM;
++		mii_write (dev, phy_addr, miidata->reg_num, miidata->val_in);
+ 		break;
+-	case SIOCDEVPRIVATE + 6:
+-		netif_wake_queue (dev);
+-		break;
+-	case SIOCDEVPRIVATE + 7:
+-		printk
+-		    ("tx_full=%x cur_tx=%lx old_tx=%lx cur_rx=%lx old_rx=%lx\n",
+-		     netif_queue_stopped(dev), np->cur_tx, np->old_tx, np->cur_rx,
+-		     np->old_rx);
+-		break;
+-	case SIOCDEVPRIVATE + 8:
+-		printk("TX ring:\n");
+-		for (i = 0; i < TX_RING_SIZE; i++) {
+-			desc = &np->tx_ring[i];
+-			printk
+-			    ("%02x:cur:%08x next:%08x status:%08x frag1:%08x frag0:%08x",
+-			     i,
+-			     (u32) (np->tx_ring_dma + i * sizeof (*desc)),
+-			     (u32)le64_to_cpu(desc->next_desc),
+-			     (u32)le64_to_cpu(desc->status),
+-			     (u32)(le64_to_cpu(desc->fraginfo) >> 32),
+-			     (u32)le64_to_cpu(desc->fraginfo));
+-			printk ("\n");
+-		}
+-		printk ("\n");
+-		break;
+-
+ 	default:
+ 		return -EOPNOTSUPP;
+ 	}
+@@ -1448,7 +1414,7 @@ mii_wait_link (struct net_device *dev, int wait)
+ 
+ 	do {
+ 		bmsr = mii_read (dev, phy_addr, MII_BMSR);
+-		if (bmsr & MII_BMSR_LINK_STATUS)
++		if (bmsr & BMSR_LSTATUS)
+ 			return 0;
+ 		mdelay (1);
+ 	} while (--wait > 0);
+@@ -1469,60 +1435,60 @@ mii_get_media (struct net_device *dev)
+ 
+ 	bmsr = mii_read (dev, phy_addr, MII_BMSR);
+ 	if (np->an_enable) {
+-		if (!(bmsr & MII_BMSR_AN_COMPLETE)) {
++		if (!(bmsr & BMSR_ANEGCOMPLETE)) {
+ 			/* Auto-Negotiation not completed */
+ 			return -1;
+ 		}
+-		negotiate = mii_read (dev, phy_addr, MII_ANAR) &
+-			mii_read (dev, phy_addr, MII_ANLPAR);
+-		mscr = mii_read (dev, phy_addr, MII_MSCR);
+-		mssr = mii_read (dev, phy_addr, MII_MSSR);
+-		if (mscr & MII_MSCR_1000BT_FD && mssr & MII_MSSR_LP_1000BT_FD) {
++		negotiate = mii_read (dev, phy_addr, MII_ADVERTISE) &
++			mii_read (dev, phy_addr, MII_LPA);
++		mscr = mii_read (dev, phy_addr, MII_CTRL1000);
++		mssr = mii_read (dev, phy_addr, MII_STAT1000);
++		if (mscr & ADVERTISE_1000FULL && mssr & LPA_1000FULL) {
+ 			np->speed = 1000;
+ 			np->full_duplex = 1;
+ 			printk (KERN_INFO "Auto 1000 Mbps, Full duplex\n");
+-		} else if (mscr & MII_MSCR_1000BT_HD && mssr & MII_MSSR_LP_1000BT_HD) {
++		} else if (mscr & ADVERTISE_1000HALF && mssr & LPA_1000HALF) {
+ 			np->speed = 1000;
+ 			np->full_duplex = 0;
+ 			printk (KERN_INFO "Auto 1000 Mbps, Half duplex\n");
+-		} else if (negotiate & MII_ANAR_100BX_FD) {
++		} else if (negotiate & ADVERTISE_100FULL) {
+ 			np->speed = 100;
+ 			np->full_duplex = 1;
+ 			printk (KERN_INFO "Auto 100 Mbps, Full duplex\n");
+-		} else if (negotiate & MII_ANAR_100BX_HD) {
++		} else if (negotiate & ADVERTISE_100HALF) {
+ 			np->speed = 100;
+ 			np->full_duplex = 0;
+ 			printk (KERN_INFO "Auto 100 Mbps, Half duplex\n");
+-		} else if (negotiate & MII_ANAR_10BT_FD) {
++		} else if (negotiate & ADVERTISE_10FULL) {
+ 			np->speed = 10;
+ 			np->full_duplex = 1;
+ 			printk (KERN_INFO "Auto 10 Mbps, Full duplex\n");
+-		} else if (negotiate & MII_ANAR_10BT_HD) {
++		} else if (negotiate & ADVERTISE_10HALF) {
+ 			np->speed = 10;
+ 			np->full_duplex = 0;
+ 			printk (KERN_INFO "Auto 10 Mbps, Half duplex\n");
+ 		}
+-		if (negotiate & MII_ANAR_PAUSE) {
++		if (negotiate & ADVERTISE_PAUSE_CAP) {
+ 			np->tx_flow &= 1;
+ 			np->rx_flow &= 1;
+-		} else if (negotiate & MII_ANAR_ASYMMETRIC) {
++		} else if (negotiate & ADVERTISE_PAUSE_ASYM) {
+ 			np->tx_flow = 0;
+ 			np->rx_flow &= 1;
+ 		}
+ 		/* else tx_flow, rx_flow = user select  */
+ 	} else {
+ 		__u16 bmcr = mii_read (dev, phy_addr, MII_BMCR);
+-		switch (bmcr & (MII_BMCR_SPEED_100 | MII_BMCR_SPEED_1000)) {
+-		case MII_BMCR_SPEED_1000:
++		switch (bmcr & (BMCR_SPEED100 | BMCR_SPEED1000)) {
++		case BMCR_SPEED1000:
+ 			printk (KERN_INFO "Operating at 1000 Mbps, ");
+ 			break;
+-		case MII_BMCR_SPEED_100:
++		case BMCR_SPEED100:
+ 			printk (KERN_INFO "Operating at 100 Mbps, ");
+ 			break;
+ 		case 0:
+ 			printk (KERN_INFO "Operating at 10 Mbps, ");
+ 		}
+-		if (bmcr & MII_BMCR_DUPLEX_MODE) {
++		if (bmcr & BMCR_FULLDPLX) {
+ 			printk (KERN_CONT "Full duplex\n");
+ 		} else {
+ 			printk (KERN_CONT "Half duplex\n");
+@@ -1556,24 +1522,22 @@ mii_set_media (struct net_device *dev)
+ 	if (np->an_enable) {
+ 		/* Advertise capabilities */
+ 		bmsr = mii_read (dev, phy_addr, MII_BMSR);
+-		anar = mii_read (dev, phy_addr, MII_ANAR) &
+-			     ~MII_ANAR_100BX_FD &
+-			     ~MII_ANAR_100BX_HD &
+-			     ~MII_ANAR_100BT4 &
+-			     ~MII_ANAR_10BT_FD &
+-			     ~MII_ANAR_10BT_HD;
+-		if (bmsr & MII_BMSR_100BX_FD)
+-			anar |= MII_ANAR_100BX_FD;
+-		if (bmsr & MII_BMSR_100BX_HD)
+-			anar |= MII_ANAR_100BX_HD;
+-		if (bmsr & MII_BMSR_100BT4)
+-			anar |= MII_ANAR_100BT4;
+-		if (bmsr & MII_BMSR_10BT_FD)
+-			anar |= MII_ANAR_10BT_FD;
+-		if (bmsr & MII_BMSR_10BT_HD)
+-			anar |= MII_ANAR_10BT_HD;
+-		anar |= MII_ANAR_PAUSE | MII_ANAR_ASYMMETRIC;
+-		mii_write (dev, phy_addr, MII_ANAR, anar);
++		anar = mii_read (dev, phy_addr, MII_ADVERTISE) &
++			~(ADVERTISE_100FULL | ADVERTISE_10FULL |
++			  ADVERTISE_100HALF | ADVERTISE_10HALF |
++			  ADVERTISE_100BASE4);
++		if (bmsr & BMSR_100FULL)
++			anar |= ADVERTISE_100FULL;
++		if (bmsr & BMSR_100HALF)
++			anar |= ADVERTISE_100HALF;
++		if (bmsr & BMSR_100BASE4)
++			anar |= ADVERTISE_100BASE4;
++		if (bmsr & BMSR_10FULL)
++			anar |= ADVERTISE_10FULL;
++		if (bmsr & BMSR_10HALF)
++			anar |= ADVERTISE_10HALF;
++		anar |= ADVERTISE_PAUSE_CAP | ADVERTISE_PAUSE_ASYM;
++		mii_write (dev, phy_addr, MII_ADVERTISE, anar);
+ 
+ 		/* Enable Auto crossover */
+ 		pscr = mii_read (dev, phy_addr, MII_PHY_SCR);
+@@ -1581,8 +1545,8 @@ mii_set_media (struct net_device *dev)
+ 		mii_write (dev, phy_addr, MII_PHY_SCR, pscr);
+ 
+ 		/* Soft reset PHY */
+-		mii_write (dev, phy_addr, MII_BMCR, MII_BMCR_RESET);
+-		bmcr = MII_BMCR_AN_ENABLE | MII_BMCR_RESTART_AN | MII_BMCR_RESET;
++		mii_write (dev, phy_addr, MII_BMCR, BMCR_RESET);
++		bmcr = BMCR_ANENABLE | BMCR_ANRESTART | BMCR_RESET;
+ 		mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ 		mdelay(1);
+ 	} else {
+@@ -1594,7 +1558,7 @@ mii_set_media (struct net_device *dev)
+ 
+ 		/* 2) PHY Reset */
+ 		bmcr = mii_read (dev, phy_addr, MII_BMCR);
+-		bmcr |= MII_BMCR_RESET;
++		bmcr |= BMCR_RESET;
+ 		mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ 
+ 		/* 3) Power Down */
+@@ -1603,25 +1567,25 @@ mii_set_media (struct net_device *dev)
+ 		mdelay (100);	/* wait a certain time */
+ 
+ 		/* 4) Advertise nothing */
+-		mii_write (dev, phy_addr, MII_ANAR, 0);
++		mii_write (dev, phy_addr, MII_ADVERTISE, 0);
+ 
+ 		/* 5) Set media and Power Up */
+-		bmcr = MII_BMCR_POWER_DOWN;
++		bmcr = BMCR_PDOWN;
+ 		if (np->speed == 100) {
+-			bmcr |= MII_BMCR_SPEED_100;
++			bmcr |= BMCR_SPEED100;
+ 			printk (KERN_INFO "Manual 100 Mbps, ");
+ 		} else if (np->speed == 10) {
+ 			printk (KERN_INFO "Manual 10 Mbps, ");
+ 		}
+ 		if (np->full_duplex) {
+-			bmcr |= MII_BMCR_DUPLEX_MODE;
++			bmcr |= BMCR_FULLDPLX;
+ 			printk (KERN_CONT "Full duplex\n");
+ 		} else {
+ 			printk (KERN_CONT "Half duplex\n");
+ 		}
+ #if 0
+ 		/* Set 1000BaseT Master/Slave setting */
+-		mscr = mii_read (dev, phy_addr, MII_MSCR);
++		mscr = mii_read (dev, phy_addr, MII_CTRL1000);
+ 		mscr |= MII_MSCR_CFG_ENABLE;
+ 		mscr &= ~MII_MSCR_CFG_VALUE = 0;
+ #endif
+@@ -1644,7 +1608,7 @@ mii_get_media_pcs (struct net_device *dev)
+ 
+ 	bmsr = mii_read (dev, phy_addr, PCS_BMSR);
+ 	if (np->an_enable) {
+-		if (!(bmsr & MII_BMSR_AN_COMPLETE)) {
++		if (!(bmsr & BMSR_ANEGCOMPLETE)) {
+ 			/* Auto-Negotiation not completed */
+ 			return -1;
+ 		}
+@@ -1669,7 +1633,7 @@ mii_get_media_pcs (struct net_device *dev)
+ 	} else {
+ 		__u16 bmcr = mii_read (dev, phy_addr, PCS_BMCR);
+ 		printk (KERN_INFO "Operating at 1000 Mbps, ");
+-		if (bmcr & MII_BMCR_DUPLEX_MODE) {
++		if (bmcr & BMCR_FULLDPLX) {
+ 			printk (KERN_CONT "Full duplex\n");
+ 		} else {
+ 			printk (KERN_CONT "Half duplex\n");
+@@ -1702,7 +1666,7 @@ mii_set_media_pcs (struct net_device *dev)
+ 	if (np->an_enable) {
+ 		/* Advertise capabilities */
+ 		esr = mii_read (dev, phy_addr, PCS_ESR);
+-		anar = mii_read (dev, phy_addr, MII_ANAR) &
++		anar = mii_read (dev, phy_addr, MII_ADVERTISE) &
+ 			~PCS_ANAR_HALF_DUPLEX &
+ 			~PCS_ANAR_FULL_DUPLEX;
+ 		if (esr & (MII_ESR_1000BT_HD | MII_ESR_1000BX_HD))
+@@ -1710,22 +1674,21 @@ mii_set_media_pcs (struct net_device *dev)
+ 		if (esr & (MII_ESR_1000BT_FD | MII_ESR_1000BX_FD))
+ 			anar |= PCS_ANAR_FULL_DUPLEX;
+ 		anar |= PCS_ANAR_PAUSE | PCS_ANAR_ASYMMETRIC;
+-		mii_write (dev, phy_addr, MII_ANAR, anar);
++		mii_write (dev, phy_addr, MII_ADVERTISE, anar);
+ 
+ 		/* Soft reset PHY */
+-		mii_write (dev, phy_addr, MII_BMCR, MII_BMCR_RESET);
+-		bmcr = MII_BMCR_AN_ENABLE | MII_BMCR_RESTART_AN |
+-		       MII_BMCR_RESET;
++		mii_write (dev, phy_addr, MII_BMCR, BMCR_RESET);
++		bmcr = BMCR_ANENABLE | BMCR_ANRESTART | BMCR_RESET;
+ 		mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ 		mdelay(1);
+ 	} else {
+ 		/* Force speed setting */
+ 		/* PHY Reset */
+-		bmcr = MII_BMCR_RESET;
++		bmcr = BMCR_RESET;
+ 		mii_write (dev, phy_addr, MII_BMCR, bmcr);
+ 		mdelay(10);
+ 		if (np->full_duplex) {
+-			bmcr = MII_BMCR_DUPLEX_MODE;
++			bmcr = BMCR_FULLDPLX;
+ 			printk (KERN_INFO "Manual full duplex\n");
+ 		} else {
+ 			bmcr = 0;
+@@ -1735,7 +1698,7 @@ mii_set_media_pcs (struct net_device *dev)
+ 		mdelay(10);
+ 
+ 		/*  Advertise nothing */
+-		mii_write (dev, phy_addr, MII_ANAR, 0);
++		mii_write (dev, phy_addr, MII_ADVERTISE, 0);
+ 	}
+ 	return 0;
+ }
+diff --git a/drivers/net/dl2k.h b/drivers/net/dl2k.h
+index 266ec87..cde8ecd 100644
+--- a/drivers/net/dl2k.h
++++ b/drivers/net/dl2k.h
+@@ -28,6 +28,7 @@
+ #include <linux/init.h>
+ #include <linux/crc32.h>
+ #include <linux/ethtool.h>
++#include <linux/mii.h>
+ #include <linux/bitops.h>
+ #include <asm/processor.h>	/* Processor type for cache alignment. */
+ #include <asm/io.h>
+@@ -271,20 +272,9 @@ enum RFS_bits {
+ #define MII_RESET_TIME_OUT		10000
+ /* MII register */
+ enum _mii_reg {
+-	MII_BMCR = 0,
+-	MII_BMSR = 1,
+-	MII_PHY_ID1 = 2,
+-	MII_PHY_ID2 = 3,
+-	MII_ANAR = 4,
+-	MII_ANLPAR = 5,
+-	MII_ANER = 6,
+-	MII_ANNPT = 7,
+-	MII_ANLPRNP = 8,
+-	MII_MSCR = 9,
+-	MII_MSSR = 10,
+-	MII_ESR = 15,
+ 	MII_PHY_SCR = 16,
+ };
++
+ /* PCS register */
+ enum _pcs_reg {
+ 	PCS_BMCR = 0,
+@@ -297,102 +287,6 @@ enum _pcs_reg {
+ 	PCS_ESR = 15,
+ };
+ 
+-/* Basic Mode Control Register */
+-enum _mii_bmcr {
+-	MII_BMCR_RESET = 0x8000,
+-	MII_BMCR_LOOP_BACK = 0x4000,
+-	MII_BMCR_SPEED_LSB = 0x2000,
+-	MII_BMCR_AN_ENABLE = 0x1000,
+-	MII_BMCR_POWER_DOWN = 0x0800,
+-	MII_BMCR_ISOLATE = 0x0400,
+-	MII_BMCR_RESTART_AN = 0x0200,
+-	MII_BMCR_DUPLEX_MODE = 0x0100,
+-	MII_BMCR_COL_TEST = 0x0080,
+-	MII_BMCR_SPEED_MSB = 0x0040,
+-	MII_BMCR_SPEED_RESERVED = 0x003f,
+-	MII_BMCR_SPEED_10 = 0,
+-	MII_BMCR_SPEED_100 = MII_BMCR_SPEED_LSB,
+-	MII_BMCR_SPEED_1000 = MII_BMCR_SPEED_MSB,
+-};
+-
+-/* Basic Mode Status Register */
+-enum _mii_bmsr {
+-	MII_BMSR_100BT4 = 0x8000,
+-	MII_BMSR_100BX_FD = 0x4000,
+-	MII_BMSR_100BX_HD = 0x2000,
+-	MII_BMSR_10BT_FD = 0x1000,
+-	MII_BMSR_10BT_HD = 0x0800,
+-	MII_BMSR_100BT2_FD = 0x0400,
+-	MII_BMSR_100BT2_HD = 0x0200,
+-	MII_BMSR_EXT_STATUS = 0x0100,
+-	MII_BMSR_PREAMBLE_SUPP = 0x0040,
+-	MII_BMSR_AN_COMPLETE = 0x0020,
+-	MII_BMSR_REMOTE_FAULT = 0x0010,
+-	MII_BMSR_AN_ABILITY = 0x0008,
+-	MII_BMSR_LINK_STATUS = 0x0004,
+-	MII_BMSR_JABBER_DETECT = 0x0002,
+-	MII_BMSR_EXT_CAP = 0x0001,
+-};
+-
+-/* ANAR */
+-enum _mii_anar {
+-	MII_ANAR_NEXT_PAGE = 0x8000,
+-	MII_ANAR_REMOTE_FAULT = 0x4000,
+-	MII_ANAR_ASYMMETRIC = 0x0800,
+-	MII_ANAR_PAUSE = 0x0400,
+-	MII_ANAR_100BT4 = 0x0200,
+-	MII_ANAR_100BX_FD = 0x0100,
+-	MII_ANAR_100BX_HD = 0x0080,
+-	MII_ANAR_10BT_FD = 0x0020,
+-	MII_ANAR_10BT_HD = 0x0010,
+-	MII_ANAR_SELECTOR = 0x001f,
+-	MII_IEEE8023_CSMACD = 0x0001,
+-};
+-
+-/* ANLPAR */
+-enum _mii_anlpar {
+-	MII_ANLPAR_NEXT_PAGE = MII_ANAR_NEXT_PAGE,
+-	MII_ANLPAR_REMOTE_FAULT = MII_ANAR_REMOTE_FAULT,
+-	MII_ANLPAR_ASYMMETRIC = MII_ANAR_ASYMMETRIC,
+-	MII_ANLPAR_PAUSE = MII_ANAR_PAUSE,
+-	MII_ANLPAR_100BT4 = MII_ANAR_100BT4,
+-	MII_ANLPAR_100BX_FD = MII_ANAR_100BX_FD,
+-	MII_ANLPAR_100BX_HD = MII_ANAR_100BX_HD,
+-	MII_ANLPAR_10BT_FD = MII_ANAR_10BT_FD,
+-	MII_ANLPAR_10BT_HD = MII_ANAR_10BT_HD,
+-	MII_ANLPAR_SELECTOR = MII_ANAR_SELECTOR,
+-};
+-
+-/* Auto-Negotiation Expansion Register */
+-enum _mii_aner {
+-	MII_ANER_PAR_DETECT_FAULT = 0x0010,
+-	MII_ANER_LP_NEXTPAGABLE = 0x0008,
+-	MII_ANER_NETXTPAGABLE = 0x0004,
+-	MII_ANER_PAGE_RECEIVED = 0x0002,
+-	MII_ANER_LP_NEGOTIABLE = 0x0001,
+-};
+-
+-/* MASTER-SLAVE Control Register */
+-enum _mii_mscr {
+-	MII_MSCR_TEST_MODE = 0xe000,
+-	MII_MSCR_CFG_ENABLE = 0x1000,
+-	MII_MSCR_CFG_VALUE = 0x0800,
+-	MII_MSCR_PORT_VALUE = 0x0400,
+-	MII_MSCR_1000BT_FD = 0x0200,
+-	MII_MSCR_1000BT_HD = 0X0100,
+-};
+-
+-/* MASTER-SLAVE Status Register */
+-enum _mii_mssr {
+-	MII_MSSR_CFG_FAULT = 0x8000,
+-	MII_MSSR_CFG_RES = 0x4000,
+-	MII_MSSR_LOCAL_RCV_STATUS = 0x2000,
+-	MII_MSSR_REMOTE_RCVR = 0x1000,
+-	MII_MSSR_LP_1000BT_FD = 0x0800,
+-	MII_MSSR_LP_1000BT_HD = 0x0400,
+-	MII_MSSR_IDLE_ERR_COUNT = 0x00ff,
+-};
+-
+ /* IEEE Extened Status Register */
+ enum _mii_esr {
+ 	MII_ESR_1000BX_FD = 0x8000,
+@@ -471,13 +365,6 @@ struct ioctl_data {
+ 	char *data;
+ };
+ 
+-struct mii_data {
+-	__u16 reserved;
+-	__u16 reg_num;
+-	__u16 in_value;
+-	__u16 out_value;
+-};
+-
+ /* The Rx and Tx buffer descriptors. */
+ struct netdev_desc {
+ 	__le64 next_desc;
+diff --git a/drivers/net/ks8851_mll.c b/drivers/net/ks8851_mll.c
+index c0ceebc..4e3a69c 100644
+--- a/drivers/net/ks8851_mll.c
++++ b/drivers/net/ks8851_mll.c
+@@ -35,7 +35,7 @@
+ #define	DRV_NAME	"ks8851_mll"
+ 
+ static u8 KS_DEFAULT_MAC_ADDRESS[] = { 0x00, 0x10, 0xA1, 0x86, 0x95, 0x11 };
+-#define MAX_RECV_FRAMES			32
++#define MAX_RECV_FRAMES			255
+ #define MAX_BUF_SIZE			2048
+ #define TX_BUF_SIZE			2000
+ #define RX_BUF_SIZE			2000
+diff --git a/drivers/net/netxen/netxen_nic.h b/drivers/net/netxen/netxen_nic.h
+index e52af5b..50d2af8 100644
+--- a/drivers/net/netxen/netxen_nic.h
++++ b/drivers/net/netxen/netxen_nic.h
+@@ -700,7 +700,8 @@ struct netxen_recv_context {
+ #define NX_CDRP_CMD_READ_PEXQ_PARAMETERS	0x0000001c
+ #define NX_CDRP_CMD_GET_LIC_CAPABILITIES	0x0000001d
+ #define NX_CDRP_CMD_READ_MAX_LRO_PER_BOARD	0x0000001e
+-#define NX_CDRP_CMD_MAX				0x0000001f
++#define NX_CDRP_CMD_CONFIG_GBE_PORT		0x0000001f
++#define NX_CDRP_CMD_MAX				0x00000020
+ 
+ #define NX_RCODE_SUCCESS		0
+ #define NX_RCODE_NO_HOST_MEM		1
+@@ -1015,6 +1016,7 @@ typedef struct {
+ #define NX_FW_CAPABILITY_BDG			(1 << 8)
+ #define NX_FW_CAPABILITY_FVLANTX		(1 << 9)
+ #define NX_FW_CAPABILITY_HW_LRO			(1 << 10)
++#define NX_FW_CAPABILITY_GBE_LINK_CFG		(1 << 11)
+ 
+ /* module types */
+ #define LINKEVENT_MODULE_NOT_PRESENT			1
+@@ -1323,6 +1325,9 @@ int netxen_config_ipaddr(struct netxen_adapter *adapter, u32 ip, int cmd);
+ int netxen_linkevent_request(struct netxen_adapter *adapter, int enable);
+ void netxen_advert_link_change(struct netxen_adapter *adapter, int linkup);
+ 
++int nx_fw_cmd_set_gbe_port(struct netxen_adapter *adapter,
++		u32 speed, u32 duplex, u32 autoneg);
++
+ int nx_fw_cmd_set_mtu(struct netxen_adapter *adapter, int mtu);
+ int netxen_nic_change_mtu(struct net_device *netdev, int new_mtu);
+ int netxen_config_hw_lro(struct netxen_adapter *adapter, int enable);
+diff --git a/drivers/net/netxen/netxen_nic_ctx.c b/drivers/net/netxen/netxen_nic_ctx.c
+index 9cb8f68..f48cdb2 100644
+--- a/drivers/net/netxen/netxen_nic_ctx.c
++++ b/drivers/net/netxen/netxen_nic_ctx.c
+@@ -112,6 +112,21 @@ nx_fw_cmd_set_mtu(struct netxen_adapter *adapter, int mtu)
+ 	return 0;
+ }
+ 
++int
++nx_fw_cmd_set_gbe_port(struct netxen_adapter *adapter,
++	u32 speed, u32 duplex, u32 autoneg)
++{
++
++	return netxen_issue_cmd(adapter,
++		adapter->ahw.pci_func,
++		NXHAL_VERSION,
++		speed,
++		duplex,
++		autoneg,
++		NX_CDRP_CMD_CONFIG_GBE_PORT);
++
++}
++
+ static int
+ nx_fw_cmd_create_rx_ctx(struct netxen_adapter *adapter)
+ {
+diff --git a/drivers/net/netxen/netxen_nic_ethtool.c b/drivers/net/netxen/netxen_nic_ethtool.c
+index 714f387..7e34840 100644
+--- a/drivers/net/netxen/netxen_nic_ethtool.c
++++ b/drivers/net/netxen/netxen_nic_ethtool.c
+@@ -216,7 +216,6 @@ skip:
+ 			check_sfp_module = netif_running(dev) &&
+ 				adapter->has_link_events;
+ 		} else {
+-			ecmd->autoneg = AUTONEG_ENABLE;
+ 			ecmd->supported |= (SUPPORTED_TP |SUPPORTED_Autoneg);
+ 			ecmd->advertising |=
+ 				(ADVERTISED_TP | ADVERTISED_Autoneg);
+@@ -254,53 +253,24 @@ static int
+ netxen_nic_set_settings(struct net_device *dev, struct ethtool_cmd *ecmd)
+ {
+ 	struct netxen_adapter *adapter = netdev_priv(dev);
+-	__u32 status;
++	int ret;
+ 
+-	/* read which mode */
+-	if (adapter->ahw.port_type == NETXEN_NIC_GBE) {
+-		/* autonegotiation */
+-		if (adapter->phy_write
+-		    && adapter->phy_write(adapter,
+-					  NETXEN_NIU_GB_MII_MGMT_ADDR_AUTONEG,
+-					  ecmd->autoneg) != 0)
+-			return -EIO;
+-		else
+-			adapter->link_autoneg = ecmd->autoneg;
++	if (adapter->ahw.port_type != NETXEN_NIC_GBE)
++		return -EOPNOTSUPP;
+ 
+-		if (adapter->phy_read
+-		    && adapter->phy_read(adapter,
+-					 NETXEN_NIU_GB_MII_MGMT_ADDR_PHY_STATUS,
+-					 &status) != 0)
+-			return -EIO;
++	if (!(adapter->capabilities & NX_FW_CAPABILITY_GBE_LINK_CFG))
++		return -EOPNOTSUPP;
+ 
+-		/* speed */
+-		switch (ecmd->speed) {
+-		case SPEED_10:
+-			netxen_set_phy_speed(status, 0);
+-			break;
+-		case SPEED_100:
+-			netxen_set_phy_speed(status, 1);
+-			break;
+-		case SPEED_1000:
+-			netxen_set_phy_speed(status, 2);
+-			break;
+-		}
+-		/* set duplex mode */
+-		if (ecmd->duplex == DUPLEX_HALF)
+-			netxen_clear_phy_duplex(status);
+-		if (ecmd->duplex == DUPLEX_FULL)
+-			netxen_set_phy_duplex(status);
+-		if (adapter->phy_write
+-		    && adapter->phy_write(adapter,
+-					  NETXEN_NIU_GB_MII_MGMT_ADDR_PHY_STATUS,
+-					  *((int *)&status)) != 0)
+-			return -EIO;
+-		else {
+-			adapter->link_speed = ecmd->speed;
+-			adapter->link_duplex = ecmd->duplex;
+-		}
+-	} else
++	ret = nx_fw_cmd_set_gbe_port(adapter, ecmd->speed, ecmd->duplex,
++				     ecmd->autoneg);
++	if (ret == NX_RCODE_NOT_SUPPORTED)
+ 		return -EOPNOTSUPP;
++	else if (ret)
++		return -EIO;
++
++	adapter->link_speed = ecmd->speed;
++	adapter->link_duplex = ecmd->duplex;
++	adapter->link_autoneg = ecmd->autoneg;
+ 
+ 	if (!netif_running(dev))
+ 		return 0;
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 0f77aca..894ad84 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1121,10 +1121,12 @@ static long tun_chr_ioctl(struct file *file, unsigned int cmd,
+ 	int sndbuf;
+ 	int ret;
+ 
+-	if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89)
++	if (cmd == TUNSETIFF || _IOC_TYPE(cmd) == 0x89) {
+ 		if (copy_from_user(&ifr, argp, sizeof ifr))
+ 			return -EFAULT;
+-
++	} else {
++		memset(&ifr, 0, sizeof(ifr));
++	}
+ 	if (cmd == TUNGETFEATURES) {
+ 		/* Currently this just means: "what IFF flags are valid?".
+ 		 * This is needed because we never checked for invalid flags on
+diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c
+index e391ef9..fd8e335 100644
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1325,7 +1325,7 @@ static int kaweth_internal_control_msg(struct usb_device *usb_dev,
+         int retv;
+         int length = 0; /* shut up GCC */
+ 
+-        urb = usb_alloc_urb(0, GFP_NOIO);
++	urb = usb_alloc_urb(0, GFP_ATOMIC);
+         if (!urb)
+                 return -ENOMEM;
+ 
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index da33dce..07f69ee 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -584,6 +584,14 @@ static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q)
+ 		entry = (struct skb_data *) skb->cb;
+ 		urb = entry->urb;
+ 
++		/*
++		 * Get reference count of the URB to avoid it to be
++		 * freed during usb_unlink_urb, which may trigger
++		 * use-after-free problem inside usb_unlink_urb since
++		 * usb_unlink_urb is always racing with .complete
++		 * handler(include defer_bh).
++		 */
++		usb_get_urb(urb);
+ 		spin_unlock_irqrestore(&q->lock, flags);
+ 		// during some PM-driven resume scenarios,
+ 		// these (async) unlinks complete immediately
+@@ -592,6 +600,7 @@ static int unlink_urbs (struct usbnet *dev, struct sk_buff_head *q)
+ 			devdbg (dev, "unlink urb err, %d", retval);
+ 		else
+ 			count++;
++		usb_put_urb(urb);
+ 		spin_lock_irqsave(&q->lock, flags);
+ 	}
+ 	spin_unlock_irqrestore (&q->lock, flags);
+@@ -989,7 +998,6 @@ static void tx_complete (struct urb *urb)
+ 		}
+ 	}
+ 
+-	urb->dev = NULL;
+ 	entry->state = tx_done;
+ 	defer_bh(dev, skb, &dev->txq);
+ }
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 1e42381..d0959af 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -2550,6 +2550,40 @@ static void __devinit fixup_ti816x_class(struct pci_dev* dev)
+ }
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_TI, 0xb800, fixup_ti816x_class);
+ 
++/*
++ * Some BIOS implementations leave the Intel GPU interrupts enabled,
++ * even though no one is handling them (f.e. i915 driver is never loaded).
++ * Additionally the interrupt destination is not set up properly
++ * and the interrupt ends up -somewhere-.
++ *
++ * These spurious interrupts are "sticky" and the kernel disables
++ * the (shared) interrupt line after 100.000+ generated interrupts.
++ *
++ * Fix it by disabling the still enabled interrupts.
++ * This resolves crashes often seen on monitor unplug.
++ */
++#define I915_DEIER_REG 0x4400c
++static void __devinit disable_igfx_irq(struct pci_dev *dev)
++{
++	void __iomem *regs = pci_iomap(dev, 0, 0);
++	if (regs == NULL) {
++		dev_warn(&dev->dev, "igfx quirk: Can't iomap PCI device\n");
++		return;
++	}
++
++	/* Check if any interrupt line is still enabled */
++	if (readl(regs + I915_DEIER_REG) != 0) {
++		dev_warn(&dev->dev, "BIOS left Intel GPU interrupts enabled; "
++			"disabling\n");
++
++		writel(0, regs + I915_DEIER_REG);
++	}
++
++	pci_iounmap(dev, regs);
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq);
++
+ static void pci_do_fixups(struct pci_dev *dev, struct pci_fixup *f,
+ 			  struct pci_fixup *end)
+ {
+diff --git a/drivers/pnp/quirks.c b/drivers/pnp/quirks.c
+index eb39d26..253996c 100644
+--- a/drivers/pnp/quirks.c
++++ b/drivers/pnp/quirks.c
+@@ -300,9 +300,9 @@ static void quirk_system_pci_resources(struct pnp_dev *dev)
+ 	}
+ }
+ 
+-#ifdef CONFIG_AMD_NB
++#ifdef CONFIG_K8_NB
+ 
+-#include <asm/amd_nb.h>
++#include <asm/k8.h>
+ 
+ static void quirk_amd_mmconfig_area(struct pnp_dev *dev)
+ {
+@@ -366,7 +366,7 @@ static struct pnp_fixup pnp_fixups[] = {
+ 	/* PnP resources that might overlap PCI BARs */
+ 	{"PNP0c01", quirk_system_pci_resources},
+ 	{"PNP0c02", quirk_system_pci_resources},
+-#ifdef CONFIG_AMD_NB
++#ifdef CONFIG_K8_NB
+ 	{"PNP0c01", quirk_amd_mmconfig_area},
+ #endif
+ 	{""}
+diff --git a/drivers/rtc/rtc-wm831x.c b/drivers/rtc/rtc-wm831x.c
+index 79795cd..daefe66 100644
+--- a/drivers/rtc/rtc-wm831x.c
++++ b/drivers/rtc/rtc-wm831x.c
+@@ -23,7 +23,7 @@
+ #include <linux/mfd/wm831x/core.h>
+ #include <linux/delay.h>
+ #include <linux/platform_device.h>
+-
++#include <linux/random.h>
+ 
+ /*
+  * R16416 (0x4020) - RTC Write Counter
+@@ -95,6 +95,26 @@ struct wm831x_rtc {
+ 	unsigned int alarm_enabled:1;
+ };
+ 
++static void wm831x_rtc_add_randomness(struct wm831x *wm831x)
++{
++	int ret;
++	u16 reg;
++
++	/*
++	 * The write counter contains a pseudo-random number which is
++	 * regenerated every time we set the RTC so it should be a
++	 * useful per-system source of entropy.
++	 */
++	ret = wm831x_reg_read(wm831x, WM831X_RTC_WRITE_COUNTER);
++	if (ret >= 0) {
++		reg = ret;
++		add_device_randomness(&reg, sizeof(reg));
++	} else {
++		dev_warn(wm831x->dev, "Failed to read RTC write counter: %d\n",
++			 ret);
++	}
++}
++
+ /*
+  * Read current time and date in RTC
+  */
+@@ -464,6 +484,8 @@ static int wm831x_rtc_probe(struct platform_device *pdev)
+ 			alm_irq, ret);
+ 	}
+ 
++	wm831x_rtc_add_randomness(wm831x);
++
+ 	return 0;
+ 
+ err:
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index b10ee2a..1bdfde1 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -754,7 +754,7 @@ static struct domain_device *sas_ex_discover_end_dev(
+ }
+ 
+ /* See if this phy is part of a wide port */
+-static int sas_ex_join_wide_port(struct domain_device *parent, int phy_id)
++static bool sas_ex_join_wide_port(struct domain_device *parent, int phy_id)
+ {
+ 	struct ex_phy *phy = &parent->ex_dev.ex_phy[phy_id];
+ 	int i;
+@@ -770,11 +770,11 @@ static int sas_ex_join_wide_port(struct domain_device *parent, int phy_id)
+ 			sas_port_add_phy(ephy->port, phy->phy);
+ 			phy->port = ephy->port;
+ 			phy->phy_state = PHY_DEVICE_DISCOVERED;
+-			return 0;
++			return true;
+ 		}
+ 	}
+ 
+-	return -ENODEV;
++	return false;
+ }
+ 
+ static struct domain_device *sas_ex_discover_expander(
+@@ -912,8 +912,7 @@ static int sas_ex_discover_dev(struct domain_device *dev, int phy_id)
+ 		return res;
+ 	}
+ 
+-	res = sas_ex_join_wide_port(dev, phy_id);
+-	if (!res) {
++	if (sas_ex_join_wide_port(dev, phy_id)) {
+ 		SAS_DPRINTK("Attaching ex phy%d to wide port %016llx\n",
+ 			    phy_id, SAS_ADDR(ex_phy->attached_sas_addr));
+ 		return res;
+@@ -958,8 +957,7 @@ static int sas_ex_discover_dev(struct domain_device *dev, int phy_id)
+ 			if (SAS_ADDR(ex->ex_phy[i].attached_sas_addr) ==
+ 			    SAS_ADDR(child->sas_addr)) {
+ 				ex->ex_phy[i].phy_state= PHY_DEVICE_DISCOVERED;
+-				res = sas_ex_join_wide_port(dev, i);
+-				if (!res)
++				if (sas_ex_join_wide_port(dev, i))
+ 					SAS_DPRINTK("Attaching ex phy%d to wide port %016llx\n",
+ 						    i, SAS_ADDR(ex->ex_phy[i].attached_sas_addr));
+ 
+@@ -1812,32 +1810,20 @@ static int sas_discover_new(struct domain_device *dev, int phy_id)
+ {
+ 	struct ex_phy *ex_phy = &dev->ex_dev.ex_phy[phy_id];
+ 	struct domain_device *child;
+-	bool found = false;
+-	int res, i;
++	int res;
+ 
+ 	SAS_DPRINTK("ex %016llx phy%d new device attached\n",
+ 		    SAS_ADDR(dev->sas_addr), phy_id);
+ 	res = sas_ex_phy_discover(dev, phy_id);
+ 	if (res)
+-		goto out;
+-	/* to support the wide port inserted */
+-	for (i = 0; i < dev->ex_dev.num_phys; i++) {
+-		struct ex_phy *ex_phy_temp = &dev->ex_dev.ex_phy[i];
+-		if (i == phy_id)
+-			continue;
+-		if (SAS_ADDR(ex_phy_temp->attached_sas_addr) ==
+-		    SAS_ADDR(ex_phy->attached_sas_addr)) {
+-			found = true;
+-			break;
+-		}
+-	}
+-	if (found) {
+-		sas_ex_join_wide_port(dev, phy_id);
++		return res;
++
++	if (sas_ex_join_wide_port(dev, phy_id))
+ 		return 0;
+-	}
++
+ 	res = sas_ex_discover_devices(dev, phy_id);
+-	if (!res)
+-		goto out;
++	if (res)
++		return res;
+ 	list_for_each_entry(child, &dev->ex_dev.children, siblings) {
+ 		if (SAS_ADDR(child->sas_addr) ==
+ 		    SAS_ADDR(ex_phy->attached_sas_addr)) {
+@@ -1847,7 +1833,6 @@ static int sas_discover_new(struct domain_device *dev, int phy_id)
+ 			break;
+ 		}
+ 	}
+-out:
+ 	return res;
+ }
+ 
+@@ -1946,9 +1931,7 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev)
+ 	struct domain_device *dev = NULL;
+ 
+ 	res = sas_find_bcast_dev(port_dev, &dev);
+-	if (res)
+-		goto out;
+-	if (dev) {
++	while (res == 0 && dev) {
+ 		struct expander_device *ex = &dev->ex_dev;
+ 		int i = 0, phy_id;
+ 
+@@ -1960,8 +1943,10 @@ int sas_ex_revalidate_domain(struct domain_device *port_dev)
+ 			res = sas_rediscover(dev, phy_id);
+ 			i = phy_id + 1;
+ 		} while (i < ex->num_phys);
++
++		dev = NULL;
++		res = sas_find_bcast_dev(port_dev, &dev);
+ 	}
+-out:
+ 	return res;
+ }
+ 
+diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
+index 573921d..3890793 100644
+--- a/drivers/scsi/scsi_error.c
++++ b/drivers/scsi/scsi_error.c
+@@ -1550,6 +1550,20 @@ static void scsi_restart_operations(struct Scsi_Host *shost)
+ 	 * requests are started.
+ 	 */
+ 	scsi_run_host_queues(shost);
++
++	/*
++	 * if eh is active and host_eh_scheduled is pending we need to re-run
++	 * recovery.  we do this check after scsi_run_host_queues() to allow
++	 * everything pent up since the last eh run a chance to make forward
++	 * progress before we sync again.  Either we'll immediately re-run
++	 * recovery or scsi_device_unbusy() will wake us again when these
++	 * pending commands complete.
++	 */
++	spin_lock_irqsave(shost->host_lock, flags);
++	if (shost->host_eh_scheduled)
++		if (scsi_host_set_state(shost, SHOST_RECOVERY))
++			WARN_ON(scsi_host_set_state(shost, SHOST_CANCEL_RECOVERY));
++	spin_unlock_irqrestore(shost->host_lock, flags);
+ }
+ 
+ /**
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 8df12522..e28f9b0 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -482,15 +482,26 @@ static void scsi_run_queue(struct request_queue *q)
+  */
+ static void scsi_requeue_command(struct request_queue *q, struct scsi_cmnd *cmd)
+ {
++	struct scsi_device *sdev = cmd->device;
+ 	struct request *req = cmd->request;
+ 	unsigned long flags;
+ 
++	/*
++	 * We need to hold a reference on the device to avoid the queue being
++	 * killed after the unlock and before scsi_run_queue is invoked which
++	 * may happen because scsi_unprep_request() puts the command which
++	 * releases its reference on the device.
++	 */
++	get_device(&sdev->sdev_gendev);
++
+ 	spin_lock_irqsave(q->queue_lock, flags);
+ 	scsi_unprep_request(req);
+ 	blk_requeue_request(q, req);
+ 	spin_unlock_irqrestore(q->queue_lock, flags);
+ 
+ 	scsi_run_queue(q);
++
++	put_device(&sdev->sdev_gendev);
+ }
+ 
+ void scsi_next_command(struct scsi_cmnd *cmd)
+diff --git a/drivers/scsi/scsi_priv.h b/drivers/scsi/scsi_priv.h
+index 1fbf7c7..11c0085 100644
+--- a/drivers/scsi/scsi_priv.h
++++ b/drivers/scsi/scsi_priv.h
+@@ -107,6 +107,7 @@ extern void scsi_exit_procfs(void);
+ #endif /* CONFIG_PROC_FS */
+ 
+ /* scsi_scan.c */
++extern int scsi_complete_async_scans(void);
+ extern int scsi_scan_host_selected(struct Scsi_Host *, unsigned int,
+ 				   unsigned int, unsigned int, int);
+ extern void scsi_forget_host(struct Scsi_Host *);
+diff --git a/drivers/scsi/scsi_wait_scan.c b/drivers/scsi/scsi_wait_scan.c
+index 74708fc..5c22bda 100644
+--- a/drivers/scsi/scsi_wait_scan.c
++++ b/drivers/scsi/scsi_wait_scan.c
+@@ -13,6 +13,7 @@
+ #include <linux/module.h>
+ #include <linux/device.h>
+ #include <scsi/scsi_scan.h>
++#include "scsi_priv.h"
+ 
+ static int __init wait_scan_init(void)
+ {
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 653f853..8ad9dfb 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1120,7 +1120,8 @@ skip_normal_probe:
+ 	}
+ 
+ 
+-	if (data_interface->cur_altsetting->desc.bNumEndpoints < 2)
++	if (data_interface->cur_altsetting->desc.bNumEndpoints < 2 ||
++	    control_interface->cur_altsetting->desc.bNumEndpoints == 0)
+ 		return -EINVAL;
+ 
+ 	epctrl = &control_interface->cur_altsetting->endpoint[0].desc;
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index d71514b..37f2899 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -441,6 +441,8 @@ retry:
+ 			goto retry;
+ 		}
+ 		if (!desc->reslength) { /* zero length read */
++			dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
++			clear_bit(WDM_READ, &desc->flags);
+ 			spin_unlock_irq(&desc->iuspin);
+ 			goto retry;
+ 		}
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index df1e873..48742ff 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1454,10 +1454,14 @@ static int processcompl_compat(struct async *as, void __user * __user *arg)
+ 	void __user *addr = as->userurb;
+ 	unsigned int i;
+ 
+-	if (as->userbuffer && urb->actual_length)
+-		if (copy_to_user(as->userbuffer, urb->transfer_buffer,
+-				 urb->actual_length))
++	if (as->userbuffer && urb->actual_length) {
++		if (urb->number_of_packets > 0)		/* Isochronous */
++			i = urb->transfer_buffer_length;
++		else					/* Non-Isoc */
++			i = urb->actual_length;
++		if (copy_to_user(as->userbuffer, urb->transfer_buffer, i))
+ 			return -EFAULT;
++	}
+ 	if (put_user(as->status, &userurb->status))
+ 		return -EFAULT;
+ 	if (put_user(urb->actual_length, &userurb->actual_length))
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 2b428fc..02aad50 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -23,6 +23,7 @@
+ #include <linux/mutex.h>
+ #include <linux/freezer.h>
+ #include <linux/usb/quirks.h>
++#include <linux/random.h>
+ 
+ #include <asm/uaccess.h>
+ #include <asm/byteorder.h>
+@@ -458,10 +459,8 @@ hub_clear_tt_buffer (struct usb_device *hdev, u16 devinfo, u16 tt)
+  * talking to TTs must queue control transfers (not just bulk and iso), so
+  * both can talk to the same hub concurrently.
+  */
+-static void hub_tt_work(struct work_struct *work)
++void _hub_tt_work(struct usb_hub *hub)
+ {
+-	struct usb_hub		*hub =
+-		container_of(work, struct usb_hub, tt.clear_work);
+ 	unsigned long		flags;
+ 	int			limit = 100;
+ 
+@@ -496,6 +495,14 @@ static void hub_tt_work(struct work_struct *work)
+ 	spin_unlock_irqrestore (&hub->tt.lock, flags);
+ }
+ 
++void hub_tt_work(struct work_struct *work)
++{
++	struct usb_hub		*hub =
++		container_of(work, struct usb_hub, tt.clear_work);
++
++	_hub_tt_work(hub);
++}
++
+ /**
+  * usb_hub_clear_tt_buffer - clear control/bulk TT state in high speed hub
+  * @urb: an URB associated with the failed or incomplete split transaction
+@@ -543,7 +550,20 @@ int usb_hub_clear_tt_buffer(struct urb *urb)
+ 	/* tell keventd to clear state for this TT */
+ 	spin_lock_irqsave (&tt->lock, flags);
+ 	list_add_tail (&clear->clear_list, &tt->clear_list);
+-	schedule_work(&tt->clear_work);
++	/* don't schedule on kevent if we're running on keventd (e.g.,
++	 * in hid_reset we can get here on kevent) unless on >=2.6.36
++	 */
++	if (!current_is_keventd())
++		/* put it on keventd */
++		schedule_work(&tt->clear_work);
++	else {
++		/* let khubd do it */
++		struct usb_hub		*hub =
++			container_of(&tt->clear_work, struct usb_hub,
++					tt.clear_work);
++		kick_khubd(hub);
++	}
++
+ 	spin_unlock_irqrestore (&tt->lock, flags);
+ 	return 0;
+ }
+@@ -1812,6 +1832,14 @@ int usb_new_device(struct usb_device *udev)
+ 	/* Tell the world! */
+ 	announce_device(udev);
+ 
++	if (udev->serial)
++		add_device_randomness(udev->serial, strlen(udev->serial));
++	if (udev->product)
++		add_device_randomness(udev->product, strlen(udev->product));
++	if (udev->manufacturer)
++		add_device_randomness(udev->manufacturer,
++				      strlen(udev->manufacturer));
++
+ 	/* Register the device.  The device driver is responsible
+ 	 * for configuring the device and invoking the add-device
+ 	 * notifier chain (used by usbfs and possibly others).
+@@ -3274,6 +3302,10 @@ static void hub_events(void)
+ 		if (hub->quiescing)
+ 			goto loop_autopm;
+ 
++		/* _hub_tt_work usually run on keventd */
++		if (!list_empty(&hub->tt.clear_list))
++			_hub_tt_work(hub);
++
+ 		if (hub->error) {
+ 			dev_dbg (hub_dev, "resetting for error %d\n",
+ 				hub->error);
+diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
+index 1206a26..7565f55 100644
+--- a/drivers/usb/early/ehci-dbgp.c
++++ b/drivers/usb/early/ehci-dbgp.c
+@@ -449,7 +449,7 @@ static int dbgp_ehci_startup(void)
+ 	writel(FLAG_CF, &ehci_regs->configured_flag);
+ 
+ 	/* Wait until the controller is no longer halted */
+-	loop = 10;
++	loop = 1000;
+ 	do {
+ 		status = readl(&ehci_regs->status);
+ 		if (!(status & STS_HALT))
+diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c
+index 0ff157a..981b604 100644
+--- a/drivers/usb/host/pci-quirks.c
++++ b/drivers/usb/host/pci-quirks.c
+@@ -458,9 +458,13 @@ static void __devinit quirk_usb_handoff_xhci(struct pci_dev *pdev)
+ 		}
+ 	}
+ 
+-	/* Disable any BIOS SMIs */
+-	writel(XHCI_LEGACY_DISABLE_SMI,
+-			base + ext_cap_offset + XHCI_LEGACY_CONTROL_OFFSET);
++	val = readl(base + ext_cap_offset + XHCI_LEGACY_CONTROL_OFFSET);
++	/* Mask off (turn off) any enabled SMIs */
++	val &= XHCI_LEGACY_DISABLE_SMI;
++	/* Mask all SMI events bits, RW1C */
++	val |= XHCI_LEGACY_SMI_EVENTS;
++	/* Disable any BIOS SMIs and clear all SMI events*/
++	writel(val, base + ext_cap_offset + XHCI_LEGACY_CONTROL_OFFSET);
+ 
+ hc_init:
+ 	op_reg_base = base + XHCI_HC_LENGTH(readl(base));
+diff --git a/drivers/usb/host/xhci-ext-caps.h b/drivers/usb/host/xhci-ext-caps.h
+index 78c4eda..e2acc97 100644
+--- a/drivers/usb/host/xhci-ext-caps.h
++++ b/drivers/usb/host/xhci-ext-caps.h
+@@ -62,8 +62,9 @@
+ /* USB Legacy Support Control and Status Register  - section 7.1.2 */
+ /* Add this offset, plus the value of xECP in HCCPARAMS to the base address */
+ #define XHCI_LEGACY_CONTROL_OFFSET	(0x04)
+-/* bits 1:2, 5:12, and 17:19 need to be preserved; bits 21:28 should be zero */
+-#define	XHCI_LEGACY_DISABLE_SMI		((0x3 << 1) + (0xff << 5) + (0x7 << 17))
++/* bits 1:3, 5:12, and 17:19 need to be preserved; bits 21:28 should be zero */
++#define	XHCI_LEGACY_DISABLE_SMI		((0x7 << 1) + (0xff << 5) + (0x7 << 17))
++#define XHCI_LEGACY_SMI_EVENTS		(0x7 << 29)
+ 
+ /* command register values to disable interrupts and halt the HC */
+ /* start/stop HC execution - do not write unless HC is halted*/
+diff --git a/drivers/usb/host/xhci-hcd.c b/drivers/usb/host/xhci-hcd.c
+index 56661a2..0641633 100644
+--- a/drivers/usb/host/xhci-hcd.c
++++ b/drivers/usb/host/xhci-hcd.c
+@@ -150,7 +150,7 @@ int xhci_reset(struct xhci_hcd *xhci)
+ 	xhci_to_hcd(xhci)->state = HC_STATE_HALT;
+ 
+ 	ret = handshake(xhci, &xhci->op_regs->command,
+-			CMD_RESET, 0, 250 * 1000);
++			CMD_RESET, 0, 10 * 1000 * 1000);
+ 	if (ret)
+ 		return ret;
+ 
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 8c29073..776fd43 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -934,11 +934,6 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ 	int i;
+ 
+ 	/* Free the Event Ring Segment Table and the actual Event Ring */
+-	if (xhci->ir_set) {
+-		xhci_writel(xhci, 0, &xhci->ir_set->erst_size);
+-		xhci_write_64(xhci, 0, &xhci->ir_set->erst_base);
+-		xhci_write_64(xhci, 0, &xhci->ir_set->erst_dequeue);
+-	}
+ 	size = sizeof(struct xhci_erst_entry)*(xhci->erst.num_entries);
+ 	if (xhci->erst.entries)
+ 		pci_free_consistent(pdev, size,
+@@ -950,7 +945,7 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ 	xhci->event_ring = NULL;
+ 	xhci_dbg(xhci, "Freed event ring\n");
+ 
+-	xhci_write_64(xhci, 0, &xhci->op_regs->cmd_ring);
++	xhci->cmd_ring_reserved_trbs = 0;
+ 	if (xhci->cmd_ring)
+ 		xhci_ring_free(xhci, xhci->cmd_ring);
+ 	xhci->cmd_ring = NULL;
+@@ -969,7 +964,6 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
+ 	xhci->device_pool = NULL;
+ 	xhci_dbg(xhci, "Freed device context pool\n");
+ 
+-	xhci_write_64(xhci, 0, &xhci->op_regs->dcbaa_ptr);
+ 	if (xhci->dcbaa)
+ 		pci_free_consistent(pdev, sizeof(*xhci->dcbaa),
+ 				xhci->dcbaa, xhci->dcbaa->dma);
+@@ -1146,6 +1140,8 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
+ 
+ fail:
+ 	xhci_warn(xhci, "Couldn't initialize memory\n");
++	xhci_halt(xhci);
++	xhci_reset(xhci);
+ 	xhci_mem_cleanup(xhci);
+ 	return -ENOMEM;
+ }
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 0a1ccaa..c374beb 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1784,7 +1784,8 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial)
+ 
+ 	dbg("%s", __func__);
+ 
+-	if (strcmp(udev->manufacturer, "CALAO Systems") == 0)
++	if ((udev->manufacturer) &&
++	    (strcmp(udev->manufacturer, "CALAO Systems") == 0))
+ 		return ftdi_jtag_probe(serial);
+ 
+ 	return 0;
+diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
+index 9fdcee2..61829b8 100644
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -1181,9 +1181,12 @@ static int mos7840_chars_in_buffer(struct tty_struct *tty)
+ 	}
+ 
+ 	spin_lock_irqsave(&mos7840_port->pool_lock, flags);
+-	for (i = 0; i < NUM_URBS; ++i)
+-		if (mos7840_port->busy[i])
+-			chars += URB_TRANSFER_BUFFER_SIZE;
++	for (i = 0; i < NUM_URBS; ++i) {
++		if (mos7840_port->busy[i]) {
++			struct urb *urb = mos7840_port->write_urb_pool[i];
++			chars += urb->transfer_buffer_length;
++		}
++	}
+ 	spin_unlock_irqrestore(&mos7840_port->pool_lock, flags);
+ 	dbg("%s - returns %d", __func__, chars);
+ 	return chars;
+diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
+index f23f3b4..5429bc5 100644
+--- a/drivers/usb/serial/usb-serial.c
++++ b/drivers/usb/serial/usb-serial.c
+@@ -1083,6 +1083,12 @@ int usb_serial_probe(struct usb_interface *interface,
+ 		serial->attached = 1;
+ 	}
+ 
++	/* Avoid race with tty_open and serial_install by setting the
++	 * disconnected flag and not clearing it until all ports have been
++	 * registered.
++	 */
++	serial->disconnected = 1;
++
+ 	if (get_free_serial(serial, num_ports, &minor) == NULL) {
+ 		dev_err(&interface->dev, "No more free serial devices\n");
+ 		goto probe_error;
+@@ -1105,6 +1111,8 @@ int usb_serial_probe(struct usb_interface *interface,
+ 		}
+ 	}
+ 
++	serial->disconnected = 0;
++
+ 	usb_serial_console_init(debug, minor);
+ 
+ exit:
+diff --git a/drivers/video/uvesafb.c b/drivers/video/uvesafb.c
+index 54fbb29..6623a2e 100644
+--- a/drivers/video/uvesafb.c
++++ b/drivers/video/uvesafb.c
+@@ -814,8 +814,15 @@ static int __devinit uvesafb_vbe_init(struct fb_info *info)
+ 	par->pmi_setpal = pmi_setpal;
+ 	par->ypan = ypan;
+ 
+-	if (par->pmi_setpal || par->ypan)
+-		uvesafb_vbe_getpmi(task, par);
++	if (par->pmi_setpal || par->ypan) {
++		if (__supported_pte_mask & _PAGE_NX) {
++			par->pmi_setpal = par->ypan = 0;
++			printk(KERN_WARNING "uvesafb: NX protection is actively."
++				"We have better not to use the PMI.\n");
++		} else {
++			uvesafb_vbe_getpmi(task, par);
++		}
++	}
+ #else
+ 	/* The protected mode interface is not available on non-x86. */
+ 	par->pmi_setpal = par->ypan = 0;
+diff --git a/fs/btrfs/async-thread.c b/fs/btrfs/async-thread.c
+index c0861e7..8aac2d6 100644
+--- a/fs/btrfs/async-thread.c
++++ b/fs/btrfs/async-thread.c
+@@ -211,10 +211,17 @@ static noinline int run_ordered_completions(struct btrfs_workers *workers,
+ 
+ 		work->ordered_func(work);
+ 
+-		/* now take the lock again and call the freeing code */
++		/* now take the lock again and drop our item from the list */
+ 		spin_lock(&workers->order_lock);
+ 		list_del(&work->order_list);
++		spin_unlock(&workers->order_lock);
++
++		/*
++		 * we don't want to call the ordered free functions
++		 * with the lock held though
++		 */
+ 		work->ordered_free(work);
++		spin_lock(&workers->order_lock);
+ 	}
+ 
+ 	spin_unlock(&workers->order_lock);
+diff --git a/fs/compat.c b/fs/compat.c
+index d1e2411..46b93d1 100644
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -1208,11 +1208,14 @@ compat_sys_readv(unsigned long fd, const struct compat_iovec __user *vec,
+ 	struct file *file;
+ 	int fput_needed;
+ 	ssize_t ret;
++	loff_t pos;
+ 
+ 	file = fget_light(fd, &fput_needed);
+ 	if (!file)
+ 		return -EBADF;
+-	ret = compat_readv(file, vec, vlen, &file->f_pos);
++	pos = file->f_pos;
++	ret = compat_readv(file, vec, vlen, &pos);
++	file->f_pos = pos;
+ 	fput_light(file, fput_needed);
+ 	return ret;
+ }
+@@ -1265,11 +1268,14 @@ compat_sys_writev(unsigned long fd, const struct compat_iovec __user *vec,
+ 	struct file *file;
+ 	int fput_needed;
+ 	ssize_t ret;
++	loff_t pos;
+ 
+ 	file = fget_light(fd, &fput_needed);
+ 	if (!file)
+ 		return -EBADF;
+-	ret = compat_writev(file, vec, vlen, &file->f_pos);
++	pos = file->f_pos;
++	ret = compat_writev(file, vec, vlen, &pos);
++	file->f_pos = pos;
+ 	fput_light(file, fput_needed);
+ 	return ret;
+ }
+diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
+index 90a6087..3c1dbc0 100644
+--- a/fs/ecryptfs/inode.c
++++ b/fs/ecryptfs/inode.c
+@@ -777,6 +777,9 @@ static int truncate_upper(struct dentry *dentry, struct iattr *ia,
+ 		goto out;
+ 	}
+ 	crypt_stat = &ecryptfs_inode_to_private(dentry->d_inode)->crypt_stat;
++	if (crypt_stat->flags & ECRYPTFS_NEW_FILE)
++		crypt_stat->flags &= ~(ECRYPTFS_NEW_FILE);
++
+ 	/* Set up a fake ecryptfs file, this is used to interface with
+ 	 * the file in the underlying filesystem so that the
+ 	 * truncation has an effect there as well. */
+@@ -1035,6 +1038,8 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ 	rc = lower_dentry->d_inode->i_op->setxattr(lower_dentry, name, value,
+ 						   size, flags);
+ 	mutex_unlock(&lower_dentry->d_inode->i_mutex);
++	if (!rc)
++		fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode, NULL);
+ out:
+ 	return rc;
+ }
+diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
+index e14cf7e..5ffc900 100644
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -148,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
+ 	(*lower_file) = dentry_open(lower_dentry, lower_mnt, flags, cred);
+ 	if (!IS_ERR(*lower_file))
+ 		goto out;
+-	if (flags & O_RDONLY) {
++	if ((flags & O_ACCMODE) == O_RDONLY) {
+ 		rc = PTR_ERR((*lower_file));
+ 		goto out;
+ 	}
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index f539204..ff57421 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -200,6 +200,12 @@ struct eventpoll {
+ 
+ 	/* The user that created the eventpoll descriptor */
+ 	struct user_struct *user;
++
++	struct file *file;
++
++	/* used to optimize loop detection check */
++	int visited;
++	struct list_head visited_list_link;
+ };
+ 
+ /* Wait structure used by the poll hooks */
+@@ -258,6 +264,15 @@ static struct kmem_cache *epi_cache __read_mostly;
+ /* Slab cache used to allocate "struct eppoll_entry" */
+ static struct kmem_cache *pwq_cache __read_mostly;
+ 
++/* Visited nodes during ep_loop_check(), so we can unset them when we finish */
++static LIST_HEAD(visited_list);
++
++/*
++ * List of files with newly added links, where we may need to limit the number
++ * of emanating paths. Protected by the epmutex.
++ */
++static LIST_HEAD(tfile_check_list);
++
+ #ifdef CONFIG_SYSCTL
+ 
+ #include <linux/sysctl.h>
+@@ -277,6 +292,12 @@ ctl_table epoll_table[] = {
+ };
+ #endif /* CONFIG_SYSCTL */
+ 
++static const struct file_operations eventpoll_fops;
++
++static inline int is_file_epoll(struct file *f)
++{
++	return f->f_op == &eventpoll_fops;
++}
+ 
+ /* Setup the structure that is used as key for the RB tree */
+ static inline void ep_set_ffd(struct epoll_filefd *ffd,
+@@ -300,6 +321,11 @@ static inline int ep_is_linked(struct list_head *p)
+ 	return !list_empty(p);
+ }
+ 
++static inline struct eppoll_entry *ep_pwq_from_wait(wait_queue_t *p)
++{
++	return container_of(p, struct eppoll_entry, wait);
++}
++
+ /* Get the "struct epitem" from a wait queue pointer */
+ static inline struct epitem *ep_item_from_wait(wait_queue_t *p)
+ {
+@@ -434,6 +460,18 @@ static void ep_poll_safewake(wait_queue_head_t *wq)
+ 	put_cpu();
+ }
+ 
++static void ep_remove_wait_queue(struct eppoll_entry *pwq)
++{
++	wait_queue_head_t *whead;
++
++	rcu_read_lock();
++	/* If it is cleared by POLLFREE, it should be rcu-safe */
++	whead = rcu_dereference(pwq->whead);
++	if (whead)
++		remove_wait_queue(whead, &pwq->wait);
++	rcu_read_unlock();
++}
++
+ /*
+  * This function unregisters poll callbacks from the associated file
+  * descriptor.  Must be called with "mtx" held (or "epmutex" if called from
+@@ -448,7 +486,7 @@ static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi)
+ 		pwq = list_first_entry(lsthead, struct eppoll_entry, llink);
+ 
+ 		list_del(&pwq->llink);
+-		remove_wait_queue(pwq->whead, &pwq->wait);
++		ep_remove_wait_queue(pwq);
+ 		kmem_cache_free(pwq_cache, pwq);
+ 	}
+ }
+@@ -698,12 +736,6 @@ static const struct file_operations eventpoll_fops = {
+ 	.poll		= ep_eventpoll_poll
+ };
+ 
+-/* Fast test to see if the file is an evenpoll file */
+-static inline int is_file_epoll(struct file *f)
+-{
+-	return f->f_op == &eventpoll_fops;
+-}
+-
+ /*
+  * This is called from eventpoll_release() to unlink files from the eventpoll
+  * interface. We need to have this facility to cleanup correctly files that are
+@@ -814,6 +846,17 @@ static int ep_poll_callback(wait_queue_t *wait, unsigned mode, int sync, void *k
+ 	struct epitem *epi = ep_item_from_wait(wait);
+ 	struct eventpoll *ep = epi->ep;
+ 
++	if ((unsigned long)key & POLLFREE) {
++		ep_pwq_from_wait(wait)->whead = NULL;
++		/*
++		 * whead = NULL above can race with ep_remove_wait_queue()
++		 * which can do another remove_wait_queue() after us, so we
++		 * can't use __remove_wait_queue(). whead->lock is held by
++		 * the caller.
++		 */
++		list_del_init(&wait->task_list);
++	}
++
+ 	spin_lock_irqsave(&ep->lock, flags);
+ 
+ 	/*
+@@ -913,6 +956,103 @@ static void ep_rbtree_insert(struct eventpoll *ep, struct epitem *epi)
+ 	rb_insert_color(&epi->rbn, &ep->rbr);
+ }
+ 
++
++
++#define PATH_ARR_SIZE 5
++/*
++ * These are the number paths of length 1 to 5, that we are allowing to emanate
++ * from a single file of interest. For example, we allow 1000 paths of length
++ * 1, to emanate from each file of interest. This essentially represents the
++ * potential wakeup paths, which need to be limited in order to avoid massive
++ * uncontrolled wakeup storms. The common use case should be a single ep which
++ * is connected to n file sources. In this case each file source has 1 path
++ * of length 1. Thus, the numbers below should be more than sufficient. These
++ * path limits are enforced during an EPOLL_CTL_ADD operation, since a modify
++ * and delete can't add additional paths. Protected by the epmutex.
++ */
++static const int path_limits[PATH_ARR_SIZE] = { 1000, 500, 100, 50, 10 };
++static int path_count[PATH_ARR_SIZE];
++
++static int path_count_inc(int nests)
++{
++	/* Allow an arbitrary number of depth 1 paths */
++	if (nests == 0)
++		return 0;
++
++	if (++path_count[nests] > path_limits[nests])
++		return -1;
++	return 0;
++}
++
++static void path_count_init(void)
++{
++	int i;
++
++	for (i = 0; i < PATH_ARR_SIZE; i++)
++		path_count[i] = 0;
++}
++
++static int reverse_path_check_proc(void *priv, void *cookie, int call_nests)
++{
++	int error = 0;
++	struct file *file = priv;
++	struct file *child_file;
++	struct epitem *epi;
++
++	list_for_each_entry(epi, &file->f_ep_links, fllink) {
++		child_file = epi->ep->file;
++		if (is_file_epoll(child_file)) {
++			if (list_empty(&child_file->f_ep_links)) {
++				if (path_count_inc(call_nests)) {
++					error = -1;
++					break;
++				}
++			} else {
++				error = ep_call_nested(&poll_loop_ncalls,
++							EP_MAX_NESTS,
++							reverse_path_check_proc,
++							child_file, child_file,
++							current);
++			}
++			if (error != 0)
++				break;
++		} else {
++			printk(KERN_ERR "reverse_path_check_proc: "
++				"file is not an ep!\n");
++		}
++	}
++	return error;
++}
++
++/**
++ * reverse_path_check - The tfile_check_list is list of file *, which have
++ *                      links that are proposed to be newly added. We need to
++ *                      make sure that those added links don't add too many
++ *                      paths such that we will spend all our time waking up
++ *                      eventpoll objects.
++ *
++ * Returns: Returns zero if the proposed links don't create too many paths,
++ *	    -1 otherwise.
++ */
++static int reverse_path_check(void)
++{
++	int length = 0;
++	int error = 0;
++	struct file *current_file;
++
++	/* let's call this for all tfiles */
++	list_for_each_entry(current_file, &tfile_check_list, f_tfile_llink) {
++		length++;
++		path_count_init();
++		error = ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
++					reverse_path_check_proc, current_file,
++					current_file, current);
++		if (error)
++			break;
++	}
++	return error;
++}
++
+ /*
+  * Must be called with "mtx" held.
+  */
+@@ -973,6 +1113,11 @@ static int ep_insert(struct eventpoll *ep, struct epoll_event *event,
+ 	 */
+ 	ep_rbtree_insert(ep, epi);
+ 
++	/* now check if we've created too many backpaths */
++	error = -EINVAL;
++	if (reverse_path_check())
++		goto error_remove_epi;
++
+ 	/* We have to drop the new item inside our item list to keep track of it */
+ 	spin_lock_irqsave(&ep->lock, flags);
+ 
+@@ -997,6 +1142,14 @@ static int ep_insert(struct eventpoll *ep, struct epoll_event *event,
+ 
+ 	return 0;
+ 
++error_remove_epi:
++	spin_lock(&tfile->f_lock);
++	if (ep_is_linked(&epi->fllink))
++		list_del_init(&epi->fllink);
++	spin_unlock(&tfile->f_lock);
++
++	rb_erase(&epi->rbn, &ep->rbr);
++
+ error_unregister:
+ 	ep_unregister_pollwait(ep, epi);
+ 
+@@ -1223,18 +1376,36 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
+ 	int error = 0;
+ 	struct file *file = priv;
+ 	struct eventpoll *ep = file->private_data;
++	struct eventpoll *ep_tovisit;
+ 	struct rb_node *rbp;
+ 	struct epitem *epi;
+ 
+ 	mutex_lock_nested(&ep->mtx, call_nests + 1);
++	ep->visited = 1;
++	list_add(&ep->visited_list_link, &visited_list);
+ 	for (rbp = rb_first(&ep->rbr); rbp; rbp = rb_next(rbp)) {
+ 		epi = rb_entry(rbp, struct epitem, rbn);
+ 		if (unlikely(is_file_epoll(epi->ffd.file))) {
++			ep_tovisit = epi->ffd.file->private_data;
++			if (ep_tovisit->visited)
++				continue;
+ 			error = ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
+-					       ep_loop_check_proc, epi->ffd.file,
+-					       epi->ffd.file->private_data, current);
++					ep_loop_check_proc, epi->ffd.file,
++					ep_tovisit, current);
+ 			if (error != 0)
+ 				break;
++		} else {
++			/*
++			 * If we've reached a file that is not associated with
++			 * an ep, then we need to check if the newly added
++			 * links are going to add too many wakeup paths. We do
++			 * this by adding it to the tfile_check_list, if it's
++			 * not already there, and calling reverse_path_check()
++			 * during ep_insert().
++			 */
++			if (list_empty(&epi->ffd.file->f_tfile_llink))
++				list_add(&epi->ffd.file->f_tfile_llink,
++					 &tfile_check_list);
+ 		}
+ 	}
+ 	mutex_unlock(&ep->mtx);
+@@ -1255,8 +1426,31 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
+  */
+ static int ep_loop_check(struct eventpoll *ep, struct file *file)
+ {
+-	return ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
++	int ret;
++	struct eventpoll *ep_cur, *ep_next;
++
++	ret = ep_call_nested(&poll_loop_ncalls, EP_MAX_NESTS,
+ 			      ep_loop_check_proc, file, ep, current);
++	/* clear visited list */
++	list_for_each_entry_safe(ep_cur, ep_next, &visited_list,
++							visited_list_link) {
++		ep_cur->visited = 0;
++		list_del(&ep_cur->visited_list_link);
++	}
++	return ret;
++}
++
++static void clear_tfile_check_list(void)
++{
++	struct file *file;
++
++	/* first clear the tfile_check_list */
++	while (!list_empty(&tfile_check_list)) {
++		file = list_first_entry(&tfile_check_list, struct file,
++					f_tfile_llink);
++		list_del_init(&file->f_tfile_llink);
++	}
++	INIT_LIST_HEAD(&tfile_check_list);
+ }
+ 
+ /*
+@@ -1264,8 +1458,9 @@ static int ep_loop_check(struct eventpoll *ep, struct file *file)
+  */
+ SYSCALL_DEFINE1(epoll_create1, int, flags)
+ {
+-	int error;
++	int error, fd;
+ 	struct eventpoll *ep = NULL;
++	struct file *file;
+ 
+ 	/* Check the EPOLL_* constant for consistency.  */
+ 	BUILD_BUG_ON(EPOLL_CLOEXEC != O_CLOEXEC);
+@@ -1282,11 +1477,25 @@ SYSCALL_DEFINE1(epoll_create1, int, flags)
+ 	 * Creates all the items needed to setup an eventpoll file. That is,
+ 	 * a file structure and a free file descriptor.
+ 	 */
+-	error = anon_inode_getfd("[eventpoll]", &eventpoll_fops, ep,
+-				 flags & O_CLOEXEC);
+-	if (error < 0)
+-		ep_free(ep);
+-
++	fd = get_unused_fd_flags(O_RDWR | (flags & O_CLOEXEC));
++	if (fd < 0) {
++		error = fd;
++		goto out_free_ep;
++	}
++	file = anon_inode_getfile("[eventpoll]", &eventpoll_fops, ep,
++				 O_RDWR | (flags & O_CLOEXEC));
++	if (IS_ERR(file)) {
++		error = PTR_ERR(file);
++		goto out_free_fd;
++	}
++	fd_install(fd, file);
++	ep->file = file;
++	return fd;
++
++out_free_fd:
++	put_unused_fd(fd);
++out_free_ep:
++	ep_free(ep);
+ 	return error;
+ }
+ 
+@@ -1352,21 +1561,29 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
+ 	/*
+ 	 * When we insert an epoll file descriptor, inside another epoll file
+ 	 * descriptor, there is the change of creating closed loops, which are
+-	 * better be handled here, than in more critical paths.
++	 * better be handled here, than in more critical paths. While we are
++	 * checking for loops we also determine the list of files reachable
++	 * and hang them on the tfile_check_list, so we can check that we
++	 * haven't created too many possible wakeup paths.
+ 	 *
+-	 * We hold epmutex across the loop check and the insert in this case, in
+-	 * order to prevent two separate inserts from racing and each doing the
+-	 * insert "at the same time" such that ep_loop_check passes on both
+-	 * before either one does the insert, thereby creating a cycle.
++	 * We need to hold the epmutex across both ep_insert and ep_remove
++	 * b/c we want to make sure we are looking at a coherent view of
++	 * epoll network.
+ 	 */
+-	if (unlikely(is_file_epoll(tfile) && op == EPOLL_CTL_ADD)) {
++	if (op == EPOLL_CTL_ADD || op == EPOLL_CTL_DEL) {
+ 		mutex_lock(&epmutex);
+ 		did_lock_epmutex = 1;
+-		error = -ELOOP;
+-		if (ep_loop_check(ep, tfile) != 0)
+-			goto error_tgt_fput;
+ 	}
+-
++	if (op == EPOLL_CTL_ADD) {
++		if (is_file_epoll(tfile)) {
++			error = -ELOOP;
++			if (ep_loop_check(ep, tfile) != 0) {
++				clear_tfile_check_list();
++				goto error_tgt_fput;
++			}
++		} else
++			list_add(&tfile->f_tfile_llink, &tfile_check_list);
++	}
+ 
+ 	mutex_lock_nested(&ep->mtx, 0);
+ 
+@@ -1385,6 +1602,7 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
+ 			error = ep_insert(ep, &epds, tfile, fd);
+ 		} else
+ 			error = -EEXIST;
++		clear_tfile_check_list();
+ 		break;
+ 	case EPOLL_CTL_DEL:
+ 		if (epi)
+@@ -1403,7 +1621,7 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd,
+ 	mutex_unlock(&ep->mtx);
+ 
+ error_tgt_fput:
+-	if (unlikely(did_lock_epmutex))
++	if (did_lock_epmutex)
+ 		mutex_unlock(&epmutex);
+ 
+ 	fput(tfile);
+diff --git a/fs/ext3/ialloc.c b/fs/ext3/ialloc.c
+index b399912..108f4fc 100644
+--- a/fs/ext3/ialloc.c
++++ b/fs/ext3/ialloc.c
+@@ -575,8 +575,12 @@ got:
+ 	if (IS_DIRSYNC(inode))
+ 		handle->h_sync = 1;
+ 	if (insert_inode_locked(inode) < 0) {
+-		err = -EINVAL;
+-		goto fail_drop;
++		/*
++		 * Likely a bitmap corruption causing inode to be allocated
++		 * twice.
++		 */
++		err = -EIO;
++		goto fail;
+ 	}
+ 	spin_lock(&sbi->s_next_gen_lock);
+ 	inode->i_generation = sbi->s_next_generation++;
+diff --git a/fs/ext3/inode.c b/fs/ext3/inode.c
+index f9d6937..3191a30 100644
+--- a/fs/ext3/inode.c
++++ b/fs/ext3/inode.c
+@@ -2948,6 +2948,8 @@ static int ext3_do_update_inode(handle_t *handle,
+ 	struct ext3_inode_info *ei = EXT3_I(inode);
+ 	struct buffer_head *bh = iloc->bh;
+ 	int err = 0, rc, block;
++	int need_datasync = 0;
++	__le32 disksize;
+ 
+ again:
+ 	/* we can't allow multiple procs in here at once, its a bit racey */
+@@ -2985,7 +2987,11 @@ again:
+ 		raw_inode->i_gid_high = 0;
+ 	}
+ 	raw_inode->i_links_count = cpu_to_le16(inode->i_nlink);
+-	raw_inode->i_size = cpu_to_le32(ei->i_disksize);
++	disksize = cpu_to_le32(ei->i_disksize);
++	if (disksize != raw_inode->i_size) {
++		need_datasync = 1;
++		raw_inode->i_size = disksize;
++	}
+ 	raw_inode->i_atime = cpu_to_le32(inode->i_atime.tv_sec);
+ 	raw_inode->i_ctime = cpu_to_le32(inode->i_ctime.tv_sec);
+ 	raw_inode->i_mtime = cpu_to_le32(inode->i_mtime.tv_sec);
+@@ -3001,8 +3007,11 @@ again:
+ 	if (!S_ISREG(inode->i_mode)) {
+ 		raw_inode->i_dir_acl = cpu_to_le32(ei->i_dir_acl);
+ 	} else {
+-		raw_inode->i_size_high =
+-			cpu_to_le32(ei->i_disksize >> 32);
++		disksize = cpu_to_le32(ei->i_disksize >> 32);
++		if (disksize != raw_inode->i_size_high) {
++			raw_inode->i_size_high = disksize;
++			need_datasync = 1;
++		}
+ 		if (ei->i_disksize > 0x7fffffffULL) {
+ 			struct super_block *sb = inode->i_sb;
+ 			if (!EXT3_HAS_RO_COMPAT_FEATURE(sb,
+@@ -3055,6 +3064,8 @@ again:
+ 	ei->i_state &= ~EXT3_STATE_NEW;
+ 
+ 	atomic_set(&ei->i_sync_tid, handle->h_transaction->t_tid);
++	if (need_datasync)
++		atomic_set(&ei->i_datasync_tid, handle->h_transaction->t_tid);
+ out_brelse:
+ 	brelse (bh);
+ 	ext3_std_error(inode->i_sb, err);
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 93f7999..b4402c8 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -358,6 +358,8 @@ static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext)
+ 	ext4_fsblk_t block = ext_pblock(ext);
+ 	int len = ext4_ext_get_actual_len(ext);
+ 
++	if (len == 0)
++		return 0;
+ 	return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
+ }
+ 
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 55a93f5..29d9055 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1015,8 +1015,12 @@ got:
+ 	if (IS_DIRSYNC(inode))
+ 		ext4_handle_sync(handle);
+ 	if (insert_inode_locked(inode) < 0) {
+-		err = -EINVAL;
+-		goto fail_drop;
++		/*
++		 * Likely a bitmap corruption causing inode to be allocated
++		 * twice.
++		 */
++		err = -EIO;
++		goto fail;
+ 	}
+ 	spin_lock(&sbi->s_next_gen_lock);
+ 	inode->i_generation = sbi->s_next_generation++;
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 72ba88f..efe6363 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1112,6 +1112,15 @@ void ext4_da_update_reserve_space(struct inode *inode,
+ 		used = ei->i_reserved_data_blocks;
+ 	}
+ 
++	if (unlikely(ei->i_allocated_meta_blocks > ei->i_reserved_meta_blocks)) {
++		ext4_msg(inode->i_sb, KERN_NOTICE, "%s: ino %lu, allocated %d "
++			 "with only %d reserved metadata blocks\n", __func__,
++			 inode->i_ino, ei->i_allocated_meta_blocks,
++			 ei->i_reserved_meta_blocks);
++		WARN_ON(1);
++		ei->i_allocated_meta_blocks = ei->i_reserved_meta_blocks;
++	}
++
+ 	/* Update per-inode reservations */
+ 	ei->i_reserved_data_blocks -= used;
+ 	used += ei->i_allocated_meta_blocks;
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index 4787ae6..b359543 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -855,6 +855,7 @@ int fuse_update_attributes(struct inode *inode, struct kstat *stat,
+ 		if (stat) {
+ 			generic_fillattr(inode, stat);
+ 			stat->mode = fi->orig_i_mode;
++			stat->ino = fi->orig_ino;
+ 		}
+ 	}
+ 
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index f6104a95..102d582 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1664,7 +1664,7 @@ static int fuse_verify_ioctl_iov(struct iovec *iov, size_t count)
+ 	size_t n;
+ 	u32 max = FUSE_MAX_PAGES_PER_REQ << PAGE_SHIFT;
+ 
+-	for (n = 0; n < count; n++) {
++	for (n = 0; n < count; n++, iov++) {
+ 		if (iov->iov_len > (size_t) max)
+ 			return -ENOMEM;
+ 		max -= iov->iov_len;
+diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
+index e6d614d..829acee 100644
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -76,6 +76,9 @@ struct fuse_inode {
+ 	    preserve the original mode */
+ 	mode_t orig_i_mode;
+ 
++	/** 64 bit inode number */
++	u64 orig_ino;
++
+ 	/** Version of last attribute change */
+ 	u64 attr_version;
+ 
+diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
+index 1a822ce..c95186c 100644
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -86,6 +86,7 @@ static struct inode *fuse_alloc_inode(struct super_block *sb)
+ 	fi->nlookup = 0;
+ 	fi->attr_version = 0;
+ 	fi->writectr = 0;
++	fi->orig_ino = 0;
+ 	INIT_LIST_HEAD(&fi->write_files);
+ 	INIT_LIST_HEAD(&fi->queued_writes);
+ 	INIT_LIST_HEAD(&fi->writepages);
+@@ -140,6 +141,18 @@ static int fuse_remount_fs(struct super_block *sb, int *flags, char *data)
+ 	return 0;
+ }
+ 
++/*
++ * ino_t is 32-bits on 32-bit arch. We have to squash the 64-bit value down
++ * so that it will fit.
++ */
++static ino_t fuse_squash_ino(u64 ino64)
++{
++	ino_t ino = (ino_t) ino64;
++	if (sizeof(ino_t) < sizeof(u64))
++		ino ^= ino64 >> (sizeof(u64) - sizeof(ino_t)) * 8;
++	return ino;
++}
++
+ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
+ 				   u64 attr_valid)
+ {
+@@ -149,7 +162,7 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
+ 	fi->attr_version = ++fc->attr_version;
+ 	fi->i_time = attr_valid;
+ 
+-	inode->i_ino     = attr->ino;
++	inode->i_ino     = fuse_squash_ino(attr->ino);
+ 	inode->i_mode    = (inode->i_mode & S_IFMT) | (attr->mode & 07777);
+ 	inode->i_nlink   = attr->nlink;
+ 	inode->i_uid     = attr->uid;
+@@ -175,6 +188,8 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
+ 	fi->orig_i_mode = inode->i_mode;
+ 	if (!(fc->flags & FUSE_DEFAULT_PERMISSIONS))
+ 		inode->i_mode &= ~S_ISVTX;
++
++	fi->orig_ino = attr->ino;
+ }
+ 
+ void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
+diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
+index f6874ac..a0786c6 100644
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -329,6 +329,10 @@ int hfsplus_rename_cat(u32 cnid,
+ 	err = hfs_brec_find(&src_fd);
+ 	if (err)
+ 		goto out;
++	if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++		err = -EIO;
++		goto out;
++	}
+ 
+ 	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+ 				src_fd.entrylength);
+diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
+index 5f40236..f4300ff7 100644
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -138,6 +138,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 		filp->f_pos++;
+ 		/* fall through */
+ 	case 1:
++		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++			err = -EIO;
++			goto out;
++		}
++
+ 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ 		if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
+ 			printk(KERN_ERR "hfs: bad catalog folder thread\n");
+@@ -168,6 +173,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 			err = -EIO;
+ 			goto out;
+ 		}
++
++		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++			err = -EIO;
++			goto out;
++		}
++
+ 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ 		type = be16_to_cpu(entry.type);
+ 		len = HFSPLUS_MAX_STRLEN;
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index 87a1258..2179de8 100644
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -601,9 +601,15 @@ static int hugetlbfs_statfs(struct dentry *dentry, struct kstatfs *buf)
+ 		spin_lock(&sbinfo->stat_lock);
+ 		/* If no limits set, just report 0 for max/free/used
+ 		 * blocks, like simple_statfs() */
+-		if (sbinfo->max_blocks >= 0) {
+-			buf->f_blocks = sbinfo->max_blocks;
+-			buf->f_bavail = buf->f_bfree = sbinfo->free_blocks;
++		if (sbinfo->spool) {
++			long free_pages;
++
++			spin_lock(&sbinfo->spool->lock);
++			buf->f_blocks = sbinfo->spool->max_hpages;
++			free_pages = sbinfo->spool->max_hpages
++				- sbinfo->spool->used_hpages;
++			buf->f_bavail = buf->f_bfree = free_pages;
++			spin_unlock(&sbinfo->spool->lock);
+ 			buf->f_files = sbinfo->max_inodes;
+ 			buf->f_ffree = sbinfo->free_inodes;
+ 		}
+@@ -619,6 +625,10 @@ static void hugetlbfs_put_super(struct super_block *sb)
+ 
+ 	if (sbi) {
+ 		sb->s_fs_info = NULL;
++
++		if (sbi->spool)
++			hugepage_put_subpool(sbi->spool);
++
+ 		kfree(sbi);
+ 	}
+ }
+@@ -842,10 +852,14 @@ hugetlbfs_fill_super(struct super_block *sb, void *data, int silent)
+ 	sb->s_fs_info = sbinfo;
+ 	sbinfo->hstate = config.hstate;
+ 	spin_lock_init(&sbinfo->stat_lock);
+-	sbinfo->max_blocks = config.nr_blocks;
+-	sbinfo->free_blocks = config.nr_blocks;
+ 	sbinfo->max_inodes = config.nr_inodes;
+ 	sbinfo->free_inodes = config.nr_inodes;
++	sbinfo->spool = NULL;
++	if (config.nr_blocks != -1) {
++		sbinfo->spool = hugepage_new_subpool(config.nr_blocks);
++		if (!sbinfo->spool)
++			goto out_free;
++	}
+ 	sb->s_maxbytes = MAX_LFS_FILESIZE;
+ 	sb->s_blocksize = huge_page_size(config.hstate);
+ 	sb->s_blocksize_bits = huge_page_shift(config.hstate);
+@@ -865,38 +879,12 @@ hugetlbfs_fill_super(struct super_block *sb, void *data, int silent)
+ 	sb->s_root = root;
+ 	return 0;
+ out_free:
++	if (sbinfo->spool)
++		kfree(sbinfo->spool);
+ 	kfree(sbinfo);
+ 	return -ENOMEM;
+ }
+ 
+-int hugetlb_get_quota(struct address_space *mapping, long delta)
+-{
+-	int ret = 0;
+-	struct hugetlbfs_sb_info *sbinfo = HUGETLBFS_SB(mapping->host->i_sb);
+-
+-	if (sbinfo->free_blocks > -1) {
+-		spin_lock(&sbinfo->stat_lock);
+-		if (sbinfo->free_blocks - delta >= 0)
+-			sbinfo->free_blocks -= delta;
+-		else
+-			ret = -ENOMEM;
+-		spin_unlock(&sbinfo->stat_lock);
+-	}
+-
+-	return ret;
+-}
+-
+-void hugetlb_put_quota(struct address_space *mapping, long delta)
+-{
+-	struct hugetlbfs_sb_info *sbinfo = HUGETLBFS_SB(mapping->host->i_sb);
+-
+-	if (sbinfo->free_blocks > -1) {
+-		spin_lock(&sbinfo->stat_lock);
+-		sbinfo->free_blocks += delta;
+-		spin_unlock(&sbinfo->stat_lock);
+-	}
+-}
+-
+ static int hugetlbfs_get_sb(struct file_system_type *fs_type,
+ 	int flags, const char *dev_name, void *data, struct vfsmount *mnt)
+ {
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index a051270..5c156ad 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1822,6 +1822,8 @@ zap_buffer_unlocked:
+ 	clear_buffer_mapped(bh);
+ 	clear_buffer_req(bh);
+ 	clear_buffer_new(bh);
++	clear_buffer_delay(bh);
++	clear_buffer_unwritten(bh);
+ 	bh->b_bdev = NULL;
+ 	return may_free;
+ }
+diff --git a/fs/locks.c b/fs/locks.c
+index a8794f2..fde92d1 100644
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -291,7 +291,7 @@ static int flock_make_lock(struct file *filp, struct file_lock **lock,
+ 	return 0;
+ }
+ 
+-static int assign_type(struct file_lock *fl, int type)
++static int assign_type(struct file_lock *fl, long type)
+ {
+ 	switch (type) {
+ 	case F_RDLCK:
+@@ -444,7 +444,7 @@ static const struct lock_manager_operations lease_manager_ops = {
+ /*
+  * Initialize a lease, use the default lock manager operations
+  */
+-static int lease_init(struct file *filp, int type, struct file_lock *fl)
++static int lease_init(struct file *filp, long type, struct file_lock *fl)
+  {
+ 	if (assign_type(fl, type) != 0)
+ 		return -EINVAL;
+@@ -462,7 +462,7 @@ static int lease_init(struct file *filp, int type, struct file_lock *fl)
+ }
+ 
+ /* Allocate a file_lock initialised to this type of lease */
+-static struct file_lock *lease_alloc(struct file *filp, int type)
++static struct file_lock *lease_alloc(struct file *filp, long type)
+ {
+ 	struct file_lock *fl = locks_alloc_lock();
+ 	int error = -ENOMEM;
+diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c
+index 3f8881d..59d9304 100644
+--- a/fs/nfs/nfs3proc.c
++++ b/fs/nfs/nfs3proc.c
+@@ -66,7 +66,7 @@ do_proc_get_root(struct rpc_clnt *client, struct nfs_fh *fhandle,
+ 	nfs_fattr_init(info->fattr);
+ 	status = rpc_call_sync(client, &msg, 0);
+ 	dprintk("%s: reply fsinfo: %d\n", __func__, status);
+-	if (!(info->fattr->valid & NFS_ATTR_FATTR)) {
++	if (status == 0 && !(info->fattr->valid & NFS_ATTR_FATTR)) {
+ 		msg.rpc_proc = &nfs3_procedures[NFS3PROC_GETATTR];
+ 		msg.rpc_resp = info->fattr;
+ 		status = rpc_call_sync(client, &msg, 0);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 3c759df..21c7190 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1586,6 +1586,7 @@ static int _nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, in
+ 		goto err_opendata_put;
+ 	if (server->caps & NFS_CAP_POSIX_LOCK)
+ 		set_bit(NFS_STATE_POSIX_LOCKS, &state->flags);
++	nfs_revalidate_inode(server, state->inode);
+ 	nfs4_opendata_put(opendata);
+ 	nfs4_put_state_owner(sp);
+ 	*res = state;
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index c346808..9a3f15b 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -2934,4 +2934,6 @@ out:
+ 	return error;
+ }
+ 
++MODULE_ALIAS("nfs4");
++
+ #endif /* CONFIG_NFS_V4 */
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 4a82a96..6d27757 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1955,7 +1955,7 @@ out_acl:
+ 	if (bmval0 & FATTR4_WORD0_CASE_INSENSITIVE) {
+ 		if ((buflen -= 4) < 0)
+ 			goto out_resource;
+-		WRITE32(1);
++		WRITE32(0);
+ 	}
+ 	if (bmval0 & FATTR4_WORD0_CASE_PRESERVING) {
+ 		if ((buflen -= 4) < 0)
+diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
+index ad391a8..149a8a1 100644
+--- a/fs/nilfs2/the_nilfs.c
++++ b/fs/nilfs2/the_nilfs.c
+@@ -478,6 +478,7 @@ static int nilfs_load_super_block(struct the_nilfs *nilfs,
+ 		brelse(sbh[1]);
+ 		sbh[1] = NULL;
+ 		sbp[1] = NULL;
++		valid[1] = 0;
+ 		swp = 0;
+ 	}
+ 	if (!valid[swp]) {
+diff --git a/fs/signalfd.c b/fs/signalfd.c
+index d98bea8..02c25d7 100644
+--- a/fs/signalfd.c
++++ b/fs/signalfd.c
+@@ -29,6 +29,21 @@
+ #include <linux/signalfd.h>
+ #include <linux/syscalls.h>
+ 
++void signalfd_cleanup(struct sighand_struct *sighand)
++{
++	wait_queue_head_t *wqh = &sighand->signalfd_wqh;
++	/*
++	 * The lockless check can race with remove_wait_queue() in progress,
++	 * but in this case its caller should run under rcu_read_lock() and
++	 * sighand_cachep is SLAB_DESTROY_BY_RCU, we can safely return.
++	 */
++	if (likely(!waitqueue_active(wqh)))
++		return;
++
++	/* wait_queue_t->func(POLLFREE) should do remove_wait_queue() */
++	wake_up_poll(wqh, POLLHUP | POLLFREE);
++}
++
+ struct signalfd_ctx {
+ 	sigset_t sigmask;
+ };
+diff --git a/fs/udf/file.c b/fs/udf/file.c
+index b80cbd7..78bdef3 100644
+--- a/fs/udf/file.c
++++ b/fs/udf/file.c
+@@ -40,20 +40,24 @@
+ #include "udf_i.h"
+ #include "udf_sb.h"
+ 
+-static int udf_adinicb_readpage(struct file *file, struct page *page)
++static void __udf_adinicb_readpage(struct page *page)
+ {
+ 	struct inode *inode = page->mapping->host;
+ 	char *kaddr;
+ 	struct udf_inode_info *iinfo = UDF_I(inode);
+ 
+-	BUG_ON(!PageLocked(page));
+-
+ 	kaddr = kmap(page);
+-	memset(kaddr, 0, PAGE_CACHE_SIZE);
+ 	memcpy(kaddr, iinfo->i_ext.i_data + iinfo->i_lenEAttr, inode->i_size);
++	memset(kaddr + inode->i_size, 0, PAGE_CACHE_SIZE - inode->i_size);
+ 	flush_dcache_page(page);
+ 	SetPageUptodate(page);
+ 	kunmap(page);
++}
++
++static int udf_adinicb_readpage(struct file *file, struct page *page)
++{
++	BUG_ON(!PageLocked(page));
++	__udf_adinicb_readpage(page);
+ 	unlock_page(page);
+ 
+ 	return 0;
+@@ -78,6 +82,25 @@ static int udf_adinicb_writepage(struct page *page,
+ 	return 0;
+ }
+ 
++static int udf_adinicb_write_begin(struct file *file,
++			struct address_space *mapping, loff_t pos,
++			unsigned len, unsigned flags, struct page **pagep,
++			void **fsdata)
++{
++	struct page *page;
++
++	if (WARN_ON_ONCE(pos >= PAGE_CACHE_SIZE))
++		return -EIO;
++	page = grab_cache_page_write_begin(mapping, 0, flags);
++	if (!page)
++		return -ENOMEM;
++	*pagep = page;
++
++	if (!PageUptodate(page) && len != PAGE_CACHE_SIZE)
++		__udf_adinicb_readpage(page);
++	return 0;
++}
++
+ static int udf_adinicb_write_end(struct file *file,
+ 			struct address_space *mapping,
+ 			loff_t pos, unsigned len, unsigned copied,
+@@ -100,8 +123,8 @@ const struct address_space_operations udf_adinicb_aops = {
+ 	.readpage	= udf_adinicb_readpage,
+ 	.writepage	= udf_adinicb_writepage,
+ 	.sync_page	= block_sync_page,
+-	.write_begin = simple_write_begin,
+-	.write_end = udf_adinicb_write_end,
++	.write_begin	= udf_adinicb_write_begin,
++	.write_end	= udf_adinicb_write_end,
+ };
+ 
+ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov,
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index ee6b3af..0045ebc 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -57,6 +57,7 @@
+ #include <linux/seq_file.h>
+ #include <linux/bitmap.h>
+ #include <linux/crc-itu-t.h>
++#include <linux/log2.h>
+ #include <asm/byteorder.h>
+ 
+ #include "udf_sb.h"
+@@ -1239,16 +1240,65 @@ out_bh:
+ 	return ret;
+ }
+ 
++static int udf_load_sparable_map(struct super_block *sb,
++				 struct udf_part_map *map,
++				 struct sparablePartitionMap *spm)
++{
++	uint32_t loc;
++	uint16_t ident;
++	struct sparingTable *st;
++	struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing;
++	int i;
++	struct buffer_head *bh;
++
++	map->s_partition_type = UDF_SPARABLE_MAP15;
++	sdata->s_packet_len = le16_to_cpu(spm->packetLength);
++	if (!is_power_of_2(sdata->s_packet_len)) {
++		udf_error(sb, __func__, "error loading logical volume descriptor: "
++			"Invalid packet length %u\n",
++			(unsigned)sdata->s_packet_len);
++		return -EIO;
++	}
++	if (spm->numSparingTables > 4) {
++		udf_error(sb, __func__, "error loading logical volume descriptor: "
++			"Too many sparing tables (%d)\n",
++			(int)spm->numSparingTables);
++		return -EIO;
++	}
++
++	for (i = 0; i < spm->numSparingTables; i++) {
++		loc = le32_to_cpu(spm->locSparingTable[i]);
++		bh = udf_read_tagged(sb, loc, loc, &ident);
++		if (!bh)
++			continue;
++
++		st = (struct sparingTable *)bh->b_data;
++		if (ident != 0 ||
++		    strncmp(st->sparingIdent.ident, UDF_ID_SPARING,
++			    strlen(UDF_ID_SPARING)) ||
++		    sizeof(*st) + le16_to_cpu(st->reallocationTableLen) >
++							sb->s_blocksize) {
++			brelse(bh);
++			continue;
++		}
++
++		sdata->s_spar_map[i] = bh;
++	}
++	map->s_partition_func = udf_get_pblock_spar15;
++	return 0;
++}
++
+ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ 			       struct kernel_lb_addr *fileset)
+ {
+ 	struct logicalVolDesc *lvd;
+-	int i, j, offset;
++	int i, offset;
+ 	uint8_t type;
+ 	struct udf_sb_info *sbi = UDF_SB(sb);
+ 	struct genericPartitionMap *gpm;
+ 	uint16_t ident;
+ 	struct buffer_head *bh;
++	unsigned int table_len;
+ 	int ret = 0;
+ 
+ 	bh = udf_read_tagged(sb, block, block, &ident);
+@@ -1257,6 +1307,15 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ 	BUG_ON(ident != TAG_IDENT_LVD);
+ 	lvd = (struct logicalVolDesc *)bh->b_data;
+ 
++	table_len = le32_to_cpu(lvd->mapTableLength);
++	if (table_len > sb->s_blocksize - sizeof(*lvd)) {
++		udf_error(sb, __func__, "error loading logical volume descriptor: "
++		          "Partition table too long (%u > %lu)\n", table_len,
++		          sb->s_blocksize - sizeof(*lvd));
++		ret = 1;
++		goto out_bh;
++	}
++
+ 	i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+ 	if (i != 0) {
+ 		ret = i;
+@@ -1264,7 +1323,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ 	}
+ 
+ 	for (i = 0, offset = 0;
+-	     i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
++	     i < sbi->s_partitions && offset < table_len;
+ 	     i++, offset += gpm->partitionMapLength) {
+ 		struct udf_part_map *map = &sbi->s_partmaps[i];
+ 		gpm = (struct genericPartitionMap *)
+@@ -1299,38 +1358,11 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ 			} else if (!strncmp(upm2->partIdent.ident,
+ 						UDF_ID_SPARABLE,
+ 						strlen(UDF_ID_SPARABLE))) {
+-				uint32_t loc;
+-				struct sparingTable *st;
+-				struct sparablePartitionMap *spm =
+-					(struct sparablePartitionMap *)gpm;
+-
+-				map->s_partition_type = UDF_SPARABLE_MAP15;
+-				map->s_type_specific.s_sparing.s_packet_len =
+-						le16_to_cpu(spm->packetLength);
+-				for (j = 0; j < spm->numSparingTables; j++) {
+-					struct buffer_head *bh2;
+-
+-					loc = le32_to_cpu(
+-						spm->locSparingTable[j]);
+-					bh2 = udf_read_tagged(sb, loc, loc,
+-							     &ident);
+-					map->s_type_specific.s_sparing.
+-							s_spar_map[j] = bh2;
+-
+-					if (bh2 == NULL)
+-						continue;
+-
+-					st = (struct sparingTable *)bh2->b_data;
+-					if (ident != 0 || strncmp(
+-						st->sparingIdent.ident,
+-						UDF_ID_SPARING,
+-						strlen(UDF_ID_SPARING))) {
+-						brelse(bh2);
+-						map->s_type_specific.s_sparing.
+-							s_spar_map[j] = NULL;
+-					}
++				if (udf_load_sparable_map(sb, map,
++				    (struct sparablePartitionMap *)gpm) < 0) {
++					ret = 1;
++					goto out_bh;
+ 				}
+-				map->s_partition_func = udf_get_pblock_spar15;
+ 			} else if (!strncmp(upm2->partIdent.ident,
+ 						UDF_ID_METADATA,
+ 						strlen(UDF_ID_METADATA))) {
+diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
+index 844a99b..bae2c99 100644
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -3298,37 +3298,26 @@ xlog_recover_process_iunlinks(
+ 			 */
+ 			continue;
+ 		}
++		/*
++		 * Unlock the buffer so that it can be acquired in the normal
++		 * course of the transaction to truncate and free each inode.
++		 * Because we are not racing with anyone else here for the AGI
++		 * buffer, we don't even need to hold it locked to read the
++		 * initial unlinked bucket entries out of the buffer. We keep
++		 * buffer reference though, so that it stays pinned in memory
++		 * while we need the buffer.
++		 */
+ 		agi = XFS_BUF_TO_AGI(agibp);
++		xfs_buf_unlock(agibp);
+ 
+ 		for (bucket = 0; bucket < XFS_AGI_UNLINKED_BUCKETS; bucket++) {
+ 			agino = be32_to_cpu(agi->agi_unlinked[bucket]);
+ 			while (agino != NULLAGINO) {
+-				/*
+-				 * Release the agi buffer so that it can
+-				 * be acquired in the normal course of the
+-				 * transaction to truncate and free the inode.
+-				 */
+-				xfs_buf_relse(agibp);
+-
+ 				agino = xlog_recover_process_one_iunlink(mp,
+ 							agno, agino, bucket);
+-
+-				/*
+-				 * Reacquire the agibuffer and continue around
+-				 * the loop. This should never fail as we know
+-				 * the buffer was good earlier on.
+-				 */
+-				error = xfs_read_agi(mp, NULL, agno, &agibp);
+-				ASSERT(error == 0);
+-				agi = XFS_BUF_TO_AGI(agibp);
+ 			}
+ 		}
+-
+-		/*
+-		 * Release the buffer for the current agi so we can
+-		 * go on to the next one.
+-		 */
+-		xfs_buf_relse(agibp);
++		xfs_buf_rele(agibp);
+ 	}
+ 
+ 	mp->m_dmevmask = mp_dmevmask;
+diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
+index 8f32f50..1a07e03 100644
+--- a/fs/xfs/xfs_vnodeops.c
++++ b/fs/xfs/xfs_vnodeops.c
+@@ -554,7 +554,7 @@ xfs_readlink(
+ 	char		*link)
+ {
+ 	xfs_mount_t	*mp = ip->i_mount;
+-	int		pathlen;
++	xfs_fsize_t	pathlen;
+ 	int		error = 0;
+ 
+ 	xfs_itrace_entry(ip);
+@@ -564,13 +564,21 @@ xfs_readlink(
+ 
+ 	xfs_ilock(ip, XFS_ILOCK_SHARED);
+ 
+-	ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
+-	ASSERT(ip->i_d.di_size <= MAXPATHLEN);
+-
+ 	pathlen = ip->i_d.di_size;
+ 	if (!pathlen)
+ 		goto out;
+ 
++	if (pathlen < 0 || pathlen > MAXPATHLEN) {
++		xfs_fs_cmn_err(CE_ALERT, mp,
++			 "%s: inode (%llu) bad symlink length (%lld)",
++			 __func__, (unsigned long long) ip->i_ino,
++			 (long long) pathlen);
++		ASSERT(0);
++		error = XFS_ERROR(EFSCORRUPTED);
++		goto out;
++	}
++
++
+ 	if (ip->i_df.if_flags & XFS_IFINLINE) {
+ 		memcpy(link, ip->i_df.if_u1.if_data, pathlen);
+ 		link[pathlen] = '\0';
+diff --git a/include/asm-generic/poll.h b/include/asm-generic/poll.h
+index 44bce83..9ce7f44 100644
+--- a/include/asm-generic/poll.h
++++ b/include/asm-generic/poll.h
+@@ -28,6 +28,8 @@
+ #define POLLRDHUP       0x2000
+ #endif
+ 
++#define POLLFREE	0x4000	/* currently only for epoll */
++
+ struct pollfd {
+ 	int fd;
+ 	short events;
+diff --git a/include/linux/eventpoll.h b/include/linux/eventpoll.h
+index f6856a5..ca399c5 100644
+--- a/include/linux/eventpoll.h
++++ b/include/linux/eventpoll.h
+@@ -61,6 +61,7 @@ struct file;
+ static inline void eventpoll_init_file(struct file *file)
+ {
+ 	INIT_LIST_HEAD(&file->f_ep_links);
++	INIT_LIST_HEAD(&file->f_tfile_llink);
+ }
+ 
+ 
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 1b9a47a..860cb6d 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -941,6 +941,7 @@ struct file {
+ #ifdef CONFIG_EPOLL
+ 	/* Used by fs/eventpoll.c to link all the hooks to this file */
+ 	struct list_head	f_ep_links;
++	struct list_head	f_tfile_llink;
+ #endif /* #ifdef CONFIG_EPOLL */
+ 	struct address_space	*f_mapping;
+ #ifdef CONFIG_DEBUG_WRITECOUNT
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 040b679..b4f0b3f 100644
+--- a/include/linux/hrtimer.h
++++ b/include/linux/hrtimer.h
+@@ -159,6 +159,7 @@ struct hrtimer_clock_base {
+  *			and timers
+  * @clock_base:		array of clock bases for this cpu
+  * @curr_timer:		the timer which is executing a callback right now
++ * @clock_was_set:	Indicates that clock was set from irq context.
+  * @expires_next:	absolute time of the next event which was scheduled
+  *			via clock_set_next_event()
+  * @hres_active:	State of high resolution mode
+@@ -171,6 +172,7 @@ struct hrtimer_clock_base {
+ struct hrtimer_cpu_base {
+ 	spinlock_t			lock;
+ 	struct hrtimer_clock_base	clock_base[HRTIMER_MAX_CLOCK_BASES];
++	unsigned int			clock_was_set;
+ #ifdef CONFIG_HIGH_RES_TIMERS
+ 	ktime_t				expires_next;
+ 	int				hres_active;
+@@ -280,6 +282,8 @@ extern void hrtimer_peek_ahead_timers(void);
+ # define MONOTONIC_RES_NSEC	HIGH_RES_NSEC
+ # define KTIME_MONOTONIC_RES	KTIME_HIGH_RES
+ 
++extern void clock_was_set_delayed(void);
++
+ #else
+ 
+ # define MONOTONIC_RES_NSEC	LOW_RES_NSEC
+@@ -308,11 +312,14 @@ static inline int hrtimer_is_hres_active(struct hrtimer *timer)
+ {
+ 	return 0;
+ }
++
++static inline void clock_was_set_delayed(void) { }
++
+ #endif
+ 
+ extern ktime_t ktime_get(void);
+ extern ktime_t ktime_get_real(void);
+-
++extern ktime_t ktime_get_update_offsets(ktime_t *offs_real);
+ 
+ DECLARE_PER_CPU(struct tick_device, tick_cpu_device);
+ 
+diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
+index 41a59af..6b3feef 100644
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -12,6 +12,15 @@ struct user_struct;
+ #include <linux/shm.h>
+ #include <asm/tlbflush.h>
+ 
++struct hugepage_subpool {
++	spinlock_t lock;
++	long count;
++	long max_hpages, used_hpages;
++};
++
++struct hugepage_subpool *hugepage_new_subpool(long nr_blocks);
++void hugepage_put_subpool(struct hugepage_subpool *spool);
++
+ int PageHuge(struct page *page);
+ 
+ static inline int is_vm_hugetlb_page(struct vm_area_struct *vma)
+@@ -138,12 +147,11 @@ struct hugetlbfs_config {
+ };
+ 
+ struct hugetlbfs_sb_info {
+-	long	max_blocks;   /* blocks allowed */
+-	long	free_blocks;  /* blocks free */
+ 	long	max_inodes;   /* inodes allowed */
+ 	long	free_inodes;  /* inodes free */
+ 	spinlock_t	stat_lock;
+ 	struct hstate *hstate;
++	struct hugepage_subpool *spool;
+ };
+ 
+ 
+@@ -166,8 +174,6 @@ extern const struct file_operations hugetlbfs_file_operations;
+ extern const struct vm_operations_struct hugetlb_vm_ops;
+ struct file *hugetlb_file_setup(const char *name, size_t size, int acct,
+ 				struct user_struct **user, int creat_flags);
+-int hugetlb_get_quota(struct address_space *mapping, long delta);
+-void hugetlb_put_quota(struct address_space *mapping, long delta);
+ 
+ static inline int is_file_hugepages(struct file *file)
+ {
+diff --git a/include/linux/iocontext.h b/include/linux/iocontext.h
+index eb73632..19abfc1 100644
+--- a/include/linux/iocontext.h
++++ b/include/linux/iocontext.h
+@@ -94,14 +94,15 @@ static inline struct io_context *ioc_task_link(struct io_context *ioc)
+ 	return NULL;
+ }
+ 
++struct task_struct;
+ #ifdef CONFIG_BLOCK
+ int put_io_context(struct io_context *ioc);
+-void exit_io_context(void);
++void exit_io_context(struct task_struct *task);
+ struct io_context *get_io_context(gfp_t gfp_flags, int node);
+ struct io_context *alloc_io_context(gfp_t gfp_flags, int node);
+ void copy_io_context(struct io_context **pdst, struct io_context **psrc);
+ #else
+-static inline void exit_io_context(void)
++static inline void exit_io_context(struct task_struct *task)
+ {
+ }
+ 
+diff --git a/include/linux/irq.h b/include/linux/irq.h
+index 9e5f45a..2333710 100644
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -174,7 +174,6 @@ struct irq_2_iommu;
+  */
+ struct irq_desc {
+ 	unsigned int		irq;
+-	struct timer_rand_state *timer_rand_state;
+ 	unsigned int            *kstat_irqs;
+ #ifdef CONFIG_INTR_REMAP
+ 	struct irq_2_iommu      *irq_2_iommu;
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 9acb92d..3526cd4 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -55,6 +55,19 @@ extern const char linux_proc_banner[];
+ }							\
+ )
+ 
++/*
++ * Multiplies an integer by a fraction, while avoiding unnecessary
++ * overflow or loss of precision.
++ */
++#define mult_frac(x, numer, denom)(			\
++{							\
++	typeof(x) quot = (x) / (denom);			\
++	typeof(x) rem  = (x) % (denom);			\
++	(quot * (numer)) + ((rem * (numer)) / (denom));	\
++}							\
++)
++
++
+ #define _RET_IP_		(unsigned long)__builtin_return_address(0)
+ #define _THIS_IP_  ({ __label__ __here; __here: (unsigned long)&&__here; })
+ 
+diff --git a/include/linux/ktime.h b/include/linux/ktime.h
+index ce59832..ecdf64e 100644
+--- a/include/linux/ktime.h
++++ b/include/linux/ktime.h
+@@ -58,13 +58,6 @@ union ktime {
+ 
+ typedef union ktime ktime_t;		/* Kill this */
+ 
+-#define KTIME_MAX			((s64)~((u64)1 << 63))
+-#if (BITS_PER_LONG == 64)
+-# define KTIME_SEC_MAX			(KTIME_MAX / NSEC_PER_SEC)
+-#else
+-# define KTIME_SEC_MAX			LONG_MAX
+-#endif
+-
+ /*
+  * ktime_t definitions when using the 64-bit scalar representation:
+  */
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index c728a50..8bfed57 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -556,5 +556,12 @@ static inline bool kvm_vcpu_is_bsp(struct kvm_vcpu *vcpu)
+ {
+ 	return vcpu->kvm->bsp_vcpu_id == vcpu->vcpu_id;
+ }
++
++bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu);
++
++#else
++
++static inline bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu) { return true; }
++
+ #endif
+ #endif
+diff --git a/include/linux/random.h b/include/linux/random.h
+index 2948046..1864957 100644
+--- a/include/linux/random.h
++++ b/include/linux/random.h
+@@ -44,13 +44,13 @@ struct rand_pool_info {
+ 
+ #ifdef __KERNEL__
+ 
+-extern void rand_initialize_irq(int irq);
+-
++extern void add_device_randomness(const void *, unsigned int);
+ extern void add_input_randomness(unsigned int type, unsigned int code,
+ 				 unsigned int value);
+-extern void add_interrupt_randomness(int irq);
++extern void add_interrupt_randomness(int irq, int irq_flags);
+ 
+ extern void get_random_bytes(void *buf, int nbytes);
++extern void get_random_bytes_arch(void *buf, int nbytes);
+ void generate_random_uuid(unsigned char uuid_out[16]);
+ 
+ #ifndef MODULE
+@@ -63,6 +63,19 @@ unsigned long randomize_range(unsigned long start, unsigned long end, unsigned l
+ u32 random32(void);
+ void srandom32(u32 seed);
+ 
++#ifdef CONFIG_ARCH_RANDOM
++# include <asm/archrandom.h>
++#else
++static inline int arch_get_random_long(unsigned long *v)
++{
++	return 0;
++}
++static inline int arch_get_random_int(unsigned int *v)
++{
++	return 0;
++}
++#endif
++
+ #endif /* __KERNEL___ */
+ 
+ #endif /* _LINUX_RANDOM_H */
+diff --git a/include/linux/signalfd.h b/include/linux/signalfd.h
+index b363b91..ed9b65e 100644
+--- a/include/linux/signalfd.h
++++ b/include/linux/signalfd.h
+@@ -60,13 +60,16 @@ static inline void signalfd_notify(struct task_struct *tsk, int sig)
+ 		wake_up(&tsk->sighand->signalfd_wqh);
+ }
+ 
++extern void signalfd_cleanup(struct sighand_struct *sighand);
++
+ #else /* CONFIG_SIGNALFD */
+ 
+ static inline void signalfd_notify(struct task_struct *tsk, int sig) { }
+ 
++static inline void signalfd_cleanup(struct sighand_struct *sighand) { }
++
+ #endif /* CONFIG_SIGNALFD */
+ 
+ #endif /* __KERNEL__ */
+ 
+ #endif /* _LINUX_SIGNALFD_H */
+-
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index bcdd660..4e647bb 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1312,6 +1312,16 @@ static inline void skb_set_mac_header(struct sk_buff *skb, const int offset)
+ }
+ #endif /* NET_SKBUFF_DATA_USES_OFFSET */
+ 
++static inline void skb_mac_header_rebuild(struct sk_buff *skb)
++{
++	if (skb_mac_header_was_set(skb)) {
++		const unsigned char *old_mac = skb_mac_header(skb);
++
++		skb_set_mac_header(skb, -skb->mac_len);
++		memmove(skb_mac_header(skb), old_mac, skb->mac_len);
++	}
++}
++
+ static inline int skb_transport_offset(const struct sk_buff *skb)
+ {
+ 	return skb_transport_header(skb) - skb->data;
+diff --git a/include/linux/time.h b/include/linux/time.h
+index 6e026e4..bc93987 100644
+--- a/include/linux/time.h
++++ b/include/linux/time.h
+@@ -91,11 +91,36 @@ static inline struct timespec timespec_sub(struct timespec lhs,
+ 	return ts_delta;
+ }
+ 
++#define KTIME_MAX			((s64)~((u64)1 << 63))
++#if (BITS_PER_LONG == 64)
++# define KTIME_SEC_MAX			(KTIME_MAX / NSEC_PER_SEC)
++#else
++# define KTIME_SEC_MAX			LONG_MAX
++#endif
++
+ /*
+  * Returns true if the timespec is norm, false if denorm:
+  */
+-#define timespec_valid(ts) \
+-	(((ts)->tv_sec >= 0) && (((unsigned long) (ts)->tv_nsec) < NSEC_PER_SEC))
++static inline bool timespec_valid(const struct timespec *ts)
++{
++	/* Dates before 1970 are bogus */
++	if (ts->tv_sec < 0)
++		return false;
++	/* Can't have more nanoseconds then a second */
++	if ((unsigned long)ts->tv_nsec >= NSEC_PER_SEC)
++		return false;
++	return true;
++}
++
++static inline bool timespec_valid_strict(const struct timespec *ts)
++{
++	if (!timespec_valid(ts))
++		return false;
++	/* Disallow values that could overflow ktime_t */
++	if ((unsigned long long)ts->tv_sec >= KTIME_SEC_MAX)
++		return false;
++	return true;
++}
+ 
+ extern struct timespec xtime;
+ extern struct timespec wall_to_monotonic;
+diff --git a/include/linux/timex.h b/include/linux/timex.h
+index e6967d1..3b587b4 100644
+--- a/include/linux/timex.h
++++ b/include/linux/timex.h
+@@ -271,7 +271,7 @@ static inline int ntp_synced(void)
+ /* Returns how long ticks are at present, in ns / 2^NTP_SCALE_SHIFT. */
+ extern u64 tick_length;
+ 
+-extern void second_overflow(void);
++extern int second_overflow(unsigned long secs);
+ extern void update_ntp_one_tick(void);
+ extern int do_adjtimex(struct timex *);
+ 
+diff --git a/include/net/rose.h b/include/net/rose.h
+index 5ba9f02..555dd19 100644
+--- a/include/net/rose.h
++++ b/include/net/rose.h
+@@ -14,6 +14,12 @@
+ 
+ #define	ROSE_MIN_LEN			3
+ 
++#define	ROSE_CALL_REQ_ADDR_LEN_OFF	3
++#define	ROSE_CALL_REQ_ADDR_LEN_VAL	0xAA	/* each address is 10 digits */
++#define	ROSE_CALL_REQ_DEST_ADDR_OFF	4
++#define	ROSE_CALL_REQ_SRC_ADDR_OFF	9
++#define	ROSE_CALL_REQ_FACILITIES_OFF	14
++
+ #define	ROSE_GFI			0x10
+ #define	ROSE_Q_BIT			0x80
+ #define	ROSE_D_BIT			0x40
+@@ -214,7 +220,7 @@ extern void rose_requeue_frames(struct sock *);
+ extern int  rose_validate_nr(struct sock *, unsigned short);
+ extern void rose_write_internal(struct sock *, int);
+ extern int  rose_decode(struct sk_buff *, int *, int *, int *, int *, int *);
+-extern int  rose_parse_facilities(unsigned char *, struct rose_facilities_struct *);
++extern int  rose_parse_facilities(unsigned char *, unsigned int, struct rose_facilities_struct *);
+ extern void rose_disconnect(struct sock *, int, int, int);
+ 
+ /* rose_timer.c */
+diff --git a/kernel/cred.c b/kernel/cred.c
+index 0b5b5fc..9c06d10 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -443,6 +443,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
+ 
+ 	mutex_init(&p->cred_guard_mutex);
+ 
++	p->replacement_session_keyring = NULL;
++
+ 	if (
+ #ifdef CONFIG_KEYS
+ 		!p->cred->thread_keyring &&
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 0f8fae3..a2a1659 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1020,7 +1020,7 @@ NORET_TYPE void do_exit(long code)
+ 	tsk->flags |= PF_EXITPIDONE;
+ 
+ 	if (tsk->io_context)
+-		exit_io_context();
++		exit_io_context(tsk);
+ 
+ 	if (tsk->splice_pipe)
+ 		__free_pipe_info(tsk->splice_pipe);
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 4bde56f..c28f804 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -64,6 +64,7 @@
+ #include <linux/magic.h>
+ #include <linux/perf_event.h>
+ #include <linux/posix-timers.h>
++#include <linux/signalfd.h>
+ 
+ #include <asm/pgtable.h>
+ #include <asm/pgalloc.h>
+@@ -815,8 +816,10 @@ static int copy_sighand(unsigned long clone_flags, struct task_struct *tsk)
+ 
+ void __cleanup_sighand(struct sighand_struct *sighand)
+ {
+-	if (atomic_dec_and_test(&sighand->count))
++	if (atomic_dec_and_test(&sighand->count)) {
++		signalfd_cleanup(sighand);
+ 		kmem_cache_free(sighand_cachep, sighand);
++	}
+ }
+ 
+ 
+@@ -1299,7 +1302,8 @@ bad_fork_free_pid:
+ 	if (pid != &init_struct_pid)
+ 		free_pid(pid);
+ bad_fork_cleanup_io:
+-	put_io_context(p->io_context);
++	if (p->io_context)
++		exit_io_context(p);
+ bad_fork_cleanup_namespaces:
+ 	exit_task_namespaces(p);
+ bad_fork_cleanup_mm:
+diff --git a/kernel/futex.c b/kernel/futex.c
+index fb98c9f..9c5ffe1 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -264,17 +264,29 @@ again:
+ 
+ 	page = compound_head(page);
+ 	lock_page(page);
++
++	/*
++	 * If page->mapping is NULL, then it cannot be a PageAnon
++	 * page; but it might be the ZERO_PAGE or in the gate area or
++	 * in a special mapping (all cases which we are happy to fail);
++	 * or it may have been a good file page when get_user_pages_fast
++	 * found it, but truncated or holepunched or subjected to
++	 * invalidate_complete_page2 before we got the page lock (also
++	 * cases which we are happy to fail).  And we hold a reference,
++	 * so refcount care in invalidate_complete_page's remove_mapping
++	 * prevents drop_caches from setting mapping to NULL beneath us.
++	 *
++	 * The case we do have to guard against is when memory pressure made
++	 * shmem_writepage move it from filecache to swapcache beneath us:
++	 * an unlikely race, but we do need to retry for page->mapping.
++	 */
+ 	if (!page->mapping) {
++		int shmem_swizzled = PageSwapCache(page);
+ 		unlock_page(page);
+ 		put_page(page);
+-		/*
+-		* ZERO_PAGE pages don't have a mapping. Avoid a busy loop
+-		* trying to find one. RW mapping would have COW'd (and thus
+-		* have a mapping) so this page is RO and won't ever change.
+-		*/
+-		if ((page == ZERO_PAGE(address)))
+-			return -EFAULT;
+-		goto again;
++		if (shmem_swizzled)
++			goto again;
++		return -EFAULT;
+ 	}
+ 
+ 	/*
+@@ -2192,11 +2204,11 @@ int handle_early_requeue_pi_wakeup(struct futex_hash_bucket *hb,
+  * @uaddr2:	the pi futex we will take prior to returning to user-space
+  *
+  * The caller will wait on uaddr and will be requeued by futex_requeue() to
+- * uaddr2 which must be PI aware.  Normal wakeup will wake on uaddr2 and
+- * complete the acquisition of the rt_mutex prior to returning to userspace.
+- * This ensures the rt_mutex maintains an owner when it has waiters; without
+- * one, the pi logic wouldn't know which task to boost/deboost, if there was a
+- * need to.
++ * uaddr2 which must be PI aware and unique from uaddr.  Normal wakeup will wake
++ * on uaddr2 and complete the acquisition of the rt_mutex prior to returning to
++ * userspace.  This ensures the rt_mutex maintains an owner when it has waiters;
++ * without one, the pi logic would not know which task to boost/deboost, if
++ * there was a need to.
+  *
+  * We call schedule in futex_wait_queue_me() when we enqueue and return there
+  * via the following:
+@@ -2233,6 +2245,9 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
+ 	struct futex_q q;
+ 	int res, ret;
+ 
++	if (uaddr == uaddr2)
++		return -EINVAL;
++
+ 	if (!bitset)
+ 		return -EINVAL;
+ 
+@@ -2306,7 +2321,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
+ 		 * signal.  futex_unlock_pi() will not destroy the lock_ptr nor
+ 		 * the pi_state.
+ 		 */
+-		WARN_ON(!&q.pi_state);
++		WARN_ON(!q.pi_state);
+ 		pi_mutex = &q.pi_state->pi_mutex;
+ 		ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter, 1);
+ 		debug_rt_mutex_free_waiter(&rt_waiter);
+@@ -2333,7 +2348,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, int fshared,
+ 	 * fault, unlock the rt_mutex and return the fault to userspace.
+ 	 */
+ 	if (ret == -EFAULT) {
+-		if (rt_mutex_owner(pi_mutex) == current)
++		if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
+ 			rt_mutex_unlock(pi_mutex);
+ 	} else if (ret == -EINTR) {
+ 		/*
+diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
+index a6e9d00..2818422 100644
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -603,6 +603,12 @@ static int hrtimer_reprogram(struct hrtimer *timer,
+ 	return res;
+ }
+ 
++static inline ktime_t hrtimer_update_base(struct hrtimer_cpu_base *base)
++{
++	ktime_t *offs_real = &base->clock_base[CLOCK_REALTIME].offset;
++
++	return ktime_get_update_offsets(offs_real);
++}
+ 
+ /*
+  * Retrigger next event is called after clock was set
+@@ -612,26 +618,15 @@ static int hrtimer_reprogram(struct hrtimer *timer,
+ static void retrigger_next_event(void *arg)
+ {
+ 	struct hrtimer_cpu_base *base;
+-	struct timespec realtime_offset;
+-	unsigned long seq;
+ 
+ 	if (!hrtimer_hres_active())
+ 		return;
+ 
+-	do {
+-		seq = read_seqbegin(&xtime_lock);
+-		set_normalized_timespec(&realtime_offset,
+-					-wall_to_monotonic.tv_sec,
+-					-wall_to_monotonic.tv_nsec);
+-	} while (read_seqretry(&xtime_lock, seq));
+-
+ 	base = &__get_cpu_var(hrtimer_bases);
+ 
+ 	/* Adjust CLOCK_REALTIME offset */
+ 	spin_lock(&base->lock);
+-	base->clock_base[CLOCK_REALTIME].offset =
+-		timespec_to_ktime(realtime_offset);
+-
++	hrtimer_update_base(base);
+ 	hrtimer_force_reprogram(base, 0);
+ 	spin_unlock(&base->lock);
+ }
+@@ -731,13 +726,25 @@ static int hrtimer_switch_to_hres(void)
+ 	base->clock_base[CLOCK_MONOTONIC].resolution = KTIME_HIGH_RES;
+ 
+ 	tick_setup_sched_timer();
+-
+ 	/* "Retrigger" the interrupt to get things going */
+ 	retrigger_next_event(NULL);
+ 	local_irq_restore(flags);
+ 	return 1;
+ }
+ 
++/*
++ * Called from timekeeping code to reprogramm the hrtimer interrupt
++ * device. If called from the timer interrupt context we defer it to
++ * softirq context.
++ */
++void clock_was_set_delayed(void)
++{
++	struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
++
++	cpu_base->clock_was_set = 1;
++	__raise_softirq_irqoff(HRTIMER_SOFTIRQ);
++}
++
+ #else
+ 
+ static inline int hrtimer_hres_active(void) { return 0; }
+@@ -1250,11 +1257,10 @@ void hrtimer_interrupt(struct clock_event_device *dev)
+ 	cpu_base->nr_events++;
+ 	dev->next_event.tv64 = KTIME_MAX;
+ 
+-	entry_time = now = ktime_get();
++	spin_lock(&cpu_base->lock);
++	entry_time = now = hrtimer_update_base(cpu_base);
+ retry:
+ 	expires_next.tv64 = KTIME_MAX;
+-
+-	spin_lock(&cpu_base->lock);
+ 	/*
+ 	 * We set expires_next to KTIME_MAX here with cpu_base->lock
+ 	 * held to prevent that a timer is enqueued in our queue via
+@@ -1328,8 +1334,12 @@ retry:
+ 	 * We need to prevent that we loop forever in the hrtimer
+ 	 * interrupt routine. We give it 3 attempts to avoid
+ 	 * overreacting on some spurious event.
++	 *
++	 * Acquire base lock for updating the offsets and retrieving
++	 * the current time.
+ 	 */
+-	now = ktime_get();
++	spin_lock(&cpu_base->lock);
++	now = hrtimer_update_base(cpu_base);
+ 	cpu_base->nr_retries++;
+ 	if (++retries < 3)
+ 		goto retry;
+@@ -1341,6 +1351,7 @@ retry:
+ 	 */
+ 	cpu_base->nr_hangs++;
+ 	cpu_base->hang_detected = 1;
++	spin_unlock(&cpu_base->lock);
+ 	delta = ktime_sub(now, entry_time);
+ 	if (delta.tv64 > cpu_base->max_hang_time.tv64)
+ 		cpu_base->max_hang_time = delta;
+@@ -1393,6 +1404,13 @@ void hrtimer_peek_ahead_timers(void)
+ 
+ static void run_hrtimer_softirq(struct softirq_action *h)
+ {
++	struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
++
++	if (cpu_base->clock_was_set) {
++		cpu_base->clock_was_set = 0;
++		clock_was_set();
++	}
++
+ 	hrtimer_peek_ahead_timers();
+ }
+ 
+diff --git a/kernel/irq/handle.c b/kernel/irq/handle.c
+index 17c71bb..27fd0a6 100644
+--- a/kernel/irq/handle.c
++++ b/kernel/irq/handle.c
+@@ -370,7 +370,7 @@ static void warn_no_thread(unsigned int irq, struct irqaction *action)
+ irqreturn_t handle_IRQ_event(unsigned int irq, struct irqaction *action)
+ {
+ 	irqreturn_t ret, retval = IRQ_NONE;
+-	unsigned int status = 0;
++	unsigned int flags = 0;
+ 
+ 	if (!(action->flags & IRQF_DISABLED))
+ 		local_irq_enable_in_hardirq();
+@@ -413,7 +413,7 @@ irqreturn_t handle_IRQ_event(unsigned int irq, struct irqaction *action)
+ 
+ 			/* Fall through to add to randomness */
+ 		case IRQ_HANDLED:
+-			status |= action->flags;
++			flags |= action->flags;
+ 			break;
+ 
+ 		default:
+@@ -424,8 +424,7 @@ irqreturn_t handle_IRQ_event(unsigned int irq, struct irqaction *action)
+ 		action = action->next;
+ 	} while (action);
+ 
+-	if (status & IRQF_SAMPLE_RANDOM)
+-		add_interrupt_randomness(irq);
++	add_interrupt_randomness(irq, flags);
+ 	local_irq_disable();
+ 
+ 	return retval;
+diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
+index 315705c..5dd29f3 100644
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -633,22 +633,6 @@ __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new)
+ 
+ 	if (desc->chip == &no_irq_chip)
+ 		return -ENOSYS;
+-	/*
+-	 * Some drivers like serial.c use request_irq() heavily,
+-	 * so we have to be careful not to interfere with a
+-	 * running system.
+-	 */
+-	if (new->flags & IRQF_SAMPLE_RANDOM) {
+-		/*
+-		 * This function might sleep, we want to call it first,
+-		 * outside of the atomic block.
+-		 * Yes, this might clear the entropy pool if the wrong
+-		 * driver is attempted to be loaded, without actually
+-		 * installing a new handler, but is this really a problem,
+-		 * only the sysadmin is able to do this.
+-		 */
+-		rand_initialize_irq(irq);
+-	}
+ 
+ 	/* Oneshot interrupts are not allowed with shared */
+ 	if ((new->flags & IRQF_ONESHOT) && (new->flags & IRQF_SHARED))
+@@ -1021,7 +1005,6 @@ EXPORT_SYMBOL(free_irq);
+  *
+  *	IRQF_SHARED		Interrupt is shared
+  *	IRQF_DISABLED	Disable local interrupts while processing
+- *	IRQF_SAMPLE_RANDOM	The interrupt can be used for entropy
+  *	IRQF_TRIGGER_*		Specify active edge(s) or level
+  *
+  */
+diff --git a/kernel/sched_fair.c b/kernel/sched_fair.c
+index cd9a40b..fd6e5f2 100644
+--- a/kernel/sched_fair.c
++++ b/kernel/sched_fair.c
+@@ -862,6 +862,9 @@ check_preempt_tick(struct cfs_rq *cfs_rq, struct sched_entity *curr)
+ 		struct sched_entity *se = __pick_next_entity(cfs_rq);
+ 		s64 delta = curr->vruntime - se->vruntime;
+ 
++		if (delta < 0)
++			return;
++
+ 		if (delta > ideal_runtime)
+ 			resched_task(rq_of(cfs_rq)->curr);
+ 	}
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index 4800f93..264928c 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -28,8 +28,6 @@ unsigned long			tick_nsec;
+ u64				tick_length;
+ static u64			tick_length_base;
+ 
+-static struct hrtimer		leap_timer;
+-
+ #define MAX_TICKADJ		500LL		/* usecs */
+ #define MAX_TICKADJ_SCALED \
+ 	(((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ)
+@@ -108,7 +106,7 @@ static inline s64 ntp_update_offset_fll(s64 offset64, long secs)
+ {
+ 	time_status &= ~STA_MODE;
+ 
+-	if (secs < MINSEC)
++	if ((s32)secs < MINSEC)
+ 		return 0;
+ 
+ 	if (!(time_status & STA_FLL) && (secs <= MAXSEC))
+@@ -180,60 +178,64 @@ void ntp_clear(void)
+ }
+ 
+ /*
+- * Leap second processing. If in leap-insert state at the end of the
+- * day, the system clock is set back one second; if in leap-delete
+- * state, the system clock is set ahead one second.
++ * this routine handles the overflow of the microsecond field
++ *
++ * The tricky bits of code to handle the accurate clock support
++ * were provided by Dave Mills (Mills at UDEL.EDU) of NTP fame.
++ * They were originally developed for SUN and DEC kernels.
++ * All the kudos should go to Dave for this stuff.
++ *
++ * Also handles leap second processing, and returns leap offset
+  */
+-static enum hrtimer_restart ntp_leap_second(struct hrtimer *timer)
++int second_overflow(unsigned long secs)
+ {
+-	enum hrtimer_restart res = HRTIMER_NORESTART;
+-
+-	write_seqlock(&xtime_lock);
++	int leap = 0;
++	s64 delta;
+ 
++	/*
++	 * Leap second processing. If in leap-insert state at the end of the
++	 * day, the system clock is set back one second; if in leap-delete
++	 * state, the system clock is set ahead one second.
++	 */
+ 	switch (time_state) {
+ 	case TIME_OK:
++		if (time_status & STA_INS)
++			time_state = TIME_INS;
++		else if (time_status & STA_DEL)
++			time_state = TIME_DEL;
+ 		break;
+ 	case TIME_INS:
+-		timekeeping_leap_insert(-1);
+-		time_state = TIME_OOP;
+-		printk(KERN_NOTICE
+-			"Clock: inserting leap second 23:59:60 UTC\n");
+-		hrtimer_add_expires_ns(&leap_timer, NSEC_PER_SEC);
+-		res = HRTIMER_RESTART;
++		if (!(time_status & STA_INS))
++			time_state = TIME_OK;
++		else if (secs % 86400 == 0) {
++			leap = -1;
++			time_state = TIME_OOP;
++			time_tai++;
++			printk(KERN_NOTICE
++				"Clock: inserting leap second 23:59:60 UTC\n");
++		}
+ 		break;
+ 	case TIME_DEL:
+-		timekeeping_leap_insert(1);
+-		time_tai--;
+-		time_state = TIME_WAIT;
+-		printk(KERN_NOTICE
+-			"Clock: deleting leap second 23:59:59 UTC\n");
++		if (!(time_status & STA_DEL))
++			time_state = TIME_OK;
++		else if ((secs + 1) % 86400 == 0) {
++			leap = 1;
++			time_tai--;
++			time_state = TIME_WAIT;
++			printk(KERN_NOTICE
++				"Clock: deleting leap second 23:59:59 UTC\n");
++		}
+ 		break;
+ 	case TIME_OOP:
+-		time_tai++;
+ 		time_state = TIME_WAIT;
+-		/* fall through */
++		break;
++
+ 	case TIME_WAIT:
+ 		if (!(time_status & (STA_INS | STA_DEL)))
+ 			time_state = TIME_OK;
+ 		break;
+ 	}
+ 
+-	write_sequnlock(&xtime_lock);
+-
+-	return res;
+-}
+-
+-/*
+- * this routine handles the overflow of the microsecond field
+- *
+- * The tricky bits of code to handle the accurate clock support
+- * were provided by Dave Mills (Mills at UDEL.EDU) of NTP fame.
+- * They were originally developed for SUN and DEC kernels.
+- * All the kudos should go to Dave for this stuff.
+- */
+-void second_overflow(void)
+-{
+-	s64 delta;
+ 
+ 	/* Bump the maxerror field */
+ 	time_maxerror += MAXFREQ / NSEC_PER_USEC;
+@@ -253,23 +255,25 @@ void second_overflow(void)
+ 	tick_length	+= delta;
+ 
+ 	if (!time_adjust)
+-		return;
++		goto out;
+ 
+ 	if (time_adjust > MAX_TICKADJ) {
+ 		time_adjust -= MAX_TICKADJ;
+ 		tick_length += MAX_TICKADJ_SCALED;
+-		return;
++		goto out;
+ 	}
+ 
+ 	if (time_adjust < -MAX_TICKADJ) {
+ 		time_adjust += MAX_TICKADJ;
+ 		tick_length -= MAX_TICKADJ_SCALED;
+-		return;
++		goto out;
+ 	}
+ 
+ 	tick_length += (s64)(time_adjust * NSEC_PER_USEC / NTP_INTERVAL_FREQ)
+ 							 << NTP_SCALE_SHIFT;
+ 	time_adjust = 0;
++out:
++	return leap;
+ }
+ 
+ #ifdef CONFIG_GENERIC_CMOS_UPDATE
+@@ -331,27 +335,6 @@ static void notify_cmos_timer(void)
+ static inline void notify_cmos_timer(void) { }
+ #endif
+ 
+-/*
+- * Start the leap seconds timer:
+- */
+-static inline void ntp_start_leap_timer(struct timespec *ts)
+-{
+-	long now = ts->tv_sec;
+-
+-	if (time_status & STA_INS) {
+-		time_state = TIME_INS;
+-		now += 86400 - now % 86400;
+-		hrtimer_start(&leap_timer, ktime_set(now, 0), HRTIMER_MODE_ABS);
+-
+-		return;
+-	}
+-
+-	if (time_status & STA_DEL) {
+-		time_state = TIME_DEL;
+-		now += 86400 - (now + 1) % 86400;
+-		hrtimer_start(&leap_timer, ktime_set(now, 0), HRTIMER_MODE_ABS);
+-	}
+-}
+ 
+ /*
+  * Propagate a new txc->status value into the NTP state:
+@@ -374,22 +357,6 @@ static inline void process_adj_status(struct timex *txc, struct timespec *ts)
+ 	time_status &= STA_RONLY;
+ 	time_status |= txc->status & ~STA_RONLY;
+ 
+-	switch (time_state) {
+-	case TIME_OK:
+-		ntp_start_leap_timer(ts);
+-		break;
+-	case TIME_INS:
+-	case TIME_DEL:
+-		time_state = TIME_OK;
+-		ntp_start_leap_timer(ts);
+-	case TIME_WAIT:
+-		if (!(time_status & (STA_INS | STA_DEL)))
+-			time_state = TIME_OK;
+-		break;
+-	case TIME_OOP:
+-		hrtimer_restart(&leap_timer);
+-		break;
+-	}
+ }
+ /*
+  * Called with the xtime lock held, so we can access and modify
+@@ -469,9 +436,6 @@ int do_adjtimex(struct timex *txc)
+ 		    (txc->tick <  900000/USER_HZ ||
+ 		     txc->tick > 1100000/USER_HZ))
+ 			return -EINVAL;
+-
+-		if (txc->modes & ADJ_STATUS && time_state != TIME_OK)
+-			hrtimer_cancel(&leap_timer);
+ 	}
+ 
+ 	getnstimeofday(&ts);
+@@ -549,6 +513,4 @@ __setup("ntp_tick_adj=", ntp_tick_adj_setup);
+ void __init ntp_init(void)
+ {
+ 	ntp_clear();
+-	hrtimer_init(&leap_timer, CLOCK_REALTIME, HRTIMER_MODE_ABS);
+-	leap_timer.function = ntp_leap_second;
+ }
+diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
+index 4a71cff..3d35af3 100644
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -161,11 +161,39 @@ struct timespec xtime __attribute__ ((aligned (16)));
+ struct timespec wall_to_monotonic __attribute__ ((aligned (16)));
+ static struct timespec total_sleep_time;
+ 
++/* Offset clock monotonic -> clock realtime */
++static ktime_t offs_real;
++
++/* Offset clock monotonic -> clock boottime */
++static ktime_t offs_boot;
++
+ /*
+  * The raw monotonic time for the CLOCK_MONOTONIC_RAW posix clock.
+  */
+ struct timespec raw_time;
+ 
++/* must hold write on xtime_lock */
++static void update_rt_offset(void)
++{
++	struct timespec tmp, *wtm = &wall_to_monotonic;
++
++	set_normalized_timespec(&tmp, -wtm->tv_sec, -wtm->tv_nsec);
++	offs_real = timespec_to_ktime(tmp);
++}
++
++/* must hold write on xtime_lock */
++static void timekeeping_update(bool clearntp)
++{
++	if (clearntp) {
++		timekeeper.ntp_error = 0;
++		ntp_clear();
++	}
++	update_rt_offset();
++	update_vsyscall(&xtime, timekeeper.clock, timekeeper.mult);
++}
++
++
++
+ /* flag for if timekeeping is suspended */
+ int __read_mostly timekeeping_suspended;
+ 
+@@ -183,14 +211,6 @@ void update_xtime_cache(u64 nsec)
+ 	ACCESS_ONCE(xtime_cache) = ts;
+ }
+ 
+-/* must hold xtime_lock */
+-void timekeeping_leap_insert(int leapsecond)
+-{
+-	xtime.tv_sec += leapsecond;
+-	wall_to_monotonic.tv_sec -= leapsecond;
+-	update_vsyscall(&xtime, timekeeper.clock, timekeeper.mult);
+-}
+-
+ #ifdef CONFIG_GENERIC_TIME
+ 
+ /**
+@@ -334,7 +354,7 @@ int do_settimeofday(struct timespec *tv)
+ 	struct timespec ts_delta;
+ 	unsigned long flags;
+ 
+-	if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
++	if (!timespec_valid_strict(tv))
+ 		return -EINVAL;
+ 
+ 	write_seqlock_irqsave(&xtime_lock, flags);
+@@ -349,10 +369,7 @@ int do_settimeofday(struct timespec *tv)
+ 
+ 	update_xtime_cache(0);
+ 
+-	timekeeper.ntp_error = 0;
+-	ntp_clear();
+-
+-	update_vsyscall(&xtime, timekeeper.clock, timekeeper.mult);
++	timekeeping_update(true);
+ 
+ 	write_sequnlock_irqrestore(&xtime_lock, flags);
+ 
+@@ -553,7 +570,20 @@ void __init timekeeping_init(void)
+ 	struct timespec now, boot;
+ 
+ 	read_persistent_clock(&now);
++	if (!timespec_valid_strict(&now)) {
++		printk("WARNING: Persistent clock returned invalid value!\n"
++			"         Check your CMOS/BIOS settings.\n");
++		now.tv_sec = 0;
++		now.tv_nsec = 0;
++	}
++
+ 	read_boot_clock(&boot);
++	if (!timespec_valid_strict(&boot)) {
++		printk("WARNING: Boot clock returned invalid value!\n"
++			"         Check your CMOS/BIOS settings.\n");
++		boot.tv_sec = 0;
++		boot.tv_nsec = 0;
++	}
+ 
+ 	write_seqlock_irqsave(&xtime_lock, flags);
+ 
+@@ -575,6 +605,7 @@ void __init timekeeping_init(void)
+ 	set_normalized_timespec(&wall_to_monotonic,
+ 				-boot.tv_sec, -boot.tv_nsec);
+ 	update_xtime_cache(0);
++	update_rt_offset();
+ 	total_sleep_time.tv_sec = 0;
+ 	total_sleep_time.tv_nsec = 0;
+ 	write_sequnlock_irqrestore(&xtime_lock, flags);
+@@ -583,6 +614,12 @@ void __init timekeeping_init(void)
+ /* time in seconds when suspend began */
+ static struct timespec timekeeping_suspend_time;
+ 
++static void update_sleep_time(struct timespec t)
++{
++	total_sleep_time = t;
++	offs_boot = timespec_to_ktime(t);
++}
++
+ /**
+  * timekeeping_resume - Resumes the generic timekeeping subsystem.
+  * @dev:	unused
+@@ -606,13 +643,14 @@ static int timekeeping_resume(struct sys_device *dev)
+ 		ts = timespec_sub(ts, timekeeping_suspend_time);
+ 		xtime = timespec_add_safe(xtime, ts);
+ 		wall_to_monotonic = timespec_sub(wall_to_monotonic, ts);
+-		total_sleep_time = timespec_add_safe(total_sleep_time, ts);
++		update_sleep_time(timespec_add_safe(total_sleep_time, ts));
+ 	}
+ 	update_xtime_cache(0);
+ 	/* re-base the last cycle value */
+ 	timekeeper.clock->cycle_last = timekeeper.clock->read(timekeeper.clock);
+ 	timekeeper.ntp_error = 0;
+ 	timekeeping_suspended = 0;
++	timekeeping_update(false);
+ 	write_sequnlock_irqrestore(&xtime_lock, flags);
+ 
+ 	touch_softlockup_watchdog();
+@@ -769,6 +807,10 @@ void update_wall_time(void)
+ #else
+ 	offset = timekeeper.cycle_interval;
+ #endif
++	/* Check if there's really nothing to do */
++	if (offset < timekeeper.cycle_interval)
++		return;
++
+ 	timekeeper.xtime_nsec = (s64)xtime.tv_nsec << timekeeper.shift;
+ 
+ 	/* normally this loop will run just once, however in the
+@@ -783,9 +825,14 @@ void update_wall_time(void)
+ 
+ 		timekeeper.xtime_nsec += timekeeper.xtime_interval;
+ 		if (timekeeper.xtime_nsec >= nsecps) {
++			int leap;
+ 			timekeeper.xtime_nsec -= nsecps;
+ 			xtime.tv_sec++;
+-			second_overflow();
++			leap = second_overflow(xtime.tv_sec);
++			xtime.tv_sec += leap;
++			wall_to_monotonic.tv_sec -= leap;
++			if (leap)
++				clock_was_set_delayed();
+ 		}
+ 
+ 		raw_time.tv_nsec += timekeeper.raw_interval;
+@@ -837,8 +884,7 @@ void update_wall_time(void)
+ 	nsecs = clocksource_cyc2ns(offset, timekeeper.mult, timekeeper.shift);
+ 	update_xtime_cache(nsecs);
+ 
+-	/* check to see if there is a new clocksource to use */
+-	update_vsyscall(&xtime, timekeeper.clock, timekeeper.mult);
++	timekeeping_update(false);
+ }
+ 
+ /**
+@@ -915,3 +961,35 @@ struct timespec get_monotonic_coarse(void)
+ 				now.tv_nsec + mono.tv_nsec);
+ 	return now;
+ }
++
++#ifdef CONFIG_HIGH_RES_TIMERS
++/**
++ * ktime_get_update_offsets - hrtimer helper
++ * @real:	pointer to storage for monotonic -> realtime offset
++ *
++ * Returns current monotonic time and updates the offsets
++ * Called from hrtimer_interupt() or retrigger_next_event()
++ */
++ktime_t ktime_get_update_offsets(ktime_t *real)
++{
++	ktime_t now;
++	unsigned int seq;
++	u64 secs, nsecs;
++
++	do {
++		seq = read_seqbegin(&xtime_lock);
++
++		secs = xtime.tv_sec;
++		nsecs = xtime.tv_nsec;
++		nsecs += timekeeping_get_ns();
++		/* If arch requires, add in gettimeoffset() */
++		nsecs += arch_gettimeoffset();
++
++		*real = offs_real;
++	} while (read_seqretry(&xtime_lock, seq));
++
++	now = ktime_add_ns(ktime_set(secs, 0), nsecs);
++	now = ktime_sub(now, *real);
++	return now;
++}
++#endif
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 67e526b..b617e0c 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -772,6 +772,7 @@ int current_is_keventd(void)
+ 	return ret;
+ 
+ }
++EXPORT_SYMBOL_GPL(current_is_keventd);
+ 
+ static struct cpu_workqueue_struct *
+ init_cpu_workqueue(struct workqueue_struct *wq, int cpu)
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 5e1e508..20f9240 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -49,6 +49,84 @@ static unsigned long __initdata default_hstate_size;
+  */
+ static DEFINE_SPINLOCK(hugetlb_lock);
+ 
++static inline void unlock_or_release_subpool(struct hugepage_subpool *spool)
++{
++	bool free = (spool->count == 0) && (spool->used_hpages == 0);
++
++	spin_unlock(&spool->lock);
++
++	/* If no pages are used, and no other handles to the subpool
++	 * remain, free the subpool the subpool remain */
++	if (free)
++		kfree(spool);
++}
++
++struct hugepage_subpool *hugepage_new_subpool(long nr_blocks)
++{
++	struct hugepage_subpool *spool;
++
++	spool = kmalloc(sizeof(*spool), GFP_KERNEL);
++	if (!spool)
++		return NULL;
++
++	spin_lock_init(&spool->lock);
++	spool->count = 1;
++	spool->max_hpages = nr_blocks;
++	spool->used_hpages = 0;
++
++	return spool;
++}
++
++void hugepage_put_subpool(struct hugepage_subpool *spool)
++{
++	spin_lock(&spool->lock);
++	BUG_ON(!spool->count);
++	spool->count--;
++	unlock_or_release_subpool(spool);
++}
++
++static int hugepage_subpool_get_pages(struct hugepage_subpool *spool,
++				      long delta)
++{
++	int ret = 0;
++
++	if (!spool)
++		return 0;
++
++	spin_lock(&spool->lock);
++	if ((spool->used_hpages + delta) <= spool->max_hpages) {
++		spool->used_hpages += delta;
++	} else {
++		ret = -ENOMEM;
++	}
++	spin_unlock(&spool->lock);
++
++	return ret;
++}
++
++static void hugepage_subpool_put_pages(struct hugepage_subpool *spool,
++				       long delta)
++{
++	if (!spool)
++		return;
++
++	spin_lock(&spool->lock);
++	spool->used_hpages -= delta;
++	/* If hugetlbfs_put_super couldn't free spool due to
++	* an outstanding quota reference, free it now. */
++	unlock_or_release_subpool(spool);
++}
++
++static inline struct hugepage_subpool *subpool_inode(struct inode *inode)
++{
++	return HUGETLBFS_SB(inode->i_sb)->spool;
++}
++
++static inline struct hugepage_subpool *subpool_vma(struct vm_area_struct *vma)
++{
++	return subpool_inode(vma->vm_file->f_dentry->d_inode);
++}
++
+ /*
+  * Region tracking -- allows tracking of reservations and instantiated pages
+  *                    across the pages in a mapping.
+@@ -541,9 +619,9 @@ static void free_huge_page(struct page *page)
+ 	 */
+ 	struct hstate *h = page_hstate(page);
+ 	int nid = page_to_nid(page);
+-	struct address_space *mapping;
++	struct hugepage_subpool *spool =
++		(struct hugepage_subpool *)page_private(page);
+ 
+-	mapping = (struct address_space *) page_private(page);
+ 	set_page_private(page, 0);
+ 	page->mapping = NULL;
+ 	BUG_ON(page_count(page));
+@@ -558,8 +636,7 @@ static void free_huge_page(struct page *page)
+ 		enqueue_huge_page(h, page);
+ 	}
+ 	spin_unlock(&hugetlb_lock);
+-	if (mapping)
+-		hugetlb_put_quota(mapping, 1);
++	hugepage_subpool_put_pages(spool, 1);
+ }
+ 
+ static void prep_new_huge_page(struct hstate *h, struct page *page, int nid)
+@@ -927,11 +1004,12 @@ static void return_unused_surplus_pages(struct hstate *h,
+ /*
+  * Determine if the huge page at addr within the vma has an associated
+  * reservation.  Where it does not we will need to logically increase
+- * reservation and actually increase quota before an allocation can occur.
+- * Where any new reservation would be required the reservation change is
+- * prepared, but not committed.  Once the page has been quota'd allocated
+- * an instantiated the change should be committed via vma_commit_reservation.
+- * No action is required on failure.
++ * reservation and actually increase subpool usage before an allocation
++ * can occur.  Where any new reservation would be required the
++ * reservation change is prepared, but not committed.  Once the page
++ * has been allocated from the subpool and instantiated the change should
++ * be committed via vma_commit_reservation.  No action is required on
++ * failure.
+  */
+ static long vma_needs_reservation(struct hstate *h,
+ 			struct vm_area_struct *vma, unsigned long addr)
+@@ -980,24 +1058,24 @@ static void vma_commit_reservation(struct hstate *h,
+ static struct page *alloc_huge_page(struct vm_area_struct *vma,
+ 				    unsigned long addr, int avoid_reserve)
+ {
++	struct hugepage_subpool *spool = subpool_vma(vma);
+ 	struct hstate *h = hstate_vma(vma);
+ 	struct page *page;
+-	struct address_space *mapping = vma->vm_file->f_mapping;
+-	struct inode *inode = mapping->host;
+ 	long chg;
+ 
+ 	/*
+-	 * Processes that did not create the mapping will have no reserves and
+-	 * will not have accounted against quota. Check that the quota can be
+-	 * made before satisfying the allocation
+-	 * MAP_NORESERVE mappings may also need pages and quota allocated
+-	 * if no reserve mapping overlaps.
++	 * Processes that did not create the mapping will have no
++	 * reserves and will not have accounted against subpool
++	 * limit. Check that the subpool limit can be made before
++	 * satisfying the allocation MAP_NORESERVE mappings may also
++	 * need pages and subpool limit allocated allocated if no reserve
++	 * mapping overlaps.
+ 	 */
+ 	chg = vma_needs_reservation(h, vma, addr);
+ 	if (chg < 0)
+ 		return ERR_PTR(-VM_FAULT_OOM);
+ 	if (chg)
+-		if (hugetlb_get_quota(inode->i_mapping, chg))
++		if (hugepage_subpool_get_pages(spool, chg))
+ 			return ERR_PTR(-VM_FAULT_SIGBUS);
+ 
+ 	spin_lock(&hugetlb_lock);
+@@ -1007,13 +1085,13 @@ static struct page *alloc_huge_page(struct vm_area_struct *vma,
+ 	if (!page) {
+ 		page = alloc_buddy_huge_page(h, vma, addr);
+ 		if (!page) {
+-			hugetlb_put_quota(inode->i_mapping, chg);
++			hugepage_subpool_put_pages(spool, chg);
+ 			return ERR_PTR(-VM_FAULT_SIGBUS);
+ 		}
+ 	}
+ 
+ 	set_page_refcounted(page);
+-	set_page_private(page, (unsigned long) mapping);
++	set_page_private(page, (unsigned long)spool);
+ 
+ 	vma_commit_reservation(h, vma, addr);
+ 
+@@ -1698,6 +1776,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+ {
+ 	struct hstate *h = hstate_vma(vma);
+ 	struct resv_map *reservations = vma_resv_map(vma);
++	struct hugepage_subpool *spool = subpool_vma(vma);
+ 	unsigned long reserve;
+ 	unsigned long start;
+ 	unsigned long end;
+@@ -1713,7 +1792,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+ 
+ 		if (reserve) {
+ 			hugetlb_acct_memory(h, -reserve);
+-			hugetlb_put_quota(vma->vm_file->f_mapping, reserve);
++			hugepage_subpool_put_pages(spool, reserve);
+ 		}
+ 	}
+ }
+@@ -1910,7 +1989,7 @@ static int unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
+ 	address = address & huge_page_mask(h);
+ 	pgoff = ((address - vma->vm_start) >> PAGE_SHIFT)
+ 		+ (vma->vm_pgoff >> PAGE_SHIFT);
+-	mapping = (struct address_space *)page_private(page);
++	mapping = vma->vm_file->f_dentry->d_inode->i_mapping;
+ 
+ 	vma_prio_tree_foreach(iter_vma, &iter, &mapping->i_mmap, pgoff, pgoff) {
+ 		/* Do not unmap the current VMA */
+@@ -2364,11 +2443,12 @@ int hugetlb_reserve_pages(struct inode *inode,
+ {
+ 	long ret, chg;
+ 	struct hstate *h = hstate_inode(inode);
++	struct hugepage_subpool *spool = subpool_inode(inode);
+ 
+ 	/*
+ 	 * Only apply hugepage reservation if asked. At fault time, an
+ 	 * attempt will be made for VM_NORESERVE to allocate a page
+-	 * and filesystem quota without using reserves
++	 * without using reserves
+ 	 */
+ 	if (acctflag & VM_NORESERVE)
+ 		return 0;
+@@ -2395,17 +2475,17 @@ int hugetlb_reserve_pages(struct inode *inode,
+ 	if (chg < 0)
+ 		return chg;
+ 
+-	/* There must be enough filesystem quota for the mapping */
+-	if (hugetlb_get_quota(inode->i_mapping, chg))
++	/* There must be enough pages in the subpool for the mapping */
++	if (hugepage_subpool_get_pages(spool, chg))
+ 		return -ENOSPC;
+ 
+ 	/*
+ 	 * Check enough hugepages are available for the reservation.
+-	 * Hand back the quota if there are not
++	 * Hand the pages back to the subpool if there are not
+ 	 */
+ 	ret = hugetlb_acct_memory(h, chg);
+ 	if (ret < 0) {
+-		hugetlb_put_quota(inode->i_mapping, chg);
++		hugepage_subpool_put_pages(spool, chg);
+ 		return ret;
+ 	}
+ 
+@@ -2429,11 +2509,12 @@ void hugetlb_unreserve_pages(struct inode *inode, long offset, long freed)
+ {
+ 	struct hstate *h = hstate_inode(inode);
+ 	long chg = region_truncate(&inode->i_mapping->private_list, offset);
++	struct hugepage_subpool *spool = subpool_inode(inode);
+ 
+ 	spin_lock(&inode->i_lock);
+ 	inode->i_blocks -= (blocks_per_huge_page(h) * freed);
+ 	spin_unlock(&inode->i_lock);
+ 
+-	hugetlb_put_quota(inode->i_mapping, (chg - freed));
++	hugepage_subpool_put_pages(spool, (chg - freed));
+ 	hugetlb_acct_memory(h, -(chg - freed));
+ }
+diff --git a/mm/madvise.c b/mm/madvise.c
+index 35b1479..e405c5f 100644
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -12,6 +12,7 @@
+ #include <linux/hugetlb.h>
+ #include <linux/sched.h>
+ #include <linux/ksm.h>
++#include <linux/file.h>
+ 
+ /*
+  * Any behaviour which results in changes to the vma->vm_flags needs to
+@@ -190,14 +191,16 @@ static long madvise_remove(struct vm_area_struct *vma,
+ 	struct address_space *mapping;
+ 	loff_t offset, endoff;
+ 	int error;
++	struct file *f;
+ 
+ 	*prev = NULL;	/* tell sys_madvise we drop mmap_sem */
+ 
+ 	if (vma->vm_flags & (VM_LOCKED|VM_NONLINEAR|VM_HUGETLB))
+ 		return -EINVAL;
+ 
+-	if (!vma->vm_file || !vma->vm_file->f_mapping
+-		|| !vma->vm_file->f_mapping->host) {
++	f = vma->vm_file;
++
++	if (!f || !f->f_mapping || !f->f_mapping->host) {
+ 			return -EINVAL;
+ 	}
+ 
+@@ -211,9 +214,16 @@ static long madvise_remove(struct vm_area_struct *vma,
+ 	endoff = (loff_t)(end - vma->vm_start - 1)
+ 			+ ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
+ 
+-	/* vmtruncate_range needs to take i_mutex and i_alloc_sem */
++	/*
++	 * vmtruncate_range may need to take i_mutex and i_alloc_sem.
++	 * We need to explicitly grab a reference because the vma (and
++	 * hence the vma's reference to the file) can go away as soon as
++	 * we drop mmap_sem.
++	 */
++	get_file(f);
+ 	up_read(&current->mm->mmap_sem);
+ 	error = vmtruncate_range(mapping->host, offset, endoff);
++	fput(f);
+ 	down_read(&current->mm->mmap_sem);
+ 	return error;
+ }
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 3c6e3e2..a6563fb 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2259,7 +2259,7 @@ int mpol_to_str(char *buffer, int maxlen, struct mempolicy *pol, int no_context)
+ 		break;
+ 
+ 	default:
+-		BUG();
++		return -EINVAL;
+ 	}
+ 
+ 	l = strlen(policy_types[mode]);
+diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c
+index 7e33f2c..8aa875c 100644
+--- a/mm/mmu_notifier.c
++++ b/mm/mmu_notifier.c
+@@ -32,6 +32,24 @@
+ void __mmu_notifier_release(struct mm_struct *mm)
+ {
+ 	struct mmu_notifier *mn;
++	struct hlist_node *n;
++
++	/*
++	 * RCU here will block mmu_notifier_unregister until
++	 * ->release returns.
++	 */
++	rcu_read_lock();
++	hlist_for_each_entry_rcu(mn, n, &mm->mmu_notifier_mm->list, hlist)
++		/*
++		 * if ->release runs before mmu_notifier_unregister it
++		 * must be handled as it's the only way for the driver
++		 * to flush all existing sptes and stop the driver
++		 * from establishing any more sptes before all the
++		 * pages in the mm are freed.
++		 */
++		if (mn->ops->release)
++			mn->ops->release(mn, mm);
++	rcu_read_unlock();
+ 
+ 	spin_lock(&mm->mmu_notifier_mm->lock);
+ 	while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) {
+@@ -45,23 +63,6 @@ void __mmu_notifier_release(struct mm_struct *mm)
+ 		 * mmu_notifier_unregister to return.
+ 		 */
+ 		hlist_del_init_rcu(&mn->hlist);
+-		/*
+-		 * RCU here will block mmu_notifier_unregister until
+-		 * ->release returns.
+-		 */
+-		rcu_read_lock();
+-		spin_unlock(&mm->mmu_notifier_mm->lock);
+-		/*
+-		 * if ->release runs before mmu_notifier_unregister it
+-		 * must be handled as it's the only way for the driver
+-		 * to flush all existing sptes and stop the driver
+-		 * from establishing any more sptes before all the
+-		 * pages in the mm are freed.
+-		 */
+-		if (mn->ops->release)
+-			mn->ops->release(mn, mm);
+-		rcu_read_unlock();
+-		spin_lock(&mm->mmu_notifier_mm->lock);
+ 	}
+ 	spin_unlock(&mm->mmu_notifier_mm->lock);
+ 
+@@ -263,16 +264,13 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
+ {
+ 	BUG_ON(atomic_read(&mm->mm_count) <= 0);
+ 
+-	spin_lock(&mm->mmu_notifier_mm->lock);
+ 	if (!hlist_unhashed(&mn->hlist)) {
+-		hlist_del_rcu(&mn->hlist);
+-
+ 		/*
+ 		 * RCU here will force exit_mmap to wait ->release to finish
+ 		 * before freeing the pages.
+ 		 */
+ 		rcu_read_lock();
+-		spin_unlock(&mm->mmu_notifier_mm->lock);
++
+ 		/*
+ 		 * exit_mmap will block in mmu_notifier_release to
+ 		 * guarantee ->release is called before freeing the
+@@ -281,8 +279,11 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
+ 		if (mn->ops->release)
+ 			mn->ops->release(mn, mm);
+ 		rcu_read_unlock();
+-	} else
++
++		spin_lock(&mm->mmu_notifier_mm->lock);
++		hlist_del_rcu(&mn->hlist);
+ 		spin_unlock(&mm->mmu_notifier_mm->lock);
++	}
+ 
+ 	/*
+ 	 * Wait any running method to finish, of course including
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 84a0705..46e2a29 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1133,6 +1133,7 @@ int dev_open(struct net_device *dev)
+ 		/*
+ 		 *	... and announce new interface.
+ 		 */
++		add_device_randomness(dev->dev_addr, dev->addr_len);
+ 		call_netdevice_notifiers(NETDEV_UP, dev);
+ 	}
+ 
+@@ -4268,6 +4269,7 @@ int dev_set_mac_address(struct net_device *dev, struct sockaddr *sa)
+ 	err = ops->ndo_set_mac_address(dev, sa);
+ 	if (!err)
+ 		call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
++	add_device_randomness(dev->dev_addr, dev->addr_len);
+ 	return err;
+ }
+ EXPORT_SYMBOL(dev_set_mac_address);
+@@ -4871,6 +4873,7 @@ int register_netdevice(struct net_device *dev)
+ 	dev_init_scheduler(dev);
+ 	dev_hold(dev);
+ 	list_netdevice(dev);
++	add_device_randomness(dev->dev_addr, dev->addr_len);
+ 
+ 	/* Notify protocols, that a new device appeared. */
+ 	ret = call_netdevice_notifiers(NETDEV_REGISTER, dev);
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index d4fd895..9d70042 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -817,6 +817,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
+ 			goto errout;
+ 		send_addr_notify = 1;
+ 		modified = 1;
++		add_device_randomness(dev->dev_addr, dev->addr_len);
+ 	}
+ 
+ 	if (tb[IFLA_MTU]) {
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 025f924..72ff527 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2989,6 +2989,8 @@ static void sock_rmem_free(struct sk_buff *skb)
+  */
+ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
+ {
++	int len = skb->len;
++
+ 	if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
+ 	    (unsigned)sk->sk_rcvbuf)
+ 		return -ENOMEM;
+@@ -3000,7 +3002,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
+ 
+ 	skb_queue_tail(&sk->sk_error_queue, skb);
+ 	if (!sock_flag(sk, SOCK_DEAD))
+-		sk->sk_data_ready(sk, skb->len);
++		sk->sk_data_ready(sk, len);
+ 	return 0;
+ }
+ EXPORT_SYMBOL(sock_queue_err_skb);
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 6605e75..4538a34 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1391,6 +1391,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ 	gfp_t gfp_mask;
+ 	long timeo;
+ 	int err;
++	int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
++
++	err = -EMSGSIZE;
++	if (npages > MAX_SKB_FRAGS)
++		goto failure;
+ 
+ 	gfp_mask = sk->sk_allocation;
+ 	if (gfp_mask & __GFP_WAIT)
+@@ -1409,14 +1414,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ 		if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
+ 			skb = alloc_skb(header_len, gfp_mask);
+ 			if (skb) {
+-				int npages;
+ 				int i;
+ 
+ 				/* No pages, we're done... */
+ 				if (!data_len)
+ 					break;
+ 
+-				npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+ 				skb->truesize += data_len;
+ 				skb_shinfo(skb)->nr_frags = npages;
+ 				for (i = 0; i < npages; i++) {
+diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
+index facedd2..ab260b0 100644
+--- a/net/dccp/ccid.h
++++ b/net/dccp/ccid.h
+@@ -214,7 +214,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk,
+ 					u32 __user *optval, int __user *optlen)
+ {
+ 	int rc = -ENOPROTOOPT;
+-	if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
++	if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
+ 		rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len,
+ 						 optval, optlen);
+ 	return rc;
+@@ -225,7 +225,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk,
+ 					u32 __user *optval, int __user *optlen)
+ {
+ 	int rc = -ENOPROTOOPT;
+-	if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
++	if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
+ 		rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len,
+ 						 optval, optlen);
+ 	return rc;
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 039cc1f..10f8f8d 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1726,8 +1726,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option)
+ 		case CIPSO_V4_TAG_LOCAL:
+ 			/* This is a non-standard tag that we only allow for
+ 			 * local connections, so if the incoming interface is
+-			 * not the loopback device drop the packet. */
+-			if (!(skb->dev->flags & IFF_LOOPBACK)) {
++			 * not the loopback device drop the packet. Further,
++			 * there is no legitimate reason for setting this from
++			 * userspace so reject it if skb is NULL. */
++			if (skb == NULL || !(skb->dev->flags & IFF_LOOPBACK)) {
+ 				err_offset = opt_iter;
+ 				goto validate_return_locked;
+ 			}
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index f095659..b9644d8 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -838,8 +838,7 @@ new_segment:
+ wait_for_sndbuf:
+ 		set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
+ wait_for_memory:
+-		if (copied)
+-			tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
++		tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
+ 
+ 		if ((err = sk_stream_wait_memory(sk, &timeo)) != 0)
+ 			goto do_error;
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ce1ce82..db755c4 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5239,7 +5239,9 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
+ 			if (tp->copied_seq == tp->rcv_nxt &&
+ 			    len - tcp_header_len <= tp->ucopy.len) {
+ #ifdef CONFIG_NET_DMA
+-				if (tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
++				if (tp->ucopy.task == current &&
++				    sock_owned_by_user(sk) &&
++				    tcp_dma_try_early_copy(sk, skb, tcp_header_len)) {
+ 					copied_early = 1;
+ 					eaten = 1;
+ 				}
+@@ -5632,6 +5634,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ 			goto discard;
+ 
+ 		if (th->syn) {
++			if (th->fin)
++				goto discard;
+ 			if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
+ 				return 1;
+ 
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 6fc7961..6a4e832 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -406,6 +406,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
+ 		    !icsk->icsk_backoff)
+ 			break;
+ 
++		if (sock_owned_by_user(sk))
++			break;
++
+ 		icsk->icsk_backoff--;
+ 		inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
+ 					 icsk->icsk_backoff;
+@@ -420,11 +423,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
+ 		if (remaining) {
+ 			inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+ 						  remaining, TCP_RTO_MAX);
+-		} else if (sock_owned_by_user(sk)) {
+-			/* RTO revert clocked out retransmission,
+-			 * but socket is locked. Will defer. */
+-			inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+-						  HZ/20, TCP_RTO_MAX);
+ 		} else {
+ 			/* RTO revert clocked out retransmission.
+ 			 * Will retransmit now */
+diff --git a/net/ipv4/xfrm4_mode_beet.c b/net/ipv4/xfrm4_mode_beet.c
+index 6341818..e3db3f9 100644
+--- a/net/ipv4/xfrm4_mode_beet.c
++++ b/net/ipv4/xfrm4_mode_beet.c
+@@ -110,10 +110,7 @@ static int xfrm4_beet_input(struct xfrm_state *x, struct sk_buff *skb)
+ 
+ 	skb_push(skb, sizeof(*iph));
+ 	skb_reset_network_header(skb);
+-
+-	memmove(skb->data - skb->mac_len, skb_mac_header(skb),
+-		skb->mac_len);
+-	skb_set_mac_header(skb, -skb->mac_len);
++	skb_mac_header_rebuild(skb);
+ 
+ 	xfrm4_beet_make_header(skb);
+ 
+diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
+index 3444f3b..5d1d1fd 100644
+--- a/net/ipv4/xfrm4_mode_tunnel.c
++++ b/net/ipv4/xfrm4_mode_tunnel.c
+@@ -65,7 +65,6 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
+ 
+ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+-	const unsigned char *old_mac;
+ 	int err = -EINVAL;
+ 
+ 	if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPIP)
+@@ -83,10 +82,9 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
+ 	if (!(x->props.flags & XFRM_STATE_NOECN))
+ 		ipip_ecn_decapsulate(skb);
+ 
+-	old_mac = skb_mac_header(skb);
+-	skb_set_mac_header(skb, -skb->mac_len);
+-	memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ 	skb_reset_network_header(skb);
++	skb_mac_header_rebuild(skb);
++
+ 	err = 0;
+ 
+ out:
+diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
+index bbd48b1..6cc7a45 100644
+--- a/net/ipv6/xfrm6_mode_beet.c
++++ b/net/ipv6/xfrm6_mode_beet.c
+@@ -82,7 +82,6 @@ static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_beet_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ 	struct ipv6hdr *ip6h;
+-	const unsigned char *old_mac;
+ 	int size = sizeof(struct ipv6hdr);
+ 	int err;
+ 
+@@ -92,10 +91,7 @@ static int xfrm6_beet_input(struct xfrm_state *x, struct sk_buff *skb)
+ 
+ 	__skb_push(skb, size);
+ 	skb_reset_network_header(skb);
+-
+-	old_mac = skb_mac_header(skb);
+-	skb_set_mac_header(skb, -skb->mac_len);
+-	memmove(skb_mac_header(skb), old_mac, skb->mac_len);
++	skb_mac_header_rebuild(skb);
+ 
+ 	xfrm6_beet_make_header(skb);
+ 
+diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
+index 3927832..672c0da 100644
+--- a/net/ipv6/xfrm6_mode_tunnel.c
++++ b/net/ipv6/xfrm6_mode_tunnel.c
+@@ -61,7 +61,6 @@ static int xfrm6_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ 	int err = -EINVAL;
+-	const unsigned char *old_mac;
+ 
+ 	if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPV6)
+ 		goto out;
+@@ -78,10 +77,9 @@ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
+ 	if (!(x->props.flags & XFRM_STATE_NOECN))
+ 		ipip6_ecn_decapsulate(skb);
+ 
+-	old_mac = skb_mac_header(skb);
+-	skb_set_mac_header(skb, -skb->mac_len);
+-	memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ 	skb_reset_network_header(skb);
++	skb_mac_header_rebuild(skb);
++
+ 	err = 0;
+ 
+ out:
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 5a7dcdf..fc91ff6 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -821,12 +821,19 @@ int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
+ 	return 0;
+ }
+ 
+-int netlink_sendskb(struct sock *sk, struct sk_buff *skb)
++static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb)
+ {
+ 	int len = skb->len;
+ 
+ 	skb_queue_tail(&sk->sk_receive_queue, skb);
+ 	sk->sk_data_ready(sk, len);
++	return len;
++}
++
++int netlink_sendskb(struct sock *sk, struct sk_buff *skb)
++{
++	int len = __netlink_sendskb(sk, skb);
++
+ 	sock_put(sk);
+ 	return len;
+ }
+@@ -951,8 +958,7 @@ static inline int netlink_broadcast_deliver(struct sock *sk,
+ 	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf &&
+ 	    !test_bit(0, &nlk->state)) {
+ 		skb_set_owner_r(skb, sk);
+-		skb_queue_tail(&sk->sk_receive_queue, skb);
+-		sk->sk_data_ready(sk, skb->len);
++		__netlink_sendskb(sk, skb);
+ 		return atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf;
+ 	}
+ 	return -1;
+@@ -1665,10 +1671,8 @@ static int netlink_dump(struct sock *sk)
+ 
+ 		if (sk_filter(sk, skb))
+ 			kfree_skb(skb);
+-		else {
+-			skb_queue_tail(&sk->sk_receive_queue, skb);
+-			sk->sk_data_ready(sk, skb->len);
+-		}
++		else
++			__netlink_sendskb(sk, skb);
+ 		return 0;
+ 	}
+ 
+@@ -1680,10 +1684,8 @@ static int netlink_dump(struct sock *sk)
+ 
+ 	if (sk_filter(sk, skb))
+ 		kfree_skb(skb);
+-	else {
+-		skb_queue_tail(&sk->sk_receive_queue, skb);
+-		sk->sk_data_ready(sk, skb->len);
+-	}
++	else
++		__netlink_sendskb(sk, skb);
+ 
+ 	if (cb->done)
+ 		cb->done(cb);
+diff --git a/net/phonet/pep.c b/net/phonet/pep.c
+index 9cdd35e..7481d70 100644
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -851,6 +851,9 @@ static int pep_sendmsg(struct kiocb *iocb, struct sock *sk,
+ 	int flags = msg->msg_flags;
+ 	int err, done;
+ 
++	if (len > 65535)
++		return -EMSGSIZE;
++
+ 	if (msg->msg_flags & MSG_OOB || !(msg->msg_flags & MSG_EOR))
+ 		return -EOPNOTSUPP;
+ 
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 7d188bc..523efbb 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -983,7 +983,7 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
+ 	struct sock *make;
+ 	struct rose_sock *make_rose;
+ 	struct rose_facilities_struct facilities;
+-	int n, len;
++	int n;
+ 
+ 	skb->sk = NULL;		/* Initially we don't know who it's for */
+ 
+@@ -992,9 +992,9 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
+ 	 */
+ 	memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
+ 
+-	len  = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
+-	len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
+-	if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {
++	if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
++				   skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
++				   &facilities)) {
+ 		rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76);
+ 		return 0;
+ 	}
+diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
+index 114df6e..37965b8 100644
+--- a/net/rose/rose_loopback.c
++++ b/net/rose/rose_loopback.c
+@@ -72,9 +72,20 @@ static void rose_loopback_timer(unsigned long param)
+ 	unsigned int lci_i, lci_o;
+ 
+ 	while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
++		if (skb->len < ROSE_MIN_LEN) {
++			kfree_skb(skb);
++			continue;
++		}
+ 		lci_i     = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
+ 		frametype = skb->data[2];
+-		dest      = (rose_address *)(skb->data + 4);
++		if (frametype == ROSE_CALL_REQUEST &&
++		    (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
++		     skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
++		     ROSE_CALL_REQ_ADDR_LEN_VAL)) {
++			kfree_skb(skb);
++			continue;
++		}
++		dest      = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
+ 		lci_o     = 0xFFF - lci_i;
+ 
+ 		skb_reset_transport_header(skb);
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+index 08230fa..1646b25 100644
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -852,7 +852,7 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ 	unsigned int lci, new_lci;
+ 	unsigned char cause, diagnostic;
+ 	struct net_device *dev;
+-	int len, res = 0;
++	int res = 0;
+ 	char buf[11];
+ 
+ #if 0
+@@ -860,10 +860,17 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ 		return res;
+ #endif
+ 
++	if (skb->len < ROSE_MIN_LEN)
++		return res;
+ 	frametype = skb->data[2];
+ 	lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
+-	src_addr  = (rose_address *)(skb->data + 9);
+-	dest_addr = (rose_address *)(skb->data + 4);
++	if (frametype == ROSE_CALL_REQUEST &&
++	    (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
++	     skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
++	     ROSE_CALL_REQ_ADDR_LEN_VAL))
++		return res;
++	src_addr  = (rose_address *)(skb->data + ROSE_CALL_REQ_SRC_ADDR_OFF);
++	dest_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
+ 
+ 	spin_lock_bh(&rose_neigh_list_lock);
+ 	spin_lock_bh(&rose_route_list_lock);
+@@ -1001,12 +1008,11 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ 		goto out;
+ 	}
+ 
+-	len  = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
+-	len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
+-
+ 	memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
+ 
+-	if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {
++	if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
++				   skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
++				   &facilities)) {
+ 		rose_transmit_clear_request(rose_neigh, lci, ROSE_INVALID_FACILITY, 76);
+ 		goto out;
+ 	}
+diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
+index 07bca7d..32e5c9f 100644
+--- a/net/rose/rose_subr.c
++++ b/net/rose/rose_subr.c
+@@ -141,7 +141,7 @@ void rose_write_internal(struct sock *sk, int frametype)
+ 		*dptr++ = ROSE_GFI | lci1;
+ 		*dptr++ = lci2;
+ 		*dptr++ = frametype;
+-		*dptr++ = 0xAA;
++		*dptr++ = ROSE_CALL_REQ_ADDR_LEN_VAL;
+ 		memcpy(dptr, &rose->dest_addr,  ROSE_ADDR_LEN);
+ 		dptr   += ROSE_ADDR_LEN;
+ 		memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);
+@@ -245,12 +245,16 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
+ 	do {
+ 		switch (*p & 0xC0) {
+ 		case 0x00:
++			if (len < 2)
++				return -1;
+ 			p   += 2;
+ 			n   += 2;
+ 			len -= 2;
+ 			break;
+ 
+ 		case 0x40:
++			if (len < 3)
++				return -1;
+ 			if (*p == FAC_NATIONAL_RAND)
+ 				facilities->rand = ((p[1] << 8) & 0xFF00) + ((p[2] << 0) & 0x00FF);
+ 			p   += 3;
+@@ -259,32 +263,48 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
+ 			break;
+ 
+ 		case 0x80:
++			if (len < 4)
++				return -1;
+ 			p   += 4;
+ 			n   += 4;
+ 			len -= 4;
+ 			break;
+ 
+ 		case 0xC0:
++			if (len < 2)
++				return -1;
+ 			l = p[1];
++			if (len < 2 + l)
++				return -1;
+ 			if (*p == FAC_NATIONAL_DEST_DIGI) {
+ 				if (!fac_national_digis_received) {
++					if (l < AX25_ADDR_LEN)
++						return -1;
+ 					memcpy(&facilities->source_digis[0], p + 2, AX25_ADDR_LEN);
+ 					facilities->source_ndigis = 1;
+ 				}
+ 			}
+ 			else if (*p == FAC_NATIONAL_SRC_DIGI) {
+ 				if (!fac_national_digis_received) {
++					if (l < AX25_ADDR_LEN)
++						return -1;
+ 					memcpy(&facilities->dest_digis[0], p + 2, AX25_ADDR_LEN);
+ 					facilities->dest_ndigis = 1;
+ 				}
+ 			}
+ 			else if (*p == FAC_NATIONAL_FAIL_CALL) {
++				if (l < AX25_ADDR_LEN)
++					return -1;
+ 				memcpy(&facilities->fail_call, p + 2, AX25_ADDR_LEN);
+ 			}
+ 			else if (*p == FAC_NATIONAL_FAIL_ADD) {
++				if (l < 1 + ROSE_ADDR_LEN)
++					return -1;
+ 				memcpy(&facilities->fail_addr, p + 3, ROSE_ADDR_LEN);
+ 			}
+ 			else if (*p == FAC_NATIONAL_DIGIS) {
++				if (l % AX25_ADDR_LEN)
++					return -1;
+ 				fac_national_digis_received = 1;
+ 				facilities->source_ndigis = 0;
+ 				facilities->dest_ndigis   = 0;
+@@ -318,24 +338,32 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
+ 	do {
+ 		switch (*p & 0xC0) {
+ 		case 0x00:
++			if (len < 2)
++				return -1;
+ 			p   += 2;
+ 			n   += 2;
+ 			len -= 2;
+ 			break;
+ 
+ 		case 0x40:
++			if (len < 3)
++				return -1;
+ 			p   += 3;
+ 			n   += 3;
+ 			len -= 3;
+ 			break;
+ 
+ 		case 0x80:
++			if (len < 4)
++				return -1;
+ 			p   += 4;
+ 			n   += 4;
+ 			len -= 4;
+ 			break;
+ 
+ 		case 0xC0:
++			if (len < 2)
++				return -1;
+ 			l = p[1];
+ 
+ 			/* Prevent overflows*/
+@@ -364,49 +392,44 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
+ 	return n;
+ }
+ 
+-int rose_parse_facilities(unsigned char *p,
++int rose_parse_facilities(unsigned char *p, unsigned packet_len,
+ 	struct rose_facilities_struct *facilities)
+ {
+ 	int facilities_len, len;
+ 
+ 	facilities_len = *p++;
+ 
+-	if (facilities_len == 0)
++	if (facilities_len == 0 || (unsigned)facilities_len > packet_len)
+ 		return 0;
+ 
+-	while (facilities_len > 0) {
+-		if (*p == 0x00) {
+-			facilities_len--;
+-			p++;
+-
+-			switch (*p) {
+-			case FAC_NATIONAL:		/* National */
+-				len = rose_parse_national(p + 1, facilities, facilities_len - 1);
+-				if (len < 0)
+-					return 0;
+-				facilities_len -= len + 1;
+-				p += len + 1;
+-				break;
+-
+-			case FAC_CCITT:		/* CCITT */
+-				len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
+-				if (len < 0)
+-					return 0;
+-				facilities_len -= len + 1;
+-				p += len + 1;
+-				break;
+-
+-			default:
+-				printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
+-				facilities_len--;
+-				p++;
+-				break;
+-			}
+-		} else
+-			break;	/* Error in facilities format */
++	while (facilities_len >= 3 && *p == 0x00) {
++		facilities_len--;
++		p++;
++
++		switch (*p) {
++		case FAC_NATIONAL:		/* National */
++			len = rose_parse_national(p + 1, facilities, facilities_len - 1);
++			break;
++
++		case FAC_CCITT:		/* CCITT */
++			len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
++			break;
++
++		default:
++			printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
++			len = 1;
++			break;
++		}
++
++		if (len < 0)
++			return 0;
++		if (WARN_ON(len >= facilities_len))
++			return 0;
++		facilities_len -= len + 1;
++		p += len + 1;
+ 	}
+ 
+-	return 1;
++	return facilities_len == 0;
+ }
+ 
+ static int rose_create_facilities(unsigned char *buffer, struct rose_sock *rose)
+diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
+index 40408d5..bf98414 100644
+--- a/net/sched/sch_gred.c
++++ b/net/sched/sch_gred.c
+@@ -544,11 +544,8 @@ static int gred_dump(struct Qdisc *sch, struct sk_buff *skb)
+ 		opt.packets	= q->packetsin;
+ 		opt.bytesin	= q->bytesin;
+ 
+-		if (gred_wred_mode(table)) {
+-			q->parms.qidlestart =
+-				table->tab[table->def]->parms.qidlestart;
+-			q->parms.qavg = table->tab[table->def]->parms.qavg;
+-		}
++		if (gred_wred_mode(table))
++			gred_load_wred_set(table, q);
+ 
+ 		opt.qave = red_calc_qavg(&q->parms, q->parms.qavg);
+ 
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 2b88295..0ae345a 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -199,12 +199,10 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+ 	 * do it now in software before we mangle it.
+ 	 */
+ 	if (q->corrupt && q->corrupt >= get_crandom(&q->corrupt_cor)) {
+-		if (!(skb = skb_unshare(skb, GFP_ATOMIC))
+-		    || (skb->ip_summed == CHECKSUM_PARTIAL
+-			&& skb_checksum_help(skb))) {
+-			sch->qstats.drops++;
+-			return NET_XMIT_DROP;
+-		}
++		if (!(skb = skb_unshare(skb, GFP_ATOMIC)) ||
++		    (skb->ip_summed == CHECKSUM_PARTIAL &&
++		     skb_checksum_help(skb)))
++			return qdisc_drop(skb, sch);
+ 
+ 		skb->data[net_random() % skb_headlen(skb)] ^= 1<<(net_random() % 8);
+ 	}
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 254afea..e8e73f1 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -739,15 +739,12 @@ static void __sctp_unhash_endpoint(struct sctp_endpoint *ep)
+ 
+ 	epb = &ep->base;
+ 
+-	if (hlist_unhashed(&epb->node))
+-		return;
+-
+ 	epb->hashent = sctp_ep_hashfn(epb->bind_addr.port);
+ 
+ 	head = &sctp_ep_hashtable[epb->hashent];
+ 
+ 	sctp_write_lock(&head->lock);
+-	__hlist_del(&epb->node);
++	hlist_del_init(&epb->node);
+ 	sctp_write_unlock(&head->lock);
+ }
+ 
+@@ -828,7 +825,7 @@ static void __sctp_unhash_established(struct sctp_association *asoc)
+ 	head = &sctp_assoc_hashtable[epb->hashent];
+ 
+ 	sctp_write_lock(&head->lock);
+-	__hlist_del(&epb->node);
++	hlist_del_init(&epb->node);
+ 	sctp_write_unlock(&head->lock);
+ }
+ 
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 3a95fcb..1f9843e 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1142,8 +1142,14 @@ out_free:
+ 	SCTP_DEBUG_PRINTK("About to exit __sctp_connect() free asoc: %p"
+ 			  " kaddrs: %p err: %d\n",
+ 			  asoc, kaddrs, err);
+-	if (asoc)
++	if (asoc) {
++		/* sctp_primitive_ASSOCIATE may have added this association
++		 * To the hash table, try to unhash it, just in case, its a noop
++		 * if it wasn't hashed so we're safe
++		 */
++		sctp_unhash_established(asoc);
+ 		sctp_association_free(asoc);
++	}
+ 	return err;
+ }
+ 
+@@ -1851,8 +1857,10 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
+ 	goto out_unlock;
+ 
+ out_free:
+-	if (new_asoc)
++	if (new_asoc) {
++		sctp_unhash_established(asoc);
+ 		sctp_association_free(asoc);
++	}
+ out_unlock:
+ 	sctp_release_sock(sk);
+ 
+diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
+index 25f7801..e3fea46 100644
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -719,6 +719,8 @@ static ssize_t cache_do_downcall(char *kaddr, const char __user *buf,
+ {
+ 	ssize_t ret;
+ 
++	if (count == 0)
++		return -EINVAL;
+ 	if (copy_from_user(kaddr, buf, count))
+ 		return -EFAULT;
+ 	kaddr[count] = '\0';
+diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
+index ac94477..9b3941d 100644
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -485,14 +485,18 @@ EXPORT_SYMBOL_GPL(rpc_wake_up_next);
+  */
+ void rpc_wake_up(struct rpc_wait_queue *queue)
+ {
+-	struct rpc_task *task, *next;
+ 	struct list_head *head;
+ 
+ 	spin_lock_bh(&queue->lock);
+ 	head = &queue->tasks[queue->maxpriority];
+ 	for (;;) {
+-		list_for_each_entry_safe(task, next, head, u.tk_wait.list)
++		while (!list_empty(head)) {
++			struct rpc_task *task;
++			task = list_first_entry(head,
++					struct rpc_task,
++					u.tk_wait.list);
+ 			rpc_wake_up_task_queue_locked(queue, task);
++		}
+ 		if (head == &queue->tasks[0])
+ 			break;
+ 		head--;
+@@ -510,13 +514,16 @@ EXPORT_SYMBOL_GPL(rpc_wake_up);
+  */
+ void rpc_wake_up_status(struct rpc_wait_queue *queue, int status)
+ {
+-	struct rpc_task *task, *next;
+ 	struct list_head *head;
+ 
+ 	spin_lock_bh(&queue->lock);
+ 	head = &queue->tasks[queue->maxpriority];
+ 	for (;;) {
+-		list_for_each_entry_safe(task, next, head, u.tk_wait.list) {
++		while (!list_empty(head)) {
++			struct rpc_task *task;
++			task = list_first_entry(head,
++					struct rpc_task,
++					u.tk_wait.list);
+ 			task->tk_status = status;
+ 			rpc_wake_up_task_queue_locked(queue, task);
+ 		}
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 314320a..8d72660 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -304,7 +304,6 @@ static void svc_thread_dequeue(struct svc_pool *pool, struct svc_rqst *rqstp)
+  */
+ void svc_xprt_enqueue(struct svc_xprt *xprt)
+ {
+-	struct svc_serv	*serv = xprt->xpt_server;
+ 	struct svc_pool *pool;
+ 	struct svc_rqst	*rqstp;
+ 	int cpu;
+@@ -381,8 +380,6 @@ void svc_xprt_enqueue(struct svc_xprt *xprt)
+ 				rqstp, rqstp->rq_xprt);
+ 		rqstp->rq_xprt = xprt;
+ 		svc_xprt_get(xprt);
+-		rqstp->rq_reserved = serv->sv_max_mesg;
+-		atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
+ 		rqstp->rq_waking = 1;
+ 		pool->sp_nwaking++;
+ 		pool->sp_stats.threads_woken++;
+@@ -667,8 +664,6 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
+ 	if (xprt) {
+ 		rqstp->rq_xprt = xprt;
+ 		svc_xprt_get(xprt);
+-		rqstp->rq_reserved = serv->sv_max_mesg;
+-		atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
+ 	} else {
+ 		/* No data pending. Go to sleep */
+ 		svc_thread_enqueue(pool, rqstp);
+@@ -758,6 +753,8 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
+ 		} else
+ 			len = xprt->xpt_ops->xpo_recvfrom(rqstp);
+ 		dprintk("svc: got len=%d\n", len);
++		rqstp->rq_reserved = serv->sv_max_mesg;
++		atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
+ 	}
+ 
+ 	/* No data, incomplete (TCP) read, or accept() */
+@@ -811,7 +808,8 @@ int svc_send(struct svc_rqst *rqstp)
+ 
+ 	/* Grab mutex to serialize outgoing data. */
+ 	mutex_lock(&xprt->xpt_mutex);
+-	if (test_bit(XPT_DEAD, &xprt->xpt_flags))
++	if (test_bit(XPT_DEAD, &xprt->xpt_flags)
++			|| test_bit(XPT_CLOSE, &xprt->xpt_flags))
+ 		len = -ENOTCONN;
+ 	else
+ 		len = xprt->xpt_ops->xpo_sendto(rqstp);
+diff --git a/net/wanrouter/wanmain.c b/net/wanrouter/wanmain.c
+index 258daa8..0d8380a 100644
+--- a/net/wanrouter/wanmain.c
++++ b/net/wanrouter/wanmain.c
+@@ -603,36 +603,31 @@ static int wanrouter_device_new_if(struct wan_device *wandev,
+ 		 * successfully, add it to the interface list.
+ 		 */
+ 
+-		if (dev->name == NULL) {
+-			err = -EINVAL;
+-		} else {
++#ifdef WANDEBUG
++		printk(KERN_INFO "%s: registering interface %s...\n",
++		       wanrouter_modname, dev->name);
++#endif
+ 
+-			#ifdef WANDEBUG
+-			printk(KERN_INFO "%s: registering interface %s...\n",
+-				wanrouter_modname, dev->name);
+-			#endif
+-
+-			err = register_netdev(dev);
+-			if (!err) {
+-				struct net_device *slave = NULL;
+-				unsigned long smp_flags=0;
+-
+-				lock_adapter_irq(&wandev->lock, &smp_flags);
+-
+-				if (wandev->dev == NULL) {
+-					wandev->dev = dev;
+-				} else {
+-					for (slave=wandev->dev;
+-					     DEV_TO_SLAVE(slave);
+-					     slave = DEV_TO_SLAVE(slave))
+-						DEV_TO_SLAVE(slave) = dev;
+-				}
+-				++wandev->ndev;
+-
+-				unlock_adapter_irq(&wandev->lock, &smp_flags);
+-				err = 0;	/* done !!! */
+-				goto out;
++		err = register_netdev(dev);
++		if (!err) {
++			struct net_device *slave = NULL;
++			unsigned long smp_flags=0;
++
++			lock_adapter_irq(&wandev->lock, &smp_flags);
++
++			if (wandev->dev == NULL) {
++				wandev->dev = dev;
++			} else {
++				for (slave=wandev->dev;
++				     DEV_TO_SLAVE(slave);
++				     slave = DEV_TO_SLAVE(slave))
++					DEV_TO_SLAVE(slave) = dev;
+ 			}
++			++wandev->ndev;
++
++			unlock_adapter_irq(&wandev->lock, &smp_flags);
++			err = 0;	/* done !!! */
++			goto out;
+ 		}
+ 		if (wandev->del_if)
+ 			wandev->del_if(wandev, dev);
+diff --git a/security/commoncap.c b/security/commoncap.c
+index fe30751..ee9d623 100644
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -27,6 +27,7 @@
+ #include <linux/sched.h>
+ #include <linux/prctl.h>
+ #include <linux/securebits.h>
++#include <linux/personality.h>
+ 
+ /*
+  * If a non-root user executes a setuid-root binary in
+@@ -511,6 +512,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
+ 	}
+ skip:
+ 
++	/* if we have fs caps, clear dangerous personality flags */
++	if (!cap_issubset(new->cap_permitted, old->cap_permitted))
++		bprm->per_clear |= PER_CLEAR_ON_SETID;
++
++
+ 	/* Don't let someone trace a set[ug]id/setpcap binary with the revised
+ 	 * credentials unless they have the appropriate permit
+ 	 */
+diff --git a/sound/drivers/mpu401/mpu401_uart.c b/sound/drivers/mpu401/mpu401_uart.c
+index 2af0999..74f5a3d 100644
+--- a/sound/drivers/mpu401/mpu401_uart.c
++++ b/sound/drivers/mpu401/mpu401_uart.c
+@@ -554,6 +554,7 @@ int snd_mpu401_uart_new(struct snd_card *card, int device,
+ 	spin_lock_init(&mpu->output_lock);
+ 	spin_lock_init(&mpu->timer_lock);
+ 	mpu->hardware = hardware;
++	mpu->irq = -1;
+ 	if (! (info_flags & MPU401_INFO_INTEGRATED)) {
+ 		int res_size = hardware == MPU401_HW_PC98II ? 4 : 2;
+ 		mpu->res = request_region(port, res_size, "MPU401 UART");
+diff --git a/sound/pci/echoaudio/echoaudio_dsp.c b/sound/pci/echoaudio/echoaudio_dsp.c
+index 4df51ef..5d14b7a 100644
+--- a/sound/pci/echoaudio/echoaudio_dsp.c
++++ b/sound/pci/echoaudio/echoaudio_dsp.c
+@@ -474,7 +474,7 @@ static int load_firmware(struct echoaudio *chip)
+ 	const struct firmware *fw;
+ 	int box_type, err;
+ 
+-	if (snd_BUG_ON(!chip->dsp_code_to_load || !chip->comm_page))
++	if (snd_BUG_ON(!chip->comm_page))
+ 		return -EPERM;
+ 
+ 	/* See if the ASIC is present and working - only if the DSP is already loaded */
+diff --git a/sound/pci/hda/hda_proc.c b/sound/pci/hda/hda_proc.c
+index 2b3d859..9294d40 100644
+--- a/sound/pci/hda/hda_proc.c
++++ b/sound/pci/hda/hda_proc.c
+@@ -340,7 +340,7 @@ static void print_digital_conv(struct snd_info_buffer *buffer,
+ 	if (digi1 & AC_DIG1_EMPHASIS)
+ 		snd_iprintf(buffer, " Preemphasis");
+ 	if (digi1 & AC_DIG1_COPYRIGHT)
+-		snd_iprintf(buffer, " Copyright");
++		snd_iprintf(buffer, " Non-Copyright");
+ 	if (digi1 & AC_DIG1_NONAUDIO)
+ 		snd_iprintf(buffer, " Non-Audio");
+ 	if (digi1 & AC_DIG1_PROFESSIONAL)
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 4f3434f..82b6fdc 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -43,6 +43,8 @@
+ #include <linux/swap.h>
+ #include <linux/bitops.h>
+ #include <linux/spinlock.h>
++#include <linux/namei.h>
++#include <linux/fs.h>
+ 
+ #include <asm/processor.h>
+ #include <asm/io.h>
+@@ -575,12 +577,76 @@ out:
+ 	return r;
+ }
+ 
++/*
++ * We want to test whether the caller has been granted permissions to
++ * use this device.  To be able to configure and control the device,
++ * the user needs access to PCI configuration space and BAR resources.
++ * These are accessed through PCI sysfs.  PCI config space is often
++ * passed to the process calling this ioctl via file descriptor, so we
++ * can't rely on access to that file.  We can check for permissions
++ * on each of the BAR resource files, which is a pretty clear
++ * indicator that the user has been granted access to the device.
++ */
++static int probe_sysfs_permissions(struct pci_dev *dev)
++{
++#ifdef CONFIG_SYSFS
++	int i;
++	bool bar_found = false;
++
++	for (i = PCI_STD_RESOURCES; i <= PCI_STD_RESOURCE_END; i++) {
++		char *kpath, *syspath;
++		struct path path;
++		struct inode *inode;
++		int r;
++
++		if (!pci_resource_len(dev, i))
++			continue;
++
++		kpath = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
++		if (!kpath)
++			return -ENOMEM;
++
++		/* Per sysfs-rules, sysfs is always at /sys */
++		syspath = kasprintf(GFP_KERNEL, "/sys%s/resource%d", kpath, i);
++		kfree(kpath);
++		if (!syspath)
++			return -ENOMEM;
++
++		r = kern_path(syspath, LOOKUP_FOLLOW, &path);
++		kfree(syspath);
++		if (r)
++			return r;
++
++		inode = path.dentry->d_inode;
++
++		r = inode_permission(inode, MAY_READ | MAY_WRITE | MAY_ACCESS);
++		path_put(&path);
++		if (r)
++			return r;
++
++		bar_found = true;
++	}
++
++	/* If no resources, probably something special */
++	if (!bar_found)
++		return -EPERM;
++
++	return 0;
++#else
++	return -EINVAL; /* No way to control the device without sysfs */
++#endif
++}
++
+ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ 				      struct kvm_assigned_pci_dev *assigned_dev)
+ {
+ 	int r = 0;
+ 	struct kvm_assigned_dev_kernel *match;
+ 	struct pci_dev *dev;
++	u8 header_type;
++
++	if (!(assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU))
++		return -EINVAL;
+ 
+ 	down_read(&kvm->slots_lock);
+ 	mutex_lock(&kvm->lock);
+@@ -607,6 +673,18 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ 		r = -EINVAL;
+ 		goto out_free;
+ 	}
++
++	/* Don't allow bridges to be assigned */
++	pci_read_config_byte(dev, PCI_HEADER_TYPE, &header_type);
++	if ((header_type & PCI_HEADER_TYPE) != PCI_HEADER_TYPE_NORMAL) {
++		r = -EPERM;
++		goto out_put;
++	}
++
++	r = probe_sysfs_permissions(dev);
++	if (r)
++		goto out_put;
++
+ 	if (pci_enable_device(dev)) {
+ 		printk(KERN_INFO "%s: Could not enable PCI device\n", __func__);
+ 		r = -EBUSY;
+@@ -635,16 +713,14 @@ static int kvm_vm_ioctl_assign_device(struct kvm *kvm,
+ 
+ 	list_add(&match->list, &kvm->arch.assigned_dev_head);
+ 
+-	if (assigned_dev->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU) {
+-		if (!kvm->arch.iommu_domain) {
+-			r = kvm_iommu_map_guest(kvm);
+-			if (r)
+-				goto out_list_del;
+-		}
+-		r = kvm_assign_device(kvm, match);
++	if (!kvm->arch.iommu_domain) {
++		r = kvm_iommu_map_guest(kvm);
+ 		if (r)
+ 			goto out_list_del;
+ 	}
++	r = kvm_assign_device(kvm, match);
++	if (r)
++		goto out_list_del;
+ 
+ out:
+ 	mutex_unlock(&kvm->lock);
+@@ -683,8 +759,7 @@ static int kvm_vm_ioctl_deassign_device(struct kvm *kvm,
+ 		goto out;
+ 	}
+ 
+-	if (match->flags & KVM_DEV_ASSIGN_ENABLE_IOMMU)
+-		kvm_deassign_device(kvm, match);
++	kvm_deassign_device(kvm, match);
+ 
+ 	kvm_free_assigned_device(kvm, match);
+ 
+@@ -1782,6 +1857,10 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id)
+ 		return r;
+ 
+ 	mutex_lock(&kvm->lock);
++	if (!kvm_vcpu_compatible(vcpu)) {
++		r = -EINVAL;
++		goto vcpu_destroy;
++	}
+ 	if (atomic_read(&kvm->online_vcpus) == KVM_MAX_VCPUS) {
+ 		r = -EINVAL;
+ 		goto vcpu_destroy;

