Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:3.4 commit in: /
Date: Mon, 02 Feb 2015 23:32:52
Message-Id: 1422919279.a1d2f4883e1b6a2e2ca1849e6c9e1efd51c287d0.mpagano@gentoo
1 commit: a1d2f4883e1b6a2e2ca1849e6c9e1efd51c287d0
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Mon Feb 2 23:21:19 2015 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 2 23:21:19 2015 +0000
6 URL: http://sources.gentoo.org/gitweb/?p=proj/linux-patches.git;a=commit;h=a1d2f488
7
8 Linux patch 3.4.106
9
10 ---
11 0000_README | 4 +
12 1105_linux-3.4.106.patch | 6748 ++++++++++++++++++++++++++++++++++++++++++++++
13 2 files changed, 6752 insertions(+)
14
15 diff --git a/0000_README b/0000_README
16 index 5ff1506..ba104e4 100644
17 --- a/0000_README
18 +++ b/0000_README
19 @@ -459,6 +459,10 @@ Patch: 1104_linux-3.4.105.patch
20 From: http://www.kernel.org
21 Desc: Linux 3.4.105
22
23 +Patch: 1105_linux-3.4.106.patch
24 +From: http://www.kernel.org
25 +Desc: Linux 3.4.106
26 +
27 Patch: 1500_XATTR_USER_PREFIX.patch
28 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
29 Desc: Support for namespace user.pax.* on tmpfs.
30
31 diff --git a/1105_linux-3.4.106.patch b/1105_linux-3.4.106.patch
32 new file mode 100644
33 index 0000000..61b5c3c
34 --- /dev/null
35 +++ b/1105_linux-3.4.106.patch
36 @@ -0,0 +1,6748 @@
37 +diff --git a/Documentation/lzo.txt b/Documentation/lzo.txt
38 +new file mode 100644
39 +index 000000000000..ea45dd3901e3
40 +--- /dev/null
41 ++++ b/Documentation/lzo.txt
42 +@@ -0,0 +1,164 @@
43 ++
44 ++LZO stream format as understood by Linux's LZO decompressor
45 ++===========================================================
46 ++
47 ++Introduction
48 ++
49 ++ This is not a specification. No specification seems to be publicly available
50 ++ for the LZO stream format. This document describes what input format the LZO
51 ++ decompressor as implemented in the Linux kernel understands. The file subject
52 ++ of this analysis is lib/lzo/lzo1x_decompress_safe.c. No analysis was made on
53 ++ the compressor nor on any other implementations though it seems likely that
54 ++ the format matches the standard one. The purpose of this document is to
55 ++ better understand what the code does in order to propose more efficient fixes
56 ++ for future bug reports.
57 ++
58 ++Description
59 ++
60 ++ The stream is composed of a series of instructions, operands, and data. The
61 ++ instructions consist in a few bits representing an opcode, and bits forming
62 ++ the operands for the instruction, whose size and position depend on the
63 ++ opcode and on the number of literals copied by previous instruction. The
64 ++ operands are used to indicate :
65 ++
66 ++ - a distance when copying data from the dictionary (past output buffer)
67 ++ - a length (number of bytes to copy from dictionary)
68 ++ - the number of literals to copy, which is retained in variable "state"
69 ++ as a piece of information for next instructions.
70 ++
71 ++ Optionally depending on the opcode and operands, extra data may follow. These
72 ++ extra data can be a complement for the operand (eg: a length or a distance
73 ++ encoded on larger values), or a literal to be copied to the output buffer.
74 ++
75 ++ The first byte of the block follows a different encoding from other bytes, it
76 ++ seems to be optimized for literal use only, since there is no dictionary yet
77 ++ prior to that byte.
78 ++
79 ++ Lengths are always encoded on a variable size starting with a small number
80 ++ of bits in the operand. If the number of bits isn't enough to represent the
81 ++ length, up to 255 may be added in increments by consuming more bytes with a
82 ++ rate of at most 255 per extra byte (thus the compression ratio cannot exceed
83 ++ around 255:1). The variable length encoding using #bits is always the same :
84 ++
85 ++ length = byte & ((1 << #bits) - 1)
86 ++ if (!length) {
87 ++ length = ((1 << #bits) - 1)
88 ++ length += 255*(number of zero bytes)
89 ++ length += first-non-zero-byte
90 ++ }
91 ++ length += constant (generally 2 or 3)
92 ++
93 ++ For references to the dictionary, distances are relative to the output
94 ++ pointer. Distances are encoded using very few bits belonging to certain
95 ++ ranges, resulting in multiple copy instructions using different encodings.
96 ++ Certain encodings involve one extra byte, others involve two extra bytes
97 ++ forming a little-endian 16-bit quantity (marked LE16 below).
98 ++
99 ++ After any instruction except the large literal copy, 0, 1, 2 or 3 literals
100 ++ are copied before starting the next instruction. The number of literals that
101 ++ were copied may change the meaning and behaviour of the next instruction. In
102 ++ practice, only one instruction needs to know whether 0, less than 4, or more
103 ++ literals were copied. This is the information stored in the <state> variable
104 ++ in this implementation. This number of immediate literals to be copied is
105 ++ generally encoded in the last two bits of the instruction but may also be
106 ++ taken from the last two bits of an extra operand (eg: distance).
107 ++
108 ++ End of stream is declared when a block copy of distance 0 is seen. Only one
109 ++ instruction may encode this distance (0001HLLL), it takes one LE16 operand
110 ++ for the distance, thus requiring 3 bytes.
111 ++
112 ++ IMPORTANT NOTE : in the code some length checks are missing because certain
113 ++ instructions are called under the assumption that a certain number of bytes
114 ++ follow because it has already been garanteed before parsing the instructions.
115 ++ They just have to "refill" this credit if they consume extra bytes. This is
116 ++ an implementation design choice independant on the algorithm or encoding.
117 ++
118 ++Byte sequences
119 ++
120 ++ First byte encoding :
121 ++
122 ++ 0..17 : follow regular instruction encoding, see below. It is worth
123 ++ noting that codes 16 and 17 will represent a block copy from
124 ++ the dictionary which is empty, and that they will always be
125 ++ invalid at this place.
126 ++
127 ++ 18..21 : copy 0..3 literals
128 ++ state = (byte - 17) = 0..3 [ copy <state> literals ]
129 ++ skip byte
130 ++
131 ++ 22..255 : copy literal string
132 ++ length = (byte - 17) = 4..238
133 ++ state = 4 [ don't copy extra literals ]
134 ++ skip byte
135 ++
136 ++ Instruction encoding :
137 ++
138 ++ 0 0 0 0 X X X X (0..15)
139 ++ Depends on the number of literals copied by the last instruction.
140 ++ If last instruction did not copy any literal (state == 0), this
141 ++ encoding will be a copy of 4 or more literal, and must be interpreted
142 ++ like this :
143 ++
144 ++ 0 0 0 0 L L L L (0..15) : copy long literal string
145 ++ length = 3 + (L ?: 15 + (zero_bytes * 255) + non_zero_byte)
146 ++ state = 4 (no extra literals are copied)
147 ++
148 ++ If last instruction used to copy between 1 to 3 literals (encoded in
149 ++ the instruction's opcode or distance), the instruction is a copy of a
150 ++ 2-byte block from the dictionary within a 1kB distance. It is worth
151 ++ noting that this instruction provides little savings since it uses 2
152 ++ bytes to encode a copy of 2 other bytes but it encodes the number of
153 ++ following literals for free. It must be interpreted like this :
154 ++
155 ++ 0 0 0 0 D D S S (0..15) : copy 2 bytes from <= 1kB distance
156 ++ length = 2
157 ++ state = S (copy S literals after this block)
158 ++ Always followed by exactly one byte : H H H H H H H H
159 ++ distance = (H << 2) + D + 1
160 ++
161 ++ If last instruction used to copy 4 or more literals (as detected by
162 ++ state == 4), the instruction becomes a copy of a 3-byte block from the
163 ++ dictionary from a 2..3kB distance, and must be interpreted like this :
164 ++
165 ++ 0 0 0 0 D D S S (0..15) : copy 3 bytes from 2..3 kB distance
166 ++ length = 3
167 ++ state = S (copy S literals after this block)
168 ++ Always followed by exactly one byte : H H H H H H H H
169 ++ distance = (H << 2) + D + 2049
170 ++
171 ++ 0 0 0 1 H L L L (16..31)
172 ++ Copy of a block within 16..48kB distance (preferably less than 10B)
173 ++ length = 2 + (L ?: 7 + (zero_bytes * 255) + non_zero_byte)
174 ++ Always followed by exactly one LE16 : D D D D D D D D : D D D D D D S S
175 ++ distance = 16384 + (H << 14) + D
176 ++ state = S (copy S literals after this block)
177 ++ End of stream is reached if distance == 16384
178 ++
179 ++ 0 0 1 L L L L L (32..63)
180 ++ Copy of small block within 16kB distance (preferably less than 34B)
181 ++ length = 2 + (L ?: 31 + (zero_bytes * 255) + non_zero_byte)
182 ++ Always followed by exactly one LE16 : D D D D D D D D : D D D D D D S S
183 ++ distance = D + 1
184 ++ state = S (copy S literals after this block)
185 ++
186 ++ 0 1 L D D D S S (64..127)
187 ++ Copy 3-4 bytes from block within 2kB distance
188 ++ state = S (copy S literals after this block)
189 ++ length = 3 + L
190 ++ Always followed by exactly one byte : H H H H H H H H
191 ++ distance = (H << 3) + D + 1
192 ++
193 ++ 1 L L D D D S S (128..255)
194 ++ Copy 5-8 bytes from block within 2kB distance
195 ++ state = S (copy S literals after this block)
196 ++ length = 5 + L
197 ++ Always followed by exactly one byte : H H H H H H H H
198 ++ distance = (H << 3) + D + 1
199 ++
200 ++Authors
201 ++
202 ++ This document was written by Willy Tarreau <w@×××.eu> on 2014/07/19 during an
203 ++ analysis of the decompression code available in Linux 3.16-rc5. The code is
204 ++ tricky, it is possible that this document contains mistakes or that a few
205 ++ corner cases were overlooked. In any case, please report any doubt, fix, or
206 ++ proposed updates to the author(s) so that the document can be updated.
207 +diff --git a/Makefile b/Makefile
208 +index cf2c8a82ca3e..649f1462ebf8 100644
209 +--- a/Makefile
210 ++++ b/Makefile
211 +@@ -1,6 +1,6 @@
212 + VERSION = 3
213 + PATCHLEVEL = 4
214 +-SUBLEVEL = 105
215 ++SUBLEVEL = 106
216 + EXTRAVERSION =
217 + NAME = Saber-toothed Squirrel
218 +
219 +diff --git a/arch/m68k/mm/hwtest.c b/arch/m68k/mm/hwtest.c
220 +index 2c7dde3c6430..2a5259fd23eb 100644
221 +--- a/arch/m68k/mm/hwtest.c
222 ++++ b/arch/m68k/mm/hwtest.c
223 +@@ -28,9 +28,11 @@
224 + int hwreg_present( volatile void *regp )
225 + {
226 + int ret = 0;
227 ++ unsigned long flags;
228 + long save_sp, save_vbr;
229 + long tmp_vectors[3];
230 +
231 ++ local_irq_save(flags);
232 + __asm__ __volatile__
233 + ( "movec %/vbr,%2\n\t"
234 + "movel #Lberr1,%4@(8)\n\t"
235 +@@ -46,6 +48,7 @@ int hwreg_present( volatile void *regp )
236 + : "=&d" (ret), "=&r" (save_sp), "=&r" (save_vbr)
237 + : "a" (regp), "a" (tmp_vectors)
238 + );
239 ++ local_irq_restore(flags);
240 +
241 + return( ret );
242 + }
243 +@@ -58,9 +61,11 @@ EXPORT_SYMBOL(hwreg_present);
244 + int hwreg_write( volatile void *regp, unsigned short val )
245 + {
246 + int ret;
247 ++ unsigned long flags;
248 + long save_sp, save_vbr;
249 + long tmp_vectors[3];
250 +
251 ++ local_irq_save(flags);
252 + __asm__ __volatile__
253 + ( "movec %/vbr,%2\n\t"
254 + "movel #Lberr2,%4@(8)\n\t"
255 +@@ -78,6 +83,7 @@ int hwreg_write( volatile void *regp, unsigned short val )
256 + : "=&d" (ret), "=&r" (save_sp), "=&r" (save_vbr)
257 + : "a" (regp), "a" (tmp_vectors), "g" (val)
258 + );
259 ++ local_irq_restore(flags);
260 +
261 + return( ret );
262 + }
263 +diff --git a/arch/mips/mm/tlbex.c b/arch/mips/mm/tlbex.c
264 +index 0bc485b3cd60..6d64efe77026 100644
265 +--- a/arch/mips/mm/tlbex.c
266 ++++ b/arch/mips/mm/tlbex.c
267 +@@ -1041,6 +1041,7 @@ static void __cpuinit build_update_entries(u32 **p, unsigned int tmp,
268 + struct mips_huge_tlb_info {
269 + int huge_pte;
270 + int restore_scratch;
271 ++ bool need_reload_pte;
272 + };
273 +
274 + static struct mips_huge_tlb_info __cpuinit
275 +@@ -1055,6 +1056,7 @@ build_fast_tlb_refill_handler (u32 **p, struct uasm_label **l,
276 +
277 + rv.huge_pte = scratch;
278 + rv.restore_scratch = 0;
279 ++ rv.need_reload_pte = false;
280 +
281 + if (check_for_high_segbits) {
282 + UASM_i_MFC0(p, tmp, C0_BADVADDR);
283 +@@ -1247,6 +1249,7 @@ static void __cpuinit build_r4000_tlb_refill_handler(void)
284 + } else {
285 + htlb_info.huge_pte = K0;
286 + htlb_info.restore_scratch = 0;
287 ++ htlb_info.need_reload_pte = true;
288 + vmalloc_mode = refill_noscratch;
289 + /*
290 + * create the plain linear handler
291 +@@ -1283,6 +1286,8 @@ static void __cpuinit build_r4000_tlb_refill_handler(void)
292 + }
293 + #ifdef CONFIG_HUGETLB_PAGE
294 + uasm_l_tlb_huge_update(&l, p);
295 ++ if (htlb_info.need_reload_pte)
296 ++ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);
297 + build_huge_update_entries(&p, htlb_info.huge_pte, K1);
298 + build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random,
299 + htlb_info.restore_scratch);
300 +diff --git a/arch/mips/oprofile/backtrace.c b/arch/mips/oprofile/backtrace.c
301 +index 6854ed5097d2..83a1dfd8f0e3 100644
302 +--- a/arch/mips/oprofile/backtrace.c
303 ++++ b/arch/mips/oprofile/backtrace.c
304 +@@ -92,7 +92,7 @@ static inline int unwind_user_frame(struct stackframe *old_frame,
305 + /* This marks the end of the previous function,
306 + which means we overran. */
307 + break;
308 +- stack_size = (unsigned) stack_adjustment;
309 ++ stack_size = (unsigned long) stack_adjustment;
310 + } else if (is_ra_save_ins(&ip)) {
311 + int ra_slot = ip.i_format.simmediate;
312 + if (ra_slot < 0)
313 +diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
314 +index e500969bea0c..c3fc39ee57a5 100644
315 +--- a/arch/powerpc/kernel/entry_64.S
316 ++++ b/arch/powerpc/kernel/entry_64.S
317 +@@ -813,7 +813,13 @@ user_work:
318 + b .ret_from_except_lite
319 +
320 + 1: bl .save_nvgprs
321 ++ /*
322 ++ * Use a non volatile GPR to save and restore our thread_info flags
323 ++ * across the call to restore_interrupts.
324 ++ */
325 ++ mr r30,r4
326 + bl .restore_interrupts
327 ++ mr r4,r30
328 + addi r3,r1,STACK_FRAME_OVERHEAD
329 + bl .do_notify_resume
330 + b .ret_from_except
331 +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
332 +index 10e13b331d38..df69bcb13c79 100644
333 +--- a/arch/s390/kvm/interrupt.c
334 ++++ b/arch/s390/kvm/interrupt.c
335 +@@ -43,6 +43,7 @@ static int __interrupt_is_deliverable(struct kvm_vcpu *vcpu,
336 + return 0;
337 + if (vcpu->arch.sie_block->gcr[0] & 0x2000ul)
338 + return 1;
339 ++ return 0;
340 + case KVM_S390_INT_EMERGENCY:
341 + if (psw_extint_disabled(vcpu))
342 + return 0;
343 +diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
344 +index e95822d683f4..fa9c8c7bc500 100644
345 +--- a/arch/x86/include/asm/desc.h
346 ++++ b/arch/x86/include/asm/desc.h
347 +@@ -250,7 +250,8 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
348 + gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
349 + }
350 +
351 +-#define _LDT_empty(info) \
352 ++/* This intentionally ignores lm, since 32-bit apps don't have that field. */
353 ++#define LDT_empty(info) \
354 + ((info)->base_addr == 0 && \
355 + (info)->limit == 0 && \
356 + (info)->contents == 0 && \
357 +@@ -260,11 +261,18 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
358 + (info)->seg_not_present == 1 && \
359 + (info)->useable == 0)
360 +
361 +-#ifdef CONFIG_X86_64
362 +-#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0))
363 +-#else
364 +-#define LDT_empty(info) (_LDT_empty(info))
365 +-#endif
366 ++/* Lots of programs expect an all-zero user_desc to mean "no segment at all". */
367 ++static inline bool LDT_zero(const struct user_desc *info)
368 ++{
369 ++ return (info->base_addr == 0 &&
370 ++ info->limit == 0 &&
371 ++ info->contents == 0 &&
372 ++ info->read_exec_only == 0 &&
373 ++ info->seg_32bit == 0 &&
374 ++ info->limit_in_pages == 0 &&
375 ++ info->seg_not_present == 0 &&
376 ++ info->useable == 0);
377 ++}
378 +
379 + static inline void clear_LDT(void)
380 + {
381 +diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
382 +index 5939f44fe0c0..06ec1fe26d98 100644
383 +--- a/arch/x86/include/asm/elf.h
384 ++++ b/arch/x86/include/asm/elf.h
385 +@@ -155,8 +155,9 @@ do { \
386 + #define elf_check_arch(x) \
387 + ((x)->e_machine == EM_X86_64)
388 +
389 +-#define compat_elf_check_arch(x) \
390 +- (elf_check_arch_ia32(x) || (x)->e_machine == EM_X86_64)
391 ++#define compat_elf_check_arch(x) \
392 ++ (elf_check_arch_ia32(x) || \
393 ++ (IS_ENABLED(CONFIG_X86_X32_ABI) && (x)->e_machine == EM_X86_64))
394 +
395 + #if __USER32_DS != __USER_DS
396 + # error "The following code assumes __USER32_DS == __USER_DS"
397 +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
398 +index 944471f4d142..4f787579b329 100644
399 +--- a/arch/x86/include/asm/kvm_host.h
400 ++++ b/arch/x86/include/asm/kvm_host.h
401 +@@ -453,6 +453,7 @@ struct kvm_vcpu_arch {
402 + u64 mmio_gva;
403 + unsigned access;
404 + gfn_t mmio_gfn;
405 ++ u64 mmio_gen;
406 +
407 + struct kvm_pmu pmu;
408 +
409 +@@ -881,6 +882,20 @@ static inline void kvm_inject_gp(struct kvm_vcpu *vcpu, u32 error_code)
410 + kvm_queue_exception_e(vcpu, GP_VECTOR, error_code);
411 + }
412 +
413 ++static inline u64 get_canonical(u64 la)
414 ++{
415 ++ return ((int64_t)la << 16) >> 16;
416 ++}
417 ++
418 ++static inline bool is_noncanonical_address(u64 la)
419 ++{
420 ++#ifdef CONFIG_X86_64
421 ++ return get_canonical(la) != la;
422 ++#else
423 ++ return false;
424 ++#endif
425 ++}
426 ++
427 + #define TSS_IOPB_BASE_OFFSET 0x66
428 + #define TSS_BASE_SIZE 0x68
429 + #define TSS_IOPB_SIZE (65536 / 8)
430 +@@ -939,7 +954,7 @@ int kvm_arch_interrupt_allowed(struct kvm_vcpu *vcpu);
431 + int kvm_cpu_get_interrupt(struct kvm_vcpu *v);
432 +
433 + void kvm_define_shared_msr(unsigned index, u32 msr);
434 +-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
435 ++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
436 +
437 + bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip);
438 +
439 +diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h
440 +index ade619ff9e2a..88dae6b3d7d5 100644
441 +--- a/arch/x86/include/asm/page_32_types.h
442 ++++ b/arch/x86/include/asm/page_32_types.h
443 +@@ -18,7 +18,6 @@
444 + #define THREAD_ORDER 1
445 + #define THREAD_SIZE (PAGE_SIZE << THREAD_ORDER)
446 +
447 +-#define STACKFAULT_STACK 0
448 + #define DOUBLEFAULT_STACK 1
449 + #define NMI_STACK 0
450 + #define DEBUG_STACK 0
451 +diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
452 +index 7639dbf5d223..a9e9937b9a62 100644
453 +--- a/arch/x86/include/asm/page_64_types.h
454 ++++ b/arch/x86/include/asm/page_64_types.h
455 +@@ -14,12 +14,11 @@
456 + #define IRQ_STACK_ORDER 2
457 + #define IRQ_STACK_SIZE (PAGE_SIZE << IRQ_STACK_ORDER)
458 +
459 +-#define STACKFAULT_STACK 1
460 +-#define DOUBLEFAULT_STACK 2
461 +-#define NMI_STACK 3
462 +-#define DEBUG_STACK 4
463 +-#define MCE_STACK 5
464 +-#define N_EXCEPTION_STACKS 5 /* hw limit: 7 */
465 ++#define DOUBLEFAULT_STACK 1
466 ++#define NMI_STACK 2
467 ++#define DEBUG_STACK 3
468 ++#define MCE_STACK 4
469 ++#define N_EXCEPTION_STACKS 4 /* hw limit: 7 */
470 +
471 + #define PUD_PAGE_SIZE (_AC(1, UL) << PUD_SHIFT)
472 + #define PUD_PAGE_MASK (~(PUD_PAGE_SIZE-1))
473 +diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
474 +index 31f180c21ce9..504d1cf9def8 100644
475 +--- a/arch/x86/include/asm/vmx.h
476 ++++ b/arch/x86/include/asm/vmx.h
477 +@@ -279,6 +279,8 @@ enum vmcs_field {
478 + #define EXIT_REASON_APIC_ACCESS 44
479 + #define EXIT_REASON_EPT_VIOLATION 48
480 + #define EXIT_REASON_EPT_MISCONFIG 49
481 ++#define EXIT_REASON_INVEPT 50
482 ++#define EXIT_REASON_INVVPID 53
483 + #define EXIT_REASON_WBINVD 54
484 + #define EXIT_REASON_XSETBV 55
485 +
486 +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
487 +index edc24480469f..cb5b54e796eb 100644
488 +--- a/arch/x86/kernel/apic/apic.c
489 ++++ b/arch/x86/kernel/apic/apic.c
490 +@@ -1229,7 +1229,7 @@ void __cpuinit setup_local_APIC(void)
491 + unsigned int value, queued;
492 + int i, j, acked = 0;
493 + unsigned long long tsc = 0, ntsc;
494 +- long long max_loops = cpu_khz;
495 ++ long long max_loops = cpu_khz ? cpu_khz : 1000000;
496 +
497 + if (cpu_has_tsc)
498 + rdtscll(tsc);
499 +@@ -1325,7 +1325,7 @@ void __cpuinit setup_local_APIC(void)
500 + acked);
501 + break;
502 + }
503 +- if (cpu_has_tsc) {
504 ++ if (cpu_has_tsc && cpu_khz) {
505 + rdtscll(ntsc);
506 + max_loops = (cpu_khz << 10) - (ntsc - tsc);
507 + } else
508 +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
509 +index cf79302198a6..114db0fee86c 100644
510 +--- a/arch/x86/kernel/cpu/common.c
511 ++++ b/arch/x86/kernel/cpu/common.c
512 +@@ -142,6 +142,8 @@ EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
513 +
514 + static int __init x86_xsave_setup(char *s)
515 + {
516 ++ if (strlen(s))
517 ++ return 0;
518 + setup_clear_cpu_cap(X86_FEATURE_XSAVE);
519 + setup_clear_cpu_cap(X86_FEATURE_XSAVEOPT);
520 + return 1;
521 +diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
522 +index 3e6ff6cbf42a..e7a64dd602d9 100644
523 +--- a/arch/x86/kernel/cpu/intel.c
524 ++++ b/arch/x86/kernel/cpu/intel.c
525 +@@ -143,6 +143,21 @@ static void __cpuinit early_init_intel(struct cpuinfo_x86 *c)
526 + setup_clear_cpu_cap(X86_FEATURE_ERMS);
527 + }
528 + }
529 ++
530 ++ /*
531 ++ * Intel Quark Core DevMan_001.pdf section 6.4.11
532 ++ * "The operating system also is required to invalidate (i.e., flush)
533 ++ * the TLB when any changes are made to any of the page table entries.
534 ++ * The operating system must reload CR3 to cause the TLB to be flushed"
535 ++ *
536 ++ * As a result cpu_has_pge() in arch/x86/include/asm/tlbflush.h should
537 ++ * be false so that __flush_tlb_all() causes CR3 insted of CR4.PGE
538 ++ * to be modified
539 ++ */
540 ++ if (c->x86 == 5 && c->x86_model == 9) {
541 ++ pr_info("Disabling PGE capability bit\n");
542 ++ setup_clear_cpu_cap(X86_FEATURE_PGE);
543 ++ }
544 + }
545 +
546 + #ifdef CONFIG_X86_32
547 +diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
548 +index 17107bd6e1f0..e8206060a0a8 100644
549 +--- a/arch/x86/kernel/dumpstack_64.c
550 ++++ b/arch/x86/kernel/dumpstack_64.c
551 +@@ -24,7 +24,6 @@ static char x86_stack_ids[][8] = {
552 + [ DEBUG_STACK-1 ] = "#DB",
553 + [ NMI_STACK-1 ] = "NMI",
554 + [ DOUBLEFAULT_STACK-1 ] = "#DF",
555 +- [ STACKFAULT_STACK-1 ] = "#SS",
556 + [ MCE_STACK-1 ] = "#MC",
557 + #if DEBUG_STKSZ > EXCEPTION_STKSZ
558 + [ N_EXCEPTION_STACKS ...
559 +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
560 +index 42b055e24691..45f9c70f1246 100644
561 +--- a/arch/x86/kernel/entry_64.S
562 ++++ b/arch/x86/kernel/entry_64.S
563 +@@ -912,13 +912,16 @@ ENTRY(native_iret)
564 + jnz native_irq_return_ldt
565 + #endif
566 +
567 ++.global native_irq_return_iret
568 + native_irq_return_iret:
569 ++ /*
570 ++ * This may fault. Non-paranoid faults on return to userspace are
571 ++ * handled by fixup_bad_iret. These include #SS, #GP, and #NP.
572 ++ * Double-faults due to espfix64 are handled in do_double_fault.
573 ++ * Other faults here are fatal.
574 ++ */
575 + iretq
576 +
577 +- .section __ex_table,"a"
578 +- .quad native_irq_return_iret, bad_iret
579 +- .previous
580 +-
581 + #ifdef CONFIG_X86_ESPFIX64
582 + native_irq_return_ldt:
583 + pushq_cfi %rax
584 +@@ -945,25 +948,6 @@ native_irq_return_ldt:
585 + jmp native_irq_return_iret
586 + #endif
587 +
588 +- .section .fixup,"ax"
589 +-bad_iret:
590 +- /*
591 +- * The iret traps when the %cs or %ss being restored is bogus.
592 +- * We've lost the original trap vector and error code.
593 +- * #GPF is the most likely one to get for an invalid selector.
594 +- * So pretend we completed the iret and took the #GPF in user mode.
595 +- *
596 +- * We are now running with the kernel GS after exception recovery.
597 +- * But error_entry expects us to have user GS to match the user %cs,
598 +- * so swap back.
599 +- */
600 +- pushq $0
601 +-
602 +- SWAPGS
603 +- jmp general_protection
604 +-
605 +- .previous
606 +-
607 + /* edi: workmask, edx: work */
608 + retint_careful:
609 + CFI_RESTORE_STATE
610 +@@ -1011,37 +995,6 @@ ENTRY(retint_kernel)
611 + CFI_ENDPROC
612 + END(common_interrupt)
613 +
614 +- /*
615 +- * If IRET takes a fault on the espfix stack, then we
616 +- * end up promoting it to a doublefault. In that case,
617 +- * modify the stack to make it look like we just entered
618 +- * the #GP handler from user space, similar to bad_iret.
619 +- */
620 +-#ifdef CONFIG_X86_ESPFIX64
621 +- ALIGN
622 +-__do_double_fault:
623 +- XCPT_FRAME 1 RDI+8
624 +- movq RSP(%rdi),%rax /* Trap on the espfix stack? */
625 +- sarq $PGDIR_SHIFT,%rax
626 +- cmpl $ESPFIX_PGD_ENTRY,%eax
627 +- jne do_double_fault /* No, just deliver the fault */
628 +- cmpl $__KERNEL_CS,CS(%rdi)
629 +- jne do_double_fault
630 +- movq RIP(%rdi),%rax
631 +- cmpq $native_irq_return_iret,%rax
632 +- jne do_double_fault /* This shouldn't happen... */
633 +- movq PER_CPU_VAR(kernel_stack),%rax
634 +- subq $(6*8-KERNEL_STACK_OFFSET),%rax /* Reset to original stack */
635 +- movq %rax,RSP(%rdi)
636 +- movq $0,(%rax) /* Missing (lost) #GP error code */
637 +- movq $general_protection,RIP(%rdi)
638 +- retq
639 +- CFI_ENDPROC
640 +-END(__do_double_fault)
641 +-#else
642 +-# define __do_double_fault do_double_fault
643 +-#endif
644 +-
645 + /*
646 + * End of kprobes section
647 + */
648 +@@ -1217,7 +1170,7 @@ zeroentry overflow do_overflow
649 + zeroentry bounds do_bounds
650 + zeroentry invalid_op do_invalid_op
651 + zeroentry device_not_available do_device_not_available
652 +-paranoiderrorentry double_fault __do_double_fault
653 ++paranoiderrorentry double_fault do_double_fault
654 + zeroentry coprocessor_segment_overrun do_coprocessor_segment_overrun
655 + errorentry invalid_TSS do_invalid_TSS
656 + errorentry segment_not_present do_segment_not_present
657 +@@ -1431,7 +1384,7 @@ apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
658 +
659 + paranoidzeroentry_ist debug do_debug DEBUG_STACK
660 + paranoidzeroentry_ist int3 do_int3 DEBUG_STACK
661 +-paranoiderrorentry stack_segment do_stack_segment
662 ++errorentry stack_segment do_stack_segment
663 + #ifdef CONFIG_XEN
664 + zeroentry xen_debug do_debug
665 + zeroentry xen_int3 do_int3
666 +@@ -1541,16 +1494,15 @@ error_sti:
667 +
668 + /*
669 + * There are two places in the kernel that can potentially fault with
670 +- * usergs. Handle them here. The exception handlers after iret run with
671 +- * kernel gs again, so don't set the user space flag. B stepping K8s
672 +- * sometimes report an truncated RIP for IRET exceptions returning to
673 +- * compat mode. Check for these here too.
674 ++ * usergs. Handle them here. B stepping K8s sometimes report a
675 ++ * truncated RIP for IRET exceptions returning to compat mode. Check
676 ++ * for these here too.
