diff --git a/config/kernel/linux-rockchip-default.config b/config/kernel/linux-rockchip-default.config index f65560ace3..027388720f 100644 --- a/config/kernel/linux-rockchip-default.config +++ b/config/kernel/linux-rockchip-default.config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 4.4.176 Kernel Configuration +# Linux/arm 4.4.181 Kernel Configuration # CONFIG_ARM=y CONFIG_ARM_HAS_SG_CHAIN=y @@ -62,6 +62,7 @@ CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_GENERIC_IRQ_PROBE=y CONFIG_GENERIC_IRQ_SHOW=y CONFIG_GENERIC_IRQ_SHOW_LEVEL=y +CONFIG_GENERIC_IRQ_MIGRATION=y CONFIG_HARDIRQS_SW_RESEND=y CONFIG_GENERIC_IRQ_CHIP=y CONFIG_IRQ_DOMAIN=y @@ -2185,6 +2186,7 @@ CONFIG_DEVPTS_MULTIPLE_INSTANCES=y # CONFIG_SERIAL_NONSTANDARD is not set # CONFIG_N_GSM is not set # CONFIG_TRACE_SINK is not set +CONFIG_LDISC_AUTOLOAD=y CONFIG_RK_CHAR_DRIVERS=y CONFIG_RK3288_DEVGPIOMEM=y CONFIG_DEVMEM=y @@ -2238,7 +2240,6 @@ CONFIG_HW_RANDOM=y # CONFIG_HW_RANDOM_TIMERIOMEM is not set CONFIG_HW_RANDOM_TPM=y CONFIG_HW_RANDOM_ROCKCHIP=m -# CONFIG_R3964 is not set # CONFIG_RAW_DRIVER is not set CONFIG_TCG_TPM=y # CONFIG_TCG_TIS_I2C_ATMEL is not set diff --git a/patch/kernel/rockchip-default/04-patch-4.4.176-177.patch b/patch/kernel/rockchip-default/04-patch-4.4.176-177.patch new file mode 100644 index 0000000000..fae97628ed --- /dev/null +++ b/patch/kernel/rockchip-default/04-patch-4.4.176-177.patch @@ -0,0 +1,8231 @@ +diff --git a/Makefile b/Makefile +index d7a3b832e0fd..1de443248119 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 176 ++SUBLEVEL = 177 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arc/include/asm/bitops.h b/arch/arc/include/asm/bitops.h +index 0352fb8d21b9..9623ae002f5b 100644 +--- a/arch/arc/include/asm/bitops.h ++++ b/arch/arc/include/asm/bitops.h +@@ -286,7 +286,7 @@ static inline __attribute__ ((const)) int __fls(unsigned long x) + /* + * __ffs: Similar to ffs, but zero based (0-31) + */ +-static inline __attribute__ ((const)) int __ffs(unsigned long word) ++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long word) + { + if (!word) + return word; +@@ -346,9 +346,9 @@ static inline __attribute__ ((const)) int ffs(unsigned long x) + /* + * __ffs: Similar to ffs, but zero based (0-31) + */ +-static inline __attribute__ ((const)) int __ffs(unsigned long x) ++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long x) + { +- int n; ++ unsigned long n; + + asm volatile( + " ffs.f %0, %1 \n" /* 0:31; 31(Z) if src 0 */ +diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h +index 57387b567f34..f077a419cb51 100644 +--- a/arch/arc/include/asm/uaccess.h ++++ b/arch/arc/include/asm/uaccess.h +@@ -209,7 +209,7 @@ __arc_copy_from_user(void *to, const void __user *from, unsigned long n) + */ + "=&r" (tmp), "+r" (to), "+r" (from) + : +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return n; + } +@@ -438,7 +438,7 @@ __arc_copy_to_user(void __user *to, const void *from, unsigned long n) + */ + "=&r" (tmp), "+r" (to), "+r" (from) + : +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return n; + } +@@ -658,7 +658,7 @@ static inline unsigned long __arc_clear_user(void __user *to, unsigned long n) + " .previous \n" + : "+r"(d_char), "+r"(res) + : "i"(0) +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return res; + } +@@ -691,7 +691,7 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count) + " .previous \n" + : "+r"(res), "+r"(dst), "+r"(src), "=r"(val) + : "g"(-EFAULT), "r"(count) +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return res; + } +diff --git a/arch/arc/kernel/head.S b/arch/arc/kernel/head.S +index 689dd867fdff..cd64cb4ef7b0 100644 +--- a/arch/arc/kernel/head.S ++++ b/arch/arc/kernel/head.S +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + .macro CPU_EARLY_SETUP + +@@ -47,6 +48,15 @@ + sr r5, [ARC_REG_DC_CTRL] + + 1: ++ ++#ifdef CONFIG_ISA_ARCV2 ++ ; Unaligned access is disabled at reset, so re-enable early as ++ ; gcc 7.3.1 (ARC GNU 2018.03) onwards generates unaligned access ++ ; by default ++ lr r5, [status32] ++ bset r5, r5, STATUS_AD_BIT ++ kflag r5 ++#endif + .endm + + .section .init.text, "ax",@progbits +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index 34e1569a11ee..3a0277c6c060 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -1475,6 +1475,7 @@ config NR_CPUS + config HOTPLUG_CPU + bool "Support for hot-pluggable CPUs" + depends on SMP ++ select GENERIC_IRQ_MIGRATION + help + Say Y here to experiment with turning CPUs off and on. CPUs + can be controlled through /sys/devices/system/cpu. +diff --git a/arch/arm/boot/dts/exynos3250.dtsi b/arch/arm/boot/dts/exynos3250.dtsi +index 2f30d632f1cc..e81a27214188 100644 +--- a/arch/arm/boot/dts/exynos3250.dtsi ++++ b/arch/arm/boot/dts/exynos3250.dtsi +@@ -150,6 +150,9 @@ + interrupt-controller; + #interrupt-cells = <3>; + interrupt-parent = <&gic>; ++ clock-names = "clkout8"; ++ clocks = <&cmu CLK_FIN_PLL>; ++ #clock-cells = <1>; + }; + + mipi_phy: video-phy@10020710 { +diff --git a/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi b/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi +new file mode 100644 +index 000000000000..c8771c660550 +--- /dev/null ++++ b/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi +@@ -0,0 +1,25 @@ ++/* ++ * Device tree sources for Exynos5420 TMU sensor configuration ++ * ++ * Copyright (c) 2014 Lukasz Majewski ++ * Copyright (c) 2017 Krzysztof Kozlowski ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License version 2 as ++ * published by the Free Software Foundation. ++ * ++ */ ++ ++#include ++ ++#thermal-sensor-cells = <0>; ++samsung,tmu_gain = <8>; ++samsung,tmu_reference_voltage = <16>; ++samsung,tmu_noise_cancel_mode = <4>; ++samsung,tmu_efuse_value = <55>; ++samsung,tmu_min_efuse_value = <0>; ++samsung,tmu_max_efuse_value = <100>; ++samsung,tmu_first_point_trim = <25>; ++samsung,tmu_second_point_trim = <85>; ++samsung,tmu_default_temp_offset = <50>; ++samsung,tmu_cal_type = ; +diff --git a/arch/arm/boot/dts/exynos5420.dtsi b/arch/arm/boot/dts/exynos5420.dtsi +index 1b3d6c769a3c..d5edb7766942 100644 +--- a/arch/arm/boot/dts/exynos5420.dtsi ++++ b/arch/arm/boot/dts/exynos5420.dtsi +@@ -777,7 +777,7 @@ + interrupts = <0 65 0>; + clocks = <&clock CLK_TMU>; + clock-names = "tmu_apbif"; +- #include "exynos4412-tmu-sensor-conf.dtsi" ++ #include "exynos5420-tmu-sensor-conf.dtsi" + }; + + tmu_cpu1: tmu@10064000 { +@@ -786,7 +786,7 @@ + interrupts = <0 183 0>; + clocks = <&clock CLK_TMU>; + clock-names = "tmu_apbif"; +- #include "exynos4412-tmu-sensor-conf.dtsi" ++ #include "exynos5420-tmu-sensor-conf.dtsi" + }; + + tmu_cpu2: tmu@10068000 { +@@ -795,7 +795,7 @@ + interrupts = <0 184 0>; + clocks = <&clock CLK_TMU>, <&clock CLK_TMU>; + clock-names = "tmu_apbif", "tmu_triminfo_apbif"; +- #include "exynos4412-tmu-sensor-conf.dtsi" ++ #include "exynos5420-tmu-sensor-conf.dtsi" + }; + + tmu_cpu3: tmu@1006c000 { +@@ -804,7 +804,7 @@ + interrupts = <0 185 0>; + clocks = <&clock CLK_TMU>, <&clock CLK_TMU_GPU>; + clock-names = "tmu_apbif", "tmu_triminfo_apbif"; +- #include "exynos4412-tmu-sensor-conf.dtsi" ++ #include "exynos5420-tmu-sensor-conf.dtsi" + }; + + tmu_gpu: tmu@100a0000 { +@@ -813,7 +813,7 @@ + interrupts = <0 215 0>; + clocks = <&clock CLK_TMU_GPU>, <&clock CLK_TMU>; + clock-names = "tmu_apbif", "tmu_triminfo_apbif"; +- #include "exynos4412-tmu-sensor-conf.dtsi" ++ #include "exynos5420-tmu-sensor-conf.dtsi" + }; + + thermal-zones { +diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h +index 1bd9510de1b9..cae4df39f02e 100644 +--- a/arch/arm/include/asm/irq.h ++++ b/arch/arm/include/asm/irq.h +@@ -24,7 +24,6 @@ + #ifndef __ASSEMBLY__ + struct irqaction; + struct pt_regs; +-extern void migrate_irqs(void); + + extern void asm_do_IRQ(unsigned int, struct pt_regs *); + void handle_IRQ(unsigned int, struct pt_regs *); +diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c +index 1d45320ee125..900c591913d5 100644 +--- a/arch/arm/kernel/irq.c ++++ b/arch/arm/kernel/irq.c +@@ -31,7 +31,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -119,64 +118,3 @@ int __init arch_probe_nr_irqs(void) + return nr_irqs; + } + #endif +- +-#ifdef CONFIG_HOTPLUG_CPU +-static bool migrate_one_irq(struct irq_desc *desc) +-{ +- struct irq_data *d = irq_desc_get_irq_data(desc); +- const struct cpumask *affinity = irq_data_get_affinity_mask(d); +- struct irq_chip *c; +- bool ret = false; +- +- /* +- * If this is a per-CPU interrupt, or the affinity does not +- * include this CPU, then we have nothing to do. +- */ +- if (irqd_is_per_cpu(d) || !cpumask_test_cpu(smp_processor_id(), affinity)) +- return false; +- +- if (cpumask_any_and(affinity, cpu_online_mask) >= nr_cpu_ids) { +- affinity = cpu_online_mask; +- ret = true; +- } +- +- c = irq_data_get_irq_chip(d); +- if (!c->irq_set_affinity) +- pr_debug("IRQ%u: unable to set affinity\n", d->irq); +- else if (c->irq_set_affinity(d, affinity, false) == IRQ_SET_MASK_OK && ret) +- cpumask_copy(irq_data_get_affinity_mask(d), affinity); +- +- return ret; +-} +- +-/* +- * The current CPU has been marked offline. Migrate IRQs off this CPU. +- * If the affinity settings do not allow other CPUs, force them onto any +- * available CPU. +- * +- * Note: we must iterate over all IRQs, whether they have an attached +- * action structure or not, as we need to get chained interrupts too. +- */ +-void migrate_irqs(void) +-{ +- unsigned int i; +- struct irq_desc *desc; +- unsigned long flags; +- +- local_irq_save(flags); +- +- for_each_irq_desc(i, desc) { +- bool affinity_broken; +- +- raw_spin_lock(&desc->lock); +- affinity_broken = migrate_one_irq(desc); +- raw_spin_unlock(&desc->lock); +- +- if (affinity_broken) +- pr_warn_ratelimited("IRQ%u no longer affine to CPU%u\n", +- i, smp_processor_id()); +- } +- +- local_irq_restore(flags); +-} +-#endif /* CONFIG_HOTPLUG_CPU */ +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index e42be5800f37..08ce9e36dc5a 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -218,7 +218,7 @@ int __cpu_disable(void) + /* + * OK - migrate IRQs away from this CPU + */ +- migrate_irqs(); ++ irq_migrate_all_off_this_cpu(); + + /* + * Flush user cache and TLB mappings, and then remove this CPU +diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c +index 885cd0e0015b..ae61e2ea7255 100644 +--- a/arch/arm/kvm/mmio.c ++++ b/arch/arm/kvm/mmio.c +@@ -87,11 +87,10 @@ static unsigned long mmio_read_buf(char *buf, unsigned int len) + + /** + * kvm_handle_mmio_return -- Handle MMIO loads after user space emulation ++ * or in-kernel IO emulation ++ * + * @vcpu: The VCPU pointer + * @run: The VCPU run struct containing the mmio data +- * +- * This should only be called after returning from userspace for MMIO load +- * emulation. + */ + int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) + { +@@ -207,14 +206,17 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run, + run->mmio.is_write = is_write; + run->mmio.phys_addr = fault_ipa; + run->mmio.len = len; +- memcpy(run->mmio.data, data_buf, len); + + if (!ret) { + /* We handled the access successfully in the kernel. */ ++ if (!is_write) ++ memcpy(run->mmio.data, data_buf, len); + kvm_handle_mmio_return(vcpu, run); + return 1; + } + ++ if (is_write) ++ memcpy(run->mmio.data, data_buf, len); + run->exit_reason = KVM_EXIT_MMIO; + return 0; + } +diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c +index 6ab13d18c636..cde86d1199cf 100644 +--- a/arch/arm/mach-omap2/display.c ++++ b/arch/arm/mach-omap2/display.c +@@ -115,6 +115,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes) + u32 enable_mask, enable_shift; + u32 pipd_mask, pipd_shift; + u32 reg; ++ int ret; + + if (dsi_id == 0) { + enable_mask = OMAP4_DSI1_LANEENABLE_MASK; +@@ -130,7 +131,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes) + return -ENODEV; + } + +- regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, ®); ++ ret = regmap_read(omap4_dsi_mux_syscon, ++ OMAP4_DSIPHY_SYSCON_OFFSET, ++ ®); ++ if (ret) ++ return ret; + + reg &= ~enable_mask; + reg &= ~pipd_mask; +diff --git a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c +index ce2db235dbaf..5e8a306163de 100644 +--- a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c ++++ b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c +@@ -70,16 +70,16 @@ static int osiris_dvs_notify(struct notifier_block *nb, + + switch (val) { + case CPUFREQ_PRECHANGE: +- if (old_dvs & !new_dvs || +- cur_dvs & !new_dvs) { ++ if ((old_dvs && !new_dvs) || ++ (cur_dvs && !new_dvs)) { + pr_debug("%s: exiting dvs\n", __func__); + cur_dvs = false; + gpio_set_value(OSIRIS_GPIO_DVS, 1); + } + break; + case CPUFREQ_POSTCHANGE: +- if (!old_dvs & new_dvs || +- !cur_dvs & new_dvs) { ++ if ((!old_dvs && new_dvs) || ++ (!cur_dvs && new_dvs)) { + pr_debug("entering dvs\n"); + cur_dvs = true; + gpio_set_value(OSIRIS_GPIO_DVS, 0); +diff --git a/arch/arm/plat-pxa/ssp.c b/arch/arm/plat-pxa/ssp.c +index daa1a65f2eb7..6748827c2ec8 100644 +--- a/arch/arm/plat-pxa/ssp.c ++++ b/arch/arm/plat-pxa/ssp.c +@@ -238,8 +238,6 @@ static int pxa_ssp_remove(struct platform_device *pdev) + if (ssp == NULL) + return -ENODEV; + +- iounmap(ssp->mmio_base); +- + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + release_mem_region(res->start, resource_size(res)); + +@@ -249,7 +247,6 @@ static int pxa_ssp_remove(struct platform_device *pdev) + list_del(&ssp->node); + mutex_unlock(&ssp_lock); + +- kfree(ssp); + return 0; + } + +diff --git a/arch/arm64/crypto/aes-ce-ccm-core.S b/arch/arm64/crypto/aes-ce-ccm-core.S +index 3363560c79b7..7bc459d9235c 100644 +--- a/arch/arm64/crypto/aes-ce-ccm-core.S ++++ b/arch/arm64/crypto/aes-ce-ccm-core.S +@@ -74,12 +74,13 @@ ENTRY(ce_aes_ccm_auth_data) + beq 10f + ext v0.16b, v0.16b, v0.16b, #1 /* rotate out the mac bytes */ + b 7b +-8: mov w7, w8 ++8: cbz w8, 91f ++ mov w7, w8 + add w8, w8, #16 + 9: ext v1.16b, v1.16b, v1.16b, #1 + adds w7, w7, #1 + bne 9b +- eor v0.16b, v0.16b, v1.16b ++91: eor v0.16b, v0.16b, v1.16b + st1 {v0.16b}, [x0] + 10: str w8, [x3] + ret +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index 0382eba4bf7b..6299a8a361ee 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -478,8 +478,7 @@ CPU_LE( bic x0, x0, #(3 << 24) ) // Clear the EE and E0E bits for EL1 + /* GICv3 system register access */ + mrs x0, id_aa64pfr0_el1 + ubfx x0, x0, #24, #4 +- cmp x0, #1 +- b.ne 3f ++ cbz x0, 3f + + mrs_s x0, ICC_SRE_EL2 + orr x0, x0, #ICC_SRE_EL2_SRE // Set ICC_SRE_EL2.SRE==1 +diff --git a/arch/m68k/Makefile b/arch/m68k/Makefile +index 0b29dcfef69f..0c736ed58abd 100644 +--- a/arch/m68k/Makefile ++++ b/arch/m68k/Makefile +@@ -59,7 +59,10 @@ cpuflags-$(CONFIG_M5206e) := $(call cc-option,-mcpu=5206e,-m5200) + cpuflags-$(CONFIG_M5206) := $(call cc-option,-mcpu=5206,-m5200) + + KBUILD_AFLAGS += $(cpuflags-y) +-KBUILD_CFLAGS += $(cpuflags-y) -pipe ++KBUILD_CFLAGS += $(cpuflags-y) ++ ++KBUILD_CFLAGS += -pipe -ffreestanding ++ + ifdef CONFIG_MMU + # without -fno-strength-reduce the 53c7xx.c driver fails ;-( + KBUILD_CFLAGS += -fno-strength-reduce -ffixed-a2 +diff --git a/arch/mips/configs/ath79_defconfig b/arch/mips/configs/ath79_defconfig +index 134879c1310a..4ed369c0ec6a 100644 +--- a/arch/mips/configs/ath79_defconfig ++++ b/arch/mips/configs/ath79_defconfig +@@ -74,6 +74,7 @@ CONFIG_SERIAL_8250_CONSOLE=y + # CONFIG_SERIAL_8250_PCI is not set + CONFIG_SERIAL_8250_NR_UARTS=1 + CONFIG_SERIAL_8250_RUNTIME_UARTS=1 ++CONFIG_SERIAL_OF_PLATFORM=y + CONFIG_SERIAL_AR933X=y + CONFIG_SERIAL_AR933X_CONSOLE=y + # CONFIG_HW_RANDOM is not set +diff --git a/arch/mips/jazz/jazzdma.c b/arch/mips/jazz/jazzdma.c +index db6f5afff4ff..ea897912bc71 100644 +--- a/arch/mips/jazz/jazzdma.c ++++ b/arch/mips/jazz/jazzdma.c +@@ -71,14 +71,15 @@ static int __init vdma_init(void) + get_order(VDMA_PGTBL_SIZE)); + BUG_ON(!pgtbl); + dma_cache_wback_inv((unsigned long)pgtbl, VDMA_PGTBL_SIZE); +- pgtbl = (VDMA_PGTBL_ENTRY *)KSEG1ADDR(pgtbl); ++ pgtbl = (VDMA_PGTBL_ENTRY *)CKSEG1ADDR((unsigned long)pgtbl); + + /* + * Clear the R4030 translation table + */ + vdma_pgtbl_init(); + +- r4030_write_reg32(JAZZ_R4030_TRSTBL_BASE, CPHYSADDR(pgtbl)); ++ r4030_write_reg32(JAZZ_R4030_TRSTBL_BASE, ++ CPHYSADDR((unsigned long)pgtbl)); + r4030_write_reg32(JAZZ_R4030_TRSTBL_LIM, VDMA_PGTBL_SIZE); + r4030_write_reg32(JAZZ_R4030_TRSTBL_INV, 0); + +diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c +index dc1180a8bfa1..66736397af9f 100644 +--- a/arch/mips/kernel/irq.c ++++ b/arch/mips/kernel/irq.c +@@ -52,6 +52,7 @@ asmlinkage void spurious_interrupt(void) + void __init init_IRQ(void) + { + int i; ++ unsigned int order = get_order(IRQ_STACK_SIZE); + + for (i = 0; i < NR_IRQS; i++) + irq_set_noprobe(i); +@@ -59,8 +60,7 @@ void __init init_IRQ(void) + arch_init_irq(); + + for_each_possible_cpu(i) { +- int irq_pages = IRQ_STACK_SIZE / PAGE_SIZE; +- void *s = (void *)__get_free_pages(GFP_KERNEL, irq_pages); ++ void *s = (void *)__get_free_pages(GFP_KERNEL, order); + + irq_stack[i] = s; + pr_debug("CPU%d IRQ stack at 0x%p - 0x%p\n", i, +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index ebd8a715fe38..e6102775892d 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -339,7 +339,7 @@ static inline int is_sp_move_ins(union mips_instruction *ip) + static int get_frame_info(struct mips_frame_info *info) + { + bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS); +- union mips_instruction insn, *ip, *ip_end; ++ union mips_instruction insn, *ip; + const unsigned int max_insns = 128; + unsigned int last_insn_size = 0; + unsigned int i; +@@ -351,10 +351,9 @@ static int get_frame_info(struct mips_frame_info *info) + if (!ip) + goto err; + +- ip_end = (void *)ip + info->func_size; +- +- for (i = 0; i < max_insns && ip < ip_end; i++) { ++ for (i = 0; i < max_insns; i++) { + ip = (void *)ip + last_insn_size; ++ + if (is_mmips && mm_insn_16bit(ip->halfword[0])) { + insn.halfword[0] = 0; + insn.halfword[1] = ip->halfword[0]; +diff --git a/arch/powerpc/include/asm/epapr_hcalls.h b/arch/powerpc/include/asm/epapr_hcalls.h +index 334459ad145b..90863245df53 100644 +--- a/arch/powerpc/include/asm/epapr_hcalls.h ++++ b/arch/powerpc/include/asm/epapr_hcalls.h +@@ -508,7 +508,7 @@ static unsigned long epapr_hypercall(unsigned long *in, + + static inline long epapr_hypercall0_1(unsigned int nr, unsigned long *r2) + { +- unsigned long in[8]; ++ unsigned long in[8] = {0}; + unsigned long out[8]; + unsigned long r; + +@@ -520,7 +520,7 @@ static inline long epapr_hypercall0_1(unsigned int nr, unsigned long *r2) + + static inline long epapr_hypercall0(unsigned int nr) + { +- unsigned long in[8]; ++ unsigned long in[8] = {0}; + unsigned long out[8]; + + return epapr_hypercall(in, out, nr); +@@ -528,7 +528,7 @@ static inline long epapr_hypercall0(unsigned int nr) + + static inline long epapr_hypercall1(unsigned int nr, unsigned long p1) + { +- unsigned long in[8]; ++ unsigned long in[8] = {0}; + unsigned long out[8]; + + in[0] = p1; +@@ -538,7 +538,7 @@ static inline long epapr_hypercall1(unsigned int nr, unsigned long p1) + static inline long epapr_hypercall2(unsigned int nr, unsigned long p1, + unsigned long p2) + { +- unsigned long in[8]; ++ unsigned long in[8] = {0}; + unsigned long out[8]; + + in[0] = p1; +@@ -549,7 +549,7 @@ static inline long epapr_hypercall2(unsigned int nr, unsigned long p1, + static inline long epapr_hypercall3(unsigned int nr, unsigned long p1, + unsigned long p2, unsigned long p3) + { +- unsigned long in[8]; ++ unsigned long in[8] = {0}; + unsigned long out[8]; + + in[0] = p1; +@@ -562,7 +562,7 @@ static inline long epapr_hypercall4(unsigned int nr, unsigned long p1, + unsigned long p2, unsigned long p3, + unsigned long p4) + { +- unsigned long in[8]; ++ unsigned long in[8] = {0}; + unsigned long out[8]; + + in[0] = p1; +diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S +index 2405631e91a2..3728e617e17e 100644 +--- a/arch/powerpc/kernel/entry_32.S ++++ b/arch/powerpc/kernel/entry_32.S +@@ -685,6 +685,9 @@ fast_exception_return: + mtcr r10 + lwz r10,_LINK(r11) + mtlr r10 ++ /* Clear the exception_marker on the stack to avoid confusing stacktrace */ ++ li r10, 0 ++ stw r10, 8(r11) + REST_GPR(10, r11) + mtspr SPRN_SRR1,r9 + mtspr SPRN_SRR0,r12 +@@ -915,6 +918,9 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX) + mtcrf 0xFF,r10 + mtlr r11 + ++ /* Clear the exception_marker on the stack to avoid confusing stacktrace */ ++ li r10, 0 ++ stw r10, 8(r1) + /* + * Once we put values in SRR0 and SRR1, we are in a state + * where exceptions are not recoverable, since taking an +@@ -952,6 +958,9 @@ exc_exit_restart_end: + mtlr r11 + lwz r10,_CCR(r1) + mtcrf 0xff,r10 ++ /* Clear the exception_marker on the stack to avoid confusing stacktrace */ ++ li r10, 0 ++ stw r10, 8(r1) + REST_2GPRS(9, r1) + .globl exc_exit_restart + exc_exit_restart: +diff --git a/arch/powerpc/platforms/83xx/suspend-asm.S b/arch/powerpc/platforms/83xx/suspend-asm.S +index 3d1ecd211776..8137f77abad5 100644 +--- a/arch/powerpc/platforms/83xx/suspend-asm.S ++++ b/arch/powerpc/platforms/83xx/suspend-asm.S +@@ -26,13 +26,13 @@ + #define SS_MSR 0x74 + #define SS_SDR1 0x78 + #define SS_LR 0x7c +-#define SS_SPRG 0x80 /* 4 SPRGs */ +-#define SS_DBAT 0x90 /* 8 DBATs */ +-#define SS_IBAT 0xd0 /* 8 IBATs */ +-#define SS_TB 0x110 +-#define SS_CR 0x118 +-#define SS_GPREG 0x11c /* r12-r31 */ +-#define STATE_SAVE_SIZE 0x16c ++#define SS_SPRG 0x80 /* 8 SPRGs */ ++#define SS_DBAT 0xa0 /* 8 DBATs */ ++#define SS_IBAT 0xe0 /* 8 IBATs */ ++#define SS_TB 0x120 ++#define SS_CR 0x128 ++#define SS_GPREG 0x12c /* r12-r31 */ ++#define STATE_SAVE_SIZE 0x17c + + .section .data + .align 5 +@@ -103,6 +103,16 @@ _GLOBAL(mpc83xx_enter_deep_sleep) + stw r7, SS_SPRG+12(r3) + stw r8, SS_SDR1(r3) + ++ mfspr r4, SPRN_SPRG4 ++ mfspr r5, SPRN_SPRG5 ++ mfspr r6, SPRN_SPRG6 ++ mfspr r7, SPRN_SPRG7 ++ ++ stw r4, SS_SPRG+16(r3) ++ stw r5, SS_SPRG+20(r3) ++ stw r6, SS_SPRG+24(r3) ++ stw r7, SS_SPRG+28(r3) ++ + mfspr r4, SPRN_DBAT0U + mfspr r5, SPRN_DBAT0L + mfspr r6, SPRN_DBAT1U +@@ -493,6 +503,16 @@ mpc83xx_deep_resume: + mtspr SPRN_IBAT7U, r6 + mtspr SPRN_IBAT7L, r7 + ++ lwz r4, SS_SPRG+16(r3) ++ lwz r5, SS_SPRG+20(r3) ++ lwz r6, SS_SPRG+24(r3) ++ lwz r7, SS_SPRG+28(r3) ++ ++ mtspr SPRN_SPRG4, r4 ++ mtspr SPRN_SPRG5, r5 ++ mtspr SPRN_SPRG6, r6 ++ mtspr SPRN_SPRG7, r7 ++ + lwz r4, SS_SPRG+0(r3) + lwz r5, SS_SPRG+4(r3) + lwz r6, SS_SPRG+8(r3) +diff --git a/arch/powerpc/platforms/embedded6xx/wii.c b/arch/powerpc/platforms/embedded6xx/wii.c +index 352592d3e44e..7fd19a480422 100644 +--- a/arch/powerpc/platforms/embedded6xx/wii.c ++++ b/arch/powerpc/platforms/embedded6xx/wii.c +@@ -104,6 +104,10 @@ unsigned long __init wii_mmu_mapin_mem2(unsigned long top) + /* MEM2 64MB@0x10000000 */ + delta = wii_hole_start + wii_hole_size; + size = top - delta; ++ ++ if (__map_without_bats) ++ return delta; ++ + for (bl = 128<<10; bl < max_size; bl <<= 1) { + if (bl * 2 > size) + break; +diff --git a/arch/powerpc/platforms/powernv/opal-msglog.c b/arch/powerpc/platforms/powernv/opal-msglog.c +index 44ed78af1a0d..9021b7272889 100644 +--- a/arch/powerpc/platforms/powernv/opal-msglog.c ++++ b/arch/powerpc/platforms/powernv/opal-msglog.c +@@ -92,7 +92,7 @@ out: + } + + static struct bin_attribute opal_msglog_attr = { +- .attr = {.name = "msglog", .mode = 0444}, ++ .attr = {.name = "msglog", .mode = 0400}, + .read = opal_msglog_read + }; + +diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h +index 4928cf0d5af0..fb1251946b45 100644 +--- a/arch/x86/include/asm/page_64_types.h ++++ b/arch/x86/include/asm/page_64_types.h +@@ -2,7 +2,11 @@ + #define _ASM_X86_PAGE_64_DEFS_H + + #ifdef CONFIG_KASAN ++#ifdef CONFIG_KASAN_EXTRA ++#define KASAN_STACK_ORDER 2 ++#else + #define KASAN_STACK_ORDER 1 ++#endif + #else + #define KASAN_STACK_ORDER 0 + #endif +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h +index 6f8eadf0681f..ac6932bf1a01 100644 +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -314,8 +314,7 @@ do { \ + __put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \ + break; \ + case 8: \ +- __put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval, \ +- errret); \ ++ __put_user_asm_u64(x, ptr, retval, errret); \ + break; \ + default: \ + __put_user_bad(); \ +@@ -426,8 +425,10 @@ do { \ + #define __put_user_nocheck(x, ptr, size) \ + ({ \ + int __pu_err; \ ++ __typeof__(*(ptr)) __pu_val; \ ++ __pu_val = x; \ + __uaccess_begin(); \ +- __put_user_size((x), (ptr), (size), __pu_err, -EFAULT); \ ++ __put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT);\ + __uaccess_end(); \ + __builtin_expect(__pu_err, 0); \ + }) +diff --git a/arch/x86/include/asm/uv/bios.h b/arch/x86/include/asm/uv/bios.h +index 8b7594f2d48f..71605c7d5c5c 100644 +--- a/arch/x86/include/asm/uv/bios.h ++++ b/arch/x86/include/asm/uv/bios.h +@@ -48,8 +48,7 @@ enum { + BIOS_STATUS_SUCCESS = 0, + BIOS_STATUS_UNIMPLEMENTED = -ENOSYS, + BIOS_STATUS_EINVAL = -EINVAL, +- BIOS_STATUS_UNAVAIL = -EBUSY, +- BIOS_STATUS_ABORT = -EINTR, ++ BIOS_STATUS_UNAVAIL = -EBUSY + }; + + /* +@@ -112,9 +111,4 @@ extern long system_serial_number; + + extern struct kobject *sgi_uv_kobj; /* /sys/firmware/sgi_uv */ + +-/* +- * EFI runtime lock; cf. firmware/efi/runtime-wrappers.c for details +- */ +-extern struct semaphore __efi_uv_runtime_lock; +- + #endif /* _ASM_X86_UV_BIOS_H */ +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index 9f6151884249..e94e6f16172b 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -716,11 +716,9 @@ static void init_amd_bd(struct cpuinfo_x86 *c) + static void init_amd_zn(struct cpuinfo_x86 *c) + { + set_cpu_cap(c, X86_FEATURE_ZEN); +- /* +- * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects +- * all up to and including B1. +- */ +- if (c->x86_model <= 1 && c->x86_mask <= 1) ++ ++ /* Fix erratum 1076: CPB feature bit not being set in CPUID. */ ++ if (!cpu_has(c, X86_FEATURE_CPB)) + set_cpu_cap(c, X86_FEATURE_CPB); + } + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 0f8a6bbaaa44..0bf17576dd2a 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -168,6 +168,9 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, + struct efi_info *current_ei = &boot_params.efi_info; + struct efi_info *ei = ¶ms->efi_info; + ++ if (!efi_enabled(EFI_RUNTIME_SERVICES)) ++ return 0; ++ + if (!current_ei->efi_memmap_size) + return 0; + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 7ce1a19d9d8b..acbde1249b6f 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -2388,6 +2388,14 @@ static int nested_svm_vmexit(struct vcpu_svm *svm) + kvm_mmu_reset_context(&svm->vcpu); + kvm_mmu_load(&svm->vcpu); + ++ /* ++ * Drop what we picked up for L2 via svm_complete_interrupts() so it ++ * doesn't end up in L1. ++ */ ++ svm->vcpu.arch.nmi_injected = false; ++ kvm_clear_exception_queue(&svm->vcpu); ++ kvm_clear_interrupt_queue(&svm->vcpu); ++ + return 0; + } + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 14553f6c03a6..098be61a6b4c 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -5574,6 +5574,7 @@ static int handle_external_interrupt(struct kvm_vcpu *vcpu) + static int handle_triple_fault(struct kvm_vcpu *vcpu) + { + vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN; ++ vcpu->mmio_needed = 0; + return 0; + } + +@@ -6656,6 +6657,10 @@ static int get_vmx_mem_address(struct kvm_vcpu *vcpu, + /* Addr = segment_base + offset */ + /* offset = base + [index * scale] + displacement */ + off = exit_qualification; /* holds the displacement */ ++ if (addr_size == 1) ++ off = (gva_t)sign_extend64(off, 31); ++ else if (addr_size == 0) ++ off = (gva_t)sign_extend64(off, 15); + if (base_is_valid) + off += kvm_register_read(vcpu, base_reg); + if (index_is_valid) +@@ -6698,10 +6703,16 @@ static int get_vmx_mem_address(struct kvm_vcpu *vcpu, + /* Protected mode: #GP(0)/#SS(0) if the segment is unusable. + */ + exn = (s.unusable != 0); +- /* Protected mode: #GP(0)/#SS(0) if the memory +- * operand is outside the segment limit. ++ ++ /* ++ * Protected mode: #GP(0)/#SS(0) if the memory operand is ++ * outside the segment limit. All CPUs that support VMX ignore ++ * limit checks for flat segments, i.e. segments with base==0, ++ * limit==0xffffffff and of type expand-up data or code. + */ +- exn = exn || (off + sizeof(u64) > s.limit); ++ if (!(s.base == 0 && s.limit == 0xffffffff && ++ ((s.type & 8) || !(s.type & 4)))) ++ exn = exn || (off + sizeof(u64) > s.limit); + } + if (exn) { + kvm_queue_exception_e(vcpu, +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 6bd0538d8ebf..706c5d63a53f 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -6478,6 +6478,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) + } + if (kvm_check_request(KVM_REQ_TRIPLE_FAULT, vcpu)) { + vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN; ++ vcpu->mmio_needed = 0; + r = 0; + goto out; + } +diff --git a/arch/x86/platform/uv/bios_uv.c b/arch/x86/platform/uv/bios_uv.c +index a45a1c5aabea..1584cbed0dce 100644 +--- a/arch/x86/platform/uv/bios_uv.c ++++ b/arch/x86/platform/uv/bios_uv.c +@@ -28,8 +28,7 @@ + + static struct uv_systab uv_systab; + +-static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, +- u64 a4, u64 a5) ++s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) + { + struct uv_systab *tab = &uv_systab; + s64 ret; +@@ -44,19 +43,6 @@ static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, + a1, a2, a3, a4, a5); + return ret; + } +- +-s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) +-{ +- s64 ret; +- +- if (down_interruptible(&__efi_uv_runtime_lock)) +- return BIOS_STATUS_ABORT; +- +- ret = __uv_bios_call(which, a1, a2, a3, a4, a5); +- up(&__efi_uv_runtime_lock); +- +- return ret; +-} + EXPORT_SYMBOL_GPL(uv_bios_call); + + s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, +@@ -65,15 +51,10 @@ s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, + unsigned long bios_flags; + s64 ret; + +- if (down_interruptible(&__efi_uv_runtime_lock)) +- return BIOS_STATUS_ABORT; +- + local_irq_save(bios_flags); +- ret = __uv_bios_call(which, a1, a2, a3, a4, a5); ++ ret = uv_bios_call(which, a1, a2, a3, a4, a5); + local_irq_restore(bios_flags); + +- up(&__efi_uv_runtime_lock); +- + return ret; + } + +diff --git a/arch/xtensa/configs/smp_lx200_defconfig b/arch/xtensa/configs/smp_lx200_defconfig +index 22eeacba37cc..199e05f85e89 100644 +--- a/arch/xtensa/configs/smp_lx200_defconfig ++++ b/arch/xtensa/configs/smp_lx200_defconfig +@@ -35,6 +35,7 @@ CONFIG_SMP=y + CONFIG_HOTPLUG_CPU=y + # CONFIG_INITIALIZE_XTENSA_MMU_INSIDE_VMLINUX is not set + # CONFIG_PCI is not set ++CONFIG_VECTORS_OFFSET=0x00002000 + CONFIG_XTENSA_PLATFORM_XTFPGA=y + CONFIG_CMDLINE_BOOL=y + CONFIG_CMDLINE="earlycon=uart8250,mmio32,0xfd050020,115200n8 console=ttyS0,115200n8 ip=dhcp root=/dev/nfs rw debug" +diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S +index c7b3bedbfffe..e3823b4f9d08 100644 +--- a/arch/xtensa/kernel/head.S ++++ b/arch/xtensa/kernel/head.S +@@ -286,12 +286,13 @@ should_never_return: + + movi a2, cpu_start_ccount + 1: ++ memw + l32i a3, a2, 0 + beqi a3, 0, 1b + movi a3, 0 + s32i a3, a2, 0 +- memw + 1: ++ memw + l32i a3, a2, 0 + beqi a3, 0, 1b + wsr a3, ccount +@@ -328,11 +329,13 @@ ENTRY(cpu_restart) + rsr a0, prid + neg a2, a0 + movi a3, cpu_start_id ++ memw + s32i a2, a3, 0 + #if XCHAL_DCACHE_IS_WRITEBACK + dhwbi a3, 0 + #endif + 1: ++ memw + l32i a2, a3, 0 + dhi a3, 0 + bne a2, a0, 1b +diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c +index 4d02e38514f5..54bb8e0473a0 100644 +--- a/arch/xtensa/kernel/smp.c ++++ b/arch/xtensa/kernel/smp.c +@@ -80,7 +80,7 @@ void __init smp_prepare_cpus(unsigned int max_cpus) + { + unsigned i; + +- for (i = 0; i < max_cpus; ++i) ++ for_each_possible_cpu(i) + set_cpu_present(i, true); + } + +@@ -93,6 +93,11 @@ void __init smp_init_cpus(void) + pr_info("%s: Core Count = %d\n", __func__, ncpus); + pr_info("%s: Core Id = %d\n", __func__, core_id); + ++ if (ncpus > NR_CPUS) { ++ ncpus = NR_CPUS; ++ pr_info("%s: limiting core count by %d\n", __func__, ncpus); ++ } ++ + for (i = 0; i < ncpus; ++i) + set_cpu_possible(i, true); + } +@@ -192,9 +197,11 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts) + int i; + + #ifdef CONFIG_HOTPLUG_CPU +- cpu_start_id = cpu; +- system_flush_invalidate_dcache_range( +- (unsigned long)&cpu_start_id, sizeof(cpu_start_id)); ++ WRITE_ONCE(cpu_start_id, cpu); ++ /* Pairs with the third memw in the cpu_restart */ ++ mb(); ++ system_flush_invalidate_dcache_range((unsigned long)&cpu_start_id, ++ sizeof(cpu_start_id)); + #endif + smp_call_function_single(0, mx_cpu_start, (void *)cpu, 1); + +@@ -203,18 +210,21 @@ static int boot_secondary(unsigned int cpu, struct task_struct *ts) + ccount = get_ccount(); + while (!ccount); + +- cpu_start_ccount = ccount; ++ WRITE_ONCE(cpu_start_ccount, ccount); + +- while (time_before(jiffies, timeout)) { ++ do { ++ /* ++ * Pairs with the first two memws in the ++ * .Lboot_secondary. ++ */ + mb(); +- if (!cpu_start_ccount) +- break; +- } ++ ccount = READ_ONCE(cpu_start_ccount); ++ } while (ccount && time_before(jiffies, timeout)); + +- if (cpu_start_ccount) { ++ if (ccount) { + smp_call_function_single(0, mx_cpu_stop, +- (void *)cpu, 1); +- cpu_start_ccount = 0; ++ (void *)cpu, 1); ++ WRITE_ONCE(cpu_start_ccount, 0); + return -EIO; + } + } +@@ -234,6 +244,7 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle) + pr_debug("%s: Calling wakeup_secondary(cpu:%d, idle:%p, sp: %08lx)\n", + __func__, cpu, idle, start_info.stack); + ++ init_completion(&cpu_running); + ret = boot_secondary(cpu, idle); + if (ret == 0) { + wait_for_completion_timeout(&cpu_running, +@@ -295,8 +306,10 @@ void __cpu_die(unsigned int cpu) + unsigned long timeout = jiffies + msecs_to_jiffies(1000); + while (time_before(jiffies, timeout)) { + system_invalidate_dcache_range((unsigned long)&cpu_start_id, +- sizeof(cpu_start_id)); +- if (cpu_start_id == -cpu) { ++ sizeof(cpu_start_id)); ++ /* Pairs with the second memw in the cpu_restart */ ++ mb(); ++ if (READ_ONCE(cpu_start_id) == -cpu) { + platform_cpu_kill(cpu); + return; + } +diff --git a/arch/xtensa/kernel/time.c b/arch/xtensa/kernel/time.c +index b9ad9feadc2d..a992cb6a47db 100644 +--- a/arch/xtensa/kernel/time.c ++++ b/arch/xtensa/kernel/time.c +@@ -87,7 +87,7 @@ static int ccount_timer_shutdown(struct clock_event_device *evt) + container_of(evt, struct ccount_timer, evt); + + if (timer->irq_enabled) { +- disable_irq(evt->irq); ++ disable_irq_nosync(evt->irq); + timer->irq_enabled = 0; + } + return 0; +diff --git a/crypto/ahash.c b/crypto/ahash.c +index 6978ad86e516..595c4f3657ff 100644 +--- a/crypto/ahash.c ++++ b/crypto/ahash.c +@@ -85,17 +85,17 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk) + int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err) + { + unsigned int alignmask = walk->alignmask; +- unsigned int nbytes = walk->entrylen; + + walk->data -= walk->offset; + +- if (nbytes && walk->offset & alignmask && !err) { +- walk->offset = ALIGN(walk->offset, alignmask + 1); +- nbytes = min(nbytes, +- ((unsigned int)(PAGE_SIZE)) - walk->offset); +- walk->entrylen -= nbytes; ++ if (walk->entrylen && (walk->offset & alignmask) && !err) { ++ unsigned int nbytes; + ++ walk->offset = ALIGN(walk->offset, alignmask + 1); ++ nbytes = min(walk->entrylen, ++ (unsigned int)(PAGE_SIZE - walk->offset)); + if (nbytes) { ++ walk->entrylen -= nbytes; + walk->data += walk->offset; + return nbytes; + } +@@ -115,7 +115,7 @@ int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err) + if (err) + return err; + +- if (nbytes) { ++ if (walk->entrylen) { + walk->offset = 0; + walk->pg++; + return hash_walk_next(walk); +diff --git a/crypto/pcbc.c b/crypto/pcbc.c +index f654965f0933..de81f716cf26 100644 +--- a/crypto/pcbc.c ++++ b/crypto/pcbc.c +@@ -52,7 +52,7 @@ static int crypto_pcbc_encrypt_segment(struct blkcipher_desc *desc, + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; + u8 *dst = walk->dst.virt.addr; +- u8 *iv = walk->iv; ++ u8 * const iv = walk->iv; + + do { + crypto_xor(iv, src, bsize); +@@ -76,7 +76,7 @@ static int crypto_pcbc_encrypt_inplace(struct blkcipher_desc *desc, + int bsize = crypto_cipher_blocksize(tfm); + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; +- u8 *iv = walk->iv; ++ u8 * const iv = walk->iv; + u8 tmpbuf[bsize]; + + do { +@@ -89,8 +89,6 @@ static int crypto_pcbc_encrypt_inplace(struct blkcipher_desc *desc, + src += bsize; + } while ((nbytes -= bsize) >= bsize); + +- memcpy(walk->iv, iv, bsize); +- + return nbytes; + } + +@@ -130,7 +128,7 @@ static int crypto_pcbc_decrypt_segment(struct blkcipher_desc *desc, + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; + u8 *dst = walk->dst.virt.addr; +- u8 *iv = walk->iv; ++ u8 * const iv = walk->iv; + + do { + fn(crypto_cipher_tfm(tfm), dst, src); +@@ -142,8 +140,6 @@ static int crypto_pcbc_decrypt_segment(struct blkcipher_desc *desc, + dst += bsize; + } while ((nbytes -= bsize) >= bsize); + +- memcpy(walk->iv, iv, bsize); +- + return nbytes; + } + +@@ -156,7 +152,7 @@ static int crypto_pcbc_decrypt_inplace(struct blkcipher_desc *desc, + int bsize = crypto_cipher_blocksize(tfm); + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; +- u8 *iv = walk->iv; ++ u8 * const iv = walk->iv; + u8 tmpbuf[bsize]; + + do { +@@ -169,8 +165,6 @@ static int crypto_pcbc_decrypt_inplace(struct blkcipher_desc *desc, + src += bsize; + } while ((nbytes -= bsize) >= bsize); + +- memcpy(walk->iv, iv, bsize); +- + return nbytes; + } + +diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c +index 1521d9a41d25..a899a7abcf63 100644 +--- a/drivers/acpi/device_sysfs.c ++++ b/drivers/acpi/device_sysfs.c +@@ -202,11 +202,15 @@ static int create_of_modalias(struct acpi_device *acpi_dev, char *modalias, + { + struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER }; + const union acpi_object *of_compatible, *obj; ++ acpi_status status; + int len, count; + int i, nval; + char *c; + +- acpi_get_name(acpi_dev->handle, ACPI_SINGLE_NAME, &buf); ++ status = acpi_get_name(acpi_dev->handle, ACPI_SINGLE_NAME, &buf); ++ if (ACPI_FAILURE(status)) ++ return -ENODEV; ++ + /* DT strings are all in lower case */ + for (c = buf.pointer; *c != '\0'; c++) + *c = tolower(*c); +diff --git a/drivers/atm/he.c b/drivers/atm/he.c +index 0f5cb37636bc..010581e8bee0 100644 +--- a/drivers/atm/he.c ++++ b/drivers/atm/he.c +@@ -717,7 +717,7 @@ static int he_init_cs_block_rcm(struct he_dev *he_dev) + instead of '/ 512', use '>> 9' to prevent a call + to divdu3 on x86 platforms + */ +- rate_cps = (unsigned long long) (1 << exp) * (man + 512) >> 9; ++ rate_cps = (unsigned long long) (1UL << exp) * (man + 512) >> 9; + + if (rate_cps < 10) + rate_cps = 10; /* 2.2.1 minimum payload rate is 10 cps */ +diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c +index e613633ffe9c..4e01bf65317a 100644 +--- a/drivers/base/power/wakeup.c ++++ b/drivers/base/power/wakeup.c +@@ -113,7 +113,6 @@ void wakeup_source_drop(struct wakeup_source *ws) + if (!ws) + return; + +- del_timer_sync(&ws->timer); + __pm_relax(ws); + } + EXPORT_SYMBOL_GPL(wakeup_source_drop); +@@ -201,6 +200,13 @@ void wakeup_source_remove(struct wakeup_source *ws) + list_del_rcu(&ws->entry); + spin_unlock_irqrestore(&events_lock, flags); + synchronize_srcu(&wakeup_srcu); ++ ++ del_timer_sync(&ws->timer); ++ /* ++ * Clear timer.function to make wakeup_source_not_registered() treat ++ * this wakeup source as not registered. ++ */ ++ ws->timer.function = NULL; + } + EXPORT_SYMBOL_GPL(wakeup_source_remove); + +diff --git a/drivers/char/applicom.c b/drivers/char/applicom.c +index 14790304b84b..9fcd51095d13 100644 +--- a/drivers/char/applicom.c ++++ b/drivers/char/applicom.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -386,7 +387,11 @@ static ssize_t ac_write(struct file *file, const char __user *buf, size_t count, + TicCard = st_loc.tic_des_from_pc; /* tic number to send */ + IndexCard = NumCard - 1; + +- if((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO) ++ if (IndexCard >= MAX_BOARD) ++ return -EINVAL; ++ IndexCard = array_index_nospec(IndexCard, MAX_BOARD); ++ ++ if (!apbs[IndexCard].RamIO) + return -EINVAL; + + #ifdef DEBUG +@@ -697,6 +702,7 @@ static long ac_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + unsigned char IndexCard; + void __iomem *pmem; + int ret = 0; ++ static int warncount = 10; + volatile unsigned char byte_reset_it; + struct st_ram_io *adgl; + void __user *argp = (void __user *)arg; +@@ -711,16 +717,12 @@ static long ac_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + mutex_lock(&ac_mutex); + IndexCard = adgl->num_card-1; + +- if(cmd != 6 && ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) { +- static int warncount = 10; +- if (warncount) { +- printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number %d\n",(int)IndexCard+1); +- warncount--; +- } +- kfree(adgl); +- mutex_unlock(&ac_mutex); +- return -EINVAL; +- } ++ if (cmd != 6 && IndexCard >= MAX_BOARD) ++ goto err; ++ IndexCard = array_index_nospec(IndexCard, MAX_BOARD); ++ ++ if (cmd != 6 && !apbs[IndexCard].RamIO) ++ goto err; + + switch (cmd) { + +@@ -838,5 +840,16 @@ static long ac_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + kfree(adgl); + mutex_unlock(&ac_mutex); + return 0; ++ ++err: ++ if (warncount) { ++ pr_warn("APPLICOM driver IOCTL, bad board number %d\n", ++ (int)IndexCard + 1); ++ warncount--; ++ } ++ kfree(adgl); ++ mutex_unlock(&ac_mutex); ++ return -EINVAL; ++ + } + +diff --git a/drivers/clk/ingenic/cgu.c b/drivers/clk/ingenic/cgu.c +index 7cfb7b2a2ed6..8878efb80620 100644 +--- a/drivers/clk/ingenic/cgu.c ++++ b/drivers/clk/ingenic/cgu.c +@@ -355,16 +355,16 @@ ingenic_clk_round_rate(struct clk_hw *hw, unsigned long req_rate, + struct ingenic_clk *ingenic_clk = to_ingenic_clk(hw); + struct ingenic_cgu *cgu = ingenic_clk->cgu; + const struct ingenic_cgu_clk_info *clk_info; +- long rate = *parent_rate; ++ unsigned int div = 1; + + clk_info = &cgu->clock_info[ingenic_clk->idx]; + + if (clk_info->type & CGU_CLK_DIV) +- rate /= ingenic_clk_calc_div(clk_info, *parent_rate, req_rate); ++ div = ingenic_clk_calc_div(clk_info, *parent_rate, req_rate); + else if (clk_info->type & CGU_CLK_FIXDIV) +- rate /= clk_info->fixdiv.div; ++ div = clk_info->fixdiv.div; + +- return rate; ++ return DIV_ROUND_UP(*parent_rate, div); + } + + static int +@@ -384,7 +384,7 @@ ingenic_clk_set_rate(struct clk_hw *hw, unsigned long req_rate, + + if (clk_info->type & CGU_CLK_DIV) { + div = ingenic_clk_calc_div(clk_info, parent_rate, req_rate); +- rate = parent_rate / div; ++ rate = DIV_ROUND_UP(parent_rate, div); + + if (rate != req_rate) + return -EINVAL; +diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c +index 47f8aafe3344..d65a6036d610 100644 +--- a/drivers/clocksource/exynos_mct.c ++++ b/drivers/clocksource/exynos_mct.c +@@ -379,6 +379,13 @@ static void exynos4_mct_tick_start(unsigned long cycles, + exynos4_mct_write(tmp, mevt->base + MCT_L_TCON_OFFSET); + } + ++static void exynos4_mct_tick_clear(struct mct_clock_event_device *mevt) ++{ ++ /* Clear the MCT tick interrupt */ ++ if (readl_relaxed(reg_base + mevt->base + MCT_L_INT_CSTAT_OFFSET) & 1) ++ exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET); ++} ++ + static int exynos4_tick_set_next_event(unsigned long cycles, + struct clock_event_device *evt) + { +@@ -395,6 +402,7 @@ static int set_state_shutdown(struct clock_event_device *evt) + + mevt = container_of(evt, struct mct_clock_event_device, evt); + exynos4_mct_tick_stop(mevt); ++ exynos4_mct_tick_clear(mevt); + return 0; + } + +@@ -411,8 +419,11 @@ static int set_state_periodic(struct clock_event_device *evt) + return 0; + } + +-static void exynos4_mct_tick_clear(struct mct_clock_event_device *mevt) ++static irqreturn_t exynos4_mct_tick_isr(int irq, void *dev_id) + { ++ struct mct_clock_event_device *mevt = dev_id; ++ struct clock_event_device *evt = &mevt->evt; ++ + /* + * This is for supporting oneshot mode. + * Mct would generate interrupt periodically +@@ -421,16 +432,6 @@ static void exynos4_mct_tick_clear(struct mct_clock_event_device *mevt) + if (!clockevent_state_periodic(&mevt->evt)) + exynos4_mct_tick_stop(mevt); + +- /* Clear the MCT tick interrupt */ +- if (readl_relaxed(reg_base + mevt->base + MCT_L_INT_CSTAT_OFFSET) & 1) +- exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET); +-} +- +-static irqreturn_t exynos4_mct_tick_isr(int irq, void *dev_id) +-{ +- struct mct_clock_event_device *mevt = dev_id; +- struct clock_event_device *evt = &mevt->evt; +- + exynos4_mct_tick_clear(mevt); + + evt->event_handler(evt); +diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c +index f3307fc38e79..f2d1fea23fbf 100644 +--- a/drivers/crypto/caam/caamalg.c ++++ b/drivers/crypto/caam/caamalg.c +@@ -2081,6 +2081,7 @@ static void init_aead_job(struct aead_request *req, + if (unlikely(req->src != req->dst)) { + if (!edesc->dst_nents) { + dst_dma = sg_dma_address(req->dst); ++ out_options = 0; + } else { + dst_dma = edesc->sec4_sg_dma + + sec4_sg_index * +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 82a7c89caae2..af24c5bf32d6 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -203,6 +203,7 @@ struct at_xdmac_chan { + u32 save_cim; + u32 save_cnda; + u32 save_cndc; ++ u32 irq_status; + unsigned long status; + struct tasklet_struct tasklet; + struct dma_slave_config sconfig; +@@ -1582,8 +1583,8 @@ static void at_xdmac_tasklet(unsigned long data) + struct at_xdmac_desc *desc; + u32 error_mask; + +- dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08lx\n", +- __func__, atchan->status); ++ dev_dbg(chan2dev(&atchan->chan), "%s: status=0x%08x\n", ++ __func__, atchan->irq_status); + + error_mask = AT_XDMAC_CIS_RBEIS + | AT_XDMAC_CIS_WBEIS +@@ -1591,15 +1592,15 @@ static void at_xdmac_tasklet(unsigned long data) + + if (at_xdmac_chan_is_cyclic(atchan)) { + at_xdmac_handle_cyclic(atchan); +- } else if ((atchan->status & AT_XDMAC_CIS_LIS) +- || (atchan->status & error_mask)) { ++ } else if ((atchan->irq_status & AT_XDMAC_CIS_LIS) ++ || (atchan->irq_status & error_mask)) { + struct dma_async_tx_descriptor *txd; + +- if (atchan->status & AT_XDMAC_CIS_RBEIS) ++ if (atchan->irq_status & AT_XDMAC_CIS_RBEIS) + dev_err(chan2dev(&atchan->chan), "read bus error!!!"); +- if (atchan->status & AT_XDMAC_CIS_WBEIS) ++ if (atchan->irq_status & AT_XDMAC_CIS_WBEIS) + dev_err(chan2dev(&atchan->chan), "write bus error!!!"); +- if (atchan->status & AT_XDMAC_CIS_ROIS) ++ if (atchan->irq_status & AT_XDMAC_CIS_ROIS) + dev_err(chan2dev(&atchan->chan), "request overflow error!!!"); + + spin_lock_bh(&atchan->lock); +@@ -1654,7 +1655,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void *dev_id) + atchan = &atxdmac->chan[i]; + chan_imr = at_xdmac_chan_read(atchan, AT_XDMAC_CIM); + chan_status = at_xdmac_chan_read(atchan, AT_XDMAC_CIS); +- atchan->status = chan_status & chan_imr; ++ atchan->irq_status = chan_status & chan_imr; + dev_vdbg(atxdmac->dma.dev, + "%s: chan%d: imr=0x%x, status=0x%x\n", + __func__, i, chan_imr, chan_status); +@@ -1668,7 +1669,7 @@ static irqreturn_t at_xdmac_interrupt(int irq, void *dev_id) + at_xdmac_chan_read(atchan, AT_XDMAC_CDA), + at_xdmac_chan_read(atchan, AT_XDMAC_CUBC)); + +- if (atchan->status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS)) ++ if (atchan->irq_status & (AT_XDMAC_CIS_RBEIS | AT_XDMAC_CIS_WBEIS)) + at_xdmac_write(atxdmac, AT_XDMAC_GD, atchan->mask); + + tasklet_schedule(&atchan->tasklet); +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c +index 6796eb1a8a4c..884aecebb249 100644 +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -563,11 +563,9 @@ static int dmatest_func(void *data) + srcs[i] = um->addr[i] + src_off; + ret = dma_mapping_error(dev->dev, um->addr[i]); + if (ret) { +- dmaengine_unmap_put(um); + result("src mapping error", total_tests, + src_off, dst_off, len, ret); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + um->to_cnt++; + } +@@ -582,11 +580,9 @@ static int dmatest_func(void *data) + DMA_BIDIRECTIONAL); + ret = dma_mapping_error(dev->dev, dsts[i]); + if (ret) { +- dmaengine_unmap_put(um); + result("dst mapping error", total_tests, + src_off, dst_off, len, ret); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + um->bidi_cnt++; + } +@@ -611,12 +607,10 @@ static int dmatest_func(void *data) + } + + if (!tx) { +- dmaengine_unmap_put(um); + result("prep error", total_tests, src_off, + dst_off, len, ret); + msleep(100); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + + done->done = false; +@@ -625,12 +619,10 @@ static int dmatest_func(void *data) + cookie = tx->tx_submit(tx); + + if (dma_submit_error(cookie)) { +- dmaengine_unmap_put(um); + result("submit error", total_tests, src_off, + dst_off, len, ret); + msleep(100); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + dma_async_issue_pending(chan); + +@@ -643,16 +635,14 @@ static int dmatest_func(void *data) + dmaengine_unmap_put(um); + result("test timed out", total_tests, src_off, dst_off, + len, 0); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } else if (status != DMA_COMPLETE) { + dmaengine_unmap_put(um); + result(status == DMA_ERROR ? + "completion error status" : + "completion busy status", total_tests, src_off, + dst_off, len, ret); +- failed_tests++; +- continue; ++ goto error_unmap_continue; + } + + dmaengine_unmap_put(um); +@@ -691,6 +681,12 @@ static int dmatest_func(void *data) + verbose_result("test passed", total_tests, src_off, + dst_off, len, 0); + } ++ ++ continue; ++ ++error_unmap_continue: ++ dmaengine_unmap_put(um); ++ failed_tests++; + } + runtime = ktime_us_delta(ktime_get(), ktime); + +diff --git a/drivers/dma/sh/usb-dmac.c b/drivers/dma/sh/usb-dmac.c +index 6682b3eec2b6..cc8fc601ed47 100644 +--- a/drivers/dma/sh/usb-dmac.c ++++ b/drivers/dma/sh/usb-dmac.c +@@ -700,6 +700,8 @@ static int usb_dmac_runtime_resume(struct device *dev) + #endif /* CONFIG_PM */ + + static const struct dev_pm_ops usb_dmac_pm = { ++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, ++ pm_runtime_force_resume) + SET_RUNTIME_PM_OPS(usb_dmac_runtime_suspend, usb_dmac_runtime_resume, + NULL) + }; +diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c +index 906d0224f50d..228bbf910461 100644 +--- a/drivers/firmware/efi/runtime-wrappers.c ++++ b/drivers/firmware/efi/runtime-wrappers.c +@@ -87,13 +87,6 @@ static DEFINE_SPINLOCK(efi_runtime_lock); + * context through efi_pstore_write(). + */ + +-/* +- * Expose the EFI runtime lock to the UV platform +- */ +-#ifdef CONFIG_X86_UV +-extern struct semaphore __efi_uv_runtime_lock __alias(efi_runtime_lock); +-#endif +- + /* + * As per commit ef68c8f87ed1 ("x86: Serialize EFI time accesses on rtc_lock"), + * the EFI specification requires that callers of the time related runtime +diff --git a/drivers/firmware/iscsi_ibft.c b/drivers/firmware/iscsi_ibft.c +index 72791232e46b..437c8ef90643 100644 +--- a/drivers/firmware/iscsi_ibft.c ++++ b/drivers/firmware/iscsi_ibft.c +@@ -513,6 +513,7 @@ static umode_t __init ibft_check_tgt_for(void *data, int type) + case ISCSI_BOOT_TGT_NIC_ASSOC: + case ISCSI_BOOT_TGT_CHAP_TYPE: + rc = S_IRUGO; ++ break; + case ISCSI_BOOT_TGT_NAME: + if (tgt->tgt_name_len) + rc = S_IRUGO; +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index 87b950cec6ec..db95c4b99a74 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -227,6 +227,7 @@ static int vf610_gpio_probe(struct platform_device *pdev) + struct vf610_gpio_port *port; + struct resource *iores; + struct gpio_chip *gc; ++ int i; + int ret; + + port = devm_kzalloc(&pdev->dev, sizeof(*port), GFP_KERNEL); +@@ -265,6 +266,10 @@ static int vf610_gpio_probe(struct platform_device *pdev) + if (ret < 0) + return ret; + ++ /* Mask all GPIO interrupts */ ++ for (i = 0; i < gc->ngpio; i++) ++ vf610_gpio_writel(0, port->base + PORT_PCR(i)); ++ + /* Clear the interrupt status register for all GPIO's */ + vf610_gpio_writel(~0, port->base + PORT_ISFR); + +diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c +index 9a78c48817c6..909a52b21ebe 100644 +--- a/drivers/gpu/drm/msm/msm_rd.c ++++ b/drivers/gpu/drm/msm/msm_rd.c +@@ -103,7 +103,9 @@ static void rd_write(struct msm_rd_state *rd, const void *buf, int sz) + char *fptr = &fifo->buf[fifo->head]; + int n; + +- wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0); ++ wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0 || !rd->open); ++ if (!rd->open) ++ return; + + n = min(sz, circ_space_to_end(&rd->fifo)); + memcpy(fptr, ptr, n); +@@ -192,7 +194,10 @@ out: + static int rd_release(struct inode *inode, struct file *file) + { + struct msm_rd_state *rd = inode->i_private; ++ + rd->open = false; ++ wake_up_all(&rd->fifo_event); ++ + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c +index 46f87d4aaf31..782fee330b4c 100644 +--- a/drivers/gpu/drm/radeon/evergreen_cs.c ++++ b/drivers/gpu/drm/radeon/evergreen_cs.c +@@ -1299,6 +1299,7 @@ static int evergreen_cs_handle_reg(struct radeon_cs_parser *p, u32 reg, u32 idx) + return -EINVAL; + } + ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff); ++ break; + case CB_TARGET_MASK: + track->cb_target_mask = radeon_get_ib_value(p, idx); + track->cb_dirty = true; +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index 5030cba4a581..df295a0ce87d 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -746,8 +746,8 @@ static struct ipu_devtype ipu_type_imx51 = { + .cpmem_ofs = 0x1f000000, + .srm_ofs = 0x1f040000, + .tpm_ofs = 0x1f060000, +- .csi0_ofs = 0x1f030000, +- .csi1_ofs = 0x1f038000, ++ .csi0_ofs = 0x1e030000, ++ .csi1_ofs = 0x1e038000, + .ic_ofs = 0x1e020000, + .disp0_ofs = 0x1e040000, + .disp1_ofs = 0x1e048000, +@@ -762,8 +762,8 @@ static struct ipu_devtype ipu_type_imx53 = { + .cpmem_ofs = 0x07000000, + .srm_ofs = 0x07040000, + .tpm_ofs = 0x07060000, +- .csi0_ofs = 0x07030000, +- .csi1_ofs = 0x07038000, ++ .csi0_ofs = 0x06030000, ++ .csi1_ofs = 0x06038000, + .ic_ofs = 0x06020000, + .disp0_ofs = 0x06040000, + .disp1_ofs = 0x06048000, +diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c +index 2dc5378ccd3a..eb43943cdf07 100644 +--- a/drivers/hwtracing/intel_th/gth.c ++++ b/drivers/hwtracing/intel_th/gth.c +@@ -591,11 +591,15 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev, + { + struct gth_device *gth = dev_get_drvdata(&thdev->dev); + int port = othdev->output.port; ++ int master; + + spin_lock(>h->gth_lock); + othdev->output.port = -1; + othdev->output.active = false; + gth->output[port].output = NULL; ++ for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++) ++ if (gth->master[master] == port) ++ gth->master[master] = -1; + spin_unlock(>h->gth_lock); + } + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index 99434f5be34c..92ab51aa8a74 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -229,6 +229,9 @@ static int find_free_channels(unsigned long *bitmap, unsigned int start, + ; + if (i == width) + return pos; ++ ++ /* step over [pos..pos+i) to continue search */ ++ pos += i; + } + + return -1; +@@ -474,7 +477,7 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg) + { + struct stm_device *stm = stmf->stm; + struct stp_policy_id *id; +- int ret = -EINVAL; ++ int ret = -EINVAL, wlimit = 1; + u32 size; + + if (stmf->output.nr_chans) +@@ -502,8 +505,10 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg) + if (id->__reserved_0 || id->__reserved_1) + goto err_free; + +- if (id->width < 1 || +- id->width > PAGE_SIZE / stm->data->sw_mmiosz) ++ if (stm->data->sw_mmiosz) ++ wlimit = PAGE_SIZE / stm->data->sw_mmiosz; ++ ++ if (id->width < 1 || id->width > wlimit) + goto err_free; + + ret = stm_file_assign(stmf, id->id, id->width); +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index 84deed6571bd..6d32e6da3110 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -378,8 +378,10 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if (id->recv_count > CDNS_I2C_FIFO_DEPTH) ++ if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) + ctrl_reg |= CDNS_I2C_CR_HOLD; ++ else ++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; + + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + +@@ -436,8 +438,11 @@ static void cdns_i2c_msend(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if (id->send_count > CDNS_I2C_FIFO_DEPTH) ++ if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) + ctrl_reg |= CDNS_I2C_CR_HOLD; ++ else ++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; ++ + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + + /* Clear the interrupts in interrupt status register. */ +diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c +index a0522fcc4ff8..1004422dbb10 100644 +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -696,7 +696,7 @@ static const struct i2c_algorithm tegra_i2c_algo = { + /* payload size is only 12 bit */ + static struct i2c_adapter_quirks tegra_i2c_quirks = { + .max_read_len = 4096, +- .max_write_len = 4096, ++ .max_write_len = 4096 - 12, + }; + + static const struct tegra_i2c_hw_feature tegra20_i2c_hw = { +diff --git a/drivers/infiniband/hw/qib/qib_ud.c b/drivers/infiniband/hw/qib/qib_ud.c +index 59193f67ea78..56bd59bc08b5 100644 +--- a/drivers/infiniband/hw/qib/qib_ud.c ++++ b/drivers/infiniband/hw/qib/qib_ud.c +@@ -515,7 +515,6 @@ void qib_ud_rcv(struct qib_ibport *ibp, struct qib_ib_header *hdr, + opcode == IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) { + wc.ex.imm_data = ohdr->u.ud.imm_data; + wc.wc_flags = IB_WC_WITH_IMM; +- tlen -= sizeof(u32); + } else if (opcode == IB_OPCODE_UD_SEND_ONLY) { + wc.ex.imm_data = 0; + wc.wc_flags = 0; +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index 1897c4080346..3dbc3ed263c2 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -2594,7 +2594,6 @@ static int srp_reset_device(struct scsi_cmnd *scmnd) + { + struct srp_target_port *target = host_to_target(scmnd->device->host); + struct srp_rdma_ch *ch; +- int i, j; + u8 status; + + shost_printk(KERN_ERR, target->scsi_host, "SRP reset_device called\n"); +@@ -2606,15 +2605,6 @@ static int srp_reset_device(struct scsi_cmnd *scmnd) + if (status) + return FAILED; + +- for (i = 0; i < target->ch_count; i++) { +- ch = &target->ch[i]; +- for (j = 0; j < target->req_ring_size; ++j) { +- struct srp_request *req = &ch->req_ring[j]; +- +- srp_finish_req(ch, req, scmnd->device, DID_RESET << 16); +- } +- } +- + return SUCCESS; + } + +diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c +index c64d87442a62..2e12e31f45c5 100644 +--- a/drivers/input/keyboard/matrix_keypad.c ++++ b/drivers/input/keyboard/matrix_keypad.c +@@ -220,7 +220,7 @@ static void matrix_keypad_stop(struct input_dev *dev) + keypad->stopped = true; + spin_unlock_irq(&keypad->lock); + +- flush_work(&keypad->work.work); ++ flush_delayed_work(&keypad->work); + /* + * matrix_keypad_scan() will leave IRQs enabled; + * we should disable them now. +diff --git a/drivers/input/keyboard/st-keyscan.c b/drivers/input/keyboard/st-keyscan.c +index de7be4f03d91..ebf9f643d910 100644 +--- a/drivers/input/keyboard/st-keyscan.c ++++ b/drivers/input/keyboard/st-keyscan.c +@@ -153,6 +153,8 @@ static int keyscan_probe(struct platform_device *pdev) + + input_dev->id.bustype = BUS_HOST; + ++ keypad_data->input_dev = input_dev; ++ + error = keypad_matrix_key_parse_dt(keypad_data); + if (error) + return error; +@@ -168,8 +170,6 @@ static int keyscan_probe(struct platform_device *pdev) + + input_set_drvdata(input_dev, keypad_data); + +- keypad_data->input_dev = input_dev; +- + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + keypad_data->base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(keypad_data->base)) +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 25ce9047b682..16f5d5660053 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1241,6 +1241,7 @@ static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN0000", 0 }, + { "ELAN0100", 0 }, + { "ELAN0600", 0 }, ++ { "ELAN0601", 0 }, + { "ELAN0602", 0 }, + { "ELAN0605", 0 }, + { "ELAN0608", 0 }, +diff --git a/drivers/input/tablet/wacom_serial4.c b/drivers/input/tablet/wacom_serial4.c +index 20ab802461e7..1d46b763aae6 100644 +--- a/drivers/input/tablet/wacom_serial4.c ++++ b/drivers/input/tablet/wacom_serial4.c +@@ -187,6 +187,7 @@ enum { + MODEL_DIGITIZER_II = 0x5544, /* UD */ + MODEL_GRAPHIRE = 0x4554, /* ET */ + MODEL_PENPARTNER = 0x4354, /* CT */ ++ MODEL_ARTPAD_II = 0x4B54, /* KT */ + }; + + static void wacom_handle_model_response(struct wacom *wacom) +@@ -245,6 +246,7 @@ static void wacom_handle_model_response(struct wacom *wacom) + wacom->flags = F_HAS_STYLUS2 | F_HAS_SCROLLWHEEL; + break; + ++ case MODEL_ARTPAD_II: + case MODEL_DIGITIZER_II: + wacom->dev->name = "Wacom Digitizer II"; + wacom->dev->id.version = MODEL_DIGITIZER_II; +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index 52c36394dba5..0ad8b7c78a43 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1982,6 +1982,7 @@ static void do_attach(struct iommu_dev_data *dev_data, + + static void do_detach(struct iommu_dev_data *dev_data) + { ++ struct protection_domain *domain = dev_data->domain; + struct amd_iommu *iommu; + u16 alias; + +@@ -1997,10 +1998,6 @@ static void do_detach(struct iommu_dev_data *dev_data) + iommu = amd_iommu_rlookup_table[dev_data->devid]; + alias = dev_data->alias; + +- /* decrease reference counters */ +- dev_data->domain->dev_iommu[iommu->index] -= 1; +- dev_data->domain->dev_cnt -= 1; +- + /* Update data structures */ + dev_data->domain = NULL; + list_del(&dev_data->list); +@@ -2010,6 +2007,16 @@ static void do_detach(struct iommu_dev_data *dev_data) + + /* Flush the DTE entry */ + device_flush_dte(dev_data); ++ ++ /* Flush IOTLB */ ++ domain_flush_tlb_pde(domain); ++ ++ /* Wait for the flushes to finish */ ++ domain_flush_complete(domain); ++ ++ /* decrease reference counters - needs to happen after the flushes */ ++ domain->dev_iommu[iommu->index] -= 1; ++ domain->dev_cnt -= 1; + } + + /* +diff --git a/drivers/irqchip/irq-mmp.c b/drivers/irqchip/irq-mmp.c +index 013fc9659a84..2fe2bcb63a71 100644 +--- a/drivers/irqchip/irq-mmp.c ++++ b/drivers/irqchip/irq-mmp.c +@@ -34,6 +34,9 @@ + #define SEL_INT_PENDING (1 << 6) + #define SEL_INT_NUM_MASK 0x3f + ++#define MMP2_ICU_INT_ROUTE_PJ4_IRQ (1 << 5) ++#define MMP2_ICU_INT_ROUTE_PJ4_FIQ (1 << 6) ++ + struct icu_chip_data { + int nr_irqs; + unsigned int virq_base; +@@ -190,7 +193,8 @@ static struct mmp_intc_conf mmp_conf = { + static struct mmp_intc_conf mmp2_conf = { + .conf_enable = 0x20, + .conf_disable = 0x0, +- .conf_mask = 0x7f, ++ .conf_mask = MMP2_ICU_INT_ROUTE_PJ4_IRQ | ++ MMP2_ICU_INT_ROUTE_PJ4_FIQ, + }; + + static void __exception_irq_entry mmp_handle_irq(struct pt_regs *regs) +diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c +index 4d9b195547c5..df2a10157720 100644 +--- a/drivers/isdn/hardware/avm/b1.c ++++ b/drivers/isdn/hardware/avm/b1.c +@@ -423,7 +423,7 @@ void b1_parse_version(avmctrl_info *cinfo) + int i, j; + + for (j = 0; j < AVM_MAXVERSION; j++) +- cinfo->version[j] = "\0\0" + 1; ++ cinfo->version[j] = ""; + for (i = 0, j = 0; + j < AVM_MAXVERSION && i < cinfo->versionlen; + j++, i += cinfo->versionbuf[i] + 1) +diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c +index 2175225af742..2da3f5cd0729 100644 +--- a/drivers/isdn/i4l/isdn_tty.c ++++ b/drivers/isdn/i4l/isdn_tty.c +@@ -786,7 +786,7 @@ isdn_tty_suspend(char *id, modem_info *info, atemu *m) + cmd.parm.cmsg.para[3] = 4; /* 16 bit 0x0004 Suspend */ + cmd.parm.cmsg.para[4] = 0; + cmd.parm.cmsg.para[5] = l; +- strncpy(&cmd.parm.cmsg.para[6], id, l); ++ strscpy(&cmd.parm.cmsg.para[6], id, l); + cmd.command = CAPI_PUT_MESSAGE; + cmd.driver = info->isdn_driver; + cmd.arg = info->isdn_channel; +@@ -1459,15 +1459,19 @@ isdn_tty_set_termios(struct tty_struct *tty, struct ktermios *old_termios) + { + modem_info *info = (modem_info *) tty->driver_data; + ++ mutex_lock(&modem_info_mutex); + if (!old_termios) + isdn_tty_change_speed(info); + else { + if (tty->termios.c_cflag == old_termios->c_cflag && + tty->termios.c_ispeed == old_termios->c_ispeed && +- tty->termios.c_ospeed == old_termios->c_ospeed) ++ tty->termios.c_ospeed == old_termios->c_ospeed) { ++ mutex_unlock(&modem_info_mutex); + return; ++ } + isdn_tty_change_speed(info); + } ++ mutex_unlock(&modem_info_mutex); + } + + /* +diff --git a/drivers/leds/leds-lp5523.c b/drivers/leds/leds-lp5523.c +index 1d0187f42941..d12370352ae3 100644 +--- a/drivers/leds/leds-lp5523.c ++++ b/drivers/leds/leds-lp5523.c +@@ -318,7 +318,9 @@ static int lp5523_init_program_engine(struct lp55xx_chip *chip) + + /* Let the programs run for couple of ms and check the engine status */ + usleep_range(3000, 6000); +- lp55xx_read(chip, LP5523_REG_STATUS, &status); ++ ret = lp55xx_read(chip, LP5523_REG_STATUS, &status); ++ if (ret) ++ return ret; + status &= LP5523_ENG_STATUS_MASK; + + if (status != LP5523_ENG_STATUS_MASK) { +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 8d613652d0e2..69e9abf00c74 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3755,6 +3755,8 @@ static int run(struct mddev *mddev) + set_bit(MD_RECOVERY_RUNNING, &mddev->recovery); + mddev->sync_thread = md_register_thread(md_do_sync, mddev, + "reshape"); ++ if (!mddev->sync_thread) ++ goto out_free_conf; + } + + return 0; +@@ -4442,7 +4444,6 @@ bio_full: + atomic_inc(&r10_bio->remaining); + read_bio->bi_next = NULL; + generic_make_request(read_bio); +- sector_nr += nr_sectors; + sectors_done += nr_sectors; + if (sector_nr <= last) + goto read_more; +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 0841d8f10a58..5e65dc6def7e 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -6973,6 +6973,8 @@ static int run(struct mddev *mddev) + set_bit(MD_RECOVERY_RUNNING, &mddev->recovery); + mddev->sync_thread = md_register_thread(md_do_sync, mddev, + "reshape"); ++ if (!mddev->sync_thread) ++ goto abort; + } + + /* Ok, everything is just fine now */ +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 885f689ac870..f2e3fdf385cc 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -1019,11 +1019,19 @@ static int uvc_parse_standard_control(struct uvc_device *dev, + return -EINVAL; + } + +- /* Make sure the terminal type MSB is not null, otherwise it +- * could be confused with a unit. ++ /* ++ * Reject invalid terminal types that would cause issues: ++ * ++ * - The high byte must be non-zero, otherwise it would be ++ * confused with a unit. ++ * ++ * - Bit 15 must be 0, as we use it internally as a terminal ++ * direction flag. ++ * ++ * Other unknown types are accepted. + */ + type = get_unaligned_le16(&buffer[4]); +- if ((type & 0xff00) == 0) { ++ if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) { + uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol " + "interface %d INPUT_TERMINAL %d has invalid " + "type 0x%04x, skipping\n", udev->devnum, +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index a4048a04d236..a550dbe36dc5 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -638,6 +638,14 @@ void uvc_video_clock_update(struct uvc_streaming *stream, + if (!uvc_hw_timestamps_param) + return; + ++ /* ++ * We will get called from __vb2_queue_cancel() if there are buffers ++ * done but not dequeued by the user, but the sample array has already ++ * been released at that time. Just bail out in that case. ++ */ ++ if (!clock->samples) ++ return; ++ + spin_lock_irqsave(&clock->lock, flags); + + if (clock->count < clock->size) +diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c +index bf23234d957e..412a6a74d0a8 100644 +--- a/drivers/media/v4l2-core/videobuf2-v4l2.c ++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c +@@ -141,7 +141,6 @@ static void vb2_warn_zero_bytesused(struct vb2_buffer *vb) + return; + + check_once = true; +- WARN_ON(1); + + pr_warn("use of bytesused == 0 is deprecated and will be removed in the future,\n"); + if (vb->vb2_queue->allow_zero_bytesused) +diff --git a/drivers/mfd/ab8500-core.c b/drivers/mfd/ab8500-core.c +index fefbe4cfa61d..1263cfd8b4d2 100644 +--- a/drivers/mfd/ab8500-core.c ++++ b/drivers/mfd/ab8500-core.c +@@ -259,7 +259,7 @@ static int get_register_interruptible(struct ab8500 *ab8500, u8 bank, + mutex_unlock(&ab8500->lock); + dev_vdbg(ab8500->dev, "rd: addr %#x => data %#x\n", addr, ret); + +- return ret; ++ return (ret < 0) ? ret : 0; + } + + static int ab8500_get_register(struct device *dev, u8 bank, +diff --git a/drivers/mfd/db8500-prcmu.c b/drivers/mfd/db8500-prcmu.c +index 12099b09a9a7..e71b9f23379d 100644 +--- a/drivers/mfd/db8500-prcmu.c ++++ b/drivers/mfd/db8500-prcmu.c +@@ -2610,7 +2610,7 @@ static struct irq_chip prcmu_irq_chip = { + .irq_unmask = prcmu_irq_unmask, + }; + +-static __init char *fw_project_name(u32 project) ++static char *fw_project_name(u32 project) + { + switch (project) { + case PRCMU_FW_PROJECT_U8500: +@@ -2758,7 +2758,7 @@ void __init db8500_prcmu_early_init(u32 phy_base, u32 size) + INIT_WORK(&mb0_transfer.mask_work, prcmu_mask_work); + } + +-static void __init init_prcm_registers(void) ++static void init_prcm_registers(void) + { + u32 val; + +diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c +index 3f9f4c874d2a..8d74806b83c1 100644 +--- a/drivers/mfd/mc13xxx-core.c ++++ b/drivers/mfd/mc13xxx-core.c +@@ -274,7 +274,9 @@ int mc13xxx_adc_do_conversion(struct mc13xxx *mc13xxx, unsigned int mode, + + mc13xxx->adcflags |= MC13XXX_ADC_WORKING; + +- mc13xxx_reg_read(mc13xxx, MC13XXX_ADC0, &old_adc0); ++ ret = mc13xxx_reg_read(mc13xxx, MC13XXX_ADC0, &old_adc0); ++ if (ret) ++ goto out; + + adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2; + adc1 = MC13XXX_ADC1_ADEN | MC13XXX_ADC1_ADTRIGIGN | MC13XXX_ADC1_ASC; +diff --git a/drivers/mfd/qcom_rpm.c b/drivers/mfd/qcom_rpm.c +index a867cc91657e..27486f278201 100644 +--- a/drivers/mfd/qcom_rpm.c ++++ b/drivers/mfd/qcom_rpm.c +@@ -570,6 +570,10 @@ static int qcom_rpm_probe(struct platform_device *pdev) + return -EFAULT; + } + ++ writel(fw_version[0], RPM_CTRL_REG(rpm, 0)); ++ writel(fw_version[1], RPM_CTRL_REG(rpm, 1)); ++ writel(fw_version[2], RPM_CTRL_REG(rpm, 2)); ++ + dev_info(&pdev->dev, "RPM firmware %u.%u.%u\n", fw_version[0], + fw_version[1], + fw_version[2]); +diff --git a/drivers/mfd/ti_am335x_tscadc.c b/drivers/mfd/ti_am335x_tscadc.c +index 4a0f076c91ba..faf8ce5be576 100644 +--- a/drivers/mfd/ti_am335x_tscadc.c ++++ b/drivers/mfd/ti_am335x_tscadc.c +@@ -279,8 +279,9 @@ static int ti_tscadc_probe(struct platform_device *pdev) + cell->pdata_size = sizeof(tscadc); + } + +- err = mfd_add_devices(&pdev->dev, pdev->id, tscadc->cells, +- tscadc->used_cells, NULL, 0, NULL); ++ err = mfd_add_devices(&pdev->dev, PLATFORM_DEVID_AUTO, ++ tscadc->cells, tscadc->used_cells, NULL, ++ 0, NULL); + if (err < 0) + goto err_disable_clk; + +diff --git a/drivers/mfd/twl-core.c b/drivers/mfd/twl-core.c +index 831696ee2472..90732a655d57 100644 +--- a/drivers/mfd/twl-core.c ++++ b/drivers/mfd/twl-core.c +@@ -982,7 +982,7 @@ add_children(struct twl4030_platform_data *pdata, unsigned irq_base, + * letting it generate the right frequencies for USB, MADC, and + * other purposes. + */ +-static inline int __init protect_pm_master(void) ++static inline int protect_pm_master(void) + { + int e = 0; + +@@ -991,7 +991,7 @@ static inline int __init protect_pm_master(void) + return e; + } + +-static inline int __init unprotect_pm_master(void) ++static inline int unprotect_pm_master(void) + { + int e = 0; + +diff --git a/drivers/mfd/wm5110-tables.c b/drivers/mfd/wm5110-tables.c +index 2bb2d0467a92..c47efe6dcb01 100644 +--- a/drivers/mfd/wm5110-tables.c ++++ b/drivers/mfd/wm5110-tables.c +@@ -1622,6 +1622,7 @@ static const struct reg_default wm5110_reg_default[] = { + { 0x00000ECD, 0x0000 }, /* R3789 - HPLPF4_2 */ + { 0x00000EE0, 0x0000 }, /* R3808 - ASRC_ENABLE */ + { 0x00000EE2, 0x0000 }, /* R3810 - ASRC_RATE1 */ ++ { 0x00000EE3, 0x4000 }, /* R3811 - ASRC_RATE2 */ + { 0x00000EF0, 0x0000 }, /* R3824 - ISRC 1 CTRL 1 */ + { 0x00000EF1, 0x0000 }, /* R3825 - ISRC 1 CTRL 2 */ + { 0x00000EF2, 0x0000 }, /* R3826 - ISRC 1 CTRL 3 */ +@@ -2877,6 +2878,7 @@ static bool wm5110_readable_register(struct device *dev, unsigned int reg) + case ARIZONA_ASRC_ENABLE: + case ARIZONA_ASRC_STATUS: + case ARIZONA_ASRC_RATE1: ++ case ARIZONA_ASRC_RATE2: + case ARIZONA_ISRC_1_CTRL_1: + case ARIZONA_ISRC_1_CTRL_2: + case ARIZONA_ISRC_1_CTRL_3: +diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c +index aad3243a48fc..e03ec74f3fb0 100644 +--- a/drivers/mmc/host/mmc_spi.c ++++ b/drivers/mmc/host/mmc_spi.c +@@ -1451,6 +1451,7 @@ static int mmc_spi_probe(struct spi_device *spi) + if (status != 0) + goto fail_add_host; + } ++ mmc_detect_change(mmc, 0); + + dev_info(&spi->dev, "SD/MMC host %s%s%s%s%s\n", + dev_name(&mmc->class_dev), +diff --git a/drivers/net/dsa/mv88e6xxx.c b/drivers/net/dsa/mv88e6xxx.c +index 2dea39b5cb0b..e2414f2d7ba9 100644 +--- a/drivers/net/dsa/mv88e6xxx.c ++++ b/drivers/net/dsa/mv88e6xxx.c +@@ -712,7 +712,7 @@ static uint64_t _mv88e6xxx_get_ethtool_stat(struct dsa_switch *ds, + if (s->sizeof_stat == 8) + _mv88e6xxx_stats_read(ds, s->reg + 1, &high); + } +- value = (((u64)high) << 16) | low; ++ value = (((u64)high) << 32) | low; + return value; + } + +diff --git a/drivers/net/ethernet/altera/altera_msgdma.c b/drivers/net/ethernet/altera/altera_msgdma.c +index 0fb986ba3290..0ae723f75341 100644 +--- a/drivers/net/ethernet/altera/altera_msgdma.c ++++ b/drivers/net/ethernet/altera/altera_msgdma.c +@@ -145,7 +145,8 @@ u32 msgdma_tx_completions(struct altera_tse_private *priv) + & 0xffff; + + if (inuse) { /* Tx FIFO is not empty */ +- ready = priv->tx_prod - priv->tx_cons - inuse - 1; ++ ready = max_t(int, ++ priv->tx_prod - priv->tx_cons - inuse - 1, 0); + } else { + /* Check for buffered last packet */ + status = csrrd32(priv->tx_dma_csr, msgdma_csroffs(status)); +diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c +index fe644823ceaf..bb51f124d8c7 100644 +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -716,8 +716,10 @@ static struct phy_device *connect_local_phy(struct net_device *dev) + + phydev = phy_connect(dev, phy_id_fmt, &altera_tse_adjust_link, + priv->phy_iface); +- if (IS_ERR(phydev)) ++ if (IS_ERR(phydev)) { + netdev_err(dev, "Could not attach to PHY\n"); ++ phydev = NULL; ++ } + + } else { + int ret; +diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c +index 2ff465848b65..097a0bf592ab 100644 +--- a/drivers/net/ethernet/atheros/atlx/atl2.c ++++ b/drivers/net/ethernet/atheros/atlx/atl2.c +@@ -1338,13 +1338,11 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + struct net_device *netdev; + struct atl2_adapter *adapter; +- static int cards_found; ++ static int cards_found = 0; + unsigned long mmio_start; + int mmio_len; + int err; + +- cards_found = 0; +- + err = pci_enable_device(pdev); + if (err) + return err; +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index 143b9a384af8..53b3c1a5851c 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -126,6 +126,10 @@ static int bcm_sysport_set_rx_csum(struct net_device *dev, + + priv->rx_chk_en = !!(wanted & NETIF_F_RXCSUM); + reg = rxchk_readl(priv, RXCHK_CONTROL); ++ /* Clear L2 header checks, which would prevent BPDUs ++ * from being received. ++ */ ++ reg &= ~RXCHK_L2_HDR_DIS; + if (priv->rx_chk_en) + reg |= RXCHK_EN; + else +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index fea8116da06a..00bd7be85679 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -330,6 +330,12 @@ normal_tx: + } + + length >>= 9; ++ if (unlikely(length >= ARRAY_SIZE(bnxt_lhint_arr))) { ++ dev_warn_ratelimited(&pdev->dev, "Dropped oversize %d bytes TX packet.\n", ++ skb->len); ++ i = 0; ++ goto tx_dma_error; ++ } + flags |= bnxt_lhint_arr[length]; + txbd->tx_bd_len_flags_type = cpu_to_le32(flags); + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c +index 1a16c0307b47..bd36fbe81ad2 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c +@@ -188,12 +188,10 @@ static void hns_ae_put_handle(struct hnae_handle *handle) + struct hnae_vf_cb *vf_cb = hns_ae_get_vf_cb(handle); + int i; + +- vf_cb->mac_cb = NULL; +- +- kfree(vf_cb); +- + for (i = 0; i < handle->q_num; i++) + hns_ae_get_ring_pair(handle->qs[i])->used_by_vf = 0; ++ ++ kfree(vf_cb); + } + + static void hns_ae_ring_enable_all(struct hnae_handle *handle, int val) +diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c b/drivers/net/ethernet/hisilicon/hns_mdio.c +index 37491c85bc42..6ff13c559e52 100644 +--- a/drivers/net/ethernet/hisilicon/hns_mdio.c ++++ b/drivers/net/ethernet/hisilicon/hns_mdio.c +@@ -319,7 +319,7 @@ static int hns_mdio_read(struct mii_bus *bus, int phy_id, int regnum) + } + + hns_mdio_cmd_write(mdio_dev, is_c45, +- MDIO_C45_WRITE_ADDR, phy_id, devad); ++ MDIO_C45_READ, phy_id, devad); + } + + /* Step 5: waitting for MDIO_COMMAND_REG 's mdio_start==0,*/ +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 61a9ab4fe047..70b3253e7ed5 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1238,7 +1238,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) + struct iphdr *iph; + u16 mss = 0; + +-restart_poll: + while (frames_processed < budget) { + if (!ibmveth_rxq_pending_buffer(adapter)) + break; +@@ -1336,7 +1335,6 @@ restart_poll: + napi_reschedule(napi)) { + lpar_rc = h_vio_signal(adapter->vdev->unit_address, + VIO_IRQ_DISABLE); +- goto restart_poll; + } + } + +diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c +index 4182290fdbcf..82f080a5ed5c 100644 +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -2884,7 +2884,7 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev) + + ret = mv643xx_eth_shared_of_probe(pdev); + if (ret) +- return ret; ++ goto err_put_clk; + pd = dev_get_platdata(&pdev->dev); + + msp->tx_csum_limit = (pd != NULL && pd->tx_csum_limit) ? +@@ -2892,6 +2892,11 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev) + infer_hw_params(msp); + + return 0; ++ ++err_put_clk: ++ if (!IS_ERR(msp->clk)) ++ clk_disable_unprepare(msp->clk); ++ return ret; + } + + static int mv643xx_eth_shared_remove(struct platform_device *pdev) +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index 4b97aa24559a..5cc05df69a86 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + + #include + +@@ -93,7 +94,7 @@ static int copybreak __read_mostly = 128; + module_param(copybreak, int, 0); + MODULE_PARM_DESC(copybreak, "Receive copy threshold"); + +-static int disable_msi = 0; ++static int disable_msi = -1; + module_param(disable_msi, int, 0); + MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI)"); + +@@ -4923,6 +4924,24 @@ static const char *sky2_name(u8 chipid, char *buf, int sz) + return buf; + } + ++static const struct dmi_system_id msi_blacklist[] = { ++ { ++ .ident = "Dell Inspiron 1545", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1545"), ++ }, ++ }, ++ { ++ .ident = "Gateway P-79", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Gateway"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "P-79"), ++ }, ++ }, ++ {} ++}; ++ + static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + struct net_device *dev, *dev1; +@@ -5034,6 +5053,9 @@ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + goto err_out_free_pci; + } + ++ if (disable_msi == -1) ++ disable_msi = !!dmi_check_system(msi_blacklist); ++ + if (!disable_msi && pci_enable_msi(pdev) == 0) { + err = sky2_test_msi(hw); + if (err) { +diff --git a/drivers/net/ethernet/mellanox/mlx4/cmd.c b/drivers/net/ethernet/mellanox/mlx4/cmd.c +index fc222df47aa9..9e104dcfa9dd 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c +@@ -2636,6 +2636,7 @@ void mlx4_cmd_use_polling(struct mlx4_dev *dev) + down(&priv->cmd.event_sem); + + kfree(priv->cmd.context); ++ priv->cmd.context = NULL; + + up(&priv->cmd.poll_sem); + } +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +index 82bf1b539d87..ac7c64bae2a5 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +@@ -725,13 +725,27 @@ static int get_fixed_ipv6_csum(__wsum hw_checksum, struct sk_buff *skb, + return 0; + } + #endif ++ ++#define short_frame(size) ((size) <= ETH_ZLEN + ETH_FCS_LEN) ++ + static int check_csum(struct mlx4_cqe *cqe, struct sk_buff *skb, void *va, + netdev_features_t dev_features) + { + __wsum hw_checksum = 0; ++ void *hdr; ++ ++ /* CQE csum doesn't cover padding octets in short ethernet ++ * frames. And the pad field is appended prior to calculating ++ * and appending the FCS field. ++ * ++ * Detecting these padded frames requires to verify and parse ++ * IP headers, so we simply force all those small frames to skip ++ * checksum complete. ++ */ ++ if (short_frame(skb->len)) ++ return -EINVAL; + +- void *hdr = (u8 *)va + sizeof(struct ethhdr); +- ++ hdr = (u8 *)va + sizeof(struct ethhdr); + hw_checksum = csum_unfold((__force __sum16)cqe->checksum); + + if (cqe->vlan_my_qpn & cpu_to_be32(MLX4_CQE_CVLAN_PRESENT_MASK) && +@@ -851,6 +865,11 @@ int mlx4_en_process_rx_cq(struct net_device *dev, struct mlx4_en_cq *cq, int bud + (cqe->vlan_my_qpn & cpu_to_be32(MLX4_CQE_L2_TUNNEL)); + + if (likely(dev->features & NETIF_F_RXCSUM)) { ++ /* TODO: For IP non TCP/UDP packets when csum complete is ++ * not an option (not supported or any other reason) we can ++ * actually check cqe IPOK status bit and report ++ * CHECKSUM_UNNECESSARY rather than CHECKSUM_NONE ++ */ + if (cqe->status & cpu_to_be16(MLX4_CQE_STATUS_TCP | + MLX4_CQE_STATUS_UDP)) { + if ((cqe->status & cpu_to_be16(MLX4_CQE_STATUS_IPOK)) && +diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +index 7911dc3da98e..37dfdb1329f4 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -2652,13 +2652,13 @@ static int qp_get_mtt_size(struct mlx4_qp_context *qpc) + int total_pages; + int total_mem; + int page_offset = (be32_to_cpu(qpc->params2) >> 6) & 0x3f; ++ int tot; + + sq_size = 1 << (log_sq_size + log_sq_sride + 4); + rq_size = (srq|rss|xrc) ? 0 : (1 << (log_rq_size + log_rq_stride + 4)); + total_mem = sq_size + rq_size; +- total_pages = +- roundup_pow_of_two((total_mem + (page_offset << 6)) >> +- page_shift); ++ tot = (total_mem + (page_offset << 6)) >> page_shift; ++ total_pages = !tot ? 1 : roundup_pow_of_two(tot); + + return total_pages; + } +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index f735dfcb64ae..29d31eb995d7 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -453,7 +453,7 @@ static int ravb_dmac_init(struct net_device *ndev) + ravb_write(ndev, RCR_EFFS | RCR_ENCF | RCR_ETS0 | 0x18000000, RCR); + + /* Set FIFO size */ +- ravb_write(ndev, TGC_TQP_AVBMODE1 | 0x00222200, TGC); ++ ravb_write(ndev, TGC_TQP_AVBMODE1 | 0x00112200, TGC); + + /* Timestamp enable */ + ravb_write(ndev, TCCR_TFEN, TCCR); +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c +index 0cd3ecff768b..398b08e07149 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c +@@ -535,8 +535,10 @@ static int rk_gmac_init(struct platform_device *pdev, void *priv) + int ret; + + ret = phy_power_on(bsp_priv, true); +- if (ret) ++ if (ret) { ++ gmac_clk_enable(bsp_priv, false); + return ret; ++ } + + ret = gmac_clk_enable(bsp_priv, true); + if (ret) +diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c +index a9268db4e349..ae02ce17c505 100644 +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -389,7 +389,12 @@ static int ipvlan_nl_changelink(struct net_device *dev, + struct ipvl_dev *ipvlan = netdev_priv(dev); + struct ipvl_port *port = ipvlan_port_get_rtnl(ipvlan->phy_dev); + +- if (data && data[IFLA_IPVLAN_MODE]) { ++ if (!data) ++ return 0; ++ if (!ns_capable(dev_net(ipvlan->phy_dev)->user_ns, CAP_NET_ADMIN)) ++ return -EPERM; ++ ++ if (data[IFLA_IPVLAN_MODE]) { + u16 nmode = nla_get_u16(data[IFLA_IPVLAN_MODE]); + + ipvlan_set_port_mode(port, nmode); +@@ -454,6 +459,8 @@ static int ipvlan_link_new(struct net *src_net, struct net_device *dev, + struct ipvl_dev *tmp = netdev_priv(phy_dev); + + phy_dev = tmp->phy_dev; ++ if (!ns_capable(dev_net(phy_dev)->user_ns, CAP_NET_ADMIN)) ++ return -EPERM; + } else if (!netif_is_ipvlan_port(phy_dev)) { + err = ipvlan_port_create(phy_dev); + if (err < 0) +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 88cb4592b6fb..ccefba7af960 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -267,7 +267,6 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner) + err = device_register(&bus->dev); + if (err) { + pr_err("mii_bus %s failed to register\n", bus->id); +- put_device(&bus->dev); + return -EINVAL; + } + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 920391165f18..ba84fc3637b1 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + /* Operation Mode Strap Override */ + #define MII_KSZPHY_OMSO 0x16 +@@ -287,6 +288,17 @@ static int kszphy_config_init(struct phy_device *phydev) + return 0; + } + ++static int ksz8061_config_init(struct phy_device *phydev) ++{ ++ int ret; ++ ++ ret = phy_write_mmd(phydev, MDIO_MMD_PMAPMD, MDIO_DEVID1, 0xB61A); ++ if (ret) ++ return ret; ++ ++ return kszphy_config_init(phydev); ++} ++ + static int ksz9021_load_values_from_of(struct phy_device *phydev, + const struct device_node *of_node, + u16 reg, +@@ -771,7 +783,7 @@ static struct phy_driver ksphy_driver[] = { + .phy_id_mask = 0x00fffff0, + .features = (PHY_BASIC_FEATURES | SUPPORTED_Pause), + .flags = PHY_HAS_MAGICANEG | PHY_HAS_INTERRUPT, +- .config_init = kszphy_config_init, ++ .config_init = ksz8061_config_init, + .config_aneg = genphy_config_aneg, + .read_status = genphy_read_status, + .ack_interrupt = kszphy_ack_interrupt, +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index 12a627fcc02c..53c1f2bd0f24 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -577,6 +577,7 @@ static void pptp_sock_destruct(struct sock *sk) + pppox_unbind_sock(sk); + } + skb_queue_purge(&sk->sk_receive_queue); ++ dst_release(rcu_dereference_protected(sk->sk_dst_cache, 1)); + } + + static int pptp_create(struct net *net, struct socket *sock, int kern) +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 33ffb573fd67..267a90423154 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -247,17 +247,6 @@ static void __team_option_inst_mark_removed_port(struct team *team, + } + } + +-static bool __team_option_inst_tmp_find(const struct list_head *opts, +- const struct team_option_inst *needle) +-{ +- struct team_option_inst *opt_inst; +- +- list_for_each_entry(opt_inst, opts, tmp_list) +- if (opt_inst == needle) +- return true; +- return false; +-} +- + static int __team_options_register(struct team *team, + const struct team_option *option, + size_t option_count) +@@ -2447,7 +2436,6 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) + int err = 0; + int i; + struct nlattr *nl_option; +- LIST_HEAD(opt_inst_list); + + team = team_nl_team_get(info); + if (!team) +@@ -2463,6 +2451,7 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) + struct nlattr *opt_attrs[TEAM_ATTR_OPTION_MAX + 1]; + struct nlattr *attr; + struct nlattr *attr_data; ++ LIST_HEAD(opt_inst_list); + enum team_option_type opt_type; + int opt_port_ifindex = 0; /* != 0 for per-port options */ + u32 opt_array_index = 0; +@@ -2566,23 +2555,17 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info) + if (err) + goto team_put; + opt_inst->changed = true; +- +- /* dumb/evil user-space can send us duplicate opt, +- * keep only the last one +- */ +- if (__team_option_inst_tmp_find(&opt_inst_list, +- opt_inst)) +- continue; +- + list_add(&opt_inst->tmp_list, &opt_inst_list); + } + if (!opt_found) { + err = -ENOENT; + goto team_put; + } +- } + +- err = team_nl_send_event_options_get(team, &opt_inst_list); ++ err = team_nl_send_event_options_get(team, &opt_inst_list); ++ if (err) ++ break; ++ } + + team_put: + team_nl_team_put(team); +diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c +index a1536d0d83a9..a00335b3786e 100644 +--- a/drivers/net/team/team_mode_loadbalance.c ++++ b/drivers/net/team/team_mode_loadbalance.c +@@ -305,6 +305,20 @@ static int lb_bpf_func_set(struct team *team, struct team_gsetter_ctx *ctx) + return 0; + } + ++static void lb_bpf_func_free(struct team *team) ++{ ++ struct lb_priv *lb_priv = get_lb_priv(team); ++ struct bpf_prog *fp; ++ ++ if (!lb_priv->ex->orig_fprog) ++ return; ++ ++ __fprog_destroy(lb_priv->ex->orig_fprog); ++ fp = rcu_dereference_protected(lb_priv->fp, ++ lockdep_is_held(&team->lock)); ++ bpf_prog_destroy(fp); ++} ++ + static int lb_tx_method_get(struct team *team, struct team_gsetter_ctx *ctx) + { + struct lb_priv *lb_priv = get_lb_priv(team); +@@ -619,6 +633,7 @@ static void lb_exit(struct team *team) + + team_options_unregister(team, lb_options, + ARRAY_SIZE(lb_options)); ++ lb_bpf_func_free(team); + cancel_delayed_work_sync(&lb_priv->ex->stats.refresh_dw); + free_percpu(lb_priv->pcpu_stats); + kfree(lb_priv->ex); +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 553908adf3c5..5dadfc508ade 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1229,6 +1229,14 @@ static void vxlan_rcv(struct vxlan_sock *vs, struct sk_buff *skb, + } + } + ++ rcu_read_lock(); ++ ++ if (unlikely(!(vxlan->dev->flags & IFF_UP))) { ++ rcu_read_unlock(); ++ atomic_long_inc(&vxlan->dev->rx_dropped); ++ goto drop; ++ } ++ + stats = this_cpu_ptr(vxlan->dev->tstats); + u64_stats_update_begin(&stats->syncp); + stats->rx_packets++; +@@ -1237,6 +1245,8 @@ static void vxlan_rcv(struct vxlan_sock *vs, struct sk_buff *skb, + + gro_cells_receive(&vxlan->gro_cells, skb); + ++ rcu_read_unlock(); ++ + return; + drop: + if (tun_dst) +@@ -2312,6 +2322,8 @@ static void vxlan_uninit(struct net_device *dev) + { + struct vxlan_dev *vxlan = netdev_priv(dev); + ++ gro_cells_destroy(&vxlan->gro_cells); ++ + vxlan_fdb_delete_default(vxlan); + + free_percpu(dev->tstats); +@@ -3056,7 +3068,6 @@ static void vxlan_dellink(struct net_device *dev, struct list_head *head) + { + struct vxlan_dev *vxlan = netdev_priv(dev); + +- gro_cells_destroy(&vxlan->gro_cells); + list_del(&vxlan->next); + unregister_netdevice_queue(dev, head); + } +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 0d1abcfec003..0f582117b0e3 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3002,7 +3002,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info) + goto out_err; + } + +- genlmsg_reply(skb, info); ++ res = genlmsg_reply(skb, info); + break; + } + +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c +index 02db20b26749..d324ac308e6d 100644 +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -1538,11 +1538,6 @@ static int xenvif_handle_frag_list(struct xenvif_queue *queue, struct sk_buff *s + skb_frag_size_set(&frags[i], len); + } + +- /* Copied all the bits from the frag list -- free it. */ +- skb_frag_list_init(skb); +- xenvif_skb_zerocopy_prepare(queue, nskb); +- kfree_skb(nskb); +- + /* Release all the original (foreign) frags. */ + for (f = 0; f < skb_shinfo(skb)->nr_frags; f++) + skb_frag_unref(skb, f); +@@ -1611,6 +1606,8 @@ static int xenvif_tx_submit(struct xenvif_queue *queue) + xenvif_fill_frags(queue, skb); + + if (unlikely(skb_has_frag_list(skb))) { ++ struct sk_buff *nskb = skb_shinfo(skb)->frag_list; ++ xenvif_skb_zerocopy_prepare(queue, nskb); + if (xenvif_handle_frag_list(queue, skb)) { + if (net_ratelimit()) + netdev_err(queue->vif->dev, +@@ -1619,6 +1616,9 @@ static int xenvif_tx_submit(struct xenvif_queue *queue) + kfree_skb(skb); + continue; + } ++ /* Copied all the bits from the frag list -- free it. */ ++ skb_frag_list_init(skb); ++ kfree_skb(nskb); + } + + skb->dev = queue->vif->dev; +diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c +index bdce0679674c..02e6485c1ed5 100644 +--- a/drivers/parport/parport_pc.c ++++ b/drivers/parport/parport_pc.c +@@ -1377,7 +1377,7 @@ static struct superio_struct *find_superio(struct parport *p) + { + int i; + for (i = 0; i < NR_SUPERIOS; i++) +- if (superios[i].io != p->base) ++ if (superios[i].io == p->base) + return &superios[i]; + return NULL; + } +diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c +index b505b87661f8..07c4153e6f3d 100644 +--- a/drivers/pinctrl/meson/pinctrl-meson8b.c ++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c +@@ -656,7 +656,7 @@ static const char * const sd_a_groups[] = { + + static const char * const sdxc_a_groups[] = { + "sdxc_d0_0_a", "sdxc_d13_0_a", "sdxc_d47_a", "sdxc_clk_a", +- "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d0_13_1_a" ++ "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d13_1_a" + }; + + static const char * const pcm_a_groups[] = { +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index 988ebe9a6b90..953974b5a9a9 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -881,6 +881,7 @@ config INTEL_OAKTRAIL + config SAMSUNG_Q10 + tristate "Samsung Q10 Extras" + depends on ACPI ++ depends on BACKLIGHT_LCD_SUPPORT + select BACKLIGHT_CLASS_DEVICE + ---help--- + This driver provides support for backlight control on Samsung Q10 +diff --git a/drivers/regulator/s2mpa01.c b/drivers/regulator/s2mpa01.c +index 92f88753bfed..2daf751c26c7 100644 +--- a/drivers/regulator/s2mpa01.c ++++ b/drivers/regulator/s2mpa01.c +@@ -303,13 +303,13 @@ static const struct regulator_desc regulators[] = { + regulator_desc_ldo(2, STEP_50_MV), + regulator_desc_ldo(3, STEP_50_MV), + regulator_desc_ldo(4, STEP_50_MV), +- regulator_desc_ldo(5, STEP_50_MV), ++ regulator_desc_ldo(5, STEP_25_MV), + regulator_desc_ldo(6, STEP_25_MV), + regulator_desc_ldo(7, STEP_50_MV), + regulator_desc_ldo(8, STEP_50_MV), + regulator_desc_ldo(9, STEP_50_MV), + regulator_desc_ldo(10, STEP_50_MV), +- regulator_desc_ldo(11, STEP_25_MV), ++ regulator_desc_ldo(11, STEP_50_MV), + regulator_desc_ldo(12, STEP_50_MV), + regulator_desc_ldo(13, STEP_50_MV), + regulator_desc_ldo(14, STEP_50_MV), +@@ -320,11 +320,11 @@ static const struct regulator_desc regulators[] = { + regulator_desc_ldo(19, STEP_50_MV), + regulator_desc_ldo(20, STEP_50_MV), + regulator_desc_ldo(21, STEP_50_MV), +- regulator_desc_ldo(22, STEP_25_MV), +- regulator_desc_ldo(23, STEP_25_MV), ++ regulator_desc_ldo(22, STEP_50_MV), ++ regulator_desc_ldo(23, STEP_50_MV), + regulator_desc_ldo(24, STEP_50_MV), + regulator_desc_ldo(25, STEP_50_MV), +- regulator_desc_ldo(26, STEP_50_MV), ++ regulator_desc_ldo(26, STEP_25_MV), + regulator_desc_buck1_4(1), + regulator_desc_buck1_4(2), + regulator_desc_buck1_4(3), +diff --git a/drivers/regulator/s2mps11.c b/drivers/regulator/s2mps11.c +index b6d831b84e1d..47694dd515ab 100644 +--- a/drivers/regulator/s2mps11.c ++++ b/drivers/regulator/s2mps11.c +@@ -372,7 +372,7 @@ static const struct regulator_desc s2mps11_regulators[] = { + regulator_desc_s2mps11_ldo(32, STEP_50_MV), + regulator_desc_s2mps11_ldo(33, STEP_50_MV), + regulator_desc_s2mps11_ldo(34, STEP_50_MV), +- regulator_desc_s2mps11_ldo(35, STEP_50_MV), ++ regulator_desc_s2mps11_ldo(35, STEP_25_MV), + regulator_desc_s2mps11_ldo(36, STEP_50_MV), + regulator_desc_s2mps11_ldo(37, STEP_50_MV), + regulator_desc_s2mps11_ldo(38, STEP_50_MV), +@@ -382,8 +382,8 @@ static const struct regulator_desc s2mps11_regulators[] = { + regulator_desc_s2mps11_buck1_4(4), + regulator_desc_s2mps11_buck5, + regulator_desc_s2mps11_buck67810(6, MIN_600_MV, STEP_6_25_MV), +- regulator_desc_s2mps11_buck67810(7, MIN_600_MV, STEP_6_25_MV), +- regulator_desc_s2mps11_buck67810(8, MIN_600_MV, STEP_6_25_MV), ++ regulator_desc_s2mps11_buck67810(7, MIN_600_MV, STEP_12_5_MV), ++ regulator_desc_s2mps11_buck67810(8, MIN_600_MV, STEP_12_5_MV), + regulator_desc_s2mps11_buck9, + regulator_desc_s2mps11_buck67810(10, MIN_750_MV, STEP_12_5_MV), + }; +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index dac2f6883e28..80a43074c2f9 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -4023,6 +4023,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp) + usrparm.psf_data &= 0x7fffffffULL; + usrparm.rssd_result &= 0x7fffffffULL; + } ++ /* at least 2 bytes are accessed and should be allocated */ ++ if (usrparm.psf_data_len < 2) { ++ DBF_DEV_EVENT(DBF_WARNING, device, ++ "Symmetrix ioctl invalid data length %d", ++ usrparm.psf_data_len); ++ rc = -EINVAL; ++ goto out; ++ } + /* alloc I/O data area */ + psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA); + rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA); +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 533bd2467910..b40604d0126f 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -2452,11 +2452,12 @@ out: + return rc; + } + +-static void qeth_free_qdio_out_buf(struct qeth_qdio_out_q *q) ++static void qeth_free_output_queue(struct qeth_qdio_out_q *q) + { + if (!q) + return; + ++ qeth_clear_outq_buffers(q, 1); + qdio_free_buffers(q->qdio_bufs, QDIO_MAX_BUFFERS_PER_Q); + kfree(q); + } +@@ -2529,10 +2530,8 @@ out_freeoutqbufs: + card->qdio.out_qs[i]->bufs[j] = NULL; + } + out_freeoutq: +- while (i > 0) { +- qeth_free_qdio_out_buf(card->qdio.out_qs[--i]); +- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1); +- } ++ while (i > 0) ++ qeth_free_output_queue(card->qdio.out_qs[--i]); + kfree(card->qdio.out_qs); + card->qdio.out_qs = NULL; + out_freepool: +@@ -2565,10 +2564,8 @@ static void qeth_free_qdio_buffers(struct qeth_card *card) + qeth_free_buffer_pool(card); + /* free outbound qdio_qs */ + if (card->qdio.out_qs) { +- for (i = 0; i < card->qdio.no_out_queues; ++i) { +- qeth_clear_outq_buffers(card->qdio.out_qs[i], 1); +- qeth_free_qdio_out_buf(card->qdio.out_qs[i]); +- } ++ for (i = 0; i < card->qdio.no_out_queues; i++) ++ qeth_free_output_queue(card->qdio.out_qs[i]); + kfree(card->qdio.out_qs); + card->qdio.out_qs = NULL; + } +diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c +index ff06bdfd2b20..2bb275fb39d1 100644 +--- a/drivers/s390/virtio/virtio_ccw.c ++++ b/drivers/s390/virtio/virtio_ccw.c +@@ -283,6 +283,8 @@ static void virtio_ccw_drop_indicators(struct virtio_ccw_device *vcdev) + { + struct virtio_ccw_vq_info *info; + ++ if (!vcdev->airq_info) ++ return; + list_for_each_entry(info, &vcdev->virtqueues, node) + drop_airq_indicator(info->vq, vcdev->airq_info); + } +@@ -423,7 +425,7 @@ static int virtio_ccw_read_vq_conf(struct virtio_ccw_device *vcdev, + ret = ccw_io_helper(vcdev, ccw, VIRTIO_CCW_DOING_READ_VQ_CONF); + if (ret) + return ret; +- return vcdev->config_block->num; ++ return vcdev->config_block->num ?: -ENOENT; + } + + static void virtio_ccw_del_vq(struct virtqueue *vq, struct ccw1 *ccw) +diff --git a/drivers/scsi/csiostor/csio_attr.c b/drivers/scsi/csiostor/csio_attr.c +index 2d1c4ebd40f9..6587f20cff1a 100644 +--- a/drivers/scsi/csiostor/csio_attr.c ++++ b/drivers/scsi/csiostor/csio_attr.c +@@ -582,12 +582,12 @@ csio_vport_create(struct fc_vport *fc_vport, bool disable) + } + + fc_vport_set_state(fc_vport, FC_VPORT_INITIALIZING); ++ ln->fc_vport = fc_vport; + + if (csio_fcoe_alloc_vnp(hw, ln)) + goto error; + + *(struct csio_lnode **)fc_vport->dd_data = ln; +- ln->fc_vport = fc_vport; + if (!fc_vport->node_name) + fc_vport->node_name = wwn_to_u64(csio_ln_wwnn(ln)); + if (!fc_vport->port_name) +diff --git a/drivers/scsi/isci/init.c b/drivers/scsi/isci/init.c +index 77128d680e3b..6f38fa1f468a 100644 +--- a/drivers/scsi/isci/init.c ++++ b/drivers/scsi/isci/init.c +@@ -595,6 +595,13 @@ static struct isci_host *isci_host_alloc(struct pci_dev *pdev, int id) + shost->max_lun = ~0; + shost->max_cmd_len = MAX_COMMAND_SIZE; + ++ /* turn on DIF support */ ++ scsi_host_set_prot(shost, ++ SHOST_DIF_TYPE1_PROTECTION | ++ SHOST_DIF_TYPE2_PROTECTION | ++ SHOST_DIF_TYPE3_PROTECTION); ++ scsi_host_set_guard(shost, SHOST_DIX_GUARD_CRC); ++ + err = scsi_add_host(shost, &pdev->dev); + if (err) + goto err_shost; +@@ -682,13 +689,6 @@ static int isci_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + goto err_host_alloc; + } + pci_info->hosts[i] = h; +- +- /* turn on DIF support */ +- scsi_host_set_prot(to_shost(h), +- SHOST_DIF_TYPE1_PROTECTION | +- SHOST_DIF_TYPE2_PROTECTION | +- SHOST_DIF_TYPE3_PROTECTION); +- scsi_host_set_guard(to_shost(h), SHOST_DIX_GUARD_CRC); + } + + err = isci_setup_interrupts(pdev); +diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c +index e01a29863c38..867fc036d6ef 100644 +--- a/drivers/scsi/libfc/fc_lport.c ++++ b/drivers/scsi/libfc/fc_lport.c +@@ -1739,14 +1739,14 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp, + fc_frame_payload_op(fp) != ELS_LS_ACC) { + FC_LPORT_DBG(lport, "FLOGI not accepted or bad response\n"); + fc_lport_error(lport, fp); +- goto err; ++ goto out; + } + + flp = fc_frame_payload_get(fp, sizeof(*flp)); + if (!flp) { + FC_LPORT_DBG(lport, "FLOGI bad response\n"); + fc_lport_error(lport, fp); +- goto err; ++ goto out; + } + + mfs = ntohs(flp->fl_csp.sp_bb_data) & +@@ -1756,7 +1756,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp, + FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, " + "lport->mfs:%hu\n", mfs, lport->mfs); + fc_lport_error(lport, fp); +- goto err; ++ goto out; + } + + if (mfs <= lport->mfs) { +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 009a2ef829d6..0fdc8c417035 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1448,7 +1448,13 @@ static int iscsi_xmit_task(struct iscsi_conn *conn) + if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) + return -ENODATA; + ++ spin_lock_bh(&conn->session->back_lock); ++ if (conn->task == NULL) { ++ spin_unlock_bh(&conn->session->back_lock); ++ return -ENODATA; ++ } + __iscsi_get_task(task); ++ spin_unlock_bh(&conn->session->back_lock); + spin_unlock_bh(&conn->session->frwd_lock); + rc = conn->session->tt->xmit_task(task); + spin_lock_bh(&conn->session->frwd_lock); +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 12886f96b286..7be581f7c35d 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -818,6 +818,7 @@ static struct domain_device *sas_ex_discover_end_dev( + rphy = sas_end_device_alloc(phy->port); + if (!rphy) + goto out_free; ++ rphy->identify.phy_identifier = phy_id; + + child->rphy = rphy; + get_device(&rphy->dev); +@@ -845,6 +846,7 @@ static struct domain_device *sas_ex_discover_end_dev( + + child->rphy = rphy; + get_device(&rphy->dev); ++ rphy->identify.phy_identifier = phy_id; + sas_fill_in_rphy(child, rphy); + + list_add_tail(&child->disco_list_node, &parent->port->disco_list); +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index d8c03431d0aa..f9f899ec9427 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -7245,6 +7245,8 @@ static int qla4xxx_sysfs_ddb_tgt_create(struct scsi_qla_host *ha, + + rc = qla4xxx_copy_from_fwddb_param(fnode_sess, fnode_conn, + fw_ddb_entry); ++ if (rc) ++ goto free_sess; + + ql4_printk(KERN_INFO, ha, "%s: sysfs entry %s created\n", + __func__, fnode_sess->dev.kobj.name); +diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c +index 8ef905cbfc9c..9237427728ce 100644 +--- a/drivers/scsi/virtio_scsi.c ++++ b/drivers/scsi/virtio_scsi.c +@@ -692,7 +692,6 @@ static int virtscsi_device_reset(struct scsi_cmnd *sc) + return FAILED; + + memset(cmd, 0, sizeof(*cmd)); +- cmd->sc = sc; + cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){ + .type = VIRTIO_SCSI_T_TMF, + .subtype = cpu_to_virtio32(vscsi->vdev, +@@ -751,7 +750,6 @@ static int virtscsi_abort(struct scsi_cmnd *sc) + return FAILED; + + memset(cmd, 0, sizeof(*cmd)); +- cmd->sc = sc; + cmd->req.tmf = (struct virtio_scsi_ctrl_tmf_req){ + .type = VIRTIO_SCSI_T_TMF, + .subtype = VIRTIO_SCSI_T_TMF_ABORT_TASK, +diff --git a/drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c b/drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c +index ecfe73302350..46a24b4ead09 100644 +--- a/drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c ++++ b/drivers/staging/lustre/lnet/klnds/socklnd/socklnd.c +@@ -2621,8 +2621,8 @@ ksocknal_enumerate_interfaces(ksock_net_t *net) + + net->ksnn_interfaces[j].ksni_ipaddr = ip; + net->ksnn_interfaces[j].ksni_netmask = mask; +- strncpy(&net->ksnn_interfaces[j].ksni_name[0], +- names[i], IFNAMSIZ); ++ strlcpy(net->ksnn_interfaces[j].ksni_name, ++ names[i], sizeof(net->ksnn_interfaces[j].ksni_name)); + j++; + } + +@@ -2805,8 +2805,9 @@ ksocknal_startup(lnet_ni_t *ni) + goto fail_1; + } + +- strncpy(&net->ksnn_interfaces[i].ksni_name[0], +- ni->ni_interfaces[i], IFNAMSIZ); ++ strlcpy(net->ksnn_interfaces[i].ksni_name, ++ ni->ni_interfaces[i], ++ sizeof(net->ksnn_interfaces[i].ksni_name)); + } + net->ksnn_ninterfaces = i; + } +diff --git a/drivers/staging/lustre/lnet/lnet/config.c b/drivers/staging/lustre/lnet/lnet/config.c +index 1b3bc8386524..75f120da0a84 100644 +--- a/drivers/staging/lustre/lnet/lnet/config.c ++++ b/drivers/staging/lustre/lnet/lnet/config.c +@@ -650,8 +650,8 @@ lnet_parse_route(char *str, int *im_a_router) + INIT_LIST_HEAD(&nets); + + /* save a copy of the string for error messages */ +- strncpy(cmd, str, sizeof(cmd) - 1); +- cmd[sizeof(cmd) - 1] = 0; ++ strncpy(cmd, str, sizeof(cmd)); ++ cmd[sizeof(cmd) - 1] = '\0'; + + sep = str; + for (;;) { +@@ -972,11 +972,13 @@ lnet_splitnets(char *source, struct list_head *nets) + return 0; + + offset += (int)(sep - tb->ltb_text); +- tb2 = lnet_new_text_buf(strlen(sep)); ++ len = strlen(sep); ++ tb2 = lnet_new_text_buf(len); + if (tb2 == NULL) + return -ENOMEM; + +- strcpy(tb2->ltb_text, sep); ++ strncpy(tb2->ltb_text, sep, len); ++ tb2->ltb_text[len] = '\0'; + list_add_tail(&tb2->ltb_list, nets); + + tb = tb2; +@@ -1021,8 +1023,8 @@ lnet_match_networks(char **networksp, char *ip2nets, __u32 *ipaddrs, int nip) + tb = list_entry(raw_entries.next, struct lnet_text_buf_t, + ltb_list); + +- strncpy(source, tb->ltb_text, sizeof(source)-1); +- source[sizeof(source)-1] = 0; ++ strncpy(source, tb->ltb_text, sizeof(source)); ++ source[sizeof(source)-1] = '\0'; + + /* replace ltb_text with the network(s) add on match */ + rc = lnet_match_network_tokens(tb->ltb_text, ipaddrs, nip); +diff --git a/drivers/staging/lustre/lnet/selftest/conrpc.c b/drivers/staging/lustre/lnet/selftest/conrpc.c +index 64a0335934f3..1066c70434b1 100644 +--- a/drivers/staging/lustre/lnet/selftest/conrpc.c ++++ b/drivers/staging/lustre/lnet/selftest/conrpc.c +@@ -612,8 +612,8 @@ lstcon_sesrpc_prep(lstcon_node_t *nd, int transop, + msrq = &(*crpc)->crp_rpc->crpc_reqstmsg.msg_body.mksn_reqst; + msrq->mksn_sid = console_session.ses_id; + msrq->mksn_force = console_session.ses_force; +- strncpy(msrq->mksn_name, console_session.ses_name, +- strlen(console_session.ses_name)); ++ strlcpy(msrq->mksn_name, console_session.ses_name, ++ sizeof(msrq->mksn_name)); + break; + + case LST_TRANS_SESEND: +diff --git a/drivers/staging/lustre/lnet/selftest/console.c b/drivers/staging/lustre/lnet/selftest/console.c +index d315dd44ae3b..ed1bc6ac79dd 100644 +--- a/drivers/staging/lustre/lnet/selftest/console.c ++++ b/drivers/staging/lustre/lnet/selftest/console.c +@@ -1739,7 +1739,8 @@ lstcon_session_new(char *name, int key, unsigned feats, + console_session.ses_feats_updated = 0; + console_session.ses_timeout = (timeout <= 0) ? + LST_CONSOLE_TIMEOUT : timeout; +- strcpy(console_session.ses_name, name); ++ strlcpy(console_session.ses_name, name, ++ sizeof(console_session.ses_name)); + + rc = lstcon_batch_add(LST_DEFAULT_BATCH); + if (rc != 0) +@@ -1959,7 +1960,8 @@ lstcon_acceptor_handle(srpc_server_rpc_t *rpc) + if (grp->grp_userland == 0) + grp->grp_userland = 1; + +- strcpy(jrep->join_session, console_session.ses_name); ++ strlcpy(jrep->join_session, console_session.ses_name, ++ sizeof(jrep->join_session)); + jrep->join_timeout = console_session.ses_timeout; + jrep->join_status = 0; + +diff --git a/drivers/staging/lustre/lustre/include/lustre_disk.h b/drivers/staging/lustre/lustre/include/lustre_disk.h +index 5e1ac129a681..7c6933ffc9c1 100644 +--- a/drivers/staging/lustre/lustre/include/lustre_disk.h ++++ b/drivers/staging/lustre/lustre/include/lustre_disk.h +@@ -68,6 +68,7 @@ + everything as string options */ + + #define LMD_MAGIC 0xbdacbd03 ++#define LMD_PARAMS_MAXLEN 4096 + + /* gleaned from the mount command - no persistent info here */ + struct lustre_mount_data { +diff --git a/drivers/staging/lustre/lustre/libcfs/debug.c b/drivers/staging/lustre/lustre/libcfs/debug.c +index 1d1c67164418..170775bc7bc0 100644 +--- a/drivers/staging/lustre/lustre/libcfs/debug.c ++++ b/drivers/staging/lustre/lustre/libcfs/debug.c +@@ -512,9 +512,9 @@ int libcfs_debug_init(unsigned long bufsize) + } + + if (libcfs_debug_file_path != NULL) { +- strncpy(libcfs_debug_file_path_arr, +- libcfs_debug_file_path, PATH_MAX-1); +- libcfs_debug_file_path_arr[PATH_MAX - 1] = '\0'; ++ strlcpy(libcfs_debug_file_path_arr, ++ libcfs_debug_file_path, ++ sizeof(libcfs_debug_file_path_arr)); + } + + /* If libcfs_debug_mb is set to an invalid value or uninitialized +diff --git a/drivers/staging/lustre/lustre/libcfs/hash.c b/drivers/staging/lustre/lustre/libcfs/hash.c +index 030874428952..55fc2190a5bb 100644 +--- a/drivers/staging/lustre/lustre/libcfs/hash.c ++++ b/drivers/staging/lustre/lustre/libcfs/hash.c +@@ -1062,8 +1062,7 @@ cfs_hash_create(char *name, unsigned cur_bits, unsigned max_bits, + if (hs == NULL) + return NULL; + +- strncpy(hs->hs_name, name, len); +- hs->hs_name[len - 1] = '\0'; ++ strlcpy(hs->hs_name, name, len); + hs->hs_flags = flags; + + atomic_set(&hs->hs_refcount, 1); +diff --git a/drivers/staging/lustre/lustre/libcfs/workitem.c b/drivers/staging/lustre/lustre/libcfs/workitem.c +index e1143a566ac4..f6cc434af756 100644 +--- a/drivers/staging/lustre/lustre/libcfs/workitem.c ++++ b/drivers/staging/lustre/lustre/libcfs/workitem.c +@@ -360,8 +360,8 @@ cfs_wi_sched_create(char *name, struct cfs_cpt_table *cptab, + if (sched == NULL) + return -ENOMEM; + +- strncpy(sched->ws_name, name, CFS_WS_NAME_LEN); +- sched->ws_name[CFS_WS_NAME_LEN - 1] = '\0'; ++ strlcpy(sched->ws_name, name, CFS_WS_NAME_LEN); ++ + sched->ws_cptab = cptab; + sched->ws_cpt = cpt; + +diff --git a/drivers/staging/lustre/lustre/llite/dir.c b/drivers/staging/lustre/lustre/llite/dir.c +index 5c9502b5b358..951259a98323 100644 +--- a/drivers/staging/lustre/lustre/llite/dir.c ++++ b/drivers/staging/lustre/lustre/llite/dir.c +@@ -641,7 +641,7 @@ static int ll_send_mgc_param(struct obd_export *mgc, char *string) + if (!msp) + return -ENOMEM; + +- strncpy(msp->mgs_param, string, MGS_PARAM_MAXLEN); ++ strlcpy(msp->mgs_param, string, sizeof(msp->mgs_param)); + rc = obd_set_info_async(NULL, mgc, sizeof(KEY_SET_INFO), KEY_SET_INFO, + sizeof(struct mgs_send_param), msp, NULL); + if (rc) +diff --git a/drivers/staging/lustre/lustre/lov/lov_pool.c b/drivers/staging/lustre/lustre/lov/lov_pool.c +index b03827ef6514..b43ce6cd64c2 100644 +--- a/drivers/staging/lustre/lustre/lov/lov_pool.c ++++ b/drivers/staging/lustre/lustre/lov/lov_pool.c +@@ -412,8 +412,7 @@ int lov_pool_new(struct obd_device *obd, char *poolname) + if (!new_pool) + return -ENOMEM; + +- strncpy(new_pool->pool_name, poolname, LOV_MAXPOOLNAME); +- new_pool->pool_name[LOV_MAXPOOLNAME] = '\0'; ++ strlcpy(new_pool->pool_name, poolname, sizeof(new_pool->pool_name)); + new_pool->pool_lobd = obd; + /* ref count init to 1 because when created a pool is always used + * up to deletion +diff --git a/drivers/staging/lustre/lustre/obdclass/obd_mount.c b/drivers/staging/lustre/lustre/obdclass/obd_mount.c +index 48003d5325e3..7617c57d16e0 100644 +--- a/drivers/staging/lustre/lustre/obdclass/obd_mount.c ++++ b/drivers/staging/lustre/lustre/obdclass/obd_mount.c +@@ -892,7 +892,7 @@ static int lmd_parse(char *options, struct lustre_mount_data *lmd) + } + lmd->lmd_magic = LMD_MAGIC; + +- lmd->lmd_params = kzalloc(4096, GFP_NOFS); ++ lmd->lmd_params = kzalloc(LMD_PARAMS_MAXLEN, GFP_NOFS); + if (!lmd->lmd_params) + return -ENOMEM; + lmd->lmd_params[0] = '\0'; +@@ -978,7 +978,7 @@ static int lmd_parse(char *options, struct lustre_mount_data *lmd) + goto invalid; + clear++; + } else if (strncmp(s1, "param=", 6) == 0) { +- int length; ++ size_t length, params_length; + char *tail = strchr(s1 + 6, ','); + + if (tail == NULL) +@@ -986,8 +986,12 @@ static int lmd_parse(char *options, struct lustre_mount_data *lmd) + else + length = tail - s1; + length -= 6; ++ params_length = strlen(lmd->lmd_params); ++ if (params_length + length + 1 >= LMD_PARAMS_MAXLEN) ++ return -E2BIG; + strncat(lmd->lmd_params, s1 + 6, length); +- strcat(lmd->lmd_params, " "); ++ lmd->lmd_params[params_length + length] = '\0'; ++ strlcat(lmd->lmd_params, " ", LMD_PARAMS_MAXLEN); + clear++; + } else if (strncmp(s1, "osd=", 4) == 0) { + rc = lmd_parse_string(&lmd->lmd_osd_type, s1 + 4); +diff --git a/drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c b/drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c +index ce036a1ac466..ac87aa12bd7e 100644 +--- a/drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c ++++ b/drivers/staging/lustre/lustre/ptlrpc/ptlrpcd.c +@@ -422,6 +422,7 @@ static int ptlrpcd(void *arg) + complete(&pc->pc_starting); + + /* ++ + * This mainloop strongly resembles ptlrpc_set_wait() except that our + * set never completes. ptlrpcd_check() calls ptlrpc_check_set() when + * there are requests in the set. New requests come in on the set's +diff --git a/drivers/staging/lustre/lustre/ptlrpc/sec_config.c b/drivers/staging/lustre/lustre/ptlrpc/sec_config.c +index 7ff948fe1424..7a206705865b 100644 +--- a/drivers/staging/lustre/lustre/ptlrpc/sec_config.c ++++ b/drivers/staging/lustre/lustre/ptlrpc/sec_config.c +@@ -83,8 +83,7 @@ int sptlrpc_parse_flavor(const char *str, struct sptlrpc_flavor *flvr) + return 0; + } + +- strncpy(buf, str, sizeof(buf)); +- buf[sizeof(buf) - 1] = '\0'; ++ strlcpy(buf, str, sizeof(buf)); + + bulk = strchr(buf, '-'); + if (bulk) +diff --git a/drivers/staging/rdma/hfi1/ud.c b/drivers/staging/rdma/hfi1/ud.c +index 5a9c784bec04..a88e37444be0 100644 +--- a/drivers/staging/rdma/hfi1/ud.c ++++ b/drivers/staging/rdma/hfi1/ud.c +@@ -793,7 +793,6 @@ void hfi1_ud_rcv(struct hfi1_packet *packet) + opcode == IB_OPCODE_UD_SEND_ONLY_WITH_IMMEDIATE) { + wc.ex.imm_data = ohdr->u.ud.imm_data; + wc.wc_flags = IB_WC_WITH_IMM; +- tlen -= sizeof(u32); + } else if (opcode == IB_OPCODE_UD_SEND_ONLY) { + wc.ex.imm_data = 0; + wc.wc_flags = 0; +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 58fe27705b96..cbb4414edd71 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4232,9 +4232,9 @@ static void iscsit_release_commands_from_conn(struct iscsi_conn *conn) + struct se_cmd *se_cmd = &cmd->se_cmd; + + if (se_cmd->se_tfo != NULL) { +- spin_lock(&se_cmd->t_state_lock); ++ spin_lock_irq(&se_cmd->t_state_lock); + se_cmd->transport_state |= CMD_T_FABRIC_STOP; +- spin_unlock(&se_cmd->t_state_lock); ++ spin_unlock_irq(&se_cmd->t_state_lock); + } + } + spin_unlock_bh(&conn->cmd_lock); +diff --git a/drivers/thermal/int340x_thermal/processor_thermal_device.c b/drivers/thermal/int340x_thermal/processor_thermal_device.c +index ccc0ad02d066..7f374ab5b176 100644 +--- a/drivers/thermal/int340x_thermal/processor_thermal_device.c ++++ b/drivers/thermal/int340x_thermal/processor_thermal_device.c +@@ -363,7 +363,7 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, + proc_priv->soc_dts = intel_soc_dts_iosf_init( + INTEL_SOC_DTS_INTERRUPT_MSI, 2, 0); + +- if (proc_priv->soc_dts && pdev->irq) { ++ if (!IS_ERR(proc_priv->soc_dts) && pdev->irq) { + ret = pci_enable_msi(pdev); + if (!ret) { + ret = request_threaded_irq(pdev->irq, NULL, +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c +index 746c76b358a0..b032add92722 100644 +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -2326,6 +2326,111 @@ static struct pci_serial_quirk pci_serial_quirks[] __refdata = { + .setup = pci_default_setup, + .exit = pci_plx9050_exit, + }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, ++ { ++ .vendor = PCI_VENDOR_ID_ACCESIO, ++ .