Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Tue, 24 Apr 2018 11:28:42
Message-Id: 1524569309.8f9c5a44d98694dba36e19234ed5f67ee891d232.mpagano@gentoo
1 commit: 8f9c5a44d98694dba36e19234ed5f67ee891d232
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Apr 24 11:28:29 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Apr 24 11:28:29 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=8f9c5a44
7
8 Linux patch 4.4.129
9
10 0000_README | 4 +
11 1128_linux-4.4.129.patch | 3714 ++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 3718 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 618f750..c2625c8 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -555,6 +555,10 @@ Patch: 1127_linux-4.4.128.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.4.128
21
22 +Patch: 1128_linux-4.4.129.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.4.129
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1128_linux-4.4.129.patch b/1128_linux-4.4.129.patch
31 new file mode 100644
32 index 0000000..8b1de93
33 --- /dev/null
34 +++ b/1128_linux-4.4.129.patch
35 @@ -0,0 +1,3714 @@
36 +diff --git a/Makefile b/Makefile
37 +index 575459bb47eb..096d7e867b6c 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 4
42 + PATCHLEVEL = 4
43 +-SUBLEVEL = 128
44 ++SUBLEVEL = 129
45 + EXTRAVERSION =
46 + NAME = Blurry Fish Butt
47 +
48 +diff --git a/arch/arm/boot/dts/at91sam9g25.dtsi b/arch/arm/boot/dts/at91sam9g25.dtsi
49 +index a7da0dd0c98f..0898213f3bb2 100644
50 +--- a/arch/arm/boot/dts/at91sam9g25.dtsi
51 ++++ b/arch/arm/boot/dts/at91sam9g25.dtsi
52 +@@ -21,7 +21,7 @@
53 + atmel,mux-mask = <
54 + /* A B C */
55 + 0xffffffff 0xffe0399f 0xc000001c /* pioA */
56 +- 0x0007ffff 0x8000fe3f 0x00000000 /* pioB */
57 ++ 0x0007ffff 0x00047e3f 0x00000000 /* pioB */
58 + 0x80000000 0x07c0ffff 0xb83fffff /* pioC */
59 + 0x003fffff 0x003f8000 0x00000000 /* pioD */
60 + >;
61 +diff --git a/arch/arm/boot/dts/sama5d4.dtsi b/arch/arm/boot/dts/sama5d4.dtsi
62 +index 3daf8d5d7878..fb0d1b252dc8 100644
63 +--- a/arch/arm/boot/dts/sama5d4.dtsi
64 ++++ b/arch/arm/boot/dts/sama5d4.dtsi
65 +@@ -1354,7 +1354,7 @@
66 + pinctrl@fc06a000 {
67 + #address-cells = <1>;
68 + #size-cells = <1>;
69 +- compatible = "atmel,at91sam9x5-pinctrl", "atmel,at91rm9200-pinctrl", "simple-bus";
70 ++ compatible = "atmel,sama5d3-pinctrl", "atmel,at91sam9x5-pinctrl", "simple-bus";
71 + ranges = <0xfc068000 0xfc068000 0x100
72 + 0xfc06a000 0xfc06a000 0x4000>;
73 + /* WARNING: revisit as pin spec has changed */
74 +diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
75 +index c74c32ccc647..4f281768937f 100644
76 +--- a/arch/mips/include/asm/uaccess.h
77 ++++ b/arch/mips/include/asm/uaccess.h
78 +@@ -1238,6 +1238,13 @@ __clear_user(void __user *addr, __kernel_size_t size)
79 + {
80 + __kernel_size_t res;
81 +
82 ++#ifdef CONFIG_CPU_MICROMIPS
83 ++/* micromips memset / bzero also clobbers t7 & t8 */
84 ++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31"
85 ++#else
86 ++#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"
87 ++#endif /* CONFIG_CPU_MICROMIPS */
88 ++
89 + if (eva_kernel_access()) {
90 + __asm__ __volatile__(
91 + "move\t$4, %1\n\t"
92 +@@ -1247,7 +1254,7 @@ __clear_user(void __user *addr, __kernel_size_t size)
93 + "move\t%0, $6"
94 + : "=r" (res)
95 + : "r" (addr), "r" (size)
96 +- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
97 ++ : bzero_clobbers);
98 + } else {
99 + might_fault();
100 + __asm__ __volatile__(
101 +@@ -1258,7 +1265,7 @@ __clear_user(void __user *addr, __kernel_size_t size)
102 + "move\t%0, $6"
103 + : "=r" (res)
104 + : "r" (addr), "r" (size)
105 +- : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31");
106 ++ : bzero_clobbers);
107 + }
108 +
109 + return res;
110 +diff --git a/arch/mips/lib/memset.S b/arch/mips/lib/memset.S
111 +index 8f0019a2e5c8..2d33cf2185d9 100644
112 +--- a/arch/mips/lib/memset.S
113 ++++ b/arch/mips/lib/memset.S
114 +@@ -218,7 +218,7 @@
115 + 1: PTR_ADDIU a0, 1 /* fill bytewise */
116 + R10KCBARRIER(0(ra))
117 + bne t1, a0, 1b
118 +- sb a1, -1(a0)
119 ++ EX(sb, a1, -1(a0), .Lsmall_fixup\@)
120 +
121 + 2: jr ra /* done */
122 + move a2, zero
123 +@@ -249,13 +249,18 @@
124 + PTR_L t0, TI_TASK($28)
125 + andi a2, STORMASK
126 + LONG_L t0, THREAD_BUADDR(t0)
127 +- LONG_ADDU a2, t1
128 ++ LONG_ADDU a2, a0
129 + jr ra
130 + LONG_SUBU a2, t0
131 +
132 + .Llast_fixup\@:
133 + jr ra
134 +- andi v1, a2, STORMASK
135 ++ nop
136 ++
137 ++.Lsmall_fixup\@:
138 ++ PTR_SUBU a2, t1, a0
139 ++ jr ra
140 ++ PTR_ADDIU a2, 1
141 +
142 + .endm
143 +
144 +diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
145 +index dba508fe1683..4f7060ec6875 100644
146 +--- a/arch/parisc/kernel/drivers.c
147 ++++ b/arch/parisc/kernel/drivers.c
148 +@@ -648,6 +648,10 @@ static int match_pci_device(struct device *dev, int index,
149 + (modpath->mod == PCI_FUNC(devfn)));
150 + }
151 +
152 ++ /* index might be out of bounds for bc[] */
153 ++ if (index >= 6)
154 ++ return 0;
155 ++
156 + id = PCI_SLOT(pdev->devfn) | (PCI_FUNC(pdev->devfn) << 5);
157 + return (modpath->bc[index] == id);
158 + }
159 +diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h
160 +index 0eca6efc0631..b9e16855a037 100644
161 +--- a/arch/powerpc/include/asm/barrier.h
162 ++++ b/arch/powerpc/include/asm/barrier.h
163 +@@ -36,7 +36,8 @@
164 +
165 + #define smp_store_mb(var, value) do { WRITE_ONCE(var, value); mb(); } while (0)
166 +
167 +-#ifdef __SUBARCH_HAS_LWSYNC
168 ++/* The sub-arch has lwsync */
169 ++#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC)
170 + # define SMPWMB LWSYNC
171 + #else
172 + # define SMPWMB eieio
173 +diff --git a/arch/powerpc/include/asm/opal.h b/arch/powerpc/include/asm/opal.h
174 +index 07a99e638449..bab3461115bb 100644
175 +--- a/arch/powerpc/include/asm/opal.h
176 ++++ b/arch/powerpc/include/asm/opal.h
177 +@@ -21,6 +21,9 @@
178 + /* We calculate number of sg entries based on PAGE_SIZE */
179 + #define SG_ENTRIES_PER_NODE ((PAGE_SIZE - 16) / sizeof(struct opal_sg_entry))
180 +
181 ++/* Default time to sleep or delay between OPAL_BUSY/OPAL_BUSY_EVENT loops */
182 ++#define OPAL_BUSY_DELAY_MS 10
183 ++
184 + /* /sys/firmware/opal */
185 + extern struct kobject *opal_kobj;
186 +
187 +diff --git a/arch/powerpc/include/asm/synch.h b/arch/powerpc/include/asm/synch.h
188 +index c50868681f9e..e8d6a842f4bb 100644
189 +--- a/arch/powerpc/include/asm/synch.h
190 ++++ b/arch/powerpc/include/asm/synch.h
191 +@@ -5,10 +5,6 @@
192 + #include <linux/stringify.h>
193 + #include <asm/feature-fixups.h>
194 +
195 +-#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC)
196 +-#define __SUBARCH_HAS_LWSYNC
197 +-#endif
198 +-
199 + #ifndef __ASSEMBLY__
200 + extern unsigned int __start___lwsync_fixup, __stop___lwsync_fixup;
201 + extern void do_lwsync_fixups(unsigned long value, void *fixup_start,
202 +diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
203 +index 98f81800e00c..304f07cfa262 100644
204 +--- a/arch/powerpc/kernel/eeh_pe.c
205 ++++ b/arch/powerpc/kernel/eeh_pe.c
206 +@@ -788,7 +788,8 @@ static void eeh_restore_bridge_bars(struct eeh_dev *edev)
207 + eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]);
208 +
209 + /* PCI Command: 0x4 */
210 +- eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]);
211 ++ eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] |
212 ++ PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
213 +
214 + /* Check the PCIe link is ready */
215 + eeh_bridge_check_link(edev);
216 +diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c
217 +index a18d648d31a6..3af014684872 100644
218 +--- a/arch/powerpc/lib/feature-fixups.c
219 ++++ b/arch/powerpc/lib/feature-fixups.c
220 +@@ -53,7 +53,7 @@ static int patch_alt_instruction(unsigned int *src, unsigned int *dest,
221 + unsigned int *target = (unsigned int *)branch_target(src);
222 +
223 + /* Branch within the section doesn't need translating */
224 +- if (target < alt_start || target >= alt_end) {
225 ++ if (target < alt_start || target > alt_end) {
226 + instr = translate_branch(dest, src);
227 + if (!instr)
228 + return 1;
229 +diff --git a/arch/powerpc/platforms/powernv/opal-nvram.c b/arch/powerpc/platforms/powernv/opal-nvram.c
230 +index 9db4398ded5d..1bceb95f422d 100644
231 +--- a/arch/powerpc/platforms/powernv/opal-nvram.c
232 ++++ b/arch/powerpc/platforms/powernv/opal-nvram.c
233 +@@ -11,6 +11,7 @@
234 +
235 + #define DEBUG
236 +
237 ++#include <linux/delay.h>
238 + #include <linux/kernel.h>
239 + #include <linux/init.h>
240 + #include <linux/of.h>
241 +@@ -56,9 +57,17 @@ static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index)
242 +
243 + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) {
244 + rc = opal_write_nvram(__pa(buf), count, off);
245 +- if (rc == OPAL_BUSY_EVENT)
246 ++ if (rc == OPAL_BUSY_EVENT) {
247 ++ msleep(OPAL_BUSY_DELAY_MS);
248 + opal_poll_events(NULL);
249 ++ } else if (rc == OPAL_BUSY) {
250 ++ msleep(OPAL_BUSY_DELAY_MS);
251 ++ }
252 + }
253 ++
254 ++ if (rc)
255 ++ return -EIO;
256 ++
257 + *index += count;
258 + return count;
259 + }
260 +diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c
261 +index b2e5902bd8f4..c670279b33f0 100644
262 +--- a/arch/s390/hypfs/inode.c
263 ++++ b/arch/s390/hypfs/inode.c
264 +@@ -318,7 +318,7 @@ static void hypfs_kill_super(struct super_block *sb)
265 +
266 + if (sb->s_root)
267 + hypfs_delete_tree(sb->s_root);
268 +- if (sb_info->update_file)
269 ++ if (sb_info && sb_info->update_file)
270 + hypfs_remove(sb_info->update_file);
271 + kfree(sb->s_fs_info);
272 + sb->s_fs_info = NULL;
273 +diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
274 +index 42570d8fb265..e73979236659 100644
275 +--- a/arch/s390/kernel/ipl.c
276 ++++ b/arch/s390/kernel/ipl.c
277 +@@ -798,6 +798,7 @@ static ssize_t reipl_generic_loadparm_store(struct ipl_parameter_block *ipb,
278 + /* copy and convert to ebcdic */
279 + memcpy(ipb->hdr.loadparm, buf, lp_len);
280 + ASCEBC(ipb->hdr.loadparm, LOADPARM_LEN);
281 ++ ipb->hdr.flags |= DIAG308_FLAGS_LP_VALID;
282 + return len;
283 + }
284 +
285 +diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c
286 +index c211153ca69a..56648f4f8b41 100644
287 +--- a/arch/um/os-Linux/signal.c
288 ++++ b/arch/um/os-Linux/signal.c
289 +@@ -140,7 +140,7 @@ static void (*handlers[_NSIG])(int sig, struct siginfo *si, mcontext_t *mc) = {
290 +
291 + static void hard_handler(int sig, siginfo_t *si, void *p)
292 + {
293 +- struct ucontext *uc = p;
294 ++ ucontext_t *uc = p;
295 + mcontext_t *mc = &uc->uc_mcontext;
296 + unsigned long pending = 1UL << sig;
297 +
298 +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
299 +index bb6aab2fa7f5..eab1ef25eecd 100644
300 +--- a/arch/x86/Kconfig
301 ++++ b/arch/x86/Kconfig
302 +@@ -280,11 +280,6 @@ config X86_32_LAZY_GS
303 + def_bool y
304 + depends on X86_32 && !CC_STACKPROTECTOR
305 +
306 +-config ARCH_HWEIGHT_CFLAGS
307 +- string
308 +- default "-fcall-saved-ecx -fcall-saved-edx" if X86_32
309 +- default "-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11" if X86_64
310 +-
311 + config ARCH_SUPPORTS_UPROBES
312 + def_bool y
313 +
314 +diff --git a/arch/x86/include/asm/arch_hweight.h b/arch/x86/include/asm/arch_hweight.h
315 +index 259a7c1ef709..44f825c80ed5 100644
316 +--- a/arch/x86/include/asm/arch_hweight.h
317 ++++ b/arch/x86/include/asm/arch_hweight.h
318 +@@ -2,8 +2,8 @@
319 + #define _ASM_X86_HWEIGHT_H
320 +
321 + #ifdef CONFIG_64BIT
322 +-/* popcnt %edi, %eax -- redundant REX prefix for alignment */
323 +-#define POPCNT32 ".byte 0xf3,0x40,0x0f,0xb8,0xc7"
324 ++/* popcnt %edi, %eax */
325 ++#define POPCNT32 ".byte 0xf3,0x0f,0xb8,0xc7"
326 + /* popcnt %rdi, %rax */
327 + #define POPCNT64 ".byte 0xf3,0x48,0x0f,0xb8,0xc7"
328 + #define REG_IN "D"
329 +@@ -15,19 +15,15 @@
330 + #define REG_OUT "a"
331 + #endif
332 +
333 +-/*
334 +- * __sw_hweightXX are called from within the alternatives below
335 +- * and callee-clobbered registers need to be taken care of. See
336 +- * ARCH_HWEIGHT_CFLAGS in <arch/x86/Kconfig> for the respective
337 +- * compiler switches.
338 +- */
339 ++#define __HAVE_ARCH_SW_HWEIGHT
340 ++
341 + static __always_inline unsigned int __arch_hweight32(unsigned int w)
342 + {
343 +- unsigned int res = 0;
344 ++ unsigned int res;
345 +
346 + asm (ALTERNATIVE("call __sw_hweight32", POPCNT32, X86_FEATURE_POPCNT)
347 +- : "="REG_OUT (res)
348 +- : REG_IN (w));
349 ++ : "="REG_OUT (res)
350 ++ : REG_IN (w));
351 +
352 + return res;
353 + }
354 +@@ -51,11 +47,11 @@ static inline unsigned long __arch_hweight64(__u64 w)
355 + #else
356 + static __always_inline unsigned long __arch_hweight64(__u64 w)
357 + {
358 +- unsigned long res = 0;
359 ++ unsigned long res;
360 +
361 + asm (ALTERNATIVE("call __sw_hweight64", POPCNT64, X86_FEATURE_POPCNT)
362 +- : "="REG_OUT (res)
363 +- : REG_IN (w));
364 ++ : "="REG_OUT (res)
365 ++ : REG_IN (w));
366 +
367 + return res;
368 + }
369 +diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c
370 +index 64341aa485ae..d40ee8a38fed 100644
371 +--- a/arch/x86/kernel/i386_ksyms_32.c
372 ++++ b/arch/x86/kernel/i386_ksyms_32.c
373 +@@ -42,3 +42,5 @@ EXPORT_SYMBOL(empty_zero_page);
374 + EXPORT_SYMBOL(___preempt_schedule);
375 + EXPORT_SYMBOL(___preempt_schedule_notrace);
376 + #endif
377 ++
378 ++EXPORT_SYMBOL(__sw_hweight32);
379 +diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
380 +index a0695be19864..c7efd394c42b 100644
381 +--- a/arch/x86/kernel/x8664_ksyms_64.c
382 ++++ b/arch/x86/kernel/x8664_ksyms_64.c
383 +@@ -42,6 +42,9 @@ EXPORT_SYMBOL(clear_page);
384 +
385 + EXPORT_SYMBOL(csum_partial);
386 +
387 ++EXPORT_SYMBOL(__sw_hweight32);
388 ++EXPORT_SYMBOL(__sw_hweight64);
389 ++
390 + /*
391 + * Export string functions. We normally rely on gcc builtin for most of these,
392 + * but gcc sometimes decides not to inline them.