677 + */
678 + error_kernelspace:
679 + incl %ebx
680 + leaq native_irq_return_iret(%rip),%rcx
681 + cmpq %rcx,RIP+8(%rsp)
682 +- je error_swapgs
683 ++ je error_bad_iret
684 + movl %ecx,%eax /* zero extend */
685 + cmpq %rax,RIP+8(%rsp)
686 + je bstep_iret
687 +@@ -1561,7 +1513,15 @@ error_kernelspace:
688 + bstep_iret:
689 + /* Fix truncated RIP */
690 + movq %rcx,RIP+8(%rsp)
691 +- jmp error_swapgs
692 ++ /* fall through */
693 ++
694 ++error_bad_iret:
695 ++ SWAPGS
696 ++ mov %rsp,%rdi
697 ++ call fixup_bad_iret
698 ++ mov %rax,%rsp
699 ++ decl %ebx /* Return to usergs */
700 ++ jmp error_sti
701 + CFI_ENDPROC
702 + END(error_entry)
703 +
704 +diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
705 +index e554e5ad2fe8..226f28413f76 100644
706 +--- a/arch/x86/kernel/kvm.c
707 ++++ b/arch/x86/kernel/kvm.c
708 +@@ -258,7 +258,14 @@ do_async_page_fault(struct pt_regs *regs, unsigned long error_code)
709 + static void __init paravirt_ops_setup(void)
710 + {
711 + pv_info.name = "KVM";
712 +- pv_info.paravirt_enabled = 1;
713 ++
714 ++ /*
715 ++ * KVM isn't paravirt in the sense of paravirt_enabled. A KVM
716 ++ * guest kernel works like a bare metal kernel with additional
717 ++ * features, and paravirt_enabled is about features that are
718 ++ * missing.
719 ++ */
720 ++ pv_info.paravirt_enabled = 0;
721 +
722 + if (kvm_para_has_feature(KVM_FEATURE_NOP_IO_DELAY))
723 + pv_cpu_ops.io_delay = kvm_io_delay;
724 +diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
725 +index f8492da65bfc..5e3f91bb6ec3 100644
726 +--- a/arch/x86/kernel/kvmclock.c
727 ++++ b/arch/x86/kernel/kvmclock.c
728 +@@ -212,7 +212,6 @@ void __init kvmclock_init(void)
729 + #endif
730 + kvm_get_preset_lpj();
731 + clocksource_register_hz(&kvm_clock, NSEC_PER_SEC);
732 +- pv_info.paravirt_enabled = 1;
733 + pv_info.name = "KVM";
734 +
735 + if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))
736 +diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
737 +index 9d9d2f9e77a5..9d25a6eef1e1 100644
738 +--- a/arch/x86/kernel/tls.c
739 ++++ b/arch/x86/kernel/tls.c
740 +@@ -27,6 +27,42 @@ static int get_free_idx(void)
741 + return -ESRCH;
742 + }
743 +
744 ++static bool tls_desc_okay(const struct user_desc *info)
745 ++{
746 ++ /*
747 ++ * For historical reasons (i.e. no one ever documented how any
748 ++ * of the segmentation APIs work), user programs can and do
749 ++ * assume that a struct user_desc that's all zeros except for
750 ++ * entry_number means "no segment at all". This never actually
751 ++ * worked. In fact, up to Linux 3.19, a struct user_desc like
752 ++ * this would create a 16-bit read-write segment with base and
753 ++ * limit both equal to zero.
754 ++ *
755 ++ * That was close enough to "no segment at all" until we
756 ++ * hardened this function to disallow 16-bit TLS segments. Fix
757 ++ * it up by interpreting these zeroed segments the way that they
758 ++ * were almost certainly intended to be interpreted.
759 ++ *
760 ++ * The correct way to ask for "no segment at all" is to specify
761 ++ * a user_desc that satisfies LDT_empty. To keep everything
762 ++ * working, we accept both.
763 ++ *
764 ++ * Note that there's a similar kludge in modify_ldt -- look at
765 ++ * the distinction between modes 1 and 0x11.
766 ++ */
767 ++ if (LDT_empty(info) || LDT_zero(info))
768 ++ return true;
769 ++
770 ++ /*
771 ++ * espfix is required for 16-bit data segments, but espfix
772 ++ * only works for LDT segments.
773 ++ */
774 ++ if (!info->seg_32bit)
775 ++ return false;
776 ++
777 ++ return true;
778 ++}
779 ++
780 + static void set_tls_desc(struct task_struct *p, int idx,
781 + const struct user_desc *info, int n)
782 + {
783 +@@ -40,7 +76,7 @@ static void set_tls_desc(struct task_struct *p, int idx,
784 + cpu = get_cpu();
785 +
786 + while (n-- > 0) {
787 +- if (LDT_empty(info))
788 ++ if (LDT_empty(info) || LDT_zero(info))
789 + desc->a = desc->b = 0;
790 + else
791 + fill_ldt(desc, info);
792 +@@ -66,6 +102,9 @@ int do_set_thread_area(struct task_struct *p, int idx,
793 + if (copy_from_user(&info, u_info, sizeof(info)))
794 + return -EFAULT;
795 +
796 ++ if (!tls_desc_okay(&info))
797 ++ return -EINVAL;
798 ++
799 + if (idx == -1)
800 + idx = info.entry_number;
801 +
802 +@@ -196,6 +235,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
803 + {
804 + struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
805 + const struct user_desc *info;
806 ++ int i;
807 +
808 + if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
809 + (pos % sizeof(struct user_desc)) != 0 ||
810 +@@ -209,6 +249,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
811 + else
812 + info = infobuf;
813 +
814 ++ for (i = 0; i < count / sizeof(struct user_desc); i++)
815 ++ if (!tls_desc_okay(info + i))
816 ++ return -EINVAL;
817 ++
818 + set_tls_desc(target,
819 + GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
820 + info, count / sizeof(struct user_desc));
821 +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
822 +index ff9281f16029..9bfe95fda57c 100644
823 +--- a/arch/x86/kernel/traps.c
824 ++++ b/arch/x86/kernel/traps.c
825 +@@ -213,29 +213,41 @@ DO_ERROR(X86_TRAP_OLD_MF, SIGFPE, "coprocessor segment overrun",
826 + coprocessor_segment_overrun)
827 + DO_ERROR(X86_TRAP_TS, SIGSEGV, "invalid TSS", invalid_TSS)
828 + DO_ERROR(X86_TRAP_NP, SIGBUS, "segment not present", segment_not_present)
829 +-#ifdef CONFIG_X86_32
830 + DO_ERROR(X86_TRAP_SS, SIGBUS, "stack segment", stack_segment)
831 +-#endif
832 + DO_ERROR_INFO(X86_TRAP_AC, SIGBUS, "alignment check", alignment_check,
833 + BUS_ADRALN, 0)
834 +
835 + #ifdef CONFIG_X86_64
836 + /* Runs on IST stack */
837 +-dotraplinkage void do_stack_segment(struct pt_regs *regs, long error_code)
838 +-{
839 +- if (notify_die(DIE_TRAP, "stack segment", regs, error_code,
840 +- X86_TRAP_SS, SIGBUS) == NOTIFY_STOP)
841 +- return;
842 +- preempt_conditional_sti(regs);
843 +- do_trap(X86_TRAP_SS, SIGBUS, "stack segment", regs, error_code, NULL);
844 +- preempt_conditional_cli(regs);
845 +-}
846 +-
847 + dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
848 + {
849 + static const char str[] = "double fault";
850 + struct task_struct *tsk = current;
851 +
852 ++#ifdef CONFIG_X86_ESPFIX64
853 ++ extern unsigned char native_irq_return_iret[];
854 ++
855 ++ /*
856 ++ * If IRET takes a non-IST fault on the espfix64 stack, then we
857 ++ * end up promoting it to a doublefault. In that case, modify
858 ++ * the stack to make it look like we just entered the #GP
859 ++ * handler from user space, similar to bad_iret.
860 ++ */
861 ++ if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY &&
862 ++ regs->cs == __KERNEL_CS &&
863 ++ regs->ip == (unsigned long)native_irq_return_iret)
864 ++ {
865 ++ struct pt_regs *normal_regs = task_pt_regs(current);
866 ++
867 ++ /* Fake a #GP(0) from userspace. */
868 ++ memmove(&normal_regs->ip, (void *)regs->sp, 5*8);
869 ++ normal_regs->orig_ax = 0; /* Missing (lost) #GP error code */
870 ++ regs->ip = (unsigned long)general_protection;
871 ++ regs->sp = (unsigned long)&normal_regs->orig_ax;
872 ++ return;
873 ++ }
874 ++#endif
875 ++
876 + /* Return not checked because double check cannot be ignored */
877 + notify_die(DIE_TRAP, str, regs, error_code, X86_TRAP_DF, SIGSEGV);
878 +
879 +@@ -332,7 +344,7 @@ dotraplinkage void __kprobes do_int3(struct pt_regs *regs, long error_code)
880 + * for scheduling or signal handling. The actual stack switch is done in
881 + * entry.S
882 + */
883 +-asmlinkage __kprobes struct pt_regs *sync_regs(struct pt_regs *eregs)
884 ++asmlinkage notrace __kprobes struct pt_regs *sync_regs(struct pt_regs *eregs)
885 + {
886 + struct pt_regs *regs = eregs;
887 + /* Did already sync */
888 +@@ -351,6 +363,35 @@ asmlinkage __kprobes struct pt_regs *sync_regs(struct pt_regs *eregs)
889 + *regs = *eregs;
890 + return regs;
891 + }
892 ++
893 ++struct bad_iret_stack {
894 ++ void *error_entry_ret;
895 ++ struct pt_regs regs;
896 ++};
897 ++
898 ++asmlinkage notrace __kprobes
899 ++struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
900 ++{
901 ++ /*
902 ++ * This is called from entry_64.S early in handling a fault
903 ++ * caused by a bad iret to user mode. To handle the fault
904 ++ * correctly, we want move our stack frame to task_pt_regs
905 ++ * and we want to pretend that the exception came from the
906 ++ * iret target.
907 ++ */
908 ++ struct bad_iret_stack *new_stack =
909 ++ container_of(task_pt_regs(current),
910 ++ struct bad_iret_stack, regs);
911 ++
912 ++ /* Copy the IRET target to the new stack. */
913 ++ memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
914 ++
915 ++ /* Copy the remainder of the stack from the current stack. */
916 ++ memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip));
917 ++
918 ++ BUG_ON(!user_mode_vm(&new_stack->regs));
919 ++ return new_stack;
920 ++}
921 + #endif
922 +
923 + /*
924 +@@ -694,7 +735,7 @@ void __init trap_init(void)
925 + set_intr_gate(X86_TRAP_OLD_MF, &coprocessor_segment_overrun);
926 + set_intr_gate(X86_TRAP_TS, &invalid_TSS);
927 + set_intr_gate(X86_TRAP_NP, &segment_not_present);
928 +- set_intr_gate_ist(X86_TRAP_SS, &stack_segment, STACKFAULT_STACK);
929 ++ set_intr_gate(X86_TRAP_SS, stack_segment);
930 + set_intr_gate(X86_TRAP_GP, &general_protection);
931 + set_intr_gate(X86_TRAP_SPURIOUS, &spurious_interrupt_bug);
932 + set_intr_gate(X86_TRAP_MF, &coprocessor_error);
933 +diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
934 +index fc0a147e3727..8652aa408ae0 100644
935 +--- a/arch/x86/kernel/tsc.c
936 ++++ b/arch/x86/kernel/tsc.c
937 +@@ -959,14 +959,17 @@ void __init tsc_init(void)
938 +
939 + x86_init.timers.tsc_pre_init();
940 +
941 +- if (!cpu_has_tsc)
942 ++ if (!cpu_has_tsc) {
943 ++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
944 + return;
945 ++ }
946 +
947 + tsc_khz = x86_platform.calibrate_tsc();
948 + cpu_khz = tsc_khz;
949 +
950 + if (!tsc_khz) {
951 + mark_tsc_unstable("could not calculate TSC khz");
952 ++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
953 + return;
954 + }
955 +
956 +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
957 +index 83756223f8aa..91e8680ec239 100644
958 +--- a/arch/x86/kvm/emulate.c
959 ++++ b/arch/x86/kvm/emulate.c
960 +@@ -459,11 +459,6 @@ register_address_increment(struct x86_emulate_ctxt *ctxt, unsigned long *reg, in
961 + *reg = (*reg & ~ad_mask(ctxt)) | ((*reg + inc) & ad_mask(ctxt));
962 + }
963 +
964 +-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
965 +-{
966 +- register_address_increment(ctxt, &ctxt->_eip, rel);
967 +-}
968 +-
969 + static u32 desc_limit_scaled(struct desc_struct *desc)
970 + {
971 + u32 limit = get_desc_limit(desc);
972 +@@ -537,6 +532,40 @@ static int emulate_nm(struct x86_emulate_ctxt *ctxt)
973 + return emulate_exception(ctxt, NM_VECTOR, 0, false);
974 + }
975 +
976 ++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
977 ++ int cs_l)
978 ++{
979 ++ switch (ctxt->op_bytes) {
980 ++ case 2:
981 ++ ctxt->_eip = (u16)dst;
982 ++ break;
983 ++ case 4:
984 ++ ctxt->_eip = (u32)dst;
985 ++ break;
986 ++#ifdef CONFIG_X86_64
987 ++ case 8:
988 ++ if ((cs_l && is_noncanonical_address(dst)) ||
989 ++ (!cs_l && (dst >> 32) != 0))
990 ++ return emulate_gp(ctxt, 0);
991 ++ ctxt->_eip = dst;
992 ++ break;
993 ++#endif
994 ++ default:
995 ++ WARN(1, "unsupported eip assignment size\n");
996 ++ }
997 ++ return X86EMUL_CONTINUE;
998 ++}
999 ++
1000 ++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
1001 ++{
1002 ++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64);
1003 ++}
1004 ++
1005 ++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
1006 ++{
1007 ++ return assign_eip_near(ctxt, ctxt->_eip + rel);
1008 ++}
1009 ++
1010 + static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
1011 + {
1012 + u16 selector;
1013 +@@ -1224,11 +1253,13 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1014 + }
1015 +
1016 + /* Does not support long mode */
1017 +-static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1018 +- u16 selector, int seg)
1019 ++static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1020 ++ u16 selector, int seg, u8 cpl,
1021 ++ bool in_task_switch,
1022 ++ struct desc_struct *desc)
1023 + {
1024 + struct desc_struct seg_desc;
1025 +- u8 dpl, rpl, cpl;
1026 ++ u8 dpl, rpl;
1027 + unsigned err_vec = GP_VECTOR;
1028 + u32 err_code = 0;
1029 + bool null_selector = !(selector & ~0x3); /* 0000-0003 are null */
1030 +@@ -1279,7 +1310,6 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1031 +
1032 + rpl = selector & 3;
1033 + dpl = seg_desc.dpl;
1034 +- cpl = ctxt->ops->cpl(ctxt);
1035 +
1036 + switch (seg) {
1037 + case VCPU_SREG_SS:
1038 +@@ -1336,12 +1366,21 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1039 + }
1040 + load:
1041 + ctxt->ops->set_segment(ctxt, selector, &seg_desc, 0, seg);
1042 ++ if (desc)
1043 ++ *desc = seg_desc;
1044 + return X86EMUL_CONTINUE;
1045 + exception:
1046 + emulate_exception(ctxt, err_vec, err_code, true);
1047 + return X86EMUL_PROPAGATE_FAULT;
1048 + }
1049 +
1050 ++static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
1051 ++ u16 selector, int seg)
1052 ++{
1053 ++ u8 cpl = ctxt->ops->cpl(ctxt);
1054 ++ return __load_segment_descriptor(ctxt, selector, seg, cpl, false, NULL);
1055 ++}
1056 ++
1057 + static void write_register_operand(struct operand *op)
1058 + {
1059 + /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1060 +@@ -1681,17 +1720,31 @@ static int em_iret(struct x86_emulate_ctxt *ctxt)
1061 + static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
1062 + {
1063 + int rc;
1064 +- unsigned short sel;
1065 ++ unsigned short sel, old_sel;
1066 ++ struct desc_struct old_desc, new_desc;
1067 ++ const struct x86_emulate_ops *ops = ctxt->ops;
1068 ++ u8 cpl = ctxt->ops->cpl(ctxt);
1069 ++
1070 ++ /* Assignment of RIP may only fail in 64-bit mode */
1071 ++ if (ctxt->mode == X86EMUL_MODE_PROT64)
1072 ++ ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
1073 ++ VCPU_SREG_CS);
1074 +
1075 + memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1076 +
1077 +- rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
1078 ++ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
1079 ++ &new_desc);
1080 + if (rc != X86EMUL_CONTINUE)
1081 + return rc;
1082 +
1083 +- ctxt->_eip = 0;
1084 +- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
1085 +- return X86EMUL_CONTINUE;
1086 ++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
1087 ++ if (rc != X86EMUL_CONTINUE) {
1088 ++ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
1089 ++ /* assigning eip failed; restore the old cs */
1090 ++ ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
1091 ++ return rc;
1092 ++ }
1093 ++ return rc;
1094 + }
1095 +
1096 + static int em_grp2(struct x86_emulate_ctxt *ctxt)
1097 +@@ -1785,13 +1838,15 @@ static int em_grp45(struct x86_emulate_ctxt *ctxt)
1098 + case 2: /* call near abs */ {
1099 + long int old_eip;
1100 + old_eip = ctxt->_eip;
1101 +- ctxt->_eip = ctxt->src.val;
1102 ++ rc = assign_eip_near(ctxt, ctxt->src.val);
1103 ++ if (rc != X86EMUL_CONTINUE)
1104 ++ break;
1105 + ctxt->src.val = old_eip;
1106 + rc = em_push(ctxt);
1107 + break;
1108 + }
1109 + case 4: /* jmp abs */
1110 +- ctxt->_eip = ctxt->src.val;
1111 ++ rc = assign_eip_near(ctxt, ctxt->src.val);
1112 + break;
1113 + case 5: /* jmp far */
1114 + rc = em_jmp_far(ctxt);
1115 +@@ -1823,26 +1878,43 @@ static int em_cmpxchg8b(struct x86_emulate_ctxt *ctxt)
1116 +
1117 + static int em_ret(struct x86_emulate_ctxt *ctxt)
1118 + {
1119 +- ctxt->dst.type = OP_REG;
1120 +- ctxt->dst.addr.reg = &ctxt->_eip;
1121 +- ctxt->dst.bytes = ctxt->op_bytes;
1122 +- return em_pop(ctxt);
1123 ++ int rc;
1124 ++ unsigned long eip;
1125 ++
1126 ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
1127 ++ if (rc != X86EMUL_CONTINUE)
1128 ++ return rc;
1129 ++
1130 ++ return assign_eip_near(ctxt, eip);
1131 + }
1132 +
1133 + static int em_ret_far(struct x86_emulate_ctxt *ctxt)
1134 + {
1135 + int rc;
1136 +- unsigned long cs;
1137 ++ unsigned long eip, cs;
1138 ++ u16 old_cs;
1139 ++ struct desc_struct old_desc, new_desc;
1140 ++ const struct x86_emulate_ops *ops = ctxt->ops;
1141 ++
1142 ++ if (ctxt->mode == X86EMUL_MODE_PROT64)
1143 ++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
1144 ++ VCPU_SREG_CS);
1145 +
1146 +- rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
1147 ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
1148 + if (rc != X86EMUL_CONTINUE)
1149 + return rc;
1150 +- if (ctxt->op_bytes == 4)
1151 +- ctxt->_eip = (u32)ctxt->_eip;
1152 + rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
1153 + if (rc != X86EMUL_CONTINUE)
1154 + return rc;
1155 +- rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
1156 ++ rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, 0, false,
1157 ++ &new_desc);
1158 ++ if (rc != X86EMUL_CONTINUE)
1159 ++ return rc;
1160 ++ rc = assign_eip_far(ctxt, eip, new_desc.l);
1161 ++ if (rc != X86EMUL_CONTINUE) {
1162 ++ WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
1163 ++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
1164 ++ }
1165 + return rc;
1166 + }
1167 +
1168 +@@ -2091,7 +2163,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
1169 + {
1170 + struct x86_emulate_ops *ops = ctxt->ops;
1171 + struct desc_struct cs, ss;
1172 +- u64 msr_data;
1173 ++ u64 msr_data, rcx, rdx;
1174 + int usermode;
1175 + u16 cs_sel = 0, ss_sel = 0;
1176 +
1177 +@@ -2107,6 +2179,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
1178 + else
1179 + usermode = X86EMUL_MODE_PROT32;
1180 +
1181 ++ rcx = ctxt->regs[VCPU_REGS_RCX];
1182 ++ rdx = ctxt->regs[VCPU_REGS_RDX];
1183 ++
1184 + cs.dpl = 3;
1185 + ss.dpl = 3;
1186 + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
1187 +@@ -2124,6 +2199,9 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
1188 + ss_sel = cs_sel + 8;
1189 + cs.d = 0;
1190 + cs.l = 1;
1191 ++ if (is_noncanonical_address(rcx) ||
1192 ++ is_noncanonical_address(rdx))
1193 ++ return emulate_gp(ctxt, 0);
1194 + break;
1195 + }
1196 + cs_sel |= SELECTOR_RPL_MASK;
1197 +@@ -2132,8 +2210,8 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
1198 + ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
1199 + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
1200 +
1201 +- ctxt->_eip = ctxt->regs[VCPU_REGS_RDX];
1202 +- ctxt->regs[VCPU_REGS_RSP] = ctxt->regs[VCPU_REGS_RCX];
1203 ++ ctxt->_eip = rdx;
1204 ++ ctxt->regs[VCPU_REGS_RSP] = rcx;
1205 +
1206 + return X86EMUL_CONTINUE;
1207 + }
1208 +@@ -2222,6 +2300,7 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1209 + struct tss_segment_16 *tss)
1210 + {
1211 + int ret;
1212 ++ u8 cpl;
1213 +
1214 + ctxt->_eip = tss->ip;
1215 + ctxt->eflags = tss->flag | 2;
1216 +@@ -2244,23 +2323,30 @@ static int load_state_from_tss16(struct x86_emulate_ctxt *ctxt,
1217 + set_segment_selector(ctxt, tss->ss, VCPU_SREG_SS);
1218 + set_segment_selector(ctxt, tss->ds, VCPU_SREG_DS);
1219 +
1220 ++ cpl = tss->cs & 3;
1221 ++
1222 + /*
1223 + * Now load segment descriptors. If fault happenes at this stage
1224 + * it is handled in a context of new task
1225 + */
1226 +- ret = load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR);
1227 ++ ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
1228 ++ true, NULL);
1229 + if (ret != X86EMUL_CONTINUE)
1230 + return ret;
1231 +- ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
1232 ++ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
1233 ++ true, NULL);
1234 + if (ret != X86EMUL_CONTINUE)
1235 + return ret;
1236 +- ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
1237 ++ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
1238 ++ true, NULL);
1239 + if (ret != X86EMUL_CONTINUE)
1240 + return ret;
1241 +- ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
1242 ++ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
1243 ++ true, NULL);
1244 + if (ret != X86EMUL_CONTINUE)
1245 + return ret;
1246 +- ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
1247 ++ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
1248 ++ true, NULL);
1249 + if (ret != X86EMUL_CONTINUE)
1250 + return ret;
1251 +
1252 +@@ -2339,6 +2425,7 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1253 + struct tss_segment_32 *tss)
1254 + {
1255 + int ret;
1256 ++ u8 cpl;
1257 +
1258 + if (ctxt->ops->set_cr(ctxt, 3, tss->cr3))
1259 + return emulate_gp(ctxt, 0);
1260 +@@ -2357,7 +2444,8 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1261 +
1262 + /*
1263 + * SDM says that segment selectors are loaded before segment
1264 +- * descriptors
1265 ++ * descriptors. This is important because CPL checks will
1266 ++ * use CS.RPL.
1267 + */
1268 + set_segment_selector(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
1269 + set_segment_selector(ctxt, tss->es, VCPU_SREG_ES);
1270 +@@ -2371,43 +2459,45 @@ static int load_state_from_tss32(struct x86_emulate_ctxt *ctxt,
1271 + * If we're switching between Protected Mode and VM86, we need to make
1272 + * sure to update the mode before loading the segment descriptors so
1273 + * that the selectors are interpreted correctly.
1274 +- *
1275 +- * Need to get rflags to the vcpu struct immediately because it
1276 +- * influences the CPL which is checked at least when loading the segment
1277 +- * descriptors and when pushing an error code to the new kernel stack.
1278 +- *
1279 +- * TODO Introduce a separate ctxt->ops->set_cpl callback
1280 + */
1281 +- if (ctxt->eflags & X86_EFLAGS_VM)
1282 ++ if (ctxt->eflags & X86_EFLAGS_VM) {
1283 + ctxt->mode = X86EMUL_MODE_VM86;
1284 +- else
1285 ++ cpl = 3;
1286 ++ } else {
1287 + ctxt->mode = X86EMUL_MODE_PROT32;
1288 +-
1289 +- ctxt->ops->set_rflags(ctxt, ctxt->eflags);
1290 ++ cpl = tss->cs & 3;
1291 ++ }
1292 +
1293 + /*
1294 + * Now load segment descriptors. If fault happenes at this stage
1295 + * it is handled in a context of new task
1296 + */
1297 +- ret = load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR);
1298 ++ ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
1299 ++ cpl, true, NULL);
1300 + if (ret != X86EMUL_CONTINUE)
1301 + return ret;
1302 +- ret = load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES);
1303 ++ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
1304 ++ true, NULL);
1305 + if (ret != X86EMUL_CONTINUE)
1306 + return ret;
1307 +- ret = load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS);
1308 ++ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
1309 ++ true, NULL);
1310 + if (ret != X86EMUL_CONTINUE)
1311 + return ret;
1312 +- ret = load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS);
1313 ++ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
1314 ++ true, NULL);
1315 + if (ret != X86EMUL_CONTINUE)
1316 + return ret;
1317 +- ret = load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS);
1318 ++ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
1319 ++ true, NULL);
1320 + if (ret != X86EMUL_CONTINUE)
1321 + return ret;
1322 +- ret = load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS);
1323 ++ ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
1324 ++ true, NULL);
1325 + if (ret != X86EMUL_CONTINUE)
1326 + return ret;
1327 +- ret = load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS);
1328 ++ ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
1329 ++ true, NULL);
1330 + if (ret != X86EMUL_CONTINUE)
1331 + return ret;
1332 +
1333 +@@ -2629,10 +2719,13 @@ static int em_das(struct x86_emulate_ctxt *ctxt)
1334 +
1335 + static int em_call(struct x86_emulate_ctxt *ctxt)
1336 + {
1337 ++ int rc;
1338 + long rel = ctxt->src.val;
1339 +
1340 + ctxt->src.val = (unsigned long)ctxt->_eip;
1341 +- jmp_rel(ctxt, rel);
1342 ++ rc = jmp_rel(ctxt, rel);
1343 ++ if (rc != X86EMUL_CONTINUE)
1344 ++ return rc;
1345 + return em_push(ctxt);
1346 + }
1347 +
1348 +@@ -2641,34 +2734,50 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt)
1349 + u16 sel, old_cs;
1350 + ulong old_eip;
1351 + int rc;
1352 ++ struct desc_struct old_desc, new_desc;
1353 ++ const struct x86_emulate_ops *ops = ctxt->ops;
1354 ++ int cpl = ctxt->ops->cpl(ctxt);
1355 +
1356 +- old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
1357 + old_eip = ctxt->_eip;
1358 ++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
1359 +
1360 + memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
1361 +- if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
1362 ++ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
1363 ++ &new_desc);
1364 ++ if (rc != X86EMUL_CONTINUE)
1365 + return X86EMUL_CONTINUE;
1366 +
1367 +- ctxt->_eip = 0;
1368 +- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
1369 ++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
1370 ++ if (rc != X86EMUL_CONTINUE)
1371 ++ goto fail;
1372 +
1373 + ctxt->src.val = old_cs;
1374 + rc = em_push(ctxt);
1375 + if (rc != X86EMUL_CONTINUE)
1376 +- return rc;
1377 ++ goto fail;
1378 +
1379 + ctxt->src.val = old_eip;
1380 +- return em_push(ctxt);
1381 ++ rc = em_push(ctxt);
1382 ++ /* If we failed, we tainted the memory, but the very least we should
1383 ++ restore cs */
1384 ++ if (rc != X86EMUL_CONTINUE)
1385 ++ goto fail;
1386 ++ return rc;
1387 ++fail:
1388 ++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
1389 ++ return rc;
1390 ++
1391 + }
1392 +
1393 + static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
1394 + {
1395 + int rc;
1396 ++ unsigned long eip;
1397 +
1398 +- ctxt->dst.type = OP_REG;
1399 +- ctxt->dst.addr.reg = &ctxt->_eip;
1400 +- ctxt->dst.bytes = ctxt->op_bytes;
1401 +- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
1402 ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
1403 ++ if (rc != X86EMUL_CONTINUE)
1404 ++ return rc;
1405 ++ rc = assign_eip_near(ctxt, eip);
1406 + if (rc != X86EMUL_CONTINUE)
1407 + return rc;
1408 + register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RSP], ctxt->src.val);
1409 +@@ -2977,20 +3086,24 @@ static int em_lmsw(struct x86_emulate_ctxt *ctxt)
1410 +
1411 + static int em_loop(struct x86_emulate_ctxt *ctxt)
1412 + {
1413 ++ int rc = X86EMUL_CONTINUE;
1414 ++
1415 + register_address_increment(ctxt, &ctxt->regs[VCPU_REGS_RCX], -1);
1416 + if ((address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) != 0) &&
1417 + (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
1418 +- jmp_rel(ctxt, ctxt->src.val);
1419 ++ rc = jmp_rel(ctxt, ctxt->src.val);
1420 +
1421 +- return X86EMUL_CONTINUE;
1422 ++ return rc;
1423 + }
1424 +
1425 + static int em_jcxz(struct x86_emulate_ctxt *ctxt)
1426 + {
1427 ++ int rc = X86EMUL_CONTINUE;
1428 ++
1429 + if (address_mask(ctxt, ctxt->regs[VCPU_REGS_RCX]) == 0)
1430 +- jmp_rel(ctxt, ctxt->src.val);
1431 ++ rc = jmp_rel(ctxt, ctxt->src.val);
1432 +
1433 +- return X86EMUL_CONTINUE;
1434 ++ return rc;
1435 + }
1436 +
1437 + static int em_in(struct x86_emulate_ctxt *ctxt)
1438 +@@ -4168,7 +4281,7 @@ special_insn:
1439 + break;
1440 + case 0x70 ... 0x7f: /* jcc (short) */
1441 + if (test_cc(ctxt->b, ctxt->eflags))
1442 +- jmp_rel(ctxt, ctxt->src.val);
1443 ++ rc = jmp_rel(ctxt, ctxt->src.val);
1444 + break;
1445 + case 0x8d: /* lea r16/r32, m */
1446 + ctxt->dst.val = ctxt->src.addr.mem.ea;
1447 +@@ -4207,7 +4320,7 @@ special_insn:
1448 + break;
1449 + case 0xe9: /* jmp rel */
1450 + case 0xeb: /* jmp rel short */
1451 +- jmp_rel(ctxt, ctxt->src.val);
1452 ++ rc = jmp_rel(ctxt, ctxt->src.val);
1453 + ctxt->dst.type = OP_NONE; /* Disable writeback. */
1454 + break;
1455 + case 0xf4: /* hlt */
1456 +@@ -4310,7 +4423,7 @@ twobyte_insn:
1457 + break;
1458 + case 0x80 ... 0x8f: /* jnz rel, etc*/
1459 + if (test_cc(ctxt->b, ctxt->eflags))
1460 +- jmp_rel(ctxt, ctxt->src.val);
1461 ++ rc = jmp_rel(ctxt, ctxt->src.val);
1462 + break;
1463 + case 0x90 ... 0x9f: /* setcc r/m8 */
1464 + ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
1465 +diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
1466 +index d68f99df690c..db336f9f2c8c 100644
1467 +--- a/arch/x86/kvm/i8254.c
1468 ++++ b/arch/x86/kvm/i8254.c
1469 +@@ -263,8 +263,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
1470 + return;
1471 +
1472 + timer = &pit->pit_state.pit_timer.timer;
1473 ++ mutex_lock(&pit->pit_state.lock);
1474 + if (hrtimer_cancel(timer))
1475 + hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
1476 ++ mutex_unlock(&pit->pit_state.lock);
1477 + }
1478 +
1479 + static void destroy_pit_timer(struct kvm_pit *pit)
1480 +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
1481 +index fd6dec6ffa47..84f4bca0ca2c 100644
1482 +--- a/arch/x86/kvm/mmu.c
1483 ++++ b/arch/x86/kvm/mmu.c
1484 +@@ -2842,7 +2842,7 @@ static void mmu_sync_roots(struct kvm_vcpu *vcpu)
1485 + if (!VALID_PAGE(vcpu->arch.mmu.root_hpa))
1486 + return;
1487 +
1488 +- vcpu_clear_mmio_info(vcpu, ~0ul);
1489 ++ vcpu_clear_mmio_info(vcpu, MMIO_GVA_ANY);
1490 + kvm_mmu_audit(vcpu, AUDIT_PRE_SYNC);
1491 + if (vcpu->arch.mmu.root_level == PT64_ROOT_LEVEL) {
1492 + hpa_t root = vcpu->arch.mmu.root_hpa;
1493 +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
1494 +index b567285efceb..86c74c0cd876 100644
1495 +--- a/arch/x86/kvm/svm.c
1496 ++++ b/arch/x86/kvm/svm.c
1497 +@@ -3212,7 +3212,7 @@ static int wrmsr_interception(struct vcpu_svm *svm)
1498 +
1499 +
1500 + svm->next_rip = kvm_rip_read(&svm->vcpu) + 2;
1501 +- if (svm_set_msr(&svm->vcpu, ecx, data)) {
1502 ++ if (kvm_set_msr(&svm->vcpu, ecx, data)) {
1503 + trace_kvm_msr_write_ex(ecx, data);
1504 + kvm_inject_gp(&svm->vcpu, 0);
1505 + } else {
1506 +@@ -3494,9 +3494,9 @@ static int handle_exit(struct kvm_vcpu *vcpu)
1507 +
1508 + if (exit_code >= ARRAY_SIZE(svm_exit_handlers)
1509 + || !svm_exit_handlers[exit_code]) {
1510 +- kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
1511 +- kvm_run->hw.hardware_exit_reason = exit_code;
1512 +- return 0;
1513 ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code);
1514 ++ kvm_queue_exception(vcpu, UD_VECTOR);
1515 ++ return 1;
1516 + }
1517 +
1518 + return svm_exit_handlers[exit_code](svm);
1519 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
1520 +index 617b00b4857b..2eb4e5af8816 100644
1521 +--- a/arch/x86/kvm/vmx.c
1522 ++++ b/arch/x86/kvm/vmx.c
1523 +@@ -388,6 +388,7 @@ struct vcpu_vmx {
1524 + u16 fs_sel, gs_sel, ldt_sel;
1525 + int gs_ldt_reload_needed;
1526 + int fs_reload_needed;
1527 ++ unsigned long vmcs_host_cr4; /* May not match real cr4 */
1528 + } host_state;
1529 + struct {
1530 + int vm86_active;
1531 +@@ -2209,12 +2210,15 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
1532 + break;
1533 + msr = find_msr_entry(vmx, msr_index);
1534 + if (msr) {
1535 ++ u64 old_msr_data = msr->data;
1536 + msr->data = data;
1537 + if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
1538 + preempt_disable();
1539 +- kvm_set_shared_msr(msr->index, msr->data,
1540 +- msr->mask);
1541 ++ ret = kvm_set_shared_msr(msr->index, msr->data,
1542 ++ msr->mask);
1543 + preempt_enable();
1544 ++ if (ret)
1545 ++ msr->data = old_msr_data;
1546 + }
1547 + break;
1548 + }
1549 +@@ -3622,16 +3626,21 @@ static void vmx_disable_intercept_for_msr(u32 msr, bool longmode_only)
1550 + * Note that host-state that does change is set elsewhere. E.g., host-state
1551 + * that is set differently for each CPU is set in vmx_vcpu_load(), not here.