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM, ++ .subvendor = PCI_ANY_ID, ++ .subdevice = PCI_ANY_ID, ++ .setup = pci_pericom_setup, ++ }, + /* + * SBS Technologies, Inc., PMC-OCTALPRO 232 + */ +@@ -5176,10 +5281,10 @@ static struct pci_device_id serial_pci_tbl[] = { + */ + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, + pbn_pericom_PI7C9X7954 }, +@@ -5188,10 +5293,10 @@ static struct pci_device_id serial_pci_tbl[] = { + pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, + pbn_pericom_PI7C9X7954 }, +@@ -5200,10 +5305,10 @@ static struct pci_device_id serial_pci_tbl[] = { + pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, + pbn_pericom_PI7C9X7954 }, +@@ -5212,13 +5317,13 @@ static struct pci_device_id serial_pci_tbl[] = { + pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7951 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, + pbn_pericom_PI7C9X7954 }, +@@ -5227,16 +5332,16 @@ static struct pci_device_id serial_pci_tbl[] = { + pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, + pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, + pbn_pericom_PI7C9X7954 }, +@@ -5245,13 +5350,13 @@ static struct pci_device_id serial_pci_tbl[] = { + pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7954 }, ++ pbn_pericom_PI7C9X7952 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7958 }, ++ pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7958 }, ++ pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM422_8, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, + pbn_pericom_PI7C9X7958 }, +@@ -5260,19 +5365,19 @@ static struct pci_device_id serial_pci_tbl[] = { + pbn_pericom_PI7C9X7958 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7958 }, ++ pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_8, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, + pbn_pericom_PI7C9X7958 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7958 }, ++ pbn_pericom_PI7C9X7954 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_8SM, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, + pbn_pericom_PI7C9X7958 }, + { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, +- pbn_pericom_PI7C9X7958 }, ++ pbn_pericom_PI7C9X7954 }, + /* + * Topic TP560 Data/Fax/Voice 56k modem (reported by Evan Clarke) + */ +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 8b5ec9386f0f..1544a7cc76ff 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1409,7 +1409,7 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, + } + + /* ask the core to calculate the divisor */ +- baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 16); ++ baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 4); + + spin_lock_irqsave(&sport->port.lock, flags); + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index b6037a0ae829..557f08adf644 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1676,6 +1676,7 @@ static int dwc3_gadget_start(struct usb_gadget *g, + + /* begin to receive SETUP packets */ + dwc->ep0state = EP0_SETUP_PHASE; ++ dwc->link_state = DWC3_LINK_STATE_SS_DIS; + dwc3_ep0_out_start(dwc); + + dwc3_gadget_enable_irq(dwc); +diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c +index 67b243989938..d7d095781be1 100644 +--- a/drivers/usb/gadget/function/f_sourcesink.c ++++ b/drivers/usb/gadget/function/f_sourcesink.c +@@ -849,7 +849,7 @@ static struct usb_function *source_sink_alloc_func( + + ss = kzalloc(sizeof(*ss), GFP_KERNEL); + if (!ss) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + ss_opts = container_of(fi, struct f_ss_opts, func_inst); + +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 97382301c393..b317594a6342 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -57,6 +57,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ + { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ + { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */ ++ { USB_DEVICE(0x0B00, 0x3070) }, /* Ingenico 3070 */ + { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ + { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */ + { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */ +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 3e5b189a79b4..4287e2b1c175 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1020,6 +1020,8 @@ static const struct usb_device_id id_table_combined[] = { + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) }, + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) }, + { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) }, ++ /* EZPrototypes devices */ ++ { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) }, + { } /* Terminating entry */ + }; + +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 76a10b222ff9..ddf5ab983dc9 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1307,6 +1307,12 @@ + #define IONICS_VID 0x1c0c + #define IONICS_PLUGCOMPUTER_PID 0x0102 + ++/* ++ * EZPrototypes (PID reseller) ++ */ ++#define EZPROTOTYPES_VID 0x1c40 ++#define HJELMSLUND_USB485_ISO_PID 0x0477 ++ + /* + * Dresden Elektronik Sensor Terminal Board + */ +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 7bc2c9fef605..b2b7c12e5c86 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1147,6 +1147,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), + .driver_info = NCTRL(0) | RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1102, 0xff), /* Telit ME910 (ECM) */ ++ .driver_info = NCTRL(0) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), +diff --git a/fs/9p/cache.c b/fs/9p/cache.c +index a69260f27555..103ca5e1267b 100644 +--- a/fs/9p/cache.c ++++ b/fs/9p/cache.c +@@ -243,14 +243,14 @@ void v9fs_cache_inode_set_cookie(struct inode *inode, struct file *filp) + if (!v9inode->fscache) + return; + +- spin_lock(&v9inode->fscache_lock); ++ mutex_lock(&v9inode->fscache_lock); + + if ((filp->f_flags & O_ACCMODE) != O_RDONLY) + v9fs_cache_inode_flush_cookie(inode); + else + v9fs_cache_inode_get_cookie(inode); + +- spin_unlock(&v9inode->fscache_lock); ++ mutex_unlock(&v9inode->fscache_lock); + } + + void v9fs_cache_inode_reset_cookie(struct inode *inode) +@@ -264,7 +264,7 @@ void v9fs_cache_inode_reset_cookie(struct inode *inode) + + old = v9inode->fscache; + +- spin_lock(&v9inode->fscache_lock); ++ mutex_lock(&v9inode->fscache_lock); + fscache_relinquish_cookie(v9inode->fscache, 1); + + v9ses = v9fs_inode2v9ses(inode); +@@ -274,7 +274,7 @@ void v9fs_cache_inode_reset_cookie(struct inode *inode) + p9_debug(P9_DEBUG_FSC, "inode %p revalidating cookie old %p new %p\n", + inode, old, v9inode->fscache); + +- spin_unlock(&v9inode->fscache_lock); ++ mutex_unlock(&v9inode->fscache_lock); + } + + int __v9fs_fscache_release_page(struct page *page, gfp_t gfp) +diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h +index 0923f2cf3c80..6877050384a1 100644 +--- a/fs/9p/v9fs.h ++++ b/fs/9p/v9fs.h +@@ -123,7 +123,7 @@ struct v9fs_session_info { + + struct v9fs_inode { + #ifdef CONFIG_9P_FSCACHE +- spinlock_t fscache_lock; ++ struct mutex fscache_lock; + struct fscache_cookie *fscache; + #endif + struct p9_qid qid; +diff --git a/fs/9p/v9fs_vfs.h b/fs/9p/v9fs_vfs.h +index 5a0db6dec8d1..aaee1e6584e6 100644 +--- a/fs/9p/v9fs_vfs.h ++++ b/fs/9p/v9fs_vfs.h +@@ -40,6 +40,9 @@ + */ + #define P9_LOCK_TIMEOUT (30*HZ) + ++/* flags for v9fs_stat2inode() & v9fs_stat2inode_dotl() */ ++#define V9FS_STAT2INODE_KEEP_ISIZE 1 ++ + extern struct file_system_type v9fs_fs_type; + extern const struct address_space_operations v9fs_addr_operations; + extern const struct file_operations v9fs_file_operations; +@@ -61,8 +64,10 @@ int v9fs_init_inode(struct v9fs_session_info *v9ses, + struct inode *inode, umode_t mode, dev_t); + void v9fs_evict_inode(struct inode *inode); + ino_t v9fs_qid2ino(struct p9_qid *qid); +-void v9fs_stat2inode(struct p9_wstat *, struct inode *, struct super_block *); +-void v9fs_stat2inode_dotl(struct p9_stat_dotl *, struct inode *); ++void v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode, ++ struct super_block *sb, unsigned int flags); ++void v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode, ++ unsigned int flags); + int v9fs_dir_release(struct inode *inode, struct file *filp); + int v9fs_file_open(struct inode *inode, struct file *file); + void v9fs_inode2stat(struct inode *inode, struct p9_wstat *stat); +@@ -83,4 +88,18 @@ static inline void v9fs_invalidate_inode_attr(struct inode *inode) + } + + int v9fs_open_to_dotl_flags(int flags); ++ ++static inline void v9fs_i_size_write(struct inode *inode, loff_t i_size) ++{ ++ /* ++ * 32-bit need the lock, concurrent updates could break the ++ * sequences and make i_size_read() loop forever. ++ * 64-bit updates are atomic and can skip the locking. ++ */ ++ if (sizeof(i_size) > sizeof(long)) ++ spin_lock(&inode->i_lock); ++ i_size_write(inode, i_size); ++ if (sizeof(i_size) > sizeof(long)) ++ spin_unlock(&inode->i_lock); ++} + #endif +diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c +index e7b3d2c4472d..62ce8b4a7e5f 100644 +--- a/fs/9p/vfs_file.c ++++ b/fs/9p/vfs_file.c +@@ -442,7 +442,11 @@ v9fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from) + i_size = i_size_read(inode); + if (iocb->ki_pos > i_size) { + inode_add_bytes(inode, iocb->ki_pos - i_size); +- i_size_write(inode, iocb->ki_pos); ++ /* ++ * Need to serialize against i_size_write() in ++ * v9fs_stat2inode() ++ */ ++ v9fs_i_size_write(inode, iocb->ki_pos); + } + return retval; + } +diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c +index 73f1d1b3a51c..2de1505aedfd 100644 +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -244,7 +244,7 @@ struct inode *v9fs_alloc_inode(struct super_block *sb) + return NULL; + #ifdef CONFIG_9P_FSCACHE + v9inode->fscache = NULL; +- spin_lock_init(&v9inode->fscache_lock); ++ mutex_init(&v9inode->fscache_lock); + #endif + v9inode->writeback_fid = NULL; + v9inode->cache_validity = 0; +@@ -538,7 +538,7 @@ static struct inode *v9fs_qid_iget(struct super_block *sb, + if (retval) + goto error; + +- v9fs_stat2inode(st, inode, sb); ++ v9fs_stat2inode(st, inode, sb, 0); + v9fs_cache_inode_get_cookie(inode); + unlock_new_inode(inode); + return inode; +@@ -1074,7 +1074,7 @@ v9fs_vfs_getattr(struct vfsmount *mnt, struct dentry *dentry, + if (IS_ERR(st)) + return PTR_ERR(st); + +- v9fs_stat2inode(st, d_inode(dentry), d_inode(dentry)->i_sb); ++ v9fs_stat2inode(st, d_inode(dentry), d_inode(dentry)->i_sb, 0); + generic_fillattr(d_inode(dentry), stat); + + p9stat_free(st); +@@ -1152,12 +1152,13 @@ static int v9fs_vfs_setattr(struct dentry *dentry, struct iattr *iattr) + * @stat: Plan 9 metadata (mistat) structure + * @inode: inode to populate + * @sb: superblock of filesystem ++ * @flags: control flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE) + * + */ + + void + v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode, +- struct super_block *sb) ++ struct super_block *sb, unsigned int flags) + { + umode_t mode; + char ext[32]; +@@ -1198,10 +1199,11 @@ v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode, + mode = p9mode2perm(v9ses, stat); + mode |= inode->i_mode & ~S_IALLUGO; + inode->i_mode = mode; +- i_size_write(inode, stat->length); + ++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE)) ++ v9fs_i_size_write(inode, stat->length); + /* not real number of blocks, but 512 byte ones ... */ +- inode->i_blocks = (i_size_read(inode) + 512 - 1) >> 9; ++ inode->i_blocks = (stat->length + 512 - 1) >> 9; + v9inode->cache_validity &= ~V9FS_INO_INVALID_ATTR; + } + +@@ -1389,9 +1391,9 @@ int v9fs_refresh_inode(struct p9_fid *fid, struct inode *inode) + { + int umode; + dev_t rdev; +- loff_t i_size; + struct p9_wstat *st; + struct v9fs_session_info *v9ses; ++ unsigned int flags; + + v9ses = v9fs_inode2v9ses(inode); + st = p9_client_stat(fid); +@@ -1404,16 +1406,13 @@ int v9fs_refresh_inode(struct p9_fid *fid, struct inode *inode) + if ((inode->i_mode & S_IFMT) != (umode & S_IFMT)) + goto out; + +- spin_lock(&inode->i_lock); + /* + * We don't want to refresh inode->i_size, + * because we may have cached data + */ +- i_size = inode->i_size; +- v9fs_stat2inode(st, inode, inode->i_sb); +- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) +- inode->i_size = i_size; +- spin_unlock(&inode->i_lock); ++ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ? ++ V9FS_STAT2INODE_KEEP_ISIZE : 0; ++ v9fs_stat2inode(st, inode, inode->i_sb, flags); + out: + p9stat_free(st); + kfree(st); +diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c +index 0b88744c6446..7ae67fcca031 100644 +--- a/fs/9p/vfs_inode_dotl.c ++++ b/fs/9p/vfs_inode_dotl.c +@@ -143,7 +143,7 @@ static struct inode *v9fs_qid_iget_dotl(struct super_block *sb, + if (retval) + goto error; + +- v9fs_stat2inode_dotl(st, inode); ++ v9fs_stat2inode_dotl(st, inode, 0); + v9fs_cache_inode_get_cookie(inode); + retval = v9fs_get_acl(inode, fid); + if (retval) +@@ -498,7 +498,7 @@ v9fs_vfs_getattr_dotl(struct vfsmount *mnt, struct dentry *dentry, + if (IS_ERR(st)) + return PTR_ERR(st); + +- v9fs_stat2inode_dotl(st, d_inode(dentry)); ++ v9fs_stat2inode_dotl(st, d_inode(dentry), 0); + generic_fillattr(d_inode(dentry), stat); + /* Change block size to what the server returned */ + stat->blksize = st->st_blksize; +@@ -609,11 +609,13 @@ int v9fs_vfs_setattr_dotl(struct dentry *dentry, struct iattr *iattr) + * v9fs_stat2inode_dotl - populate an inode structure with stat info + * @stat: stat structure + * @inode: inode to populate ++ * @flags: ctrl flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE) + * + */ + + void +-v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode) ++v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode, ++ unsigned int flags) + { + umode_t mode; + struct v9fs_inode *v9inode = V9FS_I(inode); +@@ -633,7 +635,8 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode) + mode |= inode->i_mode & ~S_IALLUGO; + inode->i_mode = mode; + +- i_size_write(inode, stat->st_size); ++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE)) ++ v9fs_i_size_write(inode, stat->st_size); + inode->i_blocks = stat->st_blocks; + } else { + if (stat->st_result_mask & P9_STATS_ATIME) { +@@ -663,8 +666,9 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode) + } + if (stat->st_result_mask & P9_STATS_RDEV) + inode->i_rdev = new_decode_dev(stat->st_rdev); +- if (stat->st_result_mask & P9_STATS_SIZE) +- i_size_write(inode, stat->st_size); ++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE) && ++ stat->st_result_mask & P9_STATS_SIZE) ++ v9fs_i_size_write(inode, stat->st_size); + if (stat->st_result_mask & P9_STATS_BLOCKS) + inode->i_blocks = stat->st_blocks; + } +@@ -926,9 +930,9 @@ v9fs_vfs_follow_link_dotl(struct dentry *dentry, void **cookie) + + int v9fs_refresh_inode_dotl(struct p9_fid *fid, struct inode *inode) + { +- loff_t i_size; + struct p9_stat_dotl *st; + struct v9fs_session_info *v9ses; ++ unsigned int flags; + + v9ses = v9fs_inode2v9ses(inode); + st = p9_client_getattr_dotl(fid, P9_STATS_ALL); +@@ -940,16 +944,13 @@ int v9fs_refresh_inode_dotl(struct p9_fid *fid, struct inode *inode) + if ((inode->i_mode & S_IFMT) != (st->st_mode & S_IFMT)) + goto out; + +- spin_lock(&inode->i_lock); + /* + * We don't want to refresh inode->i_size, + * because we may have cached data + */ +- i_size = inode->i_size; +- v9fs_stat2inode_dotl(st, inode); +- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) +- inode->i_size = i_size; +- spin_unlock(&inode->i_lock); ++ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ? ++ V9FS_STAT2INODE_KEEP_ISIZE : 0; ++ v9fs_stat2inode_dotl(st, inode, flags); + out: + kfree(st); + return 0; +diff --git a/fs/9p/vfs_super.c b/fs/9p/vfs_super.c +index bf495cedec26..ccf935d9e722 100644 +--- a/fs/9p/vfs_super.c ++++ b/fs/9p/vfs_super.c +@@ -165,7 +165,7 @@ static struct dentry *v9fs_mount(struct file_system_type *fs_type, int flags, + goto release_sb; + } + d_inode(root)->i_ino = v9fs_qid2ino(&st->qid); +- v9fs_stat2inode_dotl(st, d_inode(root)); ++ v9fs_stat2inode_dotl(st, d_inode(root), 0); + kfree(st); + } else { + struct p9_wstat *st = NULL; +@@ -176,7 +176,7 @@ static struct dentry *v9fs_mount(struct file_system_type *fs_type, int flags, + } + + d_inode(root)->i_ino = v9fs_qid2ino(&st->qid); +- v9fs_stat2inode(st, d_inode(root), sb); ++ v9fs_stat2inode(st, d_inode(root), sb, 0); + + p9stat_free(st); + kfree(st); +diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c +index 7a5a598a2d94..0d8b9c4f27f2 100644 +--- a/fs/autofs4/expire.c ++++ b/fs/autofs4/expire.c +@@ -560,7 +560,6 @@ int autofs4_expire_run(struct super_block *sb, + pkt.len = dentry->d_name.len; + memcpy(pkt.name, dentry->d_name.name, pkt.len); + pkt.name[pkt.len] = '\0'; +- dput(dentry); + + if ( copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)) ) + ret = -EFAULT; +@@ -573,6 +572,8 @@ int autofs4_expire_run(struct super_block *sb, + complete_all(&ino->expire_complete); + spin_unlock(&sbi->fs_lock); + ++ dput(dentry); ++ + return ret; + } + +diff --git a/fs/autofs4/inode.c b/fs/autofs4/inode.c +index 1132fe71b312..0fd472d67029 100644 +--- a/fs/autofs4/inode.c ++++ b/fs/autofs4/inode.c +@@ -255,8 +255,10 @@ int autofs4_fill_super(struct super_block *s, void *data, int silent) + } + root_inode = autofs4_get_inode(s, S_IFDIR | 0755); + root = d_make_root(root_inode); +- if (!root) ++ if (!root) { ++ ret = -ENOMEM; + goto fail_ino; ++ } + pipe = NULL; + + root->d_fsdata = ino; +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 42e7f6a8f91d..a18f558b4477 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -3106,11 +3106,11 @@ static int __do_readpage(struct extent_io_tree *tree, + */ + if (test_bit(EXTENT_FLAG_COMPRESSED, &em->flags) && + prev_em_start && *prev_em_start != (u64)-1 && +- *prev_em_start != em->orig_start) ++ *prev_em_start != em->start) + force_bio_submit = true; + + if (prev_em_start) +- *prev_em_start = em->orig_start; ++ *prev_em_start = em->start; + + free_extent_map(em); + em = NULL; +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 5e8fe8f3942d..d1cca19b29d3 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6287,10 +6287,10 @@ static int btrfs_check_chunk_valid(struct btrfs_root *root, + } + + if ((type & BTRFS_BLOCK_GROUP_RAID10 && sub_stripes != 2) || +- (type & BTRFS_BLOCK_GROUP_RAID1 && num_stripes < 1) || ++ (type & BTRFS_BLOCK_GROUP_RAID1 && num_stripes != 2) || + (type & BTRFS_BLOCK_GROUP_RAID5 && num_stripes < 2) || + (type & BTRFS_BLOCK_GROUP_RAID6 && num_stripes < 3) || +- (type & BTRFS_BLOCK_GROUP_DUP && num_stripes > 2) || ++ (type & BTRFS_BLOCK_GROUP_DUP && num_stripes != 2) || + ((type & BTRFS_BLOCK_GROUP_PROFILE_MASK) == 0 && + num_stripes != 1)) { + btrfs_err(root->fs_info, +diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c +index 4aa7122a8d38..a485d0cdc559 100644 +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -611,7 +611,8 @@ int __ceph_finish_cap_snap(struct ceph_inode_info *ci, + capsnap->size); + + spin_lock(&mdsc->snap_flush_lock); +- list_add_tail(&ci->i_snap_flush_item, &mdsc->snap_flush_list); ++ if (list_empty(&ci->i_snap_flush_item)) ++ list_add_tail(&ci->i_snap_flush_item, &mdsc->snap_flush_list); + spin_unlock(&mdsc->snap_flush_lock); + return 1; /* caller may want to ceph_flush_snaps */ + } +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 1062e96ee272..0305e3866216 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -2753,14 +2753,16 @@ cifs_strict_writev(struct kiocb *iocb, struct iov_iter *from) + * these pages but not on the region from pos to ppos+len-1. + */ + written = cifs_user_writev(iocb, from); +- if (written > 0 && CIFS_CACHE_READ(cinode)) { ++ if (CIFS_CACHE_READ(cinode)) { + /* +- * Windows 7 server can delay breaking level2 oplock if a write +- * request comes - break it on the client to prevent reading +- * an old data. ++ * We have read level caching and we have just sent a write ++ * request to the server thus making data in the cache stale. ++ * Zap the cache and set oplock/lease level to NONE to avoid ++ * reading stale data from the cache. All subsequent read ++ * operations will read new data from the server. + */ + cifs_zap_mapping(inode); +- cifs_dbg(FYI, "Set no oplock for inode=%p after a write operation\n", ++ cifs_dbg(FYI, "Set Oplock/Lease to NONE for inode=%p after write\n", + inode); + cinode->oplock = 0; + } +diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h +index aacb15bd56fe..f087158c5555 100644 +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -82,8 +82,8 @@ + + #define NUMBER_OF_SMB2_COMMANDS 0x0013 + +-/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */ +-#define MAX_SMB2_HDR_SIZE 0x00b0 ++/* 52 transform hdr + 64 hdr + 88 create rsp */ ++#define MAX_SMB2_HDR_SIZE 204 + + #define SMB2_PROTO_NUMBER cpu_to_le32(0x424d53fe) + +diff --git a/fs/drop_caches.c b/fs/drop_caches.c +index d72d52b90433..280460fef066 100644 +--- a/fs/drop_caches.c ++++ b/fs/drop_caches.c +@@ -20,8 +20,13 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) + spin_lock(&sb->s_inode_list_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { + spin_lock(&inode->i_lock); ++ /* ++ * We must skip inodes in unusual state. We may also skip ++ * inodes without pages but we deliberately won't in case ++ * we need to reschedule to avoid softlockups. ++ */ + if ((inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) || +- (inode->i_mapping->nrpages == 0)) { ++ (inode->i_mapping->nrpages == 0 && !need_resched())) { + spin_unlock(&inode->i_lock); + continue; + } +@@ -29,6 +34,7 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) + spin_unlock(&inode->i_lock); + spin_unlock(&sb->s_inode_list_lock); + ++ cond_resched(); + invalidate_mapping_pages(inode->i_mapping, 0, -1); + iput(toput_inode); + toput_inode = inode; +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index 748d35afc902..860024392969 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -721,7 +721,8 @@ static loff_t ext2_max_size(int bits) + { + loff_t res = EXT2_NDIR_BLOCKS; + int meta_blocks; +- loff_t upper_limit; ++ unsigned int upper_limit; ++ unsigned int ppb = 1 << (bits-2); + + /* This is calculated to be the largest file size for a + * dense, file such that the total number of +@@ -735,24 +736,34 @@ static loff_t ext2_max_size(int bits) + /* total blocks in file system block size */ + upper_limit >>= (bits - 9); + ++ /* Compute how many blocks we can address by block tree */ ++ res += 1LL << (bits-2); ++ res += 1LL << (2*(bits-2)); ++ res += 1LL << (3*(bits-2)); ++ /* Does block tree limit file size? */ ++ if (res < upper_limit) ++ goto check_lfs; + ++ res = upper_limit; ++ /* How many metadata blocks are needed for addressing upper_limit? */ ++ upper_limit -= EXT2_NDIR_BLOCKS; + /* indirect blocks */ + meta_blocks = 1; ++ upper_limit -= ppb; + /* double indirect blocks */ +- meta_blocks += 1 + (1LL << (bits-2)); +- /* tripple indirect blocks */ +- meta_blocks += 1 + (1LL << (bits-2)) + (1LL << (2*(bits-2))); +- +- upper_limit -= meta_blocks; +- upper_limit <<= bits; +- +- res += 1LL << (bits-2); +- res += 1LL << (2*(bits-2)); +- res += 1LL << (3*(bits-2)); ++ if (upper_limit < ppb * ppb) { ++ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb); ++ res -= meta_blocks; ++ goto check_lfs; ++ } ++ meta_blocks += 1 + ppb; ++ upper_limit -= ppb * ppb; ++ /* tripple indirect blocks for the rest */ ++ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb) + ++ DIV_ROUND_UP(upper_limit, ppb*ppb); ++ res -= meta_blocks; ++check_lfs: + res <<= bits; +- if (res > upper_limit) +- res = upper_limit; +- + if (res > MAX_LFS_FILESIZE) + res = MAX_LFS_FILESIZE; + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 2fc1564f62dd..4bd12247a9be 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1928,7 +1928,8 @@ retry: + le16_to_cpu(es->s_reserved_gdt_blocks); + n_group = n_desc_blocks * EXT4_DESC_PER_BLOCK(sb); + n_blocks_count = (ext4_fsblk_t)n_group * +- EXT4_BLOCKS_PER_GROUP(sb); ++ EXT4_BLOCKS_PER_GROUP(sb) + ++ le32_to_cpu(es->s_first_data_block); + n_group--; /* set to last group number */ + } + +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index ab34f613fa85..cefae2350da5 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -869,6 +869,18 @@ static int hugetlbfs_migrate_page(struct address_space *mapping, + rc = migrate_huge_page_move_mapping(mapping, newpage, page); + if (rc != MIGRATEPAGE_SUCCESS) + return rc; ++ ++ /* ++ * page_private is subpool pointer in hugetlb pages. Transfer to ++ * new page. PagePrivate is not associated with page_private for ++ * hugetlb pages and can not be set here as only page_huge_active ++ * pages can be migrated. ++ */ ++ if (page_private(page)) { ++ set_page_private(newpage, page_private(page)); ++ set_page_private(page, 0); ++ } ++ + migrate_page_copy(newpage, page); + + return MIGRATEPAGE_SUCCESS; +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index bce343febb9e..c34433432d47 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1215,11 +1215,12 @@ int jbd2_journal_get_undo_access(handle_t *handle, struct buffer_head *bh) + struct journal_head *jh; + char *committed_data = NULL; + +- JBUFFER_TRACE(jh, "entry"); + if (jbd2_write_access_granted(handle, bh, true)) + return 0; + + jh = jbd2_journal_add_journal_head(bh); ++ JBUFFER_TRACE(jh, "entry"); ++ + /* + * Do this first --- it can drop the journal lock, so we want to + * make sure that obtaining the committed_data is done +@@ -1336,15 +1337,17 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + + if (is_handle_aborted(handle)) + return -EROFS; +- if (!buffer_jbd(bh)) { +- ret = -EUCLEAN; +- goto out; +- } ++ if (!buffer_jbd(bh)) ++ return -EUCLEAN; ++ + /* + * We don't grab jh reference here since the buffer must be part + * of the running transaction. + */ + jh = bh2jh(bh); ++ jbd_debug(5, "journal_head %p\n", jh); ++ JBUFFER_TRACE(jh, "entry"); ++ + /* + * This and the following assertions are unreliable since we may see jh + * in inconsistent state unless we grab bh_state lock. But this is +@@ -1378,9 +1381,6 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + } + + journal = transaction->t_journal; +- jbd_debug(5, "journal_head %p\n", jh); +- JBUFFER_TRACE(jh, "entry"); +- + jbd_lock_bh_state(bh); + + if (jh->b_modified == 0) { +@@ -1578,14 +1578,21 @@ int jbd2_journal_forget (handle_t *handle, struct buffer_head *bh) + /* However, if the buffer is still owned by a prior + * (committing) transaction, we can't drop it yet... */ + JBUFFER_TRACE(jh, "belongs to older transaction"); +- /* ... but we CAN drop it from the new transaction if we +- * have also modified it since the original commit. */ ++ /* ... but we CAN drop it from the new transaction through ++ * marking the buffer as freed and set j_next_transaction to ++ * the new transaction, so that not only the commit code ++ * knows it should clear dirty bits when it is done with the ++ * buffer, but also the buffer can be checkpointed only ++ * after the new transaction commits. */ + +- if (jh->b_next_transaction) { +- J_ASSERT(jh->b_next_transaction == transaction); ++ set_buffer_freed(bh); ++ ++ if (!jh->b_next_transaction) { + spin_lock(&journal->j_list_lock); +- jh->b_next_transaction = NULL; ++ jh->b_next_transaction = transaction; + spin_unlock(&journal->j_list_lock); ++ } else { ++ J_ASSERT(jh->b_next_transaction == transaction); + + /* + * only drop a reference if this transaction modified +diff --git a/fs/ncpfs/ioctl.c b/fs/ncpfs/ioctl.c +index 0a3f9b594602..37779ed3f790 100644 +--- a/fs/ncpfs/ioctl.c ++++ b/fs/ncpfs/ioctl.c +@@ -233,7 +233,7 @@ ncp_get_charsets(struct ncp_server* server, struct ncp_nls_ioctl __user *arg) + len = strlen(server->nls_vol->charset); + if (len > NCP_IOCSNAME_LEN) + len = NCP_IOCSNAME_LEN; +- strncpy(user.codepage, server->nls_vol->charset, len); ++ strscpy(user.codepage, server->nls_vol->charset, NCP_IOCSNAME_LEN); + user.codepage[len] = 0; + } + +@@ -243,7 +243,7 @@ ncp_get_charsets(struct ncp_server* server, struct ncp_nls_ioctl __user *arg) + len = strlen(server->nls_io->charset); + if (len > NCP_IOCSNAME_LEN) + len = NCP_IOCSNAME_LEN; +- strncpy(user.iocharset, server->nls_io->charset, len); ++ strscpy(user.iocharset, server->nls_io->charset, NCP_IOCSNAME_LEN); + user.iocharset[len] = 0; + } + mutex_unlock(&server->root_setup_lock); +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index 211440722e24..88cb8e0d6014 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -670,6 +670,10 @@ static void nfs_direct_write_reschedule(struct nfs_direct_req *dreq) + + req = nfs_list_entry(reqs.next); + nfs_direct_setup_mirroring(dreq, &desc, req); ++ if (desc.pg_error < 0) { ++ list_splice_init(&reqs, &failed); ++ goto out_failed; ++ } + + list_for_each_entry_safe(req, tmp, &reqs, wb_list) { + if (!nfs_pageio_add_request(&desc, req)) { +@@ -677,13 +681,17 @@ static void nfs_direct_write_reschedule(struct nfs_direct_req *dreq) + nfs_list_add_request(req, &failed); + spin_lock(cinfo.lock); + dreq->flags = 0; +- dreq->error = -EIO; ++ if (desc.pg_error < 0) ++ dreq->error = desc.pg_error; ++ else ++ dreq->error = -EIO; + spin_unlock(cinfo.lock); + } + nfs_release_request(req); + } + nfs_pageio_complete(&desc); + ++out_failed: + while (!list_empty(&failed)) { + req = nfs_list_entry(failed.next); + nfs_list_remove_request(req); +@@ -898,6 +906,11 @@ static ssize_t nfs_direct_write_schedule_iovec(struct nfs_direct_req *dreq, + } + + nfs_direct_setup_mirroring(dreq, &desc, req); ++ if (desc.pg_error < 0) { ++ nfs_free_request(req); ++ result = desc.pg_error; ++ break; ++ } + + nfs_lock_request(req); + req->wb_index = pos >> PAGE_SHIFT; +diff --git a/fs/nfs/filelayout/filelayout.c b/fs/nfs/filelayout/filelayout.c +index fd8da630fd22..8e268965c96d 100644 +--- a/fs/nfs/filelayout/filelayout.c ++++ b/fs/nfs/filelayout/filelayout.c +@@ -882,13 +882,19 @@ static void + filelayout_pg_init_read(struct nfs_pageio_descriptor *pgio, + struct nfs_page *req) + { +- if (!pgio->pg_lseg) ++ if (!pgio->pg_lseg) { + pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, + req->wb_context, + 0, + NFS4_MAX_UINT64, + IOMODE_READ, + GFP_KERNEL); ++ if (IS_ERR(pgio->pg_lseg)) { ++ pgio->pg_error = PTR_ERR(pgio->pg_lseg); ++ pgio->pg_lseg = NULL; ++ return; ++ } ++ } + /* If no lseg, fall back to read through mds */ + if (pgio->pg_lseg == NULL) + nfs_pageio_reset_read_mds(pgio); +@@ -901,13 +907,20 @@ filelayout_pg_init_write(struct nfs_pageio_descriptor *pgio, + struct nfs_commit_info cinfo; + int status; + +- if (!pgio->pg_lseg) ++ if (!pgio->pg_lseg) { + pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, + req->wb_context, + 0, + NFS4_MAX_UINT64, + IOMODE_RW, + GFP_NOFS); ++ if (IS_ERR(pgio->pg_lseg)) { ++ pgio->pg_error = PTR_ERR(pgio->pg_lseg); ++ pgio->pg_lseg = NULL; ++ return; ++ } ++ } ++ + /* If no lseg, fall back to write through mds */ + if (pgio->pg_lseg == NULL) + goto out_mds; +diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c +index c8e90152b61b..6506775575aa 100644 +--- a/fs/nfs/flexfilelayout/flexfilelayout.c ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c +@@ -786,13 +786,19 @@ ff_layout_pg_init_read(struct nfs_pageio_descriptor *pgio, + int ds_idx; + + /* Use full layout for now */ +- if (!pgio->pg_lseg) ++ if (!pgio->pg_lseg) { + pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, + req->wb_context, + 0, + NFS4_MAX_UINT64, + IOMODE_READ, + GFP_KERNEL); ++ if (IS_ERR(pgio->pg_lseg)) { ++ pgio->pg_error = PTR_ERR(pgio->pg_lseg); ++ pgio->pg_lseg = NULL; ++ return; ++ } ++ } + /* If no lseg, fall back to read through mds */ + if (pgio->pg_lseg == NULL) + goto out_mds; +@@ -826,13 +832,19 @@ ff_layout_pg_init_write(struct nfs_pageio_descriptor *pgio, + int i; + int status; + +- if (!pgio->pg_lseg) ++ if (!pgio->pg_lseg) { + pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, + req->wb_context, + 0, + NFS4_MAX_UINT64, + IOMODE_RW, + GFP_NOFS); ++ if (IS_ERR(pgio->pg_lseg)) { ++ pgio->pg_error = PTR_ERR(pgio->pg_lseg); ++ pgio->pg_lseg = NULL; ++ return; ++ } ++ } + /* If no lseg, fall back to write through mds */ + if (pgio->pg_lseg == NULL) + goto out_mds; +@@ -868,18 +880,25 @@ static unsigned int + ff_layout_pg_get_mirror_count_write(struct nfs_pageio_descriptor *pgio, + struct nfs_page *req) + { +- if (!pgio->pg_lseg) ++ if (!pgio->pg_lseg) { + pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, + req->wb_context, + 0, + NFS4_MAX_UINT64, + IOMODE_RW, + GFP_NOFS); ++ if (IS_ERR(pgio->pg_lseg)) { ++ pgio->pg_error = PTR_ERR(pgio->pg_lseg); ++ pgio->pg_lseg = NULL; ++ goto out; ++ } ++ } + if (pgio->pg_lseg) + return FF_LAYOUT_MIRROR_COUNT(pgio->pg_lseg); + + /* no lseg means that pnfs is not in use, so no mirroring here */ + nfs_pageio_reset_write_mds(pgio); ++out: + return 1; + } + +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index 4bdc2fc86280..8a2077408ab0 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -872,6 +872,9 @@ static int nfs_pageio_setup_mirroring(struct nfs_pageio_descriptor *pgio, + + mirror_count = pgio->pg_ops->pg_get_mirror_count(pgio, req); + ++ if (pgio->pg_error < 0) ++ return pgio->pg_error; ++ + if (!mirror_count || mirror_count > NFS_PAGEIO_DESCRIPTOR_MIRROR_MAX) + return -EINVAL; + +@@ -980,6 +983,8 @@ static int nfs_pageio_do_add_request(struct nfs_pageio_descriptor *desc, + } else { + if (desc->pg_ops->pg_init) + desc->pg_ops->pg_init(desc, req); ++ if (desc->pg_error < 0) ++ return 0; + mirror->pg_base = req->wb_pgbase; + } + if (!nfs_can_coalesce_requests(prev, req, desc)) +@@ -1102,7 +1107,6 @@ static int nfs_do_recoalesce(struct nfs_pageio_descriptor *desc) + struct nfs_page *req; + + req = list_first_entry(&head, struct nfs_page, wb_list); +- nfs_list_remove_request(req); + if (__nfs_pageio_add_request(desc, req)) + continue; + if (desc->pg_error < 0) { +@@ -1145,6 +1149,8 @@ int nfs_pageio_add_request(struct nfs_pageio_descriptor *desc, + bytes = req->wb_bytes; + + nfs_pageio_setup_mirroring(desc, req); ++ if (desc->pg_error < 0) ++ return 0; + + for (midx = 0; midx < desc->pg_mirror_count; midx++) { + if (midx) { +@@ -1196,7 +1202,7 @@ static void nfs_pageio_complete_mirror(struct nfs_pageio_descriptor *desc, + desc->pg_mirror_idx = mirror_idx; + for (;;) { + nfs_pageio_doio(desc); +- if (!mirror->pg_recoalesce) ++ if (desc->pg_error < 0 || !mirror->pg_recoalesce) + break; + if (!nfs_do_recoalesce(desc)) + break; +@@ -1230,7 +1236,7 @@ int nfs_pageio_resend(struct nfs_pageio_descriptor *desc, + nfs_pageio_complete(desc); + if (!list_empty(&failed)) { + list_move(&failed, &hdr->pages); +- return -EIO; ++ return desc->pg_error < 0 ? desc->pg_error : -EIO; + } + return 0; + } +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index c8e75e5e6a67..d34fb0feb5c2 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -909,14 +909,15 @@ send_layoutget(struct pnfs_layout_hdr *lo, + + if (IS_ERR(lseg)) { + switch (PTR_ERR(lseg)) { +- case -ENOMEM: + case -ERESTARTSYS: ++ case -EIO: ++ case -ENOSPC: ++ case -EROFS: ++ case -E2BIG: + break; + default: +- /* remember that LAYOUTGET failed and suspend trying */ +- pnfs_layout_io_set_failed(lo, range->iomode); ++ return NULL; + } +- return NULL; + } else + pnfs_layout_clear_fail_bit(lo, + pnfs_iomode_to_fail_bit(range->iomode)); +@@ -1625,7 +1626,7 @@ out: + "(%s, offset: %llu, length: %llu)\n", + __func__, ino->i_sb->s_id, + (unsigned long long)NFS_FILEID(ino), +- lseg == NULL ? "not found" : "found", ++ IS_ERR_OR_NULL(lseg) ? "not found" : "found", + iomode==IOMODE_RW ? "read/write" : "read-only", + (unsigned long long)pos, + (unsigned long long)count); +@@ -1804,6 +1805,11 @@ pnfs_generic_pg_init_read(struct nfs_pageio_descriptor *pgio, struct nfs_page *r + rd_size, + IOMODE_READ, + GFP_KERNEL); ++ if (IS_ERR(pgio->pg_lseg)) { ++ pgio->pg_error = PTR_ERR(pgio->pg_lseg); ++ pgio->pg_lseg = NULL; ++ return; ++ } + } + /* If no lseg, fall back to read through mds */ + if (pgio->pg_lseg == NULL) +@@ -1816,13 +1822,19 @@ void + pnfs_generic_pg_init_write(struct nfs_pageio_descriptor *pgio, + struct nfs_page *req, u64 wb_size) + { +- if (pgio->pg_lseg == NULL) ++ if (pgio->pg_lseg == NULL) { + pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode, + req->wb_context, + req_offset(req), + wb_size, + IOMODE_RW, + GFP_NOFS); ++ if (IS_ERR(pgio->pg_lseg)) { ++ pgio->pg_error = PTR_ERR(pgio->pg_lseg); ++ pgio->pg_lseg = NULL; ++ return; ++ } ++ } + /* If no lseg, fall back to write through mds */ + if (pgio->pg_lseg == NULL) + nfs_pageio_reset_write_mds(pgio); +diff --git a/fs/nfs/read.c b/fs/nfs/read.c +index 0a5e33f33b5c..0bb580174cb3 100644 +--- a/fs/nfs/read.c ++++ b/fs/nfs/read.c +@@ -115,7 +115,7 @@ int nfs_readpage_async(struct nfs_open_context *ctx, struct inode *inode, + pgm = &pgio.pg_mirrors[0]; + NFS_I(inode)->read_io += pgm->pg_bytes_written; + +- return 0; ++ return pgio.pg_error < 0 ? pgio.pg_error : 0; + } + + static void nfs_readpage_release(struct nfs_page *req) +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 412fcfbc50e2..9b42139a479b 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1877,6 +1877,11 @@ static int nfs_parse_devname(const char *dev_name, + size_t len; + char *end; + ++ if (unlikely(!dev_name || !*dev_name)) { ++ dfprintk(MOUNT, "NFS: device name not specified\n"); ++ return -EINVAL; ++ } ++ + /* Is the host name protected with square brakcets? */ + if (*dev_name == '[') { + end = strchr(++dev_name, ']'); +diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c +index 7b755b7f785c..91146f025769 100644 +--- a/fs/nfsd/nfs3proc.c ++++ b/fs/nfsd/nfs3proc.c +@@ -430,8 +430,19 @@ nfsd3_proc_readdir(struct svc_rqst *rqstp, struct nfsd3_readdirargs *argp, + &resp->common, nfs3svc_encode_entry); + memcpy(resp->verf, argp->verf, 8); + resp->count = resp->buffer - argp->buffer; +- if (resp->offset) +- xdr_encode_hyper(resp->offset, argp->cookie); ++ if (resp->offset) { ++ loff_t offset = argp->cookie; ++ ++ if (unlikely(resp->offset1)) { ++ /* we ended up with offset on a page boundary */ ++ *resp->offset = htonl(offset >> 32); ++ *resp->offset1 = htonl(offset & 0xffffffff); ++ resp->offset1 = NULL; ++ } else { ++ xdr_encode_hyper(resp->offset, offset); ++ } ++ resp->offset = NULL; ++ } + + RETURN_STATUS(nfserr); + } +@@ -499,6 +510,7 @@ nfsd3_proc_readdirplus(struct svc_rqst *rqstp, struct nfsd3_readdirargs *argp, + } else { + xdr_encode_hyper(resp->offset, offset); + } ++ resp->offset = NULL; + } + + RETURN_STATUS(nfserr); +diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c +index 7162ab7bc093..d4fa7fbc37dc 100644 +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -898,6 +898,7 @@ encode_entry(struct readdir_cd *ccd, const char *name, int namlen, + } else { + xdr_encode_hyper(cd->offset, offset64); + } ++ cd->offset = NULL; + } + + /* +diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c +index 03c7a4e7b6ba..0cd57db5c5af 100644 +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1106,7 +1106,7 @@ static ssize_t write_v4_end_grace(struct file *file, char *buf, size_t size) + case 'Y': + case 'y': + case '1': +- if (nn->nfsd_serv) ++ if (!nn->nfsd_serv) + return -EBUSY; + nfsd4_end_grace(nn); + break; +diff --git a/include/keys/user-type.h b/include/keys/user-type.h +index c56fef40f53e..5d744ec8f644 100644 +--- a/include/keys/user-type.h ++++ b/include/keys/user-type.h +@@ -31,7 +31,7 @@ + struct user_key_payload { + struct rcu_head rcu; /* RCU destructor */ + unsigned short datalen; /* length of this data */ +- char data[0]; /* actual data */ ++ char data[0] __aligned(__alignof__(u64)); /* actual data */ + }; + + extern struct key_type key_type_user; +diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h +index 899ab9f8549e..82621fa441f3 100644 +--- a/include/linux/device-mapper.h ++++ b/include/linux/device-mapper.h +@@ -593,7 +593,7 @@ extern struct ratelimit_state dm_ratelimit_state; + */ + #define dm_target_offset(ti, sector) ((sector) - (ti)->begin) + +-static inline sector_t to_sector(unsigned long n) ++static inline sector_t to_sector(unsigned long long n) + { + return (n >> SECTOR_SHIFT); + } +diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h +index 86316f90ea1e..cd856b7a11f5 100644 +--- a/include/net/gro_cells.h ++++ b/include/net/gro_cells.h +@@ -19,22 +19,30 @@ static inline void gro_cells_receive(struct gro_cells *gcells, struct sk_buff *s + struct gro_cell *cell; + struct net_device *dev = skb->dev; + ++ rcu_read_lock(); ++ if (unlikely(!(dev->flags & IFF_UP))) ++ goto drop; ++ + if (!gcells->cells || skb_cloned(skb) || !(dev->features & NETIF_F_GRO)) { + netif_rx(skb); +- return; ++ goto unlock; + } + + cell = this_cpu_ptr(gcells->cells); + + if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) { ++drop: + atomic_long_inc(&dev->rx_dropped); + kfree_skb(skb); +- return; ++ goto unlock; + } + + __skb_queue_tail(&cell->napi_skbs, skb); + if (skb_queue_len(&cell->napi_skbs) == 1) + napi_schedule(&cell->napi); ++ ++unlock: ++ rcu_read_unlock(); + } + + /* called under BH context */ +diff --git a/include/net/icmp.h b/include/net/icmp.h +index 970028e13382..06ceb483475d 100644 +--- a/include/net/icmp.h ++++ b/include/net/icmp.h +@@ -22,6 +22,7 @@ + + #include + #include ++#include + + struct icmp_err { + int errno; +@@ -39,7 +40,13 @@ struct net_proto_family; + struct sk_buff; + struct net; + +-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info); ++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, ++ const struct ip_options *opt); ++static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) ++{ ++ __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt); ++} ++ + int icmp_rcv(struct sk_buff *skb); + void icmp_err(struct sk_buff *skb, u32 info); + int icmp_init(void); +diff --git a/include/net/ip.h b/include/net/ip.h +index 7b968927477d..e2320f9e4d3e 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -546,6 +546,8 @@ static inline int ip_options_echo(struct ip_options *dopt, struct sk_buff *skb) + } + + void ip_options_fragment(struct sk_buff *skb); ++int __ip_options_compile(struct net *net, struct ip_options *opt, ++ struct sk_buff *skb, __be32 *info); + int ip_options_compile(struct net *net, struct ip_options *opt, + struct sk_buff *skb); + int ip_options_get(struct net *net, struct ip_options_rcu **optp, +diff --git a/include/net/phonet/pep.h b/include/net/phonet/pep.h +index b669fe6dbc3b..98f31c7ea23d 100644 +--- a/include/net/phonet/pep.h ++++ b/include/net/phonet/pep.h +@@ -63,10 +63,11 @@ struct pnpipehdr { + u8 state_after_reset; /* reset request */ + u8 error_code; /* any response */ + u8 pep_type; /* status indication */ +- u8 data[1]; ++ u8 data0; /* anything else */ + }; ++ u8 data[]; + }; +-#define other_pep_type data[1] ++#define other_pep_type data[0] + + static inline struct pnpipehdr *pnp_hdr(struct sk_buff *skb) + { +diff --git a/kernel/futex.c b/kernel/futex.c +index a26d217c99fe..0c92c8d34ffa 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -2923,10 +2923,13 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, + */ + WARN_ON(!q.pi_state); + pi_mutex = &q.pi_state->pi_mutex; +- ret = rt_mutex_finish_proxy_lock(pi_mutex, to, &rt_waiter); +- debug_rt_mutex_free_waiter(&rt_waiter); ++ ret = rt_mutex_wait_proxy_lock(pi_mutex, to, &rt_waiter); + + spin_lock(q.lock_ptr); ++ if (ret && !rt_mutex_cleanup_proxy_lock(pi_mutex, &rt_waiter)) ++ ret = 0; ++ ++ debug_rt_mutex_free_waiter(&rt_waiter); + /* + * Fixup the pi_state owner and possibly acquire the lock if we + * haven't already. +diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c +index b066724d7a5b..dd173df9ee5e 100644 +--- a/kernel/locking/rtmutex.c ++++ b/kernel/locking/rtmutex.c +@@ -1712,21 +1712,23 @@ struct task_struct *rt_mutex_next_owner(struct rt_mutex *lock) + } + + /** +- * rt_mutex_finish_proxy_lock() - Complete lock acquisition ++ * rt_mutex_wait_proxy_lock() - Wait for lock acquisition + * @lock: the rt_mutex we were woken on + * @to: the timeout, null if none. hrtimer should already have + * been started. + * @waiter: the pre-initialized rt_mutex_waiter + * +- * Complete the lock acquisition started our behalf by another thread. ++ * Wait for the the lock acquisition started on our behalf by ++ * rt_mutex_start_proxy_lock(). Upon failure, the caller must call ++ * rt_mutex_cleanup_proxy_lock(). + * + * Returns: + * 0 - success + * <0 - error, one of -EINTR, -ETIMEDOUT + * +- * Special API call for PI-futex requeue support ++ * Special API call for PI-futex support + */ +-int rt_mutex_finish_proxy_lock(struct rt_mutex *lock, ++int rt_mutex_wait_proxy_lock(struct rt_mutex *lock, + struct hrtimer_sleeper *to, + struct rt_mutex_waiter *waiter) + { +@@ -1739,9 +1741,6 @@ int rt_mutex_finish_proxy_lock(struct rt_mutex *lock, + /* sleep on the mutex */ + ret = __rt_mutex_slowlock(lock, TASK_INTERRUPTIBLE, to, waiter); + +- if (unlikely(ret)) +- remove_waiter(lock, waiter); +- + /* + * try_to_take_rt_mutex() sets the waiter bit unconditionally. We might + * have to fix that up. +@@ -1752,3 +1751,42 @@ int rt_mutex_finish_proxy_lock(struct rt_mutex *lock, + + return ret; + } ++ ++/** ++ * rt_mutex_cleanup_proxy_lock() - Cleanup failed lock acquisition ++ * @lock: the rt_mutex we were woken on ++ * @waiter: the pre-initialized rt_mutex_waiter ++ * ++ * Attempt to clean up after a failed rt_mutex_wait_proxy_lock(). ++ * ++ * Unless we acquired the lock; we're still enqueued on the wait-list and can ++ * in fact still be granted ownership until we're removed. Therefore we can ++ * find we are in fact the owner and must disregard the ++ * rt_mutex_wait_proxy_lock() failure. ++ * ++ * Returns: ++ * true - did the cleanup, we done. ++ * false - we acquired the lock after rt_mutex_wait_proxy_lock() returned, ++ * caller should disregards its return value. ++ * ++ * Special API call for PI-futex support ++ */ ++bool rt_mutex_cleanup_proxy_lock(struct rt_mutex *lock, ++ struct rt_mutex_waiter *waiter) ++{ ++ bool cleanup = false; ++ ++ raw_spin_lock_irq(&lock->wait_lock); ++ /* ++ * Unless we're the owner; we're still enqueued on the wait_list. ++ * So check if we became owner, if not, take us off the wait_list. ++ */ ++ if (rt_mutex_owner(lock) != current) { ++ remove_waiter(lock, waiter); ++ fixup_rt_mutex_waiters(lock); ++ cleanup = true; ++ } ++ raw_spin_unlock_irq(&lock->wait_lock); ++ ++ return cleanup; ++} +diff --git a/kernel/locking/rtmutex_common.h b/kernel/locking/rtmutex_common.h +index e317e1cbb3eb..6f8f68edb700 100644 +--- a/kernel/locking/rtmutex_common.h ++++ b/kernel/locking/rtmutex_common.h +@@ -106,9 +106,11 @@ extern void rt_mutex_proxy_unlock(struct rt_mutex *lock, + extern int rt_mutex_start_proxy_lock(struct rt_mutex *lock, + struct rt_mutex_waiter *waiter, + struct task_struct *task); +-extern int rt_mutex_finish_proxy_lock(struct rt_mutex *lock, +- struct hrtimer_sleeper *to, +- struct rt_mutex_waiter *waiter); ++extern int rt_mutex_wait_proxy_lock(struct rt_mutex *lock, ++ struct hrtimer_sleeper *to, ++ struct rt_mutex_waiter *waiter); ++extern bool rt_mutex_cleanup_proxy_lock(struct rt_mutex *lock, ++ struct rt_mutex_waiter *waiter); + extern int rt_mutex_timed_futex_lock(struct rt_mutex *l, struct hrtimer_sleeper *to); + extern bool rt_mutex_futex_unlock(struct rt_mutex *lock, + struct wake_q_head *wqh); +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index 4e886ccd40db..082aedefe29c 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -1611,15 +1611,23 @@ static int rcu_future_gp_cleanup(struct rcu_state *rsp, struct rcu_node *rnp) + } + + /* +- * Awaken the grace-period kthread for the specified flavor of RCU. +- * Don't do a self-awaken, and don't bother awakening when there is +- * nothing for the grace-period kthread to do (as in several CPUs +- * raced to awaken, and we lost), and finally don't try to awaken +- * a kthread that has not yet been created. ++ * Awaken the grace-period kthread. Don't do a self-awaken (unless in ++ * an interrupt or softirq handler), and don't bother awakening when there ++ * is nothing for the grace-period kthread to do (as in several CPUs raced ++ * to awaken, and we lost), and finally don't try to awaken a kthread that ++ * has not yet been created. If all those checks are passed, track some ++ * debug information and awaken. ++ * ++ * So why do the self-wakeup when in an interrupt or softirq handler ++ * in the grace-period kthread's context? Because the kthread might have ++ * been interrupted just as it was going to sleep, and just after the final ++ * pre-sleep check of the awaken condition. In this case, a wakeup really ++ * is required, and is therefore supplied. + */ + static void rcu_gp_kthread_wake(struct rcu_state *rsp) + { +- if (current == rsp->gp_kthread || ++ if ((current == rsp->gp_kthread && ++ !in_interrupt() && !in_serving_softirq()) || + !READ_ONCE(rsp->gp_flags) || + !rsp->gp_kthread) + return; +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 7e832f9a8f42..beadcf83ceba 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -2306,7 +2306,16 @@ static int do_proc_dointvec_minmax_conv(bool *negp, unsigned long *lvalp, + { + struct do_proc_dointvec_minmax_conv_param *param = data; + if (write) { +- int val = *negp ? -*lvalp : *lvalp; ++ int val; ++ if (*negp) { ++ if (*lvalp > (unsigned long) INT_MAX + 1) ++ return -EINVAL; ++ val = -*lvalp; ++ } else { ++ if (*lvalp > (unsigned long) INT_MAX) ++ return -EINVAL; ++ val = *lvalp; ++ } + if ((param->min && *param->min > val) || + (param->max && *param->max < val)) + return -EINVAL; +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 1a47a64d623f..8c097de8a596 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -4646,7 +4646,6 @@ out: + return ret; + + fail: +- kfree(iter->trace); + kfree(iter); + __trace_array_put(tr); + mutex_unlock(&trace_types_lock); +diff --git a/lib/assoc_array.c b/lib/assoc_array.c +index 5cd093589c5a..3b46c5433b7a 100644 +--- a/lib/assoc_array.c ++++ b/lib/assoc_array.c +@@ -781,9 +781,11 @@ all_leaves_cluster_together: + new_s0->index_key[i] = + ops->get_key_chunk(index_key, i * ASSOC_ARRAY_KEY_CHUNK_SIZE); + +- blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK); +- pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank); +- new_s0->index_key[keylen - 1] &= ~blank; ++ if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) { ++ blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK); ++ pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank); ++ new_s0->index_key[keylen - 1] &= ~blank; ++ } + + /* This now reduces to a node splitting exercise for which we'll need + * to regenerate the disparity table. +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index f1a45f5077fe..324b2953e57e 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3472,7 +3472,6 @@ retry_avoidcopy: + copy_user_huge_page(new_page, old_page, address, vma, + pages_per_huge_page(h)); + __SetPageUptodate(new_page); +- set_page_huge_active(new_page); + + mmun_start = address & huge_page_mask(h); + mmun_end = mmun_start + huge_page_size(h); +@@ -3494,6 +3493,7 @@ retry_avoidcopy: + make_huge_pte(vma, new_page, 1)); + page_remove_rmap(old_page); + hugepage_add_new_anon_rmap(new_page, vma, address); ++ set_page_huge_active(new_page); + /* Make the old page be freed below */ + new_page = old_page; + } +@@ -3575,6 +3575,7 @@ static int hugetlb_no_page(struct mm_struct *mm, struct vm_area_struct *vma, + struct page *page; + pte_t new_pte; + spinlock_t *ptl; ++ bool new_page = false; + + /* + * Currently, we are forced to kill the process in the event the +@@ -3608,7 +3609,7 @@ retry: + } + clear_huge_page(page, address, pages_per_huge_page(h)); + __SetPageUptodate(page); +- set_page_huge_active(page); ++ new_page = true; + + if (vma->vm_flags & VM_MAYSHARE) { + int err = huge_add_to_page_cache(page, mapping, idx); +@@ -3680,6 +3681,15 @@ retry: + } + + spin_unlock(ptl); ++ ++ /* ++ * Only make newly allocated pages active. Existing pages found ++ * in the pagecache could be !page_huge_active() if they have been ++ * isolated for migration. ++ */ ++ if (new_page) ++ set_page_huge_active(page); ++ + unlock_page(page); + out: + return ret; +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index 0addef5f8aa3..804cbfe9132d 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1358,7 +1358,8 @@ static struct page *next_active_pageblock(struct page *page) + int is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages) + { + struct page *page = pfn_to_page(start_pfn); +- struct page *end_page = page + nr_pages; ++ unsigned long end_pfn = min(start_pfn + nr_pages, zone_end_pfn(page_zone(page))); ++ struct page *end_page = pfn_to_page(end_pfn); + + /* Check the starting page of each pageblock within the range */ + for (; page < end_page; page = next_active_pageblock(page)) { +@@ -1398,6 +1399,9 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn, + i++; + if (i == MAX_ORDER_NR_PAGES) + continue; ++ /* Check if we got outside of the zone */ ++ if (zone && !zone_spans_pfn(zone, pfn + i)) ++ return 0; + page = pfn_to_page(pfn + i); + if (zone && page_zone(page) != zone) + return 0; +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 44134ba6fb53..5418ab0c5e2c 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1295,7 +1295,7 @@ static int copy_nodes_to_user(unsigned long __user *mask, unsigned long maxnode, + nodemask_t *nodes) + { + unsigned long copy = ALIGN(maxnode-1, 64) / 8; +- const int nbytes = BITS_TO_LONGS(MAX_NUMNODES) * sizeof(long); ++ unsigned int nbytes = BITS_TO_LONGS(nr_node_ids) * sizeof(long); + + if (copy > nbytes) { + if (copy > PAGE_SIZE) +@@ -1456,7 +1456,7 @@ SYSCALL_DEFINE5(get_mempolicy, int __user *, policy, + int uninitialized_var(pval); + nodemask_t nodes; + +- if (nmask != NULL && maxnode < MAX_NUMNODES) ++ if (nmask != NULL && maxnode < nr_node_ids) + return -EINVAL; + + err = do_get_mempolicy(&pval, &nodes, addr, flags); +@@ -1485,7 +1485,7 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, int __user *, policy, + unsigned long nr_bits, alloc_size; + DECLARE_BITMAP(bm, MAX_NUMNODES); + +- nr_bits = min_t(unsigned long, maxnode-1, MAX_NUMNODES); ++ nr_bits = min_t(unsigned long, maxnode-1, nr_node_ids); + alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8; + + if (nmask) +diff --git a/mm/migrate.c b/mm/migrate.c +index ce88dff1da98..73da75d5e5b2 100644 +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -1056,6 +1056,16 @@ static int unmap_and_move_huge_page(new_page_t get_new_page, + lock_page(hpage); + } + ++ /* ++ * Check for pages which are in the process of being freed. Without ++ * page_mapping() set, hugetlbfs specific move page routine will not ++ * be called and we could leak usage counts for subpools. ++ */ ++ if (page_private(hpage) && !page_mapping(hpage)) { ++ rc = -EBUSY; ++ goto out_unlock; ++ } ++ + if (PageAnon(hpage)) + anon_vma = page_get_anon_vma(hpage); + +@@ -1086,6 +1096,7 @@ put_anon: + put_new_page = NULL; + } + ++out_unlock: + unlock_page(hpage); + out: + if (rc != -EAGAIN) +diff --git a/mm/mmap.c b/mm/mmap.c +index 3074dbcd9621..baa4c1280bff 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2294,12 +2294,11 @@ int expand_downwards(struct vm_area_struct *vma, + struct mm_struct *mm = vma->vm_mm; + struct vm_area_struct *prev; + unsigned long gap_addr; +- int error; ++ int error = 0; + + address &= PAGE_MASK; +- error = security_mmap_addr(address); +- if (error) +- return error; ++ if (address < mmap_min_addr) ++ return -EPERM; + + /* Enforce stack_guard_gap */ + gap_addr = address - stack_guard_gap; +diff --git a/mm/shmem.c b/mm/shmem.c +index d902b413941a..f11aec40f2e1 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2293,16 +2293,20 @@ static int shmem_create(struct inode *dir, struct dentry *dentry, umode_t mode, + static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry) + { + struct inode *inode = d_inode(old_dentry); +- int ret; ++ int ret = 0; + + /* + * No ordinary (disk based) filesystem counts links as inodes; + * but each new link needs a new dentry, pinning lowmem, and + * tmpfs dentries cannot be pruned until they are unlinked. ++ * But if an O_TMPFILE file is linked into the tmpfs, the ++ * first link must skip that, to get the accounting right. + */ +- ret = shmem_reserve_inode(inode->i_sb); +- if (ret) +- goto out; ++ if (inode->i_nlink) { ++ ret = shmem_reserve_inode(inode->i_sb); ++ if (ret) ++ goto out; ++ } + + dir->i_size += BOGO_DIRENT_SIZE; + inode->i_ctime = dir->i_ctime = dir->i_mtime = CURRENT_TIME; +diff --git a/mm/vmalloc.c b/mm/vmalloc.c +index de8e372ece04..400e580725da 100644 +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -2162,7 +2162,7 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr, + if (!(area->flags & VM_USERMAP)) + return -EINVAL; + +- if (kaddr + size > area->addr + area->size) ++ if (kaddr + size > area->addr + get_vm_area_size(area)) + return -EINVAL; + + do { +diff --git a/net/9p/client.c b/net/9p/client.c +index 8fba9cd973c1..443db202db09 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -1058,7 +1058,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) + p9_debug(P9_DEBUG_ERROR, + "Please specify a msize of at least 4k\n"); + err = -EINVAL; +- goto free_client; ++ goto close_trans; + } + + err = p9_client_version(clnt); +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index 5aeb585571ed..4812123e0a2c 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -215,6 +215,8 @@ static int batadv_interface_tx(struct sk_buff *skb, + + switch (ntohs(ethhdr->h_proto)) { + case ETH_P_8021Q: ++ if (!pskb_may_pull(skb, sizeof(*vhdr))) ++ goto dropped; + vhdr = vlan_eth_hdr(skb); + + if (vhdr->h_vlan_encapsulated_proto != ethertype) { +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 270d9c9a5331..d80c15d028fe 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1261,14 +1261,7 @@ static void br_multicast_query_received(struct net_bridge *br, + return; + + br_multicast_update_query_timer(br, query, max_delay); +- +- /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules, +- * the arrival port for IGMP Queries where the source address +- * is 0.0.0.0 should not be added to router port list. +- */ +- if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) || +- saddr->proto == htons(ETH_P_IPV6)) +- br_multicast_mark_router(br, port); ++ br_multicast_mark_router(br, port); + } + + static int br_ip4_multicast_query(struct net_bridge *br, +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 8b8a43fda6ca..f13402d407e4 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1528,6 +1528,8 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) + if (copy_from_user(&tmp, user, sizeof(tmp))) + return -EFAULT; + ++ tmp.name[sizeof(tmp.name) - 1] = '\0'; ++ + t = find_table_lock(net, tmp.name, &ret, &ebt_mutex); + if (!t) + return ret; +@@ -2368,6 +2370,8 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd, + if (copy_from_user(&tmp, user, sizeof(tmp))) + return -EFAULT; + ++ tmp.name[sizeof(tmp.name) - 1] = '\0'; ++ + t = find_table_lock(net, tmp.name, &ret, &ebt_mutex); + if (!t) + return ret; +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index 3e6897efe1eb..3ed2796d008b 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -2049,15 +2049,19 @@ static int process_connect(struct ceph_connection *con) + dout("process_connect on %p tag %d\n", con, (int)con->in_tag); + + if (con->auth_reply_buf) { ++ int len = le32_to_cpu(con->in_reply.authorizer_len); ++ + /* + * Any connection that defines ->get_authorizer() + * should also define ->verify_authorizer_reply(). + * See get_connect_authorizer(). + */ +- ret = con->ops->verify_authorizer_reply(con, 0); +- if (ret < 0) { +- con->error_msg = "bad authorize reply"; +- return ret; ++ if (len) { ++ ret = con->ops->verify_authorizer_reply(con, 0); ++ if (ret < 0) { ++ con->error_msg = "bad authorize reply"; ++ return ret; ++ } + } + } + +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c +index f88a62ab019d..579d351f6ddd 100644 +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -1361,6 +1361,9 @@ static int register_queue_kobjects(struct net_device *dev) + error: + netdev_queue_update_kobjects(dev, txq, 0); + net_rx_queue_update_kobjects(dev, rxq, 0); ++#ifdef CONFIG_SYSFS ++ kset_unregister(dev->queues_kset); ++#endif + return error; + } + +diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c +index c7d1adca30d8..943378d6e4c3 100644 +--- a/net/hsr/hsr_device.c ++++ b/net/hsr/hsr_device.c +@@ -93,9 +93,8 @@ static void hsr_check_announce(struct net_device *hsr_dev, + if ((hsr_dev->operstate == IF_OPER_UP) && (old_operstate != IF_OPER_UP)) { + /* Went up */ + hsr->announce_count = 0; +- hsr->announce_timer.expires = jiffies + +- msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL); +- add_timer(&hsr->announce_timer); ++ mod_timer(&hsr->announce_timer, ++ jiffies + msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL)); + } + + if ((hsr_dev->operstate != IF_OPER_UP) && (old_operstate == IF_OPER_UP)) +@@ -323,6 +322,7 @@ static void hsr_announce(unsigned long data) + { + struct hsr_priv *hsr; + struct hsr_port *master; ++ unsigned long interval; + + hsr = (struct hsr_priv *) data; + +@@ -337,14 +337,12 @@ static void hsr_announce(unsigned long data) + } + + if (hsr->announce_count < 3) +- hsr->announce_timer.expires = jiffies + +- msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL); ++ interval = msecs_to_jiffies(HSR_ANNOUNCE_INTERVAL); + else +- hsr->announce_timer.expires = jiffies + +- msecs_to_jiffies(HSR_LIFE_CHECK_INTERVAL); ++ interval = msecs_to_jiffies(HSR_LIFE_CHECK_INTERVAL); + + if (is_admin_up(master->dev)) +- add_timer(&hsr->announce_timer); ++ mod_timer(&hsr->announce_timer, jiffies + interval); + + rcu_read_unlock(); + } +@@ -477,7 +475,7 @@ int hsr_dev_finalize(struct net_device *hsr_dev, struct net_device *slave[2], + + res = hsr_add_port(hsr, hsr_dev, HSR_PT_MASTER); + if (res) +- return res; ++ goto err_add_port; + + res = register_netdevice(hsr_dev); + if (res) +@@ -498,6 +496,8 @@ int hsr_dev_finalize(struct net_device *hsr_dev, struct net_device *slave[2], + fail: + hsr_for_each_port(hsr, port) + hsr_del_port(port); ++err_add_port: ++ hsr_del_node(&hsr->self_node_db); + + return res; + } +diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c +index bace124d14ef..46415839e67e 100644 +--- a/net/hsr/hsr_framereg.c ++++ b/net/hsr/hsr_framereg.c +@@ -124,6 +124,18 @@ int hsr_create_self_node(struct list_head *self_node_db, + return 0; + } + ++void hsr_del_node(struct list_head *self_node_db) ++{ ++ struct hsr_node *node; ++ ++ rcu_read_lock(); ++ node = list_first_or_null_rcu(self_node_db, struct hsr_node, mac_list); ++ rcu_read_unlock(); ++ if (node) { ++ list_del_rcu(&node->mac_list); ++ kfree(node); ++ } ++} + + /* Allocate an hsr_node and add it to node_db. 'addr' is the node's AddressA; + * seq_out is used to initialize filtering of outgoing duplicate frames +diff --git a/net/hsr/hsr_framereg.h b/net/hsr/hsr_framereg.h +index 438b40f98f5a..7a8f4e98f515 100644 +--- a/net/hsr/hsr_framereg.h ++++ b/net/hsr/hsr_framereg.h +@@ -16,6 +16,7 @@ + + struct hsr_node; + ++void hsr_del_node(struct list_head *self_node_db); + struct hsr_node *hsr_add_node(struct list_head *node_db, unsigned char addr[], + u16 seq_out); + struct hsr_node *hsr_get_node(struct list_head *node_db, struct sk_buff *skb, +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index cfaacaa023e6..7fe643062013 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -167,7 +167,8 @@ static int cipso_v4_bitmap_walk(const unsigned char *bitmap, + (state == 0 && (byte & bitmask) == 0)) + return bit_spot; + +- bit_spot++; ++ if (++bit_spot >= bitmap_len) ++ return -1; + bitmask >>= 1; + if (bitmask == 0) { + byte = bitmap[++byte_offset]; +@@ -737,7 +738,8 @@ static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level) + case CIPSO_V4_MAP_PASS: + return 0; + case CIPSO_V4_MAP_TRANS: +- if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL) ++ if ((level < doi_def->map.std->lvl.cipso_size) && ++ (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)) + return 0; + break; + } +@@ -1805,13 +1807,26 @@ validate_return: + */ + void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway) + { ++ unsigned char optbuf[sizeof(struct ip_options) + 40]; ++ struct ip_options *opt = (struct ip_options *)optbuf; ++ + if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES) + return; + ++ /* ++ * We might be called above the IP layer, ++ * so we can not use icmp_send and IPCB here. ++ */ ++ ++ memset(opt, 0, sizeof(struct ip_options)); ++ opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ if (__ip_options_compile(dev_net(skb->dev), opt, skb, NULL)) ++ return; ++ + if (gateway) +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0); ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0, opt); + else +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0); ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0, opt); + } + + /** +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 36e26977c908..d0ec8a997210 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -565,7 +565,8 @@ relookup_failed: + * MUST reply to only the first fragment. + */ + +-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) ++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info, ++ const struct ip_options *opt) + { + struct iphdr *iph; + int room; +@@ -679,7 +680,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info) + iph->tos; + mark = IP4_REPLY_MARK(net, skb_in->mark); + +- if (ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in)) ++ if (__ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in, opt)) + goto out_unlock; + + +@@ -731,7 +732,7 @@ out_free: + kfree(icmp_param); + out:; + } +-EXPORT_SYMBOL(icmp_send); ++EXPORT_SYMBOL(__icmp_send); + + + static void icmp_socket_deliver(struct sk_buff *skb, u32 info) +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 01acb94c4963..6c9158805b57 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -787,7 +787,6 @@ static void inet_child_forget(struct sock *sk, struct request_sock *req, + tcp_sk(child)->fastopen_rsk = NULL; + } + inet_csk_destroy_sock(child); +- reqsk_put(req); + } + + struct sock *inet_csk_reqsk_queue_add(struct sock *sk, +@@ -858,6 +857,7 @@ void inet_csk_listen_stop(struct sock *sk) + sock_hold(child); + + inet_child_forget(sk, req, child); ++ reqsk_put(req); + bh_unlock_sock(child); + local_bh_enable(); + sock_put(child); +diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c +index bd246792360b..d3922a93e4c1 100644 +--- a/net/ipv4/ip_options.c ++++ b/net/ipv4/ip_options.c +@@ -254,8 +254,9 @@ static void spec_dst_fill(__be32 *spec_dst, struct sk_buff *skb) + * If opt == NULL, then skb->data should point to IP header. + */ + +-int ip_options_compile(struct net *net, +- struct ip_options *opt, struct sk_buff *skb) ++int __ip_options_compile(struct net *net, ++ struct ip_options *opt, struct sk_buff *skb, ++ __be32 *info) + { + __be32 spec_dst = htonl(INADDR_ANY); + unsigned char *pp_ptr = NULL; +@@ -472,11 +473,22 @@ eol: + return 0; + + error: +- if (skb) { +- icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)<<24)); +- } ++ if (info) ++ *info = htonl((pp_ptr-iph)<<24); + return -EINVAL; + } ++ ++int ip_options_compile(struct net *net, ++ struct ip_options *opt, struct sk_buff *skb) ++{ ++ int ret; ++ __be32 info; ++ ++ ret = __ip_options_compile(net, opt, skb, &info); ++ if (ret != 0 && skb) ++ icmp_send(skb, ICMP_PARAMETERPROB, 0, info); ++ return ret; ++} + EXPORT_SYMBOL(ip_options_compile); + + /* +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c +index 4b7c81f88abf..fcf327ebd134 100644 +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -75,6 +75,33 @@ drop: + return 0; + } + ++static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi, ++ int encap_type) ++{ ++ struct ip_tunnel *tunnel; ++ const struct iphdr *iph = ip_hdr(skb); ++ struct net *net = dev_net(skb->dev); ++ struct ip_tunnel_net *itn = net_generic(net, vti_net_id); ++ ++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, ++ iph->saddr, iph->daddr, 0); ++ if (tunnel) { ++ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) ++ goto drop; ++ ++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel; ++ ++ skb->dev = tunnel->dev; ++ ++ return xfrm_input(skb, nexthdr, spi, encap_type); ++ } ++ ++ return -EINVAL; ++drop: ++ kfree_skb(skb); ++ return 0; ++} ++ + static int vti_rcv(struct sk_buff *skb) + { + XFRM_SPI_SKB_CB(skb)->family = AF_INET; +@@ -83,6 +110,14 @@ static int vti_rcv(struct sk_buff *skb) + return vti_input(skb, ip_hdr(skb)->protocol, 0, 0); + } + ++static int vti_rcv_ipip(struct sk_buff *skb) ++{ ++ XFRM_SPI_SKB_CB(skb)->family = AF_INET; ++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); ++ ++ return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0); ++} ++ + static int vti_rcv_cb(struct sk_buff *skb, int err) + { + unsigned short family; +@@ -409,6 +444,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = { + .priority = 100, + }; + ++static struct xfrm_tunnel ipip_handler __read_mostly = { ++ .handler = vti_rcv_ipip, ++ .err_handler = vti4_err, ++ .priority = 0, ++}; ++ + static int __net_init vti_init_net(struct net *net) + { + int err; +@@ -592,6 +633,13 @@ static int __init vti_init(void) + if (err < 0) + goto xfrm_proto_comp_failed; + ++ msg = "ipip tunnel"; ++ err = xfrm4_tunnel_register(&ipip_handler, AF_INET); ++ if (err < 0) { ++ pr_info("%s: cant't register tunnel\n",__func__); ++ goto xfrm_tunnel_failed; ++ } ++ + msg = "netlink interface"; + err = rtnl_link_register(&vti_link_ops); + if (err < 0) +@@ -601,6 +649,8 @@ static int __init vti_init(void) + + rtnl_link_failed: + xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); ++xfrm_tunnel_failed: ++ xfrm4_tunnel_deregister(&ipip_handler, AF_INET); + xfrm_proto_comp_failed: + xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); + xfrm_proto_ah_failed: +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index f51b32ed353c..cbe630aab44a 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -983,6 +983,7 @@ static int get_entries(struct net *net, struct arpt_get_entries __user *uptr, + sizeof(struct arpt_get_entries) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + t = xt_find_table_lock(net, NFPROTO_ARP, get.name); + if (!IS_ERR_OR_NULL(t)) { +@@ -1557,6 +1558,7 @@ static int compat_get_entries(struct net *net, + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + xt_compat_lock(NFPROTO_ARP); + t = xt_find_table_lock(net, NFPROTO_ARP, get.name); +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 8adb6e9ba8f5..53d664a7774c 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1171,6 +1171,7 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr, + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + t = xt_find_table_lock(net, AF_INET, get.name); + if (!IS_ERR_OR_NULL(t)) { +@@ -1799,6 +1800,7 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr, + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + xt_compat_lock(AF_INET); + t = xt_find_table_lock(net, AF_INET, get.name); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 80ce6b0672d2..97bf6c785767 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1604,6 +1604,10 @@ static void ip_del_fnhe(struct fib_nh *nh, __be32 daddr) + if (fnhe->fnhe_daddr == daddr) { + rcu_assign_pointer(*fnhe_p, rcu_dereference_protected( + fnhe->fnhe_next, lockdep_is_held(&fnhe_lock))); ++ /* set fnhe_daddr to 0 to ensure it won't bind with ++ * new dsts in rt_bind_exception(). ++ */ ++ fnhe->fnhe_daddr = 0; + fnhe_flush_routes(fnhe); + kfree_rcu(fnhe, rcu); + break; +diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c +index c22a74374a9c..f3d3ac5c23d5 100644 +--- a/net/ipv4/syncookies.c ++++ b/net/ipv4/syncookies.c +@@ -228,7 +228,12 @@ struct sock *tcp_get_cookie_sock(struct sock *sk, struct sk_buff *skb, + if (child) { + atomic_set(&req->rsk_refcnt, 1); + sock_rps_save_rxhash(child, skb); +- inet_csk_reqsk_queue_add(sk, req, child); ++ if (!inet_csk_reqsk_queue_add(sk, req, child)) { ++ bh_unlock_sock(child); ++ sock_put(child); ++ child = NULL; ++ reqsk_put(req); ++ } + } else { + reqsk_free(req); + } +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 1aff93d76f24..561f568e8938 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -6409,7 +6409,13 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, + af_ops->send_synack(fastopen_sk, dst, &fl, req, + &foc, false); + /* Add the child socket directly into the accept queue */ +- inet_csk_reqsk_queue_add(sk, req, fastopen_sk); ++ if (!inet_csk_reqsk_queue_add(sk, req, fastopen_sk)) { ++ reqsk_fastopen_remove(fastopen_sk, req, false); ++ bh_unlock_sock(fastopen_sk); ++ sock_put(fastopen_sk); ++ reqsk_put(req); ++ goto drop; ++ } + sk->sk_data_ready(sk); + bh_unlock_sock(fastopen_sk); + sock_put(fastopen_sk); +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 6f929689fd03..0924f93a0aff 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1463,7 +1463,7 @@ static void udp_v4_rehash(struct sock *sk) + udp_lib_rehash(sk, new_hash); + } + +-static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) ++int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) + { + int rc; + +diff --git a/net/ipv4/udp_impl.h b/net/ipv4/udp_impl.h +index 7e0fe4bdd967..feb50a16398d 100644 +--- a/net/ipv4/udp_impl.h ++++ b/net/ipv4/udp_impl.h +@@ -25,7 +25,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, + int flags, int *addr_len); + int udp_sendpage(struct sock *sk, struct page *page, int offset, size_t size, + int flags); +-int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); ++int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); + void udp_destroy_sock(struct sock *sk); + + #ifdef CONFIG_PROC_FS +diff --git a/net/ipv4/udplite.c b/net/ipv4/udplite.c +index 3b3efbda48e1..78766b32b78b 100644 +--- a/net/ipv4/udplite.c ++++ b/net/ipv4/udplite.c +@@ -50,7 +50,7 @@ struct proto udplite_prot = { + .sendmsg = udp_sendmsg, + .recvmsg = udp_recvmsg, + .sendpage = udp_sendpage, +- .backlog_rcv = udp_queue_rcv_skb, ++ .backlog_rcv = __udp_queue_rcv_skb, + .hash = udp_lib_hash, + .unhash = udp_lib_unhash, + .get_port = udp_v4_get_port, +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 74b3e9718e84..e348a140e540 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -1990,10 +1990,10 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg) + + static inline int ip6mr_forward2_finish(struct net *net, struct sock *sk, struct sk_buff *skb) + { +- IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), +- IPSTATS_MIB_OUTFORWDATAGRAMS); +- IP6_ADD_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), +- IPSTATS_MIB_OUTOCTETS, skb->len); ++ IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), ++ IPSTATS_MIB_OUTFORWDATAGRAMS); ++ IP6_ADD_STATS(net, ip6_dst_idev(skb_dst(skb)), ++ IPSTATS_MIB_OUTOCTETS, skb->len); + return dst_output(net, sk, skb); + } + +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 96de322fe5e2..f563cf3fcc4c 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1182,6 +1182,7 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr, + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + t = xt_find_table_lock(net, AF_INET6, get.name); + if (!IS_ERR_OR_NULL(t)) { +@@ -1800,6 +1801,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr, + *len, sizeof(get) + get.size); + return -EINVAL; + } ++ get.name[sizeof(get.name) - 1] = '\0'; + + xt_compat_lock(AF_INET6); + t = xt_find_table_lock(net, AF_INET6, get.name); +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 1cb8954885ec..fffd2ad28942 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3095,7 +3095,7 @@ static int rt6_fill_node(struct net *net, + table = rt->rt6i_table->tb6_id; + else + table = RT6_TABLE_UNSPEC; +- rtm->rtm_table = table; ++ rtm->rtm_table = table < 256 ? table : RT_TABLE_COMPAT; + if (nla_put_u32(skb, RTA_TABLE, table)) + goto nla_put_failure; + if (rt->rt6i_flags & RTF_REJECT) { +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 11282ffca567..96582ec9c807 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -577,7 +577,7 @@ static int ipip6_err(struct sk_buff *skb, u32 info) + goto out; + + err = 0; +- if (!ipip6_err_gen_icmpv6_unreach(skb)) ++ if (__in6_dev_get(skb->dev) && !ipip6_err_gen_icmpv6_unreach(skb)) + goto out; + + if (t->parms.iph.ttl == 0 && type == ICMP_TIME_EXCEEDED) +@@ -772,8 +772,9 @@ static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst, + pbw0 = tunnel->ip6rd.prefixlen >> 5; + pbi0 = tunnel->ip6rd.prefixlen & 0x1f; + +- d = (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >> +- tunnel->ip6rd.relay_prefixlen; ++ d = tunnel->ip6rd.relay_prefixlen < 32 ? ++ (ntohl(v6dst->s6_addr32[pbw0]) << pbi0) >> ++ tunnel->ip6rd.relay_prefixlen : 0; + + pbi1 = pbi0 - tunnel->ip6rd.relay_prefixlen; + if (pbi1 > 0) +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 6eb1e9293b6f..f4e06748f86b 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -585,7 +585,7 @@ out: + sock_put(sk); + } + +-static int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) ++int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) + { + int rc; + +diff --git a/net/ipv6/udp_impl.h b/net/ipv6/udp_impl.h +index 0682c031ccdc..3c1dbc9f74cf 100644 +--- a/net/ipv6/udp_impl.h ++++ b/net/ipv6/udp_impl.h +@@ -26,7 +26,7 @@ int compat_udpv6_getsockopt(struct sock *sk, int level, int optname, + int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len); + int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, + int flags, int *addr_len); +-int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); ++int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb); + void udpv6_destroy_sock(struct sock *sk); + + void udp_v6_clear_sk(struct sock *sk, int size); +diff --git a/net/ipv6/udplite.c b/net/ipv6/udplite.c +index 9cf097e206e9..d1eaeeaa34d2 100644 +--- a/net/ipv6/udplite.c ++++ b/net/ipv6/udplite.c +@@ -45,7 +45,7 @@ struct proto udplitev6_prot = { + .getsockopt = udpv6_getsockopt, + .sendmsg = udpv6_sendmsg, + .recvmsg = udpv6_recvmsg, +- .backlog_rcv = udpv6_queue_rcv_skb, ++ .backlog_rcv = __udpv6_queue_rcv_skb, + .hash = udp_lib_hash, + .unhash = udp_lib_unhash, + .get_port = udp_v6_get_port, +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index e066111b9398..a88649c5d26c 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -666,9 +666,6 @@ static int l2tp_ip6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + if (flags & MSG_OOB) + goto out; + +- if (addr_len) +- *addr_len = sizeof(*lsa); +- + if (flags & MSG_ERRQUEUE) + return ipv6_recv_error(sk, msg, len, addr_len); + +@@ -698,6 +695,7 @@ static int l2tp_ip6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + lsa->l2tp_conn_id = 0; + if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL) + lsa->l2tp_scope_id = inet6_iif(skb); ++ *addr_len = sizeof(*lsa); + } + + if (np->rxopt.all) +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 67348d8ac35d..7349bf26ae7b 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1228,6 +1228,10 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev, + if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) + sta->sta.tdls = true; + ++ if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION && ++ !sdata->u.mgd.associated) ++ return -EINVAL; ++ + err = sta_apply_parameters(local, sta, params); + if (err) { + sta_info_free(local, sta); +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index acacceec8cd8..833ad779659c 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2340,7 +2340,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) + skb_set_queue_mapping(skb, q); + + if (!--mesh_hdr->ttl) { +- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); ++ if (!is_multicast_ether_addr(hdr->addr1)) ++ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, ++ dropped_frames_ttl); + goto out; + } + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 3167ec76903a..56c62b65923f 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2217,6 +2217,18 @@ static int ip_vs_set_timeout(struct netns_ipvs *ipvs, struct ip_vs_timeout_user + u->tcp_fin_timeout, + u->udp_timeout); + ++#ifdef CONFIG_IP_VS_PROTO_TCP ++ if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) || ++ u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) { ++ return -EINVAL; ++ } ++#endif ++ ++#ifdef CONFIG_IP_VS_PROTO_UDP ++ if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ)) ++ return -EINVAL; ++#endif ++ + #ifdef CONFIG_IP_VS_PROTO_TCP + if (u->tcp_timeout) { + pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP); +diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c +index 278f3b9356ef..7cc1d9c22a9f 100644 +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -410,6 +410,8 @@ static void tcp_options(const struct sk_buff *skb, + length--; + continue; + default: ++ if (length < 2) ++ return; + opsize=*ptr++; + if (opsize < 2) /* "silly options" */ + return; +@@ -470,6 +472,8 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, + length--; + continue; + default: ++ if (length < 2) ++ return; + opsize = *ptr++; + if (opsize < 2) /* "silly options" */ + return; +diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c +index fefbf5f0b28d..088e8da06b00 100644 +--- a/net/netfilter/nfnetlink_acct.c ++++ b/net/netfilter/nfnetlink_acct.c +@@ -243,6 +243,9 @@ nfacct_filter_alloc(const struct nlattr * const attr) + if (err < 0) + return ERR_PTR(err); + ++ if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE]) ++ return ERR_PTR(-EINVAL); ++ + filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL); + if (!filter) + return ERR_PTR(-ENOMEM); +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index 740cce4685ac..85b4f7902b49 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -895,7 +895,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, + goto out_put; + default: + ret = -ENOTSUPP; +- break; ++ goto out_put; + } + } else if (!inst) { + ret = -ENODEV; +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 04f060488686..96277ac37dac 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -419,6 +419,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + sock->service_name, + sock->service_name_len, + &service_name_tlv_length); ++ if (!service_name_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += service_name_tlv_length; + } + +@@ -429,9 +433,17 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, + &miux_tlv_length); ++ if (!miux_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += miux_tlv_length; + + rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length); ++ if (!rw_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += rw_tlv_length; + + pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len); +@@ -486,9 +498,17 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock) + + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0, + &miux_tlv_length); ++ if (!miux_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += miux_tlv_length; + + rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length); ++ if (!rw_tlv) { ++ err = -ENOMEM; ++ goto error_tlv; ++ } + size += rw_tlv_length; + + skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size); +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index 98876274a1ee..c1334b826dd5 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -532,10 +532,10 @@ static u8 nfc_llcp_reserve_sdp_ssap(struct nfc_llcp_local *local) + + static int nfc_llcp_build_gb(struct nfc_llcp_local *local) + { +- u8 *gb_cur, *version_tlv, version, version_length; +- u8 *lto_tlv, lto_length; +- u8 *wks_tlv, wks_length; +- u8 *miux_tlv, miux_length; ++ u8 *gb_cur, version, version_length; ++ u8 lto_length, wks_length, miux_length; ++ u8 *version_tlv = NULL, *lto_tlv = NULL, ++ *wks_tlv = NULL, *miux_tlv = NULL; + __be16 wks = cpu_to_be16(local->local_wks); + u8 gb_len = 0; + int ret = 0; +@@ -543,17 +543,33 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) + version = LLCP_VERSION_11; + version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version, + 1, &version_length); ++ if (!version_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += version_length; + + lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, <o_length); ++ if (!lto_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += lto_length; + + pr_debug("Local wks 0x%lx\n", local->local_wks); + wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length); ++ if (!wks_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += wks_length; + + miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0, + &miux_length); ++ if (!miux_tlv) { ++ ret = -ENOMEM; ++ goto out; ++ } + gb_len += miux_length; + + gb_len += ARRAY_SIZE(llcp_magic); +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 753b2837318d..d517dd7f4ac7 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -4217,7 +4217,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, + rb->frames_per_block = req->tp_block_size / req->tp_frame_size; + if (unlikely(rb->frames_per_block == 0)) + goto out; +- if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) ++ if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr)) + goto out; + if (unlikely((rb->frames_per_block * req->tp_block_nr) != + req->tp_frame_nr)) +diff --git a/net/phonet/pep.c b/net/phonet/pep.c +index 850a86cde0b3..f6aa532bcbf6 100644 +--- a/net/phonet/pep.c ++++ b/net/phonet/pep.c +@@ -131,7 +131,7 @@ static int pep_indicate(struct sock *sk, u8 id, u8 code, + ph->utid = 0; + ph->message_id = id; + ph->pipe_handle = pn->pipe_handle; +- ph->data[0] = code; ++ ph->error_code = code; + return pn_skb_send(sk, skb, NULL); + } + +@@ -152,7 +152,7 @@ static int pipe_handler_request(struct sock *sk, u8 id, u8 code, + ph->utid = id; /* whatever */ + ph->message_id = id; + ph->pipe_handle = pn->pipe_handle; +- ph->data[0] = code; ++ ph->error_code = code; + return pn_skb_send(sk, skb, NULL); + } + +@@ -207,7 +207,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code, + struct pnpipehdr *ph; + struct sockaddr_pn dst; + u8 data[4] = { +- oph->data[0], /* PEP type */ ++ oph->pep_type, /* PEP type */ + code, /* error code, at an unusual offset */ + PAD, PAD, + }; +@@ -220,7 +220,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code, + ph->utid = oph->utid; + ph->message_id = PNS_PEP_CTRL_RESP; + ph->pipe_handle = oph->pipe_handle; +- ph->data[0] = oph->data[1]; /* CTRL id */ ++ ph->data0 = oph->data[0]; /* CTRL id */ + + pn_skb_get_src_sockaddr(oskb, &dst); + return pn_skb_send(sk, skb, &dst); +@@ -271,17 +271,17 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) + return -EINVAL; + + hdr = pnp_hdr(skb); +- if (hdr->data[0] != PN_PEP_TYPE_COMMON) { ++ if (hdr->pep_type != PN_PEP_TYPE_COMMON) { + net_dbg_ratelimited("Phonet unknown PEP type: %u\n", +- (unsigned int)hdr->data[0]); ++ (unsigned int)hdr->pep_type); + return -EOPNOTSUPP; + } + +- switch (hdr->data[1]) { ++ switch (hdr->data[0]) { + case PN_PEP_IND_FLOW_CONTROL: + switch (pn->tx_fc) { + case PN_LEGACY_FLOW_CONTROL: +- switch (hdr->data[4]) { ++ switch (hdr->data[3]) { + case PEP_IND_BUSY: + atomic_set(&pn->tx_credits, 0); + break; +@@ -291,7 +291,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) + } + break; + case PN_ONE_CREDIT_FLOW_CONTROL: +- if (hdr->data[4] == PEP_IND_READY) ++ if (hdr->data[3] == PEP_IND_READY) + atomic_set(&pn->tx_credits, wake = 1); + break; + } +@@ -300,12 +300,12 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) + case PN_PEP_IND_ID_MCFC_GRANT_CREDITS: + if (pn->tx_fc != PN_MULTI_CREDIT_FLOW_CONTROL) + break; +- atomic_add(wake = hdr->data[4], &pn->tx_credits); ++ atomic_add(wake = hdr->data[3], &pn->tx_credits); + break; + + default: + net_dbg_ratelimited("Phonet unknown PEP indication: %u\n", +- (unsigned int)hdr->data[1]); ++ (unsigned int)hdr->data[0]); + return -EOPNOTSUPP; + } + if (wake) +@@ -317,7 +317,7 @@ static int pipe_rcv_created(struct sock *sk, struct sk_buff *skb) + { + struct pep_sock *pn = pep_sk(sk); + struct pnpipehdr *hdr = pnp_hdr(skb); +- u8 n_sb = hdr->data[0]; ++ u8 n_sb = hdr->data0; + + pn->rx_fc = pn->tx_fc = PN_LEGACY_FLOW_CONTROL; + __skb_pull(skb, sizeof(*hdr)); +@@ -505,7 +505,7 @@ static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb) + return -ECONNREFUSED; + + /* Parse sub-blocks */ +- n_sb = hdr->data[4]; ++ n_sb = hdr->data[3]; + while (n_sb > 0) { + u8 type, buf[6], len = sizeof(buf); + const u8 *data = pep_get_sb(skb, &type, &len, buf); +@@ -738,7 +738,7 @@ static int pipe_do_remove(struct sock *sk) + ph->utid = 0; + ph->message_id = PNS_PIPE_REMOVE_REQ; + ph->pipe_handle = pn->pipe_handle; +- ph->data[0] = PAD; ++ ph->data0 = PAD; + return pn_skb_send(sk, skb, NULL); + } + +@@ -815,7 +815,7 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp) + peer_type = hdr->other_pep_type << 8; + + /* Parse sub-blocks (options) */ +- n_sb = hdr->data[4]; ++ n_sb = hdr->data[3]; + while (n_sb > 0) { + u8 type, buf[1], len = sizeof(buf); + const u8 *data = pep_get_sb(skb, &type, &len, buf); +@@ -1106,7 +1106,7 @@ static int pipe_skb_send(struct sock *sk, struct sk_buff *skb) + ph->utid = 0; + if (pn->aligned) { + ph->message_id = PNS_PIPE_ALIGNED_DATA; +- ph->data[0] = 0; /* padding */ ++ ph->data0 = 0; /* padding */ + } else + ph->message_id = PNS_PIPE_DATA; + ph->pipe_handle = pn->pipe_handle; +diff --git a/net/socket.c b/net/socket.c +index 96133777d17c..e5bb73eb36fe 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -470,27 +470,15 @@ static struct socket *sockfd_lookup_light(int fd, int *err, int *fput_needed) + static ssize_t sockfs_getxattr(struct dentry *dentry, + const char *name, void *value, size_t size) + { +- const char *proto_name; +- size_t proto_size; +- int error; +- +- error = -ENODATA; +- if (!strncmp(name, XATTR_NAME_SOCKPROTONAME, XATTR_NAME_SOCKPROTONAME_LEN)) { +- proto_name = dentry->d_name.name; +- proto_size = strlen(proto_name); +- ++ if (!strcmp(name, XATTR_NAME_SOCKPROTONAME)) { + if (value) { +- error = -ERANGE; +- if (proto_size + 1 > size) +- goto out; +- +- strncpy(value, proto_name, proto_size + 1); ++ if (dentry->d_name.len + 1 > size) ++ return -ERANGE; ++ memcpy(value, dentry->d_name.name, dentry->d_name.len + 1); + } +- error = proto_size + 1; ++ return dentry->d_name.len + 1; + } +- +-out: +- return error; ++ return -EOPNOTSUPP; + } + + static ssize_t sockfs_listxattr(struct dentry *dentry, char *buffer, +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index c6b1eec94911..b1a72615fdc3 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -890,7 +890,7 @@ retry: + addr->hash ^= sk->sk_type; + + __unix_remove_socket(sk); +- u->addr = addr; ++ smp_store_release(&u->addr, addr); + __unix_insert_socket(&unix_socket_table[addr->hash], sk); + spin_unlock(&unix_table_lock); + err = 0; +@@ -1060,7 +1060,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + + err = 0; + __unix_remove_socket(sk); +- u->addr = addr; ++ smp_store_release(&u->addr, addr); + __unix_insert_socket(list, sk); + + out_unlock: +@@ -1331,15 +1331,29 @@ restart: + RCU_INIT_POINTER(newsk->sk_wq, &newu->peer_wq); + otheru = unix_sk(other); + +- /* copy address information from listening to new sock*/ +- if (otheru->addr) { +- atomic_inc(&otheru->addr->refcnt); +- newu->addr = otheru->addr; +- } ++ /* copy address information from listening to new sock ++ * ++ * The contents of *(otheru->addr) and otheru->path ++ * are seen fully set up here, since we have found ++ * otheru in hash under unix_table_lock. Insertion ++ * into the hash chain we'd found it in had been done ++ * in an earlier critical area protected by unix_table_lock, ++ * the same one where we'd set *(otheru->addr) contents, ++ * as well as otheru->path and otheru->addr itself. ++ * ++ * Using smp_store_release() here to set newu->addr ++ * is enough to make those stores, as well as stores ++ * to newu->path visible to anyone who gets newu->addr ++ * by smp_load_acquire(). IOW, the same warranties ++ * as for unix_sock instances bound in unix_bind() or ++ * in unix_autobind(). ++ */ + if (otheru->path.dentry) { + path_get(&otheru->path); + newu->path = otheru->path; + } ++ atomic_inc(&otheru->addr->refcnt); ++ smp_store_release(&newu->addr, otheru->addr); + + /* Set credentials */ + copy_peercred(sk, other); +@@ -1452,7 +1466,7 @@ out: + static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int *uaddr_len, int peer) + { + struct sock *sk = sock->sk; +- struct unix_sock *u; ++ struct unix_address *addr; + DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, uaddr); + int err = 0; + +@@ -1467,19 +1481,15 @@ static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int *uaddr_ + sock_hold(sk); + } + +- u = unix_sk(sk); +- unix_state_lock(sk); +- if (!u->addr) { ++ addr = smp_load_acquire(&unix_sk(sk)->addr); ++ if (!addr) { + sunaddr->sun_family = AF_UNIX; + sunaddr->sun_path[0] = 0; + *uaddr_len = sizeof(short); + } else { +- struct unix_address *addr = u->addr; +- + *uaddr_len = addr->len; + memcpy(sunaddr, addr->name, *uaddr_len); + } +- unix_state_unlock(sk); + sock_put(sk); + out: + return err; +@@ -2093,11 +2103,11 @@ static int unix_seqpacket_recvmsg(struct socket *sock, struct msghdr *msg, + + static void unix_copy_addr(struct msghdr *msg, struct sock *sk) + { +- struct unix_sock *u = unix_sk(sk); ++ struct unix_address *addr = smp_load_acquire(&unix_sk(sk)->addr); + +- if (u->addr) { +- msg->msg_namelen = u->addr->len; +- memcpy(msg->msg_name, u->addr->name, u->addr->len); ++ if (addr) { ++ msg->msg_namelen = addr->len; ++ memcpy(msg->msg_name, addr->name, addr->len); + } + } + +@@ -2820,7 +2830,7 @@ static int unix_seq_show(struct seq_file *seq, void *v) + (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTING : SS_DISCONNECTING), + sock_i_ino(s)); + +- if (u->addr) { ++ if (u->addr) { // under unix_table_lock here + int i, len; + seq_putc(seq, ' '); + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index 384c84e83462..3183d9b8ab33 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -10,7 +10,8 @@ + + static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) + { +- struct unix_address *addr = unix_sk(sk)->addr; ++ /* might or might not have unix_table_lock */ ++ struct unix_address *addr = smp_load_acquire(&unix_sk(sk)->addr); + + if (!addr) + return 0; +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 50dffd183cc6..429abf421906 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -780,7 +780,7 @@ static bool reg_does_bw_fit(const struct ieee80211_freq_range *freq_range, + * definitions (the "2.4 GHz band", the "5 GHz band" and the "60GHz band"), + * however it is safe for now to assume that a frequency rule should not be + * part of a frequency's band if the start freq or end freq are off by more +- * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 10 GHz for the ++ * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 20 GHz for the + * 60 GHz band. + * This resolution can be lowered and should be considered as we add + * regulatory rule support for other "bands". +@@ -795,7 +795,7 @@ static bool freq_in_rule_band(const struct ieee80211_freq_range *freq_range, + * with the Channel starting frequency above 45 GHz. + */ + u32 limit = freq_khz > 45 * ONE_GHZ_IN_KHZ ? +- 10 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; ++ 20 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; + if (abs(freq_khz - freq_range->start_freq_khz) <= limit) + return true; + if (abs(freq_khz - freq_range->end_freq_khz) <= limit) +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 8d7b2802d33f..5dca42dbc737 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -678,8 +678,7 @@ static int x25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + struct sockaddr_x25 *addr = (struct sockaddr_x25 *)uaddr; + int len, i, rc = 0; + +- if (!sock_flag(sk, SOCK_ZAPPED) || +- addr_len != sizeof(struct sockaddr_x25) || ++ if (addr_len != sizeof(struct sockaddr_x25) || + addr->sx25_family != AF_X25) { + rc = -EINVAL; + goto out; +@@ -694,9 +693,13 @@ static int x25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + } + + lock_sock(sk); +- x25_sk(sk)->source_addr = addr->sx25_addr; +- x25_insert_socket(sk); +- sock_reset_flag(sk, SOCK_ZAPPED); ++ if (sock_flag(sk, SOCK_ZAPPED)) { ++ x25_sk(sk)->source_addr = addr->sx25_addr; ++ x25_insert_socket(sk); ++ sock_reset_flag(sk, SOCK_ZAPPED); ++ } else { ++ rc = -EINVAL; ++ } + release_sock(sk); + SOCK_DEBUG(sk, "x25_bind: socket is bound\n"); + out: +@@ -812,8 +815,13 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr, + sock->state = SS_CONNECTED; + rc = 0; + out_put_neigh: +- if (rc) ++ if (rc) { ++ read_lock_bh(&x25_list_lock); + x25_neigh_put(x25->neighbour); ++ x25->neighbour = NULL; ++ read_unlock_bh(&x25_list_lock); ++ x25->state = X25_STATE_0; ++ } + out_put_route: + x25_route_put(rt); + out: +diff --git a/security/keys/key.c b/security/keys/key.c +index 4d971bf88ac3..03160f1f1aa2 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -260,8 +260,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, + + spin_lock(&user->lock); + if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) { +- if (user->qnkeys + 1 >= maxkeys || +- user->qnbytes + quotalen >= maxbytes || ++ if (user->qnkeys + 1 > maxkeys || ++ user->qnbytes + quotalen > maxbytes || + user->qnbytes + quotalen < user->qnbytes) + goto no_quota; + } +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index d5264f950ce1..737e60b3d4bd 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -628,9 +628,6 @@ static bool search_nested_keyrings(struct key *keyring, + BUG_ON((ctx->flags & STATE_CHECKS) == 0 || + (ctx->flags & STATE_CHECKS) == STATE_CHECKS); + +- if (ctx->index_key.description) +- ctx->index_key.desc_len = strlen(ctx->index_key.description); +- + /* Check to see if this top-level keyring is what we are looking for + * and whether it is valid or not. + */ +@@ -888,6 +885,7 @@ key_ref_t keyring_search(key_ref_t keyring, + struct keyring_search_context ctx = { + .index_key.type = type, + .index_key.description = description, ++ .index_key.desc_len = strlen(description), + .cred = current_cred(), + .match_data.cmp = key_default_cmp, + .match_data.raw_data = description, +diff --git a/security/keys/proc.c b/security/keys/proc.c +index 036128682463..f2c7e090a66d 100644 +--- a/security/keys/proc.c ++++ b/security/keys/proc.c +@@ -186,9 +186,8 @@ static int proc_keys_show(struct seq_file *m, void *v) + int rc; + + struct keyring_search_context ctx = { +- .index_key.type = key->type, +- .index_key.description = key->description, +- .cred = current_cred(), ++ .index_key = key->index_key, ++ .cred = m->file->f_cred, + .match_data.cmp = lookup_user_key_possessed, + .match_data.raw_data = key, + .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, +@@ -208,11 +207,7 @@ static int proc_keys_show(struct seq_file *m, void *v) + } + } + +- /* check whether the current task is allowed to view the key (assuming +- * non-possession) +- * - the caller holds a spinlock, and thus the RCU read lock, making our +- * access to __current_cred() safe +- */ ++ /* check whether the current task is allowed to view the key */ + rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW); + if (rc < 0) + return 0; +diff --git a/security/keys/request_key.c b/security/keys/request_key.c +index 3ae3acf473c8..88172c163953 100644 +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -544,6 +544,7 @@ struct key *request_key_and_link(struct key_type *type, + struct keyring_search_context ctx = { + .index_key.type = type, + .index_key.description = description, ++ .index_key.desc_len = strlen(description), + .cred = current_cred(), + .match_data.cmp = key_default_cmp, + .match_data.raw_data = description, +diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c +index 217775fcd0f3..8882b729924d 100644 +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -254,7 +254,7 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id) + struct key *authkey; + key_ref_t authkey_ref; + +- sprintf(description, "%x", target_id); ++ ctx.index_key.desc_len = sprintf(description, "%x", target_id); + + authkey_ref = search_process_keyrings(&ctx); + +diff --git a/security/lsm_audit.c b/security/lsm_audit.c +index cccbf3068cdc..331fd3bd0f39 100644 +--- a/security/lsm_audit.c ++++ b/security/lsm_audit.c +@@ -308,6 +308,7 @@ static void dump_common_audit_data(struct audit_buffer *ab, + if (a->u.net->sk) { + struct sock *sk = a->u.net->sk; + struct unix_sock *u; ++ struct unix_address *addr; + int len = 0; + char *p = NULL; + +@@ -338,14 +339,15 @@ static void dump_common_audit_data(struct audit_buffer *ab, + #endif + case AF_UNIX: + u = unix_sk(sk); ++ addr = smp_load_acquire(&u->addr); ++ if (!addr) ++ break; + if (u->path.dentry) { + audit_log_d_path(ab, " path=", &u->path); + break; + } +- if (!u->addr) +- break; +- len = u->addr->len-sizeof(short); +- p = &u->addr->name->sun_path[0]; ++ len = addr->len-sizeof(short); ++ p = &addr->name->sun_path[0]; + audit_log_format(ab, " path="); + if (*p) + audit_log_untrustedstring(ab, p); +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 6163bf3e8177..2272aee12871 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -500,7 +500,8 @@ static int snd_compress_check_input(struct snd_compr_params *params) + { + /* first let's check the buffer parameter's */ + if (params->buffer.fragment_size == 0 || +- params->buffer.fragments > INT_MAX / params->buffer.fragment_size) ++ params->buffer.fragments > INT_MAX / params->buffer.fragment_size || ++ params->buffer.fragments == 0) + return -EINVAL; + + /* now codec parameters */ +diff --git a/sound/firewire/bebob/bebob.c b/sound/firewire/bebob/bebob.c +index 1898fa4228ad..3a0361458597 100644 +--- a/sound/firewire/bebob/bebob.c ++++ b/sound/firewire/bebob/bebob.c +@@ -422,7 +422,19 @@ static const struct ieee1394_device_id bebob_id_table[] = { + /* Focusrite, SaffirePro 26 I/O */ + SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x00000003, &saffirepro_26_spec), + /* Focusrite, SaffirePro 10 I/O */ +- SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x00000006, &saffirepro_10_spec), ++ { ++ // The combination of vendor_id and model_id is the same as the ++ // same as the one of Liquid Saffire 56. ++ .