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-usbip-printk-format-warning.patch)
@@ -0,0 +1,25 @@
+From: Randy Dunlap <randy.dunlap at oracle.com>
+Date: Thu, 7 Jul 2011 10:49:54 -0700
+Subject: staging: fix usbip printk format warning
+
+commit 6394c5a0379d0733396edd9452e31282e0684a3c upstream.
+
+Fix usbip printk format warning for size_t:
+
+drivers/staging/usbip/stub_tx.c:236: warning: format '%lu' expects type 'long unsigned int', but argument 4 has type 'size_t'
+
+Signed-off-by: Randy Dunlap <randy.dunlap at oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[bwh: Backported to 2.6.32: adjusted context]
+---
+--- a/drivers/staging/usbip/stub_tx.c
++++ b/drivers/staging/usbip/stub_tx.c
+@@ -237,7 +237,7 @@ static int stub_send_ret_submit(struct stub_device *sdev)
+ 
+ 			if (txsize != sizeof(pdu_header) + urb->actual_length) {
+ 				dev_err(&sdev->interface->dev,
+-					"actual length of urb (%d) does not match iso packet sizes (%d)\n",
++					"actual length of urb (%d) does not match iso packet sizes %zu\n",
+ 					urb->actual_length, txsize-sizeof(pdu_header));
+ 				kfree(iov);
+ 				usbip_event_add(&sdev->ud, SDEV_EVENT_ERROR_TCP);