1552 + */
1553 +-static void vmx_set_constant_host_state(void)
1554 ++static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
1555 + {
1556 + u32 low32, high32;
1557 + unsigned long tmpl;
1558 + struct desc_ptr dt;
1559 ++ unsigned long cr4;
1560 +
1561 + vmcs_writel(HOST_CR0, read_cr0() | X86_CR0_TS); /* 22.2.3 */
1562 +- vmcs_writel(HOST_CR4, read_cr4()); /* 22.2.3, 22.2.5 */
1563 + vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
1564 +
1565 ++ /* Save the most likely value for this task's CR4 in the VMCS. */
1566 ++ cr4 = read_cr4();
1567 ++ vmcs_writel(HOST_CR4, cr4); /* 22.2.3, 22.2.5 */
1568 ++ vmx->host_state.vmcs_host_cr4 = cr4;
1569 ++
1570 + vmcs_write16(HOST_CS_SELECTOR, __KERNEL_CS); /* 22.2.4 */
1571 + vmcs_write16(HOST_DS_SELECTOR, __KERNEL_DS); /* 22.2.4 */
1572 + vmcs_write16(HOST_ES_SELECTOR, __KERNEL_DS); /* 22.2.4 */
1573 +@@ -3753,7 +3762,7 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
1574 +
1575 + vmcs_write16(HOST_FS_SELECTOR, 0); /* 22.2.4 */
1576 + vmcs_write16(HOST_GS_SELECTOR, 0); /* 22.2.4 */
1577 +- vmx_set_constant_host_state();
1578 ++ vmx_set_constant_host_state(vmx);
1579 + #ifdef CONFIG_X86_64
1580 + rdmsrl(MSR_FS_BASE, a);
1581 + vmcs_writel(HOST_FS_BASE, a); /* 22.2.4 */
1582 +@@ -4539,7 +4548,7 @@ static int handle_wrmsr(struct kvm_vcpu *vcpu)
1583 + u64 data = (vcpu->arch.regs[VCPU_REGS_RAX] & -1u)
1584 + | ((u64)(vcpu->arch.regs[VCPU_REGS_RDX] & -1u) << 32);
1585 +
1586 +- if (vmx_set_msr(vcpu, ecx, data) != 0) {
1587 ++ if (kvm_set_msr(vcpu, ecx, data) != 0) {
1588 + trace_kvm_msr_write_ex(ecx, data);
1589 + kvm_inject_gp(vcpu, 0);
1590 + return 1;
1591 +@@ -5557,6 +5566,18 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
1592 + return 1;
1593 + }
1594 +
1595 ++static int handle_invept(struct kvm_vcpu *vcpu)
1596 ++{
1597 ++ kvm_queue_exception(vcpu, UD_VECTOR);
1598 ++ return 1;
1599 ++}
1600 ++
1601 ++static int handle_invvpid(struct kvm_vcpu *vcpu)
1602 ++{
1603 ++ kvm_queue_exception(vcpu, UD_VECTOR);
1604 ++ return 1;
1605 ++}
1606 ++
1607 + /*
1608 + * The exit handlers return 1 if the exit was handled fully and guest execution
1609 + * may resume. Otherwise they set the kvm_run parameter to indicate what needs
1610 +@@ -5599,6 +5620,8 @@ static int (*kvm_vmx_exit_handlers[])(struct kvm_vcpu *vcpu) = {
1611 + [EXIT_REASON_PAUSE_INSTRUCTION] = handle_pause,
1612 + [EXIT_REASON_MWAIT_INSTRUCTION] = handle_invalid_op,
1613 + [EXIT_REASON_MONITOR_INSTRUCTION] = handle_invalid_op,
1614 ++ [EXIT_REASON_INVEPT] = handle_invept,
1615 ++ [EXIT_REASON_INVVPID] = handle_invvpid,
1616 + };
1617 +
1618 + static const int kvm_vmx_max_exit_handlers =
1619 +@@ -5783,6 +5806,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
1620 + case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD:
1621 + case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE:
1622 + case EXIT_REASON_VMOFF: case EXIT_REASON_VMON:
1623 ++ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID:
1624 + /*
1625 + * VMX instructions trap unconditionally. This allows L1 to
1626 + * emulate them for its L2 guest, i.e., allows 3-level nesting!
1627 +@@ -5912,10 +5936,10 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
1628 + && kvm_vmx_exit_handlers[exit_reason])
1629 + return kvm_vmx_exit_handlers[exit_reason](vcpu);
1630 + else {
1631 +- vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
1632 +- vcpu->run->hw.hardware_exit_reason = exit_reason;
1633 ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason);
1634 ++ kvm_queue_exception(vcpu, UD_VECTOR);
1635 ++ return 1;
1636 + }
1637 +- return 0;
1638 + }
1639 +
1640 + static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
1641 +@@ -6101,6 +6125,7 @@ static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx)
1642 + static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
1643 + {
1644 + struct vcpu_vmx *vmx = to_vmx(vcpu);
1645 ++ unsigned long cr4;
1646 +
1647 + if (is_guest_mode(vcpu) && !vmx->nested.nested_run_pending) {
1648 + struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
1649 +@@ -6131,6 +6156,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
1650 + if (test_bit(VCPU_REGS_RIP, (unsigned long *)&vcpu->arch.regs_dirty))
1651 + vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]);
1652 +
1653 ++ cr4 = read_cr4();
1654 ++ if (unlikely(cr4 != vmx->host_state.vmcs_host_cr4)) {
1655 ++ vmcs_writel(HOST_CR4, cr4);
1656 ++ vmx->host_state.vmcs_host_cr4 = cr4;
1657 ++ }
1658 ++
1659 + /* When single-stepping over STI and MOV SS, we must clear the
1660 + * corresponding interruptibility bits in the guest state. Otherwise
1661 + * vmentry fails as it then expects bit 14 (BS) in pending debug
1662 +@@ -6589,7 +6620,7 @@ static void prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
1663 + * Other fields are different per CPU, and will be set later when
1664 + * vmx_vcpu_load() is called, and when vmx_save_host_state() is called.
1665 + */
1666 +- vmx_set_constant_host_state();
1667 ++ vmx_set_constant_host_state(vmx);
1668 +
1669 + /*
1670 + * HOST_RSP is normally set correctly in vmx_vcpu_run() just before
1671 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
1672 +index 4b1be290f6e3..318a2454366f 100644
1673 +--- a/arch/x86/kvm/x86.c
1674 ++++ b/arch/x86/kvm/x86.c
1675 +@@ -220,19 +220,24 @@ static void kvm_shared_msr_cpu_online(void)
1676 + shared_msr_update(i, shared_msrs_global.msrs[i]);
1677 + }
1678 +
1679 +-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
1680 ++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
1681 + {
1682 + struct kvm_shared_msrs *smsr = &__get_cpu_var(shared_msrs);
1683 ++ int err;
1684 +
1685 + if (((value ^ smsr->values[slot].curr) & mask) == 0)
1686 +- return;
1687 ++ return 0;
1688 + smsr->values[slot].curr = value;
1689 +- wrmsrl(shared_msrs_global.msrs[slot], value);
1690 ++ err = checking_wrmsrl(shared_msrs_global.msrs[slot], value);
1691 ++ if (err)
1692 ++ return 1;
1693 ++
1694 + if (!smsr->registered) {
1695 + smsr->urn.on_user_return = kvm_on_user_return;
1696 + user_return_notifier_register(&smsr->urn);
1697 + smsr->registered = true;
1698 + }
1699 ++ return 0;
1700 + }
1701 + EXPORT_SYMBOL_GPL(kvm_set_shared_msr);
1702 +
1703 +@@ -858,7 +863,6 @@ void kvm_enable_efer_bits(u64 mask)
1704 + }
1705 + EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
1706 +
1707 +-
1708 + /*
1709 + * Writes msr value into into the appropriate "register".
1710 + * Returns 0 on success, non-0 otherwise.
1711 +@@ -866,8 +870,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
1712 + */
1713 + int kvm_set_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
1714 + {
1715 ++ switch (msr_index) {
1716 ++ case MSR_FS_BASE:
1717 ++ case MSR_GS_BASE:
1718 ++ case MSR_KERNEL_GS_BASE:
1719 ++ case MSR_CSTAR:
1720 ++ case MSR_LSTAR:
1721 ++ if (is_noncanonical_address(data))
1722 ++ return 1;
1723 ++ break;
1724 ++ case MSR_IA32_SYSENTER_EIP:
1725 ++ case MSR_IA32_SYSENTER_ESP:
1726 ++ /*
1727 ++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
1728 ++ * non-canonical address is written on Intel but not on
1729 ++ * AMD (which ignores the top 32-bits, because it does
1730 ++ * not implement 64-bit SYSENTER).
1731 ++ *
1732 ++ * 64-bit code should hence be able to write a non-canonical
1733 ++ * value on AMD. Making the address canonical ensures that
1734 ++ * vmentry does not fail on Intel after writing a non-canonical
1735 ++ * value, and that something deterministic happens if the guest
1736 ++ * invokes 64-bit SYSENTER.
1737 ++ */
1738 ++ data = get_canonical(data);
1739 ++ }
1740 + return kvm_x86_ops->set_msr(vcpu, msr_index, data);
1741 + }
1742 ++EXPORT_SYMBOL_GPL(kvm_set_msr);
1743 +
1744 + /*
1745 + * Adapt set_msr() to msr_io()'s calling convention
1746 +diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
1747 +index cb80c293cdd8..1ce5611fdb09 100644
1748 +--- a/arch/x86/kvm/x86.h
1749 ++++ b/arch/x86/kvm/x86.h
1750 +@@ -78,15 +78,23 @@ static inline void vcpu_cache_mmio_info(struct kvm_vcpu *vcpu,
1751 + vcpu->arch.mmio_gva = gva & PAGE_MASK;
1752 + vcpu->arch.access = access;
1753 + vcpu->arch.mmio_gfn = gfn;
1754 ++ vcpu->arch.mmio_gen = kvm_memslots(vcpu->kvm)->generation;
1755 ++}
1756 ++
1757 ++static inline bool vcpu_match_mmio_gen(struct kvm_vcpu *vcpu)
1758 ++{
1759 ++ return vcpu->arch.mmio_gen == kvm_memslots(vcpu->kvm)->generation;
1760 + }
1761 +
1762 + /*
1763 +- * Clear the mmio cache info for the given gva,
1764 +- * specially, if gva is ~0ul, we clear all mmio cache info.
1765 ++ * Clear the mmio cache info for the given gva. If gva is MMIO_GVA_ANY, we
1766 ++ * clear all mmio cache info.
1767 + */
1768 ++#define MMIO_GVA_ANY (~(gva_t)0)
1769 ++
1770 + static inline void vcpu_clear_mmio_info(struct kvm_vcpu *vcpu, gva_t gva)
1771 + {
1772 +- if (gva != (~0ul) && vcpu->arch.mmio_gva != (gva & PAGE_MASK))
1773 ++ if (gva != MMIO_GVA_ANY && vcpu->arch.mmio_gva != (gva & PAGE_MASK))
1774 + return;
1775 +
1776 + vcpu->arch.mmio_gva = 0;
1777 +@@ -94,7 +102,8 @@ static inline void vcpu_clear_mmio_info(struct kvm_vcpu *vcpu, gva_t gva)
1778 +
1779 + static inline bool vcpu_match_mmio_gva(struct kvm_vcpu *vcpu, unsigned long gva)
1780 + {
1781 +- if (vcpu->arch.mmio_gva && vcpu->arch.mmio_gva == (gva & PAGE_MASK))
1782 ++ if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gva &&
1783 ++ vcpu->arch.mmio_gva == (gva & PAGE_MASK))
1784 + return true;
1785 +
1786 + return false;
1787 +@@ -102,7 +111,8 @@ static inline bool vcpu_match_mmio_gva(struct kvm_vcpu *vcpu, unsigned long gva)
1788 +
1789 + static inline bool vcpu_match_mmio_gpa(struct kvm_vcpu *vcpu, gpa_t gpa)
1790 + {
1791 +- if (vcpu->arch.mmio_gfn && vcpu->arch.mmio_gfn == gpa >> PAGE_SHIFT)
1792 ++ if (vcpu_match_mmio_gen(vcpu) && vcpu->arch.mmio_gfn &&
1793 ++ vcpu->arch.mmio_gfn == gpa >> PAGE_SHIFT)
1794 + return true;
1795 +
1796 + return false;
1797 +diff --git a/arch/xtensa/include/asm/unistd.h b/arch/xtensa/include/asm/unistd.h
1798 +index 798ee6d285a1..7ab1f52f1fdd 100644
1799 +--- a/arch/xtensa/include/asm/unistd.h
1800 ++++ b/arch/xtensa/include/asm/unistd.h
1801 +@@ -394,7 +394,8 @@ __SYSCALL(174, sys_chroot, 1)
1802 + #define __NR_pivot_root 175
1803 + __SYSCALL(175, sys_pivot_root, 2)
1804 + #define __NR_umount 176
1805 +-__SYSCALL(176, sys_umount, 2)
1806 ++__SYSCALL(176, sys_oldumount, 1)
1807 ++#define __ARCH_WANT_SYS_OLDUMOUNT
1808 + #define __NR_swapoff 177
1809 + __SYSCALL(177, sys_swapoff, 1)
1810 + #define __NR_sync 178
1811 +diff --git a/block/blk-settings.c b/block/blk-settings.c
1812 +index b74cc58bc038..14f1d3083cae 100644
1813 +--- a/block/blk-settings.c
1814 ++++ b/block/blk-settings.c
1815 +@@ -538,7 +538,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
1816 + bottom = max(b->physical_block_size, b->io_min) + alignment;
1817 +
1818 + /* Verify that top and bottom intervals line up */
1819 +- if (max(top, bottom) & (min(top, bottom) - 1)) {
1820 ++ if (max(top, bottom) % min(top, bottom)) {
1821 + t->misaligned = 1;
1822 + ret = -1;
1823 + }
1824 +@@ -579,7 +579,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
1825 +
1826 + /* Find lowest common alignment_offset */
1827 + t->alignment_offset = lcm(t->alignment_offset, alignment)
1828 +- & (max(t->physical_block_size, t->io_min) - 1);
1829 ++ % max(t->physical_block_size, t->io_min);
1830 +
1831 + /* Verify that new alignment_offset is on a logical block boundary */
1832 + if (t->alignment_offset & (t->logical_block_size - 1)) {
1833 +diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
1834 +index 9a87daa6f4fb..f1c00c9aec1a 100644
1835 +--- a/block/scsi_ioctl.c
1836 ++++ b/block/scsi_ioctl.c
1837 +@@ -505,7 +505,7 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
1838 +
1839 + if (bytes && blk_rq_map_kern(q, rq, buffer, bytes, __GFP_WAIT)) {
1840 + err = DRIVER_ERROR << 24;
1841 +- goto out;
1842 ++ goto error;
1843 + }
1844 +
1845 + memset(sense, 0, sizeof(sense));
1846 +@@ -515,7 +515,6 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
1847 +
1848 + blk_execute_rq(q, disk, rq, 0);
1849 +
1850 +-out:
1851 + err = rq->errors & 0xff; /* only 8 bit SCSI status */
1852 + if (err) {
1853 + if (rq->sense_len && rq->sense) {
1854 +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
1855 +index d366a75e6705..ca9a287b5864 100644
1856 +--- a/drivers/ata/ahci.c
1857 ++++ b/drivers/ata/ahci.c
1858 +@@ -313,6 +313,11 @@ static const struct pci_device_id ahci_pci_tbl[] = {
1859 + { PCI_VDEVICE(INTEL, 0x8c87), board_ahci }, /* 9 Series RAID */
1860 + { PCI_VDEVICE(INTEL, 0x8c8e), board_ahci }, /* 9 Series RAID */
1861 + { PCI_VDEVICE(INTEL, 0x8c8f), board_ahci }, /* 9 Series RAID */
1862 ++ { PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H AHCI */
1863 ++ { PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H RAID */
1864 ++ { PCI_VDEVICE(INTEL, 0xa105), board_ahci }, /* Sunrise Point-H RAID */
1865 ++ { PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */
1866 ++ { PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
1867 +
1868 + /* JMicron 360/1/3/5/6, match class to avoid IDE function */
1869 + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
1870 +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
1871 +index d8af325a6bda..3723e5ec2b4d 100644
1872 +--- a/drivers/ata/libata-sff.c
1873 ++++ b/drivers/ata/libata-sff.c
1874 +@@ -2008,13 +2008,15 @@ static int ata_bus_softreset(struct ata_port *ap, unsigned int devmask,
1875 +
1876 + DPRINTK("ata%u: bus reset via SRST\n", ap->print_id);
1877 +
1878 +- /* software reset. causes dev0 to be selected */
1879 +- iowrite8(ap->ctl, ioaddr->ctl_addr);
1880 +- udelay(20); /* FIXME: flush */
1881 +- iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr);
1882 +- udelay(20); /* FIXME: flush */
1883 +- iowrite8(ap->ctl, ioaddr->ctl_addr);
1884 +- ap->last_ctl = ap->ctl;
1885 ++ if (ap->ioaddr.ctl_addr) {
1886 ++ /* software reset. causes dev0 to be selected */
1887 ++ iowrite8(ap->ctl, ioaddr->ctl_addr);
1888 ++ udelay(20); /* FIXME: flush */
1889 ++ iowrite8(ap->ctl | ATA_SRST, ioaddr->ctl_addr);
1890 ++ udelay(20); /* FIXME: flush */
1891 ++ iowrite8(ap->ctl, ioaddr->ctl_addr);
1892 ++ ap->last_ctl = ap->ctl;
1893 ++ }
1894 +
1895 + /* wait the port to become ready */
1896 + return ata_sff_wait_after_reset(&ap->link, devmask, deadline);
1897 +@@ -2215,10 +2217,6 @@ void ata_sff_error_handler(struct ata_port *ap)
1898 +
1899 + spin_unlock_irqrestore(ap->lock, flags);
1900 +
1901 +- /* ignore ata_sff_softreset if ctl isn't accessible */
1902 +- if (softreset == ata_sff_softreset && !ap->ioaddr.ctl_addr)
1903 +- softreset = NULL;
1904 +-
1905 + /* ignore built-in hardresets if SCR access is not available */
1906 + if ((hardreset == sata_std_hardreset ||
1907 + hardreset == sata_sff_hardreset) && !sata_scr_valid(&ap->link))
1908 +diff --git a/drivers/ata/pata_serverworks.c b/drivers/ata/pata_serverworks.c
1909 +index 71eaf385e970..5929dde07c91 100644
1910 +--- a/drivers/ata/pata_serverworks.c
1911 ++++ b/drivers/ata/pata_serverworks.c
1912 +@@ -252,12 +252,18 @@ static void serverworks_set_dmamode(struct ata_port *ap, struct ata_device *adev
1913 + pci_write_config_byte(pdev, 0x54, ultra_cfg);
1914 + }
1915 +
1916 +-static struct scsi_host_template serverworks_sht = {
1917 ++static struct scsi_host_template serverworks_osb4_sht = {
1918 ++ ATA_BMDMA_SHT(DRV_NAME),
1919 ++ .sg_tablesize = LIBATA_DUMB_MAX_PRD,
1920 ++};
1921 ++
1922 ++static struct scsi_host_template serverworks_csb_sht = {
1923 + ATA_BMDMA_SHT(DRV_NAME),
1924 + };
1925 +
1926 + static struct ata_port_operations serverworks_osb4_port_ops = {
1927 + .inherits = &ata_bmdma_port_ops,
1928 ++ .qc_prep = ata_bmdma_dumb_qc_prep,
1929 + .cable_detect = serverworks_cable_detect,
1930 + .mode_filter = serverworks_osb4_filter,
1931 + .set_piomode = serverworks_set_piomode,
1932 +@@ -266,6 +272,7 @@ static struct ata_port_operations serverworks_osb4_port_ops = {
1933 +
1934 + static struct ata_port_operations serverworks_csb_port_ops = {
1935 + .inherits = &serverworks_osb4_port_ops,
1936 ++ .qc_prep = ata_bmdma_qc_prep,
1937 + .mode_filter = serverworks_csb_filter,
1938 + };
1939 +
1940 +@@ -405,6 +412,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id
1941 + }
1942 + };
1943 + const struct ata_port_info *ppi[] = { &info[id->driver_data], NULL };
1944 ++ struct scsi_host_template *sht = &serverworks_csb_sht;
1945 + int rc;
1946 +
1947 + rc = pcim_enable_device(pdev);
1948 +@@ -418,6 +426,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id
1949 + /* Select non UDMA capable OSB4 if we can't do fixups */
1950 + if (rc < 0)
1951 + ppi[0] = &info[1];
1952 ++ sht = &serverworks_osb4_sht;
1953 + }
1954 + /* setup CSB5/CSB6 : South Bridge and IDE option RAID */
1955 + else if ((pdev->device == PCI_DEVICE_ID_SERVERWORKS_CSB5IDE) ||
1956 +@@ -434,7 +443,7 @@ static int serverworks_init_one(struct pci_dev *pdev, const struct pci_device_id
1957 + ppi[1] = &ata_dummy_port_info;
1958 + }
1959 +
1960 +- return ata_pci_bmdma_init_one(pdev, ppi, &serverworks_sht, NULL, 0);
1961 ++ return ata_pci_bmdma_init_one(pdev, ppi, sht, NULL, 0);
1962 + }
1963 +
1964 + #ifdef CONFIG_PM
1965 +diff --git a/drivers/base/core.c b/drivers/base/core.c
1966 +index e28ce9898af4..32e86d6f141c 100644
1967 +--- a/drivers/base/core.c
1968 ++++ b/drivers/base/core.c
1969 +@@ -718,12 +718,12 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj)
1970 + return &dir->kobj;
1971 + }
1972 +
1973 ++static DEFINE_MUTEX(gdp_mutex);
1974 +
1975 + static struct kobject *get_device_parent(struct device *dev,
1976 + struct device *parent)
1977 + {
1978 + if (dev->class) {
1979 +- static DEFINE_MUTEX(gdp_mutex);
1980 + struct kobject *kobj = NULL;
1981 + struct kobject *parent_kobj;
1982 + struct kobject *k;
1983 +@@ -787,7 +787,9 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
1984 + glue_dir->kset != &dev->class->p->glue_dirs)
1985 + return;
1986 +
1987 ++ mutex_lock(&gdp_mutex);
1988 + kobject_put(glue_dir);
1989 ++ mutex_unlock(&gdp_mutex);
1990 + }
1991 +
1992 + static void cleanup_device_parent(struct device *dev)
1993 +diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
1994 +index 5401814c874d..b7a4fe586f8a 100644
1995 +--- a/drivers/base/firmware_class.c
1996 ++++ b/drivers/base/firmware_class.c
1997 +@@ -588,6 +588,9 @@ request_firmware(const struct firmware **firmware_p, const char *name,
1998 + struct firmware_priv *fw_priv;
1999 + int ret;
2000 +
2001 ++ if (!name || name[0] == '\0')
2002 ++ return -EINVAL;
2003 ++
2004 + fw_priv = _request_firmware_prepare(firmware_p, name, device, true,
2005 + false);
2006 + if (IS_ERR_OR_NULL(fw_priv))
2007 +diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c
2008 +index 8ab1eab90be7..1db12895110a 100644
2009 +--- a/drivers/base/regmap/regmap-debugfs.c
2010 ++++ b/drivers/base/regmap/regmap-debugfs.c
2011 +@@ -244,7 +244,12 @@ static const struct file_operations regmap_access_fops = {
2012 +
2013 + void regmap_debugfs_init(struct regmap *map)
2014 + {
2015 +- map->debugfs = debugfs_create_dir(dev_name(map->dev),
2016 ++ const char *devname = "dummy";
2017 ++
2018 ++ if (map->dev)
2019 ++ devname = dev_name(map->dev);
2020 ++
2021 ++ map->debugfs = debugfs_create_dir(devname,
2022 + regmap_debugfs_root);
2023 + if (!map->debugfs) {
2024 + dev_warn(map->dev, "Failed to create debugfs directory\n");
2025 +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
2026 +index e5545427b46b..8e81f85b1ba0 100644
2027 +--- a/drivers/base/regmap/regmap.c
2028 ++++ b/drivers/base/regmap/regmap.c
2029 +@@ -600,6 +600,11 @@ int regmap_bulk_write(struct regmap *map, unsigned int reg, const void *val,
2030 + if (val_bytes == 1) {
2031 + wval = (void *)val;
2032 + } else {
2033 ++ if (!val_count) {
2034 ++ ret = -EINVAL;
2035 ++ goto out;
2036 ++ }
2037 ++
2038 + wval = kmemdup(val, val_count * val_bytes, GFP_KERNEL);
2039 + if (!wval) {
2040 + ret = -ENOMEM;
2041 +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
2042 +index 3cc242535012..155a61841e2b 100644
2043 +--- a/drivers/bluetooth/btusb.c
2044 ++++ b/drivers/bluetooth/btusb.c
2045 +@@ -304,6 +304,9 @@ static void btusb_intr_complete(struct urb *urb)
2046 + BT_ERR("%s corrupted event packet", hdev->name);
2047 + hdev->stat.err_rx++;
2048 + }
2049 ++ } else if (urb->status == -ENOENT) {
2050 ++ /* Avoid suspend failed when usb_kill_urb */
2051 ++ return;
2052 + }
2053 +
2054 + if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
2055 +@@ -392,6 +395,9 @@ static void btusb_bulk_complete(struct urb *urb)
2056 + BT_ERR("%s corrupted ACL packet", hdev->name);
2057 + hdev->stat.err_rx++;
2058 + }
2059 ++ } else if (urb->status == -ENOENT) {
2060 ++ /* Avoid suspend failed when usb_kill_urb */
2061 ++ return;
2062 + }
2063 +
2064 + if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
2065 +@@ -486,6 +492,9 @@ static void btusb_isoc_complete(struct urb *urb)
2066 + hdev->stat.err_rx++;
2067 + }
2068 + }
2069 ++ } else if (urb->status == -ENOENT) {
2070 ++ /* Avoid suspend failed when usb_kill_urb */
2071 ++ return;
2072 + }
2073 +
2074 + if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
2075 +diff --git a/drivers/char/random.c b/drivers/char/random.c
2076 +index 1052fc4cae66..85172faa1569 100644
2077 +--- a/drivers/char/random.c
2078 ++++ b/drivers/char/random.c
2079 +@@ -932,8 +932,8 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
2080 + * pool while mixing, and hash one final time.