393 +diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile
394 +index 12a34d15b648..c0c8b0a49bb8 100644
395 +--- a/arch/x86/lib/Makefile
396 ++++ b/arch/x86/lib/Makefile
397 +@@ -23,7 +23,7 @@ lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o
398 + lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o
399 + lib-$(CONFIG_RETPOLINE) += retpoline.o
400 +
401 +-obj-y += msr.o msr-reg.o msr-reg-export.o
402 ++obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o
403 +
404 + ifeq ($(CONFIG_X86_32),y)
405 + obj-y += atomic64_32.o
406 +diff --git a/arch/x86/lib/hweight.S b/arch/x86/lib/hweight.S
407 +new file mode 100644
408 +index 000000000000..8a602a1e404a
409 +--- /dev/null
410 ++++ b/arch/x86/lib/hweight.S
411 +@@ -0,0 +1,79 @@
412 ++#include <linux/linkage.h>
413 ++
414 ++#include <asm/asm.h>
415 ++
416 ++/*
417 ++ * unsigned int __sw_hweight32(unsigned int w)
418 ++ * %rdi: w
419 ++ */
420 ++ENTRY(__sw_hweight32)
421 ++
422 ++#ifdef CONFIG_X86_64
423 ++ movl %edi, %eax # w
424 ++#endif
425 ++ __ASM_SIZE(push,) %__ASM_REG(dx)
426 ++ movl %eax, %edx # w -> t
427 ++ shrl %edx # t >>= 1
428 ++ andl $0x55555555, %edx # t &= 0x55555555
429 ++ subl %edx, %eax # w -= t
430 ++
431 ++ movl %eax, %edx # w -> t
432 ++ shrl $2, %eax # w_tmp >>= 2
433 ++ andl $0x33333333, %edx # t &= 0x33333333
434 ++ andl $0x33333333, %eax # w_tmp &= 0x33333333
435 ++ addl %edx, %eax # w = w_tmp + t
436 ++
437 ++ movl %eax, %edx # w -> t
438 ++ shrl $4, %edx # t >>= 4
439 ++ addl %edx, %eax # w_tmp += t
440 ++ andl $0x0f0f0f0f, %eax # w_tmp &= 0x0f0f0f0f
441 ++ imull $0x01010101, %eax, %eax # w_tmp *= 0x01010101
442 ++ shrl $24, %eax # w = w_tmp >> 24
443 ++ __ASM_SIZE(pop,) %__ASM_REG(dx)
444 ++ ret
445 ++ENDPROC(__sw_hweight32)
446 ++
447 ++ENTRY(__sw_hweight64)
448 ++#ifdef CONFIG_X86_64
449 ++ pushq %rdi
450 ++ pushq %rdx
451 ++
452 ++ movq %rdi, %rdx # w -> t
453 ++ movabsq $0x5555555555555555, %rax
454 ++ shrq %rdx # t >>= 1
455 ++ andq %rdx, %rax # t &= 0x5555555555555555
456 ++ movabsq $0x3333333333333333, %rdx
457 ++ subq %rax, %rdi # w -= t
458 ++
459 ++ movq %rdi, %rax # w -> t
460 ++ shrq $2, %rdi # w_tmp >>= 2
461 ++ andq %rdx, %rax # t &= 0x3333333333333333
462 ++ andq %rdi, %rdx # w_tmp &= 0x3333333333333333
463 ++ addq %rdx, %rax # w = w_tmp + t
464 ++
465 ++ movq %rax, %rdx # w -> t
466 ++ shrq $4, %rdx # t >>= 4
467 ++ addq %rdx, %rax # w_tmp += t
468 ++ movabsq $0x0f0f0f0f0f0f0f0f, %rdx
469 ++ andq %rdx, %rax # w_tmp &= 0x0f0f0f0f0f0f0f0f
470 ++ movabsq $0x0101010101010101, %rdx
471 ++ imulq %rdx, %rax # w_tmp *= 0x0101010101010101
472 ++ shrq $56, %rax # w = w_tmp >> 56
473 ++
474 ++ popq %rdx
475 ++ popq %rdi
476 ++ ret
477 ++#else /* CONFIG_X86_32 */
478 ++ /* We're getting an u64 arg in (%eax,%edx): unsigned long hweight64(__u64 w) */
479 ++ pushl %ecx
480 ++
481 ++ call __sw_hweight32
482 ++ movl %eax, %ecx # stash away result
483 ++ movl %edx, %eax # second part of input
484 ++ call __sw_hweight32
485 ++ addl %ecx, %eax # result
486 ++
487 ++ popl %ecx
488 ++ ret
489 ++#endif
490 ++ENDPROC(__sw_hweight64)
491 +diff --git a/arch/x86/um/stub_segv.c b/arch/x86/um/stub_segv.c
492 +index 1518d2805ae8..fd6825537b97 100644
493 +--- a/arch/x86/um/stub_segv.c
494 ++++ b/arch/x86/um/stub_segv.c
495 +@@ -10,7 +10,7 @@
496 + void __attribute__ ((__section__ (".__syscall_stub")))
497 + stub_segv_handler(int sig, siginfo_t *info, void *p)
498 + {
499 +- struct ucontext *uc = p;
500 ++ ucontext_t *uc = p;
501 +
502 + GET_FAULTINFO_FROM_MC(*((struct faultinfo *) STUB_DATA),
503 + &uc->uc_mcontext);
504 +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
505 +index b48ecbfc4498..8c5503c0bad7 100644
506 +--- a/drivers/acpi/video_detect.c
507 ++++ b/drivers/acpi/video_detect.c
508 +@@ -205,6 +205,15 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
509 + "3570R/370R/470R/450R/510R/4450RV"),
510 + },
511 + },
512 ++ {
513 ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1557060 */
514 ++ .callback = video_detect_force_video,
515 ++ .ident = "SAMSUNG 670Z5E",
516 ++ .matches = {
517 ++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."),
518 ++ DMI_MATCH(DMI_PRODUCT_NAME, "670Z5E"),
519 ++ },
520 ++ },
521 + {
522 + /* https://bugzilla.redhat.com/show_bug.cgi?id=1094948 */
523 + .callback = video_detect_force_video,
524 +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
525 +index 4ac63c0e50c7..fd377b956199 100644
526 +--- a/drivers/base/regmap/regmap.c
527 ++++ b/drivers/base/regmap/regmap.c
528 +@@ -1582,7 +1582,7 @@ int regmap_raw_write(struct regmap *map, unsigned int reg,
529 + return -EINVAL;
530 + if (val_len % map->format.val_bytes)
531 + return -EINVAL;
532 +- if (map->max_raw_write && map->max_raw_write > val_len)
533 ++ if (map->max_raw_write && map->max_raw_write < val_len)
534 + return -E2BIG;
535 +
536 + map->lock(map->lock_arg);
537 +diff --git a/drivers/block/loop.c b/drivers/block/loop.c
538 +index 1dd16f26e77d..e8165ec55e6f 100644
539 +--- a/drivers/block/loop.c
540 ++++ b/drivers/block/loop.c
541 +@@ -1121,11 +1121,15 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
542 + if (info->lo_encrypt_type) {
543 + unsigned int type = info->lo_encrypt_type;
544 +
545 +- if (type >= MAX_LO_CRYPT)
546 +- return -EINVAL;
547 ++ if (type >= MAX_LO_CRYPT) {
548 ++ err = -EINVAL;
549 ++ goto exit;
550 ++ }
551 + xfer = xfer_funcs[type];
552 +- if (xfer == NULL)
553 +- return -EINVAL;
554 ++ if (xfer == NULL) {
555 ++ err = -EINVAL;
556 ++ goto exit;
557 ++ }
558 + } else
559 + xfer = NULL;
560 +
561 +diff --git a/drivers/char/random.c b/drivers/char/random.c
562 +index bd9fc2baa6aa..dffd06a3bb76 100644
563 +--- a/drivers/char/random.c
564 ++++ b/drivers/char/random.c
565 +@@ -724,7 +724,7 @@ retry:
566 +
567 + static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
568 + {
569 +- const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
570 ++ const int nbits_max = r->poolinfo->poolwords * 32;
571 +
572 + if (nbits < 0)
573 + return -EINVAL;
574 +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
575 +index 7c4b1ffe874f..d56ba46e6b78 100644
576 +--- a/drivers/clk/bcm/clk-bcm2835.c
577 ++++ b/drivers/clk/bcm/clk-bcm2835.c
578 +@@ -891,9 +891,7 @@ static void bcm2835_pll_off(struct clk_hw *hw)
579 + const struct bcm2835_pll_data *data = pll->data;
580 +
581 + spin_lock(&cprman->regs_lock);
582 +- cprman_write(cprman, data->cm_ctrl_reg,
583 +- cprman_read(cprman, data->cm_ctrl_reg) |
584 +- CM_PLL_ANARST);
585 ++ cprman_write(cprman, data->cm_ctrl_reg, CM_PLL_ANARST);
586 + cprman_write(cprman, data->a2w_ctrl_reg,
587 + cprman_read(cprman, data->a2w_ctrl_reg) |
588 + A2W_PLL_CTRL_PWRDN);
589 +@@ -929,6 +927,10 @@ static int bcm2835_pll_on(struct clk_hw *hw)
590 + cpu_relax();
591 + }
592 +
593 ++ cprman_write(cprman, data->a2w_ctrl_reg,
594 ++ cprman_read(cprman, data->a2w_ctrl_reg) |
595 ++ A2W_PLL_CTRL_PRST_DISABLE);
596 ++
597 + return 0;
598 + }
599 +
600 +diff --git a/drivers/clk/mvebu/armada-38x.c b/drivers/clk/mvebu/armada-38x.c
601 +index 8bccf4ecdab6..9ff4ea63932d 100644
602 +--- a/drivers/clk/mvebu/armada-38x.c
603 ++++ b/drivers/clk/mvebu/armada-38x.c
604 +@@ -46,10 +46,11 @@ static u32 __init armada_38x_get_tclk_freq(void __iomem *sar)
605 + }
606 +
607 + static const u32 armada_38x_cpu_frequencies[] __initconst = {
608 +- 0, 0, 0, 0,
609 +- 1066 * 1000 * 1000, 0, 0, 0,
610 ++ 666 * 1000 * 1000, 0, 800 * 1000 * 1000, 0,
611 ++ 1066 * 1000 * 1000, 0, 1200 * 1000 * 1000, 0,
612 + 1332 * 1000 * 1000, 0, 0, 0,
613 +- 1600 * 1000 * 1000,
614 ++ 1600 * 1000 * 1000, 0, 0, 0,
615 ++ 1866 * 1000 * 1000, 0, 0, 2000 * 1000 * 1000,
616 + };
617 +
618 + static u32 __init armada_38x_get_cpu_freq(void __iomem *sar)
619 +@@ -75,11 +76,11 @@ static const struct coreclk_ratio armada_38x_coreclk_ratios[] __initconst = {
620 + };
621 +
622 + static const int armada_38x_cpu_l2_ratios[32][2] __initconst = {
623 +- {0, 1}, {0, 1}, {0, 1}, {0, 1},
624 +- {1, 2}, {0, 1}, {0, 1}, {0, 1},
625 ++ {1, 2}, {0, 1}, {1, 2}, {0, 1},
626 ++ {1, 2}, {0, 1}, {1, 2}, {0, 1},
627 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
628 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
629 +- {0, 1}, {0, 1}, {0, 1}, {0, 1},
630 ++ {1, 2}, {0, 1}, {0, 1}, {1, 2},
631 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
632 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
633 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
634 +@@ -90,7 +91,7 @@ static const int armada_38x_cpu_ddr_ratios[32][2] __initconst = {
635 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
636 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
637 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
638 +- {0, 1}, {0, 1}, {0, 1}, {0, 1},
639 ++ {1, 2}, {0, 1}, {0, 1}, {7, 15},
640 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
641 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
642 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
643 +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
644 +index 66c073fc8afc..82a7c89caae2 100644
645 +--- a/drivers/dma/at_xdmac.c
646 ++++ b/drivers/dma/at_xdmac.c
647 +@@ -1473,10 +1473,10 @@ at_xdmac_tx_status(struct dma_chan *chan, dma_cookie_t cookie,
648 + for (retry = 0; retry < AT_XDMAC_RESIDUE_MAX_RETRIES; retry++) {
649 + check_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
650 + rmb();
651 +- initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
652 +- rmb();
653 + cur_ubc = at_xdmac_chan_read(atchan, AT_XDMAC_CUBC);
654 + rmb();
655 ++ initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
656 ++ rmb();
657 + cur_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
658 + rmb();
659 +
660 +diff --git a/drivers/gpu/drm/radeon/radeon_object.c b/drivers/gpu/drm/radeon/radeon_object.c
661 +index fb6ad143873f..83aee9e814ba 100644
662 +--- a/drivers/gpu/drm/radeon/radeon_object.c
663 ++++ b/drivers/gpu/drm/radeon/radeon_object.c
664 +@@ -238,9 +238,10 @@ int radeon_bo_create(struct radeon_device *rdev,
665 + * may be slow
666 + * See https://bugs.freedesktop.org/show_bug.cgi?id=88758
667 + */
668 +-
669 ++#ifndef CONFIG_COMPILE_TEST
670 + #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance \
671 + thanks to write-combining
672 ++#endif
673 +
674 + if (bo->flags & RADEON_GEM_GTT_WC)
675 + DRM_INFO_ONCE("Please enable CONFIG_MTRR and CONFIG_X86_PAT for "
676 +diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c
677 +index d9007cc37be1..892d0a71d766 100644
678 +--- a/drivers/gpu/drm/radeon/si_dpm.c
679 ++++ b/drivers/gpu/drm/radeon/si_dpm.c
680 +@@ -5964,9 +5964,9 @@ static void si_set_pcie_lane_width_in_smc(struct radeon_device *rdev,
681 + {
682 + u32 lane_width;
683 + u32 new_lane_width =
684 +- (radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT;
685 ++ ((radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1;
686 + u32 current_lane_width =
687 +- (radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT;
688 ++ ((radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1;
689 +
690 + if (new_lane_width != current_lane_width) {
691 + radeon_set_pcie_lanes(rdev, new_lane_width);
692 +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
693 +index d07fb967f92b..e4541c6bf3d3 100644
694 +--- a/drivers/hid/hid-core.c
695 ++++ b/drivers/hid/hid-core.c
696 +@@ -1331,7 +1331,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
697 + * of implement() working on 8 byte chunks
698 + */
699 +
700 +- int len = hid_report_len(report) + 7;
701 ++ u32 len = hid_report_len(report) + 7;
702 +
703 + return kmalloc(len, flags);
704 + }
705 +@@ -1396,7 +1396,7 @@ void __hid_request(struct hid_device *hid, struct hid_report *report,
706 + {
707 + char *buf;
708 + int ret;
709 +- int len;
710 ++ u32 len;
711 +
712 + buf = hid_alloc_report_buf(report, GFP_KERNEL);
713 + if (!buf)
714 +@@ -1422,14 +1422,14 @@ out:
715 + }
716 + EXPORT_SYMBOL_GPL(__hid_request);
717 +
718 +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
719 ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
720 + int interrupt)
721 + {
722 + struct hid_report_enum *report_enum = hid->report_enum + type;
723 + struct hid_report *report;
724 + struct hid_driver *hdrv;
725 + unsigned int a;
726 +- int rsize, csize = size;
727 ++ u32 rsize, csize = size;
728 + u8 *cdata = data;
729 + int ret = 0;
730 +
731 +@@ -1487,7 +1487,7 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event);
732 + *
733 + * This is data entry for lower layers.
734 + */
735 +-int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int interrupt)
736 ++int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt)
737 + {
738 + struct hid_report_enum *report_enum;
739 + struct hid_driver *hdrv;
740 +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
741 +index 53e54855c366..8d74e691ac90 100644
742 +--- a/drivers/hid/hid-input.c
743 ++++ b/drivers/hid/hid-input.c
744 +@@ -1258,7 +1258,8 @@ static void hidinput_led_worker(struct work_struct *work)
745 + led_work);
746 + struct hid_field *field;
747 + struct hid_report *report;
748 +- int len, ret;
749 ++ int ret;
750 ++ u32 len;
751 + __u8 *buf;
752 +
753 + field = hidinput_get_led_field(hid);
754 +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
755 +index f62a9d6601cc..9de379c1b3fd 100644
756 +--- a/drivers/hid/hid-multitouch.c
757 ++++ b/drivers/hid/hid-multitouch.c
758 +@@ -314,7 +314,8 @@ static struct attribute_group mt_attribute_group = {
759 + static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
760 + {
761 + struct mt_device *td = hid_get_drvdata(hdev);
762 +- int ret, size = hid_report_len(report);
763 ++ int ret;
764 ++ u32 size = hid_report_len(report);
765 + u8 *buf;
766 +
767 + /*
768 +@@ -919,7 +920,7 @@ static void mt_set_input_mode(struct hid_device *hdev)
769 + struct hid_report_enum *re;
770 + struct mt_class *cls = &td->mtclass;
771 + char *buf;
772 +- int report_len;
773 ++ u32 report_len;
774 +
775 + if (td->inputmode < 0)
776 + return;
777 +diff --git a/drivers/hid/hid-rmi.c b/drivers/hid/hid-rmi.c
778 +index 67cd059a8f46..41a4a2af9db1 100644
779 +--- a/drivers/hid/hid-rmi.c
780 ++++ b/drivers/hid/hid-rmi.c
781 +@@ -110,8 +110,8 @@ struct rmi_data {
782 + u8 *writeReport;
783 + u8 *readReport;
784 +
785 +- int input_report_size;
786 +- int output_report_size;
787 ++ u32 input_report_size;
788 ++ u32 output_report_size;
789 +
790 + unsigned long flags;
791 +
792 +diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
793 +index 9c2d7c23f296..c0c4df198725 100644
794 +--- a/drivers/hid/hidraw.c
795 ++++ b/drivers/hid/hidraw.c
796 +@@ -197,6 +197,11 @@ static ssize_t hidraw_get_report(struct file *file, char __user *buffer, size_t
797 + int ret = 0, len;
798 + unsigned char report_number;
799 +
800 ++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
801 ++ ret = -ENODEV;
802 ++ goto out;
803 ++ }
804 ++
805 + dev = hidraw_table[minor]->hid;
806 +
807 + if (!dev->ll_driver->raw_request) {
808 +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
809 +index 312aa1e33fb2..4c3ed078c6b9 100644
810 +--- a/drivers/hid/i2c-hid/i2c-hid.c
811 ++++ b/drivers/hid/i2c-hid/i2c-hid.c
812 +@@ -137,10 +137,10 @@ struct i2c_hid {
813 + * register of the HID
814 + * descriptor. */
815 + unsigned int bufsize; /* i2c buffer size */
816 +- char *inbuf; /* Input buffer */
817 +- char *rawbuf; /* Raw Input buffer */
818 +- char *cmdbuf; /* Command buffer */
819 +- char *argsbuf; /* Command arguments buffer */
820 ++ u8 *inbuf; /* Input buffer */
821 ++ u8 *rawbuf; /* Raw Input buffer */
822 ++ u8 *cmdbuf; /* Command buffer */
823 ++ u8 *argsbuf; /* Command arguments buffer */
824 +
825 + unsigned long flags; /* device flags */
826 +
827 +@@ -387,7 +387,8 @@ static int i2c_hid_hwreset(struct i2c_client *client)
828 +
829 + static void i2c_hid_get_input(struct i2c_hid *ihid)
830 + {
831 +- int ret, ret_size;
832 ++ int ret;
833 ++ u32 ret_size;
834 + int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
835 +
836 + if (size > ihid->bufsize)
837 +@@ -412,7 +413,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid)
838 + return;
839 + }
840 +
841 +- if (ret_size > size) {
842 ++ if ((ret_size > size) || (ret_size <= 2)) {
843 + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
844 + __func__, size, ret_size);
845 + return;
846 +diff --git a/drivers/hwmon/ina2xx.c b/drivers/hwmon/ina2xx.c
847 +index a629f7c130f0..ac63e562071f 100644
848 +--- a/drivers/hwmon/ina2xx.c
849 ++++ b/drivers/hwmon/ina2xx.c
850 +@@ -447,6 +447,7 @@ static int ina2xx_probe(struct i2c_client *client,
851 +
852 + /* set the device type */
853 + data->config = &ina2xx_config[id->driver_data];
854 ++ mutex_init(&data->config_lock);
855 +
856 + if (of_property_read_u32(dev->of_node, "shunt-resistor", &val) < 0) {
857 + struct ina2xx_platform_data *pdata = dev_get_platdata(dev);
858 +@@ -473,8 +474,6 @@ static int ina2xx_probe(struct i2c_client *client,
859 + return -ENODEV;
860 + }
861 +
862 +- mutex_init(&data->config_lock);
863 +-
864 + data->groups[group++] = &ina2xx_group;
865 + if (id->driver_data == ina226)
866 + data->groups[group++] = &ina226_group;
867 +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
868 +index 960fcb613198..ea3bc9bb1b7a 100644
869 +--- a/drivers/infiniband/core/ucma.c
870 ++++ b/drivers/infiniband/core/ucma.c
871 +@@ -1230,6 +1230,9 @@ static int ucma_set_ib_path(struct ucma_context *ctx,
872 + if (!optlen)
873 + return -EINVAL;
874 +
875 ++ if (!ctx->cm_id->device)
876 ++ return -EINVAL;
877 ++
878 + memset(&sa_path, 0, sizeof(sa_path));
879 +
880 + ib_sa_unpack_path(path_data->path_rec, &sa_path);
881 +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
882 +index 9a99cee2665a..4fd2892613dd 100644
883 +--- a/drivers/infiniband/ulp/srp/ib_srp.c
884 ++++ b/drivers/infiniband/ulp/srp/ib_srp.c
885 +@@ -2581,9 +2581,11 @@ static int srp_abort(struct scsi_cmnd *scmnd)
886 + ret = FAST_IO_FAIL;
887 + else
888 + ret = FAILED;
889 +- srp_free_req(ch, req, scmnd, 0);
890 +- scmnd->result = DID_ABORT << 16;
891 +- scmnd->scsi_done(scmnd);
892 ++ if (ret == SUCCESS) {
893 ++ srp_free_req(ch, req, scmnd, 0);
894 ++ scmnd->result = DID_ABORT << 16;
895 ++ scmnd->scsi_done(scmnd);
896 ++ }
897 +
898 + return ret;
899 + }
900 +@@ -3309,12 +3311,10 @@ static ssize_t srp_create_target(struct device *dev,
901 + num_online_nodes());
902 + const int ch_end = ((node_idx + 1) * target->ch_count /
903 + num_online_nodes());
904 +- const int cv_start = (node_idx * ibdev->num_comp_vectors /
905 +- num_online_nodes() + target->comp_vector)
906 +- % ibdev->num_comp_vectors;
907 +- const int cv_end = ((node_idx + 1) * ibdev->num_comp_vectors /
908 +- num_online_nodes() + target->comp_vector)
909 +- % ibdev->num_comp_vectors;
910 ++ const int cv_start = node_idx * ibdev->num_comp_vectors /
911 ++ num_online_nodes();
912 ++ const int cv_end = (node_idx + 1) * ibdev->num_comp_vectors /
913 ++ num_online_nodes();
914 + int cpu_idx = 0;
915 +
916 + for_each_online_cpu(cpu) {
917 +diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
918 +index a7d516f973dd..10068a481e22 100644
919 +--- a/drivers/iommu/intel-svm.c
920 ++++ b/drivers/iommu/intel-svm.c
921 +@@ -389,6 +389,7 @@ int intel_svm_bind_mm(struct device *dev, int *pasid, int flags, struct svm_dev_
922 + pasid_max - 1, GFP_KERNEL);
923 + if (ret < 0) {
924 + kfree(svm);
925 ++ kfree(sdev);
926 + goto out;
927 + }
928 + svm->pasid = ret;
929 +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
930 +index 943f90e392a7..e0ae2f34623a 100644
931 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
932 ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
933 +@@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user *kp,
934 + static int put_v4l2_window32(struct v4l2_window __user *kp,
935 + struct v4l2_window32 __user *up)
936 + {
937 +- struct v4l2_clip __user *kclips = kp->clips;
938 ++ struct v4l2_clip __user *kclips;
939 + struct v4l2_clip32 __user *uclips;
940 + compat_caddr_t p;
941 + u32 clipcount;
942 +@@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user *kp,
943 + if (!clipcount)
944 + return 0;
945 +
946 ++ if (get_user(kclips, &kp->clips))
947 ++ return -EFAULT;
948 + if (get_user(p, &up->clips))
949 + return -EFAULT;
950 + uclips = compat_ptr(p);
951 +diff --git a/drivers/mmc/host/jz4740_mmc.c b/drivers/mmc/host/jz4740_mmc.c
952 +index 76e8bce6f46e..ad572a0f2124 100644
953 +--- a/drivers/mmc/host/jz4740_mmc.c
954 ++++ b/drivers/mmc/host/jz4740_mmc.c
955 +@@ -368,9 +368,9 @@ static void jz4740_mmc_set_irq_enabled(struct jz4740_mmc_host *host,
956 + host->irq_mask &= ~irq;
957 + else
958 + host->irq_mask |= irq;
959 +- spin_unlock_irqrestore(&host->lock, flags);
960 +
961 + writew(host->irq_mask, host->base + JZ_REG_MMC_IMASK);
962 ++ spin_unlock_irqrestore(&host->lock, flags);
963 + }
964 +
965 + static void jz4740_mmc_clock_enable(struct jz4740_mmc_host *host,
966 +diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
967 +index b2fb0528c092..07ad86759d92 100644
968 +--- a/drivers/mtd/ubi/block.c
969 ++++ b/drivers/mtd/ubi/block.c
970 +@@ -244,7 +244,7 @@ static int ubiblock_open(struct block_device *bdev, fmode_t mode)
971 + * in any case.