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_MODEL_ID | ++ IEEE1394_MATCH_SPECIFIER_ID | ++ IEEE1394_MATCH_VERSION, ++ .vendor_id = VEN_FOCUSRITE, ++ .model_id = 0x000006, ++ .specifier_id = 0x00a02d, ++ .version = 0x010001, ++ .driver_data = (kernel_ulong_t)&saffirepro_10_spec, ++ }, + /* Focusrite, Saffire(no label and LE) */ + SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, MODEL_FOCUSRITE_SAFFIRE_BOTH, + &saffire_spec), +diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c +index e8adead8be00..a87836d4de15 100644 +--- a/sound/soc/fsl/fsl_esai.c ++++ b/sound/soc/fsl/fsl_esai.c +@@ -394,7 +394,8 @@ static int fsl_esai_set_dai_fmt(struct snd_soc_dai *dai, unsigned int fmt) + break; + case SND_SOC_DAIFMT_RIGHT_J: + /* Data on rising edge of bclk, frame high, right aligned */ +- xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCR_xWA; ++ xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP; ++ xcr |= ESAI_xCR_xWA; + break; + case SND_SOC_DAIFMT_DSP_A: + /* Data on rising edge of bclk, frame high, 1clk before data */ +@@ -451,12 +452,12 @@ static int fsl_esai_set_dai_fmt(struct snd_soc_dai *dai, unsigned int fmt) + return -EINVAL; + } + +- mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR; ++ mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR | ESAI_xCR_xWA; + regmap_update_bits(esai_priv->regmap, REG_ESAI_TCR, mask, xcr); + regmap_update_bits(esai_priv->regmap, REG_ESAI_RCR, mask, xcr); + + mask = ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCCR_xFSP | +- ESAI_xCCR_xFSD | ESAI_xCCR_xCKD | ESAI_xCR_xWA; ++ ESAI_xCCR_xFSD | ESAI_xCCR_xCKD; + regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, mask, xccr); + regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, mask, xccr); + +diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c +index fc57da341d61..136df38c4536 100644 +--- a/sound/soc/fsl/imx-audmux.c ++++ b/sound/soc/fsl/imx-audmux.c +@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf, + if (!buf) + return -ENOMEM; + +- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", ++ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", + pdcr, ptcr); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS output from %s, ", + audmux_port_string((ptcr >> 27) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk output from %s", + audmux_port_string((ptcr >> 22) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk input"); + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); + + if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) { +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "Port is symmetric"); + } else { + if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS output from %s, ", + audmux_port_string((ptcr >> 17) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk output from %s", + audmux_port_string((ptcr >> 12) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk input"); + } + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "\nData received from %s\n", + audmux_port_string((pdcr >> 13) & 0x7)); + +diff --git a/sound/soc/intel/boards/broadwell.c b/sound/soc/intel/boards/broadwell.c +index 3f8a1e10bed0..e5ca41ffa890 100644 +--- a/sound/soc/intel/boards/broadwell.c ++++ b/sound/soc/intel/boards/broadwell.c +@@ -191,7 +191,7 @@ static struct snd_soc_dai_link broadwell_rt286_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/intel/boards/haswell.c b/sound/soc/intel/boards/haswell.c +index 22558572cb9c..de955c2e8c4e 100644 +--- a/sound/soc/intel/boards/haswell.c ++++ b/sound/soc/intel/boards/haswell.c +@@ -145,7 +145,7 @@ static struct snd_soc_dai_link haswell_rt5640_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 0aefed8ab0cf..7e26d173da41 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -1943,19 +1943,19 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + out = is_connected_output_ep(w, NULL); + } + +- ret = snprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d", ++ ret = scnprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d", + w->name, w->power ? "On" : "Off", + w->force ? " (forced)" : "", in, out); + + if (w->reg >= 0) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + " - R%d(0x%x) mask 0x%x", + w->reg, w->reg, w->mask << w->shift); + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); + + if (w->sname) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n", ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n", + w->sname, + w->active ? "active" : "inactive"); + +@@ -1968,7 +1968,7 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + if (!p->connect) + continue; + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + " %s \"%s\" \"%s\"\n", + (rdir == SND_SOC_DAPM_DIR_IN) ? "in" : "out", + p->name ? p->name : "static", +diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c +index c1e76feb3529..824f4d7fc41f 100644 +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -1770,6 +1770,7 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp, + struct snd_soc_tplg_ops *ops, const struct firmware *fw, u32 id) + { + struct soc_tplg tplg; ++ int ret; + + /* setup parsing context */ + memset(&tplg, 0, sizeof(tplg)); +@@ -1783,7 +1784,12 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp, + tplg.bytes_ext_ops = ops->bytes_ext_ops; + tplg.bytes_ext_ops_count = ops->bytes_ext_ops_count; + +- return soc_tplg_load(&tplg); ++ ret = soc_tplg_load(&tplg); ++ /* free the created components if fail to load topology */ ++ if (ret) ++ snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(snd_soc_tplg_component_load); + +diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h +new file mode 100644 +index 000000000000..a5fa3195a230 +--- /dev/null ++++ b/tools/arch/x86/include/asm/cpufeatures.h +@@ -0,0 +1,336 @@ ++#ifndef _ASM_X86_CPUFEATURES_H ++#define _ASM_X86_CPUFEATURES_H ++ ++#ifndef _ASM_X86_REQUIRED_FEATURES_H ++#include ++#endif ++ ++#ifndef _ASM_X86_DISABLED_FEATURES_H ++#include ++#endif ++ ++/* ++ * Defines x86 CPU feature bits ++ */ ++#define NCAPINTS 19 /* N 32-bit words worth of info */ ++#define NBUGINTS 1 /* N 32-bit bug flags */ ++ ++/* ++ * Note: If the comment begins with a quoted string, that string is used ++ * in /proc/cpuinfo instead of the macro name. If the string is "", ++ * this feature bit is not displayed in /proc/cpuinfo at all. ++ */ ++ ++/* Intel-defined CPU features, CPUID level 0x00000001 (edx), word 0 */ ++#define X86_FEATURE_FPU ( 0*32+ 0) /* Onboard FPU */ ++#define X86_FEATURE_VME ( 0*32+ 1) /* Virtual Mode Extensions */ ++#define X86_FEATURE_DE ( 0*32+ 2) /* Debugging Extensions */ ++#define X86_FEATURE_PSE ( 0*32+ 3) /* Page Size Extensions */ ++#define X86_FEATURE_TSC ( 0*32+ 4) /* Time Stamp Counter */ ++#define X86_FEATURE_MSR ( 0*32+ 5) /* Model-Specific Registers */ ++#define X86_FEATURE_PAE ( 0*32+ 6) /* Physical Address Extensions */ ++#define X86_FEATURE_MCE ( 0*32+ 7) /* Machine Check Exception */ ++#define X86_FEATURE_CX8 ( 0*32+ 8) /* CMPXCHG8 instruction */ ++#define X86_FEATURE_APIC ( 0*32+ 9) /* Onboard APIC */ ++#define X86_FEATURE_SEP ( 0*32+11) /* SYSENTER/SYSEXIT */ ++#define X86_FEATURE_MTRR ( 0*32+12) /* Memory Type Range Registers */ ++#define X86_FEATURE_PGE ( 0*32+13) /* Page Global Enable */ ++#define X86_FEATURE_MCA ( 0*32+14) /* Machine Check Architecture */ ++#define X86_FEATURE_CMOV ( 0*32+15) /* CMOV instructions */ ++ /* (plus FCMOVcc, FCOMI with FPU) */ ++#define X86_FEATURE_PAT ( 0*32+16) /* Page Attribute Table */ ++#define X86_FEATURE_PSE36 ( 0*32+17) /* 36-bit PSEs */ ++#define X86_FEATURE_PN ( 0*32+18) /* Processor serial number */ ++#define X86_FEATURE_CLFLUSH ( 0*32+19) /* CLFLUSH instruction */ ++#define X86_FEATURE_DS ( 0*32+21) /* "dts" Debug Store */ ++#define X86_FEATURE_ACPI ( 0*32+22) /* ACPI via MSR */ ++#define X86_FEATURE_MMX ( 0*32+23) /* Multimedia Extensions */ ++#define X86_FEATURE_FXSR ( 0*32+24) /* FXSAVE/FXRSTOR, CR4.OSFXSR */ ++#define X86_FEATURE_XMM ( 0*32+25) /* "sse" */ ++#define X86_FEATURE_XMM2 ( 0*32+26) /* "sse2" */ ++#define X86_FEATURE_SELFSNOOP ( 0*32+27) /* "ss" CPU self snoop */ ++#define X86_FEATURE_HT ( 0*32+28) /* Hyper-Threading */ ++#define X86_FEATURE_ACC ( 0*32+29) /* "tm" Automatic clock control */ ++#define X86_FEATURE_IA64 ( 0*32+30) /* IA-64 processor */ ++#define X86_FEATURE_PBE ( 0*32+31) /* Pending Break Enable */ ++ ++/* AMD-defined CPU features, CPUID level 0x80000001, word 1 */ ++/* Don't duplicate feature flags which are redundant with Intel! */ ++#define X86_FEATURE_SYSCALL ( 1*32+11) /* SYSCALL/SYSRET */ ++#define X86_FEATURE_MP ( 1*32+19) /* MP Capable. */ ++#define X86_FEATURE_NX ( 1*32+20) /* Execute Disable */ ++#define X86_FEATURE_MMXEXT ( 1*32+22) /* AMD MMX extensions */ ++#define X86_FEATURE_FXSR_OPT ( 1*32+25) /* FXSAVE/FXRSTOR optimizations */ ++#define X86_FEATURE_GBPAGES ( 1*32+26) /* "pdpe1gb" GB pages */ ++#define X86_FEATURE_RDTSCP ( 1*32+27) /* RDTSCP */ ++#define X86_FEATURE_LM ( 1*32+29) /* Long Mode (x86-64) */ ++#define X86_FEATURE_3DNOWEXT ( 1*32+30) /* AMD 3DNow! extensions */ ++#define X86_FEATURE_3DNOW ( 1*32+31) /* 3DNow! */ ++ ++/* Transmeta-defined CPU features, CPUID level 0x80860001, word 2 */ ++#define X86_FEATURE_RECOVERY ( 2*32+ 0) /* CPU in recovery mode */ ++#define X86_FEATURE_LONGRUN ( 2*32+ 1) /* Longrun power control */ ++#define X86_FEATURE_LRTI ( 2*32+ 3) /* LongRun table interface */ ++ ++/* Other features, Linux-defined mapping, word 3 */ ++/* This range is used for feature bits which conflict or are synthesized */ ++#define X86_FEATURE_CXMMX ( 3*32+ 0) /* Cyrix MMX extensions */ ++#define X86_FEATURE_K6_MTRR ( 3*32+ 1) /* AMD K6 nonstandard MTRRs */ ++#define X86_FEATURE_CYRIX_ARR ( 3*32+ 2) /* Cyrix ARRs (= MTRRs) */ ++#define X86_FEATURE_CENTAUR_MCR ( 3*32+ 3) /* Centaur MCRs (= MTRRs) */ ++/* cpu types for specific tunings: */ ++#define X86_FEATURE_K8 ( 3*32+ 4) /* "" Opteron, Athlon64 */ ++#define X86_FEATURE_K7 ( 3*32+ 5) /* "" Athlon */ ++#define X86_FEATURE_P3 ( 3*32+ 6) /* "" P3 */ ++#define X86_FEATURE_P4 ( 3*32+ 7) /* "" P4 */ ++#define X86_FEATURE_CONSTANT_TSC ( 3*32+ 8) /* TSC ticks at a constant rate */ ++#define X86_FEATURE_UP ( 3*32+ 9) /* smp kernel running on up */ ++/* free, was #define X86_FEATURE_FXSAVE_LEAK ( 3*32+10) * "" FXSAVE leaks FOP/FIP/FOP */ ++#define X86_FEATURE_ARCH_PERFMON ( 3*32+11) /* Intel Architectural PerfMon */ ++#define X86_FEATURE_PEBS ( 3*32+12) /* Precise-Event Based Sampling */ ++#define X86_FEATURE_BTS ( 3*32+13) /* Branch Trace Store */ ++#define X86_FEATURE_SYSCALL32 ( 3*32+14) /* "" syscall in ia32 userspace */ ++#define X86_FEATURE_SYSENTER32 ( 3*32+15) /* "" sysenter in ia32 userspace */ ++#define X86_FEATURE_REP_GOOD ( 3*32+16) /* rep microcode works well */ ++#define X86_FEATURE_MFENCE_RDTSC ( 3*32+17) /* "" Mfence synchronizes RDTSC */ ++#define X86_FEATURE_LFENCE_RDTSC ( 3*32+18) /* "" Lfence synchronizes RDTSC */ ++/* free, was #define X86_FEATURE_11AP ( 3*32+19) * "" Bad local APIC aka 11AP */ ++#define X86_FEATURE_NOPL ( 3*32+20) /* The NOPL (0F 1F) instructions */ ++#define X86_FEATURE_ALWAYS ( 3*32+21) /* "" Always-present feature */ ++#define X86_FEATURE_XTOPOLOGY ( 3*32+22) /* cpu topology enum extensions */ ++#define X86_FEATURE_TSC_RELIABLE ( 3*32+23) /* TSC is known to be reliable */ ++#define X86_FEATURE_NONSTOP_TSC ( 3*32+24) /* TSC does not stop in C states */ ++/* free, was #define X86_FEATURE_CLFLUSH_MONITOR ( 3*32+25) * "" clflush reqd with monitor */ ++#define X86_FEATURE_EXTD_APICID ( 3*32+26) /* has extended APICID (8 bits) */ ++#define X86_FEATURE_AMD_DCM ( 3*32+27) /* multi-node processor */ ++#define X86_FEATURE_APERFMPERF ( 3*32+28) /* APERFMPERF */ ++#define X86_FEATURE_NONSTOP_TSC_S3 ( 3*32+30) /* TSC doesn't stop in S3 state */ ++ ++/* Intel-defined CPU features, CPUID level 0x00000001 (ecx), word 4 */ ++#define X86_FEATURE_XMM3 ( 4*32+ 0) /* "pni" SSE-3 */ ++#define X86_FEATURE_PCLMULQDQ ( 4*32+ 1) /* PCLMULQDQ instruction */ ++#define X86_FEATURE_DTES64 ( 4*32+ 2) /* 64-bit Debug Store */ ++#define X86_FEATURE_MWAIT ( 4*32+ 3) /* "monitor" Monitor/Mwait support */ ++#define X86_FEATURE_DSCPL ( 4*32+ 4) /* "ds_cpl" CPL Qual. Debug Store */ ++#define X86_FEATURE_VMX ( 4*32+ 5) /* Hardware virtualization */ ++#define X86_FEATURE_SMX ( 4*32+ 6) /* Safer mode */ ++#define X86_FEATURE_EST ( 4*32+ 7) /* Enhanced SpeedStep */ ++#define X86_FEATURE_TM2 ( 4*32+ 8) /* Thermal Monitor 2 */ ++#define X86_FEATURE_SSSE3 ( 4*32+ 9) /* Supplemental SSE-3 */ ++#define X86_FEATURE_CID ( 4*32+10) /* Context ID */ ++#define X86_FEATURE_SDBG ( 4*32+11) /* Silicon Debug */ ++#define X86_FEATURE_FMA ( 4*32+12) /* Fused multiply-add */ ++#define X86_FEATURE_CX16 ( 4*32+13) /* CMPXCHG16B */ ++#define X86_FEATURE_XTPR ( 4*32+14) /* Send Task Priority Messages */ ++#define X86_FEATURE_PDCM ( 4*32+15) /* Performance Capabilities */ ++#define X86_FEATURE_PCID ( 4*32+17) /* Process Context Identifiers */ ++#define X86_FEATURE_DCA ( 4*32+18) /* Direct Cache Access */ ++#define X86_FEATURE_XMM4_1 ( 4*32+19) /* "sse4_1" SSE-4.1 */ ++#define X86_FEATURE_XMM4_2 ( 4*32+20) /* "sse4_2" SSE-4.2 */ ++#define X86_FEATURE_X2APIC ( 4*32+21) /* x2APIC */ ++#define X86_FEATURE_MOVBE ( 4*32+22) /* MOVBE instruction */ ++#define X86_FEATURE_POPCNT ( 4*32+23) /* POPCNT instruction */ ++#define X86_FEATURE_TSC_DEADLINE_TIMER ( 4*32+24) /* Tsc deadline timer */ ++#define X86_FEATURE_AES ( 4*32+25) /* AES instructions */ ++#define X86_FEATURE_XSAVE ( 4*32+26) /* XSAVE/XRSTOR/XSETBV/XGETBV */ ++#define X86_FEATURE_OSXSAVE ( 4*32+27) /* "" XSAVE enabled in the OS */ ++#define X86_FEATURE_AVX ( 4*32+28) /* Advanced Vector Extensions */ ++#define X86_FEATURE_F16C ( 4*32+29) /* 16-bit fp conversions */ ++#define X86_FEATURE_RDRAND ( 4*32+30) /* The RDRAND instruction */ ++#define X86_FEATURE_HYPERVISOR ( 4*32+31) /* Running on a hypervisor */ ++ ++/* VIA/Cyrix/Centaur-defined CPU features, CPUID level 0xC0000001, word 5 */ ++#define X86_FEATURE_XSTORE ( 5*32+ 2) /* "rng" RNG present (xstore) */ ++#define X86_FEATURE_XSTORE_EN ( 5*32+ 3) /* "rng_en" RNG enabled */ ++#define X86_FEATURE_XCRYPT ( 5*32+ 6) /* "ace" on-CPU crypto (xcrypt) */ ++#define X86_FEATURE_XCRYPT_EN ( 5*32+ 7) /* "ace_en" on-CPU crypto enabled */ ++#define X86_FEATURE_ACE2 ( 5*32+ 8) /* Advanced Cryptography Engine v2 */ ++#define X86_FEATURE_ACE2_EN ( 5*32+ 9) /* ACE v2 enabled */ ++#define X86_FEATURE_PHE ( 5*32+10) /* PadLock Hash Engine */ ++#define X86_FEATURE_PHE_EN ( 5*32+11) /* PHE enabled */ ++#define X86_FEATURE_PMM ( 5*32+12) /* PadLock Montgomery Multiplier */ ++#define X86_FEATURE_PMM_EN ( 5*32+13) /* PMM enabled */ ++ ++/* More extended AMD flags: CPUID level 0x80000001, ecx, word 6 */ ++#define X86_FEATURE_LAHF_LM ( 6*32+ 0) /* LAHF/SAHF in long mode */ ++#define X86_FEATURE_CMP_LEGACY ( 6*32+ 1) /* If yes HyperThreading not valid */ ++#define X86_FEATURE_SVM ( 6*32+ 2) /* Secure virtual machine */ ++#define X86_FEATURE_EXTAPIC ( 6*32+ 3) /* Extended APIC space */ ++#define X86_FEATURE_CR8_LEGACY ( 6*32+ 4) /* CR8 in 32-bit mode */ ++#define X86_FEATURE_ABM ( 6*32+ 5) /* Advanced bit manipulation */ ++#define X86_FEATURE_SSE4A ( 6*32+ 6) /* SSE-4A */ ++#define X86_FEATURE_MISALIGNSSE ( 6*32+ 7) /* Misaligned SSE mode */ ++#define X86_FEATURE_3DNOWPREFETCH ( 6*32+ 8) /* 3DNow prefetch instructions */ ++#define X86_FEATURE_OSVW ( 6*32+ 9) /* OS Visible Workaround */ ++#define X86_FEATURE_IBS ( 6*32+10) /* Instruction Based Sampling */ ++#define X86_FEATURE_XOP ( 6*32+11) /* extended AVX instructions */ ++#define X86_FEATURE_SKINIT ( 6*32+12) /* SKINIT/STGI instructions */ ++#define X86_FEATURE_WDT ( 6*32+13) /* Watchdog timer */ ++#define X86_FEATURE_LWP ( 6*32+15) /* Light Weight Profiling */ ++#define X86_FEATURE_FMA4 ( 6*32+16) /* 4 operands MAC instructions */ ++#define X86_FEATURE_TCE ( 6*32+17) /* translation cache extension */ ++#define X86_FEATURE_NODEID_MSR ( 6*32+19) /* NodeId MSR */ ++#define X86_FEATURE_TBM ( 6*32+21) /* trailing bit manipulations */ ++#define X86_FEATURE_TOPOEXT ( 6*32+22) /* topology extensions CPUID leafs */ ++#define X86_FEATURE_PERFCTR_CORE ( 6*32+23) /* core performance counter extensions */ ++#define X86_FEATURE_PERFCTR_NB ( 6*32+24) /* NB performance counter extensions */ ++#define X86_FEATURE_BPEXT (6*32+26) /* data breakpoint extension */ ++#define X86_FEATURE_PERFCTR_L2 ( 6*32+28) /* L2 performance counter extensions */ ++#define X86_FEATURE_MWAITX ( 6*32+29) /* MWAIT extension (MONITORX/MWAITX) */ ++ ++/* ++ * Auxiliary flags: Linux defined - For features scattered in various ++ * CPUID levels like 0x6, 0xA etc, word 7. ++ * ++ * Reuse free bits when adding new feature flags! ++ */ ++ ++#define X86_FEATURE_CPB ( 7*32+ 2) /* AMD Core Performance Boost */ ++#define X86_FEATURE_EPB ( 7*32+ 3) /* IA32_ENERGY_PERF_BIAS support */ ++#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 4) /* Effectively INVPCID && CR4.PCIDE=1 */ ++ ++#define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */ ++#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */ ++ ++#define X86_FEATURE_RETPOLINE ( 7*32+12) /* "" Generic Retpoline mitigation for Spectre variant 2 */ ++#define X86_FEATURE_RETPOLINE_AMD ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */ ++ ++#define X86_FEATURE_INTEL_PT ( 7*32+15) /* Intel Processor Trace */ ++#define X86_FEATURE_RSB_CTXSW ( 7*32+19) /* "" Fill RSB on context switches */ ++ ++#define X86_FEATURE_MSR_SPEC_CTRL ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */ ++#define X86_FEATURE_SSBD ( 7*32+17) /* Speculative Store Bypass Disable */ ++ ++/* Because the ALTERNATIVE scheme is for members of the X86_FEATURE club... */ ++#define X86_FEATURE_KAISER ( 7*32+31) /* CONFIG_PAGE_TABLE_ISOLATION w/o nokaiser */ ++ ++#define X86_FEATURE_USE_IBPB ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled*/ ++#define X86_FEATURE_USE_IBRS_FW ( 7*32+22) /* "" Use IBRS during runtime firmware calls */ ++#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE ( 7*32+23) /* "" Disable Speculative Store Bypass. */ ++#define X86_FEATURE_LS_CFG_SSBD ( 7*32+24) /* "" AMD SSBD implementation */ ++ ++#define X86_FEATURE_IBRS ( 7*32+25) /* Indirect Branch Restricted Speculation */ ++#define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch Prediction Barrier */ ++#define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect Branch Predictors */ ++#define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */ ++#define X86_FEATURE_L1TF_PTEINV ( 7*32+29) /* "" L1TF workaround PTE inversion */ ++ ++/* Virtualization flags: Linux defined, word 8 */ ++#define X86_FEATURE_TPR_SHADOW ( 8*32+ 0) /* Intel TPR Shadow */ ++#define X86_FEATURE_VNMI ( 8*32+ 1) /* Intel Virtual NMI */ ++#define X86_FEATURE_FLEXPRIORITY ( 8*32+ 2) /* Intel FlexPriority */ ++#define X86_FEATURE_EPT ( 8*32+ 3) /* Intel Extended Page Table */ ++#define X86_FEATURE_VPID ( 8*32+ 4) /* Intel Virtual Processor ID */ ++ ++#define X86_FEATURE_VMMCALL ( 8*32+15) /* Prefer vmmcall to vmcall */ ++#define X86_FEATURE_XENPV ( 8*32+16) /* "" Xen paravirtual guest */ ++ ++ ++/* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */ ++#define X86_FEATURE_FSGSBASE ( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/ ++#define X86_FEATURE_TSC_ADJUST ( 9*32+ 1) /* TSC adjustment MSR 0x3b */ ++#define X86_FEATURE_BMI1 ( 9*32+ 3) /* 1st group bit manipulation extensions */ ++#define X86_FEATURE_HLE ( 9*32+ 4) /* Hardware Lock Elision */ ++#define X86_FEATURE_AVX2 ( 9*32+ 5) /* AVX2 instructions */ ++#define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Protection */ ++#define X86_FEATURE_BMI2 ( 9*32+ 8) /* 2nd group bit manipulation extensions */ ++#define X86_FEATURE_ERMS ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */ ++#define X86_FEATURE_INVPCID ( 9*32+10) /* Invalidate Processor Context ID */ ++#define X86_FEATURE_RTM ( 9*32+11) /* Restricted Transactional Memory */ ++#define X86_FEATURE_CQM ( 9*32+12) /* Cache QoS Monitoring */ ++#define X86_FEATURE_MPX ( 9*32+14) /* Memory Protection Extension */ ++#define X86_FEATURE_AVX512F ( 9*32+16) /* AVX-512 Foundation */ ++#define X86_FEATURE_RDSEED ( 9*32+18) /* The RDSEED instruction */ ++#define X86_FEATURE_ADX ( 9*32+19) /* The ADCX and ADOX instructions */ ++#define X86_FEATURE_SMAP ( 9*32+20) /* Supervisor Mode Access Prevention */ ++#define X86_FEATURE_PCOMMIT ( 9*32+22) /* PCOMMIT instruction */ ++#define X86_FEATURE_CLFLUSHOPT ( 9*32+23) /* CLFLUSHOPT instruction */ ++#define X86_FEATURE_CLWB ( 9*32+24) /* CLWB instruction */ ++#define X86_FEATURE_AVX512PF ( 9*32+26) /* AVX-512 Prefetch */ ++#define X86_FEATURE_AVX512ER ( 9*32+27) /* AVX-512 Exponential and Reciprocal */ ++#define X86_FEATURE_AVX512CD ( 9*32+28) /* AVX-512 Conflict Detection */ ++#define X86_FEATURE_SHA_NI ( 9*32+29) /* SHA1/SHA256 Instruction Extensions */ ++ ++/* Extended state features, CPUID level 0x0000000d:1 (eax), word 10 */ ++#define X86_FEATURE_XSAVEOPT (10*32+ 0) /* XSAVEOPT */ ++#define X86_FEATURE_XSAVEC (10*32+ 1) /* XSAVEC */ ++#define X86_FEATURE_XGETBV1 (10*32+ 2) /* XGETBV with ECX = 1 */ ++#define X86_FEATURE_XSAVES (10*32+ 3) /* XSAVES/XRSTORS */ ++ ++/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (edx), word 11 */ ++#define X86_FEATURE_CQM_LLC (11*32+ 1) /* LLC QoS if 1 */ ++ ++/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (edx), word 12 */ ++#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring if 1 */ ++ ++/* AMD-defined CPU features, CPUID level 0x80000008 (ebx), word 13 */ ++#define X86_FEATURE_CLZERO (13*32+0) /* CLZERO instruction */ ++#define X86_FEATURE_AMD_IBPB (13*32+12) /* Indirect Branch Prediction Barrier */ ++#define X86_FEATURE_AMD_IBRS (13*32+14) /* Indirect Branch Restricted Speculation */ ++#define X86_FEATURE_AMD_STIBP (13*32+15) /* Single Thread Indirect Branch Predictors */ ++#define X86_FEATURE_VIRT_SSBD (13*32+25) /* Virtualized Speculative Store Bypass Disable */ ++ ++/* Thermal and Power Management Leaf, CPUID level 0x00000006 (eax), word 14 */ ++#define X86_FEATURE_DTHERM (14*32+ 0) /* Digital Thermal Sensor */ ++#define X86_FEATURE_IDA (14*32+ 1) /* Intel Dynamic Acceleration */ ++#define X86_FEATURE_ARAT (14*32+ 2) /* Always Running APIC Timer */ ++#define X86_FEATURE_PLN (14*32+ 4) /* Intel Power Limit Notification */ ++#define X86_FEATURE_PTS (14*32+ 6) /* Intel Package Thermal Status */ ++#define X86_FEATURE_HWP (14*32+ 7) /* Intel Hardware P-states */ ++#define X86_FEATURE_HWP_NOTIFY (14*32+ 8) /* HWP Notification */ ++#define X86_FEATURE_HWP_ACT_WINDOW (14*32+ 9) /* HWP Activity Window */ ++#define X86_FEATURE_HWP_EPP (14*32+10) /* HWP Energy Perf. Preference */ ++#define X86_FEATURE_HWP_PKG_REQ (14*32+11) /* HWP Package Level Request */ ++ ++/* AMD SVM Feature Identification, CPUID level 0x8000000a (edx), word 15 */ ++#define X86_FEATURE_NPT (15*32+ 0) /* Nested Page Table support */ ++#define X86_FEATURE_LBRV (15*32+ 1) /* LBR Virtualization support */ ++#define X86_FEATURE_SVML (15*32+ 2) /* "svm_lock" SVM locking MSR */ ++#define X86_FEATURE_NRIPS (15*32+ 3) /* "nrip_save" SVM next_rip save */ ++#define X86_FEATURE_TSCRATEMSR (15*32+ 4) /* "tsc_scale" TSC scaling support */ ++#define X86_FEATURE_VMCBCLEAN (15*32+ 5) /* "vmcb_clean" VMCB clean bits support */ ++#define X86_FEATURE_FLUSHBYASID (15*32+ 6) /* flush-by-ASID support */ ++#define X86_FEATURE_DECODEASSISTS (15*32+ 7) /* Decode Assists support */ ++#define X86_FEATURE_PAUSEFILTER (15*32+10) /* filtered pause intercept */ ++#define X86_FEATURE_PFTHRESHOLD (15*32+12) /* pause filter threshold */ ++ ++/* Intel-defined CPU features, CPUID level 0x00000007:0 (ecx), word 16 */ ++#define X86_FEATURE_PKU (16*32+ 3) /* Protection Keys for Userspace */ ++#define X86_FEATURE_OSPKE (16*32+ 4) /* OS Protection Keys Enable */ ++ ++/* AMD-defined CPU features, CPUID level 0x80000007 (ebx), word 17 */ ++#define X86_FEATURE_OVERFLOW_RECOV (17*32+0) /* MCA overflow recovery support */ ++#define X86_FEATURE_SUCCOR (17*32+1) /* Uncorrectable error containment and recovery */ ++#define X86_FEATURE_SMCA (17*32+3) /* Scalable MCA */ ++ ++ ++/* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 18 */ ++#define X86_FEATURE_AVX512_4VNNIW (18*32+ 2) /* AVX-512 Neural Network Instructions */ ++#define X86_FEATURE_AVX512_4FMAPS (18*32+ 3) /* AVX-512 Multiply Accumulation Single precision */ ++#define X86_FEATURE_SPEC_CTRL (18*32+26) /* "" Speculation Control (IBRS + IBPB) */ ++#define X86_FEATURE_INTEL_STIBP (18*32+27) /* "" Single Thread Indirect Branch Predictors */ ++#define X86_FEATURE_FLUSH_L1D (18*32+28) /* Flush L1D cache */ ++#define X86_FEATURE_ARCH_CAPABILITIES (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */ ++#define X86_FEATURE_SPEC_CTRL_SSBD (18*32+31) /* "" Speculative Store Bypass Disable */ ++ ++/* ++ * BUG word(s) ++ */ ++#define X86_BUG(x) (NCAPINTS*32 + (x)) ++ ++#define X86_BUG_F00F X86_BUG(0) /* Intel F00F */ ++#define X86_BUG_FDIV X86_BUG(1) /* FPU FDIV */ ++#define X86_BUG_COMA X86_BUG(2) /* Cyrix 6x86 coma */ ++#define X86_BUG_AMD_TLB_MMATCH X86_BUG(3) /* "tlb_mmatch" AMD Erratum 383 */ ++#define X86_BUG_AMD_APIC_C1E X86_BUG(4) /* "apic_c1e" AMD Erratum 400 */ ++#define X86_BUG_11AP X86_BUG(5) /* Bad local APIC aka 11AP */ ++#define X86_BUG_FXSAVE_LEAK X86_BUG(6) /* FXSAVE leaks FOP/FIP/FOP */ ++#define X86_BUG_CLFLUSH_MONITOR X86_BUG(7) /* AAI65, CLFLUSH required before MONITOR */ ++#define X86_BUG_SYSRET_SS_ATTRS X86_BUG(8) /* SYSRET doesn't fix up SS attrs */ ++#define X86_BUG_CPU_MELTDOWN X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */ ++#define X86_BUG_SPECTRE_V1 X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */ ++#define X86_BUG_SPECTRE_V2 X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */ ++#define X86_BUG_SPEC_STORE_BYPASS X86_BUG(17) /* CPU is affected by speculative store bypass attack */ ++#define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */ ++ ++#endif /* _ASM_X86_CPUFEATURES_H */ +diff --git a/tools/arch/x86/include/asm/disabled-features.h b/tools/arch/x86/include/asm/disabled-features.h +new file mode 100644 +index 000000000000..1f8cca459c6c +--- /dev/null ++++ b/tools/arch/x86/include/asm/disabled-features.h +@@ -0,0 +1,65 @@ ++#ifndef _ASM_X86_DISABLED_FEATURES_H ++#define _ASM_X86_DISABLED_FEATURES_H ++ ++/* These features, although they might be available in a CPU ++ * will not be used because the compile options to support ++ * them are not present. ++ * ++ * This code allows them to be checked and disabled at ++ * compile time without an explicit #ifdef. Use ++ * cpu_feature_enabled(). ++ */ ++ ++#ifdef CONFIG_X86_INTEL_MPX ++# define DISABLE_MPX 0 ++#else ++# define DISABLE_MPX (1<<(X86_FEATURE_MPX & 31)) ++#endif ++ ++#ifdef CONFIG_X86_64 ++# define DISABLE_VME (1<<(X86_FEATURE_VME & 31)) ++# define DISABLE_K6_MTRR (1<<(X86_FEATURE_K6_MTRR & 31)) ++# define DISABLE_CYRIX_ARR (1<<(X86_FEATURE_CYRIX_ARR & 31)) ++# define DISABLE_CENTAUR_MCR (1<<(X86_FEATURE_CENTAUR_MCR & 31)) ++# define DISABLE_PCID 0 ++#else ++# define DISABLE_VME 0 ++# define DISABLE_K6_MTRR 0 ++# define DISABLE_CYRIX_ARR 0 ++# define DISABLE_CENTAUR_MCR 0 ++# define DISABLE_PCID (1<<(X86_FEATURE_PCID & 31)) ++#endif /* CONFIG_X86_64 */ ++ ++#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS ++# define DISABLE_PKU 0 ++# define DISABLE_OSPKE 0 ++#else ++# define DISABLE_PKU (1<<(X86_FEATURE_PKU & 31)) ++# define DISABLE_OSPKE (1<<(X86_FEATURE_OSPKE & 31)) ++#endif /* CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS */ ++ ++/* ++ * Make sure to add features to the correct mask ++ */ ++#define DISABLED_MASK0 (DISABLE_VME) ++#define DISABLED_MASK1 0 ++#define DISABLED_MASK2 0 ++#define DISABLED_MASK3 (DISABLE_CYRIX_ARR|DISABLE_CENTAUR_MCR|DISABLE_K6_MTRR) ++#define DISABLED_MASK4 (DISABLE_PCID) ++#define DISABLED_MASK5 0 ++#define DISABLED_MASK6 0 ++#define DISABLED_MASK7 0 ++#define DISABLED_MASK8 0 ++#define DISABLED_MASK9 (DISABLE_MPX) ++#define DISABLED_MASK10 0 ++#define DISABLED_MASK11 0 ++#define DISABLED_MASK12 0 ++#define DISABLED_MASK13 0 ++#define DISABLED_MASK14 0 ++#define DISABLED_MASK15 0 ++#define DISABLED_MASK16 (DISABLE_PKU|DISABLE_OSPKE) ++#define DISABLED_MASK17 0 ++#define DISABLED_MASK18 0 ++#define DISABLED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19) ++ ++#endif /* _ASM_X86_DISABLED_FEATURES_H */ +diff --git a/tools/arch/x86/include/asm/required-features.h b/tools/arch/x86/include/asm/required-features.h +new file mode 100644 +index 000000000000..6847d85400a8 +--- /dev/null ++++ b/tools/arch/x86/include/asm/required-features.h +@@ -0,0 +1,106 @@ ++#ifndef _ASM_X86_REQUIRED_FEATURES_H ++#define _ASM_X86_REQUIRED_FEATURES_H ++ ++/* Define minimum CPUID feature set for kernel These bits are checked ++ really early to actually display a visible error message before the ++ kernel dies. Make sure to assign features to the proper mask! ++ ++ Some requirements that are not in CPUID yet are also in the ++ CONFIG_X86_MINIMUM_CPU_FAMILY which is checked too. ++ ++ The real information is in arch/x86/Kconfig.cpu, this just converts ++ the CONFIGs into a bitmask */ ++ ++#ifndef CONFIG_MATH_EMULATION ++# define NEED_FPU (1<<(X86_FEATURE_FPU & 31)) ++#else ++# define NEED_FPU 0 ++#endif ++ ++#if defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64) ++# define NEED_PAE (1<<(X86_FEATURE_PAE & 31)) ++#else ++# define NEED_PAE 0 ++#endif ++ ++#ifdef CONFIG_X86_CMPXCHG64 ++# define NEED_CX8 (1<<(X86_FEATURE_CX8 & 31)) ++#else ++# define NEED_CX8 0 ++#endif ++ ++#if defined(CONFIG_X86_CMOV) || defined(CONFIG_X86_64) ++# define NEED_CMOV (1<<(X86_FEATURE_CMOV & 31)) ++#else ++# define NEED_CMOV 0 ++#endif ++ ++#ifdef CONFIG_X86_USE_3DNOW ++# define NEED_3DNOW (1<<(X86_FEATURE_3DNOW & 31)) ++#else ++# define NEED_3DNOW 0 ++#endif ++ ++#if defined(CONFIG_X86_P6_NOP) || defined(CONFIG_X86_64) ++# define NEED_NOPL (1<<(X86_FEATURE_NOPL & 31)) ++#else ++# define NEED_NOPL 0 ++#endif ++ ++#ifdef CONFIG_MATOM ++# define NEED_MOVBE (1<<(X86_FEATURE_MOVBE & 31)) ++#else ++# define NEED_MOVBE 0 ++#endif ++ ++#ifdef CONFIG_X86_64 ++#ifdef CONFIG_PARAVIRT ++/* Paravirtualized systems may not have PSE or PGE available */ ++#define NEED_PSE 0 ++#define NEED_PGE 0 ++#else ++#define NEED_PSE (1<<(X86_FEATURE_PSE) & 31) ++#define NEED_PGE (1<<(X86_FEATURE_PGE) & 31) ++#endif ++#define NEED_MSR (1<<(X86_FEATURE_MSR & 31)) ++#define NEED_FXSR (1<<(X86_FEATURE_FXSR & 31)) ++#define NEED_XMM (1<<(X86_FEATURE_XMM & 31)) ++#define NEED_XMM2 (1<<(X86_FEATURE_XMM2 & 31)) ++#define NEED_LM (1<<(X86_FEATURE_LM & 31)) ++#else ++#define NEED_PSE 0 ++#define NEED_MSR 0 ++#define NEED_PGE 0 ++#define NEED_FXSR 0 ++#define NEED_XMM 0 ++#define NEED_XMM2 0 ++#define NEED_LM 0 ++#endif ++ ++#define REQUIRED_MASK0 (NEED_FPU|NEED_PSE|NEED_MSR|NEED_PAE|\ ++ NEED_CX8|NEED_PGE|NEED_FXSR|NEED_CMOV|\ ++ NEED_XMM|NEED_XMM2) ++#define SSE_MASK (NEED_XMM|NEED_XMM2) ++ ++#define REQUIRED_MASK1 (NEED_LM|NEED_3DNOW) ++ ++#define REQUIRED_MASK2 0 ++#define REQUIRED_MASK3 (NEED_NOPL) ++#define REQUIRED_MASK4 (NEED_MOVBE) ++#define REQUIRED_MASK5 0 ++#define REQUIRED_MASK6 0 ++#define REQUIRED_MASK7 0 ++#define REQUIRED_MASK8 0 ++#define REQUIRED_MASK9 0 ++#define REQUIRED_MASK10 0 ++#define REQUIRED_MASK11 0 ++#define REQUIRED_MASK12 0 ++#define REQUIRED_MASK13 0 ++#define REQUIRED_MASK14 0 ++#define REQUIRED_MASK15 0 ++#define REQUIRED_MASK16 0 ++#define REQUIRED_MASK17 0 ++#define REQUIRED_MASK18 0 ++#define REQUIRED_MASK_CHECK BUILD_BUG_ON_ZERO(NCAPINTS != 19) ++ ++#endif /* _ASM_X86_REQUIRED_FEATURES_H */ +diff --git a/tools/arch/x86/lib/memcpy_64.S b/tools/arch/x86/lib/memcpy_64.S +new file mode 100644 +index 000000000000..a0de849435ad +--- /dev/null ++++ b/tools/arch/x86/lib/memcpy_64.S +@@ -0,0 +1,179 @@ ++/* Copyright 2002 Andi Kleen */ ++ ++#include ++#include ++#include ++ ++/* ++ * We build a jump to memcpy_orig by default which gets NOPped out on ++ * the majority of x86 CPUs which set REP_GOOD. In addition, CPUs which ++ * have the enhanced REP MOVSB/STOSB feature (ERMS), change those NOPs ++ * to a jmp to memcpy_erms which does the REP; MOVSB mem copy. ++ */ ++ ++.weak memcpy ++ ++/* ++ * memcpy - Copy a memory block. ++ * ++ * Input: ++ * rdi destination ++ * rsi source ++ * rdx count ++ * ++ * Output: ++ * rax original destination ++ */ ++ENTRY(__memcpy) ++ENTRY(memcpy) ++ ALTERNATIVE_2 "jmp memcpy_orig", "", X86_FEATURE_REP_GOOD, \ ++ "jmp memcpy_erms", X86_FEATURE_ERMS ++ ++ movq %rdi, %rax ++ movq %rdx, %rcx ++ shrq $3, %rcx ++ andl $7, %edx ++ rep movsq ++ movl %edx, %ecx ++ rep movsb ++ ret ++ENDPROC(memcpy) ++ENDPROC(__memcpy) ++ ++/* ++ * memcpy_erms() - enhanced fast string memcpy. This is faster and ++ * simpler than memcpy. Use memcpy_erms when possible. ++ */ ++ENTRY(memcpy_erms) ++ movq %rdi, %rax ++ movq %rdx, %rcx ++ rep movsb ++ ret ++ENDPROC(memcpy_erms) ++ ++ENTRY(memcpy_orig) ++ movq %rdi, %rax ++ ++ cmpq $0x20, %rdx ++ jb .Lhandle_tail ++ ++ /* ++ * We check whether memory false dependence could occur, ++ * then jump to corresponding copy mode. ++ */ ++ cmp %dil, %sil ++ jl .Lcopy_backward ++ subq $0x20, %rdx ++.Lcopy_forward_loop: ++ subq $0x20, %rdx ++ ++ /* ++ * Move in blocks of 4x8 bytes: ++ */ ++ movq 0*8(%rsi), %r8 ++ movq 1*8(%rsi), %r9 ++ movq 2*8(%rsi), %r10 ++ movq 3*8(%rsi), %r11 ++ leaq 4*8(%rsi), %rsi ++ ++ movq %r8, 0*8(%rdi) ++ movq %r9, 1*8(%rdi) ++ movq %r10, 2*8(%rdi) ++ movq %r11, 3*8(%rdi) ++ leaq 4*8(%rdi), %rdi ++ jae .Lcopy_forward_loop ++ addl $0x20, %edx ++ jmp .Lhandle_tail ++ ++.Lcopy_backward: ++ /* ++ * Calculate copy position to tail. ++ */ ++ addq %rdx, %rsi ++ addq %rdx, %rdi ++ subq $0x20, %rdx ++ /* ++ * At most 3 ALU operations in one cycle, ++ * so append NOPS in the same 16 bytes trunk. ++ */ ++ .p2align 4 ++.Lcopy_backward_loop: ++ subq $0x20, %rdx ++ movq -1*8(%rsi), %r8 ++ movq -2*8(%rsi), %r9 ++ movq -3*8(%rsi), %r10 ++ movq -4*8(%rsi), %r11 ++ leaq -4*8(%rsi), %rsi ++ movq %r8, -1*8(%rdi) ++ movq %r9, -2*8(%rdi) ++ movq %r10, -3*8(%rdi) ++ movq %r11, -4*8(%rdi) ++ leaq -4*8(%rdi), %rdi ++ jae .Lcopy_backward_loop ++ ++ /* ++ * Calculate copy position to head. ++ */ ++ addl $0x20, %edx ++ subq %rdx, %rsi ++ subq %rdx, %rdi ++.Lhandle_tail: ++ cmpl $16, %edx ++ jb .Lless_16bytes ++ ++ /* ++ * Move data from 16 bytes to 31 bytes. ++ */ ++ movq 0*8(%rsi), %r8 ++ movq 1*8(%rsi), %r9 ++ movq -2*8(%rsi, %rdx), %r10 ++ movq -1*8(%rsi, %rdx), %r11 ++ movq %r8, 0*8(%rdi) ++ movq %r9, 1*8(%rdi) ++ movq %r10, -2*8(%rdi, %rdx) ++ movq %r11, -1*8(%rdi, %rdx) ++ retq ++ .p2align 4 ++.Lless_16bytes: ++ cmpl $8, %edx ++ jb .Lless_8bytes ++ /* ++ * Move data from 8 bytes to 15 bytes. ++ */ ++ movq 0*8(%rsi), %r8 ++ movq -1*8(%rsi, %rdx), %r9 ++ movq %r8, 0*8(%rdi) ++ movq %r9, -1*8(%rdi, %rdx) ++ retq ++ .p2align 4 ++.Lless_8bytes: ++ cmpl $4, %edx ++ jb .Lless_3bytes ++ ++ /* ++ * Move data from 4 bytes to 7 bytes. ++ */ ++ movl (%rsi), %ecx ++ movl -4(%rsi, %rdx), %r8d ++ movl %ecx, (%rdi) ++ movl %r8d, -4(%rdi, %rdx) ++ retq ++ .p2align 4 ++.Lless_3bytes: ++ subl $1, %edx ++ jb .Lend ++ /* ++ * Move data from 1 bytes to 3 bytes. ++ */ ++ movzbl (%rsi), %ecx ++ jz .Lstore_1byte ++ movzbq 1(%rsi), %r8 ++ movzbq (%rsi, %rdx), %r9 ++ movb %r8b, 1(%rdi) ++ movb %r9b, (%rdi, %rdx) ++.Lstore_1byte: ++ movb %cl, (%rdi) ++ ++.Lend: ++ retq ++ENDPROC(memcpy_orig) +diff --git a/tools/arch/x86/lib/memset_64.S b/tools/arch/x86/lib/memset_64.S +new file mode 100644 +index 000000000000..c9c81227ea37 +--- /dev/null ++++ b/tools/arch/x86/lib/memset_64.S +@@ -0,0 +1,138 @@ ++/* Copyright 2002 Andi Kleen, SuSE Labs */ ++ ++#include ++#include ++#include ++ ++.weak memset ++ ++/* ++ * ISO C memset - set a memory block to a byte value. This function uses fast ++ * string to get better performance than the original function. The code is ++ * simpler and shorter than the orignal function as well. ++ * ++ * rdi destination ++ * rsi value (char) ++ * rdx count (bytes) ++ * ++ * rax original destination ++ */ ++ENTRY(memset) ++ENTRY(__memset) ++ /* ++ * Some CPUs support enhanced REP MOVSB/STOSB feature. It is recommended ++ * to use it when possible. If not available, use fast string instructions. ++ * ++ * Otherwise, use original memset function. ++ */ ++ ALTERNATIVE_2 "jmp memset_orig", "", X86_FEATURE_REP_GOOD, \ ++ "jmp memset_erms", X86_FEATURE_ERMS ++ ++ movq %rdi,%r9 ++ movq %rdx,%rcx ++ andl $7,%edx ++ shrq $3,%rcx ++ /* expand byte value */ ++ movzbl %sil,%esi ++ movabs $0x0101010101010101,%rax ++ imulq %rsi,%rax ++ rep stosq ++ movl %edx,%ecx ++ rep stosb ++ movq %r9,%rax ++ ret ++ENDPROC(memset) ++ENDPROC(__memset) ++ ++/* ++ * ISO C memset - set a memory block to a byte value. This function uses ++ * enhanced rep stosb to override the fast string function. ++ * The code is simpler and shorter than the fast string function as well. ++ * ++ * rdi destination ++ * rsi value (char) ++ * rdx count (bytes) ++ * ++ * rax original destination ++ */ ++ENTRY(memset_erms) ++ movq %rdi,%r9 ++ movb %sil,%al ++ movq %rdx,%rcx ++ rep stosb ++ movq %r9,%rax ++ ret ++ENDPROC(memset_erms) ++ ++ENTRY(memset_orig) ++ movq %rdi,%r10 ++ ++ /* expand byte value */ ++ movzbl %sil,%ecx ++ movabs $0x0101010101010101,%rax ++ imulq %rcx,%rax ++ ++ /* align dst */ ++ movl %edi,%r9d ++ andl $7,%r9d ++ jnz .Lbad_alignment ++.Lafter_bad_alignment: ++ ++ movq %rdx,%rcx ++ shrq $6,%rcx ++ jz .Lhandle_tail ++ ++ .p2align 4 ++.Lloop_64: ++ decq %rcx ++ movq %rax,(%rdi) ++ movq %rax,8(%rdi) ++ movq %rax,16(%rdi) ++ movq %rax,24(%rdi) ++ movq %rax,32(%rdi) ++ movq %rax,40(%rdi) ++ movq %rax,48(%rdi) ++ movq %rax,56(%rdi) ++ leaq 64(%rdi),%rdi ++ jnz .Lloop_64 ++ ++ /* Handle tail in loops. The loops should be faster than hard ++ to predict jump tables. */ ++ .p2align 4 ++.Lhandle_tail: ++ movl %edx,%ecx ++ andl $63&(~7),%ecx ++ jz .Lhandle_7 ++ shrl $3,%ecx ++ .p2align 4 ++.Lloop_8: ++ decl %ecx ++ movq %rax,(%rdi) ++ leaq 8(%rdi),%rdi ++ jnz .Lloop_8 ++ ++.Lhandle_7: ++ andl $7,%edx ++ jz .Lende ++ .p2align 4 ++.Lloop_1: ++ decl %edx ++ movb %al,(%rdi) ++ leaq 1(%rdi),%rdi ++ jnz .Lloop_1 ++ ++.Lende: ++ movq %r10,%rax ++ ret ++ ++.Lbad_alignment: ++ cmpq $7,%rdx ++ jbe .Lhandle_7 ++ movq %rax,(%rdi) /* unaligned store */ ++ movq $8,%r8 ++ subq %r9,%r8 ++ addq %r8,%rdi ++ subq %r8,%rdx ++ jmp .Lafter_bad_alignment ++.Lfinal: ++ENDPROC(memset_orig) +diff --git a/tools/include/asm/alternative-asm.h b/tools/include/asm/alternative-asm.h +new file mode 100644 +index 000000000000..2a4d1bfa2988 +--- /dev/null ++++ b/tools/include/asm/alternative-asm.h +@@ -0,0 +1,9 @@ ++#ifndef _TOOLS_ASM_ALTERNATIVE_ASM_H ++#define _TOOLS_ASM_ALTERNATIVE_ASM_H ++ ++/* Just disable it so we can build arch/x86/lib/memcpy_64.S for perf bench: */ ++ ++#define altinstruction_entry # ++#define ALTERNATIVE_2 # ++ ++#endif +diff --git a/tools/perf/MANIFEST b/tools/perf/MANIFEST +index 39c38cb45b00..358b810057d6 100644 +--- a/tools/perf/MANIFEST ++++ b/tools/perf/MANIFEST +@@ -11,6 +11,11 @@ tools/arch/sparc/include/asm/barrier_32.h + tools/arch/sparc/include/asm/barrier_64.h + tools/arch/tile/include/asm/barrier.h + tools/arch/x86/include/asm/barrier.h ++tools/arch/x86/include/asm/cpufeatures.h ++tools/arch/x86/include/asm/disabled-features.h ++tools/arch/x86/include/asm/required-features.h ++tools/arch/x86/lib/memcpy_64.S ++tools/arch/x86/lib/memset_64.S + tools/arch/xtensa/include/asm/barrier.h + tools/scripts + tools/build +@@ -25,6 +30,7 @@ tools/lib/rbtree.c + tools/lib/symbol/kallsyms.c + tools/lib/symbol/kallsyms.h + tools/lib/util/find_next_bit.c ++tools/include/asm/alternative-asm.h + tools/include/asm/atomic.h + tools/include/asm/barrier.h + tools/include/asm/bug.h +@@ -65,8 +71,6 @@ include/linux/swab.h + arch/*/include/asm/unistd*.h + arch/*/include/uapi/asm/unistd*.h + arch/*/include/uapi/asm/perf_regs.h +-arch/*/lib/memcpy*.S +-arch/*/lib/memset*.S + include/linux/poison.h + include/linux/hw_breakpoint.h + include/uapi/linux/perf_event.h +diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf +index b67e006d56cc..7e0837579f40 100644 +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -310,6 +310,21 @@ export srctree OUTPUT RM CC LD AR CFLAGS V BISON FLEX AWK + include $(srctree)/tools/build/Makefile.include + + $(PERF_IN): prepare FORCE ++ @(test -f ../../arch/x86/include/asm/disabled-features.h && ( \ ++ (diff -B ../arch/x86/include/asm/disabled-features.h ../../arch/x86/include/asm/disabled-features.h >/dev/null) \ ++ || echo "Warning: tools/arch/x86/include/asm/disabled-features.h differs from kernel" >&2 )) || true ++ @(test -f ../../arch/x86/include/asm/required-features.h && ( \ ++ (diff -B ../arch/x86/include/asm/required-features.h ../../arch/x86/include/asm/required-features.h >/dev/null) \ ++ || echo "Warning: tools/arch/x86/include/asm/required-features.h differs from kernel" >&2 )) || true ++ @(test -f ../../arch/x86/include/asm/cpufeatures.h && ( \ ++ (diff -B ../arch/x86/include/asm/cpufeatures.h ../../arch/x86/include/asm/cpufeatures.h >/dev/null) \ ++ || echo "Warning: tools/arch/x86/include/asm/cpufeatures.h differs from kernel" >&2 )) || true ++ @(test -f ../../arch/x86/lib/memcpy_64.S && ( \ ++ (diff -B ../arch/x86/lib/memcpy_64.S ../../arch/x86/lib/memcpy_64.S >/dev/null) \ ++ || echo "Warning: tools/arch/x86/lib/memcpy_64.S differs from kernel" >&2 )) || true ++ @(test -f ../../arch/x86/lib/memset_64.S && ( \ ++ (diff -B ../arch/x86/lib/memset_64.S ../../arch/x86/lib/memset_64.S >/dev/null) \ ++ || echo "Warning: tools/arch/x86/lib/memset_64.S differs from kernel" >&2 )) || true + $(Q)$(MAKE) $(build)=perf + + $(OUTPUT)perf: $(PERFLIBS) $(PERF_IN) $(LIBTRACEEVENT_DYNAMIC_LIST) +diff --git a/tools/perf/bench/mem-memcpy-x86-64-asm.S b/tools/perf/bench/mem-memcpy-x86-64-asm.S +index e4c2c30143b9..9d82c44a6d71 100644 +--- a/tools/perf/bench/mem-memcpy-x86-64-asm.S ++++ b/tools/perf/bench/mem-memcpy-x86-64-asm.S +@@ -1,7 +1,7 @@ + #define memcpy MEMCPY /* don't hide glibc's memcpy() */ + #define altinstr_replacement text + #define globl p2align 4; .globl +-#include "../../../arch/x86/lib/memcpy_64.S" ++#include "../../arch/x86/lib/memcpy_64.S" + /* + * We need to provide note.GNU-stack section, saying that we want + * NOT executable stack. Otherwise the final linking will assume that +diff --git a/tools/perf/bench/mem-memset-x86-64-asm.S b/tools/perf/bench/mem-memset-x86-64-asm.S +index de278784c866..58407aa24c1b 100644 +--- a/tools/perf/bench/mem-memset-x86-64-asm.S ++++ b/tools/perf/bench/mem-memset-x86-64-asm.S +@@ -1,7 +1,7 @@ + #define memset MEMSET /* don't hide glibc's memset() */ + #define altinstr_replacement text + #define globl p2align 4; .globl +-#include "../../../arch/x86/lib/memset_64.S" ++#include "../../arch/x86/lib/memset_64.S" + + /* + * We need to provide note.GNU-stack section, saying that we want +diff --git a/tools/perf/util/auxtrace.c b/tools/perf/util/auxtrace.c +index 58426e7d320d..4b898b15643d 100644 +--- a/tools/perf/util/auxtrace.c ++++ b/tools/perf/util/auxtrace.c +@@ -1226,9 +1226,9 @@ static int __auxtrace_mmap__read(struct auxtrace_mmap *mm, + } + + /* padding must be written by fn() e.g. record__process_auxtrace() */ +- padding = size & 7; ++ padding = size & (PERF_AUXTRACE_RECORD_ALIGNMENT - 1); + if (padding) +- padding = 8 - padding; ++ padding = PERF_AUXTRACE_RECORD_ALIGNMENT - padding; + + memset(&ev, 0, sizeof(ev)); + ev.auxtrace.header.type = PERF_RECORD_AUXTRACE; +diff --git a/tools/perf/util/auxtrace.h b/tools/perf/util/auxtrace.h +index b86f90db1352..b6d6ccf630d9 100644 +--- a/tools/perf/util/auxtrace.h ++++ b/tools/perf/util/auxtrace.h +@@ -37,6 +37,9 @@ struct record_opts; + struct auxtrace_info_event; + struct events_stats; + ++/* Auxtrace records must have the same alignment as perf event records */ ++#define PERF_AUXTRACE_RECORD_ALIGNMENT 8 ++ + enum auxtrace_type { + PERF_AUXTRACE_UNKNOWN, + PERF_AUXTRACE_INTEL_PT, +diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c +index 10af1e7524fb..f1aae86f7f6c 100644 +--- a/tools/perf/util/cpumap.c ++++ b/tools/perf/util/cpumap.c +@@ -124,7 +124,12 @@ struct cpu_map *cpu_map__new(const char *cpu_list) + if (!cpu_list) + return cpu_map__read_all_cpu_map(); + +- if (!isdigit(*cpu_list)) ++ /* ++ * must handle the case of empty cpumap to cover ++ * TOPOLOGY header for NUMA nodes with no CPU ++ * ( e.g., because of CPU hotplug) ++ */ ++ if (!isdigit(*cpu_list) && *cpu_list != '\0') + goto out; + + while (isdigit(*cpu_list)) { +@@ -171,8 +176,10 @@ struct cpu_map *cpu_map__new(const char *cpu_list) + + if (nr_cpus > 0) + cpus = cpu_map__trim_new(nr_cpus, tmp_cpus); +- else ++ else if (*cpu_list != '\0') + cpus = cpu_map__default_new(); ++ else ++ cpus = cpu_map__dummy_new(); + invalid: + free(tmp_cpus); + out: +diff --git a/tools/perf/util/include/asm/alternative-asm.h b/tools/perf/util/include/asm/alternative-asm.h +deleted file mode 100644 +index 3a3a0f16456a..000000000000 +--- a/tools/perf/util/include/asm/alternative-asm.h ++++ /dev/null +@@ -1,9 +0,0 @@ +-#ifndef _PERF_ASM_ALTERNATIVE_ASM_H +-#define _PERF_ASM_ALTERNATIVE_ASM_H +- +-/* Just disable it so we can build arch/x86/lib/memcpy_64.S for perf bench: */ +- +-#define altinstruction_entry # +-#define ALTERNATIVE_2 # +- +-#endif +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +index dc17c881275d..d01e2ce818f7 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -26,6 +26,7 @@ + + #include "../cache.h" + #include "../util.h" ++#include "../auxtrace.h" + + #include "intel-pt-insn-decoder.h" + #include "intel-pt-pkt-decoder.h" +@@ -1281,7 +1282,6 @@ static int intel_pt_overflow(struct intel_pt_decoder *decoder) + { + intel_pt_log("ERROR: Buffer overflow\n"); + intel_pt_clear_tx_flags(decoder); +- decoder->cbr = 0; + decoder->timestamp_insn_cnt = 0; + decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC; + decoder->overflow = true; +@@ -2321,6 +2321,34 @@ static int intel_pt_tsc_cmp(uint64_t tsc1, uint64_t tsc2) + } + } + ++#define MAX_PADDING (PERF_AUXTRACE_RECORD_ALIGNMENT - 1) ++ ++/** ++ * adj_for_padding - adjust overlap to account for padding. ++ * @buf_b: second buffer ++ * @buf_a: first buffer ++ * @len_a: size of first buffer ++ * ++ * @buf_a might have up to 7 bytes of padding appended. Adjust the overlap ++ * accordingly. ++ * ++ * Return: A pointer into @buf_b from where non-overlapped data starts ++ */ ++static unsigned char *adj_for_padding(unsigned char *buf_b, ++ unsigned char *buf_a, size_t len_a) ++{ ++ unsigned char *p = buf_b - MAX_PADDING; ++ unsigned char *q = buf_a + len_a - MAX_PADDING; ++ int i; ++ ++ for (i = MAX_PADDING; i; i--, p++, q++) { ++ if (*p != *q) ++ break; ++ } ++ ++ return p; ++} ++ + /** + * intel_pt_find_overlap_tsc - determine start of non-overlapped trace data + * using TSC. +@@ -2371,8 +2399,11 @@ static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a, + + /* Same TSC, so buffers are consecutive */ + if (!cmp && rem_b >= rem_a) { ++ unsigned char *start; ++ + *consecutive = true; +- return buf_b + len_b - (rem_b - rem_a); ++ start = buf_b + len_b - (rem_b - rem_a); ++ return adj_for_padding(start, buf_a, len_a); + } + if (cmp < 0) + return buf_b; /* tsc_a < tsc_b => no overlap */ +@@ -2435,7 +2466,7 @@ unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a, + found = memmem(buf_a, len_a, buf_b, len_a); + if (found) { + *consecutive = true; +- return buf_b + len_a; ++ return adj_for_padding(buf_b + len_a, buf_a, len_a); + } + + /* Try again at next PSB in buffer 'a' */ +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index 7c97ecaeae48..2070c02de3af 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -74,6 +74,11 @@ static inline uint8_t elf_sym__type(const GElf_Sym *sym) + return GELF_ST_TYPE(sym->st_info); + } + ++static inline uint8_t elf_sym__visibility(const GElf_Sym *sym) ++{ ++ return GELF_ST_VISIBILITY(sym->st_other); ++} ++ + #ifndef STT_GNU_IFUNC + #define STT_GNU_IFUNC 10 + #endif +@@ -98,7 +103,9 @@ static inline int elf_sym__is_label(const GElf_Sym *sym) + return elf_sym__type(sym) == STT_NOTYPE && + sym->st_name != 0 && + sym->st_shndx != SHN_UNDEF && +- sym->st_shndx != SHN_ABS; ++ sym->st_shndx != SHN_ABS && ++ elf_sym__visibility(sym) != STV_HIDDEN && ++ elf_sym__visibility(sym) != STV_INTERNAL; + } + + static bool elf_sym__is_a(GElf_Sym *sym, enum map_type type) +diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c +index 5d10f104f3eb..964df643509d 100644 +--- a/virt/kvm/arm/vgic.c ++++ b/virt/kvm/arm/vgic.c +@@ -821,7 +821,6 @@ static int vgic_handle_mmio_access(struct kvm_vcpu *vcpu, + struct vgic_dist *dist = &vcpu->kvm->arch.vgic; + struct vgic_io_device *iodev = container_of(this, + struct vgic_io_device, dev); +- struct kvm_run *run = vcpu->run; + const struct vgic_io_range *range; + struct kvm_exit_mmio mmio; + bool updated_state; +@@ -850,12 +849,6 @@ static int vgic_handle_mmio_access(struct kvm_vcpu *vcpu, + updated_state = false; + } + spin_unlock(&dist->lock); +- run->mmio.is_write = is_write; +- run->mmio.len = len; +- run->mmio.phys_addr = addr; +- memcpy(run->mmio.data, val, len); +- +- kvm_handle_mmio_return(vcpu, run); + + if (updated_state) + vgic_kick_vcpus(vcpu->kvm); diff --git a/patch/kernel/rockchip-default/04-patch-4.4.177-178.patch b/patch/kernel/rockchip-default/04-patch-4.4.177-178.patch new file mode 100644 index 0000000000..9b85380a07 --- /dev/null +++ b/patch/kernel/rockchip-default/04-patch-4.4.177-178.patch @@ -0,0 +1,1860 @@ +diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt +index df8ab4fc240a..496673adcb6b 100644 +--- a/Documentation/virtual/kvm/api.txt ++++ b/Documentation/virtual/kvm/api.txt +@@ -13,7 +13,7 @@ of a virtual machine. The ioctls belong to three classes + + - VM ioctls: These query and set attributes that affect an entire virtual + machine, for example memory layout. In addition a VM ioctl is used to +- create virtual cpus (vcpus). ++ create virtual cpus (vcpus) and devices. + + Only run VM ioctls from the same process (address space) that was used + to create the VM. +@@ -24,6 +24,11 @@ of a virtual machine. The ioctls belong to three classes + Only run vcpu ioctls from the same thread that was used to create the + vcpu. + ++ - device ioctls: These query and set attributes that control the operation ++ of a single device. ++ ++ device ioctls must be issued from the same process (address space) that ++ was used to create the VM. + + 2. File descriptors + ------------------- +@@ -32,10 +37,11 @@ The kvm API is centered around file descriptors. An initial + open("/dev/kvm") obtains a handle to the kvm subsystem; this handle + can be used to issue system ioctls. A KVM_CREATE_VM ioctl on this + handle will create a VM file descriptor which can be used to issue VM +-ioctls. A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu +-and return a file descriptor pointing to it. Finally, ioctls on a vcpu +-fd can be used to control the vcpu, including the important task of +-actually running guest code. ++ioctls. A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will ++create a virtual cpu or device and return a file descriptor pointing to ++the new resource. Finally, ioctls on a vcpu or device fd can be used ++to control the vcpu or device. For vcpus, this includes the important ++task of actually running guest code. + + In general file descriptors can be migrated among processes by means + of fork() and the SCM_RIGHTS facility of unix domain socket. These +diff --git a/Makefile b/Makefile +index 1de443248119..35be7983ef2d 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 177 ++SUBLEVEL = 178 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 5b47218809e0..f18b8c26a959 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -89,7 +89,6 @@ config ARM64 + select PERF_USE_VMALLOC + select POWER_RESET + select POWER_SUPPLY +- select RTC_LIB + select SPARSE_IRQ + select SYSCTL_EXCEPTION_TRACE + select HAVE_CONTEXT_TRACKING +@@ -819,6 +818,10 @@ config SYSVIPC_COMPAT + def_bool y + depends on COMPAT && SYSVIPC + ++config KEYS_COMPAT ++ def_bool y ++ depends on COMPAT && KEYS ++ + endmenu + + menu "Power management options" +diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c +index 5d270ca76aec..6b4579e07aa2 100644 +--- a/arch/arm64/kernel/traps.c ++++ b/arch/arm64/kernel/traps.c +@@ -239,10 +239,12 @@ void die(const char *str, struct pt_regs *regs, int err) + { + struct thread_info *thread = current_thread_info(); + int ret; ++ unsigned long flags; ++ ++ raw_spin_lock_irqsave(&die_lock, flags); + + oops_enter(); + +- raw_spin_lock_irq(&die_lock); + console_verbose(); + bust_spinlocks(1); + ret = __die(str, err, thread, regs); +@@ -252,13 +254,15 @@ void die(const char *str, struct pt_regs *regs, int err) + + bust_spinlocks(0); + add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE); +- raw_spin_unlock_irq(&die_lock); + oops_exit(); + + if (in_interrupt()) + panic("Fatal exception in interrupt"); + if (panic_on_oops) + panic("Fatal exception"); ++ ++ raw_spin_unlock_irqrestore(&die_lock, flags); ++ + if (ret != NOTIFY_STOP) + do_exit(SIGSEGV); + } +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index be7f8416809f..04c4b88706d8 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -595,20 +595,33 @@ asmlinkage int __exception do_debug_exception(unsigned long addr, + { + const struct fault_info *inf = debug_fault_info + DBG_ESR_EVT(esr); + struct siginfo info; ++ int rv; + +- if (!inf->fn(addr, esr, regs)) +- return 1; ++ /* ++ * Tell lockdep we disabled irqs in entry.S. Do nothing if they were ++ * already disabled to preserve the last enabled/disabled addresses. ++ */ ++ if (interrupts_enabled(regs)) ++ trace_hardirqs_off(); + +- pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n", +- inf->name, esr, addr); ++ if (!inf->fn(addr, esr, regs)) { ++ rv = 1; ++ } else { ++ pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n", ++ inf->name, esr, addr); ++ ++ info.si_signo = inf->sig; ++ info.si_errno = 0; ++ info.si_code = inf->code; ++ info.si_addr = (void __user *)addr; ++ arm64_notify_die("", regs, &info, 0); ++ rv = 0; ++ } + +- info.si_signo = inf->sig; +- info.si_errno = 0; +- info.si_code = inf->code; +- info.si_addr = (void __user *)addr; +- arm64_notify_die("", regs, &info, 0); ++ if (interrupts_enabled(regs)) ++ trace_hardirqs_on(); + +- return 0; ++ return rv; + } + + #ifdef CONFIG_ARM64_PAN +diff --git a/arch/mips/include/asm/jump_label.h b/arch/mips/include/asm/jump_label.h +index e77672539e8e..e4456e450f94 100644 +--- a/arch/mips/include/asm/jump_label.h ++++ b/arch/mips/include/asm/jump_label.h +@@ -21,15 +21,15 @@ + #endif + + #ifdef CONFIG_CPU_MICROMIPS +-#define NOP_INSN "nop32" ++#define B_INSN "b32" + #else +-#define NOP_INSN "nop" ++#define B_INSN "b" + #endif + + static __always_inline bool arch_static_branch(struct static_key *key, bool branch) + { +- asm_volatile_goto("1:\t" NOP_INSN "\n\t" +- "nop\n\t" ++ asm_volatile_goto("1:\t" B_INSN " 2f\n\t" ++ "2:\tnop\n\t" + ".pushsection __jump_table, \"aw\"\n\t" + WORD_INSN " 1b, %l[l_yes], %0\n\t" + ".popsection\n\t" +diff --git a/arch/mips/loongson64/lemote-2f/irq.c b/arch/mips/loongson64/lemote-2f/irq.c +index cab5f43e0e29..d371f0294cbb 100644 +--- a/arch/mips/loongson64/lemote-2f/irq.c ++++ b/arch/mips/loongson64/lemote-2f/irq.c +@@ -102,7 +102,7 @@ static struct irqaction ip6_irqaction = { + static struct irqaction cascade_irqaction = { + .handler = no_action, + .name = "cascade", +- .flags = IRQF_NO_THREAD, ++ .flags = IRQF_NO_THREAD | IRQF_NO_SUSPEND, + }; + + void __init mach_init_irq(void) +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 9beee7f364ad..4598d087dec2 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1970,14 +1970,8 @@ config PHYSICAL_ALIGN + Don't change this unless you know what you are doing. + + config HOTPLUG_CPU +- bool "Support for hot-pluggable CPUs" ++ def_bool y + depends on SMP +- ---help--- +- Say Y here to allow turning CPUs off and on. CPUs can be +- controlled through /sys/devices/system/cpu. +- ( Note: power management support will enable this option +- automatically on SMP systems. ) +- Say N if you want to disable CPU hotplug. + + config BOOTPARAM_HOTPLUG_CPU0 + bool "Set default setting of cpu0_hotpluggable" +diff --git a/drivers/extcon/extcon-usb-gpio.c b/drivers/extcon/extcon-usb-gpio.c +index 2b2fecffb1ad..c6a7c9ddf0ac 100644 +--- a/drivers/extcon/extcon-usb-gpio.c ++++ b/drivers/extcon/extcon-usb-gpio.c +@@ -192,6 +192,9 @@ static int usb_extcon_resume(struct device *dev) + } + + enable_irq(info->id_irq); ++ if (!device_may_wakeup(dev)) ++ queue_delayed_work(system_power_efficient_wq, ++ &info->wq_detcable, 0); + + return ret; + } +diff --git a/drivers/gpio/gpio-adnp.c b/drivers/gpio/gpio-adnp.c +index d3d0a90fe542..995b2be45982 100644 +--- a/drivers/gpio/gpio-adnp.c ++++ b/drivers/gpio/gpio-adnp.c +@@ -137,8 +137,10 @@ static int adnp_gpio_direction_input(struct gpio_chip *chip, unsigned offset) + if (err < 0) + goto out; + +- if (err & BIT(pos)) +- err = -EACCES; ++ if (value & BIT(pos)) { ++ err = -EPERM; ++ goto out; ++ } + + err = 0; + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c +index aec6e9eef489..55884cb5a0fc 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c +@@ -531,11 +531,9 @@ static int vmw_fb_set_par(struct fb_info *info) + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC) + }; +- struct drm_display_mode *old_mode; + struct drm_display_mode *mode; + int ret; + +- old_mode = par->set_mode; + mode = drm_mode_duplicate(vmw_priv->dev, &new_mode); + if (!mode) { + DRM_ERROR("Could not create new fb mode.\n"); +@@ -546,11 +544,7 @@ static int vmw_fb_set_par(struct fb_info *info) + mode->vdisplay = var->yres; + vmw_guess_mode_timing(mode); + +- if (old_mode && drm_mode_equal(old_mode, mode)) { +- drm_mode_destroy(vmw_priv->dev, mode); +- mode = old_mode; +- old_mode = NULL; +- } else if (!vmw_kms_validate_mode_vram(vmw_priv, ++ if (!vmw_kms_validate_mode_vram(vmw_priv, + mode->hdisplay * + DIV_ROUND_UP(var->bits_per_pixel, 8), + mode->vdisplay)) { +@@ -613,8 +607,8 @@ static int vmw_fb_set_par(struct fb_info *info) + schedule_delayed_work(&par->local_work, 0); + + out_unlock: +- if (old_mode) +- drm_mode_destroy(vmw_priv->dev, old_mode); ++ if (par->set_mode) ++ drm_mode_destroy(vmw_priv->dev, par->set_mode); + par->set_mode = mode; + + drm_modeset_unlock_all(vmw_priv->dev); +diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c +index 28543d795188..9a27809bdaf2 100644 +--- a/drivers/isdn/hardware/mISDN/hfcmulti.c ++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c +@@ -4370,7 +4370,8 @@ setup_pci(struct hfc_multi *hc, struct pci_dev *pdev, + if (m->clock2) + test_and_set_bit(HFC_CHIP_CLOCK2, &hc->chip); + +- if (ent->device == 0xB410) { ++ if (ent->vendor == PCI_VENDOR_ID_DIGIUM && ++ ent->device == PCI_DEVICE_ID_DIGIUM_HFC4S) { + test_and_set_bit(HFC_CHIP_B410P, &hc->chip); + test_and_set_bit(HFC_CHIP_PCM_MASTER, &hc->chip); + test_and_clear_bit(HFC_CHIP_PCM_SLAVE, &hc->chip); +diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c +index 618e4e2b4207..fea09a33c6c8 100644 +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -1202,7 +1202,7 @@ static void uvc_ctrl_fill_event(struct uvc_video_chain *chain, + + __uvc_query_v4l2_ctrl(chain, ctrl, mapping, &v4l2_ctrl); + +- memset(ev->reserved, 0, sizeof(ev->reserved)); ++ memset(ev, 0, sizeof(*ev)); + ev->type = V4L2_EVENT_CTRL; + ev->id = v4l2_ctrl.id; + ev->u.ctrl.value = value; +diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c b/drivers/media/v4l2-core/v4l2-ctrls.c +index 523758e71fe6..70097cc3a35d 100644 +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -1212,7 +1212,7 @@ static u32 user_flags(const struct v4l2_ctrl *ctrl) + + static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 changes) + { +- memset(ev->reserved, 0, sizeof(ev->reserved)); ++ memset(ev, 0, sizeof(*ev)); + ev->type = V4L2_EVENT_CTRL; + ev->id = ctrl->id; + ev->u.ctrl.changes = changes; +diff --git a/drivers/mmc/core/debugfs.c b/drivers/mmc/core/debugfs.c +index 154aced0b91b..705586dcd9fa 100644 +--- a/drivers/mmc/core/debugfs.c ++++ b/drivers/mmc/core/debugfs.c +@@ -220,7 +220,7 @@ static int mmc_clock_opt_set(void *data, u64 val) + struct mmc_host *host = data; + + /* We need this check due to input value is u64 */ +- if (val > host->f_max) ++ if (val != 0 && (val > host->f_max || val < host->f_min)) + return -EINVAL; + + mmc_claim_host(host); +diff --git a/drivers/mmc/host/pxamci.c b/drivers/mmc/host/pxamci.c +index 72bbb12fb938..1d57c12b191c 100644 +--- a/drivers/mmc/host/pxamci.c ++++ b/drivers/mmc/host/pxamci.c +@@ -181,7 +181,7 @@ static void pxamci_dma_irq(void *param); + static void pxamci_setup_data(struct pxamci_host *host, struct mmc_data *data) + { + struct dma_async_tx_descriptor *tx; +- enum dma_data_direction direction; ++ enum dma_transfer_direction direction; + struct dma_slave_config config; + struct dma_chan *chan; + unsigned int nob = data->blocks; +diff --git a/drivers/mmc/host/tmio_mmc_pio.c b/drivers/mmc/host/tmio_mmc_pio.c +index a10fde40b6c3..3c7c3a1c8f4f 100644 +--- a/drivers/mmc/host/tmio_mmc_pio.c ++++ b/drivers/mmc/host/tmio_mmc_pio.c +@@ -716,7 +716,7 @@ irqreturn_t tmio_mmc_sdio_irq(int irq, void *devid) + unsigned int sdio_status; + + if (!(pdata->flags & TMIO_MMC_SDIO_IRQ)) +- return IRQ_HANDLED; ++ return IRQ_NONE; + + status = sd_ctrl_read16(host, CTL_SDIO_STATUS); + ireg = status & TMIO_SDIO_MASK_ALL & ~host->sdcard_irq_mask; +@@ -730,7 +730,7 @@ irqreturn_t tmio_mmc_sdio_irq(int irq, void *devid) + if (mmc->caps & MMC_CAP_SDIO_IRQ && ireg & TMIO_SDIO_STAT_IOIRQ) + mmc_signal_sdio_irq(mmc); + +- return IRQ_HANDLED; ++ return IRQ_RETVAL(ireg); + } + EXPORT_SYMBOL(tmio_mmc_sdio_irq); + +@@ -747,9 +747,7 @@ irqreturn_t tmio_mmc_irq(int irq, void *devid) + if (__tmio_mmc_sdcard_irq(host, ireg, status)) + return IRQ_HANDLED; + +- tmio_mmc_sdio_irq(irq, devid); +- +- return IRQ_HANDLED; ++ return tmio_mmc_sdio_irq(irq, devid); + } + EXPORT_SYMBOL(tmio_mmc_irq); + +diff --git a/drivers/net/ethernet/8390/mac8390.c b/drivers/net/ethernet/8390/mac8390.c +index b9283901136e..0fdc9ad32a2e 100644 +--- a/drivers/net/ethernet/8390/mac8390.c ++++ b/drivers/net/ethernet/8390/mac8390.c +@@ -156,8 +156,6 @@ static void dayna_block_output(struct net_device *dev, int count, + #define memcpy_fromio(a, b, c) memcpy((a), (void *)(b), (c)) + #define memcpy_toio(a, b, c) memcpy((void *)(a), (b), (c)) + +-#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c)) +- + /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */ + static void slow_sane_get_8390_hdr(struct net_device *dev, + struct e8390_pkt_hdr *hdr, int ring_page); +@@ -237,19 +235,26 @@ static enum mac8390_type __init mac8390_ident(struct nubus_dev *dev) + + static enum mac8390_access __init mac8390_testio(volatile unsigned long membase) + { +- unsigned long outdata = 0xA5A0B5B0; +- unsigned long indata = 0x00000000; ++ u32 outdata = 0xA5A0B5B0; ++ u32 indata = 0; ++ + /* Try writing 32 bits */ +- memcpy_toio(membase, &outdata, 4); +- /* Now compare them */ +- if (memcmp_withio(&outdata, membase, 4) == 0) ++ nubus_writel(outdata, membase); ++ /* Now read it back */ ++ indata = nubus_readl(membase); ++ if (outdata == indata) + return ACCESS_32; ++ ++ outdata = 0xC5C0D5D0; ++ indata = 0; ++ + /* Write 16 bit output */ + word_memcpy_tocard(membase, &outdata, 4); + /* Now read it back */ + word_memcpy_fromcard(&indata, membase, 4); + if (outdata == indata) + return ACCESS_16; ++ + return ACCESS_UNKNOWN; + } + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 7bba30f24135..059113dce6e0 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2529,6 +2529,20 @@ static int stmmac_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) + return ret; + } + ++static int stmmac_set_mac_address(struct net_device *ndev, void *addr) ++{ ++ struct stmmac_priv *priv = netdev_priv(ndev); ++ int ret = 0; ++ ++ ret = eth_mac_addr(ndev, addr); ++ if (ret) ++ return ret; ++ ++ priv->hw->mac->set_umac_addr(priv->hw, ndev->dev_addr, 0); ++ ++ return ret; ++} ++ + #ifdef CONFIG_DEBUG_FS + static struct dentry *stmmac_fs_dir; + +@@ -2730,7 +2744,7 @@ static const struct net_device_ops stmmac_netdev_ops = { + #ifdef CONFIG_NET_POLL_CONTROLLER + .ndo_poll_controller = stmmac_poll_controller, + #endif +- .ndo_set_mac_address = eth_mac_addr, ++ .ndo_set_mac_address = stmmac_set_mac_address, + }; + + /** +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 5dadfc508ade..835129152fc4 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -3276,10 +3276,8 @@ static void __net_exit vxlan_exit_net(struct net *net) + /* If vxlan->dev is in the same netns, it has already been added + * to the list by the previous loop. + */ +- if (!net_eq(dev_net(vxlan->dev), net)) { +- gro_cells_destroy(&vxlan->gro_cells); ++ if (!net_eq(dev_net(vxlan->dev), net)) + unregister_netdevice_queue(vxlan->dev, &list); +- } + } + + unregister_netdevice_many(&list); +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c +index f201e50447d8..b867875aa6e6 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -4065,7 +4065,7 @@ static void ath10k_tpc_config_disp_tables(struct ath10k *ar, + rate_code[i], + type); + snprintf(buff, sizeof(buff), "%8d ", tpc[j]); +- strncat(tpc_value, buff, strlen(buff)); ++ strlcat(tpc_value, buff, sizeof(tpc_value)); + } + tpc_stats->tpc_table[type].pream_idx[i] = pream_idx; + tpc_stats->tpc_table[type].rate_code[i] = rate_code[i]; +diff --git a/drivers/rtc/rtc-lib.c b/drivers/rtc/rtc-lib.c +index e6bfb9c42a10..5b136bdc03d4 100644 +--- a/drivers/rtc/rtc-lib.c ++++ b/drivers/rtc/rtc-lib.c +@@ -52,13 +52,11 @@ EXPORT_SYMBOL(rtc_year_days); + */ + void rtc_time64_to_tm(time64_t time, struct rtc_time *tm) + { +- unsigned int month, year; +- unsigned long secs; ++ unsigned int month, year, secs; + int days; + + /* time must be positive */ +- days = div_s64(time, 86400); +- secs = time - (unsigned int) days * 86400; ++ days = div_s64_rem(time, 86400, &secs); + + /* day of the week, 1970-01-01 was a Thursday */ + tm->tm_wday = (days + 4) % 7; +diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c +index 2abcd331b05d..abe460eac712 100644 +--- a/drivers/s390/scsi/zfcp_erp.c ++++ b/drivers/s390/scsi/zfcp_erp.c +@@ -652,6 +652,20 @@ static void zfcp_erp_strategy_memwait(struct zfcp_erp_action *erp_action) + add_timer(&erp_action->timer); + } + ++void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter, ++ int clear, char *dbftag) ++{ ++ unsigned long flags; ++ struct zfcp_port *port; ++ ++ write_lock_irqsave(&adapter->erp_lock, flags); ++ read_lock(&adapter->port_list_lock); ++ list_for_each_entry(port, &adapter->port_list, list) ++ _zfcp_erp_port_forced_reopen(port, clear, dbftag); ++ read_unlock(&adapter->port_list_lock); ++ write_unlock_irqrestore(&adapter->erp_lock, flags); ++} ++ + static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter, + int clear, char *id) + { +@@ -1306,6 +1320,9 @@ static void zfcp_erp_try_rport_unblock(struct zfcp_port *port) + struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev); + int lun_status; + ++ if (sdev->sdev_state == SDEV_DEL || ++ sdev->sdev_state == SDEV_CANCEL) ++ continue; + if (zsdev->port != port) + continue; + /* LUN under port of interest */ +diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h +index b326f05c7f89..a39a74500e23 100644 +--- a/drivers/s390/scsi/zfcp_ext.h ++++ b/drivers/s390/scsi/zfcp_ext.h +@@ -68,6 +68,8 @@ extern void zfcp_erp_clear_port_status(struct zfcp_port *, u32); + extern int zfcp_erp_port_reopen(struct zfcp_port *, int, char *); + extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *); + extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *); ++extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter, ++ int clear, char *dbftag); + extern void zfcp_erp_set_lun_status(struct scsi_device *, u32); + extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32); + extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *); +diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c +index 3afb200b2829..bdb257eaa2e5 100644 +--- a/drivers/s390/scsi/zfcp_scsi.c ++++ b/drivers/s390/scsi/zfcp_scsi.c +@@ -326,6 +326,10 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt) + struct zfcp_adapter *adapter = zfcp_sdev->port->adapter; + int ret = SUCCESS, fc_ret; + ++ if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) { ++ zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p"); ++ zfcp_erp_wait(adapter); ++ } + zfcp_erp_adapter_reopen(adapter, 0, "schrh_1"); + zfcp_erp_wait(adapter); + fc_ret = fc_block_scsi_eh(scpnt); +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index ec80a0077ace..62adaca8fb97 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1276,11 +1276,6 @@ static void sd_release(struct gendisk *disk, fmode_t mode) + scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW); + } + +- /* +- * XXX and what if there are packets in flight and this close() +- * XXX is followed by a "rmmod sd_mod"? +- */ +- + scsi_disk_put(sdkp); + } + +@@ -3227,11 +3222,23 @@ static void scsi_disk_release(struct device *dev) + { + struct scsi_disk *sdkp = to_scsi_disk(dev); + struct gendisk *disk = sdkp->disk; +- ++ struct request_queue *q = disk->queue; ++ + spin_lock(&sd_index_lock); + ida_remove(&sd_index_ida, sdkp->index); + spin_unlock(&sd_index_lock); + ++ /* ++ * Wait until all requests that are in progress have completed. ++ * This is necessary to avoid that e.g. scsi_end_request() crashes ++ * due to clearing the disk->private_data pointer. Wait from inside ++ * scsi_disk_release() instead of from sd_release() to avoid that ++ * freezing and unfreezing the request queue affects user space I/O ++ * in case multiple processes open a /dev/sd... node concurrently. ++ */ ++ blk_mq_freeze_queue(q); ++ blk_mq_unfreeze_queue(q); ++ + disk->private_data = NULL; + put_disk(disk); + put_device(&sdkp->device->sdev_gendev); +diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c +index 8fd8f3a2d1bf..58b6403458b7 100644 +--- a/drivers/staging/vt6655/device_main.c ++++ b/drivers/staging/vt6655/device_main.c +@@ -972,8 +972,6 @@ static void vnt_interrupt_process(struct vnt_private *priv) + return; + } + +- MACvIntDisable(priv->PortOffset); +- + spin_lock_irqsave(&priv->lock, flags); + + /* Read low level stats */ +@@ -1062,8 +1060,6 @@ static void vnt_interrupt_process(struct vnt_private *priv) + } + + spin_unlock_irqrestore(&priv->lock, flags); +- +- MACvIntEnable(priv->PortOffset, IMR_MASK_VALUE); + } + + static void vnt_interrupt_work(struct work_struct *work) +@@ -1073,14 +1069,17 @@ static void vnt_interrupt_work(struct work_struct *work) + + if (priv->vif) + vnt_interrupt_process(priv); ++ ++ MACvIntEnable(priv->PortOffset, IMR_MASK_VALUE); + } + + static irqreturn_t vnt_interrupt(int irq, void *arg) + { + struct vnt_private *priv = arg; + +- if (priv->vif) +- schedule_work(&priv->interrupt_work); ++ schedule_work(&priv->interrupt_work); ++ ++ MACvIntDisable(priv->PortOffset); + + return IRQ_HANDLED; + } +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index e0277cf0bf58..f5c4e92b5172 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1167,6 +1167,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port) + sg_dma_len(&atmel_port->sg_rx)/2, + DMA_DEV_TO_MEM, + DMA_PREP_INTERRUPT); ++ if (!desc) { ++ dev_err(port->dev, "Preparing DMA cyclic failed\n"); ++ goto chan_err; ++ } + desc->callback = atmel_complete_rx_dma; + desc->callback_param = port; + atmel_port->desc_rx = desc; +diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c +index f2b0d8cee8ef..0314e78e31ff 100644 +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -148,8 +148,10 @@ static int configure_kgdboc(void) + char *cptr = config; + struct console *cons; + +- if (!strlen(config) || isspace(config[0])) ++ if (!strlen(config) || isspace(config[0])) { ++ err = 0; + goto noconfig; ++ } + + kgdboc_io_ops.is_console = 0; + kgdb_tty_driver = NULL; +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c +index d45133056f51..be55fb6def89 100644 +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -1306,6 +1306,8 @@ static int max310x_spi_probe(struct spi_device *spi) + if (spi->dev.of_node) { + const struct of_device_id *of_id = + of_match_device(max310x_dt_ids, &spi->dev); ++ if (!of_id) ++ return -ENODEV; + + devtype = (struct max310x_devtype *)of_id->data; + } else { +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index b63920481b1d..669134e27ed9 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -746,19 +746,9 @@ static void sci_transmit_chars(struct uart_port *port) + + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) + uart_write_wakeup(port); +- if (uart_circ_empty(xmit)) { ++ if (uart_circ_empty(xmit)) + sci_stop_tx(port); +- } else { +- ctrl = serial_port_in(port, SCSCR); +- +- if (port->type != PORT_SCI) { +- serial_port_in(port, SCxSR); /* Dummy read */ +- sci_clear_SCxSR(port, SCxSR_TDxE_CLEAR(port)); +- } + +- ctrl |= SCSCR_TIE; +- serial_port_out(port, SCSCR, ctrl); +- } + } + + /* On SH3, SCIF may read end-of-break as a space->mark char */ +diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c +index 1e302caaa450..c894eca57e73 100644 +--- a/drivers/tty/serial/sprd_serial.c ++++ b/drivers/tty/serial/sprd_serial.c +@@ -36,7 +36,7 @@ + #define SPRD_FIFO_SIZE 128 + #define SPRD_DEF_RATE 26000000 + #define SPRD_BAUD_IO_LIMIT 3000000 +-#define SPRD_TIMEOUT 256 ++#define SPRD_TIMEOUT 256000 + + /* the offset of serial registers and BITs for them */ + /* data registers */ +@@ -63,6 +63,7 @@ + + /* interrupt clear register */ + #define SPRD_ICLR 0x0014 ++#define SPRD_ICLR_TIMEOUT BIT(13) + + /* line control register */ + #define SPRD_LCR 0x0018 +@@ -298,7 +299,8 @@ static irqreturn_t sprd_handle_irq(int irq, void *dev_id) + return IRQ_NONE; + } + +- serial_out(port, SPRD_ICLR, ~0); ++ if (ims & SPRD_IMSR_TIMEOUT) ++ serial_out(port, SPRD_ICLR, SPRD_ICLR_TIMEOUT); + + if (ims & (SPRD_IMSR_RX_FIFO_FULL | + SPRD_IMSR_BREAK_DETECT | SPRD_IMSR_TIMEOUT)) +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 58f5fbdb6959..8bf54477f472 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1819,6 +1819,8 @@ unknown: + break; + + case USB_RECIP_ENDPOINT: ++ if (!cdev->config) ++ break; + endp = ((w_index & 0x80) >> 3) | (w_index & 0x0f); + list_for_each_entry(f, &cdev->config->functions, list) { + if (test_bit(endp, f->endpoints)) +diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c +index 70d3917cc003..2582db38d6a6 100644 +--- a/drivers/usb/gadget/function/rndis.c ++++ b/drivers/usb/gadget/function/rndis.c +@@ -680,6 +680,12 @@ static int rndis_reset_response(struct rndis_params *params, + { + rndis_reset_cmplt_type *resp; + rndis_resp_t *r; ++ u8 *xbuf; ++ u32 length; ++ ++ /* drain the response queue */ ++ while ((xbuf = rndis_get_next_response(params, &length))) ++ rndis_free_response(params, xbuf); + + r = rndis_add_response(params, sizeof(rndis_reset_cmplt_type)); + if (!r) +diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c +index 4ea44f7122ee..d73618475664 100644 +--- a/drivers/usb/gadget/function/u_serial.c ++++ b/drivers/usb/gadget/function/u_serial.c +@@ -361,10 +361,15 @@ __acquires(&port->port_lock) + */ + { + struct list_head *pool = &port->write_pool; +- struct usb_ep *in = port->port_usb->in; ++ struct usb_ep *in; + int status = 0; + bool do_tty_wake = false; + ++ if (!port->port_usb) ++ return status; ++ ++ in = port->port_usb->in; ++ + while (!port->write_busy && !list_empty(pool)) { + struct usb_request *req; + int len; +diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c +index 8647d2c2a8c4..c5553028e616 100644 +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -641,14 +641,11 @@ static int usbhsg_ep_disable(struct usb_ep *ep) + struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep); + struct usbhs_pipe *pipe; + unsigned long flags; +- int ret = 0; + + spin_lock_irqsave(&uep->lock, flags); + pipe = usbhsg_uep_to_pipe(uep); +- if (!pipe) { +- ret = -EINVAL; ++ if (!pipe) + goto out; +- } + + usbhsg_pipe_disable(uep); + usbhs_pipe_free(pipe); +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index b317594a6342..e3ea0fdd3913 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -76,6 +76,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x10C4, 0x804E) }, /* Software Bisque Paramount ME build-in converter */ + { USB_DEVICE(0x10C4, 0x8053) }, /* Enfora EDG1228 */ + { USB_DEVICE(0x10C4, 0x8054) }, /* Enfora GSM2228 */ ++ { USB_DEVICE(0x10C4, 0x8056) }, /* Lorenz Messtechnik devices */ + { USB_DEVICE(0x10C4, 0x8066) }, /* Argussoft In-System Programmer */ + { USB_DEVICE(0x10C4, 0x806F) }, /* IMS USB to RS422 Converter Cable */ + { USB_DEVICE(0x10C4, 0x807A) }, /* Crumb128 board */ +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 4287e2b1c175..af258bb632dd 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -604,6 +604,8 @@ static const struct usb_device_id id_table_combined[] = { + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index ddf5ab983dc9..15d220eaf6e6 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -566,7 +566,9 @@ + /* + * NovaTech product ids (FTDI_VID) + */ +-#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ ++#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ ++#define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */ ++#define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */ + + /* + * Synapse Wireless product ids (FTDI_VID) +diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c +index 4581fa1dec98..286b43c79d38 100644 +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -368,8 +368,6 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport, + if (!urbtrack) + return -ENOMEM; + +- kref_get(&mos_parport->ref_count); +- urbtrack->mos_parport = mos_parport; + urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC); + if (!urbtrack->urb) { + kfree(urbtrack); +@@ -390,6 +388,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport, + usb_sndctrlpipe(usbdev, 0), + (unsigned char *)urbtrack->setup, + NULL, 0, async_complete, urbtrack); ++ kref_get(&mos_parport->ref_count); ++ urbtrack->mos_parport = mos_parport; + kref_init(&urbtrack->ref_count); + INIT_LIST_HEAD(&urbtrack->urblist_entry); + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index b2b7c12e5c86..9f96dd274370 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1066,7 +1066,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = RSVD(3) }, + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ +- { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000), /* SIMCom SIM5218 */ ++ .driver_info = NCTRL(0) | NCTRL(1) | NCTRL(2) | NCTRL(3) | RSVD(4) }, + /* Quectel products using Qualcomm vendor ID */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)}, + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20), +@@ -1941,10 +1942,12 @@ static const struct usb_device_id option_ids[] = { + .driver_info = RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e35, 0xff), /* D-Link DWM-222 */ + .driver_info = RSVD(4) }, +- { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ +- { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ +- { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */ +- { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */ ++ { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2031, 0xff), /* Olicard 600 */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */ + { USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) }, + { USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) }, + { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) }, +diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c +index b9fa99577bf7..2d2a76906786 100644 +--- a/fs/btrfs/raid56.c ++++ b/fs/btrfs/raid56.c +@@ -2420,8 +2420,9 @@ static noinline void finish_parity_scrub(struct btrfs_raid_bio *rbio, + bitmap_clear(rbio->dbitmap, pagenr, 1); + kunmap(p); + +- for (stripe = 0; stripe < rbio->real_stripes; stripe++) ++ for (stripe = 0; stripe < nr_data; stripe++) + kunmap(page_in_rbio(rbio, stripe, pagenr, 0)); ++ kunmap(p_page); + } + + __free_page(p_page); +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 63f59f17c97e..c7190f322576 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3321,9 +3321,16 @@ static noinline int log_dir_items(struct btrfs_trans_handle *trans, + } + btrfs_release_path(path); + +- /* find the first key from this transaction again */ ++ /* ++ * Find the first key from this transaction again. See the note for ++ * log_new_dir_dentries, if we're logging a directory recursively we ++ * won't be holding its i_mutex, which means we can modify the directory ++ * while we're logging it. If we remove an entry between our first ++ * search and this search we'll not find the key again and can just ++ * bail. ++ */ + ret = btrfs_search_slot(NULL, root, &min_key, path, 0, 0); +- if (WARN_ON(ret != 0)) ++ if (ret != 0) + goto done; + + /* +diff --git a/fs/dcache.c b/fs/dcache.c +index 9ffe60702299..cb554e406545 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1510,7 +1510,7 @@ static void check_and_drop(void *_data) + { + struct detach_data *data = _data; + +- if (!data->mountpoint && !data->select.found) ++ if (!data->mountpoint && list_empty(&data->select.dispose)) + __d_drop(data->select.start); + } + +@@ -1552,17 +1552,15 @@ void d_invalidate(struct dentry *dentry) + + d_walk(dentry, &data, detach_and_collect, check_and_drop); + +- if (data.select.found) ++ if (!list_empty(&data.select.dispose)) + shrink_dentry_list(&data.select.dispose); ++ else if (!data.mountpoint) ++ return; + + if (data.mountpoint) { + detach_mounts(data.mountpoint); + dput(data.mountpoint); + } +- +- if (!data.mountpoint && !data.select.found) +- break; +- + cond_resched(); + } + } +diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h +index f817ed58f5ad..b40e75dbf48c 100644 +--- a/fs/ext4/ext4_jbd2.h ++++ b/fs/ext4/ext4_jbd2.h +@@ -372,7 +372,7 @@ static inline void ext4_update_inode_fsync_trans(handle_t *handle, + { + struct ext4_inode_info *ei = EXT4_I(inode); + +- if (ext4_handle_valid(handle)) { ++ if (ext4_handle_valid(handle) && !is_handle_aborted(handle)) { + ei->i_sync_tid = handle->h_transaction->t_tid; + if (datasync) + ei->i_datasync_tid = handle->h_transaction->t_tid; +diff --git a/fs/ext4/file.c b/fs/ext4/file.c +index debf0707789d..2e5ae183a18a 100644 +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -79,7 +79,7 @@ ext4_unaligned_aio(struct inode *inode, struct iov_iter *from, loff_t pos) + struct super_block *sb = inode->i_sb; + int blockmask = sb->s_blocksize - 1; + +- if (pos >= i_size_read(inode)) ++ if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize)) + return 0; + + if ((pos | iov_iter_alignment(from)) & blockmask) +diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c +index 355ef9c36c87..8f3e78eb0bbd 100644 +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -1491,10 +1491,14 @@ end_range: + partial->p + 1, + partial2->p, + (chain+n-1) - partial); +- BUFFER_TRACE(partial->bh, "call brelse"); +- brelse(partial->bh); +- BUFFER_TRACE(partial2->bh, "call brelse"); +- brelse(partial2->bh); ++ while (partial > chain) { ++ BUFFER_TRACE(partial->bh, "call brelse"); ++ brelse(partial->bh); ++ } ++ while (partial2 > chain2) { ++ BUFFER_TRACE(partial2->bh, "call brelse"); ++ brelse(partial2->bh); ++ } + return 0; + } + +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index 5e1054f028af..c7e32a891502 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1550,7 +1550,8 @@ static void drop_sysctl_table(struct ctl_table_header *header) + if (--header->nreg) + return; + +- put_links(header); ++ if (parent) ++ put_links(header); + start_unregistering(header); + if (!--header->count) + kfree_rcu(header, rcu); +diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c +index 42b8c57795cb..c6ce7503a329 100644 +--- a/fs/udf/truncate.c ++++ b/fs/udf/truncate.c +@@ -260,6 +260,9 @@ void udf_truncate_extents(struct inode *inode) + epos.block = eloc; + epos.bh = udf_tread(sb, + udf_get_lb_pblock(sb, &eloc, 0)); ++ /* Error reading indirect block? */ ++ if (!epos.bh) ++ return; + if (elen) + indirect_ext_len = + (elen + sb->s_blocksize - 1) >> +diff --git a/include/linux/rculist.h b/include/linux/rculist.h +index 5ed540986019..a579240c64e9 100644 +--- a/include/linux/rculist.h ++++ b/include/linux/rculist.h +@@ -401,6 +401,42 @@ static inline void hlist_add_head_rcu(struct hlist_node *n, + first->pprev = &n->next; + } + ++/** ++ * hlist_add_tail_rcu ++ * @n: the element to add to the hash list. ++ * @h: the list to add to. ++ * ++ * Description: ++ * Adds the specified element to the specified hlist, ++ * while permitting racing traversals. ++ * ++ * The caller must take whatever precautions are necessary ++ * (such as holding appropriate locks) to avoid racing ++ * with another list-mutation primitive, such as hlist_add_head_rcu() ++ * or hlist_del_rcu(), running on this same list. ++ * However, it is perfectly legal to run concurrently with ++ * the _rcu list-traversal primitives, such as ++ * hlist_for_each_entry_rcu(), used to prevent memory-consistency ++ * problems on Alpha CPUs. Regardless of the type of CPU, the ++ * list-traversal primitive must be guarded by rcu_read_lock(). ++ */ ++static inline void hlist_add_tail_rcu(struct hlist_node *n, ++ struct hlist_head *h) ++{ ++ struct hlist_node *i, *last = NULL; ++ ++ for (i = hlist_first_rcu(h); i; i = hlist_next_rcu(i)) ++ last = i; ++ ++ if (last) { ++ n->next = last->next; ++ n->pprev = &last->next; ++ rcu_assign_pointer(hlist_next_rcu(last), n); ++ } else { ++ hlist_add_head_rcu(n, h); ++ } ++} ++ + /** + * hlist_add_before_rcu + * @n: the new element to add to the hash list. +diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h +index 4a5b9a306c69..803fc26ef0ba 100644 +--- a/include/net/sctp/checksum.h ++++ b/include/net/sctp/checksum.h +@@ -60,7 +60,7 @@ static inline __wsum sctp_csum_combine(__wsum csum, __wsum csum2, + static inline __le32 sctp_compute_cksum(const struct sk_buff *skb, + unsigned int offset) + { +- struct sctphdr *sh = sctp_hdr(skb); ++ struct sctphdr *sh = (struct sctphdr *)(skb->data + offset); + __le32 ret, old = sh->checksum; + const struct skb_checksum_ops ops = { + .update = sctp_csum_update, +diff --git a/include/net/sock.h b/include/net/sock.h +index 7420299c31f5..0aadd3b03ced 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -651,6 +651,12 @@ static inline void sk_add_node_rcu(struct sock *sk, struct hlist_head *list) + hlist_add_head_rcu(&sk->sk_node, list); + } + ++static inline void sk_add_node_tail_rcu(struct sock *sk, struct hlist_head *list) ++{ ++ sock_hold(sk); ++ hlist_add_tail_rcu(&sk->sk_node, list); ++} ++ + static inline void __sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list) + { + hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list); +diff --git a/kernel/futex.c b/kernel/futex.c +index 0c92c8d34ffa..ec9df5ba040b 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -3067,6 +3067,10 @@ int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi) + { + u32 uval, uninitialized_var(nval), mval; + ++ /* Futex address must be 32bit aligned */ ++ if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0) ++ return -1; ++ + retry: + if (get_user(uval, uaddr)) + return -1; +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index 774ab79d3ec7..a49c565529a0 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -3314,6 +3314,9 @@ __lock_set_class(struct lockdep_map *lock, const char *name, + unsigned int depth; + int i; + ++ if (unlikely(!debug_locks)) ++ return 0; ++ + depth = curr->lockdep_depth; + /* + * This function is about (re)setting the class of a held lock, +diff --git a/lib/int_sqrt.c b/lib/int_sqrt.c +index 1ef4cc344977..1afb545a37c5 100644 +--- a/lib/int_sqrt.c ++++ b/lib/int_sqrt.c +@@ -22,6 +22,9 @@ unsigned long int_sqrt(unsigned long x) + return x; + + m = 1UL << (BITS_PER_LONG - 2); ++ while (m > x) ++ m >>= 2; ++ + while (m != 0) { + b = y + m; + y >>= 1; +diff --git a/mm/rmap.c b/mm/rmap.c +index 488dda209431..cf733fab230f 100644 +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -408,7 +408,7 @@ void unlink_anon_vmas(struct vm_area_struct *vma) + list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) { + struct anon_vma *anon_vma = avc->anon_vma; + +- BUG_ON(anon_vma->degree); ++ VM_WARN_ON(anon_vma->degree); + put_anon_vma(anon_vma); + + list_del(&avc->same_vma); +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index af68674690af..f76e9c1e9f17 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -3315,16 +3315,22 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + + while (len >= L2CAP_CONF_OPT_SIZE) { + len -= l2cap_get_conf_opt(&req, &type, &olen, &val); ++ if (len < 0) ++ break; + + hint = type & L2CAP_CONF_HINT; + type &= L2CAP_CONF_MASK; + + switch (type) { + case L2CAP_CONF_MTU: ++ if (olen != 2) ++ break; + mtu = val; + break; + + case L2CAP_CONF_FLUSH_TO: ++ if (olen != 2) ++ break; + chan->flush_to = val; + break; + +@@ -3332,26 +3338,30 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + break; + + case L2CAP_CONF_RFC: +- if (olen == sizeof(rfc)) +- memcpy(&rfc, (void *) val, olen); ++ if (olen != sizeof(rfc)) ++ break; ++ memcpy(&rfc, (void *) val, olen); + break; + + case L2CAP_CONF_FCS: ++ if (olen != 1) ++ break; + if (val == L2CAP_FCS_NONE) + set_bit(CONF_RECV_NO_FCS, &chan->conf_state); + break; + + case L2CAP_CONF_EFS: +- if (olen == sizeof(efs)) { +- remote_efs = 1; +- memcpy(&efs, (void *) val, olen); +- } ++ if (olen != sizeof(efs)) ++ break; ++ remote_efs = 1; ++ memcpy(&efs, (void *) val, olen); + break; + + case L2CAP_CONF_EWS: ++ if (olen != 2) ++ break; + if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP)) + return -ECONNREFUSED; +- + set_bit(FLAG_EXT_CTRL, &chan->flags); + set_bit(CONF_EWS_RECV, &chan->conf_state); + chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW; +@@ -3361,7 +3371,6 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + default: + if (hint) + break; +- + result = L2CAP_CONF_UNKNOWN; + *((u8 *) ptr++) = type; + break; +@@ -3526,58 +3535,65 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, + + while (len >= L2CAP_CONF_OPT_SIZE) { + len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); ++ if (len < 0) ++ break; + + switch (type) { + case L2CAP_CONF_MTU: ++ if (olen != 2) ++ break; + if (val < L2CAP_DEFAULT_MIN_MTU) { + *result = L2CAP_CONF_UNACCEPT; + chan->imtu = L2CAP_DEFAULT_MIN_MTU; + } else + chan->imtu = val; +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr); ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, ++ endptr - ptr); + break; + + case L2CAP_CONF_FLUSH_TO: ++ if (olen != 2) ++ break; + chan->flush_to = val; +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, +- 2, chan->flush_to, endptr - ptr); ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, ++ chan->flush_to, endptr - ptr); + break; + + case L2CAP_CONF_RFC: +- if (olen == sizeof(rfc)) +- memcpy(&rfc, (void *)val, olen); +- ++ if (olen != sizeof(rfc)) ++ break; ++ memcpy(&rfc, (void *)val, olen); + if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) && + rfc.mode != chan->mode) + return -ECONNREFUSED; +- + chan->fcs = 0; +- +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, +- sizeof(rfc), (unsigned long) &rfc, endptr - ptr); ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc), ++ (unsigned long) &rfc, endptr - ptr); + break; + + case L2CAP_CONF_EWS: ++ if (olen != 2) ++ break; + chan->ack_win = min_t(u16, val, chan->ack_win); + l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2, + chan->tx_win, endptr - ptr); + break; + + case L2CAP_CONF_EFS: +- if (olen == sizeof(efs)) { +- memcpy(&efs, (void *)val, olen); +- +- if (chan->local_stype != L2CAP_SERV_NOTRAFIC && +- efs.stype != L2CAP_SERV_NOTRAFIC && +- efs.stype != chan->local_stype) +- return -ECONNREFUSED; +- +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), +- (unsigned long) &efs, endptr - ptr); +- } ++ if (olen != sizeof(efs)) ++ break; ++ memcpy(&efs, (void *)val, olen); ++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC && ++ efs.stype != L2CAP_SERV_NOTRAFIC && ++ efs.stype != chan->local_stype) ++ return -ECONNREFUSED; ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), ++ (unsigned long) &efs, endptr - ptr); + break; + + case L2CAP_CONF_FCS: ++ if (olen != 1) ++ break; + if (*result == L2CAP_CONF_PENDING) + if (val == L2CAP_FCS_NONE) + set_bit(CONF_RECV_NO_FCS, +@@ -3706,13 +3722,18 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) + + while (len >= L2CAP_CONF_OPT_SIZE) { + len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); ++ if (len < 0) ++ break; + + switch (type) { + case L2CAP_CONF_RFC: +- if (olen == sizeof(rfc)) +- memcpy(&rfc, (void *)val, olen); ++ if (olen != sizeof(rfc)) ++ break; ++ memcpy(&rfc, (void *)val, olen); + break; + case L2CAP_CONF_EWS: ++ if (olen != 2) ++ break; + txwin_ext = val; + break; + } +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index d6c191158e07..6e7f99569bdf 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1043,11 +1043,11 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + newnp->ipv6_fl_list = NULL; + newnp->pktoptions = NULL; + newnp->opt = NULL; +- newnp->mcast_oif = tcp_v6_iif(skb); +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; +- newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb)); ++ newnp->mcast_oif = inet_iif(skb); ++ newnp->mcast_hops = ip_hdr(skb)->ttl; ++ newnp->rcv_flowinfo = 0; + if (np->repflow) +- newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb)); ++ newnp->flow_label = 0; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks count +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index d517dd7f4ac7..7d93228ba1e1 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3155,7 +3155,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, + } + + mutex_lock(&net->packet.sklist_lock); +- sk_add_node_rcu(sk, &net->packet.sklist); ++ sk_add_node_tail_rcu(sk, &net->packet.sklist); + mutex_unlock(&net->packet.sklist_lock); + + preempt_disable(); +@@ -4130,7 +4130,7 @@ static struct pgv *alloc_pg_vec(struct tpacket_req *req, int order) + struct pgv *pg_vec; + int i; + +- pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL); ++ pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN); + if (unlikely(!pg_vec)) + goto out; + +diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c +index 7ca57741b2fb..7849f286bb93 100644 +--- a/net/rose/rose_subr.c ++++ b/net/rose/rose_subr.c +@@ -105,16 +105,17 @@ void rose_write_internal(struct sock *sk, int frametype) + struct sk_buff *skb; + unsigned char *dptr; + unsigned char lci1, lci2; +- char buffer[100]; +- int len, faclen = 0; ++ int maxfaclen = 0; ++ int len, faclen; ++ int reserve; + +- len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 1; ++ reserve = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1; ++ len = ROSE_MIN_LEN; + + switch (frametype) { + case ROSE_CALL_REQUEST: + len += 1 + ROSE_ADDR_LEN + ROSE_ADDR_LEN; +- faclen = rose_create_facilities(buffer, rose); +- len += faclen; ++ maxfaclen = 256; + break; + case ROSE_CALL_ACCEPTED: + case ROSE_CLEAR_REQUEST: +@@ -123,15 +124,16 @@ void rose_write_internal(struct sock *sk, int frametype) + break; + } + +- if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL) ++ skb = alloc_skb(reserve + len + maxfaclen, GFP_ATOMIC); ++ if (!skb) + return; + + /* + * Space for AX.25 header and PID. + */ +- skb_reserve(skb, AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1); ++ skb_reserve(skb, reserve); + +- dptr = skb_put(skb, skb_tailroom(skb)); ++ dptr = skb_put(skb, len); + + lci1 = (rose->lci >> 8) & 0x0F; + lci2 = (rose->lci >> 0) & 0xFF; +@@ -146,7 +148,8 @@ void rose_write_internal(struct sock *sk, int frametype) + dptr += ROSE_ADDR_LEN; + memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN); + dptr += ROSE_ADDR_LEN; +- memcpy(dptr, buffer, faclen); ++ faclen = rose_create_facilities(dptr, rose); ++ skb_put(skb, faclen); + dptr += faclen; + break; + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 642a78079ae1..81013490a99f 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -11721,7 +11721,7 @@ static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + len, gfp); + if (!msg) + return; + +@@ -11873,7 +11873,7 @@ void nl80211_send_connect_result(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); + if (!msg) + return; + +@@ -11913,7 +11913,7 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); + if (!msg) + return; + +@@ -11951,7 +11951,7 @@ void nl80211_send_disconnected(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ msg = nlmsg_new(100 + ie_len, GFP_KERNEL); + if (!msg) + return; + +@@ -12028,7 +12028,7 @@ void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr, + + trace_cfg80211_notify_new_peer_candidate(dev, addr); + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + ie_len, gfp); + if (!msg) + return; + +@@ -12397,7 +12397,7 @@ int nl80211_send_mgmt(struct cfg80211_registered_device *rdev, + struct sk_buff *msg; + void *hdr; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + len, gfp); + if (!msg) + return -ENOMEM; + +@@ -12440,7 +12440,7 @@ void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie, + + trace_cfg80211_mgmt_tx_status(wdev, cookie, ack); + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); ++ msg = nlmsg_new(100 + len, gfp); + if (!msg) + return; + +@@ -13244,7 +13244,7 @@ void cfg80211_ft_event(struct net_device *netdev, + if (!ft_event->target_ap) + return; + +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL); + if (!msg) + return; + +diff --git a/scripts/setlocalversion b/scripts/setlocalversion +index 63d91e22ed7c..966dd3924ea9 100755 +--- a/scripts/setlocalversion ++++ b/scripts/setlocalversion +@@ -143,7 +143,7 @@ fi + if test -e include/config/auto.conf; then + . include/config/auto.conf + else +- echo "Error: kernelrelease not valid - run 'make prepare' to update it" ++ echo "Error: kernelrelease not valid - run 'make prepare' to update it" >&2 + exit 1 + fi + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 2272aee12871..3c88a3384064 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -859,6 +860,15 @@ static long snd_compr_ioctl(struct file *f, unsigned int cmd, unsigned long arg) + return retval; + } + ++/* support of 32bit userspace on 64bit platforms */ ++#ifdef CONFIG_COMPAT ++static long snd_compr_ioctl_compat(struct file *file, unsigned int cmd, ++ unsigned long arg) ++{ ++ return snd_compr_ioctl(file, cmd, (unsigned long)compat_ptr(arg)); ++} ++#endif ++ + static const struct file_operations snd_compr_file_ops = { + .owner = THIS_MODULE, + .open = snd_compr_open, +@@ -866,6 +876,9 @@ static const struct file_operations snd_compr_file_ops = { + .write = snd_compr_write, + .read = snd_compr_read, + .unlocked_ioctl = snd_compr_ioctl, ++#ifdef CONFIG_COMPAT ++ .compat_ioctl = snd_compr_ioctl_compat, ++#endif + .mmap = snd_compr_mmap, + .poll = snd_compr_poll, + }; +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 07feb35f1935..443bb8ce8255 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -950,6 +950,28 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream) + oss_frame_size = snd_pcm_format_physical_width(params_format(params)) * + params_channels(params) / 8; + ++ err = snd_pcm_oss_period_size(substream, params, sparams); ++ if (err < 0) ++ goto failure; ++ ++ n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); ++ if (err < 0) ++ goto failure; ++ ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, ++ runtime->oss.periods, NULL); ++ if (err < 0) ++ goto failure; ++ ++ snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); ++ ++ err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams); ++ if (err < 0) { ++ pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); ++ goto failure; ++ } ++ + #ifdef CONFIG_SND_PCM_OSS_PLUGINS + snd_pcm_oss_plugin_clear(substream); + if (!direct) { +@@ -984,27 +1006,6 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream) + } + #endif + +- err = snd_pcm_oss_period_size(substream, params, sparams); +- if (err < 0) +- goto failure; +- +- n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size); +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL); +- if (err < 0) +- goto failure; +- +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS, +- runtime->oss.periods, NULL); +- if (err < 0) +- goto failure; +- +- snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); +- +- if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) { +- pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err); +- goto failure; +- } +- + if (runtime->oss.trigger) { + sw_params->start_threshold = 1; + } else { +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 9b6dcdea4431..4d6f0f56d54a 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1254,8 +1254,15 @@ static int snd_pcm_pause(struct snd_pcm_substream *substream, int push) + static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state) + { + struct snd_pcm_runtime *runtime = substream->runtime; +- if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED) ++ switch (runtime->status->state) { ++ case SNDRV_PCM_STATE_SUSPENDED: + return -EBUSY; ++ /* unresumable PCM state; return -EBUSY for skipping suspend */ ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_DISCONNECTED: ++ return -EBUSY; ++ } + runtime->trigger_master = substream; + return 0; + } +diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c +index 59111cadaec2..c8b2309352d7 100644 +--- a/sound/core/rawmidi.c ++++ b/sound/core/rawmidi.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -591,6 +592,7 @@ static int __snd_rawmidi_info_select(struct snd_card *card, + return -ENXIO; + if (info->stream < 0 || info->stream > 1) + return -EINVAL; ++ info->stream = array_index_nospec(info->stream, 2); + pstr = &rmidi->streams[info->stream]; + if (pstr->substream_count == 0) + return -ENOENT; +diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c +index ea545f9291b4..df5b984bb33f 100644 +--- a/sound/core/seq/oss/seq_oss_synth.c ++++ b/sound/core/seq/oss/seq_oss_synth.c +@@ -617,13 +617,14 @@ int + snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev); + +- if (dev < 0 || dev >= dp->max_synthdev) ++ if (!info) + return -ENXIO; + +- if (dp->synths[dev].is_midi) { ++ if (info->is_midi) { + struct midi_info minf; +- snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf); ++ snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf); + inf->synth_type = SYNTH_TYPE_MIDI; + inf->synth_subtype = 0; + inf->nr_voices = 16; +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index f6d4a1046e54..ad0b23a21bc8 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -3004,6 +3004,7 @@ static void hda_call_codec_resume(struct hda_codec *codec) + hda_jackpoll_work(&codec->jackpoll_work.work); + else + snd_hda_jack_report_sync(codec); ++ codec->core.dev.power.power_state = PMSG_ON; + atomic_dec(&codec->core.in_pm); + } + +@@ -3036,10 +3037,62 @@ static int hda_codec_runtime_resume(struct device *dev) + } + #endif /* CONFIG_PM */ + ++#ifdef CONFIG_PM_SLEEP ++static int hda_codec_force_resume(struct device *dev) ++{ ++ int ret; ++ ++ /* The get/put pair below enforces the runtime resume even if the ++ * device hasn't been used at suspend time. This trick is needed to ++ * update the jack state change during the sleep. ++ */ ++ pm_runtime_get_noresume(dev); ++ ret = pm_runtime_force_resume(dev); ++ pm_runtime_put(dev); ++ return ret; ++} ++ ++static int hda_codec_pm_suspend(struct device *dev) ++{ ++ dev->power.power_state = PMSG_SUSPEND; ++ return pm_runtime_force_suspend(dev); ++} ++ ++static int hda_codec_pm_resume(struct device *dev) ++{ ++ dev->power.power_state = PMSG_RESUME; ++ return hda_codec_force_resume(dev); ++} ++ ++static int hda_codec_pm_freeze(struct device *dev) ++{ ++ dev->power.power_state = PMSG_FREEZE; ++ return pm_runtime_force_suspend(dev); ++} ++ ++static int hda_codec_pm_thaw(struct device *dev) ++{ ++ dev->power.power_state = PMSG_THAW; ++ return hda_codec_force_resume(dev); ++} ++ ++static int hda_codec_pm_restore(struct device *dev) ++{ ++ dev->power.power_state = PMSG_RESTORE; ++ return hda_codec_force_resume(dev); ++} ++#endif /* CONFIG_PM_SLEEP */ ++ + /* referred in hda_bind.c */ + const struct dev_pm_ops hda_codec_driver_pm = { +- SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, +- pm_runtime_force_resume) ++#ifdef CONFIG_PM_SLEEP ++ .suspend = hda_codec_pm_suspend, ++ .resume = hda_codec_pm_resume, ++ .freeze = hda_codec_pm_freeze, ++ .thaw = hda_codec_pm_thaw, ++ .poweroff = hda_codec_pm_suspend, ++ .restore = hda_codec_pm_restore, ++#endif /* CONFIG_PM_SLEEP */ + SET_RUNTIME_PM_OPS(hda_codec_runtime_suspend, hda_codec_runtime_resume, + NULL) + }; +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +index d01e2ce818f7..62b38f2ff60d 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -238,19 +238,15 @@ struct intel_pt_decoder *intel_pt_decoder_new(struct intel_pt_params *params) + if (!(decoder->tsc_ctc_ratio_n % decoder->tsc_ctc_ratio_d)) + decoder->tsc_ctc_mult = decoder->tsc_ctc_ratio_n / + decoder->tsc_ctc_ratio_d; +- +- /* +- * Allow for timestamps appearing to backwards because a TSC +- * packet has slipped past a MTC packet, so allow 2 MTC ticks +- * or ... +- */ +- decoder->tsc_slip = multdiv(2 << decoder->mtc_shift, +- decoder->tsc_ctc_ratio_n, +- decoder->tsc_ctc_ratio_d); + } +- /* ... or 0x100 paranoia */ +- if (decoder->tsc_slip < 0x100) +- decoder->tsc_slip = 0x100; ++ ++ /* ++ * A TSC packet can slip past MTC packets so that the timestamp appears ++ * to go backwards. One estimate is that can be up to about 40 CPU ++ * cycles, which is certainly less than 0x1000 TSC ticks, but accept ++ * slippage an order of magnitude more to be on the safe side. ++ */ ++ decoder->tsc_slip = 0x10000; + + intel_pt_log("timestamp: mtc_shift %u\n", decoder->mtc_shift); + intel_pt_log("timestamp: tsc_ctc_ratio_n %u\n", decoder->tsc_ctc_ratio_n); +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index fce48d11ae07..08a954582e31 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2611,6 +2611,9 @@ static long kvm_device_ioctl(struct file *filp, unsigned int ioctl, + { + struct kvm_device *dev = filp->private_data; + ++ if (dev->kvm->mm != current->mm) ++ return -EIO; ++ + switch (ioctl) { + case KVM_SET_DEVICE_ATTR: + return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg); diff --git a/patch/kernel/rockchip-default/04-patch-4.4.178-179.patch b/patch/kernel/rockchip-default/04-patch-4.4.178-179.patch new file mode 100644 index 0000000000..711ef54348 --- /dev/null +++ b/patch/kernel/rockchip-default/04-patch-4.4.178-179.patch @@ -0,0 +1,5220 @@ +diff --git a/Documentation/arm/kernel_mode_neon.txt b/Documentation/arm/kernel_mode_neon.txt +index 525452726d31..b9e060c5b61e 100644 +--- a/Documentation/arm/kernel_mode_neon.txt ++++ b/Documentation/arm/kernel_mode_neon.txt +@@ -6,7 +6,7 @@ TL;DR summary + * Use only NEON instructions, or VFP instructions that don't rely on support + code + * Isolate your NEON code in a separate compilation unit, and compile it with +- '-mfpu=neon -mfloat-abi=softfp' ++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp' + * Put kernel_neon_begin() and kernel_neon_end() calls around the calls into your + NEON code + * Don't sleep in your NEON code, and be aware that it will be executed with +@@ -87,7 +87,7 @@ instructions appearing in unexpected places if no special care is taken. + Therefore, the recommended and only supported way of using NEON/VFP in the + kernel is by adhering to the following rules: + * isolate the NEON code in a separate compilation unit and compile it with +- '-mfpu=neon -mfloat-abi=softfp'; ++ '-march=armv7-a -mfpu=neon -mfloat-abi=softfp'; + * issue the calls to kernel_neon_begin(), kernel_neon_end() as well as the calls + into the unit containing the NEON code from a compilation unit which is *not* + built with the GCC flag '-mfpu=neon' set. +diff --git a/Makefile b/Makefile +index 35be7983ef2d..ee0a50b871b9 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 178 ++SUBLEVEL = 179 + EXTRAVERSION = + NAME = Blurry Fish Butt + +@@ -639,7 +639,7 @@ KBUILD_CFLAGS += $(call cc-disable-warning, int-in-bool-context) + KBUILD_CFLAGS += $(call cc-disable-warning, attribute-alias) + + ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE +-KBUILD_CFLAGS += $(call cc-option,-Oz,-Os) ++KBUILD_CFLAGS += -Os + else + ifdef CONFIG_PROFILE_ALL_BRANCHES + KBUILD_CFLAGS += -O2 +diff --git a/arch/arm/boot/dts/sama5d2-pinfunc.h b/arch/arm/boot/dts/sama5d2-pinfunc.h +index 8a394f336003..ee65702f9645 100644 +--- a/arch/arm/boot/dts/sama5d2-pinfunc.h ++++ b/arch/arm/boot/dts/sama5d2-pinfunc.h +@@ -517,7 +517,7 @@ + #define PIN_PC9__GPIO PINMUX_PIN(PIN_PC9, 0, 0) + #define PIN_PC9__FIQ PINMUX_PIN(PIN_PC9, 1, 3) + #define PIN_PC9__GTSUCOMP PINMUX_PIN(PIN_PC9, 2, 1) +-#define PIN_PC9__ISC_D0 PINMUX_PIN(PIN_PC9, 2, 1) ++#define PIN_PC9__ISC_D0 PINMUX_PIN(PIN_PC9, 3, 1) + #define PIN_PC9__TIOA4 PINMUX_PIN(PIN_PC9, 4, 2) + #define PIN_PC10 74 + #define PIN_PC10__GPIO PINMUX_PIN(PIN_PC10, 0, 0) +diff --git a/arch/arm/crypto/sha256-armv4.pl b/arch/arm/crypto/sha256-armv4.pl +index fac0533ea633..f64e8413ab9a 100644 +--- a/arch/arm/crypto/sha256-armv4.pl ++++ b/arch/arm/crypto/sha256-armv4.pl +@@ -205,10 +205,11 @@ K256: + .global sha256_block_data_order + .type sha256_block_data_order,%function + sha256_block_data_order: ++.Lsha256_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha256_block_data_order + #else +- adr r3,sha256_block_data_order ++ adr r3,.Lsha256_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/crypto/sha256-core.S_shipped b/arch/arm/crypto/sha256-core.S_shipped +index 555a1a8eec90..72c248081d27 100644 +--- a/arch/arm/crypto/sha256-core.S_shipped ++++ b/arch/arm/crypto/sha256-core.S_shipped +@@ -86,10 +86,11 @@ K256: + .global sha256_block_data_order + .type sha256_block_data_order,%function + sha256_block_data_order: ++.Lsha256_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha256_block_data_order + #else +- adr r3,sha256_block_data_order ++ adr r3,.Lsha256_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/crypto/sha512-armv4.pl b/arch/arm/crypto/sha512-armv4.pl +index a2b11a844357..5fe336420bcf 100644 +--- a/arch/arm/crypto/sha512-armv4.pl ++++ b/arch/arm/crypto/sha512-armv4.pl +@@ -267,10 +267,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) + .global sha512_block_data_order + .type sha512_block_data_order,%function + sha512_block_data_order: ++.Lsha512_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha512_block_data_order + #else +- adr r3,sha512_block_data_order ++ adr r3,.Lsha512_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/crypto/sha512-core.S_shipped b/arch/arm/crypto/sha512-core.S_shipped +index 3694c4d4ca2b..de9bd7f55242 100644 +--- a/arch/arm/crypto/sha512-core.S_shipped ++++ b/arch/arm/crypto/sha512-core.S_shipped +@@ -134,10 +134,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) + .global sha512_block_data_order + .type sha512_block_data_order,%function + sha512_block_data_order: ++.Lsha512_block_data_order: + #if __ARM_ARCH__<7 + sub r3,pc,#8 @ sha512_block_data_order + #else +- adr r3,sha512_block_data_order ++ adr r3,.Lsha512_block_data_order + #endif + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) + ldr r12,.LOPENSSL_armcap +diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h +index 3ff5642d9788..27c1d26b05b5 100644 +--- a/arch/arm/include/asm/barrier.h ++++ b/arch/arm/include/asm/barrier.h +@@ -10,6 +10,8 @@ + #define sev() __asm__ __volatile__ ("sev" : : : "memory") + #define wfe() __asm__ __volatile__ ("wfe" : : : "memory") + #define wfi() __asm__ __volatile__ ("wfi" : : : "memory") ++#else ++#define wfe() do { } while (0) + #endif + + #if __LINUX_ARM_ARCH__ >= 7 +diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h +index 8a1e8e995dae..08509183c7df 100644 +--- a/arch/arm/include/asm/processor.h ++++ b/arch/arm/include/asm/processor.h +@@ -77,7 +77,11 @@ extern void release_thread(struct task_struct *); + unsigned long get_wchan(struct task_struct *p); + + #if __LINUX_ARM_ARCH__ == 6 || defined(CONFIG_ARM_ERRATA_754327) +-#define cpu_relax() smp_mb() ++#define cpu_relax() \ ++ do { \ ++ smp_mb(); \ ++ __asm__ __volatile__("nop; nop; nop; nop; nop; nop; nop; nop; nop; nop;"); \ ++ } while (0) + #else + #define cpu_relax() barrier() + #endif +diff --git a/arch/arm/kernel/machine_kexec.c b/arch/arm/kernel/machine_kexec.c +index 8bf3b7c09888..46519916a465 100644 +--- a/arch/arm/kernel/machine_kexec.c ++++ b/arch/arm/kernel/machine_kexec.c +@@ -87,8 +87,11 @@ void machine_crash_nonpanic_core(void *unused) + + set_cpu_online(smp_processor_id(), false); + atomic_dec(&waiting_for_crash_ipi); +- while (1) ++ ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + static void machine_kexec_mask_interrupts(void) +diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c +index 69bda1a5707e..1f665acaa6a9 100644 +--- a/arch/arm/kernel/patch.c ++++ b/arch/arm/kernel/patch.c +@@ -15,7 +15,7 @@ struct patch { + unsigned int insn; + }; + +-static DEFINE_SPINLOCK(patch_lock); ++static DEFINE_RAW_SPINLOCK(patch_lock); + + static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags) + __acquires(&patch_lock) +@@ -32,7 +32,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags) + return addr; + + if (flags) +- spin_lock_irqsave(&patch_lock, *flags); ++ raw_spin_lock_irqsave(&patch_lock, *flags); + else + __acquire(&patch_lock); + +@@ -47,7 +47,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long *flags) + clear_fixmap(fixmap); + + if (flags) +- spin_unlock_irqrestore(&patch_lock, *flags); ++ raw_spin_unlock_irqrestore(&patch_lock, *flags); + else + __release(&patch_lock); + } +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index 08ce9e36dc5a..0f1c11861147 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -563,8 +563,10 @@ static void ipi_cpu_stop(unsigned int cpu) + local_fiq_disable(); + local_irq_disable(); + +- while (1) ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + static DEFINE_PER_CPU(struct completion *, cpu_completion); +diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c +index 0bee233fef9a..314cfb232a63 100644 +--- a/arch/arm/kernel/unwind.c ++++ b/arch/arm/kernel/unwind.c +@@ -93,7 +93,7 @@ extern const struct unwind_idx __start_unwind_idx[]; + static const struct unwind_idx *__origin_unwind_idx; + extern const struct unwind_idx __stop_unwind_idx[]; + +-static DEFINE_SPINLOCK(unwind_lock); ++static DEFINE_RAW_SPINLOCK(unwind_lock); + static LIST_HEAD(unwind_tables); + + /* Convert a prel31 symbol to an absolute address */ +@@ -201,7 +201,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr) + /* module unwind tables */ + struct unwind_table *table; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_for_each_entry(table, &unwind_tables, list) { + if (addr >= table->begin_addr && + addr < table->end_addr) { +@@ -213,7 +213,7 @@ static const struct unwind_idx *unwind_find_idx(unsigned long addr) + break; + } + } +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + } + + pr_debug("%s: idx = %p\n", __func__, idx); +@@ -529,9 +529,9 @@ struct unwind_table *unwind_table_add(unsigned long start, unsigned long size, + tab->begin_addr = text_addr; + tab->end_addr = text_addr + text_size; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_add_tail(&tab->list, &unwind_tables); +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + + return tab; + } +@@ -543,9 +543,9 @@ void unwind_table_del(struct unwind_table *tab) + if (!tab) + return; + +- spin_lock_irqsave(&unwind_lock, flags); ++ raw_spin_lock_irqsave(&unwind_lock, flags); + list_del(&tab->list); +- spin_unlock_irqrestore(&unwind_lock, flags); ++ raw_spin_unlock_irqrestore(&unwind_lock, flags); + + kfree(tab); + } +diff --git a/arch/arm/lib/Makefile b/arch/arm/lib/Makefile +index d8a780799506..06348a3d50c2 100644 +--- a/arch/arm/lib/Makefile ++++ b/arch/arm/lib/Makefile +@@ -35,7 +35,7 @@ $(obj)/csumpartialcopy.o: $(obj)/csumpartialcopygeneric.S + $(obj)/csumpartialcopyuser.o: $(obj)/csumpartialcopygeneric.S + + ifeq ($(CONFIG_KERNEL_MODE_NEON),y) +- NEON_FLAGS := -mfloat-abi=softfp -mfpu=neon ++ NEON_FLAGS := -march=armv7-a -mfloat-abi=softfp -mfpu=neon + CFLAGS_xor-neon.o += $(NEON_FLAGS) + obj-$(CONFIG_XOR_BLOCKS) += xor-neon.o + endif +diff --git a/arch/arm/lib/xor-neon.c b/arch/arm/lib/xor-neon.c +index 2c40aeab3eaa..c691b901092f 100644 +--- a/arch/arm/lib/xor-neon.c ++++ b/arch/arm/lib/xor-neon.c +@@ -14,7 +14,7 @@ + MODULE_LICENSE("GPL"); + + #ifndef __ARM_NEON__ +-#error You should compile this file with '-mfloat-abi=softfp -mfpu=neon' ++#error You should compile this file with '-march=armv7-a -mfloat-abi=softfp -mfpu=neon' + #endif + + /* +diff --git a/arch/arm/mach-omap2/prm_common.c b/arch/arm/mach-omap2/prm_common.c +index 0ce4548ef7f0..4b9e9d1d8229 100644 +--- a/arch/arm/mach-omap2/prm_common.c ++++ b/arch/arm/mach-omap2/prm_common.c +@@ -533,8 +533,10 @@ void omap_prm_reset_system(void) + + prm_ll_data->reset_system(); + +- while (1) ++ while (1) { + cpu_relax(); ++ wfe(); ++ } + } + + /** +diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig +index 57729b915003..b9396dcf836d 100644 +--- a/arch/arm/plat-samsung/Kconfig ++++ b/arch/arm/plat-samsung/Kconfig +@@ -255,7 +255,7 @@ config S3C_PM_DEBUG_LED_SMDK + + config SAMSUNG_PM_CHECK + bool "S3C2410 PM Suspend Memory CRC" +- depends on PM ++ depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210) + select CRC32 + help + Enable the PM code's memory area checksum over sleep. This option +diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h +index 195fd56b2377..34d4d2e2f561 100644 +--- a/arch/arm64/include/asm/futex.h ++++ b/arch/arm64/include/asm/futex.h +@@ -33,8 +33,8 @@ + " prfm pstl1strm, %2\n" \ + "1: ldxr %w1, %2\n" \ + insn "\n" \ +-"2: stlxr %w3, %w0, %2\n" \ +-" cbnz %w3, 1b\n" \ ++"2: stlxr %w0, %w3, %2\n" \ ++" cbnz %w0, 1b\n" \ + " dmb ish\n" \ + "3:\n" \ + " .pushsection .fixup,\"ax\"\n" \ +@@ -61,23 +61,23 @@ arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) + + switch (op) { + case FUTEX_OP_SET: +- __futex_atomic_op("mov %w0, %w4", ++ __futex_atomic_op("mov %w3, %w4", + ret, oldval, uaddr, tmp, oparg); + break; + case FUTEX_OP_ADD: +- __futex_atomic_op("add %w0, %w1, %w4", ++ __futex_atomic_op("add %w3, %w1, %w4", + ret, oldval, uaddr, tmp, oparg); + break; + case FUTEX_OP_OR: +- __futex_atomic_op("orr %w0, %w1, %w4", ++ __futex_atomic_op("orr %w3, %w1, %w4", + ret, oldval, uaddr, tmp, oparg); + break; + case FUTEX_OP_ANDN: +- __futex_atomic_op("and %w0, %w1, %w4", ++ __futex_atomic_op("and %w3, %w1, %w4", + ret, oldval, uaddr, tmp, ~oparg); + break; + case FUTEX_OP_XOR: +- __futex_atomic_op("eor %w0, %w1, %w4", ++ __futex_atomic_op("eor %w3, %w1, %w4", + ret, oldval, uaddr, tmp, oparg); + break; + default: +diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c +index bcac81e600b9..f72743dc070d 100644 +--- a/arch/arm64/kernel/kgdb.c ++++ b/arch/arm64/kernel/kgdb.c +@@ -215,25 +215,34 @@ int kgdb_arch_handle_exception(int exception_vector, int signo, + + static int kgdb_brk_fn(struct pt_regs *regs, unsigned int esr) + { ++ if (user_mode(regs)) ++ return DBG_HOOK_ERROR; ++ + kgdb_handle_exception(1, SIGTRAP, 0, regs); +- return 0; ++ return DBG_HOOK_HANDLED; + } + NOKPROBE_SYMBOL(kgdb_brk_fn) + + static int kgdb_compiled_brk_fn(struct pt_regs *regs, unsigned int esr) + { ++ if (user_mode(regs)) ++ return DBG_HOOK_ERROR; ++ + compiled_break = 1; + kgdb_handle_exception(1, SIGTRAP, 0, regs); + +- return 0; ++ return DBG_HOOK_HANDLED; + } + NOKPROBE_SYMBOL(kgdb_compiled_brk_fn); + + static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned int esr) + { ++ if (user_mode(regs)) ++ return DBG_HOOK_ERROR; ++ + kgdb_handle_exception(1, SIGTRAP, 0, regs); +- return 0; ++ return DBG_HOOK_HANDLED; + } + NOKPROBE_SYMBOL(kgdb_step_brk_fn); + + static struct break_hook kgdb_brkpt_hook = { +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index 04c4b88706d8..89abdf9af4e6 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -589,11 +589,12 @@ void __init hook_debug_fault_code(int nr, + debug_fault_info[nr].name = name; + } + +-asmlinkage int __exception do_debug_exception(unsigned long addr, ++asmlinkage int __exception do_debug_exception(unsigned long addr_if_watchpoint, + unsigned int esr, + struct pt_regs *regs) + { + const struct fault_info *inf = debug_fault_info + DBG_ESR_EVT(esr); ++ unsigned long pc = instruction_pointer(regs); + struct siginfo info; + int rv; + +@@ -604,16 +605,16 @@ asmlinkage int __exception do_debug_exception(unsigned long addr, + if (interrupts_enabled(regs)) + trace_hardirqs_off(); + +- if (!inf->fn(addr, esr, regs)) { ++ if (!inf->fn(addr_if_watchpoint, esr, regs)) { + rv = 1; + } else { + pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n", +- inf->name, esr, addr); ++ inf->name, esr, pc); + + info.si_signo = inf->sig; + info.si_errno = 0; + info.si_code = inf->code; +- info.si_addr = (void __user *)addr; ++ info.si_addr = (void __user *)pc; + arm64_notify_die("", regs, &info, 0); + rv = 0; + } +diff --git a/arch/h8300/Makefile b/arch/h8300/Makefile +index e1c02ca230cb..073bba6f9f60 100644 +--- a/arch/h8300/Makefile ++++ b/arch/h8300/Makefile +@@ -23,7 +23,7 @@ KBUILD_AFLAGS += $(aflags-y) + LDFLAGS += $(ldflags-y) + + ifeq ($(CROSS_COMPILE),) +-CROSS_COMPILE := h8300-unknown-linux- ++CROSS_COMPILE := $(call cc-cross-prefix, h8300-unknown-linux- h8300-linux-) + endif + + core-y += arch/$(ARCH)/kernel/ arch/$(ARCH)/mm/ +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile +index 6da2cd0897f3..e94745321cac 100644 +--- a/arch/x86/boot/Makefile ++++ b/arch/x86/boot/Makefile +@@ -100,7 +100,7 @@ $(obj)/zoffset.h: $(obj)/compressed/vmlinux FORCE + AFLAGS_header.o += -I$(obj) + $(obj)/header.o: $(obj)/voffset.h $(obj)/zoffset.h + +-LDFLAGS_setup.elf := -T ++LDFLAGS_setup.elf := -m elf_i386 -T + $(obj)/setup.elf: $(src)/setup.ld $(SETUP_OBJS) FORCE + $(call if_changed,ld) + +diff --git a/arch/x86/crypto/poly1305-avx2-x86_64.S b/arch/x86/crypto/poly1305-avx2-x86_64.S +index eff2f414e22b..ec234c43b3f4 100644 +--- a/arch/x86/crypto/poly1305-avx2-x86_64.S ++++ b/arch/x86/crypto/poly1305-avx2-x86_64.S +@@ -321,6 +321,12 @@ ENTRY(poly1305_4block_avx2) + vpaddq t2,t1,t1 + vmovq t1x,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -359,16 +365,16 @@ ENTRY(poly1305_4block_avx2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +diff --git a/arch/x86/crypto/poly1305-sse2-x86_64.S b/arch/x86/crypto/poly1305-sse2-x86_64.S +index 338c748054ed..639d9760b089 100644 +--- a/arch/x86/crypto/poly1305-sse2-x86_64.S ++++ b/arch/x86/crypto/poly1305-sse2-x86_64.S +@@ -251,16 +251,16 @@ ENTRY(poly1305_block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +@@ -518,6 +518,12 @@ ENTRY(poly1305_2block_sse2) + paddq t2,t1 + movq t1,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -556,16 +562,16 @@ ENTRY(poly1305_2block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +index 0977e7607046..5937b112ebc2 100644 +--- a/arch/x86/include/asm/xen/hypercall.h ++++ b/arch/x86/include/asm/xen/hypercall.h +@@ -215,6 +215,9 @@ privcmd_call(unsigned call, + __HYPERCALL_DECLS; + __HYPERCALL_5ARG(a1, a2, a3, a4, a5); + ++ if (call >= PAGE_SIZE / sizeof(hypercall_page[0])) ++ return -EINVAL; ++ + stac(); + asm volatile(CALL_NOSPEC + : __HYPERCALL_5PARAM +diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c +index 15e47c1cd412..6e4e4191abb5 100644 +--- a/arch/x86/kernel/cpu/cyrix.c ++++ b/arch/x86/kernel/cpu/cyrix.c +@@ -121,7 +121,7 @@ static void set_cx86_reorder(void) + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */ + + /* Load/Store Serialize to mem access disable (=reorder it) */ +- setCx86_old(CX86_PCR0, getCx86_old(CX86_PCR0) & ~0x80); ++ setCx86(CX86_PCR0, getCx86(CX86_PCR0) & ~0x80); + /* set load/store serialize from 1GB to 4GB */ + ccr3 |= 0xe0; + setCx86(CX86_CCR3, ccr3); +@@ -132,11 +132,11 @@ static void set_cx86_memwb(void) + printk(KERN_INFO "Enable Memory-Write-back mode on Cyrix/NSC processor.\n"); + + /* CCR2 bit 2: unlock NW bit */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) & ~0x04); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) & ~0x04); + /* set 'Not Write-through' */ + write_cr0(read_cr0() | X86_CR0_NW); + /* CCR2 bit 2: lock NW bit and set WT1 */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x14); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x14); + } + + /* +@@ -150,14 +150,14 @@ static void geode_configure(void) + local_irq_save(flags); + + /* Suspend on halt power saving and enable #SUSP pin */ +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x88); ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88); + + ccr3 = getCx86(CX86_CCR3); + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */ + + + /* FPU fast, DTE cache, Mem bypass */ +- setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x38); ++ setCx86(CX86_CCR4, getCx86(CX86_CCR4) | 0x38); + setCx86(CX86_CCR3, ccr3); /* disable MAPEN */ + + set_cx86_memwb(); +@@ -292,7 +292,7 @@ static void init_cyrix(struct cpuinfo_x86 *c) + /* GXm supports extended cpuid levels 'ala' AMD */ + if (c->cpuid_level == 2) { + /* Enable cxMMX extensions (GX1 Datasheet 54) */ +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7) | 1); ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7) | 1); + + /* + * GXm : 0x30 ... 