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch)
@@ -0,0 +1,29 @@
+From: Randy Dunlap <randy.dunlap at oracle.com>
+Date: Thu, 25 Feb 2010 09:55:03 -0800
+Subject: Staging: fix wlan-ng printk format warning
+
+commit 83a0f9bc658b20b06740691d9ee711c5d14b6e8a upstream.
+
+Fix prism2fw.c printk format warning:
+
+drivers/staging/wlan-ng/prism2fw.c:209: warning: format '%d' expects type 'int', but argument 3 has type 'size_t'
+
+Signed-off-by: Randy Dunlap <randy.dunlap at oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/staging/wlan-ng/prism2fw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/wlan-ng/prism2fw.c b/drivers/staging/wlan-ng/prism2fw.c
+index baa20a7..b576012 100644
+--- a/drivers/staging/wlan-ng/prism2fw.c
++++ b/drivers/staging/wlan-ng/prism2fw.c
+@@ -205,7 +205,7 @@ int prism2_fwtry(struct usb_device *udev, wlandevice_t *wlandev)
+ 		return 1;
+ 	}
+ 
+-	printk(KERN_INFO "prism2_usb: %s will be processed, size %d\n",
++	printk(KERN_INFO "prism2_usb: %s will be processed, size %zu\n",
+ 	       PRISM2_USB_FWFILE, fw_entry->size);
+ 	prism2_fwapply((const struct ihex_binrec *)fw_entry->data, wlandev);
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch)
@@ -0,0 +1,52 @@
+From: Jeff Mahoney <jeffm at suse.com>
+Date: Mon, 11 Jan 2010 10:54:27 -0500
+Subject: Staging: rtl8192e: Use skb_tail_pointer
+
+commit 1c7ec2e8e0fb6e8acda4f6b9a682cf7f8e650e2f upstream.
+
+rtl8192e uses skb->tail directly. This patch uses the tail pointer macros
+instead.
+
+Signed-off-by: Jeff Mahoney <jeffm at suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/staging/rtl8192e/r8192E_core.c   |    5 ++---
+ drivers/staging/rtl8192e/r819xE_cmdpkt.c |    2 +-
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/rtl8192e/r8192E_core.c b/drivers/staging/rtl8192e/r8192E_core.c
+index 50c7602..886105d 100644
+--- a/drivers/staging/rtl8192e/r8192E_core.c
++++ b/drivers/staging/rtl8192e/r8192E_core.c
+@@ -1807,7 +1807,7 @@ static short rtl8192_alloc_rx_desc_ring(struct net_device *dev)
+             return 0;
+         priv->rx_buf[i] = skb;
+         mapping = (dma_addr_t *)skb->cb;
+-        *mapping = pci_map_single(priv->pdev, skb->tail,//skb_tail_pointer(skb),
++        *mapping = pci_map_single(priv->pdev, skb_tail_pointer(skb),
+                 priv->rxbuffersize, PCI_DMA_FROMDEVICE);
+ 
+         entry->BufferAddress = cpu_to_le32(*mapping);
+@@ -6287,8 +6287,7 @@ static void rtl8192_rx(struct net_device *dev)
+ 
+                 skb = new_skb;
+                 priv->rx_buf[priv->rx_idx] = skb;
+-                *((dma_addr_t *) skb->cb) = pci_map_single(priv->pdev, skb->tail, priv->rxbuffersize, PCI_DMA_FROMDEVICE);
+-//                *((dma_addr_t *) skb->cb) = pci_map_single(priv->pdev, skb_tail_pointer(skb), priv->rxbuffersize, PCI_DMA_FROMDEVICE);
++                *((dma_addr_t *) skb->cb) = pci_map_single(priv->pdev, skb_tail_pointer(skb), priv->rxbuffersize, PCI_DMA_FROMDEVICE);
+             }
+ 
+         }
+diff --git a/drivers/staging/rtl8192e/r819xE_cmdpkt.c b/drivers/staging/rtl8192e/r819xE_cmdpkt.c
+index 2aaa4e1..87c334f 100644
+--- a/drivers/staging/rtl8192e/r819xE_cmdpkt.c
++++ b/drivers/staging/rtl8192e/r819xE_cmdpkt.c
+@@ -135,7 +135,7 @@ RT_STATUS cmpk_message_handle_tx(
+              * Transform from little endian to big endian
+              * and pending  zero
+              */
+-            seg_ptr = skb->tail;
++            seg_ptr = skb_tail_pointer(skb);
+             for(i=0 ; i < frag_length; i+=4) {
+                 *seg_ptr++ = ((i+0)<frag_length)?code_virtual_address[i+3]:0;
+                 *seg_ptr++ = ((i+1)<frag_length)?code_virtual_address[i+2]:0;