972 + */
973 + if (mode & FMODE_WRITE) {
974 +- ret = -EPERM;
975 ++ ret = -EROFS;
976 + goto out_unlock;
977 + }
978 +
979 +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
980 +index 27de0463226e..a2e6c7848b0a 100644
981 +--- a/drivers/mtd/ubi/build.c
982 ++++ b/drivers/mtd/ubi/build.c
983 +@@ -889,6 +889,17 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
984 + return -EINVAL;
985 + }
986 +
987 ++ /*
988 ++ * Both UBI and UBIFS have been designed for SLC NAND and NOR flashes.
989 ++ * MLC NAND is different and needs special care, otherwise UBI or UBIFS
990 ++ * will die soon and you will lose all your data.
991 ++ */
992 ++ if (mtd->type == MTD_MLCNANDFLASH) {
993 ++ pr_err("ubi: refuse attaching mtd%d - MLC NAND is not supported\n",
994 ++ mtd->index);
995 ++ return -EINVAL;
996 ++ }
997 ++
998 + if (ubi_num == UBI_DEV_NUM_AUTO) {
999 + /* Search for an empty slot in the @ubi_devices array */
1000 + for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)
1001 +diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c
1002 +index 30d3999dddba..ed62f1efe6eb 100644
1003 +--- a/drivers/mtd/ubi/fastmap-wl.c
1004 ++++ b/drivers/mtd/ubi/fastmap-wl.c
1005 +@@ -360,7 +360,6 @@ static void ubi_fastmap_close(struct ubi_device *ubi)
1006 + {
1007 + int i;
1008 +
1009 +- flush_work(&ubi->fm_work);
1010 + return_unused_pool_pebs(ubi, &ubi->fm_pool);
1011 + return_unused_pool_pebs(ubi, &ubi->fm_wl_pool);
1012 +
1013 +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
1014 +index 27ed25252aac..cfd81eb1b532 100644
1015 +--- a/drivers/net/slip/slhc.c
1016 ++++ b/drivers/net/slip/slhc.c
1017 +@@ -509,6 +509,10 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
1018 + if(x < 0 || x > comp->rslot_limit)
1019 + goto bad;
1020 +
1021 ++ /* Check if the cstate is initialized */
1022 ++ if (!comp->rstate[x].initialized)
1023 ++ goto bad;
1024 ++
1025 + comp->flags &=~ SLF_TOSS;
1026 + comp->recv_current = x;
1027 + } else {
1028 +@@ -673,6 +677,7 @@ slhc_remember(struct slcompress *comp, unsigned char *icp, int isize)
1029 + if (cs->cs_tcp.doff > 5)
1030 + memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4);
1031 + cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2;
1032 ++ cs->initialized = true;
1033 + /* Put headers back on packet
1034 + * Neither header checksum is recalculated
1035 + */
1036 +diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
1037 +index f9343bee1de3..6578127db847 100644
1038 +--- a/drivers/net/usb/cdc_ether.c
1039 ++++ b/drivers/net/usb/cdc_ether.c
1040 +@@ -704,6 +704,12 @@ static const struct usb_device_id products[] = {
1041 + USB_CDC_SUBCLASS_ETHERNET,
1042 + USB_CDC_PROTO_NONE),
1043 + .driver_info = (unsigned long)&wwan_info,
1044 ++}, {
1045 ++ /* Cinterion AHS3 modem by GEMALTO */
1046 ++ USB_DEVICE_AND_INTERFACE_INFO(0x1e2d, 0x0055, USB_CLASS_COMM,
1047 ++ USB_CDC_SUBCLASS_ETHERNET,
1048 ++ USB_CDC_PROTO_NONE),
1049 ++ .driver_info = (unsigned long)&wwan_info,
1050 + }, {
1051 + /* Telit modules */
1052 + USB_VENDOR_AND_INTERFACE_INFO(0x1bc7, USB_CLASS_COMM,
1053 +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
1054 +index ebdee8f01f65..a6d429950cb0 100644
1055 +--- a/drivers/net/usb/lan78xx.c
1056 ++++ b/drivers/net/usb/lan78xx.c
1057 +@@ -618,7 +618,8 @@ static int lan78xx_read_otp(struct lan78xx_net *dev, u32 offset,
1058 + offset += 0x100;
1059 + else
1060 + ret = -EINVAL;
1061 +- ret = lan78xx_read_raw_otp(dev, offset, length, data);
1062 ++ if (!ret)
1063 ++ ret = lan78xx_read_raw_otp(dev, offset, length, data);
1064 + }
1065 +
1066 + return ret;
1067 +diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
1068 +index b7f72f9c7988..b3691712df61 100644
1069 +--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
1070 ++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
1071 +@@ -1454,6 +1454,7 @@ static int rtl8187_probe(struct usb_interface *intf,
1072 + goto err_free_dev;
1073 + }
1074 + mutex_init(&priv->io_mutex);
1075 ++ mutex_init(&priv->conf_mutex);
1076 +
1077 + SET_IEEE80211_DEV(dev, &intf->dev);
1078 + usb_set_intfdata(intf, dev);
1079 +@@ -1627,7 +1628,6 @@ static int rtl8187_probe(struct usb_interface *intf,
1080 + printk(KERN_ERR "rtl8187: Cannot register device\n");
1081 + goto err_free_dmabuf;
1082 + }
1083 +- mutex_init(&priv->conf_mutex);
1084 + skb_queue_head_init(&priv->b_tx_status.queue);
1085 +
1086 + wiphy_info(dev->wiphy, "hwaddr %pM, %s V%d + %s, rfkill mask %d\n",
1087 +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
1088 +index 0b8d2655985f..fee4c01fbdfd 100644
1089 +--- a/drivers/net/xen-netfront.c
1090 ++++ b/drivers/net/xen-netfront.c
1091 +@@ -2024,7 +2024,10 @@ static void netback_changed(struct xenbus_device *dev,
1092 + case XenbusStateInitialised:
1093 + case XenbusStateReconfiguring:
1094 + case XenbusStateReconfigured:
1095 ++ break;
1096 ++
1097 + case XenbusStateUnknown:
1098 ++ wake_up_all(&module_unload_q);
1099 + break;
1100 +
1101 + case XenbusStateInitWait:
1102 +@@ -2155,7 +2158,9 @@ static int xennet_remove(struct xenbus_device *dev)
1103 + xenbus_switch_state(dev, XenbusStateClosing);
1104 + wait_event(module_unload_q,
1105 + xenbus_read_driver_state(dev->otherend) ==
1106 +- XenbusStateClosing);
1107 ++ XenbusStateClosing ||
1108 ++ xenbus_read_driver_state(dev->otherend) ==
1109 ++ XenbusStateUnknown);
1110 +
1111 + xenbus_switch_state(dev, XenbusStateClosed);
1112 + wait_event(module_unload_q,
1113 +diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c
1114 +index 0b3e0bfa7be5..572ca192cb1f 100644
1115 +--- a/drivers/pci/hotplug/acpiphp_glue.c
1116 ++++ b/drivers/pci/hotplug/acpiphp_glue.c
1117 +@@ -587,6 +587,7 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot)
1118 + {
1119 + unsigned long long sta = 0;
1120 + struct acpiphp_func *func;
1121 ++ u32 dvid;
1122 +
1123 + list_for_each_entry(func, &slot->funcs, sibling) {
1124 + if (func->flags & FUNC_HAS_STA) {
1125 +@@ -597,19 +598,27 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot)
1126 + if (ACPI_SUCCESS(status) && sta)
1127 + break;
1128 + } else {
1129 +- u32 dvid;
1130 +-
1131 +- pci_bus_read_config_dword(slot->bus,
1132 +- PCI_DEVFN(slot->device,
1133 +- func->function),
1134 +- PCI_VENDOR_ID, &dvid);
1135 +- if (dvid != 0xffffffff) {
1136 ++ if (pci_bus_read_dev_vendor_id(slot->bus,
1137 ++ PCI_DEVFN(slot->device, func->function),
1138 ++ &dvid, 0)) {
1139 + sta = ACPI_STA_ALL;
1140 + break;
1141 + }
1142 + }
1143 + }
1144 +
1145 ++ if (!sta) {
1146 ++ /*
1147 ++ * Check for the slot itself since it may be that the
1148 ++ * ACPI slot is a device below PCIe upstream port so in
1149 ++ * that case it may not even be reachable yet.
1150 ++ */
1151 ++ if (pci_bus_read_dev_vendor_id(slot->bus,
1152 ++ PCI_DEVFN(slot->device, 0), &dvid, 0)) {
1153 ++ sta = ACPI_STA_ALL;
1154 ++ }
1155 ++ }
1156 ++
1157 + return (unsigned int)sta;
1158 + }
1159 +
1160 +diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
1161 +index 4bb5262f7aee..742ca57ece8c 100644
1162 +--- a/drivers/s390/cio/qdio_main.c
1163 ++++ b/drivers/s390/cio/qdio_main.c
1164 +@@ -126,7 +126,7 @@ static inline int qdio_check_ccq(struct qdio_q *q, unsigned int ccq)
1165 + static int qdio_do_eqbs(struct qdio_q *q, unsigned char *state,
1166 + int start, int count, int auto_ack)
1167 + {
1168 +- int rc, tmp_count = count, tmp_start = start, nr = q->nr, retried = 0;
1169 ++ int rc, tmp_count = count, tmp_start = start, nr = q->nr;
1170 + unsigned int ccq = 0;
1171 +
1172 + qperf_inc(q, eqbs);
1173 +@@ -149,14 +149,7 @@ again:
1174 + qperf_inc(q, eqbs_partial);
1175 + DBF_DEV_EVENT(DBF_WARN, q->irq_ptr, "EQBS part:%02x",
1176 + tmp_count);
1177 +- /*
1178 +- * Retry once, if that fails bail out and process the
1179 +- * extracted buffers before trying again.
1180 +- */
1181 +- if (!retried++)
1182 +- goto again;
1183 +- else
1184 +- return count - tmp_count;
1185 ++ return count - tmp_count;
1186 + }
1187 +
1188 + DBF_ERROR("%4x EQBS ERROR", SCH_NO(q));
1189 +@@ -212,7 +205,10 @@ again:
1190 + return 0;
1191 + }
1192 +
1193 +-/* returns number of examined buffers and their common state in *state */
1194 ++/*
1195 ++ * Returns number of examined buffers and their common state in *state.
1196 ++ * Requested number of buffers-to-examine must be > 0.
1197 ++ */
1198 + static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr,
1199 + unsigned char *state, unsigned int count,
1200 + int auto_ack, int merge_pending)
1201 +@@ -223,17 +219,23 @@ static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr,
1202 + if (is_qebsm(q))
1203 + return qdio_do_eqbs(q, state, bufnr, count, auto_ack);
1204 +
1205 +- for (i = 0; i < count; i++) {
1206 +- if (!__state) {
1207 +- __state = q->slsb.val[bufnr];
1208 +- if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
1209 +- __state = SLSB_P_OUTPUT_EMPTY;
1210 +- } else if (merge_pending) {
1211 +- if ((q->slsb.val[bufnr] & __state) != __state)
1212 +- break;
1213 +- } else if (q->slsb.val[bufnr] != __state)
1214 +- break;
1215 ++ /* get initial state: */
1216 ++ __state = q->slsb.val[bufnr];
1217 ++ if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
1218 ++ __state = SLSB_P_OUTPUT_EMPTY;
1219 ++
1220 ++ for (i = 1; i < count; i++) {
1221 + bufnr = next_buf(bufnr);
1222 ++
1223 ++ /* merge PENDING into EMPTY: */
1224 ++ if (merge_pending &&
1225 ++ q->slsb.val[bufnr] == SLSB_P_OUTPUT_PENDING &&
1226 ++ __state == SLSB_P_OUTPUT_EMPTY)
1227 ++ continue;
1228 ++
1229 ++ /* stop if next state differs from initial state: */
1230 ++ if (q->slsb.val[bufnr] != __state)
1231 ++ break;
1232 + }
1233 + *state = __state;
1234 + return i;
1235 +diff --git a/drivers/thermal/imx_thermal.c b/drivers/thermal/imx_thermal.c
1236 +index c5547bd711db..6a8300108148 100644
1237 +--- a/drivers/thermal/imx_thermal.c
1238 ++++ b/drivers/thermal/imx_thermal.c
1239 +@@ -589,6 +589,9 @@ static int imx_thermal_probe(struct platform_device *pdev)
1240 + regmap_write(map, TEMPSENSE0 + REG_CLR, TEMPSENSE0_POWER_DOWN);
1241 + regmap_write(map, TEMPSENSE0 + REG_SET, TEMPSENSE0_MEASURE_TEMP);
1242 +
1243 ++ data->irq_enabled = true;
1244 ++ data->mode = THERMAL_DEVICE_ENABLED;
1245 ++
1246 + ret = devm_request_threaded_irq(&pdev->dev, data->irq,
1247 + imx_thermal_alarm_irq, imx_thermal_alarm_irq_thread,
1248 + 0, "imx_thermal", data);
1249 +@@ -600,9 +603,6 @@ static int imx_thermal_probe(struct platform_device *pdev)
1250 + return ret;
1251 + }
1252 +
1253 +- data->irq_enabled = true;
1254 +- data->mode = THERMAL_DEVICE_ENABLED;
1255 +-
1256 + return 0;
1257 + }
1258 +
1259 +diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c
1260 +index 20a41f7de76f..6713fd1958e7 100644
1261 +--- a/drivers/thunderbolt/nhi.c
1262 ++++ b/drivers/thunderbolt/nhi.c
1263 +@@ -627,6 +627,7 @@ static const struct dev_pm_ops nhi_pm_ops = {
1264 + * we just disable hotplug, the
1265 + * pci-tunnels stay alive.
1266 + */
1267 ++ .thaw_noirq = nhi_resume_noirq,
1268 + .restore_noirq = nhi_resume_noirq,
1269 + };
1270 +
1271 +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
1272 +index 41dda25da049..190e5dc15738 100644
1273 +--- a/drivers/tty/n_tty.c
1274 ++++ b/drivers/tty/n_tty.c
1275 +@@ -2238,6 +2238,12 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
1276 + }
1277 + if (tty_hung_up_p(file))
1278 + break;
1279 ++ /*
1280 ++ * Abort readers for ttys which never actually
1281 ++ * get hung up. See __tty_hangup().
1282 ++ */
1283 ++ if (test_bit(TTY_HUPPING, &tty->flags))
1284 ++ break;
1285 + if (!timeout)
1286 + break;
1287 + if (file->f_flags & O_NONBLOCK) {
1288 +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
1289 +index a638c1738547..89fd20382ce4 100644
1290 +--- a/drivers/tty/tty_io.c
1291 ++++ b/drivers/tty/tty_io.c
1292 +@@ -702,6 +702,14 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session)
1293 + return;
1294 + }
1295 +
1296 ++ /*
1297 ++ * Some console devices aren't actually hung up for technical and
1298 ++ * historical reasons, which can lead to indefinite interruptible
1299 ++ * sleep in n_tty_read(). The following explicitly tells
1300 ++ * n_tty_read() to abort readers.
1301 ++ */
1302 ++ set_bit(TTY_HUPPING, &tty->flags);
1303 ++
1304 + /* inuse_filps is protected by the single tty lock,
1305 + this really needs to change if we want to flush the
1306 + workqueue with the lock held */
1307 +@@ -757,6 +765,7 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session)
1308 + * can't yet guarantee all that.
1309 + */
1310 + set_bit(TTY_HUPPED, &tty->flags);
1311 ++ clear_bit(TTY_HUPPING, &tty->flags);
1312 + tty_unlock(tty);
1313 +
1314 + if (f)
1315 +diff --git a/drivers/usb/core/generic.c b/drivers/usb/core/generic.c
1316 +index 358ca8dd784f..a5240b4d7ab9 100644
1317 +--- a/drivers/usb/core/generic.c
1318 ++++ b/drivers/usb/core/generic.c
1319 +@@ -208,8 +208,13 @@ static int generic_suspend(struct usb_device *udev, pm_message_t msg)
1320 + if (!udev->parent)
1321 + rc = hcd_bus_suspend(udev, msg);
1322 +
1323 +- /* Non-root devices don't need to do anything for FREEZE or PRETHAW */
1324 +- else if (msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
1325 ++ /*
1326 ++ * Non-root USB2 devices don't need to do anything for FREEZE
1327 ++ * or PRETHAW. USB3 devices don't support global suspend and
1328 ++ * needs to be selectively suspended.
1329 ++ */
1330 ++ else if ((msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
1331 ++ && (udev->speed < USB_SPEED_SUPER))
1332 + rc = 0;
1333 + else
1334 + rc = usb_port_suspend(udev, msg);
1335 +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
1336 +index d2c0c1a8d979..68230adf2449 100644
1337 +--- a/drivers/usb/dwc3/dwc3-pci.c
1338 ++++ b/drivers/usb/dwc3/dwc3-pci.c
1339 +@@ -167,7 +167,7 @@ static int dwc3_pci_probe(struct pci_dev *pci,
1340 + ret = platform_device_add_resources(dwc3, res, ARRAY_SIZE(res));
1341 + if (ret) {
1342 + dev_err(dev, "couldn't add resources to dwc3 device\n");
1343 +- return ret;
1344 ++ goto err;
1345 + }
1346 +
1347 + pci_set_drvdata(pci, dwc3);
1348 +diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
1349 +index 10d30afe4a3c..a0d1417362cd 100644
1350 +--- a/drivers/usb/musb/musb_gadget_ep0.c
1351 ++++ b/drivers/usb/musb/musb_gadget_ep0.c
1352 +@@ -114,15 +114,19 @@ static int service_tx_status_request(
1353 + }
1354 +
1355 + is_in = epnum & USB_DIR_IN;
1356 +- if (is_in) {
1357 +- epnum &= 0x0f;
1358 ++ epnum &= 0x0f;
1359 ++ if (epnum >= MUSB_C_NUM_EPS) {
1360 ++ handled = -EINVAL;
1361 ++ break;
1362 ++ }
1363 ++
1364 ++ if (is_in)
1365 + ep = &musb->endpoints[epnum].ep_in;
1366 +- } else {
1367 ++ else
1368 + ep = &musb->endpoints[epnum].ep_out;
1369 +- }
1370 + regs = musb->endpoints[epnum].regs;
1371 +
1372 +- if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
1373 ++ if (!ep->desc) {
1374 + handled = -EINVAL;
1375 + break;
1376 + }
1377 +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
1378 +index fe2b470d7ec6..c55c632a3b24 100644
1379 +--- a/drivers/vfio/pci/vfio_pci_config.c
1380 ++++ b/drivers/vfio/pci/vfio_pci_config.c
1381 +@@ -752,6 +752,62 @@ static int __init init_pci_cap_pcix_perm(struct perm_bits *perm)
1382 + return 0;
1383 + }
1384 +
1385 ++static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos,
1386 ++ int count, struct perm_bits *perm,
1387 ++ int offset, __le32 val)
1388 ++{
1389 ++ __le16 *ctrl = (__le16 *)(vdev->vconfig + pos -
1390 ++ offset + PCI_EXP_DEVCTL);
1391 ++ int readrq = le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ;
1392 ++
1393 ++ count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
1394 ++ if (count < 0)
1395 ++ return count;
1396 ++
1397 ++ /*
1398 ++ * The FLR bit is virtualized, if set and the device supports PCIe
1399 ++ * FLR, issue a reset_function. Regardless, clear the bit, the spec
1400 ++ * requires it to be always read as zero. NB, reset_function might
1401 ++ * not use a PCIe FLR, we don't have that level of granularity.
1402 ++ */
1403 ++ if (*ctrl & cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR)) {
1404 ++ u32 cap;
1405 ++ int ret;
1406 ++
1407 ++ *ctrl &= ~cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR);
1408 ++
1409 ++ ret = pci_user_read_config_dword(vdev->pdev,
1410 ++ pos - offset + PCI_EXP_DEVCAP,
1411 ++ &cap);
1412 ++
1413 ++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR))
1414 ++ pci_try_reset_function(vdev->pdev);
1415 ++ }
1416 ++
1417 ++ /*
1418 ++ * MPS is virtualized to the user, writes do not change the physical
1419 ++ * register since determining a proper MPS value requires a system wide
1420 ++ * device view. The MRRS is largely independent of MPS, but since the
1421 ++ * user does not have that system-wide view, they might set a safe, but
1422 ++ * inefficiently low value. Here we allow writes through to hardware,
1423 ++ * but we set the floor to the physical device MPS setting, so that
1424 ++ * we can at least use full TLPs, as defined by the MPS value.
1425 ++ *
1426 ++ * NB, if any devices actually depend on an artificially low MRRS
1427 ++ * setting, this will need to be revisited, perhaps with a quirk
1428 ++ * though pcie_set_readrq().