2081 + */
2082 + sha_transform(hash.w, extract, workspace);
2083 +- memset(extract, 0, sizeof(extract));
2084 +- memset(workspace, 0, sizeof(workspace));
2085 ++ memzero_explicit(extract, sizeof(extract));
2086 ++ memzero_explicit(workspace, sizeof(workspace));
2087 +
2088 + /*
2089 + * In case the hash function has some recognizable output
2090 +@@ -956,7 +956,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
2091 + }
2092 +
2093 + memcpy(out, &hash, EXTRACT_SIZE);
2094 +- memset(&hash, 0, sizeof(hash));
2095 ++ memzero_explicit(&hash, sizeof(hash));
2096 + }
2097 +
2098 + static ssize_t extract_entropy(struct entropy_store *r, void *buf,
2099 +@@ -989,7 +989,7 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
2100 + }
2101 +
2102 + /* Wipe data just returned from memory */
2103 +- memset(tmp, 0, sizeof(tmp));
2104 ++ memzero_explicit(tmp, sizeof(tmp));
2105 +
2106 + return ret;
2107 + }
2108 +@@ -1027,7 +1027,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
2109 + }
2110 +
2111 + /* Wipe data just returned from memory */
2112 +- memset(tmp, 0, sizeof(tmp));
2113 ++ memzero_explicit(tmp, sizeof(tmp));
2114 +
2115 + return ret;
2116 + }
2117 +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
2118 +index 7f2f149ae40f..cf864ef8d181 100644
2119 +--- a/drivers/cpufreq/cpufreq.c
2120 ++++ b/drivers/cpufreq/cpufreq.c
2121 +@@ -371,7 +371,18 @@ show_one(cpuinfo_max_freq, cpuinfo.max_freq);
2122 + show_one(cpuinfo_transition_latency, cpuinfo.transition_latency);
2123 + show_one(scaling_min_freq, min);
2124 + show_one(scaling_max_freq, max);
2125 +-show_one(scaling_cur_freq, cur);
2126 ++
2127 ++static ssize_t show_scaling_cur_freq(
2128 ++ struct cpufreq_policy *policy, char *buf)
2129 ++{
2130 ++ ssize_t ret;
2131 ++
2132 ++ if (cpufreq_driver && cpufreq_driver->setpolicy && cpufreq_driver->get)
2133 ++ ret = sprintf(buf, "%u\n", cpufreq_driver->get(policy->cpu));
2134 ++ else
2135 ++ ret = sprintf(buf, "%u\n", policy->cur);
2136 ++ return ret;
2137 ++}
2138 +
2139 + static int __cpufreq_set_policy(struct cpufreq_policy *data,
2140 + struct cpufreq_policy *policy);
2141 +@@ -818,11 +829,11 @@ static int cpufreq_add_dev_interface(unsigned int cpu,
2142 + if (ret)
2143 + goto err_out_kobj_put;
2144 + }
2145 +- if (cpufreq_driver->target) {
2146 +- ret = sysfs_create_file(&policy->kobj, &scaling_cur_freq.attr);
2147 +- if (ret)
2148 +- goto err_out_kobj_put;
2149 +- }
2150 ++
2151 ++ ret = sysfs_create_file(&policy->kobj, &scaling_cur_freq.attr);
2152 ++ if (ret)
2153 ++ goto err_out_kobj_put;
2154 ++
2155 + if (cpufreq_driver->bios_limit) {
2156 + ret = sysfs_create_file(&policy->kobj, &bios_limit.attr);
2157 + if (ret)
2158 +diff --git a/drivers/edac/mpc85xx_edac.c b/drivers/edac/mpc85xx_edac.c
2159 +index 73464a62adf7..0f0bf1a2ae1a 100644
2160 +--- a/drivers/edac/mpc85xx_edac.c
2161 ++++ b/drivers/edac/mpc85xx_edac.c
2162 +@@ -577,7 +577,8 @@ static int __devinit mpc85xx_l2_err_probe(struct platform_device *op)
2163 + if (edac_op_state == EDAC_OPSTATE_INT) {
2164 + pdata->irq = irq_of_parse_and_map(op->dev.of_node, 0);
2165 + res = devm_request_irq(&op->dev, pdata->irq,
2166 +- mpc85xx_l2_isr, IRQF_DISABLED,
2167 ++ mpc85xx_l2_isr,
2168 ++ IRQF_DISABLED | IRQF_SHARED,
2169 + "[EDAC] L2 err", edac_dev);
2170 + if (res < 0) {
2171 + printk(KERN_ERR
2172 +diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
2173 +index b558810b2da0..b449572cb800 100644
2174 +--- a/drivers/firewire/core-cdev.c
2175 ++++ b/drivers/firewire/core-cdev.c
2176 +@@ -1619,8 +1619,7 @@ static int dispatch_ioctl(struct client *client,
2177 + _IOC_SIZE(cmd) > sizeof(buffer))
2178 + return -ENOTTY;
2179 +
2180 +- if (_IOC_DIR(cmd) == _IOC_READ)
2181 +- memset(&buffer, 0, _IOC_SIZE(cmd));
2182 ++ memset(&buffer, 0, sizeof(buffer));
2183 +
2184 + if (_IOC_DIR(cmd) & _IOC_WRITE)
2185 + if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
2186 +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
2187 +index df62c393f2f5..01434ef9e00f 100644
2188 +--- a/drivers/gpu/drm/radeon/evergreen.c
2189 ++++ b/drivers/gpu/drm/radeon/evergreen.c
2190 +@@ -1176,6 +1176,7 @@ void evergreen_mc_stop(struct radeon_device *rdev, struct evergreen_mc_save *sav
2191 + WREG32(EVERGREEN_CRTC_UPDATE_LOCK + crtc_offsets[i], 1);
2192 + tmp |= EVERGREEN_CRTC_BLANK_DATA_EN;
2193 + WREG32(EVERGREEN_CRTC_BLANK_CONTROL + crtc_offsets[i], tmp);
2194 ++ WREG32(EVERGREEN_CRTC_UPDATE_LOCK + crtc_offsets[i], 0);
2195 + }
2196 + } else {
2197 + tmp = RREG32(EVERGREEN_CRTC_CONTROL + crtc_offsets[i]);
2198 +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
2199 +index 00fb5aa2bf77..7ca1d472d7cb 100644
2200 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
2201 ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
2202 +@@ -1915,6 +1915,14 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector,
2203 + DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC)
2204 + };
2205 + int i;
2206 ++ u32 assumed_bpp = 2;
2207 ++
2208 ++ /*
2209 ++ * If using screen objects, then assume 32-bpp because that's what the
2210 ++ * SVGA device is assuming
2211 ++ */
2212 ++ if (dev_priv->sou_priv)
2213 ++ assumed_bpp = 4;
2214 +
2215 + /* Add preferred mode */
2216 + {
2217 +@@ -1925,8 +1933,9 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector,
2218 + mode->vdisplay = du->pref_height;
2219 + vmw_guess_mode_timing(mode);
2220 +
2221 +- if (vmw_kms_validate_mode_vram(dev_priv, mode->hdisplay * 2,
2222 +- mode->vdisplay)) {
2223 ++ if (vmw_kms_validate_mode_vram(dev_priv,
2224 ++ mode->hdisplay * assumed_bpp,
2225 ++ mode->vdisplay)) {
2226 + drm_mode_probed_add(connector, mode);
2227 + } else {
2228 + drm_mode_destroy(dev, mode);
2229 +@@ -1948,7 +1957,8 @@ int vmw_du_connector_fill_modes(struct drm_connector *connector,
2230 + bmode->vdisplay > max_height)
2231 + continue;
2232 +
2233 +- if (!vmw_kms_validate_mode_vram(dev_priv, bmode->hdisplay * 2,
2234 ++ if (!vmw_kms_validate_mode_vram(dev_priv,
2235 ++ bmode->hdisplay * assumed_bpp,
2236 + bmode->vdisplay))
2237 + continue;
2238 +
2239 +diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
2240 +index f4c3d28cd1fc..3c8b2c473b81 100644
2241 +--- a/drivers/hv/channel.c
2242 ++++ b/drivers/hv/channel.c
2243 +@@ -207,8 +207,10 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size,
2244 + ret = vmbus_post_msg(open_msg,
2245 + sizeof(struct vmbus_channel_open_channel));
2246 +
2247 +- if (ret != 0)
2248 ++ if (ret != 0) {
2249 ++ err = ret;
2250 + goto error1;
2251 ++ }
2252 +
2253 + t = wait_for_completion_timeout(&open_info->waitevent, 5*HZ);
2254 + if (t == 0) {
2255 +@@ -400,7 +402,6 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
2256 + u32 next_gpadl_handle;
2257 + unsigned long flags;
2258 + int ret = 0;
2259 +- int t;
2260 +
2261 + next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
2262 + atomic_inc(&vmbus_connection.next_gpadl_handle);
2263 +@@ -447,9 +448,7 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
2264 +
2265 + }
2266 + }
2267 +- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ);
2268 +- BUG_ON(t == 0);
2269 +-
2270 ++ wait_for_completion(&msginfo->waitevent);
2271 +
2272 + /* At this point, we received the gpadl created msg */
2273 + *gpadl_handle = gpadlmsg->gpadl;
2274 +@@ -472,7 +471,7 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
2275 + struct vmbus_channel_gpadl_teardown *msg;
2276 + struct vmbus_channel_msginfo *info;
2277 + unsigned long flags;
2278 +- int ret, t;
2279 ++ int ret;
2280 +
2281 + info = kmalloc(sizeof(*info) +
2282 + sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL);
2283 +@@ -494,11 +493,12 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
2284 + ret = vmbus_post_msg(msg,
2285 + sizeof(struct vmbus_channel_gpadl_teardown));
2286 +
2287 +- BUG_ON(ret != 0);
2288 +- t = wait_for_completion_timeout(&info->waitevent, 5*HZ);
2289 +- BUG_ON(t == 0);
2290 ++ if (ret)
2291 ++ goto post_msg_err;
2292 ++
2293 ++ wait_for_completion(&info->waitevent);
2294 +
2295 +- /* Received a torndown response */
2296 ++post_msg_err:
2297 + spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags);
2298 + list_del(&info->msglistentry);
2299 + spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);
2300 +@@ -531,11 +531,28 @@ void vmbus_close(struct vmbus_channel *channel)
2301 +
2302 + ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_close_channel));
2303 +
2304 +- BUG_ON(ret != 0);
2305 ++ if (ret) {
2306 ++ pr_err("Close failed: close post msg return is %d\n", ret);
2307 ++ /*
2308 ++ * If we failed to post the close msg,
2309 ++ * it is perhaps better to leak memory.
2310 ++ */
2311 ++ return;
2312 ++ }
2313 ++
2314 + /* Tear down the gpadl for the channel's ring buffer */
2315 +- if (channel->ringbuffer_gpadlhandle)
2316 +- vmbus_teardown_gpadl(channel,
2317 +- channel->ringbuffer_gpadlhandle);
2318 ++ if (channel->ringbuffer_gpadlhandle) {
2319 ++ ret = vmbus_teardown_gpadl(channel,
2320 ++ channel->ringbuffer_gpadlhandle);
2321 ++ if (ret) {
2322 ++ pr_err("Close failed: teardown gpadl return %d\n", ret);
2323 ++ /*
2324 ++ * If we failed to teardown gpadl,
2325 ++ * it is perhaps better to leak memory.
2326 ++ */
2327 ++ return;
2328 ++ }
2329 ++ }
2330 +
2331 + /* Cleanup the ring buffers for this channel */
2332 + hv_ringbuffer_cleanup(&channel->outbound);
2333 +@@ -543,8 +560,6 @@ void vmbus_close(struct vmbus_channel *channel)
2334 +
2335 + free_pages((unsigned long)channel->ringbuffer_pages,
2336 + get_order(channel->ringbuffer_pagecount * PAGE_SIZE));
2337 +-
2338 +-
2339 + }
2340 + EXPORT_SYMBOL_GPL(vmbus_close);
2341 +
2342 +diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
2343 +index 650c9f0b6642..2d52a1b15b35 100644
2344 +--- a/drivers/hv/connection.c
2345 ++++ b/drivers/hv/connection.c
2346 +@@ -294,10 +294,21 @@ int vmbus_post_msg(void *buffer, size_t buflen)
2347 + * insufficient resources. Retry the operation a couple of
2348 + * times before giving up.
2349 + */
2350 +- while (retries < 3) {
2351 +- ret = hv_post_message(conn_id, 1, buffer, buflen);
2352 +- if (ret != HV_STATUS_INSUFFICIENT_BUFFERS)
2353 ++ while (retries < 10) {
2354 ++ ret = hv_post_message(conn_id, 1, buffer, buflen);
2355 ++
2356 ++ switch (ret) {
2357 ++ case HV_STATUS_INSUFFICIENT_BUFFERS:
2358 ++ ret = -ENOMEM;
2359 ++ case -ENOMEM:
2360 ++ break;
2361 ++ case HV_STATUS_SUCCESS:
2362 + return ret;
2363 ++ default:
2364 ++ pr_err("hv_post_msg() failed; error code:%d\n", ret);
2365 ++ return -EINVAL;
2366 ++ }
2367 ++
2368 + retries++;
2369 + msleep(100);
2370 + }
2371 +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
2372 +index ff0b71a7e8e1..6bd8e81cfd9d 100644
2373 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
2374 ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
2375 +@@ -2146,6 +2146,7 @@ static int srpt_create_ch_ib(struct srpt_rdma_ch *ch)
2376 + if (!qp_init)
2377 + goto out;
2378 +
2379 ++retry:
2380 + ch->cq = ib_create_cq(sdev->device, srpt_completion, NULL, ch,
2381 + ch->rq_size + srp_sq_size, 0);
2382 + if (IS_ERR(ch->cq)) {
2383 +@@ -2169,6 +2170,13 @@ static int srpt_create_ch_ib(struct srpt_rdma_ch *ch)
2384 + ch->qp = ib_create_qp(sdev->pd, qp_init);
2385 + if (IS_ERR(ch->qp)) {
2386 + ret = PTR_ERR(ch->qp);
2387 ++ if (ret == -ENOMEM) {
2388 ++ srp_sq_size /= 2;
2389 ++ if (srp_sq_size >= MIN_SRPT_SQ_SIZE) {
2390 ++ ib_destroy_cq(ch->cq);
2391 ++ goto retry;
2392 ++ }
2393 ++ }
2394 + printk(KERN_ERR "failed to create_qp ret= %d\n", ret);
2395 + goto err_destroy_cq;
2396 + }
2397 +diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
2398 +index 4c6a72d3d48c..9854a1ff5ab5 100644
2399 +--- a/drivers/input/mouse/alps.c
2400 ++++ b/drivers/input/mouse/alps.c
2401 +@@ -787,7 +787,13 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse)
2402 + struct alps_data *priv = psmouse->private;
2403 + const struct alps_model_info *model = priv->i;
2404 +
2405 +- if ((psmouse->packet[0] & 0xc8) == 0x08) { /* PS/2 packet */
2406 ++ /*
2407 ++ * Check if we are dealing with a bare PS/2 packet, presumably from
2408 ++ * a device connected to the external PS/2 port. Because bare PS/2
2409 ++ * protocol does not have enough constant bits to self-synchronize
2410 ++ * properly we only do this if the device is fully synchronized.
2411 ++ */
2412 ++ if (!psmouse->out_of_sync_cnt && (psmouse->packet[0] & 0xc8) == 0x08) {
2413 + if (psmouse->pktcnt == 3) {
2414 + alps_report_bare_ps2_packet(psmouse, psmouse->packet,
2415 + true);
2416 +@@ -1619,6 +1625,9 @@ int alps_init(struct psmouse *psmouse)
2417 + /* We are having trouble resyncing ALPS touchpads so disable it for now */
2418 + psmouse->resync_time = 0;
2419 +
2420 ++ /* Allow 2 invalid packets without resetting device */
2421 ++ psmouse->resetafter = psmouse->pktsize * 2;
2422 ++
2423 + return 0;
2424 +
2425 + init_fail:
2426 +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
2427 +index 32b1363f7ace..97e5f6f797b4 100644
2428 +--- a/drivers/input/mouse/synaptics.c
2429 ++++ b/drivers/input/mouse/synaptics.c
2430 +@@ -506,6 +506,8 @@ static void synaptics_parse_agm(const unsigned char buf[],
2431 + priv->agm_pending = true;
2432 + }
2433 +
2434 ++static bool is_forcepad;
2435 ++
2436 + static int synaptics_parse_hw_state(const unsigned char buf[],
2437 + struct synaptics_data *priv,
2438 + struct synaptics_hw_state *hw)
2439 +@@ -535,7 +537,7 @@ static int synaptics_parse_hw_state(const unsigned char buf[],
2440 + hw->left = (buf[0] & 0x01) ? 1 : 0;
2441 + hw->right = (buf[0] & 0x02) ? 1 : 0;
2442 +
2443 +- if (SYN_CAP_FORCEPAD(priv->ext_cap_0c)) {
2444 ++ if (is_forcepad) {
2445 + /*
2446 + * ForcePads, like Clickpads, use middle button
2447 + * bits to report primary button clicks.
2448 +@@ -1512,6 +1514,18 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
2449 + { }
2450 + };
2451 +
2452 ++static const struct dmi_system_id forcepad_dmi_table[] __initconst = {
2453 ++#if defined(CONFIG_DMI) && defined(CONFIG_X86)
2454 ++ {
2455 ++ .matches = {
2456 ++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
2457 ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP EliteBook Folio 1040 G1"),
2458 ++ },
2459 ++ },
2460 ++#endif
2461 ++ { }
2462 ++};
2463 ++
2464 + void __init synaptics_module_init(void)
2465 + {
2466 + const struct dmi_system_id *min_max_dmi;
2467 +@@ -1522,6 +1536,12 @@ void __init synaptics_module_init(void)
2468 + min_max_dmi = dmi_first_match(min_max_dmi_table);
2469 + if (min_max_dmi)
2470 + quirk_min_max = min_max_dmi->driver_data;
2471 ++
2472 ++ /*
2473 ++ * Unfortunately ForcePad capability is not exported over PS/2,
2474 ++ * so we have to resort to checking DMI.
2475 ++ */
2476 ++ is_forcepad = dmi_check_system(forcepad_dmi_table);
2477 + }
2478 +
2479 + static int __synaptics_init(struct psmouse *psmouse, bool absolute_mode)
2480 +diff --git a/drivers/input/mouse/synaptics.h b/drivers/input/mouse/synaptics.h
2481 +index ac1b77354cac..20d861b4e326 100644
2482 +--- a/drivers/input/mouse/synaptics.h
2483 ++++ b/drivers/input/mouse/synaptics.h
2484 +@@ -76,12 +76,9 @@
2485 + * for noise.
2486 + * 2 0x08 image sensor image sensor tracks 5 fingers, but only
2487 + * reports 2.
2488 ++ * 2 0x01 uniform clickpad whole clickpad moves instead of being
2489 ++ * hinged at the top.
2490 + * 2 0x20 report min query 0x0f gives min coord reported
2491 +- * 2 0x80 forcepad forcepad is a variant of clickpad that
2492 +- * does not have physical buttons but rather
2493 +- * uses pressure above certain threshold to
2494 +- * report primary clicks. Forcepads also have
2495 +- * clickpad bit set.
2496 + */
2497 + #define SYN_CAP_CLICKPAD(ex0c) ((ex0c) & 0x100000) /* 1-button ClickPad */
2498 + #define SYN_CAP_CLICKPAD2BTN(ex0c) ((ex0c) & 0x000100) /* 2-button ClickPad */
2499 +@@ -90,7 +87,6 @@
2500 + #define SYN_CAP_ADV_GESTURE(ex0c) ((ex0c) & 0x080000)
2501 + #define SYN_CAP_REDUCED_FILTERING(ex0c) ((ex0c) & 0x000400)
2502 + #define SYN_CAP_IMAGE_SENSOR(ex0c) ((ex0c) & 0x000800)
2503 +-#define SYN_CAP_FORCEPAD(ex0c) ((ex0c) & 0x008000)
2504 +
2505 + /* synaptics modes query bits */
2506 + #define SYN_MODE_ABSOLUTE(m) ((m) & (1 << 7))
2507 +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
2508 +index 1291673bd57e..ce715b1bee46 100644
2509 +--- a/drivers/input/serio/i8042-x86ia64io.h
2510 ++++ b/drivers/input/serio/i8042-x86ia64io.h
2511 +@@ -101,6 +101,12 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = {
2512 + },
2513 + {
2514 + .matches = {
2515 ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
2516 ++ DMI_MATCH(DMI_PRODUCT_NAME, "X750LN"),
2517 ++ },
2518 ++ },
2519 ++ {
2520 ++ .matches = {
2521 + DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
2522 + DMI_MATCH(DMI_PRODUCT_NAME , "ProLiant"),
2523 + DMI_MATCH(DMI_PRODUCT_VERSION, "8500"),
2524 +@@ -609,6 +615,22 @@ static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = {
2525 + },
2526 + },
2527 + {
2528 ++ /* Fujitsu A544 laptop */
2529 ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1111138 */
2530 ++ .matches = {
2531 ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
2532 ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK A544"),
2533 ++ },
2534 ++ },
2535 ++ {
2536 ++ /* Fujitsu AH544 laptop */
2537 ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */
2538 ++ .matches = {
2539 ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
2540 ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK AH544"),
2541 ++ },
2542 ++ },
2543 ++ {
2544 + /* Fujitsu U574 laptop */
2545 + /* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */
2546 + .matches = {
2547 +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
2548 +index 6f99500790b3..535b09cd3cd8 100644
2549 +--- a/drivers/md/dm-bufio.c
2550 ++++ b/drivers/md/dm-bufio.c
2551 +@@ -467,6 +467,7 @@ static void __relink_lru(struct dm_buffer *b, int dirty)
2552 + b->list_mode = dirty;
2553 + list_del(&b->lru_list);
2554 + list_add(&b->lru_list, &c->lru[dirty]);
2555 ++ b->last_accessed = jiffies;
2556 + }
2557 +
2558 + /*----------------------------------------------------------------
2559 +@@ -1378,9 +1379,9 @@ static void drop_buffers(struct dm_bufio_client *c)
2560 +
2561 + /*
2562 + * Test if the buffer is unused and too old, and commit it.
2563 +- * At if noio is set, we must not do any I/O because we hold
2564 +- * dm_bufio_clients_lock and we would risk deadlock if the I/O gets rerouted to
2565 +- * different bufio client.
2566 ++ * And if GFP_NOFS is used, we must not do any I/O because we hold
2567 ++ * dm_bufio_clients_lock and we would risk deadlock if the I/O gets
2568 ++ * rerouted to different bufio client.
2569 + */
2570 + static int __cleanup_old_buffer(struct dm_buffer *b, gfp_t gfp,
2571 + unsigned long max_jiffies)
2572 +@@ -1388,7 +1389,7 @@ static int __cleanup_old_buffer(struct dm_buffer *b, gfp_t gfp,
2573 + if (jiffies - b->last_accessed < max_jiffies)
2574 + return 1;
2575 +
2576 +- if (!(gfp & __GFP_IO)) {
2577 ++ if (!(gfp & __GFP_FS)) {
2578 + if (test_bit(B_READING, &b->state) ||
2579 + test_bit(B_WRITING, &b->state) ||
2580 + test_bit(B_DIRTY, &b->state))
2581 +@@ -1427,7 +1428,7 @@ static int shrink(struct shrinker *shrinker, struct shrink_control *sc)
2582 + unsigned long r;
2583 + unsigned long nr_to_scan = sc->nr_to_scan;
2584 +
2585 +- if (sc->gfp_mask & __GFP_IO)
2586 ++ if (sc->gfp_mask & __GFP_FS)
2587 + dm_bufio_lock(c);
2588 + else if (!dm_bufio_trylock(c))
2589 + return !nr_to_scan ? 0 : -1;
2590 +diff --git a/drivers/md/dm-log-userspace-transfer.c b/drivers/md/dm-log-userspace-transfer.c
2591 +index 08d9a207259a..c69d0b787746 100644
2592 +--- a/drivers/md/dm-log-userspace-transfer.c
2593 ++++ b/drivers/md/dm-log-userspace-transfer.c
2594 +@@ -272,7 +272,7 @@ int dm_ulog_tfr_init(void)
2595 +
2596 + r = cn_add_callback(&ulog_cn_id, "dmlogusr", cn_ulog_callback);
2597 + if (r) {
2598 +- cn_del_callback(&ulog_cn_id);
2599 ++ kfree(prealloced_cn_msg);
2600 + return r;
2601 + }
2602 +
2603 +diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
2604 +index ead5ca99a749..5dea02cff622 100644
2605 +--- a/drivers/md/dm-raid.c
2606 ++++ b/drivers/md/dm-raid.c
2607 +@@ -592,8 +592,7 @@ struct dm_raid_superblock {
2608 + __le32 layout;
2609 + __le32 stripe_sectors;
2610 +
2611 +- __u8 pad[452]; /* Round struct to 512 bytes. */
2612 +- /* Always set to 0 when writing. */
2613 ++ /* Remainder of a logical block is zero-filled when writing (see super_sync()). */
2614 + } __packed;
2615 +
2616 + static int read_disk_sb(struct md_rdev *rdev, int size)
2617 +@@ -628,7 +627,7 @@ static void super_sync(struct mddev *mddev, struct md_rdev *rdev)
2618 + if ((r->raid_disk >= 0) && test_bit(Faulty, &r->flags))
2619 + failed_devices |= (1ULL << r->raid_disk);
2620 +
2621 +- memset(sb, 0, sizeof(*sb));
2622 ++ memset(sb + 1, 0, rdev->sb_size - sizeof(*sb));
2623 +
2624 + sb->magic = cpu_to_le32(DM_RAID_MAGIC);
2625 + sb->features = cpu_to_le32(0); /* No features yet */
2626 +@@ -663,7 +662,11 @@ static int super_load(struct md_rdev *rdev, struct md_rdev *refdev)
2627 + uint64_t events_sb, events_refsb;
2628 +
2629 + rdev->sb_start = 0;
2630 +- rdev->sb_size = sizeof(*sb);
2631 ++ rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev);
2632 ++ if (rdev->sb_size < sizeof(*sb) || rdev->sb_size > PAGE_SIZE) {
2633 ++ DMERR("superblock size of a logical block is no longer valid");
2634 ++ return -EINVAL;
2635 ++ }
2636 +
2637 + ret = read_disk_sb(rdev, rdev->sb_size);
2638 + if (ret)
2639 +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
2640 +index c2cdefa1651e..d4f7f9537db2 100644
2641 +--- a/drivers/net/can/dev.c
2642 ++++ b/drivers/net/can/dev.c
2643 +@@ -359,7 +359,7 @@ void can_free_echo_skb(struct net_device *dev, unsigned int idx)
2644 + BUG_ON(idx >= priv->echo_skb_max);
2645 +
2646 + if (priv->echo_skb[idx]) {
2647 +- kfree_skb(priv->echo_skb[idx]);
2648 ++ dev_kfree_skb_any(priv->echo_skb[idx]);
2649 + priv->echo_skb[idx] = NULL;
2650 + }
2651 + }
2652 +diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
2653 +index 09b1da5bc512..6c8423411dd8 100644
2654 +--- a/drivers/net/can/usb/esd_usb2.c
2655 ++++ b/drivers/net/can/usb/esd_usb2.c
2656 +@@ -1094,6 +1094,7 @@ static void esd_usb2_disconnect(struct usb_interface *intf)
2657 + }
2658 + }
2659 + unlink_all_urbs(dev);
2660 ++ kfree(dev);
2661 + }
2662 + }
2663 +
2664 +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
2665 +index f5b9de48bb82..c19f9447b200 100644
2666 +--- a/drivers/net/macvtap.c
2667 ++++ b/drivers/net/macvtap.c
2668 +@@ -17,6 +17,7 @@
2669 + #include <linux/idr.h>
2670 + #include <linux/fs.h>
2671 +
2672 ++#include <net/ipv6.h>
2673 + #include <net/net_namespace.h>
2674 + #include <net/rtnetlink.h>
2675 + #include <net/sock.h>
2676 +@@ -578,6 +579,8 @@ static int macvtap_skb_from_vnet_hdr(struct sk_buff *skb,
2677 + break;
2678 + case VIRTIO_NET_HDR_GSO_UDP:
2679 + gso_type = SKB_GSO_UDP;
2680 ++ if (skb->protocol == htons(ETH_P_IPV6))
2681 ++ ipv6_proxy_select_ident(skb);
2682 + break;
2683 + default:
2684 + return -EINVAL;
2685 +@@ -634,6 +637,8 @@ static int macvtap_skb_to_vnet_hdr(const struct sk_buff *skb,
2686 + if (skb->ip_summed == CHECKSUM_PARTIAL) {
2687 + vnet_hdr->flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
2688 + vnet_hdr->csum_start = skb_checksum_start_offset(skb);
2689 ++ if (vlan_tx_tag_present(skb))
2690 ++ vnet_hdr->csum_start += VLAN_HLEN;
2691 + vnet_hdr->csum_offset = skb->csum_offset;
2692 + } else if (skb->ip_summed == CHECKSUM_UNNECESSARY) {
2693 + vnet_hdr->flags = VIRTIO_NET_HDR_F_DATA_VALID;
2694 +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
2695 +index 21d7151fb0ab..1207bb19ba58 100644
2696 +--- a/drivers/net/ppp/ppp_generic.c
2697 ++++ b/drivers/net/ppp/ppp_generic.c
2698 +@@ -588,7 +588,7 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
2699 + if (file == ppp->owner)
2700 + ppp_shutdown_interface(ppp);
2701 + }
2702 +- if (atomic_long_read(&file->f_count) <= 2) {
2703 ++ if (atomic_long_read(&file->f_count) < 2) {
2704 + ppp_release(NULL, file);
2705 + err = 0;
2706 + } else
2707 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
2708 +index 5b1a1b51fdb0..84b95c9b15f6 100644
2709 +--- a/drivers/net/tun.c
2710 ++++ b/drivers/net/tun.c
2711 +@@ -64,6 +64,7 @@
2712 + #include <linux/nsproxy.h>
2713 + #include <linux/virtio_net.h>
2714 + #include <linux/rcupdate.h>
2715 ++#include <net/ipv6.h>
2716 + #include <net/net_namespace.h>
2717 + #include <net/netns/generic.h>
2718 + #include <net/rtnetlink.h>
2719 +@@ -696,6 +697,8 @@ static ssize_t tun_get_user(struct tun_struct *tun,
2720 + break;
2721 + }
2722 +
2723 ++ skb_reset_network_header(skb);
2724 ++
2725 + if (gso.gso_type != VIRTIO_NET_HDR_GSO_NONE) {
2726 + pr_debug("GSO!\n");
2727 + switch (gso.gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
2728 +@@ -707,6 +710,8 @@ static ssize_t tun_get_user(struct tun_struct *tun,
2729 + break;
2730 + case VIRTIO_NET_HDR_GSO_UDP:
2731 + skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
2732 ++ if (skb->protocol == htons(ETH_P_IPV6))
2733 ++ ipv6_proxy_select_ident(skb);
2734 + break;
2735 + default:
2736 + tun->dev->stats.rx_frame_errors++;
2737 +diff --git a/drivers/net/wireless/rt2x00/rt2800.h b/drivers/net/wireless/rt2x00/rt2800.h
2738 +index 063bfa8b91f4..9105493445bd 100644
2739 +--- a/drivers/net/wireless/rt2x00/rt2800.h
2740 ++++ b/drivers/net/wireless/rt2x00/rt2800.h
2741 +@@ -1751,7 +1751,7 @@ struct mac_iveiv_entry {
2742 + * 2 - drop tx power by 12dBm,
2743 + * 3 - increase tx power by 6dBm
2744 + */
2745 +-#define BBP1_TX_POWER_CTRL FIELD8(0x07)
2746 ++#define BBP1_TX_POWER_CTRL FIELD8(0x03)
2747 + #define BBP1_TX_ANTENNA FIELD8(0x18)
2748 +
2749 + /*
2750 +diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
2751 +index 664e93d2a682..49baf0cfe304 100644
2752 +--- a/drivers/net/wireless/rt2x00/rt2800usb.c
2753 ++++ b/drivers/net/wireless/rt2x00/rt2800usb.c
2754 +@@ -1081,6 +1081,7 @@ static struct usb_device_id rt2800usb_device_table[] = {
2755 + /* Ovislink */
2756 + { USB_DEVICE(0x1b75, 0x3071) },
2757 + { USB_DEVICE(0x1b75, 0x3072) },
2758 ++ { USB_DEVICE(0x1b75, 0xa200) },
2759 + /* Para */
2760 + { USB_DEVICE(0x20b8, 0x8888) },
2761 + /* Pegatron */
2762 +diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
2763 +index 4d792a242c5e..c5bdbe94aec8 100644
2764 +--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
2765 ++++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
2766 +@@ -148,55 +148,29 @@ void rt2x00queue_align_frame(struct sk_buff *skb)
2767 + skb_trim(skb, frame_length);
2768 + }
2769 +
2770 +-void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int header_length)
2771 ++/*
2772 ++ * H/W needs L2 padding between the header and the paylod if header size
2773 ++ * is not 4 bytes aligned.