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-speakup-fix-printk-format-warning.patch)
@@ -0,0 +1,30 @@
+From: Randy Dunlap <randy.dunlap at oracle.com>
+Date: Wed, 13 Oct 2010 13:10:49 -0700
+Subject: staging: speakup: fix printk format warning
+
+commit 0a652b96287ef61c97a2acab2bcc3d0f319b50e4 upstream.
+
+Fix printk format warning:
+
+drivers/staging/speakup/serialio.c:44: warning: format '%x' expects type 'unsigned int', but argument 2 has type 'long unsigned int'
+
+Signed-off-by: Randy Dunlap <randy.dunlap at oracle.com>
+Cc: <speakup at braille.uwo.ca>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/staging/speakup/serialio.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/speakup/serialio.c b/drivers/staging/speakup/serialio.c
+index bafd62f..65772ec 100644
+--- a/drivers/staging/speakup/serialio.c
++++ b/drivers/staging/speakup/serialio.c
+@@ -41,7 +41,7 @@ struct serial_state *spk_serial_init(int index)
+ 		__release_region(&ioport_resource, ser->port, 8);
+ 		err = synth_request_region(ser->port, 8);
+ 		if (err) {
+-			pr_warn("Unable to allocate port at %x, errno %i", ser->port, err);
++			pr_warn("Unable to allocate port at %lx, errno %i", ser->port, err);
+ 			return NULL;
+ 		}
+ 	}

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/all/staging-usbip-changed-function-return-type-to-void.patch)
@@ -0,0 +1,76 @@
+From: Bart Westgeest <bart at elbrys.com>
+Date: Mon, 23 Jan 2012 10:55:46 -0500
+Subject: staging: usbip: changed function return type to void
+
+commit ac2b41acfa3efe4650102067a99251587a806d70 upstream.
+
+The function usbip_pad_iso never returns anything but 0 (success).
+
+Signed-off-by: Bart Westgeest <bart at elbrys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+[bwh: Backported to 2.6.32: adjust context]
+---
+--- a/drivers/staging/usbip/usbip_common.c
++++ b/drivers/staging/usbip/usbip_common.c
+@@ -961,26 +961,25 @@ EXPORT_SYMBOL_GPL(usbip_recv_iso);
+  * buffer and iso packets need to be stored and be in propeper endian in urb
+  * before calling this function
+  */
+-int usbip_pad_iso(struct usbip_device *ud, struct urb *urb)
++void usbip_pad_iso(struct usbip_device *ud, struct urb *urb)
+ {
+ 	int np = urb->number_of_packets;
+ 	int i;
+-	int ret;
+ 	int actualoffset = urb->actual_length;
+ 
+ 	if (!usb_pipeisoc(urb->pipe))
+-		return 0;
++		return;
+ 
+ 	/* if no packets or length of data is 0, then nothing to unpack */
+ 	if (np == 0 || urb->actual_length == 0)
+-		return 0;
++		return;
+ 
+ 	/*
+ 	 * if actual_length is transfer_buffer_length then no padding is
+ 	 * present.
+ 	*/
+ 	if (urb->actual_length == urb->transfer_buffer_length)
+-		return 0;
++		return;
+ 
+ 	/*
+ 	 * loop over all packets from last to first (to prevent overwritting
+@@ -992,7 +991,6 @@ int usbip_pad_iso(struct usbip_device *ud, struct urb *urb)
+ 				  urb->transfer_buffer + actualoffset,
+ 				  urb->iso_frame_desc[i].actual_length);
+ 	}
+-	return ret;
+ }
+ EXPORT_SYMBOL_GPL(usbip_pad_iso);
+ 
+--- a/drivers/staging/usbip/usbip_common.h
++++ b/drivers/staging/usbip/usbip_common.h
+@@ -394,7 +394,7 @@ void usbip_header_correct_endian(struct usbip_header *pdu, int send);
+ /* some members of urb must be substituted before. */
+ int usbip_recv_iso(struct usbip_device *ud, struct urb *urb);
+ /* some members of urb must be substituted before. */
+-int usbip_pad_iso(struct usbip_device *ud, struct urb *urb);
++void usbip_pad_iso(struct usbip_device *ud, struct urb *urb);
+ void *usbip_alloc_iso_desc_pdu(struct urb *urb, ssize_t *bufflen);
+ 
+ 
+--- a/drivers/staging/usbip/vhci_rx.c
++++ b/drivers/staging/usbip/vhci_rx.c
+@@ -99,8 +99,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
+ 		return;
+ 
+ 	/* restore the padding in iso packets */
+-	if (usbip_pad_iso(ud, urb) < 0)
+-		return;
++	usbip_pad_iso(ud, urb);
+ 
+ 	if (usbip_dbg_flag_vhci_rx)
+ 		usbip_dump_urb(urb);

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch)
@@ -0,0 +1,40 @@
+From 9f10d301a441cfe32aeb55cf3181cbd70fa33564 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 12 Jan 2013 21:04:48 +0000
+Subject: [PATCH] Revert "pcdp: use early_ioremap/early_iounmap to access pcdp
+ table"
+
+This reverts commit 2af3af56e7d4756b21a2e0d86e4fc4e5b7f0df24, which was
+commit 6c4088ac3a4d82779903433bcd5f048c58fb1aca upstream.
+
+This was purported to be a fix for x86_64 systems, but this driver
+cannot even be selected on x86_64, even in current mainline!
+Additionally, the early_io{remap,unmap}() functions were not defined
+for ia64 until Linux 2.6.33.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/firmware/pcdp.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/pcdp.c b/drivers/firmware/pcdp.c
+index a330492..51e0e2d 100644
+--- a/drivers/firmware/pcdp.c
++++ b/drivers/firmware/pcdp.c
+@@ -95,7 +95,7 @@ efi_setup_pcdp_console(char *cmdline)
+ 	if (efi.hcdp == EFI_INVALID_TABLE_ADDR)
+ 		return -ENODEV;
+ 
+-	pcdp = early_ioremap(efi.hcdp, 4096);
++	pcdp = ioremap(efi.hcdp, 4096);
+ 	printk(KERN_INFO "PCDP: v%d at 0x%lx\n", pcdp->rev, efi.hcdp);
+ 
+ 	if (strstr(cmdline, "console=hcdp")) {
+@@ -131,6 +131,6 @@ efi_setup_pcdp_console(char *cmdline)
+ 	}
+ 
+ out:
+-	early_iounmap(pcdp, 4096);
++	iounmap(pcdp);
+ 	return rc;
+ }

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch)
@@ -0,0 +1,46 @@
+From: Adam Jackson <ajax at redhat.com>
+Date: Fri, 16 Apr 2010 18:20:57 -0400
+Subject: drm/i915: Attempt to fix watermark setup on 85x (v2)
+
+commit 8f4695ed1c9e068772bcce4cd4ff03f88d57a008 upstream.
+
+IS_MOBILE() catches 85x, so we'd always try to use the 9xx FIFO sizing;
+since there's an explicit 85x version, this seems wrong.
+
+v2: Handle 830m correctly too.
+
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Reviewed-by: Eric Anholt <eric at anholt.net>
+Signed-off-by: Eric Anholt <eric at anholt.net>
+---
+ drivers/gpu/drm/i915/intel_display.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
+index e7356fb..c7502b6 100644
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -4853,17 +4853,18 @@ static void intel_init_display(struct drm_device *dev)
+ 		dev_priv->display.update_wm = g4x_update_wm;
+ 	else if (IS_I965G(dev))
+ 		dev_priv->display.update_wm = i965_update_wm;
+-	else if (IS_I9XX(dev) || IS_MOBILE(dev)) {
++	else if (IS_I9XX(dev)) {
+ 		dev_priv->display.update_wm = i9xx_update_wm;
+ 		dev_priv->display.get_fifo_size = i9xx_get_fifo_size;
++	} else if (IS_I85X(dev)) {
++		dev_priv->display.update_wm = i9xx_update_wm;
++		dev_priv->display.get_fifo_size = i85x_get_fifo_size;
+ 	} else {
+-		if (IS_I85X(dev))
+-			dev_priv->display.get_fifo_size = i85x_get_fifo_size;
+-		else if (IS_845G(dev))
++		dev_priv->display.update_wm = i830_update_wm;
++		if (IS_845G(dev))
+ 			dev_priv->display.get_fifo_size = i845_get_fifo_size;
+ 		else
+ 			dev_priv->display.get_fifo_size = i830_get_fifo_size;
+-		dev_priv->display.update_wm = i830_update_wm;
+ 	}
+ }
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch)
@@ -0,0 +1,38 @@
+From: Matthew Garrett <mjg at redhat.com>
+Date: Wed, 6 Jul 2011 16:52:37 -0400
+Subject: x86: Don't use the EFI reboot method by default
+
+commit f70e957cda22d309c769805cbb932407a5232219 upstream.
+
+Testing suggests that at least some Lenovos and some Intels will
+fail to reboot via EFI, attempting to jump to an unmapped
+physical address. In the long run we could handle this by
+providing a page table with a 1:1 mapping of physical addresses,
+but for now it's probably just easier to assume that ACPI or
+legacy methods will be present and reboot via those.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: Alan Cox <alan at linux.intel.com>
+Link: http://lkml.kernel.org/r/1309985557-15350-1-git-send-email-mjg@redhat.com
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+[bwh: Backported to 2.6.32: adjust filename]
+---
+ arch/x86/kernel/efi.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
+index 474356b..899e393 100644
+--- a/arch/x86/kernel/efi.c
++++ b/arch/x86/kernel/efi.c
+@@ -504,9 +504,6 @@ void __init efi_init(void)
+ 	x86_platform.set_wallclock = efi_set_rtc_mmss;
+ #endif
+ 
+-	/* Setup for EFI runtime service */
+-	reboot_type = BOOT_EFI;
+-
+ #if EFI_DEBUG
+ 	print_efi_memmap();
+ #endif

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch)
@@ -0,0 +1,59 @@
+From: Andrew Cooper <andrew.cooper3 at citrix.com>
+Date: Wed, 16 Jan 2013 12:00:55 +0000
+Subject: xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS
+ guests.
+
+commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream.
+
+This fixes CVE-2013-0190 / XSA-40
+
+There has been an error on the xen_failsafe_callback path for failed
+iret, which causes the stack pointer to be wrong when entering the
+iret_exc error path.  This can result in the kernel crashing.
+
+In the classic kernel case, the relevant code looked a little like:
+
+        popl %eax      # Error code from hypervisor
+        jz 5f
+        addl $16,%esp
+        jmp iret_exc   # Hypervisor said iret fault
+5:      addl $16,%esp
+                       # Hypervisor said segment selector fault
+
+Here, there are two identical addls on either option of a branch which
+appears to have been optimised by hoisting it above the jz, and
+converting it to an lea, which leaves the flags register unaffected.
+
+In the PVOPS case, the code looks like:
+
+        popl_cfi %eax         # Error from the hypervisor
+        lea 16(%esp),%esp     # Add $16 before choosing fault path
+        CFI_ADJUST_CFA_OFFSET -16
+        jz 5f
+        addl $16,%esp         # Incorrectly adjust %esp again
+        jmp iret_exc
+
+It is possible unprivileged userspace applications to cause this
+behaviour, for example by loading an LDT code selector, then changing
+the code selector to be not-present.  At this point, there is a race
+condition where it is possible for the hypervisor to return back to
+userspace from an interrupt, fault on its own iret, and inject a
+failsafe_callback into the kernel.
+
+This bug has been present since the introduction of Xen PVOPS support
+in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.
+
+Signed-off-by: Frediano Ziglio <frediano.ziglio at citrix.com>
+Signed-off-by: Andrew Cooper <andrew.cooper3 at citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+---
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1059,7 +1059,6 @@ ENTRY(xen_failsafe_callback)
+ 	lea 16(%esp),%esp
+ 	CFI_ADJUST_CFA_OFFSET -16
+ 	jz 5f
+-	addl $16,%esp
+ 	jmp iret_exc
+ 5:	pushl $-1 /* orig_ax = -1 => not a system call */
+ 	CFI_ADJUST_CFA_OFFSET 4