1429 ++ */
1430 ++ if (readrq != (le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ)) {
1431 ++ readrq = 128 <<
1432 ++ ((le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ) >> 12);
1433 ++ readrq = max(readrq, pcie_get_mps(vdev->pdev));
1434 ++
1435 ++ pcie_set_readrq(vdev->pdev, readrq);
1436 ++ }
1437 ++
1438 ++ return count;
1439 ++}
1440 ++
1441 + /* Permissions for PCI Express capability */
1442 + static int __init init_pci_cap_exp_perm(struct perm_bits *perm)
1443 + {
1444 +@@ -759,26 +815,67 @@ static int __init init_pci_cap_exp_perm(struct perm_bits *perm)
1445 + if (alloc_perm_bits(perm, PCI_CAP_EXP_ENDPOINT_SIZEOF_V2))
1446 + return -ENOMEM;
1447 +
1448 ++ perm->writefn = vfio_exp_config_write;
1449 ++
1450 + p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE);
1451 +
1452 + /*
1453 +- * Allow writes to device control fields (includes FLR!)
1454 +- * but not to devctl_phantom which could confuse IOMMU
1455 +- * or to the ARI bit in devctl2 which is set at probe time
1456 ++ * Allow writes to device control fields, except devctl_phantom,
1457 ++ * which could confuse IOMMU, MPS, which can break communication
1458 ++ * with other physical devices, and the ARI bit in devctl2, which
1459 ++ * is set at probe time. FLR and MRRS get virtualized via our
1460 ++ * writefn.
1461 + */
1462 +- p_setw(perm, PCI_EXP_DEVCTL, NO_VIRT, ~PCI_EXP_DEVCTL_PHANTOM);
1463 ++ p_setw(perm, PCI_EXP_DEVCTL,
1464 ++ PCI_EXP_DEVCTL_BCR_FLR | PCI_EXP_DEVCTL_PAYLOAD |
1465 ++ PCI_EXP_DEVCTL_READRQ, ~PCI_EXP_DEVCTL_PHANTOM);
1466 + p_setw(perm, PCI_EXP_DEVCTL2, NO_VIRT, ~PCI_EXP_DEVCTL2_ARI);
1467 + return 0;
1468 + }
1469 +
1470 ++static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos,
1471 ++ int count, struct perm_bits *perm,
1472 ++ int offset, __le32 val)
1473 ++{
1474 ++ u8 *ctrl = vdev->vconfig + pos - offset + PCI_AF_CTRL;
1475 ++
1476 ++ count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
1477 ++ if (count < 0)
1478 ++ return count;
1479 ++
1480 ++ /*
1481 ++ * The FLR bit is virtualized, if set and the device supports AF
1482 ++ * FLR, issue a reset_function. Regardless, clear the bit, the spec
1483 ++ * requires it to be always read as zero. NB, reset_function might
1484 ++ * not use an AF FLR, we don't have that level of granularity.
1485 ++ */
1486 ++ if (*ctrl & PCI_AF_CTRL_FLR) {
1487 ++ u8 cap;
1488 ++ int ret;
1489 ++
1490 ++ *ctrl &= ~PCI_AF_CTRL_FLR;
1491 ++
1492 ++ ret = pci_user_read_config_byte(vdev->pdev,
1493 ++ pos - offset + PCI_AF_CAP,
1494 ++ &cap);
1495 ++
1496 ++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP))
1497 ++ pci_try_reset_function(vdev->pdev);
1498 ++ }
1499 ++
1500 ++ return count;
1501 ++}
1502 ++
1503 + /* Permissions for Advanced Function capability */
1504 + static int __init init_pci_cap_af_perm(struct perm_bits *perm)
1505 + {
1506 + if (alloc_perm_bits(perm, pci_cap_length[PCI_CAP_ID_AF]))
1507 + return -ENOMEM;
1508 +
1509 ++ perm->writefn = vfio_af_config_write;
1510 ++
1511 + p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE);
1512 +- p_setb(perm, PCI_AF_CTRL, NO_VIRT, PCI_AF_CTRL_FLR);
1513 ++ p_setb(perm, PCI_AF_CTRL, PCI_AF_CTRL_FLR, PCI_AF_CTRL_FLR);
1514 + return 0;
1515 + }
1516 +
1517 +diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c
1518 +index 016bd9355190..aa93df5833dc 100644
1519 +--- a/drivers/watchdog/f71808e_wdt.c
1520 ++++ b/drivers/watchdog/f71808e_wdt.c
1521 +@@ -450,7 +450,7 @@ static bool watchdog_is_running(void)
1522 +
1523 + is_running = (superio_inb(watchdog.sioaddr, SIO_REG_ENABLE) & BIT(0))
1524 + && (superio_inb(watchdog.sioaddr, F71808FG_REG_WDT_CONF)
1525 +- & F71808FG_FLAG_WD_EN);
1526 ++ & BIT(F71808FG_FLAG_WD_EN));
1527 +
1528 + superio_exit(watchdog.sioaddr);
1529 +
1530 +diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c
1531 +index 7a54c6a867c8..500098cdb960 100644
1532 +--- a/fs/autofs4/root.c
1533 ++++ b/fs/autofs4/root.c
1534 +@@ -746,7 +746,7 @@ static int autofs4_dir_mkdir(struct inode *dir, struct dentry *dentry, umode_t m
1535 +
1536 + autofs4_del_active(dentry);
1537 +
1538 +- inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555);
1539 ++ inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode);
1540 + if (!inode)
1541 + return -ENOMEM;
1542 + d_add(dentry, inode);
1543 +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
1544 +index f97110461c19..78c51ce913db 100644
1545 +--- a/fs/ext4/balloc.c
1546 ++++ b/fs/ext4/balloc.c
1547 +@@ -242,8 +242,6 @@ static int ext4_init_block_bitmap(struct super_block *sb,
1548 + */
1549 + ext4_mark_bitmap_end(num_clusters_in_group(sb, block_group),
1550 + sb->s_blocksize * 8, bh->b_data);
1551 +- ext4_block_bitmap_csum_set(sb, block_group, gdp, bh);
1552 +- ext4_group_desc_csum_set(sb, block_group, gdp);
1553 + return 0;
1554 + }
1555 +
1556 +@@ -447,6 +445,7 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
1557 + err = ext4_init_block_bitmap(sb, bh, block_group, desc);
1558 + set_bitmap_uptodate(bh);
1559 + set_buffer_uptodate(bh);
1560 ++ set_buffer_verified(bh);
1561 + ext4_unlock_group(sb, block_group);
1562 + unlock_buffer(bh);
1563 + if (err) {
1564 +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
1565 +index 5388207d2832..e10c12f59c58 100644
1566 +--- a/fs/ext4/ialloc.c
1567 ++++ b/fs/ext4/ialloc.c
1568 +@@ -63,44 +63,6 @@ void ext4_mark_bitmap_end(int start_bit, int end_bit, char *bitmap)
1569 + memset(bitmap + (i >> 3), 0xff, (end_bit - i) >> 3);
1570 + }
1571 +
1572 +-/* Initializes an uninitialized inode bitmap */
1573 +-static int ext4_init_inode_bitmap(struct super_block *sb,
1574 +- struct buffer_head *bh,
1575 +- ext4_group_t block_group,
1576 +- struct ext4_group_desc *gdp)
1577 +-{
1578 +- struct ext4_group_info *grp;
1579 +- struct ext4_sb_info *sbi = EXT4_SB(sb);
1580 +- J_ASSERT_BH(bh, buffer_locked(bh));
1581 +-
1582 +- /* If checksum is bad mark all blocks and inodes use to prevent
1583 +- * allocation, essentially implementing a per-group read-only flag. */
1584 +- if (!ext4_group_desc_csum_verify(sb, block_group, gdp)) {
1585 +- grp = ext4_get_group_info(sb, block_group);
1586 +- if (!EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
1587 +- percpu_counter_sub(&sbi->s_freeclusters_counter,
1588 +- grp->bb_free);
1589 +- set_bit(EXT4_GROUP_INFO_BBITMAP_CORRUPT_BIT, &grp->bb_state);
1590 +- if (!EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) {
1591 +- int count;
1592 +- count = ext4_free_inodes_count(sb, gdp);
1593 +- percpu_counter_sub(&sbi->s_freeinodes_counter,
1594 +- count);
1595 +- }
1596 +- set_bit(EXT4_GROUP_INFO_IBITMAP_CORRUPT_BIT, &grp->bb_state);
1597 +- return -EFSBADCRC;
1598 +- }
1599 +-
1600 +- memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
1601 +- ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), sb->s_blocksize * 8,
1602 +- bh->b_data);
1603 +- ext4_inode_bitmap_csum_set(sb, block_group, gdp, bh,
1604 +- EXT4_INODES_PER_GROUP(sb) / 8);
1605 +- ext4_group_desc_csum_set(sb, block_group, gdp);
1606 +-
1607 +- return 0;
1608 +-}
1609 +-
1610 + void ext4_end_bitmap_read(struct buffer_head *bh, int uptodate)
1611 + {
1612 + if (uptodate) {
1613 +@@ -184,17 +146,14 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
1614 +
1615 + ext4_lock_group(sb, block_group);
1616 + if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) {
1617 +- err = ext4_init_inode_bitmap(sb, bh, block_group, desc);
1618 ++ memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
1619 ++ ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
1620 ++ sb->s_blocksize * 8, bh->b_data);
1621 + set_bitmap_uptodate(bh);
1622 + set_buffer_uptodate(bh);
1623 + set_buffer_verified(bh);
1624 + ext4_unlock_group(sb, block_group);
1625 + unlock_buffer(bh);
1626 +- if (err) {
1627 +- ext4_error(sb, "Failed to init inode bitmap for group "
1628 +- "%u: %d", block_group, err);
1629 +- goto out;
1630 +- }
1631 + return bh;
1632 + }
1633 + ext4_unlock_group(sb, block_group);
1634 +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
1635 +index dad8e7bdf0a6..3006b81c107f 100644
1636 +--- a/fs/ext4/inline.c
1637 ++++ b/fs/ext4/inline.c
1638 +@@ -376,7 +376,7 @@ out:
1639 + static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
1640 + unsigned int len)
1641 + {
1642 +- int ret, size;
1643 ++ int ret, size, no_expand;
1644 + struct ext4_inode_info *ei = EXT4_I(inode);
1645 +
1646 + if (!ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
1647 +@@ -386,15 +386,14 @@ static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
1648 + if (size < len)
1649 + return -ENOSPC;
1650 +
1651 +- down_write(&EXT4_I(inode)->xattr_sem);
1652 ++ ext4_write_lock_xattr(inode, &no_expand);
1653 +
1654 + if (ei->i_inline_off)
1655 + ret = ext4_update_inline_data(handle, inode, len);
1656 + else
1657 + ret = ext4_create_inline_data(handle, inode, len);
1658 +
1659 +- up_write(&EXT4_I(inode)->xattr_sem);
1660 +-
1661 ++ ext4_write_unlock_xattr(inode, &no_expand);
1662 + return ret;
1663 + }
1664 +
1665 +@@ -523,7 +522,7 @@ static int ext4_convert_inline_data_to_extent(struct address_space *mapping,
1666 + struct inode *inode,
1667 + unsigned flags)
1668 + {
1669 +- int ret, needed_blocks;
1670 ++ int ret, needed_blocks, no_expand;
1671 + handle_t *handle = NULL;
1672 + int retries = 0, sem_held = 0;
1673 + struct page *page = NULL;
1674 +@@ -563,7 +562,7 @@ retry:
1675 + goto out;
1676 + }
1677 +
1678 +- down_write(&EXT4_I(inode)->xattr_sem);
1679 ++ ext4_write_lock_xattr(inode, &no_expand);
1680 + sem_held = 1;
1681 + /* If some one has already done this for us, just exit. */
1682 + if (!ext4_has_inline_data(inode)) {
1683 +@@ -599,7 +598,7 @@ retry:
1684 + page_cache_release(page);
1685 + page = NULL;
1686 + ext4_orphan_add(handle, inode);
1687 +- up_write(&EXT4_I(inode)->xattr_sem);
1688 ++ ext4_write_unlock_xattr(inode, &no_expand);
1689 + sem_held = 0;
1690 + ext4_journal_stop(handle);
1691 + handle = NULL;
1692 +@@ -625,7 +624,7 @@ out:
1693 + page_cache_release(page);
1694 + }
1695 + if (sem_held)
1696 +- up_write(&EXT4_I(inode)->xattr_sem);
1697 ++ ext4_write_unlock_xattr(inode, &no_expand);
1698 + if (handle)
1699 + ext4_journal_stop(handle);
1700 + brelse(iloc.bh);
1701 +@@ -718,7 +717,7 @@ convert:
1702 + int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
1703 + unsigned copied, struct page *page)
1704 + {
1705 +- int ret;
1706 ++ int ret, no_expand;
1707 + void *kaddr;
1708 + struct ext4_iloc iloc;
1709 +
1710 +@@ -736,7 +735,7 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
1711 + goto out;
1712 + }
1713 +
1714 +- down_write(&EXT4_I(inode)->xattr_sem);
1715 ++ ext4_write_lock_xattr(inode, &no_expand);
1716 + BUG_ON(!ext4_has_inline_data(inode));
1717 +
1718 + kaddr = kmap_atomic(page);
1719 +@@ -746,7 +745,7 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
1720 + /* clear page dirty so that writepages wouldn't work for us. */
1721 + ClearPageDirty(page);
1722 +
1723 +- up_write(&EXT4_I(inode)->xattr_sem);
1724 ++ ext4_write_unlock_xattr(inode, &no_expand);
1725 + brelse(iloc.bh);
1726 + out:
1727 + return copied;
1728 +@@ -757,7 +756,7 @@ ext4_journalled_write_inline_data(struct inode *inode,
1729 + unsigned len,
1730 + struct page *page)
1731 + {
1732 +- int ret;
1733 ++ int ret, no_expand;
1734 + void *kaddr;
1735 + struct ext4_iloc iloc;
1736 +
1737 +@@ -767,11 +766,11 @@ ext4_journalled_write_inline_data(struct inode *inode,
1738 + return NULL;
1739 + }
1740 +
1741 +- down_write(&EXT4_I(inode)->xattr_sem);
1742 ++ ext4_write_lock_xattr(inode, &no_expand);
1743 + kaddr = kmap_atomic(page);
1744 + ext4_write_inline_data(inode, &iloc, kaddr, 0, len);
1745 + kunmap_atomic(kaddr);
1746 +- up_write(&EXT4_I(inode)->xattr_sem);
1747 ++ ext4_write_unlock_xattr(inode, &no_expand);
1748 +
1749 + return iloc.bh;
1750 + }
1751 +@@ -1255,7 +1254,7 @@ out:
1752 + int ext4_try_add_inline_entry(handle_t *handle, struct ext4_filename *fname,
1753 + struct dentry *dentry, struct inode *inode)
1754 + {
1755 +- int ret, inline_size;
1756 ++ int ret, inline_size, no_expand;
1757 + void *inline_start;
1758 + struct ext4_iloc iloc;
1759 + struct inode *dir = d_inode(dentry->d_parent);
1760 +@@ -1264,7 +1263,7 @@ int ext4_try_add_inline_entry(handle_t *handle, struct ext4_filename *fname,
1761 + if (ret)
1762 + return ret;
1763 +
1764 +- down_write(&EXT4_I(dir)->xattr_sem);
1765 ++ ext4_write_lock_xattr(dir, &no_expand);
1766 + if (!ext4_has_inline_data(dir))
1767 + goto out;
1768 +
1769 +@@ -1310,7 +1309,7 @@ int ext4_try_add_inline_entry(handle_t *handle, struct ext4_filename *fname,
1770 +
1771 + out:
1772 + ext4_mark_inode_dirty(handle, dir);
1773 +- up_write(&EXT4_I(dir)->xattr_sem);
1774 ++ ext4_write_unlock_xattr(dir, &no_expand);
1775 + brelse(iloc.bh);
1776 + return ret;
1777 + }
1778 +@@ -1670,7 +1669,7 @@ int ext4_delete_inline_entry(handle_t *handle,
1779 + struct buffer_head *bh,
1780 + int *has_inline_data)
1781 + {
1782 +- int err, inline_size;
1783 ++ int err, inline_size, no_expand;
1784 + struct ext4_iloc iloc;
1785 + void *inline_start;
1786 +
1787 +@@ -1678,7 +1677,7 @@ int ext4_delete_inline_entry(handle_t *handle,
1788 + if (err)
1789 + return err;
1790 +
1791 +- down_write(&EXT4_I(dir)->xattr_sem);
1792 ++ ext4_write_lock_xattr(dir, &no_expand);
1793 + if (!ext4_has_inline_data(dir)) {
1794 + *has_inline_data = 0;
1795 + goto out;
1796 +@@ -1713,7 +1712,7 @@ int ext4_delete_inline_entry(handle_t *handle,
1797 +
1798 + ext4_show_inline_dir(dir, iloc.bh, inline_start, inline_size);
1799 + out:
1800 +- up_write(&EXT4_I(dir)->xattr_sem);
1801 ++ ext4_write_unlock_xattr(dir, &no_expand);
1802 + brelse(iloc.bh);
1803 + if (err != -ENOENT)
1804 + ext4_std_error(dir->i_sb, err);
1805 +@@ -1812,11 +1811,11 @@ out:
1806 +
1807 + int ext4_destroy_inline_data(handle_t *handle, struct inode *inode)
1808 + {
1809 +- int ret;
1810 ++ int ret, no_expand;
1811 +
1812 +- down_write(&EXT4_I(inode)->xattr_sem);
1813 ++ ext4_write_lock_xattr(inode, &no_expand);
1814 + ret = ext4_destroy_inline_data_nolock(handle, inode);
1815 +- up_write(&EXT4_I(inode)->xattr_sem);
1816 ++ ext4_write_unlock_xattr(inode, &no_expand);
1817 +
1818 + return ret;
1819 + }
1820 +@@ -1901,7 +1900,7 @@ out:
1821 + void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
1822 + {
1823 + handle_t *handle;
1824 +- int inline_size, value_len, needed_blocks;
1825 ++ int inline_size, value_len, needed_blocks, no_expand;
1826 + size_t i_size;
1827 + void *value = NULL;
1828 + struct ext4_xattr_ibody_find is = {
1829 +@@ -1918,7 +1917,7 @@ void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
1830 + if (IS_ERR(handle))
1831 + return;
1832 +
1833 +- down_write(&EXT4_I(inode)->xattr_sem);
1834 ++ ext4_write_lock_xattr(inode, &no_expand);
1835 + if (!ext4_has_inline_data(inode)) {
1836 + *has_inline = 0;
1837 + ext4_journal_stop(handle);
1838 +@@ -1976,7 +1975,7 @@ out_error:
1839 + up_write(&EXT4_I(inode)->i_data_sem);
1840 + out:
1841 + brelse(is.iloc.bh);
1842 +- up_write(&EXT4_I(inode)->xattr_sem);
1843 ++ ext4_write_unlock_xattr(inode, &no_expand);
1844 + kfree(value);
1845 + if (inode->i_nlink)
1846 + ext4_orphan_del(handle, inode);
1847 +@@ -1992,7 +1991,7 @@ out:
1848 +
1849 + int ext4_convert_inline_data(struct inode *inode)
1850 + {
1851 +- int error, needed_blocks;
1852 ++ int error, needed_blocks, no_expand;
1853 + handle_t *handle;
1854 + struct ext4_iloc iloc;
1855 +
1856 +@@ -2014,15 +2013,10 @@ int ext4_convert_inline_data(struct inode *inode)
1857 + goto out_free;
1858 + }
1859 +
1860 +- down_write(&EXT4_I(inode)->xattr_sem);
1861 +- if (!ext4_has_inline_data(inode)) {
1862 +- up_write(&EXT4_I(inode)->xattr_sem);
1863 +- goto out;
1864 +- }
1865 +-
1866 +- error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
1867 +- up_write(&EXT4_I(inode)->xattr_sem);
1868 +-out:
1869 ++ ext4_write_lock_xattr(inode, &no_expand);
1870 ++ if (ext4_has_inline_data(inode))
1871 ++ error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
1872 ++ ext4_write_unlock_xattr(inode, &no_expand);
1873 + ext4_journal_stop(handle);
1874 + out_free:
1875 + brelse(iloc.bh);
1876 +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
1877 +index f0cabc8c96cb..56ce7fd0f0d0 100644
1878 +--- a/fs/ext4/inode.c
1879 ++++ b/fs/ext4/inode.c
1880 +@@ -1515,6 +1515,8 @@ static void mpage_release_unused_pages(struct mpage_da_data *mpd,
1881 + BUG_ON(!PageLocked(page));
1882 + BUG_ON(PageWriteback(page));
1883 + if (invalidate) {
1884 ++ if (page_mapped(page))
1885 ++ clear_page_dirty_for_io(page);
1886 + block_invalidatepage(page, 0, PAGE_CACHE_SIZE);
1887 + ClearPageUptodate(page);
1888 + }
1889 +@@ -3256,29 +3258,29 @@ static ssize_t ext4_ext_direct_IO(struct kiocb *iocb, struct iov_iter *iter,
1890 + * case, we allocate an io_end structure to hook to the iocb.
1891 + */
1892 + iocb->private = NULL;
1893 +- ext4_inode_aio_set(inode, NULL);
1894 +- if (!is_sync_kiocb(iocb)) {
1895 +- io_end = ext4_init_io_end(inode, GFP_NOFS);
1896 +- if (!io_end) {
1897 +- ret = -ENOMEM;
1898 +- goto retake_lock;
1899 +- }
1900 +- /*
1901 +- * Grab reference for DIO. Will be dropped in ext4_end_io_dio()
1902 +- */
1903 +- iocb->private = ext4_get_io_end(io_end);
1904 +- /*
1905 +- * we save the io structure for current async direct
1906 +- * IO, so that later ext4_map_blocks() could flag the
1907 +- * io structure whether there is a unwritten extents
1908 +- * needs to be converted when IO is completed.