2774 ++ */
2775 ++void rt2x00queue_insert_l2pad(struct sk_buff *skb, unsigned int hdr_len)
2776 + {
2777 +- unsigned int payload_length = skb->len - header_length;
2778 +- unsigned int header_align = ALIGN_SIZE(skb, 0);
2779 +- unsigned int payload_align = ALIGN_SIZE(skb, header_length);
2780 +- unsigned int l2pad = payload_length ? L2PAD_SIZE(header_length) : 0;
2781 ++ unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
2782 +
2783 +- /*
2784 +- * Adjust the header alignment if the payload needs to be moved more
2785 +- * than the header.
2786 +- */
2787 +- if (payload_align > header_align)
2788 +- header_align += 4;
2789 +-
2790 +- /* There is nothing to do if no alignment is needed */
2791 +- if (!header_align)
2792 ++ if (!l2pad)
2793 + return;
2794 +
2795 +- /* Reserve the amount of space needed in front of the frame */
2796 +- skb_push(skb, header_align);
2797 +-
2798 +- /*
2799 +- * Move the header.
2800 +- */
2801 +- memmove(skb->data, skb->data + header_align, header_length);
2802 +-
2803 +- /* Move the payload, if present and if required */
2804 +- if (payload_length && payload_align)
2805 +- memmove(skb->data + header_length + l2pad,
2806 +- skb->data + header_length + l2pad + payload_align,
2807 +- payload_length);
2808 +-
2809 +- /* Trim the skb to the correct size */
2810 +- skb_trim(skb, header_length + l2pad + payload_length);
2811 ++ skb_push(skb, l2pad);
2812 ++ memmove(skb->data, skb->data + l2pad, hdr_len);
2813 + }
2814 +
2815 +-void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int header_length)
2816 ++void rt2x00queue_remove_l2pad(struct sk_buff *skb, unsigned int hdr_len)
2817 + {
2818 +- /*
2819 +- * L2 padding is only present if the skb contains more than just the
2820 +- * IEEE 802.11 header.
2821 +- */
2822 +- unsigned int l2pad = (skb->len > header_length) ?
2823 +- L2PAD_SIZE(header_length) : 0;
2824 ++ unsigned int l2pad = (skb->len > hdr_len) ? L2PAD_SIZE(hdr_len) : 0;
2825 +
2826 + if (!l2pad)
2827 + return;
2828 +
2829 +- memmove(skb->data + l2pad, skb->data, header_length);
2830 ++ memmove(skb->data + l2pad, skb->data, hdr_len);
2831 + skb_pull(skb, l2pad);
2832 + }
2833 +
2834 +diff --git a/drivers/of/address.c b/drivers/of/address.c
2835 +index 66d96f14c274..c059ce1dd338 100644
2836 +--- a/drivers/of/address.c
2837 ++++ b/drivers/of/address.c
2838 +@@ -328,6 +328,21 @@ static struct of_bus *of_match_bus(struct device_node *np)
2839 + return NULL;
2840 + }
2841 +
2842 ++static int of_empty_ranges_quirk(void)
2843 ++{
2844 ++ if (IS_ENABLED(CONFIG_PPC)) {
2845 ++ /* To save cycles, we cache the result */
2846 ++ static int quirk_state = -1;
2847 ++
2848 ++ if (quirk_state < 0)
2849 ++ quirk_state =
2850 ++ of_machine_is_compatible("Power Macintosh") ||
2851 ++ of_machine_is_compatible("MacRISC");
2852 ++ return quirk_state;
2853 ++ }
2854 ++ return false;
2855 ++}
2856 ++
2857 + static int of_translate_one(struct device_node *parent, struct of_bus *bus,
2858 + struct of_bus *pbus, u32 *addr,
2859 + int na, int ns, int pna, const char *rprop)
2860 +@@ -353,12 +368,10 @@ static int of_translate_one(struct device_node *parent, struct of_bus *bus,
2861 + * This code is only enabled on powerpc. --gcl
2862 + */
2863 + ranges = of_get_property(parent, rprop, &rlen);
2864 +-#if !defined(CONFIG_PPC)
2865 +- if (ranges == NULL) {
2866 ++ if (ranges == NULL && !of_empty_ranges_quirk()) {
2867 + pr_err("OF: no ranges; cannot translate\n");
2868 + return 1;
2869 + }
2870 +-#endif /* !defined(CONFIG_PPC) */
2871 + if (ranges == NULL || rlen == 0) {
2872 + offset = of_read_number(addr, na);
2873 + memset(addr, 0, pna * 4);
2874 +diff --git a/drivers/of/base.c b/drivers/of/base.c
2875 +index 1c207f23b114..d439d0611559 100644
2876 +--- a/drivers/of/base.c
2877 ++++ b/drivers/of/base.c
2878 +@@ -716,52 +716,6 @@ int of_property_read_string(struct device_node *np, const char *propname,
2879 + EXPORT_SYMBOL_GPL(of_property_read_string);
2880 +
2881 + /**
2882 +- * of_property_read_string_index - Find and read a string from a multiple
2883 +- * strings property.
2884 +- * @np: device node from which the property value is to be read.
2885 +- * @propname: name of the property to be searched.
2886 +- * @index: index of the string in the list of strings
2887 +- * @out_string: pointer to null terminated return string, modified only if
2888 +- * return value is 0.
2889 +- *
2890 +- * Search for a property in a device tree node and retrieve a null
2891 +- * terminated string value (pointer to data, not a copy) in the list of strings
2892 +- * contained in that property.
2893 +- * Returns 0 on success, -EINVAL if the property does not exist, -ENODATA if
2894 +- * property does not have a value, and -EILSEQ if the string is not
2895 +- * null-terminated within the length of the property data.
2896 +- *
2897 +- * The out_string pointer is modified only if a valid string can be decoded.
2898 +- */
2899 +-int of_property_read_string_index(struct device_node *np, const char *propname,
2900 +- int index, const char **output)
2901 +-{
2902 +- struct property *prop = of_find_property(np, propname, NULL);
2903 +- int i = 0;
2904 +- size_t l = 0, total = 0;
2905 +- const char *p;
2906 +-
2907 +- if (!prop)
2908 +- return -EINVAL;
2909 +- if (!prop->value)
2910 +- return -ENODATA;
2911 +- if (strnlen(prop->value, prop->length) >= prop->length)
2912 +- return -EILSEQ;
2913 +-
2914 +- p = prop->value;
2915 +-
2916 +- for (i = 0; total < prop->length; total += l, p += l) {
2917 +- l = strlen(p) + 1;
2918 +- if (i++ == index) {
2919 +- *output = p;
2920 +- return 0;
2921 +- }
2922 +- }
2923 +- return -ENODATA;
2924 +-}
2925 +-EXPORT_SYMBOL_GPL(of_property_read_string_index);
2926 +-
2927 +-/**
2928 + * of_property_match_string() - Find string in a list and return index
2929 + * @np: pointer to node containing string list property
2930 + * @propname: string list property name
2931 +@@ -787,7 +741,7 @@ int of_property_match_string(struct device_node *np, const char *propname,
2932 + end = p + prop->length;
2933 +
2934 + for (i = 0; p < end; i++, p += l) {
2935 +- l = strlen(p) + 1;
2936 ++ l = strnlen(p, end - p) + 1;
2937 + if (p + l > end)
2938 + return -EILSEQ;
2939 + pr_debug("comparing %s with %s\n", string, p);
2940 +@@ -799,39 +753,41 @@ int of_property_match_string(struct device_node *np, const char *propname,
2941 + EXPORT_SYMBOL_GPL(of_property_match_string);
2942 +
2943 + /**
2944 +- * of_property_count_strings - Find and return the number of strings from a
2945 +- * multiple strings property.
2946 ++ * of_property_read_string_util() - Utility helper for parsing string properties
2947 + * @np: device node from which the property value is to be read.
2948 + * @propname: name of the property to be searched.
2949 ++ * @out_strs: output array of string pointers.
2950 ++ * @sz: number of array elements to read.
2951 ++ * @skip: Number of strings to skip over at beginning of list.
2952 + *
2953 +- * Search for a property in a device tree node and retrieve the number of null
2954 +- * terminated string contain in it. Returns the number of strings on
2955 +- * success, -EINVAL if the property does not exist, -ENODATA if property
2956 +- * does not have a value, and -EILSEQ if the string is not null-terminated
2957 +- * within the length of the property data.
2958 ++ * Don't call this function directly. It is a utility helper for the
2959 ++ * of_property_read_string*() family of functions.
2960 + */
2961 +-int of_property_count_strings(struct device_node *np, const char *propname)
2962 ++int of_property_read_string_helper(struct device_node *np, const char *propname,
2963 ++ const char **out_strs, size_t sz, int skip)
2964 + {
2965 + struct property *prop = of_find_property(np, propname, NULL);
2966 +- int i = 0;
2967 +- size_t l = 0, total = 0;
2968 +- const char *p;
2969 ++ int l = 0, i = 0;
2970 ++ const char *p, *end;
2971 +
2972 + if (!prop)
2973 + return -EINVAL;
2974 + if (!prop->value)
2975 + return -ENODATA;
2976 +- if (strnlen(prop->value, prop->length) >= prop->length)
2977 +- return -EILSEQ;
2978 +-
2979 + p = prop->value;
2980 ++ end = p + prop->length;
2981 +
2982 +- for (i = 0; total < prop->length; total += l, p += l, i++)
2983 +- l = strlen(p) + 1;
2984 +-
2985 +- return i;
2986 ++ for (i = 0; p < end && (!out_strs || i < skip + sz); i++, p += l) {
2987 ++ l = strnlen(p, end - p) + 1;
2988 ++ if (p + l > end)
2989 ++ return -EILSEQ;
2990 ++ if (out_strs && i >= skip)
2991 ++ *out_strs++ = p;
2992 ++ }
2993 ++ i -= skip;
2994 ++ return i <= 0 ? -ENODATA : i;
2995 + }
2996 +-EXPORT_SYMBOL_GPL(of_property_count_strings);
2997 ++EXPORT_SYMBOL_GPL(of_property_read_string_helper);
2998 +
2999 + /**
3000 + * of_parse_phandle - Resolve a phandle property to a device_node pointer
3001 +diff --git a/drivers/of/selftest.c b/drivers/of/selftest.c
3002 +index f24ffd7088d2..5a0771cc8987 100644
3003 +--- a/drivers/of/selftest.c
3004 ++++ b/drivers/of/selftest.c
3005 +@@ -120,8 +120,9 @@ static void __init of_selftest_parse_phandle_with_args(void)
3006 + pr_info("end - %s\n", passed_all ? "PASS" : "FAIL");
3007 + }
3008 +
3009 +-static void __init of_selftest_property_match_string(void)
3010 ++static void __init of_selftest_property_string(void)
3011 + {
3012 ++ const char *strings[4];
3013 + struct device_node *np;
3014 + int rc;
3015 +
3016 +@@ -139,13 +140,66 @@ static void __init of_selftest_property_match_string(void)
3017 + rc = of_property_match_string(np, "phandle-list-names", "third");
3018 + selftest(rc == 2, "third expected:0 got:%i\n", rc);
3019 + rc = of_property_match_string(np, "phandle-list-names", "fourth");
3020 +- selftest(rc == -ENODATA, "unmatched string; rc=%i", rc);
3021 ++ selftest(rc == -ENODATA, "unmatched string; rc=%i\n", rc);
3022 + rc = of_property_match_string(np, "missing-property", "blah");
3023 +- selftest(rc == -EINVAL, "missing property; rc=%i", rc);
3024 ++ selftest(rc == -EINVAL, "missing property; rc=%i\n", rc);
3025 + rc = of_property_match_string(np, "empty-property", "blah");
3026 +- selftest(rc == -ENODATA, "empty property; rc=%i", rc);
3027 ++ selftest(rc == -ENODATA, "empty property; rc=%i\n", rc);
3028 + rc = of_property_match_string(np, "unterminated-string", "blah");
3029 +- selftest(rc == -EILSEQ, "unterminated string; rc=%i", rc);
3030 ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc);
3031 ++
3032 ++ /* of_property_count_strings() tests */
3033 ++ rc = of_property_count_strings(np, "string-property");
3034 ++ selftest(rc == 1, "Incorrect string count; rc=%i\n", rc);
3035 ++ rc = of_property_count_strings(np, "phandle-list-names");
3036 ++ selftest(rc == 3, "Incorrect string count; rc=%i\n", rc);
3037 ++ rc = of_property_count_strings(np, "unterminated-string");
3038 ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc);
3039 ++ rc = of_property_count_strings(np, "unterminated-string-list");
3040 ++ selftest(rc == -EILSEQ, "unterminated string array; rc=%i\n", rc);
3041 ++
3042 ++ /* of_property_read_string_index() tests */
3043 ++ rc = of_property_read_string_index(np, "string-property", 0, strings);
3044 ++ selftest(rc == 0 && !strcmp(strings[0], "foobar"), "of_property_read_string_index() failure; rc=%i\n", rc);
3045 ++ strings[0] = NULL;
3046 ++ rc = of_property_read_string_index(np, "string-property", 1, strings);
3047 ++ selftest(rc == -ENODATA && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc);
3048 ++ rc = of_property_read_string_index(np, "phandle-list-names", 0, strings);
3049 ++ selftest(rc == 0 && !strcmp(strings[0], "first"), "of_property_read_string_index() failure; rc=%i\n", rc);
3050 ++ rc = of_property_read_string_index(np, "phandle-list-names", 1, strings);
3051 ++ selftest(rc == 0 && !strcmp(strings[0], "second"), "of_property_read_string_index() failure; rc=%i\n", rc);
3052 ++ rc = of_property_read_string_index(np, "phandle-list-names", 2, strings);
3053 ++ selftest(rc == 0 && !strcmp(strings[0], "third"), "of_property_read_string_index() failure; rc=%i\n", rc);
3054 ++ strings[0] = NULL;
3055 ++ rc = of_property_read_string_index(np, "phandle-list-names", 3, strings);
3056 ++ selftest(rc == -ENODATA && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc);
3057 ++ strings[0] = NULL;
3058 ++ rc = of_property_read_string_index(np, "unterminated-string", 0, strings);
3059 ++ selftest(rc == -EILSEQ && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc);
3060 ++ rc = of_property_read_string_index(np, "unterminated-string-list", 0, strings);
3061 ++ selftest(rc == 0 && !strcmp(strings[0], "first"), "of_property_read_string_index() failure; rc=%i\n", rc);
3062 ++ strings[0] = NULL;
3063 ++ rc = of_property_read_string_index(np, "unterminated-string-list", 2, strings); /* should fail */
3064 ++ selftest(rc == -EILSEQ && strings[0] == NULL, "of_property_read_string_index() failure; rc=%i\n", rc);
3065 ++ strings[1] = NULL;
3066 ++
3067 ++ /* of_property_read_string_array() tests */
3068 ++ rc = of_property_read_string_array(np, "string-property", strings, 4);
3069 ++ selftest(rc == 1, "Incorrect string count; rc=%i\n", rc);
3070 ++ rc = of_property_read_string_array(np, "phandle-list-names", strings, 4);
3071 ++ selftest(rc == 3, "Incorrect string count; rc=%i\n", rc);
3072 ++ rc = of_property_read_string_array(np, "unterminated-string", strings, 4);
3073 ++ selftest(rc == -EILSEQ, "unterminated string; rc=%i\n", rc);
3074 ++ /* -- An incorrectly formed string should cause a failure */
3075 ++ rc = of_property_read_string_array(np, "unterminated-string-list", strings, 4);
3076 ++ selftest(rc == -EILSEQ, "unterminated string array; rc=%i\n", rc);
3077 ++ /* -- parsing the correctly formed strings should still work: */
3078 ++ strings[2] = NULL;
3079 ++ rc = of_property_read_string_array(np, "unterminated-string-list", strings, 2);
3080 ++ selftest(rc == 2 && strings[2] == NULL, "of_property_read_string_array() failure; rc=%i\n", rc);
3081 ++ strings[1] = NULL;
3082 ++ rc = of_property_read_string_array(np, "phandle-list-names", strings, 1);
3083 ++ selftest(rc == 1 && strings[1] == NULL, "Overwrote end of string array; rc=%i, str='%s'\n", rc, strings[1]);
3084 + }
3085 +
3086 + static int __init of_selftest(void)
3087 +@@ -161,7 +215,7 @@ static int __init of_selftest(void)
3088 +
3089 + pr_info("start of selftest - you will see error messages\n");
3090 + of_selftest_parse_phandle_with_args();
3091 +- of_selftest_property_match_string();
3092 ++ of_selftest_property_string();
3093 + pr_info("end of selftest - %s\n", selftest_passed ? "PASS" : "FAIL");
3094 + return 0;
3095 + }
3096 +diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
3097 +index 9e39df969560..75dc402f0347 100644
3098 +--- a/drivers/pci/hotplug/pciehp_core.c
3099 ++++ b/drivers/pci/hotplug/pciehp_core.c
3100 +@@ -237,6 +237,13 @@ static int pciehp_probe(struct pcie_device *dev)
3101 + else if (pciehp_acpi_slot_detection_check(dev->port))
3102 + goto err_out_none;
3103 +
3104 ++ if (!dev->port->subordinate) {
3105 ++ /* Can happen if we run out of bus numbers during probe */
3106 ++ dev_err(&dev->device,
3107 ++ "Hotplug bridge without secondary bus, ignoring\n");
3108 ++ goto err_out_none;
3109 ++ }
3110 ++
3111 + ctrl = pcie_init(dev);
3112 + if (!ctrl) {
3113 + dev_err(&dev->device, "Controller initialization failed\n");
3114 +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
3115 +index a55e248618cd..985ada79191e 100644
3116 +--- a/drivers/pci/pci-sysfs.c
3117 ++++ b/drivers/pci/pci-sysfs.c
3118 +@@ -173,7 +173,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr,
3119 + {
3120 + struct pci_dev *pci_dev = to_pci_dev(dev);
3121 +
3122 +- return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x\n",
3123 ++ return sprintf(buf, "pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X\n",
3124 + pci_dev->vendor, pci_dev->device,
3125 + pci_dev->subsystem_vendor, pci_dev->subsystem_device,
3126 + (u8)(pci_dev->class >> 16), (u8)(pci_dev->class >> 8),
3127 +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
3128 +index 61bc33ed1116..e587d0035a74 100644
3129 +--- a/drivers/pci/quirks.c
3130 ++++ b/drivers/pci/quirks.c
3131 +@@ -28,6 +28,7 @@
3132 + #include <linux/ioport.h>
3133 + #include <linux/sched.h>
3134 + #include <linux/ktime.h>
3135 ++#include <linux/mm.h>
3136 + #include <asm/dma.h> /* isa_dma_bridge_buggy */
3137 + #include "pci.h"
3138 +
3139 +@@ -291,6 +292,25 @@ static void __devinit quirk_citrine(struct pci_dev *dev)
3140 + }
3141 + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, PCI_DEVICE_ID_IBM_CITRINE, quirk_citrine);
3142 +
3143 ++/* On IBM Crocodile ipr SAS adapters, expand BAR to system page size */
3144 ++static void quirk_extend_bar_to_page(struct pci_dev *dev)
3145 ++{
3146 ++ int i;
3147 ++
3148 ++ for (i = 0; i < PCI_STD_RESOURCE_END; i++) {
3149 ++ struct resource *r = &dev->resource[i];
3150 ++
3151 ++ if (r->flags & IORESOURCE_MEM && resource_size(r) < PAGE_SIZE) {
3152 ++ r->end = PAGE_SIZE - 1;
3153 ++ r->start = 0;
3154 ++ r->flags |= IORESOURCE_UNSET;
3155 ++ dev_info(&dev->dev, "expanded BAR %d to page size: %pR\n",
3156 ++ i, r);
3157 ++ }
3158 ++ }
3159 ++}
3160 ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_IBM, 0x034a, quirk_extend_bar_to_page);
3161 ++
3162 + /*
3163 + * S3 868 and 968 chips report region size equal to 32M, but they decode 64M.
3164 + * If it's needed, re-allocate the region.
3165 +diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
3166 +index c1a3fd8e1243..4d047316e831 100644
3167 +--- a/drivers/platform/x86/acer-wmi.c
3168 ++++ b/drivers/platform/x86/acer-wmi.c
3169 +@@ -523,6 +523,17 @@ static const struct dmi_system_id video_vendor_dmi_table[] = {
3170 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4750"),
3171 + },
3172 + },
3173 ++ {
3174 ++ /*
3175 ++ * Note no video_set_backlight_video_vendor, we must use the
3176 ++ * acer interface, as there is no native backlight interface.
3177 ++ */
3178 ++ .ident = "Acer KAV80",
3179 ++ .matches = {
3180 ++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
3181 ++ DMI_MATCH(DMI_PRODUCT_NAME, "KAV80"),
3182 ++ },
3183 ++ },
3184 + {}
3185 + };
3186 +
3187 +diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
3188 +index de9f432cf22d..28c1bdb2e59b 100644
3189 +--- a/drivers/platform/x86/samsung-laptop.c
3190 ++++ b/drivers/platform/x86/samsung-laptop.c
3191 +@@ -1517,6 +1517,16 @@ static struct dmi_system_id __initdata samsung_dmi_table[] = {
3192 + },
3193 + .driver_data = &samsung_broken_acpi_video,
3194 + },
3195 ++ {
3196 ++ .callback = samsung_dmi_matched,
3197 ++ .ident = "NC210",
3198 ++ .matches = {
3199 ++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."),
3200 ++ DMI_MATCH(DMI_PRODUCT_NAME, "NC210/NC110"),
3201 ++ DMI_MATCH(DMI_BOARD_NAME, "NC210/NC110"),
3202 ++ },
3203 ++ .driver_data = &samsung_broken_acpi_video,
3204 ++ },
3205 + { },
3206 + };
3207 + MODULE_DEVICE_TABLE(dmi, samsung_dmi_table);
3208 +diff --git a/drivers/power/charger-manager.c b/drivers/power/charger-manager.c
3209 +index 4c449b26de46..102267fc713d 100644
3210 +--- a/drivers/power/charger-manager.c
3211 ++++ b/drivers/power/charger-manager.c
3212 +@@ -808,6 +808,11 @@ static int charger_manager_probe(struct platform_device *pdev)
3213 + goto err_no_charger_stat;
3214 + }
3215 +
3216 ++ if (!desc->psy_fuel_gauge) {
3217 ++ dev_err(&pdev->dev, "No fuel gauge power supply defined\n");
3218 ++ return -EINVAL;
3219 ++ }
3220 ++
3221 + /* Counting index only */
3222 + while (desc->psy_charger_stat[i])
3223 + i++;
3224 +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
3225 +index dcc39b612780..185971c2b41e 100644
3226 +--- a/drivers/scsi/scsi_error.c
3227 ++++ b/drivers/scsi/scsi_error.c
3228 +@@ -1679,8 +1679,10 @@ static void scsi_restart_operations(struct Scsi_Host *shost)
3229 + * is no point trying to lock the door of an off-line device.
3230 + */
3231 + shost_for_each_device(sdev, shost) {
3232 +- if (scsi_device_online(sdev) && sdev->locked)
3233 ++ if (scsi_device_online(sdev) && sdev->was_reset && sdev->locked) {
3234 + scsi_eh_lock_door(sdev);
3235 ++ sdev->was_reset = 0;
3236 ++ }
3237 + }
3238 +
3239 + /*
3240 +diff --git a/drivers/spi/spi-dw-mid.c b/drivers/spi/spi-dw-mid.c
3241 +index b9f0192758d6..efc494a65b43 100644
3242 +--- a/drivers/spi/spi-dw-mid.c
3243 ++++ b/drivers/spi/spi-dw-mid.c
3244 +@@ -89,7 +89,10 @@ err_exit:
3245 +
3246 + static void mid_spi_dma_exit(struct dw_spi *dws)
3247 + {
3248 ++ dmaengine_terminate_all(dws->txchan);
3249 + dma_release_channel(dws->txchan);
3250 ++
3251 ++ dmaengine_terminate_all(dws->rxchan);
3252 + dma_release_channel(dws->rxchan);
3253 + }
3254 +
3255 +@@ -136,7 +139,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, int cs_change)
3256 + txconf.dst_addr = dws->dma_addr;
3257 + txconf.dst_maxburst = LNW_DMA_MSIZE_16;
3258 + txconf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
3259 +- txconf.dst_addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES;
3260 ++ txconf.dst_addr_width = dws->dma_width;
3261 + txconf.device_fc = false;
3262 +
3263 + txchan->device->device_control(txchan, DMA_SLAVE_CONFIG,
3264 +@@ -159,7 +162,7 @@ static int mid_spi_dma_transfer(struct dw_spi *dws, int cs_change)
3265 + rxconf.src_addr = dws->dma_addr;
3266 + rxconf.src_maxburst = LNW_DMA_MSIZE_16;
3267 + rxconf.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
3268 +- rxconf.src_addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES;
3269 ++ rxconf.src_addr_width = dws->dma_width;
3270 + rxconf.device_fc = false;
3271 +
3272 + rxchan->device->device_control(rxchan, DMA_SLAVE_CONFIG,
3273 +diff --git a/drivers/spi/spi-pl022.c b/drivers/spi/spi-pl022.c
3274 +index 469eb28e8328..e3b845ae93c6 100644
3275 +--- a/drivers/spi/spi-pl022.c
3276 ++++ b/drivers/spi/spi-pl022.c
3277 +@@ -1061,7 +1061,7 @@ err_rxdesc:
3278 + pl022->sgt_tx.nents, DMA_TO_DEVICE);
3279 + err_tx_sgmap:
3280 + dma_unmap_sg(rxchan->device->dev, pl022->sgt_rx.sgl,
3281 +- pl022->sgt_tx.nents, DMA_FROM_DEVICE);
3282 ++ pl022->sgt_rx.nents, DMA_FROM_DEVICE);
3283 + err_rx_sgmap:
3284 + sg_free_table(&pl022->sgt_tx);
3285 + err_alloc_tx_sg:
3286 +diff --git a/drivers/staging/iio/impedance-analyzer/ad5933.c b/drivers/staging/iio/impedance-analyzer/ad5933.c
3287 +index cd82b56d58af..2db80b1fda82 100644
3288 +--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
3289 ++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
3290 +@@ -109,15 +109,44 @@ static struct ad5933_platform_data ad5933_default_pdata = {
3291 + };
3292 +
3293 + static struct iio_chan_spec ad5933_channels[] = {
3294 +- IIO_CHAN(IIO_TEMP, 0, 1, 1, NULL, 0, 0, 0,
3295 +- 0, AD5933_REG_TEMP_DATA, IIO_ST('s', 14, 16, 0), 0),
3296 +- /* Ring Channels */
3297 +- IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, "real_raw", 0, 0,
3298 +- IIO_CHAN_INFO_SCALE_SEPARATE_BIT,
3299 +- AD5933_REG_REAL_DATA, 0, IIO_ST('s', 16, 16, 0), 0),
3300 +- IIO_CHAN(IIO_VOLTAGE, 0, 1, 0, "imag_raw", 0, 0,
3301 +- IIO_CHAN_INFO_SCALE_SEPARATE_BIT,
3302 +- AD5933_REG_IMAG_DATA, 1, IIO_ST('s', 16, 16, 0), 0),
3303 ++ {
3304 ++ .type = IIO_TEMP,
3305 ++ .indexed = 1,
3306 ++ .processed_val = 1,
3307 ++ .channel = 0,
3308 ++ .address = AD5933_REG_TEMP_DATA,
3309 ++ .scan_type = {
3310 ++ .sign = 's',
3311 ++ .realbits = 14,
3312 ++ .storagebits = 16,
3313 ++ },
3314 ++ }, { /* Ring Channels */
3315 ++ .type = IIO_VOLTAGE,
3316 ++ .indexed = 1,
3317 ++ .channel = 0,
3318 ++ .extend_name = "real",
3319 ++ .info_mask = IIO_CHAN_INFO_SCALE_SEPARATE_BIT,
3320 ++ .address = AD5933_REG_REAL_DATA,
3321 ++ .scan_index = 0,
3322 ++ .scan_type = {
3323 ++ .sign = 's',
3324 ++ .realbits = 16,
3325 ++ .storagebits = 16,
3326 ++ },
3327 ++ }, {
3328 ++ .type = IIO_VOLTAGE,
3329 ++ .indexed = 1,
3330 ++ .channel = 0,
3331 ++ .extend_name = "imag",
3332 ++ .info_mask = IIO_CHAN_INFO_SCALE_SEPARATE_BIT,
3333 ++ .address = AD5933_REG_IMAG_DATA,
3334 ++ .scan_index = 1,
3335 ++ .scan_type = {
3336 ++ .sign = 's',
3337 ++ .realbits = 16,
3338 ++ .storagebits = 16,
3339 ++ },
3340 ++ },
3341 + };
3342 +
3343 + static int ad5933_i2c_write(struct i2c_client *client,
3344 +diff --git a/drivers/staging/iio/meter/ade7758_ring.c b/drivers/staging/iio/meter/ade7758_ring.c
3345 +index c45b23bb1229..629a6ed2c6ed 100644
3346 +--- a/drivers/staging/iio/meter/ade7758_ring.c
3347 ++++ b/drivers/staging/iio/meter/ade7758_ring.c
3348 +@@ -96,7 +96,7 @@ static int ade7758_ring_preenable(struct iio_dev *indio_dev)
3349 + size_t d_size;
3350 + unsigned channel;
3351 +
3352 +- if (!bitmap_empty(indio_dev->active_scan_mask, indio_dev->masklength))
3353 ++ if (bitmap_empty(indio_dev->active_scan_mask, indio_dev->masklength))
3354 + return -EINVAL;
3355 +
3356 + channel = find_first_bit(indio_dev->active_scan_mask,
3357 +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
3358 +index 34df0b2a630e..b4b308ef6cf5 100644
3359 +--- a/drivers/target/target_core_transport.c
3360 ++++ b/drivers/target/target_core_transport.c
3361 +@@ -3284,8 +3284,7 @@ static void transport_complete_qf(struct se_cmd *cmd)
3362 +
3363 + if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
3364 + ret = cmd->se_tfo->queue_status(cmd);
3365 +- if (ret)
3366 +- goto out;
3367 ++ goto out;
3368 + }
3369 +
3370 + switch (cmd->data_direction) {
3371 +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
3372 +index d53f39668044..6f8f985e7805 100644
3373 +--- a/drivers/tty/serial/8250/8250_pci.c
3374 ++++ b/drivers/tty/serial/8250/8250_pci.c
3375 +@@ -1164,6 +1164,7 @@ pci_xr17c154_setup(struct serial_private *priv,
3376 + #define PCI_DEVICE_ID_PLX_CRONYX_OMEGA 0xc001
3377 + #define PCI_DEVICE_ID_INTEL_PATSBURG_KT 0x1d3d
3378 + #define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a
3379 ++#define PCI_DEVICE_ID_INTEL_QRK_UART 0x0936
3380 +
3381 + /* Unknown vendors/cards - this should not be in linux/pci_ids.h */
3382 + #define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584
3383 +@@ -1686,6 +1687,13 @@ static struct pci_serial_quirk pci_serial_quirks[] __refdata = {
3384 + .init = pci_eg20t_init,
3385 + .setup = pci_default_setup,
3386 + },
3387 ++ {
3388 ++ .vendor = PCI_VENDOR_ID_INTEL,
3389 ++ .device = PCI_DEVICE_ID_INTEL_QRK_UART,
3390 ++ .subvendor = PCI_ANY_ID,
3391 ++ .subdevice = PCI_ANY_ID,
3392 ++ .setup = pci_default_setup,
3393 ++ },
3394 + /*
3395 + * Cronyx Omega PCI (PLX-chip based)
3396 + */
3397 +@@ -1894,6 +1902,7 @@ enum pci_board_num_t {
3398 + pbn_ADDIDATA_PCIe_4_3906250,
3399 + pbn_ADDIDATA_PCIe_8_3906250,
3400 + pbn_ce4100_1_115200,
3401 ++ pbn_qrk,
3402 + pbn_omegapci,
3403 + pbn_NETMOS9900_2s_115200,
3404 + pbn_brcm_trumanage,
3405 +@@ -2592,6 +2601,12 @@ static struct pciserial_board pci_boards[] __devinitdata = {
3406 + .base_baud = 921600,
3407 + .reg_shift = 2,
3408 + },
3409 ++ [pbn_qrk] = {
3410 ++ .flags = FL_BASE0,
3411 ++ .num_ports = 1,
3412 ++ .base_baud = 2764800,
3413 ++ .reg_shift = 2,
3414 ++ },
3415 + [pbn_omegapci] = {
3416 + .flags = FL_BASE0,
3417 + .num_ports = 8,
3418 +@@ -4164,6 +4179,12 @@ static struct pci_device_id serial_pci_tbl[] = {
3419 + pbn_ce4100_1_115200 },
3420 +
3421 + /*
3422 ++ * Intel Quark x1000
3423 ++ */
3424 ++ { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_QRK_UART,
3425 ++ PCI_ANY_ID, PCI_ANY_ID, 0, 0,
3426 ++ pbn_qrk },
3427 ++ /*
3428 + * Cronyx Omega PCI
3429 + */
3430 + { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_CRONYX_OMEGA,
3431 +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
3432 +index 4185cc5332ab..82aac2920e19 100644
3433 +--- a/drivers/tty/serial/serial_core.c
3434 ++++ b/drivers/tty/serial/serial_core.c
3435 +@@ -355,7 +355,7 @@ uart_get_baud_rate(struct uart_port *port, struct ktermios *termios,
3436 + * The spd_hi, spd_vhi, spd_shi, spd_warp kludge...