Copied: dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch)
@@ -0,0 +1,90 @@
+From: David Vrabel <david.vrabel at citrix.com>
+Date: Fri, 19 Oct 2012 17:29:07 +0100
+Subject: xen/x86: don't corrupt %eip when returning from a signal handler
+
+commit a349e23d1cf746f8bdc603dcc61fae9ee4a695f6 upstream.
+
+In 32 bit guests, if a userspace process has %eax == -ERESTARTSYS
+(-512) or -ERESTARTNOINTR (-513) when it is interrupted by an event
+/and/ the process has a pending signal then %eip (and %eax) are
+corrupted when returning to the main process after handling the
+signal.  The application may then crash with SIGSEGV or a SIGILL or it
+may have subtly incorrect behaviour (depending on what instruction it
+returned to).
+
+The occurs because handle_signal() is incorrectly thinking that there
+is a system call that needs to restarted so it adjusts %eip and %eax
+to re-execute the system call instruction (even though user space had
+not done a system call).
+
+If %eax == -514 (-ERESTARTNOHAND (-514) or -ERESTART_RESTARTBLOCK
+(-516) then handle_signal() only corrupted %eax (by setting it to
+-EINTR).  This may cause the application to crash or have incorrect
+behaviour.
+
+handle_signal() assumes that regs->orig_ax >= 0 means a system call so
+any kernel entry point that is not for a system call must push a
+negative value for orig_ax.  For example, for physical interrupts on
+bare metal the inverse of the vector is pushed and page_fault() sets
+regs->orig_ax to -1, overwriting the hardware provided error code.
+
+xen_hypervisor_callback() was incorrectly pushing 0 for orig_ax
+instead of -1.
+
+Classic Xen kernels pushed %eax which works as %eax cannot be both
+non-negative and -RESTARTSYS (etc.), but using -1 is consistent with
+other non-system call entry points and avoids some of the tests in
+handle_signal().
+
+There were similar bugs in xen_failsafe_callback() of both 32 and
+64-bit guests. If the fault was corrected and the normal return path
+was used then 0 was incorrectly pushed as the value for orig_ax.
+
+Signed-off-by: David Vrabel <david.vrabel at citrix.com>
+Acked-by: Jan Beulich <JBeulich at suse.com>
+Acked-by: Ian Campbell <ian.campbell at citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+[bwh: Backported to 2.6.32: adjust context; no pushl_cfi]
+---
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -1007,7 +1007,7 @@ ENTRY(xen_sysenter_target)
+ 
+ ENTRY(xen_hypervisor_callback)
+ 	CFI_STARTPROC
+-	pushl $0
++	pushl $-1 /* orig_ax = -1 => not a system call */
+ 	CFI_ADJUST_CFA_OFFSET 4
+ 	SAVE_ALL
+ 	TRACE_IRQS_OFF
+@@ -1051,15 +1051,17 @@ ENTRY(xen_failsafe_callback)
+ 2:	mov 8(%esp),%es
+ 3:	mov 12(%esp),%fs
+ 4:	mov 16(%esp),%gs
++	/* EAX == 0 => Category 1 (Bad segment)
++	   EAX != 0 => Category 2 (Bad IRET) */
+ 	testl %eax,%eax
+ 	popl %eax
+ 	CFI_ADJUST_CFA_OFFSET -4
+ 	lea 16(%esp),%esp
+ 	CFI_ADJUST_CFA_OFFSET -16
+ 	jz 5f
+ 	addl $16,%esp
+-	jmp iret_exc		# EAX != 0 => Category 2 (Bad IRET)
+-5:	pushl $0		# EAX == 0 => Category 1 (Bad segment)
++	jmp iret_exc
++5:	pushl $-1 /* orig_ax = -1 => not a system call */
+ 	CFI_ADJUST_CFA_OFFSET 4
+ 	SAVE_ALL
+ 	jmp ret_from_exception
+--- a/arch/x86/kernel/entry_64.S
++++ b/arch/x86/kernel/entry_64.S
+@@ -1358,7 +1358,7 @@ ENTRY(xen_failsafe_callback)
+ 	CFI_RESTORE r11
+ 	addq $0x30,%rsp
+ 	CFI_ADJUST_CFA_OFFSET -0x30
+-	pushq_cfi $0
++	pushq_cfi $-1 /* orig_ax = -1 => not a system call */
+ 	SAVE_ALL
+ 	jmp error_exit
+ 	CFI_ENDPROC

Copied: dists/squeeze-security/linux-2.6/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/epoll-Avoid-ABI-change-in-file.patch)
@@ -0,0 +1,31 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: epoll: Avoid ABI change in struct file
+Date: Sun, 23 Dec 2012 19:05:04 +0000
+
+commit 28d82dc1c4ed ('epoll: limit paths') added the member
+f_tfile_llink to the middle of struct file and was backported in Linux
+2.6.32.60.  This structure is always allocated in filp_open(), with a
+few exceptions that are not exposed to userland (so not used with
+epoll), so we can add this member at the end.  Move it there and hide
+it from genksyms.
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -940,12 +940,16 @@ struct file {
+ #ifdef CONFIG_EPOLL
+ 	/* Used by fs/eventpoll.c to link all the hooks to this file */
+ 	struct list_head	f_ep_links;
+-	struct list_head	f_tfile_llink;
+ #endif /* #ifdef CONFIG_EPOLL */
+ 	struct address_space	*f_mapping;
+ #ifdef CONFIG_DEBUG_WRITECOUNT
+ 	unsigned long f_mnt_write_state;
+ #endif
++#ifndef __GENKSYMS__
++#ifdef CONFIG_EPOLL
++	struct list_head	f_tfile_llink;
++#endif
++#endif
+ };
+ extern spinlock_t files_lock;
+ #define file_list_lock() spin_lock(&files_lock);

Copied: dists/squeeze-security/linux-2.6/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/debian/random-Avoid-ABI-change-in-irq_desc.patch)
@@ -0,0 +1,18 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Subject: random: Avoid ABI change in irq_desc
+Date: Sun, 23 Dec 2012 18:51:34 +0000
+
+commit c5857ccf2939 ('random: remove rand_initialize_irq()') removed
+irq_desc::timer_rand_state and was backported in Linux 2.6.32.60.
+We need to put it back to maintain the structure layout.
+
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -174,6 +174,7 @@ struct irq_2_iommu;
+  */
+ struct irq_desc {
+ 	unsigned int		irq;
++	struct timer_rand_state	*timer_rand_state; /* now unused */
+ 	unsigned int            *kstat_irqs;
+ #ifdef CONFIG_INTR_REMAP
+ 	struct irq_2_iommu      *irq_2_iommu;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch)
@@ -0,0 +1,90 @@
+From f9fe8698b191d79e9a4e78013f52453c8f6a317d Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:47:48 -0600
+Subject: [PATCH 080/136] hpsa: defend against zero sized buffers in passthru
+ ioctls
+
+commit b03a7771c81a0d5f026250c8cd4091d9ee767fdc upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   36 ++++++++++++++++--------------------
+ 1 file changed, 16 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 3c7c9a7..eb7ace9 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2405,15 +2405,17 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ 		buff = kmalloc(iocommand.buf_size, GFP_KERNEL);
+ 		if (buff == NULL)
+ 			return -EFAULT;
+-	}
+-	if (iocommand.Request.Type.Direction == XFER_WRITE) {
+-		/* Copy the data into the buffer we created */
+-		if (copy_from_user(buff, iocommand.buf, iocommand.buf_size)) {
+-			kfree(buff);
+-			return -EFAULT;
++		if (iocommand.Request.Type.Direction == XFER_WRITE) {
++			/* Copy the data into the buffer we created */
++			if (copy_from_user(buff, iocommand.buf,
++				iocommand.buf_size)) {
++				kfree(buff);
++				return -EFAULT;
++			}
++		} else {
++			memset(buff, 0, iocommand.buf_size);
+ 		}
+-	} else
+-		memset(buff, 0, iocommand.buf_size);
++	}
+ 	c = cmd_special_alloc(h);
+ 	if (c == NULL) {
+ 		kfree(buff);
+@@ -2459,8 +2461,8 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ 		cmd_special_free(h, c);
+ 		return -EFAULT;
+ 	}
+-
+-	if (iocommand.Request.Type.Direction == XFER_READ) {
++	if (iocommand.Request.Type.Direction == XFER_READ &&
++		iocommand.buf_size > 0) {
+ 		/* Copy the data out of the buffer we created */
+ 		if (copy_to_user(iocommand.buf, buff, iocommand.buf_size)) {
+ 			kfree(buff);
+@@ -2553,14 +2555,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ 	}
+ 	c->cmd_type = CMD_IOCTL_PEND;
+ 	c->Header.ReplyQueue = 0;
+-
+-	if (ioc->buf_size > 0) {
+-		c->Header.SGList = sg_used;
+-		c->Header.SGTotal = sg_used;
+-	} else {
+-		c->Header.SGList = 0;
+-		c->Header.SGTotal = 0;
+-	}
++	c->Header.SGList = c->Header.SGTotal = sg_used;
+ 	memcpy(&c->Header.LUN, &ioc->LUN_info, sizeof(c->Header.LUN));
+ 	c->Header.Tag.lower = c->busaddr;
+ 	memcpy(&c->Request, &ioc->Request, sizeof(c->Request));
+@@ -2577,7 +2572,8 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ 		}
+ 	}
+ 	hpsa_scsi_do_simple_cmd_core(h, c);
+-	hpsa_pci_unmap(h->pdev, c, sg_used, PCI_DMA_BIDIRECTIONAL);
++	if (sg_used)
++		hpsa_pci_unmap(h->pdev, c, sg_used, PCI_DMA_BIDIRECTIONAL);
+ 	check_ioctl_unit_attention(h, c);
+ 	/* Copy the error information out */
+ 	memcpy(&ioc->error_info, c->err_info, sizeof(ioc->error_info));
+@@ -2586,7 +2582,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ 		status = -EFAULT;
+ 		goto cleanup1;
+ 	}
+-	if (ioc->Request.Type.Direction == XFER_READ) {
++	if (ioc->Request.Type.Direction == XFER_READ && ioc->buf_size > 0) {
+ 		/* Copy the data out of the buffer we created */
+ 		BYTE __user *ptr = ioc->buf;
+ 		for (i = 0; i < sg_used; i++) {

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch)
@@ -0,0 +1,49 @@
+From 5c17c7e0af831bdb5d5b2e27909f697d3bd898b6 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <StephenM.Cameron>
+Date: Thu, 6 Jan 2011 14:47:53 -0600
+Subject: [PATCH 081/136] hpsa: fixup DMA address before freeing.
+
+commit d896f3f3d129f1e2fbb4e3824242bc0dc2fb1a07 upstream.
+
+Some low bits might have been set by the driver, causing
+a message like this to come out:
+
+ [   13.288062] ------------[ cut here ]------------
+ [   13.293211] WARNING: at lib/dma-debug.c:803 check_unmap+0x1a1/0x654()
+ [   13.300387] Hardware name: ProLiant DL180 G6
+ [   13.305335] hpsa 0000:06:00.0: DMA-API: device driver tries to free
+ DMA memory it has not allocated [device address=0x000000007f81e001]
+ [size=640 bytes]
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c     |    2 +-
+ drivers/scsi/hpsa_cmd.h |    1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index eb7ace9..f6f53e5 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2239,7 +2239,7 @@ static void cmd_special_free(struct ctlr_info *h, struct CommandList *c)
+ 	pci_free_consistent(h->pdev, sizeof(*c->err_info),
+ 			    c->err_info, (dma_addr_t) temp64.val);
+ 	pci_free_consistent(h->pdev, sizeof(*c),
+-			    c, (dma_addr_t) c->busaddr);
++			    c, (dma_addr_t) (c->busaddr & DIRECT_LOOKUP_MASK));
+ }
+ 
+ #ifdef CONFIG_COMPAT
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index f5c4c3c..7910c14 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -265,6 +265,7 @@ struct ErrorInfo {
+ 
+ #define DIRECT_LOOKUP_SHIFT 5
+ #define DIRECT_LOOKUP_BIT 0x10
++#define DIRECT_LOOKUP_MASK (~((1 << DIRECT_LOOKUP_SHIFT) - 1))
+ 
+ #define HPSA_ERROR_BIT          0x02
+ struct ctlr_info; /* defined in hpsa.h */

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch)
@@ -0,0 +1,34 @@
+From 1d59adeeba7f7e2b0228888e19d2d2dea5e6637e Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <StephenM.Cameron>
+Date: Thu, 6 Jan 2011 14:47:58 -0600
+Subject: [PATCH 082/136] hpsa: Remove duplicate defines of DIRECT_LOOKUP_
+ constants
+
+commit 922a9e4da34270d81e216728f929c6e11e169794 upstream.
+
+They are defined in hpsa_cmd.h
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index f6f53e5..61fc7e8 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2835,13 +2835,11 @@ static inline void finish_cmd(struct CommandList *c, u32 raw_tag)
+ 
+ static inline u32 hpsa_tag_contains_index(u32 tag)
+ {
+-#define DIRECT_LOOKUP_BIT 0x10
+ 	return tag & DIRECT_LOOKUP_BIT;
+ }
+ 
+ static inline u32 hpsa_tag_to_index(u32 tag)
+ {
+-#define DIRECT_LOOKUP_SHIFT 5
+ 	return tag >> DIRECT_LOOKUP_SHIFT;
+ }
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch)
@@ -0,0 +1,123 @@
+From 2f25d644826dd5b85ec8634328b58b3107ca8399 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:03 -0600
+Subject: [PATCH 083/136] hpsa: fix board status waiting code
+
+commit fe5389c87f13c16cd77d976801c93422d0c05a49 upstream.
+
+After a reset, we should first wait for the board to become "not ready",
+and then wait for it to become "ready", instead of immediately
+waiting for it to become "ready", and do this waiting *after*
+restoring PCI config space registers.  Also, only wait 10 secs
+for board to become "not ready" after a reset (it should quickly
+become not ready.)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   44 ++++++++++++++++++++++++++++++++++++--------
+ drivers/scsi/hpsa.h |    4 ++++
+ 2 files changed, 40 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 61fc7e8..053ecce 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -165,6 +165,10 @@ static int __devinit hpsa_find_cfg_addrs(struct pci_dev *pdev,
+ static int __devinit hpsa_pci_find_memory_BAR(struct pci_dev *pdev,
+ 	unsigned long *memory_bar);
+ static int __devinit hpsa_lookup_board_id(struct pci_dev *pdev, u32 *board_id);
++static int __devinit hpsa_wait_for_board_state(struct pci_dev *pdev,
++	void __iomem *vaddr, int wait_for_ready);
++#define BOARD_NOT_READY 0
++#define BOARD_READY 1
+ 
+ static DEVICE_ATTR(raid_level, S_IRUGO, raid_level_show, NULL);
+ static DEVICE_ATTR(lunid, S_IRUGO, lunid_show, NULL);
+@@ -3209,6 +3213,20 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	   need a little pause here */
+ 	msleep(HPSA_POST_RESET_PAUSE_MSECS);
+ 
++	/* Wait for board to become not ready, then ready. */
++	dev_info(&pdev->dev, "Waiting for board to become ready.\n");
++	rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_NOT_READY);
++	if (rc)
++		dev_warn(&pdev->dev,
++			"failed waiting for board to become not ready\n");
++	rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_READY);
++	if (rc) {
++		dev_warn(&pdev->dev,
++			"failed waiting for board to become ready\n");
++		goto unmap_cfgtable;
++	}
++	dev_info(&pdev->dev, "board ready.\n");
++
+ 	/* Controller should be in simple mode at this point.  If it's not,
+ 	 * It means we're on one of those controllers which doesn't support
+ 	 * the doorbell reset method and on which the PCI power management reset
+@@ -3404,18 +3422,28 @@ static int __devinit hpsa_pci_find_memory_BAR(struct pci_dev *pdev,
+ 	return -ENODEV;
+ }
+ 
+-static int __devinit hpsa_wait_for_board_ready(struct ctlr_info *h)
++static int __devinit hpsa_wait_for_board_state(struct pci_dev *pdev,
++	void __iomem *vaddr, int wait_for_ready)
+ {
+-	int i;
++	int i, iterations;
+ 	u32 scratchpad;
++	if (wait_for_ready)
++		iterations = HPSA_BOARD_READY_ITERATIONS;
++	else
++		iterations = HPSA_BOARD_NOT_READY_ITERATIONS;
+ 
+-	for (i = 0; i < HPSA_BOARD_READY_ITERATIONS; i++) {
+-		scratchpad = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
+-		if (scratchpad == HPSA_FIRMWARE_READY)
+-			return 0;
++	for (i = 0; i < iterations; i++) {
++		scratchpad = readl(vaddr + SA5_SCRATCHPAD_OFFSET);
++		if (wait_for_ready) {
++			if (scratchpad == HPSA_FIRMWARE_READY)
++				return 0;
++		} else {
++			if (scratchpad != HPSA_FIRMWARE_READY)
++				return 0;
++		}
+ 		msleep(HPSA_BOARD_READY_POLL_INTERVAL_MSECS);
+ 	}
+-	dev_warn(&h->pdev->dev, "board not ready, timed out.\n");
++	dev_warn(&pdev->dev, "board not ready, timed out.\n");
+ 	return -ENODEV;
+ }
+ 
+@@ -3607,7 +3635,7 @@ static int __devinit hpsa_pci_init(struct ctlr_info *h)
+ 		err = -ENOMEM;
+ 		goto err_out_free_res;
+ 	}
+-	err = hpsa_wait_for_board_ready(h);
++	err = hpsa_wait_for_board_state(h->pdev, h->vaddr, BOARD_READY);
+ 	if (err)
+ 		goto err_out_free_res;
+ 	err = hpsa_find_cfgtables(h);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 19586e1..074d237 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -154,12 +154,16 @@ struct ctlr_info {
+  * HPSA_BOARD_READY_ITERATIONS are derived from those.
+  */
+ #define HPSA_BOARD_READY_WAIT_SECS (120)
++#define HPSA_BOARD_NOT_READY_WAIT_SECS (10)
+ #define HPSA_BOARD_READY_POLL_INTERVAL_MSECS (100)
+ #define HPSA_BOARD_READY_POLL_INTERVAL \
+ 	((HPSA_BOARD_READY_POLL_INTERVAL_MSECS * HZ) / 1000)
+ #define HPSA_BOARD_READY_ITERATIONS \
+ 	((HPSA_BOARD_READY_WAIT_SECS * 1000) / \
+ 		HPSA_BOARD_READY_POLL_INTERVAL_MSECS)
++#define HPSA_BOARD_NOT_READY_ITERATIONS \
++	((HPSA_BOARD_NOT_READY_WAIT_SECS * 1000) / \
++		HPSA_BOARD_READY_POLL_INTERVAL_MSECS)
+ #define HPSA_POST_RESET_PAUSE_MSECS (3000)
+ #define HPSA_POST_RESET_NOOP_RETRIES (12)
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch)
@@ -0,0 +1,159 @@
+From c9b2fbc21a082f18582b75e4791ae1391c37d308 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:08 -0600
+Subject: [PATCH 084/136] hpsa: Use kernel provided PCI state save and restore
+ functions
+
+commit 270d05de2b8d82df4ed19955f6c0c7400f6ffbf5 upstream.
+
+and use the doorbell reset method if available (which doesn't
+lock up the controller if you properly save and restore all
+the PCI registers that you're supposed to.)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   81 ++++++++++-----------------------------------------
+ 1 file changed, 15 insertions(+), 66 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 053ecce..c5dae04 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3025,38 +3025,6 @@ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+ #define hpsa_soft_reset_controller(p) hpsa_message(p, 1, 0)
+ #define hpsa_noop(p) hpsa_message(p, 3, 0)
+ 
+-static __devinit int hpsa_reset_msi(struct pci_dev *pdev)
+-{
+-/* the #defines are stolen from drivers/pci/msi.h. */
+-#define msi_control_reg(base)		(base + PCI_MSI_FLAGS)
+-#define PCI_MSIX_FLAGS_ENABLE		(1 << 15)
+-
+-	int pos;
+-	u16 control = 0;
+-
+-	pos = pci_find_capability(pdev, PCI_CAP_ID_MSI);
+-	if (pos) {
+-		pci_read_config_word(pdev, msi_control_reg(pos), &control);
+-		if (control & PCI_MSI_FLAGS_ENABLE) {
+-			dev_info(&pdev->dev, "resetting MSI\n");
+-			pci_write_config_word(pdev, msi_control_reg(pos),
+-					control & ~PCI_MSI_FLAGS_ENABLE);
+-		}
+-	}
+-
+-	pos = pci_find_capability(pdev, PCI_CAP_ID_MSIX);
+-	if (pos) {
+-		pci_read_config_word(pdev, msi_control_reg(pos), &control);
+-		if (control & PCI_MSIX_FLAGS_ENABLE) {
+-			dev_info(&pdev->dev, "resetting MSI-X\n");
+-			pci_write_config_word(pdev, msi_control_reg(pos),
+-					control & ~PCI_MSIX_FLAGS_ENABLE);
+-		}
+-	}
+-
+-	return 0;
+-}
+-
+ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ 	void * __iomem vaddr, bool use_doorbell)
+ {
+@@ -3112,17 +3080,17 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+  */
+ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ {
+-	u16 saved_config_space[32];
+ 	u64 cfg_offset;
+ 	u32 cfg_base_addr;
+ 	u64 cfg_base_addr_index;
+ 	void __iomem *vaddr;
+ 	unsigned long paddr;
+ 	u32 misc_fw_support, active_transport;
+-	int rc, i;
++	int rc;
+ 	struct CfgTable __iomem *cfgtable;
+ 	bool use_doorbell;
+ 	u32 board_id;
++	u16 command_register;
+ 
+ 	/* For controllers as old as the P600, this is very nearly
+ 	 * the same thing as
+@@ -3132,14 +3100,6 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	 * pci_set_power_state(pci_dev, PCI_D0);
+ 	 * pci_restore_state(pci_dev);
+ 	 *
+-	 * but we can't use these nice canned kernel routines on
+-	 * kexec, because they also check the MSI/MSI-X state in PCI
+-	 * configuration space and do the wrong thing when it is
+-	 * set/cleared.  Also, the pci_save/restore_state functions
+-	 * violate the ordering requirements for restoring the
+-	 * configuration space from the CCISS document (see the
+-	 * comment below).  So we roll our own ....
+-	 *
+ 	 * For controllers newer than the P600, the pci power state
+ 	 * method of resetting doesn't work so we have another way
+ 	 * using the doorbell register.
+@@ -3156,9 +3116,13 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	if (board_id == 0x409C0E11 || board_id == 0x409D0E11)
+ 		return -ENOTSUPP;
+ 
+-	for (i = 0; i < 32; i++)
+-		pci_read_config_word(pdev, 2*i, &saved_config_space[i]);
+-
++	/* Save the PCI command register */
++	pci_read_config_word(pdev, 4, &command_register);
++	/* Turn the board off.  This is so that later pci_restore_state()
++	 * won't turn the board on before the rest of config space is ready.
++	 */
++	pci_disable_device(pdev);
++	pci_save_state(pdev);
+ 
+ 	/* find the first memory BAR, so we can find the cfg table */
+ 	rc = hpsa_pci_find_memory_BAR(pdev, &paddr);
+@@ -3184,30 +3148,17 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	misc_fw_support = readl(&cfgtable->misc_fw_support);
+ 	use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET;
+ 
+-	/* The doorbell reset seems to cause lockups on some Smart
+-	 * Arrays (e.g. P410, P410i, maybe others).  Until this is
+-	 * fixed or at least isolated, avoid the doorbell reset.
+-	 */
+-	use_doorbell = 0;
+-
+ 	rc = hpsa_controller_hard_reset(pdev, vaddr, use_doorbell);
+ 	if (rc)
+ 		goto unmap_cfgtable;
+ 
+-	/* Restore the PCI configuration space.  The Open CISS
+-	 * Specification says, "Restore the PCI Configuration
+-	 * Registers, offsets 00h through 60h. It is important to
+-	 * restore the command register, 16-bits at offset 04h,
+-	 * last. Do not restore the configuration status register,
+-	 * 16-bits at offset 06h."  Note that the offset is 2*i.
+-	 */
+-	for (i = 0; i < 32; i++) {
+-		if (i == 2 || i == 3)
+-			continue;
+-		pci_write_config_word(pdev, 2*i, saved_config_space[i]);
++	pci_restore_state(pdev);
++	rc = pci_enable_device(pdev);
++	if (rc) {
++		dev_warn(&pdev->dev, "failed to enable device.\n");
++		goto unmap_cfgtable;
+ 	}
+-	wmb();
+-	pci_write_config_word(pdev, 4, saved_config_space[2]);
++	pci_write_config_word(pdev, 4, command_register);
+ 
+ 	/* Some devices (notably the HP Smart Array 5i Controller)
+ 	   need a little pause here */
+@@ -3704,8 +3655,6 @@ static __devinit int hpsa_init_reset_devices(struct pci_dev *pdev)
+ 		return 0; /* just try to do the kdump anyhow. */
+ 	if (rc)
+ 		return -ENODEV;
+-	if (hpsa_reset_msi(pdev))
+-		return -ENODEV;
+ 
+ 	/* Now try to get the controller to respond to a no-op */
+ 	for (i = 0; i < HPSA_POST_RESET_NOOP_RETRIES; i++) {

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch)
@@ -0,0 +1,31 @@
+From 49dd47ee22a6d53e7583fea7db49b837c5cb7107 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:13 -0600
+Subject: [PATCH 085/136] hpsa: limit commands allocated on reset_devices
+
+commit 72ceeaecb748dff3d35b10d7518bed651b895f3e upstream.
+
+This is to conserve memory in a memory-limited kdump scenario
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index c5dae04..ce422d2 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3442,6 +3442,11 @@ static int __devinit hpsa_find_cfgtables(struct ctlr_info *h)
+ static void __devinit hpsa_get_max_perf_mode_cmds(struct ctlr_info *h)
+ {
+ 	h->max_commands = readl(&(h->cfgtable->MaxPerformantModeCommands));
++
++	/* Limit commands in memory limited kdump scenario. */
++	if (reset_devices && h->max_commands > 32)
++		h->max_commands = 32;
++
+ 	if (h->max_commands < 16) {
+ 		dev_warn(&h->pdev->dev, "Controller reports "
+ 			"max supported commands of %d, an obvious lie. "

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch)
@@ -0,0 +1,33 @@
+From fc59111199675969a6a3804e0cd2c896534ceafe Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:18 -0600
+Subject: [PATCH 086/136] hpsa: do not reset unknown boards on reset_devices
+
+commit 25c1e56a04e60af2414f8d81eda0fd10b8e7b961 upstream.
+
+This is to prevent hpsa from resetting older boards
+which the cciss driver may be controlling.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index ce422d2..be9540a 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3112,7 +3112,11 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	 * likely not be happy.  Just forbid resetting this conjoined mess.
+ 	 * The 640x isn't really supported by hpsa anyway.
+ 	 */
+-	hpsa_lookup_board_id(pdev, &board_id);
++	rc = hpsa_lookup_board_id(pdev, &board_id);
++	if (rc < 0) {
++		dev_warn(&pdev->dev, "Not resetting device.\n");
++		return -ENODEV;
++	}
+ 	if (board_id == 0x409C0E11 || board_id == 0x409D0E11)
+ 		return -ENOTSUPP;
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch)
@@ -0,0 +1,59 @@
+From 4fd0ada1b0a83466ba65155431dba7ec4ae301b1 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:24 -0600
+Subject: [PATCH 087/136] hpsa: take the adapter lock in
+ hpsa_wait_for_mode_change_ack
+
+commit 6eaf46fdc719991a3ccda1e14b274e9adb515978 upstream.
+
+Need to take the lock while accessing the register to check to
+see if config table changes have taken effect.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index be9540a..76f34d9 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3525,13 +3525,18 @@ static inline void hpsa_p600_dma_prefetch_quirk(struct ctlr_info *h)
+ static void __devinit hpsa_wait_for_mode_change_ack(struct ctlr_info *h)
+ {
+ 	int i;
++	u32 doorbell_value;
++	unsigned long flags;
+ 
+ 	/* under certain very rare conditions, this can take awhile.
+ 	 * (e.g.: hot replace a failed 144GB drive in a RAID 5 set right
+ 	 * as we enter this code.)
+ 	 */
+ 	for (i = 0; i < MAX_CONFIG_WAIT; i++) {
+-		if (!(readl(h->vaddr + SA5_DOORBELL) & CFGTBL_ChangeReq))
++		spin_lock_irqsave(&h->lock, flags);
++		doorbell_value = readl(h->vaddr + SA5_DOORBELL);
++		spin_unlock_irqrestore(&h->lock, flags);
++		if (!doorbell_value & CFGTBL_ChangeReq)
+ 			break;
+ 		/* delay and try again */
+ 		msleep(10);
+@@ -3703,6 +3708,8 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 	h->busy_initializing = 1;
+ 	INIT_HLIST_HEAD(&h->cmpQ);
+ 	INIT_HLIST_HEAD(&h->reqQ);
++	spin_lock_init(&h->lock);
++	spin_lock_init(&h->scan_lock);
+ 	rc = hpsa_pci_init(h);
+ 	if (rc != 0)
+ 		goto clean1;
+@@ -3762,8 +3769,6 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 	}
+ 	if (hpsa_allocate_sg_chain_blocks(h))
+ 		goto clean4;
+-	spin_lock_init(&h->lock);
+-	spin_lock_init(&h->scan_lock);
+ 	init_waitqueue_head(&h->scan_wait_queue);
+ 	h->scan_finished = 1; /* no scan currently in progress */
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch)
@@ -0,0 +1,39 @@
+From eed7e66b40b1c85ad0a389163e5d1bc03d406d2e Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:29 -0600
+Subject: [PATCH 088/136] hpsa: allow driver to put controller in either
+ simple or performant mode
+
+commit 02ec19c82e87e3748d326ca5e15e7ddb18c73476 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 76f34d9..7f488db 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -74,6 +74,10 @@ static int hpsa_allow_any;
+ module_param(hpsa_allow_any, int, S_IRUGO|S_IWUSR);
+ MODULE_PARM_DESC(hpsa_allow_any,
+ 		"Allow hpsa driver to access unknown HP Smart Array hardware");
++static int hpsa_simple_mode;
++module_param(hpsa_simple_mode, int, S_IRUGO|S_IWUSR);
++MODULE_PARM_DESC(hpsa_simple_mode,
++	"Use 'simple mode' rather than 'performant mode'");
+ 
+ /* define the PCI info for the cards we can control */
+ static const struct pci_device_id hpsa_pci_device_id[] = {
+@@ -4010,6 +4014,9 @@ static __devinit void hpsa_put_ctlr_into_performant_mode(struct ctlr_info *h)
+ {
+ 	u32 trans_support;
+ 
++	if (hpsa_simple_mode)
++		return;
++
+ 	trans_support = readl(&(h->cfgtable->TransportSupport));
+ 	if (!(trans_support & PERFORMANT_MODE))
+ 		return;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch)
@@ -0,0 +1,60 @@
+From 48f6a79fe7ded6d8f2331c16f6c79679b11ae5ce Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 6 Jan 2011 14:48:39 -0600
+Subject: [PATCH 089/136] hpsa: Add a per controller commands_outstanding
+ entry in /sys
+
+commit 94a136495a3fbe59b960c46fba3574b1159e8489 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 7f488db..fef7931 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -151,6 +151,8 @@ static ssize_t unique_id_show(struct device *dev,
+ 	struct device_attribute *attr, char *buf);
+ static ssize_t host_show_firmware_revision(struct device *dev,
+ 	     struct device_attribute *attr, char *buf);
++static ssize_t host_show_commands_outstanding(struct device *dev,
++	     struct device_attribute *attr, char *buf);
+ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno);
+ static ssize_t host_store_rescan(struct device *dev,
+ 	 struct device_attribute *attr, const char *buf, size_t count);
+@@ -180,6 +182,8 @@ static DEVICE_ATTR(unique_id, S_IRUGO, unique_id_show, NULL);
+ static DEVICE_ATTR(rescan, S_IWUSR, NULL, host_store_rescan);
+ static DEVICE_ATTR(firmware_revision, S_IRUGO,
+ 	host_show_firmware_revision, NULL);
++static DEVICE_ATTR(commands_outstanding, S_IRUGO,
++	host_show_commands_outstanding, NULL);
+ 
+ static struct device_attribute *hpsa_sdev_attrs[] = {
+ 	&dev_attr_raid_level,
+@@ -191,6 +195,7 @@ static struct device_attribute *hpsa_sdev_attrs[] = {
+ static struct device_attribute *hpsa_shost_attrs[] = {
+ 	&dev_attr_rescan,
+ 	&dev_attr_firmware_revision,
++	&dev_attr_commands_outstanding,
+ 	NULL,
+ };
+ 
+@@ -290,6 +295,15 @@ static ssize_t host_show_firmware_revision(struct device *dev,
+ 		fwrev[0], fwrev[1], fwrev[2], fwrev[3]);
+ }
+ 
++static ssize_t host_show_commands_outstanding(struct device *dev,
++	     struct device_attribute *attr, char *buf)
++{
++	struct Scsi_Host *shost = class_to_shost(dev);
++	struct ctlr_info *h = shost_to_hba(shost);
++
++	return snprintf(buf, 20, "%d\n", h->commands_outstanding);
++}
++
+ /* Enqueuing and dequeuing functions for cmdlists. */
+ static inline void addQ(struct hlist_head *list, struct CommandList *c)
+ {

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch)
@@ -0,0 +1,38 @@
+From 57bb0a0b5b6ae6fb87df50877c317925ec320c74 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Fri, 7 Jan 2011 10:55:43 -0600
+Subject: [PATCH 090/136] hpsa: fix use of uninitialized variable in
+ hpsa_add_msa2xxx_enclosure_device()
+
+commit c4f8a299d04bd083643ba93e982ab910219dd1f0 upstream.
+
+Thanks to Scott Teel for noticing this.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index fef7931..3ae6f3b 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1608,6 +1608,8 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h,
+ 	if (lun == 0) /* if lun is 0, then obviously we have a lun 0. */
+ 		return 0;
+ 
++	memset(scsi3addr, 0, 8);
++	scsi3addr[3] = target;
+ 	if (is_hba_lunid(scsi3addr))
+ 		return 0; /* Don't add the RAID controller here. */
+ 
+@@ -1622,8 +1624,6 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h,
+ 		return 0;
+ 	}
+ 
+-	memset(scsi3addr, 0, 8);
+-	scsi3addr[3] = target;
+ 	if (hpsa_update_device_info(h, scsi3addr, this_device))
+ 		return 0;
+ 	(*nmsa2xxx_enclosures)++;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch)
@@ -0,0 +1,39 @@
+From d27d3c0d4aa3ad016886557f9f9fbd4e3e2f6c95 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <StephenM.Cameron>
+Date: Fri, 7 Jan 2011 10:55:48 -0600
+Subject: [PATCH 091/136] hpsa: Fix problem that CMD_UNABORTABLE command
+ status was treated as unknown
+
+commit 1d5e2ed0805bf426226b7daa54b3e60af78baa10 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 3ae6f3b..51acff6 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1143,6 +1143,10 @@ static void complete_scsi_command(struct CommandList *cp,
+ 		cmd->result = DID_TIME_OUT << 16;
+ 		dev_warn(&h->pdev->dev, "cp %p timedout\n", cp);
+ 		break;
++	case CMD_UNABORTABLE:
++		cmd->result = DID_ERROR << 16;
++		dev_warn(&h->pdev->dev, "Command unabortable\n");
++		break;
+ 	default:
+ 		cmd->result = DID_ERROR << 16;
+ 		dev_warn(&h->pdev->dev, "cp %p returned unknown status %x\n",
+@@ -1308,6 +1312,9 @@ static void hpsa_scsi_interpret_error(struct CommandList *cp)
+ 	case CMD_TIMEOUT:
+ 		dev_warn(d, "cp %p timed out\n", cp);
+ 		break;
++	case CMD_UNABORTABLE:
++		dev_warn(d, "Command unabortable\n");
++		break;
+ 	default:
+ 		dev_warn(d, "cp %p returned unknown status %x\n", cp,
+ 				ei->CommandStatus);

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch)
@@ -0,0 +1,37 @@
+From c6bda971d4c6d0b2d4f71ae74d4afa39d7359c5e Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon at gmail.com>
+Date: Fri, 7 Jan 2011 10:55:53 -0600
+Subject: [PATCH 092/136] hpsa: avoid leaking stack contents to userland
+
+commit 938abd8449c27fc67203e1a7c350199cea1158da upstream.
+
+memset arg64 to zero in the passthrough ioctls to avoid leaking contents
+of kernel stack memory to userland via uninitialized padding fields
+inserted by the compiler for alignment reasons.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 51acff6..2043392 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2282,6 +2282,7 @@ static int hpsa_ioctl32_passthru(struct scsi_device *dev, int cmd, void *arg)
+ 	int err;
+ 	u32 cp;
+ 
++	memset(&arg64, 0, sizeof(arg64));
+ 	err = 0;
+ 	err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
+ 			   sizeof(arg64.LUN_info));
+@@ -2318,6 +2319,7 @@ static int hpsa_ioctl32_big_passthru(struct scsi_device *dev,
+ 	int err;
+ 	u32 cp;
+ 
++	memset(&arg64, 0, sizeof(arg64));
+ 	err = 0;
+ 	err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
+ 			   sizeof(arg64.LUN_info));

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch)
@@ -0,0 +1,126 @@
+From 366de2b726f4a6237f2dcc4856baaf8fc43dee7d Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:32:48 -0600
+Subject: [PATCH 093/136] hpsa: do not re-order commands in internal queues
+
+commit 9e0fc764eaec082cd2ffcf82568dfdd086935934 upstream.
+
+Driver's internal queues should be FIFO, not LIFO.
+This is a port of an almost identical patch from cciss by Jens Axboe.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c     |   23 +++++++++++------------
+ drivers/scsi/hpsa.h     |    4 ++--
+ drivers/scsi/hpsa_cmd.h |    2 +-
+ 3 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 2043392..5a62a0f 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -305,9 +305,9 @@ static ssize_t host_show_commands_outstanding(struct device *dev,
+ }
+ 
+ /* Enqueuing and dequeuing functions for cmdlists. */
+-static inline void addQ(struct hlist_head *list, struct CommandList *c)
++static inline void addQ(struct list_head *list, struct CommandList *c)
+ {
+-	hlist_add_head(&c->list, list);
++	list_add_tail(&c->list, list);
+ }
+ 
+ static inline u32 next_command(struct ctlr_info *h)
+@@ -357,9 +357,9 @@ static void enqueue_cmd_and_start_io(struct ctlr_info *h,
+ 
+ static inline void removeQ(struct CommandList *c)
+ {
+-	if (WARN_ON(hlist_unhashed(&c->list)))
++	if (WARN_ON(list_empty(&c->list)))
+ 		return;
+-	hlist_del_init(&c->list);
++	list_del_init(&c->list);
+ }
+ 
+ static inline int is_hba_lunid(unsigned char scsi3addr[])
+@@ -2200,7 +2200,7 @@ static struct CommandList *cmd_alloc(struct ctlr_info *h)
+ 
+ 	c->cmdindex = i;
+ 
+-	INIT_HLIST_NODE(&c->list);
++	INIT_LIST_HEAD(&c->list);
+ 	c->busaddr = (u32) cmd_dma_handle;
+ 	temp64.val = (u64) err_dma_handle;
+ 	c->ErrDesc.Addr.lower = temp64.val32.lower;
+@@ -2238,7 +2238,7 @@ static struct CommandList *cmd_special_alloc(struct ctlr_info *h)
+ 	}
+ 	memset(c->err_info, 0, sizeof(*c->err_info));
+ 
+-	INIT_HLIST_NODE(&c->list);
++	INIT_LIST_HEAD(&c->list);
+ 	c->busaddr = (u32) cmd_dma_handle;
+ 	temp64.val = (u64) err_dma_handle;
+ 	c->ErrDesc.Addr.lower = temp64.val32.lower;
+@@ -2809,8 +2809,8 @@ static void start_io(struct ctlr_info *h)
+ {
+ 	struct CommandList *c;
+ 
+-	while (!hlist_empty(&h->reqQ)) {
+-		c = hlist_entry(h->reqQ.first, struct CommandList, list);
++	while (!list_empty(&h->reqQ)) {
++		c = list_entry(h->reqQ.next, struct CommandList, list);
+ 		/* can't do anything if fifo is full */
+ 		if ((h->access.fifo_full(h))) {
+ 			dev_warn(&h->pdev->dev, "fifo full\n");
+@@ -2901,10 +2901,9 @@ static inline u32 process_nonindexed_cmd(struct ctlr_info *h,
+ {
+ 	u32 tag;
+ 	struct CommandList *c = NULL;
+-	struct hlist_node *tmp;
+ 
+ 	tag = hpsa_tag_discard_error_bits(raw_tag);
+-	hlist_for_each_entry(c, tmp, &h->cmpQ, list) {
++	list_for_each_entry(c, &h->cmpQ, list) {
+ 		if ((c->busaddr & 0xFFFFFFE0) == (tag & 0xFFFFFFE0)) {
+ 			finish_cmd(c, raw_tag);
+ 			return next_command(h);
+@@ -3733,8 +3732,8 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 
+ 	h->pdev = pdev;
+ 	h->busy_initializing = 1;
+-	INIT_HLIST_HEAD(&h->cmpQ);
+-	INIT_HLIST_HEAD(&h->reqQ);
++	INIT_LIST_HEAD(&h->cmpQ);
++	INIT_LIST_HEAD(&h->reqQ);
+ 	spin_lock_init(&h->lock);
+ 	spin_lock_init(&h->scan_lock);
+ 	rc = hpsa_pci_init(h);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 074d237..e898193 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -75,8 +75,8 @@ struct ctlr_info {
+ 	struct access_method access;
+ 
+ 	/* queue and queue Info */
+-	struct hlist_head reqQ;
+-	struct hlist_head cmpQ;
++	struct list_head reqQ;
++	struct list_head cmpQ;
+ 	unsigned int Qdepth;
+ 	unsigned int maxQsinceinit;
+ 	unsigned int maxSG;
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 7910c14..785abdd 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -292,7 +292,7 @@ struct CommandList {
+ 	struct ctlr_info	   *h;
+ 	int			   cmd_type;
+ 	long			   cmdindex;
+-	struct hlist_node list;
++	struct list_head list;
+ 	struct request *rq;
+ 	struct completion *waiting;
+ 	void   *scsi_cmd;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch)
@@ -0,0 +1,155 @@
+From b7e25a46a70a9dd756b5a144a52a07e030b5121c Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:32:53 -0600
+Subject: [PATCH 094/136] hpsa: make hpsa.hpsa_simple_mode=1 module parameter
+ actually work
+
+commit a9a3a2739a44fc05dcaba0d4d36e52dc444c294f upstream.
+
+It's not enough to simple avoid putting the board into performant
+mode, as we have to set up the interrupts differently, etc.  When
+I originally tested this module parameter, I tested it incorrectly
+without realizing it, and the driver was running in performant mode
+the whole time unbeknownst to me.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   37 +++++++++++++++++++++++--------------
+ drivers/scsi/hpsa.h |    1 +
+ 2 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 5a62a0f..dc00910 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1177,7 +1177,7 @@ static int hpsa_scsi_detect(struct ctlr_info *h)
+ 	sh->sg_tablesize = h->maxsgentries;
+ 	h->scsi_host = sh;
+ 	sh->hostdata[0] = (unsigned long) h;
+-	sh->irq = h->intr[PERF_MODE_INT];
++	sh->irq = h->intr[h->intr_mode];
+ 	sh->unique_id = sh->irq;
+ 	error = scsi_add_host(sh, &h->pdev->dev);
+ 	if (error)
+@@ -2874,10 +2874,14 @@ static inline u32 hpsa_tag_to_index(u32 tag)
+ 	return tag >> DIRECT_LOOKUP_SHIFT;
+ }
+ 
+-static inline u32 hpsa_tag_discard_error_bits(u32 tag)
++
++static inline u32 hpsa_tag_discard_error_bits(struct ctlr_info *h, u32 tag)
+ {
+-#define HPSA_ERROR_BITS 0x03
+-	return tag & ~HPSA_ERROR_BITS;
++#define HPSA_PERF_ERROR_BITS ((1 << DIRECT_LOOKUP_SHIFT) - 1)
++#define HPSA_SIMPLE_ERROR_BITS 0x03
++	if (unlikely(h->transMethod != CFGTBL_Trans_Performant))
++		return tag & ~HPSA_SIMPLE_ERROR_BITS;
++	return tag & ~HPSA_PERF_ERROR_BITS;
+ }
+ 
+ /* process completion of an indexed ("direct lookup") command */
+@@ -2902,7 +2906,7 @@ static inline u32 process_nonindexed_cmd(struct ctlr_info *h,
+ 	u32 tag;
+ 	struct CommandList *c = NULL;
+ 
+-	tag = hpsa_tag_discard_error_bits(raw_tag);
++	tag = hpsa_tag_discard_error_bits(h, raw_tag);
+ 	list_for_each_entry(c, &h->cmpQ, list) {
+ 		if ((c->busaddr & 0xFFFFFFE0) == (tag & 0xFFFFFFE0)) {
+ 			finish_cmd(c, raw_tag);
+@@ -2953,7 +2957,10 @@ static irqreturn_t do_hpsa_intr_msi(int irq, void *dev_id)
+ 	return IRQ_HANDLED;
+ }
+ 
+-/* Send a message CDB to the firmware. */
++/* Send a message CDB to the firmware. Careful, this only works
++ * in simple mode, not performant mode due to the tag lookup.
++ * We only ever use this immediately after a controller reset.
++ */
+ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+ 						unsigned char type)
+ {
+@@ -3019,7 +3026,7 @@ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+ 
+ 	for (i = 0; i < HPSA_MSG_SEND_RETRY_LIMIT; i++) {
+ 		tag = readl(vaddr + SA5_REPLY_PORT_OFFSET);
+-		if (hpsa_tag_discard_error_bits(tag) == paddr32)
++		if ((tag & ~HPSA_SIMPLE_ERROR_BITS) == paddr32)
+ 			break;
+ 		msleep(HPSA_MSG_SEND_RETRY_INTERVAL_MSECS);
+ 	}
+@@ -3351,7 +3358,7 @@ static void __devinit hpsa_interrupt_mode(struct ctlr_info *h)
+ default_int_mode:
+ #endif				/* CONFIG_PCI_MSI */
+ 	/* if we get here we're going to use the default interrupt mode */
+-	h->intr[PERF_MODE_INT] = h->pdev->irq;
++	h->intr[h->intr_mode] = h->pdev->irq;
+ }
+ 
+ static int __devinit hpsa_lookup_board_id(struct pci_dev *pdev, u32 *board_id)
+@@ -3732,6 +3739,8 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 
+ 	h->pdev = pdev;
+ 	h->busy_initializing = 1;
++	h->intr_mode = hpsa_simple_mode ? SIMPLE_MODE_INT : PERF_MODE_INT;
++	printk(KERN_WARNING "hpsa_simple_mode is %d\n", hpsa_simple_mode);
+ 	INIT_LIST_HEAD(&h->cmpQ);
+ 	INIT_LIST_HEAD(&h->reqQ);
+ 	spin_lock_init(&h->lock);
+@@ -3762,20 +3771,20 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 	h->access.set_intr_mask(h, HPSA_INTR_OFF);
+ 
+ 	if (h->msix_vector || h->msi_vector)
+-		rc = request_irq(h->intr[PERF_MODE_INT], do_hpsa_intr_msi,
++		rc = request_irq(h->intr[h->intr_mode], do_hpsa_intr_msi,
+ 				IRQF_DISABLED, h->devname, h);
+ 	else
+-		rc = request_irq(h->intr[PERF_MODE_INT], do_hpsa_intr_intx,
++		rc = request_irq(h->intr[h->intr_mode], do_hpsa_intr_intx,
+ 				IRQF_DISABLED, h->devname, h);
+ 	if (rc) {
+ 		dev_err(&pdev->dev, "unable to get irq %d for %s\n",
+-		       h->intr[PERF_MODE_INT], h->devname);
++		       h->intr[h->intr_mode], h->devname);
+ 		goto clean2;
+ 	}
+ 
+ 	dev_info(&pdev->dev, "%s: <0x%x> at IRQ %d%s using DAC\n",
+ 	       h->devname, pdev->device,
+-	       h->intr[PERF_MODE_INT], dac ? "" : " not");
++	       h->intr[h->intr_mode], dac ? "" : " not");
+ 
+ 	h->cmd_pool_bits =
+ 	    kmalloc(((h->nr_cmds + BITS_PER_LONG -
+@@ -3826,7 +3835,7 @@ clean4:
+ 			    h->nr_cmds * sizeof(struct ErrorInfo),
+ 			    h->errinfo_pool,
+ 			    h->errinfo_pool_dhandle);
+-	free_irq(h->intr[PERF_MODE_INT], h);
++	free_irq(h->intr[h->intr_mode], h);
+ clean2:
+ clean1:
+ 	h->busy_initializing = 0;
+@@ -3870,7 +3879,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
+ 	 */
+ 	hpsa_flush_cache(h);
+ 	h->access.set_intr_mask(h, HPSA_INTR_OFF);
+-	free_irq(h->intr[PERF_MODE_INT], h);
++	free_irq(h->intr[h->intr_mode], h);
+ #ifdef CONFIG_PCI_MSI
+ 	if (h->msix_vector)
+ 		pci_disable_msix(h->pdev);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index e898193..621a153 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -72,6 +72,7 @@ struct ctlr_info {
+ 	unsigned int intr[4];
+ 	unsigned int msix_vector;
+ 	unsigned int msi_vector;
++	int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
+ 	struct access_method access;
+ 
+ 	/* queue and queue Info */

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch)
@@ -0,0 +1,70 @@
+From a0fde39e480c3d4ee24cbb859b6ce1edcd81d773 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:32:58 -0600
+Subject: [PATCH 095/136] hpsa: Add transport_mode host attribute in /sys
+
+commit 745a7a25bc0f6dc77db72656b7bc8d17b6ee8e53 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index dc00910..c1e2319 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -153,6 +153,8 @@ static ssize_t host_show_firmware_revision(struct device *dev,
+ 	     struct device_attribute *attr, char *buf);
+ static ssize_t host_show_commands_outstanding(struct device *dev,
+ 	     struct device_attribute *attr, char *buf);
++static ssize_t host_show_transport_mode(struct device *dev,
++	struct device_attribute *attr, char *buf);
+ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno);
+ static ssize_t host_store_rescan(struct device *dev,
+ 	 struct device_attribute *attr, const char *buf, size_t count);
+@@ -184,6 +186,8 @@ static DEVICE_ATTR(firmware_revision, S_IRUGO,
+ 	host_show_firmware_revision, NULL);
+ static DEVICE_ATTR(commands_outstanding, S_IRUGO,
+ 	host_show_commands_outstanding, NULL);
++static DEVICE_ATTR(transport_mode, S_IRUGO,
++	host_show_transport_mode, NULL);
+ 
+ static struct device_attribute *hpsa_sdev_attrs[] = {
+ 	&dev_attr_raid_level,
+@@ -196,6 +200,7 @@ static struct device_attribute *hpsa_shost_attrs[] = {
+ 	&dev_attr_rescan,
+ 	&dev_attr_firmware_revision,
+ 	&dev_attr_commands_outstanding,
++	&dev_attr_transport_mode,
+ 	NULL,
+ };
+ 
+@@ -304,6 +309,18 @@ static ssize_t host_show_commands_outstanding(struct device *dev,
+ 	return snprintf(buf, 20, "%d\n", h->commands_outstanding);
+ }
+ 
++static ssize_t host_show_transport_mode(struct device *dev,
++	struct device_attribute *attr, char *buf)
++{
++	struct ctlr_info *h;
++	struct Scsi_Host *shost = class_to_shost(dev);
++
++	h = shost_to_hba(shost);
++	return snprintf(buf, 20, "%s\n",
++		h->transMethod == CFGTBL_Trans_Performant ?
++			"performant" : "simple");
++}
++
+ /* Enqueuing and dequeuing functions for cmdlists. */
+ static inline void addQ(struct list_head *list, struct CommandList *c)
+ {
+@@ -3740,7 +3757,6 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 	h->pdev = pdev;
+ 	h->busy_initializing = 1;
+ 	h->intr_mode = hpsa_simple_mode ? SIMPLE_MODE_INT : PERF_MODE_INT;
+-	printk(KERN_WARNING "hpsa_simple_mode is %d\n", hpsa_simple_mode);
+ 	INIT_LIST_HEAD(&h->cmpQ);
+ 	INIT_LIST_HEAD(&h->reqQ);
+ 	spin_lock_init(&h->lock);

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch)
@@ -0,0 +1,122 @@
+From 8672b6f8e803d0c1394ccd0a7030da3e7fbca512 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:33:03 -0600
+Subject: [PATCH 096/136] hpsa: Inform controller we are using 32-bit tags.
+
+commit 960a30e7a73affcc441b9ceaff3b1b9e73e99c1f upstream.
+
+Controller will transfer only 32-bits on completion if it
+knows we are only using 32-bit tags.  Also, some newer controllers
+apparently (and erroneously) require that we only use 32-bit tags,
+and that we inform the controller of this.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c     |   24 +++++++++++++-----------
+ drivers/scsi/hpsa_cmd.h |    1 +
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index c1e2319..747c31b 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -317,7 +317,7 @@ static ssize_t host_show_transport_mode(struct device *dev,
+ 
+ 	h = shost_to_hba(shost);
+ 	return snprintf(buf, 20, "%s\n",
+-		h->transMethod == CFGTBL_Trans_Performant ?
++		h->transMethod & CFGTBL_Trans_Performant ?
+ 			"performant" : "simple");
+ }
+ 
+@@ -331,7 +331,7 @@ static inline u32 next_command(struct ctlr_info *h)
+ {
+ 	u32 a;
+ 
+-	if (unlikely(h->transMethod != CFGTBL_Trans_Performant))
++	if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
+ 		return h->access.command_completed(h);
+ 
+ 	if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
+@@ -355,7 +355,7 @@ static inline u32 next_command(struct ctlr_info *h)
+  */
+ static void set_performant_mode(struct ctlr_info *h, struct CommandList *c)
+ {
+-	if (likely(h->transMethod == CFGTBL_Trans_Performant))
++	if (likely(h->transMethod & CFGTBL_Trans_Performant))
+ 		c->busaddr |= 1 | (h->blockFetchTable[c->Header.SGList] << 1);
+ }
+ 
+@@ -2896,7 +2896,7 @@ static inline u32 hpsa_tag_discard_error_bits(struct ctlr_info *h, u32 tag)
+ {
+ #define HPSA_PERF_ERROR_BITS ((1 << DIRECT_LOOKUP_SHIFT) - 1)
+ #define HPSA_SIMPLE_ERROR_BITS 0x03
+-	if (unlikely(h->transMethod != CFGTBL_Trans_Performant))
++	if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
+ 		return tag & ~HPSA_SIMPLE_ERROR_BITS;
+ 	return tag & ~HPSA_PERF_ERROR_BITS;
+ }
+@@ -3612,6 +3612,7 @@ static int __devinit hpsa_enter_simple_mode(struct ctlr_info *h)
+ 			"unable to get board into simple mode\n");
+ 		return -ENODEV;
+ 	}
++	h->transMethod = CFGTBL_Trans_Simple;
+ 	return 0;
+ }
+ 
+@@ -3997,7 +3998,8 @@ static void  calc_bucket_map(int bucket[], int num_buckets,
+ 	}
+ }
+ 
+-static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h)
++static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h,
++	u32 use_short_tags)
+ {
+ 	int i;
+ 	unsigned long register_value;
+@@ -4045,7 +4047,7 @@ static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h)
+ 	writel(0, &h->transtable->RepQCtrAddrHigh32);
+ 	writel(h->reply_pool_dhandle, &h->transtable->RepQAddr0Low32);
+ 	writel(0, &h->transtable->RepQAddr0High32);
+-	writel(CFGTBL_Trans_Performant,
++	writel(CFGTBL_Trans_Performant | use_short_tags,
+ 		&(h->cfgtable->HostWrite.TransportRequest));
+ 	writel(CFGTBL_ChangeReq, h->vaddr + SA5_DOORBELL);
+ 	hpsa_wait_for_mode_change_ack(h);
+@@ -4055,6 +4057,9 @@ static __devinit void hpsa_enter_performant_mode(struct ctlr_info *h)
+ 					" performant mode\n");
+ 		return;
+ 	}
++	/* Change the access methods to the performant access methods */
++	h->access = SA5_performant_access;
++	h->transMethod = CFGTBL_Trans_Performant;
+ }
+ 
+ static __devinit void hpsa_put_ctlr_into_performant_mode(struct ctlr_info *h)
+@@ -4083,11 +4088,8 @@ static __devinit void hpsa_put_ctlr_into_performant_mode(struct ctlr_info *h)
+ 		|| (h->blockFetchTable == NULL))
+ 		goto clean_up;
+ 
+-	hpsa_enter_performant_mode(h);
+-
+-	/* Change the access methods to the performant access methods */
+-	h->access = SA5_performant_access;
+-	h->transMethod = CFGTBL_Trans_Performant;
++	hpsa_enter_performant_mode(h,
++		trans_support & CFGTBL_Trans_use_short_tags);
+ 
+ 	return;
+ 
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 785abdd..1846490 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -104,6 +104,7 @@
+ 
+ #define CFGTBL_Trans_Simple     0x00000002l
+ #define CFGTBL_Trans_Performant 0x00000004l
++#define CFGTBL_Trans_use_short_tags 0x20000000l
+ 
+ #define CFGTBL_BusType_Ultra2   0x00000001l
+ #define CFGTBL_BusType_Ultra3   0x00000002l