1909 +- */
1910 +- ext4_inode_aio_set(inode, io_end);
1911 +- }
1912 +-
1913 + if (overwrite) {
1914 + get_block_func = ext4_get_block_write_nolock;
1915 + } else {
1916 ++ ext4_inode_aio_set(inode, NULL);
1917 ++ if (!is_sync_kiocb(iocb)) {
1918 ++ io_end = ext4_init_io_end(inode, GFP_NOFS);
1919 ++ if (!io_end) {
1920 ++ ret = -ENOMEM;
1921 ++ goto retake_lock;
1922 ++ }
1923 ++ /*
1924 ++ * Grab reference for DIO. Will be dropped in
1925 ++ * ext4_end_io_dio()
1926 ++ */
1927 ++ iocb->private = ext4_get_io_end(io_end);
1928 ++ /*
1929 ++ * we save the io structure for current async direct
1930 ++ * IO, so that later ext4_map_blocks() could flag the
1931 ++ * io structure whether there is a unwritten extents
1932 ++ * needs to be converted when IO is completed.
1933 ++ */
1934 ++ ext4_inode_aio_set(inode, io_end);
1935 ++ }
1936 + get_block_func = ext4_get_block_write;
1937 + dio_flags = DIO_LOCKING;
1938 + }
1939 +@@ -4231,6 +4233,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
1940 + goto bad_inode;
1941 + raw_inode = ext4_raw_inode(&iloc);
1942 +
1943 ++ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
1944 ++ EXT4_ERROR_INODE(inode, "root inode unallocated");
1945 ++ ret = -EFSCORRUPTED;
1946 ++ goto bad_inode;
1947 ++ }
1948 ++
1949 + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
1950 + ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
1951 + if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
1952 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
1953 +index 742455292dfe..0e0438b5ddbe 100644
1954 +--- a/fs/ext4/super.c
1955 ++++ b/fs/ext4/super.c
1956 +@@ -2131,6 +2131,8 @@ static int ext4_check_descriptors(struct super_block *sb,
1957 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1958 + "Block bitmap for group %u overlaps "
1959 + "superblock", i);
1960 ++ if (!(sb->s_flags & MS_RDONLY))
1961 ++ return 0;
1962 + }
1963 + if (block_bitmap < first_block || block_bitmap > last_block) {
1964 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1965 +@@ -2143,6 +2145,8 @@ static int ext4_check_descriptors(struct super_block *sb,
1966 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1967 + "Inode bitmap for group %u overlaps "
1968 + "superblock", i);
1969 ++ if (!(sb->s_flags & MS_RDONLY))
1970 ++ return 0;
1971 + }
1972 + if (inode_bitmap < first_block || inode_bitmap > last_block) {
1973 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1974 +@@ -2155,6 +2159,8 @@ static int ext4_check_descriptors(struct super_block *sb,
1975 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1976 + "Inode table for group %u overlaps "
1977 + "superblock", i);
1978 ++ if (!(sb->s_flags & MS_RDONLY))
1979 ++ return 0;
1980 + }
1981 + if (inode_table < first_block ||
1982 + inode_table + sbi->s_itb_per_group - 1 > last_block) {
1983 +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
1984 +index 8d661b3c47b6..c7cad05aed27 100644
1985 +--- a/fs/ext4/xattr.c
1986 ++++ b/fs/ext4/xattr.c
1987 +@@ -1117,16 +1117,14 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
1988 + struct ext4_xattr_block_find bs = {
1989 + .s = { .not_found = -ENODATA, },
1990 + };
1991 +- unsigned long no_expand;
1992 ++ int no_expand;
1993 + int error;
1994 +
1995 + if (!name)
1996 + return -EINVAL;
1997 + if (strlen(name) > 255)
1998 + return -ERANGE;
1999 +- down_write(&EXT4_I(inode)->xattr_sem);
2000 +- no_expand = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
2001 +- ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
2002 ++ ext4_write_lock_xattr(inode, &no_expand);
2003 +
2004 + error = ext4_reserve_inode_write(handle, inode, &is.iloc);
2005 + if (error)
2006 +@@ -1187,7 +1185,7 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
2007 + ext4_xattr_update_super_block(handle, inode->i_sb);
2008 + inode->i_ctime = ext4_current_time(inode);
2009 + if (!value)
2010 +- ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
2011 ++ no_expand = 0;
2012 + error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
2013 + /*
2014 + * The bh is consumed by ext4_mark_iloc_dirty, even with
2015 +@@ -1201,9 +1199,7 @@ ext4_xattr_set_handle(handle_t *handle, struct inode *inode, int name_index,
2016 + cleanup:
2017 + brelse(is.iloc.bh);
2018 + brelse(bs.bh);
2019 +- if (no_expand == 0)
2020 +- ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
2021 +- up_write(&EXT4_I(inode)->xattr_sem);
2022 ++ ext4_write_unlock_xattr(inode, &no_expand);
2023 + return error;
2024 + }
2025 +
2026 +@@ -1287,12 +1283,11 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize,
2027 + int error = 0, tried_min_extra_isize = 0;
2028 + int s_min_extra_isize = le16_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_min_extra_isize);
2029 + int isize_diff; /* How much do we need to grow i_extra_isize */
2030 ++ int no_expand;
2031 ++
2032 ++ if (ext4_write_trylock_xattr(inode, &no_expand) == 0)
2033 ++ return 0;
2034 +
2035 +- down_write(&EXT4_I(inode)->xattr_sem);
2036 +- /*
2037 +- * Set EXT4_STATE_NO_EXPAND to avoid recursion when marking inode dirty
2038 +- */
2039 +- ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
2040 + retry:
2041 + isize_diff = new_extra_isize - EXT4_I(inode)->i_extra_isize;
2042 + if (EXT4_I(inode)->i_extra_isize >= new_extra_isize)
2043 +@@ -1486,8 +1481,7 @@ retry:
2044 + }
2045 + brelse(bh);
2046 + out:
2047 +- ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
2048 +- up_write(&EXT4_I(inode)->xattr_sem);
2049 ++ ext4_write_unlock_xattr(inode, &no_expand);
2050 + return 0;
2051 +
2052 + cleanup:
2053 +@@ -1499,10 +1493,10 @@ cleanup:
2054 + kfree(bs);
2055 + brelse(bh);
2056 + /*
2057 +- * We deliberately leave EXT4_STATE_NO_EXPAND set here since inode
2058 +- * size expansion failed.
2059 ++ * Inode size expansion failed; don't try again
2060 + */
2061 +- up_write(&EXT4_I(inode)->xattr_sem);
2062 ++ no_expand = 1;
2063 ++ ext4_write_unlock_xattr(inode, &no_expand);
2064 + return error;
2065 + }
2066 +
2067 +diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h
2068 +index ddc0957760ba..c000ed398555 100644
2069 +--- a/fs/ext4/xattr.h
2070 ++++ b/fs/ext4/xattr.h
2071 +@@ -101,6 +101,38 @@ extern const struct xattr_handler ext4_xattr_security_handler;
2072 +
2073 + #define EXT4_XATTR_NAME_ENCRYPTION_CONTEXT "c"
2074 +
2075 ++/*
2076 ++ * The EXT4_STATE_NO_EXPAND is overloaded and used for two purposes.
2077 ++ * The first is to signal that there the inline xattrs and data are
2078 ++ * taking up so much space that we might as well not keep trying to
2079 ++ * expand it. The second is that xattr_sem is taken for writing, so
2080 ++ * we shouldn't try to recurse into the inode expansion. For this
2081 ++ * second case, we need to make sure that we take save and restore the
2082 ++ * NO_EXPAND state flag appropriately.
2083 ++ */
2084 ++static inline void ext4_write_lock_xattr(struct inode *inode, int *save)
2085 ++{
2086 ++ down_write(&EXT4_I(inode)->xattr_sem);
2087 ++ *save = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
2088 ++ ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
2089 ++}
2090 ++
2091 ++static inline int ext4_write_trylock_xattr(struct inode *inode, int *save)
2092 ++{
2093 ++ if (down_write_trylock(&EXT4_I(inode)->xattr_sem) == 0)
2094 ++ return 0;
2095 ++ *save = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
2096 ++ ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
2097 ++ return 1;
2098 ++}
2099 ++
2100 ++static inline void ext4_write_unlock_xattr(struct inode *inode, int *save)
2101 ++{
2102 ++ if (*save == 0)
2103 ++ ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
2104 ++ up_write(&EXT4_I(inode)->xattr_sem);
2105 ++}
2106 ++
2107 + extern ssize_t ext4_listxattr(struct dentry *, char *, size_t);
2108 +
2109 + extern int ext4_xattr_get(struct inode *, int, const char *, void *, size_t);
2110 +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
2111 +index 22b30249fbcb..0fe667875852 100644
2112 +--- a/fs/fs-writeback.c
2113 ++++ b/fs/fs-writeback.c
2114 +@@ -747,11 +747,12 @@ int inode_congested(struct inode *inode, int cong_bits)
2115 + */
2116 + if (inode && inode_to_wb_is_valid(inode)) {
2117 + struct bdi_writeback *wb;
2118 +- bool locked, congested;
2119 ++ struct wb_lock_cookie lock_cookie = {};
2120 ++ bool congested;
2121 +
2122 +- wb = unlocked_inode_to_wb_begin(inode, &locked);
2123 ++ wb = unlocked_inode_to_wb_begin(inode, &lock_cookie);
2124 + congested = wb_congested(wb, cong_bits);
2125 +- unlocked_inode_to_wb_end(inode, locked);
2126 ++ unlocked_inode_to_wb_end(inode, &lock_cookie);
2127 + return congested;
2128 + }
2129 +
2130 +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
2131 +index 624a57a9c4aa..4759df4eb8ce 100644
2132 +--- a/fs/jbd2/journal.c
2133 ++++ b/fs/jbd2/journal.c
2134 +@@ -914,7 +914,7 @@ out:
2135 + }
2136 +
2137 + /*
2138 +- * This is a variaon of __jbd2_update_log_tail which checks for validity of
2139 ++ * This is a variation of __jbd2_update_log_tail which checks for validity of
2140 + * provided log tail and locks j_checkpoint_mutex. So it is safe against races
2141 + * with other threads updating log tail.
2142 + */
2143 +@@ -1384,6 +1384,9 @@ int jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid,
2144 + journal_superblock_t *sb = journal->j_superblock;
2145 + int ret;
2146 +
2147 ++ if (is_journal_aborted(journal))
2148 ++ return -EIO;
2149 ++
2150 + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex));
2151 + jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n",
2152 + tail_block, tail_tid);
2153 +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
2154 +index d86c5e3176a1..600da1a4df29 100644
2155 +--- a/fs/jffs2/super.c
2156 ++++ b/fs/jffs2/super.c
2157 +@@ -345,7 +345,7 @@ static void jffs2_put_super (struct super_block *sb)
2158 + static void jffs2_kill_sb(struct super_block *sb)
2159 + {
2160 + struct jffs2_sb_info *c = JFFS2_SB_INFO(sb);
2161 +- if (!(sb->s_flags & MS_RDONLY))
2162 ++ if (c && !(sb->s_flags & MS_RDONLY))
2163 + jffs2_stop_garbage_collect_thread(c);
2164 + kill_mtd_super(sb);
2165 + kfree(c);
2166 +diff --git a/fs/namei.c b/fs/namei.c
2167 +index 0fcad42e4d3e..de57dd59d95f 100644
2168 +--- a/fs/namei.c
2169 ++++ b/fs/namei.c
2170 +@@ -219,9 +219,10 @@ getname_kernel(const char * filename)
2171 + if (len <= EMBEDDED_NAME_MAX) {
2172 + result->name = (char *)result->iname;
2173 + } else if (len <= PATH_MAX) {
2174 ++ const size_t size = offsetof(struct filename, iname[1]);
2175 + struct filename *tmp;
2176 +
2177 +- tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
2178 ++ tmp = kmalloc(size, GFP_KERNEL);
2179 + if (unlikely(!tmp)) {
2180 + __putname(result);
2181 + return ERR_PTR(-ENOMEM);
2182 +diff --git a/fs/namespace.c b/fs/namespace.c
2183 +index ec4078d16eb7..a879560ea144 100644
2184 +--- a/fs/namespace.c
2185 ++++ b/fs/namespace.c
2186 +@@ -1018,7 +1018,8 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
2187 + goto out_free;
2188 + }
2189 +
2190 +- mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
2191 ++ mnt->mnt.mnt_flags = old->mnt.mnt_flags;
2192 ++ mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);
2193 + /* Don't allow unprivileged users to change mount flags */
2194 + if (flag & CL_UNPRIVILEGED) {
2195 + mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
2196 +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
2197 +index e0e5f7c3c99f..8a459b179183 100644
2198 +--- a/fs/notify/fanotify/fanotify.c
2199 ++++ b/fs/notify/fanotify/fanotify.c
2200 +@@ -92,7 +92,7 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark,
2201 + u32 event_mask,
2202 + void *data, int data_type)
2203 + {
2204 +- __u32 marks_mask, marks_ignored_mask;
2205 ++ __u32 marks_mask = 0, marks_ignored_mask = 0;
2206 + struct path *path = data;
2207 +
2208 + pr_debug("%s: inode_mark=%p vfsmnt_mark=%p mask=%x data=%p"
2209 +@@ -108,24 +108,20 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark,
2210 + !d_can_lookup(path->dentry))
2211 + return false;
2212 +
2213 +- if (inode_mark && vfsmnt_mark) {
2214 +- marks_mask = (vfsmnt_mark->mask | inode_mark->mask);
2215 +- marks_ignored_mask = (vfsmnt_mark->ignored_mask | inode_mark->ignored_mask);
2216 +- } else if (inode_mark) {
2217 +- /*
2218 +- * if the event is for a child and this inode doesn't care about
2219 +- * events on the child, don't send it!
2220 +- */
2221 +- if ((event_mask & FS_EVENT_ON_CHILD) &&
2222 +- !(inode_mark->mask & FS_EVENT_ON_CHILD))
2223 +- return false;
2224 +- marks_mask = inode_mark->mask;
2225 +- marks_ignored_mask = inode_mark->ignored_mask;
2226 +- } else if (vfsmnt_mark) {
2227 +- marks_mask = vfsmnt_mark->mask;
2228 +- marks_ignored_mask = vfsmnt_mark->ignored_mask;
2229 +- } else {
2230 +- BUG();
2231 ++ /*
2232 ++ * if the event is for a child and this inode doesn't care about
2233 ++ * events on the child, don't send it!
2234 ++ */
2235 ++ if (inode_mark &&
2236 ++ (!(event_mask & FS_EVENT_ON_CHILD) ||
2237 ++ (inode_mark->mask & FS_EVENT_ON_CHILD))) {
2238 ++ marks_mask |= inode_mark->mask;
2239 ++ marks_ignored_mask |= inode_mark->ignored_mask;
2240 ++ }
2241 ++
2242 ++ if (vfsmnt_mark) {
2243 ++ marks_mask |= vfsmnt_mark->mask;
2244 ++ marks_ignored_mask |= vfsmnt_mark->ignored_mask;
2245 + }
2246 +
2247 + if (d_is_dir(path->dentry) &&
2248 +diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
2249 +index a72097b625ef..00985f9db9f7 100644
2250 +--- a/fs/reiserfs/journal.c
2251 ++++ b/fs/reiserfs/journal.c
2252 +@@ -2643,7 +2643,7 @@ static int journal_init_dev(struct super_block *super,
2253 + if (IS_ERR(journal->j_dev_bd)) {
2254 + result = PTR_ERR(journal->j_dev_bd);
2255 + journal->j_dev_bd = NULL;
2256 +- reiserfs_warning(super,
2257 ++ reiserfs_warning(super, "sh-457",
2258 + "journal_init_dev: Cannot open '%s': %i",
2259 + jdev_name, result);
2260 + return result;
2261 +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
2262 +index 1fd90c079537..0bb6de356451 100644
2263 +--- a/fs/ubifs/super.c
2264 ++++ b/fs/ubifs/super.c
2265 +@@ -1728,8 +1728,11 @@ static void ubifs_remount_ro(struct ubifs_info *c)
2266 +
2267 + dbg_save_space_info(c);
2268 +
2269 +- for (i = 0; i < c->jhead_cnt; i++)
2270 +- ubifs_wbuf_sync(&c->jheads[i].wbuf);
2271 ++ for (i = 0; i < c->jhead_cnt; i++) {
2272 ++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
2273 ++ if (err)
2274 ++ ubifs_ro_mode(c, err);
2275 ++ }
2276 +
2277 + c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_DIRTY);
2278 + c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS);
2279 +@@ -1795,8 +1798,11 @@ static void ubifs_put_super(struct super_block *sb)
2280 + int err;
2281 +
2282 + /* Synchronize write-buffers */
2283 +- for (i = 0; i < c->jhead_cnt; i++)
2284 +- ubifs_wbuf_sync(&c->jheads[i].wbuf);
2285 ++ for (i = 0; i < c->jhead_cnt; i++) {
2286 ++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
2287 ++ if (err)
2288 ++ ubifs_ro_mode(c, err);
2289 ++ }
2290 +
2291 + /*
2292 + * We are being cleanly unmounted which means the
2293 +diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h
2294 +index 140c29635069..a307c37c2e6c 100644
2295 +--- a/include/linux/backing-dev-defs.h
2296 ++++ b/include/linux/backing-dev-defs.h
2297 +@@ -191,6 +191,11 @@ static inline void set_bdi_congested(struct backing_dev_info *bdi, int sync)
2298 + set_wb_congested(bdi->wb.congested, sync);
2299 + }
2300 +
2301 ++struct wb_lock_cookie {
2302 ++ bool locked;
2303 ++ unsigned long flags;
2304 ++};
2305 ++
2306 + #ifdef CONFIG_CGROUP_WRITEBACK
2307 +
2308 + /**
2309 +diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h
2310 +index 89d3de3e096b..361274ce5815 100644
2311 +--- a/include/linux/backing-dev.h
2312 ++++ b/include/linux/backing-dev.h
2313 +@@ -366,7 +366,7 @@ static inline struct bdi_writeback *inode_to_wb(struct inode *inode)
2314 + /**
2315 + * unlocked_inode_to_wb_begin - begin unlocked inode wb access transaction
2316 + * @inode: target inode
2317 +- * @lockedp: temp bool output param, to be passed to the end function
2318 ++ * @cookie: output param, to be passed to the end function
2319 + *
2320 + * The caller wants to access the wb associated with @inode but isn't
2321 + * holding inode->i_lock, mapping->tree_lock or wb->list_lock. This
2322 +@@ -374,12 +374,12 @@ static inline struct bdi_writeback *inode_to_wb(struct inode *inode)
2323 + * association doesn't change until the transaction is finished with
2324 + * unlocked_inode_to_wb_end().
2325 + *
2326 +- * The caller must call unlocked_inode_to_wb_end() with *@lockdep
2327 +- * afterwards and can't sleep during transaction. IRQ may or may not be
2328 +- * disabled on return.
2329 ++ * The caller must call unlocked_inode_to_wb_end() with *@cookie afterwards and
2330 ++ * can't sleep during the transaction. IRQs may or may not be disabled on
2331 ++ * return.
2332 + */
2333 + static inline struct bdi_writeback *
2334 +-unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp)
2335 ++unlocked_inode_to_wb_begin(struct inode *inode, struct wb_lock_cookie *cookie)
2336 + {
2337 + rcu_read_lock();
2338 +
2339 +@@ -387,10 +387,10 @@ unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp)
2340 + * Paired with store_release in inode_switch_wb_work_fn() and
2341 + * ensures that we see the new wb if we see cleared I_WB_SWITCH.
2342 + */
2343 +- *lockedp = smp_load_acquire(&inode->i_state) & I_WB_SWITCH;
2344 ++ cookie->locked = smp_load_acquire(&inode->i_state) & I_WB_SWITCH;
2345 +
2346 +- if (unlikely(*lockedp))
2347 +- spin_lock_irq(&inode->i_mapping->tree_lock);
2348 ++ if (unlikely(cookie->locked))
2349 ++ spin_lock_irqsave(&inode->i_mapping->tree_lock, cookie->flags);
2350 +
2351 + /*
2352 + * Protected by either !I_WB_SWITCH + rcu_read_lock() or tree_lock.