3437 + * Die! Die! Die!
3438 + */
3439 +- if (baud == 38400)
3440 ++ if (try == 0 && baud == 38400)
3441 + baud = altbaud;
3442 +
3443 + /*
3444 +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
3445 +index b28d6356a142..a07eb4c068a0 100644
3446 +--- a/drivers/tty/tty_io.c
3447 ++++ b/drivers/tty/tty_io.c
3448 +@@ -1633,6 +1633,8 @@ int tty_release(struct inode *inode, struct file *filp)
3449 + int devpts;
3450 + int idx;
3451 + char buf[64];
3452 ++ long timeout = 0;
3453 ++ int once = 1;
3454 +
3455 + if (tty_paranoia_check(tty, inode, __func__))
3456 + return 0;
3457 +@@ -1713,11 +1715,18 @@ int tty_release(struct inode *inode, struct file *filp)
3458 + if (!do_sleep)
3459 + break;
3460 +
3461 +- printk(KERN_WARNING "%s: %s: read/write wait queue active!\n",
3462 ++ if (once) {
3463 ++ once = 0;
3464 ++ printk(KERN_WARNING "%s: %s: read/write wait queue active!\n",
3465 + __func__, tty_name(tty, buf));
3466 ++ }
3467 + tty_unlock();
3468 + mutex_unlock(&tty_mutex);
3469 +- schedule();
3470 ++ schedule_timeout_killable(timeout);
3471 ++ if (timeout < 120 * HZ)
3472 ++ timeout = 2 * timeout + 1;
3473 ++ else
3474 ++ timeout = MAX_SCHEDULE_TIMEOUT;
3475 + }
3476 +
3477 + /*
3478 +diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c
3479 +index 8308fc7cdc26..87025d01aaec 100644
3480 +--- a/drivers/tty/vt/consolemap.c
3481 ++++ b/drivers/tty/vt/consolemap.c
3482 +@@ -518,6 +518,10 @@ int con_set_unimap(struct vc_data *vc, ushort ct, struct unipair __user *list)
3483 +
3484 + /* Save original vc_unipagdir_loc in case we allocate a new one */
3485 + p = (struct uni_pagedir *)*vc->vc_uni_pagedir_loc;
3486 ++
3487 ++ if (!p)
3488 ++ return -EINVAL;
3489 ++
3490 + if (p->readonly) return -EIO;
3491 +
3492 + if (!ct) return 0;
3493 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
3494 +index 2f2540ff21f6..8f4a628d3382 100644
3495 +--- a/drivers/usb/class/cdc-acm.c
3496 ++++ b/drivers/usb/class/cdc-acm.c
3497 +@@ -910,11 +910,12 @@ static void acm_tty_set_termios(struct tty_struct *tty,
3498 + /* FIXME: Needs to clear unsupported bits in the termios */
3499 + acm->clocal = ((termios->c_cflag & CLOCAL) != 0);
3500 +
3501 +- if (!newline.dwDTERate) {
3502 ++ if (C_BAUD(tty) == B0) {
3503 + newline.dwDTERate = acm->line.dwDTERate;
3504 + newctrl &= ~ACM_CTRL_DTR;
3505 +- } else
3506 ++ } else if (termios_old && (termios_old->c_cflag & CBAUD) == B0) {
3507 + newctrl |= ACM_CTRL_DTR;
3508 ++ }
3509 +
3510 + if (newctrl != acm->ctrlout)
3511 + acm_set_control(acm, acm->ctrlout = newctrl);
3512 +@@ -1601,6 +1602,7 @@ static const struct usb_device_id acm_ids[] = {
3513 + { USB_DEVICE(0x0572, 0x1328), /* Shiro / Aztech USB MODEM UM-3100 */
3514 + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
3515 + },
3516 ++ { USB_DEVICE(0x2184, 0x001c) }, /* GW Instek AFG-2225 */
3517 + { USB_DEVICE(0x22b8, 0x6425), /* Motorola MOTOMAGX phones */
3518 + },
3519 + /* Motorola H24 HSPA module: */
3520 +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
3521 +index e2cc8df3d87b..6baeada782eb 100644
3522 +--- a/drivers/usb/core/hcd.c
3523 ++++ b/drivers/usb/core/hcd.c
3524 +@@ -1882,6 +1882,8 @@ int usb_alloc_streams(struct usb_interface *interface,
3525 + return -EINVAL;
3526 + if (dev->speed != USB_SPEED_SUPER)
3527 + return -EINVAL;
3528 ++ if (dev->state < USB_STATE_CONFIGURED)
3529 ++ return -ENODEV;
3530 +
3531 + /* Streams only apply to bulk endpoints. */
3532 + for (i = 0; i < num_eps; i++)
3533 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
3534 +index 62a9e44bfef6..93f2538b16cc 100644
3535 +--- a/drivers/usb/core/hub.c
3536 ++++ b/drivers/usb/core/hub.c
3537 +@@ -1638,8 +1638,10 @@ void usb_set_device_state(struct usb_device *udev,
3538 + || new_state == USB_STATE_SUSPENDED)
3539 + ; /* No change to wakeup settings */
3540 + else if (new_state == USB_STATE_CONFIGURED)
3541 +- wakeup = udev->actconfig->desc.bmAttributes
3542 +- & USB_CONFIG_ATT_WAKEUP;
3543 ++ wakeup = (udev->quirks &
3544 ++ USB_QUIRK_IGNORE_REMOTE_WAKEUP) ? 0 :
3545 ++ udev->actconfig->desc.bmAttributes &
3546 ++ USB_CONFIG_ATT_WAKEUP;
3547 + else
3548 + wakeup = 0;
3549 + }
3550 +@@ -3359,6 +3361,9 @@ check_highspeed (struct usb_hub *hub, struct usb_device *udev, int port1)
3551 + struct usb_qualifier_descriptor *qual;
3552 + int status;
3553 +
3554 ++ if (udev->quirks & USB_QUIRK_DEVICE_QUALIFIER)
3555 ++ return;
3556 ++
3557 + qual = kmalloc (sizeof *qual, GFP_KERNEL);
3558 + if (qual == NULL)
3559 + return;
3560 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
3561 +index bcde6f65b1c6..980a9d8c6504 100644
3562 +--- a/drivers/usb/core/quirks.c
3563 ++++ b/drivers/usb/core/quirks.c
3564 +@@ -88,6 +88,12 @@ static const struct usb_device_id usb_quirk_list[] = {
3565 + { USB_DEVICE(0x04e8, 0x6601), .driver_info =
3566 + USB_QUIRK_CONFIG_INTF_STRINGS },
3567 +
3568 ++ { USB_DEVICE(0x04f3, 0x009b), .driver_info =
3569 ++ USB_QUIRK_DEVICE_QUALIFIER },
3570 ++
3571 ++ { USB_DEVICE(0x04f3, 0x016f), .driver_info =
3572 ++ USB_QUIRK_DEVICE_QUALIFIER },
3573 ++
3574 + /* Roland SC-8820 */
3575 + { USB_DEVICE(0x0582, 0x0007), .driver_info = USB_QUIRK_RESET_RESUME },
3576 +
3577 +@@ -158,6 +164,10 @@ static const struct usb_device_id usb_interface_quirk_list[] = {
3578 + { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0),
3579 + .driver_info = USB_QUIRK_RESET_RESUME },
3580 +
3581 ++ /* ASUS Base Station(T100) */
3582 ++ { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
3583 ++ USB_QUIRK_IGNORE_REMOTE_WAKEUP },
3584 ++
3585 + { } /* terminating entry must be last */
3586 + };
3587 +
3588 +diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
3589 +index 5bf2bc00821b..8a7a8ee176fa 100644
3590 +--- a/drivers/usb/dwc3/ep0.c
3591 ++++ b/drivers/usb/dwc3/ep0.c
3592 +@@ -209,7 +209,7 @@ static void dwc3_ep0_stall_and_restart(struct dwc3 *dwc)
3593 + struct dwc3_ep *dep = dwc->eps[0];
3594 +
3595 + /* stall is always issued on EP0 */
3596 +- __dwc3_gadget_ep_set_halt(dep, 1);
3597 ++ __dwc3_gadget_ep_set_halt(dep, 1, false);
3598 + dep->flags = DWC3_EP_ENABLED;
3599 + dwc->delayed_status = false;
3600 +
3601 +@@ -382,7 +382,7 @@ static int dwc3_ep0_handle_feature(struct dwc3 *dwc,
3602 + return -EINVAL;
3603 + if (set == 0 && (dep->flags & DWC3_EP_WEDGE))
3604 + break;
3605 +- ret = __dwc3_gadget_ep_set_halt(dep, set);
3606 ++ ret = __dwc3_gadget_ep_set_halt(dep, set, true);
3607 + if (ret)
3608 + return -EINVAL;
3609 + break;
3610 +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
3611 +index 895497d42270..1acb3a419539 100644
3612 +--- a/drivers/usb/dwc3/gadget.c
3613 ++++ b/drivers/usb/dwc3/gadget.c
3614 +@@ -485,12 +485,11 @@ static int __dwc3_gadget_ep_enable(struct dwc3_ep *dep,
3615 + if (!usb_endpoint_xfer_isoc(desc))
3616 + return 0;
3617 +
3618 +- memset(&trb_link, 0, sizeof(trb_link));
3619 +-
3620 + /* Link TRB for ISOC. The HWO bit is never reset */
3621 + trb_st_hw = &dep->trb_pool[0];
3622 +
3623 + trb_link = &dep->trb_pool[DWC3_TRB_NUM - 1];
3624 ++ memset(trb_link, 0, sizeof(*trb_link));
3625 +
3626 + trb_link->bpl = lower_32_bits(dwc3_trb_dma_offset(dep, trb_st_hw));
3627 + trb_link->bph = upper_32_bits(dwc3_trb_dma_offset(dep, trb_st_hw));
3628 +@@ -533,7 +532,7 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep)
3629 +
3630 + /* make sure HW endpoint isn't stalled */
3631 + if (dep->flags & DWC3_EP_STALL)
3632 +- __dwc3_gadget_ep_set_halt(dep, 0);
3633 ++ __dwc3_gadget_ep_set_halt(dep, 0, false);
3634 +
3635 + reg = dwc3_readl(dwc->regs, DWC3_DALEPENA);
3636 + reg &= ~DWC3_DALEPENA_EP(dep->number);
3637 +@@ -1078,7 +1077,7 @@ out0:
3638 + return ret;
3639 + }
3640 +
3641 +-int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value)
3642 ++int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol)
3643 + {
3644 + struct dwc3_gadget_ep_cmd_params params;
3645 + struct dwc3 *dwc = dep->dwc;
3646 +@@ -1087,6 +1086,14 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value)
3647 + memset(&params, 0x00, sizeof(params));
3648 +
3649 + if (value) {
3650 ++ if (!protocol && ((dep->direction && dep->flags & DWC3_EP_BUSY) ||
3651 ++ (!list_empty(&dep->req_queued) ||
3652 ++ !list_empty(&dep->request_list)))) {
3653 ++ dev_dbg(dwc->dev, "%s: pending request, cannot halt\n",
3654 ++ dep->name);
3655 ++ return -EAGAIN;
3656 ++ }
3657 ++
3658 + if (dep->number == 0 || dep->number == 1) {
3659 + /*
3660 + * Whenever EP0 is stalled, we will restart
3661 +@@ -1135,7 +1142,7 @@ static int dwc3_gadget_ep_set_halt(struct usb_ep *ep, int value)
3662 + goto out;
3663 + }
3664 +
3665 +- ret = __dwc3_gadget_ep_set_halt(dep, value);
3666 ++ ret = __dwc3_gadget_ep_set_halt(dep, value, false);
3667 + out:
3668 + spin_unlock_irqrestore(&dwc->lock, flags);
3669 +
3670 +diff --git a/drivers/usb/dwc3/gadget.h b/drivers/usb/dwc3/gadget.h
3671 +index a8600084348c..6f498fc4f568 100644
3672 +--- a/drivers/usb/dwc3/gadget.h
3673 ++++ b/drivers/usb/dwc3/gadget.h
3674 +@@ -108,7 +108,7 @@ void dwc3_ep0_interrupt(struct dwc3 *dwc,
3675 + void dwc3_ep0_out_start(struct dwc3 *dwc);
3676 + int dwc3_gadget_ep0_queue(struct usb_ep *ep, struct usb_request *request,
3677 + gfp_t gfp_flags);
3678 +-int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value);
3679 ++int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol);
3680 + int dwc3_send_gadget_ep_cmd(struct dwc3 *dwc, unsigned ep,
3681 + unsigned cmd, struct dwc3_gadget_ep_cmd_params *params);
3682 +
3683 +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
3684 +index 8882d654b0d1..c8835d591b37 100644
3685 +--- a/drivers/usb/host/xhci-pci.c
3686 ++++ b/drivers/usb/host/xhci-pci.c
3687 +@@ -118,20 +118,6 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
3688 + xhci->quirks |= XHCI_SPURIOUS_REBOOT;
3689 + xhci->quirks |= XHCI_AVOID_BEI;
3690 + }
3691 +- if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
3692 +- (pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI ||
3693 +- pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI)) {
3694 +- /* Workaround for occasional spurious wakeups from S5 (or
3695 +- * any other sleep) on Haswell machines with LPT and LPT-LP
3696 +- * with the new Intel BIOS
3697 +- */
3698 +- /* Limit the quirk to only known vendors, as this triggers
3699 +- * yet another BIOS bug on some other machines
3700 +- * https://bugzilla.kernel.org/show_bug.cgi?id=66171
3701 +- */
3702 +- if (pdev->subsystem_vendor == PCI_VENDOR_ID_HP)
3703 +- xhci->quirks |= XHCI_SPURIOUS_WAKEUP;
3704 +- }
3705 + if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
3706 + pdev->device == PCI_DEVICE_ID_ASROCK_P67) {
3707 + xhci->quirks |= XHCI_RESET_ON_RESUME;
3708 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
3709 +index ac339570a805..19074db60896 100644
3710 +--- a/drivers/usb/serial/cp210x.c
3711 ++++ b/drivers/usb/serial/cp210x.c
3712 +@@ -128,6 +128,7 @@ static const struct usb_device_id id_table[] = {
3713 + { USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */
3714 + { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
3715 + { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
3716 ++ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
3717 + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
3718 + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
3719 + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
3720 +@@ -160,7 +161,9 @@ static const struct usb_device_id id_table[] = {
3721 + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
3722 + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
3723 + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
3724 ++ { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */
3725 + { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
3726 ++ { USB_DEVICE(0x1D6F, 0x0010) }, /* Seluxit ApS RF Dongle */
3727 + { USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */
3728 + { USB_DEVICE(0x1E29, 0x0501) }, /* Festo CMSP */
3729 + { USB_DEVICE(0x1FB9, 0x0100) }, /* Lake Shore Model 121 Current Source */
3730 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
3731 +index 8425e9e9e127..a89433bd5314 100644
3732 +--- a/drivers/usb/serial/ftdi_sio.c
3733 ++++ b/drivers/usb/serial/ftdi_sio.c
3734 +@@ -156,6 +156,7 @@ static struct ftdi_sio_quirk ftdi_8u2232c_quirk = {
3735 + * /sys/bus/usb/ftdi_sio/new_id, then send patch/report!
3736 + */
3737 + static struct usb_device_id id_table_combined [] = {
3738 ++ { USB_DEVICE(FTDI_VID, FTDI_BRICK_PID) },
3739 + { USB_DEVICE(FTDI_VID, FTDI_ZEITCONTROL_TAGTRACE_MIFARE_PID) },
3740 + { USB_DEVICE(FTDI_VID, FTDI_CTI_MINI_PID) },
3741 + { USB_DEVICE(FTDI_VID, FTDI_CTI_NANO_PID) },
3742 +@@ -685,6 +686,10 @@ static struct usb_device_id id_table_combined [] = {
3743 + { USB_DEVICE(FTDI_VID, XSENS_CONVERTER_5_PID) },
3744 + { USB_DEVICE(FTDI_VID, XSENS_CONVERTER_6_PID) },
3745 + { USB_DEVICE(FTDI_VID, XSENS_CONVERTER_7_PID) },
3746 ++ { USB_DEVICE(XSENS_VID, XSENS_AWINDA_DONGLE_PID) },
3747 ++ { USB_DEVICE(XSENS_VID, XSENS_AWINDA_STATION_PID) },
3748 ++ { USB_DEVICE(XSENS_VID, XSENS_CONVERTER_PID) },
3749 ++ { USB_DEVICE(XSENS_VID, XSENS_MTW_PID) },
3750 + { USB_DEVICE(FTDI_VID, FTDI_OMNI1509) },
3751 + { USB_DEVICE(MOBILITY_VID, MOBILITY_USB_SERIAL_PID) },
3752 + { USB_DEVICE(FTDI_VID, FTDI_ACTIVE_ROBOTS_PID) },
3753 +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
3754 +index 7628b91017ba..64ee791687d9 100644
3755 +--- a/drivers/usb/serial/ftdi_sio_ids.h
3756 ++++ b/drivers/usb/serial/ftdi_sio_ids.h
3757 +@@ -30,6 +30,12 @@
3758 +
3759 + /*** third-party PIDs (using FTDI_VID) ***/
3760 +
3761 ++/*
3762 ++ * Certain versions of the official Windows FTDI driver reprogrammed
3763 ++ * counterfeit FTDI devices to PID 0. Support these devices anyway.
3764 ++ */
3765 ++#define FTDI_BRICK_PID 0x0000
3766 ++
3767 + #define FTDI_LUMEL_PD12_PID 0x6002
3768 +
3769 + /*
3770 +@@ -142,12 +148,19 @@
3771 + /*
3772 + * Xsens Technologies BV products (http://www.xsens.com).
3773 + */
3774 +-#define XSENS_CONVERTER_0_PID 0xD388
3775 +-#define XSENS_CONVERTER_1_PID 0xD389
3776 ++#define XSENS_VID 0x2639
3777 ++#define XSENS_AWINDA_STATION_PID 0x0101
3778 ++#define XSENS_AWINDA_DONGLE_PID 0x0102
3779 ++#define XSENS_MTW_PID 0x0200 /* Xsens MTw */
3780 ++#define XSENS_CONVERTER_PID 0xD00D /* Xsens USB-serial converter */
3781 ++
3782 ++/* Xsens devices using FTDI VID */
3783 ++#define XSENS_CONVERTER_0_PID 0xD388 /* Xsens USB converter */
3784 ++#define XSENS_CONVERTER_1_PID 0xD389 /* Xsens Wireless Receiver */
3785 + #define XSENS_CONVERTER_2_PID 0xD38A
3786 +-#define XSENS_CONVERTER_3_PID 0xD38B
3787 +-#define XSENS_CONVERTER_4_PID 0xD38C
3788 +-#define XSENS_CONVERTER_5_PID 0xD38D
3789 ++#define XSENS_CONVERTER_3_PID 0xD38B /* Xsens USB-serial converter */
3790 ++#define XSENS_CONVERTER_4_PID 0xD38C /* Xsens Wireless Receiver */
3791 ++#define XSENS_CONVERTER_5_PID 0xD38D /* Xsens Awinda Station */
3792 + #define XSENS_CONVERTER_6_PID 0xD38E
3793 + #define XSENS_CONVERTER_7_PID 0xD38F
3794 +
3795 +diff --git a/drivers/usb/serial/kobil_sct.c b/drivers/usb/serial/kobil_sct.c
3796 +index 4a9a75eb9b95..c3a53acda67a 100644
3797 +--- a/drivers/usb/serial/kobil_sct.c
3798 ++++ b/drivers/usb/serial/kobil_sct.c
3799 +@@ -447,7 +447,7 @@ static int kobil_write(struct tty_struct *tty, struct usb_serial_port *port,
3800 + );
3801 +
3802 + priv->cur_pos = priv->cur_pos + length;
3803 +- result = usb_submit_urb(port->write_urb, GFP_NOIO);
3804 ++ result = usb_submit_urb(port->write_urb, GFP_ATOMIC);
3805 + dbg("%s - port %d Send write URB returns: %i",
3806 + __func__, port->number, result);
3807 + todo = priv->filled - priv->cur_pos;
3808 +@@ -463,7 +463,7 @@ static int kobil_write(struct tty_struct *tty, struct usb_serial_port *port,
3809 + if (priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID ||
3810 + priv->device_type == KOBIL_ADAPTER_K_PRODUCT_ID) {
3811 + result = usb_submit_urb(port->interrupt_in_urb,
3812 +- GFP_NOIO);
3813 ++ GFP_ATOMIC);
3814 + dbg("%s - port %d Send read URB returns: %i",
3815 + __func__, port->number, result);
3816 + }
3817 +diff --git a/drivers/usb/serial/opticon.c b/drivers/usb/serial/opticon.c
3818 +index 1f850065d159..58b7cecd682f 100644
3819 +--- a/drivers/usb/serial/opticon.c
3820 ++++ b/drivers/usb/serial/opticon.c
3821 +@@ -293,7 +293,7 @@ static int opticon_write(struct tty_struct *tty, struct usb_serial_port *port,
3822 +
3823 + /* The conncected devices do not have a bulk write endpoint,
3824 + * to transmit data to de barcode device the control endpoint is used */
3825 +- dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_NOIO);
3826 ++ dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_ATOMIC);
3827 + if (!dr) {
3828 + dev_err(&port->dev, "out of memory\n");
3829 + count = -ENOMEM;
3830 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
3831 +index 703ebe7eaa93..d8232df2c211 100644
3832 +--- a/drivers/usb/serial/option.c
3833 ++++ b/drivers/usb/serial/option.c
3834 +@@ -269,6 +269,7 @@ static void option_instat_callback(struct urb *urb);
3835 + #define TELIT_PRODUCT_DE910_DUAL 0x1010
3836 + #define TELIT_PRODUCT_UE910_V2 0x1012
3837 + #define TELIT_PRODUCT_LE920 0x1200
3838 ++#define TELIT_PRODUCT_LE910 0x1201
3839 +
3840 + /* ZTE PRODUCTS */
3841 + #define ZTE_VENDOR_ID 0x19d2
3842 +@@ -362,6 +363,7 @@ static void option_instat_callback(struct urb *urb);
3843 +
3844 + /* Haier products */
3845 + #define HAIER_VENDOR_ID 0x201e
3846 ++#define HAIER_PRODUCT_CE81B 0x10f8
3847 + #define HAIER_PRODUCT_CE100 0x2009
3848 +
3849 + /* Cinterion (formerly Siemens) products */
3850 +@@ -589,6 +591,11 @@ static const struct option_blacklist_info zte_1255_blacklist = {
3851 + .reserved = BIT(3) | BIT(4),
3852 + };
3853 +
3854 ++static const struct option_blacklist_info telit_le910_blacklist = {
3855 ++ .sendsetup = BIT(0),
3856 ++ .reserved = BIT(1) | BIT(2),
3857 ++};
3858 ++
3859 + static const struct option_blacklist_info telit_le920_blacklist = {
3860 + .sendsetup = BIT(0),
3861 + .reserved = BIT(1) | BIT(5),
3862 +@@ -1138,6 +1145,8 @@ static const struct usb_device_id option_ids[] = {
3863 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_CC864_SINGLE) },
3864 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_DE910_DUAL) },
3865 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) },
3866 ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
3867 ++ .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
3868 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
3869 + .driver_info = (kernel_ulong_t)&telit_le920_blacklist },
3870 + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
3871 +@@ -1614,6 +1623,7 @@ static const struct usb_device_id option_ids[] = {
3872 + { USB_DEVICE(LONGCHEER_VENDOR_ID, ZOOM_PRODUCT_4597) },
3873 + { USB_DEVICE(LONGCHEER_VENDOR_ID, IBALL_3_5G_CONNECT) },
3874 + { USB_DEVICE(HAIER_VENDOR_ID, HAIER_PRODUCT_CE100) },
3875 ++ { USB_DEVICE_AND_INTERFACE_INFO(HAIER_VENDOR_ID, HAIER_PRODUCT_CE81B, 0xff, 0xff, 0xff) },
3876 + /* Pirelli */
3877 + { USB_DEVICE(PIRELLI_VENDOR_ID, PIRELLI_PRODUCT_C100_1)},
3878 + { USB_DEVICE(PIRELLI_VENDOR_ID, PIRELLI_PRODUCT_C100_2)},
3879 +diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c
3880 +index c70109e5d60b..d8d26f4f14dd 100644
3881 +--- a/drivers/usb/storage/transport.c
3882 ++++ b/drivers/usb/storage/transport.c
3883 +@@ -1120,6 +1120,31 @@ int usb_stor_Bulk_transport(struct scsi_cmnd *srb, struct us_data *us)
3884 + */
3885 + if (result == USB_STOR_XFER_LONG)
3886 + fake_sense = 1;
3887 ++
3888 ++ /*
3889 ++ * Sometimes a device will mistakenly skip the data phase
3890 ++ * and go directly to the status phase without sending a
3891 ++ * zero-length packet. If we get a 13-byte response here,
3892 ++ * check whether it really is a CSW.
3893 ++ */
3894 ++ if (result == USB_STOR_XFER_SHORT &&
3895 ++ srb->sc_data_direction == DMA_FROM_DEVICE &&
3896 ++ transfer_length - scsi_get_resid(srb) ==
3897 ++ US_BULK_CS_WRAP_LEN) {
3898 ++ struct scatterlist *sg = NULL;
3899 ++ unsigned int offset = 0;
3900 ++
3901 ++ if (usb_stor_access_xfer_buf((unsigned char *) bcs,
3902 ++ US_BULK_CS_WRAP_LEN, srb, &sg,
3903 ++ &offset, FROM_XFER_BUF) ==
3904 ++ US_BULK_CS_WRAP_LEN &&
3905 ++ bcs->Signature ==
3906 ++ cpu_to_le32(US_BULK_CS_SIGN)) {
3907 ++ US_DEBUGP("Device skipped data phase\n");
3908 ++ scsi_set_resid(srb, transfer_length);
3909 ++ goto skipped_data_phase;
3910 ++ }
3911 ++ }
3912 + }
3913 +
3914 + /* See flow chart on pg 15 of the Bulk Only Transport spec for
3915 +@@ -1155,6 +1180,7 @@ int usb_stor_Bulk_transport(struct scsi_cmnd *srb, struct us_data *us)
3916 + if (result != USB_STOR_XFER_GOOD)
3917 + return USB_STOR_TRANSPORT_ERROR;
3918 +
3919 ++ skipped_data_phase:
3920 + /* check bulk status */
3921 + residue = le32_to_cpu(bcs->Residue);
3922 + US_DEBUGP("Bulk Status S 0x%x T 0x%x R %u Stat 0x%x\n",
3923 +diff --git a/drivers/video/console/bitblit.c b/drivers/video/console/bitblit.c
3924 +index 28b1a834906b..6cbb2069531d 100644
3925 +--- a/drivers/video/console/bitblit.c
3926 ++++ b/drivers/video/console/bitblit.c
3927 +@@ -205,7 +205,6 @@ static void bit_putcs(struct vc_data *vc, struct fb_info *info,
3928 + static void bit_clear_margins(struct vc_data *vc, struct fb_info *info,
3929 + int bottom_only)
3930 + {
3931 +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12;
3932 + unsigned int cw = vc->vc_font.width;
3933 + unsigned int ch = vc->vc_font.height;
3934 + unsigned int rw = info->var.xres - (vc->vc_cols*cw);
3935 +@@ -214,7 +213,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info,
3936 + unsigned int bs = info->var.yres - bh;
3937 + struct fb_fillrect region;
3938 +
3939 +- region.color = attr_bgcol_ec(bgshift, vc, info);
3940 ++ region.color = 0;
3941 + region.rop = ROP_COPY;
3942 +
3943 + if (rw && !bottom_only) {
3944 +diff --git a/drivers/video/console/fbcon_ccw.c b/drivers/video/console/fbcon_ccw.c
3945 +index 41b32ae23dac..5a3cbf6dff4d 100644
3946 +--- a/drivers/video/console/fbcon_ccw.c
3947 ++++ b/drivers/video/console/fbcon_ccw.c
3948 +@@ -197,9 +197,8 @@ static void ccw_clear_margins(struct vc_data *vc, struct fb_info *info,
3949 + unsigned int bh = info->var.xres - (vc->vc_rows*ch);
3950 + unsigned int bs = vc->vc_rows*ch;
3951 + struct fb_fillrect region;
3952 +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12;
3953 +
3954 +- region.color = attr_bgcol_ec(bgshift,vc,info);
3955 ++ region.color = 0;
3956 + region.rop = ROP_COPY;
3957 +
3958 + if (rw && !bottom_only) {
3959 +diff --git a/drivers/video/console/fbcon_cw.c b/drivers/video/console/fbcon_cw.c
3960 +index 6a737827beb1..7d3fd9bda66c 100644
3961 +--- a/drivers/video/console/fbcon_cw.c
3962 ++++ b/drivers/video/console/fbcon_cw.c
3963 +@@ -181,9 +181,8 @@ static void cw_clear_margins(struct vc_data *vc, struct fb_info *info,
3964 + unsigned int bh = info->var.xres - (vc->vc_rows*ch);
3965 + unsigned int rs = info->var.yres - rw;
3966 + struct fb_fillrect region;
3967 +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12;
3968 +
3969 +- region.color = attr_bgcol_ec(bgshift,vc,info);
3970 ++ region.color = 0;
3971 + region.rop = ROP_COPY;
3972 +
3973 + if (rw && !bottom_only) {
3974 +diff --git a/drivers/video/console/fbcon_ud.c b/drivers/video/console/fbcon_ud.c
3975 +index ff0872c0498b..19e3714abfe8 100644
3976 +--- a/drivers/video/console/fbcon_ud.c
3977 ++++ b/drivers/video/console/fbcon_ud.c
3978 +@@ -227,9 +227,8 @@ static void ud_clear_margins(struct vc_data *vc, struct fb_info *info,
3979 + unsigned int rw = info->var.xres - (vc->vc_cols*cw);
3980 + unsigned int bh = info->var.yres - (vc->vc_rows*ch);
3981 + struct fb_fillrect region;
3982 +- int bgshift = (vc->vc_hi_font_mask) ? 13 : 12;
3983 +
3984 +- region.color = attr_bgcol_ec(bgshift,vc,info);
3985 ++ region.color = 0;
3986 + region.rop = ROP_COPY;
3987 +
3988 + if (rw && !bottom_only) {
3989 +diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c
3990 +index 2e03d416b9af..a41f264dc23d 100644
3991 +--- a/drivers/virtio/virtio_pci.c
3992 ++++ b/drivers/virtio/virtio_pci.c
3993 +@@ -745,6 +745,7 @@ static int virtio_pci_restore(struct device *dev)
3994 + struct pci_dev *pci_dev = to_pci_dev(dev);
3995 + struct virtio_pci_device *vp_dev = pci_get_drvdata(pci_dev);
3996 + struct virtio_driver *drv;
3997 ++ unsigned status = 0;
3998 + int ret;
3999 +
4000 + drv = container_of(vp_dev->vdev.dev.driver,
4001 +@@ -755,14 +756,40 @@ static int virtio_pci_restore(struct device *dev)
4002 + return ret;
4003 +
4004 + pci_set_master(pci_dev);
4005 ++ /* We always start by resetting the device, in case a previous
4006 ++ * driver messed it up. */
4007 ++ vp_reset(&vp_dev->vdev);
4008 ++
4009 ++ /* Acknowledge that we've seen the device. */
4010 ++ status |= VIRTIO_CONFIG_S_ACKNOWLEDGE;
4011 ++ vp_set_status(&vp_dev->vdev, status);
4012 ++
4013 ++ /* Maybe driver failed before freeze.