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch)
@@ -0,0 +1,39 @@
+From 6d2736e5d6e72c2b2d9b01c9035c4a140228b229 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 15 Feb 2011 15:33:08 -0600
+Subject: [PATCH 097/136] hpsa: Do not attempt kdump if we detect resetting
+ controller failed.
+
+commit ba95e2ac6bfeb9af92153058a353fc47e1addc02 upstream.
+
+We can get completions left over from before the attempted reset which
+will interfere with the kdump.  Better to just not make the attempt in
+that case.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 747c31b..087a77b 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3236,13 +3236,13 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	 * It means we're on one of those controllers which doesn't support
+ 	 * the doorbell reset method and on which the PCI power management reset
+ 	 * method doesn't work (P800, for example.)
+-	 * In those cases, pretend the reset worked and hope for the best.
++	 * In those cases, don't try to proceed, as it generally doesn't work.
+ 	 */
+ 	active_transport = readl(&cfgtable->TransportActive);
+ 	if (active_transport & PERFORMANT_MODE) {
+ 		dev_warn(&pdev->dev, "Unable to successfully reset controller,"
+-			" proceeding anyway.\n");
+-		rc = -ENOTSUPP;
++			" Ignoring controller.\n");
++		rc = -ENODEV;
+ 	}
+ 
+ unmap_cfgtable:

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0098-hpsa-fix-bad-comparison.patch)
@@ -0,0 +1,30 @@
+From 82544351c81e6bb64eee4a7c8a76784de854ea2a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27 at gmail.com>
+Date: Tue, 15 Feb 2011 15:33:13 -0600
+Subject: [PATCH 098/136] hpsa: fix bad comparison
+
+commit 382be668c5a284844f9dcbb5b1cb8ffba2386d80 upstream.
+
+'!' has higher precedence than '&'.  CFGTBL_ChangeReq is 0x1 so the
+original code is equivelent to if (!doorbell_value) {...
+
+Signed-off-by: Dan Carpenter <error27 at gmail.com>
+Acked-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 087a77b..0f5979a 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3586,7 +3586,7 @@ static void __devinit hpsa_wait_for_mode_change_ack(struct ctlr_info *h)
+ 		spin_lock_irqsave(&h->lock, flags);
+ 		doorbell_value = readl(h->vaddr + SA5_DOORBELL);
+ 		spin_unlock_irqrestore(&h->lock, flags);
+-		if (!doorbell_value & CFGTBL_ChangeReq)
++		if (!(doorbell_value & CFGTBL_ChangeReq))
+ 			break;
+ 		/* delay and try again */
+ 		msleep(10);

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch)
@@ -0,0 +1,74 @@
+From 7cab8a9728ccfb9c0843d2f64e1d544389ba9888 Mon Sep 17 00:00:00 2001
+From: "scameron at beardog.cce.hp.com" <scameron at beardog.cce.hp.com>
+Date: Mon, 7 Mar 2011 10:44:16 -0600
+Subject: [PATCH 099/136] hpsa: fix incorrect PCI IDs and add two new ones
+ (2nd try)
+
+commit 9143a9612277abc6e4ddced2bc54a120734834c6 upstream.
+
+My first attempt was botched, got the wrong PCI Device ID
+(used PCI_DEVICE_ID_HP_CISSE, should have been PCI_DEVICE_ID_HP_CISSF)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+[bwh: Backported to 2.6.32: also add the device ID to <linux/pci_ids.h>,
+ added upstream in commit 6362beea8914cbd4630ccde3617d944aeca2d48f]
+---
+ drivers/scsi/hpsa.c     |   24 ++++++++++++++----------
+ include/linux/pci_ids.h |    1 +
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 0f5979a..a410aca 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -82,11 +82,13 @@ MODULE_PARM_DESC(hpsa_simple_mode,
+ /* define the PCI info for the cards we can control */
+ static const struct pci_device_id hpsa_pci_device_id[] = {
+ 	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3233},
+-	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3250},
+-	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3251},
+-	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3252},
+-	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3253},
+-	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSE,     0x103C, 0x3254},
++	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSF,     0x103C, 0x3350},
++	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSF,     0x103C, 0x3351},
++	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSF,     0x103C, 0x3352},
++	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSF,     0x103C, 0x3353},
++	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSF,     0x103C, 0x3354},
++	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSF,     0x103C, 0x3355},
++	{PCI_VENDOR_ID_HP,     PCI_DEVICE_ID_HP_CISSF,     0x103C, 0x3356},
+ 	{PCI_VENDOR_ID_HP,     PCI_ANY_ID,	PCI_ANY_ID, PCI_ANY_ID,
+ 		PCI_CLASS_STORAGE_RAID << 8, 0xffff << 8, 0},
+ 	{0,}
+@@ -106,11 +108,13 @@ static struct board_type products[] = {
+ 	{0x3249103C, "Smart Array P812", &SA5_access},
+ 	{0x324a103C, "Smart Array P712m", &SA5_access},
+ 	{0x324b103C, "Smart Array P711m", &SA5_access},
+-	{0x3250103C, "Smart Array", &SA5_access},
+-	{0x3250113C, "Smart Array", &SA5_access},
+-	{0x3250123C, "Smart Array", &SA5_access},
+-	{0x3250133C, "Smart Array", &SA5_access},
+-	{0x3250143C, "Smart Array", &SA5_access},
++	{0x3350103C, "Smart Array", &SA5_access},
++	{0x3351103C, "Smart Array", &SA5_access},
++	{0x3352103C, "Smart Array", &SA5_access},
++	{0x3353103C, "Smart Array", &SA5_access},
++	{0x3354103C, "Smart Array", &SA5_access},
++	{0x3355103C, "Smart Array", &SA5_access},
++	{0x3356103C, "Smart Array", &SA5_access},
+ 	{0xFFFF103C, "Unknown Smart Array", &SA5_access},
+ };
+ 
+diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h
+index 96077a5..b987a66 100644
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -744,6 +744,7 @@
+ #define PCI_DEVICE_ID_HP_CISSC		0x3230
+ #define PCI_DEVICE_ID_HP_CISSD		0x3238
+ #define PCI_DEVICE_ID_HP_CISSE		0x323a
++#define PCI_DEVICE_ID_HP_CISSF		0x323b
+ #define PCI_DEVICE_ID_HP_ZX2_IOC	0x4031
+ 
+ #define PCI_VENDOR_ID_PCTECH		0x1042

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch)
@@ -0,0 +1,304 @@
+From aa98bec461822222293c009fd7a3ef3d712968d0 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 9 Mar 2011 17:00:01 -0600
+Subject: [PATCH 100/136] hpsa: move device attributes to avoid forward
+ declarations
+
+commit 3f5eac3a040a2ea61a575f713aabedecdd23c3f8 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+[bwh: Backported to 2.6.32: no scsi_host_template::change_queue_depth]
+---
+ drivers/scsi/hpsa.c |  251 ++++++++++++++++++++++++---------------------------
+ 1 file changed, 119 insertions(+), 132 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index a410aca..3eb21da 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -147,21 +147,7 @@ static int hpsa_eh_device_reset_handler(struct scsi_cmnd *scsicmd);
+ static int hpsa_slave_alloc(struct scsi_device *sdev);
+ static void hpsa_slave_destroy(struct scsi_device *sdev);
+ 
+-static ssize_t raid_level_show(struct device *dev,
+-	struct device_attribute *attr, char *buf);
+-static ssize_t lunid_show(struct device *dev,
+-	struct device_attribute *attr, char *buf);
+-static ssize_t unique_id_show(struct device *dev,
+-	struct device_attribute *attr, char *buf);
+-static ssize_t host_show_firmware_revision(struct device *dev,
+-	     struct device_attribute *attr, char *buf);
+-static ssize_t host_show_commands_outstanding(struct device *dev,
+-	     struct device_attribute *attr, char *buf);
+-static ssize_t host_show_transport_mode(struct device *dev,
+-	struct device_attribute *attr, char *buf);
+ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno);
+-static ssize_t host_store_rescan(struct device *dev,
+-	 struct device_attribute *attr, const char *buf, size_t count);
+ static int check_for_unit_attention(struct ctlr_info *h,
+ 	struct CommandList *c);
+ static void check_ioctl_unit_attention(struct ctlr_info *h,
+@@ -182,52 +168,6 @@ static int __devinit hpsa_wait_for_board_state(struct pci_dev *pdev,
+ #define BOARD_NOT_READY 0
+ #define BOARD_READY 1
+ 
+-static DEVICE_ATTR(raid_level, S_IRUGO, raid_level_show, NULL);
+-static DEVICE_ATTR(lunid, S_IRUGO, lunid_show, NULL);
+-static DEVICE_ATTR(unique_id, S_IRUGO, unique_id_show, NULL);
+-static DEVICE_ATTR(rescan, S_IWUSR, NULL, host_store_rescan);
+-static DEVICE_ATTR(firmware_revision, S_IRUGO,
+-	host_show_firmware_revision, NULL);
+-static DEVICE_ATTR(commands_outstanding, S_IRUGO,
+-	host_show_commands_outstanding, NULL);
+-static DEVICE_ATTR(transport_mode, S_IRUGO,
+-	host_show_transport_mode, NULL);
+-
+-static struct device_attribute *hpsa_sdev_attrs[] = {
+-	&dev_attr_raid_level,
+-	&dev_attr_lunid,
+-	&dev_attr_unique_id,
+-	NULL,
+-};
+-
+-static struct device_attribute *hpsa_shost_attrs[] = {
+-	&dev_attr_rescan,
+-	&dev_attr_firmware_revision,
+-	&dev_attr_commands_outstanding,
+-	&dev_attr_transport_mode,
+-	NULL,
+-};
+-
+-static struct scsi_host_template hpsa_driver_template = {
+-	.module			= THIS_MODULE,
+-	.name			= "hpsa",
+-	.proc_name		= "hpsa",
+-	.queuecommand		= hpsa_scsi_queue_command,
+-	.scan_start		= hpsa_scan_start,
+-	.scan_finished		= hpsa_scan_finished,
+-	.this_id		= -1,
+-	.use_clustering		= ENABLE_CLUSTERING,
+-	.eh_device_reset_handler = hpsa_eh_device_reset_handler,
+-	.ioctl			= hpsa_ioctl,
+-	.slave_alloc		= hpsa_slave_alloc,
+-	.slave_destroy		= hpsa_slave_destroy,
+-#ifdef CONFIG_COMPAT
+-	.compat_ioctl		= hpsa_compat_ioctl,
+-#endif
+-	.sdev_attrs = hpsa_sdev_attrs,
+-	.shost_attrs = hpsa_shost_attrs,
+-};
+-
+ static inline struct ctlr_info *sdev_to_hba(struct scsi_device *sdev)
+ {
+ 	unsigned long *priv = shost_priv(sdev->host);
+@@ -325,83 +265,11 @@ static ssize_t host_show_transport_mode(struct device *dev,
+ 			"performant" : "simple");
+ }
+ 
+-/* Enqueuing and dequeuing functions for cmdlists. */
+-static inline void addQ(struct list_head *list, struct CommandList *c)
+-{
+-	list_add_tail(&c->list, list);
+-}
+-
+-static inline u32 next_command(struct ctlr_info *h)
+-{
+-	u32 a;
+-
+-	if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
+-		return h->access.command_completed(h);
+-
+-	if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
+-		a = *(h->reply_pool_head); /* Next cmd in ring buffer */
+-		(h->reply_pool_head)++;
+-		h->commands_outstanding--;
+-	} else {
+-		a = FIFO_EMPTY;
+-	}
+-	/* Check for wraparound */
+-	if (h->reply_pool_head == (h->reply_pool + h->max_commands)) {
+-		h->reply_pool_head = h->reply_pool;
+-		h->reply_pool_wraparound ^= 1;
+-	}
+-	return a;
+-}
+-
+-/* set_performant_mode: Modify the tag for cciss performant
+- * set bit 0 for pull model, bits 3-1 for block fetch
+- * register number
+- */
+-static void set_performant_mode(struct ctlr_info *h, struct CommandList *c)
+-{
+-	if (likely(h->transMethod & CFGTBL_Trans_Performant))
+-		c->busaddr |= 1 | (h->blockFetchTable[c->Header.SGList] << 1);
+-}
+-
+-static void enqueue_cmd_and_start_io(struct ctlr_info *h,
+-	struct CommandList *c)
+-{
+-	unsigned long flags;
+-
+-	set_performant_mode(h, c);
+-	spin_lock_irqsave(&h->lock, flags);
+-	addQ(&h->reqQ, c);
+-	h->Qdepth++;
+-	start_io(h);
+-	spin_unlock_irqrestore(&h->lock, flags);
+-}
+-
+-static inline void removeQ(struct CommandList *c)
+-{
+-	if (WARN_ON(list_empty(&c->list)))
+-		return;
+-	list_del_init(&c->list);
+-}
+-
+-static inline int is_hba_lunid(unsigned char scsi3addr[])
+-{
+-	return memcmp(scsi3addr, RAID_CTLR_LUNID, 8) == 0;
+-}
+-
+ static inline int is_logical_dev_addr_mode(unsigned char scsi3addr[])
+ {
+ 	return (scsi3addr[3] & 0xC0) == 0x40;
+ }
+ 
+-static inline int is_scsi_rev_5(struct ctlr_info *h)
+-{
+-	if (!h->hba_inquiry_data)
+-		return 0;
+-	if ((h->hba_inquiry_data[2] & 0x07) == 5)
+-		return 1;
+-	return 0;
+-}
+-
+ static const char *raid_label[] = { "0", "4", "1(1+0)", "5", "5+1", "ADG",
+ 	"UNKNOWN"
+ };
+@@ -493,6 +361,125 @@ static ssize_t unique_id_show(struct device *dev,
+ 			sn[12], sn[13], sn[14], sn[15]);
+ }
+ 
++static DEVICE_ATTR(raid_level, S_IRUGO, raid_level_show, NULL);
++static DEVICE_ATTR(lunid, S_IRUGO, lunid_show, NULL);
++static DEVICE_ATTR(unique_id, S_IRUGO, unique_id_show, NULL);
++static DEVICE_ATTR(rescan, S_IWUSR, NULL, host_store_rescan);
++static DEVICE_ATTR(firmware_revision, S_IRUGO,
++	host_show_firmware_revision, NULL);
++static DEVICE_ATTR(commands_outstanding, S_IRUGO,
++	host_show_commands_outstanding, NULL);
++static DEVICE_ATTR(transport_mode, S_IRUGO,
++	host_show_transport_mode, NULL);
++
++static struct device_attribute *hpsa_sdev_attrs[] = {
++	&dev_attr_raid_level,
++	&dev_attr_lunid,
++	&dev_attr_unique_id,
++	NULL,
++};
++
++static struct device_attribute *hpsa_shost_attrs[] = {
++	&dev_attr_rescan,
++	&dev_attr_firmware_revision,
++	&dev_attr_commands_outstanding,
++	&dev_attr_transport_mode,
++	NULL,
++};
++
++static struct scsi_host_template hpsa_driver_template = {
++	.module			= THIS_MODULE,
++	.name			= "hpsa",
++	.proc_name		= "hpsa",
++	.queuecommand		= hpsa_scsi_queue_command,
++	.scan_start		= hpsa_scan_start,
++	.scan_finished		= hpsa_scan_finished,
++	.this_id		= -1,
++	.use_clustering		= ENABLE_CLUSTERING,
++	.eh_device_reset_handler = hpsa_eh_device_reset_handler,
++	.ioctl			= hpsa_ioctl,
++	.slave_alloc		= hpsa_slave_alloc,
++	.slave_destroy		= hpsa_slave_destroy,
++#ifdef CONFIG_COMPAT
++	.compat_ioctl		= hpsa_compat_ioctl,
++#endif
++	.sdev_attrs = hpsa_sdev_attrs,
++	.shost_attrs = hpsa_shost_attrs,
++};
++
++
++/* Enqueuing and dequeuing functions for cmdlists. */
++static inline void addQ(struct list_head *list, struct CommandList *c)
++{
++	list_add_tail(&c->list, list);
++}
++
++static inline u32 next_command(struct ctlr_info *h)
++{
++	u32 a;
++
++	if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
++		return h->access.command_completed(h);
++
++	if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
++		a = *(h->reply_pool_head); /* Next cmd in ring buffer */
++		(h->reply_pool_head)++;
++		h->commands_outstanding--;
++	} else {
++		a = FIFO_EMPTY;
++	}
++	/* Check for wraparound */
++	if (h->reply_pool_head == (h->reply_pool + h->max_commands)) {
++		h->reply_pool_head = h->reply_pool;
++		h->reply_pool_wraparound ^= 1;
++	}
++	return a;
++}
++
++/* set_performant_mode: Modify the tag for cciss performant
++ * set bit 0 for pull model, bits 3-1 for block fetch
++ * register number
++ */
++static void set_performant_mode(struct ctlr_info *h, struct CommandList *c)
++{
++	if (likely(h->transMethod & CFGTBL_Trans_Performant))
++		c->busaddr |= 1 | (h->blockFetchTable[c->Header.SGList] << 1);
++}
++
++static void enqueue_cmd_and_start_io(struct ctlr_info *h,
++	struct CommandList *c)
++{
++	unsigned long flags;
++
++	set_performant_mode(h, c);
++	spin_lock_irqsave(&h->lock, flags);
++	addQ(&h->reqQ, c);
++	h->Qdepth++;
++	start_io(h);
++	spin_unlock_irqrestore(&h->lock, flags);
++}
++
++static inline void removeQ(struct CommandList *c)
++{
++	if (WARN_ON(list_empty(&c->list)))
++		return;
++	list_del_init(&c->list);
++}
++
++static inline int is_hba_lunid(unsigned char scsi3addr[])
++{
++	return memcmp(scsi3addr, RAID_CTLR_LUNID, 8) == 0;
++}
++
++static inline int is_scsi_rev_5(struct ctlr_info *h)
++{
++	if (!h->hba_inquiry_data)
++		return 0;
++	if ((h->hba_inquiry_data[2] & 0x07) == 5)
++		return 1;
++	return 0;
++}
++
+ static int hpsa_find_target_lun(struct ctlr_info *h,
+ 	unsigned char scsi3addr[], int bus, int *target, int *lun)
+ {

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch)
@@ -0,0 +1,86 @@
+From 9910b190678f5204ff108439a77f86172f632595 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 9 Mar 2011 17:00:06 -0600
+Subject: [PATCH 101/136] hpsa: export resettable host attribute
+
+commit 941b1cdae83039c99fc5c1884a98d2afd39760e5 upstream.
+
+This attribute, requested by Redhat, allows kexec-tools to know
+whether the controller can honor the reset_devices kernel parameter
+and actually reset the controller.  For kdump to work properly it
+is necessary that the reset_devices parameter be honored.  This
+attribute enables kexec-tools to warn the user if they attempt to
+designate a non-resettable controller as the dump device.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 3eb21da..fa52ad9 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -265,6 +265,44 @@ static ssize_t host_show_transport_mode(struct device *dev,
+ 			"performant" : "simple");
+ }
+ 
++/* List of controllers which cannot be reset on kexec with reset_devices */
++static u32 unresettable_controller[] = {
++	0x324a103C, /* Smart Array P712m */
++	0x324b103C, /* SmartArray P711m */
++	0x3223103C, /* Smart Array P800 */
++	0x3234103C, /* Smart Array P400 */
++	0x3235103C, /* Smart Array P400i */
++	0x3211103C, /* Smart Array E200i */
++	0x3212103C, /* Smart Array E200 */
++	0x3213103C, /* Smart Array E200i */
++	0x3214103C, /* Smart Array E200i */
++	0x3215103C, /* Smart Array E200i */
++	0x3237103C, /* Smart Array E500 */
++	0x323D103C, /* Smart Array P700m */
++	0x409C0E11, /* Smart Array 6400 */
++	0x409D0E11, /* Smart Array 6400 EM */
++};
++
++static int ctlr_is_resettable(struct ctlr_info *h)
++{
++	int i;
++
++	for (i = 0; i < ARRAY_SIZE(unresettable_controller); i++)
++		if (unresettable_controller[i] == h->board_id)
++			return 0;
++	return 1;
++}
++
++static ssize_t host_show_resettable(struct device *dev,
++	struct device_attribute *attr, char *buf)
++{
++	struct ctlr_info *h;
++	struct Scsi_Host *shost = class_to_shost(dev);
++
++	h = shost_to_hba(shost);
++	return snprintf(buf, 20, "%d\n", ctlr_is_resettable(h));
++}
++
+ static inline int is_logical_dev_addr_mode(unsigned char scsi3addr[])
+ {
+ 	return (scsi3addr[3] & 0xC0) == 0x40;
+@@ -371,6 +409,8 @@ static DEVICE_ATTR(commands_outstanding, S_IRUGO,
+ 	host_show_commands_outstanding, NULL);
+ static DEVICE_ATTR(transport_mode, S_IRUGO,
+ 	host_show_transport_mode, NULL);
++static DEVICE_ATTR(resettable, S_IRUGO,
++	host_show_resettable, NULL);
+ 
+ static struct device_attribute *hpsa_sdev_attrs[] = {
+ 	&dev_attr_raid_level,
+@@ -384,6 +424,7 @@ static struct device_attribute *hpsa_shost_attrs[] = {
+ 	&dev_attr_firmware_revision,
+ 	&dev_attr_commands_outstanding,
+ 	&dev_attr_transport_mode,
++	&dev_attr_resettable,
+ 	NULL,
+ };
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch)
@@ -0,0 +1,30 @@
+From bebca693eb5bde267011b46fbcca723047b0c1b4 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:58:49 -0500
+Subject: [PATCH 102/136] hpsa: do readl after writel in main i/o path to
+ ensure commands don't get lost.
+
+commit d0be5ec8693944c2e2fc0de70fda9dbc1b93bd7d upstream.
+
+Apparently we've been doin it rong for a decade, but only lately do we
+run into problems.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 621a153..98c97ca 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -212,6 +212,7 @@ static void SA5_submit_command(struct ctlr_info *h,
+ 	dev_dbg(&h->pdev->dev, "Sending %x, tag = %x\n", c->busaddr,
+ 		c->Header.Tag.lower);
+ 	writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET);
++	(void) readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);
+ 	h->commands_outstanding++;
+ 	if (h->commands_outstanding > h->max_outstanding)
+ 		h->max_outstanding = h->commands_outstanding;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch)
@@ -0,0 +1,48 @@
+From 6cdd7154301c0975c5c4c41ed0b37b313355f01a Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:58:55 -0500
+Subject: [PATCH 103/136] hpsa: add readl after writel in interrupt mask
+ setting code
+
+commit 8cd21da71c952843f9cc215436286cf7f991cc6e upstream.
+
+This is to ensure the board interrupts are really off when
+these functions return.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.h |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 98c97ca..7eec397 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -228,10 +228,12 @@ static void SA5_intr_mask(struct ctlr_info *h, unsigned long val)
+ 	if (val) { /* Turn interrupts on */
+ 		h->interrupts_enabled = 1;
+ 		writel(0, h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
++		(void) readl(h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
+ 	} else { /* Turn them off */
+ 		h->interrupts_enabled = 0;
+ 		writel(SA5_INTR_OFF,
+ 			h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
++		(void) readl(h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
+ 	}
+ }
+ 
+@@ -240,10 +242,12 @@ static void SA5_performant_intr_mask(struct ctlr_info *h, unsigned long val)
+ 	if (val) { /* turn on interrupts */
+ 		h->interrupts_enabled = 1;
+ 		writel(0, h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
++		(void) readl(h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
+ 	} else {
+ 		h->interrupts_enabled = 0;
+ 		writel(SA5_PERF_INTR_OFF,
+ 			h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
++		(void) readl(h->vaddr + SA5_REPLY_INTR_MASK_OFFSET);
+ 	}
+ }
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch)
@@ -0,0 +1,38 @@
+From 73be737a0b5e3de570dfecc9fd43fa9dda590eca Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:00 -0500
+Subject: [PATCH 104/136] hpsa: remove unused parameter from
+ hpsa_complete_scsi_command()
+
+commit 1fb011fb05b6bac4fb8eabd324a6983116f7594d upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index fa52ad9..a5b47a9 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -997,8 +997,7 @@ static void hpsa_unmap_sg_chain_block(struct ctlr_info *h,
+ 	pci_unmap_single(h->pdev, temp64.val, chain_sg->Len, PCI_DMA_TODEVICE);
+ }
+ 
+-static void complete_scsi_command(struct CommandList *cp,
+-	int timeout, u32 tag)
++static void complete_scsi_command(struct CommandList *cp)
+ {
+ 	struct scsi_cmnd *cmd;
+ 	struct ctlr_info *h;
+@@ -2908,7 +2907,7 @@ static inline void finish_cmd(struct CommandList *c, u32 raw_tag)
+ {
+ 	removeQ(c);
+ 	if (likely(c->cmd_type == CMD_SCSI))
+-		complete_scsi_command(c, 0, raw_tag);
++		complete_scsi_command(c);
+ 	else if (c->cmd_type == CMD_IOCTL_PEND)
+ 		complete(c->waiting);
+ }

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch)
@@ -0,0 +1,33 @@
+From eee0ac89f0ce7c0f30cdf2c094c2bd3081f68082 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:05 -0500
+Subject: [PATCH 105/136] hpsa: delete old unused padding garbage
+
+commit a2a431a4fd3b11c6808933ca1bdb2d28a8fa0634 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa_cmd.h |    8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 1846490..0500740 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -256,14 +256,6 @@ struct ErrorInfo {
+ #define CMD_IOCTL_PEND  0x01
+ #define CMD_SCSI	0x03
+ 
+-/* This structure needs to be divisible by 32 for new
+- * indexing method and performant mode.
+- */
+-#define PAD32 32
+-#define PAD64DIFF 0
+-#define USEEXTRA ((sizeof(void *) - 4)/4)
+-#define PADSIZE (PAD32 + PAD64DIFF * USEEXTRA)
+-
+ #define DIRECT_LOOKUP_SHIFT 5
+ #define DIRECT_LOOKUP_BIT 0x10
+ #define DIRECT_LOOKUP_MASK (~((1 << DIRECT_LOOKUP_SHIFT) - 1))

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch)
@@ -0,0 +1,154 @@
+From 66c1eae0fb9d6eba75effd5aeb23a7431ef4176f Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:10 -0500
+Subject: [PATCH 106/136] hpsa: do a better job of detecting controller reset
+ failure
+
+commit 580ada3c1e2f23b4b0f3c254cae3eb278f92d494 upstream.
+
+Detect failure of controller reset by noticing if the 32 bytes of
+"driver version" we store on the hardware in the config table
+fail to get zeroed out.  Previously we noticed if the controller
+did not transition to "simple mode", but this did not detect reset
+failure if the controller was already in simple mode prior to
+the reset attempt (e.g. due to module parameter hpsa_simple_mode=1).
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c     |   76 ++++++++++++++++++++++++++++++++++++++++-------
+ drivers/scsi/hpsa_cmd.h |    1 +
+ 2 files changed, 67 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index a5b47a9..dcdf55a 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3156,6 +3156,59 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ 	return 0;
+ }
+ 
++static __devinit void init_driver_version(char *driver_version, int len)
++{
++	memset(driver_version, 0, len);
++	strncpy(driver_version, "hpsa " HPSA_DRIVER_VERSION, len - 1);
++}
++
++static __devinit int write_driver_ver_to_cfgtable(
++	struct CfgTable __iomem *cfgtable)
++{
++	char *driver_version;
++	int i, size = sizeof(cfgtable->driver_version);
++
++	driver_version = kmalloc(size, GFP_KERNEL);
++	if (!driver_version)
++		return -ENOMEM;
++
++	init_driver_version(driver_version, size);
++	for (i = 0; i < size; i++)
++		writeb(driver_version[i], &cfgtable->driver_version[i]);
++	kfree(driver_version);
++	return 0;
++}
++
++static __devinit void read_driver_ver_from_cfgtable(
++	struct CfgTable __iomem *cfgtable, unsigned char *driver_ver)
++{
++	int i;
++
++	for (i = 0; i < sizeof(cfgtable->driver_version); i++)
++		driver_ver[i] = readb(&cfgtable->driver_version[i]);
++}
++
++static __devinit int controller_reset_failed(
++	struct CfgTable __iomem *cfgtable)
++{
++
++	char *driver_ver, *old_driver_ver;
++	int rc, size = sizeof(cfgtable->driver_version);
++
++	old_driver_ver = kmalloc(2 * size, GFP_KERNEL);
++	if (!old_driver_ver)
++		return -ENOMEM;
++	driver_ver = old_driver_ver + size;
++
++	/* After a reset, the 32 bytes of "driver version" in the cfgtable
++	 * should have been changed, otherwise we know the reset failed.
++	 */
++	init_driver_version(old_driver_ver, size);
++	read_driver_ver_from_cfgtable(cfgtable, driver_ver);
++	rc = !memcmp(driver_ver, old_driver_ver, size);
++	kfree(old_driver_ver);
++	return rc;
++}
+ /* This does a hard reset of the controller using PCI power management
+  * states or the using the doorbell register.
+  */
+@@ -3166,7 +3219,7 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	u64 cfg_base_addr_index;
+ 	void __iomem *vaddr;
+ 	unsigned long paddr;
+-	u32 misc_fw_support, active_transport;
++	u32 misc_fw_support;
+ 	int rc;
+ 	struct CfgTable __iomem *cfgtable;
+ 	bool use_doorbell;
+@@ -3228,6 +3281,9 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 		rc = -ENOMEM;
+ 		goto unmap_vaddr;
+ 	}
++	rc = write_driver_ver_to_cfgtable(cfgtable);
++	if (rc)
++		goto unmap_vaddr;
+ 
+ 	/* If reset via doorbell register is supported, use that. */
+ 	misc_fw_support = readl(&cfgtable->misc_fw_support);
+@@ -3261,19 +3317,16 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 			"failed waiting for board to become ready\n");
+ 		goto unmap_cfgtable;
+ 	}
+-	dev_info(&pdev->dev, "board ready.\n");
+ 
+-	/* Controller should be in simple mode at this point.  If it's not,
+-	 * It means we're on one of those controllers which doesn't support
+-	 * the doorbell reset method and on which the PCI power management reset
+-	 * method doesn't work (P800, for example.)
+-	 * In those cases, don't try to proceed, as it generally doesn't work.
+-	 */
+-	active_transport = readl(&cfgtable->TransportActive);
+-	if (active_transport & PERFORMANT_MODE) {
++	rc = controller_reset_failed(vaddr);
++	if (rc < 0)
++		goto unmap_cfgtable;
++	if (rc) {
+ 		dev_warn(&pdev->dev, "Unable to successfully reset controller,"
+ 			" Ignoring controller.\n");
+ 		rc = -ENODEV;
++	} else {
++		dev_info(&pdev->dev, "board ready.\n");
+ 	}
+ 
+ unmap_cfgtable:
+@@ -3514,6 +3567,9 @@ static int __devinit hpsa_find_cfgtables(struct ctlr_info *h)
+ 		       cfg_base_addr_index) + cfg_offset, sizeof(*h->cfgtable));
+ 	if (!h->cfgtable)
+ 		return -ENOMEM;
++	rc = write_driver_ver_to_cfgtable(h->cfgtable);
++	if (rc)
++		return rc;
+ 	/* Find performant mode table. */
+ 	trans_offset = readl(&h->cfgtable->TransMethodOffset);
+ 	h->transtable = remap_pci_mem(pci_resource_start(h->pdev,
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 0500740..8fd35a7 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -337,6 +337,7 @@ struct CfgTable {
+ 	u8		reserved[0x78 - 0x58];
+ 	u32		misc_fw_support; /* offset 0x78 */
+ #define			MISC_FW_DOORBELL_RESET (0x02)
++	u8		driver_version[32];
+ };
+ 
+ #define NUM_BLOCKFETCH_ENTRIES 8

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch)
@@ -0,0 +1,31 @@
+From cab8825b8a2cb4fd848a4e5bf9d0c952a1801b53 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:15 -0500
+Subject: [PATCH 107/136] hpsa: wait longer for no-op to complete after
+ resetting controller
+
+commit 516fda49e8596904a741693059c8746f11ce579c upstream.
+
+This is to avoid the usual two or three messages about the command
+timing out.  We're obviously not waiting long enough.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 7eec397..7a4ee73 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -130,7 +130,7 @@ struct ctlr_info {
+ #define HPSA_BUS_RESET_MSG 2
+ #define HPSA_HOST_RESET_MSG 3
+ #define HPSA_MSG_SEND_RETRY_LIMIT 10
+-#define HPSA_MSG_SEND_RETRY_INTERVAL_MSECS 1000
++#define HPSA_MSG_SEND_RETRY_INTERVAL_MSECS (10000)
+ 
+ /* Maximum time in seconds driver will wait for command completions
+  * when polling before giving up.

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch)
@@ -0,0 +1,112 @@
+From 65214eeec0a7660174f59dbd1e2bcc9173c5c9c7 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:20 -0500
+Subject: [PATCH 108/136] hpsa: factor out cmd pool allocation functions
+
+commit 2e9d1b3626c4383362df30bb853a1b57c2798300 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   66 ++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 36 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index dcdf55a..385fddd 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3819,6 +3819,40 @@ static __devinit int hpsa_init_reset_devices(struct pci_dev *pdev)
+ 	return 0;
+ }
+ 
++static __devinit int hpsa_allocate_cmd_pool(struct ctlr_info *h)
++{
++	h->cmd_pool_bits = kzalloc(
++		DIV_ROUND_UP(h->nr_cmds, BITS_PER_LONG) *
++		sizeof(unsigned long), GFP_KERNEL);
++	h->cmd_pool = pci_alloc_consistent(h->pdev,
++		    h->nr_cmds * sizeof(*h->cmd_pool),
++		    &(h->cmd_pool_dhandle));
++	h->errinfo_pool = pci_alloc_consistent(h->pdev,
++		    h->nr_cmds * sizeof(*h->errinfo_pool),
++		    &(h->errinfo_pool_dhandle));
++	if ((h->cmd_pool_bits == NULL)
++	    || (h->cmd_pool == NULL)
++	    || (h->errinfo_pool == NULL)) {
++		dev_err(&h->pdev->dev, "out of memory in %s", __func__);
++		return -ENOMEM;
++	}
++	return 0;
++}
++
++static void hpsa_free_cmd_pool(struct ctlr_info *h)
++{
++	kfree(h->cmd_pool_bits);
++	if (h->cmd_pool)
++		pci_free_consistent(h->pdev,
++			    h->nr_cmds * sizeof(struct CommandList),
++			    h->cmd_pool, h->cmd_pool_dhandle);
++	if (h->errinfo_pool)
++		pci_free_consistent(h->pdev,
++			    h->nr_cmds * sizeof(struct ErrorInfo),
++			    h->errinfo_pool,
++			    h->errinfo_pool_dhandle);
++}
++
+ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 				    const struct pci_device_id *ent)
+ {
+@@ -3889,33 +3923,14 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 	dev_info(&pdev->dev, "%s: <0x%x> at IRQ %d%s using DAC\n",
+ 	       h->devname, pdev->device,
+ 	       h->intr[h->intr_mode], dac ? "" : " not");
+-
+-	h->cmd_pool_bits =
+-	    kmalloc(((h->nr_cmds + BITS_PER_LONG -
+-		      1) / BITS_PER_LONG) * sizeof(unsigned long), GFP_KERNEL);
+-	h->cmd_pool = pci_alloc_consistent(h->pdev,
+-		    h->nr_cmds * sizeof(*h->cmd_pool),
+-		    &(h->cmd_pool_dhandle));
+-	h->errinfo_pool = pci_alloc_consistent(h->pdev,
+-		    h->nr_cmds * sizeof(*h->errinfo_pool),
+-		    &(h->errinfo_pool_dhandle));
+-	if ((h->cmd_pool_bits == NULL)
+-	    || (h->cmd_pool == NULL)
+-	    || (h->errinfo_pool == NULL)) {
+-		dev_err(&pdev->dev, "out of memory");
+-		rc = -ENOMEM;
++	if (hpsa_allocate_cmd_pool(h))
+ 		goto clean4;
+-	}
+ 	if (hpsa_allocate_sg_chain_blocks(h))
+ 		goto clean4;
+ 	init_waitqueue_head(&h->scan_wait_queue);
+ 	h->scan_finished = 1; /* no scan currently in progress */
+ 
+ 	pci_set_drvdata(pdev, h);
+-	memset(h->cmd_pool_bits, 0,
+-	       ((h->nr_cmds + BITS_PER_LONG -
+-		 1) / BITS_PER_LONG) * sizeof(unsigned long));
+-
+ 	hpsa_scsi_setup(h);
+ 
+ 	/* Turn the interrupts on so we can service requests */
+@@ -3929,16 +3944,7 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 
+ clean4:
+ 	hpsa_free_sg_chain_blocks(h);
+-	kfree(h->cmd_pool_bits);
+-	if (h->cmd_pool)
+-		pci_free_consistent(h->pdev,
+-			    h->nr_cmds * sizeof(struct CommandList),
+-			    h->cmd_pool, h->cmd_pool_dhandle);
+-	if (h->errinfo_pool)
+-		pci_free_consistent(h->pdev,
+-			    h->nr_cmds * sizeof(struct ErrorInfo),
+-			    h->errinfo_pool,
+-			    h->errinfo_pool_dhandle);
++	hpsa_free_cmd_pool(h);
+ 	free_irq(h->intr[h->intr_mode], h);
+ clean2:
+ clean1:

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch)
@@ -0,0 +1,65 @@
+From cbe6b1e444cd01e6e30fe84af46c0d06718899e9 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:25 -0500
+Subject: [PATCH 109/136] hpsa: factor out irq request code
+
+commit 0ae01a32cb4a89ef0ed49bb6f49bd5830b13ab3e upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 385fddd..af883b6 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3853,6 +3853,26 @@ static void hpsa_free_cmd_pool(struct ctlr_info *h)
+ 			    h->errinfo_pool_dhandle);
+ }
+ 
++static int hpsa_request_irq(struct ctlr_info *h,
++	irqreturn_t (*msixhandler)(int, void *),
++	irqreturn_t (*intxhandler)(int, void *))
++{
++	int rc;
++
++	if (h->msix_vector || h->msi_vector)
++		rc = request_irq(h->intr[h->intr_mode], msixhandler,
++				IRQF_DISABLED, h->devname, h);
++	else
++		rc = request_irq(h->intr[h->intr_mode], intxhandler,
++				IRQF_DISABLED, h->devname, h);
++	if (rc) {
++		dev_err(&h->pdev->dev, "unable to get irq %d for %s\n",
++		       h->intr[h->intr_mode], h->devname);
++		return -ENODEV;
++	}
++	return 0;
++}
++
+ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 				    const struct pci_device_id *ent)
+ {
+@@ -3908,18 +3928,8 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 	/* make sure the board interrupts are off */
+ 	h->access.set_intr_mask(h, HPSA_INTR_OFF);
+ 
+-	if (h->msix_vector || h->msi_vector)
+-		rc = request_irq(h->intr[h->intr_mode], do_hpsa_intr_msi,
+-				IRQF_DISABLED, h->devname, h);
+-	else
+-		rc = request_irq(h->intr[h->intr_mode], do_hpsa_intr_intx,
+-				IRQF_DISABLED, h->devname, h);
+-	if (rc) {
+-		dev_err(&pdev->dev, "unable to get irq %d for %s\n",
+-		       h->intr[h->intr_mode], h->devname);
++	if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx))
+ 		goto clean2;
+-	}
+-
+ 	dev_info(&pdev->dev, "%s: <0x%x> at IRQ %d%s using DAC\n",
+ 	       h->devname, pdev->device,
+ 	       h->intr[h->intr_mode], dac ? "" : " not");

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch)
@@ -0,0 +1,27 @@
+From cf37da8207b8daf6830e81d803e9c04e7fae0e5d Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:31 -0500
+Subject: [PATCH 110/136] hpsa: increase time to wait for board reset
+
+commit 2ed7127bceb10a6a7d5a38c30ab65176d4e4bc0f upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 7a4ee73..b1412a7 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -155,7 +155,7 @@ struct ctlr_info {
+  * HPSA_BOARD_READY_ITERATIONS are derived from those.
+  */
+ #define HPSA_BOARD_READY_WAIT_SECS (120)
+-#define HPSA_BOARD_NOT_READY_WAIT_SECS (10)
++#define HPSA_BOARD_NOT_READY_WAIT_SECS (100)
+ #define HPSA_BOARD_READY_POLL_INTERVAL_MSECS (100)
+ #define HPSA_BOARD_READY_POLL_INTERVAL \
+ 	((HPSA_BOARD_READY_POLL_INTERVAL_MSECS * HZ) / 1000)

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch)
@@ -0,0 +1,47 @@
+From 943f2a951a285ef8affdab4fb237e1b6bbc6ceca Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:36 -0500
+Subject: [PATCH 111/136] hpsa: clarify messages around reset behavior
+
+commit 2b870cb30000477e425666f9c6d83cca8fddc7c0 upstream.
+
+When waiting for the board to become "not ready"
+don't print a message saying "waiting for board to
+become ready" (possibly followed by a message saying
+"failed waiting for board to become not ready".  Instead,
+it should be "waiting for board to reset" and "failed
+waiting for board to reset."
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index af883b6..c9e26a5 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3306,11 +3306,11 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	msleep(HPSA_POST_RESET_PAUSE_MSECS);
+ 
+ 	/* Wait for board to become not ready, then ready. */
+-	dev_info(&pdev->dev, "Waiting for board to become ready.\n");
++	dev_info(&pdev->dev, "Waiting for board to reset.\n");
+ 	rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_NOT_READY);
+ 	if (rc)
+ 		dev_warn(&pdev->dev,
+-			"failed waiting for board to become not ready\n");
++			"failed waiting for board to reset\n");
+ 	rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_READY);
+ 	if (rc) {
+ 		dev_warn(&pdev->dev,
+@@ -3809,6 +3809,7 @@ static __devinit int hpsa_init_reset_devices(struct pci_dev *pdev)
+ 		return -ENODEV;
+ 
+ 	/* Now try to get the controller to respond to a no-op */
++	dev_warn(&pdev->dev, "Waiting for controller to respond to no-op\n");
+ 	for (i = 0; i < HPSA_POST_RESET_NOOP_RETRIES; i++) {
+ 		if (hpsa_noop(pdev) == 0)
+ 			break;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch)
@@ -0,0 +1,46 @@
+From 014dd58b2c620e56b168ec767427bd6a83a15886 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:41 -0500
+Subject: [PATCH 112/136] hpsa: remove atrophied hpsa_scsi_setup function
+
+commit 9a41338e5b474add499a7ca2a5a76148e5076805 upstream.
+
+hpsa_scsi_setup at one time contained enough code to justify
+its existence, but that time has passed.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index c9e26a5..dd30bfd 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -920,13 +920,6 @@ static void hpsa_slave_destroy(struct scsi_device *sdev)
+ 	/* nothing to do. */
+ }
+ 
+-static void hpsa_scsi_setup(struct ctlr_info *h)
+-{
+-	h->ndevices = 0;
+-	h->scsi_host = NULL;
+-	spin_lock_init(&h->devlock);
+-}
+-
+ static void hpsa_free_sg_chain_blocks(struct ctlr_info *h)
+ {
+ 	int i;
+@@ -3942,7 +3935,9 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 	h->scan_finished = 1; /* no scan currently in progress */
+ 
+ 	pci_set_drvdata(pdev, h);
+-	hpsa_scsi_setup(h);
++	h->ndevices = 0;
++	h->scsi_host = NULL;
++	spin_lock_init(&h->devlock);
+ 
+ 	/* Turn the interrupts on so we can service requests */
+ 	h->access.set_intr_mask(h, HPSA_INTR_ON);

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch)
@@ -0,0 +1,99 @@
+From 10d448eedfaf5e81e3298e2804449932f1dabb8f Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:46 -0500
+Subject: [PATCH 113/136] hpsa: use new doorbell-bit-5 reset method
+
+commit cf0b08d0cd87ada9d284925834d08fb8026da888 upstream.
+
+The bit-2-doorbell reset method seemed to cause (survivable) NMIs
+on some systems and (unsurvivable) IOCK NMIs on some G7 servers.
+Firmware guys implemented a new doorbell method to alleviate these
+problems triggered by bit 5 of the doorbell register.  We want to
+use it if it's available.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c     |   25 ++++++++++++++++++++-----
+ drivers/scsi/hpsa_cmd.h |    2 ++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index dd30bfd..eece647 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3100,7 +3100,7 @@ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+ #define hpsa_noop(p) hpsa_message(p, 3, 0)
+ 
+ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+-	void * __iomem vaddr, bool use_doorbell)
++	void * __iomem vaddr, u32 use_doorbell)
+ {
+ 	u16 pmcsr;
+ 	int pos;
+@@ -3111,7 +3111,7 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ 		 * other way using the doorbell register.
+ 		 */
+ 		dev_info(&pdev->dev, "using doorbell to reset controller\n");
+-		writel(DOORBELL_CTLR_RESET, vaddr + SA5_DOORBELL);
++		writel(use_doorbell, vaddr + SA5_DOORBELL);
+ 		msleep(1000);
+ 	} else { /* Try to do it the PCI power state way */
+ 
+@@ -3215,7 +3215,7 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	u32 misc_fw_support;
+ 	int rc;
+ 	struct CfgTable __iomem *cfgtable;
+-	bool use_doorbell;
++	u32 use_doorbell;
+ 	u32 board_id;
+ 	u16 command_register;
+ 
+@@ -3278,9 +3278,24 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	if (rc)
+ 		goto unmap_vaddr;
+ 
+-	/* If reset via doorbell register is supported, use that. */
++	/* If reset via doorbell register is supported, use that.
++	 * There are two such methods.  Favor the newest method.
++	 */
+ 	misc_fw_support = readl(&cfgtable->misc_fw_support);
+-	use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET;
++	use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET2;
++	if (use_doorbell) {
++		use_doorbell = DOORBELL_CTLR_RESET2;
++	} else {
++		use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET;
++		if (use_doorbell) {
++			dev_warn(&pdev->dev, "Controller claims that "
++				"'Bit 2 doorbell reset' is "
++				"supported, but not 'bit 5 doorbell reset'.  "
++				"Firmware update is recommended.\n");
++			rc = -ENODEV;
++			goto unmap_cfgtable;
++		}
++	}
+ 
+ 	rc = hpsa_controller_hard_reset(pdev, vaddr, use_doorbell);
+ 	if (rc)
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 8fd35a7..55d741b 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -101,6 +101,7 @@
+ #define CFGTBL_ChangeReq        0x00000001l
+ #define CFGTBL_AccCmds          0x00000001l
+ #define DOORBELL_CTLR_RESET	0x00000004l
++#define DOORBELL_CTLR_RESET2	0x00000020l
+ 
+ #define CFGTBL_Trans_Simple     0x00000002l
+ #define CFGTBL_Trans_Performant 0x00000004l
+@@ -337,6 +338,7 @@ struct CfgTable {
+ 	u8		reserved[0x78 - 0x58];
+ 	u32		misc_fw_support; /* offset 0x78 */
+ #define			MISC_FW_DOORBELL_RESET (0x02)
++#define			MISC_FW_DOORBELL_RESET2 (0x010)
+ 	u8		driver_version[32];
+ };
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch)
@@ -0,0 +1,361 @@
+From 679d87a9511524282791dd411777a13a14ee5581 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:51 -0500
+Subject: [PATCH 114/136] hpsa: do soft reset if hard reset is broken
+
+commit 64670ac8702ec37a00ad6e479f3cacbde0fd4efa upstream.
+
+on driver load, if reset_devices is set, and the hard reset
+attempts fail, try to bring up the controller to the point that
+a command can be sent, and send it a soft reset command, then
+after the reset undo whatever driver initialization was done to get
+it to the point to take a command, and re-do it after the reset.
+
+This is to get kdump to work on all the "non-resettable" controllers
+(except 64xx controllers which can't be reset due to the potentially
+shared cache module.)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |  226 +++++++++++++++++++++++++++++++++++++++++++++++----
+ drivers/scsi/hpsa.h |    6 +-
+ 2 files changed, 216 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index eece647..71389ed 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2715,6 +2715,26 @@ static int hpsa_ioctl(struct scsi_device *dev, int cmd, void *arg)
+ 	}
+ }
+ 
++static int __devinit hpsa_send_host_reset(struct ctlr_info *h,
++	unsigned char *scsi3addr, u8 reset_type)
++{
++	struct CommandList *c;
++
++	c = cmd_alloc(h);
++	if (!c)
++		return -ENOMEM;
++	fill_cmd(c, HPSA_DEVICE_RESET_MSG, h, NULL, 0, 0,
++		RAID_CTLR_LUNID, TYPE_MSG);
++	c->Request.CDB[1] = reset_type; /* fill_cmd defaults to target reset */
++	c->waiting = NULL;
++	enqueue_cmd_and_start_io(h, c);
++	/* Don't wait for completion, the reset won't complete.  Don't free
++	 * the command either.  This is the last command we will send before
++	 * re-initializing everything, so it doesn't matter and won't leak.
++	 */
++	return 0;
++}
++
+ static void fill_cmd(struct CommandList *c, u8 cmd, struct ctlr_info *h,
+ 	void *buff, size_t size, u8 page_code, unsigned char *scsi3addr,
+ 	int cmd_type)
+@@ -2792,7 +2812,8 @@ static void fill_cmd(struct CommandList *c, u8 cmd, struct ctlr_info *h,
+ 			c->Request.Type.Attribute = ATTR_SIMPLE;
+ 			c->Request.Type.Direction = XFER_NONE;
+ 			c->Request.Timeout = 0; /* Don't time out */
+-			c->Request.CDB[0] =  0x01; /* RESET_MSG is 0x01 */
++			memset(&c->Request.CDB[0], 0, sizeof(c->Request.CDB));
++			c->Request.CDB[0] =  cmd;
+ 			c->Request.CDB[1] = 0x03;  /* Reset target above */
+ 			/* If bytes 4-7 are zero, it means reset the */
+ 			/* LunID device */
+@@ -2958,6 +2979,63 @@ static inline u32 process_nonindexed_cmd(struct ctlr_info *h,
+ 	return next_command(h);
+ }
+ 
++/* Some controllers, like p400, will give us one interrupt
++ * after a soft reset, even if we turned interrupts off.
++ * Only need to check for this in the hpsa_xxx_discard_completions
++ * functions.
++ */
++static int ignore_bogus_interrupt(struct ctlr_info *h)
++{
++	if (likely(!reset_devices))
++		return 0;
++
++	if (likely(h->interrupts_enabled))
++		return 0;
++
++	dev_info(&h->pdev->dev, "Received interrupt while interrupts disabled "
++		"(known firmware bug.)  Ignoring.\n");
++
++	return 1;
++}
++
++static irqreturn_t hpsa_intx_discard_completions(int irq, void *dev_id)
++{
++	struct ctlr_info *h = dev_id;
++	unsigned long flags;
++	u32 raw_tag;
++
++	if (ignore_bogus_interrupt(h))
++		return IRQ_NONE;
++
++	if (interrupt_not_for_us(h))
++		return IRQ_NONE;
++	spin_lock_irqsave(&h->lock, flags);
++	while (interrupt_pending(h)) {
++		raw_tag = get_next_completion(h);
++		while (raw_tag != FIFO_EMPTY)
++			raw_tag = next_command(h);
++	}
++	spin_unlock_irqrestore(&h->lock, flags);
++	return IRQ_HANDLED;
++}
++
++static irqreturn_t hpsa_msix_discard_completions(int irq, void *dev_id)
++{
++	struct ctlr_info *h = dev_id;
++	unsigned long flags;
++	u32 raw_tag;
++
++	if (ignore_bogus_interrupt(h))
++		return IRQ_NONE;
++
++	spin_lock_irqsave(&h->lock, flags);
++	raw_tag = get_next_completion(h);
++	while (raw_tag != FIFO_EMPTY)
++		raw_tag = next_command(h);
++	spin_unlock_irqrestore(&h->lock, flags);
++	return IRQ_HANDLED;
++}
++
+ static irqreturn_t do_hpsa_intr_intx(int irq, void *dev_id)
+ {
+ 	struct ctlr_info *h = dev_id;
+@@ -3096,7 +3174,6 @@ static __devinit int hpsa_message(struct pci_dev *pdev, unsigned char opcode,
+ 	return 0;
+ }
+ 
+-#define hpsa_soft_reset_controller(p) hpsa_message(p, 1, 0)
+ #define hpsa_noop(p) hpsa_message(p, 3, 0)
+ 
+ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+@@ -3292,7 +3369,7 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 				"'Bit 2 doorbell reset' is "
+ 				"supported, but not 'bit 5 doorbell reset'.  "
+ 				"Firmware update is recommended.\n");
+-			rc = -ENODEV;
++			rc = -ENOTSUPP; /* try soft reset */
+ 			goto unmap_cfgtable;
+ 		}
+ 	}
+@@ -3316,13 +3393,18 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	/* Wait for board to become not ready, then ready. */
+ 	dev_info(&pdev->dev, "Waiting for board to reset.\n");
+ 	rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_NOT_READY);
+-	if (rc)
++	if (rc) {
+ 		dev_warn(&pdev->dev,
+-			"failed waiting for board to reset\n");
++			"failed waiting for board to reset."
++			" Will try soft reset.\n");
++		rc = -ENOTSUPP; /* Not expected, but try soft reset later */
++		goto unmap_cfgtable;
++	}
+ 	rc = hpsa_wait_for_board_state(pdev, vaddr, BOARD_READY);
+ 	if (rc) {
+ 		dev_warn(&pdev->dev,
+-			"failed waiting for board to become ready\n");
++			"failed waiting for board to become ready "
++			"after hard reset\n");
+ 		goto unmap_cfgtable;
+ 	}
+ 
+@@ -3330,11 +3412,11 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	if (rc < 0)
+ 		goto unmap_cfgtable;
+ 	if (rc) {
+-		dev_warn(&pdev->dev, "Unable to successfully reset controller,"
+-			" Ignoring controller.\n");
+-		rc = -ENODEV;
++		dev_warn(&pdev->dev, "Unable to successfully reset "
++			"controller. Will try soft reset.\n");
++		rc = -ENOTSUPP;
+ 	} else {
+-		dev_info(&pdev->dev, "board ready.\n");
++		dev_info(&pdev->dev, "board ready after hard reset.\n");
+ 	}
+ 
+ unmap_cfgtable:
+@@ -3812,7 +3894,7 @@ static __devinit int hpsa_init_reset_devices(struct pci_dev *pdev)
+ 	 * due to concerns about shared bbwc between 6402/6404 pair.
+ 	 */
+ 	if (rc == -ENOTSUPP)
+-		return 0; /* just try to do the kdump anyhow. */
++		return rc; /* just try to do the kdump anyhow. */
+ 	if (rc)
+ 		return -ENODEV;
+ 
+@@ -3882,18 +3964,79 @@ static int hpsa_request_irq(struct ctlr_info *h,
+ 	return 0;
+ }
+ 
++static int __devinit hpsa_kdump_soft_reset(struct ctlr_info *h)
++{
++	if (hpsa_send_host_reset(h, RAID_CTLR_LUNID,
++		HPSA_RESET_TYPE_CONTROLLER)) {
++		dev_warn(&h->pdev->dev, "Resetting array controller failed.\n");
++		return -EIO;
++	}
++
++	dev_info(&h->pdev->dev, "Waiting for board to soft reset.\n");
++	if (hpsa_wait_for_board_state(h->pdev, h->vaddr, BOARD_NOT_READY)) {
++		dev_warn(&h->pdev->dev, "Soft reset had no effect.\n");
++		return -1;
++	}
++
++	dev_info(&h->pdev->dev, "Board reset, awaiting READY status.\n");
++	if (hpsa_wait_for_board_state(h->pdev, h->vaddr, BOARD_READY)) {
++		dev_warn(&h->pdev->dev, "Board failed to become ready "
++			"after soft reset.\n");
++		return -1;
++	}
++
++	return 0;
++}
++
++static void hpsa_undo_allocations_after_kdump_soft_reset(struct ctlr_info *h)
++{
++	free_irq(h->intr[h->intr_mode], h);
++#ifdef CONFIG_PCI_MSI
++	if (h->msix_vector)
++		pci_disable_msix(h->pdev);
++	else if (h->msi_vector)
++		pci_disable_msi(h->pdev);
++#endif /* CONFIG_PCI_MSI */
++	hpsa_free_sg_chain_blocks(h);
++	hpsa_free_cmd_pool(h);
++	kfree(h->blockFetchTable);
++	pci_free_consistent(h->pdev, h->reply_pool_size,
++		h->reply_pool, h->reply_pool_dhandle);
++	if (h->vaddr)
++		iounmap(h->vaddr);
++	if (h->transtable)
++		iounmap(h->transtable);
++	if (h->cfgtable)
++		iounmap(h->cfgtable);
++	pci_release_regions(h->pdev);
++	kfree(h);
++}
++
+ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 				    const struct pci_device_id *ent)
+ {
+ 	int dac, rc;
+ 	struct ctlr_info *h;
++	int try_soft_reset = 0;
++	unsigned long flags;
+ 
+ 	if (number_of_controllers == 0)
+ 		printk(KERN_INFO DRIVER_NAME "\n");
+ 
+ 	rc = hpsa_init_reset_devices(pdev);
+-	if (rc)
+-		return rc;
++	if (rc) {
++		if (rc != -ENOTSUPP)
++			return rc;
++		/* If the reset fails in a particular way (it has no way to do
++		 * a proper hard reset, so returns -ENOTSUPP) we can try to do
++		 * a soft reset once we get the controller configured up to the
++		 * point that it can accept a command.
++		 */
++		try_soft_reset = 1;
++		rc = 0;
++	}
++
++reinit_after_soft_reset:
+ 
+ 	/* Command structures must be aligned on a 32-byte boundary because
+ 	 * the 5 lower bits of the address are used by the hardware. and by
+@@ -3953,11 +4096,66 @@ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 	h->ndevices = 0;
+ 	h->scsi_host = NULL;
+ 	spin_lock_init(&h->devlock);
++	hpsa_put_ctlr_into_performant_mode(h);
++
++	/* At this point, the controller is ready to take commands.
++	 * Now, if reset_devices and the hard reset didn't work, try
++	 * the soft reset and see if that works.
++	 */
++	if (try_soft_reset) {
++
++		/* This is kind of gross.  We may or may not get a completion
++		 * from the soft reset command, and if we do, then the value
++		 * from the fifo may or may not be valid.  So, we wait 10 secs
++		 * after the reset throwing away any completions we get during
++		 * that time.  Unregister the interrupt handler and register
++		 * fake ones to scoop up any residual completions.
++		 */
++		spin_lock_irqsave(&h->lock, flags);
++		h->access.set_intr_mask(h, HPSA_INTR_OFF);
++		spin_unlock_irqrestore(&h->lock, flags);
++		free_irq(h->intr[h->intr_mode], h);
++		rc = hpsa_request_irq(h, hpsa_msix_discard_completions,
++					hpsa_intx_discard_completions);
++		if (rc) {
++			dev_warn(&h->pdev->dev, "Failed to request_irq after "
++				"soft reset.\n");
++			goto clean4;
++		}
++
++		rc = hpsa_kdump_soft_reset(h);
++		if (rc)
++			/* Neither hard nor soft reset worked, we're hosed. */
++			goto clean4;
++
++		dev_info(&h->pdev->dev, "Board READY.\n");
++		dev_info(&h->pdev->dev,
++			"Waiting for stale completions to drain.\n");
++		h->access.set_intr_mask(h, HPSA_INTR_ON);
++		msleep(10000);
++		h->access.set_intr_mask(h, HPSA_INTR_OFF);
++
++		rc = controller_reset_failed(h->cfgtable);
++		if (rc)
++			dev_info(&h->pdev->dev,
++				"Soft reset appears to have failed.\n");
++
++		/* since the controller's reset, we have to go back and re-init
++		 * everything.  Easiest to just forget what we've done and do it
++		 * all over again.
++		 */
++		hpsa_undo_allocations_after_kdump_soft_reset(h);
++		try_soft_reset = 0;
++		if (rc)
++			/* don't go to clean4, we already unallocated */
++			return -ENODEV;
++
++		goto reinit_after_soft_reset;
++	}
+ 
+ 	/* Turn the interrupts on so we can service requests */
+ 	h->access.set_intr_mask(h, HPSA_INTR_ON);
+ 
+-	hpsa_put_ctlr_into_performant_mode(h);
+ 	hpsa_hba_inquiry(h);
+ 	hpsa_register_scsi(h);	/* hook ourselves into SCSI subsystem */
+ 	h->busy_initializing = 0;
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index b1412a7..6d8dcd4 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -127,8 +127,10 @@ struct ctlr_info {
+ };
+ #define HPSA_ABORT_MSG 0
+ #define HPSA_DEVICE_RESET_MSG 1
+-#define HPSA_BUS_RESET_MSG 2
+-#define HPSA_HOST_RESET_MSG 3
++#define HPSA_RESET_TYPE_CONTROLLER 0x00
++#define HPSA_RESET_TYPE_BUS 0x01
++#define HPSA_RESET_TYPE_TARGET 0x03
++#define HPSA_RESET_TYPE_LUN 0x04
+ #define HPSA_MSG_SEND_RETRY_LIMIT 10
+ #define HPSA_MSG_SEND_RETRY_INTERVAL_MSECS (10000)
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch)
@@ -0,0 +1,35 @@
+From 74ea21428ef9fbf84f6c4ee2cf3f8eb576cb31a6 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 14:59:56 -0500
+Subject: [PATCH 115/136] hpsa: remove superfluous sleeps around reset code
+
+commit dfc2224828c5fc4ec7e11587b9d6b97283aa2d01 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 71389ed..518dd07 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3189,7 +3189,6 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ 		 */
+ 		dev_info(&pdev->dev, "using doorbell to reset controller\n");
+ 		writel(use_doorbell, vaddr + SA5_DOORBELL);
+-		msleep(1000);
+ 	} else { /* Try to do it the PCI power state way */
+ 
+ 		/* Quoting from the Open CISS Specification: "The Power
+@@ -3220,8 +3219,6 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ 		pmcsr &= ~PCI_PM_CTRL_STATE_MASK;
+ 		pmcsr |= PCI_D0;
+ 		pci_write_config_word(pdev, pos + PCI_PM_CTRL, pmcsr);
+-
+-		msleep(500);
+ 	}
+ 	return 0;
+ }