2353 +@@ -402,12 +402,14 @@ unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp)
2354 + /**
2355 + * unlocked_inode_to_wb_end - end inode wb access transaction
2356 + * @inode: target inode
2357 +- * @locked: *@lockedp from unlocked_inode_to_wb_begin()
2358 ++ * @cookie: @cookie from unlocked_inode_to_wb_begin()
2359 + */
2360 +-static inline void unlocked_inode_to_wb_end(struct inode *inode, bool locked)
2361 ++static inline void unlocked_inode_to_wb_end(struct inode *inode,
2362 ++ struct wb_lock_cookie *cookie)
2363 + {
2364 +- if (unlikely(locked))
2365 +- spin_unlock_irq(&inode->i_mapping->tree_lock);
2366 ++ if (unlikely(cookie->locked))
2367 ++ spin_unlock_irqrestore(&inode->i_mapping->tree_lock,
2368 ++ cookie->flags);
2369 +
2370 + rcu_read_unlock();
2371 + }
2372 +@@ -454,12 +456,13 @@ static inline struct bdi_writeback *inode_to_wb(struct inode *inode)
2373 + }
2374 +
2375 + static inline struct bdi_writeback *
2376 +-unlocked_inode_to_wb_begin(struct inode *inode, bool *lockedp)
2377 ++unlocked_inode_to_wb_begin(struct inode *inode, struct wb_lock_cookie *cookie)
2378 + {
2379 + return inode_to_wb(inode);
2380 + }
2381 +
2382 +-static inline void unlocked_inode_to_wb_end(struct inode *inode, bool locked)
2383 ++static inline void unlocked_inode_to_wb_end(struct inode *inode,
2384 ++ struct wb_lock_cookie *cookie)
2385 + {
2386 + }
2387 +
2388 +diff --git a/include/linux/hid.h b/include/linux/hid.h
2389 +index 251a1d382e23..fd86687f8119 100644
2390 +--- a/include/linux/hid.h
2391 ++++ b/include/linux/hid.h
2392 +@@ -793,7 +793,7 @@ extern int hidinput_connect(struct hid_device *hid, unsigned int force);
2393 + extern void hidinput_disconnect(struct hid_device *);
2394 +
2395 + int hid_set_field(struct hid_field *, unsigned, __s32);
2396 +-int hid_input_report(struct hid_device *, int type, u8 *, int, int);
2397 ++int hid_input_report(struct hid_device *, int type, u8 *, u32, int);
2398 + int hidinput_find_field(struct hid_device *hid, unsigned int type, unsigned int code, struct hid_field **field);
2399 + struct hid_field *hidinput_get_led_field(struct hid_device *hid);
2400 + unsigned int hidinput_count_leds(struct hid_device *hid);
2401 +@@ -1098,13 +1098,13 @@ static inline void hid_hw_wait(struct hid_device *hdev)
2402 + *
2403 + * @report: the report we want to know the length
2404 + */
2405 +-static inline int hid_report_len(struct hid_report *report)
2406 ++static inline u32 hid_report_len(struct hid_report *report)
2407 + {
2408 + /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */
2409 + return ((report->size - 1) >> 3) + 1 + (report->id > 0);
2410 + }
2411 +
2412 +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
2413 ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
2414 + int interrupt);
2415 +
2416 + /* HID quirks API */
2417 +diff --git a/include/linux/mm.h b/include/linux/mm.h
2418 +index 55f950afb60d..a100946607a5 100644
2419 +--- a/include/linux/mm.h
2420 ++++ b/include/linux/mm.h
2421 +@@ -225,10 +225,14 @@ extern pgprot_t protection_map[16];
2422 + * ->fault function. The vma's ->fault is responsible for returning a bitmask
2423 + * of VM_FAULT_xxx flags that give details about how the fault was handled.
2424 + *
2425 ++ * MM layer fills up gfp_mask for page allocations but fault handler might
2426 ++ * alter it if its implementation requires a different allocation context.
2427 ++ *
2428 + * pgoff should be used in favour of virtual_address, if possible.
2429 + */
2430 + struct vm_fault {
2431 + unsigned int flags; /* FAULT_FLAG_xxx flags */
2432 ++ gfp_t gfp_mask; /* gfp mask to be used for allocations */
2433 + pgoff_t pgoff; /* Logical page offset based on vma */
2434 + void __user *virtual_address; /* Faulting virtual address */
2435 +
2436 +diff --git a/include/linux/tty.h b/include/linux/tty.h
2437 +index a1042afff99a..d67ceb3f5958 100644
2438 +--- a/include/linux/tty.h
2439 ++++ b/include/linux/tty.h
2440 +@@ -342,6 +342,7 @@ struct tty_file_private {
2441 + #define TTY_PTY_LOCK 16 /* pty private */
2442 + #define TTY_NO_WRITE_SPLIT 17 /* Preserve write boundaries to driver */
2443 + #define TTY_HUPPED 18 /* Post driver->hangup() */
2444 ++#define TTY_HUPPING 19 /* Hangup in progress */
2445 + #define TTY_LDISC_HALTED 22 /* Line discipline is halted */
2446 +
2447 + #define TTY_WRITE_FLUSH(tty) tty_write_flush((tty))
2448 +diff --git a/include/net/slhc_vj.h b/include/net/slhc_vj.h
2449 +index 8716d5942b65..8fcf8908a694 100644
2450 +--- a/include/net/slhc_vj.h
2451 ++++ b/include/net/slhc_vj.h
2452 +@@ -127,6 +127,7 @@ typedef __u32 int32;
2453 + */
2454 + struct cstate {
2455 + byte_t cs_this; /* connection id number (xmit) */
2456 ++ bool initialized; /* true if initialized */
2457 + struct cstate *next; /* next in ring (xmit) */
2458 + struct iphdr cs_ip; /* ip/tcp hdr from most recent packet */
2459 + struct tcphdr cs_tcp;
2460 +diff --git a/include/sound/pcm_oss.h b/include/sound/pcm_oss.h
2461 +index 760c969d885d..12bbf8c81112 100644
2462 +--- a/include/sound/pcm_oss.h
2463 ++++ b/include/sound/pcm_oss.h
2464 +@@ -57,6 +57,7 @@ struct snd_pcm_oss_runtime {
2465 + char *buffer; /* vmallocated period */
2466 + size_t buffer_used; /* used length from period buffer */
2467 + struct mutex params_lock;
2468 ++ atomic_t rw_ref; /* concurrent read/write accesses */
2469 + #ifdef CONFIG_SND_PCM_OSS_PLUGINS
2470 + struct snd_pcm_plugin *plugin_first;
2471 + struct snd_pcm_plugin *plugin_last;
2472 +diff --git a/ipc/shm.c b/ipc/shm.c
2473 +index 4982a4e7f009..a492dd81cf56 100644
2474 +--- a/ipc/shm.c
2475 ++++ b/ipc/shm.c
2476 +@@ -198,6 +198,12 @@ static int __shm_open(struct vm_area_struct *vma)
2477 + if (IS_ERR(shp))
2478 + return PTR_ERR(shp);
2479 +
2480 ++ if (shp->shm_file != sfd->file) {
2481 ++ /* ID was reused */
2482 ++ shm_unlock(shp);
2483 ++ return -EINVAL;
2484 ++ }
2485 ++
2486 + shp->shm_atim = get_seconds();
2487 + shp->shm_lprid = task_tgid_vnr(current);
2488 + shp->shm_nattch++;
2489 +@@ -414,8 +420,9 @@ static int shm_mmap(struct file *file, struct vm_area_struct *vma)
2490 + int ret;
2491 +
2492 + /*
2493 +- * In case of remap_file_pages() emulation, the file can represent
2494 +- * removed IPC ID: propogate shm_lock() error to caller.
2495 ++ * In case of remap_file_pages() emulation, the file can represent an
2496 ++ * IPC ID that was removed, and possibly even reused by another shm
2497 ++ * segment already. Propagate this case as an error to caller.
2498 + */
2499 + ret =__shm_open(vma);
2500 + if (ret)
2501 +@@ -439,6 +446,7 @@ static int shm_release(struct inode *ino, struct file *file)
2502 + struct shm_file_data *sfd = shm_file_data(file);
2503 +
2504 + put_ipc_ns(sfd->ns);
2505 ++ fput(sfd->file);
2506 + shm_file_data(file) = NULL;
2507 + kfree(sfd);
2508 + return 0;
2509 +@@ -1198,7 +1206,16 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
2510 + file->f_mapping = shp->shm_file->f_mapping;
2511 + sfd->id = shp->shm_perm.id;
2512 + sfd->ns = get_ipc_ns(ns);
2513 +- sfd->file = shp->shm_file;
2514 ++ /*
2515 ++ * We need to take a reference to the real shm file to prevent the
2516 ++ * pointer from becoming stale in cases where the lifetime of the outer
2517 ++ * file extends beyond that of the shm segment. It's not usually
2518 ++ * possible, but it can happen during remap_file_pages() emulation as
2519 ++ * that unmaps the memory, then does ->mmap() via file reference only.
2520 ++ * We'll deny the ->mmap() if the shm segment was since removed, but to
2521 ++ * detect shm ID reuse we need to compare the file pointers.
2522 ++ */
2523 ++ sfd->file = get_file(shp->shm_file);
2524 + sfd->vm_ops = NULL;
2525 +
2526 + err = security_mmap_file(file, prot, flags);
2527 +diff --git a/kernel/resource.c b/kernel/resource.c
2528 +index a4a94e700fb9..41718cd8cab5 100644
2529 +--- a/kernel/resource.c
2530 ++++ b/kernel/resource.c
2531 +@@ -611,7 +611,8 @@ static int __find_resource(struct resource *root, struct resource *old,
2532 + alloc.start = constraint->alignf(constraint->alignf_data, &avail,
2533 + size, constraint->align);
2534 + alloc.end = alloc.start + size - 1;
2535 +- if (resource_contains(&avail, &alloc)) {
2536 ++ if (alloc.start <= alloc.end &&
2537 ++ resource_contains(&avail, &alloc)) {
2538 + new->start = alloc.start;
2539 + new->end = alloc.end;
2540 + return 0;
2541 +diff --git a/lib/Makefile b/lib/Makefile
2542 +index 7f1de26613d2..cb4f6aa95013 100644
2543 +--- a/lib/Makefile
2544 ++++ b/lib/Makefile
2545 +@@ -58,8 +58,6 @@ obj-$(CONFIG_HAS_IOMEM) += iomap_copy.o devres.o
2546 + obj-$(CONFIG_CHECK_SIGNATURE) += check_signature.o
2547 + obj-$(CONFIG_DEBUG_LOCKING_API_SELFTESTS) += locking-selftest.o
2548 +
2549 +-GCOV_PROFILE_hweight.o := n
2550 +-CFLAGS_hweight.o = $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS))
2551 + obj-$(CONFIG_GENERIC_HWEIGHT) += hweight.o
2552 +
2553 + obj-$(CONFIG_BTREE) += btree.o
2554 +diff --git a/lib/hweight.c b/lib/hweight.c
2555 +index 9a5c1f221558..43273a7d83cf 100644
2556 +--- a/lib/hweight.c
2557 ++++ b/lib/hweight.c
2558 +@@ -9,6 +9,7 @@
2559 + * The Hamming Weight of a number is the total number of bits set in it.
2560 + */
2561 +
2562 ++#ifndef __HAVE_ARCH_SW_HWEIGHT
2563 + unsigned int __sw_hweight32(unsigned int w)
2564 + {
2565 + #ifdef CONFIG_ARCH_HAS_FAST_MULTIPLIER
2566 +@@ -25,6 +26,7 @@ unsigned int __sw_hweight32(unsigned int w)
2567 + #endif
2568 + }
2569 + EXPORT_SYMBOL(__sw_hweight32);
2570 ++#endif
2571 +
2572 + unsigned int __sw_hweight16(unsigned int w)
2573 + {
2574 +@@ -43,6 +45,7 @@ unsigned int __sw_hweight8(unsigned int w)
2575 + }
2576 + EXPORT_SYMBOL(__sw_hweight8);
2577 +
2578 ++#ifndef __HAVE_ARCH_SW_HWEIGHT
2579 + unsigned long __sw_hweight64(__u64 w)
2580 + {
2581 + #if BITS_PER_LONG == 32
2582 +@@ -65,3 +68,4 @@ unsigned long __sw_hweight64(__u64 w)
2583 + #endif
2584 + }
2585 + EXPORT_SYMBOL(__sw_hweight64);
2586 ++#endif
2587 +diff --git a/mm/filemap.c b/mm/filemap.c
2588 +index 69f75c77c098..b15f1d8bba43 100644
2589 +--- a/mm/filemap.c
2590 ++++ b/mm/filemap.c
2591 +@@ -571,7 +571,7 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask)
2592 + VM_BUG_ON_PAGE(!PageLocked(new), new);
2593 + VM_BUG_ON_PAGE(new->mapping, new);
2594 +
2595 +- error = radix_tree_preload(gfp_mask & ~__GFP_HIGHMEM);
2596 ++ error = radix_tree_preload(gfp_mask & GFP_RECLAIM_MASK);
2597 + if (!error) {
2598 + struct address_space *mapping = old->mapping;
2599 + void (*freepage)(struct page *);
2600 +@@ -630,7 +630,7 @@ static int __add_to_page_cache_locked(struct page *page,
2601 + return error;
2602 + }
2603 +
2604 +- error = radix_tree_maybe_preload(gfp_mask & ~__GFP_HIGHMEM);
2605 ++ error = radix_tree_maybe_preload(gfp_mask & GFP_RECLAIM_MASK);
2606 + if (error) {
2607 + if (!huge)
2608 + mem_cgroup_cancel_charge(page, memcg);
2609 +@@ -1192,8 +1192,7 @@ no_page:
2610 + if (fgp_flags & FGP_ACCESSED)
2611 + __SetPageReferenced(page);
2612 +
2613 +- err = add_to_page_cache_lru(page, mapping, offset,
2614 +- gfp_mask & GFP_RECLAIM_MASK);
2615 ++ err = add_to_page_cache_lru(page, mapping, offset, gfp_mask);
2616 + if (unlikely(err)) {
2617 + page_cache_release(page);
2618 + page = NULL;
2619 +@@ -1827,19 +1826,18 @@ EXPORT_SYMBOL(generic_file_read_iter);
2620 + * This adds the requested page to the page cache if it isn't already there,
2621 + * and schedules an I/O to read in its contents from disk.
2622 + */
2623 +-static int page_cache_read(struct file *file, pgoff_t offset)
2624 ++static int page_cache_read(struct file *file, pgoff_t offset, gfp_t gfp_mask)
2625 + {
2626 + struct address_space *mapping = file->f_mapping;
2627 + struct page *page;
2628 + int ret;
2629 +
2630 + do {
2631 +- page = page_cache_alloc_cold(mapping);
2632 ++ page = __page_cache_alloc(gfp_mask|__GFP_COLD);
2633 + if (!page)
2634 + return -ENOMEM;
2635 +
2636 +- ret = add_to_page_cache_lru(page, mapping, offset,
2637 +- mapping_gfp_constraint(mapping, GFP_KERNEL));
2638 ++ ret = add_to_page_cache_lru(page, mapping, offset, gfp_mask);
2639 + if (ret == 0)
2640 + ret = mapping->a_ops->readpage(file, page);
2641 + else if (ret == -EEXIST)
2642 +@@ -2020,7 +2018,7 @@ no_cached_page:
2643 + * We're only likely to ever get here if MADV_RANDOM is in
2644 + * effect.
2645 + */
2646 +- error = page_cache_read(file, offset);
2647 ++ error = page_cache_read(file, offset, vmf->gfp_mask);
2648 +
2649 + /*
2650 + * The page we want has now been added to the page cache.
2651 +diff --git a/mm/memory.c b/mm/memory.c
2652 +index 31ca97f7ebbc..177cb7d111a9 100644
2653 +--- a/mm/memory.c
2654 ++++ b/mm/memory.c
2655 +@@ -1990,6 +1990,20 @@ static inline void cow_user_page(struct page *dst, struct page *src, unsigned lo
2656 + copy_user_highpage(dst, src, va, vma);
2657 + }
2658 +
2659 ++static gfp_t __get_fault_gfp_mask(struct vm_area_struct *vma)
2660 ++{
2661 ++ struct file *vm_file = vma->vm_file;
2662 ++
2663 ++ if (vm_file)
2664 ++ return mapping_gfp_mask(vm_file->f_mapping) | __GFP_FS | __GFP_IO;
2665 ++
2666 ++ /*
2667 ++ * Special mappings (e.g. VDSO) do not have any file so fake
2668 ++ * a default GFP_KERNEL for them.
2669 ++ */
2670 ++ return GFP_KERNEL;
2671 ++}
2672 ++
2673 + /*
2674 + * Notify the address space that the page is about to become writable so that
2675 + * it can prohibit this or wait for the page to get into an appropriate state.
2676 +@@ -2005,6 +2019,7 @@ static int do_page_mkwrite(struct vm_area_struct *vma, struct page *page,
2677 + vmf.virtual_address = (void __user *)(address & PAGE_MASK);
2678 + vmf.pgoff = page->index;
2679 + vmf.flags = FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE;
2680 ++ vmf.gfp_mask = __get_fault_gfp_mask(vma);
2681 + vmf.page = page;
2682 + vmf.cow_page = NULL;
2683 +
2684 +@@ -2770,6 +2785,7 @@ static int __do_fault(struct vm_area_struct *vma, unsigned long address,
2685 + vmf.pgoff = pgoff;
2686 + vmf.flags = flags;
2687 + vmf.page = NULL;
2688 ++ vmf.gfp_mask = __get_fault_gfp_mask(vma);
2689 + vmf.cow_page = cow_page;
2690 +
2691 + ret = vma->vm_ops->fault(vma, &vmf);
2692 +@@ -2936,6 +2952,7 @@ static void do_fault_around(struct vm_area_struct *vma, unsigned long address,
2693 + vmf.pgoff = pgoff;
2694 + vmf.max_pgoff = max_pgoff;
2695 + vmf.flags = flags;
2696 ++ vmf.gfp_mask = __get_fault_gfp_mask(vma);
2697 + vma->vm_ops->map_pages(vma, &vmf);
2698 + }
2699 +
2700 +diff --git a/mm/page-writeback.c b/mm/page-writeback.c
2701 +index 6d0dbde4503b..3309dbda7ffa 100644
2702 +--- a/mm/page-writeback.c
2703 ++++ b/mm/page-writeback.c
2704 +@@ -2510,13 +2510,13 @@ void account_page_redirty(struct page *page)
2705 + if (mapping && mapping_cap_account_dirty(mapping)) {
2706 + struct inode *inode = mapping->host;
2707 + struct bdi_writeback *wb;
2708 +- bool locked;
2709 ++ struct wb_lock_cookie cookie = {};
2710 +
2711 +- wb = unlocked_inode_to_wb_begin(inode, &locked);
2712 ++ wb = unlocked_inode_to_wb_begin(inode, &cookie);
2713 + current->nr_dirtied--;
2714 + dec_zone_page_state(page, NR_DIRTIED);
2715 + dec_wb_stat(wb, WB_DIRTIED);
2716 +- unlocked_inode_to_wb_end(inode, locked);
2717 ++ unlocked_inode_to_wb_end(inode, &cookie);
2718 + }
2719 + }
2720 + EXPORT_SYMBOL(account_page_redirty);
2721 +@@ -2622,15 +2622,15 @@ void cancel_dirty_page(struct page *page)
2722 + struct inode *inode = mapping->host;
2723 + struct bdi_writeback *wb;
2724 + struct mem_cgroup *memcg;
2725 +- bool locked;
2726 ++ struct wb_lock_cookie cookie = {};
2727 +
2728 + memcg = mem_cgroup_begin_page_stat(page);
2729 +- wb = unlocked_inode_to_wb_begin(inode, &locked);
2730 ++ wb = unlocked_inode_to_wb_begin(inode, &cookie);
2731 +
2732 + if (TestClearPageDirty(page))
2733 + account_page_cleaned(page, mapping, memcg, wb);
2734 +
2735 +- unlocked_inode_to_wb_end(inode, locked);
2736 ++ unlocked_inode_to_wb_end(inode, &cookie);
2737 + mem_cgroup_end_page_stat(memcg);
2738 + } else {
2739 + ClearPageDirty(page);
2740 +@@ -2663,7 +2663,7 @@ int clear_page_dirty_for_io(struct page *page)
2741 + struct inode *inode = mapping->host;
2742 + struct bdi_writeback *wb;
2743 + struct mem_cgroup *memcg;
2744 +- bool locked;
2745 ++ struct wb_lock_cookie cookie = {};
2746 +
2747 + /*
2748 + * Yes, Virginia, this is indeed insane.
2749 +@@ -2701,14 +2701,14 @@ int clear_page_dirty_for_io(struct page *page)
2750 + * exclusion.