0x5f GXm datasheet 51 +@@ -315,7 +315,7 @@ static void init_cyrix(struct cpuinfo_x86 *c) + if (dir1 > 7) { + dir0_msn++; /* M II */ + /* Enable MMX extensions (App note 108) */ +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7)|1); ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7)|1); + } else { + /* A 6x86MX - it has the bug. */ + set_cpu_bug(c, X86_BUG_COMA); +diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c +index 3fdc1e53aaac..9cce5504a5c7 100644 +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -825,6 +825,8 @@ int __init hpet_enable(void) + return 0; + + hpet_set_mapping(); ++ if (!hpet_virt_address) ++ return 0; + + /* + * Read the period and check for a sane value: +diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c +index 2bcfb5f2bc44..433f17d154e2 100644 +--- a/arch/x86/kernel/hw_breakpoint.c ++++ b/arch/x86/kernel/hw_breakpoint.c +@@ -351,6 +351,7 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp) + #endif + default: + WARN_ON_ONCE(1); ++ return -EINVAL; + } + + /* +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index c6f466d6cc57..a9fc2292d9ce 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -541,6 +541,7 @@ void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs) + unsigned long *sara = stack_addr(regs); + + ri->ret_addr = (kprobe_opcode_t *) *sara; ++ ri->fp = sara; + + /* Replace the return addr with trampoline addr */ + *sara = (unsigned long) &kretprobe_trampoline; +@@ -742,15 +743,21 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + unsigned long flags, orig_ret_address = 0; + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; + kprobe_opcode_t *correct_ret_addr = NULL; ++ void *frame_pointer; ++ bool skipped = false; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ + #ifdef CONFIG_X86_64 + regs->cs = __KERNEL_CS; ++ /* On x86-64, we use pt_regs->sp for return address holder. */ ++ frame_pointer = ®s->sp; + #else + regs->cs = __KERNEL_CS | get_kernel_rpl(); + regs->gs = 0; ++ /* On x86-32, we use pt_regs->flags for return address holder. */ ++ frame_pointer = ®s->flags; + #endif + regs->ip = trampoline_address; + regs->orig_ax = ~0UL; +@@ -772,8 +779,25 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ /* ++ * Return probes must be pushed on this hash list correct ++ * order (same as return order) so that it can be poped ++ * correctly. However, if we find it is pushed it incorrect ++ * order, this means we find a function which should not be ++ * probed, because the wrong order entry is pushed on the ++ * path of processing other kretprobe itself. ++ */ ++ if (ri->fp != frame_pointer) { ++ if (!skipped) ++ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n"); ++ skipped = true; ++ continue; ++ } + + orig_ret_address = (unsigned long)ri->ret_addr; ++ if (skipped) ++ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ++ ri->rp->kp.addr); + + if (orig_ret_address != trampoline_address) + /* +@@ -791,6 +815,8 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ if (ri->fp != frame_pointer) ++ continue; + + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S +index a703842b54de..17e1e60b6b40 100644 +--- a/arch/x86/kernel/vmlinux.lds.S ++++ b/arch/x86/kernel/vmlinux.lds.S +@@ -365,7 +365,7 @@ SECTIONS + * Per-cpu symbols which need to be offset from __per_cpu_load + * for the boot processor. + */ +-#define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load ++#define INIT_PER_CPU(x) init_per_cpu__##x = ABSOLUTE(x) + __per_cpu_load + INIT_PER_CPU(gdt_page); + INIT_PER_CPU(irq_stack_union); + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index f1507626ed36..5dd56e3517f3 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2567,15 +2567,13 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU + * supports long mode. + */ +- cr4 = ctxt->ops->get_cr(ctxt, 4); + if (emulator_has_longmode(ctxt)) { + struct desc_struct cs_desc; + + /* Zero CR4.PCIDE before CR0.PG. */ +- if (cr4 & X86_CR4_PCIDE) { ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PCIDE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); +- cr4 &= ~X86_CR4_PCIDE; +- } + + /* A 32-bit code segment is required to clear EFER.LMA. */ + memset(&cs_desc, 0, sizeof(cs_desc)); +@@ -2589,13 +2587,16 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); + +- /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ +- if (cr4 & X86_CR4_PAE) +- ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ if (emulator_has_longmode(ctxt)) { ++ /* Clear CR4.PAE before clearing EFER.LME. */ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PAE) ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); + +- /* And finally go back to 32-bit mode. */ +- efer = 0; +- ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ /* And finally go back to 32-bit mode. */ ++ efer = 0; ++ ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ } + + smbase = ctxt->ops->get_smbase(ctxt); + if (emulator_has_longmode(ctxt)) +diff --git a/arch/x86/realmode/rm/Makefile b/arch/x86/realmode/rm/Makefile +index 2730d775ef9a..228cb16962ba 100644 +--- a/arch/x86/realmode/rm/Makefile ++++ b/arch/x86/realmode/rm/Makefile +@@ -43,7 +43,7 @@ $(obj)/pasyms.h: $(REALMODE_OBJS) FORCE + targets += realmode.lds + $(obj)/realmode.lds: $(obj)/pasyms.h + +-LDFLAGS_realmode.elf := --emit-relocs -T ++LDFLAGS_realmode.elf := -m elf_i386 --emit-relocs -T + CPPFLAGS_realmode.lds += -P -C -I$(obj) + + targets += realmode.elf +diff --git a/arch/xtensa/kernel/stacktrace.c b/arch/xtensa/kernel/stacktrace.c +index 7538d802b65a..483593068139 100644 +--- a/arch/xtensa/kernel/stacktrace.c ++++ b/arch/xtensa/kernel/stacktrace.c +@@ -272,10 +272,14 @@ static int return_address_cb(struct stackframe *frame, void *data) + return 1; + } + ++/* ++ * level == 0 is for the return address from the caller of this function, ++ * not from this function itself. ++ */ + unsigned long return_address(unsigned level) + { + struct return_addr_data r = { +- .skip = level + 1, ++ .skip = level, + }; + walk_stackframe(stack_pointer(NULL), return_address_cb, &r); + return r.addr; +diff --git a/block/bio.c b/block/bio.c +index 63363a689922..cf513f74dffd 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -1216,8 +1216,11 @@ struct bio *bio_copy_user_iov(struct request_queue *q, + } + } + +- if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) ++ if (bio_add_pc_page(q, bio, page, bytes, offset) < bytes) { ++ if (!map_data) ++ __free_page(page); + break; ++ } + + len -= bytes; + offset = 0; +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index 0e02c60a57b6..743d6cb7f8cd 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -3494,7 +3494,49 @@ static struct hash_testvec poly1305_tv_template[] = { + .psize = 80, + .digest = "\x13\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00", +- }, ++ }, { /* Regression test for overflow in AVX2 implementation */ ++ .plaintext = "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff", ++ .psize = 300, ++ .digest = "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8" ++ "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1", ++ } + }; + + /* +diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c +index cb3dedb1beae..b133dac8a7f2 100644 +--- a/drivers/acpi/sbs.c ++++ b/drivers/acpi/sbs.c +@@ -443,9 +443,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs) + + /* + * The spec requires that bit 4 always be 1. If it's not set, assume +- * that the implementation doesn't support an SBS charger ++ * that the implementation doesn't support an SBS charger. ++ * ++ * And on some MacBooks a status of 0xffff is always returned, no ++ * matter whether the charger is plugged in or not, which is also ++ * wrong, so ignore the SBS charger for those too. + */ +- if (!((status >> 4) & 0x1)) ++ if (!((status >> 4) & 0x1) || status == 0xffff) + return -ENODEV; + + sbs->charger_present = (status >> 15) & 0x1; +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index d203940203b6..aee23092f50e 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -265,6 +265,7 @@ + /* #define ERRLOGMASK (CD_WARNING|CD_OPEN|CD_COUNT_TRACKS|CD_CLOSE) */ + /* #define ERRLOGMASK (CD_WARNING|CD_REG_UNREG|CD_DO_IOCTL|CD_OPEN|CD_CLOSE|CD_COUNT_TRACKS) */ + ++#include + #include + #include + #include +@@ -3677,9 +3678,9 @@ static struct ctl_table_header *cdrom_sysctl_header; + + static void cdrom_sysctl_register(void) + { +- static int initialized; ++ static atomic_t initialized = ATOMIC_INIT(0); + +- if (initialized == 1) ++ if (!atomic_add_unless(&initialized, 1, 1)) + return; + + cdrom_sysctl_header = register_sysctl_table(cdrom_root_table); +@@ -3690,8 +3691,6 @@ static void cdrom_sysctl_register(void) + cdrom_sysctl_settings.debug = debug; + cdrom_sysctl_settings.lock = lockdoor; + cdrom_sysctl_settings.check = check_media_type; +- +- initialized = 1; + } + + static void cdrom_sysctl_unregister(void) +diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig +index 3143db57ce44..2bc741bea8f3 100644 +--- a/drivers/char/Kconfig ++++ b/drivers/char/Kconfig +@@ -389,7 +389,7 @@ config XILINX_HWICAP + + config R3964 + tristate "Siemens R3964 line discipline" +- depends on TTY ++ depends on TTY && BROKEN + ---help--- + This driver allows synchronous communication with devices using the + Siemens R3964 packet protocol. Unless you are dealing with special +diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c +index 240b6cf1d97c..72e073895ed9 100644 +--- a/drivers/char/hpet.c ++++ b/drivers/char/hpet.c +@@ -376,7 +376,7 @@ static __init int hpet_mmap_enable(char *str) + pr_info("HPET mmap %s\n", hpet_mmap_enabled ? "enabled" : "disabled"); + return 1; + } +-__setup("hpet_mmap", hpet_mmap_enable); ++__setup("hpet_mmap=", hpet_mmap_enable); + + static int hpet_mmap(struct file *file, struct vm_area_struct *vma) + { +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 3fa2f8a009b3..1c5c4314c6b5 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -73,7 +73,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + + if (!vi->busy) { + vi->busy = true; +- init_completion(&vi->have_data); ++ reinit_completion(&vi->have_data); + register_buffer(vi, buf, size); + } + +diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c +index 35308dfff754..8226e3b6dc1f 100644 +--- a/drivers/char/tpm/tpm_crb.c ++++ b/drivers/char/tpm/tpm_crb.c +@@ -109,19 +109,29 @@ static int crb_recv(struct tpm_chip *chip, u8 *buf, size_t count) + struct crb_priv *priv = chip->vendor.priv; + unsigned int expected; + +- /* sanity check */ +- if (count < 6) ++ /* A sanity check that the upper layer wants to get at least the header ++ * as that is the minimum size for any TPM response. ++ */ ++ if (count < TPM_HEADER_SIZE) + return -EIO; + ++ /* If this bit is set, according to the spec, the TPM is in ++ * unrecoverable condition. ++ */ + if (le32_to_cpu(ioread32(&priv->cca->sts)) & CRB_CA_STS_ERROR) + return -EIO; + +- memcpy_fromio(buf, priv->rsp, 6); +- expected = be32_to_cpup((__be32 *) &buf[2]); +- if (expected > count || expected < 6) ++ /* Read the first 8 bytes in order to get the length of the response. ++ * We read exactly a quad word in order to make sure that the remaining ++ * reads will be aligned. ++ */ ++ memcpy_fromio(buf, priv->rsp, 8); ++ ++ expected = be32_to_cpup((__be32 *)&buf[2]); ++ if (expected > count || expected < TPM_HEADER_SIZE) + return -EIO; + +- memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6); ++ memcpy_fromio(&buf[8], &priv->rsp[8], expected - 8); + + return expected; + } +diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c +index dd8f0eb3170a..73f7e0f7e34a 100644 +--- a/drivers/char/tpm/tpm_i2c_atmel.c ++++ b/drivers/char/tpm/tpm_i2c_atmel.c +@@ -65,7 +65,15 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t len) + dev_dbg(&chip->dev, + "%s(buf=%*ph len=%0zx) -> sts=%d\n", __func__, + (int)min_t(size_t, 64, len), buf, len, status); +- return status; ++ ++ if (status < 0) ++ return status; ++ ++ /* The upper layer does not support incomplete sends. */ ++ if (status != len) ++ return -E2BIG; ++ ++ return 0; + } + + static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count) +diff --git a/drivers/crypto/amcc/crypto4xx_alg.c b/drivers/crypto/amcc/crypto4xx_alg.c +index 4afca3968773..e3b8bebfdd30 100644 +--- a/drivers/crypto/amcc/crypto4xx_alg.c ++++ b/drivers/crypto/amcc/crypto4xx_alg.c +@@ -138,7 +138,8 @@ static int crypto4xx_setkey_aes(struct crypto_ablkcipher *cipher, + sa = (struct dynamic_sa_ctl *) ctx->sa_in; + ctx->hash_final = 0; + +- set_dynamic_sa_command_0(sa, SA_NOT_SAVE_HASH, SA_NOT_SAVE_IV, ++ set_dynamic_sa_command_0(sa, SA_NOT_SAVE_HASH, (cm == CRYPTO_MODE_CBC ? ++ SA_SAVE_IV : SA_NOT_SAVE_IV), + SA_LOAD_HASH_FROM_SA, SA_LOAD_IV_FROM_STATE, + SA_NO_HEADER_PROC, SA_HASH_ALG_NULL, + SA_CIPHER_ALG_AES, SA_PAD_TYPE_ZERO, +diff --git a/drivers/crypto/amcc/crypto4xx_core.c b/drivers/crypto/amcc/crypto4xx_core.c +index 78d0722feacb..1e810f5f03fa 100644 +--- a/drivers/crypto/amcc/crypto4xx_core.c ++++ b/drivers/crypto/amcc/crypto4xx_core.c +@@ -645,6 +645,15 @@ static u32 crypto4xx_ablkcipher_done(struct crypto4xx_device *dev, + addr = dma_map_page(dev->core_dev->device, sg_page(dst), + dst->offset, dst->length, DMA_FROM_DEVICE); + } ++ ++ if (pd_uinfo->sa_va->sa_command_0.bf.save_iv == SA_SAVE_IV) { ++ struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req); ++ ++ crypto4xx_memcpy_from_le32((u32 *)req->iv, ++ pd_uinfo->sr_va->save_iv, ++ crypto_skcipher_ivsize(skcipher)); ++ } ++ + crypto4xx_ret_sg_desc(dev, pd_uinfo); + if (ablk_req->base.complete != NULL) + ablk_req->base.complete(&ablk_req->base, 0); +diff --git a/drivers/dma/imx-dma.c b/drivers/dma/imx-dma.c +index dfa337ae06fc..529b315a6683 100644 +--- a/drivers/dma/imx-dma.c ++++ b/drivers/dma/imx-dma.c +@@ -286,7 +286,7 @@ static inline int imxdma_sg_next(struct imxdma_desc *d) + struct scatterlist *sg = d->sg; + unsigned long now; + +- now = min(d->len, sg_dma_len(sg)); ++ now = min_t(size_t, d->len, sg_dma_len(sg)); + if (d->len != IMX_DMA_LENGTH_LOOP) + d->len -= now; + +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c +index c8f79dcaaee8..67f201b8dcda 100644 +--- a/drivers/dma/tegra20-apb-dma.c ++++ b/drivers/dma/tegra20-apb-dma.c +@@ -632,7 +632,10 @@ static void handle_cont_sngl_cycle_dma_done(struct tegra_dma_channel *tdc, + + sgreq = list_first_entry(&tdc->pending_sg_req, typeof(*sgreq), node); + dma_desc = sgreq->dma_desc; +- dma_desc->bytes_transferred += sgreq->req_len; ++ /* if we dma for long enough the transfer count will wrap */ ++ dma_desc->bytes_transferred = ++ (dma_desc->bytes_transferred + sgreq->req_len) % ++ dma_desc->bytes_requested; + + /* Callback need to be call */ + if (!dma_desc->cb_count) +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index f7fbb46d5d79..9943273ec981 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -872,14 +872,16 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + if (trigger) + omap_set_gpio_triggering(bank, offset, trigger); + +- /* For level-triggered GPIOs, the clearing must be done after +- * the HW source is cleared, thus after the handler has run */ +- if (bank->level_mask & BIT(offset)) { +- omap_set_gpio_irqenable(bank, offset, 0); ++ omap_set_gpio_irqenable(bank, offset, 1); ++ ++ /* ++ * For level-triggered GPIOs, clearing must be done after the source ++ * is cleared, thus after the handler has run. OMAP4 needs this done ++ * after enabing the interrupt to clear the wakeup status. ++ */ ++ if (bank->level_mask & BIT(offset)) + omap_clear_gpio_irqstatus(bank, offset); +- } + +- omap_set_gpio_irqenable(bank, offset, 1); + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c +index 5a1bafb5ecbb..ff12d926eb65 100644 +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -3019,6 +3019,7 @@ static int drm_dp_mst_i2c_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs + msg.u.i2c_read.transactions[i].i2c_dev_id = msgs[i].addr; + msg.u.i2c_read.transactions[i].num_bytes = msgs[i].len; + msg.u.i2c_read.transactions[i].bytes = msgs[i].buf; ++ msg.u.i2c_read.transactions[i].no_stop_bit = !(msgs[i].flags & I2C_M_STOP); + } + msg.u.i2c_read.read_i2c_device_id = msgs[num - 1].addr; + msg.u.i2c_read.num_bytes_read = msgs[num - 1].len; +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index 0edc10b44004..c80cc18747cb 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -54,7 +54,8 @@ static void etm4_os_unlock(void *info) + + static bool etm4_arch_supported(u8 arch) + { +- switch (arch) { ++ /* Mask out the minor version number */ ++ switch (arch & 0xf0) { + case ETM_ARCH_V4: + break; + default: +diff --git a/drivers/i2c/i2c-core.c b/drivers/i2c/i2c-core.c +index e4587411b447..153376009b46 100644 +--- a/drivers/i2c/i2c-core.c ++++ b/drivers/i2c/i2c-core.c +@@ -2936,16 +2936,16 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, + the underlying bus driver */ + break; + case I2C_SMBUS_I2C_BLOCK_DATA: ++ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) { ++ dev_err(&adapter->dev, "Invalid block %s size %d\n", ++ read_write == I2C_SMBUS_READ ? "read" : "write", ++ data->block[0]); ++ return -EINVAL; ++ } + if (read_write == I2C_SMBUS_READ) { + msg[1].len = data->block[0]; + } else { + msg[0].len = data->block[0] + 1; +- if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) { +- dev_err(&adapter->dev, +- "Invalid block write size %d\n", +- data->block[0]); +- return -EINVAL; +- } + for (i = 1; i <= data->block[0]; i++) + msgbuf0[i] = data->block[i]; + } +diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c +index 18c1b06684c1..0667b2875ee4 100644 +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -1343,6 +1343,8 @@ static int kxcjk1013_resume(struct device *dev) + + mutex_lock(&data->mutex); + ret = kxcjk1013_set_mode(data, OPERATION); ++ if (ret == 0) ++ ret = kxcjk1013_set_range(data, data->range); + mutex_unlock(&data->mutex); + + return ret; +diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c +index 22c4c17cd996..a1d072ecb717 100644 +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta, + if (sigma_delta->info->has_registers) { + data[0] = reg << sigma_delta->info->addr_shift; + data[0] |= sigma_delta->info->read_mask; ++ data[0] |= sigma_delta->comm; + spi_message_add_tail(&t[0], &m); + } + spi_message_add_tail(&t[1], &m); +diff --git a/drivers/iio/adc/at91_adc.c b/drivers/iio/adc/at91_adc.c +index d83e5b75a37b..4b317ffd144c 100644 +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -702,23 +702,29 @@ static int at91_adc_read_raw(struct iio_dev *idev, + ret = wait_event_interruptible_timeout(st->wq_data_avail, + st->done, + msecs_to_jiffies(1000)); +- if (ret == 0) +- ret = -ETIMEDOUT; +- if (ret < 0) { +- mutex_unlock(&st->lock); +- return ret; +- } +- +- *val = st->last_value; + ++ /* Disable interrupts, regardless if adc conversion was ++ * successful or not ++ */ + at91_adc_writel(st, AT91_ADC_CHDR, + AT91_ADC_CH(chan->channel)); + at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel)); + +- st->last_value = 0; +- st->done = false; ++ if (ret > 0) { ++ /* a valid conversion took place */ ++ *val = st->last_value; ++ st->last_value = 0; ++ st->done = false; ++ ret = IIO_VAL_INT; ++ } else if (ret == 0) { ++ /* conversion timeout */ ++ dev_err(&idev->dev, "ADC Channel %d timeout.\n", ++ chan->channel); ++ ret = -ETIMEDOUT; ++ } ++ + mutex_unlock(&st->lock); +- return IIO_VAL_INT; ++ return ret; + + case IIO_CHAN_INFO_SCALE: + *val = st->vref_mv; +diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c +index 90841abd3ce4..a4dc6a3783d0 100644 +--- a/drivers/iio/gyro/bmg160_core.c ++++ b/drivers/iio/gyro/bmg160_core.c +@@ -519,11 +519,10 @@ static int bmg160_read_raw(struct iio_dev *indio_dev, + } else + return -EINVAL; + case IIO_CHAN_INFO_SCALE: +- *val = 0; + switch (chan->type) { + case IIO_TEMP: +- *val2 = 500000; +- return IIO_VAL_INT_PLUS_MICRO; ++ *val = 500; ++ return IIO_VAL_INT; + case IIO_ANGL_VEL: + { + int i; +@@ -531,6 +530,7 @@ static int bmg160_read_raw(struct iio_dev *indio_dev, + for (i = 0; i < ARRAY_SIZE(bmg160_scale_table); ++i) { + if (bmg160_scale_table[i].dps_range == + data->dps_range) { ++ *val = 0; + *val2 = bmg160_scale_table[i].scale; + return IIO_VAL_INT_PLUS_MICRO; + } +diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c +index 21cb41a60fe8..3a70b418d913 100644 +--- a/drivers/infiniband/hw/mlx4/alias_GUID.c ++++ b/drivers/infiniband/hw/mlx4/alias_GUID.c +@@ -805,8 +805,8 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev) + unsigned long flags; + + for (i = 0 ; i < dev->num_ports; i++) { +- cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work); + det = &sriov->alias_guid.ports_guid[i]; ++ cancel_delayed_work_sync(&det->alias_guid_work); + spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags); + while (!list_empty(&det->cb_list)) { + cb_ctx = list_entry(det->cb_list.next, +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c +index 39a488889fc7..5dc920fe1326 100644 +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -39,7 +39,7 @@ + + #include "mlx4_ib.h" + +-#define CM_CLEANUP_CACHE_TIMEOUT (5 * HZ) ++#define CM_CLEANUP_CACHE_TIMEOUT (30 * HZ) + + struct id_map_entry { + struct rb_node node; +diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c +index 5a63e32a4a6b..cbad1926cec1 100644 +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -143,7 +143,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event) + for (tmp = dev; tmp; tmp = tmp->bus->self) + level++; + +- size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path); ++ size = sizeof(*info) + level * sizeof(info->path[0]); + if (size <= sizeof(dmar_pci_notify_info_buf)) { + info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf; + } else { +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 8b4a4d95669a..3e97c4b2ebed 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -1598,6 +1598,9 @@ static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu) + u32 pmen; + unsigned long flags; + ++ if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap)) ++ return; ++ + raw_spin_lock_irqsave(&iommu->register_lock, flags); + pmen = readl(iommu->reg + DMAR_PMEN_REG); + pmen &= ~DMA_PMEN_EPM; +diff --git a/drivers/leds/leds-lp55xx-common.c b/drivers/leds/leds-lp55xx-common.c +index 59b76833f0d3..fd077c176a62 100644 +--- a/drivers/leds/leds-lp55xx-common.c ++++ b/drivers/leds/leds-lp55xx-common.c +@@ -200,7 +200,7 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) + + if (!fw) { + dev_err(dev, "firmware request failed\n"); +- goto out; ++ return; + } + + /* handling firmware data is chip dependent */ +@@ -213,9 +213,9 @@ static void lp55xx_firmware_loaded(const struct firmware *fw, void *context) + + mutex_unlock(&chip->lock); + +-out: + /* firmware should be released for other channel use */ + release_firmware(chip->fw); ++ chip->fw = NULL; + } + + static int lp55xx_request_firmware(struct lp55xx_chip *chip) +diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c +index 5a5c1f1bd8a5..463ce6757338 100644 +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -215,7 +215,9 @@ STORE(__cached_dev) + d_strtoul(writeback_rate_d_term); + d_strtoul_nonzero(writeback_rate_p_term_inverse); + +- d_strtoi_h(sequential_cutoff); ++ sysfs_strtoul_clamp(sequential_cutoff, ++ dc->sequential_cutoff, ++ 0, UINT_MAX); + d_strtoi_h(readahead); + + if (attr == &sysfs_clear_stats) +@@ -645,8 +647,17 @@ STORE(__bch_cache_set) + c->error_limit = strtoul_or_return(buf) << IO_ERROR_SHIFT; + + /* See count_io_errors() for why 88 */ +- if (attr == &sysfs_io_error_halflife) +- c->error_decay = strtoul_or_return(buf) / 88; ++ if (attr == &sysfs_io_error_halflife) { ++ unsigned long v = 0; ++ ssize_t ret; ++ ++ ret = strtoul_safe_clamp(buf, v, 0, UINT_MAX); ++ if (!ret) { ++ c->error_decay = v / 88; ++ return size; ++ } ++ return ret; ++ } + + sysfs_strtoul(journal_delay_ms, c->journal_delay_ms); + sysfs_strtoul(verify, c->verify); +diff --git a/drivers/md/bcache/sysfs.h b/drivers/md/bcache/sysfs.h +index 0526fe92a683..e7a3c12aa66f 100644 +--- a/drivers/md/bcache/sysfs.h ++++ b/drivers/md/bcache/sysfs.h +@@ -80,9 +80,16 @@ do { \ + + #define sysfs_strtoul_clamp(file, var, min, max) \ + do { \ +- if (attr == &sysfs_ ## file) \ +- return strtoul_safe_clamp(buf, var, min, max) \ +- ?: (ssize_t) size; \ ++ if (attr == &sysfs_ ## file) { \ ++ unsigned long v = 0; \ ++ ssize_t ret; \ ++ ret = strtoul_safe_clamp(buf, v, min, max); \ ++ if (!ret) { \ ++ var = v; \ ++ return size; \ ++ } \ ++ return ret; \ ++ } \ + } while (0) + + #define strtoul_or_return(cp) \ +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index 07eaa9f90712..d52ea584e0bc 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -3210,6 +3210,13 @@ static int pool_ctr(struct dm_target *ti, unsigned argc, char **argv) + as.argc = argc; + as.argv = argv; + ++ /* make sure metadata and data are different devices */ ++ if (!strcmp(argv[0], argv[1])) { ++ ti->error = "Error setting metadata or data device"; ++ r = -EINVAL; ++ goto out_unlock; ++ } ++ + /* + * Set default pool features. + */ +@@ -4092,6 +4099,12 @@ static int thin_ctr(struct dm_target *ti, unsigned argc, char **argv) + tc->sort_bio_list = RB_ROOT; + + if (argc == 3) { ++ if (!strcmp(argv[0], argv[2])) { ++ ti->error = "Error setting origin device"; ++ r = -EINVAL; ++ goto bad_origin_dev; ++ } ++ + r = dm_get_device(ti, argv[2], FMODE_READ, &origin_dev); + if (r) { + ti->error = "Error opening origin device"; +diff --git a/drivers/media/i2c/soc_camera/mt9m111.c b/drivers/media/i2c/soc_camera/mt9m111.c +index 6dfaead6aaa8..1d1ca03c797f 100644 +--- a/drivers/media/i2c/soc_camera/mt9m111.c ++++ b/drivers/media/i2c/soc_camera/mt9m111.c +@@ -988,6 +988,8 @@ static int mt9m111_probe(struct i2c_client *client, + mt9m111->rect.top = MT9M111_MIN_DARK_ROWS; + mt9m111->rect.width = MT9M111_MAX_WIDTH; + mt9m111->rect.height = MT9M111_MAX_HEIGHT; ++ mt9m111->width = mt9m111->rect.width; ++ mt9m111->height = mt9m111->rect.height; + mt9m111->fmt = &mt9m111_colour_fmts[0]; + mt9m111->lastpage = -1; + mutex_init(&mt9m111->power_lock); +diff --git a/drivers/media/platform/mx2_emmaprp.c b/drivers/media/platform/mx2_emmaprp.c +index 03a1b606655d..009a4bb77d05 100644 +--- a/drivers/media/platform/mx2_emmaprp.c ++++ b/drivers/media/platform/mx2_emmaprp.c +@@ -289,7 +289,7 @@ static void emmaprp_device_run(void *priv) + { + struct emmaprp_ctx *ctx = priv; + struct emmaprp_q_data *s_q_data, *d_q_data; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + struct emmaprp_dev *pcdev = ctx->dev; + unsigned int s_width, s_height; + unsigned int d_width, d_height; +@@ -309,8 +309,8 @@ static void emmaprp_device_run(void *priv) + d_height = d_q_data->height; + d_size = d_width * d_height; + +- p_in = vb2_dma_contig_plane_dma_addr(src_buf, 0); +- p_out = vb2_dma_contig_plane_dma_addr(dst_buf, 0); ++ p_in = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0); ++ p_out = vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0); + if (!p_in || !p_out) { + v4l2_err(&pcdev->v4l2_dev, + "Acquiring kernel pointers to buffers failed\n"); +diff --git a/drivers/media/platform/s5p-g2d/g2d.c b/drivers/media/platform/s5p-g2d/g2d.c +index e1936d9d27da..2b939555cccb 100644 +--- a/drivers/media/platform/s5p-g2d/g2d.c ++++ b/drivers/media/platform/s5p-g2d/g2d.c +@@ -497,7 +497,7 @@ static void device_run(void *prv) + { + struct g2d_ctx *ctx = prv; + struct g2d_dev *dev = ctx->dev; +- struct vb2_buffer *src, *dst; ++ struct vb2_v4l2_buffer *src, *dst; + unsigned long flags; + u32 cmd = 0; + +@@ -512,10 +512,10 @@ static void device_run(void *prv) + spin_lock_irqsave(&dev->ctrl_lock, flags); + + g2d_set_src_size(dev, &ctx->in); +- g2d_set_src_addr(dev, vb2_dma_contig_plane_dma_addr(src, 0)); ++ g2d_set_src_addr(dev, vb2_dma_contig_plane_dma_addr(&src->vb2_buf, 0)); + + g2d_set_dst_size(dev, &ctx->out); +- g2d_set_dst_addr(dev, vb2_dma_contig_plane_dma_addr(dst, 0)); ++ g2d_set_dst_addr(dev, vb2_dma_contig_plane_dma_addr(&dst->vb2_buf, 0)); + + g2d_set_rop4(dev, ctx->rop); + g2d_set_flip(dev, ctx->flip); +diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c +index 9c6fc09b88e0..0d981bbf38bc 100644 +--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c +@@ -788,14 +788,14 @@ static void skip(struct s5p_jpeg_buffer *buf, long len); + static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, x, components; + + jpeg_buffer.size = 2; /* Ls */ + jpeg_buffer.data = +- (unsigned long)vb2_plane_vaddr(vb, 0) + ctx->out_q.sos + 2; ++ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2; + jpeg_buffer.curr = 0; + + word = 0; +@@ -825,14 +825,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_huff_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, i, n, j; + + for (j = 0; j < ctx->out_q.dht.n; ++j) { + jpeg_buffer.size = ctx->out_q.dht.len[j]; +- jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(vb, 0) + ++ jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + + ctx->out_q.dht.marker[j]; + jpeg_buffer.curr = 0; + +@@ -884,13 +884,13 @@ static void exynos4_jpeg_parse_huff_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_decode_q_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + int c, x, components; + + jpeg_buffer.size = ctx->out_q.sof_len; + jpeg_buffer.data = +- (unsigned long)vb2_plane_vaddr(vb, 0) + ctx->out_q.sof; ++ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sof; + jpeg_buffer.curr = 0; + + skip(&jpeg_buffer, 5); /* P, Y, X */ +@@ -915,14 +915,14 @@ static void exynos4_jpeg_parse_decode_q_tbl(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_parse_q_tbl(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ struct vb2_v4l2_buffer *vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + struct s5p_jpeg_buffer jpeg_buffer; + unsigned int word; + int c, i, j; + + for (j = 0; j < ctx->out_q.dqt.n; ++j) { + jpeg_buffer.size = ctx->out_q.dqt.len[j]; +- jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(vb, 0) + ++ jpeg_buffer.data = (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + + ctx->out_q.dqt.marker[j]; + jpeg_buffer.curr = 0; + +@@ -1262,13 +1262,16 @@ static int s5p_jpeg_querycap(struct file *file, void *priv, + return 0; + } + +-static int enum_fmt(struct s5p_jpeg_fmt *sjpeg_formats, int n, ++static int enum_fmt(struct s5p_jpeg_ctx *ctx, ++ struct s5p_jpeg_fmt *sjpeg_formats, int n, + struct v4l2_fmtdesc *f, u32 type) + { + int i, num = 0; ++ unsigned int fmt_ver_flag = ctx->jpeg->variant->fmt_ver_flag; + + for (i = 0; i < n; ++i) { +- if (sjpeg_formats[i].flags & type) { ++ if (sjpeg_formats[i].flags & type && ++ sjpeg_formats[i].flags & fmt_ver_flag) { + /* index-th format of type type found ? */ + if (num == f->index) + break; +@@ -1294,11 +1297,11 @@ static int s5p_jpeg_enum_fmt_vid_cap(struct file *file, void *priv, + struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); + + if (ctx->mode == S5P_JPEG_ENCODE) +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, + SJPEG_FMT_FLAG_ENC_CAPTURE); + +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, +- SJPEG_FMT_FLAG_DEC_CAPTURE); ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ SJPEG_FMT_FLAG_DEC_CAPTURE); + } + + static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv, +@@ -1307,11 +1310,11 @@ static int s5p_jpeg_enum_fmt_vid_out(struct file *file, void *priv, + struct s5p_jpeg_ctx *ctx = fh_to_ctx(priv); + + if (ctx->mode == S5P_JPEG_ENCODE) +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, + SJPEG_FMT_FLAG_ENC_OUTPUT); + +- return enum_fmt(sjpeg_formats, SJPEG_NUM_FORMATS, f, +- SJPEG_FMT_FLAG_DEC_OUTPUT); ++ return enum_fmt(ctx, sjpeg_formats, SJPEG_NUM_FORMATS, f, ++ SJPEG_FMT_FLAG_DEC_OUTPUT); + } + + static struct s5p_jpeg_q_data *get_q_data(struct s5p_jpeg_ctx *ctx, +@@ -2016,15 +2019,15 @@ static void s5p_jpeg_device_run(void *priv) + { + struct s5p_jpeg_ctx *ctx = priv; + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + unsigned long src_addr, dst_addr, flags; + + spin_lock_irqsave(&ctx->jpeg->slock, flags); + + src_buf = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); +- src_addr = vb2_dma_contig_plane_dma_addr(src_buf, 0); +- dst_addr = vb2_dma_contig_plane_dma_addr(dst_buf, 0); ++ src_addr = vb2_dma_contig_plane_dma_addr(&src_buf->vb2_buf, 0); ++ dst_addr = vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0); + + s5p_jpeg_reset(jpeg->regs); + s5p_jpeg_poweron(jpeg->regs); +@@ -2097,7 +2100,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; + struct s5p_jpeg_fmt *fmt; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + struct s5p_jpeg_addr jpeg_addr = {}; + u32 pix_size, padding_bytes = 0; + +@@ -2116,7 +2119,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + vb = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); + } + +- jpeg_addr.y = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr.y = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + + if (fmt->colplanes == 2) { + jpeg_addr.cb = jpeg_addr.y + pix_size - padding_bytes; +@@ -2134,7 +2137,7 @@ static void exynos4_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + static void exynos4_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + unsigned int jpeg_addr = 0; + + if (ctx->mode == S5P_JPEG_ENCODE) +@@ -2142,7 +2145,7 @@ static void exynos4_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + else + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + +- jpeg_addr = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + if (jpeg->variant->version == SJPEG_EXYNOS5433 && + ctx->mode == S5P_JPEG_DECODE) + jpeg_addr += ctx->out_q.sos; +@@ -2257,7 +2260,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; + struct s5p_jpeg_fmt *fmt; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + struct s5p_jpeg_addr jpeg_addr = {}; + u32 pix_size; + +@@ -2271,7 +2274,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + fmt = ctx->cap_q.fmt; + } + +- jpeg_addr.y = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr.y = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + + if (fmt->colplanes == 2) { + jpeg_addr.cb = jpeg_addr.y + pix_size; +@@ -2289,7 +2292,7 @@ static void exynos3250_jpeg_set_img_addr(struct s5p_jpeg_ctx *ctx) + static void exynos3250_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + { + struct s5p_jpeg *jpeg = ctx->jpeg; +- struct vb2_buffer *vb; ++ struct vb2_v4l2_buffer *vb; + unsigned int jpeg_addr = 0; + + if (ctx->mode == S5P_JPEG_ENCODE) +@@ -2297,7 +2300,7 @@ static void exynos3250_jpeg_set_jpeg_addr(struct s5p_jpeg_ctx *ctx) + else + vb = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); + +- jpeg_addr = vb2_dma_contig_plane_dma_addr(vb, 0); ++ jpeg_addr = vb2_dma_contig_plane_dma_addr(&vb->vb2_buf, 0); + exynos3250_jpeg_jpgadr(jpeg->regs, jpeg_addr); + } + +diff --git a/drivers/media/platform/sh_veu.c b/drivers/media/platform/sh_veu.c +index d6ab33e7060a..b9f4cdee555e 100644 +--- a/drivers/media/platform/sh_veu.c ++++ b/drivers/media/platform/sh_veu.c +@@ -277,13 +277,13 @@ static void sh_veu_process(struct sh_veu_dev *veu, + static void sh_veu_device_run(void *priv) + { + struct sh_veu_dev *veu = priv; +- struct vb2_buffer *src_buf, *dst_buf; ++ struct vb2_v4l2_buffer *src_buf, *dst_buf; + + src_buf = v4l2_m2m_next_src_buf(veu->m2m_ctx); + dst_buf = v4l2_m2m_next_dst_buf(veu->m2m_ctx); + + if (src_buf && dst_buf) +- sh_veu_process(veu, src_buf, dst_buf); ++ sh_veu_process(veu, &src_buf->vb2_buf, &dst_buf->vb2_buf); + } + + /* ========== video ioctls ========== */ +diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c +index ea2a2ebc6b91..dba7565571a5 100644 +--- a/drivers/mmc/host/davinci_mmc.c ++++ b/drivers/mmc/host/davinci_mmc.c +@@ -1147,7 +1147,7 @@ static inline void mmc_davinci_cpufreq_deregister(struct mmc_davinci_host *host) + { + } + #endif +-static void __init init_mmcsd_host(struct mmc_davinci_host *host) ++static void init_mmcsd_host(struct mmc_davinci_host *host) + { + + mmc_davinci_reset_ctrl(host, 1); +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index 5bcf4f45f8b4..20d422558fa3 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -921,7 +921,7 @@ static inline void set_cmd_timeout(struct mmc_omap_host *host, struct mmc_reques + reg &= ~(1 << 5); + OMAP_MMC_WRITE(host, SDIO, reg); + /* Set maximum timeout */ +- OMAP_MMC_WRITE(host, CTO, 0xff); ++ OMAP_MMC_WRITE(host, CTO, 0xfd); + } + + static inline void set_data_timeout(struct mmc_omap_host *host, struct mmc_request *req) +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a32dcb6718ca..fde7f5efc47d 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3067,8 +3067,12 @@ static int bond_netdev_event(struct notifier_block *this, + return NOTIFY_DONE; + + if (event_dev->flags & IFF_MASTER) { ++ int ret; ++ + netdev_dbg(event_dev, "IFF_MASTER\n"); +- return bond_master_netdev_event(event, event_dev); ++ ret = bond_master_netdev_event(event, event_dev); ++ if (ret != NOTIFY_DONE) ++ return ret; + } + + if (event_dev->flags & IFF_SLAVE) { +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 9ef4caa4b84d..3c20d0dc9256 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -120,7 +120,7 @@ static void enic_init_affinity_hint(struct enic *enic) + + for (i = 0; i < enic->intr_count; i++) { + if (enic_is_err_intr(enic, i) || enic_is_notify_intr(enic, i) || +- (enic->msix[i].affinity_mask && ++ (cpumask_available(enic->msix[i].affinity_mask) && + !cpumask_empty(enic->msix[i].affinity_mask))) + continue; + if (zalloc_cpumask_var(&enic->msix[i].affinity_mask, +@@ -149,7 +149,7 @@ static void enic_set_affinity_hint(struct enic *enic) + for (i = 0; i < enic->intr_count; i++) { + if (enic_is_err_intr(enic, i) || + enic_is_notify_intr(enic, i) || +- !enic->msix[i].affinity_mask || ++ !cpumask_available(enic->msix[i].affinity_mask) || + cpumask_empty(enic->msix[i].affinity_mask)) + continue; + err = irq_set_affinity_hint(enic->msix_entry[i].vector, +@@ -162,7 +162,7 @@ static void enic_set_affinity_hint(struct enic *enic) + for (i = 0; i < enic->wq_count; i++) { + int wq_intr = enic_msix_wq_intr(enic, i); + +- if (enic->msix[wq_intr].affinity_mask && ++ if (cpumask_available(enic->msix[wq_intr].affinity_mask) && + !cpumask_empty(enic->msix[wq_intr].affinity_mask)) + netif_set_xps_queue(enic->netdev, + enic->msix[wq_intr].affinity_mask, +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 6369d88b81c1..6b1cacd86c6e 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -2131,7 +2131,7 @@ static int e1000_request_msix(struct e1000_adapter *adapter) + if (strlen(netdev->name) < (IFNAMSIZ - 5)) + snprintf(adapter->rx_ring->name, + sizeof(adapter->rx_ring->name) - 1, +- "%s-rx-0", netdev->name); ++ "%.14s-rx-0", netdev->name); + else + memcpy(adapter->rx_ring->name, netdev->name, IFNAMSIZ); + err = request_irq(adapter->msix_entries[vector].vector, +@@ -2147,7 +2147,7 @@ static int e1000_request_msix(struct e1000_adapter *adapter) + if (strlen(netdev->name) < (IFNAMSIZ - 5)) + snprintf(adapter->tx_ring->name, + sizeof(adapter->tx_ring->name) - 1, +- "%s-tx-0", netdev->name); ++ "%.14s-tx-0", netdev->name); + else + memcpy(adapter->tx_ring->name, netdev->name, IFNAMSIZ); + err = request_irq(adapter->msix_entries[vector].vector, +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 3b67140eed73..ee6fefe92af4 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -717,6 +717,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ + {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ ++ {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */ + {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ +diff --git a/drivers/net/wireless/mediatek/mt7601u/eeprom.h b/drivers/net/wireless/mediatek/mt7601u/eeprom.h +index 662d12703b69..57b503ae63f1 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/eeprom.h ++++ b/drivers/net/wireless/mediatek/mt7601u/eeprom.h +@@ -17,7 +17,7 @@ + + struct mt7601u_dev; + +-#define MT7601U_EE_MAX_VER 0x0c ++#define MT7601U_EE_MAX_VER 0x0d + #define MT7601U_EEPROM_SIZE 256 + + #define MT7601U_DEFAULT_TX_POWER 6 +diff --git a/drivers/net/wireless/rsi/rsi_common.h b/drivers/net/wireless/rsi/rsi_common.h +index d3fbe33d2324..a13f08fd8690 100644 +--- a/drivers/net/wireless/rsi/rsi_common.h ++++ b/drivers/net/wireless/rsi/rsi_common.h +@@ -75,7 +75,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle) + atomic_inc(&handle->thread_done); + rsi_set_event(&handle->event); + +- wait_for_completion(&handle->completion); + return kthread_stop(handle->task); + } + +diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c +index 7b27c7e23af2..cc10b72607c6 100644 +--- a/drivers/net/wireless/ti/wlcore/main.c ++++ b/drivers/net/wireless/ti/wlcore/main.c +@@ -1123,8 +1123,11 @@ static int wl12xx_chip_wakeup(struct wl1271 *wl, bool plt) + goto out; + + ret = wl12xx_fetch_firmware(wl, plt); +- if (ret < 0) +- goto out; ++ if (ret < 0) { ++ kfree(wl->fw_status); ++ kfree(wl->raw_fw_status); ++ kfree(wl->tx_res_if); ++ } + + out: + return ret; +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 84d501f5ff4e..d85010ebac5a 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3623,6 +3623,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128, + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130, + quirk_dma_func1_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9170, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c47 + c57 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9172, + quirk_dma_func1_alias); +diff --git a/drivers/regulator/act8865-regulator.c b/drivers/regulator/act8865-regulator.c +index f8d4cd3d1397..63a00d1d9360 100644 +--- a/drivers/regulator/act8865-regulator.c ++++ b/drivers/regulator/act8865-regulator.c +@@ -131,7 +131,7 @@ + * ACT8865 voltage number + */ + #define ACT8865_VOLTAGE_NUM 64 +-#define ACT8600_SUDCDC_VOLTAGE_NUM 255 ++#define ACT8600_SUDCDC_VOLTAGE_NUM 256 + + struct act8865 { + struct regmap *regmap; +@@ -154,7 +154,8 @@ static const struct regulator_linear_range act8600_sudcdc_voltage_ranges[] = { + REGULATOR_LINEAR_RANGE(3000000, 0, 63, 0), + REGULATOR_LINEAR_RANGE(3000000, 64, 159, 100000), + REGULATOR_LINEAR_RANGE(12600000, 160, 191, 200000), +- REGULATOR_LINEAR_RANGE(19000000, 191, 255, 400000), ++ REGULATOR_LINEAR_RANGE(19000000, 192, 247, 400000), ++ REGULATOR_LINEAR_RANGE(41400000, 248, 255, 0), + }; + + static struct regulator_ops act8865_ops = { +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index ac7acd257c99..2422094f1f15 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -3847,6 +3847,7 @@ int megasas_alloc_cmds(struct megasas_instance *instance) + if (megasas_create_frame_pool(instance)) { + dev_printk(KERN_DEBUG, &instance->pdev->dev, "Error creating frame DMA pool\n"); + megasas_free_cmds(instance); ++ return -ENOMEM; + } + + return 0; +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index 850ddc5fac04..3e2288af56bc 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -217,7 +217,7 @@ static struct scsi_device *scsi_alloc_sdev(struct scsi_target *starget, + extern void scsi_requeue_run_queue(struct work_struct *work); + + sdev = kzalloc(sizeof(*sdev) + shost->transportt->device_size, +- GFP_ATOMIC); ++ GFP_KERNEL); + if (!sdev) + goto out; + +@@ -791,7 +791,7 @@ static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result, + */ + sdev->inquiry = kmemdup(inq_result, + max_t(size_t, sdev->inquiry_len, 36), +- GFP_ATOMIC); ++ GFP_KERNEL); + if (sdev->inquiry == NULL) + return SCSI_SCAN_NO_RESPONSE; + +@@ -1085,7 +1085,7 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + if (!sdev) + goto out; + +- result = kmalloc(result_len, GFP_ATOMIC | ++ result = kmalloc(result_len, GFP_KERNEL | + ((shost->unchecked_isa_dma) ? __GFP_DMA : 0)); + if (!result) + goto out_free_sdev; +diff --git a/drivers/soc/qcom/qcom_gsbi.c b/drivers/soc/qcom/qcom_gsbi.c +index 09c669e70d63..038abc377fdb 100644 +--- a/drivers/soc/qcom/qcom_gsbi.c ++++ b/drivers/soc/qcom/qcom_gsbi.c +@@ -138,7 +138,7 @@ static int gsbi_probe(struct platform_device *pdev) + struct resource *res; + void __iomem *base; + struct gsbi_info *gsbi; +- int i; ++ int i, ret; + u32 mask, gsbi_num; + const struct crci_config *config = NULL; + +@@ -221,7 +221,10 @@ static int gsbi_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, gsbi); + +- return of_platform_populate(node, NULL, NULL, &pdev->dev); ++ ret = of_platform_populate(node, NULL, NULL, &pdev->dev); ++ if (ret) ++ clk_disable_unprepare(gsbi->hclk); ++ return ret; + } + + static int gsbi_remove(struct platform_device *pdev) +diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c +index de2c1bfe28b5..c4f5e5bbb8dc 100644 +--- a/drivers/soc/tegra/fuse/fuse-tegra.c ++++ b/drivers/soc/tegra/fuse/fuse-tegra.c +@@ -131,13 +131,17 @@ static int tegra_fuse_probe(struct platform_device *pdev) + /* take over the memory region from the early initialization */ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + fuse->base = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(fuse->base)) +- return PTR_ERR(fuse->base); ++ if (IS_ERR(fuse->base)) { ++ err = PTR_ERR(fuse->base); ++ fuse->base = base; ++ return err; ++ } + + fuse->clk = devm_clk_get(&pdev->dev, "fuse"); + if (IS_ERR(fuse->clk)) { + dev_err(&pdev->dev, "failed to get FUSE clock: %ld", + PTR_ERR(fuse->clk)); ++ fuse->base = base; + return PTR_ERR(fuse->clk); + } + +@@ -146,8 +150,10 @@ static int tegra_fuse_probe(struct platform_device *pdev) + + if (fuse->soc->probe) { + err = fuse->soc->probe(fuse); +- if (err < 0) ++ if (err < 0) { ++ fuse->base = base; + return err; ++ } + } + + if (tegra_fuse_create_sysfs(&pdev->dev, fuse->soc->info->size, +diff --git a/drivers/staging/comedi/drivers/ni_usb6501.c b/drivers/staging/comedi/drivers/ni_usb6501.c +index 95b537a8ecdb..6778e2b73667 100644 +--- a/drivers/staging/comedi/drivers/ni_usb6501.c ++++ b/drivers/staging/comedi/drivers/ni_usb6501.c +@@ -472,10 +472,8 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev) + + size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } +@@ -527,6 +525,9 @@ static int ni6501_auto_attach(struct comedi_device *dev, + if (!devpriv) + return -ENOMEM; + ++ mutex_init(&devpriv->mut); ++ usb_set_intfdata(intf, devpriv); ++ + ret = ni6501_find_endpoints(dev); + if (ret) + return ret; +@@ -535,9 +536,6 @@ static int ni6501_auto_attach(struct comedi_device *dev, + if (ret) + return ret; + +- mutex_init(&devpriv->mut); +- usb_set_intfdata(intf, devpriv); +- + ret = comedi_alloc_subdevices(dev, 2); + if (ret) + return ret; +diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c +index 8c7393ef762d..95e53cfd76a4 100644 +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -691,10 +691,8 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev) + + size = le16_to_cpu(devpriv->ep_tx->wMaxPacketSize); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } +@@ -809,6 +807,8 @@ static int vmk80xx_auto_attach(struct comedi_device *dev, + + devpriv->model = board->model; + ++ sema_init(&devpriv->limit_sem, 8); ++ + ret = vmk80xx_find_usb_endpoints(dev); + if (ret) + return ret; +@@ -817,8 +817,6 @@ static int vmk80xx_auto_attach(struct comedi_device *dev, + if (ret) + return ret; + +- sema_init(&devpriv->limit_sem, 8); +- + usb_set_intfdata(intf, devpriv); + + if (devpriv->model == VMK8055_MODEL) +diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c +index 5836e5554433..d4c374cc4f74 100644 +--- a/drivers/thermal/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c +@@ -20,6 +20,13 @@ enum int3400_thermal_uuid { + INT3400_THERMAL_PASSIVE_1, + INT3400_THERMAL_ACTIVE, + INT3400_THERMAL_CRITICAL, ++ INT3400_THERMAL_ADAPTIVE_PERFORMANCE, ++ INT3400_THERMAL_EMERGENCY_CALL_MODE, ++ INT3400_THERMAL_PASSIVE_2, ++ INT3400_THERMAL_POWER_BOSS, ++ INT3400_THERMAL_VIRTUAL_SENSOR, ++ INT3400_THERMAL_COOLING_MODE, ++ INT3400_THERMAL_HARDWARE_DUTY_CYCLING, + INT3400_THERMAL_MAXIMUM_UUID, + }; + +@@ -27,6 +34,13 @@ static u8 *int3400_thermal_uuids[INT3400_THERMAL_MAXIMUM_UUID] = { + "42A441D6-AE6A-462b-A84B-4A8CE79027D3", + "3A95C389-E4B8-4629-A526-C52C88626BAE", + "97C68AE7-15FA-499c-B8C9-5DA81D606E0A", ++ "63BE270F-1C11-48FD-A6F7-3AF253FF3E2D", ++ "5349962F-71E6-431D-9AE8-0A635B710AEE", ++ "9E04115A-AE87-4D1C-9500-0F3E340BFE75", ++ "F5A35014-C209-46A4-993A-EB56DE7530A1", ++ "6ED722A7-9240-48A5-B479-31EEF723D7CF", ++ "16CAF1B7-DD38-40ED-B1C1-1B8A1913D531", ++ "BE84BABF-C4D4-403D-B495-3128FD44dAC1", + }; + + struct int3400_thermal_priv { +@@ -271,10 +285,9 @@ static int int3400_thermal_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, priv); + +- if (priv->uuid_bitmap & 1 << INT3400_THERMAL_PASSIVE_1) { +- int3400_thermal_ops.get_mode = int3400_thermal_get_mode; +- int3400_thermal_ops.set_mode = int3400_thermal_set_mode; +- } ++ int3400_thermal_ops.get_mode = int3400_thermal_get_mode; ++ int3400_thermal_ops.set_mode = int3400_thermal_set_mode; ++ + priv->thermal = thermal_zone_device_register("INT3400 Thermal", 0, 0, + priv, &int3400_thermal_ops, + &int3400_thermal_params, 0, 0); +diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig +index 82c4d2e45319..864cceea46ad 100644 +--- a/drivers/tty/Kconfig ++++ b/drivers/tty/Kconfig +@@ -466,4 +466,27 @@ config MIPS_EJTAG_FDC_KGDB_CHAN + help + FDC channel number to use for KGDB. + ++config LDISC_AUTOLOAD ++ bool "Automatically load TTY Line Disciplines" ++ default y ++ help ++ Historically the kernel has always automatically loaded any ++ line discipline that is in a kernel module when a user asks ++ for it to be loaded with the TIOCSETD ioctl, or through other ++ means. This is not always the best thing to do on systems ++ where you know you will not be using some of the more ++ "ancient" line disciplines, so prevent the kernel from doing ++ this unless the request is coming from a process with the ++ CAP_SYS_MODULE permissions. ++ ++ Say 'Y' here if you trust your userspace users to do the right ++ thing, or if you have only provided the line disciplines that ++ you know you will be using, or if you wish to continue to use ++ the traditional method of on-demand loading of these modules ++ by any user. ++ ++ This functionality can be changed at runtime with the ++ dev.tty.ldisc_autoload sysctl, this configuration option will ++ only set the default value of this functionality. ++ + endif # TTY +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index f5c4e92b5172..fc46c8cf5fcd 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -169,6 +169,8 @@ struct atmel_uart_port { + unsigned int pending_status; + spinlock_t lock_suspended; + ++ bool hd_start_rx; /* can start RX during half-duplex operation */ ++ + int (*prepare_rx)(struct uart_port *port); + int (*prepare_tx)(struct uart_port *port); + void (*schedule_rx)(struct uart_port *port); +@@ -237,6 +239,12 @@ static inline void atmel_uart_write_char(struct uart_port *port, u8 value) + + #endif + ++static inline int atmel_uart_is_half_duplex(struct uart_port *port) ++{ ++ return (port->rs485.flags & SER_RS485_ENABLED) && ++ !(port->rs485.flags & SER_RS485_RX_DURING_TX); ++} ++ + #ifdef CONFIG_SERIAL_ATMEL_PDC + static bool atmel_use_pdc_rx(struct uart_port *port) + { +@@ -481,9 +489,9 @@ static void atmel_stop_tx(struct uart_port *port) + /* Disable interrupts */ + atmel_uart_writel(port, ATMEL_US_IDR, atmel_port->tx_done_mask); + +- if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) ++ if (atmel_uart_is_half_duplex(port)) + atmel_start_rx(port); ++ + } + + /* +@@ -500,8 +508,7 @@ static void atmel_start_tx(struct uart_port *port) + return; + + if (atmel_use_pdc_tx(port) || atmel_use_dma_tx(port)) +- if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) ++ if (atmel_uart_is_half_duplex(port)) + atmel_stop_rx(port); + + if (atmel_use_pdc_tx(port)) +@@ -810,10 +817,14 @@ static void atmel_complete_tx_dma(void *arg) + */ + if (!uart_circ_empty(xmit)) + tasklet_schedule(&atmel_port->tasklet); +- else if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) { +- /* DMA done, stop TX, start RX for RS485 */ +- atmel_start_rx(port); ++ else if (atmel_uart_is_half_duplex(port)) { ++ /* ++ * DMA done, re-enable TXEMPTY and signal that we can stop ++ * TX and start RX for RS485 ++ */ ++ atmel_port->hd_start_rx = true; ++ atmel_uart_writel(port, ATMEL_US_IER, ++ atmel_port->tx_done_mask); + } + + spin_unlock_irqrestore(&port->lock, flags); +@@ -1253,9 +1264,20 @@ atmel_handle_transmit(struct uart_port *port, unsigned int pending) + struct atmel_uart_port *atmel_port = to_atmel_uart_port(port); + + if (pending & atmel_port->tx_done_mask) { +- /* Either PDC or interrupt transmission */ + atmel_uart_writel(port, ATMEL_US_IDR, + atmel_port->tx_done_mask); ++ ++ /* Start RX if flag was set and FIFO is empty */ ++ if (atmel_port->hd_start_rx) { ++ if (!(atmel_uart_readl(port, ATMEL_US_CSR) ++ & ATMEL_US_TXEMPTY)) ++ dev_warn(port->dev, "Should start RX, but TX fifo is not empty\n"); ++ ++ atmel_port->hd_start_rx = false; ++ atmel_start_rx(port); ++ return; ++ } ++ + tasklet_schedule(&atmel_port->tasklet); + } + } +@@ -1388,8 +1410,7 @@ static void atmel_tx_pdc(struct uart_port *port) + atmel_uart_writel(port, ATMEL_US_IER, + atmel_port->tx_done_mask); + } else { +- if ((port->rs485.flags & SER_RS485_ENABLED) && +- !(port->rs485.flags & SER_RS485_RX_DURING_TX)) { ++ if (atmel_uart_is_half_duplex(port)) { + /* DMA done, stop TX, start RX for RS485 */ + atmel_start_rx(port); + } +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 4f2f4aca8d2e..06efcef1b495 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1145,7 +1145,7 @@ static void cdns_uart_console_write(struct console *co, const char *s, + * + * Return: 0 on success, negative errno otherwise. + */ +-static int __init cdns_uart_console_setup(struct console *co, char *options) ++static int cdns_uart_console_setup(struct console *co, char *options) + { + struct uart_port *port = &cdns_uart_port[co->index]; + int baud = 9600; +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c +index 355e9cad680d..4706df20191b 100644 +--- a/drivers/tty/tty_buffer.c ++++ b/drivers/tty/tty_buffer.c +@@ -25,7 +25,7 @@ + * Byte threshold to limit memory consumption for flip buffers. + * The actual memory limit is > 2x this amount. + */ +-#define TTYB_DEFAULT_MEM_LIMIT 65536 ++#define TTYB_DEFAULT_MEM_LIMIT (640 * 1024UL) + + /* + * We default to dicing tty buffer allocations to this many characters +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 5b86ebc76a8a..b7effcfee91d 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -513,6 +513,8 @@ void proc_clear_tty(struct task_struct *p) + tty_kref_put(tty); + } + ++extern void tty_sysctl_init(void); ++ + /** + * proc_set_tty - set the controlling terminal + * +@@ -3689,6 +3691,7 @@ void console_sysfs_notify(void) + */ + int __init tty_init(void) + { ++ tty_sysctl_init(); + cdev_init(&tty_cdev, &tty_fops); + if (cdev_add(&tty_cdev, MKDEV(TTYAUX_MAJOR, 0), 1) || + register_chrdev_region(MKDEV(TTYAUX_MAJOR, 0), 1, "/dev/tty") < 0) +diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c +index d9e013dc2c08..02ab7e2d4494 100644 +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -148,6 +148,13 @@ static void put_ldops(struct tty_ldisc_ops *ldops) + * takes tty_ldiscs_lock to guard against ldisc races + */ + ++#if defined(CONFIG_LDISC_AUTOLOAD) ++ #define INITIAL_AUTOLOAD_STATE 1 ++#else ++ #define INITIAL_AUTOLOAD_STATE 0 ++#endif ++static int tty_ldisc_autoload = INITIAL_AUTOLOAD_STATE; ++ + static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc) + { + struct tty_ldisc *ld; +@@ -162,6 +169,8 @@ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc) + */ + ldops = get_ldops(disc); + if (IS_ERR(ldops)) { ++ if (!capable(CAP_SYS_MODULE) && !tty_ldisc_autoload) ++ return ERR_PTR(-EPERM); + request_module("tty-ldisc-%d", disc); + ldops = get_ldops(disc); + if (IS_ERR(ldops)) +@@ -830,3 +839,41 @@ void tty_ldisc_begin(void) + /* Setup the default TTY line discipline. */ + (void) tty_register_ldisc(N_TTY, &tty_ldisc_N_TTY); + } ++ ++static int zero; ++static int one = 1; ++static struct ctl_table tty_table[] = { ++ { ++ .procname = "ldisc_autoload", ++ .data = &tty_ldisc_autoload, ++ .maxlen = sizeof(tty_ldisc_autoload), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &zero, ++ .extra2 = &one, ++ }, ++ { } ++}; ++ ++static struct ctl_table tty_dir_table[] = { ++ { ++ .procname = "tty", ++ .mode = 0555, ++ .child = tty_table, ++ }, ++ { } ++}; ++ ++static struct ctl_table tty_root_table[] = { ++ { ++ .procname = "dev", ++ .mode = 0555, ++ .child = tty_dir_table, ++ }, ++ { } ++}; ++ ++void tty_sysctl_init(void) ++{ ++ register_sysctl_table(tty_root_table); ++} +diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c +index 57ee43512992..dee22d8effda 100644 +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -913,8 +913,15 @@ static int ci_hdrc_probe(struct platform_device *pdev) + } else if (ci->platdata->usb_phy) { + ci->usb_phy = ci->platdata->usb_phy; + } else { ++ ci->usb_phy = devm_usb_get_phy_by_phandle(dev->parent, "phys", ++ 0); + ci->phy = devm_phy_get(dev->parent, "usb-phy"); +- ci->usb_phy = devm_usb_get_phy(dev->parent, USB_PHY_TYPE_USB2); ++ ++ /* Fallback to grabbing any registered USB2 PHY */ ++ if (IS_ERR(ci->usb_phy) && ++ PTR_ERR(ci->usb_phy) != -EPROBE_DEFER) ++ ci->usb_phy = devm_usb_get_phy(dev->parent, ++ USB_PHY_TYPE_USB2); + + /* if both generic PHY and USB PHY layers aren't enabled */ + if (PTR_ERR(ci->phy) == -ENOSYS && +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index ea2bd6208a2f..9eae191728d2 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -425,6 +425,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + { + unsigned int x; + ++ if (image->width > info->var.xres || image->height > info->var.yres) ++ return; ++ + if (rotate == FB_ROTATE_UR) { + for (x = 0; + x < num && image->dx + image->width <= info->var.xres; +diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c +index 6caca025019d..1e9bb8db7b48 100644 +--- a/fs/9p/v9fs.c ++++ b/fs/9p/v9fs.c +@@ -59,6 +59,8 @@ enum { + Opt_cache_loose, Opt_fscache, Opt_mmap, + /* Access options */ + Opt_access, Opt_posixacl, ++ /* Lock timeout option */ ++ Opt_locktimeout, + /* Error token */ + Opt_err + }; +@@ -78,6 +80,7 @@ static const match_table_t tokens = { + {Opt_cachetag, "cachetag=%s"}, + {Opt_access, "access=%s"}, + {Opt_posixacl, "posixacl"}, ++ {Opt_locktimeout, "locktimeout=%u"}, + {Opt_err, NULL} + }; + +@@ -126,6 +129,7 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts) + #ifdef CONFIG_9P_FSCACHE + v9ses->cachetag = NULL; + #endif ++ v9ses->session_lock_timeout = P9_LOCK_TIMEOUT; + + if (!opts) + return 0; +@@ -298,6 +302,23 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts) + #endif + break; + ++ case Opt_locktimeout: ++ r = match_int(&args[0], &option); ++ if (r < 0) { ++ p9_debug(P9_DEBUG_ERROR, ++ "integer field, but no integer?\n"); ++ ret = r; ++ continue; ++ } ++ if (option < 1) { ++ p9_debug(P9_DEBUG_ERROR, ++ "locktimeout must be a greater than zero integer.\n"); ++ ret = -EINVAL; ++ continue; ++ } ++ v9ses->session_lock_timeout = (long)option * HZ; ++ break; ++ + default: + continue; + } +diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h +index 6877050384a1..3775f275ede3 100644 +--- a/fs/9p/v9fs.h ++++ b/fs/9p/v9fs.h +@@ -116,6 +116,7 @@ struct v9fs_session_info { + struct list_head slist; /* list of sessions registered with v9fs */ + struct backing_dev_info bdi; + struct rw_semaphore rename_sem; ++ long session_lock_timeout; /* retry interval for blocking locks */ + }; + + /* cache_validity flags */ +diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c +index 7d889f56b8e7..05769219d2c2 100644 +--- a/fs/9p/vfs_dir.c ++++ b/fs/9p/vfs_dir.c +@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx) + int err = 0; + struct p9_fid *fid; + int buflen; +- int reclen = 0; + struct p9_rdir *rdir; + struct kvec kvec; + +@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx) + while (rdir->head < rdir->tail) { + err = p9stat_read(fid->clnt, rdir->buf + rdir->head, + rdir->tail - rdir->head, &st); +- if (err) { ++ if (err <= 0) { + p9_debug(P9_DEBUG_VFS, "returned %d\n", err); + return -EIO; + } +- reclen = st.size+2; + + over = !dir_emit(ctx, st.name, strlen(st.name), + v9fs_qid2ino(&st.qid), dt_type(&st)); +@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx) + if (over) + return 0; + +- rdir->head += reclen; +- ctx->pos += reclen; ++ rdir->head += err; ++ ctx->pos += err; + } + } + } +diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c +index 62ce8b4a7e5f..373cc50544e9 100644 +--- a/fs/9p/vfs_file.c ++++ b/fs/9p/vfs_file.c +@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) + uint8_t status = P9_LOCK_ERROR; + int res = 0; + unsigned char fl_type; ++ struct v9fs_session_info *v9ses; + + fid = filp->private_data; + BUG_ON(fid == NULL); +@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) + if (IS_SETLKW(cmd)) + flock.flags = P9_LOCK_FLAGS_BLOCK; + ++ v9ses = v9fs_inode2v9ses(file_inode(filp)); ++ + /* + * if its a blocked request and we get P9_LOCK_BLOCKED as the status + * for lock request, keep on trying +@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl) + break; + if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd)) + break; +- if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0) ++ if (schedule_timeout_interruptible(v9ses->session_lock_timeout) ++ != 0) + break; + /* + * p9_client_lock_dotl overwrites flock.client_id with the +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index f010d6c8dd14..f1f32e55d877 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -850,6 +850,7 @@ static int load_elf_binary(struct linux_binprm *bprm) + current->flags |= PF_RANDOMIZE; + + setup_new_exec(bprm); ++ install_exec_creds(bprm); + + /* Do this so that we can load the interpreter, if need be. We will + change some of these later */ +@@ -1084,7 +1085,6 @@ static int load_elf_binary(struct linux_binprm *bprm) + goto out; + #endif /* ARCH_HAS_SETUP_ADDITIONAL_PAGES */ + +- install_exec_creds(bprm); + retval = create_elf_tables(bprm, &loc->elf_ex, + load_addr, interp_load_addr); + if (retval < 0) +diff --git a/fs/buffer.c b/fs/buffer.c +index 6f7d519a093b..f278e27bd8c0 100644 +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -2985,6 +2985,13 @@ void guard_bio_eod(int rw, struct bio *bio) + /* Uhhuh. We've got a bio that straddles the device size! */ + truncated_bytes = bio->bi_iter.bi_size - (maxsector << 9); + ++ /* ++ * The bio contains more than one segment which spans EOD, just return ++ * and let IO layer turn it into an EIO ++ */ ++ if (truncated_bytes > bvec->bv_len) ++ return; ++ + /* Truncate the bio.. */ + bio->bi_iter.bi_size -= truncated_bytes; + bvec->bv_len -= truncated_bytes; +diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c +index 7dc886c9a78f..1ea643faf04b 100644 +--- a/fs/cifs/cifs_dfs_ref.c ++++ b/fs/cifs/cifs_dfs_ref.c +@@ -266,9 +266,9 @@ static void dump_referral(const struct dfs_info3_param *ref) + { + cifs_dbg(FYI, "DFS: ref path: %s\n", ref->path_name); + cifs_dbg(FYI, "DFS: node path: %s\n", ref->node_name); +- cifs_dbg(FYI, "DFS: fl: %hd, srv_type: %hd\n", ++ cifs_dbg(FYI, "DFS: fl: %d, srv_type: %d\n", + ref->flags, ref->server_type); +- cifs_dbg(FYI, "DFS: ref_flags: %hd, path_consumed: %hd\n", ++ cifs_dbg(FYI, "DFS: ref_flags: %d, path_consumed: %d\n", + ref->ref_flag, ref->path_consumed); + } + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index eacf57c24ca9..9cb72fd40eff 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1255,6 +1255,11 @@ cifs_parse_devname(const char *devname, struct smb_vol *vol) + const char *delims = "/\\"; + size_t len; + ++ if (unlikely(!devname || !*devname)) { ++ cifs_dbg(VFS, "Device name not specified.\n"); ++ return -EINVAL; ++ } ++ + /* make sure we have a valid UNC double delimiter prefix */ + len = strspn(devname, delims); + if (len != 2) +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 0305e3866216..23a8374fa97f 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1574,8 +1574,20 @@ cifs_setlk(struct file *file, struct file_lock *flock, __u32 type, + rc = server->ops->mand_unlock_range(cfile, flock, xid); + + out: +- if (flock->fl_flags & FL_POSIX && !rc) ++ if (flock->fl_flags & FL_POSIX) { ++ /* ++ * If this is a request to remove all locks because we ++ * are closing the file, it doesn't matter if the ++ * unlocking failed as both cifs.ko and the SMB server ++ * remove the lock on file close ++ */ ++ if (rc) { ++ cifs_dbg(VFS, "%s failed rc=%d\n", __func__, rc); ++ if (!(flock->fl_flags & FL_CLOSE)) ++ return rc; ++ } + rc = locks_lock_file_wait(file, flock); ++ } + return rc; + } + +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index 5c3187df9ab9..d8bd8dd36211 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -759,43 +759,50 @@ cifs_get_inode_info(struct inode **inode, const char *full_path, + } else if ((rc == -EACCES) && backup_cred(cifs_sb) && + (strcmp(server->vals->version_string, SMB1_VERSION_STRING) + == 0)) { +- /* +- * For SMB2 and later the backup intent flag is already +- * sent if needed on open and there is no path based +- * FindFirst operation to use to retry with +- */ +- +- srchinf = kzalloc(sizeof(struct cifs_search_info), +- GFP_KERNEL); +- if (srchinf == NULL) { +- rc = -ENOMEM; +- goto cgii_exit; +- } ++ /* ++ * For SMB2 and later the backup intent flag is already ++ * sent if needed on open and there is no path based ++ * FindFirst operation to use to retry with ++ */ ++ ++ srchinf = kzalloc(sizeof(struct cifs_search_info), ++ GFP_KERNEL); ++ if (srchinf == NULL) { ++ rc = -ENOMEM; ++ goto cgii_exit; ++ } + +- srchinf->endOfSearch = false; ++ srchinf->endOfSearch = false; ++ if (tcon->unix_ext) ++ srchinf->info_level = SMB_FIND_FILE_UNIX; ++ else if ((tcon->ses->capabilities & ++ tcon->ses->server->vals->cap_nt_find) == 0) ++ srchinf->info_level = SMB_FIND_FILE_INFO_STANDARD; ++ else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM) + srchinf->info_level = SMB_FIND_FILE_ID_FULL_DIR_INFO; ++ else /* no srvino useful for fallback to some netapp */ ++ srchinf->info_level = SMB_FIND_FILE_DIRECTORY_INFO; + +- srchflgs = CIFS_SEARCH_CLOSE_ALWAYS | +- CIFS_SEARCH_CLOSE_AT_END | +- CIFS_SEARCH_BACKUP_SEARCH; ++ srchflgs = CIFS_SEARCH_CLOSE_ALWAYS | ++ CIFS_SEARCH_CLOSE_AT_END | ++ CIFS_SEARCH_BACKUP_SEARCH; + +- rc = CIFSFindFirst(xid, tcon, full_path, +- cifs_sb, NULL, srchflgs, srchinf, false); +- if (!rc) { +- data = +- (FILE_ALL_INFO *)srchinf->srch_entries_start; ++ rc = CIFSFindFirst(xid, tcon, full_path, ++ cifs_sb, NULL, srchflgs, srchinf, false); ++ if (!rc) { ++ data = (FILE_ALL_INFO *)srchinf->srch_entries_start; + +- cifs_dir_info_to_fattr(&fattr, +- (FILE_DIRECTORY_INFO *)data, cifs_sb); +- fattr.cf_uniqueid = le64_to_cpu( +- ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId); +- validinum = true; ++ cifs_dir_info_to_fattr(&fattr, ++ (FILE_DIRECTORY_INFO *)data, cifs_sb); ++ fattr.cf_uniqueid = le64_to_cpu( ++ ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId); ++ validinum = true; + +- cifs_buf_release(srchinf->ntwrk_buf_start); +- } +- kfree(srchinf); +- if (rc) +- goto cgii_exit; ++ cifs_buf_release(srchinf->ntwrk_buf_start); ++ } ++ kfree(srchinf); ++ if (rc) ++ goto cgii_exit; + } else + goto cgii_exit; + +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index efd72e1fae74..f7a9adab0b84 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -305,7 +305,7 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr) + remaining = tgt_total_cnt - total_in_tgt; + + if (remaining < 0) { +- cifs_dbg(FYI, "Server sent too much data. tgt_total_cnt=%hu total_in_tgt=%hu\n", ++ cifs_dbg(FYI, "Server sent too much data. tgt_total_cnt=%hu total_in_tgt=%u\n", + tgt_total_cnt, total_in_tgt); + return -EPROTO; + } +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c +index 98c25b969ab8..7e93d5706bf6 100644 +--- a/fs/cifs/smb2maperror.c ++++ b/fs/cifs/smb2maperror.c +@@ -1034,7 +1034,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = { + {STATUS_UNFINISHED_CONTEXT_DELETED, -EIO, + "STATUS_UNFINISHED_CONTEXT_DELETED"}, + {STATUS_NO_TGT_REPLY, -EIO, "STATUS_NO_TGT_REPLY"}, +- {STATUS_OBJECTID_NOT_FOUND, -EIO, "STATUS_OBJECTID_NOT_FOUND"}, ++ /* Note that ENOATTTR and ENODATA are the same errno */ ++ {STATUS_OBJECTID_NOT_FOUND, -ENODATA, "STATUS_OBJECTID_NOT_FOUND"}, + {STATUS_NO_IP_ADDRESSES, -EIO, "STATUS_NO_IP_ADDRESSES"}, + {STATUS_WRONG_CREDENTIAL_HANDLE, -EIO, + "STATUS_WRONG_CREDENTIAL_HANDLE"}, +diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c +index 8f3e78eb0bbd..08f3a0c0f468 100644 +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -1323,6 +1323,7 @@ int ext4_ind_remove_space(handle_t *handle, struct inode *inode, + ext4_lblk_t offsets[4], offsets2[4]; + Indirect chain[4], chain2[4]; + Indirect *partial, *partial2; ++ Indirect *p = NULL, *p2 = NULL; + ext4_lblk_t max_block; + __le32 nr = 0, nr2 = 0; + int n = 0, n2 = 0; +@@ -1364,7 +1365,7 @@ int ext4_ind_remove_space(handle_t *handle, struct inode *inode, + } + + +- partial = ext4_find_shared(inode, n, offsets, chain, &nr); ++ partial = p = ext4_find_shared(inode, n, offsets, chain, &nr); + if (nr) { + if (partial == chain) { + /* Shared branch grows from the inode */ +@@ -1389,13 +1390,11 @@ int ext4_ind_remove_space(handle_t *handle, struct inode *inode, + partial->p + 1, + (__le32 *)partial->bh->b_data+addr_per_block, + (chain+n-1) - partial); +- BUFFER_TRACE(partial->bh, "call brelse"); +- brelse(partial->bh); + partial--; + } + + end_range: +- partial2 = ext4_find_shared(inode, n2, offsets2, chain2, &nr2); ++ partial2 = p2 = ext4_find_shared(inode, n2, offsets2, chain2, &nr2); + if (nr2) { + if (partial2 == chain2) { + /* +@@ -1425,16 +1424,14 @@ end_range: + (__le32 *)partial2->bh->b_data, + partial2->p, + (chain2+n2-1) - partial2); +- BUFFER_TRACE(partial2->bh, "call brelse"); +- brelse(partial2->bh); + partial2--; + } + goto do_indirects; + } + + /* Punch happened within the same level (n == n2) */ +- partial = ext4_find_shared(inode, n, offsets, chain, &nr); +- partial2 = ext4_find_shared(inode, n2, offsets2, chain2, &nr2); ++ partial = p = ext4_find_shared(inode, n, offsets, chain, &nr); ++ partial2 = p2 = ext4_find_shared(inode, n2, offsets2, chain2, &nr2); + + /* Free top, but only if partial2 isn't its subtree. */ + if (nr) { +@@ -1491,15 +1488,7 @@ end_range: + partial->p + 1, + partial2->p, + (chain+n-1) - partial); +- while (partial > chain) { +- BUFFER_TRACE(partial->bh, "call brelse"); +- brelse(partial->bh); +- } +- while (partial2 > chain2) { +- BUFFER_TRACE(partial2->bh, "call brelse"); +- brelse(partial2->bh); +- } +- return 0; ++ goto cleanup; + } + + /* +@@ -1514,8 +1503,6 @@ end_range: + partial->p + 1, + (__le32 *)partial->bh->b_data+addr_per_block, + (chain+n-1) - partial); +- BUFFER_TRACE(partial->bh, "call brelse"); +- brelse(partial->bh); + partial--; + } + if (partial2 > chain2 && depth2 <= depth) { +@@ -1523,11 +1510,21 @@ end_range: + (__le32 *)partial2->bh->b_data, + partial2->p, + (chain2+n2-1) - partial2); +- BUFFER_TRACE(partial2->bh, "call brelse"); +- brelse(partial2->bh); + partial2--; + } + } ++ ++cleanup: ++ while (p && p > chain) { ++ BUFFER_TRACE(p->bh, "call brelse"); ++ brelse(p->bh); ++ p--; ++ } ++ while (p2 && p2 > chain2) { ++ BUFFER_TRACE(p2->bh, "call brelse"); ++ brelse(p2->bh); ++ p2--; ++ } + return 0; + + do_indirects: +@@ -1535,7 +1532,7 @@ do_indirects: + switch (offsets[0]) { + default: + if (++n >= n2) +- return 0; ++ break; + nr = i_data[EXT4_IND_BLOCK]; + if (nr) { + ext4_free_branches(handle, inode, NULL, &nr, &nr+1, 1); +@@ -1543,7 +1540,7 @@ do_indirects: + } + case EXT4_IND_BLOCK: + if (++n >= n2) +- return 0; ++ break; + nr = i_data[EXT4_DIND_BLOCK]; + if (nr) { + ext4_free_branches(handle, inode, NULL, &nr, &nr+1, 2); +@@ -1551,7 +1548,7 @@ do_indirects: + } + case EXT4_DIND_BLOCK: + if (++n >= n2) +- return 0; ++ break; + nr = i_data[EXT4_TIND_BLOCK]; + if (nr) { + ext4_free_branches(handle, inode, NULL, &nr, &nr+1, 3); +@@ -1560,5 +1557,5 @@ do_indirects: + case EXT4_TIND_BLOCK: + ; + } +- return 0; ++ goto cleanup; + } +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index bcd7c4788903..e44e3cd738b6 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -599,6 +599,13 @@ resizefs_out: + + if ((flags & BLKDEV_DISCARD_SECURE) && !blk_queue_secdiscard(q)) + return -EOPNOTSUPP; ++ /* ++ * We haven't replayed the journal, so we cannot use our ++ * block-bitmap-guided storage zapping commands. ++ */ ++ if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb)) ++ return -EROFS; ++ + if (copy_from_user(&range, (struct fstrim_range __user *)arg, + sizeof(range))) + return -EFAULT; +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index 4bd12247a9be..5223eb25bf59 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -907,11 +907,18 @@ static int add_new_gdb_meta_bg(struct super_block *sb, + memcpy(n_group_desc, o_group_desc, + EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *)); + n_group_desc[gdb_num] = gdb_bh; ++ ++ BUFFER_TRACE(gdb_bh, "get_write_access"); ++ err = ext4_journal_get_write_access(handle, gdb_bh); ++ if (err) { ++ kvfree(n_group_desc); ++ brelse(gdb_bh); ++ return err; ++ } ++ + EXT4_SB(sb)->s_group_desc = n_group_desc; + EXT4_SB(sb)->s_gdb_count++; + kvfree(o_group_desc); +- BUFFER_TRACE(gdb_bh, "get_write_access"); +- err = ext4_journal_get_write_access(handle, gdb_bh); + return err; + } + +@@ -2040,6 +2047,10 @@ out: + free_flex_gd(flex_gd); + if (resize_inode != NULL) + iput(resize_inode); +- ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", n_blocks_count); ++ if (err) ++ ext4_warning(sb, "error (%d) occurred during " ++ "file system resize", err); ++ ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", ++ ext4_blocks_count(es)); + return err; + } +diff --git a/fs/f2fs/trace.c b/fs/f2fs/trace.c +index 145fb659ad44..8f327fa7ae47 100644 +--- a/fs/f2fs/trace.c ++++ b/fs/f2fs/trace.c +@@ -60,6 +60,7 @@ void f2fs_trace_pid(struct page *page) + + page->private = pid; + ++retry: + if (radix_tree_preload(GFP_NOFS)) + return; + +@@ -70,7 +71,12 @@ void f2fs_trace_pid(struct page *page) + if (p) + radix_tree_delete(&pids, pid); + +- f2fs_radix_tree_insert(&pids, pid, current); ++ if (radix_tree_insert(&pids, pid, current)) { ++ spin_unlock(&pids_lock); ++ radix_tree_preload_end(); ++ cond_resched(); ++ goto retry; ++ } + + trace_printk("%3x:%3x %4x %-16s\n", + MAJOR(inode->i_sb->s_dev), MINOR(inode->i_sb->s_dev), +diff --git a/fs/file.c b/fs/file.c +index 39f8f15921da..7e9eb65a2912 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -474,6 +474,7 @@ struct files_struct init_files = { + .full_fds_bits = init_files.full_fds_bits_init, + }, + .file_lock = __SPIN_LOCK_UNLOCKED(init_files.file_lock), ++ .resize_wait = __WAIT_QUEUE_HEAD_INITIALIZER(init_files.resize_wait), + }; + + static unsigned long find_next_fd(struct fdtable *fdt, unsigned long start) +diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c +index 3c45a9301a09..a87a08e1bfab 100644 +--- a/fs/ocfs2/cluster/nodemanager.c ++++ b/fs/ocfs2/cluster/nodemanager.c +@@ -621,13 +621,15 @@ static void o2nm_node_group_drop_item(struct config_group *group, + struct o2nm_node *node = to_o2nm_node(item); + struct o2nm_cluster *cluster = to_o2nm_cluster(group->cg_item.ci_parent); + +- o2net_disconnect_node(node); ++ if (cluster->cl_nodes[node->nd_num] == node) { ++ o2net_disconnect_node(node); + +- if (cluster->cl_has_local && +- (cluster->cl_local_node == node->nd_num)) { +- cluster->cl_has_local = 0; +- cluster->cl_local_node = O2NM_INVALID_NODE_NUM; +- o2net_stop_listening(node); ++ if (cluster->cl_has_local && ++ (cluster->cl_local_node == node->nd_num)) { ++ cluster->cl_has_local = 0; ++ cluster->cl_local_node = O2NM_INVALID_NODE_NUM; ++ o2net_stop_listening(node); ++ } + } + + /* XXX call into net to stop this node from trading messages */ +diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c +index f8aa54272121..eedacae889b9 100644 +--- a/fs/overlayfs/dir.c ++++ b/fs/overlayfs/dir.c +@@ -408,12 +408,21 @@ static int ovl_create_or_link(struct dentry *dentry, int mode, dev_t rdev, + err = ovl_create_upper(dentry, inode, &stat, link, hardlink); + } else { + const struct cred *old_cred; ++ struct cred *override_cred; + + old_cred = ovl_override_creds(dentry->d_sb); + +- err = ovl_create_over_whiteout(dentry, inode, &stat, link, +- hardlink); ++ err = -ENOMEM; ++ override_cred = prepare_creds(); ++ if (override_cred) { ++ override_cred->fsuid = old_cred->fsuid; ++ override_cred->fsgid = old_cred->fsgid; ++ put_cred(override_creds(override_cred)); ++ put_cred(override_cred); + ++ err = ovl_create_over_whiteout(dentry, inode, &stat, ++ link, hardlink); ++ } + revert_creds(old_cred); + } + +diff --git a/include/linux/atalk.h b/include/linux/atalk.h +index 73fd8b7e9534..af43ed404ff4 100644 +--- a/include/linux/atalk.h ++++ b/include/linux/atalk.h +@@ -150,19 +150,29 @@ extern int sysctl_aarp_retransmit_limit; + extern int sysctl_aarp_resolve_time; + + #ifdef CONFIG_SYSCTL +-extern void atalk_register_sysctl(void); ++extern int atalk_register_sysctl(void); + extern void atalk_unregister_sysctl(void); + #else +-#define atalk_register_sysctl() do { } while(0) +-#define atalk_unregister_sysctl() do { } while(0) ++static inline int atalk_register_sysctl(void) ++{ ++ return 0; ++} ++static inline void atalk_unregister_sysctl(void) ++{ ++} + #endif + + #ifdef CONFIG_PROC_FS + extern int atalk_proc_init(void); + extern void atalk_proc_exit(void); + #else +-#define atalk_proc_init() ({ 0; }) +-#define atalk_proc_exit() do { } while(0) ++static inline int atalk_proc_init(void) ++{ ++ return 0; ++} ++static inline void atalk_proc_exit(void) ++{ ++} + #endif /* CONFIG_PROC_FS */ + + #endif /* __LINUX_ATALK_H__ */ +diff --git a/include/linux/bitrev.h b/include/linux/bitrev.h +index fb790b8449c1..333e42cf08de 100644 +--- a/include/linux/bitrev.h ++++ b/include/linux/bitrev.h +@@ -31,32 +31,32 @@ static inline u32 __bitrev32(u32 x) + + #define __constant_bitrev32(x) \ + ({ \ +- u32 __x = x; \ +- __x = (__x >> 16) | (__x << 16); \ +- __x = ((__x & (u32)0xFF00FF00UL) >> 8) | ((__x & (u32)0x00FF00FFUL) << 8); \ +- __x = ((__x & (u32)0xF0F0F0F0UL) >> 4) | ((__x & (u32)0x0F0F0F0FUL) << 4); \ +- __x = ((__x & (u32)0xCCCCCCCCUL) >> 2) | ((__x & (u32)0x33333333UL) << 2); \ +- __x = ((__x & (u32)0xAAAAAAAAUL) >> 1) | ((__x & (u32)0x55555555UL) << 1); \ +- __x; \ ++ u32 ___x = x; \ ++ ___x = (___x >> 16) | (___x << 16); \ ++ ___x = ((___x & (u32)0xFF00FF00UL) >> 8) | ((___x & (u32)0x00FF00FFUL) << 8); \ ++ ___x = ((___x & (u32)0xF0F0F0F0UL) >> 4) | ((___x & (u32)0x0F0F0F0FUL) << 4); \ ++ ___x = ((___x & (u32)0xCCCCCCCCUL) >> 2) | ((___x & (u32)0x33333333UL) << 2); \ ++ ___x = ((___x & (u32)0xAAAAAAAAUL) >> 1) | ((___x & (u32)0x55555555UL) << 1); \ ++ ___x; \ + }) + + #define __constant_bitrev16(x) \ + ({ \ +- u16 __x = x; \ +- __x = (__x >> 8) | (__x << 8); \ +- __x = ((__x & (u16)0xF0F0U) >> 4) | ((__x & (u16)0x0F0FU) << 4); \ +- __x = ((__x & (u16)0xCCCCU) >> 2) | ((__x & (u16)0x3333U) << 2); \ +- __x = ((__x & (u16)0xAAAAU) >> 1) | ((__x & (u16)0x5555U) << 1); \ +- __x; \ ++ u16 ___x = x; \ ++ ___x = (___x >> 8) | (___x << 8); \ ++ ___x = ((___x & (u16)0xF0F0U) >> 4) | ((___x & (u16)0x0F0FU) << 4); \ ++ ___x = ((___x & (u16)0xCCCCU) >> 2) | ((___x & (u16)0x3333U) << 2); \ ++ ___x = ((___x & (u16)0xAAAAU) >> 1) | ((___x & (u16)0x5555U) << 1); \ ++ ___x; \ + }) + + #define __constant_bitrev8(x) \ + ({ \ +- u8 __x = x; \ +- __x = (__x >> 4) | (__x << 4); \ +- __x = ((__x & (u8)0xCCU) >> 2) | ((__x & (u8)0x33U) << 2); \ +- __x = ((__x & (u8)0xAAU) >> 1) | ((__x & (u8)0x55U) << 1); \ +- __x; \ ++ u8 ___x = x; \ ++ ___x = (___x >> 4) | (___x << 4); \ ++ ___x = ((___x & (u8)0xCCU) >> 2) | ((___x & (u8)0x33U) << 2); \ ++ ___x = ((___x & (u8)0xAAU) >> 1) | ((___x & (u8)0x55U) << 1); \ ++ ___x; \ + }) + + #define bitrev32(x) \ +diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h +index e23392517db9..cb527c78de9f 100644 +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -197,6 +197,7 @@ struct kretprobe_instance { + struct kretprobe *rp; + kprobe_opcode_t *ret_addr; + struct task_struct *task; ++ void *fp; + char data[0]; + }; + +diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h +index 19d0778ec382..121c8f99ecdd 100644 +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -125,7 +125,7 @@ ring_buffer_consume(struct ring_buffer *buffer, int cpu, u64 *ts, + unsigned long *lost_events); + + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu); ++ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu, gfp_t flags); + void ring_buffer_read_prepare_sync(void); + void ring_buffer_read_start(struct ring_buffer_iter *iter); + void ring_buffer_read_finish(struct ring_buffer_iter *iter); +diff --git a/include/linux/string.h b/include/linux/string.h +index c026b7a19e26..870268d42ae7 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -110,6 +110,9 @@ extern void * memscan(void *,int,__kernel_size_t); + #ifndef __HAVE_ARCH_MEMCMP + extern int memcmp(const void *,const void *,__kernel_size_t); + #endif ++#ifndef __HAVE_ARCH_BCMP ++extern int bcmp(const void *,const void *,__kernel_size_t); ++#endif + #ifndef __HAVE_ARCH_MEMCHR + extern void * memchr(const void *,int,__kernel_size_t); + #endif +diff --git a/include/linux/swap.h b/include/linux/swap.h +index d8ca2eaa3a8b..0a0b7529dae4 100644 +--- a/include/linux/swap.h ++++ b/include/linux/swap.h +@@ -135,9 +135,9 @@ struct swap_extent { + /* + * Max bad pages in the new format.. + */ +-#define __swapoffset(x) ((unsigned long)&((union swap_header *)0)->x) + #define MAX_SWAP_BADPAGES \ +- ((__swapoffset(magic.magic) - __swapoffset(info.badpages)) / sizeof(int)) ++ ((offsetof(union swap_header, magic.magic) - \ ++ offsetof(union swap_header, info.badpages)) / sizeof(int)) + + enum { + SWP_USED = (1 << 0), /* is slot in swap_info[] used? */ +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h +index 6965dfe7e88b..0daed810724d 100644 +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -53,6 +53,7 @@ struct net { + */ + spinlock_t rules_mod_lock; + ++ u32 hash_mix; + atomic64_t cookie_gen; + + struct list_head list; /* list of network namespaces */ +diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h +index e8d1448425a7..b1d0d46344e2 100644 +--- a/include/net/netfilter/br_netfilter.h ++++ b/include/net/netfilter/br_netfilter.h +@@ -42,7 +42,6 @@ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev) + } + + struct net_device *setup_pre_routing(struct sk_buff *skb); +-void br_netfilter_enable(void); + + #if IS_ENABLED(CONFIG_IPV6) + int br_validate_ipv6(struct net *net, struct sk_buff *skb); +diff --git a/include/net/netns/hash.h b/include/net/netns/hash.h +index 69a6715d9f3f..a347b2f9e748 100644 +--- a/include/net/netns/hash.h ++++ b/include/net/netns/hash.h +@@ -1,21 +1,10 @@ + #ifndef __NET_NS_HASH_H__ + #define __NET_NS_HASH_H__ + +-#include +- +-struct net; ++#include + + static inline u32 net_hash_mix(const struct net *net) + { +-#ifdef CONFIG_NET_NS +- /* +- * shift this right to eliminate bits, that are +- * always zeroed +- */ +- +- return (u32)(((unsigned long)net) >> L1_CACHE_SHIFT); +-#else +- return 0; +-#endif ++ return net->hash_mix; + } + #endif +diff --git a/kernel/events/core.c b/kernel/events/core.c +index e53dfb5b826e..17230ca00bd4 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5998,6 +5998,7 @@ static void perf_event_mmap_output(struct perf_event *event, + struct perf_output_handle handle; + struct perf_sample_data sample; + int size = mmap_event->event_id.header.size; ++ u32 type = mmap_event->event_id.header.type; + int ret; + + if (!perf_event_mmap_match(event, data)) +@@ -6041,6 +6042,7 @@ static void perf_event_mmap_output(struct perf_event *event, + perf_output_end(&handle); + out: + mmap_event->event_id.header.size = size; ++ mmap_event->event_id.header.type = type; + } + + static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) +diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c +index 3c74e13a95dc..67aafc2b249c 100644 +--- a/kernel/irq/chip.c ++++ b/kernel/irq/chip.c +@@ -1056,6 +1056,10 @@ int irq_chip_set_vcpu_affinity_parent(struct irq_data *data, void *vcpu_info) + int irq_chip_set_wake_parent(struct irq_data *data, unsigned int on) + { + data = data->parent_data; ++ ++ if (data->chip->flags & IRQCHIP_SKIP_SET_WAKE) ++ return 0; ++ + if (data->chip->irq_set_wake) + return data->chip->irq_set_wake(data, on); + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index d8daf6c55d2b..a53998cba804 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -668,7 +668,6 @@ static void unoptimize_kprobe(struct kprobe *p, bool force) + static int reuse_unused_kprobe(struct kprobe *ap) + { + struct optimized_kprobe *op; +- int ret; + + BUG_ON(!kprobe_unused(ap)); + /* +@@ -682,9 +681,8 @@ static int reuse_unused_kprobe(struct kprobe *ap) + /* Enable the probe again */ + ap->flags &= ~KPROBE_FLAG_DISABLED; + /* Optimize it again (remove from op->list) */ +- ret = kprobe_optready(ap); +- if (ret) +- return ret; ++ if (!kprobe_optready(ap)) ++ return -EINVAL; + + optimize_kprobe(ap); + return 0; +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index a49c565529a0..774ab79d3ec7 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -3314,9 +3314,6 @@ __lock_set_class(struct lockdep_map *lock, const char *name, + unsigned int depth; + int i; + +- if (unlikely(!debug_locks)) +- return 0; +- + depth = curr->lockdep_depth; + /* + * This function is about (re)setting the class of a held lock, +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 6051007918ad..d706cf4fda99 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -4016,12 +4016,15 @@ static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer) + return HRTIMER_NORESTART; + } + ++extern const u64 max_cfs_quota_period; ++ + static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) + { + struct cfs_bandwidth *cfs_b = + container_of(timer, struct cfs_bandwidth, period_timer); + int overrun; + int idle = 0; ++ int count = 0; + + raw_spin_lock(&cfs_b->lock); + for (;;) { +@@ -4029,6 +4032,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) + if (!overrun) + break; + ++ if (++count > 3) { ++ u64 new, old = ktime_to_ns(cfs_b->period); ++ ++ new = (old * 147) / 128; /* ~115% */ ++ new = min(new, max_cfs_quota_period); ++ ++ cfs_b->period = ns_to_ktime(new); ++ ++ /* since max is 1s, this is limited to 1e9^2, which fits in u64 */ ++ cfs_b->quota *= new; ++ cfs_b->quota = div64_u64(cfs_b->quota, old); ++ ++ pr_warn_ratelimited( ++ "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n", ++ smp_processor_id(), ++ div_u64(new, NSEC_PER_USEC), ++ div_u64(cfs_b->quota, NSEC_PER_USEC)); ++ ++ /* reset count so we don't come right back in here */ ++ count = 0; ++ } ++ + idle = do_sched_cfs_period_timer(cfs_b, overrun); + } + if (idle) +@@ -6022,10 +6047,10 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq) + if (cfs_rq->last_h_load_update == now) + return; + +- cfs_rq->h_load_next = NULL; ++ WRITE_ONCE(cfs_rq->h_load_next, NULL); + for_each_sched_entity(se) { + cfs_rq = cfs_rq_of(se); +- cfs_rq->h_load_next = se; ++ WRITE_ONCE(cfs_rq->h_load_next, se); + if (cfs_rq->last_h_load_update == now) + break; + } +@@ -6035,7 +6060,7 @@ static void update_cfs_rq_h_load(struct cfs_rq *cfs_rq) + cfs_rq->last_h_load_update = now; + } + +- while ((se = cfs_rq->h_load_next) != NULL) { ++ while ((se = READ_ONCE(cfs_rq->h_load_next)) != NULL) { + load = cfs_rq->h_load; + load = div64_ul(load * se->avg.load_avg, + cfs_rq_load_avg(cfs_rq) + 1); +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index beadcf83ceba..c140659db669 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -125,7 +125,9 @@ static int zero; + static int __maybe_unused one = 1; + static int __maybe_unused two = 2; + static int __maybe_unused four = 4; ++static unsigned long zero_ul; + static unsigned long one_ul = 1; ++static unsigned long long_max = LONG_MAX; + static int one_hundred = 100; + #ifdef CONFIG_PRINTK + static int ten_thousand = 10000; +@@ -1603,6 +1605,8 @@ static struct ctl_table fs_table[] = { + .maxlen = sizeof(files_stat.max_files), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, ++ .extra1 = &zero_ul, ++ .extra2 = &long_max, + }, + { + .procname = "nr_open", +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index d90b42b39908..6380ec0453e0 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include + +@@ -5165,7 +5166,7 @@ static struct ftrace_ops control_ops = { + INIT_OPS_HASH(control_ops) + }; + +-static inline void ++static nokprobe_inline void + __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ignored, struct pt_regs *regs) + { +@@ -5214,11 +5215,13 @@ static void ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + { + __ftrace_ops_list_func(ip, parent_ip, NULL, regs); + } ++NOKPROBE_SYMBOL(ftrace_ops_list_func); + #else + static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip) + { + __ftrace_ops_list_func(ip, parent_ip, NULL, NULL); + } ++NOKPROBE_SYMBOL(ftrace_ops_no_ops); + #endif + + /* +@@ -5239,6 +5242,7 @@ static void ftrace_ops_recurs_func(unsigned long ip, unsigned long parent_ip, + + trace_clear_recursion(bit); + } ++NOKPROBE_SYMBOL(ftrace_ops_recurs_func); + + /** + * ftrace_ops_get_func - get the function a trampoline should call +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 74b20e3ab8c6..5e091614fe39 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4042,6 +4042,7 @@ EXPORT_SYMBOL_GPL(ring_buffer_consume); + * ring_buffer_read_prepare - Prepare for a non consuming read of the buffer + * @buffer: The ring buffer to read from + * @cpu: The cpu buffer to iterate over ++ * @flags: gfp flags to use for memory allocation + * + * This performs the initial preparations necessary to iterate + * through the buffer. Memory is allocated, buffer recording +@@ -4059,7 +4060,7 @@ EXPORT_SYMBOL_GPL(ring_buffer_consume); + * This overall must be paired with ring_buffer_read_finish. + */ + struct ring_buffer_iter * +-ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu) ++ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu, gfp_t flags) + { + struct ring_buffer_per_cpu *cpu_buffer; + struct ring_buffer_iter *iter; +@@ -4067,7 +4068,7 @@ ring_buffer_read_prepare(struct ring_buffer *buffer, int cpu) + if (!cpumask_test_cpu(cpu, buffer->cpumask)) + return NULL; + +- iter = kmalloc(sizeof(*iter), GFP_KERNEL); ++ iter = kmalloc(sizeof(*iter), flags); + if (!iter) + return NULL; + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 8c097de8a596..ae00e68ceae3 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -3122,7 +3122,8 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot) + if (iter->cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter->trace_buffer->buffer, ++ cpu, GFP_KERNEL); + } + ring_buffer_read_prepare_sync(); + for_each_tracing_cpu(cpu) { +@@ -3132,7 +3133,8 @@ __tracing_open(struct inode *inode, struct file *file, bool snapshot) + } else { + cpu = iter->cpu_file; + iter->buffer_iter[cpu] = +- ring_buffer_read_prepare(iter->trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter->trace_buffer->buffer, ++ cpu, GFP_KERNEL); + ring_buffer_read_prepare_sync(); + ring_buffer_read_start(iter->buffer_iter[cpu]); + tracing_iter_reset(iter, cpu); +diff --git a/kernel/trace/trace_kdb.c b/kernel/trace/trace_kdb.c +index 57149bce6aad..896458285fdd 100644 +--- a/kernel/trace/trace_kdb.c ++++ b/kernel/trace/trace_kdb.c +@@ -50,14 +50,16 @@ static void ftrace_dump_buf(int skip_lines, long cpu_file) + if (cpu_file == RING_BUFFER_ALL_CPUS) { + for_each_tracing_cpu(cpu) { + iter.buffer_iter[cpu] = +- ring_buffer_read_prepare(iter.trace_buffer->buffer, cpu); ++ ring_buffer_read_prepare(iter.trace_buffer->buffer, ++ cpu, GFP_ATOMIC); + ring_buffer_read_start(iter.buffer_iter[cpu]); + tracing_iter_reset(&iter, cpu); + } + } else { + iter.cpu_file = cpu_file; + iter.buffer_iter[cpu_file] = +- ring_buffer_read_prepare(iter.trace_buffer->buffer, cpu_file); ++ ring_buffer_read_prepare(iter.trace_buffer->buffer, ++ cpu_file, GFP_ATOMIC); + ring_buffer_read_start(iter.buffer_iter[cpu_file]); + tracing_iter_reset(&iter, cpu_file); + } +diff --git a/lib/bsearch.c b/lib/bsearch.c +index e33c179089db..d50048446b77 100644 +--- a/lib/bsearch.c ++++ b/lib/bsearch.c +@@ -11,6 +11,7 @@ + + #include + #include ++#include + + /* + * bsearch - binary search an array of elements +@@ -51,3 +52,4 @@ void *bsearch(const void *key, const void *base, size_t num, size_t size, + return NULL; + } + EXPORT_SYMBOL(bsearch); ++NOKPROBE_SYMBOL(bsearch); +diff --git a/lib/div64.c b/lib/div64.c +index 62a698a432bc..75b8521c2146 100644 +--- a/lib/div64.c ++++ b/lib/div64.c +@@ -100,7 +100,7 @@ u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder) + quot = div_u64_rem(dividend, divisor, &rem32); + *remainder = rem32; + } else { +- int n = 1 + fls(high); ++ int n = fls(high); + quot = div_u64(dividend >> n, divisor >> n); + + if (quot != 0) +@@ -138,7 +138,7 @@ u64 div64_u64(u64 dividend, u64 divisor) + if (high == 0) { + quot = div_u64(dividend, divisor); + } else { +- int n = 1 + fls(high); ++ int n = fls(high); + quot = div_u64(dividend >> n, divisor >> n); + + if (quot != 0) +diff --git a/lib/int_sqrt.c b/lib/int_sqrt.c +index 1afb545a37c5..6d35274170bc 100644 +--- a/lib/int_sqrt.c ++++ b/lib/int_sqrt.c +@@ -7,6 +7,7 @@ + + #include + #include ++#include + + /** + * int_sqrt - rough approximation to sqrt +@@ -21,10 +22,7 @@ unsigned long int_sqrt(unsigned long x) + if (x <= 1) + return x; + +- m = 1UL << (BITS_PER_LONG - 2); +- while (m > x) +- m >>= 2; +- ++ m = 1UL << (__fls(x) & ~1UL); + while (m != 0) { + b = y + m; + y >>= 1; +diff --git a/lib/raid6/Makefile b/lib/raid6/Makefile +index 3b10a48fa040..a84efd4aad37 100644 +--- a/lib/raid6/Makefile ++++ b/lib/raid6/Makefile +@@ -23,7 +23,7 @@ endif + ifeq ($(CONFIG_KERNEL_MODE_NEON),y) + NEON_FLAGS := -ffreestanding + ifeq ($(ARCH),arm) +-NEON_FLAGS += -mfloat-abi=softfp -mfpu=neon ++NEON_FLAGS += -march=armv7-a -mfloat-abi=softfp -mfpu=neon + endif + ifeq ($(ARCH),arm64) + CFLAGS_REMOVE_neon1.o += -mgeneral-regs-only +diff --git a/lib/string.c b/lib/string.c +index 1a90db9bc6e1..c7cf65ac42ad 100644 +--- a/lib/string.c ++++ b/lib/string.c +@@ -746,6 +746,26 @@ __visible int memcmp(const void *cs, const void *ct, size_t count) + EXPORT_SYMBOL(memcmp); + #endif + ++#ifndef __HAVE_ARCH_BCMP ++/** ++ * bcmp - returns 0 if and only if the buffers have identical contents. ++ * @a: pointer to first buffer. ++ * @b: pointer to second buffer. ++ * @len: size of buffers. ++ * ++ * The sign or magnitude of a non-zero return value has no particular ++ * meaning, and architectures may implement their own more efficient bcmp(). So ++ * while this particular implementation is a simple (tail) call to memcmp, do ++ * not rely on anything but whether the return value is zero or non-zero. ++ */ ++#undef bcmp ++int bcmp(const void *a, const void *b, size_t len) ++{ ++ return memcmp(a, b, len); ++} ++EXPORT_SYMBOL(bcmp); ++#endif ++ + #ifndef __HAVE_ARCH_MEMSCAN + /** + * memscan - Find a character in an area of memory. +diff --git a/mm/cma.c b/mm/cma.c +index 43f4a122e969..f0d91aca5a4c 100644 +--- a/mm/cma.c ++++ b/mm/cma.c +@@ -339,12 +339,14 @@ int __init cma_declare_contiguous(phys_addr_t base, + + ret = cma_init_reserved_mem(base, size, order_per_bit, res_cma); + if (ret) +- goto err; ++ goto free_mem; + + pr_info("Reserved %ld MiB at %pa\n", (unsigned long)size / SZ_1M, + &base); + return 0; + ++free_mem: ++ memblock_free(base, size); + err: + pr_err("Failed to reserve %ld MiB\n", (unsigned long)size / SZ_1M); + return ret; +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index 5418ab0c5e2c..878d05bd185c 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -514,12 +514,16 @@ static int queue_pages_pte_range(pmd_t *pmd, unsigned long addr, + if (node_isset(nid, *qp->nmask) == !!(flags & MPOL_MF_INVERT)) + continue; + +- if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) ++ if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) { ++ if (!vma_migratable(vma)) ++ break; + migrate_page_add(page, qp->pagelist, flags); ++ } else ++ break; + } + pte_unmap_unlock(pte - 1, ptl); + cond_resched(); +- return 0; ++ return addr != end ? -EIO : 0; + } + + static int queue_pages_hugetlb(pte_t *pte, unsigned long hmask, +diff --git a/mm/page_ext.c b/mm/page_ext.c +index 4d1eac0d4fc5..de1f34c5a2f1 100644 +--- a/mm/page_ext.c ++++ b/mm/page_ext.c +@@ -255,6 +255,7 @@ static void free_page_ext(void *addr) + table_size = sizeof(struct page_ext) * PAGES_PER_SECTION; + + BUG_ON(PageReserved(page)); ++ kmemleak_free(addr); + free_pages_exact(addr, table_size); + } + } +diff --git a/mm/slab.c b/mm/slab.c +index 92df044f5e00..d043b8007f23 100644 +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -660,14 +660,6 @@ static void start_cpu_timer(int cpu) + + static void init_arraycache(struct array_cache *ac, int limit, int batch) + { +- /* +- * The array_cache structures contain pointers to free object. +- * However, when such objects are allocated or transferred to another +- * cache the pointers are not cleared and they could be counted as +- * valid references during a kmemleak scan. Therefore, kmemleak must +- * not scan such objects. +- */ +- kmemleak_no_scan(ac); + if (ac) { + ac->avail = 0; + ac->limit = limit; +@@ -683,6 +675,14 @@ static struct array_cache *alloc_arraycache(int node, int entries, + struct array_cache *ac = NULL; + + ac = kmalloc_node(memsize, gfp, node); ++ /* ++ * The array_cache structures contain pointers to free object. ++ * However, when such objects are allocated or transferred to another ++ * cache the pointers are not cleared and they could be counted as ++ * valid references during a kmemleak scan. Therefore, kmemleak must ++ * not scan such objects. ++ */ ++ kmemleak_no_scan(ac); + init_arraycache(ac, entries, batchcount); + return ac; + } +@@ -876,6 +876,7 @@ static struct alien_cache *__alloc_alien_cache(int node, int entries, + + alc = kmalloc_node(memsize, gfp, node); + if (alc) { ++ kmemleak_no_scan(alc); + init_arraycache(&alc->ac, entries, batch); + spin_lock_init(&alc->lock); + } +diff --git a/mm/vmalloc.c b/mm/vmalloc.c +index 400e580725da..7c556b59f0ec 100644 +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -446,7 +446,11 @@ nocache: + } + + found: +- if (addr + size > vend) ++ /* ++ * Check also calculated address against the vstart, ++ * because it can be 0 because of big align request. ++ */ ++ if (addr + size > vend || addr < vstart) + goto overflow; + + va->va_start = addr; +diff --git a/mm/vmstat.c b/mm/vmstat.c +index 6af9bbad94c7..dd0a13013cb4 100644 +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -857,13 +857,8 @@ const char * const vmstat_text[] = { + #endif + #endif /* CONFIG_MEMORY_BALLOON */ + #ifdef CONFIG_DEBUG_TLBFLUSH +-#ifdef CONFIG_SMP + "nr_tlb_remote_flush", + "nr_tlb_remote_flush_received", +-#else +- "", /* nr_tlb_remote_flush */ +- "", /* nr_tlb_remote_flush_received */ +-#endif /* CONFIG_SMP */ + "nr_tlb_local_flush_all", + "nr_tlb_local_flush_one", + #endif /* CONFIG_DEBUG_TLBFLUSH */ +diff --git a/net/9p/protocol.c b/net/9p/protocol.c +index 145f80518064..7f1b45c082c9 100644 +--- a/net/9p/protocol.c ++++ b/net/9p/protocol.c +@@ -570,9 +570,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int len, struct p9_wstat *st) + if (ret) { + p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret); + trace_9p_protocol_dump(clnt, &fake_pdu); ++ return ret; + } + +- return ret; ++ return fake_pdu.offset; + } + EXPORT_SYMBOL(p9stat_read); + +diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c +index af46bc49e1e9..b5f84f428aa6 100644 +--- a/net/appletalk/atalk_proc.c ++++ b/net/appletalk/atalk_proc.c +@@ -293,7 +293,7 @@ out_interface: + goto out; + } + +-void __exit atalk_proc_exit(void) ++void atalk_proc_exit(void) + { + remove_proc_entry("interface", atalk_proc_dir); + remove_proc_entry("route", atalk_proc_dir); +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index d5871ac493eb..4246df3b7ae8 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1912,12 +1912,16 @@ static const char atalk_err_snap[] __initconst = + /* Called by proto.c on kernel start up */ + static int __init atalk_init(void) + { +- int rc = proto_register(&ddp_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&ddp_proto, 0); ++ if (rc) + goto out; + +- (void)sock_register(&atalk_family_ops); ++ rc = sock_register(&atalk_family_ops); ++ if (rc) ++ goto out_proto; ++ + ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv); + if (!ddp_dl) + printk(atalk_err_snap); +@@ -1925,12 +1929,33 @@ static int __init atalk_init(void) + dev_add_pack(<alk_packet_type); + dev_add_pack(&ppptalk_packet_type); + +- register_netdevice_notifier(&ddp_notifier); ++ rc = register_netdevice_notifier(&ddp_notifier); ++ if (rc) ++ goto out_sock; ++ + aarp_proto_init(); +- atalk_proc_init(); +- atalk_register_sysctl(); ++ rc = atalk_proc_init(); ++ if (rc) ++ goto out_aarp; ++ ++ rc = atalk_register_sysctl(); ++ if (rc) ++ goto out_proc; + out: + return rc; ++out_proc: ++ atalk_proc_exit(); ++out_aarp: ++ aarp_cleanup_module(); ++ unregister_netdevice_notifier(&ddp_notifier); ++out_sock: ++ dev_remove_pack(&ppptalk_packet_type); ++ dev_remove_pack(<alk_packet_type); ++ unregister_snap_client(ddp_dl); ++ sock_unregister(PF_APPLETALK); ++out_proto: ++ proto_unregister(&ddp_proto); ++ goto out; + } + module_init(atalk_init); + +diff --git a/net/appletalk/sysctl_net_atalk.c b/net/appletalk/sysctl_net_atalk.c +index ebb864361f7a..4e6042e0fcac 100644 +--- a/net/appletalk/sysctl_net_atalk.c ++++ b/net/appletalk/sysctl_net_atalk.c +@@ -44,9 +44,12 @@ static struct ctl_table atalk_table[] = { + + static struct ctl_table_header *atalk_table_header; + +-void atalk_register_sysctl(void) ++int __init atalk_register_sysctl(void) + { + atalk_table_header = register_net_sysctl(&init_net, "net/appletalk", atalk_table); ++ if (!atalk_table_header) ++ return -ENOMEM; ++ return 0; + } + + void atalk_unregister_sysctl(void) +diff --git a/net/atm/lec.c b/net/atm/lec.c +index 10e4066991b8..e4afac94ff15 100644 +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -721,7 +721,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg) + + static int lec_mcast_attach(struct atm_vcc *vcc, int arg) + { +- if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg]) ++ if (arg < 0 || arg >= MAX_LEC_ITF) ++ return -EINVAL; ++ arg = array_index_nospec(arg, MAX_LEC_ITF); ++ if (!dev_lec[arg]) + return -EINVAL; + vcc->proto_data = dev_lec[arg]; + return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc); +@@ -739,6 +742,7 @@ static int lecd_attach(struct atm_vcc *vcc, int arg) + i = arg; + if (arg >= MAX_LEC_ITF) + return -EINVAL; ++ i = array_index_nospec(arg, MAX_LEC_ITF); + if (!dev_lec[i]) { + int size; + +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index c842f40c1173..ea1cd8b21708 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -558,13 +558,12 @@ static int hci_sock_release(struct socket *sock) + if (!sk) + return 0; + +- hdev = hci_pi(sk)->hdev; +- + if (hci_pi(sk)->channel == HCI_CHANNEL_MONITOR) + atomic_dec(&monitor_promisc); + + bt_sock_unlink(&hci_sk_list, sk); + ++ hdev = hci_pi(sk)->hdev; + if (hdev) { + if (hci_pi(sk)->channel == HCI_CHANNEL_USER) { + /* When releasing an user channel exclusive access, +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index d80c15d028fe..a52b4ffe30f4 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1894,7 +1894,8 @@ static void br_multicast_start_querier(struct net_bridge *br, + + __br_multicast_open(br, query); + +- list_for_each_entry(port, &br->port_list, list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(port, &br->port_list, list) { + if (port->state == BR_STATE_DISABLED || + port->state == BR_STATE_BLOCKING) + continue; +@@ -1906,6 +1907,7 @@ static void br_multicast_start_querier(struct net_bridge *br, + br_multicast_enable(&port->ip6_own_query); + #endif + } ++ rcu_read_unlock(); + } + + int br_multicast_toggle(struct net_bridge *br, unsigned long val) +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 6def85d75b1d..93b5525bcccf 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -873,11 +873,6 @@ static const struct nf_br_ops br_ops = { + .br_dev_xmit_hook = br_nf_dev_xmit, + }; + +-void br_netfilter_enable(void) +-{ +-} +-EXPORT_SYMBOL_GPL(br_netfilter_enable); +- + /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because + * br_dev_queue_push_xmit is called afterwards */ + static struct nf_hook_ops br_nf_ops[] __read_mostly = { +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index b6bca625b0d2..9a53c66deb64 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -1287,17 +1287,22 @@ static int ethtool_get_strings(struct net_device *dev, void __user *useraddr) + + gstrings.len = ret; + +- data = kcalloc(gstrings.len, ETH_GSTRING_LEN, GFP_USER); +- if (!data) +- return -ENOMEM; ++ if (gstrings.len) { ++ data = kcalloc(gstrings.len, ETH_GSTRING_LEN, GFP_USER); ++ if (!data) ++ return -ENOMEM; + +- __ethtool_get_strings(dev, gstrings.string_set, data); ++ __ethtool_get_strings(dev, gstrings.string_set, data); ++ } else { ++ data = NULL; ++ } + + ret = -EFAULT; + if (copy_to_user(useraddr, &gstrings, sizeof(gstrings))) + goto out; + useraddr += sizeof(gstrings); +- if (copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN)) ++ if (gstrings.len && ++ copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN)) + goto out; + ret = 0; + +@@ -1385,17 +1390,21 @@ static int ethtool_get_stats(struct net_device *dev, void __user *useraddr) + return -EFAULT; + + stats.n_stats = n_stats; +- data = kmalloc(n_stats * sizeof(u64), GFP_USER); +- if (!data) +- return -ENOMEM; ++ if (n_stats) { ++ data = kmalloc(n_stats * sizeof(u64), GFP_USER); ++ if (!data) ++ return -ENOMEM; + +- ops->get_ethtool_stats(dev, &stats, data); ++ ops->get_ethtool_stats(dev, &stats, data); ++ } else { ++ data = NULL; ++ } + + ret = -EFAULT; + if (copy_to_user(useraddr, &stats, sizeof(stats))) + goto out; + useraddr += sizeof(stats); +- if (copy_to_user(useraddr, data, stats.n_stats * sizeof(u64))) ++ if (n_stats && copy_to_user(useraddr, data, n_stats * sizeof(u64))) + goto out; + ret = 0; + +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index ccd20669ac00..087ce1598b74 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -280,6 +280,7 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns) + + atomic_set(&net->count, 1); + atomic_set(&net->passive, 1); ++ get_random_bytes(&net->hash_mix, sizeof(u32)); + net->dev_base_seq = 1; + net->user_ns = user_ns; + idr_init(&net->netns_ids); +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index d83888bc33d3..b5a137338e50 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -116,6 +116,7 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + struct guehdr *guehdr; + void *data; + u16 doffset = 0; ++ u8 proto_ctype; + + if (!fou) + return 1; +@@ -173,13 +174,14 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + if (unlikely(guehdr->control)) + return gue_control_message(skb, guehdr); + ++ proto_ctype = guehdr->proto_ctype; + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + + if (iptunnel_pull_offloads(skb)) + goto drop; + +- return -guehdr->proto_ctype; ++ return -proto_ctype; + + drop: + kfree_skb(skb); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 97bf6c785767..1d580d290054 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1164,9 +1164,23 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie) + + static void ipv4_link_failure(struct sk_buff *skb) + { ++ struct ip_options opt; + struct rtable *rt; ++ int res; ++ ++ /* Recompile ip options since IPCB may not be valid anymore. ++ */ ++ memset(&opt, 0, sizeof(opt)); ++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); ++ ++ if (res) ++ return; + +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); + + rt = skb_rtable(skb); + if (rt) +diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c +index 62f90f6b7a9d..7ccbbd0d3e43 100644 +--- a/net/ipv4/tcp_dctcp.c ++++ b/net/ipv4/tcp_dctcp.c +@@ -66,11 +66,6 @@ static unsigned int dctcp_alpha_on_init __read_mostly = DCTCP_MAX_ALPHA; + module_param(dctcp_alpha_on_init, uint, 0644); + MODULE_PARM_DESC(dctcp_alpha_on_init, "parameter for initial alpha value"); + +-static unsigned int dctcp_clamp_alpha_on_loss __read_mostly; +-module_param(dctcp_clamp_alpha_on_loss, uint, 0644); +-MODULE_PARM_DESC(dctcp_clamp_alpha_on_loss, +- "parameter for clamping alpha on loss"); +- + static struct tcp_congestion_ops dctcp_reno; + + static void dctcp_reset(const struct tcp_sock *tp, struct dctcp *ca) +@@ -211,21 +206,23 @@ static void dctcp_update_alpha(struct sock *sk, u32 flags) + } + } + +-static void dctcp_state(struct sock *sk, u8 new_state) ++static void dctcp_react_to_loss(struct sock *sk) + { +- if (dctcp_clamp_alpha_on_loss && new_state == TCP_CA_Loss) { +- struct dctcp *ca = inet_csk_ca(sk); ++ struct dctcp *ca = inet_csk_ca(sk); ++ struct tcp_sock *tp = tcp_sk(sk); + +- /* If this extension is enabled, we clamp dctcp_alpha to +- * max on packet loss; the motivation is that dctcp_alpha +- * is an indicator to the extend of congestion and packet +- * loss is an indicator of extreme congestion; setting +- * this in practice turned out to be beneficial, and +- * effectively assumes total congestion which reduces the +- * window by half. +- */ +- ca->dctcp_alpha = DCTCP_MAX_ALPHA; +- } ++ ca->loss_cwnd = tp->snd_cwnd; ++ tp->snd_ssthresh = max(tp->snd_cwnd >> 1U, 2U); ++} ++ ++static void dctcp_state(struct sock *sk, u8 new_state) ++{ ++ if (new_state == TCP_CA_Recovery && ++ new_state != inet_csk(sk)->icsk_ca_state) ++ dctcp_react_to_loss(sk); ++ /* We handle RTO in dctcp_cwnd_event to ensure that we perform only ++ * one loss-adjustment per RTT. ++ */ + } + + static void dctcp_cwnd_event(struct sock *sk, enum tcp_ca_event ev) +@@ -237,6 +234,9 @@ static void dctcp_cwnd_event(struct sock *sk, enum tcp_ca_event ev) + case CA_EVENT_ECN_NO_CE: + dctcp_ce_state_1_to_0(sk); + break; ++ case CA_EVENT_LOSS: ++ dctcp_react_to_loss(sk); ++ break; + default: + /* Don't care for the rest. */ + break; +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index aff90b0ddb63..44a3aa7a41e2 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -365,11 +365,12 @@ static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb) + static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + { + struct tcp_sock *tp = tcp_sk(sk); ++ int room; ++ ++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh; + + /* Check #1 */ +- if (tp->rcv_ssthresh < tp->window_clamp && +- (int)tp->rcv_ssthresh < tcp_space(sk) && +- !tcp_under_memory_pressure(sk)) { ++ if (room > 0 && !tcp_under_memory_pressure(sk)) { + int incr; + + /* Check #2. Increase window, if skb with such overhead +@@ -382,8 +383,7 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + + if (incr) { + incr = max_t(int, incr, 2 * skb->len); +- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr, +- tp->window_clamp); ++ tp->rcv_ssthresh += min(room, incr); + inet_csk(sk)->icsk_ack.quick |= 1; + } + } +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index f8cca81d66f2..e39dc94486b2 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -575,7 +575,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + inet6_sk(skb->sk) : NULL; + struct ipv6hdr *tmp_hdr; + struct frag_hdr *fh; +- unsigned int mtu, hlen, left, len; ++ unsigned int mtu, hlen, left, len, nexthdr_offset; + int hroom, troom; + __be32 frag_id; + int ptr, offset = 0, err = 0; +@@ -586,6 +586,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + goto fail; + hlen = err; + nexthdr = *prevhdr; ++ nexthdr_offset = prevhdr - skb_network_header(skb); + + mtu = ip6_skb_dst_mtu(skb); + +@@ -620,6 +621,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + (err = skb_checksum_help(skb))) + goto fail; + ++ prevhdr = skb_network_header(skb) + nexthdr_offset; + hroom = LL_RESERVED_SPACE(rt->dst.dev); + if (skb_has_frag_list(skb)) { + int first_len = skb_pagelen(skb); +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 7c7a74ea2b0d..f072a4c4575c 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -622,7 +622,7 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, + IPPROTO_IPIP, + RT_TOS(eiph->tos), 0); + if (IS_ERR(rt) || +- rt->dst.dev->type != ARPHRD_TUNNEL) { ++ rt->dst.dev->type != ARPHRD_TUNNEL6) { + if (!IS_ERR(rt)) + ip_rt_put(rt); + goto out; +@@ -632,7 +632,7 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, + ip_rt_put(rt); + if (ip_route_input(skb2, eiph->daddr, eiph->saddr, eiph->tos, + skb2->dev) || +- skb_dst(skb2)->dev->type != ARPHRD_TUNNEL) ++ skb_dst(skb2)->dev->type != ARPHRD_TUNNEL6) + goto out; + } + +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 96582ec9c807..77736190dc15 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -693,6 +693,10 @@ static int ipip6_rcv(struct sk_buff *skb) + if (iptunnel_pull_header(skb, 0, htons(ETH_P_IPV6))) + goto out; + ++ /* skb can be uncloned in iptunnel_pull_header, so ++ * old iph is no longer valid ++ */ ++ iph = (const struct iphdr *)skb_mac_header(skb); + err = IP_ECN_decapsulate(iph, skb); + if (unlikely(err)) { + if (log_ecn_error) +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index 18b0d65baff0..6019988bfb84 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1157,6 +1157,9 @@ static inline void drv_wake_tx_queue(struct ieee80211_local *local, + { + struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif); + ++ if (local->in_reconfig) ++ return; ++ + if (!check_sdata_in_driver(sdata)) + return; + +diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c +index 1caaccbc306c..7e4063621960 100644 +--- a/net/netfilter/xt_physdev.c ++++ b/net/netfilter/xt_physdev.c +@@ -96,8 +96,7 @@ match_outdev: + static int physdev_mt_check(const struct xt_mtchk_param *par) + { + const struct xt_physdev_info *info = par->matchinfo; +- +- br_netfilter_enable(); ++ static bool brnf_probed __read_mostly; + + if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || + info->bitmask & ~XT_PHYSDEV_OP_MASK) +@@ -113,6 +112,12 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) + if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) + return -EINVAL; + } ++ ++ if (!brnf_probed) { ++ brnf_probed = true; ++ request_module("br_netfilter"); ++ } ++ + return 0; + } + +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 537917dfa83a..9b676f8fc16f 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1736,14 +1736,14 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa, + + struct sw_flow_actions *acts; + int new_acts_size; +- int req_size = NLA_ALIGN(attr_len); ++ size_t req_size = NLA_ALIGN(attr_len); + int next_offset = offsetof(struct sw_flow_actions, actions) + + (*sfa)->actions_len; + + if (req_size <= (ksize(*sfa) - next_offset)) + goto out; + +- new_acts_size = ksize(*sfa) * 2; ++ new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2); + + if (new_acts_size > MAX_ACTIONS_BUFSIZE) { + if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) { +diff --git a/net/rds/tcp.c b/net/rds/tcp.c +index 18e50a8fc05f..554d4b461983 100644 +--- a/net/rds/tcp.c ++++ b/net/rds/tcp.c +@@ -346,7 +346,7 @@ static void rds_tcp_kill_sock(struct net *net) + list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) { + struct net *c_net = read_pnet(&tc->conn->c_net); + +- if (net != c_net || !tc->t_sock) ++ if (net != c_net) + continue; + list_move_tail(&tc->t_tcp_node, &tmp_list); + } +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c +index 9f2f3c48b7b6..247d1888c386 100644 +--- a/net/sctp/protocol.c ++++ b/net/sctp/protocol.c +@@ -598,6 +598,7 @@ out: + static int sctp_v4_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr) + { + /* No address mapping for V4 sockets */ ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + return sizeof(struct sockaddr_in); + } + +diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c +index 9f5cdd49ff0b..4250d3d6f391 100644 +--- a/scripts/mod/file2alias.c ++++ b/scripts/mod/file2alias.c +@@ -47,49 +47,9 @@ typedef struct { + struct devtable { + const char *device_id; /* name of table, __mod___*_device_table. */ + unsigned long id_size; +- void *function; ++ int (*do_entry)(const char *filename, void *symval, char *alias); + }; + +-#define ___cat(a,b) a ## b +-#define __cat(a,b) ___cat(a,b) +- +-/* we need some special handling for this host tool running eventually on +- * Darwin. The Mach-O section handling is a bit different than ELF section +- * handling. The differnces in detail are: +- * a) we have segments which have sections +- * b) we need a API call to get the respective section symbols */ +-#if defined(__MACH__) +-#include +- +-#define INIT_SECTION(name) do { \ +- unsigned long name ## _len; \ +- char *__cat(pstart_,name) = getsectdata("__TEXT", \ +- #name, &__cat(name,_len)); \ +- char *__cat(pstop_,name) = __cat(pstart_,name) + \ +- __cat(name, _len); \ +- __cat(__start_,name) = (void *)__cat(pstart_,name); \ +- __cat(__stop_,name) = (void *)__cat(pstop_,name); \ +- } while (0) +-#define SECTION(name) __attribute__((section("__TEXT, " #name))) +- +-struct devtable **__start___devtable, **__stop___devtable; +-#else +-#define INIT_SECTION(name) /* no-op for ELF */ +-#define SECTION(name) __attribute__((section(#name))) +- +-/* We construct a table of pointers in an ELF section (pointers generally +- * go unpadded by gcc). ld creates boundary syms for us. */ +-extern struct devtable *__start___devtable[], *__stop___devtable[]; +-#endif /* __MACH__ */ +- +-#if !defined(__used) +-# if __GNUC__ == 3 && __GNUC_MINOR__ < 3 +-# define __used __attribute__((__unused__)) +-# else +-# define __used __attribute__((__used__)) +-# endif +-#endif +- + /* Define a variable f that holds the value of field f of struct devid + * based at address m. + */ +@@ -102,16 +62,6 @@ extern struct devtable *__start___devtable[], *__stop___devtable[]; + #define DEF_FIELD_ADDR(m, devid, f) \ + typeof(((struct devid *)0)->f) *f = ((m) + OFF_##devid##_##f) + +-/* Add a table entry. We test function type matches while we're here. */ +-#define ADD_TO_DEVTABLE(device_id, type, function) \ +- static struct devtable __cat(devtable,__LINE__) = { \ +- device_id + 0*sizeof((function)((const char *)NULL, \ +- (void *)NULL, \ +- (char *)NULL)), \ +- SIZE_##type, (function) }; \ +- static struct devtable *SECTION(__devtable) __used \ +- __cat(devtable_ptr,__LINE__) = &__cat(devtable,__LINE__) +- + #define ADD(str, sep, cond, field) \ + do { \ + strcat(str, sep); \ +@@ -388,7 +338,6 @@ static int do_hid_entry(const char *filename, + + return 1; + } +-ADD_TO_DEVTABLE("hid", hid_device_id, do_hid_entry); + + /* Looks like: ieee1394:venNmoNspNverN */ + static int do_ieee1394_entry(const char *filename, +@@ -413,7 +362,6 @@ static int do_ieee1394_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ieee1394", ieee1394_device_id, do_ieee1394_entry); + + /* Looks like: pci:vNdNsvNsdNbcNscNiN. */ + static int do_pci_entry(const char *filename, +@@ -457,7 +405,6 @@ static int do_pci_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("pci", pci_device_id, do_pci_entry); + + /* looks like: "ccw:tNmNdtNdmN" */ + static int do_ccw_entry(const char *filename, +@@ -481,7 +428,6 @@ static int do_ccw_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ccw", ccw_device_id, do_ccw_entry); + + /* looks like: "ap:tN" */ + static int do_ap_entry(const char *filename, +@@ -492,7 +438,6 @@ static int do_ap_entry(const char *filename, + sprintf(alias, "ap:t%02X*", dev_type); + return 1; + } +-ADD_TO_DEVTABLE("ap", ap_device_id, do_ap_entry); + + /* looks like: "css:tN" */ + static int do_css_entry(const char *filename, +@@ -503,7 +448,6 @@ static int do_css_entry(const char *filename, + sprintf(alias, "css:t%01X", type); + return 1; + } +-ADD_TO_DEVTABLE("css", css_device_id, do_css_entry); + + /* Looks like: "serio:tyNprNidNexN" */ + static int do_serio_entry(const char *filename, +@@ -523,7 +467,6 @@ static int do_serio_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("serio", serio_device_id, do_serio_entry); + + /* looks like: "acpi:ACPI0003" or "acpi:PNP0C0B" or "acpi:LNXVIDEO" or + * "acpi:bbsspp" (bb=base-class, ss=sub-class, pp=prog-if) +@@ -561,7 +504,6 @@ static int do_acpi_entry(const char *filename, + } + return 1; + } +-ADD_TO_DEVTABLE("acpi", acpi_device_id, do_acpi_entry); + + /* looks like: "pnp:dD" */ + static void do_pnp_device_entry(void *symval, unsigned long size, +@@ -682,7 +624,6 @@ static int do_pcmcia_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("pcmcia", pcmcia_device_id, do_pcmcia_entry); + + static int do_of_entry (const char *filename, void *symval, char *alias) + { +@@ -707,7 +648,6 @@ static int do_of_entry (const char *filename, void *symval, char *alias) + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("of", of_device_id, do_of_entry); + + static int do_vio_entry(const char *filename, void *symval, + char *alias) +@@ -727,7 +667,6 @@ static int do_vio_entry(const char *filename, void *symval, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("vio", vio_device_id, do_vio_entry); + + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +@@ -800,7 +739,6 @@ static int do_input_entry(const char *filename, void *symval, + do_input(alias, *swbit, 0, INPUT_DEVICE_ID_SW_MAX); + return 1; + } +-ADD_TO_DEVTABLE("input", input_device_id, do_input_entry); + + static int do_eisa_entry(const char *filename, void *symval, + char *alias) +@@ -812,7 +750,6 @@ static int do_eisa_entry(const char *filename, void *symval, + strcat(alias, "*"); + return 1; + } +-ADD_TO_DEVTABLE("eisa", eisa_device_id, do_eisa_entry); + + /* Looks like: parisc:tNhvNrevNsvN */ + static int do_parisc_entry(const char *filename, void *symval, +@@ -832,7 +769,6 @@ static int do_parisc_entry(const char *filename, void *symval, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("parisc", parisc_device_id, do_parisc_entry); + + /* Looks like: sdio:cNvNdN. */ + static int do_sdio_entry(const char *filename, +@@ -849,7 +785,6 @@ static int do_sdio_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("sdio", sdio_device_id, do_sdio_entry); + + /* Looks like: ssb:vNidNrevN. */ + static int do_ssb_entry(const char *filename, +@@ -866,7 +801,6 @@ static int do_ssb_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ssb", ssb_device_id, do_ssb_entry); + + /* Looks like: bcma:mNidNrevNclN. */ + static int do_bcma_entry(const char *filename, +@@ -885,7 +819,6 @@ static int do_bcma_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("bcma", bcma_device_id, do_bcma_entry); + + /* Looks like: virtio:dNvN */ + static int do_virtio_entry(const char *filename, void *symval, +@@ -901,7 +834,6 @@ static int do_virtio_entry(const char *filename, void *symval, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("virtio", virtio_device_id, do_virtio_entry); + + /* + * Looks like: vmbus:guid +@@ -924,7 +856,6 @@ static int do_vmbus_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("vmbus", hv_vmbus_device_id, do_vmbus_entry); + + /* Looks like: i2c:S */ + static int do_i2c_entry(const char *filename, void *symval, +@@ -935,7 +866,6 @@ static int do_i2c_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("i2c", i2c_device_id, do_i2c_entry); + + /* Looks like: spi:S */ + static int do_spi_entry(const char *filename, void *symval, +@@ -946,7 +876,6 @@ static int do_spi_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("spi", spi_device_id, do_spi_entry); + + static const struct dmifield { + const char *prefix; +@@ -1001,7 +930,6 @@ static int do_dmi_entry(const char *filename, void *symval, + strcat(alias, ":"); + return 1; + } +-ADD_TO_DEVTABLE("dmi", dmi_system_id, do_dmi_entry); + + static int do_platform_entry(const char *filename, + void *symval, char *alias) +@@ -1010,7 +938,6 @@ static int do_platform_entry(const char *filename, + sprintf(alias, PLATFORM_MODULE_PREFIX "%s", *name); + return 1; + } +-ADD_TO_DEVTABLE("platform", platform_device_id, do_platform_entry); + + static int do_mdio_entry(const char *filename, + void *symval, char *alias) +@@ -1035,7 +962,6 @@ static int do_mdio_entry(const char *filename, + + return 1; + } +-ADD_TO_DEVTABLE("mdio", mdio_device_id, do_mdio_entry); + + /* Looks like: zorro:iN. */ + static int do_zorro_entry(const char *filename, void *symval, +@@ -1046,7 +972,6 @@ static int do_zorro_entry(const char *filename, void *symval, + ADD(alias, "i", id != ZORRO_WILDCARD, id); + return 1; + } +-ADD_TO_DEVTABLE("zorro", zorro_device_id, do_zorro_entry); + + /* looks like: "pnp:dD" */ + static int do_isapnp_entry(const char *filename, +@@ -1062,7 +987,6 @@ static int do_isapnp_entry(const char *filename, + (function >> 12) & 0x0f, (function >> 8) & 0x0f); + return 1; + } +-ADD_TO_DEVTABLE("isapnp", isapnp_device_id, do_isapnp_entry); + + /* Looks like: "ipack:fNvNdN". */ + static int do_ipack_entry(const char *filename, +@@ -1078,7 +1002,6 @@ static int do_ipack_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ipack", ipack_device_id, do_ipack_entry); + + /* + * Append a match expression for a single masked hex digit. +@@ -1149,7 +1072,6 @@ static int do_amba_entry(const char *filename, + + return 1; + } +-ADD_TO_DEVTABLE("amba", amba_id, do_amba_entry); + + /* + * looks like: "mipscdmm:tN" +@@ -1165,7 +1087,6 @@ static int do_mips_cdmm_entry(const char *filename, + sprintf(alias, "mipscdmm:t%02X*", type); + return 1; + } +-ADD_TO_DEVTABLE("mipscdmm", mips_cdmm_device_id, do_mips_cdmm_entry); + + /* LOOKS like cpu:type:x86,venVVVVfamFFFFmodMMMM:feature:*,FEAT,* + * All fields are numbers. It would be nicer to use strings for vendor +@@ -1190,7 +1111,6 @@ static int do_x86cpu_entry(const char *filename, void *symval, + sprintf(alias + strlen(alias), "%04X*", feature); + return 1; + } +-ADD_TO_DEVTABLE("x86cpu", x86_cpu_id, do_x86cpu_entry); + + /* LOOKS like cpu:type:*:feature:*FEAT* */ + static int do_cpu_entry(const char *filename, void *symval, char *alias) +@@ -1200,7 +1120,6 @@ static int do_cpu_entry(const char *filename, void *symval, char *alias) + sprintf(alias, "cpu:type:*:feature:*%04X*", feature); + return 1; + } +-ADD_TO_DEVTABLE("cpu", cpu_feature, do_cpu_entry); + + /* Looks like: mei:S:uuid:N:* */ + static int do_mei_entry(const char *filename, void *symval, +@@ -1219,7 +1138,6 @@ static int do_mei_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("mei", mei_cl_device_id, do_mei_entry); + + /* Looks like: rapidio:vNdNavNadN */ + static int do_rio_entry(const char *filename, +@@ -1239,7 +1157,6 @@ static int do_rio_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("rapidio", rio_device_id, do_rio_entry); + + /* Looks like: ulpi:vNpN */ + static int do_ulpi_entry(const char *filename, void *symval, +@@ -1252,7 +1169,6 @@ static int do_ulpi_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("ulpi", ulpi_device_id, do_ulpi_entry); + + /* Looks like: hdaudio:vNrNaN */ + static int do_hda_entry(const char *filename, void *symval, char *alias) +@@ -1269,7 +1185,6 @@ static int do_hda_entry(const char *filename, void *symval, char *alias) + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("hdaudio", hda_device_id, do_hda_entry); + + /* Does namelen bytes of name exactly match the symbol? */ + static bool sym_is(const char *name, unsigned namelen, const char *symbol) +@@ -1283,12 +1198,11 @@ static bool sym_is(const char *name, unsigned namelen, const char *symbol) + static void do_table(void *symval, unsigned long size, + unsigned long id_size, + const char *device_id, +- void *function, ++ int (*do_entry)(const char *filename, void *symval, char *alias), + struct module *mod) + { + unsigned int i; + char alias[500]; +- int (*do_entry)(const char *, void *entry, char *alias) = function; + + device_id_check(mod->name, device_id, size, id_size, symval); + /* Leave last one: it's the terminator. */ +@@ -1302,6 +1216,44 @@ static void do_table(void *symval, unsigned long size, + } + } + ++static const struct devtable devtable[] = { ++ {"hid", SIZE_hid_device_id, do_hid_entry}, ++ {"ieee1394", SIZE_ieee1394_device_id, do_ieee1394_entry}, ++ {"pci", SIZE_pci_device_id, do_pci_entry}, ++ {"ccw", SIZE_ccw_device_id, do_ccw_entry}, ++ {"ap", SIZE_ap_device_id, do_ap_entry}, ++ {"css", SIZE_css_device_id, do_css_entry}, ++ {"serio", SIZE_serio_device_id, do_serio_entry}, ++ {"acpi", SIZE_acpi_device_id, do_acpi_entry}, ++ {"pcmcia", SIZE_pcmcia_device_id, do_pcmcia_entry}, ++ {"vio", SIZE_vio_device_id, do_vio_entry}, ++ {"input", SIZE_input_device_id, do_input_entry}, ++ {"eisa", SIZE_eisa_device_id, do_eisa_entry}, ++ {"parisc", SIZE_parisc_device_id, do_parisc_entry}, ++ {"sdio", SIZE_sdio_device_id, do_sdio_entry}, ++ {"ssb", SIZE_ssb_device_id, do_ssb_entry}, ++ {"bcma", SIZE_bcma_device_id, do_bcma_entry}, ++ {"virtio", SIZE_virtio_device_id, do_virtio_entry}, ++ {"vmbus", SIZE_hv_vmbus_device_id, do_vmbus_entry}, ++ {"i2c", SIZE_i2c_device_id, do_i2c_entry}, ++ {"spi", SIZE_spi_device_id, do_spi_entry}, ++ {"dmi", SIZE_dmi_system_id, do_dmi_entry}, ++ {"platform", SIZE_platform_device_id, do_platform_entry}, ++ {"mdio", SIZE_mdio_device_id, do_mdio_entry}, ++ {"zorro", SIZE_zorro_device_id, do_zorro_entry}, ++ {"isapnp", SIZE_isapnp_device_id, do_isapnp_entry}, ++ {"ipack", SIZE_ipack_device_id, do_ipack_entry}, ++ {"amba", SIZE_amba_id, do_amba_entry}, ++ {"mipscdmm", SIZE_mips_cdmm_device_id, do_mips_cdmm_entry}, ++ {"x86cpu", SIZE_x86_cpu_id, do_x86cpu_entry}, ++ {"cpu", SIZE_cpu_feature, do_cpu_entry}, ++ {"mei", SIZE_mei_cl_device_id, do_mei_entry}, ++ {"rapidio", SIZE_rio_device_id, do_rio_entry}, ++ {"ulpi", SIZE_ulpi_device_id, do_ulpi_entry}, ++ {"hdaudio", SIZE_hda_device_id, do_hda_entry}, ++ {"of", SIZE_of_device_id, do_of_entry}, ++}; ++ + /* Create MODULE_ALIAS() statements. + * At this time, we cannot write the actual output C source yet, + * so we write into the mod->dev_table_buf buffer. */ +@@ -1354,13 +1306,14 @@ void handle_moddevtable(struct module *mod, struct elf_info *info, + else if (sym_is(name, namelen, "pnp_card")) + do_pnp_card_entries(symval, sym->st_size, mod); + else { +- struct devtable **p; +- INIT_SECTION(__devtable); ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(devtable); i++) { ++ const struct devtable *p = &devtable[i]; + +- for (p = __start___devtable; p < __stop___devtable; p++) { +- if (sym_is(name, namelen, (*p)->device_id)) { +- do_table(symval, sym->st_size, (*p)->id_size, +- (*p)->device_id, (*p)->function, mod); ++ if (sym_is(name, namelen, p->device_id)) { ++ do_table(symval, sym->st_size, p->id_size, ++ p->device_id, p->do_entry, mod); + break; + } + } +diff --git a/security/device_cgroup.c b/security/device_cgroup.c +index 03c1652c9a1f..db3bdc91c520 100644 +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -568,7 +568,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root, + devcg->behavior == DEVCG_DEFAULT_ALLOW) { + rc = dev_exception_add(devcg, ex); + if (rc) +- break; ++ return rc; + } else { + /* + * in the other possible cases: +diff --git a/sound/core/info.c b/sound/core/info.c +index 8ab72e0f5932..358a6947342d 100644 +--- a/sound/core/info.c ++++ b/sound/core/info.c +@@ -724,8 +724,11 @@ snd_info_create_entry(const char *name, struct snd_info_entry *parent) + INIT_LIST_HEAD(&entry->children); + INIT_LIST_HEAD(&entry->list); + entry->parent = parent; +- if (parent) ++ if (parent) { ++ mutex_lock(&parent->access); + list_add_tail(&entry->list, &parent->children); ++ mutex_unlock(&parent->access); ++ } + return entry; + } + +@@ -809,7 +812,12 @@ void snd_info_free_entry(struct snd_info_entry * entry) + list_for_each_entry_safe(p, n, &entry->children, list) + snd_info_free_entry(p); + +- list_del(&entry->list); ++ p = entry->parent; ++ if (p) { ++ mutex_lock(&p->access); ++ list_del(&entry->list); ++ mutex_unlock(&p->access); ++ } + kfree(entry->name); + if (entry->private_free) + entry->private_free(entry); +diff --git a/sound/core/init.c b/sound/core/init.c +index 20f37fb3800e..67765c61e5d5 100644 +--- a/sound/core/init.c ++++ b/sound/core/init.c +@@ -405,14 +405,7 @@ int snd_card_disconnect(struct snd_card *card) + card->shutdown = 1; + spin_unlock(&card->files_lock); + +- /* phase 1: disable fops (user space) operations for ALSA API */ +- mutex_lock(&snd_card_mutex); +- snd_cards[card->number] = NULL; +- clear_bit(card->number, snd_cards_lock); +- mutex_unlock(&snd_card_mutex); +- +- /* phase 2: replace file->f_op with special dummy operations */ +- ++ /* replace file->f_op with special dummy operations */ + spin_lock(&card->files_lock); + list_for_each_entry(mfile, &card->files_list, list) { + /* it's critical part, use endless loop */ +@@ -428,7 +421,7 @@ int snd_card_disconnect(struct snd_card *card) + } + spin_unlock(&card->files_lock); + +- /* phase 3: notify all connected devices about disconnection */ ++ /* notify all connected devices about disconnection */ + /* at this point, they cannot respond to any calls except release() */ + + #if IS_ENABLED(CONFIG_SND_MIXER_OSS) +@@ -444,6 +437,13 @@ int snd_card_disconnect(struct snd_card *card) + device_del(&card->card_dev); + card->registered = false; + } ++ ++ /* disable fops (user space) operations for ALSA API */ ++ mutex_lock(&snd_card_mutex); ++ snd_cards[card->number] = NULL; ++ clear_bit(card->number, snd_cards_lock); ++ mutex_unlock(&snd_card_mutex); ++ + #ifdef CONFIG_PM + wake_up(&card->power_sleep); + #endif +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 4d6f0f56d54a..252392abd1b9 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -1342,6 +1342,14 @@ int snd_pcm_suspend_all(struct snd_pcm *pcm) + /* FIXME: the open/close code should lock this as well */ + if (substream->runtime == NULL) + continue; ++ ++ /* ++ * Skip BE dai link PCM's that are internal and may ++ * not have their substream ops set. ++ */ ++ if (!substream->ops) ++ continue; ++ + err = snd_pcm_suspend(substream); + if (err < 0 && err != -EBUSY) + return err; +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index 73ee8476584d..0d0e0c2651c2 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1249,7 +1249,7 @@ static int snd_seq_ioctl_set_client_info(struct snd_seq_client *client, + + /* fill the info fields */ + if (client_info.name[0]) +- strlcpy(client->name, client_info.name, sizeof(client->name)); ++ strscpy(client->name, client_info.name, sizeof(client->name)); + + client->filter = client_info.filter; + client->event_lost = client_info.event_lost; +@@ -1558,7 +1558,7 @@ static int snd_seq_ioctl_create_queue(struct snd_seq_client *client, + /* set queue name */ + if (! info.name[0]) + snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue); +- strlcpy(q->name, info.name, sizeof(q->name)); ++ strscpy(q->name, info.name, sizeof(q->name)); + snd_use_lock_free(&q->use_lock); + + if (copy_to_user(arg, &info, sizeof(info))) +@@ -1636,7 +1636,7 @@ static int snd_seq_ioctl_set_queue_info(struct snd_seq_client *client, + queuefree(q); + return -EPERM; + } +- strlcpy(q->name, info.name, sizeof(q->name)); ++ strscpy(q->name, info.name, sizeof(q->name)); + queuefree(q); + + return 0; +diff --git a/sound/drivers/opl3/opl3_voice.h b/sound/drivers/opl3/opl3_voice.h +index a371c075ac87..e26702559f61 100644 +--- a/sound/drivers/opl3/opl3_voice.h ++++ b/sound/drivers/opl3/opl3_voice.h +@@ -41,7 +41,7 @@ void snd_opl3_timer_func(unsigned long data); + + /* Prototypes for opl3_drums.c */ + void snd_opl3_load_drums(struct snd_opl3 *opl3); +-void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int on_off, int vel, struct snd_midi_channel *chan); ++void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int vel, int on_off, struct snd_midi_channel *chan); + + /* Prototypes for opl3_oss.c */ + #ifdef CONFIG_SND_SEQUENCER_OSS +diff --git a/sound/isa/sb/sb8.c b/sound/isa/sb/sb8.c +index b8e2391c33ff..0c7fe1418447 100644 +--- a/sound/isa/sb/sb8.c ++++ b/sound/isa/sb/sb8.c +@@ -111,6 +111,10 @@ static int snd_sb8_probe(struct device *pdev, unsigned int dev) + + /* block the 0x388 port to avoid PnP conflicts */ + acard->fm_res = request_region(0x388, 4, "SoundBlaster FM"); ++ if (!acard->fm_res) { ++ err = -EBUSY; ++ goto _err; ++ } + + if (port[dev] != SNDRV_AUTO_PORT) { + if ((err = snd_sbdsp_create(card, port[dev], irq[dev], +diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c +index 286f5e3686a3..d73ee11a32bd 100644 +--- a/sound/pci/echoaudio/echoaudio.c ++++ b/sound/pci/echoaudio/echoaudio.c +@@ -1953,6 +1953,11 @@ static int snd_echo_create(struct snd_card *card, + } + chip->dsp_registers = (volatile u32 __iomem *) + ioremap_nocache(chip->dsp_registers_phys, sz); ++ if (!chip->dsp_registers) { ++ dev_err(chip->card->dev, "ioremap failed\n"); ++ snd_echo_free(chip); ++ return -ENOMEM; ++ } + + if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED, + KBUILD_MODNAME, chip)) { +diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c +index 1b05d1c5d9fd..a32fe14b4687 100644 +--- a/sound/soc/fsl/fsl-asoc-card.c ++++ b/sound/soc/fsl/fsl-asoc-card.c +@@ -659,6 +659,7 @@ static int fsl_asoc_card_probe(struct platform_device *pdev) + asrc_fail: + of_node_put(asrc_np); + of_node_put(codec_np); ++ put_device(&cpu_pdev->dev); + fail: + of_node_put(cpu_np); + +diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c +index a87836d4de15..40075b9afb79 100644 +--- a/sound/soc/fsl/fsl_esai.c ++++ b/sound/soc/fsl/fsl_esai.c +@@ -57,6 +57,8 @@ struct fsl_esai { + u32 fifo_depth; + u32 slot_width; + u32 slots; ++ u32 tx_mask; ++ u32 rx_mask; + u32 hck_rate[2]; + u32 sck_rate[2]; + bool hck_dir[2]; +@@ -357,21 +359,13 @@ static int fsl_esai_set_dai_tdm_slot(struct snd_soc_dai *dai, u32 tx_mask, + regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, + ESAI_xCCR_xDC_MASK, ESAI_xCCR_xDC(slots)); + +- regmap_update_bits(esai_priv->regmap, REG_ESAI_TSMA, +- ESAI_xSMA_xS_MASK, ESAI_xSMA_xS(tx_mask)); +- regmap_update_bits(esai_priv->regmap, REG_ESAI_TSMB, +- ESAI_xSMB_xS_MASK, ESAI_xSMB_xS(tx_mask)); +- + regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, + ESAI_xCCR_xDC_MASK, ESAI_xCCR_xDC(slots)); + +- regmap_update_bits(esai_priv->regmap, REG_ESAI_RSMA, +- ESAI_xSMA_xS_MASK, ESAI_xSMA_xS(rx_mask)); +- regmap_update_bits(esai_priv->regmap, REG_ESAI_RSMB, +- ESAI_xSMB_xS_MASK, ESAI_xSMB_xS(rx_mask)); +- + esai_priv->slot_width = slot_width; + esai_priv->slots = slots; ++ esai_priv->tx_mask = tx_mask; ++ esai_priv->rx_mask = rx_mask; + + return 0; + } +@@ -582,6 +576,7 @@ static int fsl_esai_trigger(struct snd_pcm_substream *substream, int cmd, + bool tx = substream->stream == SNDRV_PCM_STREAM_PLAYBACK; + u8 i, channels = substream->runtime->channels; + u32 pins = DIV_ROUND_UP(channels, esai_priv->slots); ++ u32 mask; + + switch (cmd) { + case SNDRV_PCM_TRIGGER_START: +@@ -594,15 +589,38 @@ static int fsl_esai_trigger(struct snd_pcm_substream *substream, int cmd, + for (i = 0; tx && i < channels; i++) + regmap_write(esai_priv->regmap, REG_ESAI_ETDR, 0x0); + ++ /* ++ * When set the TE/RE in the end of enablement flow, there ++ * will be channel swap issue for multi data line case. ++ * In order to workaround this issue, we switch the bit ++ * enablement sequence to below sequence ++ * 1) clear the xSMB & xSMA: which is done in probe and ++ * stop state. ++ * 2) set TE/RE ++ * 3) set xSMB ++ * 4) set xSMA: xSMA is the last one in this flow, which ++ * will trigger esai to start. ++ */ + regmap_update_bits(esai_priv->regmap, REG_ESAI_xCR(tx), + tx ? ESAI_xCR_TE_MASK : ESAI_xCR_RE_MASK, + tx ? ESAI_xCR_TE(pins) : ESAI_xCR_RE(pins)); ++ mask = tx ? esai_priv->tx_mask : esai_priv->rx_mask; ++ ++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMB(tx), ++ ESAI_xSMB_xS_MASK, ESAI_xSMB_xS(mask)); ++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMA(tx), ++ ESAI_xSMA_xS_MASK, ESAI_xSMA_xS(mask)); ++ + break; + case SNDRV_PCM_TRIGGER_SUSPEND: + case SNDRV_PCM_TRIGGER_STOP: + case SNDRV_PCM_TRIGGER_PAUSE_PUSH: + regmap_update_bits(esai_priv->regmap, REG_ESAI_xCR(tx), + tx ? ESAI_xCR_TE_MASK : ESAI_xCR_RE_MASK, 0); ++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMA(tx), ++ ESAI_xSMA_xS_MASK, 0); ++ regmap_update_bits(esai_priv->regmap, REG_ESAI_xSMB(tx), ++ ESAI_xSMB_xS_MASK, 0); + + /* Disable and reset FIFO */ + regmap_update_bits(esai_priv->regmap, REG_ESAI_xFCR(tx), +@@ -887,6 +905,15 @@ static int fsl_esai_probe(struct platform_device *pdev) + return ret; + } + ++ esai_priv->tx_mask = 0xFFFFFFFF; ++ esai_priv->rx_mask = 0xFFFFFFFF; ++ ++ /* Clear the TSMA, TSMB, RSMA, RSMB */ ++ regmap_write(esai_priv->regmap, REG_ESAI_TSMA, 0); ++ regmap_write(esai_priv->regmap, REG_ESAI_TSMB, 0); ++ regmap_write(esai_priv->regmap, REG_ESAI_RSMA, 0); ++ regmap_write(esai_priv->regmap, REG_ESAI_RSMB, 0); ++ + ret = devm_snd_soc_register_component(&pdev->dev, &fsl_esai_component, + &fsl_esai_dai, 1); + if (ret) { +diff --git a/sound/soc/fsl/imx-sgtl5000.c b/sound/soc/fsl/imx-sgtl5000.c +index b99e0b5e00e9..8e525f7ac08d 100644 +--- a/sound/soc/fsl/imx-sgtl5000.c ++++ b/sound/soc/fsl/imx-sgtl5000.c +@@ -115,6 +115,7 @@ static int imx_sgtl5000_probe(struct platform_device *pdev) + ret = -EPROBE_DEFER; + goto fail; + } ++ put_device(&ssi_pdev->dev); + codec_dev = of_find_i2c_device_by_node(codec_np); + if (!codec_dev) { + dev_err(&pdev->dev, "failed to find codec platform device\n"); +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 6e4a10fe9dd0..743746a3c50d 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2419,7 +2419,7 @@ static int arg_num_eval(struct print_arg *arg, long long *val) + static char *arg_eval (struct print_arg *arg) + { + long long val; +- static char buf[20]; ++ static char buf[24]; + + switch (arg->type) { + case PRINT_ATOM: +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index 47719bde34c6..4e64ba8163bb 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1320,8 +1320,9 @@ int cmd_top(int argc, const char **argv, const char *prefix __maybe_unused) + symbol_conf.priv_size = sizeof(struct annotation); + + symbol_conf.try_vmlinux_path = (symbol_conf.vmlinux_name == NULL); +- if (symbol__init(NULL) < 0) +- return -1; ++ status = symbol__init(NULL); ++ if (status < 0) ++ goto out_delete_evlist; + + sort__setup_elide(stdout); + +diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c +index da474d743b6a..ea3161170f9e 100644 +--- a/tools/perf/tests/evsel-tp-sched.c ++++ b/tools/perf/tests/evsel-tp-sched.c +@@ -42,7 +42,7 @@ int test__perf_evsel__tp_sched_test(void) + return -1; + } + +- if (perf_evsel__test_field(evsel, "prev_comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "prev_comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "prev_pid", 4, true)) +@@ -54,7 +54,7 @@ int test__perf_evsel__tp_sched_test(void) + if (perf_evsel__test_field(evsel, "prev_state", sizeof(long), true)) + ret = -1; + +- if (perf_evsel__test_field(evsel, "next_comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "next_comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "next_pid", 4, true)) +@@ -72,7 +72,7 @@ int test__perf_evsel__tp_sched_test(void) + return -1; + } + +- if (perf_evsel__test_field(evsel, "comm", 16, true)) ++ if (perf_evsel__test_field(evsel, "comm", 16, false)) + ret = -1; + + if (perf_evsel__test_field(evsel, "pid", 4, true)) +@@ -84,5 +84,6 @@ int test__perf_evsel__tp_sched_test(void) + if (perf_evsel__test_field(evsel, "target_cpu", 4, true)) + ret = -1; + ++ perf_evsel__delete(evsel); + return ret; + } +diff --git a/tools/perf/tests/openat-syscall-all-cpus.c b/tools/perf/tests/openat-syscall-all-cpus.c +index 2006485a2859..3848d5ab378d 100644 +--- a/tools/perf/tests/openat-syscall-all-cpus.c ++++ b/tools/perf/tests/openat-syscall-all-cpus.c +@@ -35,7 +35,7 @@ int test__openat_syscall_event_on_all_cpus(void) + if (IS_ERR(evsel)) { + tracing_path__strerror_open_tp(errno, errbuf, sizeof(errbuf), "syscalls", "sys_enter_openat"); + pr_debug("%s\n", errbuf); +- goto out_thread_map_delete; ++ goto out_cpu_map_delete; + } + + if (perf_evsel__open(evsel, cpus, threads) < 0) { +@@ -109,6 +109,8 @@ out_close_fd: + perf_evsel__close_fd(evsel, 1, threads->nr); + out_evsel_delete: + perf_evsel__delete(evsel); ++out_cpu_map_delete: ++ cpu_map__put(cpus); + out_thread_map_delete: + thread_map__put(threads); + return err; +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index f0bd4825f95a..97fde9275f42 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1051,6 +1051,7 @@ void perf_evsel__exit(struct perf_evsel *evsel) + { + assert(list_empty(&evsel->node)); + assert(evsel->evlist == NULL); ++ perf_evsel__free_counts(evsel); + perf_evsel__free_fd(evsel); + perf_evsel__free_id(evsel); + perf_evsel__free_config_terms(evsel); +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 33c79e415075..532e7bf06868 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -3089,6 +3089,9 @@ int fork_it(char **argv) + signal(SIGQUIT, SIG_IGN); + if (waitpid(child_pid, &status, 0) == -1) + err(status, "waitpid"); ++ ++ if (WIFEXITED(status)) ++ status = WEXITSTATUS(status); + } + /* + * n.b. fork_it() does not check for errors from for_all_cpus() diff --git a/patch/kernel/rockchip-default/04-patch-4.4.179-180.patch b/patch/kernel/rockchip-default/04-patch-4.4.179-180.patch new file mode 100644 index 0000000000..d147c76798 --- /dev/null +++ b/patch/kernel/rockchip-default/04-patch-4.4.179-180.patch @@ -0,0 +1,5154 @@ +diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu +index 50f95689ab38..e4cd3be77663 100644 +--- a/Documentation/ABI/testing/sysfs-devices-system-cpu ++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu +@@ -277,6 +277,8 @@ What: /sys/devices/system/cpu/vulnerabilities + /sys/devices/system/cpu/vulnerabilities/spectre_v1 + /sys/devices/system/cpu/vulnerabilities/spectre_v2 + /sys/devices/system/cpu/vulnerabilities/spec_store_bypass ++ /sys/devices/system/cpu/vulnerabilities/l1tf ++ /sys/devices/system/cpu/vulnerabilities/mds + Date: January 2018 + Contact: Linux kernel mailing list + Description: Information about CPU vulnerabilities +diff --git a/Documentation/hw-vuln/mds.rst b/Documentation/hw-vuln/mds.rst +new file mode 100644 +index 000000000000..3f92728be021 +--- /dev/null ++++ b/Documentation/hw-vuln/mds.rst +@@ -0,0 +1,305 @@ ++MDS - Microarchitectural Data Sampling ++====================================== ++ ++Microarchitectural Data Sampling is a hardware vulnerability which allows ++unprivileged speculative access to data which is available in various CPU ++internal buffers. ++ ++Affected processors ++------------------- ++ ++This vulnerability affects a wide range of Intel processors. The ++vulnerability is not present on: ++ ++ - Processors from AMD, Centaur and other non Intel vendors ++ ++ - Older processor models, where the CPU family is < 6 ++ ++ - Some Atoms (Bonnell, Saltwell, Goldmont, GoldmontPlus) ++ ++ - Intel processors which have the ARCH_CAP_MDS_NO bit set in the ++ IA32_ARCH_CAPABILITIES MSR. ++ ++Whether a processor is affected or not can be read out from the MDS ++vulnerability file in sysfs. See :ref:`mds_sys_info`. ++ ++Not all processors are affected by all variants of MDS, but the mitigation ++is identical for all of them so the kernel treats them as a single ++vulnerability. ++ ++Related CVEs ++------------ ++ ++The following CVE entries are related to the MDS vulnerability: ++ ++ ============== ===== =================================================== ++ CVE-2018-12126 MSBDS Microarchitectural Store Buffer Data Sampling ++ CVE-2018-12130 MFBDS Microarchitectural Fill Buffer Data Sampling ++ CVE-2018-12127 MLPDS Microarchitectural Load Port Data Sampling ++ CVE-2019-11091 MDSUM Microarchitectural Data Sampling Uncacheable Memory ++ ============== ===== =================================================== ++ ++Problem ++------- ++ ++When performing store, load, L1 refill operations, processors write data ++into temporary microarchitectural structures (buffers). The data in the ++buffer can be forwarded to load operations as an optimization. ++ ++Under certain conditions, usually a fault/assist caused by a load ++operation, data unrelated to the load memory address can be speculatively ++forwarded from the buffers. Because the load operation causes a fault or ++assist and its result will be discarded, the forwarded data will not cause ++incorrect program execution or state changes. But a malicious operation ++may be able to forward this speculative data to a disclosure gadget which ++allows in turn to infer the value via a cache side channel attack. ++ ++Because the buffers are potentially shared between Hyper-Threads cross ++Hyper-Thread attacks are possible. ++ ++Deeper technical information is available in the MDS specific x86 ++architecture section: :ref:`Documentation/x86/mds.rst `. ++ ++ ++Attack scenarios ++---------------- ++ ++Attacks against the MDS vulnerabilities can be mounted from malicious non ++priviledged user space applications running on hosts or guest. Malicious ++guest OSes can obviously mount attacks as well. ++ ++Contrary to other speculation based vulnerabilities the MDS vulnerability ++does not allow the attacker to control the memory target address. As a ++consequence the attacks are purely sampling based, but as demonstrated with ++the TLBleed attack samples can be postprocessed successfully. ++ ++Web-Browsers ++^^^^^^^^^^^^ ++ ++ It's unclear whether attacks through Web-Browsers are possible at ++ all. The exploitation through Java-Script is considered very unlikely, ++ but other widely used web technologies like Webassembly could possibly be ++ abused. ++ ++ ++.. _mds_sys_info: ++ ++MDS system information ++----------------------- ++ ++The Linux kernel provides a sysfs interface to enumerate the current MDS ++status of the system: whether the system is vulnerable, and which ++mitigations are active. The relevant sysfs file is: ++ ++/sys/devices/system/cpu/vulnerabilities/mds ++ ++The possible values in this file are: ++ ++ .. list-table:: ++ ++ * - 'Not affected' ++ - The processor is not vulnerable ++ * - 'Vulnerable' ++ - The processor is vulnerable, but no mitigation enabled ++ * - 'Vulnerable: Clear CPU buffers attempted, no microcode' ++ - The processor is vulnerable but microcode is not updated. ++ ++ The mitigation is enabled on a best effort basis. See :ref:`vmwerv` ++ * - 'Mitigation: Clear CPU buffers' ++ - The processor is vulnerable and the CPU buffer clearing mitigation is ++ enabled. ++ ++If the processor is vulnerable then the following information is appended ++to the above information: ++ ++ ======================== ============================================ ++ 'SMT vulnerable' SMT is enabled ++ 'SMT mitigated' SMT is enabled and mitigated ++ 'SMT disabled' SMT is disabled ++ 'SMT Host state unknown' Kernel runs in a VM, Host SMT state unknown ++ ======================== ============================================ ++ ++.. _vmwerv: ++ ++Best effort mitigation mode ++^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ If the processor is vulnerable, but the availability of the microcode based ++ mitigation mechanism is not advertised via CPUID the kernel selects a best ++ effort mitigation mode. This mode invokes the mitigation instructions ++ without a guarantee that they clear the CPU buffers. ++ ++ This is done to address virtualization scenarios where the host has the ++ microcode update applied, but the hypervisor is not yet updated to expose ++ the CPUID to the guest. If the host has updated microcode the protection ++ takes effect otherwise a few cpu cycles are wasted pointlessly. ++ ++ The state in the mds sysfs file reflects this situation accordingly. ++ ++ ++Mitigation mechanism ++------------------------- ++ ++The kernel detects the affected CPUs and the presence of the microcode ++which is required. ++ ++If a CPU is affected and the microcode is available, then the kernel ++enables the mitigation by default. The mitigation can be controlled at boot ++time via a kernel command line option. See ++:ref:`mds_mitigation_control_command_line`. ++ ++.. _cpu_buffer_clear: ++ ++CPU buffer clearing ++^^^^^^^^^^^^^^^^^^^ ++ ++ The mitigation for MDS clears the affected CPU buffers on return to user ++ space and when entering a guest. ++ ++ If SMT is enabled it also clears the buffers on idle entry when the CPU ++ is only affected by MSBDS and not any other MDS variant, because the ++ other variants cannot be protected against cross Hyper-Thread attacks. ++ ++ For CPUs which are only affected by MSBDS the user space, guest and idle ++ transition mitigations are sufficient and SMT is not affected. ++ ++.. _virt_mechanism: ++ ++Virtualization mitigation ++^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The protection for host to guest transition depends on the L1TF ++ vulnerability of the CPU: ++ ++ - CPU is affected by L1TF: ++ ++ If the L1D flush mitigation is enabled and up to date microcode is ++ available, the L1D flush mitigation is automatically protecting the ++ guest transition. ++ ++ If the L1D flush mitigation is disabled then the MDS mitigation is ++ invoked explicit when the host MDS mitigation is enabled. ++ ++ For details on L1TF and virtualization see: ++ :ref:`Documentation/hw-vuln//l1tf.rst `. ++ ++ - CPU is not affected by L1TF: ++ ++ CPU buffers are flushed before entering the guest when the host MDS ++ mitigation is enabled. ++ ++ The resulting MDS protection matrix for the host to guest transition: ++ ++ ============ ===== ============= ============ ================= ++ L1TF MDS VMX-L1FLUSH Host MDS MDS-State ++ ++ Don't care No Don't care N/A Not affected ++ ++ Yes Yes Disabled Off Vulnerable ++ ++ Yes Yes Disabled Full Mitigated ++ ++ Yes Yes Enabled Don't care Mitigated ++ ++ No Yes N/A Off Vulnerable ++ ++ No Yes N/A Full Mitigated ++ ============ ===== ============= ============ ================= ++ ++ This only covers the host to guest transition, i.e. prevents leakage from ++ host to guest, but does not protect the guest internally. Guests need to ++ have their own protections. ++ ++.. _xeon_phi: ++ ++XEON PHI specific considerations ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The XEON PHI processor family is affected by MSBDS which can be exploited ++ cross Hyper-Threads when entering idle states. Some XEON PHI variants allow ++ to use MWAIT in user space (Ring 3) which opens an potential attack vector ++ for malicious user space. The exposure can be disabled on the kernel ++ command line with the 'ring3mwait=disable' command line option. ++ ++ XEON PHI is not affected by the other MDS variants and MSBDS is mitigated ++ before the CPU enters a idle state. As XEON PHI is not affected by L1TF ++ either disabling SMT is not required for full protection. ++ ++.. _mds_smt_control: ++ ++SMT control ++^^^^^^^^^^^ ++ ++ All MDS variants except MSBDS can be attacked cross Hyper-Threads. That ++ means on CPUs which are affected by MFBDS or MLPDS it is necessary to ++ disable SMT for full protection. These are most of the affected CPUs; the ++ exception is XEON PHI, see :ref:`xeon_phi`. ++ ++ Disabling SMT can have a significant performance impact, but the impact ++ depends on the type of workloads. ++ ++ See the relevant chapter in the L1TF mitigation documentation for details: ++ :ref:`Documentation/hw-vuln/l1tf.rst `. ++ ++ ++.. _mds_mitigation_control_command_line: ++ ++Mitigation control on the kernel command line ++--------------------------------------------- ++ ++The kernel command line allows to control the MDS mitigations at boot ++time with the option "mds=". The valid arguments for this option are: ++ ++ ============ ============================================================= ++ full If the CPU is vulnerable, enable all available mitigations ++ for the MDS vulnerability, CPU buffer clearing on exit to ++ userspace and when entering a VM. Idle transitions are ++ protected as well if SMT is enabled. ++ ++ It does not automatically disable SMT. ++ ++ off Disables MDS mitigations completely. ++ ++ ============ ============================================================= ++ ++Not specifying this option is equivalent to "mds=full". ++ ++ ++Mitigation selection guide ++-------------------------- ++ ++1. Trusted userspace ++^^^^^^^^^^^^^^^^^^^^ ++ ++ If all userspace applications are from a trusted source and do not ++ execute untrusted code which is supplied externally, then the mitigation ++ can be disabled. ++ ++ ++2. Virtualization with trusted guests ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The same considerations as above versus trusted user space apply. ++ ++3. Virtualization with untrusted guests ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ The protection depends on the state of the L1TF mitigations. ++ See :ref:`virt_mechanism`. ++ ++ If the MDS mitigation is enabled and SMT is disabled, guest to host and ++ guest to guest attacks are prevented. ++ ++.. _mds_default_mitigations: ++ ++Default mitigations ++------------------- ++ ++ The kernel default mitigations for vulnerable processors are: ++ ++ - Enable CPU buffer clearing ++ ++ The kernel does not by default enforce the disabling of SMT, which leaves ++ SMT systems vulnerable when running untrusted code. The same rationale as ++ for L1TF applies. ++ See :ref:`Documentation/hw-vuln//l1tf.rst `. +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index da515c535e62..175d57049168 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -2035,6 +2035,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + Format: , + Specifies range of consoles to be captured by the MDA. + ++ mds= [X86,INTEL] ++ Control mitigation for the Micro-architectural Data ++ Sampling (MDS) vulnerability. ++ ++ Certain CPUs are vulnerable to an exploit against CPU ++ internal buffers which can forward information to a ++ disclosure gadget under certain conditions. ++ ++ In vulnerable processors, the speculatively ++ forwarded data can be used in a cache side channel ++ attack, to access data to which the attacker does ++ not have direct access. ++ ++ This parameter controls the MDS mitigation. The ++ options are: ++ ++ full - Enable MDS mitigation on vulnerable CPUs ++ off - Unconditionally disable MDS mitigation ++ ++ Not specifying this option is equivalent to ++ mds=full. ++ ++ For details see: Documentation/hw-vuln/mds.rst ++ + mem=nn[KMG] [KNL,BOOT] Force usage of a specific amount of memory + Amount of memory to be used when the kernel is not able + to see the whole system memory or for test. +@@ -2149,6 +2173,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + in the "bleeding edge" mini2440 support kernel at + http://repo.or.cz/w/linux-2.6/mini2440.git + ++ mitigations= ++ [X86] Control optional mitigations for CPU ++ vulnerabilities. This is a set of curated, ++ arch-independent options, each of which is an ++ aggregation of existing arch-specific options. ++ ++ off ++ Disable all optional CPU mitigations. This ++ improves system performance, but it may also ++ expose users to several CPU vulnerabilities. ++ Equivalent to: nopti [X86] ++ nospectre_v2 [X86] ++ spectre_v2_user=off [X86] ++ spec_store_bypass_disable=off [X86] ++ mds=off [X86] ++ ++ auto (default) ++ Mitigate all CPU vulnerabilities, but leave SMT ++ enabled, even if it's vulnerable. This is for ++ users who don't want to be surprised by SMT ++ getting disabled across kernel upgrades, or who ++ have other ways of avoiding SMT-based attacks. ++ Equivalent to: (default behavior) ++ + mminit_loglevel= + [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this + parameter allows control of the logging verbosity for +@@ -2450,7 +2498,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + + nohugeiomap [KNL,x86] Disable kernel huge I/O mappings. + +- nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2 ++ nospectre_v1 [PPC] Disable mitigations for Spectre Variant 1 (bounds ++ check bypass). With this option data leaks are possible ++ in the system. ++ ++ nospectre_v2 [X86,PPC_FSL_BOOK3E] Disable all mitigations for the Spectre variant 2 + (indirect branch prediction) vulnerability. System may + allow data leaks with this option, which is equivalent + to spectre_v2=off. +@@ -3600,9 +3652,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + + spectre_v2= [X86] Control mitigation of Spectre variant 2 + (indirect branch speculation) vulnerability. ++ The default operation protects the kernel from ++ user space attacks. + +- on - unconditionally enable +- off - unconditionally disable ++ on - unconditionally enable, implies ++ spectre_v2_user=on ++ off - unconditionally disable, implies ++ spectre_v2_user=off + auto - kernel detects whether your CPU model is + vulnerable + +@@ -3612,6 +3668,12 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + CONFIG_RETPOLINE configuration option, and the + compiler with which the kernel was built. + ++ Selecting 'on' will also enable the mitigation ++ against user space to user space task attacks. ++ ++ Selecting 'off' will disable both the kernel and ++ the user space protections. ++ + Specific mitigations can also be selected manually: + + retpoline - replace indirect branches +@@ -3621,6 +3683,48 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + Not specifying this option is equivalent to + spectre_v2=auto. + ++ spectre_v2_user= ++ [X86] Control mitigation of Spectre variant 2 ++ (indirect branch speculation) vulnerability between ++ user space tasks ++ ++ on - Unconditionally enable mitigations. Is ++ enforced by spectre_v2=on ++ ++ off - Unconditionally disable mitigations. Is ++ enforced by spectre_v2=off ++ ++ prctl - Indirect branch speculation is enabled, ++ but mitigation can be enabled via prctl ++ per thread. The mitigation control state ++ is inherited on fork. ++ ++ prctl,ibpb ++ - Like "prctl" above, but only STIBP is ++ controlled per thread. IBPB is issued ++ always when switching between different user ++ space processes. ++ ++ seccomp ++ - Same as "prctl" above, but all seccomp ++ threads will enable the mitigation unless ++ they explicitly opt out. ++ ++ seccomp,ibpb ++ - Like "seccomp" above, but only STIBP is ++ controlled per thread. IBPB is issued ++ always when switching between different ++ user space processes. ++ ++ auto - Kernel selects the mitigation depending on ++ the available CPU features and vulnerability. ++ ++ Default mitigation: ++ If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl" ++ ++ Not specifying this option is equivalent to ++ spectre_v2_user=auto. ++ + spec_store_bypass_disable= + [HW] Control Speculative Store Bypass (SSB) Disable mitigation + (Speculative Store Bypass vulnerability) +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index 2fb35658d151..709d24b4b533 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -387,6 +387,7 @@ tcp_min_rtt_wlen - INTEGER + minimum RTT when it is moved to a longer path (e.g., due to traffic + engineering). A longer window makes the filter more resistant to RTT + inflations such as transient congestion. The unit is seconds. ++ Possible values: 0 - 86400 (1 day) + Default: 300 + + tcp_moderate_rcvbuf - BOOLEAN +diff --git a/Documentation/spec_ctrl.txt b/Documentation/spec_ctrl.txt +index 32f3d55c54b7..c4dbe6f7cdae 100644 +--- a/Documentation/spec_ctrl.txt ++++ b/Documentation/spec_ctrl.txt +@@ -92,3 +92,12 @@ Speculation misfeature controls + * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0); + * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); + * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); ++ ++- PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes ++ (Mitigate Spectre V2 style attacks against user processes) ++ ++ Invocations: ++ * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0); ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0); ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0); ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0); +diff --git a/Documentation/usb/power-management.txt b/Documentation/usb/power-management.txt +index 0a94ffe17ab6..b13e031beaa6 100644 +--- a/Documentation/usb/power-management.txt ++++ b/Documentation/usb/power-management.txt +@@ -365,11 +365,15 @@ autosuspend the interface's device. When the usage counter is = 0 + then the interface is considered to be idle, and the kernel may + autosuspend the device. + +-Drivers need not be concerned about balancing changes to the usage +-counter; the USB core will undo any remaining "get"s when a driver +-is unbound from its interface. As a corollary, drivers must not call +-any of the usb_autopm_* functions after their disconnect() routine has +-returned. ++Drivers must be careful to balance their overall changes to the usage ++counter. Unbalanced "get"s will remain in effect when a driver is ++unbound from its interface, preventing the device from going into ++runtime suspend should the interface be bound to a driver again. On ++the other hand, drivers are allowed to achieve this balance by calling ++the ``usb_autopm_*`` functions even after their ``disconnect`` routine ++has returned -- say from within a work-queue routine -- provided they ++retain an active reference to the interface (via ``usb_get_intf`` and ++``usb_put_intf``). + + Drivers using the async routines are responsible for their own + synchronization and mutual exclusion. +diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst +new file mode 100644 +index 000000000000..534e9baa4e1d +--- /dev/null ++++ b/Documentation/x86/mds.rst +@@ -0,0 +1,225 @@ ++Microarchitectural Data Sampling (MDS) mitigation ++================================================= ++ ++.. _mds: ++ ++Overview ++-------- ++ ++Microarchitectural Data Sampling (MDS) is a family of side channel attacks ++on internal buffers in Intel CPUs. The variants are: ++ ++ - Microarchitectural Store Buffer Data Sampling (MSBDS) (CVE-2018-12126) ++ - Microarchitectural Fill Buffer Data Sampling (MFBDS) (CVE-2018-12130) ++ - Microarchitectural Load Port Data Sampling (MLPDS) (CVE-2018-12127) ++ - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (CVE-2019-11091) ++ ++MSBDS leaks Store Buffer Entries which can be speculatively forwarded to a ++dependent load (store-to-load forwarding) as an optimization. The forward ++can also happen to a faulting or assisting load operation for a different ++memory address, which can be exploited under certain conditions. Store ++buffers are partitioned between Hyper-Threads so cross thread forwarding is ++not possible. But if a thread enters or exits a sleep state the store ++buffer is repartitioned which can expose data from one thread to the other. ++ ++MFBDS leaks Fill Buffer Entries. Fill buffers are used internally to manage ++L1 miss situations and to hold data which is returned or sent in response ++to a memory or I/O operation. Fill buffers can forward data to a load ++operation and also write data to the cache. When the fill buffer is ++deallocated it can retain the stale data of the preceding operations which ++can then be forwarded to a faulting or assisting load operation, which can ++be exploited under certain conditions. Fill buffers are shared between ++Hyper-Threads so cross thread leakage is possible. ++ ++MLPDS leaks Load Port Data. Load ports are used to perform load operations ++from memory or I/O. The received data is then forwarded to the register ++file or a subsequent operation. In some implementations the Load Port can ++contain stale data from a previous operation which can be forwarded to ++faulting or assisting loads under certain conditions, which again can be ++exploited eventually. Load ports are shared between Hyper-Threads so cross ++thread leakage is possible. ++ ++MDSUM is a special case of MSBDS, MFBDS and MLPDS. An uncacheable load from ++memory that takes a fault or assist can leave data in a microarchitectural ++structure that may later be observed using one of the same methods used by ++MSBDS, MFBDS or MLPDS. ++ ++Exposure assumptions ++-------------------- ++ ++It is assumed that attack code resides in user space or in a guest with one ++exception. The rationale behind this assumption is that the code construct ++needed for exploiting MDS requires: ++ ++ - to control the load to trigger a fault or assist ++ ++ - to have a disclosure gadget which exposes the speculatively accessed ++ data for consumption through a side channel. ++ ++ - to control the pointer through which the disclosure gadget exposes the ++ data ++ ++The existence of such a construct in the kernel cannot be excluded with ++100% certainty, but the complexity involved makes it extremly unlikely. ++ ++There is one exception, which is untrusted BPF. The functionality of ++untrusted BPF is limited, but it needs to be thoroughly investigated ++whether it can be used to create such a construct. ++ ++ ++Mitigation strategy ++------------------- ++ ++All variants have the same mitigation strategy at least for the single CPU ++thread case (SMT off): Force the CPU to clear the affected buffers. ++ ++This is achieved by using the otherwise unused and obsolete VERW ++instruction in combination with a microcode update. The microcode clears ++the affected CPU buffers when the VERW instruction is executed. ++ ++For virtualization there are two ways to achieve CPU buffer ++clearing. Either the modified VERW instruction or via the L1D Flush ++command. The latter is issued when L1TF mitigation is enabled so the extra ++VERW can be avoided. If the CPU is not affected by L1TF then VERW needs to ++be issued. ++ ++If the VERW instruction with the supplied segment selector argument is ++executed on a CPU without the microcode update there is no side effect ++other than a small number of pointlessly wasted CPU cycles. ++ ++This does not protect against cross Hyper-Thread attacks except for MSBDS ++which is only exploitable cross Hyper-thread when one of the Hyper-Threads ++enters a C-state. ++ ++The kernel provides a function to invoke the buffer clearing: ++ ++ mds_clear_cpu_buffers() ++ ++The mitigation is invoked on kernel/userspace, hypervisor/guest and C-state ++(idle) transitions. ++ ++As a special quirk to address virtualization scenarios where the host has ++the microcode updated, but the hypervisor does not (yet) expose the ++MD_CLEAR CPUID bit to guests, the kernel issues the VERW instruction in the ++hope that it might actually clear the buffers. The state is reflected ++accordingly. ++ ++According to current knowledge additional mitigations inside the kernel ++itself are not required because the necessary gadgets to expose the leaked ++data cannot be controlled in a way which allows exploitation from malicious ++user space or VM guests. ++ ++Kernel internal mitigation modes ++-------------------------------- ++ ++ ======= ============================================================ ++ off Mitigation is disabled. Either the CPU is not affected or ++ mds=off is supplied on the kernel command line ++ ++ full Mitigation is enabled. CPU is affected and MD_CLEAR is ++ advertised in CPUID. ++ ++ vmwerv Mitigation is enabled. CPU is affected and MD_CLEAR is not ++ advertised in CPUID. That is mainly for virtualization ++ scenarios where the host has the updated microcode but the ++ hypervisor does not expose MD_CLEAR in CPUID. It's a best ++ effort approach without guarantee. ++ ======= ============================================================ ++ ++If the CPU is affected and mds=off is not supplied on the kernel command ++line then the kernel selects the appropriate mitigation mode depending on ++the availability of the MD_CLEAR CPUID bit. ++ ++Mitigation points ++----------------- ++ ++1. Return to user space ++^^^^^^^^^^^^^^^^^^^^^^^ ++ ++ When transitioning from kernel to user space the CPU buffers are flushed ++ on affected CPUs when the mitigation is not disabled on the kernel ++ command line. The migitation is enabled through the static key ++ mds_user_clear. ++ ++ The mitigation is invoked in prepare_exit_to_usermode() which covers ++ most of the kernel to user space transitions. There are a few exceptions ++ which are not invoking prepare_exit_to_usermode() on return to user ++ space. These exceptions use the paranoid exit code. ++ ++ - Non Maskable Interrupt (NMI): ++ ++ Access to sensible data like keys, credentials in the NMI context is ++ mostly theoretical: The CPU can do prefetching or execute a ++ misspeculated code path and thereby fetching data which might end up ++ leaking through a buffer. ++ ++ But for mounting other attacks the kernel stack address of the task is ++ already valuable information. So in full mitigation mode, the NMI is ++ mitigated on the return from do_nmi() to provide almost complete ++ coverage. ++ ++ - Double fault (#DF): ++ ++ A double fault is usually fatal, but the ESPFIX workaround, which can ++ be triggered from user space through modify_ldt(2) is a recoverable ++ double fault. #DF uses the paranoid exit path, so explicit mitigation ++ in the double fault handler is required. ++ ++ - Machine Check Exception (#MC): ++ ++ Another corner case is a #MC which hits between the CPU buffer clear ++ invocation and the actual return to user. As this still is in kernel ++ space it takes the paranoid exit path which does not clear the CPU ++ buffers. So the #MC handler repopulates the buffers to some ++ extent. Machine checks are not reliably controllable and the window is ++ extremly small so mitigation would just tick a checkbox that this ++ theoretical corner case is covered. To keep the amount of special ++ cases small, ignore #MC. ++ ++ - Debug Exception (#DB): ++ ++ This takes the paranoid exit path only when the INT1 breakpoint is in ++ kernel space. #DB on a user space address takes the regular exit path, ++ so no extra mitigation required. ++ ++ ++2. C-State transition ++^^^^^^^^^^^^^^^^^^^^^ ++ ++ When a CPU goes idle and enters a C-State the CPU buffers need to be ++ cleared on affected CPUs when SMT is active. This addresses the ++ repartitioning of the store buffer when one of the Hyper-Threads enters ++ a C-State. ++ ++ When SMT is inactive, i.e. either the CPU does not support it or all ++ sibling threads are offline CPU buffer clearing is not required. ++ ++ The idle clearing is enabled on CPUs which are only affected by MSBDS ++ and not by any other MDS variant. The other MDS variants cannot be ++ protected against cross Hyper-Thread attacks because the Fill Buffer and ++ the Load Ports are shared. So on CPUs affected by other variants, the ++ idle clearing would be a window dressing exercise and is therefore not ++ activated. ++ ++ The invocation is controlled by the static key mds_idle_clear which is ++ switched depending on the chosen mitigation mode and the SMT state of ++ the system. ++ ++ The buffer clear is only invoked before entering the C-State to prevent ++ that stale data from the idling CPU from spilling to the Hyper-Thread ++ sibling after the store buffer got repartitioned and all entries are ++ available to the non idle sibling. ++ ++ When coming out of idle the store buffer is partitioned again so each ++ sibling has half of it available. The back from idle CPU could be then ++ speculatively exposed to contents of the sibling. The buffers are ++ flushed either on exit to user space or on VMENTER so malicious code ++ in user space or the guest cannot speculatively access them. ++ ++ The mitigation is hooked into all variants of halt()/mwait(), but does ++ not cover the legacy ACPI IO-Port mechanism because the ACPI idle driver ++ has been superseded by the intel_idle driver around 2010 and is ++ preferred on all affected CPUs which are expected to gain the MD_CLEAR ++ functionality in microcode. Aside of that the IO-Port mechanism is a ++ legacy interface which is only used on older systems which are either ++ not affected or do not receive microcode updates anymore. +diff --git a/Makefile b/Makefile +index ee0a50b871b9..6023a9dbad59 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 179 ++SUBLEVEL = 180 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi +index d6d98d426384..cae04e806036 100644 +--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi +@@ -90,6 +90,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; ++ phy-reset-duration = <10>; /* in msecs */ + phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>; + phy-supply = <&vdd_eth_io_reg>; + status = "disabled"; +diff --git a/arch/arm/mach-iop13xx/setup.c b/arch/arm/mach-iop13xx/setup.c +index 53c316f7301e..fe4932fda01d 100644 +--- a/arch/arm/mach-iop13xx/setup.c ++++ b/arch/arm/mach-iop13xx/setup.c +@@ -300,7 +300,7 @@ static struct resource iop13xx_adma_2_resources[] = { + } + }; + +-static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(64); ++static u64 iop13xx_adma_dmamask = DMA_BIT_MASK(32); + static struct iop_adma_platform_data iop13xx_adma_0_data = { + .hw_id = 0, + .pool_size = PAGE_SIZE, +@@ -324,7 +324,7 @@ static struct platform_device iop13xx_adma_0_channel = { + .resource = iop13xx_adma_0_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_0_data, + }, + }; +@@ -336,7 +336,7 @@ static struct platform_device iop13xx_adma_1_channel = { + .resource = iop13xx_adma_1_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_1_data, + }, + }; +@@ -348,7 +348,7 @@ static struct platform_device iop13xx_adma_2_channel = { + .resource = iop13xx_adma_2_resources, + .dev = { + .dma_mask = &iop13xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop13xx_adma_2_data, + }, + }; +diff --git a/arch/arm/mach-iop13xx/tpmi.c b/arch/arm/mach-iop13xx/tpmi.c +index db511ec2b1df..116feb6b261e 100644 +--- a/arch/arm/mach-iop13xx/tpmi.c ++++ b/arch/arm/mach-iop13xx/tpmi.c +@@ -152,7 +152,7 @@ static struct resource iop13xx_tpmi_3_resources[] = { + } + }; + +-u64 iop13xx_tpmi_mask = DMA_BIT_MASK(64); ++u64 iop13xx_tpmi_mask = DMA_BIT_MASK(32); + static struct platform_device iop13xx_tpmi_0_device = { + .name = "iop-tpmi", + .id = 0, +@@ -160,7 +160,7 @@ static struct platform_device iop13xx_tpmi_0_device = { + .resource = iop13xx_tpmi_0_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -171,7 +171,7 @@ static struct platform_device iop13xx_tpmi_1_device = { + .resource = iop13xx_tpmi_1_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -182,7 +182,7 @@ static struct platform_device iop13xx_tpmi_2_device = { + .resource = iop13xx_tpmi_2_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +@@ -193,7 +193,7 @@ static struct platform_device iop13xx_tpmi_3_device = { + .resource = iop13xx_tpmi_3_resources, + .dev = { + .dma_mask = &iop13xx_tpmi_mask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + }, + }; + +diff --git a/arch/arm/plat-iop/adma.c b/arch/arm/plat-iop/adma.c +index a4d1f8de3b5b..d9612221e484 100644 +--- a/arch/arm/plat-iop/adma.c ++++ b/arch/arm/plat-iop/adma.c +@@ -143,7 +143,7 @@ struct platform_device iop3xx_dma_0_channel = { + .resource = iop3xx_dma_0_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_0_data, + }, + }; +@@ -155,7 +155,7 @@ struct platform_device iop3xx_dma_1_channel = { + .resource = iop3xx_dma_1_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_dma_1_data, + }, + }; +@@ -167,7 +167,7 @@ struct platform_device iop3xx_aau_channel = { + .resource = iop3xx_aau_resources, + .dev = { + .dma_mask = &iop3xx_adma_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = (void *) &iop3xx_aau_data, + }, + }; +diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c +index 8861c367d061..51c3737ddba7 100644 +--- a/arch/arm/plat-orion/common.c ++++ b/arch/arm/plat-orion/common.c +@@ -645,7 +645,7 @@ static struct platform_device orion_xor0_shared = { + .resource = orion_xor0_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor0_pdata, + }, + }; +@@ -706,7 +706,7 @@ static struct platform_device orion_xor1_shared = { + .resource = orion_xor1_shared_resources, + .dev = { + .dma_mask = &orion_xor_dmamask, +- .coherent_dma_mask = DMA_BIT_MASK(64), ++ .coherent_dma_mask = DMA_BIT_MASK(32), + .platform_data = &orion_xor1_pdata, + }, + }; +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S +index 87c697181d25..4faff3e77b25 100644 +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -126,7 +126,7 @@ trace_a_syscall: + subu t1, v0, __NR_O32_Linux + move a1, v0 + bnez t1, 1f /* __NR_syscall at offset 0 */ +- lw a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ ++ ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ + .set pop + + 1: jal syscall_trace_enter +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 4598d087dec2..4d1262cf630c 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -893,13 +893,7 @@ config NR_CPUS + approximately eight kilobytes to the kernel image. + + config SCHED_SMT +- bool "SMT (Hyperthreading) scheduler support" +- depends on SMP +- ---help--- +- SMT scheduler support improves the CPU scheduler's decision making +- when dealing with Intel Pentium 4 chips with HyperThreading at a +- cost of slightly increased overhead in some places. If unsure say +- N here. ++ def_bool y if SMP + + config SCHED_MC + def_bool y +diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c +index 071582a3b5c0..57be07f27f37 100644 +--- a/arch/x86/entry/common.c ++++ b/arch/x86/entry/common.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #define CREATE_TRACE_POINTS + #include +@@ -295,6 +296,8 @@ __visible inline void prepare_exit_to_usermode(struct pt_regs *regs) + #endif + + user_enter(); ++ ++ mds_user_clear_cpu_buffers(); + } + + #define SYSCALL_EXIT_WORK_FLAGS \ +diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c +index 0ad96c647541..7017a81d53cf 100644 +--- a/drivers/ata/libata-zpodd.c ++++ b/drivers/ata/libata-zpodd.c +@@ -51,38 +51,52 @@ static int eject_tray(struct ata_device *dev) + /* Per the spec, only slot type and drawer type ODD can be supported */ + static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev) + { +- char buf[16]; ++ char *buf; + unsigned int ret; +- struct rm_feature_desc *desc = (void *)(buf + 8); ++ struct rm_feature_desc *desc; + struct ata_taskfile tf; + static const char cdb[] = { GPCMD_GET_CONFIGURATION, + 2, /* only 1 feature descriptor requested */ + 0, 3, /* 3, removable medium feature */ + 0, 0, 0,/* reserved */ +- 0, sizeof(buf), ++ 0, 16, + 0, 0, 0, + }; + ++ buf = kzalloc(16, GFP_KERNEL); ++ if (!buf) ++ return ODD_MECH_TYPE_UNSUPPORTED; ++ desc = (void *)(buf + 8); ++ + ata_tf_init(dev, &tf); + tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE; + tf.command = ATA_CMD_PACKET; + tf.protocol = ATAPI_PROT_PIO; +- tf.lbam = sizeof(buf); ++ tf.lbam = 16; + + ret = ata_exec_internal(dev, &tf, cdb, DMA_FROM_DEVICE, +- buf, sizeof(buf), 0); +- if (ret) ++ buf, 16, 0); ++ if (ret) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (be16_to_cpu(desc->feature_code) != 3) ++ if (be16_to_cpu(desc->feature_code) != 3) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) ++ if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_SLOT; +- else if (desc->mech_type == 1 && desc->load == 0 && desc->eject == 1) ++ } else if (desc->mech_type == 1 && desc->load == 0 && ++ desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_DRAWER; +- else ++ } else { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + } + + /* Test if ODD is zero power ready by sense code */ +diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c +index 41090ef5facb..3934aaf9d157 100644 +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -530,11 +530,18 @@ ssize_t __weak cpu_show_l1tf(struct device *dev, + return sprintf(buf, "Not affected\n"); + } + ++ssize_t __weak cpu_show_mds(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Not affected\n"); ++} ++ + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); + static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); + static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); + static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL); + static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL); ++static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL); + + static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_meltdown.attr, +@@ -542,6 +549,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_spectre_v2.attr, + &dev_attr_spec_store_bypass.attr, + &dev_attr_l1tf.attr, ++ &dev_attr_mds.attr, + NULL + }; + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index ae361ee90587..da3902ac16c8 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -82,7 +82,6 @@ + + static DEFINE_IDR(loop_index_idr); + static DEFINE_MUTEX(loop_index_mutex); +-static DEFINE_MUTEX(loop_ctl_mutex); + + static int max_part; + static int part_shift; +@@ -1045,7 +1044,7 @@ static int loop_clr_fd(struct loop_device *lo) + */ + if (atomic_read(&lo->lo_refcnt) > 1) { + lo->lo_flags |= LO_FLAGS_AUTOCLEAR; +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + return 0; + } + +@@ -1094,12 +1093,12 @@ static int loop_clr_fd(struct loop_device *lo) + if (!part_shift) + lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN; + loop_unprepare_queue(lo); +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + /* +- * Need not hold loop_ctl_mutex to fput backing file. +- * Calling fput holding loop_ctl_mutex triggers a circular ++ * Need not hold lo_ctl_mutex to fput backing file. ++ * Calling fput holding lo_ctl_mutex triggers a circular + * lock dependency possibility warning as fput can take +- * bd_mutex which is usually taken before loop_ctl_mutex. ++ * bd_mutex which is usually taken before lo_ctl_mutex. + */ + fput(filp); + return 0; +@@ -1362,7 +1361,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + struct loop_device *lo = bdev->bd_disk->private_data; + int err; + +- mutex_lock_nested(&loop_ctl_mutex, 1); ++ mutex_lock_nested(&lo->lo_ctl_mutex, 1); + switch (cmd) { + case LOOP_SET_FD: + err = loop_set_fd(lo, mode, bdev, arg); +@@ -1371,7 +1370,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + err = loop_change_fd(lo, bdev, arg); + break; + case LOOP_CLR_FD: +- /* loop_clr_fd would have unlocked loop_ctl_mutex on success */ ++ /* loop_clr_fd would have unlocked lo_ctl_mutex on success */ + err = loop_clr_fd(lo); + if (!err) + goto out_unlocked; +@@ -1407,7 +1406,7 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode, + default: + err = lo->ioctl ? lo->ioctl(lo, cmd, arg) : -EINVAL; + } +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + + out_unlocked: + return err; +@@ -1540,16 +1539,16 @@ static int lo_compat_ioctl(struct block_device *bdev, fmode_t mode, + + switch(cmd) { + case LOOP_SET_STATUS: +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + err = loop_set_status_compat( + lo, (const struct compat_loop_info __user *) arg); +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + break; + case LOOP_GET_STATUS: +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + err = loop_get_status_compat( + lo, (struct compat_loop_info __user *) arg); +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + break; + case LOOP_SET_CAPACITY: + case LOOP_CLR_FD: +@@ -1593,7 +1592,7 @@ static void __lo_release(struct loop_device *lo) + if (atomic_dec_return(&lo->lo_refcnt)) + return; + +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) { + /* + * In autoclear mode, stop the loop thread +@@ -1610,7 +1609,7 @@ static void __lo_release(struct loop_device *lo) + loop_flush(lo); + } + +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + } + + static void lo_release(struct gendisk *disk, fmode_t mode) +@@ -1656,10 +1655,10 @@ static int unregister_transfer_cb(int id, void *ptr, void *data) + struct loop_device *lo = ptr; + struct loop_func_table *xfer = data; + +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + if (lo->lo_encryption == xfer) + loop_release_xfer(lo); +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + return 0; + } + +@@ -1821,6 +1820,7 @@ static int loop_add(struct loop_device **l, int i) + if (!part_shift) + disk->flags |= GENHD_FL_NO_PART_SCAN; + disk->flags |= GENHD_FL_EXT_DEVT; ++ mutex_init(&lo->lo_ctl_mutex); + atomic_set(&lo->lo_refcnt, 0); + lo->lo_number = i; + spin_lock_init(&lo->lo_lock); +@@ -1933,19 +1933,19 @@ static long loop_control_ioctl(struct file *file, unsigned int cmd, + ret = loop_lookup(&lo, parm); + if (ret < 0) + break; +- mutex_lock(&loop_ctl_mutex); ++ mutex_lock(&lo->lo_ctl_mutex); + if (lo->lo_state != Lo_unbound) { + ret = -EBUSY; +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + break; + } + if (atomic_read(&lo->lo_refcnt) > 0) { + ret = -EBUSY; +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + break; + } + lo->lo_disk->private_data = NULL; +- mutex_unlock(&loop_ctl_mutex); ++ mutex_unlock(&lo->lo_ctl_mutex); + idr_remove(&loop_index_idr, lo->lo_number); + loop_remove(lo); + break; +diff --git a/drivers/block/loop.h b/drivers/block/loop.h +index a923e74495ce..60f0fd2c0c65 100644 +--- a/drivers/block/loop.h ++++ b/drivers/block/loop.h +@@ -55,6 +55,7 @@ struct loop_device { + + spinlock_t lo_lock; + int lo_state; ++ struct mutex lo_ctl_mutex; + struct kthread_worker worker; + struct task_struct *worker_task; + bool use_dio; +diff --git a/drivers/block/xsysace.c b/drivers/block/xsysace.c +index c4328d9d9981..f838119d12b2 100644 +--- a/drivers/block/xsysace.c ++++ b/drivers/block/xsysace.c +@@ -1062,6 +1062,8 @@ static int ace_setup(struct ace_device *ace) + return 0; + + err_read: ++ /* prevent double queue cleanup */ ++ ace->gd->queue = NULL; + put_disk(ace->gd); + err_alloc_disk: + blk_cleanup_queue(ace->queue); +diff --git a/drivers/gpu/ipu-v3/ipu-dp.c b/drivers/gpu/ipu-v3/ipu-dp.c +index 98686edbcdbb..33de3a1bac49 100644 +--- a/drivers/gpu/ipu-v3/ipu-dp.c ++++ b/drivers/gpu/ipu-v3/ipu-dp.c +@@ -195,7 +195,8 @@ int ipu_dp_setup_channel(struct ipu_dp *dp, + ipu_dp_csc_init(flow, flow->foreground.in_cs, flow->out_cs, + DP_COM_CONF_CSC_DEF_BOTH); + } else { +- if (flow->foreground.in_cs == flow->out_cs) ++ if (flow->foreground.in_cs == IPUV3_COLORSPACE_UNKNOWN || ++ flow->foreground.in_cs == flow->out_cs) + /* + * foreground identical to output, apply color + * conversion on background +@@ -261,6 +262,8 @@ void ipu_dp_disable_channel(struct ipu_dp *dp) + struct ipu_dp_priv *priv = flow->priv; + u32 reg, csc; + ++ dp->in_cs = IPUV3_COLORSPACE_UNKNOWN; ++ + if (!dp->foreground) + return; + +@@ -268,8 +271,9 @@ void ipu_dp_disable_channel(struct ipu_dp *dp) + + reg = readl(flow->base + DP_COM_CONF); + csc = reg & DP_COM_CONF_CSC_DEF_MASK; +- if (csc == DP_COM_CONF_CSC_DEF_FG) +- reg &= ~DP_COM_CONF_CSC_DEF_MASK; ++ reg &= ~DP_COM_CONF_CSC_DEF_MASK; ++ if (csc == DP_COM_CONF_CSC_DEF_BOTH || csc == DP_COM_CONF_CSC_DEF_BG) ++ reg |= DP_COM_CONF_CSC_DEF_BG; + + reg &= ~DP_COM_CONF_FG_EN; + writel(reg, flow->base + DP_COM_CONF); +@@ -350,6 +354,8 @@ int ipu_dp_init(struct ipu_soc *ipu, struct device *dev, unsigned long base) + mutex_init(&priv->mutex); + + for (i = 0; i < IPUV3_NUM_FLOWS; i++) { ++ priv->flow[i].background.in_cs = IPUV3_COLORSPACE_UNKNOWN; ++ priv->flow[i].foreground.in_cs = IPUV3_COLORSPACE_UNKNOWN; + priv->flow[i].foreground.foreground = true; + priv->flow[i].base = priv->base + ipu_dp_flow_base[i]; + priv->flow[i].priv = priv; +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index d7179dd3c9ef..3cafa1d28fed 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1058,10 +1058,15 @@ static int hid_debug_rdesc_show(struct seq_file *f, void *p) + seq_printf(f, "\n\n"); + + /* dump parsed data and input mappings */ ++ if (down_interruptible(&hdev->driver_input_lock)) ++ return 0; ++ + hid_dump_device(hdev, f); + seq_printf(f, "\n"); + hid_dump_input_mapping(hdev, f); + ++ up(&hdev->driver_input_lock); ++ + return 0; + } + +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 8d74e691ac90..ee3c66c02043 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -783,6 +783,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x074: map_key_clear(KEY_BRIGHTNESS_MAX); break; + case 0x075: map_key_clear(KEY_BRIGHTNESS_AUTO); break; + ++ case 0x079: map_key_clear(KEY_KBDILLUMUP); break; ++ case 0x07a: map_key_clear(KEY_KBDILLUMDOWN); break; ++ case 0x07c: map_key_clear(KEY_KBDILLUMTOGGLE); break; ++ + case 0x082: map_key_clear(KEY_VIDEO_NEXT); break; + case 0x083: map_key_clear(KEY_LAST); break; + case 0x084: map_key_clear(KEY_ENTER); break; +@@ -913,6 +917,8 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + case 0x2cb: map_key_clear(KEY_KBDINPUTASSIST_ACCEPT); break; + case 0x2cc: map_key_clear(KEY_KBDINPUTASSIST_CANCEL); break; + ++ case 0x29f: map_key_clear(KEY_SCALE); break; ++ + default: map_key_clear(KEY_UNKNOWN); + } + break; +diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c +index eb43943cdf07..189eb6269971 100644 +--- a/drivers/hwtracing/intel_th/gth.c ++++ b/drivers/hwtracing/intel_th/gth.c +@@ -597,7 +597,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev, + othdev->output.port = -1; + othdev->output.active = false; + gth->output[port].output = NULL; +- for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++) ++ for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++) + if (gth->master[master] == port) + gth->master[master] = -1; + spin_unlock(>h->gth_lock); +diff --git a/drivers/iio/adc/xilinx-xadc-core.c b/drivers/iio/adc/xilinx-xadc-core.c +index 475c5a74f2d1..6398e86a272b 100644 +--- a/drivers/iio/adc/xilinx-xadc-core.c ++++ b/drivers/iio/adc/xilinx-xadc-core.c +@@ -1299,7 +1299,7 @@ static int xadc_remove(struct platform_device *pdev) + } + free_irq(irq, indio_dev); + clk_disable_unprepare(xadc->clk); +- cancel_delayed_work(&xadc->zynq_unmask_work); ++ cancel_delayed_work_sync(&xadc->zynq_unmask_work); + kfree(xadc->data); + kfree(indio_dev->channels); + +diff --git a/drivers/input/keyboard/snvs_pwrkey.c b/drivers/input/keyboard/snvs_pwrkey.c +index 9adf13a5864a..57143365e945 100644 +--- a/drivers/input/keyboard/snvs_pwrkey.c ++++ b/drivers/input/keyboard/snvs_pwrkey.c +@@ -156,6 +156,9 @@ static int imx_snvs_pwrkey_probe(struct platform_device *pdev) + return error; + } + ++ pdata->input = input; ++ platform_set_drvdata(pdev, pdata); ++ + error = devm_request_irq(&pdev->dev, pdata->irq, + imx_snvs_pwrkey_interrupt, + 0, pdev->name, pdev); +@@ -172,9 +175,6 @@ static int imx_snvs_pwrkey_probe(struct platform_device *pdev) + return error; + } + +- pdata->input = input; +- platform_set_drvdata(pdev, pdata); +- + device_init_wakeup(&pdev->dev, pdata->wakeup); + + return 0; +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c +index 94f1bf772ec9..db85cc5791dc 100644 +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -295,7 +295,7 @@ static void iommu_write_l2(struct amd_iommu *iommu, u8 address, u32 val) + static void iommu_set_exclusion_range(struct amd_iommu *iommu) + { + u64 start = iommu->exclusion_start & PAGE_MASK; +- u64 limit = (start + iommu->exclusion_length) & PAGE_MASK; ++ u64 limit = (start + iommu->exclusion_length - 1) & PAGE_MASK; + u64 entry; + + if (!iommu->exclusion_start) +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 5e65dc6def7e..17517889d46b 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -3897,26 +3897,15 @@ static void handle_parity_checks6(struct r5conf *conf, struct stripe_head *sh, + case check_state_check_result: + sh->check_state = check_state_idle; + ++ if (s->failed > 1) ++ break; + /* handle a successful check operation, if parity is correct + * we are done. Otherwise update the mismatch count and repair + * parity if !MD_RECOVERY_CHECK + */ + if (sh->ops.zero_sum_result == 0) { +- /* both parities are correct */ +- if (!s->failed) +- set_bit(STRIPE_INSYNC, &sh->state); +- else { +- /* in contrast to the raid5 case we can validate +- * parity, but still have a failure to write +- * back +- */ +- sh->check_state = check_state_compute_result; +- /* Returning at this point means that we may go +- * off and bring p and/or q uptodate again so +- * we make sure to check zero_sum_result again +- * to verify if p or q need writeback +- */ +- } ++ /* Any parity checked was correct */ ++ set_bit(STRIPE_INSYNC, &sh->state); + } else { + atomic64_add(STRIPE_SECTORS, &conf->mddev->resync_mismatches); + if (test_bit(MD_RECOVERY_CHECK, &conf->mddev->recovery)) +diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c +index e1b5dc84c14e..24a0c21a3d8d 100644 +--- a/drivers/media/i2c/ov7670.c ++++ b/drivers/media/i2c/ov7670.c +@@ -155,10 +155,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-1)"); + #define REG_GFIX 0x69 /* Fix gain control */ + + #define REG_DBLV 0x6b /* PLL control an debugging */ +-#define DBLV_BYPASS 0x00 /* Bypass PLL */ +-#define DBLV_X4 0x01 /* clock x4 */ +-#define DBLV_X6 0x10 /* clock x6 */ +-#define DBLV_X8 0x11 /* clock x8 */ ++#define DBLV_BYPASS 0x0a /* Bypass PLL */ ++#define DBLV_X4 0x4a /* clock x4 */ ++#define DBLV_X6 0x8a /* clock x6 */ ++#define DBLV_X8 0xca /* clock x8 */ + + #define REG_REG76 0x76 /* OV's name */ + #define R76_BLKPCOR 0x80 /* Black pixel correction enable */ +@@ -833,7 +833,7 @@ static int ov7675_set_framerate(struct v4l2_subdev *sd, + if (ret < 0) + return ret; + +- return ov7670_write(sd, REG_DBLV, DBLV_X4); ++ return 0; + } + + static void ov7670_get_framerate_legacy(struct v4l2_subdev *sd, +@@ -1578,11 +1578,7 @@ static int ov7670_probe(struct i2c_client *client, + if (config->clock_speed) + info->clock_speed = config->clock_speed; + +- /* +- * It should be allowed for ov7670 too when it is migrated to +- * the new frame rate formula. +- */ +- if (config->pll_bypass && id->driver_data != MODEL_OV7670) ++ if (config->pll_bypass) + info->pll_bypass = true; + + if (config->pclk_hb_disable) +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index 66560a8fcfa2..1022e80aaf97 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -1066,13 +1066,6 @@ static int bond_option_arp_validate_set(struct bonding *bond, + { + netdev_info(bond->dev, "Setting arp_validate to %s (%llu)\n", + newval->string, newval->value); +- +- if (bond->dev->flags & IFF_UP) { +- if (!newval->value) +- bond->recv_probe = NULL; +- else if (bond->params.arp_interval) +- bond->recv_probe = bond_arp_rcv; +- } + bond->params.arp_validate = newval->value; + + return 0; +diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c +index 7d16c51e6913..641a532b67cb 100644 +--- a/drivers/net/bonding/bond_sysfs_slave.c ++++ b/drivers/net/bonding/bond_sysfs_slave.c +@@ -55,7 +55,9 @@ static SLAVE_ATTR_RO(link_failure_count); + + static ssize_t perm_hwaddr_show(struct slave *slave, char *buf) + { +- return sprintf(buf, "%pM\n", slave->perm_hwaddr); ++ return sprintf(buf, "%*phC\n", ++ slave->dev->addr_len, ++ slave->perm_hwaddr); + } + static SLAVE_ATTR_RO(perm_hwaddr); + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 00bd7be85679..d9ab970dcbe9 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -4957,8 +4957,15 @@ static int bnxt_cfg_rx_mode(struct bnxt *bp) + + skip_uc: + rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0); ++ if (rc && vnic->mc_list_count) { ++ netdev_info(bp->dev, "Failed setting MC filters rc: %d, turning on ALL_MCAST mode\n", ++ rc); ++ vnic->rx_mask |= CFA_L2_SET_RX_MASK_REQ_MASK_ALL_MCAST; ++ vnic->mc_list_count = 0; ++ rc = bnxt_hwrm_cfa_l2_set_rx_mask(bp, 0); ++ } + if (rc) +- netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %x\n", ++ netdev_err(bp->dev, "HWRM cfa l2 rx mask failure rc: %d\n", + rc); + + return rc; +diff --git a/drivers/net/ethernet/freescale/ucc_geth_ethtool.c b/drivers/net/ethernet/freescale/ucc_geth_ethtool.c +index 89714f5e0dfc..c8b9a73d6b1b 100644 +--- a/drivers/net/ethernet/freescale/ucc_geth_ethtool.c ++++ b/drivers/net/ethernet/freescale/ucc_geth_ethtool.c +@@ -253,14 +253,12 @@ uec_set_ringparam(struct net_device *netdev, + return -EINVAL; + } + ++ if (netif_running(netdev)) ++ return -EBUSY; ++ + ug_info->bdRingLenRx[queue] = ring->rx_pending; + ug_info->bdRingLenTx[queue] = ring->tx_pending; + +- if (netif_running(netdev)) { +- /* FIXME: restart automatically */ +- netdev_info(netdev, "Please re-open the interface\n"); +- } +- + return ret; + } + +diff --git a/drivers/net/ethernet/hisilicon/hns/hnae.c b/drivers/net/ethernet/hisilicon/hns/hnae.c +index b3645297477e..3ce41efe8a94 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hnae.c ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.c +@@ -144,7 +144,6 @@ out_buffer_fail: + /* free desc along with its attached buffer */ + static void hnae_free_desc(struct hnae_ring *ring) + { +- hnae_free_buffers(ring); + dma_unmap_single(ring_to_dev(ring), ring->desc_dma_addr, + ring->desc_num * sizeof(ring->desc[0]), + ring_to_dma_dir(ring)); +@@ -177,6 +176,9 @@ static int hnae_alloc_desc(struct hnae_ring *ring) + /* fini ring, also free the buffer for the ring */ + static void hnae_fini_ring(struct hnae_ring *ring) + { ++ if (is_rx_ring(ring)) ++ hnae_free_buffers(ring); ++ + hnae_free_desc(ring); + kfree(ring->desc_cb); + ring->desc_cb = NULL; +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index 2fa54b0b0679..6d649e7b45a9 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -28,9 +28,6 @@ + + #define SERVICE_TIMER_HZ (1 * HZ) + +-#define NIC_TX_CLEAN_MAX_NUM 256 +-#define NIC_RX_CLEAN_MAX_NUM 64 +- + #define RCB_IRQ_NOT_INITED 0 + #define RCB_IRQ_INITED 1 + +@@ -1408,7 +1405,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv) + rd->fini_process = hns_nic_tx_fini_pro; + + netif_napi_add(priv->netdev, &rd->napi, +- hns_nic_common_poll, NIC_TX_CLEAN_MAX_NUM); ++ hns_nic_common_poll, NAPI_POLL_WEIGHT); + rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED; + } + for (i = h->q_num; i < h->q_num * 2; i++) { +@@ -1420,7 +1417,7 @@ static int hns_nic_init_ring_data(struct hns_nic_priv *priv) + rd->fini_process = hns_nic_rx_fini_pro; + + netif_napi_add(priv->netdev, &rd->napi, +- hns_nic_common_poll, NIC_RX_CLEAN_MAX_NUM); ++ hns_nic_common_poll, NAPI_POLL_WEIGHT); + rd->ring->irq_init_flag = RCB_IRQ_NOT_INITED; + } + +diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c +index 2a0dc127df3f..1a56de06b014 100644 +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -3183,6 +3183,7 @@ static ssize_t ehea_probe_port(struct device *dev, + + if (ehea_add_adapter_mr(adapter)) { + pr_err("creating MR failed\n"); ++ of_node_put(eth_dn); + return -EIO; + } + +diff --git a/drivers/net/ethernet/intel/igb/e1000_defines.h b/drivers/net/ethernet/intel/igb/e1000_defines.h +index b1915043bc0c..7b9fb71137da 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_defines.h ++++ b/drivers/net/ethernet/intel/igb/e1000_defines.h +@@ -193,6 +193,8 @@ + /* enable link status from external LINK_0 and LINK_1 pins */ + #define E1000_CTRL_SWDPIN0 0x00040000 /* SWDPIN 0 value */ + #define E1000_CTRL_SWDPIN1 0x00080000 /* SWDPIN 1 value */ ++#define E1000_CTRL_ADVD3WUC 0x00100000 /* D3 WUC */ ++#define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 /* PHY PM enable */ + #define E1000_CTRL_SDP0_DIR 0x00400000 /* SDP0 Data direction */ + #define E1000_CTRL_SDP1_DIR 0x00800000 /* SDP1 Data direction */ + #define E1000_CTRL_RST 0x04000000 /* Global reset */ +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index c1796aa2dde5..70ed5e5c3514 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -7325,9 +7325,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + struct e1000_hw *hw = &adapter->hw; + u32 ctrl, rctl, status; + u32 wufc = runtime ? E1000_WUFC_LNKC : adapter->wol; +-#ifdef CONFIG_PM +- int retval = 0; +-#endif ++ bool wake; + + rtnl_lock(); + netif_device_detach(netdev); +@@ -7338,14 +7336,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + igb_clear_interrupt_scheme(adapter); + rtnl_unlock(); + +-#ifdef CONFIG_PM +- if (!runtime) { +- retval = pci_save_state(pdev); +- if (retval) +- return retval; +- } +-#endif +- + status = rd32(E1000_STATUS); + if (status & E1000_STATUS_LU) + wufc &= ~E1000_WUFC_LNKC; +@@ -7362,10 +7352,6 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + } + + ctrl = rd32(E1000_CTRL); +- /* advertise wake from D3Cold */ +- #define E1000_CTRL_ADVD3WUC 0x00100000 +- /* phy power management enable */ +- #define E1000_CTRL_EN_PHY_PWR_MGMT 0x00200000 + ctrl |= E1000_CTRL_ADVD3WUC; + wr32(E1000_CTRL, ctrl); + +@@ -7379,12 +7365,15 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + wr32(E1000_WUFC, 0); + } + +- *enable_wake = wufc || adapter->en_mng_pt; +- if (!*enable_wake) ++ wake = wufc || adapter->en_mng_pt; ++ if (!wake) + igb_power_down_link(adapter); + else + igb_power_up_link(adapter); + ++ if (enable_wake) ++ *enable_wake = wake; ++ + /* Release control of h/w to f/w. If f/w is AMT enabled, this + * would have already happened in close and is redundant. + */ +@@ -7399,22 +7388,7 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + #ifdef CONFIG_PM_SLEEP + static int igb_suspend(struct device *dev) + { +- int retval; +- bool wake; +- struct pci_dev *pdev = to_pci_dev(dev); +- +- retval = __igb_shutdown(pdev, &wake, 0); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 0); + } + #endif /* CONFIG_PM_SLEEP */ + +@@ -7483,22 +7457,7 @@ static int igb_runtime_idle(struct device *dev) + + static int igb_runtime_suspend(struct device *dev) + { +- struct pci_dev *pdev = to_pci_dev(dev); +- int retval; +- bool wake; +- +- retval = __igb_shutdown(pdev, &wake, 1); +- if (retval) +- return retval; +- +- if (wake) { +- pci_prepare_to_sleep(pdev); +- } else { +- pci_wake_from_d3(pdev, false); +- pci_set_power_state(pdev, PCI_D3hot); +- } +- +- return 0; ++ return __igb_shutdown(to_pci_dev(dev), NULL, 1); + } + + static int igb_runtime_resume(struct device *dev) +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index 1edc973df4c4..7377dca6eb57 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -547,9 +547,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + /* set dma read address */ + ks8851_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI | 0x00); + +- /* start the packet dma process, and set auto-dequeue rx */ +- ks8851_wrreg16(ks, KS_RXQCR, +- ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE); ++ /* start DMA access */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA); + + if (rxlen > 4) { + unsigned int rxalign; +@@ -580,7 +579,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + } + } + +- ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr); ++ /* end DMA access and dequeue packet */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_RRXEF); + } + } + +@@ -797,6 +797,15 @@ static void ks8851_tx_work(struct work_struct *work) + static int ks8851_net_open(struct net_device *dev) + { + struct ks8851_net *ks = netdev_priv(dev); ++ int ret; ++ ++ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq, ++ IRQF_TRIGGER_LOW | IRQF_ONESHOT, ++ dev->name, ks); ++ if (ret < 0) { ++ netdev_err(dev, "failed to get irq\n"); ++ return ret; ++ } + + /* lock the card, even if we may not actually be doing anything + * else at the moment */ +@@ -861,6 +870,7 @@ static int ks8851_net_open(struct net_device *dev) + netif_dbg(ks, ifup, ks->netdev, "network device up\n"); + + mutex_unlock(&ks->lock); ++ mii_check_link(&ks->mii); + return 0; + } + +@@ -911,6 +921,8 @@ static int ks8851_net_stop(struct net_device *dev) + dev_kfree_skb(txb); + } + ++ free_irq(dev->irq, ks); ++ + return 0; + } + +@@ -1516,6 +1528,7 @@ static int ks8851_probe(struct spi_device *spi) + + spi_set_drvdata(spi, ks); + ++ netif_carrier_off(ks->netdev); + ndev->if_port = IF_PORT_100BASET; + ndev->netdev_ops = &ks8851_netdev_ops; + ndev->irq = spi->irq; +@@ -1542,14 +1555,6 @@ static int ks8851_probe(struct spi_device *spi) + ks8851_read_selftest(ks); + ks8851_init_mac(ks); + +- ret = request_threaded_irq(spi->irq, NULL, ks8851_irq, +- IRQF_TRIGGER_LOW | IRQF_ONESHOT, +- ndev->name, ks); +- if (ret < 0) { +- dev_err(&spi->dev, "failed to get irq\n"); +- goto err_irq; +- } +- + ret = register_netdev(ndev); + if (ret) { + dev_err(&spi->dev, "failed to register network device\n"); +@@ -1562,14 +1567,10 @@ static int ks8851_probe(struct spi_device *spi) + + return 0; + +- + err_netdev: +- free_irq(ndev->irq, ks); +- +-err_irq: ++err_id: + if (gpio_is_valid(gpio)) + gpio_set_value(gpio, 0); +-err_id: + regulator_disable(ks->vdd_reg); + err_reg: + regulator_disable(ks->vdd_io); +@@ -1587,7 +1588,6 @@ static int ks8851_remove(struct spi_device *spi) + dev_info(&spi->dev, "remove\n"); + + unregister_netdev(priv->netdev); +- free_irq(spi->irq, priv); + if (gpio_is_valid(priv->gpio)) + gpio_set_value(priv->gpio, 0); + regulator_disable(priv->vdd_reg); +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +index 0a2318cad34d..63ebc491057b 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +@@ -1038,6 +1038,8 @@ int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode) + + for (i = 0; i < QLCNIC_NUM_ILB_PKT; i++) { + skb = netdev_alloc_skb(adapter->netdev, QLCNIC_ILB_PKT_SIZE); ++ if (!skb) ++ break; + qlcnic_create_loopback_buff(skb->data, adapter->mac_addr); + skb_put(skb, QLCNIC_ILB_PKT_SIZE); + adapter->ahw->diag_cnt = 0; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 059113dce6e0..f4d6512f066c 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1792,8 +1792,6 @@ static int stmmac_open(struct net_device *dev) + struct stmmac_priv *priv = netdev_priv(dev); + int ret; + +- stmmac_check_ether_addr(priv); +- + if (priv->pcs != STMMAC_PCS_RGMII && priv->pcs != STMMAC_PCS_TBI && + priv->pcs != STMMAC_PCS_RTBI) { + ret = stmmac_init_phy(dev); +@@ -2929,6 +2927,8 @@ int stmmac_dvr_probe(struct device *device, + if (ret) + goto error_hw_init; + ++ stmmac_check_ether_addr(priv); ++ + ndev->netdev_ops = &stmmac_netdev_ops; + + ndev->hw_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | +diff --git a/drivers/net/ethernet/ti/netcp_ethss.c b/drivers/net/ethernet/ti/netcp_ethss.c +index 4e70e7586a09..a5732edc8437 100644 +--- a/drivers/net/ethernet/ti/netcp_ethss.c ++++ b/drivers/net/ethernet/ti/netcp_ethss.c +@@ -3122,12 +3122,16 @@ static int gbe_probe(struct netcp_device *netcp_device, struct device *dev, + + ret = netcp_txpipe_init(&gbe_dev->tx_pipe, netcp_device, + gbe_dev->dma_chan_name, gbe_dev->tx_queue_id); +- if (ret) ++ if (ret) { ++ of_node_put(interfaces); + return ret; ++ } + + ret = netcp_txpipe_open(&gbe_dev->tx_pipe); +- if (ret) ++ if (ret) { ++ of_node_put(interfaces); + return ret; ++ } + + /* Create network interfaces */ + INIT_LIST_HEAD(&gbe_dev->gbe_intf_head); +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 4684644703cc..58ba579793f8 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1595,12 +1595,14 @@ static int axienet_probe(struct platform_device *pdev) + ret = of_address_to_resource(np, 0, &dmares); + if (ret) { + dev_err(&pdev->dev, "unable to get DMA resource\n"); ++ of_node_put(np); + goto free_netdev; + } + lp->dma_regs = devm_ioremap_resource(&pdev->dev, &dmares); + if (IS_ERR(lp->dma_regs)) { + dev_err(&pdev->dev, "could not map DMA regs\n"); + ret = PTR_ERR(lp->dma_regs); ++ of_node_put(np); + goto free_netdev; + } + lp->rx_irq = irq_of_parse_and_map(np, 1); +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index cfd81eb1b532..ddceed3c5a4a 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -153,7 +153,7 @@ out_fail: + void + slhc_free(struct slcompress *comp) + { +- if ( comp == NULLSLCOMPR ) ++ if ( IS_ERR_OR_NULL(comp) ) + return; + + if ( comp->tstate != NULLSLSTATE ) +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 267a90423154..7b3ef6dc45a4 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1136,6 +1136,12 @@ static int team_port_add(struct team *team, struct net_device *port_dev) + return -EINVAL; + } + ++ if (netdev_has_upper_dev(dev, port_dev)) { ++ netdev_err(dev, "Device %s is already an upper device of the team interface\n", ++ portname); ++ return -EBUSY; ++ } ++ + if (port_dev->features & NETIF_F_VLAN_CHALLENGED && + vlan_uses_dev(dev)) { + netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n", +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c +index f1f8227e7342..01f95d192d25 100644 +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -148,6 +148,7 @@ struct ipheth_device { + u8 bulk_in; + u8 bulk_out; + struct delayed_work carrier_work; ++ bool confirmed_pairing; + }; + + static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags); +@@ -259,7 +260,7 @@ static void ipheth_rcvbulk_callback(struct urb *urb) + + dev->net->stats.rx_packets++; + dev->net->stats.rx_bytes += len; +- ++ dev->confirmed_pairing = true; + netif_rx(skb); + ipheth_rx_submit(dev, GFP_ATOMIC); + } +@@ -280,14 +281,24 @@ static void ipheth_sndbulk_callback(struct urb *urb) + dev_err(&dev->intf->dev, "%s: urb status: %d\n", + __func__, status); + +- netif_wake_queue(dev->net); ++ if (status == 0) ++ netif_wake_queue(dev->net); ++ else ++ // on URB error, trigger immediate poll ++ schedule_delayed_work(&dev->carrier_work, 0); + } + + static int ipheth_carrier_set(struct ipheth_device *dev) + { +- struct usb_device *udev = dev->udev; ++ struct usb_device *udev; + int retval; + ++ if (!dev) ++ return 0; ++ if (!dev->confirmed_pairing) ++ return 0; ++ ++ udev = dev->udev; + retval = usb_control_msg(udev, + usb_rcvctrlpipe(udev, IPHETH_CTRL_ENDP), + IPHETH_CMD_CARRIER_CHECK, /* request */ +@@ -302,11 +313,14 @@ static int ipheth_carrier_set(struct ipheth_device *dev) + return retval; + } + +- if (dev->ctrl_buf[0] == IPHETH_CARRIER_ON) ++ if (dev->ctrl_buf[0] == IPHETH_CARRIER_ON) { + netif_carrier_on(dev->net); +- else ++ if (dev->tx_urb->status != -EINPROGRESS) ++ netif_wake_queue(dev->net); ++ } else { + netif_carrier_off(dev->net); +- ++ netif_stop_queue(dev->net); ++ } + return 0; + } + +@@ -386,7 +400,6 @@ static int ipheth_open(struct net_device *net) + return retval; + + schedule_delayed_work(&dev->carrier_work, IPHETH_CARRIER_CHECK_TIMEOUT); +- netif_start_queue(net); + return retval; + } + +@@ -489,7 +502,7 @@ static int ipheth_probe(struct usb_interface *intf, + dev->udev = udev; + dev->net = netdev; + dev->intf = intf; +- ++ dev->confirmed_pairing = false; + /* Set up endpoints */ + hintf = usb_altnum_to_altsetting(intf, IPHETH_ALT_INTFNUM); + if (hintf == NULL) { +@@ -540,7 +553,9 @@ static int ipheth_probe(struct usb_interface *intf, + retval = -EIO; + goto err_register_netdev; + } +- ++ // carrier down and transmit queues stopped until packet from device ++ netif_carrier_off(netdev); ++ netif_tx_stop_all_queues(netdev); + dev_info(&intf->dev, "Apple iPhone USB Ethernet device attached\n"); + return 0; + +diff --git a/drivers/net/wireless/cw1200/scan.c b/drivers/net/wireless/cw1200/scan.c +index 9f1037e7e55c..2ce0193614f2 100644 +--- a/drivers/net/wireless/cw1200/scan.c ++++ b/drivers/net/wireless/cw1200/scan.c +@@ -84,8 +84,11 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, + + frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0, + req->ie_len); +- if (!frame.skb) ++ if (!frame.skb) { ++ mutex_unlock(&priv->conf_mutex); ++ up(&priv->scan.lock); + return -ENOMEM; ++ } + + if (req->ie_len) + memcpy(skb_put(frame.skb, req->ie_len), req->ie, req->ie_len); +diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c +index cb477518dd0e..4c129450495d 100644 +--- a/drivers/nvdimm/btt_devs.c ++++ b/drivers/nvdimm/btt_devs.c +@@ -170,14 +170,15 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, + return NULL; + + nd_btt->id = ida_simple_get(&nd_region->btt_ida, 0, 0, GFP_KERNEL); +- if (nd_btt->id < 0) { +- kfree(nd_btt); +- return NULL; +- } ++ if (nd_btt->id < 0) ++ goto out_nd_btt; + + nd_btt->lbasize = lbasize; +- if (uuid) ++ if (uuid) { + uuid = kmemdup(uuid, 16, GFP_KERNEL); ++ if (!uuid) ++ goto out_put_id; ++ } + nd_btt->uuid = uuid; + dev = &nd_btt->dev; + dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id); +@@ -192,6 +193,13 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, + return NULL; + } + return dev; ++ ++out_put_id: ++ ida_simple_remove(&nd_region->btt_ida, nd_btt->id); ++ ++out_nd_btt: ++ kfree(nd_btt); ++ return NULL; + } + + struct device *nd_btt_create(struct nd_region *nd_region) +diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c +index f73c29558cd3..c54ff94c491d 100644 +--- a/drivers/platform/x86/sony-laptop.c ++++ b/drivers/platform/x86/sony-laptop.c +@@ -4394,14 +4394,16 @@ sony_pic_read_possible_resource(struct acpi_resource *resource, void *context) + } + return AE_OK; + } ++ ++ case ACPI_RESOURCE_TYPE_END_TAG: ++ return AE_OK; ++ + default: + dprintk("Resource %d isn't an IRQ nor an IO port\n", + resource->type); ++ return AE_CTRL_TERMINATE; + +- case ACPI_RESOURCE_TYPE_END_TAG: +- return AE_OK; + } +- return AE_CTRL_TERMINATE; + } + + static int sony_pic_possible_resources(struct acpi_device *device) +diff --git a/drivers/rtc/rtc-da9063.c b/drivers/rtc/rtc-da9063.c +index d6c853bbfa9f..e93beecd5010 100644 +--- a/drivers/rtc/rtc-da9063.c ++++ b/drivers/rtc/rtc-da9063.c +@@ -491,6 +491,13 @@ static int da9063_rtc_probe(struct platform_device *pdev) + da9063_data_to_tm(data, &rtc->alarm_time, rtc); + rtc->rtc_sync = false; + ++ /* ++ * TODO: some models have alarms on a minute boundary but still support ++ * real hardware interrupts. Add this once the core supports it. ++ */ ++ if (config->rtc_data_start != RTC_SEC) ++ rtc->rtc_dev->uie_unsupported = 1; ++ + irq_alarm = platform_get_irq_byname(pdev, "ALARM"); + ret = devm_request_threaded_irq(&pdev->dev, irq_alarm, NULL, + da9063_alarm_event, +diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c +index 2b81dd4baf17..104c854d6a8a 100644 +--- a/drivers/rtc/rtc-sh.c ++++ b/drivers/rtc/rtc-sh.c +@@ -455,7 +455,7 @@ static int sh_rtc_set_time(struct device *dev, struct rtc_time *tm) + static inline int sh_rtc_read_alarm_value(struct sh_rtc *rtc, int reg_off) + { + unsigned int byte; +- int value = 0xff; /* return 0xff for ignored values */ ++ int value = -1; /* return -1 for ignored values */ + + byte = readb(rtc->regbase + reg_off); + if (byte & AR_ENB) { +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 80a43074c2f9..c530610f61ac 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -2066,14 +2066,14 @@ static int dasd_eckd_end_analysis(struct dasd_block *block) + blk_per_trk = recs_per_track(&private->rdc_data, 0, block->bp_block); + + raw: +- block->blocks = (private->real_cyl * ++ block->blocks = ((unsigned long) private->real_cyl * + private->rdc_data.trk_per_cyl * + blk_per_trk); + + dev_info(&device->cdev->dev, +- "DASD with %d KB/block, %d KB total size, %d KB/track, " ++ "DASD with %u KB/block, %lu KB total size, %u KB/track, " + "%s\n", (block->bp_block >> 10), +- ((private->real_cyl * ++ (((unsigned long) private->real_cyl * + private->rdc_data.trk_per_cyl * + blk_per_trk * (block->bp_block >> 9)) >> 1), + ((blk_per_trk * block->bp_block) >> 10), +diff --git a/drivers/s390/char/con3270.c b/drivers/s390/char/con3270.c +index bae98521c808..3e5a7912044f 100644 +--- a/drivers/s390/char/con3270.c ++++ b/drivers/s390/char/con3270.c +@@ -627,7 +627,7 @@ con3270_init(void) + (void (*)(unsigned long)) con3270_read_tasklet, + (unsigned long) condev->read); + +- raw3270_add_view(&condev->view, &con3270_fn, 1); ++ raw3270_add_view(&condev->view, &con3270_fn, 1, RAW3270_VIEW_LOCK_IRQ); + + INIT_LIST_HEAD(&condev->freemem); + for (i = 0; i < CON3270_STRING_PAGES; i++) { +diff --git a/drivers/s390/char/fs3270.c b/drivers/s390/char/fs3270.c +index 71e974738014..f0c86bcbe316 100644 +--- a/drivers/s390/char/fs3270.c ++++ b/drivers/s390/char/fs3270.c +@@ -463,7 +463,8 @@ fs3270_open(struct inode *inode, struct file *filp) + + init_waitqueue_head(&fp->wait); + fp->fs_pid = get_pid(task_pid(current)); +- rc = raw3270_add_view(&fp->view, &fs3270_fn, minor); ++ rc = raw3270_add_view(&fp->view, &fs3270_fn, minor, ++ RAW3270_VIEW_LOCK_BH); + if (rc) { + fs3270_free_view(&fp->view); + goto out; +diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c +index 220acb4cbee5..9c350e6d75bf 100644 +--- a/drivers/s390/char/raw3270.c ++++ b/drivers/s390/char/raw3270.c +@@ -956,7 +956,7 @@ raw3270_deactivate_view(struct raw3270_view *view) + * Add view to device with minor "minor". + */ + int +-raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor) ++raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor, int subclass) + { + unsigned long flags; + struct raw3270 *rp; +@@ -978,6 +978,7 @@ raw3270_add_view(struct raw3270_view *view, struct raw3270_fn *fn, int minor) + view->cols = rp->cols; + view->ascebc = rp->ascebc; + spin_lock_init(&view->lock); ++ lockdep_set_subclass(&view->lock, subclass); + list_add(&view->list, &rp->view_list); + rc = 0; + spin_unlock_irqrestore(get_ccwdev_lock(rp->cdev), flags); +diff --git a/drivers/s390/char/raw3270.h b/drivers/s390/char/raw3270.h +index e1e41c2861fb..5ae54317857a 100644 +--- a/drivers/s390/char/raw3270.h ++++ b/drivers/s390/char/raw3270.h +@@ -155,6 +155,8 @@ struct raw3270_fn { + struct raw3270_view { + struct list_head list; + spinlock_t lock; ++#define RAW3270_VIEW_LOCK_IRQ 0 ++#define RAW3270_VIEW_LOCK_BH 1 + atomic_t ref_count; + struct raw3270 *dev; + struct raw3270_fn *fn; +@@ -163,7 +165,7 @@ struct raw3270_view { + unsigned char *ascebc; /* ascii -> ebcdic table */ + }; + +-int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int); ++int raw3270_add_view(struct raw3270_view *, struct raw3270_fn *, int, int); + int raw3270_activate_view(struct raw3270_view *); + void raw3270_del_view(struct raw3270_view *); + void raw3270_deactivate_view(struct raw3270_view *); +diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c +index e96fc7fd9498..ab95d24b991b 100644 +--- a/drivers/s390/char/tty3270.c ++++ b/drivers/s390/char/tty3270.c +@@ -937,7 +937,8 @@ static int tty3270_install(struct tty_driver *driver, struct tty_struct *tty) + return PTR_ERR(tp); + + rc = raw3270_add_view(&tp->view, &tty3270_fn, +- tty->index + RAW3270_FIRSTMINOR); ++ tty->index + RAW3270_FIRSTMINOR, ++ RAW3270_VIEW_LOCK_BH); + if (rc) { + tty3270_free_view(tp); + return rc; +diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c +index 05c37d6d4afe..a31821d94677 100644 +--- a/drivers/s390/net/ctcm_main.c ++++ b/drivers/s390/net/ctcm_main.c +@@ -1595,6 +1595,7 @@ static int ctcm_new_device(struct ccwgroup_device *cgdev) + if (priv->channel[direction] == NULL) { + if (direction == CTCM_WRITE) + channel_free(priv->channel[CTCM_READ]); ++ result = -ENODEV; + goto out_dev; + } + priv->channel[direction]->netdev = dev; +diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c +index 237688af179b..f7630cf581cd 100644 +--- a/drivers/s390/scsi/zfcp_fc.c ++++ b/drivers/s390/scsi/zfcp_fc.c +@@ -238,10 +238,6 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + list_for_each_entry(port, &adapter->port_list, list) { + if ((port->d_id & range) == (ntoh24(page->rscn_fid) & range)) + zfcp_fc_test_link(port); +- if (!port->d_id) +- zfcp_erp_port_reopen(port, +- ZFCP_STATUS_COMMON_ERP_FAILED, +- "fcrscn1"); + } + read_unlock_irqrestore(&adapter->port_list_lock, flags); + } +@@ -249,6 +245,7 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + { + struct fsf_status_read_buffer *status_buffer = (void *)fsf_req->data; ++ struct zfcp_adapter *adapter = fsf_req->adapter; + struct fc_els_rscn *head; + struct fc_els_rscn_page *page; + u16 i; +@@ -261,6 +258,22 @@ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + /* see FC-FS */ + no_entries = head->rscn_plen / sizeof(struct fc_els_rscn_page); + ++ if (no_entries > 1) { ++ /* handle failed ports */ ++ unsigned long flags; ++ struct zfcp_port *port; ++ ++ read_lock_irqsave(&adapter->port_list_lock, flags); ++ list_for_each_entry(port, &adapter->port_list, list) { ++ if (port->d_id) ++ continue; ++ zfcp_erp_port_reopen(port, ++ ZFCP_STATUS_COMMON_ERP_FAILED, ++ "fcrscn1"); ++ } ++ read_unlock_irqrestore(&adapter->port_list_lock, flags); ++ } ++ + for (i = 1; i < no_entries; i++) { + /* skip head and start with 1st element */ + page++; +diff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c +index c2a6f9f29427..ddbdaade654d 100644 +--- a/drivers/scsi/csiostor/csio_scsi.c ++++ b/drivers/scsi/csiostor/csio_scsi.c +@@ -1713,8 +1713,11 @@ csio_scsi_err_handler(struct csio_hw *hw, struct csio_ioreq *req) + } + + out: +- if (req->nsge > 0) ++ if (req->nsge > 0) { + scsi_dma_unmap(cmnd); ++ if (req->dcopy && (host_status == DID_OK)) ++ host_status = csio_scsi_copy_to_sgl(hw, req); ++ } + + cmnd->result = (((host_status) << 16) | scsi_status); + cmnd->scsi_done(cmnd); +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 7be581f7c35d..1a6f65db615e 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -47,17 +47,16 @@ static void smp_task_timedout(unsigned long _task) + unsigned long flags; + + spin_lock_irqsave(&task->task_state_lock, flags); +- if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) ++ if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { + task->task_state_flags |= SAS_TASK_STATE_ABORTED; ++ complete(&task->slow_task->completion); ++ } + spin_unlock_irqrestore(&task->task_state_lock, flags); +- +- complete(&task->slow_task->completion); + } + + static void smp_task_done(struct sas_task *task) + { +- if (!del_timer(&task->slow_task->timer)) +- return; ++ del_timer(&task->slow_task->timer); + complete(&task->slow_task->completion); + } + +diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c +index ac12ee844bfc..31c29a5d1f38 100644 +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -431,7 +431,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size; ++ ha->optrom_region_size = size; + + ha->optrom_state = QLA_SREADING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); +@@ -504,7 +504,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, + } + + ha->optrom_region_start = start; +- ha->optrom_region_size = start + size; ++ ha->optrom_region_size = size; + + ha->optrom_state = QLA_SWRITING; + ha->optrom_buffer = vmalloc(ha->optrom_region_size); +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index f9f899ec9427..c158967b59d7 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -3207,6 +3207,8 @@ static int qla4xxx_conn_bind(struct iscsi_cls_session *cls_session, + if (iscsi_conn_bind(cls_session, cls_conn, is_leading)) + return -EINVAL; + ep = iscsi_lookup_endpoint(transport_fd); ++ if (!ep) ++ return -EINVAL; + conn = cls_conn->dd_data; + qla_conn = conn->dd_data; + qla_conn->qla_ep = ep->dd_data; +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index 44b7a69d022a..45cd4cf93af3 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -613,13 +613,22 @@ static void handle_sc_creation(struct vmbus_channel *new_sc) + static void handle_multichannel_storage(struct hv_device *device, int max_chns) + { + struct storvsc_device *stor_device; +- int num_cpus = num_online_cpus(); + int num_sc; + struct storvsc_cmd_request *request; + struct vstor_packet *vstor_packet; + int ret, t; + +- num_sc = ((max_chns > num_cpus) ? num_cpus : max_chns); ++ /* ++ * If the number of CPUs is artificially restricted, such as ++ * with maxcpus=1 on the kernel boot line, Hyper-V could offer ++ * sub-channels >= the number of CPUs. These sub-channels ++ * should not be created. The primary channel is already created ++ * and assigned to one CPU, so check against # CPUs - 1. ++ */ ++ num_sc = min((int)(num_online_cpus() - 1), max_chns); ++ if (!num_sc) ++ return; ++ + stor_device = get_out_stor_device(device); + if (!stor_device) + return; +diff --git a/drivers/staging/iio/addac/adt7316.c b/drivers/staging/iio/addac/adt7316.c +index 3adc4516918c..8c5cfb9400d0 100644 +--- a/drivers/staging/iio/addac/adt7316.c ++++ b/drivers/staging/iio/addac/adt7316.c +@@ -47,6 +47,8 @@ + #define ADT7516_MSB_AIN3 0xA + #define ADT7516_MSB_AIN4 0xB + #define ADT7316_DA_DATA_BASE 0x10 ++#define ADT7316_DA_10_BIT_LSB_SHIFT 6 ++#define ADT7316_DA_12_BIT_LSB_SHIFT 4 + #define ADT7316_DA_MSB_DATA_REGS 4 + #define ADT7316_LSB_DAC_A 0x10 + #define ADT7316_MSB_DAC_A 0x11 +@@ -1092,7 +1094,7 @@ static ssize_t adt7316_store_DAC_internal_Vref(struct device *dev, + ldac_config = chip->ldac_config & (~ADT7516_DAC_IN_VREF_MASK); + if (data & 0x1) + ldac_config |= ADT7516_DAC_AB_IN_VREF; +- else if (data & 0x2) ++ if (data & 0x2) + ldac_config |= ADT7516_DAC_CD_IN_VREF; + } else { + ret = kstrtou8(buf, 16, &data); +@@ -1414,7 +1416,7 @@ static IIO_DEVICE_ATTR(ex_analog_temp_offset, S_IRUGO | S_IWUSR, + static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, + int channel, char *buf) + { +- u16 data; ++ u16 data = 0; + u8 msb, lsb, offset; + int ret; + +@@ -1439,7 +1441,11 @@ static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, + if (ret) + return -EIO; + +- data = (msb << offset) + (lsb & ((1 << offset) - 1)); ++ if (chip->dac_bits == 12) ++ data = lsb >> ADT7316_DA_12_BIT_LSB_SHIFT; ++ else if (chip->dac_bits == 10) ++ data = lsb >> ADT7316_DA_10_BIT_LSB_SHIFT; ++ data |= msb << offset; + + return sprintf(buf, "%d\n", data); + } +@@ -1447,7 +1453,7 @@ static ssize_t adt7316_show_DAC(struct adt7316_chip_info *chip, + static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip, + int channel, const char *buf, size_t len) + { +- u8 msb, lsb, offset; ++ u8 msb, lsb, lsb_reg, offset; + u16 data; + int ret; + +@@ -1465,9 +1471,13 @@ static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip, + return -EINVAL; + + if (chip->dac_bits > 8) { +- lsb = data & (1 << offset); ++ lsb = data & ((1 << offset) - 1); ++ if (chip->dac_bits == 12) ++ lsb_reg = lsb << ADT7316_DA_12_BIT_LSB_SHIFT; ++ else ++ lsb_reg = lsb << ADT7316_DA_10_BIT_LSB_SHIFT; + ret = chip->bus.write(chip->bus.client, +- ADT7316_DA_DATA_BASE + channel * 2, lsb); ++ ADT7316_DA_DATA_BASE + channel * 2, lsb_reg); + if (ret) + return -EIO; + } +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index 17a22073d226..032f3c13b8c4 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -1448,7 +1448,7 @@ static int __init sc16is7xx_init(void) + ret = i2c_add_driver(&sc16is7xx_i2c_uart_driver); + if (ret < 0) { + pr_err("failed to init sc16is7xx i2c --> %d\n", ret); +- return ret; ++ goto err_i2c; + } + #endif + +@@ -1456,10 +1456,18 @@ static int __init sc16is7xx_init(void) + ret = spi_register_driver(&sc16is7xx_spi_uart_driver); + if (ret < 0) { + pr_err("failed to init sc16is7xx spi --> %d\n", ret); +- return ret; ++ goto err_spi; + } + #endif + return ret; ++ ++err_spi: ++#ifdef CONFIG_SERIAL_SC16IS7XX_I2C ++ i2c_del_driver(&sc16is7xx_i2c_uart_driver); ++#endif ++err_i2c: ++ uart_unregister_driver(&sc16is7xx_uart); ++ return ret; + } + module_init(sc16is7xx_init); + +diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c +index e9d6cf146fcc..654199c6a36c 100644 +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -470,11 +470,6 @@ static int usb_unbind_interface(struct device *dev) + pm_runtime_disable(dev); + pm_runtime_set_suspended(dev); + +- /* Undo any residual pm_autopm_get_interface_* calls */ +- for (r = atomic_read(&intf->pm_usage_cnt); r > 0; --r) +- usb_autopm_put_interface_no_suspend(intf); +- atomic_set(&intf->pm_usage_cnt, 0); +- + if (!error) + usb_autosuspend_device(udev); + +@@ -1625,7 +1620,6 @@ void usb_autopm_put_interface(struct usb_interface *intf) + int status; + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + status = pm_runtime_put_sync(&intf->dev); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), +@@ -1654,7 +1648,6 @@ void usb_autopm_put_interface_async(struct usb_interface *intf) + int status; + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + status = pm_runtime_put(&intf->dev); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), +@@ -1676,7 +1669,6 @@ void usb_autopm_put_interface_no_suspend(struct usb_interface *intf) + struct usb_device *udev = interface_to_usbdev(intf); + + usb_mark_last_busy(udev); +- atomic_dec(&intf->pm_usage_cnt); + pm_runtime_put_noidle(&intf->dev); + } + EXPORT_SYMBOL_GPL(usb_autopm_put_interface_no_suspend); +@@ -1707,8 +1699,6 @@ int usb_autopm_get_interface(struct usb_interface *intf) + status = pm_runtime_get_sync(&intf->dev); + if (status < 0) + pm_runtime_put_sync(&intf->dev); +- else +- atomic_inc(&intf->pm_usage_cnt); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), + status); +@@ -1742,8 +1732,6 @@ int usb_autopm_get_interface_async(struct usb_interface *intf) + status = pm_runtime_get(&intf->dev); + if (status < 0 && status != -EINPROGRESS) + pm_runtime_put_noidle(&intf->dev); +- else +- atomic_inc(&intf->pm_usage_cnt); + dev_vdbg(&intf->dev, "%s: cnt %d -> %d\n", + __func__, atomic_read(&intf->dev.power.usage_count), + status); +@@ -1767,7 +1755,6 @@ void usb_autopm_get_interface_no_resume(struct usb_interface *intf) + struct usb_device *udev = interface_to_usbdev(intf); + + usb_mark_last_busy(udev); +- atomic_inc(&intf->pm_usage_cnt); + pm_runtime_get_noresume(&intf->dev); + } + EXPORT_SYMBOL_GPL(usb_autopm_get_interface_no_resume); +@@ -1888,14 +1875,11 @@ int usb_runtime_idle(struct device *dev) + return -EBUSY; + } + +-int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) ++static int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) + { + struct usb_hcd *hcd = bus_to_hcd(udev->bus); + int ret = -EPERM; + +- if (enable && !udev->usb2_hw_lpm_allowed) +- return 0; +- + if (hcd->driver->set_usb2_hw_lpm) { + ret = hcd->driver->set_usb2_hw_lpm(hcd, udev, enable); + if (!ret) +@@ -1905,6 +1889,24 @@ int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) + return ret; + } + ++int usb_enable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ if (!udev->usb2_hw_lpm_capable || ++ !udev->usb2_hw_lpm_allowed || ++ udev->usb2_hw_lpm_enabled) ++ return 0; ++ ++ return usb_set_usb2_hardware_lpm(udev, 1); ++} ++ ++int usb_disable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ if (!udev->usb2_hw_lpm_enabled) ++ return 0; ++ ++ return usb_set_usb2_hardware_lpm(udev, 0); ++} ++ + #endif /* CONFIG_PM */ + + struct bus_type usb_bus_type = { +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 3a6978458d95..7c87c0b38bcf 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3116,8 +3116,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) + } + + /* disable USB2 hardware LPM */ +- if (udev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(udev, 0); ++ usb_disable_usb2_hardware_lpm(udev); + + if (usb_disable_ltm(udev)) { + dev_err(&udev->dev, "Failed to disable LTM before suspend\n."); +@@ -3163,8 +3162,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) + usb_enable_ltm(udev); + err_ltm: + /* Try to enable USB2 hardware LPM again */ +- if (udev->usb2_hw_lpm_capable == 1) +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + + if (udev->do_remote_wakeup) + (void) usb_disable_remote_wakeup(udev); +@@ -3443,8 +3441,7 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg) + hub_port_logical_disconnect(hub, port1); + } else { + /* Try to enable USB2 hardware LPM */ +- if (udev->usb2_hw_lpm_capable == 1) +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + + /* Try to enable USB3 LTM and LPM */ + usb_enable_ltm(udev); +@@ -4270,7 +4267,7 @@ static void hub_set_initial_usb2_lpm_policy(struct usb_device *udev) + if ((udev->bos->ext_cap->bmAttributes & cpu_to_le32(USB_BESL_SUPPORT)) || + connect_type == USB_PORT_CONNECT_TYPE_HARD_WIRED) { + udev->usb2_hw_lpm_allowed = 1; +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + } + } + +@@ -5415,8 +5412,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + /* Disable USB2 hardware LPM. + * It will be re-enabled by the enumeration process. + */ +- if (udev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(udev, 0); ++ usb_disable_usb2_hardware_lpm(udev); + + /* Disable LPM and LTM while we reset the device and reinstall the alt + * settings. Device-initiated LPM settings, and system exit latency +@@ -5526,7 +5522,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + + done: + /* Now that the alt settings are re-installed, enable LTM and LPM. */ +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + usb_unlocked_enable_lpm(udev); + usb_enable_ltm(udev); + usb_release_bos_descriptor(udev); +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index 08cba309eb78..adc696a76b20 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -820,9 +820,11 @@ int usb_string(struct usb_device *dev, int index, char *buf, size_t size) + + if (dev->state == USB_STATE_SUSPENDED) + return -EHOSTUNREACH; +- if (size <= 0 || !buf || !index) ++ if (size <= 0 || !buf) + return -EINVAL; + buf[0] = 0; ++ if (index <= 0 || index >= 256) ++ return -EINVAL; + tbuf = kmalloc(256, GFP_NOIO); + if (!tbuf) + return -ENOMEM; +@@ -1184,8 +1186,7 @@ void usb_disable_device(struct usb_device *dev, int skip_ep0) + dev->actconfig->interface[i] = NULL; + } + +- if (dev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(dev, 0); ++ usb_disable_usb2_hardware_lpm(dev); + usb_unlocked_disable_lpm(dev); + usb_disable_ltm(dev); + +diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c +index 65b6e6b84043..6dc0f4e25cf3 100644 +--- a/drivers/usb/core/sysfs.c ++++ b/drivers/usb/core/sysfs.c +@@ -472,7 +472,10 @@ static ssize_t usb2_hardware_lpm_store(struct device *dev, + + if (!ret) { + udev->usb2_hw_lpm_allowed = value; +- ret = usb_set_usb2_hardware_lpm(udev, value); ++ if (value) ++ ret = usb_enable_usb2_hardware_lpm(udev); ++ else ++ ret = usb_disable_usb2_hardware_lpm(udev); + } + + usb_unlock_device(udev); +diff --git a/drivers/usb/core/usb.h b/drivers/usb/core/usb.h +index 53318126ed91..6b2f11544283 100644 +--- a/drivers/usb/core/usb.h ++++ b/drivers/usb/core/usb.h +@@ -84,7 +84,8 @@ extern int usb_remote_wakeup(struct usb_device *dev); + extern int usb_runtime_suspend(struct device *dev); + extern int usb_runtime_resume(struct device *dev); + extern int usb_runtime_idle(struct device *dev); +-extern int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable); ++extern int usb_enable_usb2_hardware_lpm(struct usb_device *udev); ++extern int usb_disable_usb2_hardware_lpm(struct usb_device *udev); + + #else + +@@ -104,7 +105,12 @@ static inline int usb_autoresume_device(struct usb_device *udev) + return 0; + } + +-static inline int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) ++static inline int usb_enable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ return 0; ++} ++ ++static inline int usb_disable_usb2_hardware_lpm(struct usb_device *udev) + { + return 0; + } +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 22b4797383cd..4378e758baef 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -867,7 +867,7 @@ static int dwc3_probe(struct platform_device *pdev) + dwc->regs_size = resource_size(res); + + /* default to highest possible threshold */ +- lpm_nyet_threshold = 0xff; ++ lpm_nyet_threshold = 0xf; + + /* default to -3.5dB de-emphasis */ + tx_de_emphasis = 1; +diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c +index 3b6e34fc032b..553922c3be85 100644 +--- a/drivers/usb/gadget/udc/net2272.c ++++ b/drivers/usb/gadget/udc/net2272.c +@@ -962,6 +962,7 @@ net2272_dequeue(struct usb_ep *_ep, struct usb_request *_req) + break; + } + if (&req->req != _req) { ++ ep->stopped = stopped; + spin_unlock_irqrestore(&ep->dev->lock, flags); + return -EINVAL; + } +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 8efeadf30b4d..3a8d056a5d16 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -870,9 +870,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma) + (void) readl(&ep->dev->pci->pcimstctl); + + writel(BIT(DMA_START), &dma->dmastat); +- +- if (!ep->is_in) +- stop_out_naking(ep); + } + + static void start_dma(struct net2280_ep *ep, struct net2280_request *req) +@@ -911,6 +908,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req) + writel(BIT(DMA_START), &dma->dmastat); + return; + } ++ stop_out_naking(ep); + } + + tmp = dmactl_default; +@@ -1272,9 +1270,9 @@ static int net2280_dequeue(struct usb_ep *_ep, struct usb_request *_req) + break; + } + if (&req->req != _req) { ++ ep->stopped = stopped; + spin_unlock_irqrestore(&ep->dev->lock, flags); +- dev_err(&ep->dev->pdev->dev, "%s: Request mismatch\n", +- __func__); ++ ep_dbg(ep->dev, "%s: Request mismatch\n", __func__); + return -EINVAL; + } + +diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c +index d5434e7a3b2e..86f9944f337d 100644 +--- a/drivers/usb/host/u132-hcd.c ++++ b/drivers/usb/host/u132-hcd.c +@@ -3214,6 +3214,9 @@ static int __init u132_hcd_init(void) + printk(KERN_INFO "driver %s\n", hcd_name); + workqueue = create_singlethread_workqueue("u132"); + retval = platform_driver_register(&u132_platform_driver); ++ if (retval) ++ destroy_workqueue(workqueue); ++ + return retval; + } + +diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c +index 5594a4a4a83f..a8b6d0036e5d 100644 +--- a/drivers/usb/misc/yurex.c ++++ b/drivers/usb/misc/yurex.c +@@ -332,6 +332,7 @@ static void yurex_disconnect(struct usb_interface *interface) + usb_deregister_dev(interface, &yurex_class); + + /* prevent more I/O from starting */ ++ usb_poison_urb(dev->urb); + mutex_lock(&dev->io_mutex); + dev->interface = NULL; + mutex_unlock(&dev->io_mutex); +diff --git a/drivers/usb/serial/generic.c b/drivers/usb/serial/generic.c +index 54e170dd3dad..faead4f32b1c 100644 +--- a/drivers/usb/serial/generic.c ++++ b/drivers/usb/serial/generic.c +@@ -350,39 +350,59 @@ void usb_serial_generic_read_bulk_callback(struct urb *urb) + struct usb_serial_port *port = urb->context; + unsigned char *data = urb->transfer_buffer; + unsigned long flags; ++ bool stopped = false; ++ int status = urb->status; + int i; + + for (i = 0; i < ARRAY_SIZE(port->read_urbs); ++i) { + if (urb == port->read_urbs[i]) + break; + } +- set_bit(i, &port->read_urbs_free); + + dev_dbg(&port->dev, "%s - urb %d, len %d\n", __func__, i, + urb->actual_length); +- switch (urb->status) { ++ switch (status) { + case 0: ++ usb_serial_debug_data(&port->dev, __func__, urb->actual_length, ++ data); ++ port->serial->type->process_read_urb(urb); + break; + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: + dev_dbg(&port->dev, "%s - urb stopped: %d\n", +- __func__, urb->status); +- return; ++ __func__, status); ++ stopped = true; ++ break; + case -EPIPE: + dev_err(&port->dev, "%s - urb stopped: %d\n", +- __func__, urb->status); +- return; ++ __func__, status); ++ stopped = true; ++ break; + default: + dev_dbg(&port->dev, "%s - nonzero urb status: %d\n", +- __func__, urb->status); +- goto resubmit; ++ __func__, status); ++ break; + } + +- usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data); +- port->serial->type->process_read_urb(urb); ++ /* ++ * Make sure URB processing is done before marking as free to avoid ++ * racing with unthrottle() on another CPU. Matches the barriers ++ * implied by the test_and_clear_bit() in ++ * usb_serial_generic_submit_read_urb(). ++ */ ++ smp_mb__before_atomic(); ++ set_bit(i, &port->read_urbs_free); ++ /* ++ * Make sure URB is marked as free before checking the throttled flag ++ * to avoid racing with unthrottle() on another CPU. Matches the ++ * smp_mb() in unthrottle(). ++ */ ++ smp_mb__after_atomic(); ++ ++ if (stopped) ++ return; + +-resubmit: + /* Throttle the device if requested by tty */ + spin_lock_irqsave(&port->lock, flags); + port->throttled = port->throttle_req; +@@ -399,6 +419,7 @@ void usb_serial_generic_write_bulk_callback(struct urb *urb) + { + unsigned long flags; + struct usb_serial_port *port = urb->context; ++ int status = urb->status; + int i; + + for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i) { +@@ -410,22 +431,22 @@ void usb_serial_generic_write_bulk_callback(struct urb *urb) + set_bit(i, &port->write_urbs_free); + spin_unlock_irqrestore(&port->lock, flags); + +- switch (urb->status) { ++ switch (status) { + case 0: + break; + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: + dev_dbg(&port->dev, "%s - urb stopped: %d\n", +- __func__, urb->status); ++ __func__, status); + return; + case -EPIPE: + dev_err_console(port, "%s - urb stopped: %d\n", +- __func__, urb->status); ++ __func__, status); + return; + default: + dev_err_console(port, "%s - nonzero urb status: %d\n", +- __func__, urb->status); ++ __func__, status); + goto resubmit; + } + +@@ -456,6 +477,12 @@ void usb_serial_generic_unthrottle(struct tty_struct *tty) + port->throttled = port->throttle_req = 0; + spin_unlock_irq(&port->lock); + ++ /* ++ * Matches the smp_mb__after_atomic() in ++ * usb_serial_generic_read_bulk_callback(). ++ */ ++ smp_mb(); ++ + if (was_throttled) + usb_serial_generic_submit_read_urbs(port, GFP_KERNEL); + } +diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c +index 20433563a601..be432bec0c5b 100644 +--- a/drivers/usb/storage/realtek_cr.c ++++ b/drivers/usb/storage/realtek_cr.c +@@ -772,18 +772,16 @@ static void rts51x_suspend_timer_fn(unsigned long data) + break; + case RTS51X_STAT_IDLE: + case RTS51X_STAT_SS: +- usb_stor_dbg(us, "RTS51X_STAT_SS, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "RTS51X_STAT_SS, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + +- if (atomic_read(&us->pusb_intf->pm_usage_cnt) > 0) { ++ if (atomic_read(&us->pusb_intf->dev.power.usage_count) > 0) { + usb_stor_dbg(us, "Ready to enter SS state\n"); + rts51x_set_stat(chip, RTS51X_STAT_SS); + /* ignore mass storage interface's children */ + pm_suspend_ignore_children(&us->pusb_intf->dev, true); + usb_autopm_put_interface_async(us->pusb_intf); +- usb_stor_dbg(us, "RTS51X_STAT_SS 01, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "RTS51X_STAT_SS 01, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + } + break; +@@ -816,11 +814,10 @@ static void rts51x_invoke_transport(struct scsi_cmnd *srb, struct us_data *us) + int ret; + + if (working_scsi(srb)) { +- usb_stor_dbg(us, "working scsi, intf->pm_usage_cnt:%d, power.usage:%d\n", +- atomic_read(&us->pusb_intf->pm_usage_cnt), ++ usb_stor_dbg(us, "working scsi, power.usage:%d\n", + atomic_read(&us->pusb_intf->dev.power.usage_count)); + +- if (atomic_read(&us->pusb_intf->pm_usage_cnt) <= 0) { ++ if (atomic_read(&us->pusb_intf->dev.power.usage_count) <= 0) { + ret = usb_autopm_get_interface(us->pusb_intf); + usb_stor_dbg(us, "working scsi, ret=%d\n", ret); + } +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c +index 6cac8f26b97a..e657b111b320 100644 +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -772,23 +772,33 @@ static int uas_slave_alloc(struct scsi_device *sdev) + { + struct uas_dev_info *devinfo = + (struct uas_dev_info *)sdev->host->hostdata; ++ int maxp; + + sdev->hostdata = devinfo; + +- /* USB has unusual DMA-alignment requirements: Although the +- * starting address of each scatter-gather element doesn't matter, +- * the length of each element except the last must be divisible +- * by the Bulk maxpacket value. There's currently no way to +- * express this by block-layer constraints, so we'll cop out +- * and simply require addresses to be aligned at 512-byte +- * boundaries. This is okay since most block I/O involves +- * hardware sectors that are multiples of 512 bytes in length, +- * and since host controllers up through USB 2.0 have maxpacket +- * values no larger than 512. +- * +- * But it doesn't suffice for Wireless USB, where Bulk maxpacket +- * values can be as large as 2048. To make that work properly +- * will require changes to the block layer. ++ /* ++ * We have two requirements here. We must satisfy the requirements ++ * of the physical HC and the demands of the protocol, as we ++ * definitely want no additional memory allocation in this path ++ * ruling out using bounce buffers. ++ * ++ * For a transmission on USB to continue we must never send ++ * a package that is smaller than maxpacket. Hence the length of each ++ * scatterlist element except the last must be divisible by the ++ * Bulk maxpacket value. ++ * If the HC does not ensure that through SG, ++ * the upper layer must do that. We must assume nothing ++ * about the capabilities off the HC, so we use the most ++ * pessimistic requirement. ++ */ ++ ++ maxp = usb_maxpacket(devinfo->udev, devinfo->data_in_pipe, 0); ++ blk_queue_virt_boundary(sdev->request_queue, maxp - 1); ++ ++ /* ++ * The protocol has no requirements on alignment in the strict sense. ++ * Controllers may or may not have alignment restrictions. ++ * As this is not exported, we use an extremely conservative guess. + */ + blk_queue_update_dma_alignment(sdev->request_queue, (512 - 1)); + +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index 56cacb68040c..808e3a317954 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -380,22 +380,10 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) + } + + if (usb_endpoint_xfer_isoc(epd)) { +- /* validate packet size and number of packets */ +- unsigned int maxp, packets, bytes; +- +-#define USB_EP_MAXP_MULT_SHIFT 11 +-#define USB_EP_MAXP_MULT_MASK (3 << USB_EP_MAXP_MULT_SHIFT) +-#define USB_EP_MAXP_MULT(m) \ +- (((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT) +- +- maxp = usb_endpoint_maxp(epd); +- maxp *= (USB_EP_MAXP_MULT( +- __le16_to_cpu(epd->wMaxPacketSize)) + 1); +- bytes = pdu->u.cmd_submit.transfer_buffer_length; +- packets = DIV_ROUND_UP(bytes, maxp); +- ++ /* validate number of packets */ + if (pdu->u.cmd_submit.number_of_packets < 0 || +- pdu->u.cmd_submit.number_of_packets > packets) { ++ pdu->u.cmd_submit.number_of_packets > ++ USBIP_MAX_ISO_PACKETS) { + dev_err(&sdev->udev->dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h +index 0fc5ace57c0e..af903aa4ad90 100644 +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -134,6 +134,13 @@ extern struct device_attribute dev_attr_usbip_debug; + #define USBIP_DIR_OUT 0x00 + #define USBIP_DIR_IN 0x01 + ++/* ++ * Arbitrary limit for the maximum number of isochronous packets in an URB, ++ * compare for example the uhci_submit_isochronous function in ++ * drivers/usb/host/uhci-q.c ++ */ ++#define USBIP_MAX_ISO_PACKETS 1024 ++ + /** + * struct usbip_header_basic - data pertinent to every request + * @command: the usbip request type +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index b31b84f56e8f..47b229fa5e8e 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -1191,11 +1191,11 @@ static void __init vfio_pci_fill_ids(void) + rc = pci_add_dynid(&vfio_pci_driver, vendor, device, + subvendor, subdevice, class, class_mask, 0); + if (rc) +- pr_warn("failed to add dynamic id [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x (%d)\n", ++ pr_warn("failed to add dynamic id [%04x:%04x[%04x:%04x]] class %#08x/%08x (%d)\n", + vendor, device, subvendor, subdevice, + class, class_mask, rc); + else +- pr_info("add [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x\n", ++ pr_info("add [%04x:%04x[%04x:%04x]] class %#08x/%08x\n", + vendor, device, subvendor, subdevice, + class, class_mask); + } +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 2fa280671c1e..875634d0d020 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -53,10 +53,16 @@ module_param_named(disable_hugepages, + MODULE_PARM_DESC(disable_hugepages, + "Disable VFIO IOMMU support for IOMMU hugepages."); + ++static unsigned int dma_entry_limit __read_mostly = U16_MAX; ++module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644); ++MODULE_PARM_DESC(dma_entry_limit, ++ "Maximum number of user DMA mappings per container (65535)."); ++ + struct vfio_iommu { + struct list_head domain_list; + struct mutex lock; + struct rb_root dma_list; ++ unsigned int dma_avail; + bool v2; + bool nesting; + }; +@@ -382,6 +388,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma) + vfio_unmap_unpin(iommu, dma); + vfio_unlink_dma(iommu, dma); + kfree(dma); ++ iommu->dma_avail++; + } + + static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu) +@@ -582,12 +589,18 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu, + return -EEXIST; + } + ++ if (!iommu->dma_avail) { ++ mutex_unlock(&iommu->lock); ++ return -ENOSPC; ++ } ++ + dma = kzalloc(sizeof(*dma), GFP_KERNEL); + if (!dma) { + mutex_unlock(&iommu->lock); + return -ENOMEM; + } + ++ iommu->dma_avail--; + dma->iova = iova; + dma->vaddr = vaddr; + dma->prot = prot; +@@ -903,6 +916,7 @@ static void *vfio_iommu_type1_open(unsigned long arg) + + INIT_LIST_HEAD(&iommu->domain_list); + iommu->dma_list = RB_ROOT; ++ iommu->dma_avail = dma_entry_limit; + mutex_init(&iommu->lock); + + return iommu; +diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c +index 590a0f51a249..9f96c7e61387 100644 +--- a/drivers/virt/fsl_hypervisor.c ++++ b/drivers/virt/fsl_hypervisor.c +@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + * hypervisor. + */ + lb_offset = param.local_vaddr & (PAGE_SIZE - 1); ++ if (param.count == 0 || ++ param.count > U64_MAX - lb_offset - PAGE_SIZE + 1) ++ return -EINVAL; + num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT; + + /* Allocate the buffers we need */ +@@ -335,8 +338,8 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) + struct fsl_hv_ioctl_prop param; + char __user *upath, *upropname; + void __user *upropval; +- char *path = NULL, *propname = NULL; +- void *propval = NULL; ++ char *path, *propname; ++ void *propval; + int ret = 0; + + /* Get the parameters from the user. */ +@@ -348,32 +351,30 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) + upropval = (void __user *)(uintptr_t)param.propval; + + path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN); +- if (IS_ERR(path)) { +- ret = PTR_ERR(path); +- goto out; +- } ++ if (IS_ERR(path)) ++ return PTR_ERR(path); + + propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN); + if (IS_ERR(propname)) { + ret = PTR_ERR(propname); +- goto out; ++ goto err_free_path; + } + + if (param.proplen > FH_DTPROP_MAX_PROPLEN) { + ret = -EINVAL; +- goto out; ++ goto err_free_propname; + } + + propval = kmalloc(param.proplen, GFP_KERNEL); + if (!propval) { + ret = -ENOMEM; +- goto out; ++ goto err_free_propname; + } + + if (set) { + if (copy_from_user(propval, upropval, param.proplen)) { + ret = -EFAULT; +- goto out; ++ goto err_free_propval; + } + + param.ret = fh_partition_set_dtprop(param.handle, +@@ -392,7 +393,7 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) + if (copy_to_user(upropval, propval, param.proplen) || + put_user(param.proplen, &p->proplen)) { + ret = -EFAULT; +- goto out; ++ goto err_free_propval; + } + } + } +@@ -400,10 +401,12 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) + if (put_user(param.ret, &p->ret)) + ret = -EFAULT; + +-out: +- kfree(path); ++err_free_propval: + kfree(propval); ++err_free_propname: + kfree(propname); ++err_free_path: ++ kfree(path); + + return ret; + } +diff --git a/drivers/w1/masters/ds2490.c b/drivers/w1/masters/ds2490.c +index 59d74d1b47a8..2287e1be0e55 100644 +--- a/drivers/w1/masters/ds2490.c ++++ b/drivers/w1/masters/ds2490.c +@@ -1039,15 +1039,15 @@ static int ds_probe(struct usb_interface *intf, + /* alternative 3, 1ms interrupt (greatly speeds search), 64 byte bulk */ + alt = 3; + err = usb_set_interface(dev->udev, +- intf->altsetting[alt].desc.bInterfaceNumber, alt); ++ intf->cur_altsetting->desc.bInterfaceNumber, alt); + if (err) { + dev_err(&dev->udev->dev, "Failed to set alternative setting %d " + "for %d interface: err=%d.\n", alt, +- intf->altsetting[alt].desc.bInterfaceNumber, err); ++ intf->cur_altsetting->desc.bInterfaceNumber, err); + goto err_out_clear; + } + +- iface_desc = &intf->altsetting[alt]; ++ iface_desc = intf->cur_altsetting; + if (iface_desc->desc.bNumEndpoints != NUM_EP-1) { + pr_info("Num endpoints=%d. It is not DS9490R.\n", + iface_desc->desc.bNumEndpoints); +diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c +index be7d187d53fd..d636e2660e62 100644 +--- a/fs/ceph/dir.c ++++ b/fs/ceph/dir.c +@@ -1288,6 +1288,7 @@ void ceph_dentry_lru_del(struct dentry *dn) + unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn) + { + struct ceph_inode_info *dci = ceph_inode(dir); ++ unsigned hash; + + switch (dci->i_dir_layout.dl_dir_hash) { + case 0: /* for backward compat */ +@@ -1295,8 +1296,11 @@ unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn) + return dn->d_name.hash; + + default: +- return ceph_str_hash(dci->i_dir_layout.dl_dir_hash, ++ spin_lock(&dn->d_lock); ++ hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash, + dn->d_name.name, dn->d_name.len); ++ spin_unlock(&dn->d_lock); ++ return hash; + } + } + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 9f0d99094cc1..a663b676d566 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -474,6 +474,7 @@ static void ceph_i_callback(struct rcu_head *head) + struct inode *inode = container_of(head, struct inode, i_rcu); + struct ceph_inode_info *ci = ceph_inode(inode); + ++ kfree(ci->i_symlink); + kmem_cache_free(ceph_inode_cachep, ci); + } + +@@ -505,7 +506,6 @@ void ceph_destroy_inode(struct inode *inode) + ceph_put_snap_realm(mdsc, realm); + } + +- kfree(ci->i_symlink); + while ((n = rb_first(&ci->i_fragtree)) != NULL) { + frag = rb_entry(n, struct ceph_inode_frag, node); + rb_erase(n, &ci->i_fragtree); +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index 35e6e0b2cf34..a5de8e22629b 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -1198,6 +1198,15 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap, + list_add(&ci->i_prealloc_cap_flush->list, &to_remove); + ci->i_prealloc_cap_flush = NULL; + } ++ ++ if (drop && ++ ci->i_wrbuffer_ref_head == 0 && ++ ci->i_wr_ref == 0 && ++ ci->i_dirty_caps == 0 && ++ ci->i_flushing_caps == 0) { ++ ceph_put_snap_context(ci->i_head_snapc); ++ ci->i_head_snapc = NULL; ++ } + } + spin_unlock(&ci->i_ceph_lock); + while (!list_empty(&to_remove)) { +diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c +index a485d0cdc559..3d876a1cf567 100644 +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -567,7 +567,12 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci) + capsnap = NULL; + + update_snapc: +- if (ci->i_head_snapc) { ++ if (ci->i_wrbuffer_ref_head == 0 && ++ ci->i_wr_ref == 0 && ++ ci->i_dirty_caps == 0 && ++ ci->i_flushing_caps == 0) { ++ ci->i_head_snapc = NULL; ++ } else { + ci->i_head_snapc = ceph_get_snap_context(new_snapc); + dout(" new snapc is %p\n", new_snapc); + } +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index d8bd8dd36211..0f210cb5038a 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -1669,6 +1669,10 @@ cifs_do_rename(const unsigned int xid, struct dentry *from_dentry, + if (rc == 0 || rc != -EBUSY) + goto do_rename_exit; + ++ /* Don't fall back to using SMB on SMB 2+ mount */ ++ if (server->vals->protocol_id != 0) ++ goto do_rename_exit; ++ + /* open-file renames don't work across directories */ + if (to_dentry->d_parent != from_dentry->d_parent) + goto do_rename_exit; +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index 22fe11baef2b..3530e1c3ff56 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -164,19 +164,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root) + return 0; + } + +-static void debugfs_evict_inode(struct inode *inode) ++static void debugfs_i_callback(struct rcu_head *head) + { +- truncate_inode_pages_final(&inode->i_data); +- clear_inode(inode); ++ struct inode *inode = container_of(head, struct inode, i_rcu); + if (S_ISLNK(inode->i_mode)) + kfree(inode->i_link); ++ free_inode_nonrcu(inode); ++} ++ ++static void debugfs_destroy_inode(struct inode *inode) ++{ ++ call_rcu(&inode->i_rcu, debugfs_i_callback); + } + + static const struct super_operations debugfs_super_operations = { + .statfs = simple_statfs, + .remount_fs = debugfs_remount, + .show_options = debugfs_show_options, +- .evict_inode = debugfs_evict_inode, ++ .destroy_inode = debugfs_destroy_inode, + }; + + static struct vfsmount *debugfs_automount(struct path *path) +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index cefae2350da5..27c4e2ac39a9 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -745,11 +745,17 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + umode_t mode, dev_t dev) + { + struct inode *inode; +- struct resv_map *resv_map; ++ struct resv_map *resv_map = NULL; + +- resv_map = resv_map_alloc(); +- if (!resv_map) +- return NULL; ++ /* ++ * Reserve maps are only needed for inodes that can have associated ++ * page allocations. ++ */ ++ if (S_ISREG(mode) || S_ISLNK(mode)) { ++ resv_map = resv_map_alloc(); ++ if (!resv_map) ++ return NULL; ++ } + + inode = new_inode(sb); + if (inode) { +@@ -790,8 +796,10 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb, + break; + } + lockdep_annotate_inode_mutex_key(inode); +- } else +- kref_put(&resv_map->refs, resv_map_release); ++ } else { ++ if (resv_map) ++ kref_put(&resv_map->refs, resv_map_release); ++ } + + return inode; + } +diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c +index bfebbf13698c..5b52ea41b84f 100644 +--- a/fs/jffs2/readinode.c ++++ b/fs/jffs2/readinode.c +@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f) + + jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL); + +- if (f->target) { +- kfree(f->target); +- f->target = NULL; +- } +- + fds = f->dents; + while(fds) { + fd = fds; +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c +index 023e7f32ee1b..9fc297df8c75 100644 +--- a/fs/jffs2/super.c ++++ b/fs/jffs2/super.c +@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb) + static void jffs2_i_callback(struct rcu_head *head) + { + struct inode *inode = container_of(head, struct inode, i_rcu); +- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode)); ++ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode); ++ ++ kfree(f->target); ++ kmem_cache_free(jffs2_inode_cachep, f); + } + + static void jffs2_destroy_inode(struct inode *inode) +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 9b42139a479b..dced329a8584 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2020,7 +2020,8 @@ static int nfs23_validate_mount_data(void *options, + memcpy(sap, &data->addr, sizeof(data->addr)); + args->nfs_server.addrlen = sizeof(data->addr); + args->nfs_server.port = ntohs(data->addr.sin_port); +- if (!nfs_verify_server_address(sap)) ++ if (sap->sa_family != AF_INET || ++ !nfs_verify_server_address(sap)) + goto out_no_address; + + if (!(data->flags & NFS_MOUNT_TCP)) +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 24ace275160c..4fa3f0ba9ab3 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -874,8 +874,9 @@ static void nfsd4_cb_prepare(struct rpc_task *task, void *calldata) + cb->cb_seq_status = 1; + cb->cb_status = 0; + if (minorversion) { +- if (!nfsd41_cb_get_slot(clp, task)) ++ if (!cb->cb_holds_slot && !nfsd41_cb_get_slot(clp, task)) + return; ++ cb->cb_holds_slot = true; + } + rpc_call_start(task); + } +@@ -902,6 +903,9 @@ static bool nfsd4_cb_sequence_done(struct rpc_task *task, struct nfsd4_callback + return true; + } + ++ if (!cb->cb_holds_slot) ++ goto need_restart; ++ + switch (cb->cb_seq_status) { + case 0: + /* +@@ -939,6 +943,7 @@ static bool nfsd4_cb_sequence_done(struct rpc_task *task, struct nfsd4_callback + cb->cb_seq_status); + } + ++ cb->cb_holds_slot = false; + clear_bit(0, &clp->cl_cb_slot_busy); + rpc_wake_up_next(&clp->cl_cb_waitq); + dprintk("%s: freed slot, new seqid=%d\n", __func__, +@@ -1146,6 +1151,7 @@ void nfsd4_init_cb(struct nfsd4_callback *cb, struct nfs4_client *clp, + cb->cb_seq_status = 1; + cb->cb_status = 0; + cb->cb_need_restart = false; ++ cb->cb_holds_slot = false; + } + + void nfsd4_run_cb(struct nfsd4_callback *cb) +diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h +index 86af697c21d3..2c26bedda7be 100644 +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -70,6 +70,7 @@ struct nfsd4_callback { + int cb_seq_status; + int cb_status; + bool cb_need_restart; ++ bool cb_holds_slot; + }; + + struct nfsd4_callback_ops { +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index c7e32a891502..2eea16a81500 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1550,9 +1550,11 @@ static void drop_sysctl_table(struct ctl_table_header *header) + if (--header->nreg) + return; + +- if (parent) ++ if (parent) { + put_links(header); +- start_unregistering(header); ++ start_unregistering(header); ++ } ++ + if (!--header->count) + kfree_rcu(header, rcu); + +diff --git a/include/linux/bitops.h b/include/linux/bitops.h +index defeaac0745f..e76d03f44c80 100644 +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -1,28 +1,9 @@ + #ifndef _LINUX_BITOPS_H + #define _LINUX_BITOPS_H + #include ++#include + +-#ifdef __KERNEL__ +-#define BIT(nr) (1UL << (nr)) +-#define BIT_ULL(nr) (1ULL << (nr)) +-#define BIT_MASK(nr) (1UL << ((nr) % BITS_PER_LONG)) +-#define BIT_WORD(nr) ((nr) / BITS_PER_LONG) +-#define BIT_ULL_MASK(nr) (1ULL << ((nr) % BITS_PER_LONG_LONG)) +-#define BIT_ULL_WORD(nr) ((nr) / BITS_PER_LONG_LONG) +-#define BITS_PER_BYTE 8 + #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(long)) +-#endif +- +-/* +- * Create a contiguous bitmask starting at bit position @l and ending at +- * position @h. For example +- * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000. +- */ +-#define GENMASK(h, l) \ +- (((~0UL) << (l)) & (~0UL >> (BITS_PER_LONG - 1 - (h)))) +- +-#define GENMASK_ULL(h, l) \ +- (((~0ULL) << (l)) & (~0ULL >> (BITS_PER_LONG_LONG - 1 - (h)))) + + extern unsigned int __sw_hweight8(unsigned int w); + extern unsigned int __sw_hweight16(unsigned int w); +diff --git a/include/linux/bits.h b/include/linux/bits.h +new file mode 100644 +index 000000000000..2b7b532c1d51 +--- /dev/null ++++ b/include/linux/bits.h +@@ -0,0 +1,26 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef __LINUX_BITS_H ++#define __LINUX_BITS_H ++#include ++ ++#define BIT(nr) (1UL << (nr)) ++#define BIT_ULL(nr) (1ULL << (nr)) ++#define BIT_MASK(nr) (1UL << ((nr) % BITS_PER_LONG)) ++#define BIT_WORD(nr) ((nr) / BITS_PER_LONG) ++#define BIT_ULL_MASK(nr) (1ULL << ((nr) % BITS_PER_LONG_LONG)) ++#define BIT_ULL_WORD(nr) ((nr) / BITS_PER_LONG_LONG) ++#define BITS_PER_BYTE 8 ++ ++/* ++ * Create a contiguous bitmask starting at bit position @l and ending at ++ * position @h. For example ++ * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000. ++ */ ++#define GENMASK(h, l) \ ++ (((~0UL) - (1UL << (l)) + 1) & (~0UL >> (BITS_PER_LONG - 1 - (h)))) ++ ++#define GENMASK_ULL(h, l) \ ++ (((~0ULL) - (1ULL << (l)) + 1) & \ ++ (~0ULL >> (BITS_PER_LONG_LONG - 1 - (h)))) ++ ++#endif /* __LINUX_BITS_H */ +diff --git a/include/linux/cpu.h b/include/linux/cpu.h +index 063c73ed6d78..664f892d6e73 100644 +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -50,6 +50,8 @@ extern ssize_t cpu_show_spec_store_bypass(struct device *dev, + struct device_attribute *attr, char *buf); + extern ssize_t cpu_show_l1tf(struct device *dev, + struct device_attribute *attr, char *buf); ++extern ssize_t cpu_show_mds(struct device *dev, ++ struct device_attribute *attr, char *buf); + + extern __printf(4, 5) + struct device *cpu_device_create(struct device *parent, void *drvdata, +@@ -294,4 +296,21 @@ bool cpu_wait_death(unsigned int cpu, int seconds); + bool cpu_report_death(void); + #endif /* #ifdef CONFIG_HOTPLUG_CPU */ + ++/* ++ * These are used for a global "mitigations=" cmdline option for toggling ++ * optional CPU mitigations. ++ */ ++enum cpu_mitigations { ++ CPU_MITIGATIONS_OFF, ++ CPU_MITIGATIONS_AUTO, ++}; ++ ++extern enum cpu_mitigations cpu_mitigations; ++ ++/* mitigations=off */ ++static inline bool cpu_mitigations_off(void) ++{ ++ return cpu_mitigations == CPU_MITIGATIONS_OFF; ++} ++ + #endif /* _LINUX_CPU_H_ */ +diff --git a/include/linux/jump_label.h b/include/linux/jump_label.h +index 68904469fba1..2209eb0740b0 100644 +--- a/include/linux/jump_label.h ++++ b/include/linux/jump_label.h +@@ -267,9 +267,15 @@ struct static_key_false { + #define DEFINE_STATIC_KEY_TRUE(name) \ + struct static_key_true name = STATIC_KEY_TRUE_INIT + ++#define DECLARE_STATIC_KEY_TRUE(name) \ ++ extern struct static_key_true name ++ + #define DEFINE_STATIC_KEY_FALSE(name) \ + struct static_key_false name = STATIC_KEY_FALSE_INIT + ++#define DECLARE_STATIC_KEY_FALSE(name) \ ++ extern struct static_key_false name ++ + extern bool ____wrong_branch_error(void); + + #define static_key_enabled(x) \ +diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h +index 81fdf4b8aba4..8b1e2bd46bb7 100644 +--- a/include/linux/ptrace.h ++++ b/include/linux/ptrace.h +@@ -57,14 +57,17 @@ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead); + #define PTRACE_MODE_READ 0x01 + #define PTRACE_MODE_ATTACH 0x02 + #define PTRACE_MODE_NOAUDIT 0x04 +-#define PTRACE_MODE_FSCREDS 0x08 +-#define PTRACE_MODE_REALCREDS 0x10 ++#define PTRACE_MODE_FSCREDS 0x08 ++#define PTRACE_MODE_REALCREDS 0x10 ++#define PTRACE_MODE_SCHED 0x20 ++#define PTRACE_MODE_IBPB 0x40 + + /* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */ + #define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS) + #define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS) + #define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS) + #define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS) ++#define PTRACE_MODE_SPEC_IBPB (PTRACE_MODE_ATTACH_REALCREDS | PTRACE_MODE_IBPB) + + /** + * ptrace_may_access - check whether the caller is permitted to access +@@ -82,6 +85,20 @@ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead); + */ + extern bool ptrace_may_access(struct task_struct *task, unsigned int mode); + ++/** ++ * ptrace_may_access - check whether the caller is permitted to access ++ * a target task. ++ * @task: target task ++ * @mode: selects type of access and caller credentials ++ * ++ * Returns true on success, false on denial. ++ * ++ * Similar to ptrace_may_access(). Only to be called from context switch ++ * code. Does not call into audit and the regular LSM hooks due to locking ++ * constraints. ++ */ ++extern bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode); ++ + static inline int ptrace_reparented(struct task_struct *child) + { + return !same_thread_group(child->real_parent, child->parent); +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 48a59f731406..a0b540f800d9 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -2169,6 +2169,8 @@ static inline void memalloc_noio_restore(unsigned int flags) + #define PFA_SPREAD_SLAB 2 /* Spread some slab caches over cpuset */ + #define PFA_SPEC_SSB_DISABLE 4 /* Speculative Store Bypass disabled */ + #define PFA_SPEC_SSB_FORCE_DISABLE 5 /* Speculative Store Bypass force disabled*/ ++#define PFA_SPEC_IB_DISABLE 6 /* Indirect branch speculation restricted */ ++#define PFA_SPEC_IB_FORCE_DISABLE 7 /* Indirect branch speculation permanently restricted */ + + + #define TASK_PFA_TEST(name, func) \ +@@ -2199,6 +2201,13 @@ TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable) + TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable) + TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable) + ++TASK_PFA_TEST(SPEC_IB_DISABLE, spec_ib_disable) ++TASK_PFA_SET(SPEC_IB_DISABLE, spec_ib_disable) ++TASK_PFA_CLEAR(SPEC_IB_DISABLE, spec_ib_disable) ++ ++TASK_PFA_TEST(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable) ++TASK_PFA_SET(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable) ++ + /* + * task->jobctl flags + */ +diff --git a/include/linux/sched/smt.h b/include/linux/sched/smt.h +new file mode 100644 +index 000000000000..559ac4590593 +--- /dev/null ++++ b/include/linux/sched/smt.h +@@ -0,0 +1,20 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _LINUX_SCHED_SMT_H ++#define _LINUX_SCHED_SMT_H ++ ++#include ++ ++#ifdef CONFIG_SCHED_SMT ++extern atomic_t sched_smt_present; ++ ++static __always_inline bool sched_smt_active(void) ++{ ++ return atomic_read(&sched_smt_present); ++} ++#else ++static inline bool sched_smt_active(void) { return false; } ++#endif ++ ++void arch_smt_update(void); ++ ++#endif +diff --git a/include/linux/usb.h b/include/linux/usb.h +index 5c03ebc6dfa0..02bffcc611c3 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -127,7 +127,6 @@ enum usb_interface_condition { + * @dev: driver model's view of this device + * @usb_dev: if an interface is bound to the USB major, this will point + * to the sysfs representation for that device. +- * @pm_usage_cnt: PM usage counter for this interface + * @reset_ws: Used for scheduling resets from atomic context. + * @resetting_device: USB core reset the device, so use alt setting 0 as + * current; needs bandwidth alloc after reset. +@@ -184,7 +183,6 @@ struct usb_interface { + + struct device dev; /* interface specific device info */ + struct device *usb_dev; +- atomic_t pm_usage_cnt; /* usage counter for autosuspend */ + struct work_struct reset_ws; /* for resets in atomic context */ + }; + #define to_usb_interface(d) container_of(d, struct usb_interface, dev) +diff --git a/include/net/addrconf.h b/include/net/addrconf.h +index 18dd7a3caf2f..af032e5405f6 100644 +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -162,6 +162,7 @@ int ipv6_sock_mc_join(struct sock *sk, int ifindex, + const struct in6_addr *addr); + int ipv6_sock_mc_drop(struct sock *sk, int ifindex, + const struct in6_addr *addr); ++void __ipv6_sock_mc_close(struct sock *sk); + void ipv6_sock_mc_close(struct sock *sk); + bool inet6_mc_check(struct sock *sk, const struct in6_addr *mc_addr, + const struct in6_addr *src_addr); +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 876688b5a356..7c0c83dfe86e 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -174,6 +174,9 @@ struct adv_info { + + #define HCI_MAX_SHORT_NAME_LENGTH 10 + ++/* Min encryption key size to match with SMP */ ++#define HCI_MIN_ENC_KEY_SIZE 7 ++ + /* Default LE RPA expiry time, 15 minutes */ + #define HCI_DEFAULT_RPA_TIMEOUT (15 * 60) + +diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h +index 64776b72e1eb..64ec0d62e5f5 100644 +--- a/include/uapi/linux/prctl.h ++++ b/include/uapi/linux/prctl.h +@@ -202,6 +202,7 @@ struct prctl_mm_map { + #define PR_SET_SPECULATION_CTRL 53 + /* Speculation control variants */ + # define PR_SPEC_STORE_BYPASS 0 ++# define PR_SPEC_INDIRECT_BRANCH 1 + /* Return and control values for PR_SET/GET_SPECULATION_CTRL */ + # define PR_SPEC_NOT_AFFECTED 0 + # define PR_SPEC_PRCTL (1UL << 0) +diff --git a/init/main.c b/init/main.c +index 49926d95442f..e88c8cdef6a7 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -538,6 +538,8 @@ asmlinkage __visible void __init start_kernel(void) + } + #else + pr_notice("Kernel command line: %s\n", boot_command_line); + #endif ++ /* parameters may set static keys */ ++ jump_label_init(); + parse_early_param(); + after_dashes = parse_args("Booting kernel", + static_command_line, __start___param, +@@ -547,8 +549,6 @@ asmlinkage __visible void __init start_kernel(void) + parse_args("Setting init args", after_dashes, NULL, 0, -1, -1, + NULL, set_init_arg); + +- jump_label_init(); +- + /* + * These use large bootmem allocations and must precede + * kmem_cache_init() +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 42ce0b0ae5c5..3225c3a9d028 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -199,6 +200,12 @@ void cpu_hotplug_enable(void) + EXPORT_SYMBOL_GPL(cpu_hotplug_enable); + #endif /* CONFIG_HOTPLUG_CPU */ + ++/* ++ * Architectures that need SMT-specific errata handling during SMT hotplug ++ * should override this. ++ */ ++void __weak arch_smt_update(void) { } ++ + /* Need to know about CPUs going up/down? */ + int register_cpu_notifier(struct notifier_block *nb) + { +@@ -434,6 +441,7 @@ out_release: + cpu_hotplug_done(); + if (!err) + cpu_notify_nofail(CPU_POST_DEAD | mod, hcpu); ++ arch_smt_update(); + return err; + } + +@@ -537,8 +545,8 @@ out_notify: + __cpu_notify(CPU_UP_CANCELED | mod, hcpu, nr_calls, NULL); + out: + cpu_hotplug_done(); + trace_sched_cpu_hotplug(cpu, ret, 1); +- ++ arch_smt_update(); + return ret; + } + +@@ -834,5 +842,18 @@ void init_cpu_online(const struct cpumask *src) + { + cpumask_copy(to_cpumask(cpu_online_bits), src); + } ++ ++enum cpu_mitigations cpu_mitigations = CPU_MITIGATIONS_AUTO; ++ ++static int __init mitigations_parse_cmdline(char *arg) ++{ ++ if (!strcmp(arg, "off")) ++ cpu_mitigations = CPU_MITIGATIONS_OFF; ++ else if (!strcmp(arg, "auto")) ++ cpu_mitigations = CPU_MITIGATIONS_AUTO; ++ ++ return 0; ++} ++early_param("mitigations", mitigations_parse_cmdline); + + static ATOMIC_NOTIFIER_HEAD(idle_notifier); +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index 83cea913983c..92c7eb1aeded 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -319,8 +319,10 @@ irq_set_affinity_notifier(unsigned int irq, struct irq_affinity_notify *notify) + desc->affinity_notify = notify; + raw_spin_unlock_irqrestore(&desc->lock, flags); + +- if (old_notify) ++ if (old_notify) { ++ cancel_work_sync(&old_notify->work); + kref_put(&old_notify->kref, old_notify->release); ++ } + + return 0; + } +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index 5e2cd1030702..8303874c2a06 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -228,6 +228,9 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) + + static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) + { ++ if (mode & PTRACE_MODE_SCHED) ++ return false; ++ + if (mode & PTRACE_MODE_NOAUDIT) + return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); + else +@@ -295,9 +298,16 @@ ok: + !ptrace_has_cap(mm->user_ns, mode))) + return -EPERM; + ++ if (mode & PTRACE_MODE_SCHED) ++ return 0; + return security_ptrace_access_check(task, mode); + } + ++bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode) ++{ ++ return __ptrace_may_access(task, mode | PTRACE_MODE_SCHED); ++} ++ + bool ptrace_may_access(struct task_struct *task, unsigned int mode) + { + int err; +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index d0618951014b..d35a7d528ea6 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5610,6 +5610,10 @@ static void set_cpu_rq_start_time(void) + rq->age_stamp = sched_clock_cpu(cpu); + } + ++#ifdef CONFIG_SCHED_SMT ++atomic_t sched_smt_present = ATOMIC_INIT(0); ++#endif ++ + static int sched_cpu_active(struct notifier_block *nfb, + unsigned long action, void *hcpu) + { +@@ -5626,11 +5630,23 @@ static int sched_cpu_active(struct notifier_block *nfb, + * set_cpu_online(). But it might not yet have marked itself + * as active, which is essential from here on. + */ ++#ifdef CONFIG_SCHED_SMT ++ /* ++ * When going up, increment the number of cores with SMT present. ++ */ ++ if (cpumask_weight(cpu_smt_mask(cpu)) == 2) ++ atomic_inc(&sched_smt_present); ++#endif + set_cpu_active(cpu, true); + stop_machine_unpark(cpu); + return NOTIFY_OK; + + case CPU_DOWN_FAILED: ++#ifdef CONFIG_SCHED_SMT ++ /* Same as for CPU_ONLINE */ ++ if (cpumask_weight(cpu_smt_mask(cpu)) == 2) ++ atomic_inc(&sched_smt_present); ++#endif + set_cpu_active(cpu, true); + return NOTIFY_OK; + +@@ -5645,7 +5661,15 @@ static int sched_cpu_inactive(struct notifier_block *nfb, + switch (action & ~CPU_TASKS_FROZEN) { + case CPU_DOWN_PREPARE: + set_cpu_active((long)hcpu, false); ++#ifdef CONFIG_SCHED_SMT ++ /* ++ * When going down, decrement the number of cores with SMT present. ++ */ ++ if (cpumask_weight(cpu_smt_mask((long)hcpu)) == 2) ++ atomic_dec(&sched_smt_present); ++#endif + return NOTIFY_OK; ++ + default: + return NOTIFY_DONE; + } +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index d706cf4fda99..75bfa23f97b4 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -1722,6 +1722,10 @@ static u64 numa_get_avg_runtime(struct task_struct *p, u64 *period) + if (p->last_task_numa_placement) { + delta = runtime - p->last_sum_exec_runtime; + *period = now - p->last_task_numa_placement; ++ ++ /* Avoid time going backwards, prevent potential divide error: */ ++ if (unlikely((s64)*period < 0)) ++ *period = 0; + } else { + delta = p->se.avg.load_sum / p->se.load.weight; + *period = LOAD_AVG_MAX; +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 6893ee31df4d..8b96df04ba78 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include + #include + #include +diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c +index 1adecb4b87c8..7e4d715f9c22 100644 +--- a/kernel/time/timer_stats.c ++++ b/kernel/time/timer_stats.c +@@ -417,7 +417,7 @@ static int __init init_tstats_procfs(void) + { + struct proc_dir_entry *pe; + +- pe = proc_create("timer_stats", 0644, NULL, &tstats_fops); ++ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops); + if (!pe) + return -ENOMEM; + return 0; +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 5e091614fe39..1cf2402c6922 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -701,7 +701,7 @@ u64 ring_buffer_time_stamp(struct ring_buffer *buffer, int cpu) + + preempt_disable_notrace(); + time = rb_time_stamp(buffer); +- preempt_enable_no_resched_notrace(); ++ preempt_enable_notrace(); + + return time; + } +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index ac9791dd4768..5139c4ebb96b 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -363,10 +363,12 @@ static int vlan_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + ifrr.ifr_ifru = ifr->ifr_ifru; + + switch (cmd) { ++ case SIOCSHWTSTAMP: ++ if (!net_eq(dev_net(dev), &init_net)) ++ break; + case SIOCGMIIPHY: + case SIOCGMIIREG: + case SIOCSMIIREG: +- case SIOCSHWTSTAMP: + case SIOCGHWTSTAMP: + if (netif_device_present(real_dev) && ops->ndo_do_ioctl) + err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd); +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 80be0ee17ff3..83d4d574fa44 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -1177,6 +1177,14 @@ int hci_conn_check_link_mode(struct hci_conn *conn) + !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) + return 0; + ++ /* The minimum encryption key size needs to be enforced by the ++ * host stack before establishing any L2CAP connections. The ++ * specification in theory allows a minimum of 1, but to align ++ * BR/EDR and LE transports, a minimum of 7 is chosen. ++ */ ++ if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE) ++ return 0; ++ + return 1; + } + +diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c +index 008ba439bd62..cc80c76177b6 100644 +--- a/net/bluetooth/hidp/sock.c ++++ b/net/bluetooth/hidp/sock.c +@@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long + sockfd_put(csock); + return err; + } ++ ca.name[sizeof(ca.name)-1] = 0; + + err = hidp_connection_add(&ca, csock, isock); + if (!err && copy_to_user(argp, &ca, sizeof(ca))) +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index 50e84e634dfe..c7a281549d91 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -471,13 +471,15 @@ int br_add_if(struct net_bridge *br, struct net_device *dev) + call_netdevice_notifiers(NETDEV_JOIN, dev); + + err = dev_set_allmulti(dev, 1); +- if (err) +- goto put_back; ++ if (err) { ++ kfree(p); /* kobject not yet init'd, manually free */ ++ goto err1; ++ } + + err = kobject_init_and_add(&p->kobj, &brport_ktype, &(dev->dev.kobj), + SYSFS_BRIDGE_PORT_ATTR); + if (err) +- goto err1; ++ goto err2; + + err = br_sysfs_addif(p); + if (err) +@@ -551,12 +553,9 @@ err3: + sysfs_remove_link(br->ifobj, p->dev->name); + err2: + kobject_put(&p->kobj); +- p = NULL; /* kobject_put frees */ +-err1: + dev_set_allmulti(dev, -1); +-put_back: ++err1: + dev_put(dev); +- kfree(p); + return err; + } + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 93b5525bcccf..2ae0451fd634 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -507,6 +507,7 @@ static unsigned int br_nf_pre_routing(void *priv, + nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr; + + skb->protocol = htons(ETH_P_IP); ++ skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; + + NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb, + skb->dev, NULL, +diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c +index 69dfd212e50d..f94c83f5cc37 100644 +--- a/net/bridge/br_netfilter_ipv6.c ++++ b/net/bridge/br_netfilter_ipv6.c +@@ -237,6 +237,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv, + nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr; + + skb->protocol = htons(ETH_P_IPV6); ++ skb->transport_header = skb->network_header + sizeof(struct ipv6hdr); ++ + NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb, + skb->dev, NULL, + br_nf_pre_routing_finish_ipv6); +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index f13402d407e4..1a87cf78fadc 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2046,7 +2046,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, + if (match_kern) + match_kern->match_size = ret; + +- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) ++ /* rule should have no remaining data after target */ ++ if (type == EBT_COMPAT_TARGET && size_left) + return -EINVAL; + + match32 = (struct compat_ebt_entry_mwt *) buf; +diff --git a/net/core/filter.c b/net/core/filter.c +index 1a9ded6af138..3c5f51198c41 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -742,6 +742,17 @@ static bool chk_code_allowed(u16 code_to_probe) + return codes[code_to_probe]; + } + ++static bool bpf_check_basics_ok(const struct sock_filter *filter, ++ unsigned int flen) ++{ ++ if (filter == NULL) ++ return false; ++ if (flen == 0 || flen > BPF_MAXINSNS) ++ return false; ++ ++ return true; ++} ++ + /** + * bpf_check_classic - verify socket filter code + * @filter: filter to verify +@@ -762,9 +773,6 @@ static int bpf_check_classic(const struct sock_filter *filter, + bool anc_found; + int pc; + +- if (flen == 0 || flen > BPF_MAXINSNS) +- return -EINVAL; +- + /* Check the filter code now */ + for (pc = 0; pc < flen; pc++) { + const struct sock_filter *ftest = &filter[pc]; +@@ -1057,7 +1065,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) + struct bpf_prog *fp; + + /* Make sure new filter is there and in the right amounts. */ +- if (fprog->filter == NULL) ++ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) + return -EINVAL; + + fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); +@@ -1104,7 +1112,7 @@ int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, + int err; + + /* Make sure new filter is there and in the right amounts. */ +- if (fprog->filter == NULL) ++ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) + return -EINVAL; + + fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); +@@ -1184,7 +1192,6 @@ int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk, + bool locked) + { + unsigned int fsize = bpf_classic_proglen(fprog); +- unsigned int bpf_fsize = bpf_prog_size(fprog->len); + struct bpf_prog *prog; + int err; + +@@ -1192,10 +1199,10 @@ int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk, + return -EPERM; + + /* Make sure new filter is there and in the right amounts. */ +- if (fprog->filter == NULL) ++ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) + return -EINVAL; + +- prog = bpf_prog_alloc(bpf_fsize, 0); ++ prog = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); + if (!prog) + return -ENOMEM; + +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index c11bb6d2d00a..6d5a0a7ebe10 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -475,6 +475,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from) + to->pkt_type = from->pkt_type; + to->priority = from->priority; + to->protocol = from->protocol; ++ to->skb_iif = from->skb_iif; + skb_dst_drop(to); + skb_dst_copy(to, from); + to->dev = from->dev; +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 4d3d4291c82f..e742323d69e1 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -167,6 +167,7 @@ static int icmp_filter(const struct sock *sk, const struct sk_buff *skb) + */ + static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) + { ++ int dif = inet_iif(skb); + struct sock *sk; + struct hlist_head *head; + int delivered = 0; +@@ -179,8 +180,7 @@ static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash) + + net = dev_net(skb->dev); + sk = __raw_v4_lookup(net, __sk_head(head), iph->protocol, +- iph->saddr, iph->daddr, +- skb->dev->ifindex); ++ iph->saddr, iph->daddr, dif); + + while (sk) { + delivered = 1; +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 1d580d290054..a58effba760a 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1162,25 +1162,39 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie) + return dst; + } + +-static void ipv4_link_failure(struct sk_buff *skb) ++static void ipv4_send_dest_unreach(struct sk_buff *skb) + { + struct ip_options opt; +- struct rtable *rt; + int res; + + /* Recompile ip options since IPCB may not be valid anymore. ++ * Also check we have a reasonable ipv4 header. + */ +- memset(&opt, 0, sizeof(opt)); +- opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) || ++ ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5) ++ return; + +- rcu_read_lock(); +- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); +- rcu_read_unlock(); ++ memset(&opt, 0, sizeof(opt)); ++ if (ip_hdr(skb)->ihl > 5) { ++ if (!pskb_network_may_pull(skb, ip_hdr(skb)->ihl * 4)) ++ return; ++ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr); + +- if (res) +- return; ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); + ++ if (res) ++ return; ++ } + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); ++} ++ ++static void ipv4_link_failure(struct sk_buff *skb) ++{ ++ struct rtable *rt; ++ ++ ipv4_send_dest_unreach(skb); + + rt = skb_rtable(skb); + if (rt) +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index da90c74d12ef..167ca0fddf9e 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -42,6 +42,7 @@ static int tcp_syn_retries_min = 1; + static int tcp_syn_retries_max = MAX_TCP_SYNCNT; + static int ip_ping_group_range_min[] = { 0, 0 }; + static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; ++static int one_day_secs = 24 * 3600; + + /* Update system visible IP port range */ + static void set_local_port_range(struct net *net, int range[2]) +@@ -597,7 +598,9 @@ static struct ctl_table ipv4_table[] = { + .data = &sysctl_tcp_min_rtt_wlen, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &one_day_secs + }, + { + .procname = "tcp_low_latency", +diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c +index f3a0a9c0f61e..c6061f7343f1 100644 +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -94,15 +94,21 @@ static struct ip6_flowlabel *fl_lookup(struct net *net, __be32 label) + return fl; + } + ++static void fl_free_rcu(struct rcu_head *head) ++{ ++ struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu); ++ ++ if (fl->share == IPV6_FL_S_PROCESS) ++ put_pid(fl->owner.pid); ++ kfree(fl->opt); ++ kfree(fl); ++} ++ + + static void fl_free(struct ip6_flowlabel *fl) + { +- if (fl) { +- if (fl->share == IPV6_FL_S_PROCESS) +- put_pid(fl->owner.pid); +- kfree(fl->opt); +- kfree_rcu(fl, rcu); +- } ++ if (fl) ++ call_rcu(&fl->rcu, fl_free_rcu); + } + + static void fl_release(struct ip6_flowlabel *fl) +@@ -633,9 +639,9 @@ recheck: + if (fl1->share == IPV6_FL_S_EXCL || + fl1->share != fl->share || + ((fl1->share == IPV6_FL_S_PROCESS) && +- (fl1->owner.pid == fl->owner.pid)) || ++ (fl1->owner.pid != fl->owner.pid)) || + ((fl1->share == IPV6_FL_S_USER) && +- uid_eq(fl1->owner.uid, fl->owner.uid))) ++ !uid_eq(fl1->owner.uid, fl->owner.uid))) + goto release; + + err = -ENOMEM; +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 8d11a034ca3f..71263754b19b 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -121,6 +121,7 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk, + static bool setsockopt_needs_rtnl(int optname) + { + switch (optname) { ++ case IPV6_ADDRFORM: + case IPV6_ADD_MEMBERSHIP: + case IPV6_DROP_MEMBERSHIP: + case IPV6_JOIN_ANYCAST: +@@ -199,7 +200,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + } + + fl6_free_socklist(sk); +- ipv6_sock_mc_close(sk); ++ __ipv6_sock_mc_close(sk); + + /* + * Sock is moving from IPv6 to IPv4 (sk_prot), so +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index a5ec9a0cbb80..976c8133a281 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -276,16 +276,14 @@ static struct inet6_dev *ip6_mc_find_dev_rcu(struct net *net, + return idev; + } + +-void ipv6_sock_mc_close(struct sock *sk) ++void __ipv6_sock_mc_close(struct sock *sk) + { + struct ipv6_pinfo *np = inet6_sk(sk); + struct ipv6_mc_socklist *mc_lst; + struct net *net = sock_net(sk); + +- if (!rcu_access_pointer(np->ipv6_mc_list)) +- return; ++ ASSERT_RTNL(); + +- rtnl_lock(); + while ((mc_lst = rtnl_dereference(np->ipv6_mc_list)) != NULL) { + struct net_device *dev; + +@@ -303,8 +301,17 @@ void ipv6_sock_mc_close(struct sock *sk) + + atomic_sub(sizeof(*mc_lst), &sk->sk_omem_alloc); + kfree_rcu(mc_lst, rcu); +- + } ++} ++ ++void ipv6_sock_mc_close(struct sock *sk) ++{ ++ struct ipv6_pinfo *np = inet6_sk(sk); ++ ++ if (!rcu_access_pointer(np->ipv6_mc_list)) ++ return; ++ rtnl_lock(); ++ __ipv6_sock_mc_close(sk); + rtnl_unlock(); + } + +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 77736190dc15..5039486c4f86 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1076,7 +1076,7 @@ static void ipip6_tunnel_bind_dev(struct net_device *dev) + if (!tdev && tunnel->parms.link) + tdev = __dev_get_by_index(tunnel->net, tunnel->parms.link); + +- if (tdev) { ++ if (tdev && !netif_is_l3_master(tdev)) { + int t_hlen = tunnel->hlen + sizeof(struct iphdr); + + dev->hard_header_len = tdev->hard_header_len + sizeof(struct iphdr); +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index ac212542a217..c4509a10ce52 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1484,7 +1484,7 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, + if (!cp) { + int v; + +- if (!sysctl_schedule_icmp(ipvs)) ++ if (ipip || !sysctl_schedule_icmp(ipvs)) + return NF_ACCEPT; + + if (!ip_vs_try_to_schedule(ipvs, AF_INET, skb, pd, &v, &cp, &ciph)) +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index b6e72af15237..cdafbd38a456 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1699,7 +1699,7 @@ static int __init xt_init(void) + seqcount_init(&per_cpu(xt_recseq, i)); + } + +- xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL); ++ xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL); + if (!xt) + return -ENOMEM; + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 7d93228ba1e1..c78bcc13ebab 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2490,8 +2490,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + void *ph; + DECLARE_SOCKADDR(struct sockaddr_ll *, saddr, msg->msg_name); + bool need_wait = !(msg->msg_flags & MSG_DONTWAIT); ++ unsigned char *addr = NULL; + int tp_len, size_max; +- unsigned char *addr; + int len_sum = 0; + int status = TP_STATUS_AVAILABLE; + int hlen, tlen; +@@ -2511,10 +2511,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); +- if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out_put; ++ if (po->sk.sk_socket->type == SOCK_DGRAM) { ++ if (dev && msg->msg_namelen < dev->addr_len + ++ offsetof(struct sockaddr_ll, sll_addr)) ++ goto out_put; ++ addr = saddr->sll_addr; ++ } + } + + err = -ENXIO; +@@ -2652,7 +2655,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + struct sk_buff *skb; + struct net_device *dev; + __be16 proto; +- unsigned char *addr; ++ unsigned char *addr = NULL; + int err, reserve = 0; + struct sockcm_cookie sockc; + struct virtio_net_hdr vnet_hdr = { 0 }; +@@ -2672,7 +2675,6 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (likely(saddr == NULL)) { + dev = packet_cached_dev_get(po); + proto = po->num; +- addr = NULL; + } else { + err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_ll)) +@@ -2680,10 +2682,13 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); +- if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out_unlock; ++ if (sock->type == SOCK_DGRAM) { ++ if (dev && msg->msg_namelen < dev->addr_len + ++ offsetof(struct sockaddr_ll, sll_addr)) ++ goto out_unlock; ++ addr = saddr->sll_addr; ++ } + } + + err = -ENXIO; +@@ -4518,14 +4523,29 @@ static void __exit packet_exit(void) + + static int __init packet_init(void) + { +- int rc = proto_register(&packet_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&packet_proto, 0); ++ if (rc) + goto out; ++ rc = sock_register(&packet_family_ops); ++ if (rc) ++ goto out_proto; ++ rc = register_pernet_subsys(&packet_net_ops); ++ if (rc) ++ goto out_sock; ++ rc = register_netdevice_notifier(&packet_netdev_notifier); ++ if (rc) ++ goto out_pernet; + +- sock_register(&packet_family_ops); +- register_pernet_subsys(&packet_net_ops); +- register_netdevice_notifier(&packet_netdev_notifier); ++ return 0; ++ ++out_pernet: ++ unregister_pernet_subsys(&packet_net_ops); ++out_sock: ++ sock_unregister(PF_PACKET); ++out_proto: ++ proto_unregister(&packet_proto); + out: + return rc; + } +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index af17b00145e1..a8ab98b53a3a 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -54,6 +54,7 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail) + h->last_refresh = now; + } + ++static inline int cache_is_valid(struct cache_head *h); + static void cache_fresh_locked(struct cache_head *head, time_t expiry, + struct cache_detail *detail); + static void cache_fresh_unlocked(struct cache_head *head, +@@ -100,6 +101,8 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + if (cache_is_expired(detail, tmp)) { + hlist_del_init(&tmp->cache_list); + detail->entries --; ++ if (cache_is_valid(tmp) == -EAGAIN) ++ set_bit(CACHE_NEGATIVE, &tmp->flags); + cache_fresh_locked(tmp, 0, detail); + freeme = tmp; + break; +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index e9653c42cdd1..8400211537a2 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -262,8 +262,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, + if (msg->rep_type) + tipc_tlv_init(msg->rep, msg->rep_type); + +- if (cmd->header) +- (*cmd->header)(msg); ++ if (cmd->header) { ++ err = (*cmd->header)(msg); ++ if (err) { ++ kfree_skb(msg->rep); ++ msg->rep = NULL; ++ return err; ++ } ++ } + + arg = nlmsg_new(0, GFP_KERNEL); + if (!arg) { +@@ -382,7 +388,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, + if (!bearer) + return -EMSGSIZE; + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_bearer_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_BEARER_NAME); + if (!string_is_valid(b->name, len)) + return -EINVAL; + +@@ -727,7 +738,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd, + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_link_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_LINK_NAME); + if (!string_is_valid(lc->name, len)) + return -EINVAL; + +diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c +index d58de1dc5360..510049a7bd1d 100644 +--- a/scripts/kconfig/lxdialog/inputbox.c ++++ b/scripts/kconfig/lxdialog/inputbox.c +@@ -126,7 +126,8 @@ do_resize: + case KEY_DOWN: + break; + case KEY_BACKSPACE: +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + if (pos) { + wattrset(dialog, dlg.inputbox.atr); + if (input_x == 0) { +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index d42d534a66cd..f7049e288e93 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -1046,7 +1046,7 @@ static int do_match(int key, struct match_state *state, int *ans) + state->match_direction = FIND_NEXT_MATCH_UP; + *ans = get_mext_match(state->pattern, + state->match_direction); +- } else if (key == KEY_BACKSPACE || key == 127) { ++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) { + state->pattern[strlen(state->pattern)-1] = '\0'; + adj_match_dir(&state->match_direction); + } else +diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c +index 4b2f44c20caf..9a65035cf787 100644 +--- a/scripts/kconfig/nconf.gui.c ++++ b/scripts/kconfig/nconf.gui.c +@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window, + case KEY_F(F_EXIT): + case KEY_F(F_BACK): + break; +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + case KEY_BACKSPACE: + if (cursor_position > 0) { + memmove(&result[cursor_position-1], +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 99212ff6a568..ab2759d88bc6 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -396,22 +396,44 @@ static int may_context_mount_inode_relabel(u32 sid, + return rc; + } + +-static int selinux_is_sblabel_mnt(struct super_block *sb) ++static int selinux_is_genfs_special_handling(struct super_block *sb) + { +- struct superblock_security_struct *sbsec = sb->s_security; +- +- return sbsec->behavior == SECURITY_FS_USE_XATTR || +- sbsec->behavior == SECURITY_FS_USE_TRANS || +- sbsec->behavior == SECURITY_FS_USE_TASK || +- sbsec->behavior == SECURITY_FS_USE_NATIVE || +- /* Special handling. Genfs but also in-core setxattr handler */ +- !strcmp(sb->s_type->name, "sysfs") || ++ /* Special handling. Genfs but also in-core setxattr handler */ ++ return !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "pstore") || + !strcmp(sb->s_type->name, "debugfs") || + !strcmp(sb->s_type->name, "tracefs") || + !strcmp(sb->s_type->name, "rootfs"); + } + ++static int selinux_is_sblabel_mnt(struct super_block *sb) ++{ ++ struct superblock_security_struct *sbsec = sb->s_security; ++ ++ /* ++ * IMPORTANT: Double-check logic in this function when adding a new ++ * SECURITY_FS_USE_* definition! ++ */ ++ BUILD_BUG_ON(SECURITY_FS_USE_MAX != 7); ++ ++ switch (sbsec->behavior) { ++ case SECURITY_FS_USE_XATTR: ++ case SECURITY_FS_USE_TRANS: ++ case SECURITY_FS_USE_TASK: ++ case SECURITY_FS_USE_NATIVE: ++ return 1; ++ ++ case SECURITY_FS_USE_GENFS: ++ return selinux_is_genfs_special_handling(sb); ++ ++ /* Never allow relabeling on context mounts */ ++ case SECURITY_FS_USE_MNTPOINT: ++ case SECURITY_FS_USE_NONE: ++ default: ++ return 0; ++ } ++} ++ + static int sb_finish_set_opts(struct super_block *sb) + { + struct superblock_security_struct *sbsec = sb->s_security; +diff --git a/sound/soc/codecs/cs4270.c b/sound/soc/codecs/cs4270.c +index 3670086b9227..f273533c6653 100644 +--- a/sound/soc/codecs/cs4270.c ++++ b/sound/soc/codecs/cs4270.c +@@ -641,6 +641,7 @@ static const struct regmap_config cs4270_regmap = { + .reg_defaults = cs4270_reg_defaults, + .num_reg_defaults = ARRAY_SIZE(cs4270_reg_defaults), + .cache_type = REGCACHE_RBTREE, ++ .write_flag_mask = CS4270_I2C_INCR, + + .readable_reg = cs4270_reg_is_readable, + .volatile_reg = cs4270_reg_is_volatile, +diff --git a/sound/soc/codecs/tlv320aic32x4.c b/sound/soc/codecs/tlv320aic32x4.c +index f2d3191961e1..714bd0e3fc71 100644 +--- a/sound/soc/codecs/tlv320aic32x4.c ++++ b/sound/soc/codecs/tlv320aic32x4.c +@@ -234,6 +234,8 @@ static const struct snd_soc_dapm_widget aic32x4_dapm_widgets[] = { + SND_SOC_DAPM_INPUT("IN2_R"), + SND_SOC_DAPM_INPUT("IN3_L"), + SND_SOC_DAPM_INPUT("IN3_R"), ++ SND_SOC_DAPM_INPUT("CM_L"), ++ SND_SOC_DAPM_INPUT("CM_R"), + }; + + static const struct snd_soc_dapm_route aic32x4_dapm_routes[] = { +diff --git a/sound/soc/intel/common/sst-dsp.c b/sound/soc/intel/common/sst-dsp.c +index c9452e02e0dd..c0a50ecb6dbd 100644 +--- a/sound/soc/intel/common/sst-dsp.c ++++ b/sound/soc/intel/common/sst-dsp.c +@@ -463,11 +463,15 @@ struct sst_dsp *sst_dsp_new(struct device *dev, + goto irq_err; + + err = sst_dma_new(sst); +- if (err) +- dev_warn(dev, "sst_dma_new failed %d\n", err); ++ if (err) { ++ dev_err(dev, "sst_dma_new failed %d\n", err); ++ goto dma_err; ++ } + + return sst; + ++dma_err: ++ free_irq(sst->irq, sst); + irq_err: + if (sst->ops->free) + sst->ops->free(sst); +diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c +index f99eb8f44282..1c0d44c86c01 100644 +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -882,10 +882,13 @@ static int soc_pcm_hw_params(struct snd_pcm_substream *substream, + codec_params = *params; + + /* fixup params based on TDM slot masks */ +- if (codec_dai->tx_mask) ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK && ++ codec_dai->tx_mask) + soc_pcm_codec_params_fixup(&codec_params, + codec_dai->tx_mask); +- if (codec_dai->rx_mask) ++ ++ if (substream->stream == SNDRV_PCM_STREAM_CAPTURE && ++ codec_dai->rx_mask) + soc_pcm_codec_params_fixup(&codec_params, + codec_dai->rx_mask); + +diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c +index be78078a10ba..954dc4423cb0 100644 +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -307,12 +307,16 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + { + struct usb_device *usbdev = line6->usbdev; + int ret; +- unsigned char len; ++ unsigned char *len; + unsigned count; + + if (address > 0xffff || datalen > 0xff) + return -EINVAL; + ++ len = kmalloc(sizeof(*len), GFP_KERNEL); ++ if (!len) ++ return -ENOMEM; ++ + /* query the serial number: */ + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, +@@ -321,7 +325,7 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + + if (ret < 0) { + dev_err(line6->ifcdev, "read request failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + + /* Wait for data length. We'll get 0xff until length arrives. */ +@@ -331,28 +335,29 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, +- 0x0012, 0x0000, &len, 1, ++ 0x0012, 0x0000, len, 1, + LINE6_TIMEOUT * HZ); + if (ret < 0) { + dev_err(line6->ifcdev, + "receive length failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + +- if (len != 0xff) ++ if (*len != 0xff) + break; + } + +- if (len == 0xff) { ++ ret = -EIO; ++ if (*len == 0xff) { + dev_err(line6->ifcdev, "read failed after %d retries\n", + count); +- return -EIO; +- } else if (len != datalen) { ++ goto exit; ++ } else if (*len != datalen) { + /* should be equal or something went wrong */ + dev_err(line6->ifcdev, + "length mismatch (expected %d, got %d)\n", +- (int)datalen, (int)len); +- return -EIO; ++ (int)datalen, (int)*len); ++ goto exit; + } + + /* receive the result: */ +@@ -361,12 +366,12 @@ int line6_read_data(struct usb_line6 *line6, unsigned address, void *data, + 0x0013, 0x0000, data, datalen, + LINE6_TIMEOUT * HZ); + +- if (ret < 0) { ++ if (ret < 0) + dev_err(line6->ifcdev, "read failed (error %d)\n", ret); +- return ret; +- } + +- return 0; ++exit: ++ kfree(len); ++ return ret; + } + EXPORT_SYMBOL_GPL(line6_read_data); + +@@ -378,12 +383,16 @@ int line6_write_data(struct usb_line6 *line6, unsigned address, void *data, + { + struct usb_device *usbdev = line6->usbdev; + int ret; +- unsigned char status; ++ unsigned char *status; + int count; + + if (address > 0xffff || datalen > 0xffff) + return -EINVAL; + ++ status = kmalloc(sizeof(*status), GFP_KERNEL); ++ if (!status) ++ return -ENOMEM; ++ + ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT, + 0x0022, address, data, datalen, +@@ -392,7 +401,7 @@ int line6_write_data(struct usb_line6 *line6, unsigned address, void *data, + if (ret < 0) { + dev_err(line6->ifcdev, + "write request failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + + for (count = 0; count < LINE6_READ_WRITE_MAX_RETRIES; count++) { +@@ -403,28 +412,29 @@ int line6_write_data(struct usb_line6 *line6, unsigned address, void *data, + USB_TYPE_VENDOR | USB_RECIP_DEVICE | + USB_DIR_IN, + 0x0012, 0x0000, +- &status, 1, LINE6_TIMEOUT * HZ); ++ status, 1, LINE6_TIMEOUT * HZ); + + if (ret < 0) { + dev_err(line6->ifcdev, + "receiving status failed (error %d)\n", ret); +- return ret; ++ goto exit; + } + +- if (status != 0xff) ++ if (*status != 0xff) + break; + } + +- if (status == 0xff) { ++ if (*status == 0xff) { + dev_err(line6->ifcdev, "write failed after %d retries\n", + count); +- return -EIO; +- } else if (status != 0) { ++ ret = -EIO; ++ } else if (*status != 0) { + dev_err(line6->ifcdev, "write failed (error %d)\n", ret); +- return -EIO; ++ ret = -EIO; + } +- +- return 0; ++exit: ++ kfree(status); ++ return ret; + } + EXPORT_SYMBOL_GPL(line6_write_data); + +diff --git a/sound/usb/line6/toneport.c b/sound/usb/line6/toneport.c +index 6d4c50c9b17d..5512b3d532e7 100644 +--- a/sound/usb/line6/toneport.c ++++ b/sound/usb/line6/toneport.c +@@ -365,15 +365,20 @@ static bool toneport_has_source_select(struct usb_line6_toneport *toneport) + /* + Setup Toneport device. + */ +-static void toneport_setup(struct usb_line6_toneport *toneport) ++static int toneport_setup(struct usb_line6_toneport *toneport) + { +- int ticks; ++ int *ticks; + struct usb_line6 *line6 = &toneport->line6; + struct usb_device *usbdev = line6->usbdev; + ++ ticks = kmalloc(sizeof(*ticks), GFP_KERNEL); ++ if (!ticks) ++ return -ENOMEM; ++ + /* sync time on device with host: */ +- ticks = (int)get_seconds(); +- line6_write_data(line6, 0x80c6, &ticks, 4); ++ *ticks = (int)get_seconds(); ++ line6_write_data(line6, 0x80c6, ticks, 4); ++ kfree(ticks); + + /* enable device: */ + toneport_send_cmd(usbdev, 0x0301, 0x0000); +@@ -388,6 +393,7 @@ static void toneport_setup(struct usb_line6_toneport *toneport) + toneport_update_led(toneport); + + mod_timer(&toneport->timer, jiffies + TONEPORT_PCM_DELAY * HZ); ++ return 0; + } + + /* +@@ -451,7 +457,9 @@ static int toneport_init(struct usb_line6 *line6, + return err; + } + +- toneport_setup(toneport); ++ err = toneport_setup(toneport); ++ if (err) ++ return err; + + /* register audio system: */ + return snd_card_register(line6->card); +@@ -463,7 +471,11 @@ static int toneport_init(struct usb_line6 *line6, + */ + static int toneport_reset_resume(struct usb_interface *interface) + { +- toneport_setup(usb_get_intfdata(interface)); ++ int err; ++ ++ err = toneport_setup(usb_get_intfdata(interface)); ++ if (err) ++ return err; + return line6_resume(interface); + } + #endif +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 743746a3c50d..df3c73e9dea4 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2201,7 +2201,7 @@ eval_type_str(unsigned long long val, const char *type, int pointer) + return val & 0xffffffff; + + if (strcmp(type, "u64") == 0 || +- strcmp(type, "s64")) ++ strcmp(type, "s64") == 0) + return val; + + if (strcmp(type, "s8") == 0) +diff --git a/tools/power/x86/turbostat/Makefile b/tools/power/x86/turbostat/Makefile +index e367b1a85d70..3c04e2a85599 100644 +--- a/tools/power/x86/turbostat/Makefile ++++ b/tools/power/x86/turbostat/Makefile +@@ -8,7 +8,7 @@ ifeq ("$(origin O)", "command line") + endif + + turbostat : turbostat.c +-CFLAGS += -Wall ++CFLAGS += -Wall -I../../../include + CFLAGS += -DMSRHEADER='"../../../../arch/x86/include/asm/msr-index.h"' + + %: %.c +diff --git a/tools/testing/selftests/net/run_netsocktests b/tools/testing/selftests/net/run_netsocktests +index 16058bbea7a8..c195b4478662 100755 +--- a/tools/testing/selftests/net/run_netsocktests ++++ b/tools/testing/selftests/net/run_netsocktests +@@ -6,7 +6,7 @@ echo "--------------------" + ./socket + if [ $? -ne 0 ]; then + echo "[FAIL]" ++ exit 1 + else + echo "[PASS]" + fi +- diff --git a/patch/kernel/rockchip-default/04-patch-4.4.180-181.patch b/patch/kernel/rockchip-default/04-patch-4.4.180-181.patch new file mode 100644 index 0000000000..2d29576fab --- /dev/null +++ b/patch/kernel/rockchip-default/04-patch-4.4.180-181.patch @@ -0,0 +1,8285 @@ +diff --git a/Documentation/x86/mds.rst b/Documentation/x86/mds.rst +index 534e9baa4e1d..5d4330be200f 100644 +--- a/Documentation/x86/mds.rst ++++ b/Documentation/x86/mds.rst +@@ -142,45 +142,13 @@ Mitigation points + mds_user_clear. + + The mitigation is invoked in prepare_exit_to_usermode() which covers +- most of the kernel to user space transitions. There are a few exceptions +- which are not invoking prepare_exit_to_usermode() on return to user +- space. These exceptions use the paranoid exit code. ++ all but one of the kernel to user space transitions. The exception ++ is when we return from a Non Maskable Interrupt (NMI), which is ++ handled directly in do_nmi(). + +- - Non Maskable Interrupt (NMI): +- +- Access to sensible data like keys, credentials in the NMI context is +- mostly theoretical: The CPU can do prefetching or execute a +- misspeculated code path and thereby fetching data which might end up +- leaking through a buffer. +- +- But for mounting other attacks the kernel stack address of the task is +- already valuable information. So in full mitigation mode, the NMI is +- mitigated on the return from do_nmi() to provide almost complete +- coverage. +- +- - Double fault (#DF): +- +- A double fault is usually fatal, but the ESPFIX workaround, which can +- be triggered from user space through modify_ldt(2) is a recoverable +- double fault. #DF uses the paranoid exit path, so explicit mitigation +- in the double fault handler is required. +- +- - Machine Check Exception (#MC): +- +- Another corner case is a #MC which hits between the CPU buffer clear +- invocation and the actual return to user. As this still is in kernel +- space it takes the paranoid exit path which does not clear the CPU +- buffers. So the #MC handler repopulates the buffers to some +- extent. Machine checks are not reliably controllable and the window is +- extremly small so mitigation would just tick a checkbox that this +- theoretical corner case is covered. To keep the amount of special +- cases small, ignore #MC. +- +- - Debug Exception (#DB): +- +- This takes the paranoid exit path only when the INT1 breakpoint is in +- kernel space. #DB on a user space address takes the regular exit path, +- so no extra mitigation required. ++ (The reason that NMI is special is that prepare_exit_to_usermode() can ++ enable IRQs. In NMI context, NMIs are blocked, and we don't want to ++ enable IRQs with NMIs blocked.) + + + 2. C-State transition +diff --git a/Makefile b/Makefile +index 6023a9dbad59..b33f3ecf84fc 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 180 ++SUBLEVEL = 181 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/crypto/aesbs-glue.c b/arch/arm/crypto/aesbs-glue.c +index 648d5fac9cbf..3271c836e1a1 100644 +--- a/arch/arm/crypto/aesbs-glue.c ++++ b/arch/arm/crypto/aesbs-glue.c +@@ -259,6 +259,8 @@ static int aesbs_xts_encrypt(struct blkcipher_desc *desc, + + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE); ++ if (err) ++ return err; + + /* generate the initial tweak */ + AES_encrypt(walk.iv, walk.iv, &ctx->twkey); +@@ -283,6 +285,8 @@ static int aesbs_xts_decrypt(struct blkcipher_desc *desc, + + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE); ++ if (err) ++ return err; + + /* generate the initial tweak */ + AES_encrypt(walk.iv, walk.iv, &ctx->twkey); +diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c +index d7bef2144760..e96ddc599c30 100644 +--- a/arch/arm/kvm/arm.c ++++ b/arch/arm/kvm/arm.c +@@ -744,7 +744,7 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level, + static int kvm_vcpu_set_target(struct kvm_vcpu *vcpu, + const struct kvm_vcpu_init *init) + { +- unsigned int i; ++ unsigned int i, ret; + int phys_target = kvm_target_cpu(); + + if (init->target != phys_target) +@@ -779,9 +779,14 @@ static int kvm_vcpu_set_target(struct kvm_vcpu *vcpu, + vcpu->arch.target = phys_target; + + /* Now we know what it is, we can reset it. */ +- return kvm_reset_vcpu(vcpu); +-} ++ ret = kvm_reset_vcpu(vcpu); ++ if (ret) { ++ vcpu->arch.target = -1; ++ bitmap_zero(vcpu->arch.features, KVM_VCPU_MAX_FEATURES); ++ } + ++ return ret; ++} + + static int kvm_arch_vcpu_ioctl_vcpu_init(struct kvm_vcpu *vcpu, + struct kvm_vcpu_init *init) +diff --git a/arch/arm/mach-exynos/firmware.c b/arch/arm/mach-exynos/firmware.c +index 111cfbf66fdb..7bfe2bd17400 100644 +--- a/arch/arm/mach-exynos/firmware.c ++++ b/arch/arm/mach-exynos/firmware.c +@@ -207,6 +207,7 @@ void __init exynos_firmware_init(void) + return; + + addr = of_get_address(nd, 0, NULL, NULL); ++ of_node_put(nd); + if (!addr) { + pr_err("%s: No address specified.\n", __func__); + return; +diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c +index e8adb428dddb..a003833ac112 100644 +--- a/arch/arm/mach-exynos/suspend.c ++++ b/arch/arm/mach-exynos/suspend.c +@@ -725,8 +725,10 @@ void __init exynos_pm_init(void) + + if (WARN_ON(!of_find_property(np, "interrupt-controller", NULL))) { + pr_warn("Outdated DT detected, suspend/resume will NOT work\n"); ++ of_node_put(np); + return; + } ++ of_node_put(np); + + pm_data = (const struct exynos_pm_data *) match->data; + +diff --git a/arch/arm64/kernel/cpu_ops.c b/arch/arm64/kernel/cpu_ops.c +index b6bd7d447768..fbd6aead48e1 100644 +--- a/arch/arm64/kernel/cpu_ops.c ++++ b/arch/arm64/kernel/cpu_ops.c +@@ -73,6 +73,7 @@ static const char *__init cpu_read_enable_method(int cpu) + pr_err("%s: missing enable-method property\n", + dn->full_name); + } ++ of_node_put(dn); + } else { + enable_method = acpi_get_enable_method(cpu); + if (!enable_method) +diff --git a/arch/mips/pistachio/Platform b/arch/mips/pistachio/Platform +index d80cd612df1f..c3592b374ad2 100644 +--- a/arch/mips/pistachio/Platform ++++ b/arch/mips/pistachio/Platform +@@ -6,3 +6,4 @@ cflags-$(CONFIG_MACH_PISTACHIO) += \ + -I$(srctree)/arch/mips/include/asm/mach-pistachio + load-$(CONFIG_MACH_PISTACHIO) += 0xffffffff80400000 + zload-$(CONFIG_MACH_PISTACHIO) += 0xffffffff81000000 ++all-$(CONFIG_MACH_PISTACHIO) := uImage.gz +diff --git a/arch/powerpc/boot/addnote.c b/arch/powerpc/boot/addnote.c +index 9d9f6f334d3c..3da3e2b1b51b 100644 +--- a/arch/powerpc/boot/addnote.c ++++ b/arch/powerpc/boot/addnote.c +@@ -223,7 +223,11 @@ main(int ac, char **av) + PUT_16(E_PHNUM, np + 2); + + /* write back */ +- lseek(fd, (long) 0, SEEK_SET); ++ i = lseek(fd, (long) 0, SEEK_SET); ++ if (i < 0) { ++ perror("lseek"); ++ exit(1); ++ } + i = write(fd, buf, n); + if (i < 0) { + perror("write"); +diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c +index bb3df222ae71..215bff2b8470 100644 +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -1611,6 +1611,9 @@ int start_topology_update(void) + { + int rc = 0; + ++ if (!topology_updates_enabled) ++ return 0; ++ + if (firmware_has_feature(FW_FEATURE_PRRN)) { + if (!prrn_enabled) { + prrn_enabled = 1; +@@ -1640,6 +1643,9 @@ int stop_topology_update(void) + { + int rc = 0; + ++ if (!topology_updates_enabled) ++ return 0; ++ + if (prrn_enabled) { + prrn_enabled = 0; + #ifdef CONFIG_SMP +@@ -1685,11 +1691,13 @@ static ssize_t topology_write(struct file *file, const char __user *buf, + + kbuf[read_len] = '\0'; + +- if (!strncmp(kbuf, "on", 2)) ++ if (!strncmp(kbuf, "on", 2)) { ++ topology_updates_enabled = true; + start_topology_update(); +- else if (!strncmp(kbuf, "off", 3)) ++ } else if (!strncmp(kbuf, "off", 3)) { + stop_topology_update(); +- else ++ topology_updates_enabled = false; ++ } else + return -EINVAL; + + return count; +@@ -1704,9 +1712,7 @@ static const struct file_operations topology_ops = { + + static int topology_update_init(void) + { +- /* Do not poll for changes if disabled at boot */ +- if (topology_updates_enabled) +- start_topology_update(); ++ start_topology_update(); + + if (!proc_create("powerpc/topology_updates", 0644, NULL, &topology_ops)) + return -ENOMEM; +diff --git a/arch/sparc/mm/ultra.S b/arch/sparc/mm/ultra.S +index fcf4d27a38fb..e09f7b440b8c 100644 +--- a/arch/sparc/mm/ultra.S ++++ b/arch/sparc/mm/ultra.S +@@ -586,7 +586,7 @@ xcall_flush_tlb_kernel_range: /* 44 insns */ + sub %g7, %g1, %g3 + srlx %g3, 18, %g2 + brnz,pn %g2, 2f +- add %g2, 1, %g2 ++ sethi %hi(PAGE_SIZE), %g2 + sub %g3, %g2, %g3 + or %g1, 0x20, %g1 ! Nucleus + 1: stxa %g0, [%g1 + %g3] ASI_DMMU_DEMAP +@@ -750,7 +750,7 @@ __cheetah_xcall_flush_tlb_kernel_range: /* 44 insns */ + sub %g7, %g1, %g3 + srlx %g3, 18, %g2 + brnz,pn %g2, 2f +- add %g2, 1, %g2 ++ sethi %hi(PAGE_SIZE), %g2 + sub %g3, %g2, %g3 + or %g1, 0x20, %g1 ! Nucleus + 1: stxa %g0, [%g1 + %g3] ASI_DMMU_DEMAP +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index e26560cd1844..00e0226634fa 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -47,7 +47,7 @@ export REALMODE_CFLAGS + export BITS + + ifdef CONFIG_X86_NEED_RELOCS +- LDFLAGS_vmlinux := --emit-relocs ++ LDFLAGS_vmlinux := --emit-relocs --discard-none + endif + + # +diff --git a/arch/x86/crypto/crct10dif-pclmul_glue.c b/arch/x86/crypto/crct10dif-pclmul_glue.c +index cd4df9322501..7bbfe7d35da7 100644 +--- a/arch/x86/crypto/crct10dif-pclmul_glue.c ++++ b/arch/x86/crypto/crct10dif-pclmul_glue.c +@@ -76,15 +76,14 @@ static int chksum_final(struct shash_desc *desc, u8 *out) + return 0; + } + +-static int __chksum_finup(__u16 *crcp, const u8 *data, unsigned int len, +- u8 *out) ++static int __chksum_finup(__u16 crc, const u8 *data, unsigned int len, u8 *out) + { + if (irq_fpu_usable()) { + kernel_fpu_begin(); +- *(__u16 *)out = crc_t10dif_pcl(*crcp, data, len); ++ *(__u16 *)out = crc_t10dif_pcl(crc, data, len); + kernel_fpu_end(); + } else +- *(__u16 *)out = crc_t10dif_generic(*crcp, data, len); ++ *(__u16 *)out = crc_t10dif_generic(crc, data, len); + return 0; + } + +@@ -93,15 +92,13 @@ static int chksum_finup(struct shash_desc *desc, const u8 *data, + { + struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); + +- return __chksum_finup(&ctx->crc, data, len, out); ++ return __chksum_finup(ctx->crc, data, len, out); + } + + static int chksum_digest(struct shash_desc *desc, const u8 *data, + unsigned int length, u8 *out) + { +- struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); +- +- return __chksum_finup(&ctx->crc, data, length, out); ++ return __chksum_finup(0, data, length, out); + } + + static struct shash_alg alg = { +diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c +index 0552884da18d..a7b9acd709db 100644 +--- a/arch/x86/ia32/ia32_signal.c ++++ b/arch/x86/ia32/ia32_signal.c +@@ -60,9 +60,8 @@ + } while (0) + + #define RELOAD_SEG(seg) { \ +- unsigned int pre = GET_SEG(seg); \ ++ unsigned int pre = (seg) | 3; \ + unsigned int cur = get_user_seg(seg); \ +- pre |= 3; \ + if (pre != cur) \ + set_user_seg(seg, pre); \ + } +@@ -71,6 +70,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, + struct sigcontext_32 __user *sc) + { + unsigned int tmpflags, err = 0; ++ u16 gs, fs, es, ds; + void __user *buf; + u32 tmp; + +@@ -78,16 +78,10 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, + current->restart_block.fn = do_no_restart_syscall; + + get_user_try { +- /* +- * Reload fs and gs if they have changed in the signal +- * handler. This does not handle long fs/gs base changes in +- * the handler, but does not clobber them at least in the +- * normal case. +- */ +- RELOAD_SEG(gs); +- RELOAD_SEG(fs); +- RELOAD_SEG(ds); +- RELOAD_SEG(es); ++ gs = GET_SEG(gs); ++ fs = GET_SEG(fs); ++ ds = GET_SEG(ds); ++ es = GET_SEG(es); + + COPY(di); COPY(si); COPY(bp); COPY(sp); COPY(bx); + COPY(dx); COPY(cx); COPY(ip); COPY(ax); +@@ -105,6 +99,17 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, + buf = compat_ptr(tmp); + } get_user_catch(err); + ++ /* ++ * Reload fs and gs if they have changed in the signal ++ * handler. This does not handle long fs/gs base changes in ++ * the handler, but does not clobber them at least in the ++ * normal case. ++ */ ++ RELOAD_SEG(gs); ++ RELOAD_SEG(fs); ++ RELOAD_SEG(ds); ++ RELOAD_SEG(es); ++ + err |= fpu__restore_sig(buf, 1); + + force_iret(); +diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c +index 206d0b90a3ab..e39d7197f9fb 100644 +--- a/arch/x86/kernel/irq_64.c ++++ b/arch/x86/kernel/irq_64.c +@@ -25,9 +25,18 @@ int sysctl_panic_on_stackoverflow; + /* + * Probabilistic stack overflow check: + * +- * Only check the stack in process context, because everything else +- * runs on the big interrupt stacks. Checking reliably is too expensive, +- * so we just check from interrupts. ++ * Regular device interrupts can enter on the following stacks: ++ * ++ * - User stack ++ * ++ * - Kernel task stack ++ * ++ * - Interrupt stack if a device driver reenables interrupts ++ * which should only happen in really old drivers. ++ * ++ * - Debug IST stack ++ * ++ * All other contexts are invalid. + */ + static inline void stack_overflow_check(struct pt_regs *regs) + { +@@ -53,8 +62,8 @@ static inline void stack_overflow_check(struct pt_regs *regs) + return; + + oist = this_cpu_ptr(&orig_ist); +- estack_top = (u64)oist->ist[0] - EXCEPTION_STKSZ + STACK_TOP_MARGIN; +- estack_bottom = (u64)oist->ist[N_EXCEPTION_STACKS - 1]; ++ estack_bottom = (u64)oist->ist[DEBUG_STACK]; ++ estack_top = estack_bottom - DEBUG_STKSZ + STACK_TOP_MARGIN; + if (regs->sp >= estack_top && regs->sp <= estack_bottom) + return; + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index d830a0d60ba4..516d8b1562c8 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -990,11 +990,8 @@ static u32 emulated_msrs[] = { + + static unsigned num_emulated_msrs; + +-bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) ++static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) + { +- if (efer & efer_reserved_bits) +- return false; +- + if (efer & EFER_FFXSR) { + struct kvm_cpuid_entry2 *feat; + +@@ -1012,19 +1009,33 @@ bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) + } + + return true; ++ ++} ++bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) ++{ ++ if (efer & efer_reserved_bits) ++ return false; ++ ++ return __kvm_valid_efer(vcpu, efer); + } + EXPORT_SYMBOL_GPL(kvm_valid_efer); + +-static int set_efer(struct kvm_vcpu *vcpu, u64 efer) ++static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + { + u64 old_efer = vcpu->arch.efer; ++ u64 efer = msr_info->data; + +- if (!kvm_valid_efer(vcpu, efer)) ++ if (efer & efer_reserved_bits) + return 1; + +- if (is_paging(vcpu) +- && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME)) +- return 1; ++ if (!msr_info->host_initiated) { ++ if (!__kvm_valid_efer(vcpu, efer)) ++ return 1; ++ ++ if (is_paging(vcpu) && ++ (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME)) ++ return 1; ++ } + + efer &= ~EFER_LMA; + efer |= vcpu->arch.efer & EFER_LMA; +@@ -2055,7 +2066,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) + break; + + case MSR_EFER: +- return set_efer(vcpu, data); ++ return set_efer(vcpu, msr_info); + case MSR_K7_HWCR: + data &= ~(u64)0x40; /* ignore flush filter disable */ + data &= ~(u64)0x100; /* ignore ignne emulation enable */ +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index c4dffae5d939..462c5c30b9a2 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -373,8 +373,6 @@ static noinline int vmalloc_fault(unsigned long address) + if (!(address >= VMALLOC_START && address < VMALLOC_END)) + return -1; + +- WARN_ON_ONCE(in_nmi()); +- + /* + * Copy kernel mappings over when needed. This can also + * happen within a race in page table update. In the later +diff --git a/crypto/chacha20poly1305.c b/crypto/chacha20poly1305.c +index 0214600ba071..6c4724222e3a 100644 +--- a/crypto/chacha20poly1305.c ++++ b/crypto/chacha20poly1305.c +@@ -637,8 +637,8 @@ static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb, + + err = -ENAMETOOLONG; + if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, +- "%s(%s,%s)", name, chacha_name, +- poly_name) >= CRYPTO_MAX_ALG_NAME) ++ "%s(%s,%s)", name, chacha->cra_name, ++ poly->cra_name) >= CRYPTO_MAX_ALG_NAME) + goto out_drop_chacha; + if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, + "%s(%s,%s)", name, chacha->cra_driver_name, +diff --git a/crypto/crct10dif_generic.c b/crypto/crct10dif_generic.c +index c1229614c7e3..eed577714975 100644 +--- a/crypto/crct10dif_generic.c ++++ b/crypto/crct10dif_generic.c +@@ -65,10 +65,9 @@ static int chksum_final(struct shash_desc *desc, u8 *out) + return 0; + } + +-static int __chksum_finup(__u16 *crcp, const u8 *data, unsigned int len, +- u8 *out) ++static int __chksum_finup(__u16 crc, const u8 *data, unsigned int len, u8 *out) + { +- *(__u16 *)out = crc_t10dif_generic(*crcp, data, len); ++ *(__u16 *)out = crc_t10dif_generic(crc, data, len); + return 0; + } + +@@ -77,15 +76,13 @@ static int chksum_finup(struct shash_desc *desc, const u8 *data, + { + struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); + +- return __chksum_finup(&ctx->crc, data, len, out); ++ return __chksum_finup(ctx->crc, data, len, out); + } + + static int chksum_digest(struct shash_desc *desc, const u8 *data, + unsigned int length, u8 *out) + { +- struct chksum_desc_ctx *ctx = shash_desc_ctx(desc); +- +- return __chksum_finup(&ctx->crc, data, length, out); ++ return __chksum_finup(0, data, length, out); + } + + static struct shash_alg alg = { +diff --git a/crypto/gcm.c b/crypto/gcm.c +index 0a12c09d7cb2..9d3bffc0238f 100644 +--- a/crypto/gcm.c ++++ b/crypto/gcm.c +@@ -616,7 +616,6 @@ static void crypto_gcm_free(struct aead_instance *inst) + + static int crypto_gcm_create_common(struct crypto_template *tmpl, + struct rtattr **tb, +- const char *full_name, + const char *ctr_name, + const char *ghash_name) + { +@@ -657,7 +656,8 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl, + goto err_free_inst; + + err = -EINVAL; +- if (ghash->digestsize != 16) ++ if (strcmp(ghash->base.cra_name, "ghash") != 0 || ++ ghash->digestsize != 16) + goto err_drop_ghash; + + crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst)); +@@ -669,24 +669,24 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl, + + ctr = crypto_skcipher_spawn_alg(&ctx->ctr); + +- /* We only support 16-byte blocks. */ +- if (ctr->cra_ablkcipher.ivsize != 16) +- goto out_put_ctr; +- +- /* Not a stream cipher? */ ++ /* The skcipher algorithm must be CTR mode, using 16-byte blocks. */ + err = -EINVAL; +- if (ctr->cra_blocksize != 1) ++ if (strncmp(ctr->cra_name, "ctr(", 4) != 0 || ++ ctr->cra_ablkcipher.ivsize != 16 || ++ ctr->cra_blocksize != 1) + goto out_put_ctr; + + err = -ENAMETOOLONG; ++ if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME, ++ "gcm(%s", ctr->cra_name + 4) >= CRYPTO_MAX_ALG_NAME) ++ goto out_put_ctr; ++ + if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME, + "gcm_base(%s,%s)", ctr->cra_driver_name, + ghash_alg->cra_driver_name) >= + CRYPTO_MAX_ALG_NAME) + goto out_put_ctr; + +- memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME); +- + inst->alg.base.cra_flags = (ghash->base.cra_flags | ctr->cra_flags) & + CRYPTO_ALG_ASYNC; + inst->alg.base.cra_priority = (ghash->base.cra_priority + +@@ -727,7 +727,6 @@ static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb) + { + const char *cipher_name; + char ctr_name[CRYPTO_MAX_ALG_NAME]; +- char full_name[CRYPTO_MAX_ALG_NAME]; + + cipher_name = crypto_attr_alg_name(tb[1]); + if (IS_ERR(cipher_name)) +@@ -737,12 +736,7 @@ static int crypto_gcm_create(struct crypto_template *tmpl, struct rtattr **tb) + CRYPTO_MAX_ALG_NAME) + return -ENAMETOOLONG; + +- if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >= +- CRYPTO_MAX_ALG_NAME) +- return -ENAMETOOLONG; +- +- return crypto_gcm_create_common(tmpl, tb, full_name, +- ctr_name, "ghash"); ++ return crypto_gcm_create_common(tmpl, tb, ctr_name, "ghash"); + } + + static struct crypto_template crypto_gcm_tmpl = { +@@ -756,7 +750,6 @@ static int crypto_gcm_base_create(struct crypto_template *tmpl, + { + const char *ctr_name; + const char *ghash_name; +- char full_name[CRYPTO_MAX_ALG_NAME]; + + ctr_name = crypto_attr_alg_name(tb[1]); + if (IS_ERR(ctr_name)) +@@ -766,12 +759,7 @@ static int crypto_gcm_base_create(struct crypto_template *tmpl, + if (IS_ERR(ghash_name)) + return PTR_ERR(ghash_name); + +- if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)", +- ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME) +- return -ENAMETOOLONG; +- +- return crypto_gcm_create_common(tmpl, tb, full_name, +- ctr_name, ghash_name); ++ return crypto_gcm_create_common(tmpl, tb, ctr_name, ghash_name); + } + + static struct crypto_template crypto_gcm_base_tmpl = { +diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c +index d7da0eea5622..319d9962552e 100644 +--- a/crypto/salsa20_generic.c ++++ b/crypto/salsa20_generic.c +@@ -186,7 +186,7 @@ static int encrypt(struct blkcipher_desc *desc, + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, 64); + +- salsa20_ivsetup(ctx, walk.iv); ++ salsa20_ivsetup(ctx, desc->info); + + while (walk.nbytes >= 64) { + salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 05409141ec07..8efdb823826c 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1378,6 +1378,10 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async) + if (dev->power.syscore) + goto Complete; + ++ /* Avoid direct_complete to let wakeup_path propagate. */ ++ if (device_may_wakeup(dev) || dev->power.wakeup_path) ++ dev->power.direct_complete = false; ++ + if (dev->power.direct_complete) { + if (pm_runtime_status_suspended(dev)) { + pm_runtime_disable(dev); +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c +index b2da2382d544..67d23ed2d1a0 100644 +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -695,12 +695,16 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result, + /* End of read */ + len = ssif_info->multi_len; + data = ssif_info->data; +- } else if (blocknum != ssif_info->multi_pos) { ++ } else if (blocknum + 1 != ssif_info->multi_pos) { + /* + * Out of sequence block, just abort. Block + * numbers start at zero for the second block, + * but multi_pos starts at one, so the +1. + */ ++ if (ssif_info->ssif_debug & SSIF_DEBUG_MSG) ++ dev_dbg(&ssif_info->client->dev, ++ "Received message out of sequence, expected %u, got %u\n", ++ ssif_info->multi_pos - 1, blocknum); + result = -EIO; + } else { + ssif_inc_stat(ssif_info, received_message_parts); +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index 2aca689061e1..df9eab91c2d2 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -76,7 +76,7 @@ struct ports_driver_data { + /* All the console devices handled by this driver */ + struct list_head consoles; + }; +-static struct ports_driver_data pdrvdata; ++static struct ports_driver_data pdrvdata = { .next_vtermno = 1}; + + static DEFINE_SPINLOCK(pdrvdata_lock); + static DECLARE_COMPLETION(early_console_added); +@@ -1419,6 +1419,7 @@ static int add_port(struct ports_device *portdev, u32 id) + port->async_queue = NULL; + + port->cons.ws.ws_row = port->cons.ws.ws_col = 0; ++ port->cons.vtermno = 0; + + port->host_connected = port->guest_connected = false; + port->stats = (struct port_stats) { 0 }; +diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c +index d6d4ecb88e94..311f6e62264f 100644 +--- a/drivers/clk/tegra/clk-pll.c ++++ b/drivers/clk/tegra/clk-pll.c +@@ -492,8 +492,8 @@ static void _update_pll_mnp(struct tegra_clk_pll *pll, + pll_override_writel(val, params->pmc_divp_reg, pll); + + val = pll_override_readl(params->pmc_divnm_reg, pll); +- val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) | +- ~(divn_mask(pll) << div_nmp->override_divn_shift); ++ val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) | ++ (divn_mask(pll) << div_nmp->override_divn_shift)); + val |= (cfg->m << div_nmp->override_divm_shift) | + (cfg->n << div_nmp->override_divn_shift); + pll_override_writel(val, params->pmc_divnm_reg, pll); +diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c +index 35dd4d7ffee0..58c933f48300 100644 +--- a/drivers/cpufreq/pasemi-cpufreq.c ++++ b/drivers/cpufreq/pasemi-cpufreq.c +@@ -146,6 +146,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + + cpu = of_get_cpu_node(policy->cpu, NULL); + ++ of_node_put(cpu); + if (!cpu) + goto out; + +diff --git a/drivers/cpufreq/pmac32-cpufreq.c b/drivers/cpufreq/pmac32-cpufreq.c +index 1f49d97a70ea..14928e0dc326 100644 +--- a/drivers/cpufreq/pmac32-cpufreq.c ++++ b/drivers/cpufreq/pmac32-cpufreq.c +@@ -549,6 +549,7 @@ static int pmac_cpufreq_init_7447A(struct device_node *cpunode) + volt_gpio_np = of_find_node_by_name(NULL, "cpu-vcore-select"); + if (volt_gpio_np) + voltage_gpio = read_gpio(volt_gpio_np); ++ of_node_put(volt_gpio_np); + if (!voltage_gpio){ + printk(KERN_ERR "cpufreq: missing cpu-vcore-select gpio\n"); + return 1; +@@ -585,6 +586,7 @@ static int pmac_cpufreq_init_750FX(struct device_node *cpunode) + if (volt_gpio_np) + voltage_gpio = read_gpio(volt_gpio_np); + ++ of_node_put(volt_gpio_np); + pvr = mfspr(SPRN_PVR); + has_cpu_l2lve = !((pvr & 0xf00) == 0x100); + +diff --git a/drivers/cpufreq/ppc_cbe_cpufreq.c b/drivers/cpufreq/ppc_cbe_cpufreq.c +index 5a4c5a639f61..2eaeebcc93af 100644 +--- a/drivers/cpufreq/ppc_cbe_cpufreq.c ++++ b/drivers/cpufreq/ppc_cbe_cpufreq.c +@@ -86,6 +86,7 @@ static int cbe_cpufreq_cpu_init(struct cpufreq_policy *policy) + if (!cbe_get_cpu_pmd_regs(policy->cpu) || + !cbe_get_cpu_mic_tm_regs(policy->cpu)) { + pr_info("invalid CBE regs pointers for cpufreq\n"); ++ of_node_put(cpu); + return -EINVAL; + } + +diff --git a/drivers/crypto/vmx/aesp8-ppc.pl b/drivers/crypto/vmx/aesp8-ppc.pl +index 228053921b3f..4277fdd037bb 100644 +--- a/drivers/crypto/vmx/aesp8-ppc.pl ++++ b/drivers/crypto/vmx/aesp8-ppc.pl +@@ -1298,7 +1298,7 @@ Loop_ctr32_enc: + addi $idx,$idx,16 + bdnz Loop_ctr32_enc + +- vadduwm $ivec,$ivec,$one ++ vadduqm $ivec,$ivec,$one + vmr $dat,$inptail + lvx $inptail,0,$inp + addi $inp,$inp,16 +@@ -1795,7 +1795,7 @@ Lctr32_enc8x_three: + stvx_u $out1,$x10,$out + stvx_u $out2,$x20,$out + addi $out,$out,0x30 +- b Lcbc_dec8x_done ++ b Lctr32_enc8x_done + + .align 5 + Lctr32_enc8x_two: +@@ -1807,7 +1807,7 @@ Lctr32_enc8x_two: + stvx_u $out0,$x00,$out + stvx_u $out1,$x10,$out + addi $out,$out,0x20 +- b Lcbc_dec8x_done ++ b Lctr32_enc8x_done + + .align 5 + Lctr32_enc8x_one: +diff --git a/drivers/crypto/vmx/ghash.c b/drivers/crypto/vmx/ghash.c +index 84b9389bf1ed..d6b68cf7bba7 100644 +--- a/drivers/crypto/vmx/ghash.c ++++ b/drivers/crypto/vmx/ghash.c +@@ -1,22 +1,14 @@ ++// SPDX-License-Identifier: GPL-2.0 + /** + * GHASH routines supporting VMX instructions on the Power 8 + * +- * Copyright (C) 2015 International Business Machines Inc. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; version 2 only. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this program; if not, write to the Free Software +- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ * Copyright (C) 2015, 2019 International Business Machines Inc. + * + * Author: Marcelo Henrique Cerri ++ * ++ * Extended by Daniel Axtens to replace the fallback ++ * mechanism. The new approach is based on arm64 code, which is: ++ * Copyright (C) 2014 - 2018 Linaro Ltd. + */ + + #include +@@ -39,71 +31,25 @@ void gcm_ghash_p8(u64 Xi[2], const u128 htable[16], + const u8 *in, size_t len); + + struct p8_ghash_ctx { ++ /* key used by vector asm */ + u128 htable[16]; +- struct crypto_shash *fallback; ++ /* key used by software fallback */ ++ be128 key; + }; + + struct p8_ghash_desc_ctx { + u64 shash[2]; + u8 buffer[GHASH_DIGEST_SIZE]; + int bytes; +- struct shash_desc fallback_desc; + }; + +-static int p8_ghash_init_tfm(struct crypto_tfm *tfm) +-{ +- const char *alg = "ghash-generic"; +- struct crypto_shash *fallback; +- struct crypto_shash *shash_tfm = __crypto_shash_cast(tfm); +- struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm); +- +- fallback = crypto_alloc_shash(alg, 0, CRYPTO_ALG_NEED_FALLBACK); +- if (IS_ERR(fallback)) { +- printk(KERN_ERR +- "Failed to allocate transformation for '%s': %ld\n", +- alg, PTR_ERR(fallback)); +- return PTR_ERR(fallback); +- } +- +- crypto_shash_set_flags(fallback, +- crypto_shash_get_flags((struct crypto_shash +- *) tfm)); +- +- /* Check if the descsize defined in the algorithm is still enough. */ +- if (shash_tfm->descsize < sizeof(struct p8_ghash_desc_ctx) +- + crypto_shash_descsize(fallback)) { +- printk(KERN_ERR +- "Desc size of the fallback implementation (%s) does not match the expected value: %lu vs %u\n", +- alg, +- shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx), +- crypto_shash_descsize(fallback)); +- return -EINVAL; +- } +- ctx->fallback = fallback; +- +- return 0; +-} +- +-static void p8_ghash_exit_tfm(struct crypto_tfm *tfm) +-{ +- struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm); +- +- if (ctx->fallback) { +- crypto_free_shash(ctx->fallback); +- ctx->fallback = NULL; +- } +-} +- + static int p8_ghash_init(struct shash_desc *desc) + { +- struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm)); + struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc); + + dctx->bytes = 0; + memset(dctx->shash, 0, GHASH_DIGEST_SIZE); +- dctx->fallback_desc.tfm = ctx->fallback; +- dctx->fallback_desc.flags = desc->flags; +- return crypto_shash_init(&dctx->fallback_desc); ++ return 0; + } + + static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key, +@@ -122,7 +68,53 @@ static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key, + gcm_init_p8(ctx->htable, (const u64 *) key); + pagefault_enable(); + preempt_enable(); +- return crypto_shash_setkey(ctx->fallback, key, keylen); ++ ++ memcpy(&ctx->key, key, GHASH_BLOCK_SIZE); ++ ++ return 0; ++} ++ ++static inline void __ghash_block(struct p8_ghash_ctx *ctx, ++ struct p8_ghash_desc_ctx *dctx) ++{ ++ if (!IN_INTERRUPT) { ++ preempt_disable(); ++ pagefault_disable(); ++ enable_kernel_altivec(); ++ enable_kernel_vsx(); ++ enable_kernel_fp(); ++ gcm_ghash_p8(dctx->shash, ctx->htable, ++ dctx->buffer, GHASH_DIGEST_SIZE); ++ pagefault_enable(); ++ preempt_enable(); ++ } else { ++ crypto_xor((u8 *)dctx->shash, dctx->buffer, GHASH_BLOCK_SIZE); ++ gf128mul_lle((be128 *)dctx->shash, &ctx->key); ++ } ++} ++ ++static inline void __ghash_blocks(struct p8_ghash_ctx *ctx, ++ struct p8_ghash_desc_ctx *dctx, ++ const u8 *src, unsigned int srclen) ++{ ++ if (!IN_INTERRUPT) { ++ preempt_disable(); ++ pagefault_disable(); ++ enable_kernel_altivec(); ++ enable_kernel_vsx(); ++ enable_kernel_fp(); ++ gcm_ghash_p8(dctx->shash, ctx->htable, ++ src, srclen); ++ pagefault_enable(); ++ preempt_enable(); ++ } else { ++ while (srclen >= GHASH_BLOCK_SIZE) { ++ crypto_xor((u8 *)dctx->shash, src, GHASH_BLOCK_SIZE); ++ gf128mul_lle((be128 *)dctx->shash, &ctx->key); ++ srclen -= GHASH_BLOCK_SIZE; ++ src += GHASH_BLOCK_SIZE; ++ } ++ } + } + + static int p8_ghash_update(struct shash_desc *desc, +@@ -132,51 +124,33 @@ static int p8_ghash_update(struct shash_desc *desc, + struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm)); + struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc); + +- if (IN_INTERRUPT) { +- return crypto_shash_update(&dctx->fallback_desc, src, +- srclen); +- } else { +- if (dctx->bytes) { +- if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) { +- memcpy(dctx->buffer + dctx->bytes, src, +- srclen); +- dctx->bytes += srclen; +- return 0; +- } ++ if (dctx->bytes) { ++ if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) { + memcpy(dctx->buffer + dctx->bytes, src, +- GHASH_DIGEST_SIZE - dctx->bytes); +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_altivec(); +- enable_kernel_vsx(); +- enable_kernel_fp(); +- gcm_ghash_p8(dctx->shash, ctx->htable, +- dctx->buffer, GHASH_DIGEST_SIZE); +- pagefault_enable(); +- preempt_enable(); +- src += GHASH_DIGEST_SIZE - dctx->bytes; +- srclen -= GHASH_DIGEST_SIZE - dctx->bytes; +- dctx->bytes = 0; +- } +- len = srclen & ~(GHASH_DIGEST_SIZE - 1); +- if (len) { +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_altivec(); +- enable_kernel_vsx(); +- enable_kernel_fp(); +- gcm_ghash_p8(dctx->shash, ctx->htable, src, len); +- pagefault_enable(); +- preempt_enable(); +- src += len; +- srclen -= len; +- } +- if (srclen) { +- memcpy(dctx->buffer, src, srclen); +- dctx->bytes = srclen; ++ srclen); ++ dctx->bytes += srclen; ++ return 0; + } +- return 0; ++ memcpy(dctx->buffer + dctx->bytes, src, ++ GHASH_DIGEST_SIZE - dctx->bytes); ++ ++ __ghash_block(ctx, dctx); ++ ++ src += GHASH_DIGEST_SIZE - dctx->bytes; ++ srclen -= GHASH_DIGEST_SIZE - dctx->bytes; ++ dctx->bytes = 0; ++ } ++ len = srclen & ~(GHASH_DIGEST_SIZE - 1); ++ if (len) { ++ __ghash_blocks(ctx, dctx, src, len); ++ src += len; ++ srclen -= len; + } ++ if (srclen) { ++ memcpy(dctx->buffer, src, srclen); ++ dctx->bytes = srclen; ++ } ++ return 0; + } + + static int p8_ghash_final(struct shash_desc *desc, u8 *out) +@@ -185,26 +159,14 @@ static int p8_ghash_final(struct shash_desc *desc, u8 *out) + struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm)); + struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc); + +- if (IN_INTERRUPT) { +- return crypto_shash_final(&dctx->fallback_desc, out); +- } else { +- if (dctx->bytes) { +- for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++) +- dctx->buffer[i] = 0; +- preempt_disable(); +- pagefault_disable(); +- enable_kernel_altivec(); +- enable_kernel_vsx(); +- enable_kernel_fp(); +- gcm_ghash_p8(dctx->shash, ctx->htable, +- dctx->buffer, GHASH_DIGEST_SIZE); +- pagefault_enable(); +- preempt_enable(); +- dctx->bytes = 0; +- } +- memcpy(out, dctx->shash, GHASH_DIGEST_SIZE); +- return 0; ++ if (dctx->bytes) { ++ for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++) ++ dctx->buffer[i] = 0; ++ __ghash_block(ctx, dctx); ++ dctx->bytes = 0; + } ++ memcpy(out, dctx->shash, GHASH_DIGEST_SIZE); ++ return 0; + } + + struct shash_alg p8_ghash_alg = { +@@ -219,11 +181,9 @@ struct shash_alg p8_ghash_alg = { + .cra_name = "ghash", + .cra_driver_name = "p8_ghash", + .cra_priority = 1000, +- .cra_flags = CRYPTO_ALG_TYPE_SHASH | CRYPTO_ALG_NEED_FALLBACK, ++ .cra_flags = CRYPTO_ALG_TYPE_SHASH, + .cra_blocksize = GHASH_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct p8_ghash_ctx), + .cra_module = THIS_MODULE, +- .cra_init = p8_ghash_init_tfm, +- .cra_exit = p8_ghash_exit_tfm, + }, + }; +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index af24c5bf32d6..8aa3ccf42e55 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1608,7 +1608,11 @@ static void at_xdmac_tasklet(unsigned long data) + struct at_xdmac_desc, + xfer_node); + dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, desc); +- BUG_ON(!desc->active_xfer); ++ if (!desc->active_xfer) { ++ dev_err(chan2dev(&atchan->chan), "Xfer not active: exiting"); ++ spin_unlock_bh(&atchan->lock); ++ return; ++ } + + txd = &desc->tx_dma_desc; + +diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c +index e4890dd4fefd..38fb212e58ee 100644 +--- a/drivers/extcon/extcon-arizona.c ++++ b/drivers/extcon/extcon-arizona.c +@@ -1616,6 +1616,16 @@ static int arizona_extcon_remove(struct platform_device *pdev) + struct arizona_extcon_info *info = platform_get_drvdata(pdev); + struct arizona *arizona = info->arizona; + int jack_irq_rise, jack_irq_fall; ++ bool change; ++ ++ regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1, ++ ARIZONA_MICD_ENA, 0, ++ &change); ++ ++ if (change) { ++ regulator_disable(info->micvdd); ++ pm_runtime_put(info->dev); ++ } + + gpiod_put(info->micd_pol_gpio); + +diff --git a/drivers/gpu/drm/gma500/cdv_intel_lvds.c b/drivers/gpu/drm/gma500/cdv_intel_lvds.c +index 211069b2b951..010fe3fc5ecf 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c +@@ -620,6 +620,9 @@ void cdv_intel_lvds_init(struct drm_device *dev, + int pipe; + u8 pin; + ++ if (!dev_priv->lvds_enabled_in_vbt) ++ return; ++ + pin = GMBUS_PORT_PANEL; + if (!lvds_is_present_in_vbt(dev, &pin)) { + DRM_DEBUG_KMS("LVDS is not present in VBT\n"); +diff --git a/drivers/gpu/drm/gma500/intel_bios.c b/drivers/gpu/drm/gma500/intel_bios.c +index 63bde4e86c6a..e019ea271ffc 100644 +--- a/drivers/gpu/drm/gma500/intel_bios.c ++++ b/drivers/gpu/drm/gma500/intel_bios.c +@@ -436,6 +436,9 @@ parse_driver_features(struct drm_psb_private *dev_priv, + if (driver->lvds_config == BDB_DRIVER_FEATURE_EDP) + dev_priv->edp.support = 1; + ++ dev_priv->lvds_enabled_in_vbt = driver->lvds_config != 0; ++ DRM_DEBUG_KMS("LVDS VBT config bits: 0x%x\n", driver->lvds_config); ++ + /* This bit means to use 96Mhz for DPLL_A or not */ + if (driver->primary_lfp_id) + dev_priv->dplla_96mhz = true; +diff --git a/drivers/gpu/drm/gma500/psb_drv.h b/drivers/gpu/drm/gma500/psb_drv.h +index e21726ecac32..4c7cc8a5edbd 100644 +--- a/drivers/gpu/drm/gma500/psb_drv.h ++++ b/drivers/gpu/drm/gma500/psb_drv.h +@@ -536,6 +536,7 @@ struct drm_psb_private { + int lvds_ssc_freq; + bool is_lvds_on; + bool is_mipi_on; ++ bool lvds_enabled_in_vbt; + u32 mipi_ctrl_display; + + unsigned int core_freq; +diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h +index 6b6224dbd5bb..943eb2971c3e 100644 +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h +@@ -37,6 +37,7 @@ struct nvkm_i2c_bus { + struct mutex mutex; + struct list_head head; + struct i2c_adapter i2c; ++ u8 enabled; + }; + + int nvkm_i2c_bus_acquire(struct nvkm_i2c_bus *); +@@ -56,6 +57,7 @@ struct nvkm_i2c_aux { + struct mutex mutex; + struct list_head head; + struct i2c_adapter i2c; ++ u8 enabled; + + u32 intr; + }; +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c +index f0851d57df2f..f89692cb2bc7 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c +@@ -105,9 +105,15 @@ nvkm_i2c_aux_acquire(struct nvkm_i2c_aux *aux) + { + struct nvkm_i2c_pad *pad = aux->pad; + int ret; ++ + AUX_TRACE(aux, "acquire"); + mutex_lock(&aux->mutex); +- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX); ++ ++ if (aux->enabled) ++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX); ++ else ++ ret = -EIO; ++ + if (ret) + mutex_unlock(&aux->mutex); + return ret; +@@ -141,6 +147,24 @@ nvkm_i2c_aux_del(struct nvkm_i2c_aux **paux) + } + } + ++void ++nvkm_i2c_aux_init(struct nvkm_i2c_aux *aux) ++{ ++ AUX_TRACE(aux, "init"); ++ mutex_lock(&aux->mutex); ++ aux->enabled = true; ++ mutex_unlock(&aux->mutex); ++} ++ ++void ++nvkm_i2c_aux_fini(struct nvkm_i2c_aux *aux) ++{ ++ AUX_TRACE(aux, "fini"); ++ mutex_lock(&aux->mutex); ++ aux->enabled = false; ++ mutex_unlock(&aux->mutex); ++} ++ + int + nvkm_i2c_aux_ctor(const struct nvkm_i2c_aux_func *func, + struct nvkm_i2c_pad *pad, int id, +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h +index 35a892e4a4c3..04885c097a32 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h +@@ -14,6 +14,8 @@ int nvkm_i2c_aux_ctor(const struct nvkm_i2c_aux_func *, struct nvkm_i2c_pad *, + int nvkm_i2c_aux_new_(const struct nvkm_i2c_aux_func *, struct nvkm_i2c_pad *, + int id, struct nvkm_i2c_aux **); + void nvkm_i2c_aux_del(struct nvkm_i2c_aux **); ++void nvkm_i2c_aux_init(struct nvkm_i2c_aux *); ++void nvkm_i2c_aux_fini(struct nvkm_i2c_aux *); + int nvkm_i2c_aux_xfer(struct nvkm_i2c_aux *, bool retry, u8 type, + u32 addr, u8 *data, u8 size); + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c +index 243a71ff0a0d..2acc5cbcb6fb 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c +@@ -160,8 +160,18 @@ nvkm_i2c_fini(struct nvkm_subdev *subdev, bool suspend) + { + struct nvkm_i2c *i2c = nvkm_i2c(subdev); + struct nvkm_i2c_pad *pad; ++ struct nvkm_i2c_bus *bus; ++ struct nvkm_i2c_aux *aux; + u32 mask; + ++ list_for_each_entry(aux, &i2c->aux, head) { ++ nvkm_i2c_aux_fini(aux); ++ } ++ ++ list_for_each_entry(bus, &i2c->bus, head) { ++ nvkm_i2c_bus_fini(bus); ++ } ++ + if ((mask = (1 << i2c->func->aux) - 1), i2c->func->aux_stat) { + i2c->func->aux_mask(i2c, NVKM_I2C_ANY, mask, 0); + i2c->func->aux_stat(i2c, &mask, &mask, &mask, &mask); +@@ -180,6 +190,7 @@ nvkm_i2c_init(struct nvkm_subdev *subdev) + struct nvkm_i2c *i2c = nvkm_i2c(subdev); + struct nvkm_i2c_bus *bus; + struct nvkm_i2c_pad *pad; ++ struct nvkm_i2c_aux *aux; + + list_for_each_entry(pad, &i2c->pad, head) { + nvkm_i2c_pad_init(pad); +@@ -189,6 +200,10 @@ nvkm_i2c_init(struct nvkm_subdev *subdev) + nvkm_i2c_bus_init(bus); + } + ++ list_for_each_entry(aux, &i2c->aux, head) { ++ nvkm_i2c_aux_init(aux); ++ } ++ + return 0; + } + +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c +index 807a2b67bd64..ed50cc3736b9 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c +@@ -110,6 +110,19 @@ nvkm_i2c_bus_init(struct nvkm_i2c_bus *bus) + BUS_TRACE(bus, "init"); + if (bus->func->init) + bus->func->init(bus); ++ ++ mutex_lock(&bus->mutex); ++ bus->enabled = true; ++ mutex_unlock(&bus->mutex); ++} ++ ++void ++nvkm_i2c_bus_fini(struct nvkm_i2c_bus *bus) ++{ ++ BUS_TRACE(bus, "fini"); ++ mutex_lock(&bus->mutex); ++ bus->enabled = false; ++ mutex_unlock(&bus->mutex); + } + + void +@@ -126,9 +139,15 @@ nvkm_i2c_bus_acquire(struct nvkm_i2c_bus *bus) + { + struct nvkm_i2c_pad *pad = bus->pad; + int ret; ++ + BUS_TRACE(bus, "acquire"); + mutex_lock(&bus->mutex); +- ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C); ++ ++ if (bus->enabled) ++ ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C); ++ else ++ ret = -EIO; ++ + if (ret) + mutex_unlock(&bus->mutex); + return ret; +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h +index e1be14c23e54..2fdb1b8e7164 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h +@@ -17,6 +17,7 @@ int nvkm_i2c_bus_new_(const struct nvkm_i2c_bus_func *, struct nvkm_i2c_pad *, + int id, struct nvkm_i2c_bus **); + void nvkm_i2c_bus_del(struct nvkm_i2c_bus **); + void nvkm_i2c_bus_init(struct nvkm_i2c_bus *); ++void nvkm_i2c_bus_fini(struct nvkm_i2c_bus *); + + int nvkm_i2c_bit_xfer(struct nvkm_i2c_bus *, struct i2c_msg *, int); + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 4564ecf71181..9b2b41d683de 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -200,13 +200,14 @@ static unsigned hid_lookup_collection(struct hid_parser *parser, unsigned type) + * Add a usage to the temporary parser table. + */ + +-static int hid_add_usage(struct hid_parser *parser, unsigned usage) ++static int hid_add_usage(struct hid_parser *parser, unsigned usage, u8 size) + { + if (parser->local.usage_index >= HID_MAX_USAGES) { + hid_err(parser->device, "usage index exceeded\n"); + return -1; + } + parser->local.usage[parser->local.usage_index] = usage; ++ parser->local.usage_size[parser->local.usage_index] = size; + parser->local.collection_index[parser->local.usage_index] = + parser->collection_stack_ptr ? + parser->collection_stack[parser->collection_stack_ptr - 1] : 0; +@@ -463,10 +464,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + return 0; + } + +- if (item->size <= 2) +- data = (parser->global.usage_page << 16) + data; +- +- return hid_add_usage(parser, data); ++ return hid_add_usage(parser, data, item->size); + + case HID_LOCAL_ITEM_TAG_USAGE_MINIMUM: + +@@ -475,9 +473,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + return 0; + } + +- if (item->size <= 2) +- data = (parser->global.usage_page << 16) + data; +- + parser->local.usage_minimum = data; + return 0; + +@@ -488,9 +483,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + return 0; + } + +- if (item->size <= 2) +- data = (parser->global.usage_page << 16) + data; +- + count = data - parser->local.usage_minimum; + if (count + parser->local.usage_index >= HID_MAX_USAGES) { + /* +@@ -510,7 +502,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + } + + for (n = parser->local.usage_minimum; n <= data; n++) +- if (hid_add_usage(parser, n)) { ++ if (hid_add_usage(parser, n, item->size)) { + dbg_hid("hid_add_usage failed\n"); + return -1; + } +@@ -524,6 +516,22 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item) + return 0; + } + ++/* ++ * Concatenate Usage Pages into Usages where relevant: ++ * As per specification, 6.2.2.8: "When the parser encounters a main item it ++ * concatenates the last declared Usage Page with a Usage to form a complete ++ * usage value." ++ */ ++ ++static void hid_concatenate_usage_page(struct hid_parser *parser) ++{ ++ int i; ++ ++ for (i = 0; i < parser->local.usage_index; i++) ++ if (parser->local.usage_size[i] <= 2) ++ parser->local.usage[i] += parser->global.usage_page << 16; ++} ++ + /* + * Process a main item. + */ +@@ -533,6 +541,8 @@ static int hid_parser_main(struct hid_parser *parser, struct hid_item *item) + __u32 data; + int ret; + ++ hid_concatenate_usage_page(parser); ++ + data = item_udata(item); + + switch (item->tag) { +@@ -746,6 +756,8 @@ static int hid_scan_main(struct hid_parser *parser, struct hid_item *item) + __u32 data; + int i; + ++ hid_concatenate_usage_page(parser); ++ + data = item_udata(item); + + switch (item->tag) { +diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c +index 5fd97860aec4..3666e5064d0d 100644 +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -414,13 +414,16 @@ static int hidpp_root_get_feature(struct hidpp_device *hidpp, u16 feature, + + static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp) + { ++ const u8 ping_byte = 0x5a; ++ u8 ping_data[3] = { 0, 0, ping_byte }; + struct hidpp_report response; + int ret; + +- ret = hidpp_send_fap_command_sync(hidpp, ++ ret = hidpp_send_rap_command_sync(hidpp, ++ REPORT_ID_HIDPP_SHORT, + HIDPP_PAGE_ROOT_IDX, + CMD_ROOT_GET_PROTOCOL_VERSION, +- NULL, 0, &response); ++ ping_data, sizeof(ping_data), &response); + + if (ret == HIDPP_ERROR_INVALID_SUBID) { + hidpp->protocol_major = 1; +@@ -440,8 +443,14 @@ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp) + if (ret) + return ret; + +- hidpp->protocol_major = response.fap.params[0]; +- hidpp->protocol_minor = response.fap.params[1]; ++ if (response.rap.params[2] != ping_byte) { ++ hid_err(hidpp->hid_dev, "%s: ping mismatch 0x%02x != 0x%02x\n", ++ __func__, response.rap.params[2], ping_byte); ++ return -EPROTO; ++ } ++ ++ hidpp->protocol_major = response.rap.params[0]; ++ hidpp->protocol_minor = response.rap.params[1]; + + return ret; + } +diff --git a/drivers/hwmon/f71805f.c b/drivers/hwmon/f71805f.c +index facd05cda26d..e8c089886427 100644 +--- a/drivers/hwmon/f71805f.c ++++ b/drivers/hwmon/f71805f.c +@@ -96,17 +96,23 @@ superio_select(int base, int ld) + outb(ld, base + 1); + } + +-static inline void ++static inline int + superio_enter(int base) + { ++ if (!request_muxed_region(base, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x87, base); + outb(0x87, base); ++ ++ return 0; + } + + static inline void + superio_exit(int base) + { + outb(0xaa, base); ++ release_region(base, 2); + } + + /* +@@ -1561,7 +1567,7 @@ exit: + static int __init f71805f_find(int sioaddr, unsigned short *address, + struct f71805f_sio_data *sio_data) + { +- int err = -ENODEV; ++ int err; + u16 devid; + + static const char * const names[] = { +@@ -1569,8 +1575,11 @@ static int __init f71805f_find(int sioaddr, unsigned short *address, + "F71872F/FG or F71806F/FG", + }; + +- superio_enter(sioaddr); ++ err = superio_enter(sioaddr); ++ if (err) ++ return err; + ++ err = -ENODEV; + devid = superio_inw(sioaddr, SIO_REG_MANID); + if (devid != SIO_FINTEK_ID) + goto exit; +diff --git a/drivers/hwmon/pc87427.c b/drivers/hwmon/pc87427.c +index cb9fdd37bd0d..2b5b8c3de8fc 100644 +--- a/drivers/hwmon/pc87427.c ++++ b/drivers/hwmon/pc87427.c +@@ -106,6 +106,13 @@ static const char *logdev_str[2] = { DRVNAME " FMC", DRVNAME " HMC" }; + #define LD_IN 1 + #define LD_TEMP 1 + ++static inline int superio_enter(int sioaddr) ++{ ++ if (!request_muxed_region(sioaddr, 2, DRVNAME)) ++ return -EBUSY; ++ return 0; ++} ++ + static inline void superio_outb(int sioaddr, int reg, int val) + { + outb(reg, sioaddr); +@@ -122,6 +129,7 @@ static inline void superio_exit(int sioaddr) + { + outb(0x02, sioaddr); + outb(0x02, sioaddr + 1); ++ release_region(sioaddr, 2); + } + + /* +@@ -1220,7 +1228,11 @@ static int __init pc87427_find(int sioaddr, struct pc87427_sio_data *sio_data) + { + u16 val; + u8 cfg, cfg_b; +- int i, err = 0; ++ int i, err; ++ ++ err = superio_enter(sioaddr); ++ if (err) ++ return err; + + /* Identify device */ + val = force_id ? force_id : superio_inb(sioaddr, SIOREG_DEVID); +diff --git a/drivers/hwmon/smsc47b397.c b/drivers/hwmon/smsc47b397.c +index 6bd200756560..cbdb5c4991ae 100644 +--- a/drivers/hwmon/smsc47b397.c ++++ b/drivers/hwmon/smsc47b397.c +@@ -72,14 +72,19 @@ static inline void superio_select(int ld) + superio_outb(0x07, ld); + } + +-static inline void superio_enter(void) ++static inline int superio_enter(void) + { ++ if (!request_muxed_region(REG, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x55, REG); ++ return 0; + } + + static inline void superio_exit(void) + { + outb(0xAA, REG); ++ release_region(REG, 2); + } + + #define SUPERIO_REG_DEVID 0x20 +@@ -300,8 +305,12 @@ static int __init smsc47b397_find(void) + u8 id, rev; + char *name; + unsigned short addr; ++ int err; ++ ++ err = superio_enter(); ++ if (err) ++ return err; + +- superio_enter(); + id = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID); + + switch (id) { +diff --git a/drivers/hwmon/smsc47m1.c b/drivers/hwmon/smsc47m1.c +index 5d323186d2c1..d24df0c50bea 100644 +--- a/drivers/hwmon/smsc47m1.c ++++ b/drivers/hwmon/smsc47m1.c +@@ -73,16 +73,21 @@ superio_inb(int reg) + /* logical device for fans is 0x0A */ + #define superio_select() superio_outb(0x07, 0x0A) + +-static inline void ++static inline int + superio_enter(void) + { ++ if (!request_muxed_region(REG, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x55, REG); ++ return 0; + } + + static inline void + superio_exit(void) + { + outb(0xAA, REG); ++ release_region(REG, 2); + } + + #define SUPERIO_REG_ACT 0x30 +@@ -531,8 +536,12 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data) + { + u8 val; + unsigned short addr; ++ int err; ++ ++ err = superio_enter(); ++ if (err) ++ return err; + +- superio_enter(); + val = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID); + + /* +@@ -608,13 +617,14 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data) + static void smsc47m1_restore(const struct smsc47m1_sio_data *sio_data) + { + if ((sio_data->activate & 0x01) == 0) { +- superio_enter(); +- superio_select(); +- +- pr_info("Disabling device\n"); +- superio_outb(SUPERIO_REG_ACT, sio_data->activate); +- +- superio_exit(); ++ if (!superio_enter()) { ++ superio_select(); ++ pr_info("Disabling device\n"); ++ superio_outb(SUPERIO_REG_ACT, sio_data->activate); ++ superio_exit(); ++ } else { ++ pr_warn("Failed to disable device\n"); ++ } + } + } + +diff --git a/drivers/hwmon/vt1211.c b/drivers/hwmon/vt1211.c +index 3a6bfa51cb94..95d5e8ec8b7f 100644 +--- a/drivers/hwmon/vt1211.c ++++ b/drivers/hwmon/vt1211.c +@@ -226,15 +226,21 @@ static inline void superio_select(int sio_cip, int ldn) + outb(ldn, sio_cip + 1); + } + +-static inline void superio_enter(int sio_cip) ++static inline int superio_enter(int sio_cip) + { ++ if (!request_muxed_region(sio_cip, 2, DRVNAME)) ++ return -EBUSY; ++ + outb(0x87, sio_cip); + outb(0x87, sio_cip); ++ ++ return 0; + } + + static inline void superio_exit(int sio_cip) + { + outb(0xaa, sio_cip); ++ release_region(sio_cip, 2); + } + + /* --------------------------------------------------------------------- +@@ -1282,11 +1288,14 @@ EXIT: + + static int __init vt1211_find(int sio_cip, unsigned short *address) + { +- int err = -ENODEV; ++ int err; + int devid; + +- superio_enter(sio_cip); ++ err = superio_enter(sio_cip); ++ if (err) ++ return err; + ++ err = -ENODEV; + devid = force_id ? force_id : superio_inb(sio_cip, SIO_VT1211_DEVID); + if (devid != SIO_VT1211_ID) + goto EXIT; +diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c +index 9d9e47eb0842..7d5c53a1abe4 100644 +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -90,6 +90,7 @@ struct msc_iter { + * @reg_base: register window base address + * @thdev: intel_th_device pointer + * @win_list: list of windows in multiblock mode ++ * @single_sgt: single mode buffer + * @nr_pages: total number of pages allocated for this buffer + * @single_sz: amount of data in single mode + * @single_wrap: single mode wrap occurred +@@ -110,6 +111,7 @@ struct msc { + struct intel_th_device *thdev; + + struct list_head win_list; ++ struct sg_table single_sgt; + unsigned long nr_pages; + unsigned long single_sz; + unsigned int single_wrap : 1; +@@ -610,22 +612,45 @@ static void intel_th_msc_deactivate(struct intel_th_device *thdev) + */ + static int msc_buffer_contig_alloc(struct msc *msc, unsigned long size) + { ++ unsigned long nr_pages = size >> PAGE_SHIFT; + unsigned int order = get_order(size); + struct page *page; ++ int ret; + + if (!size) + return 0; + ++ ret = sg_alloc_table(&msc->single_sgt, 1, GFP_KERNEL); ++ if (ret) ++ goto err_out; ++ ++ ret = -ENOMEM; + page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order); + if (!page) +- return -ENOMEM; ++ goto err_free_sgt; + + split_page(page, order); +- msc->nr_pages = size >> PAGE_SHIFT; ++ sg_set_buf(msc->single_sgt.sgl, page_address(page), size); ++ ++ ret = dma_map_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl, 1, ++ DMA_FROM_DEVICE); ++ if (ret < 0) ++ goto err_free_pages; ++ ++ msc->nr_pages = nr_pages; + msc->base = page_address(page); +- msc->base_addr = page_to_phys(page); ++ msc->base_addr = sg_dma_address(msc->single_sgt.sgl); + + return 0; ++ ++err_free_pages: ++ __free_pages(page, order); ++ ++err_free_sgt: ++ sg_free_table(&msc->single_sgt); ++ ++err_out: ++ return ret; + } + + /** +@@ -636,6 +661,10 @@ static void msc_buffer_contig_free(struct msc *msc) + { + unsigned long off; + ++ dma_unmap_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl, ++ 1, DMA_FROM_DEVICE); ++ sg_free_table(&msc->single_sgt); ++ + for (off = 0; off < msc->nr_pages << PAGE_SHIFT; off += PAGE_SIZE) { + struct page *page = virt_to_page(msc->base + off); + +diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c +index b6cc841de79d..e880702a3784 100644 +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -210,8 +210,8 @@ stm_output_disclaim(struct stm_device *stm, struct stm_output *output) + bitmap_release_region(&master->chan_map[0], output->channel, + ilog2(output->nr_chans)); + +- output->nr_chans = 0; + master->nr_free += output->nr_chans; ++ output->nr_chans = 0; + } + + /* +diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c +index a1d072ecb717..30f200ad6b97 100644 +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -62,7 +62,7 @@ int ad_sd_write_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg, + struct spi_transfer t = { + .tx_buf = data, + .len = size + 1, +- .cs_change = sigma_delta->bus_locked, ++ .cs_change = sigma_delta->keep_cs_asserted, + }; + struct spi_message m; + int ret; +@@ -217,6 +217,7 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta, + + spi_bus_lock(sigma_delta->spi->master); + sigma_delta->bus_locked = true; ++ sigma_delta->keep_cs_asserted = true; + reinit_completion(&sigma_delta->completion); + + ret = ad_sigma_delta_set_mode(sigma_delta, mode); +@@ -234,9 +235,10 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta, + ret = 0; + } + out: ++ sigma_delta->keep_cs_asserted = false; ++ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + sigma_delta->bus_locked = false; + spi_bus_unlock(sigma_delta->spi->master); +- ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + + return ret; + } +@@ -288,6 +290,7 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev, + + spi_bus_lock(sigma_delta->spi->master); + sigma_delta->bus_locked = true; ++ sigma_delta->keep_cs_asserted = true; + reinit_completion(&sigma_delta->completion); + + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_SINGLE); +@@ -297,9 +300,6 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev, + ret = wait_for_completion_interruptible_timeout( + &sigma_delta->completion, HZ); + +- sigma_delta->bus_locked = false; +- spi_bus_unlock(sigma_delta->spi->master); +- + if (ret == 0) + ret = -EIO; + if (ret < 0) +@@ -315,7 +315,10 @@ out: + sigma_delta->irq_dis = true; + } + ++ sigma_delta->keep_cs_asserted = false; + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); ++ sigma_delta->bus_locked = false; ++ spi_bus_unlock(sigma_delta->spi->master); + mutex_unlock(&indio_dev->mlock); + + if (ret) +@@ -352,6 +355,8 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev) + + spi_bus_lock(sigma_delta->spi->master); + sigma_delta->bus_locked = true; ++ sigma_delta->keep_cs_asserted = true; ++ + ret = ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_CONTINUOUS); + if (ret) + goto err_unlock; +@@ -380,6 +385,7 @@ static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev) + sigma_delta->irq_dis = true; + } + ++ sigma_delta->keep_cs_asserted = false; + ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE); + + sigma_delta->bus_locked = false; +diff --git a/drivers/iio/common/ssp_sensors/ssp_iio.c b/drivers/iio/common/ssp_sensors/ssp_iio.c +index a3ae165f8d9f..16180e6321bd 100644 +--- a/drivers/iio/common/ssp_sensors/ssp_iio.c ++++ b/drivers/iio/common/ssp_sensors/ssp_iio.c +@@ -80,7 +80,7 @@ int ssp_common_process_data(struct iio_dev *indio_dev, void *buf, + unsigned int len, int64_t timestamp) + { + __le32 time; +- int64_t calculated_time; ++ int64_t calculated_time = 0; + struct ssp_sensor_data *spd = iio_priv(indio_dev); + + if (indio_dev->scan_bytes == 0) +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index c9cffced00ca..54fd4d81a3f1 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -360,6 +360,8 @@ static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp) + skb_reset_transport_header(skb); + } else { + skb = alloc_skb(len, gfp); ++ if (!skb) ++ return NULL; + } + t4_set_arp_err_handler(skb, NULL, NULL); + return skb; +diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c +index 9305964250ac..c4eb293b1524 100644 +--- a/drivers/iommu/tegra-smmu.c ++++ b/drivers/iommu/tegra-smmu.c +@@ -91,7 +91,6 @@ static inline u32 smmu_readl(struct tegra_smmu *smmu, unsigned long offset) + #define SMMU_TLB_FLUSH_VA_MATCH_ALL (0 << 0) + #define SMMU_TLB_FLUSH_VA_MATCH_SECTION (2 << 0) + #define SMMU_TLB_FLUSH_VA_MATCH_GROUP (3 << 0) +-#define SMMU_TLB_FLUSH_ASID(x) (((x) & 0x7f) << 24) + #define SMMU_TLB_FLUSH_VA_SECTION(addr) ((((addr) & 0xffc00000) >> 12) | \ + SMMU_TLB_FLUSH_VA_MATCH_SECTION) + #define SMMU_TLB_FLUSH_VA_GROUP(addr) ((((addr) & 0xffffc000) >> 12) | \ +@@ -194,8 +193,12 @@ static inline void smmu_flush_tlb_asid(struct tegra_smmu *smmu, + { + u32 value; + +- value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) | +- SMMU_TLB_FLUSH_VA_MATCH_ALL; ++ if (smmu->soc->num_asids == 4) ++ value = (asid & 0x3) << 29; ++ else ++ value = (asid & 0x7f) << 24; ++ ++ value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_MATCH_ALL; + smmu_writel(smmu, value, SMMU_TLB_FLUSH); + } + +@@ -205,8 +208,12 @@ static inline void smmu_flush_tlb_section(struct tegra_smmu *smmu, + { + u32 value; + +- value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) | +- SMMU_TLB_FLUSH_VA_SECTION(iova); ++ if (smmu->soc->num_asids == 4) ++ value = (asid & 0x3) << 29; ++ else ++ value = (asid & 0x7f) << 24; ++ ++ value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_SECTION(iova); + smmu_writel(smmu, value, SMMU_TLB_FLUSH); + } + +@@ -216,8 +223,12 @@ static inline void smmu_flush_tlb_group(struct tegra_smmu *smmu, + { + u32 value; + +- value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) | +- SMMU_TLB_FLUSH_VA_GROUP(iova); ++ if (smmu->soc->num_asids == 4) ++ value = (asid & 0x3) << 29; ++ else ++ value = (asid & 0x7f) << 24; ++ ++ value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_GROUP(iova); + smmu_writel(smmu, value, SMMU_TLB_FLUSH); + } + +diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c +index 16c3390e5d9f..d82ae445c9ee 100644 +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -324,10 +324,11 @@ static int bch_allocator_thread(void *arg) + * possibly issue discards to them, then we add the bucket to + * the free list: + */ +- while (!fifo_empty(&ca->free_inc)) { ++ while (1) { + long bucket; + +- fifo_pop(&ca->free_inc, bucket); ++ if (!fifo_pop(&ca->free_inc, bucket)) ++ break; + + if (ca->discard) { + mutex_unlock(&ca->set->bucket_lock); +diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c +index 6ed066a0e7c0..6f9db98f2dfd 100644 +--- a/drivers/md/bcache/journal.c ++++ b/drivers/md/bcache/journal.c +@@ -309,6 +309,18 @@ void bch_journal_mark(struct cache_set *c, struct list_head *list) + } + } + ++bool is_discard_enabled(struct cache_set *s) ++{ ++ struct cache *ca; ++ unsigned int i; ++ ++ for_each_cache(ca, s, i) ++ if (ca->discard) ++ return true; ++ ++ return false; ++} ++ + int bch_journal_replay(struct cache_set *s, struct list_head *list) + { + int ret = 0, keys = 0, entries = 0; +@@ -322,9 +334,17 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list) + list_for_each_entry(i, list, list) { + BUG_ON(i->pin && atomic_read(i->pin) != 1); + +- cache_set_err_on(n != i->j.seq, s, +-"bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)", +- n, i->j.seq - 1, start, end); ++ if (n != i->j.seq) { ++ if (n == start && is_discard_enabled(s)) ++ pr_info("bcache: journal entries %llu-%llu may be discarded! (replaying %llu-%llu)", ++ n, i->j.seq - 1, start, end); ++ else { ++ pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)", ++ n, i->j.seq - 1, start, end); ++ ret = -EIO; ++ goto err; ++ } ++ } + + for (k = i->j.start; + k < bset_bkey_last(&i->j); +@@ -513,11 +533,11 @@ static void journal_reclaim(struct cache_set *c) + ca->sb.nr_this_dev); + } + +- bkey_init(k); +- SET_KEY_PTRS(k, n); +- +- if (n) ++ if (n) { ++ bkey_init(k); ++ SET_KEY_PTRS(k, n); + c->journal.blocks_free = c->sb.bucket_size >> c->block_bits; ++ } + out: + if (!journal_full(&c->journal)) + __closure_wake_up(&c->journal.wait); +@@ -641,6 +661,9 @@ static void journal_write_unlocked(struct closure *cl) + ca->journal.seq[ca->journal.cur_idx] = w->data->seq; + } + ++ /* If KEY_PTRS(k) == 0, this jset gets lost in air */ ++ BUG_ON(i == 0); ++ + atomic_dec_bug(&fifo_back(&c->journal.pin)); + bch_journal_next(&c->journal); + journal_reclaim(c); +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index ef28ddfff7c6..02757b90e402 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1355,6 +1355,7 @@ static void cache_set_free(struct closure *cl) + bch_btree_cache_free(c); + bch_journal_free(c); + ++ mutex_lock(&bch_register_lock); + for_each_cache(ca, c, i) + if (ca) { + ca->set = NULL; +@@ -1377,7 +1378,6 @@ static void cache_set_free(struct closure *cl) + mempool_destroy(c->search); + kfree(c->devices); + +- mutex_lock(&bch_register_lock); + list_del(&c->list); + mutex_unlock(&bch_register_lock); + +@@ -1558,7 +1558,7 @@ err: + return NULL; + } + +-static void run_cache_set(struct cache_set *c) ++static int run_cache_set(struct cache_set *c) + { + const char *err = "cannot allocate memory"; + struct cached_dev *dc, *t; +@@ -1650,7 +1650,9 @@ static void run_cache_set(struct cache_set *c) + if (j->version < BCACHE_JSET_VERSION_UUID) + __uuid_write(c); + +- bch_journal_replay(c, &journal); ++ err = "bcache: replay journal failed"; ++ if (bch_journal_replay(c, &journal)) ++ goto err; + } else { + pr_notice("invalidating existing data"); + +@@ -1718,11 +1720,13 @@ static void run_cache_set(struct cache_set *c) + flash_devs_run(c); + + set_bit(CACHE_SET_RUNNING, &c->flags); +- return; ++ return 0; + err: + closure_sync(&cl); + /* XXX: test this, it's broken */ + bch_cache_set_error(c, "%s", err); ++ ++ return -EIO; + } + + static bool can_attach_cache(struct cache *ca, struct cache_set *c) +@@ -1786,8 +1790,11 @@ found: + ca->set->cache[ca->sb.nr_this_dev] = ca; + c->cache_by_alloc[c->caches_loaded++] = ca; + +- if (c->caches_loaded == c->sb.nr_in_set) +- run_cache_set(c); ++ if (c->caches_loaded == c->sb.nr_in_set) { ++ err = "failed to run cache set"; ++ if (run_cache_set(c) < 0) ++ goto err; ++ } + + return NULL; + err: +diff --git a/drivers/md/dm-delay.c b/drivers/md/dm-delay.c +index b4c356a21123..e789a4aae4e7 100644 +--- a/drivers/md/dm-delay.c ++++ b/drivers/md/dm-delay.c +@@ -222,7 +222,8 @@ static void delay_dtr(struct dm_target *ti) + { + struct delay_c *dc = ti->private; + +- destroy_workqueue(dc->kdelayd_wq); ++ if (dc->kdelayd_wq) ++ destroy_workqueue(dc->kdelayd_wq); + + dm_put_device(ti, dc->dev_read); + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 07f307402351..f71cca28ddda 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -2690,8 +2690,10 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len) + err = 0; + } + } else if (cmd_match(buf, "re-add")) { +- if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) && +- rdev->saved_raid_disk >= 0) { ++ if (!rdev->mddev->pers) ++ err = -EINVAL; ++ else if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) && ++ rdev->saved_raid_disk >= 0) { + /* clear_bit is performed _after_ all the devices + * have their local Faulty bit cleared. If any writes + * happen in the meantime in the local node, they +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 17517889d46b..764e0e155ae2 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -3861,7 +3861,7 @@ static void handle_parity_checks6(struct r5conf *conf, struct stripe_head *sh, + /* now write out any block on a failed drive, + * or P or Q if they were recomputed + */ +- BUG_ON(s->uptodate < disks - 1); /* We don't need Q to recover */ ++ dev = NULL; + if (s->failed == 2) { + dev = &sh->dev[s->failed_num[1]]; + s->locked++; +@@ -3886,6 +3886,14 @@ static void handle_parity_checks6(struct r5conf *conf, struct stripe_head *sh, + set_bit(R5_LOCKED, &dev->flags); + set_bit(R5_Wantwrite, &dev->flags); + } ++ if (WARN_ONCE(dev && !test_bit(R5_UPTODATE, &dev->flags), ++ "%s: disk%td not up to date\n", ++ mdname(conf->mddev), ++ dev - (struct r5dev *) &sh->dev)) { ++ clear_bit(R5_LOCKED, &dev->flags); ++ clear_bit(R5_Wantwrite, &dev->flags); ++ s->locked--; ++ } + clear_bit(STRIPE_DEGRADED, &sh->state); + + set_bit(STRIPE_INSYNC, &sh->state); +@@ -3897,15 +3905,26 @@ static void handle_parity_checks6(struct r5conf *conf, struct stripe_head *sh, + case check_state_check_result: + sh->check_state = check_state_idle; + +- if (s->failed > 1) +- break; + /* handle a successful check operation, if parity is correct + * we are done. Otherwise update the mismatch count and repair + * parity if !MD_RECOVERY_CHECK + */ + if (sh->ops.zero_sum_result == 0) { +- /* Any parity checked was correct */ +- set_bit(STRIPE_INSYNC, &sh->state); ++ /* both parities are correct */ ++ if (!s->failed) ++ set_bit(STRIPE_INSYNC, &sh->state); ++ else { ++ /* in contrast to the raid5 case we can validate ++ * parity, but still have a failure to write ++ * back ++ */ ++ sh->check_state = check_state_compute_result; ++ /* Returning at this point means that we may go ++ * off and bring p and/or q uptodate again so ++ * we make sure to check zero_sum_result again ++ * to verify if p or q need writeback ++ */ ++ } + } else { + atomic64_add(STRIPE_SECTORS, &conf->mddev->resync_mismatches); + if (test_bit(MD_RECOVERY_CHECK, &conf->mddev->recovery)) +diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c +index d14d075ab1d6..9f0956e739a4 100644 +--- a/drivers/media/dvb-frontends/m88ds3103.c ++++ b/drivers/media/dvb-frontends/m88ds3103.c +@@ -309,6 +309,9 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe) + u16 u16tmp, divide_ratio = 0; + u32 tuner_frequency, target_mclk; + s32 s32tmp; ++ static const struct reg_sequence reset_buf[] = { ++ {0x07, 0x80}, {0x07, 0x00} ++ }; + + dev_dbg(&client->dev, + "delivery_system=%d modulation=%d frequency=%u symbol_rate=%d inversion=%d pilot=%d rolloff=%d\n", +@@ -321,11 +324,7 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe) + } + + /* reset */ +- ret = regmap_write(dev->regmap, 0x07, 0x80); +- if (ret) +- goto err; +- +- ret = regmap_write(dev->regmap, 0x07, 0x00); ++ ret = regmap_multi_reg_write(dev->regmap, reset_buf, 2); + if (ret) + goto err; + +diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c +index 49109f4f5bb4..fadec1d70582 100644 +--- a/drivers/media/i2c/ov2659.c ++++ b/drivers/media/i2c/ov2659.c +@@ -1117,8 +1117,10 @@ static int ov2659_set_fmt(struct v4l2_subdev *sd, + if (ov2659_formats[index].code == mf->code) + break; + +- if (index < 0) +- return -EINVAL; ++ if (index < 0) { ++ index = 0; ++ mf->code = ov2659_formats[index].code; ++ } + + mf->colorspace = V4L2_COLORSPACE_SRGB; + mf->code = ov2659_formats[index].code; +diff --git a/drivers/media/i2c/soc_camera/ov6650.c b/drivers/media/i2c/soc_camera/ov6650.c +index 1e4783b51a35..4e19f5e5d8cf 100644 +--- a/drivers/media/i2c/soc_camera/ov6650.c ++++ b/drivers/media/i2c/soc_camera/ov6650.c +@@ -839,9 +839,18 @@ static int ov6650_video_probe(struct i2c_client *client) + u8 pidh, pidl, midh, midl; + int ret; + ++ priv->clk = v4l2_clk_get(&client->dev, NULL); ++ if (IS_ERR(priv->clk)) { ++ ret = PTR_ERR(priv->clk); ++ dev_err(&client->dev, "v4l2_clk request err: %d\n", ret); ++ return ret; ++ } ++ + ret = ov6650_s_power(&priv->subdev, 1); + if (ret < 0) +- return ret; ++ goto eclkput; ++ ++ msleep(20); + + /* + * check and show product ID and manufacturer ID +@@ -876,6 +885,11 @@ static int ov6650_video_probe(struct i2c_client *client) + + done: + ov6650_s_power(&priv->subdev, 0); ++ if (!ret) ++ return 0; ++eclkput: ++ v4l2_clk_put(priv->clk); ++ + return ret; + } + +@@ -1033,18 +1047,9 @@ static int ov6650_probe(struct i2c_client *client, + priv->code = MEDIA_BUS_FMT_YUYV8_2X8; + priv->colorspace = V4L2_COLORSPACE_JPEG; + +- priv->clk = v4l2_clk_get(&client->dev, NULL); +- if (IS_ERR(priv->clk)) { +- ret = PTR_ERR(priv->clk); +- goto eclkget; +- } +- + ret = ov6650_video_probe(client); +- if (ret) { +- v4l2_clk_put(priv->clk); +-eclkget: ++ if (ret) + v4l2_ctrl_handler_free(&priv->hdl); +- } + + return ret; + } +diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c +index 03cbcd2095c6..d4b3ce828285 100644 +--- a/drivers/media/pci/saa7146/hexium_gemini.c ++++ b/drivers/media/pci/saa7146/hexium_gemini.c +@@ -270,9 +270,8 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d + /* enable i2c-port pins */ + saa7146_write(dev, MC1, (MASK_08 | MASK_24 | MASK_10 | MASK_26)); + +- hexium->i2c_adapter = (struct i2c_adapter) { +- .name = "hexium gemini", +- }; ++ strscpy(hexium->i2c_adapter.name, "hexium gemini", ++ sizeof(hexium->i2c_adapter.name)); + saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480); + if (i2c_add_adapter(&hexium->i2c_adapter) < 0) { + DEB_S("cannot register i2c-device. skipping.\n"); +diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c +index 15f0d66ff78a..214396b1ca73 100644 +--- a/drivers/media/pci/saa7146/hexium_orion.c ++++ b/drivers/media/pci/saa7146/hexium_orion.c +@@ -232,9 +232,8 @@ static int hexium_probe(struct saa7146_dev *dev) + saa7146_write(dev, DD1_STREAM_B, 0x00000000); + saa7146_write(dev, MC2, (MASK_09 | MASK_25 | MASK_10 | MASK_26)); + +- hexium->i2c_adapter = (struct i2c_adapter) { +- .name = "hexium orion", +- }; ++ strscpy(hexium->i2c_adapter.name, "hexium orion", ++ sizeof(hexium->i2c_adapter.name)); + saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480); + if (i2c_add_adapter(&hexium->i2c_adapter) < 0) { + DEB_S("cannot register i2c-device. skipping.\n"); +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index d76511c1c1e3..a4639813cf35 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -1829,6 +1829,9 @@ static int coda_prepare_decode(struct coda_ctx *ctx) + /* Clear decode success flag */ + coda_write(dev, 0, CODA_RET_DEC_PIC_SUCCESS); + ++ /* Clear error return value */ ++ coda_write(dev, 0, CODA_RET_DEC_PIC_ERR_MB); ++ + trace_coda_dec_pic_run(ctx, meta); + + coda_command_async(ctx, CODA_COMMAND_PIC_RUN); +diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c +index a84954f1be34..9eb0bc4a8d97 100644 +--- a/drivers/media/platform/vivid/vivid-vid-cap.c ++++ b/drivers/media/platform/vivid/vivid-vid-cap.c +@@ -993,7 +993,7 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection + rect_map_inside(&s->r, &dev->fmt_cap_rect); + if (dev->bitmap_cap && (compose->width != s->r.width || + compose->height != s->r.height)) { +- kfree(dev->bitmap_cap); ++ vfree(dev->bitmap_cap); + dev->bitmap_cap = NULL; + } + *compose = s->r; +diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c +index ebc73b034249..51639a3f7abe 100644 +--- a/drivers/media/radio/wl128x/fmdrv_common.c ++++ b/drivers/media/radio/wl128x/fmdrv_common.c +@@ -494,7 +494,8 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 fm_op, u16 type, void *payload, + return -EIO; + } + /* Send response data to caller */ +- if (response != NULL && response_len != NULL && evt_hdr->dlen) { ++ if (response != NULL && response_len != NULL && evt_hdr->dlen && ++ evt_hdr->dlen <= payload_len) { + /* Skip header info and copy only response data */ + skb_pull(skb, sizeof(struct fm_event_msg_hdr)); + memcpy(response, skb->data, evt_hdr->dlen); +@@ -590,6 +591,8 @@ static void fm_irq_handle_flag_getcmd_resp(struct fmdev *fmdev) + return; + + fm_evt_hdr = (void *)skb->data; ++ if (fm_evt_hdr->dlen > sizeof(fmdev->irq_info.flag)) ++ return; + + /* Skip header info and copy only response data */ + skb_pull(skb, sizeof(struct fm_event_msg_hdr)); +@@ -1315,7 +1318,7 @@ static int load_default_rx_configuration(struct fmdev *fmdev) + static int fm_power_up(struct fmdev *fmdev, u8 mode) + { + u16 payload; +- __be16 asic_id, asic_ver; ++ __be16 asic_id = 0, asic_ver = 0; + int resp_len, ret; + u8 fw_name[50]; + +diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c +index 7b2fe1b56039..1df23c01ad37 100644 +--- a/drivers/media/usb/au0828/au0828-video.c ++++ b/drivers/media/usb/au0828/au0828-video.c +@@ -711,6 +711,9 @@ static int au0828_analog_stream_enable(struct au0828_dev *d) + + dprintk(1, "au0828_analog_stream_enable called\n"); + ++ if (test_bit(DEV_DISCONNECTED, &d->dev_state)) ++ return -ENODEV; ++ + iface = usb_ifnum_to_if(d->usbdev, 0); + if (iface && iface->cur_altsetting->desc.bAlternateSetting != 5) { + dprintk(1, "Changing intf#0 to alt 5\n"); +@@ -799,9 +802,9 @@ int au0828_start_analog_streaming(struct vb2_queue *vq, unsigned int count) + return rc; + } + ++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 1); ++ + if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) { +- v4l2_device_call_all(&dev->v4l2_dev, 0, video, +- s_stream, 1); + dev->vid_timeout_running = 1; + mod_timer(&dev->vid_timeout, jiffies + (HZ / 10)); + } else if (vq->type == V4L2_BUF_TYPE_VBI_CAPTURE) { +@@ -821,10 +824,11 @@ static void au0828_stop_streaming(struct vb2_queue *vq) + + dprintk(1, "au0828_stop_streaming called %d\n", dev->streaming_users); + +- if (dev->streaming_users-- == 1) ++ if (dev->streaming_users-- == 1) { + au0828_uninit_isoc(dev); ++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0); ++ } + +- v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0); + dev->vid_timeout_running = 0; + del_timer_sync(&dev->vid_timeout); + +@@ -853,8 +857,10 @@ void au0828_stop_vbi_streaming(struct vb2_queue *vq) + dprintk(1, "au0828_stop_vbi_streaming called %d\n", + dev->streaming_users); + +- if (dev->streaming_users-- == 1) ++ if (dev->streaming_users-- == 1) { + au0828_uninit_isoc(dev); ++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0); ++ } + + spin_lock_irqsave(&dev->slock, flags); + if (dev->isoc_ctl.vbi_buf != NULL) { +diff --git a/drivers/media/usb/cpia2/cpia2_v4l.c b/drivers/media/usb/cpia2/cpia2_v4l.c +index d793c630f1dd..05e7edb213de 100644 +--- a/drivers/media/usb/cpia2/cpia2_v4l.c ++++ b/drivers/media/usb/cpia2/cpia2_v4l.c +@@ -1248,8 +1248,7 @@ static int __init cpia2_init(void) + LOG("%s v%s\n", + ABOUT, CPIA_VERSION); + check_parameters(); +- cpia2_usb_init(); +- return 0; ++ return cpia2_usb_init(); + } + + +diff --git a/drivers/media/usb/go7007/go7007-fw.c b/drivers/media/usb/go7007/go7007-fw.c +index 60bf5f0644d1..a5efcd4f7b4f 100644 +--- a/drivers/media/usb/go7007/go7007-fw.c ++++ b/drivers/media/usb/go7007/go7007-fw.c +@@ -1499,8 +1499,8 @@ static int modet_to_package(struct go7007 *go, __le16 *code, int space) + return cnt; + } + +-static int do_special(struct go7007 *go, u16 type, __le16 *code, int space, +- int *framelen) ++static noinline_for_stack int do_special(struct go7007 *go, u16 type, ++ __le16 *code, int space, int *framelen) + { + switch (type) { + case SPECIAL_FRM_HEAD: +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +index 0533ef20decf..232b0fd3e478 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -670,6 +670,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp) + + static int ctrl_check_input(struct pvr2_ctrl *cptr,int v) + { ++ if (v < 0 || v > PVR2_CVAL_INPUT_MAX) ++ return 0; + return ((1 << v) & cptr->hdw->input_allowed_mask) != 0; + } + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h +index a82a00dd7329..80869990ffbb 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h +@@ -54,6 +54,7 @@ + #define PVR2_CVAL_INPUT_COMPOSITE 2 + #define PVR2_CVAL_INPUT_SVIDEO 3 + #define PVR2_CVAL_INPUT_RADIO 4 ++#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO + + enum pvr2_config { + pvr2_config_empty, /* No configuration */ +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index ec30a004f319..e8f7a1f56be5 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -391,6 +391,7 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + struct smsusb_device_t *dev; + void *mdev; + int i, rc; ++ int align = 0; + + /* create device object */ + dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL); +@@ -402,6 +403,24 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + dev->udev = interface_to_usbdev(intf); + dev->state = SMSUSB_DISCONNECTED; + ++ for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { ++ struct usb_endpoint_descriptor *desc = ++ &intf->cur_altsetting->endpoint[i].desc; ++ ++ if (desc->bEndpointAddress & USB_DIR_IN) { ++ dev->in_ep = desc->bEndpointAddress; ++ align = usb_endpoint_maxp(desc) - sizeof(struct sms_msg_hdr); ++ } else { ++ dev->out_ep = desc->bEndpointAddress; ++ } ++ } ++ ++ pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep); ++ if (!dev->in_ep || !dev->out_ep || align < 0) { /* Missing endpoints? */ ++ smsusb_term_device(intf); ++ return -ENODEV; ++ } ++ + params.device_type = sms_get_board(board_id)->type; + + switch (params.device_type) { +@@ -416,24 +435,12 @@ static int smsusb_init_device(struct usb_interface *intf, int board_id) + /* fall-thru */ + default: + dev->buffer_size = USB2_BUFFER_SIZE; +- dev->response_alignment = +- le16_to_cpu(dev->udev->ep_in[1]->desc.wMaxPacketSize) - +- sizeof(struct sms_msg_hdr); ++ dev->response_alignment = align; + + params.flags |= SMS_DEVICE_FAMILY2; + break; + } + +- for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { +- if (intf->cur_altsetting->endpoint[i].desc. bEndpointAddress & USB_DIR_IN) +- dev->in_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress; +- else +- dev->out_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress; +- } +- +- pr_debug("in_ep = %02x, out_ep = %02x\n", +- dev->in_ep, dev->out_ep); +- + params.device = &dev->udev->dev; + params.buffer_size = dev->buffer_size; + params.num_buffers = MAX_BUFFERS; +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index f2e3fdf385cc..ebd1b882556d 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -868,7 +868,7 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id, + unsigned int size; + unsigned int i; + +- extra_size = ALIGN(extra_size, sizeof(*entity->pads)); ++ extra_size = roundup(extra_size, sizeof(*entity->pads)); + num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1; + size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads + + num_inputs; +diff --git a/drivers/memory/tegra/mc.c b/drivers/memory/tegra/mc.c +index 6ab481ee8ece..8ac02b6c162f 100644 +--- a/drivers/memory/tegra/mc.c ++++ b/drivers/memory/tegra/mc.c +@@ -72,7 +72,7 @@ static int tegra_mc_setup_latency_allowance(struct tegra_mc *mc) + u32 value; + + /* compute the number of MC clock cycles per tick */ +- tick = mc->tick * clk_get_rate(mc->clk); ++ tick = (unsigned long long)mc->tick * clk_get_rate(mc->clk); + do_div(tick, NSEC_PER_SEC); + + value = readl(mc->regs + MC_EMEM_ARB_CFG); +diff --git a/drivers/misc/genwqe/card_dev.c b/drivers/misc/genwqe/card_dev.c +index c0012ca4229e..74923ffb0df1 100644 +--- a/drivers/misc/genwqe/card_dev.c ++++ b/drivers/misc/genwqe/card_dev.c +@@ -782,6 +782,8 @@ static int genwqe_pin_mem(struct genwqe_file *cfile, struct genwqe_mem *m) + + if ((m->addr == 0x0) || (m->size == 0)) + return -EINVAL; ++ if (m->size > ULONG_MAX - PAGE_SIZE - (m->addr & ~PAGE_MASK)) ++ return -EINVAL; + + map_addr = (m->addr & PAGE_MASK); + map_size = round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE); +diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c +index 0c15ba21fa54..d4c719683a8a 100644 +--- a/drivers/misc/genwqe/card_utils.c ++++ b/drivers/misc/genwqe/card_utils.c +@@ -582,6 +582,10 @@ int genwqe_user_vmap(struct genwqe_dev *cd, struct dma_mapping *m, void *uaddr, + /* determine space needed for page_list. */ + data = (unsigned long)uaddr; + offs = offset_in_page(data); ++ if (size > ULONG_MAX - PAGE_SIZE - offs) { ++ m->size = 0; /* mark unused and not added */ ++ return -EINVAL; ++ } + m->nr_pages = DIV_ROUND_UP(offs + size, PAGE_SIZE); + + m->page_list = kcalloc(m->nr_pages, +diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c +index 967535d76e34..fb8741f18c1f 100644 +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -216,6 +216,14 @@ static int mmc_decode_scr(struct mmc_card *card) + + if (scr->sda_spec3) + scr->cmds = UNSTUFF_BITS(resp, 32, 2); ++ ++ /* SD Spec says: any SD Card shall set at least bits 0 and 2 */ ++ if (!(scr->bus_widths & SD_SCR_BUS_WIDTH_1) || ++ !(scr->bus_widths & SD_SCR_BUS_WIDTH_4)) { ++ pr_err("%s: invalid bus width\n", mmc_hostname(card->host)); ++ return -EINVAL; ++ } ++ + return 0; + } + +diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c +index e03ec74f3fb0..40a369c7005a 100644 +--- a/drivers/mmc/host/mmc_spi.c ++++ b/drivers/mmc/host/mmc_spi.c +@@ -819,6 +819,10 @@ mmc_spi_readblock(struct mmc_spi_host *host, struct spi_transfer *t, + } + + status = spi_sync_locked(spi, &host->m); ++ if (status < 0) { ++ dev_dbg(&spi->dev, "read error %d\n", status); ++ return status; ++ } + + if (host->dma_dev) { + dma_sync_single_for_cpu(host->dma_dev, +diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c +index ac66c61d9433..356b294c93c9 100644 +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -624,6 +624,11 @@ static int sdhci_esdhc_probe(struct platform_device *pdev) + if (esdhc->vendor_ver > VENDOR_V_22) + host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ; + ++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) { ++ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST; ++ host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; ++ } ++ + if (of_device_is_compatible(np, "fsl,p5040-esdhc") || + of_device_is_compatible(np, "fsl,p5020-esdhc") || + of_device_is_compatible(np, "fsl,p4080-esdhc") || +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index 403fa8d98aa3..d450d8b3708c 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -12824,6 +12824,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb, + struct net_device *dev, + netdev_features_t features) + { ++ /* ++ * A skb with gso_size + header length > 9700 will cause a ++ * firmware panic. Drop GSO support. ++ * ++ * Eventually the upper layer should not pass these packets down. ++ * ++ * For speed, if the gso_size is <= 9000, assume there will ++ * not be 700 bytes of headers and pass it through. Only do a ++ * full (slow) validation if the gso_size is > 9000. ++ * ++ * (Due to the way SKB_BY_FRAGS works this will also do a full ++ * validation in that case.) ++ */ ++ if (unlikely(skb_is_gso(skb) && ++ (skb_shinfo(skb)->gso_size > 9000) && ++ !skb_gso_validate_mac_len(skb, 9700))) ++ features &= ~NETIF_F_GSO_MASK; ++ + features = vlan_features_check(skb, features); + return vxlan_features_check(skb, features); + } +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index d9ab970dcbe9..81282b811a6c 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1140,6 +1140,8 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_napi *bnapi, u32 *raw_cons, + skb = bnxt_copy_skb(bnapi, data, len, dma_addr); + bnxt_reuse_rx_data(rxr, cons, data); + if (!skb) { ++ if (agg_bufs) ++ bnxt_reuse_rx_agg_bufs(bnapi, cp_cons, agg_bufs); + rc = -ENOMEM; + goto next_rx; + } +diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h +index 8cffcdfd5678..38b5858c335a 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h ++++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h +@@ -75,8 +75,8 @@ struct l2t_data { + struct l2t_entry *rover; /* starting point for next allocation */ + atomic_t nfree; /* number of free entries */ + rwlock_t lock; +- struct l2t_entry l2tab[0]; + struct rcu_head rcu_head; /* to handle rcu cleanup */ ++ struct l2t_entry l2tab[]; + }; + + typedef void (*arp_failure_handler_func)(struct t3cdev * dev, +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +index a3e1498ca67c..3b96622de8ff 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -5061,15 +5061,24 @@ static int __init cxgb4_init_module(void) + + ret = pci_register_driver(&cxgb4_driver); + if (ret < 0) +- debugfs_remove(cxgb4_debugfs_root); ++ goto err_pci; + + #if IS_ENABLED(CONFIG_IPV6) + if (!inet6addr_registered) { +- register_inet6addr_notifier(&cxgb4_inet6addr_notifier); +- inet6addr_registered = true; ++ ret = register_inet6addr_notifier(&cxgb4_inet6addr_notifier); ++ if (ret) ++ pci_unregister_driver(&cxgb4_driver); ++ else ++ inet6addr_registered = true; + } + #endif + ++ if (ret == 0) ++ return ret; ++ ++err_pci: ++ debugfs_remove(cxgb4_debugfs_root); ++ + return ret; + } + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 06b38f50980c..22c43a776c6c 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -2263,6 +2263,10 @@ void i40e_vlan_stripping_enable(struct i40e_vsi *vsi) + struct i40e_vsi_context ctxt; + i40e_status ret; + ++ /* Don't modify stripping options if a port VLAN is active */ ++ if (vsi->info.pvid) ++ return; ++ + if ((vsi->info.valid_sections & + cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) && + ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_MODE_MASK) == 0)) +@@ -2293,6 +2297,10 @@ void i40e_vlan_stripping_disable(struct i40e_vsi *vsi) + struct i40e_vsi_context ctxt; + i40e_status ret; + ++ /* Don't modify stripping options if a port VLAN is active */ ++ if (vsi->info.pvid) ++ return; ++ + if ((vsi->info.valid_sections & + cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) && + ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_EMOD_MASK) == +diff --git a/drivers/net/ethernet/marvell/mvpp2.c b/drivers/net/ethernet/marvell/mvpp2.c +index 42305f3234ff..03f0d20aa08b 100644 +--- a/drivers/net/ethernet/marvell/mvpp2.c ++++ b/drivers/net/ethernet/marvell/mvpp2.c +@@ -3940,7 +3940,7 @@ static inline void mvpp2_gmac_max_rx_size_set(struct mvpp2_port *port) + /* Set defaults to the MVPP2 port */ + static void mvpp2_defaults_set(struct mvpp2_port *port) + { +- int tx_port_num, val, queue, ptxq, lrxq; ++ int tx_port_num, val, queue, lrxq; + + /* Configure port to loopback if needed */ + if (port->flags & MVPP2_F_LOOPBACK) +@@ -3960,11 +3960,9 @@ static void mvpp2_defaults_set(struct mvpp2_port *port) + mvpp2_write(port->priv, MVPP2_TXP_SCHED_CMD_1_REG, 0); + + /* Close bandwidth for all queues */ +- for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) { +- ptxq = mvpp2_txq_phys(port->id, queue); ++ for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) + mvpp2_write(port->priv, +- MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(ptxq), 0); +- } ++ MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(queue), 0); + + /* Set refill period to 1 usec, refill tokens + * and bucket size to maximum +@@ -4722,7 +4720,7 @@ static void mvpp2_txq_deinit(struct mvpp2_port *port, + txq->descs_phys = 0; + + /* Set minimum bandwidth for disabled TXQs */ +- mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->id), 0); ++ mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->log_id), 0); + + /* Set Tx descriptors queue starting address and size */ + mvpp2_write(port->priv, MVPP2_TXQ_NUM_REG, txq->id); +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index bcfac000199e..fcd1e6b3950d 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1906,6 +1906,8 @@ static int mlx4_en_set_tunable(struct net_device *dev, + return ret; + } + ++#define MLX4_EEPROM_PAGE_LEN 256 ++ + static int mlx4_en_get_module_info(struct net_device *dev, + struct ethtool_modinfo *modinfo) + { +@@ -1940,7 +1942,7 @@ static int mlx4_en_get_module_info(struct net_device *dev, + break; + case MLX4_MODULE_ID_SFP: + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; ++ modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN; + break; + default: + return -ENOSYS; +diff --git a/drivers/net/ethernet/mellanox/mlx4/mcg.c b/drivers/net/ethernet/mellanox/mlx4/mcg.c +index 897d061e4f03..3bf63de3a725 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c ++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c +@@ -1485,7 +1485,7 @@ int mlx4_flow_steer_promisc_add(struct mlx4_dev *dev, u8 port, + rule.port = port; + rule.qpn = qpn; + INIT_LIST_HEAD(&rule.list); +- mlx4_err(dev, "going promisc on %x\n", port); ++ mlx4_info(dev, "going promisc on %x\n", port); + + return mlx4_flow_attach(dev, &rule, regid_p); + } +diff --git a/drivers/net/ethernet/mellanox/mlx4/port.c b/drivers/net/ethernet/mellanox/mlx4/port.c +index c2b21313dba7..a9c4818448f9 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/port.c ++++ b/drivers/net/ethernet/mellanox/mlx4/port.c +@@ -1398,11 +1398,6 @@ int mlx4_get_module_info(struct mlx4_dev *dev, u8 port, + size -= offset + size - I2C_PAGE_SIZE; + + i2c_addr = I2C_ADDR_LOW; +- if (offset >= I2C_PAGE_SIZE) { +- /* Reset offset to high page */ +- i2c_addr = I2C_ADDR_HIGH; +- offset -= I2C_PAGE_SIZE; +- } + + cable_info = (struct mlx4_cable_info *)inmad->data; + cable_info->dev_mem_address = cpu_to_be16(offset); +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +index 90d95b3654f5..6bdde92869fb 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +@@ -154,7 +154,8 @@ int stmmac_mdio_reset(struct mii_bus *bus) + of_property_read_u32_array(np, + "snps,reset-delays-us", data->delays, 3); + +- if (gpio_request(data->reset_gpio, "mdio-reset")) ++ if (devm_gpio_request(priv->device, data->reset_gpio, ++ "mdio-reset")) + return 0; + } + +diff --git a/drivers/net/ppp/ppp_deflate.c b/drivers/net/ppp/ppp_deflate.c +index b5edc7f96a39..685e875f5164 100644 +--- a/drivers/net/ppp/ppp_deflate.c ++++ b/drivers/net/ppp/ppp_deflate.c +@@ -610,12 +610,20 @@ static struct compressor ppp_deflate_draft = { + + static int __init deflate_init(void) + { +- int answer = ppp_register_compressor(&ppp_deflate); +- if (answer == 0) +- printk(KERN_INFO +- "PPP Deflate Compression module registered\n"); +- ppp_register_compressor(&ppp_deflate_draft); +- return answer; ++ int rc; ++ ++ rc = ppp_register_compressor(&ppp_deflate); ++ if (rc) ++ return rc; ++ ++ rc = ppp_register_compressor(&ppp_deflate_draft); ++ if (rc) { ++ ppp_unregister_compressor(&ppp_deflate); ++ return rc; ++ } ++ ++ pr_info("PPP Deflate Compression module registered\n"); ++ return 0; + } + + static void __exit deflate_cleanup(void) +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 36e1377fc954..1e921e5eddc7 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -727,7 +727,7 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_ + int err; + u8 iface_no; + struct usb_cdc_parsed_header hdr; +- u16 curr_ntb_format; ++ __le16 curr_ntb_format; + + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) +@@ -841,7 +841,7 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_ + goto error2; + } + +- if (curr_ntb_format == USB_CDC_NCM_NTB32_FORMAT) { ++ if (curr_ntb_format == cpu_to_le16(USB_CDC_NCM_NTB32_FORMAT)) { + dev_info(&intf->dev, "resetting NTB format to 16-bit"); + err = usbnet_write_cmd(dev, USB_CDC_SET_NTB_FORMAT, + USB_TYPE_CLASS | USB_DIR_OUT +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 9710cf71054a..2502681369cd 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -499,6 +499,7 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags) + + if (netif_running (dev->net) && + netif_device_present (dev->net) && ++ test_bit(EVENT_DEV_OPEN, &dev->flags) && + !test_bit (EVENT_RX_HALT, &dev->flags) && + !test_bit (EVENT_DEV_ASLEEP, &dev->flags)) { + switch (retval = usb_submit_urb (urb, GFP_ATOMIC)) { +@@ -1385,6 +1386,11 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb, + spin_unlock_irqrestore(&dev->txq.lock, flags); + goto drop; + } ++ if (netif_queue_stopped(net)) { ++ usb_autopm_put_interface_async(dev->intf); ++ spin_unlock_irqrestore(&dev->txq.lock, flags); ++ goto drop; ++ } + + #ifdef CONFIG_PM + /* if this triggers the device is still a sleep */ +diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c +index dab25136214a..da14eca2aa2c 100644 +--- a/drivers/net/wireless/at76c50x-usb.c ++++ b/drivers/net/wireless/at76c50x-usb.c +@@ -2582,8 +2582,8 @@ static int __init at76_mod_init(void) + if (result < 0) + printk(KERN_ERR DRIVER_NAME + ": usb_register failed (status %d)\n", result); +- +- led_trigger_register_simple("at76_usb-tx", &ledtrig_tx); ++ else ++ led_trigger_register_simple("at76_usb-tx", &ledtrig_tx); + return result; + } + +diff --git a/drivers/net/wireless/b43/phy_lp.c b/drivers/net/wireless/b43/phy_lp.c +index 058a9f232050..55cb07693ae8 100644 +--- a/drivers/net/wireless/b43/phy_lp.c ++++ b/drivers/net/wireless/b43/phy_lp.c +@@ -1834,7 +1834,7 @@ static void lpphy_papd_cal(struct b43_wldev *dev, struct lpphy_tx_gains gains, + static void lpphy_papd_cal_txpwr(struct b43_wldev *dev) + { + struct b43_phy_lp *lpphy = dev->phy.lp; +- struct lpphy_tx_gains gains, oldgains; ++ struct lpphy_tx_gains oldgains; + int old_txpctl, old_afe_ovr, old_rf, old_bbmult; + + lpphy_read_tx_pctl_mode_from_hardware(dev); +@@ -1848,9 +1848,9 @@ static void lpphy_papd_cal_txpwr(struct b43_wldev *dev) + lpphy_set_tx_power_control(dev, B43_LPPHY_TXPCTL_OFF); + + if (dev->dev->chip_id == 0x4325 && dev->dev->chip_rev == 0) +- lpphy_papd_cal(dev, gains, 0, 1, 30); ++ lpphy_papd_cal(dev, oldgains, 0, 1, 30); + else +- lpphy_papd_cal(dev, gains, 0, 1, 65); ++ lpphy_papd_cal(dev, oldgains, 0, 1, 65); + + if (old_afe_ovr) + lpphy_set_tx_gains(dev, oldgains); +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/bus.h b/drivers/net/wireless/brcm80211/brcmfmac/bus.h +index 230cad788ace..84b8b1eaa22c 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/bus.h ++++ b/drivers/net/wireless/brcm80211/brcmfmac/bus.h +@@ -214,7 +214,9 @@ bool brcmf_c_prec_enq(struct device *dev, struct pktq *q, struct sk_buff *pkt, + int prec); + + /* Receive frame for delivery to OS. Callee disposes of rxp. */ +-void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp); ++void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp, bool handle_event); ++/* Receive async event packet from firmware. Callee disposes of rxp. */ ++void brcmf_rx_event(struct device *dev, struct sk_buff *rxp); + + /* Indication from bus module regarding presence/insertion of dongle. */ + int brcmf_attach(struct device *dev); +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +index ad35e760ed3f..231c0ba6acb9 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c +@@ -3328,9 +3328,15 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp, + struct brcmf_pno_scanresults_le *pfn_result; + u32 result_count; + u32 status; ++ u32 datalen; + + brcmf_dbg(SCAN, "Enter\n"); + ++ if (e->datalen < (sizeof(*pfn_result) + sizeof(*netinfo))) { ++ brcmf_dbg(SCAN, "Event data to small. Ignore\n"); ++ return 0; ++ } ++ + if (e->event_code == BRCMF_E_PFN_NET_LOST) { + brcmf_dbg(SCAN, "PFN NET LOST event. Do Nothing\n"); + return 0; +@@ -3349,6 +3355,14 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp, + if (result_count > 0) { + int i; + ++ data += sizeof(struct brcmf_pno_scanresults_le); ++ netinfo_start = (struct brcmf_pno_net_info_le *)data; ++ datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result); ++ if (datalen < result_count * sizeof(*netinfo)) { ++ brcmf_err("insufficient event data\n"); ++ goto out_err; ++ } ++ + request = kzalloc(sizeof(*request), GFP_KERNEL); + ssid = kcalloc(result_count, sizeof(*ssid), GFP_KERNEL); + channel = kcalloc(result_count, sizeof(*channel), GFP_KERNEL); +@@ -3358,9 +3372,6 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp, + } + + request->wiphy = wiphy; +- data += sizeof(struct brcmf_pno_scanresults_le); +- netinfo_start = (struct brcmf_pno_net_info_le *)data; +- + for (i = 0; i < result_count; i++) { + netinfo = &netinfo_start[i]; + if (!netinfo) { +@@ -3370,6 +3381,8 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp, + goto out_err; + } + ++ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN) ++ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN; + brcmf_dbg(SCAN, "SSID:%s Channel:%d\n", + netinfo->SSID, netinfo->channel); + memcpy(ssid[i].ssid, netinfo->SSID, netinfo->SSID_len); +@@ -4836,6 +4849,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg, + conn_info->req_ie = + kmemdup(cfg->extra_buf, conn_info->req_ie_len, + GFP_KERNEL); ++ if (!conn_info->req_ie) ++ conn_info->req_ie_len = 0; + } else { + conn_info->req_ie_len = 0; + conn_info->req_ie = NULL; +@@ -4852,6 +4867,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg, + conn_info->resp_ie = + kmemdup(cfg->extra_buf, conn_info->resp_ie_len, + GFP_KERNEL); ++ if (!conn_info->resp_ie) ++ conn_info->resp_ie_len = 0; + } else { + conn_info->resp_ie_len = 0; + conn_info->resp_ie = NULL; +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/core.c b/drivers/net/wireless/brcm80211/brcmfmac/core.c +index 82753e7c7e7c..3082391c3062 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/core.c +@@ -303,15 +303,9 @@ void brcmf_txflowblock(struct device *dev, bool state) + + void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb) + { +- skb->dev = ifp->ndev; +- skb->protocol = eth_type_trans(skb, skb->dev); +- + if (skb->pkt_type == PACKET_MULTICAST) + ifp->stats.multicast++; + +- /* Process special event packets */ +- brcmf_fweh_process_skb(ifp->drvr, skb); +- + if (!(ifp->ndev->flags & IFF_UP)) { + brcmu_pkt_buf_free_skb(skb); + return; +@@ -526,7 +520,7 @@ netif_rx: + } + } + +-void brcmf_rx_frame(struct device *dev, struct sk_buff *skb) ++void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event) + { + struct brcmf_if *ifp; + struct brcmf_bus *bus_if = dev_get_drvdata(dev); +@@ -546,11 +540,44 @@ void brcmf_rx_frame(struct device *dev, struct sk_buff *skb) + return; + } + ++ skb->protocol = eth_type_trans(skb, ifp->ndev); ++ + rd = (struct brcmf_skb_reorder_data *)skb->cb; +- if (rd->reorder) ++ if (rd->reorder) { + brcmf_rxreorder_process_info(ifp, rd->reorder, skb); +- else ++ } else { ++ /* Process special event packets */ ++ if (handle_event) ++ brcmf_fweh_process_skb(ifp->drvr, skb, ++ BCMILCP_SUBTYPE_VENDOR_LONG); ++ + brcmf_netif_rx(ifp, skb); ++ } ++} ++ ++void brcmf_rx_event(struct device *dev, struct sk_buff *skb) ++{ ++ struct brcmf_if *ifp; ++ struct brcmf_bus *bus_if = dev_get_drvdata(dev); ++ struct brcmf_pub *drvr = bus_if->drvr; ++ int ret; ++ ++ brcmf_dbg(EVENT, "Enter: %s: rxp=%p\n", dev_name(dev), skb); ++ ++ /* process and remove protocol-specific header */ ++ ret = brcmf_proto_hdrpull(drvr, true, skb, &ifp); ++ ++ if (ret || !ifp || !ifp->ndev) { ++ if (ret != -ENODATA && ifp) ++ ifp->stats.rx_errors++; ++ brcmu_pkt_buf_free_skb(skb); ++ return; ++ } ++ ++ skb->protocol = eth_type_trans(skb, ifp->ndev); ++ ++ brcmf_fweh_process_skb(ifp->drvr, skb, 0); ++ brcmu_pkt_buf_free_skb(skb); + } + + void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success) +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c +index 3878b6f6cfce..f9aa37032c2d 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c +@@ -25,50 +25,6 @@ + #include "fweh.h" + #include "fwil.h" + +-/** +- * struct brcm_ethhdr - broadcom specific ether header. +- * +- * @subtype: subtype for this packet. +- * @length: TODO: length of appended data. +- * @version: version indication. +- * @oui: OUI of this packet. +- * @usr_subtype: subtype for this OUI. +- */ +-struct brcm_ethhdr { +- __be16 subtype; +- __be16 length; +- u8 version; +- u8 oui[3]; +- __be16 usr_subtype; +-} __packed; +- +-struct brcmf_event_msg_be { +- __be16 version; +- __be16 flags; +- __be32 event_type; +- __be32 status; +- __be32 reason; +- __be32 auth_type; +- __be32 datalen; +- u8 addr[ETH_ALEN]; +- char ifname[IFNAMSIZ]; +- u8 ifidx; +- u8 bsscfgidx; +-} __packed; +- +-/** +- * struct brcmf_event - contents of broadcom event packet. +- * +- * @eth: standard ether header. +- * @hdr: broadcom specific ether header. +- * @msg: common part of the actual event message. +- */ +-struct brcmf_event { +- struct ethhdr eth; +- struct brcm_ethhdr hdr; +- struct brcmf_event_msg_be msg; +-} __packed; +- + /** + * struct brcmf_fweh_queue_item - event item on event queue. + * +@@ -85,6 +41,7 @@ struct brcmf_fweh_queue_item { + u8 ifidx; + u8 ifaddr[ETH_ALEN]; + struct brcmf_event_msg_be emsg; ++ u32 datalen; + u8 data[0]; + }; + +@@ -294,6 +251,11 @@ static void brcmf_fweh_event_worker(struct work_struct *work) + brcmf_dbg_hex_dump(BRCMF_EVENT_ON(), event->data, + min_t(u32, emsg.datalen, 64), + "event payload, len=%d\n", emsg.datalen); ++ if (emsg.datalen > event->datalen) { ++ brcmf_err("event invalid length header=%d, msg=%d\n", ++ event->datalen, emsg.datalen); ++ goto event_free; ++ } + + /* special handling of interface event */ + if (event->code == BRCMF_E_IF) { +@@ -439,7 +401,8 @@ int brcmf_fweh_activate_events(struct brcmf_if *ifp) + * dispatch the event to a registered handler (using worker). + */ + void brcmf_fweh_process_event(struct brcmf_pub *drvr, +- struct brcmf_event *event_packet) ++ struct brcmf_event *event_packet, ++ u32 packet_len) + { + enum brcmf_fweh_event_code code; + struct brcmf_fweh_info *fweh = &drvr->fweh; +@@ -459,6 +422,9 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, + if (code != BRCMF_E_IF && !fweh->evt_handler[code]) + return; + ++ if (datalen > BRCMF_DCMD_MAXLEN) ++ return; ++ + if (in_interrupt()) + alloc_flag = GFP_ATOMIC; + +@@ -472,6 +438,7 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, + /* use memcpy to get aligned event message */ + memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg)); + memcpy(event->data, data, datalen); ++ event->datalen = datalen; + memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN); + + brcmf_fweh_queue_event(fweh, event); +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/fweh.h b/drivers/net/wireless/brcm80211/brcmfmac/fweh.h +index d9a942842382..b53db92341ce 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.h ++++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.h +@@ -27,7 +27,6 @@ + struct brcmf_pub; + struct brcmf_if; + struct brcmf_cfg80211_info; +-struct brcmf_event; + + /* list of firmware events */ + #define BRCMF_FWEH_EVENT_ENUM_DEFLIST \ +@@ -180,11 +179,53 @@ enum brcmf_fweh_event_code { + /** + * definitions for event packet validation. + */ +-#define BRCMF_EVENT_OUI_OFFSET 19 +-#define BRCM_OUI "\x00\x10\x18" +-#define DOT11_OUI_LEN 3 +-#define BCMILCP_BCM_SUBTYPE_EVENT 1 ++#define BRCM_OUI "\x00\x10\x18" ++#define BCMILCP_BCM_SUBTYPE_EVENT 1 ++#define BCMILCP_SUBTYPE_VENDOR_LONG 32769 + ++/** ++ * struct brcm_ethhdr - broadcom specific ether header. ++ * ++ * @subtype: subtype for this packet. ++ * @length: TODO: length of appended data. ++ * @version: version indication. ++ * @oui: OUI of this packet. ++ * @usr_subtype: subtype for this OUI. ++ */ ++struct brcm_ethhdr { ++ __be16 subtype; ++ __be16 length; ++ u8 version; ++ u8 oui[3]; ++ __be16 usr_subtype; ++} __packed; ++ ++struct brcmf_event_msg_be { ++ __be16 version; ++ __be16 flags; ++ __be32 event_type; ++ __be32 status; ++ __be32 reason; ++ __be32 auth_type; ++ __be32 datalen; ++ u8 addr[ETH_ALEN]; ++ char ifname[IFNAMSIZ]; ++ u8 ifidx; ++ u8 bsscfgidx; ++} __packed; ++ ++/** ++ * struct brcmf_event - contents of broadcom event packet. ++ * ++ * @eth: standard ether header. ++ * @hdr: broadcom specific ether header. ++ * @msg: common part of the actual event message. ++ */ ++struct brcmf_event { ++ struct ethhdr eth; ++ struct brcm_ethhdr hdr; ++ struct brcmf_event_msg_be msg; ++} __packed; + + /** + * struct brcmf_event_msg - firmware event message. +@@ -256,34 +297,43 @@ void brcmf_fweh_unregister(struct brcmf_pub *drvr, + enum brcmf_fweh_event_code code); + int brcmf_fweh_activate_events(struct brcmf_if *ifp); + void brcmf_fweh_process_event(struct brcmf_pub *drvr, +- struct brcmf_event *event_packet); ++ struct brcmf_event *event_packet, ++ u32 packet_len); + void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing); + + static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr, +- struct sk_buff *skb) ++ struct sk_buff *skb, u16 stype) + { + struct brcmf_event *event_packet; +- u8 *data; +- u16 usr_stype; ++ u16 subtype, usr_stype; + + /* only process events when protocol matches */ + if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL)) + return; + +- /* check for BRCM oui match */ ++ if ((skb->len + ETH_HLEN) < sizeof(*event_packet)) ++ return; ++ + event_packet = (struct brcmf_event *)skb_mac_header(skb); +- data = (u8 *)event_packet; +- data += BRCMF_EVENT_OUI_OFFSET; +- if (memcmp(BRCM_OUI, data, DOT11_OUI_LEN)) ++ ++ /* check subtype if needed */ ++ if (unlikely(stype)) { ++ subtype = get_unaligned_be16(&event_packet->hdr.subtype); ++ if (subtype != stype) ++ return; ++ } ++ ++ /* check for BRCM oui match */ ++ if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0], ++ sizeof(event_packet->hdr.oui))) + return; + + /* final match on usr_subtype */ +- data += DOT11_OUI_LEN; +- usr_stype = get_unaligned_be16(data); ++ usr_stype = get_unaligned_be16(&event_packet->hdr.usr_subtype); + if (usr_stype != BCMILCP_BCM_SUBTYPE_EVENT) + return; + +- brcmf_fweh_process_event(drvr, event_packet); ++ brcmf_fweh_process_event(drvr, event_packet, skb->len + ETH_HLEN); + } + + #endif /* FWEH_H_ */ +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c +index 44e618f9d890..6f7138cea555 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c +@@ -20,6 +20,7 @@ + + #include + #include ++#include + + #include + #include +@@ -1076,28 +1077,13 @@ static void brcmf_msgbuf_rxbuf_event_post(struct brcmf_msgbuf *msgbuf) + } + + +-static void +-brcmf_msgbuf_rx_skb(struct brcmf_msgbuf *msgbuf, struct sk_buff *skb, +- u8 ifidx) +-{ +- struct brcmf_if *ifp; +- +- ifp = brcmf_get_ifp(msgbuf->drvr, ifidx); +- if (!ifp || !ifp->ndev) { +- brcmf_err("Received pkt for invalid ifidx %d\n", ifidx); +- brcmu_pkt_buf_free_skb(skb); +- return; +- } +- brcmf_netif_rx(ifp, skb); +-} +- +- + static void brcmf_msgbuf_process_event(struct brcmf_msgbuf *msgbuf, void *buf) + { + struct msgbuf_rx_event *event; + u32 idx; + u16 buflen; + struct sk_buff *skb; ++ struct brcmf_if *ifp; + + event = (struct msgbuf_rx_event *)buf; + idx = le32_to_cpu(event->msg.request_id); +@@ -1117,7 +1103,19 @@ static void brcmf_msgbuf_process_event(struct brcmf_msgbuf *msgbuf, void *buf) + + skb_trim(skb, buflen); + +- brcmf_msgbuf_rx_skb(msgbuf, skb, event->msg.ifidx); ++ ifp = brcmf_get_ifp(msgbuf->drvr, event->msg.ifidx); ++ if (!ifp || !ifp->ndev) { ++ brcmf_err("Received pkt for invalid ifidx %d\n", ++ event->msg.ifidx); ++ goto exit; ++ } ++ ++ skb->protocol = eth_type_trans(skb, ifp->ndev); ++ ++ brcmf_fweh_process_skb(ifp->drvr, skb, 0); ++ ++exit: ++ brcmu_pkt_buf_free_skb(skb); + } + + +@@ -1129,6 +1127,7 @@ brcmf_msgbuf_process_rx_complete(struct brcmf_msgbuf *msgbuf, void *buf) + u16 data_offset; + u16 buflen; + u32 idx; ++ struct brcmf_if *ifp; + + brcmf_msgbuf_update_rxbufpost_count(msgbuf, 1); + +@@ -1149,7 +1148,14 @@ brcmf_msgbuf_process_rx_complete(struct brcmf_msgbuf *msgbuf, void *buf) + + skb_trim(skb, buflen); + +- brcmf_msgbuf_rx_skb(msgbuf, skb, rx_complete->msg.ifidx); ++ ifp = brcmf_get_ifp(msgbuf->drvr, rx_complete->msg.ifidx); ++ if (!ifp || !ifp->ndev) { ++ brcmf_err("Received pkt for invalid ifidx %d\n", ++ rx_complete->msg.ifidx); ++ brcmu_pkt_buf_free_skb(skb); ++ return; ++ } ++ brcmf_netif_rx(ifp, skb); + } + + +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c +index 3196245ab820..e6c8b0d5afe0 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c +@@ -1365,6 +1365,11 @@ int brcmf_p2p_notify_action_frame_rx(struct brcmf_if *ifp, + u16 mgmt_type; + u8 action; + ++ if (e->datalen < sizeof(*rxframe)) { ++ brcmf_dbg(SCAN, "Event data to small. Ignore\n"); ++ return 0; ++ } ++ + ch.chspec = be16_to_cpu(rxframe->chanspec); + cfg->d11inf.decchspec(&ch); + /* Check if wpa_supplicant has registered for this frame */ +@@ -1862,6 +1867,11 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probereq(struct brcmf_if *ifp, + brcmf_dbg(INFO, "Enter: event %d reason %d\n", e->event_code, + e->reason); + ++ if (e->datalen < sizeof(*rxframe)) { ++ brcmf_dbg(SCAN, "Event data to small. Ignore\n"); ++ return 0; ++ } ++ + ch.chspec = be16_to_cpu(rxframe->chanspec); + cfg->d11inf.decchspec(&ch); + +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c +index 35f62b00f1df..9954e641c943 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c +@@ -1394,6 +1394,17 @@ static inline u8 brcmf_sdio_getdatoffset(u8 *swheader) + return (u8)((hdrvalue & SDPCM_DOFFSET_MASK) >> SDPCM_DOFFSET_SHIFT); + } + ++static inline bool brcmf_sdio_fromevntchan(u8 *swheader) ++{ ++ u32 hdrvalue; ++ u8 ret; ++ ++ hdrvalue = *(u32 *)swheader; ++ ret = (u8)((hdrvalue & SDPCM_CHANNEL_MASK) >> SDPCM_CHANNEL_SHIFT); ++ ++ return (ret == SDPCM_EVENT_CHANNEL); ++} ++ + static int brcmf_sdio_hdparse(struct brcmf_sdio *bus, u8 *header, + struct brcmf_sdio_hdrinfo *rd, + enum brcmf_sdio_frmtype type) +@@ -1754,7 +1765,11 @@ static u8 brcmf_sdio_rxglom(struct brcmf_sdio *bus, u8 rxseq) + pfirst->len, pfirst->next, + pfirst->prev); + skb_unlink(pfirst, &bus->glom); +- brcmf_rx_frame(bus->sdiodev->dev, pfirst); ++ if (brcmf_sdio_fromevntchan(&dptr[SDPCM_HWHDR_LEN])) ++ brcmf_rx_event(bus->sdiodev->dev, pfirst); ++ else ++ brcmf_rx_frame(bus->sdiodev->dev, pfirst, ++ false); + bus->sdcnt.rxglompkts++; + } + +@@ -2081,18 +2096,19 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes) + __skb_trim(pkt, rd->len); + skb_pull(pkt, rd->dat_offset); + ++ if (pkt->len == 0) ++ brcmu_pkt_buf_free_skb(pkt); ++ else if (rd->channel == SDPCM_EVENT_CHANNEL) ++ brcmf_rx_event(bus->sdiodev->dev, pkt); ++ else ++ brcmf_rx_frame(bus->sdiodev->dev, pkt, ++ false); ++ + /* prepare the descriptor for the next read */ + rd->len = rd->len_nxtfrm << 4; + rd->len_nxtfrm = 0; + /* treat all packet as event if we don't know */ + rd->channel = SDPCM_EVENT_CHANNEL; +- +- if (pkt->len == 0) { +- brcmu_pkt_buf_free_skb(pkt); +- continue; +- } +- +- brcmf_rx_frame(bus->sdiodev->dev, pkt); + } + + rxcount = maxframes - rxleft; +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c +index 689e64d004bc..3002268e57f3 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c +@@ -144,7 +144,7 @@ struct brcmf_usbdev_info { + + struct usb_device *usbdev; + struct device *dev; +- struct mutex dev_init_lock; ++ struct completion dev_init_done; + + int ctl_in_pipe, ctl_out_pipe; + struct urb *ctl_urb; /* URB for control endpoint */ +@@ -502,7 +502,7 @@ static void brcmf_usb_rx_complete(struct urb *urb) + + if (devinfo->bus_pub.state == BRCMFMAC_USB_STATE_UP) { + skb_put(skb, urb->actual_length); +- brcmf_rx_frame(devinfo->dev, skb); ++ brcmf_rx_frame(devinfo->dev, skb, true); + brcmf_usb_rx_refill(devinfo, req); + } else { + brcmu_pkt_buf_free_skb(skb); +@@ -669,12 +669,18 @@ static int brcmf_usb_up(struct device *dev) + + static void brcmf_cancel_all_urbs(struct brcmf_usbdev_info *devinfo) + { ++ int i; ++ + if (devinfo->ctl_urb) + usb_kill_urb(devinfo->ctl_urb); + if (devinfo->bulk_urb) + usb_kill_urb(devinfo->bulk_urb); +- brcmf_usb_free_q(&devinfo->tx_postq, true); +- brcmf_usb_free_q(&devinfo->rx_postq, true); ++ if (devinfo->tx_reqs) ++ for (i = 0; i < devinfo->bus_pub.ntxq; i++) ++ usb_kill_urb(devinfo->tx_reqs[i].urb); ++ if (devinfo->rx_reqs) ++ for (i = 0; i < devinfo->bus_pub.nrxq; i++) ++ usb_kill_urb(devinfo->rx_reqs[i].urb); + } + + static void brcmf_usb_down(struct device *dev) +@@ -1226,11 +1232,11 @@ static void brcmf_usb_probe_phase2(struct device *dev, + if (ret) + goto error; + +- mutex_unlock(&devinfo->dev_init_lock); ++ complete(&devinfo->dev_init_done); + return; + error: + brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret); +- mutex_unlock(&devinfo->dev_init_lock); ++ complete(&devinfo->dev_init_done); + device_release_driver(dev); + } + +@@ -1268,7 +1274,7 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo) + if (ret) + goto fail; + /* we are done */ +- mutex_unlock(&devinfo->dev_init_lock); ++ complete(&devinfo->dev_init_done); + return 0; + } + bus->chip = bus_pub->devid; +@@ -1322,11 +1328,10 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) + + devinfo->usbdev = usb; + devinfo->dev = &usb->dev; +- /* Take an init lock, to protect for disconnect while still loading. ++ /* Init completion, to protect for disconnect while still loading. + * Necessary because of the asynchronous firmware load construction + */ +- mutex_init(&devinfo->dev_init_lock); +- mutex_lock(&devinfo->dev_init_lock); ++ init_completion(&devinfo->dev_init_done); + + usb_set_intfdata(intf, devinfo); + +@@ -1402,7 +1407,7 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) + return 0; + + fail: +- mutex_unlock(&devinfo->dev_init_lock); ++ complete(&devinfo->dev_init_done); + kfree(devinfo); + usb_set_intfdata(intf, NULL); + return ret; +@@ -1417,7 +1422,7 @@ brcmf_usb_disconnect(struct usb_interface *intf) + devinfo = (struct brcmf_usbdev_info *)usb_get_intfdata(intf); + + if (devinfo) { +- mutex_lock(&devinfo->dev_init_lock); ++ wait_for_completion(&devinfo->dev_init_done); + /* Make sure that devinfo still exists. Firmware probe routines + * may have released the device and cleared the intfdata. + */ +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/vendor.c b/drivers/net/wireless/brcm80211/brcmfmac/vendor.c +index 8eff2753abad..d493021f6031 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/vendor.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/vendor.c +@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy, + struct brcmf_if *ifp; + const struct brcmf_vndr_dcmd_hdr *cmdhdr = data; + struct sk_buff *reply; +- int ret, payload, ret_len; ++ unsigned int payload, ret_len; + void *dcmd_buf = NULL, *wr_pointer; + u16 msglen, maxmsglen = PAGE_SIZE - 0x100; ++ int ret; + + if (len < sizeof(*cmdhdr)) { + brcmf_err("vendor command too short: %d\n", len); +@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy, + brcmf_err("oversize return buffer %d\n", ret_len); + ret_len = BRCMF_DCMD_MAXLEN; + } +- payload = max(ret_len, len) + 1; ++ payload = max_t(unsigned int, ret_len, len) + 1; + dcmd_buf = vzalloc(payload); + if (NULL == dcmd_buf) + return -ENOMEM; +diff --git a/drivers/net/wireless/cw1200/main.c b/drivers/net/wireless/cw1200/main.c +index 0e51e27d2e3f..317daa968e03 100644 +--- a/drivers/net/wireless/cw1200/main.c ++++ b/drivers/net/wireless/cw1200/main.c +@@ -345,6 +345,11 @@ static struct ieee80211_hw *cw1200_init_common(const u8 *macaddr, + mutex_init(&priv->wsm_cmd_mux); + mutex_init(&priv->conf_mutex); + priv->workqueue = create_singlethread_workqueue("cw1200_wq"); ++ if (!priv->workqueue) { ++ ieee80211_free_hw(hw); ++ return NULL; ++ } ++ + sema_init(&priv->scan.lock, 1); + INIT_WORK(&priv->scan.work, cw1200_scan_work); + INIT_DELAYED_WORK(&priv->scan.probe_work, cw1200_probe_work); +diff --git a/drivers/net/wireless/mwifiex/cfp.c b/drivers/net/wireless/mwifiex/cfp.c +index 3ddb8ec676ed..6dd331dfb517 100644 +--- a/drivers/net/wireless/mwifiex/cfp.c ++++ b/drivers/net/wireless/mwifiex/cfp.c +@@ -533,5 +533,8 @@ u8 mwifiex_adjust_data_rate(struct mwifiex_private *priv, + rate_index = (rx_rate > MWIFIEX_RATE_INDEX_OFDM0) ? + rx_rate - 1 : rx_rate; + ++ if (rate_index >= MWIFIEX_MAX_AC_RX_RATES) ++ rate_index = MWIFIEX_MAX_AC_RX_RATES - 1; ++ + return rate_index; + } +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c +index aab752328c26..5013d8c1d4a6 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -466,6 +466,11 @@ static void _rtl_init_deferred_work(struct ieee80211_hw *hw) + /* <2> work queue */ + rtlpriv->works.hw = hw; + rtlpriv->works.rtl_wq = alloc_workqueue("%s", 0, 0, rtlpriv->cfg->name); ++ if (unlikely(!rtlpriv->works.rtl_wq)) { ++ pr_err("Failed to allocate work queue\n"); ++ return; ++ } ++ + INIT_DELAYED_WORK(&rtlpriv->works.watchdog_wq, + (void *)rtl_watchdog_wq_callback); + INIT_DELAYED_WORK(&rtlpriv->works.ips_nic_off_wq, +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index 34f1d6b41fb9..cc3708ea8084 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -563,8 +563,6 @@ ccio_io_pdir_entry(u64 *pdir_ptr, space_t sid, unsigned long vba, + /* We currently only support kernel addresses */ + BUG_ON(sid != KERNEL_SPACE); + +- mtsp(sid,1); +- + /* + ** WORD 1 - low order word + ** "hints" parm includes the VALID bit! +@@ -595,7 +593,7 @@ ccio_io_pdir_entry(u64 *pdir_ptr, space_t sid, unsigned long vba, + ** Grab virtual index [0:11] + ** Deposit virt_idx bits into I/O PDIR word + */ +- asm volatile ("lci %%r0(%%sr1, %1), %0" : "=r" (ci) : "r" (vba)); ++ asm volatile ("lci %%r0(%1), %0" : "=r" (ci) : "r" (vba)); + asm volatile ("extru %1,19,12,%0" : "+r" (ci) : "r" (ci)); + asm volatile ("depw %1,15,12,%0" : "+r" (pa) : "r" (ci)); + +diff --git a/drivers/parisc/sba_iommu.c b/drivers/parisc/sba_iommu.c +index d6326144ce01..f3b9746157f8 100644 +--- a/drivers/parisc/sba_iommu.c ++++ b/drivers/parisc/sba_iommu.c +@@ -573,8 +573,7 @@ sba_io_pdir_entry(u64 *pdir_ptr, space_t sid, unsigned long vba, + pa = virt_to_phys(vba); + pa &= IOVP_MASK; + +- mtsp(sid,1); +- asm("lci 0(%%sr1, %1), %0" : "=r" (ci) : "r" (vba)); ++ asm("lci 0(%1), %0" : "=r" (ci) : "r" (vba)); + pa |= (ci >> PAGE_SHIFT) & 0xff; /* move CI (8 bits) into lowest byte */ + + pa |= SBA_PDIR_VALID_BIT; /* set "valid" bit */ +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index d85010ebac5a..36c6f3702167 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3141,6 +3141,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0030, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset); + + static void quirk_no_pm_reset(struct pci_dev *dev) + { +diff --git a/drivers/pinctrl/pinctrl-pistachio.c b/drivers/pinctrl/pinctrl-pistachio.c +index 98a459b1c095..86e8d989092c 100644 +--- a/drivers/pinctrl/pinctrl-pistachio.c ++++ b/drivers/pinctrl/pinctrl-pistachio.c +@@ -1373,6 +1373,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl) + if (!of_find_property(child, "gpio-controller", NULL)) { + dev_err(pctl->dev, + "No gpio-controller property for bank %u\n", i); ++ of_node_put(child); + ret = -ENODEV; + goto err; + } +@@ -1380,6 +1381,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl) + irq = irq_of_parse_and_map(child, 0); + if (irq < 0) { + dev_err(pctl->dev, "No IRQ for bank %u: %d\n", i, irq); ++ of_node_put(child); + ret = irq; + goto err; + } +diff --git a/drivers/power/power_supply_sysfs.c b/drivers/power/power_supply_sysfs.c +index ed2d7fd0c734..488dd7eb0aeb 100644 +--- a/drivers/power/power_supply_sysfs.c ++++ b/drivers/power/power_supply_sysfs.c +@@ -277,15 +277,11 @@ int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env) + char *prop_buf; + char *attrname; + +- dev_dbg(dev, "uevent\n"); +- + if (!psy || !psy->desc) { + dev_dbg(dev, "No power supply yet\n"); + return ret; + } + +- dev_dbg(dev, "POWER_SUPPLY_NAME=%s\n", psy->desc->name); +- + ret = add_uevent_var(env, "POWER_SUPPLY_NAME=%s", psy->desc->name); + if (ret) + return ret; +@@ -321,8 +317,6 @@ int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env) + goto out; + } + +- dev_dbg(dev, "prop %s=%s\n", attrname, prop_buf); +- + ret = add_uevent_var(env, "POWER_SUPPLY_%s=%s", attrname, prop_buf); + kfree(attrname); + if (ret) +diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c +index 19e53b3b8e00..166faae3a59c 100644 +--- a/drivers/rtc/rtc-88pm860x.c ++++ b/drivers/rtc/rtc-88pm860x.c +@@ -414,7 +414,7 @@ static int pm860x_rtc_remove(struct platform_device *pdev) + struct pm860x_rtc_info *info = platform_get_drvdata(pdev); + + #ifdef VRTC_CALIBRATION +- flush_scheduled_work(); ++ cancel_delayed_work_sync(&info->calib_work); + /* disable measurement */ + pm860x_set_bits(info->i2c, PM8607_MEAS_EN2, MEAS2_VRTC, 0); + #endif /* VRTC_CALIBRATION */ +diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h +index a01376ae1749..fdb87520543f 100644 +--- a/drivers/s390/cio/cio.h ++++ b/drivers/s390/cio/cio.h +@@ -102,7 +102,7 @@ struct subchannel { + struct schib_config config; + } __attribute__ ((aligned(8))); + +-DECLARE_PER_CPU(struct irb, cio_irb); ++DECLARE_PER_CPU_ALIGNED(struct irb, cio_irb); + + #define to_subchannel(n) container_of(n, struct subchannel, dev) + +diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h +index a39a74500e23..aeb93478482f 100644 +--- a/drivers/s390/scsi/zfcp_ext.h ++++ b/drivers/s390/scsi/zfcp_ext.h +@@ -161,6 +161,7 @@ extern const struct attribute_group *zfcp_port_attr_groups[]; + extern struct mutex zfcp_sysfs_port_units_mutex; + extern struct device_attribute *zfcp_sysfs_sdev_attrs[]; + extern struct device_attribute *zfcp_sysfs_shost_attrs[]; ++bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port); + + /* zfcp_unit.c */ + extern int zfcp_unit_add(struct zfcp_port *, u64); +diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c +index bdb257eaa2e5..68146b398603 100644 +--- a/drivers/s390/scsi/zfcp_scsi.c ++++ b/drivers/s390/scsi/zfcp_scsi.c +@@ -124,6 +124,15 @@ static int zfcp_scsi_slave_alloc(struct scsi_device *sdev) + + zfcp_sdev->erp_action.port = port; + ++ mutex_lock(&zfcp_sysfs_port_units_mutex); ++ if (zfcp_sysfs_port_is_removing(port)) { ++ /* port is already gone */ ++ mutex_unlock(&zfcp_sysfs_port_units_mutex); ++ put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */ ++ return -ENXIO; ++ } ++ mutex_unlock(&zfcp_sysfs_port_units_mutex); ++ + unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev)); + if (unit) + put_device(&unit->dev); +diff --git a/drivers/s390/scsi/zfcp_sysfs.c b/drivers/s390/scsi/zfcp_sysfs.c +index 96a0be13e841..5df597d1b978 100644 +--- a/drivers/s390/scsi/zfcp_sysfs.c ++++ b/drivers/s390/scsi/zfcp_sysfs.c +@@ -237,6 +237,53 @@ static ZFCP_DEV_ATTR(adapter, port_rescan, S_IWUSR, NULL, + + DEFINE_MUTEX(zfcp_sysfs_port_units_mutex); + ++static void zfcp_sysfs_port_set_removing(struct zfcp_port *const port) ++{ ++ lockdep_assert_held(&zfcp_sysfs_port_units_mutex); ++ atomic_set(&port->units, -1); ++} ++ ++bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port) ++{ ++ lockdep_assert_held(&zfcp_sysfs_port_units_mutex); ++ return atomic_read(&port->units) == -1; ++} ++ ++static bool zfcp_sysfs_port_in_use(struct zfcp_port *const port) ++{ ++ struct zfcp_adapter *const adapter = port->adapter; ++ unsigned long flags; ++ struct scsi_device *sdev; ++ bool in_use = true; ++ ++ mutex_lock(&zfcp_sysfs_port_units_mutex); ++ if (atomic_read(&port->units) > 0) ++ goto unlock_port_units_mutex; /* zfcp_unit(s) under port */ ++ ++ spin_lock_irqsave(adapter->scsi_host->host_lock, flags); ++ __shost_for_each_device(sdev, adapter->scsi_host) { ++ const struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev); ++ ++ if (sdev->sdev_state == SDEV_DEL || ++ sdev->sdev_state == SDEV_CANCEL) ++ continue; ++ if (zsdev->port != port) ++ continue; ++ /* alive scsi_device under port of interest */ ++ goto unlock_host_lock; ++ } ++ ++ /* port is about to be removed, so no more unit_add or slave_alloc */ ++ zfcp_sysfs_port_set_removing(port); ++ in_use = false; ++ ++unlock_host_lock: ++ spin_unlock_irqrestore(adapter->scsi_host->host_lock, flags); ++unlock_port_units_mutex: ++ mutex_unlock(&zfcp_sysfs_port_units_mutex); ++ return in_use; ++} ++ + static ssize_t zfcp_sysfs_port_remove_store(struct device *dev, + struct device_attribute *attr, + const char *buf, size_t count) +@@ -259,15 +306,11 @@ static ssize_t zfcp_sysfs_port_remove_store(struct device *dev, + else + retval = 0; + +- mutex_lock(&zfcp_sysfs_port_units_mutex); +- if (atomic_read(&port->units) > 0) { ++ if (zfcp_sysfs_port_in_use(port)) { + retval = -EBUSY; +- mutex_unlock(&zfcp_sysfs_port_units_mutex); ++ put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */ + goto out; + } +- /* port is about to be removed, so no more unit_add */ +- atomic_set(&port->units, -1); +- mutex_unlock(&zfcp_sysfs_port_units_mutex); + + write_lock_irq(&adapter->port_list_lock); + list_del(&port->list); +diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c +index 157d3d203ba1..f00693698abc 100644 +--- a/drivers/s390/scsi/zfcp_unit.c ++++ b/drivers/s390/scsi/zfcp_unit.c +@@ -122,7 +122,7 @@ int zfcp_unit_add(struct zfcp_port *port, u64 fcp_lun) + int retval = 0; + + mutex_lock(&zfcp_sysfs_port_units_mutex); +- if (atomic_read(&port->units) == -1) { ++ if (zfcp_sysfs_port_is_removing(port)) { + /* port is already gone */ + retval = -ENODEV; + goto out; +@@ -166,8 +166,14 @@ int zfcp_unit_add(struct zfcp_port *port, u64 fcp_lun) + write_lock_irq(&port->unit_list_lock); + list_add_tail(&unit->list, &port->unit_list); + write_unlock_irq(&port->unit_list_lock); ++ /* ++ * lock order: shost->scan_mutex before zfcp_sysfs_port_units_mutex ++ * due to zfcp_unit_scsi_scan() => zfcp_scsi_slave_alloc() ++ */ ++ mutex_unlock(&zfcp_sysfs_port_units_mutex); + + zfcp_unit_scsi_scan(unit); ++ return retval; + + out: + mutex_unlock(&zfcp_sysfs_port_units_mutex); +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 1a6f65db615e..ee1f9ee995e5 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -2027,6 +2027,11 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id, bool last) + if ((SAS_ADDR(sas_addr) == 0) || (res == -ECOMM)) { + phy->phy_state = PHY_EMPTY; + sas_unregister_devs_sas_addr(dev, phy_id, last); ++ /* ++ * Even though the PHY is empty, for convenience we discover ++ * the PHY to update the PHY info, like negotiated linkrate. ++ */ ++ sas_ex_phy_discover(dev, phy_id); + return res; + } else if (SAS_ADDR(sas_addr) == SAS_ADDR(phy->attached_sas_addr) && + dev_type_flutter(type, phy->attached_dev_type)) { +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 4131addfb872..a67950908db1 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -902,7 +902,11 @@ lpfc_linkdown(struct lpfc_hba *phba) + lpfc_linkdown_port(vports[i]); + } + lpfc_destroy_vport_work_array(phba, vports); +- /* Clean up any firmware default rpi's */ ++ ++ /* Clean up any SLI3 firmware default rpi's */ ++ if (phba->sli_rev > LPFC_SLI_REV3) ++ goto skip_unreg_did; ++ + mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (mb) { + lpfc_unreg_did(phba, 0xffff, LPFC_UNREG_ALL_DFLT_RPIS, mb); +@@ -914,6 +918,7 @@ lpfc_linkdown(struct lpfc_hba *phba) + } + } + ++ skip_unreg_did: + /* Setup myDID for link up if we are in pt2pt mode */ + if (phba->pport->fc_flag & FC_PT2PT) { + phba->pport->fc_myDID = 0; +@@ -4647,6 +4652,10 @@ lpfc_unreg_default_rpis(struct lpfc_vport *vport) + LPFC_MBOXQ_t *mbox; + int rc; + ++ /* Unreg DID is an SLI3 operation. */ ++ if (phba->sli_rev > LPFC_SLI_REV3) ++ return; ++ + mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (mbox) { + lpfc_unreg_did(phba, vport->vpi, LPFC_UNREG_ALL_DFLT_RPIS, +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index c158967b59d7..d220b4f691c7 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -5939,7 +5939,7 @@ static int get_fw_boot_info(struct scsi_qla_host *ha, uint16_t ddb_index[]) + val = rd_nvram_byte(ha, sec_addr); + if (val & BIT_7) + ddb_index[1] = (val & 0x7f); +- ++ goto exit_boot_info; + } else if (is_qla80XX(ha)) { + buf = dma_alloc_coherent(&ha->pdev->dev, size, + &buf_dma, GFP_KERNEL); +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 62adaca8fb97..91b9eca75b75 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2396,7 +2396,6 @@ sd_read_write_protect_flag(struct scsi_disk *sdkp, unsigned char *buffer) + int res; + struct scsi_device *sdp = sdkp->device; + struct scsi_mode_data data; +- int disk_ro = get_disk_ro(sdkp->disk); + int old_wp = sdkp->write_prot; + + set_disk_ro(sdkp->disk, 0); +@@ -2437,7 +2436,7 @@ sd_read_write_protect_flag(struct scsi_disk *sdkp, unsigned char *buffer) + "Test WP failed, assume Write Enabled\n"); + } else { + sdkp->write_prot = ((data.device_specific & 0x80) != 0); +- set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro); ++ set_disk_ro(sdkp->disk, sdkp->write_prot); + if (sdkp->first_scan || old_wp != sdkp->write_prot) { + sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n", + sdkp->write_prot ? "on" : "off"); +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index c94d465de941..7322a17660d1 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -4144,19 +4144,19 @@ static u32 ufshcd_find_max_sup_active_icc_level(struct ufs_hba *hba, + goto out; + } + +- if (hba->vreg_info.vcc) ++ if (hba->vreg_info.vcc && hba->vreg_info.vcc->max_uA) + icc_level = ufshcd_get_max_icc_level( + hba->vreg_info.vcc->max_uA, + POWER_DESC_MAX_ACTV_ICC_LVLS - 1, + &desc_buf[PWR_DESC_ACTIVE_LVLS_VCC_0]); + +- if (hba->vreg_info.vccq) ++ if (hba->vreg_info.vccq && hba->vreg_info.vccq->max_uA) + icc_level = ufshcd_get_max_icc_level( + hba->vreg_info.vccq->max_uA, + icc_level, + &desc_buf[PWR_DESC_ACTIVE_LVLS_VCCQ_0]); + +- if (hba->vreg_info.vccq2) ++ if (hba->vreg_info.vccq2 && hba->vreg_info.vccq2->max_uA) + icc_level = ufshcd_get_max_icc_level( + hba->vreg_info.vccq2->max_uA, + icc_level, +@@ -4390,6 +4390,15 @@ static int ufshcd_config_vreg_load(struct device *dev, struct ufs_vreg *vreg, + if (!vreg) + return 0; + ++ /* ++ * "set_load" operation shall be required on those regulators ++ * which specifically configured current limitation. Otherwise ++ * zero max_uA may cause unexpected behavior when regulator is ++ * enabled or set as high power mode. ++ */ ++ if (!vreg->max_uA) ++ return 0; ++ + ret = regulator_set_load(vreg->reg, ua); + if (ret < 0) { + dev_err(dev, "%s: %s set load (ua=%d) failed, err=%d\n", +@@ -4425,12 +4434,15 @@ static int ufshcd_config_vreg(struct device *dev, + name = vreg->name; + + if (regulator_count_voltages(reg) > 0) { +- min_uV = on ? vreg->min_uV : 0; +- ret = regulator_set_voltage(reg, min_uV, vreg->max_uV); +- if (ret) { +- dev_err(dev, "%s: %s set voltage failed, err=%d\n", ++ if (vreg->min_uV && vreg->max_uV) { ++ min_uV = on ? vreg->min_uV : 0; ++ ret = regulator_set_voltage(reg, min_uV, vreg->max_uV); ++ if (ret) { ++ dev_err(dev, ++ "%s: %s set voltage failed, err=%d\n", + __func__, name, ret); +- goto out; ++ goto out; ++ } + } + + uA_load = on ? vreg->max_uA : 0; +diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c +index 3cac73e4c3e4..e87b6fc9f4c6 100644 +--- a/drivers/spi/spi-pxa2xx.c ++++ b/drivers/spi/spi-pxa2xx.c +@@ -859,10 +859,14 @@ static unsigned int ssp_get_clk_div(struct driver_data *drv_data, int rate) + + rate = min_t(int, ssp_clk, rate); + ++ /* ++ * Calculate the divisor for the SCR (Serial Clock Rate), avoiding ++ * that the SSP transmission rate can be greater than the device rate ++ */ + if (ssp->type == PXA25x_SSP || ssp->type == CE4100_SSP) +- return (ssp_clk / (2 * rate) - 1) & 0xff; ++ return (DIV_ROUND_UP(ssp_clk, 2 * rate) - 1) & 0xff; + else +- return (ssp_clk / rate - 1) & 0xfff; ++ return (DIV_ROUND_UP(ssp_clk, rate) - 1) & 0xfff; + } + + static unsigned int pxa2xx_ssp_get_clk_div(struct driver_data *drv_data, +diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c +index 9882d93e7566..0556259377f7 100644 +--- a/drivers/spi/spi-rspi.c ++++ b/drivers/spi/spi-rspi.c +@@ -279,7 +279,8 @@ static int rspi_set_config_register(struct rspi_data *rspi, int access_size) + /* Sets parity, interrupt mask */ + rspi_write8(rspi, 0x00, RSPI_SPCR2); + +- /* Sets SPCMD */ ++ /* Resets sequencer */ ++ rspi_write8(rspi, 0, RSPI_SPSCR); + rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size); + rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0); + +@@ -313,7 +314,8 @@ static int rspi_rz_set_config_register(struct rspi_data *rspi, int access_size) + rspi_write8(rspi, 0x00, RSPI_SSLND); + rspi_write8(rspi, 0x00, RSPI_SPND); + +- /* Sets SPCMD */ ++ /* Resets sequencer */ ++ rspi_write8(rspi, 0, RSPI_SPSCR); + rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size); + rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0); + +@@ -364,7 +366,8 @@ static int qspi_set_config_register(struct rspi_data *rspi, int access_size) + /* Sets buffer to allow normal operation */ + rspi_write8(rspi, 0x00, QSPI_SPBFCR); + +- /* Sets SPCMD */ ++ /* Resets sequencer */ ++ rspi_write8(rspi, 0, RSPI_SPSCR); + rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0); + + /* Enables SPI function in master mode */ +diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c +index 73779cecc3bb..705f515863d4 100644 +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -1067,27 +1067,19 @@ static int tegra_spi_probe(struct platform_device *pdev) + + spi_irq = platform_get_irq(pdev, 0); + tspi->irq = spi_irq; +- ret = request_threaded_irq(tspi->irq, tegra_spi_isr, +- tegra_spi_isr_thread, IRQF_ONESHOT, +- dev_name(&pdev->dev), tspi); +- if (ret < 0) { +- dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n", +- tspi->irq); +- goto exit_free_master; +- } + + tspi->clk = devm_clk_get(&pdev->dev, "spi"); + if (IS_ERR(tspi->clk)) { + dev_err(&pdev->dev, "can not get clock\n"); + ret = PTR_ERR(tspi->clk); +- goto exit_free_irq; ++ goto exit_free_master; + } + + tspi->rst = devm_reset_control_get(&pdev->dev, "spi"); + if (IS_ERR(tspi->rst)) { + dev_err(&pdev->dev, "can not get reset\n"); + ret = PTR_ERR(tspi->rst); +- goto exit_free_irq; ++ goto exit_free_master; + } + + tspi->max_buf_size = SPI_FIFO_DEPTH << 2; +@@ -1095,7 +1087,7 @@ static int tegra_spi_probe(struct platform_device *pdev) + + ret = tegra_spi_init_dma_param(tspi, true); + if (ret < 0) +- goto exit_free_irq; ++ goto exit_free_master; + ret = tegra_spi_init_dma_param(tspi, false); + if (ret < 0) + goto exit_rx_dma_free; +@@ -1117,18 +1109,32 @@ static int tegra_spi_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "pm runtime get failed, e = %d\n", ret); + goto exit_pm_disable; + } ++ ++ reset_control_assert(tspi->rst); ++ udelay(2); ++ reset_control_deassert(tspi->rst); + tspi->def_command1_reg = SPI_M_S; + tegra_spi_writel(tspi, tspi->def_command1_reg, SPI_COMMAND1); + pm_runtime_put(&pdev->dev); ++ ret = request_threaded_irq(tspi->irq, tegra_spi_isr, ++ tegra_spi_isr_thread, IRQF_ONESHOT, ++ dev_name(&pdev->dev), tspi); ++ if (ret < 0) { ++ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n", ++ tspi->irq); ++ goto exit_pm_disable; ++ } + + master->dev.of_node = pdev->dev.of_node; + ret = devm_spi_register_master(&pdev->dev, master); + if (ret < 0) { + dev_err(&pdev->dev, "can not register to master err %d\n", ret); +- goto exit_pm_disable; ++ goto exit_free_irq; + } + return ret; + ++exit_free_irq: ++ free_irq(spi_irq, tspi); + exit_pm_disable: + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) +@@ -1136,8 +1142,6 @@ exit_pm_disable: + tegra_spi_deinit_dma_param(tspi, false); + exit_rx_dma_free: + tegra_spi_deinit_dma_param(tspi, true); +-exit_free_irq: +- free_irq(spi_irq, tspi); + exit_free_master: + spi_master_put(master); + return ret; +diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c +index 93dfcee0f987..9f30a4ab2004 100644 +--- a/drivers/spi/spi-topcliff-pch.c ++++ b/drivers/spi/spi-topcliff-pch.c +@@ -1326,18 +1326,27 @@ static void pch_free_dma_buf(struct pch_spi_board_data *board_dat, + return; + } + +-static void pch_alloc_dma_buf(struct pch_spi_board_data *board_dat, ++static int pch_alloc_dma_buf(struct pch_spi_board_data *board_dat, + struct pch_spi_data *data) + { + struct pch_spi_dma_ctrl *dma; ++ int ret; + + dma = &data->dma; ++ ret = 0; + /* Get Consistent memory for Tx DMA */ + dma->tx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev, + PCH_BUF_SIZE, &dma->tx_buf_dma, GFP_KERNEL); ++ if (!dma->tx_buf_virt) ++ ret = -ENOMEM; ++ + /* Get Consistent memory for Rx DMA */ + dma->rx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev, + PCH_BUF_SIZE, &dma->rx_buf_dma, GFP_KERNEL); ++ if (!dma->rx_buf_virt) ++ ret = -ENOMEM; ++ ++ return ret; + } + + static int pch_spi_pd_probe(struct platform_device *plat_dev) +@@ -1414,7 +1423,9 @@ static int pch_spi_pd_probe(struct platform_device *plat_dev) + + if (use_dma) { + dev_info(&plat_dev->dev, "Use DMA for data transfers\n"); +- pch_alloc_dma_buf(board_dat, data); ++ ret = pch_alloc_dma_buf(board_dat, data); ++ if (ret) ++ goto err_spi_register_master; + } + + ret = spi_register_master(master); +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 04fd651f9e3e..c132c676df3a 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -903,6 +903,8 @@ static int spi_map_msg(struct spi_master *master, struct spi_message *msg) + if (max_tx || max_rx) { + list_for_each_entry(xfer, &msg->transfers, + transfer_list) { ++ if (!xfer->len) ++ continue; + if (!xfer->tx_buf) + xfer->tx_buf = master->dummy_tx; + if (!xfer->rx_buf) +diff --git a/drivers/ssb/bridge_pcmcia_80211.c b/drivers/ssb/bridge_pcmcia_80211.c +index d70568ea02d5..2ff7d90e166a 100644 +--- a/drivers/ssb/bridge_pcmcia_80211.c ++++ b/drivers/ssb/bridge_pcmcia_80211.c +@@ -113,16 +113,21 @@ static struct pcmcia_driver ssb_host_pcmcia_driver = { + .resume = ssb_host_pcmcia_resume, + }; + ++static int pcmcia_init_failed; ++ + /* + * These are not module init/exit functions! + * The module_pcmcia_driver() helper cannot be used here. + */ + int ssb_host_pcmcia_init(void) + { +- return pcmcia_register_driver(&ssb_host_pcmcia_driver); ++ pcmcia_init_failed = pcmcia_register_driver(&ssb_host_pcmcia_driver); ++ ++ return pcmcia_init_failed; + } + + void ssb_host_pcmcia_exit(void) + { +- pcmcia_unregister_driver(&ssb_host_pcmcia_driver); ++ if (!pcmcia_init_failed) ++ pcmcia_unregister_driver(&ssb_host_pcmcia_driver); + } +diff --git a/drivers/staging/iio/magnetometer/hmc5843_i2c.c b/drivers/staging/iio/magnetometer/hmc5843_i2c.c +index 3e06ceb32059..676a8e329eeb 100644 +--- a/drivers/staging/iio/magnetometer/hmc5843_i2c.c ++++ b/drivers/staging/iio/magnetometer/hmc5843_i2c.c +@@ -59,8 +59,13 @@ static const struct regmap_config hmc5843_i2c_regmap_config = { + static int hmc5843_i2c_probe(struct i2c_client *cli, + const struct i2c_device_id *id) + { ++ struct regmap *regmap = devm_regmap_init_i2c(cli, ++ &hmc5843_i2c_regmap_config); ++ if (IS_ERR(regmap)) ++ return PTR_ERR(regmap); ++ + return hmc5843_common_probe(&cli->dev, +- devm_regmap_init_i2c(cli, &hmc5843_i2c_regmap_config), ++ regmap, + id->driver_data, id->name); + } + +diff --git a/drivers/staging/iio/magnetometer/hmc5843_spi.c b/drivers/staging/iio/magnetometer/hmc5843_spi.c +index 8be198058ea2..fded442a3c1d 100644 +--- a/drivers/staging/iio/magnetometer/hmc5843_spi.c ++++ b/drivers/staging/iio/magnetometer/hmc5843_spi.c +@@ -59,6 +59,7 @@ static const struct regmap_config hmc5843_spi_regmap_config = { + static int hmc5843_spi_probe(struct spi_device *spi) + { + int ret; ++ struct regmap *regmap; + const struct spi_device_id *id = spi_get_device_id(spi); + + spi->mode = SPI_MODE_3; +@@ -68,8 +69,12 @@ static int hmc5843_spi_probe(struct spi_device *spi) + if (ret) + return ret; + ++ regmap = devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config); ++ if (IS_ERR(regmap)) ++ return PTR_ERR(regmap); ++ + return hmc5843_common_probe(&spi->dev, +- devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config), ++ regmap, + id->driver_data, id->name); + } + +diff --git a/drivers/tty/ipwireless/main.c b/drivers/tty/ipwireless/main.c +index 655c7948261c..2fa4f9123469 100644 +--- a/drivers/tty/ipwireless/main.c ++++ b/drivers/tty/ipwireless/main.c +@@ -113,6 +113,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data) + + ipw->common_memory = ioremap(p_dev->resource[2]->start, + resource_size(p_dev->resource[2])); ++ if (!ipw->common_memory) { ++ ret = -ENOMEM; ++ goto exit1; ++ } + if (!request_mem_region(p_dev->resource[2]->start, + resource_size(p_dev->resource[2]), + IPWIRELESS_PCCARD_NAME)) { +@@ -133,6 +137,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data) + + ipw->attr_memory = ioremap(p_dev->resource[3]->start, + resource_size(p_dev->resource[3])); ++ if (!ipw->attr_memory) { ++ ret = -ENOMEM; ++ goto exit3; ++ } + if (!request_mem_region(p_dev->resource[3]->start, + resource_size(p_dev->resource[3]), + IPWIRELESS_PCCARD_NAME)) { +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c +index be55fb6def89..0ac0c618954e 100644 +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -571,7 +571,7 @@ static int max310x_set_ref_clk(struct max310x_port *s, unsigned long freq, + } + + /* Configure clock source */ +- clksrc = xtal ? MAX310X_CLKSRC_CRYST_BIT : MAX310X_CLKSRC_EXTCLK_BIT; ++ clksrc = MAX310X_CLKSRC_EXTCLK_BIT | (xtal ? MAX310X_CLKSRC_CRYST_BIT : 0); + + /* Configure PLL */ + if (pllcfg) { +diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c +index 8c4707d5778e..5f0ded6fc4e9 100644 +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -703,6 +703,7 @@ static void msm_handle_tx(struct uart_port *port) + struct circ_buf *xmit = &msm_port->uart.state->xmit; + struct msm_dma *dma = &msm_port->tx_dma; + unsigned int pio_count, dma_count, dma_min; ++ char buf[4] = { 0 }; + void __iomem *tf; + int err = 0; + +@@ -712,10 +713,12 @@ static void msm_handle_tx(struct uart_port *port) + else + tf = port->membase + UART_TF; + ++ buf[0] = port->x_char; ++ + if (msm_port->is_uartdm) + msm_reset_dm_count(port, 1); + +- iowrite8_rep(tf, &port->x_char, 1); ++ iowrite32_rep(tf, buf, 1); + port->icount.tx++; + port->x_char = 0; + return; +diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c +index 988c564b61a8..fd92c842504d 100644 +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -121,6 +121,7 @@ static const int NR_TYPES = ARRAY_SIZE(max_vals); + static struct input_handler kbd_handler; + static DEFINE_SPINLOCK(kbd_event_lock); + static DEFINE_SPINLOCK(led_lock); ++static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf' and friends */ + static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */ + static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */ + static bool dead_key_next; +@@ -1969,11 +1970,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) + char *p; + u_char *q; + u_char __user *up; +- int sz; ++ int sz, fnw_sz; + int delta; + char *first_free, *fj, *fnw; + int i, j, k; + int ret; ++ unsigned long flags; + + if (!capable(CAP_SYS_TTY_CONFIG)) + perm = 0; +@@ -2016,7 +2018,14 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) + goto reterr; + } + ++ fnw = NULL; ++ fnw_sz = 0; ++ /* race aginst other writers */ ++ again: ++ spin_lock_irqsave(&func_buf_lock, flags); + q = func_table[i]; ++ ++ /* fj pointer to next entry after 'q' */ + first_free = funcbufptr + (funcbufsize - funcbufleft); + for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++) + ; +@@ -2024,10 +2033,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) + fj = func_table[j]; + else + fj = first_free; +- ++ /* buffer usage increase by new entry */ + delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string); ++ + if (delta <= funcbufleft) { /* it fits in current buf */ + if (j < MAX_NR_FUNC) { ++ /* make enough space for new entry at 'fj' */ + memmove(fj + delta, fj, first_free - fj); + for (k = j; k < MAX_NR_FUNC; k++) + if (func_table[k]) +@@ -2040,20 +2051,28 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) + sz = 256; + while (sz < funcbufsize - funcbufleft + delta) + sz <<= 1; +- fnw = kmalloc(sz, GFP_KERNEL); +- if(!fnw) { +- ret = -ENOMEM; +- goto reterr; ++ if (fnw_sz != sz) { ++ spin_unlock_irqrestore(&func_buf_lock, flags); ++ kfree(fnw); ++ fnw = kmalloc(sz, GFP_KERNEL); ++ fnw_sz = sz; ++ if (!fnw) { ++ ret = -ENOMEM; ++ goto reterr; ++ } ++ goto again; + } + + if (!q) + func_table[i] = fj; ++ /* copy data before insertion point to new location */ + if (fj > funcbufptr) + memmove(fnw, funcbufptr, fj - funcbufptr); + for (k = 0; k < j; k++) + if (func_table[k]) + func_table[k] = fnw + (func_table[k] - funcbufptr); + ++ /* copy data after insertion point to new location */ + if (first_free > fj) { + memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj); + for (k = j; k < MAX_NR_FUNC; k++) +@@ -2066,7 +2085,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) + funcbufleft = funcbufleft - delta + sz - funcbufsize; + funcbufsize = sz; + } ++ /* finally insert item itself */ + strcpy(func_table[i], kbs->kb_string); ++ spin_unlock_irqrestore(&func_buf_lock, flags); + break; + } + ret = 0; +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index 6a287c81a7be..aef208585544 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -902,8 +902,8 @@ int usb_get_bos_descriptor(struct usb_device *dev) + + /* Get BOS descriptor */ + ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE); +- if (ret < USB_DT_BOS_SIZE) { +- dev_err(ddev, "unable to get BOS descriptor\n"); ++ if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) { ++ dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n"); + if (ret >= 0) + ret = -ENOMSG; + kfree(bos); +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 9c4f9b6e57e2..99c146f4b6b5 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -3007,6 +3007,9 @@ usb_hcd_platform_shutdown(struct platform_device *dev) + { + struct usb_hcd *hcd = platform_get_drvdata(dev); + ++ /* No need for pm_runtime_put(), we're shutting down */ ++ pm_runtime_get_sync(&dev->dev); ++ + if (hcd->driver->shutdown) + hcd->driver->shutdown(hcd); + } +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 7c87c0b38bcf..6e307de25163 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5637,7 +5637,10 @@ int usb_reset_device(struct usb_device *udev) + cintf->needs_binding = 1; + } + } +- usb_unbind_and_rebind_marked_interfaces(udev); ++ ++ /* If the reset failed, hub_wq will unbind drivers later */ ++ if (ret == 0) ++ usb_unbind_and_rebind_marked_interfaces(udev); + } + + usb_autosuspend_device(udev); +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 733479ddf8a7..38c7676e7a82 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -64,6 +64,9 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Microsoft LifeCam-VX700 v2.0 */ + { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Microsoft Surface Dock Ethernet (RTL8153 GigE) */ ++ { USB_DEVICE(0x045e, 0x07c6), .driver_info = USB_QUIRK_NO_LPM }, ++ + /* Cherry Stream G230 2.0 (G85-231) and 3.0 (G85-232) */ + { USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME }, + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index e3fdc799ad6e..ed152b8ea645 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -21,6 +21,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -46,7 +47,6 @@ static unsigned int quirks; + module_param(quirks, uint, S_IRUGO); + MODULE_PARM_DESC(quirks, "Bit flags for quirks to be enabled as default"); + +-/* TODO: copied from ehci-hcd.c - can this be refactored? */ + /* + * xhci_handshake - spin reading hc until handshake completes or fails + * @ptr: address of hc register to be read +@@ -63,18 +63,16 @@ MODULE_PARM_DESC(quirks, "Bit flags for quirks to be enabled as default"); + int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, int usec) + { + u32 result; ++ int ret; + +- do { +- result = readl(ptr); +- if (result == ~(u32)0) /* card removed */ +- return -ENODEV; +- result &= mask; +- if (result == done) +- return 0; +- udelay(1); +- usec--; +- } while (usec > 0); +- return -ETIMEDOUT; ++ ret = readl_poll_timeout_atomic(ptr, result, ++ (result & mask) == done || ++ result == U32_MAX, ++ 1, usec); ++ if (result == U32_MAX) /* card removed */ ++ return -ENODEV; ++ ++ return ret; + } + + /* +@@ -4193,7 +4191,6 @@ int xhci_set_usb2_hardware_lpm(struct usb_hcd *hcd, + pm_addr = port_array[port_num] + PORTPMSC; + pm_val = readl(pm_addr); + hlpm_addr = port_array[port_num] + PORTHLPMC; +- field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); + + xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n", + enable ? "enable" : "disable", port_num + 1); +@@ -4205,6 +4202,7 @@ int xhci_set_usb2_hardware_lpm(struct usb_hcd *hcd, + * default one which works with mixed HIRD and BESL + * systems. See XHCI_DEFAULT_BESL definition in xhci.h + */ ++ field = le32_to_cpu(udev->bos->ext_cap->bmAttributes); + if ((field & USB_BESL_SUPPORT) && + (field & USB_BESL_BASELINE_VALID)) + hird = USB_GET_BESL_BASELINE(field); +diff --git a/drivers/usb/misc/rio500.c b/drivers/usb/misc/rio500.c +index 13731d512624..6e761fabffca 100644 +--- a/drivers/usb/misc/rio500.c ++++ b/drivers/usb/misc/rio500.c +@@ -103,9 +103,22 @@ static int close_rio(struct inode *inode, struct file *file) + { + struct rio_usb_data *rio = &rio_instance; + +- rio->isopen = 0; ++ /* against disconnect() */ ++ mutex_lock(&rio500_mutex); ++ mutex_lock(&(rio->lock)); + +- dev_info(&rio->rio_dev->dev, "Rio closed.