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch)
@@ -0,0 +1,113 @@
+From 048a06e370eb474566f59cafea6af8df80456673 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 15:00:01 -0500
+Subject: [PATCH 116/136] hpsa: do not attempt PCI power management reset
+ method if we know it won't work.
+
+commit 4638078697574be43816779845e26bf05ae70d9d upstream.
+
+Just go straight to the soft-reset method instead.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |   52 +++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 38 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 518dd07..70a35a0 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -265,7 +265,7 @@ static ssize_t host_show_transport_mode(struct device *dev,
+ 			"performant" : "simple");
+ }
+ 
+-/* List of controllers which cannot be reset on kexec with reset_devices */
++/* List of controllers which cannot be hard reset on kexec with reset_devices */
+ static u32 unresettable_controller[] = {
+ 	0x324a103C, /* Smart Array P712m */
+ 	0x324b103C, /* SmartArray P711m */
+@@ -283,16 +283,45 @@ static u32 unresettable_controller[] = {
+ 	0x409D0E11, /* Smart Array 6400 EM */
+ };
+ 
+-static int ctlr_is_resettable(struct ctlr_info *h)
++/* List of controllers which cannot even be soft reset */
++static u32 soft_unresettable_controller[] = {
++	/* Exclude 640x boards.  These are two pci devices in one slot
++	 * which share a battery backed cache module.  One controls the
++	 * cache, the other accesses the cache through the one that controls
++	 * it.  If we reset the one controlling the cache, the other will
++	 * likely not be happy.  Just forbid resetting this conjoined mess.
++	 * The 640x isn't really supported by hpsa anyway.
++	 */
++	0x409C0E11, /* Smart Array 6400 */
++	0x409D0E11, /* Smart Array 6400 EM */
++};
++
++static int ctlr_is_hard_resettable(u32 board_id)
+ {
+ 	int i;
+ 
+ 	for (i = 0; i < ARRAY_SIZE(unresettable_controller); i++)
+-		if (unresettable_controller[i] == h->board_id)
++		if (unresettable_controller[i] == board_id)
++			return 0;
++	return 1;
++}
++
++static int ctlr_is_soft_resettable(u32 board_id)
++{
++	int i;
++
++	for (i = 0; i < ARRAY_SIZE(soft_unresettable_controller); i++)
++		if (soft_unresettable_controller[i] == board_id)
+ 			return 0;
+ 	return 1;
+ }
+ 
++static int ctlr_is_resettable(u32 board_id)
++{
++	return ctlr_is_hard_resettable(board_id) ||
++		ctlr_is_soft_resettable(board_id);
++}
++
+ static ssize_t host_show_resettable(struct device *dev,
+ 	struct device_attribute *attr, char *buf)
+ {
+@@ -300,7 +329,7 @@ static ssize_t host_show_resettable(struct device *dev,
+ 	struct Scsi_Host *shost = class_to_shost(dev);
+ 
+ 	h = shost_to_hba(shost);
+-	return snprintf(buf, 20, "%d\n", ctlr_is_resettable(h));
++	return snprintf(buf, 20, "%d\n", ctlr_is_resettable(h->board_id));
+ }
+ 
+ static inline int is_logical_dev_addr_mode(unsigned char scsi3addr[])
+@@ -3306,20 +3335,15 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	 * using the doorbell register.
+ 	 */
+ 
+-	/* Exclude 640x boards.  These are two pci devices in one slot
+-	 * which share a battery backed cache module.  One controls the
+-	 * cache, the other accesses the cache through the one that controls
+-	 * it.  If we reset the one controlling the cache, the other will
+-	 * likely not be happy.  Just forbid resetting this conjoined mess.
+-	 * The 640x isn't really supported by hpsa anyway.
+-	 */
+ 	rc = hpsa_lookup_board_id(pdev, &board_id);
+-	if (rc < 0) {
++	if (rc < 0 || !ctlr_is_resettable(board_id)) {
+ 		dev_warn(&pdev->dev, "Not resetting device.\n");
+ 		return -ENODEV;
+ 	}
+-	if (board_id == 0x409C0E11 || board_id == 0x409D0E11)
+-		return -ENOTSUPP;
++
++	/* if controller is soft- but not hard resettable... */
++	if (!ctlr_is_hard_resettable(board_id))
++		return -ENOTSUPP; /* try soft reset later. */
+ 
+ 	/* Save the PCI command register */
+ 	pci_read_config_word(pdev, 4, &command_register);

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch)
@@ -0,0 +1,26 @@
+From 6d7872997a66af084ac19cf49878564bba217e23 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 3 May 2011 15:00:07 -0500
+Subject: [PATCH 117/136] hpsa: add P2000 to list of shared SAS devices
+
+commit fda38518f236cbd965110938e324f6c6fcc91f38 upstream.
+
+Signed-off-by: Scott Teel <scott.stacy.teel at hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 70a35a0..d5bd28a 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1582,6 +1582,7 @@ static unsigned char *msa2xxx_model[] = {
+ 	"MSA2024",
+ 	"MSA2312",
+ 	"MSA2324",
++	"P2000 G3 SAS",
+ 	NULL,
+ };
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch)
@@ -0,0 +1,42 @@
+From e6a95e129df6f74d862606175853f9dafb57f603 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe at perches.com>
+Date: Sun, 8 May 2011 23:32:40 -0700
+Subject: [PATCH 118/136] hpsa: Change memset using sizeof(ptr) to
+ sizeof(*ptr)
+
+commit 7630abd0c690e90cea9412846f596fe1565aaa0e upstream.
+
+Not at all sure this is correct or appropriate to change,
+but this seems odd.
+
+Found via coccinelle script
+
+@@
+type T;
+T* ptr;
+expression E1;
+@@
+
+* memset(E1, 0, sizeof(ptr));
+
+Signed-off-by: Joe Perches <joe at perches.com>
+Acked-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <jbottomley at parallels.com>
+Signed-off-by: James Bottomley <James.Bottomley at suse.de>
+---
+ drivers/scsi/hpsa.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index d5bd28a..7592975 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1320,7 +1320,7 @@ static void hpsa_scsi_do_simple_cmd_with_retry(struct ctlr_info *h,
+ 	int retry_count = 0;
+ 
+ 	do {
+-		memset(c->err_info, 0, sizeof(c->err_info));
++		memset(c->err_info, 0, sizeof(*c->err_info));
+ 		hpsa_scsi_do_simple_cmd_core(h, c);
+ 		retry_count++;
+ 	} while (check_for_unit_attention(h, c) && retry_count <= 3);

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch)
@@ -0,0 +1,27 @@
+From 5ac805964e5192d41f39fa7695a19a34a9633991 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Fri, 3 Jun 2011 09:57:29 -0500
+Subject: [PATCH 119/136] hpsa: fix dma unmap error in hpsa_passthru_ioctl
+
+commit c2dd32e02648d77466f320d6edd157b5080e7c99 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 7592975..ffb555c3 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2552,7 +2552,8 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ 		c->SG[0].Ext = 0; /* we are not chaining*/
+ 	}
+ 	hpsa_scsi_do_simple_cmd_core(h, c);
+-	hpsa_pci_unmap(h->pdev, c, 1, PCI_DMA_BIDIRECTIONAL);
++	if (iocommand.buf_size > 0)
++		hpsa_pci_unmap(h->pdev, c, 1, PCI_DMA_BIDIRECTIONAL);
+ 	check_ioctl_unit_attention(h, c);
+ 
+ 	/* Copy the error information out */

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch)
@@ -0,0 +1,62 @@
+From 1cf4a81224ce81d9da2d745ed755f1ad5e5cda27 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Fri, 3 Jun 2011 09:57:34 -0500
+Subject: [PATCH 120/136] hpsa: fix potential overrun while memcpy'ing sense
+ data
+
+commit db111e18ec19bbadbf44a60f73bf2ff5991dc915 upstream.
+
+This memcpy:
+
+   memcpy(cmd->sense_buffer, ei->SenseInfo,
+	   ei->SenseLen > SCSI_SENSE_BUFFERSIZE ?
+		   SCSI_SENSE_BUFFERSIZE :
+		   ei->SenseLen);
+
+The ei->SenseLen field is filled in by the Smart Array.  For requests to
+logical drives, it will not exceed 32 bytes, so should be ok, but for physical
+requests it depends on the target device, not the Smart Array.  It's conceivable
+that this could exceed the 32 byte size of ei->SenseInfo.  In that case, the memcpy
+would read past the end of ei->SenseInfo, copying data from the next command,
+as if it were sense data, or, if it happened to be the very last command in the
+block of allocated commands, could fall off the end of the allocated area and
+crash.  I'm not aware of anyone ever encountering this behavior, but it could
+conceivably happen.  This bug was found by Coverity.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index ffb555c3..2eff302 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1028,6 +1028,7 @@ static void complete_scsi_command(struct CommandList *cp)
+ 	unsigned char sense_key;
+ 	unsigned char asc;      /* additional sense code */
+ 	unsigned char ascq;     /* additional sense code qualifier */
++	unsigned long sense_data_size;
+ 
+ 	ei = cp->err_info;
+ 	cmd = (struct scsi_cmnd *) cp->scsi_cmd;
+@@ -1042,10 +1043,14 @@ static void complete_scsi_command(struct CommandList *cp)
+ 	cmd->result |= ei->ScsiStatus;
+ 
+ 	/* copy the sense data whether we need to or not. */
+-	memcpy(cmd->sense_buffer, ei->SenseInfo,
+-		ei->SenseLen > SCSI_SENSE_BUFFERSIZE ?
+-			SCSI_SENSE_BUFFERSIZE :
+-			ei->SenseLen);
++	if (SCSI_SENSE_BUFFERSIZE < sizeof(ei->SenseInfo))
++		sense_data_size = SCSI_SENSE_BUFFERSIZE;
++	else
++		sense_data_size = sizeof(ei->SenseInfo);
++	if (ei->SenseLen < sense_data_size)
++		sense_data_size = ei->SenseLen;
++
++	memcpy(cmd->sense_buffer, ei->SenseInfo, sense_data_size);
+ 	scsi_set_resid(cmd, ei->ResidualCnt);
+ 
+ 	if (ei->CommandStatus == 0) {

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch)
@@ -0,0 +1,31 @@
+From ce9532c00d55dec1fb71bca497e6bb0fccabc31e Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 21 Jul 2011 13:16:05 -0500
+Subject: [PATCH 121/136] hpsa: do not attempt to read from a write-only
+ register
+
+commit fec62c368b9c8b05d5124ca6c3b8336b537f26f3 upstream.
+
+Most smartarrays tolerate it, but a few new ones don't.
+Without this change some newer Smart Arrays will lock up
+and i/o will grind to a halt.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 6d8dcd4..7f53ceaa 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -214,7 +214,7 @@ static void SA5_submit_command(struct ctlr_info *h,
+ 	dev_dbg(&h->pdev->dev, "Sending %x, tag = %x\n", c->busaddr,
+ 		c->Header.Tag.lower);
+ 	writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET);
+-	(void) readl(h->vaddr + SA5_REQUEST_PORT_OFFSET);
++	(void) readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
+ 	h->commands_outstanding++;
+ 	if (h->commands_outstanding > h->max_outstanding)
+ 		h->max_outstanding = h->commands_outstanding;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch)
@@ -0,0 +1,35 @@
+From 401be4064af671b528803b7867ffeeb078130780 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 26 Jul 2011 11:08:52 -0500
+Subject: [PATCH 122/136] hpsa: retry commands completing with status of
+ UNSOLICITED_ABORT
+
+commit f6e76055ba778c56716ba79e106db28297775e87 upstream.
+
+In a shared SAS setup, target devices may be reset by one of
+several hosts, and outstanding commands on that device will be
+completed to corresponding hosts with status of UNSOLICITED_ABORT.
+Such commands should be retried instead of being treated as i/o
+errors.  Also fixed a nearby spelling error.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 2eff302..8b3a238 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1210,8 +1210,8 @@ static void complete_scsi_command(struct CommandList *cp)
+ 		dev_warn(&h->pdev->dev, "cp %p reports abort failed\n", cp);
+ 		break;
+ 	case CMD_UNSOLICITED_ABORT:
+-		cmd->result = DID_RESET << 16;
+-		dev_warn(&h->pdev->dev, "cp %p aborted do to an unsolicited "
++		cmd->result = DID_SOFT_ERROR << 16; /* retry the command */
++		dev_warn(&h->pdev->dev, "cp %p aborted due to an unsolicited "
+ 			"abort\n", cp);
+ 		break;
+ 	case CMD_TIMEOUT:

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch)
@@ -0,0 +1,145 @@
+From 294be65bc3311f1b733693d55155e06ce94c7bff Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 9 Aug 2011 08:17:30 -0500
+Subject: [PATCH 123/136] hpsa: fix problem that OBDR devices are not detected
+
+commit 0b0e1d6cbcc8627970e0399df8f06edd690ec7d9 upstream.
+
+The test to detect OBDR ("One Button Disaster Recovery")
+cd-rom devices was comparing against uninitialized data.
+
+Fixed by moving the test for the device to where the
+inquiry data is collected, and uninitialized variable
+altogether as it wasn't really being used.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |   47 +++++++++++++++++++++++++++--------------------
+ 1 file changed, 27 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 8b3a238..91f4d9c 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1539,10 +1539,17 @@ static inline void hpsa_set_bus_target_lun(struct hpsa_scsi_dev_t *device,
+ }
+ 
+ static int hpsa_update_device_info(struct ctlr_info *h,
+-	unsigned char scsi3addr[], struct hpsa_scsi_dev_t *this_device)
++	unsigned char scsi3addr[], struct hpsa_scsi_dev_t *this_device,
++	unsigned char *is_OBDR_device)
+ {
+-#define OBDR_TAPE_INQ_SIZE 49
++
++#define OBDR_SIG_OFFSET 43
++#define OBDR_TAPE_SIG "$DR-10"
++#define OBDR_SIG_LEN (sizeof(OBDR_TAPE_SIG) - 1)
++#define OBDR_TAPE_INQ_SIZE (OBDR_SIG_OFFSET + OBDR_SIG_LEN)
++
+ 	unsigned char *inq_buff;
++	unsigned char *obdr_sig;
+ 
+ 	inq_buff = kzalloc(OBDR_TAPE_INQ_SIZE, GFP_KERNEL);
+ 	if (!inq_buff)
+@@ -1574,6 +1581,16 @@ static int hpsa_update_device_info(struct ctlr_info *h,
+ 	else
+ 		this_device->raid_level = RAID_UNKNOWN;
+ 
++	if (is_OBDR_device) {
++		/* See if this is a One-Button-Disaster-Recovery device
++		 * by looking for "$DR-10" at offset 43 in inquiry data.
++		 */
++		obdr_sig = &inq_buff[OBDR_SIG_OFFSET];
++		*is_OBDR_device = (this_device->devtype == TYPE_ROM &&
++					strncmp(obdr_sig, OBDR_TAPE_SIG,
++						OBDR_SIG_LEN) == 0);
++	}
++
+ 	kfree(inq_buff);
+ 	return 0;
+ 
+@@ -1707,7 +1724,7 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h,
+ 		return 0;
+ 	}
+ 
+-	if (hpsa_update_device_info(h, scsi3addr, this_device))
++	if (hpsa_update_device_info(h, scsi3addr, this_device, NULL))
+ 		return 0;
+ 	(*nmsa2xxx_enclosures)++;
+ 	hpsa_set_bus_target_lun(this_device, bus, target, 0);
+@@ -1799,7 +1816,6 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ 	 */
+ 	struct ReportLUNdata *physdev_list = NULL;
+ 	struct ReportLUNdata *logdev_list = NULL;
+-	unsigned char *inq_buff = NULL;
+ 	u32 nphysicals = 0;
+ 	u32 nlogicals = 0;
+ 	u32 ndev_allocated = 0;
+@@ -1815,11 +1831,9 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ 		GFP_KERNEL);
+ 	physdev_list = kzalloc(reportlunsize, GFP_KERNEL);
+ 	logdev_list = kzalloc(reportlunsize, GFP_KERNEL);
+-	inq_buff = kmalloc(OBDR_TAPE_INQ_SIZE, GFP_KERNEL);
+ 	tmpdevice = kzalloc(sizeof(*tmpdevice), GFP_KERNEL);
+ 
+-	if (!currentsd || !physdev_list || !logdev_list ||
+-		!inq_buff || !tmpdevice) {
++	if (!currentsd || !physdev_list || !logdev_list || !tmpdevice) {
+ 		dev_err(&h->pdev->dev, "out of memory\n");
+ 		goto out;
+ 	}
+@@ -1854,7 +1868,7 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ 	/* adjust our table of devices */
+ 	nmsa2xxx_enclosures = 0;
+ 	for (i = 0; i < nphysicals + nlogicals + 1; i++) {
+-		u8 *lunaddrbytes;
++		u8 *lunaddrbytes, is_OBDR = 0;
+ 
+ 		/* Figure out where the LUN ID info is coming from */
+ 		lunaddrbytes = figure_lunaddrbytes(h, raid_ctlr_position,
+@@ -1865,7 +1879,8 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ 			continue;
+ 
+ 		/* Get device type, vendor, model, device id */
+-		if (hpsa_update_device_info(h, lunaddrbytes, tmpdevice))
++		if (hpsa_update_device_info(h, lunaddrbytes, tmpdevice,
++							&is_OBDR))
+ 			continue; /* skip it if we can't talk to it. */
+ 		figure_bus_target_lun(h, lunaddrbytes, &bus, &target, &lun,
+ 			tmpdevice);
+@@ -1889,7 +1904,7 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ 		hpsa_set_bus_target_lun(this_device, bus, target, lun);
+ 
+ 		switch (this_device->devtype) {
+-		case TYPE_ROM: {
++		case TYPE_ROM:
+ 			/* We don't *really* support actual CD-ROM devices,
+ 			 * just "One Button Disaster Recovery" tape drive
+ 			 * which temporarily pretends to be a CD-ROM drive.
+@@ -1897,15 +1912,8 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ 			 * device by checking for "$DR-10" in bytes 43-48 of
+ 			 * the inquiry data.
+ 			 */
+-				char obdr_sig[7];
+-#define OBDR_TAPE_SIG "$DR-10"
+-				strncpy(obdr_sig, &inq_buff[43], 6);
+-				obdr_sig[6] = '\0';
+-				if (strncmp(obdr_sig, OBDR_TAPE_SIG, 6) != 0)
+-					/* Not OBDR device, ignore it. */
+-					break;
+-			}
+-			ncurrent++;
++			if (is_OBDR)
++				ncurrent++;
+ 			break;
+ 		case TYPE_DISK:
+ 			if (i < nphysicals)
+@@ -1938,7 +1946,6 @@ out:
+ 	for (i = 0; i < ndev_allocated; i++)
+ 		kfree(currentsd[i]);
+ 	kfree(currentsd);
+-	kfree(inq_buff);
+ 	kfree(physdev_list);
+ 	kfree(logdev_list);
+ }

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch)
@@ -0,0 +1,45 @@
+From 2fc73aeb60fbbbb7b3f709174a46b1fa0b5f4816 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 9 Aug 2011 08:18:01 -0500
+Subject: [PATCH 124/136] hpsa: fix physical device lun and target numbering
+ problem
+
+commit 01350d05539d1c95ef3568d062d864ab76ae7670 upstream.
+
+If a physical device exposed to the OS by hpsa
+is replaced (e.g. one hot plug tape drive is replaced
+by another, or a tape drive is placed into "OBDR" mode
+in which it acts like a CD-ROM device) and a rescan is
+initiated, the replaced device will be added to the
+SCSI midlayer with target and lun numbers set to -1.
+After that, a panic is likely to ensue.  When a physical
+device is replaced, the lun and target number should be
+preserved.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 91f4d9c..f0f2f2c 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -667,6 +667,16 @@ static void hpsa_scsi_replace_entry(struct ctlr_info *h, int hostno,
+ 	BUG_ON(entry < 0 || entry >= HPSA_MAX_SCSI_DEVS_PER_HBA);
+ 	removed[*nremoved] = h->dev[entry];
+ 	(*nremoved)++;
++
++	/*
++	 * New physical devices won't have target/lun assigned yet
++	 * so we need to preserve the values in the slot we are replacing.
++	 */
++	if (new_entry->target == -1) {
++		new_entry->target = h->dev[entry]->target;
++		new_entry->lun = h->dev[entry]->lun;
++	}
++
+ 	h->dev[entry] = new_entry;
+ 	added[*nadded] = new_entry;
+ 	(*nadded)++;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch)
@@ -0,0 +1,40 @@
+From dfab1ab22543a45ff50b22fdd4bf000cabf1d7d4 Mon Sep 17 00:00:00 2001
+From: Mike Miller <mike.miller at hp.com>
+Date: Thu, 13 Oct 2011 11:44:06 -0500
+Subject: [PATCH 125/136] hpsa: change confusing message to be more clear
+
+commit fba63097b8614a4a158226c02eec0318f41cd24f upstream.
+
+The following warning message may be confusing to some users:
+
+dev_warn(&pdev->dev, "Controller claims that "
+		"'Bit 2 doorbell reset' is "
+		"supported, but not 'bit 5 doorbell reset'.  "
+		"Firmware update is recommended.\n");
+
+Most users don't know or care what bit we may be hitting. Also change
+"recommended" to "required."
+
+Signed-off-by: Mike Miller <mike.miller at hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index f0f2f2c..efddc2e 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3410,10 +3410,8 @@ static __devinit int hpsa_kdump_hard_reset_controller(struct pci_dev *pdev)
+ 	} else {
+ 		use_doorbell = misc_fw_support & MISC_FW_DOORBELL_RESET;
+ 		if (use_doorbell) {
+-			dev_warn(&pdev->dev, "Controller claims that "
+-				"'Bit 2 doorbell reset' is "
+-				"supported, but not 'bit 5 doorbell reset'.  "
+-				"Firmware update is recommended.\n");
++			dev_warn(&pdev->dev, "Soft reset not supported. "
++				"Firmware update is required.\n");
+ 			rc = -ENOTSUPP; /* try soft reset */
+ 			goto unmap_cfgtable;
+ 		}

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch)
@@ -0,0 +1,36 @@
+From 51f0555d32145fee9bf450a9dcb6ce88c54f3196 Mon Sep 17 00:00:00 2001
+From: Mike Miller <mike.miller at hp.com>
+Date: Fri, 21 Oct 2011 08:19:43 +0200
+Subject: [PATCH 126/136] hpsa: add small delay when using PCI Power
+ Management to reset for kump
+
+commit c4853efec665134b2e6fc9c13447323240980351 upstream.
+
+The P600 requires a small delay when changing states. Otherwise we may think
+the board did not reset and we bail. This for kdump only and is particular
+to the P600.
+
+Signed-off-by: Mike Miller <mike.miller at hp.com>
+Signed-off-by: Jens Axboe <axboe at kernel.dk>
+---
+ drivers/scsi/hpsa.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index efddc2e..ac63093 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3272,6 +3272,13 @@ static int hpsa_controller_hard_reset(struct pci_dev *pdev,
+ 		pmcsr &= ~PCI_PM_CTRL_STATE_MASK;
+ 		pmcsr |= PCI_D0;
+ 		pci_write_config_word(pdev, pos + PCI_PM_CTRL, pmcsr);
++
++		/*
++		 * The P600 requires a small delay when changing states.
++		 * Otherwise we may think the board did not reset and we bail.
++		 * This for kdump only and is particular to the P600.
++		 */
++		msleep(500);
+ 	}
+ 	return 0;
+ }

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch)
@@ -0,0 +1,29 @@
+From 2635d44221632c7855e6e1c33bccaf8fb4441127 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 26 Oct 2011 16:20:53 -0500
+Subject: [PATCH 127/136] hpsa: set max sectors instead of taking the default
+
+commit c0d6a4d17b3848750b0285861b7a807811a0cfa6 upstream.
+
+Set the max hardware sectors in the SCSI host template to 8192
+to allow for larger i/o's (8192 is the same limit the cciss
+driver currently has.)
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index ac63093..b98d507 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -475,6 +475,7 @@ static struct scsi_host_template hpsa_driver_template = {
+ #endif
+ 	.sdev_attrs = hpsa_sdev_attrs,
+ 	.shost_attrs = hpsa_shost_attrs,
++	.max_sectors = 8192,
+ };
+ 
+ 

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch)
@@ -0,0 +1,56 @@
+From 0159e4f4ed46880a00975a566db680527ccf80cc Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 26 Oct 2011 16:20:58 -0500
+Subject: [PATCH 128/136] hpsa: remove unused busy_initializing and
+ busy_scanning
+
+commit 03ab31f4c14f259bfa160543c83dbfd93d6fb3e2 upstream.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |    3 ---
+ drivers/scsi/hpsa.h |    2 --
+ 2 files changed, 5 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index b98d507..64a8ec4 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -4100,7 +4100,6 @@ reinit_after_soft_reset:
+ 		return -ENOMEM;
+ 
+ 	h->pdev = pdev;
+-	h->busy_initializing = 1;
+ 	h->intr_mode = hpsa_simple_mode ? SIMPLE_MODE_INT : PERF_MODE_INT;
+ 	INIT_LIST_HEAD(&h->cmpQ);
+ 	INIT_LIST_HEAD(&h->reqQ);
+@@ -4209,7 +4208,6 @@ reinit_after_soft_reset:
+ 
+ 	hpsa_hba_inquiry(h);
+ 	hpsa_register_scsi(h);	/* hook ourselves into SCSI subsystem */
+-	h->busy_initializing = 0;
+ 	return 1;
+ 
+ clean4:
+@@ -4218,7 +4216,6 @@ clean4:
+ 	free_irq(h->intr[h->intr_mode], h);
+ clean2:
+ clean1:
+-	h->busy_initializing = 0;
+ 	kfree(h);
+ 	return rc;
+ }
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 7f53ceaa..111b79e 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -95,8 +95,6 @@ struct ctlr_info {
+ 	unsigned long  		*cmd_pool_bits;
+ 	int			nr_allocs;
+ 	int			nr_frees;
+-	int			busy_initializing;
+-	int			busy_scanning;
+ 	int			scan_finished;
+ 	spinlock_t		scan_lock;
+ 	wait_queue_head_t	scan_wait_queue;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch)
@@ -0,0 +1,115 @@
+From 307b9ca1a1e7a9830131379487b593060e93fecb Mon Sep 17 00:00:00 2001
+From: Scott Teel <scott.teel at hp.com>
+Date: Wed, 26 Oct 2011 16:21:07 -0500
+Subject: [PATCH 129/136] hpsa: rename HPSA_MAX_SCSI_DEVS_PER_HBA
+
+commit cfe5badcab2e993e71ebebbc07c21c270e5580c0 upstream.
+
+Rename HPSA_MAX_SCSI_DEVS_PER_HBA to HPSA_MAX_DEVICES
+
+Signed-off-by: Scott Teel <scott.teel at hp.com>
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |   23 ++++++++++-------------
+ drivers/scsi/hpsa.h |    4 ++--
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 64a8ec4..62e87fa 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -558,16 +558,16 @@ static int hpsa_find_target_lun(struct ctlr_info *h,
+ 	 * assumes h->devlock is held
+ 	 */
+ 	int i, found = 0;
+-	DECLARE_BITMAP(lun_taken, HPSA_MAX_SCSI_DEVS_PER_HBA);
++	DECLARE_BITMAP(lun_taken, HPSA_MAX_DEVICES);
+ 
+-	memset(&lun_taken[0], 0, HPSA_MAX_SCSI_DEVS_PER_HBA >> 3);
++	memset(&lun_taken[0], 0, HPSA_MAX_DEVICES >> 3);
+ 
+ 	for (i = 0; i < h->ndevices; i++) {
+ 		if (h->dev[i]->bus == bus && h->dev[i]->target != -1)
+ 			set_bit(h->dev[i]->target, lun_taken);
+ 	}
+ 
+-	for (i = 0; i < HPSA_MAX_SCSI_DEVS_PER_HBA; i++) {
++	for (i = 0; i < HPSA_MAX_DEVICES; i++) {
+ 		if (!test_bit(i, lun_taken)) {
+ 			/* *bus = 1; */
+ 			*target = i;
+@@ -590,7 +590,7 @@ static int hpsa_scsi_add_entry(struct ctlr_info *h, int hostno,
+ 	unsigned char addr1[8], addr2[8];
+ 	struct hpsa_scsi_dev_t *sd;
+ 
+-	if (n >= HPSA_MAX_SCSI_DEVS_PER_HBA) {
++	if (n >= HPSA_MAX_DEVICES) {
+ 		dev_err(&h->pdev->dev, "too many devices, some will be "
+ 			"inaccessible.\n");
+ 		return -1;
+@@ -665,7 +665,7 @@ static void hpsa_scsi_replace_entry(struct ctlr_info *h, int hostno,
+ 	struct hpsa_scsi_dev_t *removed[], int *nremoved)
+ {
+ 	/* assumes h->devlock is held */
+-	BUG_ON(entry < 0 || entry >= HPSA_MAX_SCSI_DEVS_PER_HBA);
++	BUG_ON(entry < 0 || entry >= HPSA_MAX_DEVICES);
+ 	removed[*nremoved] = h->dev[entry];
+ 	(*nremoved)++;
+ 
+@@ -694,7 +694,7 @@ static void hpsa_scsi_remove_entry(struct ctlr_info *h, int hostno, int entry,
+ 	int i;
+ 	struct hpsa_scsi_dev_t *sd;
+ 
+-	BUG_ON(entry < 0 || entry >= HPSA_MAX_SCSI_DEVS_PER_HBA);
++	BUG_ON(entry < 0 || entry >= HPSA_MAX_DEVICES);
+ 
+ 	sd = h->dev[entry];
+ 	removed[*nremoved] = h->dev[entry];
+@@ -806,10 +806,8 @@ static void adjust_hpsa_scsi_table(struct ctlr_info *h, int hostno,
+ 	int nadded, nremoved;
+ 	struct Scsi_Host *sh = NULL;
+ 
+-	added = kzalloc(sizeof(*added) * HPSA_MAX_SCSI_DEVS_PER_HBA,
+-		GFP_KERNEL);
+-	removed = kzalloc(sizeof(*removed) * HPSA_MAX_SCSI_DEVS_PER_HBA,
+-		GFP_KERNEL);
++	added = kzalloc(sizeof(*added) * HPSA_MAX_DEVICES, GFP_KERNEL);
++	removed = kzalloc(sizeof(*removed) * HPSA_MAX_DEVICES, GFP_KERNEL);
+ 
+ 	if (!added || !removed) {
+ 		dev_warn(&h->pdev->dev, "out of memory in "
+@@ -1838,8 +1836,7 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ 	int raid_ctlr_position;
+ 	DECLARE_BITMAP(lunzerobits, HPSA_MAX_TARGETS_PER_CTLR);
+ 
+-	currentsd = kzalloc(sizeof(*currentsd) * HPSA_MAX_SCSI_DEVS_PER_HBA,
+-		GFP_KERNEL);
++	currentsd = kzalloc(sizeof(*currentsd) * HPSA_MAX_DEVICES, GFP_KERNEL);
+ 	physdev_list = kzalloc(reportlunsize, GFP_KERNEL);
+ 	logdev_list = kzalloc(reportlunsize, GFP_KERNEL);
+ 	tmpdevice = kzalloc(sizeof(*tmpdevice), GFP_KERNEL);
+@@ -1948,7 +1945,7 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ 		default:
+ 			break;
+ 		}
+-		if (ncurrent >= HPSA_MAX_SCSI_DEVS_PER_HBA)
++		if (ncurrent >= HPSA_MAX_DEVICES)
+ 			break;
+ 	}
+ 	adjust_hpsa_scsi_table(h, hostno, currentsd, ncurrent);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 111b79e..4de9f71 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -102,8 +102,8 @@ struct ctlr_info {
+ 	struct Scsi_Host *scsi_host;
+ 	spinlock_t devlock; /* to protect hba[ctlr]->dev[];  */
+ 	int ndevices; /* number of used elements in .dev[] array. */
+-#define HPSA_MAX_SCSI_DEVS_PER_HBA 256
+-	struct hpsa_scsi_dev_t *dev[HPSA_MAX_SCSI_DEVS_PER_HBA];
++#define HPSA_MAX_DEVICES 256
++	struct hpsa_scsi_dev_t *dev[HPSA_MAX_DEVICES];
+ 	/*
+ 	 * Performant mode tables.
+ 	 */

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch)
@@ -0,0 +1,83 @@
+From 634686b1e377f822b7be5a45888eeabef7585498 Mon Sep 17 00:00:00 2001
+From: Scott Teel <scott.teel at hp.com>
+Date: Wed, 26 Oct 2011 16:21:12 -0500
+Subject: [PATCH 130/136] hpsa: fix potential array overflow in
+ hpsa_update_scsi_devices
+
+commit b7ec021fe6fe979dbd4e62604a4942f964b12864 upstream.
+
+The currentsd[] array in hpsa_update_scsi_devices had room for
+256 devices.  The code was iterating over however many physical
+and logical devices plus an additional number of possible external
+MSA2XXX controllers, which together could potentially exceed 256.
+
+We increased the size of the currentsd array to 1024 + 1024 + 32 + 1
+elements to reflect a reasonable maximum possible number of devices
+which might be encountered.  We also don't just walk off the end
+of the array if the array controller reports more devices than we
+are prepared to handle, we just ignore the excessive devices.
+
+Signed-off-by: Scott Teel <scott.teel at hp.com>
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c     |    8 +++++++-
+ drivers/scsi/hpsa.h     |    1 -
+ drivers/scsi/hpsa_cmd.h |    5 ++++-
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 62e87fa..f19b4a4 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1725,7 +1725,6 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h,
+ 	if (is_scsi_rev_5(h))
+ 		return 0; /* p1210m doesn't need to do this. */
+ 
+-#define MAX_MSA2XXX_ENCLOSURES 32
+ 	if (*nmsa2xxx_enclosures >= MAX_MSA2XXX_ENCLOSURES) {
+ 		dev_warn(&h->pdev->dev, "Maximum number of MSA2XXX "
+ 			"enclosures exceeded.  Check your hardware "
+@@ -1859,6 +1858,13 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
+ 
+ 	/* Allocate the per device structures */
+ 	for (i = 0; i < ndevs_to_allocate; i++) {
++		if (i >= HPSA_MAX_DEVICES) {
++			dev_warn(&h->pdev->dev, "maximum devices (%d) exceeded."
++				"  %d devices ignored.\n", HPSA_MAX_DEVICES,
++				ndevs_to_allocate - HPSA_MAX_DEVICES);
++			break;
++		}
++
+ 		currentsd[i] = kzalloc(sizeof(*currentsd[i]), GFP_KERNEL);
+ 		if (!currentsd[i]) {
+ 			dev_warn(&h->pdev->dev, "out of memory at %s:%d\n",
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 4de9f71..73858bc 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -102,7 +102,6 @@ struct ctlr_info {
+ 	struct Scsi_Host *scsi_host;
+ 	spinlock_t devlock; /* to protect hba[ctlr]->dev[];  */
+ 	int ndevices; /* number of used elements in .dev[] array. */
+-#define HPSA_MAX_DEVICES 256
+ 	struct hpsa_scsi_dev_t *dev[HPSA_MAX_DEVICES];
+ 	/*
+ 	 * Performant mode tables.
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 55d741b..3fd4715 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -123,8 +123,11 @@ union u64bit {
+ 
+ /* FIXME this is a per controller value (barf!) */
+ #define HPSA_MAX_TARGETS_PER_CTLR 16
+-#define HPSA_MAX_LUN 256
++#define HPSA_MAX_LUN 1024
+ #define HPSA_MAX_PHYS_LUN 1024
++#define MAX_MSA2XXX_ENCLOSURES 32
++#define HPSA_MAX_DEVICES (HPSA_MAX_PHYS_LUN + HPSA_MAX_LUN + \
++	MAX_MSA2XXX_ENCLOSURES + 1) /* + 1 is for the controller itself */
+ 
+ /* SCSI-3 Commands */
+ #pragma pack(1)

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch)
@@ -0,0 +1,31 @@
+From 95a1e574f28db303656af6b72873ec9a3324c34c Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 26 Oct 2011 16:21:17 -0500
+Subject: [PATCH 131/136] hpsa: fix flush cache transfer length
+
+commit bb158eabda984851d7964d968b9859383f98a701 upstream.
+
+We weren't filling in the transfer length of the
+flush cache command (it transfers 4 bytes of zeroes).
+Firmware didn't seem to be bothered by this, but it
+should be fixed.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index f19b4a4..086a639 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2848,6 +2848,8 @@ static void fill_cmd(struct CommandList *c, u8 cmd, struct ctlr_info *h,
+ 			c->Request.Timeout = 0;
+ 			c->Request.CDB[0] = BMIC_WRITE;
+ 			c->Request.CDB[6] = BMIC_CACHE_FLUSH;
++			c->Request.CDB[7] = (size >> 8) & 0xFF;
++			c->Request.CDB[8] = size & 0xFF;
+ 			break;
+ 		case TEST_UNIT_READY:
+ 			c->Request.CDBLen = 6;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0132-hpsa-detect-controller-lockup.patch)
@@ -0,0 +1,318 @@
+From 6bfb4ac0fba2b1c66cc13987ed62ce8066a6512f Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Wed, 26 Oct 2011 16:22:04 -0500
+Subject: [PATCH 132/136] hpsa: detect controller lockup
+
+commit a0c124137a40fc22730ae87caf17e821f2dce1ed upstream.
+
+When controller lockup condition is detected,
+we should fail all outstanding commands and disable
+the controller.  This will enable multipath solutions
+to recover gracefully.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |  184 +++++++++++++++++++++++++++++++++++++++++++++++++--
+ drivers/scsi/hpsa.h |    5 ++
+ 2 files changed, 185 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 086a639..d4a1d44 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -48,6 +48,7 @@
+ #include <linux/bitmap.h>
+ #include <asm/atomic.h>
+ #include <linux/kthread.h>
++#include <linux/jiffies.h>
+ #include "hpsa_cmd.h"
+ #include "hpsa.h"
+ 
+@@ -120,6 +121,10 @@ static struct board_type products[] = {
+ 
+ static int number_of_controllers;
+ 
++static struct list_head hpsa_ctlr_list = LIST_HEAD_INIT(hpsa_ctlr_list);
++static spinlock_t lockup_detector_lock;
++static struct task_struct *hpsa_lockup_detector;
++
+ static irqreturn_t do_hpsa_intr_intx(int irq, void *dev_id);
+ static irqreturn_t do_hpsa_intr_msi(int irq, void *dev_id);
+ static int hpsa_ioctl(struct scsi_device *dev, int cmd, void *arg);
+@@ -1328,6 +1333,22 @@ static inline void hpsa_scsi_do_simple_cmd_core(struct ctlr_info *h,
+ 	wait_for_completion(&wait);
+ }
+ 
++static void hpsa_scsi_do_simple_cmd_core_if_no_lockup(struct ctlr_info *h,
++	struct CommandList *c)
++{
++	unsigned long flags;
++
++	/* If controller lockup detected, fake a hardware error. */
++	spin_lock_irqsave(&h->lock, flags);
++	if (unlikely(h->lockup_detected)) {
++		spin_unlock_irqrestore(&h->lock, flags);
++		c->err_info->CommandStatus = CMD_HARDWARE_ERR;
++	} else {
++		spin_unlock_irqrestore(&h->lock, flags);
++		hpsa_scsi_do_simple_cmd_core(h, c);
++	}
++}
++
+ static void hpsa_scsi_do_simple_cmd_with_retry(struct ctlr_info *h,
+ 	struct CommandList *c, int data_direction)
+ {
+@@ -2043,8 +2064,14 @@ static int hpsa_scsi_queue_command(struct scsi_cmnd *cmd,
+ 	}
+ 	memcpy(scsi3addr, dev->scsi3addr, sizeof(scsi3addr));
+ 
+-	/* Need a lock as this is being allocated from the pool */
+ 	spin_lock_irqsave(&h->lock, flags);
++	if (unlikely(h->lockup_detected)) {
++		spin_unlock_irqrestore(&h->lock, flags);
++		cmd->result = DID_ERROR << 16;
++		done(cmd);
++		return 0;
++	}
++	/* Need a lock as this is being allocated from the pool */
+ 	c = cmd_alloc(h);
+ 	spin_unlock_irqrestore(&h->lock, flags);
+ 	if (c == NULL) {			/* trouble... */
+@@ -2577,7 +2604,7 @@ static int hpsa_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ 		c->SG[0].Len = iocommand.buf_size;
+ 		c->SG[0].Ext = 0; /* we are not chaining*/
+ 	}
+-	hpsa_scsi_do_simple_cmd_core(h, c);
++	hpsa_scsi_do_simple_cmd_core_if_no_lockup(h, c);
+ 	if (iocommand.buf_size > 0)
+ 		hpsa_pci_unmap(h->pdev, c, 1, PCI_DMA_BIDIRECTIONAL);
+ 	check_ioctl_unit_attention(h, c);
+@@ -2700,7 +2727,7 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, void __user *argp)
+ 			c->SG[i].Ext = 0;
+ 		}
+ 	}
+-	hpsa_scsi_do_simple_cmd_core(h, c);
++	hpsa_scsi_do_simple_cmd_core_if_no_lockup(h, c);
+ 	if (sg_used)
+ 		hpsa_pci_unmap(h->pdev, c, sg_used, PCI_DMA_BIDIRECTIONAL);
+ 	check_ioctl_unit_attention(h, c);
+@@ -3069,6 +3096,7 @@ static irqreturn_t hpsa_intx_discard_completions(int irq, void *dev_id)
+ 	if (interrupt_not_for_us(h))
+ 		return IRQ_NONE;
+ 	spin_lock_irqsave(&h->lock, flags);
++	h->last_intr_timestamp = get_jiffies_64();
+ 	while (interrupt_pending(h)) {
+ 		raw_tag = get_next_completion(h);
+ 		while (raw_tag != FIFO_EMPTY)
+@@ -3088,6 +3116,7 @@ static irqreturn_t hpsa_msix_discard_completions(int irq, void *dev_id)
+ 		return IRQ_NONE;
+ 
+ 	spin_lock_irqsave(&h->lock, flags);
++	h->last_intr_timestamp = get_jiffies_64();
+ 	raw_tag = get_next_completion(h);
+ 	while (raw_tag != FIFO_EMPTY)
+ 		raw_tag = next_command(h);
+@@ -3104,6 +3133,7 @@ static irqreturn_t do_hpsa_intr_intx(int irq, void *dev_id)
+ 	if (interrupt_not_for_us(h))
+ 		return IRQ_NONE;
+ 	spin_lock_irqsave(&h->lock, flags);
++	h->last_intr_timestamp = get_jiffies_64();
+ 	while (interrupt_pending(h)) {
+ 		raw_tag = get_next_completion(h);
+ 		while (raw_tag != FIFO_EMPTY) {
+@@ -3124,6 +3154,7 @@ static irqreturn_t do_hpsa_intr_msi(int irq, void *dev_id)
+ 	u32 raw_tag;
+ 
+ 	spin_lock_irqsave(&h->lock, flags);
++	h->last_intr_timestamp = get_jiffies_64();
+ 	raw_tag = get_next_completion(h);
+ 	while (raw_tag != FIFO_EMPTY) {
+ 		if (hpsa_tag_contains_index(raw_tag))
+@@ -4068,6 +4099,149 @@ static void hpsa_undo_allocations_after_kdump_soft_reset(struct ctlr_info *h)
+ 	kfree(h);
+ }
+ 
++static void remove_ctlr_from_lockup_detector_list(struct ctlr_info *h)
++{
++	assert_spin_locked(&lockup_detector_lock);
++	if (!hpsa_lockup_detector)
++		return;
++	if (h->lockup_detected)
++		return; /* already stopped the lockup detector */
++	list_del(&h->lockup_list);
++}
++
++/* Called when controller lockup detected. */
++static void fail_all_cmds_on_list(struct ctlr_info *h, struct list_head *list)
++{
++	struct CommandList *c = NULL;
++
++	assert_spin_locked(&h->lock);
++	/* Mark all outstanding commands as failed and complete them. */
++	while (!list_empty(list)) {
++		c = list_entry(list->next, struct CommandList, list);
++		c->err_info->CommandStatus = CMD_HARDWARE_ERR;
++		finish_cmd(c, c->Header.Tag.lower);
++	}
++}
++
++static void controller_lockup_detected(struct ctlr_info *h)
++{
++	unsigned long flags;
++
++	assert_spin_locked(&lockup_detector_lock);
++	remove_ctlr_from_lockup_detector_list(h);
++	h->access.set_intr_mask(h, HPSA_INTR_OFF);
++	spin_lock_irqsave(&h->lock, flags);
++	h->lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
++	spin_unlock_irqrestore(&h->lock, flags);
++	dev_warn(&h->pdev->dev, "Controller lockup detected: 0x%08x\n",
++			h->lockup_detected);
++	pci_disable_device(h->pdev);
++	spin_lock_irqsave(&h->lock, flags);
++	fail_all_cmds_on_list(h, &h->cmpQ);
++	fail_all_cmds_on_list(h, &h->reqQ);
++	spin_unlock_irqrestore(&h->lock, flags);
++}
++
++#define HEARTBEAT_SAMPLE_INTERVAL (10 * HZ)
++#define HEARTBEAT_CHECK_MINIMUM_INTERVAL (HEARTBEAT_SAMPLE_INTERVAL / 2)
++
++static void detect_controller_lockup(struct ctlr_info *h)
++{
++	u64 now;
++	u32 heartbeat;
++	unsigned long flags;
++
++	assert_spin_locked(&lockup_detector_lock);
++	now = get_jiffies_64();
++	/* If we've received an interrupt recently, we're ok. */
++	if (time_after64(h->last_intr_timestamp +
++				(HEARTBEAT_CHECK_MINIMUM_INTERVAL), now))
++		return;
++
++	/*
++	 * If we've already checked the heartbeat recently, we're ok.
++	 * This could happen if someone sends us a signal. We
++	 * otherwise don't care about signals in this thread.
++	 */
++	if (time_after64(h->last_heartbeat_timestamp +
++				(HEARTBEAT_CHECK_MINIMUM_INTERVAL), now))
++		return;
++
++	/* If heartbeat has not changed since we last looked, we're not ok. */
++	spin_lock_irqsave(&h->lock, flags);
++	heartbeat = readl(&h->cfgtable->HeartBeat);
++	spin_unlock_irqrestore(&h->lock, flags);
++	if (h->last_heartbeat == heartbeat) {
++		controller_lockup_detected(h);
++		return;
++	}
++
++	/* We're ok. */
++	h->last_heartbeat = heartbeat;
++	h->last_heartbeat_timestamp = now;
++}
++
++static int detect_controller_lockup_thread(void *notused)
++{
++	struct ctlr_info *h;
++	unsigned long flags;
++
++	while (1) {
++		struct list_head *this, *tmp;
++
++		schedule_timeout_interruptible(HEARTBEAT_SAMPLE_INTERVAL);
++		if (kthread_should_stop())
++			break;
++		spin_lock_irqsave(&lockup_detector_lock, flags);
++		list_for_each_safe(this, tmp, &hpsa_ctlr_list) {
++			h = list_entry(this, struct ctlr_info, lockup_list);
++			detect_controller_lockup(h);
++		}
++		spin_unlock_irqrestore(&lockup_detector_lock, flags);
++	}
++	return 0;
++}
++
++static void add_ctlr_to_lockup_detector_list(struct ctlr_info *h)
++{
++	unsigned long flags;
++
++	spin_lock_irqsave(&lockup_detector_lock, flags);
++	list_add_tail(&h->lockup_list, &hpsa_ctlr_list);
++	spin_unlock_irqrestore(&lockup_detector_lock, flags);
++}
++
++static void start_controller_lockup_detector(struct ctlr_info *h)
++{
++	/* Start the lockup detector thread if not already started */
++	if (!hpsa_lockup_detector) {
++		spin_lock_init(&lockup_detector_lock);
++		hpsa_lockup_detector =
++			kthread_run(detect_controller_lockup_thread,
++						NULL, "hpsa");
++	}
++	if (!hpsa_lockup_detector) {
++		dev_warn(&h->pdev->dev,
++			"Could not start lockup detector thread\n");
++		return;
++	}
++	add_ctlr_to_lockup_detector_list(h);
++}
++
++static void stop_controller_lockup_detector(struct ctlr_info *h)
++{
++	unsigned long flags;
++
++	spin_lock_irqsave(&lockup_detector_lock, flags);
++	remove_ctlr_from_lockup_detector_list(h);
++	/* If the list of ctlr's to monitor is empty, stop the thread */
++	if (list_empty(&hpsa_ctlr_list)) {
++		kthread_stop(hpsa_lockup_detector);
++		hpsa_lockup_detector = NULL;
++	}
++	spin_unlock_irqrestore(&lockup_detector_lock, flags);
++}
++
+ static int __devinit hpsa_init_one(struct pci_dev *pdev,
+ 				    const struct pci_device_id *ent)
+ {
+@@ -4213,6 +4387,7 @@ reinit_after_soft_reset:
+ 
+ 	hpsa_hba_inquiry(h);
+ 	hpsa_register_scsi(h);	/* hook ourselves into SCSI subsystem */
++	start_controller_lockup_detector(h);
+ 	return 1;
+ 
+ clean4:
+@@ -4275,10 +4450,11 @@ static void __devexit hpsa_remove_one(struct pci_dev *pdev)
+ 	struct ctlr_info *h;
+ 
+ 	if (pci_get_drvdata(pdev) == NULL) {
+-		dev_err(&pdev->dev, "unable to remove device \n");
++		dev_err(&pdev->dev, "unable to remove device\n");
+ 		return;
+ 	}
+ 	h = pci_get_drvdata(pdev);
++	stop_controller_lockup_detector(h);
+ 	hpsa_unregister_scsi(h);	/* unhook from SCSI subsystem */
+ 	hpsa_shutdown(pdev);
+ 	iounmap(h->vaddr);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 73858bc..91edafb 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -121,6 +121,11 @@ struct ctlr_info {
+ 	unsigned char reply_pool_wraparound;
+ 	u32 *blockFetchTable;
+ 	unsigned char *hba_inquiry_data;
++	u64 last_intr_timestamp;
++	u32 last_heartbeat;
++	u64 last_heartbeat_timestamp;
++	u32 lockup_detected;
++	struct list_head lockup_list;
+ };
+ #define HPSA_ABORT_MSG 0
+ #define HPSA_DEVICE_RESET_MSG 1