4014 ++ * Restore the failed status, for debugging. */
4015 ++ status |= vp_dev->saved_status & VIRTIO_CONFIG_S_FAILED;
4016 ++ vp_set_status(&vp_dev->vdev, status);
4017 ++
4018 ++ if (!drv)
4019 ++ return 0;
4020 ++
4021 ++ /* We have a driver! */
4022 ++ status |= VIRTIO_CONFIG_S_DRIVER;
4023 ++ vp_set_status(&vp_dev->vdev, status);
4024 ++
4025 + vp_finalize_features(&vp_dev->vdev);
4026 +
4027 +- if (drv && drv->restore)
4028 ++ if (drv->restore) {
4029 + ret = drv->restore(&vp_dev->vdev);
4030 ++ if (ret) {
4031 ++ status |= VIRTIO_CONFIG_S_FAILED;
4032 ++ vp_set_status(&vp_dev->vdev, status);
4033 ++ return ret;
4034 ++ }
4035 ++ }
4036 +
4037 + /* Finally, tell the device we're all set */
4038 +- if (!ret)
4039 +- vp_set_status(&vp_dev->vdev, vp_dev->saved_status);
4040 ++ status |= VIRTIO_CONFIG_S_DRIVER_OK;
4041 ++ vp_set_status(&vp_dev->vdev, status);
4042 +
4043 + return ret;
4044 + }
4045 +diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c
4046 +index 5d158d320233..6eab2dd16e94 100644
4047 +--- a/fs/btrfs/file-item.c
4048 ++++ b/fs/btrfs/file-item.c
4049 +@@ -393,7 +393,7 @@ int btrfs_lookup_csums_range(struct btrfs_root *root, u64 start, u64 end,
4050 + ret = 0;
4051 + fail:
4052 + while (ret < 0 && !list_empty(&tmplist)) {
4053 +- sums = list_entry(&tmplist, struct btrfs_ordered_sum, list);
4054 ++ sums = list_entry(tmplist.next, struct btrfs_ordered_sum, list);
4055 + list_del(&sums->list);
4056 + kfree(sums);
4057 + }
4058 +diff --git a/fs/buffer.c b/fs/buffer.c
4059 +index f235e1834e39..ed2dc709883a 100644
4060 +--- a/fs/buffer.c
4061 ++++ b/fs/buffer.c
4062 +@@ -1982,6 +1982,7 @@ int generic_write_end(struct file *file, struct address_space *mapping,
4063 + struct page *page, void *fsdata)
4064 + {
4065 + struct inode *inode = mapping->host;
4066 ++ loff_t old_size = inode->i_size;
4067 + int i_size_changed = 0;
4068 +
4069 + copied = block_write_end(file, mapping, pos, len, copied, page, fsdata);
4070 +@@ -2001,6 +2002,8 @@ int generic_write_end(struct file *file, struct address_space *mapping,
4071 + unlock_page(page);
4072 + page_cache_release(page);
4073 +
4074 ++ if (old_size < pos)
4075 ++ pagecache_isize_extended(inode, old_size, pos);
4076 + /*
4077 + * Don't mark the inode dirty under page lock. First, it unnecessarily
4078 + * makes the holding time of page lock longer. Second, it forces lock
4079 +@@ -2221,6 +2224,11 @@ static int cont_expand_zero(struct file *file, struct address_space *mapping,
4080 + err = 0;
4081 +
4082 + balance_dirty_pages_ratelimited(mapping);
4083 ++
4084 ++ if (unlikely(fatal_signal_pending(current))) {
4085 ++ err = -EINTR;
4086 ++ goto out;
4087 ++ }
4088 + }
4089 +
4090 + /* page covers the boundary, find the boundary offset */
4091 +diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
4092 +index 11030b2fd3b4..b5b9b4086143 100644
4093 +--- a/fs/ecryptfs/inode.c
4094 ++++ b/fs/ecryptfs/inode.c
4095 +@@ -1093,7 +1093,7 @@ ecryptfs_setxattr(struct dentry *dentry, const char *name, const void *value,
4096 + }
4097 +
4098 + rc = vfs_setxattr(lower_dentry, name, value, size, flags);
4099 +- if (!rc)
4100 ++ if (!rc && dentry->d_inode)
4101 + fsstack_copy_attr_all(dentry->d_inode, lower_dentry->d_inode);
4102 + out:
4103 + return rc;
4104 +diff --git a/fs/ext3/super.c b/fs/ext3/super.c
4105 +index ef4c812c7a63..564f9429b3b1 100644
4106 +--- a/fs/ext3/super.c
4107 ++++ b/fs/ext3/super.c
4108 +@@ -1292,13 +1292,6 @@ set_qf_format:
4109 + "not specified.");
4110 + return 0;
4111 + }
4112 +- } else {
4113 +- if (sbi->s_jquota_fmt) {
4114 +- ext3_msg(sb, KERN_ERR, "error: journaled quota format "
4115 +- "specified with no journaling "
4116 +- "enabled.");
4117 +- return 0;
4118 +- }
4119 + }
4120 + #endif
4121 + return 1;
4122 +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
4123 +index 521ba9d18ce6..b9cdb6df8d2b 100644
4124 +--- a/fs/ext4/ext4.h
4125 ++++ b/fs/ext4/ext4.h
4126 +@@ -1891,6 +1891,7 @@ int ext4_get_block(struct inode *inode, sector_t iblock,
4127 + struct buffer_head *bh_result, int create);
4128 +
4129 + extern struct inode *ext4_iget(struct super_block *, unsigned long);
4130 ++extern struct inode *ext4_iget_normal(struct super_block *, unsigned long);
4131 + extern int ext4_write_inode(struct inode *, struct writeback_control *);
4132 + extern int ext4_setattr(struct dentry *, struct iattr *);
4133 + extern int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry,
4134 +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
4135 +index 75c4f36bced8..97ca4b6fb2a9 100644
4136 +--- a/fs/ext4/ialloc.c
4137 ++++ b/fs/ext4/ialloc.c
4138 +@@ -725,6 +725,10 @@ got:
4139 + struct buffer_head *block_bitmap_bh;
4140 +
4141 + block_bitmap_bh = ext4_read_block_bitmap(sb, group);
4142 ++ if (!block_bitmap_bh) {
4143 ++ err = -EIO;
4144 ++ goto out;
4145 ++ }
4146 + BUFFER_TRACE(block_bitmap_bh, "get block bitmap access");
4147 + err = ext4_journal_get_write_access(handle, block_bitmap_bh);
4148 + if (err) {
4149 +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
4150 +index 5b6dcba304b1..9e9db425c613 100644
4151 +--- a/fs/ext4/inode.c
4152 ++++ b/fs/ext4/inode.c
4153 +@@ -157,16 +157,14 @@ void ext4_evict_inode(struct inode *inode)
4154 + goto no_delete;
4155 + }
4156 +
4157 +- if (!is_bad_inode(inode))
4158 +- dquot_initialize(inode);
4159 ++ if (is_bad_inode(inode))
4160 ++ goto no_delete;
4161 ++ dquot_initialize(inode);
4162 +
4163 + if (ext4_should_order_data(inode))
4164 + ext4_begin_ordered_truncate(inode, 0);
4165 + truncate_inode_pages(&inode->i_data, 0);
4166 +
4167 +- if (is_bad_inode(inode))
4168 +- goto no_delete;
4169 +-
4170 + handle = ext4_journal_start(inode, ext4_blocks_for_truncate(inode)+3);
4171 + if (IS_ERR(handle)) {
4172 + ext4_std_error(inode->i_sb, PTR_ERR(handle));
4173 +@@ -2410,6 +2408,20 @@ static int ext4_nonda_switch(struct super_block *sb)
4174 + return 0;
4175 + }
4176 +
4177 ++/* We always reserve for an inode update; the superblock could be there too */
4178 ++static int ext4_da_write_credits(struct inode *inode, loff_t pos, unsigned len)
4179 ++{
4180 ++ if (likely(EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
4181 ++ EXT4_FEATURE_RO_COMPAT_LARGE_FILE)))
4182 ++ return 1;
4183 ++
4184 ++ if (pos + len <= 0x7fffffffULL)
4185 ++ return 1;
4186 ++
4187 ++ /* We might need to update the superblock to set LARGE_FILE */
4188 ++ return 2;
4189 ++}
4190 ++
4191 + static int ext4_da_write_begin(struct file *file, struct address_space *mapping,
4192 + loff_t pos, unsigned len, unsigned flags,
4193 + struct page **pagep, void **fsdata)
4194 +@@ -2436,7 +2448,8 @@ retry:
4195 + * to journalling the i_disksize update if writes to the end
4196 + * of file which has an already mapped buffer.
4197 + */
4198 +- handle = ext4_journal_start(inode, 1);
4199 ++ handle = ext4_journal_start(inode,
4200 ++ ext4_da_write_credits(inode, pos, len));
4201 + if (IS_ERR(handle)) {
4202 + ret = PTR_ERR(handle);
4203 + goto out;
4204 +@@ -3840,6 +3853,13 @@ bad_inode:
4205 + return ERR_PTR(ret);
4206 + }
4207 +
4208 ++struct inode *ext4_iget_normal(struct super_block *sb, unsigned long ino)
4209 ++{
4210 ++ if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO)
4211 ++ return ERR_PTR(-EIO);
4212 ++ return ext4_iget(sb, ino);
4213 ++}
4214 ++
4215 + static int ext4_inode_blocks_set(handle_t *handle,
4216 + struct ext4_inode *raw_inode,
4217 + struct ext4_inode_info *ei)
4218 +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
4219 +index 665e55ca208c..dc5852301da7 100644
4220 +--- a/fs/ext4/namei.c
4221 ++++ b/fs/ext4/namei.c
4222 +@@ -1051,7 +1051,7 @@ static struct dentry *ext4_lookup(struct inode *dir, struct dentry *dentry, stru
4223 + dentry->d_name.name);
4224 + return ERR_PTR(-EIO);
4225 + }
4226 +- inode = ext4_iget(dir->i_sb, ino);
4227 ++ inode = ext4_iget_normal(dir->i_sb, ino);
4228 + if (inode == ERR_PTR(-ESTALE)) {
4229 + EXT4_ERROR_INODE(dir,
4230 + "deleted inode referenced: %u",
4231 +@@ -1087,7 +1087,7 @@ struct dentry *ext4_get_parent(struct dentry *child)
4232 + return ERR_PTR(-EIO);
4233 + }
4234 +
4235 +- return d_obtain_alias(ext4_iget(child->d_inode->i_sb, ino));
4236 ++ return d_obtain_alias(ext4_iget_normal(child->d_inode->i_sb, ino));
4237 + }
4238 +
4239 + #define S_SHIFT 12
4240 +@@ -1421,31 +1421,38 @@ static int make_indexed_dir(handle_t *handle, struct dentry *dentry,
4241 + hinfo.hash_version += EXT4_SB(dir->i_sb)->s_hash_unsigned;
4242 + hinfo.seed = EXT4_SB(dir->i_sb)->s_hash_seed;
4243 + ext4fs_dirhash(name, namelen, &hinfo);
4244 ++ memset(frames, 0, sizeof(frames));
4245 + frame = frames;
4246 + frame->entries = entries;
4247 + frame->at = entries;
4248 + frame->bh = bh;
4249 + bh = bh2;
4250 +
4251 +- ext4_handle_dirty_metadata(handle, dir, frame->bh);
4252 +- ext4_handle_dirty_metadata(handle, dir, bh);
4253 ++ retval = ext4_handle_dirty_metadata(handle, dir, frame->bh);
4254 ++ if (retval)
4255 ++ goto out_frames;
4256 ++ retval = ext4_handle_dirty_metadata(handle, dir, bh);
4257 ++ if (retval)
4258 ++ goto out_frames;
4259 +
4260 + de = do_split(handle,dir, &bh, frame, &hinfo, &retval);
4261 + if (!de) {
4262 +- /*
4263 +- * Even if the block split failed, we have to properly write
4264 +- * out all the changes we did so far. Otherwise we can end up
4265 +- * with corrupted filesystem.
4266 +- */
4267 +- ext4_mark_inode_dirty(handle, dir);
4268 +- dx_release(frames);
4269 +- return retval;
4270 ++ goto out_frames;
4271 + }
4272 + dx_release(frames);
4273 +
4274 + retval = add_dirent_to_buf(handle, dentry, inode, de, bh);
4275 + brelse(bh);
4276 + return retval;
4277 ++out_frames:
4278 ++ /*
4279 ++ * Even if the block split failed, we have to properly write
4280 ++ * out all the changes we did so far. Otherwise we can end up
4281 ++ * with corrupted filesystem.
4282 ++ */
4283 ++ ext4_mark_inode_dirty(handle, dir);
4284 ++ dx_release(frames);
4285 ++ return retval;
4286 + }
4287 +
4288 + /*
4289 +@@ -1992,7 +1999,7 @@ int ext4_orphan_add(handle_t *handle, struct inode *inode)
4290 + struct ext4_iloc iloc;
4291 + int err = 0, rc;
4292 +
4293 +- if (!ext4_handle_valid(handle))
4294 ++ if (!ext4_handle_valid(handle) || is_bad_inode(inode))
4295 + return 0;
4296 +
4297 + mutex_lock(&EXT4_SB(sb)->s_orphan_lock);
4298 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
4299 +index a43e43c835d1..cfd321104250 100644
4300 +--- a/fs/ext4/resize.c
4301 ++++ b/fs/ext4/resize.c
4302 +@@ -991,7 +991,7 @@ static void update_backups(struct super_block *sb,
4303 + (err = ext4_journal_restart(handle, EXT4_MAX_TRANS_DATA)))
4304 + break;
4305 +
4306 +- bh = sb_getblk(sb, group * bpg + blk_off);
4307 ++ bh = sb_getblk(sb, ((ext4_fsblk_t)group) * bpg + blk_off);
4308 + if (!bh) {
4309 + err = -ENOMEM;
4310 + break;
4311 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
4312 +index f0e4e46867f7..92ea560efcc7 100644
4313 +--- a/fs/ext4/super.c
4314 ++++ b/fs/ext4/super.c
4315 +@@ -1041,7 +1041,7 @@ static struct inode *ext4_nfs_get_inode(struct super_block *sb,
4316 + * Currently we don't know the generation for parent directory, so
4317 + * a generation of 0 means "accept any"
4318 + */
4319 +- inode = ext4_iget(sb, ino);
4320 ++ inode = ext4_iget_normal(sb, ino);
4321 + if (IS_ERR(inode))
4322 + return ERR_CAST(inode);
4323 + if (generation && inode->i_generation != generation) {
4324 +@@ -1642,13 +1642,6 @@ static int parse_options(char *options, struct super_block *sb,
4325 + "not specified");
4326 + return 0;
4327 + }
4328 +- } else {
4329 +- if (sbi->s_jquota_fmt) {
4330 +- ext4_msg(sb, KERN_ERR, "journaled quota format "
4331 +- "specified with no journaling "
4332 +- "enabled");
4333 +- return 0;
4334 +- }
4335 + }
4336 + #endif
4337 + if (test_opt(sb, DIOREAD_NOLOCK)) {
4338 +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
4339 +index 5743e9db8027..96455e6988fe 100644
4340 +--- a/fs/ext4/xattr.c
4341 ++++ b/fs/ext4/xattr.c
4342 +@@ -144,14 +144,28 @@ ext4_listxattr(struct dentry *dentry, char *buffer, size_t size)
4343 + }
4344 +
4345 + static int
4346 +-ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end)
4347 ++ext4_xattr_check_names(struct ext4_xattr_entry *entry, void *end,
4348 ++ void *value_start)
4349 + {
4350 +- while (!IS_LAST_ENTRY(entry)) {
4351 +- struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(entry);
4352 ++ struct ext4_xattr_entry *e = entry;
4353 ++
4354 ++ while (!IS_LAST_ENTRY(e)) {
4355 ++ struct ext4_xattr_entry *next = EXT4_XATTR_NEXT(e);
4356 + if ((void *)next >= end)
4357 + return -EIO;
4358 +- entry = next;
4359 ++ e = next;
4360 + }
4361 ++
4362 ++ while (!IS_LAST_ENTRY(entry)) {
4363 ++ if (entry->e_value_size != 0 &&
4364 ++ (value_start + le16_to_cpu(entry->e_value_offs) <
4365 ++ (void *)e + sizeof(__u32) ||
4366 ++ value_start + le16_to_cpu(entry->e_value_offs) +
4367 ++ le32_to_cpu(entry->e_value_size) > end))
4368 ++ return -EIO;
4369 ++ entry = EXT4_XATTR_NEXT(entry);
4370 ++ }
4371 ++
4372 + return 0;
4373 + }
4374 +
4375 +@@ -161,7 +175,8 @@ ext4_xattr_check_block(struct buffer_head *bh)
4376 + if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
4377 + BHDR(bh)->h_blocks != cpu_to_le32(1))
4378 + return -EIO;
4379 +- return ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size);
4380 ++ return ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size,
4381 ++ bh->b_data);
4382 + }
4383 +
4384 + static inline int
4385 +@@ -274,7 +289,7 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
4386 + header = IHDR(inode, raw_inode);
4387 + entry = IFIRST(header);
4388 + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
4389 +- error = ext4_xattr_check_names(entry, end);
4390 ++ error = ext4_xattr_check_names(entry, end, entry);
4391 + if (error)
4392 + goto cleanup;
4393 + error = ext4_xattr_find_entry(&entry, name_index, name,
4394 +@@ -402,7 +417,7 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size)
4395 + raw_inode = ext4_raw_inode(&iloc);
4396 + header = IHDR(inode, raw_inode);
4397 + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
4398 +- error = ext4_xattr_check_names(IFIRST(header), end);
4399 ++ error = ext4_xattr_check_names(IFIRST(header), end, IFIRST(header));
4400 + if (error)
4401 + goto cleanup;
4402 + error = ext4_xattr_list_entries(dentry, IFIRST(header),
4403 +@@ -914,7 +929,8 @@ ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i,
4404 + is->s.here = is->s.first;
4405 + is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
4406 + if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
4407 +- error = ext4_xattr_check_names(IFIRST(header), is->s.end);
4408 ++ error = ext4_xattr_check_names(IFIRST(header), is->s.end,
4409 ++ IFIRST(header));
4410 + if (error)
4411 + return error;
4412 + /* Find the named attribute. */
4413 +diff --git a/fs/ioprio.c b/fs/ioprio.c
4414 +index 0f1b9515213b..0dd6a2a7ae82 100644
4415 +--- a/fs/ioprio.c
4416 ++++ b/fs/ioprio.c
4417 +@@ -153,14 +153,16 @@ out:
4418 +
4419 + int ioprio_best(unsigned short aprio, unsigned short bprio)
4420 + {
4421 +- unsigned short aclass = IOPRIO_PRIO_CLASS(aprio);
4422 +- unsigned short bclass = IOPRIO_PRIO_CLASS(bprio);
4423 ++ unsigned short aclass;
4424 ++ unsigned short bclass;
4425 +
4426 +- if (aclass == IOPRIO_CLASS_NONE)
4427 +- aclass = IOPRIO_CLASS_BE;
4428 +- if (bclass == IOPRIO_CLASS_NONE)
4429 +- bclass = IOPRIO_CLASS_BE;
4430 ++ if (!ioprio_valid(aprio))
4431 ++ aprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
4432 ++ if (!ioprio_valid(bprio))
4433 ++ bprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM);
4434 +
4435 ++ aclass = IOPRIO_PRIO_CLASS(aprio);
4436 ++ bclass = IOPRIO_PRIO_CLASS(bprio);
4437 + if (aclass == bclass)
4438 + return min(aprio, bprio);
4439 + if (aclass > bclass)
4440 +diff --git a/fs/lockd/mon.c b/fs/lockd/mon.c
4441 +index 606a8dd8818c..0a68e0b22839 100644
4442 +--- a/fs/lockd/mon.c
4443 ++++ b/fs/lockd/mon.c
4444 +@@ -114,6 +114,12 @@ static int nsm_mon_unmon(struct nsm_handle *nsm, u32 proc, struct nsm_res *res,
4445 +
4446 + msg.rpc_proc = &clnt->cl_procinfo[proc];
4447 + status = rpc_call_sync(clnt, &msg, 0);
4448 ++ if (status == -ECONNREFUSED) {
4449 ++ dprintk("lockd: NSM upcall RPC failed, status=%d, forcing rebind\n",
4450 ++ status);
4451 ++ rpc_force_rebind(clnt);
4452 ++ status = rpc_call_sync(clnt, &msg, RPC_TASK_SOFTCONN);
4453 ++ }
4454 + if (status < 0)
4455 + dprintk("lockd: NSM upcall RPC failed, status=%d\n",
4456 + status);
4457 +diff --git a/fs/namespace.c b/fs/namespace.c
4458 +index f0f2e067c5df..f7be8d9c1cd6 100644
4459 +--- a/fs/namespace.c
4460 ++++ b/fs/namespace.c
4461 +@@ -2508,6 +2508,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
4462 + /* make sure we can reach put_old from new_root */
4463 + if (!is_path_reachable(real_mount(old.mnt), old.dentry, &new))
4464 + goto out4;
4465 ++ /* make certain new is below the root */
4466 ++ if (!is_path_reachable(new_mnt, new.dentry, &root))
4467 ++ goto out4;
4468 + br_write_lock(vfsmount_lock);
4469 + detach_mnt(new_mnt, &parent_path);
4470 + detach_mnt(root_mnt, &root_parent);
4471 +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
4472 +index 9bb4e5c541b0..a6d59054e8b3 100644
4473 +--- a/fs/nfs/inode.c
4474 ++++ b/fs/nfs/inode.c
4475 +@@ -512,7 +512,7 @@ int nfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
4476 + {
4477 + struct inode *inode = dentry->d_inode;
4478 + int need_atime = NFS_I(inode)->cache_validity & NFS_INO_INVALID_ATIME;
4479 +- int err;
4480 ++ int err = 0;
4481 +
4482 + /* Flush out writes to the server in order to update c/mtime. */
4483 + if (S_ISREG(inode->i_mode)) {
4484 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
4485 +index 527a4fc12546..3d344ab0bdb3 100644
4486 +--- a/fs/nfs/nfs4proc.c
4487 ++++ b/fs/nfs/nfs4proc.c
4488 +@@ -1740,6 +1740,28 @@ static int nfs4_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *sta
4489 + return ret;
4490 + }
4491 +
4492 ++static void nfs_finish_clear_delegation_stateid(struct nfs4_state *state)
4493 ++{
4494 ++ nfs_remove_bad_delegation(state->inode);
4495 ++ write_seqlock(&state->seqlock);
4496 ++ nfs4_stateid_copy(&state->stateid, &state->open_stateid);
4497 ++ write_sequnlock(&state->seqlock);
4498 ++ clear_bit(NFS_DELEGATED_STATE, &state->flags);
4499 ++}
4500 ++
4501 ++static void nfs40_clear_delegation_stateid(struct nfs4_state *state)
4502 ++{
4503 ++ if (rcu_access_pointer(NFS_I(state->inode)->delegation) != NULL)
4504 ++ nfs_finish_clear_delegation_stateid(state);
4505 ++}
4506 ++
4507 ++static int nfs40_open_expired(struct nfs4_state_owner *sp, struct nfs4_state *state)
4508 ++{
4509 ++ /* NFSv4.0 doesn't allow for delegation recovery on open expire */
4510 ++ nfs40_clear_delegation_stateid(state);
4511 ++ return nfs4_open_expired(sp, state);
4512 ++}
4513 ++
4514 + #if defined(CONFIG_NFS_V4_1)
4515 + static int nfs41_check_expired_stateid(struct nfs4_state *state, nfs4_stateid *stateid, unsigned int flags)
4516 + {
4517 +@@ -5796,7 +5818,7 @@ static int nfs41_proc_async_sequence(struct nfs_client *clp, struct rpc_cred *cr
4518 + int ret = 0;
4519 +
4520 + if ((renew_flags & NFS4_RENEW_TIMEOUT) == 0)
4521 +- return 0;
4522 ++ return -EAGAIN;
4523 + task = _nfs41_proc_sequence(clp, cred, &nfs41_sequence_ops);
4524 + if (IS_ERR(task))
4525 + ret = PTR_ERR(task);
4526 +@@ -6547,7 +6569,7 @@ static const struct nfs4_state_recovery_ops nfs41_reboot_recovery_ops = {
4527 + static const struct nfs4_state_recovery_ops nfs40_nograce_recovery_ops = {
4528 + .owner_flag_bit = NFS_OWNER_RECLAIM_NOGRACE,
4529 + .state_flag_bit = NFS_STATE_RECLAIM_NOGRACE,
4530 +- .recover_open = nfs4_open_expired,
4531 ++ .recover_open = nfs40_open_expired,
4532 + .recover_lock = nfs4_lock_expired,
4533 + .establish_clid = nfs4_init_clientid,
4534 + .get_clid_cred = nfs4_get_setclientid_cred,
4535 +diff --git a/fs/nfs/nfs4renewd.c b/fs/nfs/nfs4renewd.c
4536 +index dc484c0eae7f..78071cf90079 100644
4537 +--- a/fs/nfs/nfs4renewd.c
4538 ++++ b/fs/nfs/nfs4renewd.c
4539 +@@ -88,10 +88,18 @@ nfs4_renew_state(struct work_struct *work)
4540 + }
4541 + nfs_expire_all_delegations(clp);
4542 + } else {
4543 ++ int ret;
4544 ++
4545 + /* Queue an asynchronous RENEW. */
4546 +- ops->sched_state_renewal(clp, cred, renew_flags);
4547 ++ ret = ops->sched_state_renewal(clp, cred, renew_flags);
4548 + put_rpccred(cred);
4549 +- goto out_exp;
4550 ++ switch (ret) {
4551 ++ default:
4552 ++ goto out_exp;
4553 ++ case -EAGAIN:
4554 ++ case -ENOMEM:
4555 ++ break;
4556 ++ }
4557 + }
4558 + } else {
4559 + dprintk("%s: failed to call renewd. Reason: lease not expired \n",
4560 +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
4561 +index 461816beff13..c4600b59744a 100644
4562 +--- a/fs/nfs/nfs4state.c
4563 ++++ b/fs/nfs/nfs4state.c
4564 +@@ -1515,7 +1515,8 @@ restart:
4565 + if (status < 0) {
4566 + set_bit(ops->owner_flag_bit, &sp->so_flags);
4567 + nfs4_put_state_owner(sp);
4568 +- return nfs4_recovery_handle_error(clp, status);
4569 ++ status = nfs4_recovery_handle_error(clp, status);
4570 ++ return (status != 0) ? status : -EAGAIN;
4571 + }
4572 +
4573 + nfs4_put_state_owner(sp);
4574 +@@ -1524,7 +1525,7 @@ restart:
4575 + spin_unlock(&clp->cl_lock);
4576 + }
4577 + rcu_read_unlock();
4578 +- return status;
4579 ++ return 0;
4580 + }
4581 +
4582 + static int nfs4_check_lease(struct nfs_client *clp)
4583 +@@ -1796,23 +1797,18 @@ static void nfs4_state_manager(struct nfs_client *clp)
4584 + if (test_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state)) {
4585 + status = nfs4_do_reclaim(clp,
4586 + clp->cl_mvops->reboot_recovery_ops);
4587 +- if (test_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state) ||
4588 +- test_bit(NFS4CLNT_SESSION_RESET, &clp->cl_state))
4589 +- continue;
4590 +- nfs4_state_end_reclaim_reboot(clp);
4591 +- if (test_bit(NFS4CLNT_RECLAIM_NOGRACE, &clp->cl_state))
4592 ++ if (status == -EAGAIN)
4593 + continue;
4594 + if (status < 0)
4595 + goto out_error;
4596 ++ nfs4_state_end_reclaim_reboot(clp);
4597 + }
4598 +
4599 + /* Now recover expired state... */
4600 + if (test_and_clear_bit(NFS4CLNT_RECLAIM_NOGRACE, &clp->cl_state)) {
4601 + status = nfs4_do_reclaim(clp,
4602 + clp->cl_mvops->nograce_recovery_ops);
4603 +- if (test_bit(NFS4CLNT_LEASE_EXPIRED, &clp->cl_state) ||
4604 +- test_bit(NFS4CLNT_SESSION_RESET, &clp->cl_state) ||
4605 +- test_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state))
4606 ++ if (status == -EAGAIN)
4607 + continue;
4608 + if (status < 0)
4609 + goto out_error;
4610 +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
4611 +index 22beaff3544a..b2ce878080be 100644
4612 +--- a/fs/nfsd/nfs4proc.c
4613 ++++ b/fs/nfsd/nfs4proc.c
4614 +@@ -1132,7 +1132,8 @@ static bool need_wrongsec_check(struct svc_rqst *rqstp)
4615 + */
4616 + if (argp->opcnt == resp->opcnt)
4617 + return false;
4618 +-
4619 ++ if (next->opnum == OP_ILLEGAL)
4620 ++ return false;
4621 + nextd = OPDESC(next);
4622 + /*
4623 + * Rest of 2.6.3.1.1: certain operations will return WRONGSEC
4624 +diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
4625 +index 48bc91d60fce..97d91f046265 100644
4626 +--- a/fs/notify/fanotify/fanotify_user.c
4627 ++++ b/fs/notify/fanotify/fanotify_user.c
4628 +@@ -67,7 +67,7 @@ static int create_fd(struct fsnotify_group *group, struct fsnotify_event *event)
4629 +
4630 + pr_debug("%s: group=%p event=%p\n", __func__, group, event);
4631 +
4632 +- client_fd = get_unused_fd();
4633 ++ client_fd = get_unused_fd_flags(group->fanotify_data.f_flags);
4634 + if (client_fd < 0)
4635 + return client_fd;
4636 +
4637 +diff --git a/fs/super.c b/fs/super.c
4638 +index 3c520a5ed715..d0154e52c76b 100644
4639 +--- a/fs/super.c
4640 ++++ b/fs/super.c
4641 +@@ -69,6 +69,8 @@ static int prune_super(struct shrinker *shrink, struct shrink_control *sc)
4642 +
4643 + total_objects = sb->s_nr_dentry_unused +
4644 + sb->s_nr_inodes_unused + fs_objects + 1;
4645 ++ if (!total_objects)
4646 ++ total_objects = 1;
4647 +
4648 + if (sc->nr_to_scan) {
4649 + int dentries;
4650 +diff --git a/fs/ubifs/commit.c b/fs/ubifs/commit.c
4651 +index fb3b5c813a30..b2ca12fd593b 100644
4652 +--- a/fs/ubifs/commit.c
4653 ++++ b/fs/ubifs/commit.c
4654 +@@ -166,15 +166,10 @@ static int do_commit(struct ubifs_info *c)
4655 + err = ubifs_orphan_end_commit(c);
4656 + if (err)
4657 + goto out;
4658 +- old_ltail_lnum = c->ltail_lnum;
4659 +- err = ubifs_log_end_commit(c, new_ltail_lnum);
4660 +- if (err)
4661 +- goto out;
4662 + err = dbg_check_old_index(c, &zroot);
4663 + if (err)
4664 + goto out;
4665 +
4666 +- mutex_lock(&c->mst_mutex);
4667 + c->mst_node->cmt_no = cpu_to_le64(c->cmt_no);
4668 + c->mst_node->log_lnum = cpu_to_le32(new_ltail_lnum);
4669 + c->mst_node->root_lnum = cpu_to_le32(zroot.lnum);
4670 +@@ -203,8 +198,9 @@ static int do_commit(struct ubifs_info *c)
4671 + c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS);
4672 + else
4673 + c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_NO_ORPHS);
4674 +- err = ubifs_write_master(c);
4675 +- mutex_unlock(&c->mst_mutex);
4676 ++
4677 ++ old_ltail_lnum = c->ltail_lnum;
4678 ++ err = ubifs_log_end_commit(c, new_ltail_lnum);
4679 + if (err)
4680 + goto out;
4681 +
4682 +diff --git a/fs/ubifs/log.c b/fs/ubifs/log.c
4683 +index f9fd068d1ae0..843beda25767 100644
4684 +--- a/fs/ubifs/log.c
4685 ++++ b/fs/ubifs/log.c
4686 +@@ -110,10 +110,14 @@ static inline long long empty_log_bytes(const struct ubifs_info *c)
4687 + h = (long long)c->lhead_lnum * c->leb_size + c->lhead_offs;
4688 + t = (long long)c->ltail_lnum * c->leb_size;
4689 +
4690 +- if (h >= t)
4691 ++ if (h > t)
4692 + return c->log_bytes - h + t;
4693 +- else
4694 ++ else if (h != t)
4695 + return t - h;
4696 ++ else if (c->lhead_lnum != c->ltail_lnum)
4697 ++ return 0;
4698 ++ else
4699 ++ return c->log_bytes;
4700 + }
4701 +
4702 + /**
4703 +@@ -453,9 +457,9 @@ out:
4704 + * @ltail_lnum: new log tail LEB number
4705 + *
4706 + * This function is called on when the commit operation was finished. It
4707 +- * moves log tail to new position and unmaps LEBs which contain obsolete data.