\n"); ++ rio->isopen = 0; ++ if (!rio->present) { ++ /* cleanup has been delayed */ ++ kfree(rio->ibuf); ++ kfree(rio->obuf); ++ rio->ibuf = NULL; ++ rio->obuf = NULL; ++ } else { ++ dev_info(&rio->rio_dev->dev, "Rio closed.\n"); ++ } ++ mutex_unlock(&(rio->lock)); ++ mutex_unlock(&rio500_mutex); + return 0; + } + +@@ -464,15 +477,23 @@ static int probe_rio(struct usb_interface *intf, + { + struct usb_device *dev = interface_to_usbdev(intf); + struct rio_usb_data *rio = &rio_instance; +- int retval; ++ int retval = 0; + +- dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); ++ mutex_lock(&rio500_mutex); ++ if (rio->present) { ++ dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum); ++ retval = -EBUSY; ++ goto bail_out; ++ } else { ++ dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum); ++ } + + retval = usb_register_dev(intf, &usb_rio_class); + if (retval) { + dev_err(&dev->dev, + "Not able to get a minor for this device.\n"); +- return -ENOMEM; ++ retval = -ENOMEM; ++ goto bail_out; + } + + rio->rio_dev = dev; +@@ -481,7 +502,8 @@ static int probe_rio(struct usb_interface *intf, + dev_err(&dev->dev, + "probe_rio: Not enough memory for the output buffer\n"); + usb_deregister_dev(intf, &usb_rio_class); +- return -ENOMEM; ++ retval = -ENOMEM; ++ goto bail_out; + } + dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf); + +@@ -490,7 +512,8 @@ static int probe_rio(struct usb_interface *intf, + "probe_rio: Not enough memory for the input buffer\n"); + usb_deregister_dev(intf, &usb_rio_class); + kfree(rio->obuf); +- return -ENOMEM; ++ retval = -ENOMEM; ++ goto bail_out; + } + dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf); + +@@ -498,8 +521,10 @@ static int probe_rio(struct usb_interface *intf, + + usb_set_intfdata (intf, rio); + rio->present = 1; ++bail_out: ++ mutex_unlock(&rio500_mutex); + +- return 0; ++ return retval; + } + + static void disconnect_rio(struct usb_interface *intf) +diff --git a/drivers/usb/misc/sisusbvga/sisusb.c b/drivers/usb/misc/sisusbvga/sisusb.c +index 306d6852ebc7..b9d50020c684 100644 +--- a/drivers/usb/misc/sisusbvga/sisusb.c ++++ b/drivers/usb/misc/sisusbvga/sisusb.c +@@ -3103,6 +3103,13 @@ static int sisusb_probe(struct usb_interface *intf, + + mutex_init(&(sisusb->lock)); + ++ sisusb->sisusb_dev = dev; ++ sisusb->vrambase = SISUSB_PCI_MEMBASE; ++ sisusb->mmiobase = SISUSB_PCI_MMIOBASE; ++ sisusb->mmiosize = SISUSB_PCI_MMIOSIZE; ++ sisusb->ioportbase = SISUSB_PCI_IOPORTBASE; ++ /* Everything else is zero */ ++ + /* Register device */ + retval = usb_register_dev(intf, &usb_sisusb_class); + if (retval) { +@@ -3112,13 +3119,7 @@ static int sisusb_probe(struct usb_interface *intf, + goto error_1; + } + +- sisusb->sisusb_dev = dev; +- sisusb->minor = intf->minor; +- sisusb->vrambase = SISUSB_PCI_MEMBASE; +- sisusb->mmiobase = SISUSB_PCI_MMIOBASE; +- sisusb->mmiosize = SISUSB_PCI_MMIOSIZE; +- sisusb->ioportbase = SISUSB_PCI_IOPORTBASE; +- /* Everything else is zero */ ++ sisusb->minor = intf->minor; + + /* Allocate buffers */ + sisusb->ibufsize = SISUSB_IBUF_SIZE; +diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c +index 68a113594808..2811c4afde01 100644 +--- a/drivers/video/fbdev/core/fbcmap.c ++++ b/drivers/video/fbdev/core/fbcmap.c +@@ -94,6 +94,8 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cmap, int len, int transp, gfp_t flags) + int size = len * sizeof(u16); + int ret = -ENOMEM; + ++ flags |= __GFP_NOWARN; ++ + if (cmap->len != len) { + fb_dealloc_cmap(cmap); + if (!len) +diff --git a/drivers/video/fbdev/core/modedb.c b/drivers/video/fbdev/core/modedb.c +index de119f11b78f..455a15f70172 100644 +--- a/drivers/video/fbdev/core/modedb.c ++++ b/drivers/video/fbdev/core/modedb.c +@@ -933,6 +933,9 @@ void fb_var_to_videomode(struct fb_videomode *mode, + if (var->vmode & FB_VMODE_DOUBLE) + vtotal *= 2; + ++ if (!htotal || !vtotal) ++ return; ++ + hfreq = pixclock/htotal; + mode->refresh = hfreq/vtotal; + } +diff --git a/drivers/video/fbdev/sm712.h b/drivers/video/fbdev/sm712.h +index aad1cc4be34a..c7ebf03b8d53 100644 +--- a/drivers/video/fbdev/sm712.h ++++ b/drivers/video/fbdev/sm712.h +@@ -15,14 +15,10 @@ + + #define FB_ACCEL_SMI_LYNX 88 + +-#define SCREEN_X_RES 1024 +-#define SCREEN_Y_RES 600 +-#define SCREEN_BPP 16 +- +-/*Assume SM712 graphics chip has 4MB VRAM */ +-#define SM712_VIDEOMEMORYSIZE 0x00400000 +-/*Assume SM722 graphics chip has 8MB VRAM */ +-#define SM722_VIDEOMEMORYSIZE 0x00800000 ++#define SCREEN_X_RES 1024 ++#define SCREEN_Y_RES_PC 768 ++#define SCREEN_Y_RES_NETBOOK 600 ++#define SCREEN_BPP 16 + + #define dac_reg (0x3c8) + #define dac_val (0x3c9) +diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c +index 86ae1d4556fc..589ac7e75413 100644 +--- a/drivers/video/fbdev/sm712fb.c ++++ b/drivers/video/fbdev/sm712fb.c +@@ -530,6 +530,65 @@ static const struct modeinit vgamode[] = { + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x15, 0x03, + }, + }, ++ { /* 1024 x 768 16Bpp 60Hz */ ++ 1024, 768, 16, 60, ++ /* Init_MISC */ ++ 0xEB, ++ { /* Init_SR0_SR4 */ ++ 0x03, 0x01, 0x0F, 0x03, 0x0E, ++ }, ++ { /* Init_SR10_SR24 */ ++ 0xF3, 0xB6, 0xC0, 0xDD, 0x00, 0x0E, 0x17, 0x2C, ++ 0x99, 0x02, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0xC4, 0x30, 0x02, 0x01, 0x01, ++ }, ++ { /* Init_SR30_SR75 */ ++ 0x38, 0x03, 0x20, 0x09, 0xC0, 0x3A, 0x3A, 0x3A, ++ 0x3A, 0x3A, 0x3A, 0x3A, 0x00, 0x00, 0x03, 0xFF, ++ 0x00, 0xFC, 0x00, 0x00, 0x20, 0x18, 0x00, 0xFC, ++ 0x20, 0x0C, 0x44, 0x20, 0x00, 0x00, 0x00, 0x3A, ++ 0x06, 0x68, 0xA7, 0x7F, 0x83, 0x24, 0xFF, 0x03, ++ 0x0F, 0x60, 0x59, 0x3A, 0x3A, 0x00, 0x00, 0x3A, ++ 0x01, 0x80, 0x7E, 0x1A, 0x1A, 0x00, 0x00, 0x00, ++ 0x50, 0x03, 0x74, 0x14, 0x3B, 0x0D, 0x09, 0x02, ++ 0x04, 0x45, 0x30, 0x30, 0x40, 0x20, ++ }, ++ { /* Init_SR80_SR93 */ ++ 0xFF, 0x07, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x3A, ++ 0xF7, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x3A, 0x3A, ++ 0x00, 0x00, 0x00, 0x00, ++ }, ++ { /* Init_SRA0_SRAF */ ++ 0x00, 0xFB, 0x9F, 0x01, 0x00, 0xED, 0xED, 0xED, ++ 0x7B, 0xFB, 0xFF, 0xFF, 0x97, 0xEF, 0xBF, 0xDF, ++ }, ++ { /* Init_GR00_GR08 */ ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x05, 0x0F, ++ 0xFF, ++ }, ++ { /* Init_AR00_AR14 */ ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, ++ 0x41, 0x00, 0x0F, 0x00, 0x00, ++ }, ++ { /* Init_CR00_CR18 */ ++ 0xA3, 0x7F, 0x7F, 0x00, 0x85, 0x16, 0x24, 0xF5, ++ 0x00, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x03, 0x09, 0xFF, 0x80, 0x40, 0xFF, 0x00, 0xE3, ++ 0xFF, ++ }, ++ { /* Init_CR30_CR4D */ ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x02, 0x20, ++ 0x00, 0x00, 0x00, 0x40, 0x00, 0xFF, 0xBF, 0xFF, ++ 0xA3, 0x7F, 0x00, 0x86, 0x15, 0x24, 0xFF, 0x00, ++ 0x01, 0x07, 0xE5, 0x20, 0x7F, 0xFF, ++ }, ++ { /* Init_CR90_CRA7 */ ++ 0x55, 0xD9, 0x5D, 0xE1, 0x86, 0x1B, 0x8E, 0x26, ++ 0xDA, 0x8D, 0xDE, 0x94, 0x00, 0x00, 0x18, 0x00, ++ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x15, 0x03, ++ }, ++ }, + { /* mode#5: 1024 x 768 24Bpp 60Hz */ + 1024, 768, 24, 60, + /* Init_MISC */ +@@ -827,67 +886,80 @@ static inline unsigned int chan_to_field(unsigned int chan, + + static int smtc_blank(int blank_mode, struct fb_info *info) + { ++ struct smtcfb_info *sfb = info->par; ++ + /* clear DPMS setting */ + switch (blank_mode) { + case FB_BLANK_UNBLANK: + /* Screen On: HSync: On, VSync : On */ ++ ++ switch (sfb->chip_id) { ++ case 0x710: ++ case 0x712: ++ smtc_seqw(0x6a, 0x16); ++ smtc_seqw(0x6b, 0x02); ++ break; ++ case 0x720: ++ smtc_seqw(0x6a, 0x0d); ++ smtc_seqw(0x6b, 0x02); ++ break; ++ } ++ ++ smtc_seqw(0x23, (smtc_seqr(0x23) & (~0xc0))); + smtc_seqw(0x01, (smtc_seqr(0x01) & (~0x20))); +- smtc_seqw(0x6a, 0x16); +- smtc_seqw(0x6b, 0x02); + smtc_seqw(0x21, (smtc_seqr(0x21) & 0x77)); + smtc_seqw(0x22, (smtc_seqr(0x22) & (~0x30))); +- smtc_seqw(0x23, (smtc_seqr(0x23) & (~0xc0))); +- smtc_seqw(0x24, (smtc_seqr(0x24) | 0x01)); + smtc_seqw(0x31, (smtc_seqr(0x31) | 0x03)); ++ smtc_seqw(0x24, (smtc_seqr(0x24) | 0x01)); + break; + case FB_BLANK_NORMAL: + /* Screen Off: HSync: On, VSync : On Soft blank */ ++ smtc_seqw(0x24, (smtc_seqr(0x24) | 0x01)); ++ smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00)); ++ smtc_seqw(0x23, (smtc_seqr(0x23) & (~0xc0))); + smtc_seqw(0x01, (smtc_seqr(0x01) & (~0x20))); ++ smtc_seqw(0x22, (smtc_seqr(0x22) & (~0x30))); + smtc_seqw(0x6a, 0x16); + smtc_seqw(0x6b, 0x02); +- smtc_seqw(0x22, (smtc_seqr(0x22) & (~0x30))); +- smtc_seqw(0x23, (smtc_seqr(0x23) & (~0xc0))); +- smtc_seqw(0x24, (smtc_seqr(0x24) | 0x01)); +- smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00)); + break; + case FB_BLANK_VSYNC_SUSPEND: + /* Screen On: HSync: On, VSync : Off */ ++ smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01))); ++ smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00)); ++ smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0x20)); + smtc_seqw(0x01, (smtc_seqr(0x01) | 0x20)); +- smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0))); +- smtc_seqw(0x6a, 0x0c); +- smtc_seqw(0x6b, 0x02); + smtc_seqw(0x21, (smtc_seqr(0x21) | 0x88)); ++ smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0))); + smtc_seqw(0x22, ((smtc_seqr(0x22) & (~0x30)) | 0x20)); +- smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0x20)); +- smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01))); +- smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00)); + smtc_seqw(0x34, (smtc_seqr(0x34) | 0x80)); ++ smtc_seqw(0x6a, 0x0c); ++ smtc_seqw(0x6b, 0x02); + break; + case FB_BLANK_HSYNC_SUSPEND: + /* Screen On: HSync: Off, VSync : On */ ++ smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01))); ++ smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00)); ++ smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0xD8)); + smtc_seqw(0x01, (smtc_seqr(0x01) | 0x20)); +- smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0))); +- smtc_seqw(0x6a, 0x0c); +- smtc_seqw(0x6b, 0x02); + smtc_seqw(0x21, (smtc_seqr(0x21) | 0x88)); ++ smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0))); + smtc_seqw(0x22, ((smtc_seqr(0x22) & (~0x30)) | 0x10)); +- smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0xD8)); +- smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01))); +- smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00)); + smtc_seqw(0x34, (smtc_seqr(0x34) | 0x80)); ++ smtc_seqw(0x6a, 0x0c); ++ smtc_seqw(0x6b, 0x02); + break; + case FB_BLANK_POWERDOWN: + /* Screen On: HSync: Off, VSync : Off */ ++ smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01))); ++ smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00)); ++ smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0xD8)); + smtc_seqw(0x01, (smtc_seqr(0x01) | 0x20)); +- smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0))); +- smtc_seqw(0x6a, 0x0c); +- smtc_seqw(0x6b, 0x02); + smtc_seqw(0x21, (smtc_seqr(0x21) | 0x88)); ++ smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0))); + smtc_seqw(0x22, ((smtc_seqr(0x22) & (~0x30)) | 0x30)); +- smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0xD8)); +- smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01))); +- smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00)); + smtc_seqw(0x34, (smtc_seqr(0x34) | 0x80)); ++ smtc_seqw(0x6a, 0x0c); ++ smtc_seqw(0x6b, 0x02); + break; + default: + return -EINVAL; +@@ -1144,8 +1216,10 @@ static void sm7xx_set_timing(struct smtcfb_info *sfb) + + /* init SEQ register SR30 - SR75 */ + for (i = 0; i < SIZE_SR30_SR75; i++) +- if ((i + 0x30) != 0x62 && (i + 0x30) != 0x6a && +- (i + 0x30) != 0x6b) ++ if ((i + 0x30) != 0x30 && (i + 0x30) != 0x62 && ++ (i + 0x30) != 0x6a && (i + 0x30) != 0x6b && ++ (i + 0x30) != 0x70 && (i + 0x30) != 0x71 && ++ (i + 0x30) != 0x74 && (i + 0x30) != 0x75) + smtc_seqw(i + 0x30, + vgamode[j].init_sr30_sr75[i]); + +@@ -1170,8 +1244,12 @@ static void sm7xx_set_timing(struct smtcfb_info *sfb) + smtc_crtcw(i, vgamode[j].init_cr00_cr18[i]); + + /* init CRTC register CR30 - CR4D */ +- for (i = 0; i < SIZE_CR30_CR4D; i++) ++ for (i = 0; i < SIZE_CR30_CR4D; i++) { ++ if ((i + 0x30) >= 0x3B && (i + 0x30) <= 0x3F) ++ /* side-effect, don't write to CR3B-CR3F */ ++ continue; + smtc_crtcw(i + 0x30, vgamode[j].init_cr30_cr4d[i]); ++ } + + /* init CRTC register CR90 - CRA7 */ + for (i = 0; i < SIZE_CR90_CRA7; i++) +@@ -1322,6 +1400,11 @@ static int smtc_map_smem(struct smtcfb_info *sfb, + { + sfb->fb->fix.smem_start = pci_resource_start(pdev, 0); + ++ if (sfb->chip_id == 0x720) ++ /* on SM720, the framebuffer starts at the 1 MB offset */ ++ sfb->fb->fix.smem_start += 0x00200000; ++ ++ /* XXX: is it safe for SM720 on Big-Endian? */ + if (sfb->fb->var.bits_per_pixel == 32) + sfb->fb->fix.smem_start += big_addr; + +@@ -1359,12 +1442,82 @@ static inline void sm7xx_init_hw(void) + outb_p(0x11, 0x3c5); + } + ++static u_long sm7xx_vram_probe(struct smtcfb_info *sfb) ++{ ++ u8 vram; ++ ++ switch (sfb->chip_id) { ++ case 0x710: ++ case 0x712: ++ /* ++ * Assume SM712 graphics chip has 4MB VRAM. ++ * ++ * FIXME: SM712 can have 2MB VRAM, which is used on earlier ++ * laptops, such as IBM Thinkpad 240X. This driver would ++ * probably crash on those machines. If anyone gets one of ++ * those and is willing to help, run "git blame" and send me ++ * an E-mail. ++ */ ++ return 0x00400000; ++ case 0x720: ++ outb_p(0x76, 0x3c4); ++ vram = inb_p(0x3c5) >> 6; ++ ++ if (vram == 0x00) ++ return 0x00800000; /* 8 MB */ ++ else if (vram == 0x01) ++ return 0x01000000; /* 16 MB */ ++ else if (vram == 0x02) ++ return 0x00400000; /* illegal, fallback to 4 MB */ ++ else if (vram == 0x03) ++ return 0x00400000; /* 4 MB */ ++ } ++ return 0; /* unknown hardware */ ++} ++ ++static void sm7xx_resolution_probe(struct smtcfb_info *sfb) ++{ ++ /* get mode parameter from smtc_scr_info */ ++ if (smtc_scr_info.lfb_width != 0) { ++ sfb->fb->var.xres = smtc_scr_info.lfb_width; ++ sfb->fb->var.yres = smtc_scr_info.lfb_height; ++ sfb->fb->var.bits_per_pixel = smtc_scr_info.lfb_depth; ++ goto final; ++ } ++ ++ /* ++ * No parameter, default resolution is 1024x768-16. ++ * ++ * FIXME: earlier laptops, such as IBM Thinkpad 240X, has a 800x600 ++ * panel, also see the comments about Thinkpad 240X above. ++ */ ++ sfb->fb->var.xres = SCREEN_X_RES; ++ sfb->fb->var.yres = SCREEN_Y_RES_PC; ++ sfb->fb->var.bits_per_pixel = SCREEN_BPP; ++ ++#ifdef CONFIG_MIPS ++ /* ++ * Loongson MIPS netbooks use 1024x600 LCD panels, which is the original ++ * target platform of this driver, but nearly all old x86 laptops have ++ * 1024x768. Lighting 768 panels using 600's timings would partially ++ * garble the display, so we don't want that. But it's not possible to ++ * distinguish them reliably. ++ * ++ * So we change the default to 768, but keep 600 as-is on MIPS. ++ */ ++ sfb->fb->var.yres = SCREEN_Y_RES_NETBOOK; ++#endif ++ ++final: ++ big_pixel_depth(sfb->fb->var.bits_per_pixel, smtc_scr_info.lfb_depth); ++} ++ + static int smtcfb_pci_probe(struct pci_dev *pdev, + const struct pci_device_id *ent) + { + struct smtcfb_info *sfb; + struct fb_info *info; +- u_long smem_size = 0x00800000; /* default 8MB */ ++ u_long smem_size; + int err; + unsigned long mmio_base; + +@@ -1404,29 +1557,19 @@ static int smtcfb_pci_probe(struct pci_dev *pdev, + + sm7xx_init_hw(); + +- /* get mode parameter from smtc_scr_info */ +- if (smtc_scr_info.lfb_width != 0) { +- sfb->fb->var.xres = smtc_scr_info.lfb_width; +- sfb->fb->var.yres = smtc_scr_info.lfb_height; +- sfb->fb->var.bits_per_pixel = smtc_scr_info.lfb_depth; +- } else { +- /* default resolution 1024x600 16bit mode */ +- sfb->fb->var.xres = SCREEN_X_RES; +- sfb->fb->var.yres = SCREEN_Y_RES; +- sfb->fb->var.bits_per_pixel = SCREEN_BPP; +- } +- +- big_pixel_depth(sfb->fb->var.bits_per_pixel, smtc_scr_info.lfb_depth); + /* Map address and memory detection */ + mmio_base = pci_resource_start(pdev, 0); + pci_read_config_byte(pdev, PCI_REVISION_ID, &sfb->chip_rev_id); + ++ smem_size = sm7xx_vram_probe(sfb); ++ dev_info(&pdev->dev, "%lu MiB of VRAM detected.\n", ++ smem_size / 1048576); ++ + switch (sfb->chip_id) { + case 0x710: + case 0x712: + sfb->fb->fix.mmio_start = mmio_base + 0x00400000; + sfb->fb->fix.mmio_len = 0x00400000; +- smem_size = SM712_VIDEOMEMORYSIZE; + sfb->lfb = ioremap(mmio_base, mmio_addr); + if (!sfb->lfb) { + dev_err(&pdev->dev, +@@ -1458,8 +1601,7 @@ static int smtcfb_pci_probe(struct pci_dev *pdev, + case 0x720: + sfb->fb->fix.mmio_start = mmio_base; + sfb->fb->fix.mmio_len = 0x00200000; +- smem_size = SM722_VIDEOMEMORYSIZE; +- sfb->dp_regs = ioremap(mmio_base, 0x00a00000); ++ sfb->dp_regs = ioremap(mmio_base, 0x00200000 + smem_size); + sfb->lfb = sfb->dp_regs + 0x00200000; + sfb->mmio = (smtc_regbaseaddress = + sfb->dp_regs + 0x000c0000); +@@ -1476,6 +1618,9 @@ static int smtcfb_pci_probe(struct pci_dev *pdev, + goto failed_fb; + } + ++ /* probe and decide resolution */ ++ sm7xx_resolution_probe(sfb); ++ + /* can support 32 bpp */ + if (15 == sfb->fb->var.bits_per_pixel) + sfb->fb->var.bits_per_pixel = 16; +@@ -1486,7 +1631,11 @@ static int smtcfb_pci_probe(struct pci_dev *pdev, + if (err) + goto failed; + +- smtcfb_setmode(sfb); ++ /* ++ * The screen would be temporarily garbled when sm712fb takes over ++ * vesafb or VGA text mode. Zero the framebuffer. ++ */ ++ memset_io(sfb->lfb, 0, sfb->fb->fix.smem_len); + + err = register_framebuffer(info); + if (err < 0) +diff --git a/drivers/w1/w1_io.c b/drivers/w1/w1_io.c +index 282092421cc9..1a9d9ec8db4d 100644 +--- a/drivers/w1/w1_io.c ++++ b/drivers/w1/w1_io.c +@@ -437,8 +437,7 @@ int w1_reset_resume_command(struct w1_master *dev) + if (w1_reset_bus(dev)) + return -1; + +- /* This will make only the last matched slave perform a skip ROM. */ +- w1_write_8(dev, W1_RESUME_CMD); ++ w1_write_8(dev, dev->slave_count > 1 ? W1_RESUME_CMD : W1_SKIP_ROM); + return 0; + } + EXPORT_SYMBOL_GPL(w1_reset_resume_command); +diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c +index fb0221434f81..49c5f0e9600a 100644 +--- a/drivers/xen/xen-pciback/pciback_ops.c ++++ b/drivers/xen/xen-pciback/pciback_ops.c +@@ -126,8 +126,6 @@ void xen_pcibk_reset_device(struct pci_dev *dev) + if (pci_is_enabled(dev)) + pci_disable_device(dev); + +- pci_write_config_word(dev, PCI_COMMAND, 0); +- + dev->is_busmaster = 0; + } else { + pci_read_config_word(dev, PCI_COMMAND, &cmd); +diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c +index 816a0e08ef10..d7591efa7775 100644 +--- a/drivers/xen/xenbus/xenbus_dev_frontend.c ++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c +@@ -536,7 +536,7 @@ static int xenbus_file_open(struct inode *inode, struct file *filp) + if (xen_store_evtchn == 0) + return -ENOENT; + +- nonseekable_open(inode, filp); ++ stream_open(inode, filp); + + u = kzalloc(sizeof(*u), GFP_KERNEL); + if (u == NULL) +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index e2f659dc5745..81c5d07a2af1 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1685,13 +1685,19 @@ int iterate_extent_inodes(struct btrfs_fs_info *fs_info, + extent_item_objectid); + + if (!search_commit_root) { +- trans = btrfs_join_transaction(fs_info->extent_root); +- if (IS_ERR(trans)) +- return PTR_ERR(trans); ++ trans = btrfs_attach_transaction(fs_info->extent_root); ++ if (IS_ERR(trans)) { ++ if (PTR_ERR(trans) != -ENOENT && ++ PTR_ERR(trans) != -EROFS) ++ return PTR_ERR(trans); ++ trans = NULL; ++ } ++ } ++ ++ if (trans) + btrfs_get_tree_mod_seq(fs_info, &tree_mod_seq_elem); +- } else { ++ else + down_read(&fs_info->commit_root_sem); +- } + + ret = btrfs_find_all_leafs(trans, fs_info, extent_item_objectid, + tree_mod_seq_elem.seq, &refs, +@@ -1721,7 +1727,7 @@ int iterate_extent_inodes(struct btrfs_fs_info *fs_info, + + free_leaf_list(refs); + out: +- if (!search_commit_root) { ++ if (trans) { + btrfs_put_tree_mod_seq(fs_info, &tree_mod_seq_elem); + btrfs_end_transaction(trans, fs_info->extent_root); + } else { +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 978bbfed5a2c..df2bb4b61a00 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -10730,9 +10730,9 @@ int btrfs_error_unpin_extent_range(struct btrfs_root *root, u64 start, u64 end) + * transaction. + */ + static int btrfs_trim_free_extents(struct btrfs_device *device, +- u64 minlen, u64 *trimmed) ++ struct fstrim_range *range, u64 *trimmed) + { +- u64 start = 0, len = 0; ++ u64 start = range->start, len = 0; + int ret; + + *trimmed = 0; +@@ -10768,8 +10768,8 @@ static int btrfs_trim_free_extents(struct btrfs_device *device, + atomic_inc(&trans->use_count); + spin_unlock(&fs_info->trans_lock); + +- ret = find_free_dev_extent_start(trans, device, minlen, start, +- &start, &len); ++ ret = find_free_dev_extent_start(trans, device, range->minlen, ++ start, &start, &len); + if (trans) + btrfs_put_transaction(trans); + +@@ -10781,6 +10781,16 @@ static int btrfs_trim_free_extents(struct btrfs_device *device, + break; + } + ++ /* If we are out of the passed range break */ ++ if (start > range->start + range->len - 1) { ++ mutex_unlock(&fs_info->chunk_mutex); ++ ret = 0; ++ break; ++ } ++ ++ start = max(range->start, start); ++ len = min(range->len, len); ++ + ret = btrfs_issue_discard(device->bdev, start, len, &bytes); + up_read(&fs_info->commit_root_sem); + mutex_unlock(&fs_info->chunk_mutex); +@@ -10791,6 +10801,10 @@ static int btrfs_trim_free_extents(struct btrfs_device *device, + start += len; + *trimmed += bytes; + ++ /* We've trimmed enough */ ++ if (*trimmed >= range->len) ++ break; ++ + if (fatal_signal_pending(current)) { + ret = -ERESTARTSYS; + break; +@@ -10857,8 +10871,7 @@ int btrfs_trim_fs(struct btrfs_root *root, struct fstrim_range *range) + mutex_lock(&root->fs_info->fs_devices->device_list_mutex); + devices = &root->fs_info->fs_devices->devices; + list_for_each_entry(device, devices, dev_list) { +- ret = btrfs_trim_free_extents(device, range->minlen, +- &group_trimmed); ++ ret = btrfs_trim_free_extents(device, range, &group_trimmed); + if (ret) + break; + +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index 052973620595..d056060529f8 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -1900,6 +1900,18 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync) + bool full_sync = 0; + u64 len; + ++ /* ++ * If the inode needs a full sync, make sure we use a full range to ++ * avoid log tree corruption, due to hole detection racing with ordered ++ * extent completion for adjacent ranges, and assertion failures during ++ * hole detection. ++ */ ++ if (test_bit(BTRFS_INODE_NEEDS_FULL_SYNC, ++ &BTRFS_I(inode)->runtime_flags)) { ++ start = 0; ++ end = LLONG_MAX; ++ } ++ + /* + * The range length can be represented by u64, we have to do the typecasts + * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync() +diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c +index e0ac85949067..e6aaa15505c5 100644 +--- a/fs/btrfs/sysfs.c ++++ b/fs/btrfs/sysfs.c +@@ -733,7 +733,12 @@ int btrfs_sysfs_add_fsid(struct btrfs_fs_devices *fs_devs, + fs_devs->fsid_kobj.kset = btrfs_kset; + error = kobject_init_and_add(&fs_devs->fsid_kobj, + &btrfs_ktype, parent, "%pU", fs_devs->fsid); +- return error; ++ if (error) { ++ kobject_put(&fs_devs->fsid_kobj); ++ return error; ++ } ++ ++ return 0; + } + + int btrfs_sysfs_add_mounted(struct btrfs_fs_info *fs_info) +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index c7190f322576..57a46093656a 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2808,6 +2808,12 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, + root->log_transid++; + log->log_transid = root->log_transid; + root->log_start_pid = 0; ++ /* ++ * Update or create log root item under the root's log_mutex to prevent ++ * races with concurrent log syncs that can lead to failure to update ++ * log root item because it was not created yet. ++ */ ++ ret = update_log_root(trans, log); + /* + * IO has been started, blocks of the log tree have WRITTEN flag set + * in their headers. new modifications of the log will be written to +@@ -2827,8 +2833,6 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans, + + mutex_unlock(&log_root_tree->log_mutex); + +- ret = update_log_root(trans, log); +- + mutex_lock(&log_root_tree->log_mutex); + if (atomic_dec_and_test(&log_root_tree->log_writers)) { + /* +diff --git a/fs/ceph/super.c b/fs/ceph/super.c +index f446afada328..ab8a8c9c74f2 100644 +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -712,6 +712,12 @@ static void ceph_umount_begin(struct super_block *sb) + return; + } + ++static int ceph_remount(struct super_block *sb, int *flags, char *data) ++{ ++ sync_filesystem(sb); ++ return 0; ++} ++ + static const struct super_operations ceph_super_ops = { + .alloc_inode = ceph_alloc_inode, + .destroy_inode = ceph_destroy_inode, +@@ -719,6 +725,7 @@ static const struct super_operations ceph_super_ops = { + .drop_inode = ceph_drop_inode, + .sync_fs = ceph_sync_fs, + .put_super = ceph_put_super, ++ .remount_fs = ceph_remount, + .show_options = ceph_show_options, + .statfs = ceph_statfs, + .umount_begin = ceph_umount_begin, +diff --git a/fs/char_dev.c b/fs/char_dev.c +index 24b142569ca9..d0655ca89481 100644 +--- a/fs/char_dev.c ++++ b/fs/char_dev.c +@@ -130,6 +130,12 @@ __register_chrdev_region(unsigned int major, unsigned int baseminor, + ret = -EBUSY; + goto out; + } ++ ++ if (new_min < old_min && new_max > old_max) { ++ ret = -EBUSY; ++ goto out; ++ } ++ + } + + cd->next = *cp; +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 23a8374fa97f..309c134fb66f 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -2829,7 +2829,9 @@ cifs_read_allocate_pages(struct cifs_readdata *rdata, unsigned int nr_pages) + } + + if (rc) { +- for (i = 0; i < nr_pages; i++) { ++ unsigned int nr_page_failed = i; ++ ++ for (i = 0; i < nr_page_failed; i++) { + put_page(rdata->pages[i]); + rdata->pages[i] = NULL; + } +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index eae3cdffaf7f..591c93de8c20 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1329,26 +1329,28 @@ smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, + unsigned int epoch, bool *purge_cache) + { + char message[5] = {0}; ++ unsigned int new_oplock = 0; + + oplock &= 0xFF; + if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE) + return; + +- cinode->oplock = 0; + if (oplock & SMB2_LEASE_READ_CACHING_HE) { +- cinode->oplock |= CIFS_CACHE_READ_FLG; ++ new_oplock |= CIFS_CACHE_READ_FLG; + strcat(message, "R"); + } + if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { +- cinode->oplock |= CIFS_CACHE_HANDLE_FLG; ++ new_oplock |= CIFS_CACHE_HANDLE_FLG; + strcat(message, "H"); + } + if (oplock & SMB2_LEASE_WRITE_CACHING_HE) { +- cinode->oplock |= CIFS_CACHE_WRITE_FLG; ++ new_oplock |= CIFS_CACHE_WRITE_FLG; + strcat(message, "W"); + } +- if (!cinode->oplock) +- strcat(message, "None"); ++ if (!new_oplock) ++ strncpy(message, "None", sizeof(message)); ++ ++ cinode->oplock = new_oplock; + cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, + &cinode->vfs_inode); + } +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 1708597659a1..8d98c9ac9205 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -1049,6 +1049,7 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, + __le32 border; + ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ + int err = 0; ++ size_t ext_size = 0; + + /* make decision: where to split? */ + /* FIXME: now decision is simplest: at current extent */ +@@ -1140,6 +1141,10 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, + le16_add_cpu(&neh->eh_entries, m); + } + ++ /* zero out unused area in the extent block */ ++ ext_size = sizeof(struct ext4_extent_header) + ++ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries); ++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); + ext4_extent_block_csum_set(inode, neh); + set_buffer_uptodate(bh); + unlock_buffer(bh); +@@ -1219,6 +1224,11 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, + sizeof(struct ext4_extent_idx) * m); + le16_add_cpu(&neh->eh_entries, m); + } ++ /* zero out unused area in the extent block */ ++ ext_size = sizeof(struct ext4_extent_header) + ++ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries)); ++ memset(bh->b_data + ext_size, 0, ++ inode->i_sb->s_blocksize - ext_size); + ext4_extent_block_csum_set(inode, neh); + set_buffer_uptodate(bh); + unlock_buffer(bh); +@@ -1284,6 +1294,7 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode, + ext4_fsblk_t newblock, goal = 0; + struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es; + int err = 0; ++ size_t ext_size = 0; + + /* Try to prepend new index to old one */ + if (ext_depth(inode)) +@@ -1309,9 +1320,11 @@ static int ext4_ext_grow_indepth(handle_t *handle, struct inode *inode, + goto out; + } + ++ ext_size = sizeof(EXT4_I(inode)->i_data); + /* move top-level index/leaf into new block */ +- memmove(bh->b_data, EXT4_I(inode)->i_data, +- sizeof(EXT4_I(inode)->i_data)); ++ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size); ++ /* zero out unused area in the extent block */ ++ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); + + /* set size of new block */ + neh = ext_block_hdr(bh); +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index 181db3c7f5d1..063c5991f095 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4944,7 +4944,7 @@ int ext4_setattr(struct dentry *dentry, struct iattr *attr) + up_write(&EXT4_I(inode)->i_data_sem); + ext4_journal_stop(handle); + if (error) { +- if (orphan) ++ if (orphan && inode->i_nlink) + ext4_orphan_del(NULL, inode); + goto err_out; + } +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index e44e3cd738b6..b02f210ea617 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -577,7 +577,7 @@ group_add_out: + if (err == 0) + err = err2; + mnt_drop_write_file(filp); +- if (!err && (o_group > EXT4_SB(sb)->s_groups_count) && ++ if (!err && (o_group < EXT4_SB(sb)->s_groups_count) && + ext4_has_group_desc_csum(sb) && + test_opt(sb, INIT_INODE_TABLE)) + err = ext4_register_li_request(sb, o_group); +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 6a7df72cb3da..6f00388a1471 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3867,7 +3867,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + "data=, fs mounted w/o journal"); + goto failed_mount_wq; + } +- sbi->s_def_mount_opt &= EXT4_MOUNT_JOURNAL_CHECKSUM; ++ sbi->s_def_mount_opt &= ~EXT4_MOUNT_JOURNAL_CHECKSUM; + clear_opt(sb, JOURNAL_CHECKSUM); + clear_opt(sb, DATA_FLAGS); + sbi->s_journal = NULL; +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index cfb75dbb96f5..76597dd8cfe8 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -331,11 +331,22 @@ struct inode_switch_wbs_context { + struct work_struct work; + }; + ++static void bdi_down_write_wb_switch_rwsem(struct backing_dev_info *bdi) ++{ ++ down_write(&bdi->wb_switch_rwsem); ++} ++ ++static void bdi_up_write_wb_switch_rwsem(struct backing_dev_info *bdi) ++{ ++ up_write(&bdi->wb_switch_rwsem); ++} ++ + static void inode_switch_wbs_work_fn(struct work_struct *work) + { + struct inode_switch_wbs_context *isw = + container_of(work, struct inode_switch_wbs_context, work); + struct inode *inode = isw->inode; ++ struct backing_dev_info *bdi = inode_to_bdi(inode); + struct address_space *mapping = inode->i_mapping; + struct bdi_writeback *old_wb = inode->i_wb; + struct bdi_writeback *new_wb = isw->new_wb; +@@ -343,6 +354,12 @@ static void inode_switch_wbs_work_fn(struct work_struct *work) + bool switched = false; + void **slot; + ++ /* ++ * If @inode switches cgwb membership while sync_inodes_sb() is ++ * being issued, sync_inodes_sb() might miss it. Synchronize. ++ */ ++ down_read(&bdi->wb_switch_rwsem); ++ + /* + * By the time control reaches here, RCU grace period has passed + * since I_WB_SWITCH assertion and all wb stat update transactions +@@ -435,6 +452,8 @@ skip_switch: + spin_unlock(&new_wb->list_lock); + spin_unlock(&old_wb->list_lock); + ++ up_read(&bdi->wb_switch_rwsem); ++ + if (switched) { + wb_wakeup(new_wb); + wb_put(old_wb); +@@ -475,9 +494,18 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) + if (inode->i_state & I_WB_SWITCH) + return; + ++ /* ++ * Avoid starting new switches while sync_inodes_sb() is in ++ * progress. Otherwise, if the down_write protected issue path ++ * blocks heavily, we might end up starting a large number of ++ * switches which will block on the rwsem. ++ */ ++ if (!down_read_trylock(&bdi->wb_switch_rwsem)) ++ return; ++ + isw = kzalloc(sizeof(*isw), GFP_ATOMIC); + if (!isw) +- return; ++ goto out_unlock; + + /* find and pin the new wb */ + rcu_read_lock(); +@@ -502,8 +530,6 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) + ihold(inode); + isw->inode = inode; + +- atomic_inc(&isw_nr_in_flight); +- + /* + * In addition to synchronizing among switchers, I_WB_SWITCH tells + * the RCU protected stat update paths to grab the mapping's +@@ -511,12 +537,17 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) + * Let's continue after I_WB_SWITCH is guaranteed to be visible. + */ + call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn); +- return; ++ ++ atomic_inc(&isw_nr_in_flight); ++ ++ goto out_unlock; + + out_free: + if (isw->new_wb) + wb_put(isw->new_wb); + kfree(isw); ++out_unlock: ++ up_read(&bdi->wb_switch_rwsem); + } + + /** +@@ -880,7 +911,11 @@ restart: + void cgroup_writeback_umount(void) + { + if (atomic_read(&isw_nr_in_flight)) { +- synchronize_rcu(); ++ /* ++ * Use rcu_barrier() to wait for all pending callbacks to ++ * ensure that all in-flight wb switches are in the workqueue. ++ */ ++ rcu_barrier(); + flush_workqueue(isw_wq); + } + } +@@ -896,6 +931,9 @@ fs_initcall(cgroup_writeback_init); + + #else /* CONFIG_CGROUP_WRITEBACK */ + ++static void bdi_down_write_wb_switch_rwsem(struct backing_dev_info *bdi) { } ++static void bdi_up_write_wb_switch_rwsem(struct backing_dev_info *bdi) { } ++ + static struct bdi_writeback * + locked_inode_to_wb_and_lock_list(struct inode *inode) + __releases(&inode->i_lock) +@@ -2341,8 +2379,11 @@ void sync_inodes_sb(struct super_block *sb) + return; + WARN_ON(!rwsem_is_locked(&sb->s_umount)); + ++ /* protect against inode wb switch, see inode_switch_wbs_work_fn() */ ++ bdi_down_write_wb_switch_rwsem(bdi); + bdi_split_work_to_wbs(bdi, &work, false); + wb_wait_for_completion(bdi, &done); ++ bdi_up_write_wb_switch_rwsem(bdi); + + wait_sb_inodes(sb); + } +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index d40c2451487c..ab93c4591f8c 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -178,7 +178,9 @@ void fuse_finish_open(struct inode *inode, struct file *file) + file->f_op = &fuse_direct_io_file_operations; + if (!(ff->open_flags & FOPEN_KEEP_CACHE)) + invalidate_inode_pages2(inode->i_mapping); +- if (ff->open_flags & FOPEN_NONSEEKABLE) ++ if (ff->open_flags & FOPEN_STREAM) ++ stream_open(inode, file); ++ else if (ff->open_flags & FOPEN_NONSEEKABLE) + nonseekable_open(inode, file); + if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) { + struct fuse_inode *fi = get_fuse_inode(inode); +@@ -1533,7 +1535,7 @@ __acquires(fc->lock) + { + struct fuse_conn *fc = get_fuse_conn(inode); + struct fuse_inode *fi = get_fuse_inode(inode); +- size_t crop = i_size_read(inode); ++ loff_t crop = i_size_read(inode); + struct fuse_req *req; + + while (fi->writectr >= 0 && !list_empty(&fi->queued_writes)) { +@@ -2947,6 +2949,13 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset, + } + } + ++ if (!(mode & FALLOC_FL_KEEP_SIZE) && ++ offset + length > i_size_read(inode)) { ++ err = inode_newsize_ok(inode, offset + length); ++ if (err) ++ goto out; ++ } ++ + if (!(mode & FALLOC_FL_KEEP_SIZE)) + set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 09a0cf5f3dd8..1eb737c466dd 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -136,22 +136,26 @@ static int demote_ok(const struct gfs2_glock *gl) + + void gfs2_glock_add_to_lru(struct gfs2_glock *gl) + { ++ if (!(gl->gl_ops->go_flags & GLOF_LRU)) ++ return; ++ + spin_lock(&lru_lock); + +- if (!list_empty(&gl->gl_lru)) +- list_del_init(&gl->gl_lru); +- else ++ list_del(&gl->gl_lru); ++ list_add_tail(&gl->gl_lru, &lru_list); ++ ++ if (!test_bit(GLF_LRU, &gl->gl_flags)) { ++ set_bit(GLF_LRU, &gl->gl_flags); + atomic_inc(&lru_count); ++ } + +- list_add_tail(&gl->gl_lru, &lru_list); +- set_bit(GLF_LRU, &gl->gl_flags); + spin_unlock(&lru_lock); + } + + static void gfs2_glock_remove_from_lru(struct gfs2_glock *gl) + { + spin_lock(&lru_lock); +- if (!list_empty(&gl->gl_lru)) { ++ if (test_bit(GLF_LRU, &gl->gl_flags)) { + list_del_init(&gl->gl_lru); + atomic_dec(&lru_count); + clear_bit(GLF_LRU, &gl->gl_flags); +@@ -1040,8 +1044,7 @@ void gfs2_glock_dq(struct gfs2_holder *gh) + !test_bit(GLF_DEMOTE, &gl->gl_flags)) + fast_path = 1; + } +- if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl) && +- (glops->go_flags & GLOF_LRU)) ++ if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl)) + gfs2_glock_add_to_lru(gl); + + trace_gfs2_glock_queue(gh, 0); +@@ -1341,6 +1344,7 @@ __acquires(&lru_lock) + if (!spin_trylock(&gl->gl_lockref.lock)) { + add_back_to_lru: + list_add(&gl->gl_lru, &lru_list); ++ set_bit(GLF_LRU, &gl->gl_flags); + atomic_inc(&lru_count); + continue; + } +@@ -1348,7 +1352,6 @@ add_back_to_lru: + spin_unlock(&gl->gl_lockref.lock); + goto add_back_to_lru; + } +- clear_bit(GLF_LRU, &gl->gl_flags); + gl->gl_lockref.count++; + if (demote_ok(gl)) + handle_callback(gl, LM_ST_UNLOCKED, 0, false); +@@ -1384,6 +1387,7 @@ static long gfs2_scan_glock_lru(int nr) + if (!test_bit(GLF_LOCK, &gl->gl_flags)) { + list_move(&gl->gl_lru, &dispose); + atomic_dec(&lru_count); ++ clear_bit(GLF_LRU, &gl->gl_flags); + freed++; + continue; + } +diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c +index 8b907c5cc913..3c3d037df824 100644 +--- a/fs/gfs2/lock_dlm.c ++++ b/fs/gfs2/lock_dlm.c +@@ -32,9 +32,10 @@ extern struct workqueue_struct *gfs2_control_wq; + * @delta is the difference between the current rtt sample and the + * running average srtt. We add 1/8 of that to the srtt in order to + * update the current srtt estimate. The variance estimate is a bit +- * more complicated. We subtract the abs value of the @delta from +- * the current variance estimate and add 1/4 of that to the running +- * total. ++ * more complicated. We subtract the current variance estimate from ++ * the abs value of the @delta and add 1/4 of that to the running ++ * total. That's equivalent to 3/4 of the current variance ++ * estimate plus 1/4 of the abs of @delta. + * + * Note that the index points at the array entry containing the smoothed + * mean value, and the variance is always in the following entry +@@ -50,7 +51,7 @@ static inline void gfs2_update_stats(struct gfs2_lkstats *s, unsigned index, + s64 delta = sample - s->stats[index]; + s->stats[index] += (delta >> 3); + index++; +- s->stats[index] += ((abs(delta) - s->stats[index]) >> 2); ++ s->stats[index] += (s64)(abs(delta) - s->stats[index]) >> 2; + } + + /** +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index 27c4e2ac39a9..937c6ee1786f 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -414,9 +414,7 @@ static void remove_inode_hugepages(struct inode *inode, loff_t lstart, + if (next >= end) + break; + +- hash = hugetlb_fault_mutex_hash(h, current->mm, +- &pseudo_vma, +- mapping, next, 0); ++ hash = hugetlb_fault_mutex_hash(h, mapping, next, 0); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + + lock_page(page); +@@ -569,7 +567,6 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset, + struct address_space *mapping = inode->i_mapping; + struct hstate *h = hstate_inode(inode); + struct vm_area_struct pseudo_vma; +- struct mm_struct *mm = current->mm; + loff_t hpage_size = huge_page_size(h); + unsigned long hpage_shift = huge_page_shift(h); + pgoff_t start, index, end; +@@ -633,8 +630,7 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset, + addr = index * hpage_size; + + /* mutex taken here, fault path and hole punch */ +- hash = hugetlb_fault_mutex_hash(h, mm, &pseudo_vma, mapping, +- index, addr); ++ hash = hugetlb_fault_mutex_hash(h, mapping, index, addr); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + + /* See if already present in mapping to avoid alloc/free */ +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 44f5cea49699..5be61affeefd 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -140,6 +140,10 @@ int nfs40_discover_server_trunking(struct nfs_client *clp, + /* Sustain the lease, even if it's empty. If the clientid4 + * goes stale it's of no use for trunking discovery. */ + nfs4_schedule_state_renewal(*result); ++ ++ /* If the client state need to recover, do it. */ ++ if (clp->cl_state) ++ nfs4_schedule_state_manager(clp); + } + out: + return status; +diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c +index 3494e220b510..bed15dec3c16 100644 +--- a/fs/ocfs2/export.c ++++ b/fs/ocfs2/export.c +@@ -148,16 +148,24 @@ static struct dentry *ocfs2_get_parent(struct dentry *child) + u64 blkno; + struct dentry *parent; + struct inode *dir = d_inode(child); ++ int set; + + trace_ocfs2_get_parent(child, child->d_name.len, child->d_name.name, + (unsigned long long)OCFS2_I(dir)->ip_blkno); + ++ status = ocfs2_nfs_sync_lock(OCFS2_SB(dir->i_sb), 1); ++ if (status < 0) { ++ mlog(ML_ERROR, "getting nfs sync lock(EX) failed %d\n", status); ++ parent = ERR_PTR(status); ++ goto bail; ++ } ++ + status = ocfs2_inode_lock(dir, NULL, 0); + if (status < 0) { + if (status != -ENOENT) + mlog_errno(status); + parent = ERR_PTR(status); +- goto bail; ++ goto unlock_nfs_sync; + } + + status = ocfs2_lookup_ino_from_name(dir, "..", 2, &blkno); +@@ -166,11 +174,31 @@ static struct dentry *ocfs2_get_parent(struct dentry *child) + goto bail_unlock; + } + ++ status = ocfs2_test_inode_bit(OCFS2_SB(dir->i_sb), blkno, &set); ++ if (status < 0) { ++ if (status == -EINVAL) { ++ status = -ESTALE; ++ } else ++ mlog(ML_ERROR, "test inode bit failed %d\n", status); ++ parent = ERR_PTR(status); ++ goto bail_unlock; ++ } ++ ++ trace_ocfs2_get_dentry_test_bit(status, set); ++ if (!set) { ++ status = -ESTALE; ++ parent = ERR_PTR(status); ++ goto bail_unlock; ++ } ++ + parent = d_obtain_alias(ocfs2_iget(OCFS2_SB(dir->i_sb), blkno, 0, 0)); + + bail_unlock: + ocfs2_inode_unlock(dir, 0); + ++unlock_nfs_sync: ++ ocfs2_nfs_sync_unlock(OCFS2_SB(dir->i_sb), 1); ++ + bail: + trace_ocfs2_get_parent_end(parent); + +diff --git a/fs/open.c b/fs/open.c +index fbc5c7b230b3..6cf516156111 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -1152,3 +1152,21 @@ int nonseekable_open(struct inode *inode, struct file *filp) + } + + EXPORT_SYMBOL(nonseekable_open); ++ ++/* ++ * stream_open is used by subsystems that want stream-like file descriptors. ++ * Such file descriptors are not seekable and don't have notion of position ++ * (file.f_pos is always 0). Contrary to file descriptors of other regular ++ * files, .read() and .write() can run simultaneously. ++ * ++ * stream_open never fails and is marked to return int so that it could be ++ * directly used as file_operations.open . ++ */ ++int stream_open(struct inode *inode, struct file *filp) ++{ ++ filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE | FMODE_ATOMIC_POS); ++ filp->f_mode |= FMODE_STREAM; ++ return 0; ++} ++ ++EXPORT_SYMBOL(stream_open); +diff --git a/fs/read_write.c b/fs/read_write.c +index 16e554ba885d..7b175b9134ec 100644 +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -553,12 +553,13 @@ EXPORT_SYMBOL(vfs_write); + + static inline loff_t file_pos_read(struct file *file) + { +- return file->f_pos; ++ return file->f_mode & FMODE_STREAM ? 0 : file->f_pos; + } + + static inline void file_pos_write(struct file *file, loff_t pos) + { +- file->f_pos = pos; ++ if ((file->f_mode & FMODE_STREAM) == 0) ++ file->f_pos = pos; + } + + SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count) +diff --git a/fs/ufs/util.h b/fs/ufs/util.h +index 3f9463f8cf2f..f877d5cadd98 100644 +--- a/fs/ufs/util.h ++++ b/fs/ufs/util.h +@@ -228,7 +228,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode) + case UFS_UID_44BSD: + return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid); + case UFS_UID_EFT: +- if (inode->ui_u1.oldids.ui_suid == 0xFFFF) ++ if (inode->ui_u1.oldids.ui_sgid == 0xFFFF) + return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid); + /* Fall through */ + default: +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c +index 59d58bdad7d3..e93541282aa1 100644 +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -137,7 +137,7 @@ static void userfaultfd_ctx_put(struct userfaultfd_ctx *ctx) + VM_BUG_ON(waitqueue_active(&ctx->fault_wqh)); + VM_BUG_ON(spin_is_locked(&ctx->fd_wqh.lock)); + VM_BUG_ON(waitqueue_active(&ctx->fd_wqh)); +- mmput(ctx->mm); ++ mmdrop(ctx->mm); + kmem_cache_free(userfaultfd_ctx_cachep, ctx); + } + } +@@ -434,6 +434,9 @@ static int userfaultfd_release(struct inode *inode, struct file *file) + + ACCESS_ONCE(ctx->released) = true; + ++ if (!mmget_not_zero(mm)) ++ goto wakeup; ++ + /* + * Flush page faults out of all CPUs. NOTE: all page faults + * must be retried without returning VM_FAULT_SIGBUS if +@@ -466,7 +469,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file) + vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; + } + up_write(&mm->mmap_sem); +- ++ mmput(mm); ++wakeup: + /* + * After no new page faults can wait on this fault_*wqh, flush + * the last page faults that may have been already waiting on +@@ -760,10 +764,12 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, + start = uffdio_register.range.start; + end = start + uffdio_register.range.len; + ++ ret = -ENOMEM; ++ if (!mmget_not_zero(mm)) ++ goto out; ++ + down_write(&mm->mmap_sem); + vma = find_vma_prev(mm, start, &prev); +- +- ret = -ENOMEM; + if (!vma) + goto out_unlock; + +@@ -864,6 +870,7 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, + } while (vma && vma->vm_start < end); + out_unlock: + up_write(&mm->mmap_sem); ++ mmput(mm); + if (!ret) { + /* + * Now that we scanned all vmas we can already tell +@@ -902,10 +909,12 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, + start = uffdio_unregister.start; + end = start + uffdio_unregister.len; + ++ ret = -ENOMEM; ++ if (!mmget_not_zero(mm)) ++ goto out; ++ + down_write(&mm->mmap_sem); + vma = find_vma_prev(mm, start, &prev); +- +- ret = -ENOMEM; + if (!vma) + goto out_unlock; + +@@ -998,6 +1007,7 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, + } while (vma && vma->vm_start < end); + out_unlock: + up_write(&mm->mmap_sem); ++ mmput(mm); + out: + return ret; + } +@@ -1067,9 +1077,11 @@ static int userfaultfd_copy(struct userfaultfd_ctx *ctx, + goto out; + if (uffdio_copy.mode & ~UFFDIO_COPY_MODE_DONTWAKE) + goto out; +- +- ret = mcopy_atomic(ctx->mm, uffdio_copy.dst, uffdio_copy.src, +- uffdio_copy.len); ++ if (mmget_not_zero(ctx->mm)) { ++ ret = mcopy_atomic(ctx->mm, uffdio_copy.dst, uffdio_copy.src, ++ uffdio_copy.len); ++ mmput(ctx->mm); ++ } + if (unlikely(put_user(ret, &user_uffdio_copy->copy))) + return -EFAULT; + if (ret < 0) +@@ -1110,8 +1122,11 @@ static int userfaultfd_zeropage(struct userfaultfd_ctx *ctx, + if (uffdio_zeropage.mode & ~UFFDIO_ZEROPAGE_MODE_DONTWAKE) + goto out; + +- ret = mfill_zeropage(ctx->mm, uffdio_zeropage.range.start, +- uffdio_zeropage.range.len); ++ if (mmget_not_zero(ctx->mm)) { ++ ret = mfill_zeropage(ctx->mm, uffdio_zeropage.range.start, ++ uffdio_zeropage.range.len); ++ mmput(ctx->mm); ++ } + if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage))) + return -EFAULT; + if (ret < 0) +@@ -1289,12 +1304,12 @@ static struct file *userfaultfd_file_create(int flags) + ctx->released = false; + ctx->mm = current->mm; + /* prevent the mm struct to be freed */ +- atomic_inc(&ctx->mm->mm_users); ++ atomic_inc(&ctx->mm->mm_count); + + file = anon_inode_getfile("[userfaultfd]", &userfaultfd_fops, ctx, + O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS)); + if (IS_ERR(file)) { +- mmput(ctx->mm); ++ mmdrop(ctx->mm); + kmem_cache_free(userfaultfd_ctx_cachep, ctx); + } + out: +diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h +index 072501a0ac86..dfa6d4f08b99 100644 +--- a/include/linux/backing-dev-defs.h ++++ b/include/linux/backing-dev-defs.h +@@ -157,6 +157,7 @@ struct backing_dev_info { + struct radix_tree_root cgwb_tree; /* radix tree of active cgroup wbs */ + struct rb_root cgwb_congested_tree; /* their congested states */ + atomic_t usage_cnt; /* counts both cgwbs and cgwb_contested's */ ++ struct rw_semaphore wb_switch_rwsem; /* no cgwb switch while syncing */ + #else + struct bdi_writeback_congested *wb_congested; + #endif +diff --git a/include/linux/bio.h b/include/linux/bio.h +index 42e4e3cbb001..0ffb9a397620 100644 +--- a/include/linux/bio.h ++++ b/include/linux/bio.h +@@ -290,7 +290,7 @@ static inline void bio_cnt_set(struct bio *bio, unsigned int count) + { + if (count != 1) { + bio->bi_flags |= (1 << BIO_REFFED); +- smp_mb__before_atomic(); ++ smp_mb(); + } + atomic_set(&bio->__bi_cnt, count); + } +diff --git a/include/linux/bitops.h b/include/linux/bitops.h +index e76d03f44c80..83edade218fa 100644 +--- a/include/linux/bitops.h ++++ b/include/linux/bitops.h +@@ -68,7 +68,7 @@ static __always_inline unsigned long hweight_long(unsigned long w) + */ + static inline __u64 rol64(__u64 word, unsigned int shift) + { +- return (word << shift) | (word >> (64 - shift)); ++ return (word << (shift & 63)) | (word >> ((-shift) & 63)); + } + + /** +@@ -78,7 +78,7 @@ static inline __u64 rol64(__u64 word, unsigned int shift) + */ + static inline __u64 ror64(__u64 word, unsigned int shift) + { +- return (word >> shift) | (word << (64 - shift)); ++ return (word >> (shift & 63)) | (word << ((-shift) & 63)); + } + + /** +@@ -88,7 +88,7 @@ static inline __u64 ror64(__u64 word, unsigned int shift) + */ + static inline __u32 rol32(__u32 word, unsigned int shift) + { +- return (word << shift) | (word >> ((-shift) & 31)); ++ return (word << (shift & 31)) | (word >> ((-shift) & 31)); + } + + /** +@@ -98,7 +98,7 @@ static inline __u32 rol32(__u32 word, unsigned int shift) + */ + static inline __u32 ror32(__u32 word, unsigned int shift) + { +- return (word >> shift) | (word << (32 - shift)); ++ return (word >> (shift & 31)) | (word << ((-shift) & 31)); + } + + /** +@@ -108,7 +108,7 @@ static inline __u32 ror32(__u32 word, unsigned int shift) + */ + static inline __u16 rol16(__u16 word, unsigned int shift) + { +- return (word << shift) | (word >> (16 - shift)); ++ return (word << (shift & 15)) | (word >> ((-shift) & 15)); + } + + /** +@@ -118,7 +118,7 @@ static inline __u16 rol16(__u16 word, unsigned int shift) + */ + static inline __u16 ror16(__u16 word, unsigned int shift) + { +- return (word >> shift) | (word << (16 - shift)); ++ return (word >> (shift & 15)) | (word << ((-shift) & 15)); + } + + /** +@@ -128,7 +128,7 @@ static inline __u16 ror16(__u16 word, unsigned int shift) + */ + static inline __u8 rol8(__u8 word, unsigned int shift) + { +- return (word << shift) | (word >> (8 - shift)); ++ return (word << (shift & 7)) | (word >> ((-shift) & 7)); + } + + /** +@@ -138,7 +138,7 @@ static inline __u8 rol8(__u8 word, unsigned int shift) + */ + static inline __u8 ror8(__u8 word, unsigned int shift) + { +- return (word >> shift) | (word << (8 - shift)); ++ return (word >> (shift & 7)) | (word << ((-shift) & 7)); + } + + /** +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 13277d2715df..26c4bf47cc99 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -140,6 +140,9 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); + /* Has write method(s) */ + #define FMODE_CAN_WRITE ((__force fmode_t)0x40000) + ++/* File is stream-like */ ++#define FMODE_STREAM ((__force fmode_t)0x200000) ++ + /* File was opened by fanotify and shouldn't generate fanotify events */ + #define FMODE_NONOTIFY ((__force fmode_t)0x4000000) + +@@ -2706,6 +2709,7 @@ extern loff_t fixed_size_llseek(struct file *file, loff_t offset, + int whence, loff_t size); + extern int generic_file_open(struct inode * inode, struct file * filp); + extern int nonseekable_open(struct inode * inode, struct file * filp); ++extern int stream_open(struct inode * inode, struct file * filp); + + #ifdef CONFIG_BLOCK + typedef void (dio_submit_t)(int rw, struct bio *bio, struct inode *inode, +diff --git a/include/linux/hid.h b/include/linux/hid.h +index fd86687f8119..5f3131885136 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -372,6 +372,7 @@ struct hid_global { + + struct hid_local { + unsigned usage[HID_MAX_USAGES]; /* usage array */ ++ u8 usage_size[HID_MAX_USAGES]; /* usage size array */ + unsigned collection_index[HID_MAX_USAGES]; /* collection index array */ + unsigned usage_index; + unsigned usage_minimum; +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h +index 3957d99e66ea..cc185525a94b 100644 +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -91,9 +91,7 @@ void putback_active_hugepage(struct page *page); + void free_huge_page(struct page *page); + void hugetlb_fix_reserve_counts(struct inode *inode, bool restore_reserve); + extern struct mutex *hugetlb_fault_mutex_table; +-u32 hugetlb_fault_mutex_hash(struct hstate *h, struct mm_struct *mm, +- struct vm_area_struct *vma, +- struct address_space *mapping, ++u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping, + pgoff_t idx, unsigned long address); + + #ifdef CONFIG_ARCH_WANT_HUGE_PMD_SHARE +diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h +index 6cc48ac55fd2..40b14736c73d 100644 +--- a/include/linux/iio/adc/ad_sigma_delta.h ++++ b/include/linux/iio/adc/ad_sigma_delta.h +@@ -66,6 +66,7 @@ struct ad_sigma_delta { + bool irq_dis; + + bool bus_locked; ++ bool keep_cs_asserted; + + uint8_t comm; + +diff --git a/include/linux/list_lru.h b/include/linux/list_lru.h +index 743b34f56f2b..f9a8889e134a 100644 +--- a/include/linux/list_lru.h ++++ b/include/linux/list_lru.h +@@ -51,6 +51,7 @@ struct list_lru { + struct list_lru_node *node; + #ifdef CONFIG_MEMCG_KMEM + struct list_head list; ++ bool memcg_aware; + #endif + }; + +diff --git a/include/linux/mfd/da9063/registers.h b/include/linux/mfd/da9063/registers.h +index 2e0ba6d5fbc3..f97173bef581 100644 +--- a/include/linux/mfd/da9063/registers.h ++++ b/include/linux/mfd/da9063/registers.h +@@ -215,9 +215,9 @@ + + /* DA9063 Configuration registers */ + /* OTP */ +-#define DA9063_REG_OPT_COUNT 0x101 +-#define DA9063_REG_OPT_ADDR 0x102 +-#define DA9063_REG_OPT_DATA 0x103 ++#define DA9063_REG_OTP_CONT 0x101 ++#define DA9063_REG_OTP_ADDR 0x102 ++#define DA9063_REG_OTP_DATA 0x103 + + /* Customer Trim and Configuration */ + #define DA9063_REG_T_OFFSET 0x104 +diff --git a/include/linux/of.h b/include/linux/of.h +index d9371c9cd88a..2772f027f88f 100644 +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -199,8 +199,8 @@ extern struct device_node *of_find_all_nodes(struct device_node *prev); + static inline u64 of_read_number(const __be32 *cell, int size) + { + u64 r = 0; +- while (size--) +- r = (r << 32) | be32_to_cpu(*(cell++)); ++ for (; size--; cell++) ++ r = (r << 32) | be32_to_cpu(*cell); + return r; + } + +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index a0189ba67fde..addd03641e1a 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -297,14 +297,12 @@ void synchronize_rcu(void); + + static inline void __rcu_read_lock(void) + { +- if (IS_ENABLED(CONFIG_PREEMPT_COUNT)) +- preempt_disable(); ++ preempt_disable(); + } + + static inline void __rcu_read_unlock(void) + { +- if (IS_ENABLED(CONFIG_PREEMPT_COUNT)) +- preempt_enable(); ++ preempt_enable(); + } + + static inline void synchronize_rcu(void) +diff --git a/include/linux/sched.h b/include/linux/sched.h +index a0b540f800d9..315df144c156 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -2614,12 +2614,17 @@ extern struct mm_struct * mm_alloc(void); + + /* mmdrop drops the mm and the page tables */ + extern void __mmdrop(struct mm_struct *); +-static inline void mmdrop(struct mm_struct * mm) ++static inline void mmdrop(struct mm_struct *mm) + { + if (unlikely(atomic_dec_and_test(&mm->mm_count))) + __mmdrop(mm); + } + ++static inline bool mmget_not_zero(struct mm_struct *mm) ++{ ++ return atomic_inc_not_zero(&mm->mm_users); ++} ++ + /* mmput gets rid of the mappings and all user-space */ + extern void mmput(struct mm_struct *); + /* Grab a reference to a task's mm, if it is not already going away */ +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 502787c29ce9..a2f12d377d23 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3664,5 +3664,35 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb) + return hdr_len + skb_gso_transport_seglen(skb); + } + ++/** ++ * skb_gso_mac_seglen - Return length of individual segments of a gso packet ++ * ++ * @skb: GSO skb ++ * ++ * skb_gso_mac_seglen is used to determine the real size of the ++ * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4 ++ * headers (TCP/UDP). ++ */ ++static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb) ++{ ++ unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb); ++ return hdr_len + skb_gso_transport_seglen(skb); ++} ++ ++/** ++ * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length? ++ * ++ * @skb: GSO skb ++ * @len: length to validate against ++ * ++ * skb_gso_validate_mac_len validates if a given skb will fit a wanted ++ * length once split, including L2, L3 and L4 headers and the payload. ++ */ ++static inline bool ++skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len) ++{ ++ return skb_gso_mac_seglen(skb) <= len; ++} ++ + #endif /* __KERNEL__ */ + #endif /* _LINUX_SKBUFF_H */ +diff --git a/include/linux/smpboot.h b/include/linux/smpboot.h +index 12910cf19869..12a4b09f4d08 100644 +--- a/include/linux/smpboot.h ++++ b/include/linux/smpboot.h +@@ -30,7 +30,7 @@ struct smpboot_thread_data; + * @thread_comm: The base name of the thread + */ + struct smp_hotplug_thread { +- struct task_struct __percpu **store; ++ struct task_struct * __percpu *store; + struct list_head list; + int (*thread_should_run)(unsigned int cpu); + void (*thread_fn)(unsigned int cpu); +diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h +index 7e84aac39ade..667e7f9fd877 100644 +--- a/include/linux/usb/gadget.h ++++ b/include/linux/usb/gadget.h +@@ -671,7 +671,9 @@ static inline struct usb_gadget *dev_to_usb_gadget(struct device *dev) + */ + static inline size_t usb_ep_align(struct usb_ep *ep, size_t len) + { +- return round_up(len, (size_t)le16_to_cpu(ep->desc->wMaxPacketSize)); ++ int max_packet_size = (size_t)usb_endpoint_maxp(ep->desc) & 0x7ff; ++ ++ return round_up(len, max_packet_size); + } + + /** +diff --git a/include/net/arp.h b/include/net/arp.h +index 1b3f86981757..92d2f7d7d1cb 100644 +--- a/include/net/arp.h ++++ b/include/net/arp.h +@@ -17,6 +17,7 @@ static inline u32 arp_hashfn(const void *pkey, const struct net_device *dev, u32 + return val * hash_rnd[0]; + } + ++#ifdef CONFIG_INET + static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key) + { + if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT)) +@@ -24,6 +25,13 @@ static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev + + return ___neigh_lookup_noref(&arp_tbl, neigh_key_eq32, arp_hashfn, &key, dev); + } ++#else ++static inline ++struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key) ++{ ++ return NULL; ++} ++#endif + + static inline struct neighbour *__ipv4_neigh_lookup(struct net_device *dev, u32 key) + { +diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h +index c9aca042e61d..d3a5cf3b5446 100644 +--- a/include/uapi/linux/fuse.h ++++ b/include/uapi/linux/fuse.h +@@ -205,10 +205,12 @@ struct fuse_file_lock { + * FOPEN_DIRECT_IO: bypass page cache for this open file + * FOPEN_KEEP_CACHE: don't invalidate the data cache on open + * FOPEN_NONSEEKABLE: the file is not seekable ++ * FOPEN_STREAM: the file is stream-like (no file position at all) + */ + #define FOPEN_DIRECT_IO (1 << 0) + #define FOPEN_KEEP_CACHE (1 << 1) + #define FOPEN_NONSEEKABLE (1 << 2) ++#define FOPEN_STREAM (1 << 4) + + /** + * INIT request/reply flags +diff --git a/include/uapi/linux/tipc_config.h b/include/uapi/linux/tipc_config.h +index 087b0ef82c07..bbebd258cf07 100644 +--- a/include/uapi/linux/tipc_config.h ++++ b/include/uapi/linux/tipc_config.h +@@ -301,8 +301,10 @@ static inline int TLV_SET(void *tlv, __u16 type, void *data, __u16 len) + tlv_ptr = (struct tlv_desc *)tlv; + tlv_ptr->tlv_type = htons(type); + tlv_ptr->tlv_len = htons(tlv_len); +- if (len && data) +- memcpy(TLV_DATA(tlv_ptr), data, tlv_len); ++ if (len && data) { ++ memcpy(TLV_DATA(tlv_ptr), data, len); ++ memset(TLV_DATA(tlv_ptr) + len, 0, TLV_SPACE(len) - tlv_len); ++ } + return TLV_SPACE(len); + } + +@@ -399,8 +401,10 @@ static inline int TCM_SET(void *msg, __u16 cmd, __u16 flags, + tcm_hdr->tcm_len = htonl(msg_len); + tcm_hdr->tcm_type = htons(cmd); + tcm_hdr->tcm_flags = htons(flags); +- if (data_len && data) ++ if (data_len && data) { + memcpy(TCM_DATA(msg), data, data_len); ++ memset(TCM_DATA(msg) + data_len, 0, TCM_SPACE(data_len) - msg_len); ++ } + return TCM_SPACE(data_len); + } + +diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c +index b57f929f1b46..cf7aa656b308 100644 +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -1095,22 +1095,24 @@ int audit_rule_change(int type, __u32 portid, int seq, void *data, + int err = 0; + struct audit_entry *entry; + +- entry = audit_data_to_entry(data, datasz); +- if (IS_ERR(entry)) +- return PTR_ERR(entry); +- + switch (type) { + case AUDIT_ADD_RULE: ++ entry = audit_data_to_entry(data, datasz); ++ if (IS_ERR(entry)) ++ return PTR_ERR(entry); + err = audit_add_rule(entry); + audit_log_rule_change("add_rule", &entry->rule, !err); + break; + case AUDIT_DEL_RULE: ++ entry = audit_data_to_entry(data, datasz); ++ if (IS_ERR(entry)) ++ return PTR_ERR(entry); + err = audit_del_rule(entry); + audit_log_rule_change("remove_rule", &entry->rule, !err); + break; + default: +- err = -EINVAL; + WARN_ON(1); ++ return -EINVAL; + } + + if (err || type == AUDIT_DEL_RULE) { +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index d89328e260df..041a02b334d7 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -1603,6 +1603,10 @@ rcu_torture_cleanup(void) + cur_ops->cb_barrier(); + return; + } ++ if (!cur_ops) { ++ torture_cleanup_end(); ++ return; ++ } + + rcu_torture_barrier_cleanup(); + torture_stop_kthread(rcu_torture_stall, stall_task); +@@ -1741,6 +1745,7 @@ rcu_torture_init(void) + pr_alert(" %s", torture_ops[i]->name); + pr_alert("\n"); + firsterr = -EINVAL; ++ cur_ops = NULL; + goto unwind; + } + if (cur_ops->fqs == NULL && fqs_duration != 0) { +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index d35a7d528ea6..0e70bfeded7f 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -8361,6 +8361,8 @@ static void cpu_cgroup_attach(struct cgroup_taskset *tset) + static int cpu_shares_write_u64(struct cgroup_subsys_state *css, + struct cftype *cftype, u64 shareval) + { ++ if (shareval > scale_load_down(ULONG_MAX)) ++ shareval = MAX_SHARES; + return sched_group_set_shares(css_tg(css), scale_load(shareval)); + } + +@@ -8460,8 +8462,10 @@ int tg_set_cfs_quota(struct task_group *tg, long cfs_quota_us) + period = ktime_to_ns(tg->cfs_bandwidth.period); + if (cfs_quota_us < 0) + quota = RUNTIME_INF; +- else ++ else if ((u64)cfs_quota_us <= U64_MAX / NSEC_PER_USEC) + quota = (u64)cfs_quota_us * NSEC_PER_USEC; ++ else ++ return -EINVAL; + + return tg_set_cfs_bandwidth(tg, period, quota); + } +@@ -8483,6 +8487,9 @@ int tg_set_cfs_period(struct task_group *tg, long cfs_period_us) + { + u64 quota, period; + ++ if ((u64)cfs_period_us > U64_MAX / NSEC_PER_USEC) ++ return -EINVAL; ++ + period = (u64)cfs_period_us * NSEC_PER_USEC; + quota = tg->cfs_bandwidth.quota; + +diff --git a/kernel/signal.c b/kernel/signal.c +index 96e8c3cbfa38..072fd152ab01 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2244,6 +2244,8 @@ relock: + if (signal_group_exit(signal)) { + ksig->info.si_signo = signr = SIGKILL; + sigdelset(¤t->pending.signal, SIGKILL); ++ trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO, ++ &sighand->action[SIGKILL - 1]); + recalc_sigpending(); + goto fatal; + } +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index ba5392807912..bd4c0bb61ad7 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -1288,9 +1288,6 @@ event_id_read(struct file *filp, char __user *ubuf, size_t cnt, loff_t *ppos) + char buf[32]; + int len; + +- if (*ppos) +- return 0; +- + if (unlikely(!id)) + return -ENODEV; + +diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c +index e0af6ff73d14..f8b1e3cb716b 100644 +--- a/lib/strncpy_from_user.c ++++ b/lib/strncpy_from_user.c +@@ -20,10 +20,11 @@ + * hit it), 'max' is the address space maximum (and we return + * -EFAULT if we hit it). + */ +-static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max) ++static inline long do_strncpy_from_user(char *dst, const char __user *src, ++ unsigned long count, unsigned long max) + { + const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS; +- long res = 0; ++ unsigned long res = 0; + + /* + * Truncate 'max' to the user-specified limit, so that +diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c +index 3a5f2b366d84..1c87bfa63db7 100644 +--- a/lib/strnlen_user.c ++++ b/lib/strnlen_user.c +@@ -27,7 +27,7 @@ + static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max) + { + const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS; +- long align, res = 0; ++ unsigned long align, res = 0; + unsigned long c; + + /* +@@ -41,7 +41,7 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count, + * Do everything aligned. But that means that we + * need to also expand the maximum.. + */ +- align = (sizeof(long) - 1) & (unsigned long)src; ++ align = (sizeof(unsigned long) - 1) & (unsigned long)src; + src -= align; + max += align; + +diff --git a/mm/backing-dev.c b/mm/backing-dev.c +index 7f80b1a1bc34..07e3b3b8e846 100644 +--- a/mm/backing-dev.c ++++ b/mm/backing-dev.c +@@ -669,6 +669,7 @@ static int cgwb_bdi_init(struct backing_dev_info *bdi) + INIT_RADIX_TREE(&bdi->cgwb_tree, GFP_ATOMIC); + bdi->cgwb_congested_tree = RB_ROOT; + atomic_set(&bdi->usage_cnt, 1); ++ init_rwsem(&bdi->wb_switch_rwsem); + + ret = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL); + if (!ret) { +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 324b2953e57e..d7f65a8c629b 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3703,21 +3703,14 @@ backout_unlocked: + } + + #ifdef CONFIG_SMP +-u32 hugetlb_fault_mutex_hash(struct hstate *h, struct mm_struct *mm, +- struct vm_area_struct *vma, +- struct address_space *mapping, ++u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping, + pgoff_t idx, unsigned long address) + { + unsigned long key[2]; + u32 hash; + +- if (vma->vm_flags & VM_SHARED) { +- key[0] = (unsigned long) mapping; +- key[1] = idx; +- } else { +- key[0] = (unsigned long) mm; +- key[1] = address >> huge_page_shift(h); +- } ++ key[0] = (unsigned long) mapping; ++ key[1] = idx; + + hash = jhash2((u32 *)&key, sizeof(key)/sizeof(u32), 0); + +@@ -3728,9 +3721,7 @@ u32 hugetlb_fault_mutex_hash(struct hstate *h, struct mm_struct *mm, + * For uniprocesor systems we always use a single mutex, so just + * return 0 and avoid the hashing overhead. + */ +-u32 hugetlb_fault_mutex_hash(struct hstate *h, struct mm_struct *mm, +- struct vm_area_struct *vma, +- struct address_space *mapping, ++u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping, + pgoff_t idx, unsigned long address) + { + return 0; +@@ -3776,7 +3767,7 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, + * get spurious allocation failures if two CPUs race to instantiate + * the same page in the page cache. + */ +- hash = hugetlb_fault_mutex_hash(h, mm, vma, mapping, idx, address); ++ hash = hugetlb_fault_mutex_hash(h, mapping, idx, address); + mutex_lock(&hugetlb_fault_mutex_table[hash]); + + entry = huge_ptep_get(ptep); +diff --git a/mm/list_lru.c b/mm/list_lru.c +index 786176b1a0ee..732a066e3d3a 100644 +--- a/mm/list_lru.c ++++ b/mm/list_lru.c +@@ -42,11 +42,7 @@ static void list_lru_unregister(struct list_lru *lru) + #ifdef CONFIG_MEMCG_KMEM + static inline bool list_lru_memcg_aware(struct list_lru *lru) + { +- /* +- * This needs node 0 to be always present, even +- * in the systems supporting sparse numa ids. +- */ +- return !!lru->node[0].memcg_lrus; ++ return lru->memcg_aware; + } + + static inline struct list_lru_one * +@@ -389,6 +385,8 @@ static int memcg_init_list_lru(struct list_lru *lru, bool memcg_aware) + { + int i; + ++ lru->memcg_aware = memcg_aware; ++ + if (!memcg_aware) + return 0; + +diff --git a/mm/mincore.c b/mm/mincore.c +index 14bb9fb37f0c..9700c2303941 100644 +--- a/mm/mincore.c ++++ b/mm/mincore.c +@@ -165,6 +165,22 @@ out: + return 0; + } + ++static inline bool can_do_mincore(struct vm_area_struct *vma) ++{ ++ if (vma_is_anonymous(vma)) ++ return true; ++ if (!vma->vm_file) ++ return false; ++ /* ++ * Reveal pagecache information only for non-anonymous mappings that ++ * correspond to the files the calling process could (if tried) open ++ * for writing; otherwise we'd be including shared non-exclusive ++ * mappings, which opens a side channel. ++ */ ++ return inode_owner_or_capable(file_inode(vma->vm_file)) || ++ inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0; ++} ++ + /* + * Do a chunk of "sys_mincore()". We've already checked + * all the arguments, we hold the mmap semaphore: we should +@@ -185,8 +201,13 @@ static long do_mincore(unsigned long addr, unsigned long pages, unsigned char *v + vma = find_vma(current->mm, addr); + if (!vma || addr < vma->vm_start) + return -ENOMEM; +- mincore_walk.mm = vma->vm_mm; + end = min(vma->vm_end, addr + (pages << PAGE_SHIFT)); ++ if (!can_do_mincore(vma)) { ++ unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE); ++ memset(vec, 1, pages); ++ return pages; ++ } ++ mincore_walk.mm = vma->vm_mm; + err = walk_page_range(addr, end, &mincore_walk); + if (err < 0) + return err; +diff --git a/net/core/dev.c b/net/core/dev.c +index 49f78bce5795..db5345f5f7b0 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4550,7 +4550,6 @@ static struct sk_buff *napi_frags_skb(struct napi_struct *napi) + skb_reset_mac_header(skb); + skb_gro_reset_offset(skb); + +- eth = skb_gro_header_fast(skb, 0); + if (unlikely(skb_gro_header_hard(skb, hlen))) { + eth = skb_gro_header_slow(skb, hlen, 0); + if (unlikely(!eth)) { +@@ -4558,6 +4557,7 @@ static struct sk_buff *napi_frags_skb(struct napi_struct *napi) + return NULL; + } + } else { ++ eth = (const struct ethhdr *)skb->data; + gro_pull_from_frag0(skb, hlen); + NAPI_GRO_CB(skb)->frag0 += hlen; + NAPI_GRO_CB(skb)->frag0_len -= hlen; +@@ -6986,7 +6986,7 @@ static void netdev_wait_allrefs(struct net_device *dev) + + refcnt = netdev_refcnt_read(dev); + +- if (time_after(jiffies, warning_time + 10 * HZ)) { ++ if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) { + pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n", + dev->name, refcnt); + warning_time = jiffies; +diff --git a/net/core/ethtool.c b/net/core/ethtool.c +index 9a53c66deb64..66428c0eb663 100644 +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -428,8 +428,13 @@ static noinline_for_stack int ethtool_get_drvinfo(struct net_device *dev, + if (rc >= 0) + info.n_priv_flags = rc; + } +- if (ops->get_regs_len) +- info.regdump_len = ops->get_regs_len(dev); ++ if (ops->get_regs_len) { ++ int ret = ops->get_regs_len(dev); ++ ++ if (ret > 0) ++ info.regdump_len = ret; ++ } ++ + if (ops->get_eeprom_len) + info.eedump_len = ops->get_eeprom_len(dev); + +@@ -883,6 +888,9 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr) + return -EFAULT; + + reglen = ops->get_regs_len(dev); ++ if (reglen <= 0) ++ return reglen; ++ + if (regs.len > reglen) + regs.len = reglen; + +@@ -893,13 +901,16 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr) + return -ENOMEM; + } + ++ if (regs.len < reglen) ++ reglen = regs.len; ++ + ops->get_regs(dev, ®s, regbuf); + + ret = -EFAULT; + if (copy_to_user(useraddr, ®s, sizeof(regs))) + goto out; + useraddr += offsetof(struct ethtool_regs, data); +- if (regbuf && copy_to_user(useraddr, regbuf, regs.len)) ++ if (copy_to_user(useraddr, regbuf, reglen)) + goto out; + ret = 0; + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 78dc184072e8..9d812ba38ff2 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2490,7 +2491,13 @@ int neigh_xmit(int index, struct net_device *dev, + if (!tbl) + goto out; + rcu_read_lock_bh(); +- neigh = __neigh_lookup_noref(tbl, addr, dev); ++ if (index == NEIGH_ARP_TABLE) { ++ u32 key = *((u32 *)addr); ++ ++ neigh = __ipv4_neigh_lookup_noref(dev, key); ++ } else { ++ neigh = __neigh_lookup_noref(tbl, addr, dev); ++ } + if (!neigh) + neigh = __neigh_create(tbl, addr, dev, false); + err = PTR_ERR(neigh); +diff --git a/net/core/pktgen.c b/net/core/pktgen.c +index b6327601f979..4ea957c1e7ee 100644 +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -3139,7 +3139,13 @@ static int pktgen_wait_thread_run(struct pktgen_thread *t) + { + while (thread_is_running(t)) { + ++ /* note: 't' will still be around even after the unlock/lock ++ * cycle because pktgen_thread threads are only cleared at ++ * net exit ++ */ ++ mutex_unlock(&pktgen_thread_lock); + msleep_interruptible(100); ++ mutex_lock(&pktgen_thread_lock); + + if (signal_pending(current)) + goto signal; +@@ -3154,6 +3160,10 @@ static int pktgen_wait_all_threads_run(struct pktgen_net *pn) + struct pktgen_thread *t; + int sig = 1; + ++ /* prevent from racing with rmmod */ ++ if (!try_module_get(THIS_MODULE)) ++ return sig; ++ + mutex_lock(&pktgen_thread_lock); + + list_for_each_entry(t, &pn->pktgen_threads, th_list) { +@@ -3167,6 +3177,7 @@ static int pktgen_wait_all_threads_run(struct pktgen_net *pn) + t->control |= (T_STOP); + + mutex_unlock(&pktgen_thread_lock); ++ module_put(THIS_MODULE); + return sig; + } + +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c +index fcf327ebd134..bbcbbc1cc2cc 100644 +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -648,9 +648,9 @@ static int __init vti_init(void) + return err; + + rtnl_link_failed: +- xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); +-xfrm_tunnel_failed: + xfrm4_tunnel_deregister(&ipip_handler, AF_INET); ++xfrm_tunnel_failed: ++ xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); + xfrm_proto_comp_failed: + xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); + xfrm_proto_ah_failed: +@@ -666,6 +666,7 @@ pernet_dev_failed: + static void __exit vti_fini(void) + { + rtnl_link_unregister(&vti_link_ops); ++ xfrm4_tunnel_deregister(&ipip_handler, AF_INET); + xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); + xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); + xfrm4_protocol_deregister(&vti_esp4_protocol, IPPROTO_ESP); +diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c +index fddae0164b91..d9758ecdcba6 100644 +--- a/net/ipv4/xfrm4_policy.c ++++ b/net/ipv4/xfrm4_policy.c +@@ -108,7 +108,8 @@ static void + _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + { + const struct iphdr *iph = ip_hdr(skb); +- u8 *xprth = skb_network_header(skb) + iph->ihl * 4; ++ int ihl = iph->ihl; ++ u8 *xprth = skb_network_header(skb) + ihl * 4; + struct flowi4 *fl4 = &fl->u.ip4; + int oif = 0; + +@@ -119,6 +120,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + fl4->flowi4_mark = skb->mark; + fl4->flowi4_oif = reverse ? skb->skb_iif : oif; + ++ fl4->flowi4_proto = iph->protocol; ++ fl4->daddr = reverse ? iph->saddr : iph->daddr; ++ fl4->saddr = reverse ? iph->daddr : iph->saddr; ++ fl4->flowi4_tos = iph->tos; ++ + if (!ip_is_fragment(iph)) { + switch (iph->protocol) { + case IPPROTO_UDP: +@@ -130,7 +136,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be16 *ports; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ports = (__be16 *)xprth; + + fl4->fl4_sport = ports[!!reverse]; +@@ -143,7 +149,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 2 - skb->data)) { + u8 *icmp; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + icmp = xprth; + + fl4->fl4_icmp_type = icmp[0]; +@@ -156,7 +162,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be32 *ehdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ehdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ehdr[0]; +@@ -168,7 +174,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 8 - skb->data)) { + __be32 *ah_hdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ah_hdr = (__be32 *)xprth; + + fl4->fl4_ipsec_spi = ah_hdr[1]; +@@ -180,7 +186,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + pskb_may_pull(skb, xprth + 4 - skb->data)) { + __be16 *ipcomp_hdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + ipcomp_hdr = (__be16 *)xprth; + + fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); +@@ -193,7 +199,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + __be16 *greflags; + __be32 *gre_hdr; + +- xprth = skb_network_header(skb) + iph->ihl * 4; ++ xprth = skb_network_header(skb) + ihl * 4; + greflags = (__be16 *)xprth; + gre_hdr = (__be32 *)xprth; + +@@ -210,10 +216,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) + break; + } + } +- fl4->flowi4_proto = iph->protocol; +- fl4->daddr = reverse ? iph->saddr : iph->daddr; +- fl4->saddr = reverse ? iph->daddr : iph->saddr; +- fl4->flowi4_tos = iph->tos; + } + + static inline int xfrm4_garbage_collect(struct dst_ops *ops) +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index 4d52a0e2f60d..55953c5804c3 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -283,7 +283,9 @@ static int rawv6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) + /* Binding to link-local address requires an interface */ + if (!sk->sk_bound_dev_if) + goto out_unlock; ++ } + ++ if (sk->sk_bound_dev_if) { + err = -ENODEV; + dev = dev_get_by_index_rcu(sock_net(sk), + sk->sk_bound_dev_if); +diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c +index 56b72cada346..f9d493c59d6c 100644 +--- a/net/ipv6/xfrm6_tunnel.c ++++ b/net/ipv6/xfrm6_tunnel.c +@@ -391,6 +391,10 @@ static void __exit xfrm6_tunnel_fini(void) + xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6); + xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6); + unregister_pernet_subsys(&xfrm6_tunnel_net_ops); ++ /* Someone maybe has gotten the xfrm6_tunnel_spi. ++ * So need to wait it. ++ */ ++ rcu_barrier(); + kmem_cache_destroy(xfrm6_tunnel_spi_kmem); + } + +diff --git a/net/llc/llc_output.c b/net/llc/llc_output.c +index 94425e421213..9e4b6bcf6920 100644 +--- a/net/llc/llc_output.c ++++ b/net/llc/llc_output.c +@@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc_sap *sap, struct sk_buff *skb, + rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac); + if (likely(!rc)) + rc = dev_queue_xmit(skb); ++ else ++ kfree_skb(skb); + return rc; + } + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index ed4fef32b394..08384dbf426c 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1104,9 +1104,6 @@ static void ieee80211_chswitch_work(struct work_struct *work) + goto out; + } + +- /* XXX: shouldn't really modify cfg80211-owned data! */ +- ifmgd->associated->channel = sdata->csa_chandef.chan; +- + ifmgd->csa_waiting_bcn = true; + + ieee80211_sta_reset_beacon_monitor(sdata); +diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c +index a2340748ec86..d7888924166e 100644 +--- a/net/rds/ib_rdma.c ++++ b/net/rds/ib_rdma.c +@@ -725,12 +725,14 @@ static int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool, + wait_clean_list_grace(); + + list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail); +- if (ibmr_ret) ++ if (ibmr_ret) { + *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode); +- ++ clean_nodes = clean_nodes->next; ++ } + /* more than one entry in llist nodes */ +- if (clean_nodes->next) +- llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list); ++ if (clean_nodes) ++ llist_add_batch(clean_nodes, clean_tail, ++ &pool->clean_list); + + } + +diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c +index a06c9d6bfc9c..05c7a66f64da 100644 +--- a/net/sched/sch_tbf.c ++++ b/net/sched/sch_tbf.c +@@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r, + return len; + } + +-/* +- * Return length of individual segments of a gso packet, +- * including all headers (MAC, IP, TCP/UDP) +- */ +-static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb) +-{ +- unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb); +- return hdr_len + skb_gso_transport_seglen(skb); +-} +- + /* GSO packet is too big, segment it so that tbf can transmit + * each segment in time + */ +diff --git a/net/tipc/core.c b/net/tipc/core.c +index e2bdb07a49a2..c306e9bc1621 100644 +--- a/net/tipc/core.c ++++ b/net/tipc/core.c +@@ -70,9 +70,6 @@ static int __net_init tipc_init_net(struct net *net) + goto out_nametbl; + + INIT_LIST_HEAD(&tn->dist_queue); +- err = tipc_topsrv_start(net); +- if (err) +- goto out_subscr; + + err = tipc_bcast_init(net); + if (err) +@@ -81,8 +78,6 @@ static int __net_init tipc_init_net(struct net *net) + return 0; + + out_bclink: +- tipc_bcast_stop(net); +-out_subscr: + tipc_nametbl_stop(net); + out_nametbl: + tipc_sk_rht_destroy(net); +@@ -92,7 +87,6 @@ out_sk_rht: + + static void __net_exit tipc_exit_net(struct net *net) + { +- tipc_topsrv_stop(net); + tipc_net_stop(net); + tipc_bcast_stop(net); + tipc_nametbl_stop(net); +@@ -106,6 +100,11 @@ static struct pernet_operations tipc_net_ops = { + .size = sizeof(struct tipc_net), + }; + ++static struct pernet_operations tipc_topsrv_net_ops = { ++ .init = tipc_topsrv_init_net, ++ .exit = tipc_topsrv_exit_net, ++}; ++ + static int __init tipc_init(void) + { + int err; +@@ -126,10 +125,6 @@ static int __init tipc_init(void) + if (err) + goto out_netlink_compat; + +- err = tipc_socket_init(); +- if (err) +- goto out_socket; +- + err = tipc_register_sysctl(); + if (err) + goto out_sysctl; +@@ -138,6 +133,14 @@ static int __init tipc_init(void) + if (err) + goto out_pernet; + ++ err = tipc_socket_init(); ++ if (err) ++ goto out_socket; ++ ++ err = register_pernet_subsys(&tipc_topsrv_net_ops); ++ if (err) ++ goto out_pernet_topsrv; ++ + err = tipc_bearer_setup(); + if (err) + goto out_bearer; +@@ -145,12 +148,14 @@ static int __init tipc_init(void) + pr_info("Started in single node mode\n"); + return 0; + out_bearer: ++ unregister_pernet_subsys(&tipc_topsrv_net_ops); ++out_pernet_topsrv: ++ tipc_socket_stop(); ++out_socket: + unregister_pernet_subsys(&tipc_net_ops); + out_pernet: + tipc_unregister_sysctl(); + out_sysctl: +- tipc_socket_stop(); +-out_socket: + tipc_netlink_compat_stop(); + out_netlink_compat: + tipc_netlink_stop(); +@@ -162,10 +167,11 @@ out_netlink: + static void __exit tipc_exit(void) + { + tipc_bearer_cleanup(); ++ unregister_pernet_subsys(&tipc_topsrv_net_ops); ++ tipc_socket_stop(); + unregister_pernet_subsys(&tipc_net_ops); + tipc_netlink_stop(); + tipc_netlink_compat_stop(); +- tipc_socket_stop(); + tipc_unregister_sysctl(); + + pr_info("Deactivated\n"); +diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c +index 500c9e614a06..4f80f00cd8f9 100644 +--- a/net/tipc/subscr.c ++++ b/net/tipc/subscr.c +@@ -306,7 +306,7 @@ static void *tipc_subscrb_connect_cb(int conid) + return (void *)tipc_subscrb_create(conid); + } + +-int tipc_topsrv_start(struct net *net) ++static int tipc_topsrv_start(struct net *net) + { + struct tipc_net *tn = net_generic(net, tipc_net_id); + const char name[] = "topology_server"; +@@ -344,7 +344,7 @@ int tipc_topsrv_start(struct net *net) + return tipc_server_start(topsrv); + } + +-void tipc_topsrv_stop(struct net *net) ++static void tipc_topsrv_stop(struct net *net) + { + struct tipc_net *tn = net_generic(net, tipc_net_id); + struct tipc_server *topsrv = tn->topsrv; +@@ -353,3 +353,13 @@ void tipc_topsrv_stop(struct net *net) + kfree(topsrv->saddr); + kfree(topsrv); + } ++ ++int __net_init tipc_topsrv_init_net(struct net *net) ++{ ++ return tipc_topsrv_start(net); ++} ++ ++void __net_exit tipc_topsrv_exit_net(struct net *net) ++{ ++ tipc_topsrv_stop(net); ++} +diff --git a/net/tipc/subscr.h b/net/tipc/subscr.h +index 92ee18cc5fe6..e9aa8c7a6fec 100644 +--- a/net/tipc/subscr.h ++++ b/net/tipc/subscr.h +@@ -77,7 +77,8 @@ int tipc_subscrp_check_overlap(struct tipc_subscription *sub, u32 found_lower, + void tipc_subscrp_report_overlap(struct tipc_subscription *sub, + u32 found_lower, u32 found_upper, u32 event, + u32 port_ref, u32 node, int must); +-int tipc_topsrv_start(struct net *net); +-void tipc_topsrv_stop(struct net *net); ++ ++int __net_init tipc_topsrv_init_net(struct net *net); ++void __net_exit tipc_topsrv_exit_net(struct net *net); + + #endif +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 81013490a99f..1968998e6c6c 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -12788,6 +12788,11 @@ void cfg80211_ch_switch_notify(struct net_device *dev, + + wdev->chandef = *chandef; + wdev->preset_chandef = *chandef; ++ ++ if (wdev->iftype == NL80211_IFTYPE_STATION && ++ !WARN_ON(!wdev->current_bss)) ++ wdev->current_bss->pub.channel = chandef->chan; ++ + nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL, + NL80211_CMD_CH_SWITCH_NOTIFY, 0); + } +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 177a6c75f136..b04c03043976 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1340,7 +1340,7 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) + ret = verify_policy_dir(p->dir); + if (ret) + return ret; +- if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir)) ++ if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) + return -EINVAL; + + return 0; +diff --git a/scripts/coccinelle/api/stream_open.cocci b/scripts/coccinelle/api/stream_open.cocci +new file mode 100644 +index 000000000000..350145da7669 +--- /dev/null ++++ b/scripts/coccinelle/api/stream_open.cocci +@@ -0,0 +1,363 @@ ++// SPDX-License-Identifier: GPL-2.0 ++// Author: Kirill Smelkov (kirr@nexedi.com) ++// ++// Search for stream-like files that are using nonseekable_open and convert ++// them to stream_open. A stream-like file is a file that does not use ppos in ++// its read and write. Rationale for the conversion is to avoid deadlock in ++// between read and write. ++ ++virtual report ++virtual patch ++virtual explain // explain decisions in the patch (SPFLAGS="-D explain") ++ ++// stream-like reader & writer - ones that do not depend on f_pos. ++@ stream_reader @ ++identifier readstream, ppos; ++identifier f, buf, len; ++type loff_t; ++@@ ++ ssize_t readstream(struct file *f, char *buf, size_t len, loff_t *ppos) ++ { ++ ... when != ppos ++ } ++ ++@ stream_writer @ ++identifier writestream, ppos; ++identifier f, buf, len; ++type loff_t; ++@@ ++ ssize_t writestream(struct file *f, const char *buf, size_t len, loff_t *ppos) ++ { ++ ... when != ppos ++ } ++ ++ ++// a function that blocks ++@ blocks @ ++identifier block_f; ++identifier wait_event =~ "^wait_event_.*"; ++@@ ++ block_f(...) { ++ ... when exists ++ wait_event(...) ++ ... when exists ++ } ++ ++// stream_reader that can block inside. ++// ++// XXX wait_* can be called not directly from current function (e.g. func -> f -> g -> wait()) ++// XXX currently reader_blocks supports only direct and 1-level indirect cases. ++@ reader_blocks_direct @ ++identifier stream_reader.readstream; ++identifier wait_event =~ "^wait_event_.*"; ++@@ ++ readstream(...) ++ { ++ ... when exists ++ wait_event(...) ++ ... when exists ++ } ++ ++@ reader_blocks_1 @ ++identifier stream_reader.readstream; ++identifier blocks.block_f; ++@@ ++ readstream(...) ++ { ++ ... when exists ++ block_f(...) ++ ... when exists ++ } ++ ++@ reader_blocks depends on reader_blocks_direct || reader_blocks_1 @ ++identifier stream_reader.readstream; ++@@ ++ readstream(...) { ++ ... ++ } ++ ++ ++// file_operations + whether they have _any_ .read, .write, .llseek ... at all. ++// ++// XXX add support for file_operations xxx[N] = ... (sound/core/pcm_native.c) ++@ fops0 @ ++identifier fops; ++@@ ++ struct file_operations fops = { ++ ... ++ }; ++ ++@ has_read @ ++identifier fops0.fops; ++identifier read_f; ++@@ ++ struct file_operations fops = { ++ .read = read_f, ++ }; ++ ++@ has_read_iter @ ++identifier fops0.fops; ++identifier read_iter_f; ++@@ ++ struct file_operations fops = { ++ .read_iter = read_iter_f, ++ }; ++ ++@ has_write @ ++identifier fops0.fops; ++identifier write_f; ++@@ ++ struct file_operations fops = { ++ .write = write_f, ++ }; ++ ++@ has_write_iter @ ++identifier fops0.fops; ++identifier write_iter_f; ++@@ ++ struct file_operations fops = { ++ .write_iter = write_iter_f, ++ }; ++ ++@ has_llseek @ ++identifier fops0.fops; ++identifier llseek_f; ++@@ ++ struct file_operations fops = { ++ .llseek = llseek_f, ++ }; ++ ++@ has_no_llseek @ ++identifier fops0.fops; ++@@ ++ struct file_operations fops = { ++ .llseek = no_llseek, ++ }; ++ ++@ has_mmap @ ++identifier fops0.fops; ++identifier mmap_f; ++@@ ++ struct file_operations fops = { ++ .mmap = mmap_f, ++ }; ++ ++@ has_copy_file_range @ ++identifier fops0.fops; ++identifier copy_file_range_f; ++@@ ++ struct file_operations fops = { ++ .copy_file_range = copy_file_range_f, ++ }; ++ ++@ has_remap_file_range @ ++identifier fops0.fops; ++identifier remap_file_range_f; ++@@ ++ struct file_operations fops = { ++ .remap_file_range = remap_file_range_f, ++ }; ++ ++@ has_splice_read @ ++identifier fops0.fops; ++identifier splice_read_f; ++@@ ++ struct file_operations fops = { ++ .splice_read = splice_read_f, ++ }; ++ ++@ has_splice_write @ ++identifier fops0.fops; ++identifier splice_write_f; ++@@ ++ struct file_operations fops = { ++ .splice_write = splice_write_f, ++ }; ++ ++ ++// file_operations that is candidate for stream_open conversion - it does not ++// use mmap and other methods that assume @offset access to file. ++// ++// XXX for simplicity require no .{read/write}_iter and no .splice_{read/write} for now. ++// XXX maybe_steam.fops cannot be used in other rules - it gives "bad rule maybe_stream or bad variable fops". ++@ maybe_stream depends on (!has_llseek || has_no_llseek) && !has_mmap && !has_copy_file_range && !has_remap_file_range && !has_read_iter && !has_write_iter && !has_splice_read && !has_splice_write @ ++identifier fops0.fops; ++@@ ++ struct file_operations fops = { ++ }; ++ ++ ++// ---- conversions ---- ++ ++// XXX .open = nonseekable_open -> .open = stream_open ++// XXX .open = func -> openfunc -> nonseekable_open ++ ++// read & write ++// ++// if both are used in the same file_operations together with an opener - ++// under that conditions we can use stream_open instead of nonseekable_open. ++@ fops_rw depends on maybe_stream @ ++identifier fops0.fops, openfunc; ++identifier stream_reader.readstream; ++identifier stream_writer.writestream; ++@@ ++ struct file_operations fops = { ++ .open = openfunc, ++ .read = readstream, ++ .write = writestream, ++ }; ++ ++@ report_rw depends on report @ ++identifier fops_rw.openfunc; ++position p1; ++@@ ++ openfunc(...) { ++ <... ++ nonseekable_open@p1 ++ ...> ++ } ++ ++@ script:python depends on report && reader_blocks @ ++fops << fops0.fops; ++p << report_rw.p1; ++@@ ++coccilib.report.print_report(p[0], ++ "ERROR: %s: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix." % (fops,)) ++ ++@ script:python depends on report && !reader_blocks @ ++fops << fops0.fops; ++p << report_rw.p1; ++@@ ++coccilib.report.print_report(p[0], ++ "WARNING: %s: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) ++ ++ ++@ explain_rw_deadlocked depends on explain && reader_blocks @ ++identifier fops_rw.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ nonseekable_open /* read & write (was deadlock) */ ++ ...> ++ } ++ ++ ++@ explain_rw_nodeadlock depends on explain && !reader_blocks @ ++identifier fops_rw.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ nonseekable_open /* read & write (no direct deadlock) */ ++ ...> ++ } ++ ++@ patch_rw depends on patch @ ++identifier fops_rw.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ stream_open ++ ...> ++ } ++ ++ ++// read, but not write ++@ fops_r depends on maybe_stream && !has_write @ ++identifier fops0.fops, openfunc; ++identifier stream_reader.readstream; ++@@ ++ struct file_operations fops = { ++ .open = openfunc, ++ .read = readstream, ++ }; ++ ++@ report_r depends on report @ ++identifier fops_r.openfunc; ++position p1; ++@@ ++ openfunc(...) { ++ <... ++ nonseekable_open@p1 ++ ...> ++ } ++ ++@ script:python depends on report @ ++fops << fops0.fops; ++p << report_r.p1; ++@@ ++coccilib.report.print_report(p[0], ++ "WARNING: %s: .read() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) ++ ++@ explain_r depends on explain @ ++identifier fops_r.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ nonseekable_open /* read only */ ++ ...> ++ } ++ ++@ patch_r depends on patch @ ++identifier fops_r.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ stream_open ++ ...> ++ } ++ ++ ++// write, but not read ++@ fops_w depends on maybe_stream && !has_read @ ++identifier fops0.fops, openfunc; ++identifier stream_writer.writestream; ++@@ ++ struct file_operations fops = { ++ .open = openfunc, ++ .write = writestream, ++ }; ++ ++@ report_w depends on report @ ++identifier fops_w.openfunc; ++position p1; ++@@ ++ openfunc(...) { ++ <... ++ nonseekable_open@p1 ++ ...> ++ } ++ ++@ script:python depends on report @ ++fops << fops0.fops; ++p << report_w.p1; ++@@ ++coccilib.report.print_report(p[0], ++ "WARNING: %s: .write() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,)) ++ ++@ explain_w depends on explain @ ++identifier fops_w.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ nonseekable_open /* write only */ ++ ...> ++ } ++ ++@ patch_w depends on patch @ ++identifier fops_w.openfunc; ++@@ ++ openfunc(...) { ++ <... ++- nonseekable_open +++ stream_open ++ ...> ++ } ++ ++ ++// no read, no write - don't change anything +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index a8045b8a2a18..b249b1b85746 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1636,9 +1636,11 @@ static bool hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll) + ret = !repoll || !pin_eld->monitor_present || pin_eld->eld_valid; + + jack = snd_hda_jack_tbl_get(codec, pin_nid); +- if (jack) ++ if (jack) { + jack->block_report = !ret; +- ++ jack->pin_sense = (eld->monitor_present && eld->eld_valid) ? ++ AC_PINSENSE_PRESENCE : 0; ++ } + mutex_unlock(&per_pin->lock); + snd_hda_power_down_pm(codec); + return ret; +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 5d8ac2d798df..68d96c2e8cde 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -772,11 +772,10 @@ static int alc_init(struct hda_codec *codec) + if (spec->init_hook) + spec->init_hook(codec); + ++ snd_hda_gen_init(codec); + alc_fix_pll(codec); + alc_auto_init_amp(codec, spec->init_amp); + +- snd_hda_gen_init(codec); +- + snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT); + + return 0; +@@ -5779,7 +5778,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), +- SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP), ++ SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK), +@@ -6237,7 +6236,7 @@ static int patch_alc269(struct hda_codec *codec) + + spec = codec->spec; + spec->gen.shared_mic_vref_pin = 0x18; +- codec->power_save_node = 1; ++ codec->power_save_node = 0; + + #ifdef CONFIG_PM + codec->patch_ops.suspend = alc269_suspend; +diff --git a/sound/soc/codecs/max98090.c b/sound/soc/codecs/max98090.c +index 584aab83e478..3e65dc74eb33 100644 +--- a/sound/soc/codecs/max98090.c ++++ b/sound/soc/codecs/max98090.c +@@ -1209,14 +1209,14 @@ static const struct snd_soc_dapm_widget max98090_dapm_widgets[] = { + &max98090_right_rcv_mixer_controls[0], + ARRAY_SIZE(max98090_right_rcv_mixer_controls)), + +- SND_SOC_DAPM_MUX("LINMOD Mux", M98090_REG_LOUTR_MIXER, +- M98090_LINMOD_SHIFT, 0, &max98090_linmod_mux), ++ SND_SOC_DAPM_MUX("LINMOD Mux", SND_SOC_NOPM, 0, 0, ++ &max98090_linmod_mux), + +- SND_SOC_DAPM_MUX("MIXHPLSEL Mux", M98090_REG_HP_CONTROL, +- M98090_MIXHPLSEL_SHIFT, 0, &max98090_mixhplsel_mux), ++ SND_SOC_DAPM_MUX("MIXHPLSEL Mux", SND_SOC_NOPM, 0, 0, ++ &max98090_mixhplsel_mux), + +- SND_SOC_DAPM_MUX("MIXHPRSEL Mux", M98090_REG_HP_CONTROL, +- M98090_MIXHPRSEL_SHIFT, 0, &max98090_mixhprsel_mux), ++ SND_SOC_DAPM_MUX("MIXHPRSEL Mux", SND_SOC_NOPM, 0, 0, ++ &max98090_mixhprsel_mux), + + SND_SOC_DAPM_PGA("HP Left Out", M98090_REG_OUTPUT_ENABLE, + M98090_HPLEN_SHIFT, 0, NULL, 0), +diff --git a/sound/soc/codecs/rt5677-spi.c b/sound/soc/codecs/rt5677-spi.c +index 91879ea95415..01aa75cde571 100644 +--- a/sound/soc/codecs/rt5677-spi.c ++++ b/sound/soc/codecs/rt5677-spi.c +@@ -60,13 +60,15 @@ static DEFINE_MUTEX(spi_mutex); + * RT5677_SPI_READ/WRITE_32: Transfer 4 bytes + * RT5677_SPI_READ/WRITE_BURST: Transfer any multiples of 8 bytes + * +- * For example, reading 260 bytes at 0x60030002 uses the following commands: +- * 0x60030002 RT5677_SPI_READ_16 2 bytes ++ * Note: ++ * 16 Bit writes and reads are restricted to the address range ++ * 0x18020000 ~ 0x18021000 ++ * ++ * For example, reading 256 bytes at 0x60030004 uses the following commands: + * 0x60030004 RT5677_SPI_READ_32 4 bytes + * 0x60030008 RT5677_SPI_READ_BURST 240 bytes + * 0x600300F8 RT5677_SPI_READ_BURST 8 bytes + * 0x60030100 RT5677_SPI_READ_32 4 bytes +- * 0x60030104 RT5677_SPI_READ_16 2 bytes + * + * Input: + * @read: true for read commands; false for write commands +@@ -81,15 +83,13 @@ static u8 rt5677_spi_select_cmd(bool read, u32 align, u32 remain, u32 *len) + { + u8 cmd; + +- if (align == 2 || align == 6 || remain == 2) { +- cmd = RT5677_SPI_READ_16; +- *len = 2; +- } else if (align == 4 || remain <= 6) { ++ if (align == 4 || remain <= 4) { + cmd = RT5677_SPI_READ_32; + *len = 4; + } else { + cmd = RT5677_SPI_READ_BURST; +- *len = min_t(u32, remain & ~7, RT5677_SPI_BURST_LEN); ++ *len = (((remain - 1) >> 3) + 1) << 3; ++ *len = min_t(u32, *len, RT5677_SPI_BURST_LEN); + } + return read ? cmd : cmd + 1; + } +@@ -110,7 +110,7 @@ static void rt5677_spi_reverse(u8 *dst, u32 dstlen, const u8 *src, u32 srclen) + } + } + +-/* Read DSP address space using SPI. addr and len have to be 2-byte aligned. */ ++/* Read DSP address space using SPI. addr and len have to be 4-byte aligned. */ + int rt5677_spi_read(u32 addr, void *rxbuf, size_t len) + { + u32 offset; +@@ -126,7 +126,7 @@ int rt5677_spi_read(u32 addr, void *rxbuf, size_t len) + if (!g_spi) + return -ENODEV; + +- if ((addr & 1) || (len & 1)) { ++ if ((addr & 3) || (len & 3)) { + dev_err(&g_spi->dev, "Bad read align 0x%x(%zu)\n", addr, len); + return -EACCES; + } +@@ -161,13 +161,13 @@ int rt5677_spi_read(u32 addr, void *rxbuf, size_t len) + } + EXPORT_SYMBOL_GPL(rt5677_spi_read); + +-/* Write DSP address space using SPI. addr has to be 2-byte aligned. +- * If len is not 2-byte aligned, an extra byte of zero is written at the end ++/* Write DSP address space using SPI. addr has to be 4-byte aligned. ++ * If len is not 4-byte aligned, then extra zeros are written at the end + * as padding. + */ + int rt5677_spi_write(u32 addr, const void *txbuf, size_t len) + { +- u32 offset, len_with_pad = len; ++ u32 offset; + int status = 0; + struct spi_transfer t; + struct spi_message m; +@@ -180,22 +180,19 @@ int rt5677_spi_write(u32 addr, const void *txbuf, size_t len) + if (!g_spi) + return -ENODEV; + +- if (addr & 1) { ++ if (addr & 3) { + dev_err(&g_spi->dev, "Bad write align 0x%x(%zu)\n", addr, len); + return -EACCES; + } + +- if (len & 1) +- len_with_pad = len + 1; +- + memset(&t, 0, sizeof(t)); + t.tx_buf = buf; + t.speed_hz = RT5677_SPI_FREQ; + spi_message_init_with_transfers(&m, &t, 1); + +- for (offset = 0; offset < len_with_pad;) { ++ for (offset = 0; offset < len;) { + spi_cmd = rt5677_spi_select_cmd(false, (addr + offset) & 7, +- len_with_pad - offset, &t.len); ++ len - offset, &t.len); + + /* Construct SPI message header */ + buf[0] = spi_cmd; +diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c +index 2ccb8bccc9d4..512ec25c9ead 100644 +--- a/sound/soc/davinci/davinci-mcasp.c ++++ b/sound/soc/davinci/davinci-mcasp.c +@@ -43,6 +43,7 @@ + + #define MCASP_MAX_AFIFO_DEPTH 64 + ++#ifdef CONFIG_PM + static u32 context_regs[] = { + DAVINCI_MCASP_TXFMCTL_REG, + DAVINCI_MCASP_RXFMCTL_REG, +@@ -65,6 +66,7 @@ struct davinci_mcasp_context { + u32 *xrsr_regs; /* for serializer configuration */ + bool pm_state; + }; ++#endif + + struct davinci_mcasp_ruledata { + struct davinci_mcasp *mcasp; +diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig +index 3066e068aae5..d420995ed45b 100644 +--- a/sound/soc/fsl/Kconfig ++++ b/sound/soc/fsl/Kconfig +@@ -171,16 +171,17 @@ config SND_MPC52xx_SOC_EFIKA + + endif # SND_POWERPC_SOC + ++config SND_SOC_IMX_PCM_FIQ ++ tristate ++ default y if SND_SOC_IMX_SSI=y && (SND_SOC_FSL_SSI=m || SND_SOC_FSL_SPDIF=m) && (MXC_TZIC || MXC_AVIC) ++ select FIQ ++ + if SND_IMX_SOC + + config SND_SOC_IMX_SSI + tristate + select SND_SOC_FSL_UTILS + +-config SND_SOC_IMX_PCM_FIQ +- tristate +- select FIQ +- + comment "SoC Audio support for Freescale i.MX boards:" + + config SND_MXC_SOC_WM1133_EV1 +diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c +index 883087f2b092..38132143b7d5 100644 +--- a/sound/soc/fsl/eukrea-tlv320.c ++++ b/sound/soc/fsl/eukrea-tlv320.c +@@ -119,13 +119,13 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + if (ret) { + dev_err(&pdev->dev, + "fsl,mux-int-port node missing or invalid.\n"); +- return ret; ++ goto err; + } + ret = of_property_read_u32(np, "fsl,mux-ext-port", &ext_port); + if (ret) { + dev_err(&pdev->dev, + "fsl,mux-ext-port node missing or invalid.\n"); +- return ret; ++ goto err; + } + + /* +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index 08b460ba06ef..61d2d955f26a 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -260,12 +260,14 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai, + case SND_SOC_DAIFMT_CBS_CFS: + val_cr2 |= FSL_SAI_CR2_BCD_MSTR; + val_cr4 |= FSL_SAI_CR4_FSD_MSTR; ++ sai->is_slave_mode = false; + break; + case SND_SOC_DAIFMT_CBM_CFM: + sai->is_slave_mode = true; + break; + case SND_SOC_DAIFMT_CBS_CFM: + val_cr2 |= FSL_SAI_CR2_BCD_MSTR; ++ sai->is_slave_mode = false; + break; + case SND_SOC_DAIFMT_CBM_CFS: + val_cr4 |= FSL_SAI_CR4_FSD_MSTR; +diff --git a/sound/soc/fsl/fsl_utils.c b/sound/soc/fsl/fsl_utils.c +index b9e42b503a37..4f8bdb7650e8 100644 +--- a/sound/soc/fsl/fsl_utils.c ++++ b/sound/soc/fsl/fsl_utils.c +@@ -75,6 +75,7 @@ int fsl_asoc_get_dma_channel(struct device_node *ssi_np, + iprop = of_get_property(dma_np, "cell-index", NULL); + if (!iprop) { + of_node_put(dma_np); ++ of_node_put(dma_channel_np); + return -EINVAL; + } + *dma_id = be32_to_cpup(iprop); +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index f7eb0d2f797b..1f7eb3816cd7 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2112,6 +2112,8 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid, + kctl = snd_ctl_new1(&mixer_selectunit_ctl, cval); + if (! kctl) { + usb_audio_err(state->chip, "cannot malloc kcontrol\n"); ++ for (i = 0; i < desc->bNrInPins; i++) ++ kfree(namelist[i]); + kfree(namelist); + kfree(cval); + return -ENOMEM; +diff --git a/tools/include/linux/bitops.h b/tools/include/linux/bitops.h +index 5ad9ee1dd7f6..57187d6790c1 100644 +--- a/tools/include/linux/bitops.h ++++ b/tools/include/linux/bitops.h +@@ -3,17 +3,14 @@ + + #include + #include +-#include +- + #ifndef __WORDSIZE + #define __WORDSIZE (__SIZEOF_LONG__ * 8) + #endif + + #define BITS_PER_LONG __WORDSIZE ++#include ++#include + +-#define BIT_MASK(nr) (1UL << ((nr) % BITS_PER_LONG)) +-#define BIT_WORD(nr) ((nr) / BITS_PER_LONG) +-#define BITS_PER_BYTE 8 + #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(long)) + #define BITS_TO_U64(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(u64)) + #define BITS_TO_U32(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(u32)) +diff --git a/tools/include/linux/bits.h b/tools/include/linux/bits.h +new file mode 100644 +index 000000000000..2b7b532c1d51 +--- /dev/null ++++ b/tools/include/linux/bits.h +@@ -0,0 +1,26 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef __LINUX_BITS_H ++#define __LINUX_BITS_H ++#include ++ ++#define BIT(nr) (1UL << (nr)) ++#define BIT_ULL(nr) (1ULL << (nr)) ++#define BIT_MASK(nr) (1UL << ((nr) % BITS_PER_LONG)) ++#define BIT_WORD(nr) ((nr) / BITS_PER_LONG) ++#define BIT_ULL_MASK(nr) (1ULL << ((nr) % BITS_PER_LONG_LONG)) ++#define BIT_ULL_WORD(nr) ((nr) / BITS_PER_LONG_LONG) ++#define BITS_PER_BYTE 8 ++ ++/* ++ * Create a contiguous bitmask starting at bit position @l and ending at ++ * position @h. For example ++ * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000. ++ */ ++#define GENMASK(h, l) \ ++ (((~0UL) - (1UL << (l)) + 1) & (~0UL >> (BITS_PER_LONG - 1 - (h)))) ++ ++#define GENMASK_ULL(h, l) \ ++ (((~0ULL) - (1ULL << (l)) + 1) & \ ++ (~0ULL >> (BITS_PER_LONG_LONG - 1 - (h)))) ++ ++#endif /* __LINUX_BITS_H */ +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index 73d192f57dc3..df41deed0320 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -32,6 +32,10 @@ + #include + #include + ++#ifndef RUSAGE_THREAD ++# define RUSAGE_THREAD 1 ++#endif ++ + /* + * Regular printout to the terminal, supressed if -q is specified: + */ +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +index 62b38f2ff60d..c1944765533c 100644 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c +@@ -58,6 +58,7 @@ enum intel_pt_pkt_state { + INTEL_PT_STATE_NO_IP, + INTEL_PT_STATE_ERR_RESYNC, + INTEL_PT_STATE_IN_SYNC, ++ INTEL_PT_STATE_TNT_CONT, + INTEL_PT_STATE_TNT, + INTEL_PT_STATE_TIP, + INTEL_PT_STATE_TIP_PGD, +@@ -72,8 +73,9 @@ static inline bool intel_pt_sample_time(enum intel_pt_pkt_state pkt_state) + case INTEL_PT_STATE_NO_IP: + case INTEL_PT_STATE_ERR_RESYNC: + case INTEL_PT_STATE_IN_SYNC: +- case INTEL_PT_STATE_TNT: ++ case INTEL_PT_STATE_TNT_CONT: + return true; ++ case INTEL_PT_STATE_TNT: + case INTEL_PT_STATE_TIP: + case INTEL_PT_STATE_TIP_PGD: + case INTEL_PT_STATE_FUP: +@@ -854,16 +856,20 @@ static uint64_t intel_pt_next_period(struct intel_pt_decoder *decoder) + timestamp = decoder->timestamp + decoder->timestamp_insn_cnt; + masked_timestamp = timestamp & decoder->period_mask; + if (decoder->continuous_period) { +- if (masked_timestamp != decoder->last_masked_timestamp) ++ if (masked_timestamp > decoder->last_masked_timestamp) + return 1; + } else { + timestamp += 1; + masked_timestamp = timestamp & decoder->period_mask; +- if (masked_timestamp != decoder->last_masked_timestamp) { ++ if (masked_timestamp > decoder->last_masked_timestamp) { + decoder->last_masked_timestamp = masked_timestamp; + decoder->continuous_period = true; + } + } ++ ++ if (masked_timestamp < decoder->last_masked_timestamp) ++ return decoder->period_ticks; ++ + return decoder->period_ticks - (timestamp - masked_timestamp); + } + +@@ -892,7 +898,10 @@ static void intel_pt_sample_insn(struct intel_pt_decoder *decoder) + case INTEL_PT_PERIOD_TICKS: + timestamp = decoder->timestamp + decoder->timestamp_insn_cnt; + masked_timestamp = timestamp & decoder->period_mask; +- decoder->last_masked_timestamp = masked_timestamp; ++ if (masked_timestamp > decoder->last_masked_timestamp) ++ decoder->last_masked_timestamp = masked_timestamp; ++ else ++ decoder->last_masked_timestamp += decoder->period_ticks; + break; + case INTEL_PT_PERIOD_NONE: + case INTEL_PT_PERIOD_MTC: +@@ -1141,7 +1150,9 @@ static int intel_pt_walk_tnt(struct intel_pt_decoder *decoder) + return -ENOENT; + } + decoder->tnt.count -= 1; +- if (!decoder->tnt.count) ++ if (decoder->tnt.count) ++ decoder->pkt_state = INTEL_PT_STATE_TNT_CONT; ++ else + decoder->pkt_state = INTEL_PT_STATE_IN_SYNC; + decoder->tnt.payload <<= 1; + decoder->state.from_ip = decoder->ip; +@@ -1172,7 +1183,9 @@ static int intel_pt_walk_tnt(struct intel_pt_decoder *decoder) + + if (intel_pt_insn.branch == INTEL_PT_BR_CONDITIONAL) { + decoder->tnt.count -= 1; +- if (!decoder->tnt.count) ++ if (decoder->tnt.count) ++ decoder->pkt_state = INTEL_PT_STATE_TNT_CONT; ++ else + decoder->pkt_state = INTEL_PT_STATE_IN_SYNC; + if (decoder->tnt.payload & BIT63) { + decoder->tnt.payload <<= 1; +@@ -1192,8 +1205,11 @@ static int intel_pt_walk_tnt(struct intel_pt_decoder *decoder) + return 0; + } + decoder->ip += intel_pt_insn.length; +- if (!decoder->tnt.count) ++ if (!decoder->tnt.count) { ++ decoder->sample_timestamp = decoder->timestamp; ++ decoder->sample_insn_cnt = decoder->timestamp_insn_cnt; + return -EAGAIN; ++ } + decoder->tnt.payload <<= 1; + continue; + } +@@ -2116,6 +2132,7 @@ const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder) + err = intel_pt_walk_trace(decoder); + break; + case INTEL_PT_STATE_TNT: ++ case INTEL_PT_STATE_TNT_CONT: + err = intel_pt_walk_tnt(decoder); + if (err == -EAGAIN) + err = intel_pt_walk_trace(decoder); +diff --git a/tools/perf/util/string.c b/tools/perf/util/string.c +index accb7ece1d3c..3d7af024c73f 100644 +--- a/tools/perf/util/string.c ++++ b/tools/perf/util/string.c +@@ -1,4 +1,5 @@ + #include "util.h" ++#include + #include "linux/string.h" + + #define K 1024LL +diff --git a/tools/perf/util/util.h b/tools/perf/util/util.h +index dcc659017976..ee5d1dfe13da 100644 +--- a/tools/perf/util/util.h ++++ b/tools/perf/util/util.h +@@ -76,7 +76,6 @@ + #include + #include + #include +-#include + #include + + extern const char *graph_line; diff --git a/patch/kernel/rockchip-default/remove_deprecated_function_rtk_btusb.patch b/patch/kernel/rockchip-default/remove_deprecated_function_rtk_btusb.patch new file mode 100644 index 0000000000..b6d78d1473 --- /dev/null +++ b/patch/kernel/rockchip-default/remove_deprecated_function_rtk_btusb.patch @@ -0,0 +1,41 @@ +diff --git a/drivers/bluetooth/rtk_btusb.c b/drivers/bluetooth/rtk_btusb.c +index 5db18841..ad74ec9e 100644 +--- a/drivers/bluetooth/rtk_btusb.c ++++ b/drivers/bluetooth/rtk_btusb.c +@@ -3064,9 +3064,6 @@ static int btusb_open(struct hci_dev *hdev) + struct btusb_data *data = GET_DRV_DATA(hdev); + int err = 0; + +- RTKBT_INFO("%s: Start, PM usage count %d", __func__, +- atomic_read(&(data->intf->pm_usage_cnt))); +- + err = usb_autopm_get_interface(data->intf); + if (err < 0) + return err; +@@ -3095,16 +3092,12 @@ static int btusb_open(struct hci_dev *hdev) + + done: + usb_autopm_put_interface(data->intf); +- RTKBT_INFO("%s: End, PM usage count %d", __func__, +- atomic_read(&(data->intf->pm_usage_cnt))); + return 0; + + failed: + clear_bit(BTUSB_INTR_RUNNING, &data->flags); + clear_bit(HCI_RUNNING, &hdev->flags); + usb_autopm_put_interface(data->intf); +- RTKBT_ERR("%s: Failed, PM usage count %d", __func__, +- atomic_read(&(data->intf->pm_usage_cnt))); + return err; + } + +@@ -3610,9 +3603,6 @@ static void btusb_waker(struct work_struct *work) + struct btusb_data *data = container_of(work, struct btusb_data, waker); + int err; + +- RTKBT_DBG("%s: PM usage count %d", __func__, +- atomic_read(&data->intf->pm_usage_cnt)); +- + err = usb_autopm_get_interface(data->intf); + if (err < 0) + return;