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0133-hpsa-Disable-ASPM.patch)
@@ -0,0 +1,40 @@
+From 7e7d4c0815f86b5d2f60e00d3fb10a7cbc985b74 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg at redhat.com>
+Date: Fri, 11 Nov 2011 11:14:23 -0500
+Subject: [PATCH 133/136] hpsa: Disable ASPM
+
+commit e5a44df85e8d78e5c2d3d2e4f59b460905691e2f upstream.
+
+The Windows driver .inf disables ASPM on hpsa devices. Do the same because the
+selection of a non default ASPM policy can cause the device to hang.
+
+Signed-off-by: Matthew Garrett <mjg at redhat.com>
+Acked-by: Mike Miller <mike.miller at hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+---
+ drivers/scsi/hpsa.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index d4a1d44..4b3ea9d 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -23,6 +23,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/types.h>
+ #include <linux/pci.h>
++#include <linux/pci-aspm.h>
+ #include <linux/kernel.h>
+ #include <linux/slab.h>
+ #include <linux/delay.h>
+@@ -3894,6 +3895,10 @@ static int __devinit hpsa_pci_init(struct ctlr_info *h)
+ 		dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
+ 		return -ENODEV;
+ 	}
++
++	pci_disable_link_state(h->pdev, PCIE_LINK_STATE_L0S |
++			       PCIE_LINK_STATE_L1 | PCIE_LINK_STATE_CLKPM);
++
+ 	err = pci_enable_device(h->pdev);
+ 	if (err) {
+ 		dev_warn(&h->pdev->dev, "unable to enable PCI device\n");

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch)
@@ -0,0 +1,74 @@
+From af4c8bf2cceec44a21069553d8b1fd44a28d2b4e Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 19 Jan 2012 14:01:04 -0600
+Subject: [PATCH 134/136] hpsa: Fix problem with MSA2xxx devices
+
+commit 9bc3711cbb67ac620bf09b4a147cbab45b2c36c0 upstream.
+
+Upgraded firmware on Smart Array P7xx (and some others) made them show up as
+SCSI revision 5 devices and this caused the driver to fail to map MSA2xxx
+logical drives to the correct bus/target/lun.  A symptom of this would be that
+the target ID of the logical drives as presented by the external storage array
+is ignored, and all such logical drives are assigned to target zero,
+differentiated only by LUN.  Some multipath software reportedly does not deal
+well with this behavior, failing to recognize different paths to the same
+device as such.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: Scott Teel <scott.teel at hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c |   34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 4b3ea9d..59dda57 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1665,30 +1665,26 @@ static void figure_bus_target_lun(struct ctlr_info *h,
+ 
+ 	if (is_logical_dev_addr_mode(lunaddrbytes)) {
+ 		/* logical device */
+-		if (unlikely(is_scsi_rev_5(h))) {
+-			/* p1210m, logical drives lun assignments
+-			 * match SCSI REPORT LUNS data.
++		lunid = le32_to_cpu(*((__le32 *) lunaddrbytes));
++		if (is_msa2xxx(h, device)) {
++			/* msa2xxx way, put logicals on bus 1
++			 * and match target/lun numbers box
++			 * reports.
+ 			 */
+-			lunid = le32_to_cpu(*((__le32 *) lunaddrbytes));
+-			*bus = 0;
+-			*target = 0;
+-			*lun = (lunid & 0x3fff) + 1;
++			*bus = 1;
++			*target = (lunid >> 16) & 0x3fff;
++			*lun = lunid & 0x00ff;
+ 		} else {
+-			/* not p1210m... */
+-			lunid = le32_to_cpu(*((__le32 *) lunaddrbytes));
+-			if (is_msa2xxx(h, device)) {
+-				/* msa2xxx way, put logicals on bus 1
+-				 * and match target/lun numbers box
+-				 * reports.
+-				 */
+-				*bus = 1;
+-				*target = (lunid >> 16) & 0x3fff;
+-				*lun = lunid & 0x00ff;
++			if (likely(is_scsi_rev_5(h))) {
++				/* All current smart arrays (circa 2011) */
++				*bus = 0;
++				*target = 0;
++				*lun = (lunid & 0x3fff) + 1;
+ 			} else {
+-				/* Traditional smart array way. */
++				/* Traditional old smart array way. */
+ 				*bus = 0;
+-				*lun = 0;
+ 				*target = lunid & 0x3fff;
++				*lun = 0;
+ 			}
+ 		}
+ 	} else {

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch)
@@ -0,0 +1,39 @@
+From e1ce5fac21628998a31d295320b93f00f3aa6bbd Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Mon, 28 Nov 2011 10:15:20 -0600
+Subject: [PATCH 135/136] hpsa: Add IRQF_SHARED back in for the non-MSI(X)
+ interrupt handler
+
+commit 45bcf018d1a4779d592764ef57517c92589d55d7 upstream.
+
+IRQF_SHARED is required for older controllers that don't support MSI(X)
+and which may end up sharing an interrupt.  All the controllers hpsa
+normally supports have MSI(X) capability, but older controllers may be
+encountered via the hpsa_allow_any=1 module parameter.
+
+Also remove deprecated IRQF_DISABLED.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 59dda57..5b9cc14 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -4040,10 +4040,10 @@ static int hpsa_request_irq(struct ctlr_info *h,
+ 
+ 	if (h->msix_vector || h->msi_vector)
+ 		rc = request_irq(h->intr[h->intr_mode], msixhandler,
+-				IRQF_DISABLED, h->devname, h);
++				0, h->devname, h);
+ 	else
+ 		rc = request_irq(h->intr[h->intr_mode], intxhandler,
+-				IRQF_DISABLED, h->devname, h);
++				IRQF_SHARED, h->devname, h);
+ 	if (rc) {
+ 		dev_err(&h->pdev->dev, "unable to get irq %d for %s\n",
+ 		       h->intr[h->intr_mode], h->devname);

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch)
@@ -0,0 +1,44 @@
+From 2f626bc37b11406310eb6600e98d5c0ffce9de76 Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Fri, 14 Sep 2012 16:34:25 -0500
+Subject: [PATCH 136/136] hpsa: fix handling of protocol error
+
+commit 256d0eaac87da1e993190846064f339f4c7a63f5 upstream.
+
+If a command status of CMD_PROTOCOL_ERR is received, this
+information should be conveyed to the SCSI mid layer, not
+dropped on the floor.  CMD_PROTOCOL_ERR may be received
+from the Smart Array for any commands destined for an external
+RAID controller such as a P2000, or commands destined for tape
+drives or CD/DVD-ROM drives, if for instance a cable is
+disconnected.  This mostly affects multipath configurations, as
+disconnecting a cable on a non-multipath configuration is not
+going to do anything good regardless of whether CMD_PROTOCOL_ERR
+is handled correctly or not.  Not handling CMD_PROTOCOL_ERR
+correctly in a multipath configaration involving external RAID
+controllers may cause data corruption, so this is quite a serious
+bug.  This bug should not normally cause a problem for direct
+attached disk storage.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index 5b9cc14..8eb56ff 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -1204,8 +1204,9 @@ static void complete_scsi_command(struct CommandList *cp)
+ 	}
+ 		break;
+ 	case CMD_PROTOCOL_ERR:
++		cmd->result = DID_ERROR << 16;
+ 		dev_warn(&h->pdev->dev, "cp %p has "
+-			"protocol error \n", cp);
++			"protocol error\n", cp);
+ 		break;
+ 	case CMD_HARDWARE_ERR:
+ 		cmd->result = DID_ERROR << 16;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch)
@@ -0,0 +1,52 @@
+From 2239182005cc209df395cae2316f4e6688642b8d Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Thu, 26 Jul 2012 11:34:10 -0500
+Subject: [PATCH 137/138] hpsa: Use LUN reset instead of target reset
+
+commit 21e89afd325849eb38adccf382df16cc895911f9 upstream.
+
+It turns out Smart Array logical drives do not support target
+reset and when the target reset fails, the logical drive will
+be taken off line.  Symptoms look like this:
+
+hpsa 0000:03:00.0: Abort request on C1:B0:T0:L0
+hpsa 0000:03:00.0: resetting device 1:0:0:0
+hpsa 0000:03:00.0: cp ffff880037c56000 is reported invalid (probably means target device no longer present)
+hpsa 0000:03:00.0: resetting device failed.
+sd 1:0:0:0: Device offlined - not ready after error recovery
+sd 1:0:0:0: rejecting I/O to offline device
+EXT3-fs error (device sdb1): read_block_bitmap:
+
+LUN reset is supported though, and is what we should be using.
+Target reset is also disruptive in shared SAS situations,
+for example, an external MSA1210m which does support target
+reset attached to Smart Arrays in multiple hosts -- a target
+reset from one host is disruptive to other hosts as all LUNs
+on the target will be reset and will abort all outstanding i/os
+back to all the attached hosts.  So we should use LUN reset,
+not target reset.
+
+Tested this with Smart Array logical drives and with tape drives.
+Not sure how this bug survived since 2009, except it must be very
+rare for a Smart Array to require more than 30s to complete a request.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index be9aad8..a133724 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -2926,7 +2926,7 @@ static void fill_cmd(struct CommandList *c, u8 cmd, struct ctlr_info *h,
+ 			c->Request.Timeout = 0; /* Don't time out */
+ 			memset(&c->Request.CDB[0], 0, sizeof(c->Request.CDB));
+ 			c->Request.CDB[0] =  cmd;
+-			c->Request.CDB[1] = 0x03;  /* Reset target above */
++			c->Request.CDB[1] = HPSA_RESET_TYPE_LUN;
+ 			/* If bytes 4-7 are zero, it means reset the */
+ 			/* LunID device */
+ 			c->Request.CDB[4] = 0x00;

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch)
@@ -0,0 +1,144 @@
+From def274ac605a69628f7d0d2d666484d209b0b6ee Mon Sep 17 00:00:00 2001
+From: "Stephen M. Cameron" <scameron at beardog.cce.hp.com>
+Date: Tue, 1 May 2012 11:43:42 -0500
+Subject: [PATCH 138/138] hpsa: dial down lockup detection during firmware flash
+
+commit e85c59746957fd6e3595d02cf614370056b5816e upstream.
+
+Dial back the aggressiveness of the controller lockup detection thread.
+Currently it will declare the controller to be locked up if it goes
+for 10 seconds with no interrupts and no change in the heartbeat
+register.  Dial back this to 30 seconds with no heartbeat change, and
+also snoop the ioctl path and if a firmware flash command is detected,
+dial it back further to 4 minutes until the firmware flash command
+completes.  The reason for this is that during the firmware flash
+operation, the controller apparently doesn't update the heartbeat
+register as frequently as it is supposed to, and we can get a false
+positive.
+
+Signed-off-by: Stephen M. Cameron <scameron at beardog.cce.hp.com>
+Signed-off-by: James Bottomley <JBottomley at Parallels.com>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/scsi/hpsa.c     |   39 ++++++++++++++++++++++++++++++++++-----
+ drivers/scsi/hpsa.h     |    2 ++
+ drivers/scsi/hpsa_cmd.h |    1 +
+ 3 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
+index a133724..22523aa 100644
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -532,12 +532,42 @@ static void set_performant_mode(struct ctlr_info *h, struct CommandList *c)
+ 		c->busaddr |= 1 | (h->blockFetchTable[c->Header.SGList] << 1);
+ }
+ 
++static int is_firmware_flash_cmd(u8 *cdb)
++{
++	return cdb[0] == BMIC_WRITE && cdb[6] == BMIC_FLASH_FIRMWARE;
++}
++
++/*
++ * During firmware flash, the heartbeat register may not update as frequently
++ * as it should.  So we dial down lockup detection during firmware flash. and
++ * dial it back up when firmware flash completes.
++ */
++#define HEARTBEAT_SAMPLE_INTERVAL_DURING_FLASH (240 * HZ)
++#define HEARTBEAT_SAMPLE_INTERVAL (30 * HZ)
++static void dial_down_lockup_detection_during_fw_flash(struct ctlr_info *h,
++		struct CommandList *c)
++{
++	if (!is_firmware_flash_cmd(c->Request.CDB))
++		return;
++	atomic_inc(&h->firmware_flash_in_progress);
++	h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL_DURING_FLASH;
++}
++
++static void dial_up_lockup_detection_on_fw_flash_complete(struct ctlr_info *h,
++		struct CommandList *c)
++{
++	if (is_firmware_flash_cmd(c->Request.CDB) &&
++		atomic_dec_and_test(&h->firmware_flash_in_progress))
++		h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL;
++}
++
+ static void enqueue_cmd_and_start_io(struct ctlr_info *h,
+ 	struct CommandList *c)
+ {
+ 	unsigned long flags;
+ 
+ 	set_performant_mode(h, c);
++	dial_down_lockup_detection_during_fw_flash(h, c);
+ 	spin_lock_irqsave(&h->lock, flags);
+ 	addQ(&h->reqQ, c);
+ 	h->Qdepth++;
+@@ -3032,6 +3062,7 @@ static inline int bad_tag(struct ctlr_info *h, u32 tag_index,
+ static inline void finish_cmd(struct CommandList *c, u32 raw_tag)
+ {
+ 	removeQ(c);
++	dial_up_lockup_detection_on_fw_flash_complete(c->h, c);
+ 	if (likely(c->cmd_type == CMD_SCSI))
+ 		complete_scsi_command(c);
+ 	else if (c->cmd_type == CMD_IOCTL_PEND)
+@@ -4172,9 +4203,6 @@ static void controller_lockup_detected(struct ctlr_info *h)
+ 	spin_unlock_irqrestore(&h->lock, flags);
+ }
+ 
+-#define HEARTBEAT_SAMPLE_INTERVAL (10 * HZ)
+-#define HEARTBEAT_CHECK_MINIMUM_INTERVAL (HEARTBEAT_SAMPLE_INTERVAL / 2)
+-
+ static void detect_controller_lockup(struct ctlr_info *h)
+ {
+ 	u64 now;
+@@ -4185,7 +4213,7 @@ static void detect_controller_lockup(struct ctlr_info *h)
+ 	now = get_jiffies_64();
+ 	/* If we've received an interrupt recently, we're ok. */
+ 	if (time_after64(h->last_intr_timestamp +
+-				(HEARTBEAT_CHECK_MINIMUM_INTERVAL), now))
++				(h->heartbeat_sample_interval), now))
+ 		return;
+ 
+ 	/*
+@@ -4194,7 +4222,7 @@ static void detect_controller_lockup(struct ctlr_info *h)
+ 	 * otherwise don't care about signals in this thread.
+ 	 */
+ 	if (time_after64(h->last_heartbeat_timestamp +
+-				(HEARTBEAT_CHECK_MINIMUM_INTERVAL), now))
++				(h->heartbeat_sample_interval), now))
+ 		return;
+ 
+ 	/* If heartbeat has not changed since we last looked, we're not ok. */
+@@ -4236,6 +4264,7 @@ static void add_ctlr_to_lockup_detector_list(struct ctlr_info *h)
+ {
+ 	unsigned long flags;
+ 
++	h->heartbeat_sample_interval = HEARTBEAT_SAMPLE_INTERVAL;
+ 	spin_lock_irqsave(&lockup_detector_lock, flags);
+ 	list_add_tail(&h->lockup_list, &hpsa_ctlr_list);
+ 	spin_unlock_irqrestore(&lockup_detector_lock, flags);
+diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
+index 91edafb..c721509 100644
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -124,6 +124,8 @@ struct ctlr_info {
+ 	u64 last_intr_timestamp;
+ 	u32 last_heartbeat;
+ 	u64 last_heartbeat_timestamp;
++	u32 heartbeat_sample_interval;
++	atomic_t firmware_flash_in_progress;
+ 	u32 lockup_detected;
+ 	struct list_head lockup_list;
+ };
+diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h
+index 3fd4715..e4ea0a3 100644
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -163,6 +163,7 @@ struct SenseSubsystem_info {
+ #define BMIC_WRITE 0x27
+ #define BMIC_CACHE_FLUSH 0xc2
+ #define HPSA_CACHE_FLUSH 0x01	/* C2 was already being used by HPSA */
++#define BMIC_FLASH_FIRMWARE 0xF7
+ 
+ /* Command List Structure */
+ union SCSI3Addr {

Modified: dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Mon Jan 21 04:42:29 2013	(r19767)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/openvz/openvz.patch	Tue Jan 22 06:01:55 2013	(r19768)
@@ -6541,6 +6541,12 @@
 [bwh: Fix context for changes to lease_alloc() after commit
  79549c6dfda0603dba9a70a53467ce62d9335c33 ('cred: copy_process() should
  clear child->replacement_session_keyring')]
+[bwh: Update definition of struct eventpoll that this moves, to include
+ additions in 2.6.32.60]
+[bwh: Fix context for changes to fs/signalfd.c, include/linux/signalfd.h
+ and kernel/fork.c following addition of signalfd_cleanup() in 2.6.32.60]
+[bwh: Fix content for changes to do_tcp_sendpages() after 2.6.32.60]
+[bwh: Fix context for changes to struct file after 2.6.32.60]
 
 diff --git a/COPYING.Parallels b/COPYING.Parallels
 new file mode 100644
@@ -16575,7 +16581,7 @@
  /*
   * Structure used to track possible nested calls, for too deep recursions
   * and loop cycles.
-@@ -110,82 +106,6 @@ struct nested_calls {
+@@ -110,88 +106,6 @@ struct nested_calls {
  	spinlock_t lock;
  };
  
@@ -16653,6 +16659,12 @@
 -
 -	/* The user that created the eventpoll descriptor */
 -	struct user_struct *user;
+-
+-	struct file *file;
+-
+-	/* used to optimize loop detection check */
+-	int visited;
+-	struct list_head visited_list_link;
 -};
 -
  /* Wait structure used by the poll hooks */
@@ -16668,6 +16680,15 @@
  
  /* Used to check for epoll file descriptor inclusion loops */
  static struct nested_calls poll_loop_ncalls;
+@@ -286,7 +207,7 @@
+ };
+ #endif /* CONFIG_SYSCTL */
+ 
+-static const struct file_operations eventpoll_fops;
++const struct file_operations eventpoll_fops;
+ 
+ static inline int is_file_epoll(struct file *f)
+ {
 @@ -672,10 +593,11 @@ static unsigned int ep_eventpoll_poll(struct file *file, poll_table *wait)
  }
  
@@ -16679,8 +16700,8 @@
  };
 +EXPORT_SYMBOL(eventpoll_fops);
  
- /* Fast test to see if the file is an evenpoll file */
- static inline int is_file_epoll(struct file *f)
+ /*
+  * This is called from eventpoll_release() to unlink files from the eventpoll
 @@ -757,7 +679,7 @@ free_uid:
   * are protected by the "mtx" mutex, and ep_find() must be called with
   * "mtx" held.
@@ -27722,18 +27743,25 @@
 index d98bea8..d0c9670 100644
 --- a/fs/signalfd.c
 +++ b/fs/signalfd.c
-@@ -28,10 +28,7 @@
+@@ -28,6 +28,7 @@
  #include <linux/anon_inodes.h>
  #include <linux/signalfd.h>
  #include <linux/syscalls.h>
--
++#include <linux/module.h>
+ 
+ void signalfd_cleanup(struct sighand_struct *sighand)
+ {
+@@ -44,10 +44,6 @@
+ 	wake_up_poll(wqh, POLLHUP | POLLFREE);
+ }
+ 
 -struct signalfd_ctx {
 -	sigset_t sigmask;
 -};
-+#include <linux/module.h>
- 
+-
  static int signalfd_release(struct inode *inode, struct file *file)
  {
+ 	kfree(file->private_data);
 @@ -201,17 +198,17 @@ static ssize_t signalfd_read(struct file *file, char __user *buf, size_t count,
  	return total ? total: ret;
  }
@@ -33081,7 +33109,7 @@
  
  /* Flags for epoll_create1.  */
  #define EPOLL_CLOEXEC O_CLOEXEC
-@@ -63,6 +64,94 @@ static inline void eventpoll_init_file(struct file *file)
+@@ -63,6 +64,106 @@ static inline void eventpoll_init_file(struct file *file)
  	INIT_LIST_HEAD(&file->f_ep_links);
  }
  
@@ -33128,6 +33156,12 @@
 +
 +	/* The user that created the eventpoll descriptor */
 +	struct user_struct *user;
++
++	struct file *file;
++
++	/* used to optimize loop detection check */
++	int visited;
++	struct list_head visited_list_link;
 +};
 +
 +/*
@@ -33167,6 +33201,12 @@
 +
 +	/* The user that created the eventpoll descriptor */
 +	struct user_struct *user;
++
++	struct file *file;
++
++	/* used to optimize loop detection check */
++	int visited;
++	struct list_head visited_list_link;
 +};
 +
 +extern struct semaphore epsem;
@@ -33462,9 +33502,9 @@
  	unsigned long f_mnt_write_state;
  #endif
 +	struct ve_struct	*owner_env;
- };
- extern spinlock_t files_lock;
- #define file_list_lock() spin_lock(&files_lock);
+ #ifndef __GENKSYMS__
+ #ifdef CONFIG_EPOLL
+ 	struct list_head	f_tfile_llink;
 @@ -1063,6 +1083,9 @@ struct file_lock {
  	fl_owner_t fl_owner;
  	unsigned char fl_flags;
@@ -35592,8 +35632,8 @@
 --- a/include/linux/signalfd.h
 +++ b/include/linux/signalfd.h
 @@ -60,6 +60,12 @@ static inline void signalfd_notify(struct task_struct *tsk, int sig)
- 		wake_up(&tsk->sighand->signalfd_wqh);
- }
+ 
+ extern void signalfd_cleanup(struct sighand_struct *sighand);
  
 +struct signalfd_ctx {
 +	sigset_t sigmask;
@@ -69737,9 +69777,9 @@
 --- a/kernel/fork.c
 +++ b/kernel/fork.c
 @@ -64,6 +64,8 @@
- #include <linux/magic.h>
  #include <linux/perf_event.h>
  #include <linux/posix-timers.h>
+ #include <linux/signalfd.h>
 +#include <linux/virtinfo.h>
 +#include <linux/ve.h>
  
@@ -85416,7 +85456,7 @@
  			goto wait_for_memory;
  
  		if (can_coalesce) {
-@@ -838,10 +866,15 @@ new_segment:
+@@ -838,9 +866,14 @@ new_segment:
  wait_for_sndbuf:
  		set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
  wait_for_memory:
@@ -85424,8 +85464,7 @@
 +			skb_charge_size(MAX_TCP_HEADER + tp->mss_cache));
 +		chargesize = 0;
 +wait_for_ubspace:
- 		if (copied)
- 			tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
+ 		tcp_push(sk, flags & ~MSG_MORE, mss_now, TCP_NAGLE_PUSH);
  
 -		if ((err = sk_stream_wait_memory(sk, &timeo)) != 0)
 +		err = __sk_stream_wait_memory(sk, &timeo, chargesize);

Modified: dists/squeeze-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.8.patch
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.8.patch	Mon Jan 21 04:42:29 2013	(r19767)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.36.29.8.patch	Tue Jan 22 06:01:55 2013	(r19768)
@@ -1,4 +1,6 @@
 [bwh: Adjust context in drivers/block/Kconfig changed by drbd backport]
+[bwh: Adjust context in fs/ext3/inode.c and kernel/fork.c changed by
+ 2.6.32.60]
 
 --- a/Documentation/scheduler/sched-cfs-hard-limits.txt	1970-01-01 01:00:00.000000000 +0100
 +++ a/Documentation/scheduler/sched-cfs-hard-limits.txt	2011-06-10 13:03:02.000000000 +0200
@@ -3115,8 +3117,8 @@
 +	uid_t uid = TAGINO_UID(DX_TAG(inode), inode->i_uid, inode->i_tag);
 +	gid_t gid = TAGINO_GID(DX_TAG(inode), inode->i_gid, inode->i_tag);
  	int err = 0, rc, block;
- 
- again:
+ 	int need_datasync = 0;
+ 	__le32 disksize;
 @@ -2961,29 +2995,32 @@ again:
  	ext3_get_inode_flags(ei);
  	raw_inode->i_mode = cpu_to_le16(inode->i_mode);
@@ -3154,8 +3156,8 @@
 +	raw_inode->i_raw_tag = cpu_to_le16(inode->i_tag);
 +#endif
  	raw_inode->i_links_count = cpu_to_le16(inode->i_nlink);
- 	raw_inode->i_size = cpu_to_le32(ei->i_disksize);
- 	raw_inode->i_atime = cpu_to_le32(inode->i_atime.tv_sec);
+ 	disksize = cpu_to_le32(ei->i_disksize);
+ 	if (disksize != raw_inode->i_size) {
 @@ -3141,7 +3178,8 @@ int ext3_setattr(struct dentry *dentry, 
  		return error;
  
@@ -14885,9 +14887,9 @@
 --- a/kernel/fork.c	2011-08-08 22:29:45.000000000 +0200
 +++ a/kernel/fork.c	2011-06-10 13:03:02.000000000 +0200
 @@ -64,6 +64,10 @@
- #include <linux/magic.h>
  #include <linux/perf_event.h>
  #include <linux/posix-timers.h>
+ #include <linux/signalfd.h>
 +#include <linux/vs_context.h>
 +#include <linux/vs_network.h>
 +#include <linux/vs_limit.h>

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch)
@@ -0,0 +1,35 @@
+From: Seth Heasley <seth.heasley at intel.com>
+Date: Wed, 20 Apr 2011 10:59:57 -0700
+Subject: ALSA: hda - ALSA HD Audio patch for Intel Panther Point DeviceIDs
+
+commit d2edeb7c6f1dada8ca7d5c23e42d604e92ae0c76 upstream.
+
+This patch adds the HD Audio Controller DeviceIDs for the Intel Panther Point PCH.
+
+Signed-off-by: Seth Heasley <seth.heasley at intel.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 70a9d32..6f891ee 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -126,6 +126,7 @@ MODULE_SUPPORTED_DEVICE("{{Intel, ICH6},"
+ 			 "{Intel, ICH10},"
+ 			 "{Intel, PCH},"
+ 			 "{Intel, CPT},"
++			 "{Intel, PPT},"
+ 			 "{Intel, PBG},"
+ 			 "{Intel, SCH},"
+ 			 "{ATI, SB450},"
+@@ -2759,6 +2760,8 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
+ 	{ PCI_DEVICE(0x8086, 0x1c20), .driver_data = AZX_DRIVER_PCH },
+ 	/* PBG */
+ 	{ PCI_DEVICE(0x8086, 0x1d20), .driver_data = AZX_DRIVER_PCH },
++	/* Panther Point */
++	{ PCI_DEVICE(0x8086, 0x1e20), .driver_data = AZX_DRIVER_PCH },
+ 	/* SCH */
+ 	{ PCI_DEVICE(0x8086, 0x811b), .driver_data = AZX_DRIVER_SCH },
+ 	/* Generic Intel */

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Add-support-for-VMware-controller.patch)
@@ -0,0 +1,30 @@
+From: Bankim Bhavsar <bbhavsar at vmware.com>
+Date: Mon, 17 Jan 2011 15:23:21 +0100
+Subject: ALSA: hda - Add support for VMware controller
+
+commit 0f0714c5ed0a98fdeaa2287d3b159989bbe6d842 upstream.
+
+Add the new PCI ID 0x15ad and device ID 0x1977 for VMware HDAudio
+Controller.
+
+[changed to use AZX_DRIVER_GENERIC by tiwai]
+
+Signed-off-by: Bankim Bhavsar <bbhavsar at vmware.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index a1c4008..07c522f 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2806,6 +2806,8 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
+ #endif
+ 	/* Vortex86MX */
+ 	{ PCI_DEVICE(0x17f3, 0x3010), .driver_data = AZX_DRIVER_GENERIC },
++	/* VMware HDAudio */
++	{ PCI_DEVICE(0x15ad, 0x1977), .driver_data = AZX_DRIVER_GENERIC },
+ 	/* AMD/ATI Generic, PCI class code and Vendor ID for HD Audio */
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_ATI, PCI_ANY_ID),
+ 	  .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch)
@@ -0,0 +1,51 @@
+From: Takashi Iwai <tiwai at suse.de>
+Date: Wed, 15 Sep 2010 10:17:26 +0200
+Subject: ALSA: hda - Reduce pci id list for Intel with class id
+
+commit b686453543fd56332e8730a2abd7bf5bca756149 upstream.
+
+Most of Intel controllers work as generic HD-audio without quirks,
+and it'll be hopefully so in future.  Let's mark pci id with the
+PCI_CLASS_MULTIMEDIA_HD_AUDIO for Intel so that the driver will work
+with any new control chips in future.
+
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c |   18 +++++-------------
+ 1 file changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 34940a0..5f6f903 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2735,25 +2735,17 @@ static void __devexit azx_remove(struct pci_dev *pci)
+ 
+ /* PCI IDs */
+ static struct pci_device_id azx_ids[] = {
+-	/* ICH 6..10 */
+-	{ PCI_DEVICE(0x8086, 0x2668), .driver_data = AZX_DRIVER_ICH },
+-	{ PCI_DEVICE(0x8086, 0x27d8), .driver_data = AZX_DRIVER_ICH },
+-	{ PCI_DEVICE(0x8086, 0x269a), .driver_data = AZX_DRIVER_ICH },
+-	{ PCI_DEVICE(0x8086, 0x284b), .driver_data = AZX_DRIVER_ICH },
+-	{ PCI_DEVICE(0x8086, 0x2911), .driver_data = AZX_DRIVER_ICH },
+-	{ PCI_DEVICE(0x8086, 0x293e), .driver_data = AZX_DRIVER_ICH },
+-	{ PCI_DEVICE(0x8086, 0x293f), .driver_data = AZX_DRIVER_ICH },
+-	{ PCI_DEVICE(0x8086, 0x3a3e), .driver_data = AZX_DRIVER_ICH },
+-	{ PCI_DEVICE(0x8086, 0x3a6e), .driver_data = AZX_DRIVER_ICH },
+-	/* PCH */
+-	{ PCI_DEVICE(0x8086, 0x3b56), .driver_data = AZX_DRIVER_ICH },
+-	{ PCI_DEVICE(0x8086, 0x3b57), .driver_data = AZX_DRIVER_ICH },
+ 	/* CPT */
+ 	{ PCI_DEVICE(0x8086, 0x1c20), .driver_data = AZX_DRIVER_PCH },
+ 	/* PBG */
+ 	{ PCI_DEVICE(0x8086, 0x1d20), .driver_data = AZX_DRIVER_PCH },
+ 	/* SCH */
+ 	{ PCI_DEVICE(0x8086, 0x811b), .driver_data = AZX_DRIVER_SCH },
++	/* Generic Intel */
++	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_ANY_ID),
++	  .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,
++	  .class_mask = 0xffffff,
++	  .driver_data = AZX_DRIVER_ICH },
+ 	/* ATI SB 450/600 */
+ 	{ PCI_DEVICE(0x1002, 0x437b), .driver_data = AZX_DRIVER_ATI },
+ 	{ PCI_DEVICE(0x1002, 0x4383), .driver_data = AZX_DRIVER_ATI },

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch)
@@ -0,0 +1,25 @@
+From: Otavio Salvador <otavio at ossystems.com.br>
+Date: Sun, 26 Sep 2010 23:35:06 -0300
+Subject: ALSA: hda: add Vortex86MX PCI ids
+
+commit e35d4b119578a054515ccb4ed5dddc4e8a81ec15 upstream.
+
+Signed-off-by: Otavio Salvador <otavio at ossystems.com.br>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 5f6f903..ec07e47 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2791,6 +2791,8 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
+ 	/* this entry seems still valid -- i.e. without emu20kx chip */
+ 	{ PCI_DEVICE(0x1102, 0x0009), .driver_data = AZX_DRIVER_GENERIC },
+ #endif
++	/* Vortex86MX */
++	{ PCI_DEVICE(0x17f3, 0x3010), .driver_data = AZX_DRIVER_GENERIC },
+ 	/* AMD/ATI Generic, PCI class code and Vendor ID for HD Audio */
+ 	{ PCI_DEVICE(PCI_VENDOR_ID_ATI, PCI_ANY_ID),
+ 	  .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,

Copied: dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch)
@@ -0,0 +1,35 @@
+From: Seth Heasley <seth.heasley at intel.com>
+Date: Fri, 10 Sep 2010 16:29:56 -0700
+Subject: ALSA: hda_intel: ALSA HD Audio patch for Intel Patsburg DeviceIDs
+
+commit cea310e8f8702226f982f09386cfd3c5793c5e2f upstream.
+
+This patch adds the Intel Patsburg (PCH) HD Audio Controller DeviceIDs.
+
+Signed-off-by: Seth Heasley <seth.heasley at intel.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/pci/hda/hda_intel.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 1053fff..34940a0 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -126,6 +126,7 @@ MODULE_SUPPORTED_DEVICE("{{Intel, ICH6},"
+ 			 "{Intel, ICH10},"
+ 			 "{Intel, PCH},"
+ 			 "{Intel, CPT},"
++			 "{Intel, PBG},"
+ 			 "{Intel, SCH},"
+ 			 "{ATI, SB450},"
+ 			 "{ATI, SB600},"
+@@ -2749,6 +2750,8 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
+ 	{ PCI_DEVICE(0x8086, 0x3b57), .driver_data = AZX_DRIVER_ICH },
+ 	/* CPT */
+ 	{ PCI_DEVICE(0x8086, 0x1c20), .driver_data = AZX_DRIVER_PCH },
++	/* PBG */
++	{ PCI_DEVICE(0x8086, 0x1d20), .driver_data = AZX_DRIVER_PCH },
+ 	/* SCH */
+ 	{ PCI_DEVICE(0x8086, 0x811b), .driver_data = AZX_DRIVER_SCH },
+ 	/* ATI SB 450/600 */

Copied: dists/squeeze-security/linux-2.6/debian/patches/series/47 (from r19767, releases/linux-2.6/2.6.32-47/debian/patches/series/47)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/47	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, releases/linux-2.6/2.6.32-47/debian/patches/series/47)
@@ -0,0 +1,205 @@
++ features/x86/ALSA-hda_intel-ALSA-HD-Audio-patch-for-Intel-Patsbur.patch
++ features/x86/ALSA-hda-Reduce-pci-id-list-for-Intel-with-class-id.patch
++ features/x86/ALSA-hda-add-Vortex86MX-PCI-ids.patch
++ features/x86/ALSA-hda-Add-support-for-VMware-controller.patch
++ features/x86/ALSA-HD-Audio-patch-for-Intel-Panther-Point.patch
++ bugfix/all/header-fix-broken-headers-for-user-space.patch
++ bugfix/all/kernel-panic-when-mount-NFSv4.patch
+
+# Update hpsa to 3.2.35
++ features/all/hpsa/0080-hpsa-defend-against-zero-sized-buffers-in-passthru-i.patch
++ features/all/hpsa/0081-hpsa-fixup-DMA-address-before-freeing.patch
++ features/all/hpsa/0082-hpsa-Remove-duplicate-defines-of-DIRECT_LOOKUP_-cons.patch
++ features/all/hpsa/0083-hpsa-fix-board-status-waiting-code.patch
++ features/all/hpsa/0084-hpsa-Use-kernel-provided-PCI-state-save-and-restore-.patch
++ features/all/hpsa/0085-hpsa-limit-commands-allocated-on-reset_devices.patch
++ features/all/hpsa/0086-hpsa-do-not-reset-unknown-boards-on-reset_devices.patch
++ features/all/hpsa/0087-hpsa-take-the-adapter-lock-in-hpsa_wait_for_mode_cha.patch
++ features/all/hpsa/0088-hpsa-allow-driver-to-put-controller-in-either-simple.patch
++ features/all/hpsa/0089-hpsa-Add-a-per-controller-commands_outstanding-entry.patch
++ features/all/hpsa/0090-hpsa-fix-use-of-uninitialized-variable-in-hpsa_add_m.patch
++ features/all/hpsa/0091-hpsa-Fix-problem-that-CMD_UNABORTABLE-command-status.patch
++ features/all/hpsa/0092-hpsa-avoid-leaking-stack-contents-to-userland.patch
++ features/all/hpsa/0093-hpsa-do-not-re-order-commands-in-internal-queues.patch
++ features/all/hpsa/0094-hpsa-make-hpsa.hpsa_simple_mode-1-module-parameter-a.patch
++ features/all/hpsa/0095-hpsa-Add-transport_mode-host-attribute-in-sys.patch
++ features/all/hpsa/0096-hpsa-Inform-controller-we-are-using-32-bit-tags.patch
++ features/all/hpsa/0097-hpsa-Do-not-attempt-kdump-if-we-detect-resetting-con.patch
++ features/all/hpsa/0098-hpsa-fix-bad-comparison.patch
++ features/all/hpsa/0099-hpsa-fix-incorrect-PCI-IDs-and-add-two-new-ones-2nd-.patch
++ features/all/hpsa/0100-hpsa-move-device-attributes-to-avoid-forward-declara.patch
++ features/all/hpsa/0101-hpsa-export-resettable-host-attribute.patch
++ features/all/hpsa/0102-hpsa-do-readl-after-writel-in-main-i-o-path-to-ensur.patch
++ features/all/hpsa/0103-hpsa-add-readl-after-writel-in-interrupt-mask-settin.patch
++ features/all/hpsa/0104-hpsa-remove-unused-parameter-from-hpsa_complete_scsi.patch
++ features/all/hpsa/0105-hpsa-delete-old-unused-padding-garbage.patch
++ features/all/hpsa/0106-hpsa-do-a-better-job-of-detecting-controller-reset-f.patch
++ features/all/hpsa/0107-hpsa-wait-longer-for-no-op-to-complete-after-resetti.patch
++ features/all/hpsa/0108-hpsa-factor-out-cmd-pool-allocation-functions.patch
++ features/all/hpsa/0109-hpsa-factor-out-irq-request-code.patch
++ features/all/hpsa/0110-hpsa-increase-time-to-wait-for-board-reset.patch
++ features/all/hpsa/0111-hpsa-clarify-messages-around-reset-behavior.patch
++ features/all/hpsa/0112-hpsa-remove-atrophied-hpsa_scsi_setup-function.patch
++ features/all/hpsa/0113-hpsa-use-new-doorbell-bit-5-reset-method.patch
++ features/all/hpsa/0114-hpsa-do-soft-reset-if-hard-reset-is-broken.patch
++ features/all/hpsa/0115-hpsa-remove-superfluous-sleeps-around-reset-code.patch
++ features/all/hpsa/0116-hpsa-do-not-attempt-PCI-power-management-reset-metho.patch
++ features/all/hpsa/0117-hpsa-add-P2000-to-list-of-shared-SAS-devices.patch
++ features/all/hpsa/0118-hpsa-Change-memset-using-sizeof-ptr-to-sizeof-ptr.patch
++ features/all/hpsa/0119-hpsa-fix-dma-unmap-error-in-hpsa_passthru_ioctl.patch
++ features/all/hpsa/0120-hpsa-fix-potential-overrun-while-memcpy-ing-sense-da.patch
++ features/all/hpsa/0121-hpsa-do-not-attempt-to-read-from-a-write-only-regist.patch
++ features/all/hpsa/0122-hpsa-retry-commands-completing-with-status-of-UNSOLI.patch
++ features/all/hpsa/0123-hpsa-fix-problem-that-OBDR-devices-are-not-detected.patch
++ features/all/hpsa/0124-hpsa-fix-physical-device-lun-and-target-numbering-pr.patch
++ features/all/hpsa/0125-hpsa-change-confusing-message-to-be-more-clear.patch
++ features/all/hpsa/0126-hpsa-add-small-delay-when-using-PCI-Power-Management.patch
++ features/all/hpsa/0127-hpsa-set-max-sectors-instead-of-taking-the-default.patch
++ features/all/hpsa/0128-hpsa-remove-unused-busy_initializing-and-busy_scanni.patch
++ features/all/hpsa/0129-hpsa-rename-HPSA_MAX_SCSI_DEVS_PER_HBA.patch
++ features/all/hpsa/0130-hpsa-fix-potential-array-overflow-in-hpsa_update_scs.patch
++ features/all/hpsa/0131-hpsa-fix-flush-cache-transfer-length.patch
++ features/all/hpsa/0132-hpsa-detect-controller-lockup.patch
++ features/all/hpsa/0133-hpsa-Disable-ASPM.patch
++ features/all/hpsa/0134-hpsa-Fix-problem-with-MSA2xxx-devices.patch
++ features/all/hpsa/0135-hpsa-Add-IRQF_SHARED-back-in-for-the-non-MSI-X-inter.patch
++ features/all/hpsa/0136-hpsa-fix-handling-of-protocol-error.patch
++ features/all/hpsa/0137-hpsa-Use-LUN-reset-instead-of-target-reset.patch
++ features/all/hpsa/0138-hpsa-dial-down-lockup-detection-during-firmware-flas.patch
+
+# Update megaraid_sas to 3.0.56
+# First 5 commits already applied in -29
++ features/all/megaraid_sas/0006-megaraid_sas-infrastructure-to-get-pds-from-fw.patch
++ features/all/megaraid_sas/0007-megaraid_sas-add-the-support-for-updating-the-os-after-adding-removing-the-devices-from-fw.patch
++ features/all/megaraid_sas/0008-megaraid_sas-add-the-logical-drive-list-to-driver.patch
++ features/all/megaraid_sas/0009-megaraid_sas-driver-fixed-the-device-update-issue.patch
++ features/all/megaraid_sas/0010-megaraid_sas-add-the-ieee-sge-support-to-sas2-controller.patch
++ features/all/megaraid_sas/0011-megaraid_sas-add-online-controller-reset-to-megaraid-sas-drive.patch
++ features/all/megaraid_sas/0012-megaraid_sas-rename-megaraid_sas.c-to-megaraid_sas_base.c.patch
++ features/all/megaraid_sas/0013-megaraid_sas-add-msi-x-support-and-msix_disable-module-parameter.patch
++ features/all/megaraid_sas/0014-megaraid_sas-make-driver-pci-legacy-i-o-port-free-driver.patch
++ features/all/megaraid_sas/0015-megaraid_sas-use-lowest-memory-bar-for-sr-iov-vf-support.patch
++ features/all/megaraid_sas/0016-megaraid_sas-add-struct-megasas_instance_template-changes.patch
++ features/all/megaraid_sas/0017-megaraid_sas-add-9565-9285-specific-code.patch
++ features/all/megaraid_sas/0018-megaraid_sas-fix-instance-access-in-megasas_reset_timer.patch
++ features/all/megaraid_sas/0019-megaraid_sas-tape-drive-support-fix.patch
++ features/all/megaraid_sas/0020-megaraid_sas-report-system-pds-to-os.patch
++ features/all/megaraid_sas/0021-megaraid_sas-use-the-firmware-boot-timeout-when-waiting-for-commands.patch
++ features/all/megaraid_sas/0022-megaraid_sas-update-version-number-and-documentation.patch
++ features/all/megaraid_sas/0023-megaraid_sas-zero-pad_0-in-mfi-structure.patch
++ features/all/megaraid_sas/0024-megaraid_sas-version-and-documentation-update.patch
++ features/all/megaraid_sas/0025-megaraid_sas-support-devices-update-flag.patch
++ features/all/megaraid_sas/0026-megaraid_sas-add-input-parameter-for-max_sectors.patch
++ features/all/megaraid_sas/0027-megaraid_sas-add-three-times-online-controller-reset.patch
++ features/all/megaraid_sas/0028-megaraid_sas-version-and-documentation-update.patch
++ features/all/megaraid_sas/0029-megaraid_sas-update-gpl-headers.patch
++ features/all/megaraid_sas/0030-megaraid_sas-fix-failure-gotos.patch
++ features/all/megaraid_sas/0031-megaraid_sas-add-missing-check_and_restore_queue_depth-call.patch
++ features/all/megaraid_sas/0032-megaraid_sas-enable-msi-x-before-calling-megasas_init_fw.patch
++ features/all/megaraid_sas/0033-megaraid_sas-call-tasklet_schedule-for-msi-x.patch
++ features/all/megaraid_sas/0034-megaraid_sas-fix-probe_one-to-clear-msi-x-flags-in-kdump.patch
++ features/all/megaraid_sas/0035-megaraid_sas-fix-megasas_build_dcdb_fusion-to-not-filter-by-type_disk.patch
++ features/all/megaraid_sas/0036-megaraid_sas-fix-megasas_build_dcdb_fusion-to-use-correct-lun-field.patch
++ features/all/megaraid_sas/0037-megaraid_sas-add-cfg_cleared-aen.patch
++ features/all/megaraid_sas/0038-megaraid_sas-fix-tasklet_init-call.patch
++ features/all/megaraid_sas/0039-megaraid_sas-fix-fault-state-handling.patch
++ features/all/megaraid_sas/0040-megaraid_sas-fix-max_sectors-for-ieee-sgl.patch
++ features/all/megaraid_sas/0041-megaraid_sas-fix-imr-ocr-support-to-work-correctly.patch
++ features/all/megaraid_sas/0042-megaraid_sas-documentation-update.patch
++ features/all/megaraid_sas/0043-megaraid_sas-add-9565-9285-specific-code-version-bump.patch
++ features/all/megaraid_sas/0044-megaraid_sas-version-and-changelog-update.patch
++ features/all/megaraid_sas/0045-megaraid_sas-remove-msi-x-black-list-use-mfi_reg_state-instead.patch
++ features/all/megaraid_sas/0046-megaraid_sas-remove-un-used-function.patch
++ features/all/megaraid_sas/0047-megaraid_sas-check-mfi_reg_state.fault.resetadapter.patch
++ features/all/megaraid_sas/0048-megaraid_sas-disable-interrupts-free_irq-in-megasas_shutdown.patch
++ features/all/megaraid_sas/0049-megaraid_sas-fix-bug-where-aens-could-be-lost-in-probe-and-resume.patch
++ features/all/megaraid_sas/0050-megaraid_sas-convert-6-10-12-byte-cdb-s-for-fastpath-io.patch
++ features/all/megaraid_sas/0051-megaraid_sas-add-1078-ocr-support.patch
++ features/all/megaraid_sas/0052-megaraid_sas-version-and-changelog-update.patch
++ features/all/megaraid_sas/0053-megaraid_sas-move-poll_aen_lock-initializer.patch
++ features/all/megaraid_sas/0054-megaraid_sas-cosmetic-changes.patch
+
++ bugfix/all/net-fix-route-cache-rebuilds.patch
+
+- bugfix/all/udf-Avoid-run-away-loop-when-partition-table-length-is-corrupted.patch
+- bugfix/all/udf-Fortify-loading-of-sparing-table.patch
+- bugfix/all/locks-fix-checking-of-fcntl_setlease-argument.patch
+- bugfix/all/tcp-Don-t-change-unlocked-socket-state-in-tcp_v4_err.patch
+- bugfix/all/cred-copy_process-should-clear-child-replacement_session_keyring.patch
+- bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
+- bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
+- bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch
+- bugfix/all/dl2k-Clean-up-rio_ioctl.patch
+- bugfix/all/dl2k-use-standard-defines-from-mii.h.patch
+- bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
+- debian/timer-Avoid_ABI-change-from-leap-second-fix.patch
+- bugfix/all/0011-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0010-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0009-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0008-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0007-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0006-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0005-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0004-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0003-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0002-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/all/0001-Fix-for-leap-second-deadlock-and-hrtimer-futex-issue.patch
+- bugfix/x86/usb-Fix-deadlock-in-hid_reset-when-Dell-iDRAC.patch
+- debian/security-Avoid-ABI-change-due-to-personality.h-include.patch
+- bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch
+- bugfix/all/security-fix-compile-error-in-commoncap.c.patch
+- bugfix/all/fcaps-clear-the-same-personality-flags-as-suid-when-fcaps-are-used.patch
+- bugfix/all/hugepages-fix-use-after-free-bug-in-quota-handling.patch
+- bugfix/x86/KVM-Ensure-all-vcpus-are-consistent-with-in-kernel-irqchip-settings.patch
+- bugfix/x86/KVM-disallow-multiple-KVM_CREATE_IRQCHIP.patch
+- bugfix/all/block-Fix-io_context-leak-after-failure-of-clone-with-CLONE_IO.patch
+- bugfix/all/block-Fix-io_context-leak-after-clone-with-CLONE_IO.patch
+- bugfix/x86/x86-mm-Fix-pgd_lock-deadlock.patch
+- bugfix/x86/KVM-fix-missing-checks-in-syscall-emulation.patch
+- bugfix/x86/KVM-extend-struct-x86_emulate_ops-with-get_cpuid.patch
+- bugfix/all/KVM-Device-assignment-permission-checks.patch
+- bugfix/all/KVM-Remove-ability-to-assign-a-device-without-iommu-support.patch
+- bugfix/all/rose-add-length-checks-to-CALL_REQUEST-parsing.patch
+- bugfix/x86/kvm-prevent-starting-pit-timers-in-the-absence-of-irqchip-support.patch
+- bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
++ bugfix/all/stable/2.6.32.60.patch
++ bugfix/ia64/revert-pcdp-use-early_ioremap-early_iounmap-to-acces.patch
++ debian/security-Avoid-ABI-change-due-to-personality.h-include.patch
++ debian/timer-Avoid_ABI-change-from-leap-second-fix.patch
++ bugfix/all/hugetlb-fix-resv_map-leak-in-error-path.patch
++ bugfix/all/mm-fix-vma_resv_map-NULL-pointer.patch
++ bugfix/x86/x86-Don-t-use-the-EFI-reboot-method-by-default.patch
++ debian/random-Avoid-ABI-change-in-irq_desc.patch
++ debian/epoll-Avoid-ABI-change-in-file.patch
+
++ bugfix/x86/drm-i915-Attempt-to-fix-watermark-setup-on-85x-v2.patch
+
++ features/x86/isci/0002-treewide-remove-extra-semicolons-from-various-parts-.patch
++ features/x86/isci/0005-SCSI-isci-fix-support-for-large-smp-requests.patch
++ features/x86/isci/0006-SCSI-isci-fix-missed-unlock-in-apc_agent_timeout.patch
++ features/x86/isci/0007-SCSI-isci-atapi-support.patch
++ features/x86/isci/0008-SCSI-isci-SATA-STP-I-O-is-only-returned-in-the-norma.patch
++ features/x86/isci/0009-SCSI-isci-fix-decode-of-DONE_CRC_ERR-TC-completion-s.patch
++ features/x86/isci/0010-SCSI-isci-The-port-state-should-be-set-to-stopping-o.patch
++ features/x86/isci/0012-SCSI-isci-Lookup-device-references-through-requests-.patch
++ features/x86/isci/0013-SCSI-isci-Immediately-fail-I-O-to-removed-devices.patch
++ features/x86/isci/0014-SCSI-isci-Fix-tag-leak-in-tasks-and-terminated-reque.patch
++ features/x86/isci/0015-SCSI-isci-Handle-task-request-timeouts-correctly.patch
++ features/x86/isci/0016-SCSI-isci-No-task_done-callbacks-in-error-handler-pa.patch
++ features/x86/isci/0017-SCSI-isci-Fix-task-management-for-SMP-SATA-and-on-de.patch
++ features/x86/isci/0018-SCSI-isci-Remove-redundant-isci_request.ttype-field.patch
++ features/x86/isci/0019-SCSI-isci-No-need-to-manage-the-pending-reset-bit-on.patch
++ features/x86/isci/0020-SCSI-isci-Fix-hard-reset-timeout-conditions.patch
++ features/x86/isci/0021-SCSI-isci-revert-bcn-filtering.patch
++ features/x86/isci/0022-SCSI-isci-overriding-max_concurr_spinup-oem-paramete.patch
++ features/x86/isci/0023-isci-fix-oem-parameter-validation-on-single-controll.patch
++ features/x86/isci/0024-isci-fix-isci_pci_probe-generates-warning-on-efi-fai.patch
++ features/x86/isci/0025-isci-copy-fis-0x34-response-into-proper-buffer.patch
+
++ bugfix/all/staging-rtl8192e-Use-skb_tail_pointer.patch
++ bugfix/all/staging-fix-usbip-printk-format-warning.patch
++ bugfix/all/staging-usbip-changed-function-return-type-to-void.patch
++ bugfix/all/staging-speakup-fix-printk-format-warning.patch
++ bugfix/all/staging-fix-wlan-ng-printk-format-warning.patch
++ bugfix/x86/xen-x86-don-t-corrupt-eip-when-returning-from-a-sign.patch
++ bugfix/x86/xen-Fix-stack-corruption-in-xen_failsafe_callback-fo.patch

Copied: dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1 (from r19767, dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1	Tue Jan 22 06:01:55 2013	(r19768, copy of r19767, dists/squeeze-security/linux-2.6/debian/patches/series/46squeeze1)
@@ -0,0 +1,5 @@
++ bugfix/all/usermodehelper-introduce-umh_complete.patch
++ bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
++ bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
++ bugfix/all/kmod-introduce-call_modprobe-helper.patch
++ bugfix/all/kmod-make-__request_module-killable.patch



More information about the Kernel-svn-changes mailing list