2751 + */
2752 + memcg = mem_cgroup_begin_page_stat(page);
2753 +- wb = unlocked_inode_to_wb_begin(inode, &locked);
2754 ++ wb = unlocked_inode_to_wb_begin(inode, &cookie);
2755 + if (TestClearPageDirty(page)) {
2756 + mem_cgroup_dec_page_stat(memcg, MEM_CGROUP_STAT_DIRTY);
2757 + dec_zone_page_state(page, NR_FILE_DIRTY);
2758 + dec_wb_stat(wb, WB_RECLAIMABLE);
2759 + ret = 1;
2760 + }
2761 +- unlocked_inode_to_wb_end(inode, locked);
2762 ++ unlocked_inode_to_wb_end(inode, &cookie);
2763 + mem_cgroup_end_page_stat(memcg);
2764 + return ret;
2765 + }
2766 +diff --git a/mm/slab.c b/mm/slab.c
2767 +index 4765c97ce690..fa49c01225a7 100644
2768 +--- a/mm/slab.c
2769 ++++ b/mm/slab.c
2770 +@@ -3915,7 +3915,8 @@ next:
2771 + next_reap_node();
2772 + out:
2773 + /* Set up the next iteration */
2774 +- schedule_delayed_work(work, round_jiffies_relative(REAPTIMEOUT_AC));
2775 ++ schedule_delayed_work_on(smp_processor_id(), work,
2776 ++ round_jiffies_relative(REAPTIMEOUT_AC));
2777 + }
2778 +
2779 + #ifdef CONFIG_SLABINFO
2780 +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
2781 +index d81186d34558..9103dd15511c 100644
2782 +--- a/net/sunrpc/rpc_pipe.c
2783 ++++ b/net/sunrpc/rpc_pipe.c
2784 +@@ -1375,6 +1375,7 @@ rpc_gssd_dummy_depopulate(struct dentry *pipe_dentry)
2785 + struct dentry *clnt_dir = pipe_dentry->d_parent;
2786 + struct dentry *gssd_dir = clnt_dir->d_parent;
2787 +
2788 ++ dget(pipe_dentry);
2789 + __rpc_rmpipe(d_inode(clnt_dir), pipe_dentry);
2790 + __rpc_depopulate(clnt_dir, gssd_dummy_info_file, 0, 1);
2791 + __rpc_depopulate(gssd_dir, gssd_dummy_clnt_dir, 0, 1);
2792 +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
2793 +index 6cd8aec146f2..07feb35f1935 100644
2794 +--- a/sound/core/oss/pcm_oss.c
2795 ++++ b/sound/core/oss/pcm_oss.c
2796 +@@ -833,8 +833,25 @@ static int choose_rate(struct snd_pcm_substream *substream,
2797 + return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL);
2798 + }
2799 +
2800 +-static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
2801 +- bool trylock)
2802 ++/* parameter locking: returns immediately if tried during streaming */
2803 ++static int lock_params(struct snd_pcm_runtime *runtime)
2804 ++{
2805 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock))
2806 ++ return -ERESTARTSYS;
2807 ++ if (atomic_read(&runtime->oss.rw_ref)) {
2808 ++ mutex_unlock(&runtime->oss.params_lock);
2809 ++ return -EBUSY;
2810 ++ }
2811 ++ return 0;
2812 ++}
2813 ++
2814 ++static void unlock_params(struct snd_pcm_runtime *runtime)
2815 ++{
2816 ++ mutex_unlock(&runtime->oss.params_lock);
2817 ++}
2818 ++
2819 ++/* call with params_lock held */
2820 ++static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
2821 + {
2822 + struct snd_pcm_runtime *runtime = substream->runtime;
2823 + struct snd_pcm_hw_params *params, *sparams;
2824 +@@ -848,12 +865,9 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
2825 + struct snd_mask sformat_mask;
2826 + struct snd_mask mask;
2827 +
2828 +- if (trylock) {
2829 +- if (!(mutex_trylock(&runtime->oss.params_lock)))
2830 +- return -EAGAIN;
2831 +- } else if (mutex_lock_interruptible(&runtime->oss.params_lock))
2832 +- return -EINTR;
2833 +- sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL);
2834 ++ if (!runtime->oss.params)
2835 ++ return 0;
2836 ++ sw_params = kzalloc(sizeof(*sw_params), GFP_KERNEL);
2837 + params = kmalloc(sizeof(*params), GFP_KERNEL);
2838 + sparams = kmalloc(sizeof(*sparams), GFP_KERNEL);
2839 + if (!sw_params || !params || !sparams) {
2840 +@@ -991,7 +1005,6 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
2841 + goto failure;
2842 + }
2843 +
2844 +- memset(sw_params, 0, sizeof(*sw_params));
2845 + if (runtime->oss.trigger) {
2846 + sw_params->start_threshold = 1;
2847 + } else {
2848 +@@ -1079,6 +1092,23 @@ failure:
2849 + kfree(sw_params);
2850 + kfree(params);
2851 + kfree(sparams);
2852 ++ return err;
2853 ++}
2854 ++
2855 ++/* this one takes the lock by itself */
2856 ++static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
2857 ++ bool trylock)
2858 ++{
2859 ++ struct snd_pcm_runtime *runtime = substream->runtime;
2860 ++ int err;
2861 ++
2862 ++ if (trylock) {
2863 ++ if (!(mutex_trylock(&runtime->oss.params_lock)))
2864 ++ return -EAGAIN;
2865 ++ } else if (mutex_lock_interruptible(&runtime->oss.params_lock))
2866 ++ return -ERESTARTSYS;
2867 ++
2868 ++ err = snd_pcm_oss_change_params_locked(substream);
2869 + mutex_unlock(&runtime->oss.params_lock);
2870 + return err;
2871 + }
2872 +@@ -1107,6 +1137,10 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil
2873 + return 0;
2874 + }
2875 +
2876 ++/* call with params_lock held */
2877 ++/* NOTE: this always call PREPARE unconditionally no matter whether
2878 ++ * runtime->oss.prepare is set or not
2879 ++ */
2880 + static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream)
2881 + {
2882 + int err;
2883 +@@ -1131,14 +1165,35 @@ static int snd_pcm_oss_make_ready(struct snd_pcm_substream *substream)
2884 + struct snd_pcm_runtime *runtime;
2885 + int err;
2886 +
2887 +- if (substream == NULL)
2888 +- return 0;
2889 + runtime = substream->runtime;
2890 + if (runtime->oss.params) {
2891 + err = snd_pcm_oss_change_params(substream, false);
2892 + if (err < 0)
2893 + return err;
2894 + }
2895 ++ if (runtime->oss.prepare) {
2896 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock))
2897 ++ return -ERESTARTSYS;
2898 ++ err = snd_pcm_oss_prepare(substream);
2899 ++ mutex_unlock(&runtime->oss.params_lock);
2900 ++ if (err < 0)
2901 ++ return err;
2902 ++ }
2903 ++ return 0;
2904 ++}
2905 ++
2906 ++/* call with params_lock held */
2907 ++static int snd_pcm_oss_make_ready_locked(struct snd_pcm_substream *substream)
2908 ++{
2909 ++ struct snd_pcm_runtime *runtime;
2910 ++ int err;
2911 ++
2912 ++ runtime = substream->runtime;
2913 ++ if (runtime->oss.params) {
2914 ++ err = snd_pcm_oss_change_params_locked(substream);
2915 ++ if (err < 0)
2916 ++ return err;
2917 ++ }
2918 + if (runtime->oss.prepare) {
2919 + err = snd_pcm_oss_prepare(substream);
2920 + if (err < 0)
2921 +@@ -1367,13 +1422,15 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
2922 + if (atomic_read(&substream->mmap_count))
2923 + return -ENXIO;
2924 +
2925 +- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
2926 +- return tmp;
2927 ++ atomic_inc(&runtime->oss.rw_ref);
2928 + while (bytes > 0) {
2929 + if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
2930 + tmp = -ERESTARTSYS;
2931 + break;
2932 + }
2933 ++ tmp = snd_pcm_oss_make_ready_locked(substream);
2934 ++ if (tmp < 0)
2935 ++ goto err;
2936 + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
2937 + tmp = bytes;
2938 + if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes)
2939 +@@ -1429,6 +1486,7 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
2940 + }
2941 + tmp = 0;
2942 + }
2943 ++ atomic_dec(&runtime->oss.rw_ref);
2944 + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
2945 + }
2946 +
2947 +@@ -1474,13 +1532,15 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
2948 + if (atomic_read(&substream->mmap_count))
2949 + return -ENXIO;
2950 +
2951 +- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
2952 +- return tmp;
2953 ++ atomic_inc(&runtime->oss.rw_ref);
2954 + while (bytes > 0) {
2955 + if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
2956 + tmp = -ERESTARTSYS;
2957 + break;
2958 + }
2959 ++ tmp = snd_pcm_oss_make_ready_locked(substream);
2960 ++ if (tmp < 0)
2961 ++ goto err;
2962 + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
2963 + if (runtime->oss.buffer_used == 0) {
2964 + tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1);
2965 +@@ -1521,6 +1581,7 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
2966 + }
2967 + tmp = 0;
2968 + }
2969 ++ atomic_dec(&runtime->oss.rw_ref);
2970 + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
2971 + }
2972 +
2973 +@@ -1536,10 +1597,12 @@ static int snd_pcm_oss_reset(struct snd_pcm_oss_file *pcm_oss_file)
2974 + continue;
2975 + runtime = substream->runtime;
2976 + snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
2977 ++ mutex_lock(&runtime->oss.params_lock);
2978 + runtime->oss.prepare = 1;
2979 + runtime->oss.buffer_used = 0;
2980 + runtime->oss.prev_hw_ptr_period = 0;
2981 + runtime->oss.period_ptr = 0;
2982 ++ mutex_unlock(&runtime->oss.params_lock);
2983 + }
2984 + return 0;
2985 + }
2986 +@@ -1625,9 +1688,13 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
2987 + goto __direct;
2988 + if ((err = snd_pcm_oss_make_ready(substream)) < 0)
2989 + return err;
2990 ++ atomic_inc(&runtime->oss.rw_ref);
2991 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
2992 ++ atomic_dec(&runtime->oss.rw_ref);
2993 ++ return -ERESTARTSYS;
2994 ++ }
2995 + format = snd_pcm_oss_format_from(runtime->oss.format);
2996 + width = snd_pcm_format_physical_width(format);
2997 +- mutex_lock(&runtime->oss.params_lock);
2998 + if (runtime->oss.buffer_used > 0) {
2999 + #ifdef OSS_DEBUG
3000 + pcm_dbg(substream->pcm, "sync: buffer_used\n");
3001 +@@ -1637,10 +1704,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
3002 + runtime->oss.buffer + runtime->oss.buffer_used,
3003 + size);
3004 + err = snd_pcm_oss_sync1(substream, runtime->oss.period_bytes);
3005 +- if (err < 0) {
3006 +- mutex_unlock(&runtime->oss.params_lock);
3007 +- return err;
3008 +- }
3009 ++ if (err < 0)
3010 ++ goto unlock;
3011 + } else if (runtime->oss.period_ptr > 0) {
3012 + #ifdef OSS_DEBUG
3013 + pcm_dbg(substream->pcm, "sync: period_ptr\n");
3014 +@@ -1650,10 +1715,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
3015 + runtime->oss.buffer,
3016 + size * 8 / width);
3017 + err = snd_pcm_oss_sync1(substream, size);
3018 +- if (err < 0) {
3019 +- mutex_unlock(&runtime->oss.params_lock);
3020 +- return err;
3021 +- }
3022 ++ if (err < 0)
3023 ++ goto unlock;
3024 + }
3025 + /*
3026 + * The ALSA's period might be a bit large than OSS one.
3027 +@@ -1684,7 +1747,11 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
3028 + snd_pcm_lib_writev(substream, buffers, size);
3029 + }
3030 + }
3031 ++unlock:
3032 + mutex_unlock(&runtime->oss.params_lock);
3033 ++ atomic_dec(&runtime->oss.rw_ref);
3034 ++ if (err < 0)
3035 ++ return err;
3036 + /*
3037 + * finish sync: drain the buffer
3038 + */
3039 +@@ -1695,7 +1762,9 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
3040 + substream->f_flags = saved_f_flags;
3041 + if (err < 0)
3042 + return err;
3043 ++ mutex_lock(&runtime->oss.params_lock);
3044 + runtime->oss.prepare = 1;
3045 ++ mutex_unlock(&runtime->oss.params_lock);
3046 + }
3047 +
3048 + substream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
3049 +@@ -1706,8 +1775,10 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
3050 + err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
3051 + if (err < 0)
3052 + return err;
3053 ++ mutex_lock(&runtime->oss.params_lock);
3054 + runtime->oss.buffer_used = 0;
3055 + runtime->oss.prepare = 1;
3056 ++ mutex_unlock(&runtime->oss.params_lock);
3057 + }
3058 + return 0;
3059 + }
3060 +@@ -1719,6 +1790,8 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate)
3061 + for (idx = 1; idx >= 0; --idx) {
3062 + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
3063 + struct snd_pcm_runtime *runtime;
3064 ++ int err;
3065 ++
3066 + if (substream == NULL)
3067 + continue;
3068 + runtime = substream->runtime;
3069 +@@ -1726,10 +1799,14 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate)
3070 + rate = 1000;
3071 + else if (rate > 192000)
3072 + rate = 192000;
3073 ++ err = lock_params(runtime);
3074 ++ if (err < 0)
3075 ++ return err;
3076 + if (runtime->oss.rate != rate) {
3077 + runtime->oss.params = 1;
3078 + runtime->oss.rate = rate;
3079 + }
3080 ++ unlock_params(runtime);
3081 + }
3082 + return snd_pcm_oss_get_rate(pcm_oss_file);
3083 + }
3084 +@@ -1754,13 +1831,19 @@ static int snd_pcm_oss_set_channels(struct snd_pcm_oss_file *pcm_oss_file, unsig
3085 + for (idx = 1; idx >= 0; --idx) {
3086 + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
3087 + struct snd_pcm_runtime *runtime;
3088 ++ int err;
3089 ++
3090 + if (substream == NULL)
3091 + continue;
3092 + runtime = substream->runtime;
3093 ++ err = lock_params(runtime);
3094 ++ if (err < 0)
3095 ++ return err;
3096 + if (runtime->oss.channels != channels) {
3097 + runtime->oss.params = 1;
3098 + runtime->oss.channels = channels;
3099 + }
3100 ++ unlock_params(runtime);
3101 + }
3102 + return snd_pcm_oss_get_channels(pcm_oss_file);
3103 + }
3104 +@@ -1833,6 +1916,7 @@ static int snd_pcm_oss_get_formats(struct snd_pcm_oss_file *pcm_oss_file)
3105 + static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int format)
3106 + {
3107 + int formats, idx;
3108 ++ int err;
3109 +
3110 + if (format != AFMT_QUERY) {
3111 + formats = snd_pcm_oss_get_formats(pcm_oss_file);
3112 +@@ -1846,10 +1930,14 @@ static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int for
3113 + if (substream == NULL)
3114 + continue;
3115 + runtime = substream->runtime;
3116 ++ err = lock_params(runtime);
3117 ++ if (err < 0)
3118 ++ return err;
3119 + if (runtime->oss.format != format) {
3120 + runtime->oss.params = 1;
3121 + runtime->oss.format = format;
3122 + }
3123 ++ unlock_params(runtime);
3124 + }
3125 + }
3126 + return snd_pcm_oss_get_format(pcm_oss_file);
3127 +@@ -1869,8 +1957,6 @@ static int snd_pcm_oss_set_subdivide1(struct snd_pcm_substream *substream, int s
3128 + {
3129 + struct snd_pcm_runtime *runtime;
3130 +
3131 +- if (substream == NULL)
3132 +- return 0;
3133 + runtime = substream->runtime;
3134 + if (subdivide == 0) {
3135 + subdivide = runtime->oss.subdivision;
3136 +@@ -1894,9 +1980,17 @@ static int snd_pcm_oss_set_subdivide(struct snd_pcm_oss_file *pcm_oss_file, int
3137 +
3138 + for (idx = 1; idx >= 0; --idx) {
3139 + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
3140 ++ struct snd_pcm_runtime *runtime;
3141 ++
3142 + if (substream == NULL)
3143 + continue;
3144 +- if ((err = snd_pcm_oss_set_subdivide1(substream, subdivide)) < 0)
3145 ++ runtime = substream->runtime;
3146 ++ err = lock_params(runtime);
3147 ++ if (err < 0)
3148 ++ return err;
3149 ++ err = snd_pcm_oss_set_subdivide1(substream, subdivide);
3150 ++ unlock_params(runtime);
3151 ++ if (err < 0)
3152 + return err;
3153 + }
3154 + return err;
3155 +@@ -1906,8 +2000,6 @@ static int snd_pcm_oss_set_fragment1(struct snd_pcm_substream *substream, unsign
3156 + {
3157 + struct snd_pcm_runtime *runtime;
3158 +
3159 +- if (substream == NULL)
3160 +- return 0;
3161 + runtime = substream->runtime;
3162 + if (runtime->oss.subdivision || runtime->oss.fragshift)
3163 + return -EINVAL;
3164 +@@ -1927,9 +2019,17 @@ static int snd_pcm_oss_set_fragment(struct snd_pcm_oss_file *pcm_oss_file, unsig
3165 +
3166 + for (idx = 1; idx >= 0; --idx) {
3167 + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
3168 ++ struct snd_pcm_runtime *runtime;
3169 ++
3170 + if (substream == NULL)
3171 + continue;
3172 +- if ((err = snd_pcm_oss_set_fragment1(substream, val)) < 0)
3173 ++ runtime = substream->runtime;
3174 ++ err = lock_params(runtime);
3175 ++ if (err < 0)
3176 ++ return err;
3177 ++ err = snd_pcm_oss_set_fragment1(substream, val);
3178 ++ unlock_params(runtime);
3179 ++ if (err < 0)
3180 + return err;
3181 + }
3182 + return err;
3183 +@@ -2013,6 +2113,9 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
3184 + }
3185 + if (psubstream) {
3186 + runtime = psubstream->runtime;
3187 ++ cmd = 0;
3188 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock))
3189 ++ return -ERESTARTSYS;
3190 + if (trigger & PCM_ENABLE_OUTPUT) {
3191 + if (runtime->oss.trigger)
3192 + goto _skip1;
3193 +@@ -2030,13 +2133,19 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
3194 + cmd = SNDRV_PCM_IOCTL_DROP;
3195 + runtime->oss.prepare = 1;
3196 + }
3197 +- err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL);
3198 +- if (err < 0)
3199 +- return err;
3200 +- }
3201 + _skip1:
3202 ++ mutex_unlock(&runtime->oss.params_lock);
3203 ++ if (cmd) {
3204 ++ err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL);
3205 ++ if (err < 0)
3206 ++ return err;
3207 ++ }
3208 ++ }
3209 + if (csubstream) {
3210 + runtime = csubstream->runtime;
3211 ++ cmd = 0;
3212 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock))
3213 ++ return -ERESTARTSYS;
3214 + if (trigger & PCM_ENABLE_INPUT) {
3215 + if (runtime->oss.trigger)
3216 + goto _skip2;
3217 +@@ -2051,11 +2160,14 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
3218 + cmd = SNDRV_PCM_IOCTL_DROP;
3219 + runtime->oss.prepare = 1;
3220 + }
3221 +- err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL);
3222 +- if (err < 0)
3223 +- return err;
3224 +- }
3225 + _skip2:
3226 ++ mutex_unlock(&runtime->oss.params_lock);
3227 ++ if (cmd) {
3228 ++ err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL);
3229 ++ if (err < 0)
3230 ++ return err;
3231 ++ }
3232 ++ }
3233 + return 0;
3234 + }
3235 +
3236 +@@ -2307,6 +2419,7 @@ static void snd_pcm_oss_init_substream(struct snd_pcm_substream *substream,
3237 + runtime->oss.maxfrags = 0;
3238 + runtime->oss.subdivision = 0;
3239 + substream->pcm_release = snd_pcm_oss_release_substream;
3240 ++ atomic_set(&runtime->oss.rw_ref, 0);
3241 + }
3242 +
3243 + static int snd_pcm_oss_release_file(struct snd_pcm_oss_file *pcm_oss_file)
3244 +diff --git a/sound/core/pcm.c b/sound/core/pcm.c
3245 +index 074363b63cc4..6bda8f6c5f84 100644
3246 +--- a/sound/core/pcm.c
3247 ++++ b/sound/core/pcm.c
3248 +@@ -28,6 +28,7 @@
3249 + #include <sound/core.h>
3250 + #include <sound/minors.h>
3251 + #include <sound/pcm.h>
3252 ++#include <sound/timer.h>
3253 + #include <sound/control.h>
3254 + #include <sound/info.h>
3255 +
3256 +@@ -1025,8 +1026,13 @@ void snd_pcm_detach_substream(struct snd_pcm_substream *substream)
3257 + snd_free_pages((void*)runtime->control,
3258 + PAGE_ALIGN(sizeof(struct snd_pcm_mmap_control)));
3259 + kfree(runtime->hw_constraints.rules);
3260 +- kfree(runtime);
3261 ++ /* Avoid concurrent access to runtime via PCM timer interface */
3262 ++ if (substream->timer)
3263 ++ spin_lock_irq(&substream->timer->lock);
3264 + substream->runtime = NULL;
3265 ++ if (substream->timer)
3266 ++ spin_unlock_irq(&substream->timer->lock);
3267 ++ kfree(runtime);
3268 + put_pid(substream->pid);
3269 + substream->pid = NULL;
3270 + substream->pstr->substream_opened--;
3271 +diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c
3272 +index 09a89094dcf7..4e304a24924a 100644
3273 +--- a/sound/core/rawmidi_compat.c
3274 ++++ b/sound/core/rawmidi_compat.c
3275 +@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile,
3276 + struct snd_rawmidi_params params;
3277 + unsigned int val;
3278 +
3279 +- if (rfile->output == NULL)
3280 +- return -EINVAL;
3281 + if (get_user(params.stream, &src->stream) ||
3282 + get_user(params.buffer_size, &src->buffer_size) ||
3283 + get_user(params.avail_min, &src->avail_min) ||
3284 +@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile,
3285 + params.no_active_sensing = val;
3286 + switch (params.stream) {
3287 + case SNDRV_RAWMIDI_STREAM_OUTPUT:
3288 ++ if (!rfile->output)
3289 ++ return -EINVAL;
3290 + return snd_rawmidi_output_params(rfile->output, &params);
3291 + case SNDRV_RAWMIDI_STREAM_INPUT:
3292 ++ if (!rfile->input)
3293 ++ return -EINVAL;
3294 + return snd_rawmidi_input_params(rfile->input, &params);
3295 + }
3296 + return -EINVAL;
3297 +@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_compat(struct snd_rawmidi_file *rfile,
3298 + int err;
3299 + struct snd_rawmidi_status status;
3300 +
3301 +- if (rfile->output == NULL)
3302 +- return -EINVAL;
3303 + if (get_user(status.stream, &src->stream))
3304 + return -EFAULT;
3305 +
3306 + switch (status.stream) {
3307 + case SNDRV_RAWMIDI_STREAM_OUTPUT:
3308 ++ if (!rfile->output)
3309 ++ return -EINVAL;
3310 + err = snd_rawmidi_output_status(rfile->output, &status);
3311 + break;
3312 + case SNDRV_RAWMIDI_STREAM_INPUT:
3313 ++ if (!rfile->input)
3314 ++ return -EINVAL;
3315 + err = snd_rawmidi_input_status(rfile->input, &status);
3316 + break;
3317 + default:
3318 +@@ -113,16 +117,18 @@ static int snd_rawmidi_ioctl_status_x32(struct snd_rawmidi_file *rfile,
3319 + int err;
3320 + struct snd_rawmidi_status status;
3321 +
3322 +- if (rfile->output == NULL)
3323 +- return -EINVAL;
3324 + if (get_user(status.stream, &src->stream))
3325 + return -EFAULT;
3326 +
3327 + switch (status.stream) {
3328 + case SNDRV_RAWMIDI_STREAM_OUTPUT:
3329 ++ if (!rfile->output)
3330 ++ return -EINVAL;
3331 + err = snd_rawmidi_output_status(rfile->output, &status);
3332 + break;
3333 + case SNDRV_RAWMIDI_STREAM_INPUT:
3334 ++ if (!rfile->input)
3335 ++ return -EINVAL;
3336 + err = snd_rawmidi_input_status(rfile->input, &status);
3337 + break;
3338 + default:
3339 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
3340 +index fbd00821e326..3be91696ac35 100644
3341 +--- a/sound/pci/hda/hda_intel.c
3342 ++++ b/sound/pci/hda/hda_intel.c
3343 +@@ -1549,7 +1549,8 @@ static void azx_check_snoop_available(struct azx *chip)
3344 + */
3345 + u8 val;
3346 + pci_read_config_byte(chip->pci, 0x42, &val);
3347 +- if (!(val & 0x80) && chip->pci->revision == 0x30)
3348 ++ if (!(val & 0x80) && (chip->pci->revision == 0x30 ||
3349 ++ chip->pci->revision == 0x20))
3350 + snoop = false;
3351 + }
3352 +
3353 +diff --git a/sound/soc/codecs/ssm2602.c b/sound/soc/codecs/ssm2602.c
3354 +index 4452fea0b118..bd4998f577a0 100644
3355 +--- a/sound/soc/codecs/ssm2602.c
3356 ++++ b/sound/soc/codecs/ssm2602.c
3357 +@@ -54,10 +54,17 @@ struct ssm2602_priv {
3358 + * using 2 wire for device control, so we cache them instead.
3359 + * There is no point in caching the reset register
3360 + */
3361 +-static const u16 ssm2602_reg[SSM2602_CACHEREGNUM] = {
3362 +- 0x0097, 0x0097, 0x0079, 0x0079,
3363 +- 0x000a, 0x0008, 0x009f, 0x000a,
3364 +- 0x0000, 0x0000
3365 ++static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = {
3366 ++ { .reg = 0x00, .def = 0x0097 },
3367 ++ { .reg = 0x01, .def = 0x0097 },
3368 ++ { .reg = 0x02, .def = 0x0079 },
3369 ++ { .reg = 0x03, .def = 0x0079 },
3370 ++ { .reg = 0x04, .def = 0x000a },
3371 ++ { .reg = 0x05, .def = 0x0008 },
3372 ++ { .reg = 0x06, .def = 0x009f },
3373 ++ { .reg = 0x07, .def = 0x000a },
3374 ++ { .reg = 0x08, .def = 0x0000 },
3375 ++ { .reg = 0x09, .def = 0x0000 }
3376 + };
3377 +
3378 +
3379 +@@ -618,8 +625,8 @@ const struct regmap_config ssm2602_regmap_config = {
3380 + .volatile_reg = ssm2602_register_volatile,
3381 +
3382 + .cache_type = REGCACHE_RBTREE,
3383 +- .reg_defaults_raw = ssm2602_reg,
3384 +- .num_reg_defaults_raw = ARRAY_SIZE(ssm2602_reg),
3385 ++ .reg_defaults = ssm2602_reg,
3386 ++ .num_reg_defaults = ARRAY_SIZE(ssm2602_reg),
3387 + };
3388 + EXPORT_SYMBOL_GPL(ssm2602_regmap_config);
3389 +
3390 +diff --git a/sound/usb/line6/midi.c b/sound/usb/line6/midi.c
3391 +index cebea9b7f769..6a9be1df7851 100644
3392 +--- a/sound/usb/line6/midi.c
3393 ++++ b/sound/usb/line6/midi.c
3394 +@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_line6 *line6, unsigned char *data,
3395 + }
3396 +
3397 + usb_fill_int_urb(urb, line6->usbdev,
3398 +- usb_sndbulkpipe(line6->usbdev,
3399 ++ usb_sndintpipe(line6->usbdev,
3400 + line6->properties->ep_ctrl_w),
3401 + transfer_buffer, length, midi_sent, line6,
3402 + line6->interval);
3403 +diff --git a/tools/perf/tests/code-reading.c b/tools/perf/tests/code-reading.c
3404 +index 6ea4fcfaab36..a767a6400c5c 100644
3405 +--- a/tools/perf/tests/code-reading.c
3406 ++++ b/tools/perf/tests/code-reading.c
3407 +@@ -182,8 +182,6 @@ static int read_object_code(u64 addr, size_t len, u8 cpumode,
3408 + unsigned char buf2[BUFSZ];
3409 + size_t ret_len;
3410 + u64 objdump_addr;
3411 +- const char *objdump_name;
3412 +- char decomp_name[KMOD_DECOMP_LEN];
3413 + int ret;
3414 +
3415 + pr_debug("Reading object code for memory address: %#"PRIx64"\n", addr);
3416 +@@ -244,25 +242,9 @@ static int read_object_code(u64 addr, size_t len, u8 cpumode,
3417 + state->done[state->done_cnt++] = al.map->start;
3418 + }
3419 +
3420 +- objdump_name = al.map->dso->long_name;
3421 +- if (dso__needs_decompress(al.map->dso)) {
3422 +- if (dso__decompress_kmodule_path(al.map->dso, objdump_name,
3423 +- decomp_name,
3424 +- sizeof(decomp_name)) < 0) {
3425 +- pr_debug("decompression failed\n");
3426 +- return -1;
3427 +- }
3428 +-
3429 +- objdump_name = decomp_name;
3430 +- }
3431 +-
3432 + /* Read the object code using objdump */
3433 + objdump_addr = map__rip_2objdump(al.map, al.addr);
3434 +- ret = read_via_objdump(objdump_name, objdump_addr, buf2, len);
3435 +-
3436 +- if (dso__needs_decompress(al.map->dso))
3437 +- unlink(objdump_name);
3438 +-
3439 ++ ret = read_via_objdump(al.map->dso->long_name, objdump_addr, buf2, len);
3440 + if (ret > 0) {
3441 + /*
3442 + * The kernel maps are inaccurate - assume objdump is right in
3443 +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
3444 +index eeeae0629ad3..0b540b84f8b7 100644
3445 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
3446 ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
3447 +@@ -1270,6 +1270,7 @@ static int intel_pt_overflow(struct intel_pt_decoder *decoder)
3448 + intel_pt_clear_tx_flags(decoder);
3449 + decoder->have_tma = false;
3450 + decoder->cbr = 0;
3451 ++ decoder->timestamp_insn_cnt = 0;
3452 + decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC;
3453 + decoder->overflow = true;
3454 + return -EOVERFLOW;
3455 +@@ -1492,6 +1493,7 @@ static int intel_pt_walk_fup_tip(struct intel_pt_decoder *decoder)
3456 + case INTEL_PT_PSBEND:
3457 + intel_pt_log("ERROR: Missing TIP after FUP\n");
3458 + decoder->pkt_state = INTEL_PT_STATE_ERR3;
3459 ++ decoder->pkt_step = 0;
3460 + return -ENOENT;
3461 +
3462 + case INTEL_PT_OVF:
3463 +@@ -2152,14 +2154,6 @@ const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder)
3464 + return &decoder->state;
3465 + }
3466 +
3467 +-static bool intel_pt_at_psb(unsigned char *buf, size_t len)
3468 +-{
3469 +- if (len < INTEL_PT_PSB_LEN)
3470 +- return false;
3471 +- return memmem(buf, INTEL_PT_PSB_LEN, INTEL_PT_PSB_STR,
3472 +- INTEL_PT_PSB_LEN);
3473 +-}
3474 +-
3475 + /**
3476 + * intel_pt_next_psb - move buffer pointer to the start of the next PSB packet.
3477 + * @buf: pointer to buffer pointer
3478 +@@ -2248,6 +2242,7 @@ static unsigned char *intel_pt_last_psb(unsigned char *buf, size_t len)
3479 + * @buf: buffer
3480 + * @len: size of buffer
3481 + * @tsc: TSC value returned
3482 ++ * @rem: returns remaining size when TSC is found
3483 + *
3484 + * Find a TSC packet in @buf and return the TSC value. This function assumes
3485 + * that @buf starts at a PSB and that PSB+ will contain TSC and so stops if a
3486 +@@ -2255,7 +2250,8 @@ static unsigned char *intel_pt_last_psb(unsigned char *buf, size_t len)
3487 + *
3488 + * Return: %true if TSC is found, false otherwise.
3489 + */
3490 +-static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc)
3491 ++static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc,
3492 ++ size_t *rem)
3493 + {
3494 + struct intel_pt_pkt packet;
3495 + int ret;
3496 +@@ -2266,6 +2262,7 @@ static bool intel_pt_next_tsc(unsigned char *buf, size_t len, uint64_t *tsc)
3497 + return false;
3498 + if (packet.type == INTEL_PT_TSC) {
3499 + *tsc = packet.payload;
3500 ++ *rem = len;
3501 + return true;
3502 + }
3503 + if (packet.type == INTEL_PT_PSBEND)
3504 +@@ -2316,6 +2313,8 @@ static int intel_pt_tsc_cmp(uint64_t tsc1, uint64_t tsc2)
3505 + * @len_a: size of first buffer
3506 + * @buf_b: second buffer
3507 + * @len_b: size of second buffer
3508 ++ * @consecutive: returns true if there is data in buf_b that is consecutive
3509 ++ * to buf_a
3510 + *
3511 + * If the trace contains TSC we can look at the last TSC of @buf_a and the
3512 + * first TSC of @buf_b in order to determine if the buffers overlap, and then
3513 +@@ -2328,33 +2327,41 @@ static int intel_pt_tsc_cmp(uint64_t tsc1, uint64_t tsc2)
3514 + static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a,
3515 + size_t len_a,
3516 + unsigned char *buf_b,
3517 +- size_t len_b)
3518 ++ size_t len_b, bool *consecutive)
3519 + {
3520 + uint64_t tsc_a, tsc_b;
3521 + unsigned char *p;
3522 +- size_t len;
3523 ++ size_t len, rem_a, rem_b;
3524 +
3525 + p = intel_pt_last_psb(buf_a, len_a);
3526 + if (!p)
3527 + return buf_b; /* No PSB in buf_a => no overlap */
3528 +
3529 + len = len_a - (p - buf_a);
3530 +- if (!intel_pt_next_tsc(p, len, &tsc_a)) {
3531 ++ if (!intel_pt_next_tsc(p, len, &tsc_a, &rem_a)) {
3532 + /* The last PSB+ in buf_a is incomplete, so go back one more */
3533 + len_a -= len;
3534 + p = intel_pt_last_psb(buf_a, len_a);
3535 + if (!p)
3536 + return buf_b; /* No full PSB+ => assume no overlap */
3537 + len = len_a - (p - buf_a);
3538 +- if (!intel_pt_next_tsc(p, len, &tsc_a))
3539 ++ if (!intel_pt_next_tsc(p, len, &tsc_a, &rem_a))
3540 + return buf_b; /* No TSC in buf_a => assume no overlap */
3541 + }
3542 +
3543 + while (1) {
3544 + /* Ignore PSB+ with no TSC */
3545 +- if (intel_pt_next_tsc(buf_b, len_b, &tsc_b) &&
3546 +- intel_pt_tsc_cmp(tsc_a, tsc_b) < 0)
3547 +- return buf_b; /* tsc_a < tsc_b => no overlap */
3548 ++ if (intel_pt_next_tsc(buf_b, len_b, &tsc_b, &rem_b)) {
3549 ++ int cmp = intel_pt_tsc_cmp(tsc_a, tsc_b);
3550 ++
3551 ++ /* Same TSC, so buffers are consecutive */
3552 ++ if (!cmp && rem_b >= rem_a) {
3553 ++ *consecutive = true;
3554 ++ return buf_b + len_b - (rem_b - rem_a);
3555 ++ }
3556 ++ if (cmp < 0)
3557 ++ return buf_b; /* tsc_a < tsc_b => no overlap */
3558 ++ }
3559 +
3560 + if (!intel_pt_step_psb(&buf_b, &len_b))
3561 + return buf_b + len_b; /* No PSB in buf_b => no data */
3562 +@@ -2368,6 +2375,8 @@ static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a,
3563 + * @buf_b: second buffer
3564 + * @len_b: size of second buffer
3565 + * @have_tsc: can use TSC packets to detect overlap
3566 ++ * @consecutive: returns true if there is data in buf_b that is consecutive
3567 ++ * to buf_a
3568 + *
3569 + * When trace samples or snapshots are recorded there is the possibility that
3570 + * the data overlaps. Note that, for the purposes of decoding, data is only
3571 +@@ -2378,7 +2387,7 @@ static unsigned char *intel_pt_find_overlap_tsc(unsigned char *buf_a,
3572 + */
3573 + unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
3574 + unsigned char *buf_b, size_t len_b,
3575 +- bool have_tsc)
3576 ++ bool have_tsc, bool *consecutive)
3577 + {
3578 + unsigned char *found;
3579 +
3580 +@@ -2390,7 +2399,8 @@ unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
3581 + return buf_b; /* No overlap */
3582 +
3583 + if (have_tsc) {
3584 +- found = intel_pt_find_overlap_tsc(buf_a, len_a, buf_b, len_b);
3585 ++ found = intel_pt_find_overlap_tsc(buf_a, len_a, buf_b, len_b,
3586 ++ consecutive);
3587 + if (found)
3588 + return found;
3589 + }
3590 +@@ -2405,28 +2415,16 @@ unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
3591 + }
3592 +
3593 + /* Now len_b >= len_a */
3594 +- if (len_b > len_a) {
3595 +- /* The leftover buffer 'b' must start at a PSB */
3596 +- while (!intel_pt_at_psb(buf_b + len_a, len_b - len_a)) {
3597 +- if (!intel_pt_step_psb(&buf_a, &len_a))
3598 +- return buf_b; /* No overlap */
3599 +- }
3600 +- }
3601 +-
3602 + while (1) {
3603 + /* Potential overlap so check the bytes */
3604 + found = memmem(buf_a, len_a, buf_b, len_a);
3605 +- if (found)
3606 ++ if (found) {
3607 ++ *consecutive = true;
3608 + return buf_b + len_a;
3609 ++ }
3610 +
3611 + /* Try again at next PSB in buffer 'a' */
3612 + if (!intel_pt_step_psb(&buf_a, &len_a))
3613 + return buf_b; /* No overlap */
3614 +-
3615 +- /* The leftover buffer 'b' must start at a PSB */
3616 +- while (!intel_pt_at_psb(buf_b + len_a, len_b - len_a)) {
3617 +- if (!intel_pt_step_psb(&buf_a, &len_a))
3618 +- return buf_b; /* No overlap */
3619 +- }
3620 + }
3621 + }
3622 +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
3623 +index 02c38fec1c37..89a3eda6a318 100644
3624 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
3625 ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
3626 +@@ -102,7 +102,7 @@ const struct intel_pt_state *intel_pt_decode(struct intel_pt_decoder *decoder);
3627 +
3628 + unsigned char *intel_pt_find_overlap(unsigned char *buf_a, size_t len_a,
3629 + unsigned char *buf_b, size_t len_b,
3630 +- bool have_tsc);
3631 ++ bool have_tsc, bool *consecutive);
3632 +
3633 + int intel_pt__strerror(int code, char *buf, size_t buflen);
3634 +
3635 +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
3636 +index 89927b5beebf..3693cb26ec66 100644
3637 +--- a/tools/perf/util/intel-pt.c
3638 ++++ b/tools/perf/util/intel-pt.c
3639 +@@ -125,6 +125,7 @@ struct intel_pt_queue {
3640 + bool stop;
3641 + bool step_through_buffers;
3642 + bool use_buffer_pid_tid;
3643 ++ bool sync_switch;
3644 + pid_t pid, tid;
3645 + int cpu;
3646 + int switch_state;
3647 +@@ -188,14 +189,17 @@ static void intel_pt_dump_event(struct intel_pt *pt, unsigned char *buf,
3648 + static int intel_pt_do_fix_overlap(struct intel_pt *pt, struct auxtrace_buffer *a,
3649 + struct auxtrace_buffer *b)
3650 + {
3651 ++ bool consecutive = false;
3652 + void *start;
3653 +
3654 + start = intel_pt_find_overlap(a->data, a->size, b->data, b->size,
3655 +- pt->have_tsc);
3656 ++ pt->have_tsc, &consecutive);
3657 + if (!start)
3658 + return -EINVAL;
3659 + b->use_size = b->data + b->size - start;
3660 + b->use_data = start;
3661 ++ if (b->use_size && consecutive)
3662 ++ b->consecutive = true;
3663 + return 0;
3664 + }
3665 +
3666 +@@ -849,10 +853,12 @@ static int intel_pt_setup_queue(struct intel_pt *pt,
3667 + if (pt->timeless_decoding || !pt->have_sched_switch)
3668 + ptq->use_buffer_pid_tid = true;
3669 + }
3670 ++
3671 ++ ptq->sync_switch = pt->sync_switch;
3672 + }
3673 +
3674 + if (!ptq->on_heap &&
3675 +- (!pt->sync_switch ||
3676 ++ (!ptq->sync_switch ||
3677 + ptq->switch_state != INTEL_PT_SS_EXPECTING_SWITCH_EVENT)) {
3678 + const struct intel_pt_state *state;
3679 + int ret;
3680 +@@ -1235,7 +1241,7 @@ static int intel_pt_sample(struct intel_pt_queue *ptq)
3681 + if (pt->synth_opts.last_branch)
3682 + intel_pt_update_last_branch_rb(ptq);
3683 +
3684 +- if (!pt->sync_switch)
3685 ++ if (!ptq->sync_switch)
3686 + return 0;
3687 +
3688 + if (intel_pt_is_switch_ip(ptq, state->to_ip)) {
3689 +@@ -1316,6 +1322,21 @@ static u64 intel_pt_switch_ip(struct intel_pt *pt, u64 *ptss_ip)
3690 + return switch_ip;
3691 + }
3692 +
3693 ++static void intel_pt_enable_sync_switch(struct intel_pt *pt)
3694 ++{
3695 ++ unsigned int i;
3696 ++
3697 ++ pt->sync_switch = true;
3698 ++
3699 ++ for (i = 0; i < pt->queues.nr_queues; i++) {
3700 ++ struct auxtrace_queue *queue = &pt->queues.queue_array[i];
3701 ++ struct intel_pt_queue *ptq = queue->priv;
3702 ++
3703 ++ if (ptq)
3704 ++ ptq->sync_switch = true;
3705 ++ }
3706 ++}
3707 ++
3708 + static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp)
3709 + {
3710 + const struct intel_pt_state *state = ptq->state;
3711 +@@ -1332,7 +1353,7 @@ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp)
3712 + if (pt->switch_ip) {
3713 + intel_pt_log("switch_ip: %"PRIx64" ptss_ip: %"PRIx64"\n",
3714 + pt->switch_ip, pt->ptss_ip);
3715 +- pt->sync_switch = true;
3716 ++ intel_pt_enable_sync_switch(pt);
3717 + }
3718 + }
3719 + }
3720 +@@ -1348,9 +1369,9 @@ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp)
3721 + if (state->err) {
3722 + if (state->err == INTEL_PT_ERR_NODATA)
3723 + return 1;
3724 +- if (pt->sync_switch &&
3725 ++ if (ptq->sync_switch &&
3726 + state->from_ip >= pt->kernel_start) {
3727 +- pt->sync_switch = false;
3728 ++ ptq->sync_switch = false;
3729 + intel_pt_next_tid(pt, ptq);
3730 + }
3731 + if (pt->synth_opts.errors) {
3732 +@@ -1376,7 +1397,7 @@ static int intel_pt_run_decoder(struct intel_pt_queue *ptq, u64 *timestamp)
3733 + state->timestamp, state->est_timestamp);
3734 + ptq->timestamp = state->est_timestamp;
3735 + /* Use estimated TSC in unknown switch state */
3736 +- } else if (pt->sync_switch &&
3737 ++ } else if (ptq->sync_switch &&
3738 + ptq->switch_state == INTEL_PT_SS_UNKNOWN &&
3739 + intel_pt_is_switch_ip(ptq, state->to_ip) &&
3740 + ptq->next_tid == -1) {
3741 +@@ -1523,7 +1544,7 @@ static int intel_pt_sync_switch(struct intel_pt *pt, int cpu, pid_t tid,
3742 + return 1;
3743 +
3744 + ptq = intel_pt_cpu_to_ptq(pt, cpu);
3745 +- if (!ptq)
3746 ++ if (!ptq || !ptq->sync_switch)
3747 + return 1;
3748 +
3749 + switch (ptq->switch_state) {
Report Message
Find on MARC Find on Google Groups