4708 +- * Returns zero in case of success and a negative error code in case of
4709 +- * failure.
4710 ++ * moves log tail to new position and updates the master node so that it stores
4711 ++ * the new log tail LEB number. Returns zero in case of success and a negative
4712 ++ * error code in case of failure.
4713 + */
4714 + int ubifs_log_end_commit(struct ubifs_info *c, int ltail_lnum)
4715 + {
4716 +@@ -483,7 +487,12 @@ int ubifs_log_end_commit(struct ubifs_info *c, int ltail_lnum)
4717 + spin_unlock(&c->buds_lock);
4718 +
4719 + err = dbg_check_bud_bytes(c);
4720 ++ if (err)
4721 ++ goto out;
4722 +
4723 ++ err = ubifs_write_master(c);
4724 ++
4725 ++out:
4726 + mutex_unlock(&c->log_mutex);
4727 + return err;
4728 + }
4729 +diff --git a/fs/ubifs/master.c b/fs/ubifs/master.c
4730 +index 278c2382e8c2..bb9f48107815 100644
4731 +--- a/fs/ubifs/master.c
4732 ++++ b/fs/ubifs/master.c
4733 +@@ -352,10 +352,9 @@ int ubifs_read_master(struct ubifs_info *c)
4734 + * ubifs_write_master - write master node.
4735 + * @c: UBIFS file-system description object
4736 + *
4737 +- * This function writes the master node. The caller has to take the
4738 +- * @c->mst_mutex lock before calling this function. Returns zero in case of
4739 +- * success and a negative error code in case of failure. The master node is
4740 +- * written twice to enable recovery.
4741 ++ * This function writes the master node. Returns zero in case of success and a
4742 ++ * negative error code in case of failure. The master node is written twice to
4743 ++ * enable recovery.
4744 + */
4745 + int ubifs_write_master(struct ubifs_info *c)
4746 + {
4747 +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
4748 +index d867bd97bc60..129bb488ce75 100644
4749 +--- a/fs/ubifs/super.c
4750 ++++ b/fs/ubifs/super.c
4751 +@@ -1984,7 +1984,6 @@ static struct ubifs_info *alloc_ubifs_info(struct ubi_volume_desc *ubi)
4752 + mutex_init(&c->lp_mutex);
4753 + mutex_init(&c->tnc_mutex);
4754 + mutex_init(&c->log_mutex);
4755 +- mutex_init(&c->mst_mutex);
4756 + mutex_init(&c->umount_mutex);
4757 + mutex_init(&c->bu_mutex);
4758 + mutex_init(&c->write_reserve_mutex);
4759 +diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
4760 +index 3f962617e29b..cd62067aea85 100644
4761 +--- a/fs/ubifs/ubifs.h
4762 ++++ b/fs/ubifs/ubifs.h
4763 +@@ -1041,7 +1041,6 @@ struct ubifs_debug_info;
4764 + *
4765 + * @mst_node: master node
4766 + * @mst_offs: offset of valid master node
4767 +- * @mst_mutex: protects the master node area, @mst_node, and @mst_offs
4768 + *
4769 + * @max_bu_buf_len: maximum bulk-read buffer length
4770 + * @bu_mutex: protects the pre-allocated bulk-read buffer and @c->bu
4771 +@@ -1281,7 +1280,6 @@ struct ubifs_info {
4772 +
4773 + struct ubifs_mst_node *mst_node;
4774 + int mst_offs;
4775 +- struct mutex mst_mutex;
4776 +
4777 + int max_bu_buf_len;
4778 + struct mutex bu_mutex;
4779 +diff --git a/include/drm/drm_pciids.h b/include/drm/drm_pciids.h
4780 +index 757f98066d6b..53baa0d7c34f 100644
4781 +--- a/include/drm/drm_pciids.h
4782 ++++ b/include/drm/drm_pciids.h
4783 +@@ -56,7 +56,6 @@
4784 + {0x1002, 0x4C64, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \
4785 + {0x1002, 0x4C66, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \
4786 + {0x1002, 0x4C67, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV250|RADEON_IS_MOBILITY}, \
4787 +- {0x1002, 0x4C6E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV280|RADEON_IS_MOBILITY}, \
4788 + {0x1002, 0x4E44, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \
4789 + {0x1002, 0x4E45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \
4790 + {0x1002, 0x4E46, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R300}, \
4791 +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
4792 +index 4d4ac24a263e..01b7047b60df 100644
4793 +--- a/include/linux/blkdev.h
4794 ++++ b/include/linux/blkdev.h
4795 +@@ -1069,10 +1069,9 @@ static inline int queue_alignment_offset(struct request_queue *q)
4796 + static inline int queue_limit_alignment_offset(struct queue_limits *lim, sector_t sector)
4797 + {
4798 + unsigned int granularity = max(lim->physical_block_size, lim->io_min);
4799 +- unsigned int alignment = (sector << 9) & (granularity - 1);
4800 ++ unsigned int alignment = sector_div(sector, granularity >> 9) << 9;
4801 +
4802 +- return (granularity + lim->alignment_offset - alignment)
4803 +- & (granularity - 1);
4804 ++ return (granularity + lim->alignment_offset - alignment) % granularity;
4805 + }
4806 +
4807 + static inline int bdev_alignment_offset(struct block_device *bdev)
4808 +diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
4809 +index 7970e31c8c0e..ea9cffe22ec4 100644
4810 +--- a/include/linux/compiler-gcc.h
4811 ++++ b/include/linux/compiler-gcc.h
4812 +@@ -37,6 +37,9 @@
4813 + __asm__ ("" : "=r"(__ptr) : "0"(ptr)); \
4814 + (typeof(ptr)) (__ptr + (off)); })
4815 +
4816 ++/* Make the optimizer believe the variable can be manipulated arbitrarily. */
4817 ++#define OPTIMIZER_HIDE_VAR(var) __asm__ ("" : "=r" (var) : "0" (var))
4818 ++
4819 + #ifdef __CHECKER__
4820 + #define __must_be_array(arr) 0
4821 + #else
4822 +diff --git a/include/linux/compiler-gcc5.h b/include/linux/compiler-gcc5.h
4823 +new file mode 100644
4824 +index 000000000000..cdd1cc202d51
4825 +--- /dev/null
4826 ++++ b/include/linux/compiler-gcc5.h
4827 +@@ -0,0 +1,66 @@
4828 ++#ifndef __LINUX_COMPILER_H
4829 ++#error "Please don't include <linux/compiler-gcc5.h> directly, include <linux/compiler.h> instead."
4830 ++#endif
4831 ++
4832 ++#define __used __attribute__((__used__))
4833 ++#define __must_check __attribute__((warn_unused_result))
4834 ++#define __compiler_offsetof(a, b) __builtin_offsetof(a, b)
4835 ++
4836 ++/* Mark functions as cold. gcc will assume any path leading to a call
4837 ++ to them will be unlikely. This means a lot of manual unlikely()s
4838 ++ are unnecessary now for any paths leading to the usual suspects
4839 ++ like BUG(), printk(), panic() etc. [but let's keep them for now for
4840 ++ older compilers]
4841 ++
4842 ++ Early snapshots of gcc 4.3 don't support this and we can't detect this
4843 ++ in the preprocessor, but we can live with this because they're unreleased.
4844 ++ Maketime probing would be overkill here.
4845 ++
4846 ++ gcc also has a __attribute__((__hot__)) to move hot functions into
4847 ++ a special section, but I don't see any sense in this right now in
4848 ++ the kernel context */
4849 ++#define __cold __attribute__((__cold__))
4850 ++
4851 ++#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__)
4852 ++
4853 ++#ifndef __CHECKER__
4854 ++# define __compiletime_warning(message) __attribute__((warning(message)))
4855 ++# define __compiletime_error(message) __attribute__((error(message)))
4856 ++#endif /* __CHECKER__ */
4857 ++
4858 ++/*
4859 ++ * Mark a position in code as unreachable. This can be used to
4860 ++ * suppress control flow warnings after asm blocks that transfer
4861 ++ * control elsewhere.
4862 ++ *
4863 ++ * Early snapshots of gcc 4.5 don't support this and we can't detect
4864 ++ * this in the preprocessor, but we can live with this because they're
4865 ++ * unreleased. Really, we need to have autoconf for the kernel.
4866 ++ */
4867 ++#define unreachable() __builtin_unreachable()
4868 ++
4869 ++/* Mark a function definition as prohibited from being cloned. */
4870 ++#define __noclone __attribute__((__noclone__))
4871 ++
4872 ++/*
4873 ++ * Tell the optimizer that something else uses this function or variable.
4874 ++ */
4875 ++#define __visible __attribute__((externally_visible))
4876 ++
4877 ++/*
4878 ++ * GCC 'asm goto' miscompiles certain code sequences:
4879 ++ *
4880 ++ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
4881 ++ *
4882 ++ * Work it around via a compiler barrier quirk suggested by Jakub Jelinek.
4883 ++ * Fixed in GCC 4.8.2 and later versions.
4884 ++ *
4885 ++ * (asm goto is automatically volatile - the naming reflects this.)
4886 ++ */
4887 ++#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
4888 ++
4889 ++#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP
4890 ++#define __HAVE_BUILTIN_BSWAP32__
4891 ++#define __HAVE_BUILTIN_BSWAP64__
4892 ++#define __HAVE_BUILTIN_BSWAP16__
4893 ++#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */
4894 +diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h
4895 +index cba9593c4047..1a97cac7dcb2 100644
4896 +--- a/include/linux/compiler-intel.h
4897 ++++ b/include/linux/compiler-intel.h
4898 +@@ -15,6 +15,7 @@
4899 + */
4900 + #undef barrier
4901 + #undef RELOC_HIDE
4902 ++#undef OPTIMIZER_HIDE_VAR
4903 +
4904 + #define barrier() __memory_barrier()
4905 +
4906 +@@ -23,6 +24,12 @@
4907 + __ptr = (unsigned long) (ptr); \
4908 + (typeof(ptr)) (__ptr + (off)); })
4909 +
4910 ++/* This should act as an optimization barrier on var.
4911 ++ * Given that this compiler does not have inline assembly, a compiler barrier
4912 ++ * is the best we can do.
4913 ++ */
4914 ++#define OPTIMIZER_HIDE_VAR(var) barrier()
4915 ++
4916 + /* Intel ECC compiler doesn't support __builtin_types_compatible_p() */
4917 + #define __must_be_array(a) 0
4918 +
4919 +diff --git a/include/linux/init_task.h b/include/linux/init_task.h
4920 +index e7bafa432aa3..b11e298e989f 100644
4921 +--- a/include/linux/init_task.h
4922 ++++ b/include/linux/init_task.h
4923 +@@ -38,6 +38,7 @@ extern struct fs_struct init_fs;
4924 +
4925 + #define INIT_SIGNALS(sig) { \
4926 + .nr_threads = 1, \
4927 ++ .thread_head = LIST_HEAD_INIT(init_task.thread_node), \
4928 + .wait_chldexit = __WAIT_QUEUE_HEAD_INITIALIZER(sig.wait_chldexit),\
4929 + .shared_pending = { \
4930 + .list = LIST_HEAD_INIT(sig.shared_pending.list), \
4931 +@@ -202,6 +203,7 @@ extern struct task_group root_task_group;
4932 + [PIDTYPE_SID] = INIT_PID_LINK(PIDTYPE_SID), \
4933 + }, \
4934 + .thread_group = LIST_HEAD_INIT(tsk.thread_group), \
4935 ++ .thread_node = LIST_HEAD_INIT(init_signals.thread_head), \
4936 + INIT_IDS \
4937 + INIT_PERF_EVENTS(tsk) \
4938 + INIT_TRACE_IRQFLAGS \
4939 +diff --git a/include/linux/khugepaged.h b/include/linux/khugepaged.h
4940 +index 6b394f0b5148..eeb307985715 100644
4941 +--- a/include/linux/khugepaged.h
4942 ++++ b/include/linux/khugepaged.h
4943 +@@ -6,7 +6,8 @@
4944 + #ifdef CONFIG_TRANSPARENT_HUGEPAGE
4945 + extern int __khugepaged_enter(struct mm_struct *mm);
4946 + extern void __khugepaged_exit(struct mm_struct *mm);
4947 +-extern int khugepaged_enter_vma_merge(struct vm_area_struct *vma);
4948 ++extern int khugepaged_enter_vma_merge(struct vm_area_struct *vma,
4949 ++ unsigned long vm_flags);
4950 +
4951 + #define khugepaged_enabled() \
4952 + (transparent_hugepage_flags & \
4953 +@@ -35,13 +36,13 @@ static inline void khugepaged_exit(struct mm_struct *mm)
4954 + __khugepaged_exit(mm);
4955 + }
4956 +
4957 +-static inline int khugepaged_enter(struct vm_area_struct *vma)
4958 ++static inline int khugepaged_enter(struct vm_area_struct *vma,
4959 ++ unsigned long vm_flags)
4960 + {
4961 + if (!test_bit(MMF_VM_HUGEPAGE, &vma->vm_mm->flags))
4962 + if ((khugepaged_always() ||
4963 +- (khugepaged_req_madv() &&
4964 +- vma->vm_flags & VM_HUGEPAGE)) &&
4965 +- !(vma->vm_flags & VM_NOHUGEPAGE))
4966 ++ (khugepaged_req_madv() && (vm_flags & VM_HUGEPAGE))) &&
4967 ++ !(vm_flags & VM_NOHUGEPAGE))
4968 + if (__khugepaged_enter(vma->vm_mm))
4969 + return -ENOMEM;
4970 + return 0;
4971 +@@ -54,11 +55,13 @@ static inline int khugepaged_fork(struct mm_struct *mm, struct mm_struct *oldmm)
4972 + static inline void khugepaged_exit(struct mm_struct *mm)
4973 + {
4974 + }
4975 +-static inline int khugepaged_enter(struct vm_area_struct *vma)
4976 ++static inline int khugepaged_enter(struct vm_area_struct *vma,
4977 ++ unsigned long vm_flags)
4978 + {
4979 + return 0;
4980 + }
4981 +-static inline int khugepaged_enter_vma_merge(struct vm_area_struct *vma)
4982 ++static inline int khugepaged_enter_vma_merge(struct vm_area_struct *vma,
4983 ++ unsigned long vm_flags)
4984 + {
4985 + return 0;
4986 + }
4987 +diff --git a/include/linux/mm.h b/include/linux/mm.h
4988 +index dbca4b21b7d3..656b4e968991 100644
4989 +--- a/include/linux/mm.h
4990 ++++ b/include/linux/mm.h
4991 +@@ -953,6 +953,7 @@ static inline void unmap_shared_mapping_range(struct address_space *mapping,
4992 +
4993 + extern void truncate_pagecache(struct inode *inode, loff_t old, loff_t new);
4994 + extern void truncate_setsize(struct inode *inode, loff_t newsize);
4995 ++void pagecache_isize_extended(struct inode *inode, loff_t from, loff_t to);
4996 + extern int vmtruncate(struct inode *inode, loff_t offset);
4997 + extern int vmtruncate_range(struct inode *inode, loff_t offset, loff_t end);
4998 + void truncate_pagecache_range(struct inode *inode, loff_t offset, loff_t end);
4999 +diff --git a/include/linux/of.h b/include/linux/of.h
5000 +index fa7fb1d97458..ac58796df055 100644
5001 +--- a/include/linux/of.h
5002 ++++ b/include/linux/of.h
5003 +@@ -212,14 +212,12 @@ extern int of_property_read_u64(const struct device_node *np,
5004 + extern int of_property_read_string(struct device_node *np,
5005 + const char *propname,
5006 + const char **out_string);
5007 +-extern int of_property_read_string_index(struct device_node *np,
5008 +- const char *propname,
5009 +- int index, const char **output);
5010 + extern int of_property_match_string(struct device_node *np,
5011 + const char *propname,
5012 + const char *string);
5013 +-extern int of_property_count_strings(struct device_node *np,
5014 +- const char *propname);
5015 ++extern int of_property_read_string_helper(struct device_node *np,
5016 ++ const char *propname,
5017 ++ const char **out_strs, size_t sz, int index);
5018 + extern int of_device_is_compatible(const struct device_node *device,
5019 + const char *);
5020 + extern int of_device_is_available(const struct device_node *device);
5021 +@@ -304,15 +302,9 @@ static inline int of_property_read_string(struct device_node *np,
5022 + return -ENOSYS;
5023 + }
5024 +
5025 +-static inline int of_property_read_string_index(struct device_node *np,
5026 +- const char *propname, int index,
5027 +- const char **out_string)
5028 +-{
5029 +- return -ENOSYS;
5030 +-}
5031 +-
5032 +-static inline int of_property_count_strings(struct device_node *np,
5033 +- const char *propname)
5034 ++static inline int of_property_read_string_helper(struct device_node *np,
5035 ++ const char *propname,
5036 ++ const char **out_strs, size_t sz, int index)
5037 + {
5038 + return -ENOSYS;
5039 + }
5040 +@@ -352,6 +344,70 @@ static inline int of_machine_is_compatible(const char *compat)
5041 + #endif /* CONFIG_OF */
5042 +
5043 + /**
5044 ++ * of_property_read_string_array() - Read an array of strings from a multiple
5045 ++ * strings property.
5046 ++ * @np: device node from which the property value is to be read.
5047 ++ * @propname: name of the property to be searched.
5048 ++ * @out_strs: output array of string pointers.
5049 ++ * @sz: number of array elements to read.
5050 ++ *
5051 ++ * Search for a property in a device tree node and retrieve a list of
5052 ++ * terminated string values (pointer to data, not a copy) in that property.
5053 ++ *
5054 ++ * If @out_strs is NULL, the number of strings in the property is returned.
5055 ++ */
5056 ++static inline int of_property_read_string_array(struct device_node *np,
5057 ++ const char *propname, const char **out_strs,
5058 ++ size_t sz)
5059 ++{
5060 ++ return of_property_read_string_helper(np, propname, out_strs, sz, 0);
5061 ++}
5062 ++
5063 ++/**
5064 ++ * of_property_count_strings() - Find and return the number of strings from a
5065 ++ * multiple strings property.
5066 ++ * @np: device node from which the property value is to be read.
5067 ++ * @propname: name of the property to be searched.
5068 ++ *
5069 ++ * Search for a property in a device tree node and retrieve the number of null
5070 ++ * terminated string contain in it. Returns the number of strings on
5071 ++ * success, -EINVAL if the property does not exist, -ENODATA if property
5072 ++ * does not have a value, and -EILSEQ if the string is not null-terminated
5073 ++ * within the length of the property data.
5074 ++ */
5075 ++static inline int of_property_count_strings(struct device_node *np,
5076 ++ const char *propname)
5077 ++{
5078 ++ return of_property_read_string_helper(np, propname, NULL, 0, 0);
5079 ++}
5080 ++
5081 ++/**
5082 ++ * of_property_read_string_index() - Find and read a string from a multiple
5083 ++ * strings property.
5084 ++ * @np: device node from which the property value is to be read.
5085 ++ * @propname: name of the property to be searched.
5086 ++ * @index: index of the string in the list of strings
5087 ++ * @out_string: pointer to null terminated return string, modified only if
5088 ++ * return value is 0.
5089 ++ *
5090 ++ * Search for a property in a device tree node and retrieve a null
5091 ++ * terminated string value (pointer to data, not a copy) in the list of strings
5092 ++ * contained in that property.
5093 ++ * Returns 0 on success, -EINVAL if the property does not exist, -ENODATA if
5094 ++ * property does not have a value, and -EILSEQ if the string is not
5095 ++ * null-terminated within the length of the property data.
5096 ++ *
5097 ++ * The out_string pointer is modified only if a valid string can be decoded.
5098 ++ */
5099 ++static inline int of_property_read_string_index(struct device_node *np,
5100 ++ const char *propname,
5101 ++ int index, const char **output)
5102 ++{
5103 ++ int rc = of_property_read_string_helper(np, propname, output, 1, index);
5104 ++ return rc < 0 ? rc : 0;
5105 ++}
5106 ++
5107 ++/**
5108 + * of_property_read_bool - Findfrom a property
5109 + * @np: device node from which the property value is to be read.
5110 + * @propname: name of the property to be searched.
5111 +diff --git a/include/linux/oom.h b/include/linux/oom.h
5112 +index 3d7647536b03..d6ed7b05e31c 100644
5113 +--- a/include/linux/oom.h
5114 ++++ b/include/linux/oom.h
5115 +@@ -45,6 +45,10 @@ extern int test_set_oom_score_adj(int new_val);
5116 +
5117 + extern unsigned int oom_badness(struct task_struct *p, struct mem_cgroup *memcg,
5118 + const nodemask_t *nodemask, unsigned long totalpages);
5119 ++
5120 ++extern int oom_kills_count(void);
5121 ++extern void note_oom_kill(void);
5122 ++
5123 + extern int try_set_zonelist_oom(struct zonelist *zonelist, gfp_t gfp_flags);
5124 + extern void clear_zonelist_oom(struct zonelist *zonelist, gfp_t gfp_flags);
5125 +
5126 +diff --git a/include/linux/sched.h b/include/linux/sched.h
5127 +index 56d8233c5de7..d529bd9e6680 100644
5128 +--- a/include/linux/sched.h
5129 ++++ b/include/linux/sched.h
5130 +@@ -534,6 +534,7 @@ struct signal_struct {
5131 + atomic_t sigcnt;
5132 + atomic_t live;
5133 + int nr_threads;
5134 ++ struct list_head thread_head;
5135 +
5136 + wait_queue_head_t wait_chldexit; /* for wait4() */
5137 +
5138 +@@ -1394,6 +1395,7 @@ struct task_struct {
5139 + /* PID/PID hash table linkage. */
5140 + struct pid_link pids[PIDTYPE_MAX];
5141 + struct list_head thread_group;
5142 ++ struct list_head thread_node;
5143 +
5144 + struct completion *vfork_done; /* for vfork() */
5145 + int __user *set_child_tid; /* CLONE_CHILD_SETTID */
5146 +@@ -2397,6 +2399,16 @@ extern bool current_is_single_threaded(void);
5147 + #define while_each_thread(g, t) \
5148 + while ((t = next_thread(t)) != g)
5149 +
5150 ++#define __for_each_thread(signal, t) \
5151 ++ list_for_each_entry_rcu(t, &(signal)->thread_head, thread_node)
5152 ++
5153 ++#define for_each_thread(p, t) \
5154 ++ __for_each_thread((p)->signal, t)
5155 ++
5156 ++/* Careful: this is a double loop, 'break' won't work as expected. */
5157 ++#define for_each_process_thread(p, t) \
5158 ++ for_each_process(p) for_each_thread(p, t)
5159 ++
5160 + static inline int get_nr_threads(struct task_struct *tsk)
5161 + {
5162 + return tsk->signal->nr_threads;
5163 +diff --git a/include/linux/string.h b/include/linux/string.h
5164 +index e033564f10ba..3d9feb70dc20 100644
5165 +--- a/include/linux/string.h
5166 ++++ b/include/linux/string.h
5167 +@@ -133,7 +133,7 @@ int bprintf(u32 *bin_buf, size_t size, const char *fmt, ...) __printf(3, 4);
5168 + #endif
5169 +
5170 + extern ssize_t memory_read_from_buffer(void *to, size_t count, loff_t *ppos,
5171 +- const void *from, size_t available);
5172 ++ const void *from, size_t available);
5173 +
5174 + /**
5175 + * strstarts - does @str start with @prefix?
5176 +@@ -144,5 +144,7 @@ static inline bool strstarts(const char *str, const char *prefix)
5177 + {
5178 + return strncmp(str, prefix, strlen(prefix)) == 0;
5179 + }
5180 ++
5181 ++void memzero_explicit(void *s, size_t count);
5182 + #endif
5183 + #endif /* _LINUX_STRING_H_ */
5184 +diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
5185 +index 3e93de7ecbc3..d0d2af09dcc6 100644
5186 +--- a/include/linux/usb/quirks.h
5187 ++++ b/include/linux/usb/quirks.h
5188 +@@ -30,4 +30,10 @@
5189 + descriptor */
5190 + #define USB_QUIRK_DELAY_INIT 0x00000040
5191 +
5192 ++/* device generates spurious wakeup, ignore remote wakeup capability */
5193 ++#define USB_QUIRK_IGNORE_REMOTE_WAKEUP 0x00000200
5194 ++
5195 ++/* device can't handle device_qualifier descriptor requests */
5196 ++#define USB_QUIRK_DEVICE_QUALIFIER 0x00000100
5197 ++
5198 + #endif /* __LINUX_USB_QUIRKS_H */
5199 +diff --git a/include/net/ipv6.h b/include/net/ipv6.h
5200 +index 117eaa578d0d..8898a191929a 100644
5201 +--- a/include/net/ipv6.h
5202 ++++ b/include/net/ipv6.h
5203 +@@ -485,6 +485,7 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add
5204 + }
5205 +
5206 + extern void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
5207 ++void ipv6_proxy_select_ident(struct sk_buff *skb);
5208 +
5209 + /*
5210 + * Prototypes exported by ipv6
5211 +diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
5212 +index 0caf1f8de0fb..8a142844318f 100644
5213 +--- a/kernel/audit_tree.c
5214 ++++ b/kernel/audit_tree.c
5215 +@@ -154,6 +154,7 @@ static struct audit_chunk *alloc_chunk(int count)
5216 + chunk->owners[i].index = i;
5217 + }
5218 + fsnotify_init_mark(&chunk->mark, audit_tree_destroy_watch);
5219 ++ chunk->mark.mask = FS_IN_IGNORED;
5220 + return chunk;
5221 + }
5222 +
5223 +diff --git a/kernel/exit.c b/kernel/exit.c
5224 +index 3eb4dcfc658a..38980ea0b2d6 100644
5225 +--- a/kernel/exit.c
5226 ++++ b/kernel/exit.c
5227 +@@ -74,6 +74,7 @@ static void __unhash_process(struct task_struct *p, bool group_dead)
5228 + __this_cpu_dec(process_counts);
5229 + }
5230 + list_del_rcu(&p->thread_group);
5231 ++ list_del_rcu(&p->thread_node);
5232 + }
5233 +
5234 + /*
5235 +diff --git a/kernel/fork.c b/kernel/fork.c
5236 +index 878dcb2eec55..be2495f0eed7 100644
5237 +--- a/kernel/fork.c
5238 ++++ b/kernel/fork.c
5239 +@@ -1026,6 +1026,11 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk)
5240 + sig->nr_threads = 1;
5241 + atomic_set(&sig->live, 1);
5242 + atomic_set(&sig->sigcnt, 1);
5243 ++
5244 ++ /* list_add(thread_node, thread_head) without INIT_LIST_HEAD() */
5245 ++ sig->thread_head = (struct list_head)LIST_HEAD_INIT(tsk->thread_node);
5246 ++ tsk->thread_node = (struct list_head)LIST_HEAD_INIT(sig->thread_head);
5247 ++
5248 + init_waitqueue_head(&sig->wait_chldexit);
5249 + if (clone_flags & CLONE_NEWPID)
5250 + sig->flags |= SIGNAL_UNKILLABLE;
5251 +@@ -1412,14 +1417,6 @@ static struct task_struct *copy_process(unsigned long clone_flags,
5252 + goto bad_fork_free_pid;
5253 + }
5254 +
5255 +- if (clone_flags & CLONE_THREAD) {
5256 +- current->signal->nr_threads++;
5257 +- atomic_inc(&current->signal->live);
5258 +- atomic_inc(&current->signal->sigcnt);
5259 +- p->group_leader = current->group_leader;
5260 +- list_add_tail_rcu(&p->thread_group, &p->group_leader->thread_group);
5261 +- }
5262 +-
5263 + if (likely(p->pid)) {
5264 + ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
5265 +
5266 +@@ -1434,6 +1431,15 @@ static struct task_struct *copy_process(unsigned long clone_flags,
5267 + list_add_tail(&p->sibling, &p->real_parent->children);
5268 + list_add_tail_rcu(&p->tasks, &init_task.tasks);
5269 + __this_cpu_inc(process_counts);
5270 ++ } else {
5271 ++ current->signal->nr_threads++;
5272 ++ atomic_inc(&current->signal->live);
5273 ++ atomic_inc(&current->signal->sigcnt);
5274 ++ p->group_leader = current->group_leader;
5275 ++ list_add_tail_rcu(&p->thread_group,
5276 ++ &p->group_leader->thread_group);
5277 ++ list_add_tail_rcu(&p->thread_node,
5278 ++ &p->signal->thread_head);
5279 + }
5280 + attach_pid(p, PIDTYPE_PID, pid);
5281 + nr_threads++;
5282 +diff --git a/kernel/freezer.c b/kernel/freezer.c
5283 +index 11f82a4d4eae..2f8ecd994d47 100644
5284 +--- a/kernel/freezer.c
5285 ++++ b/kernel/freezer.c
5286 +@@ -36,6 +36,9 @@ bool freezing_slow_path(struct task_struct *p)
5287 + if (p->flags & PF_NOFREEZE)
5288 + return false;
5289 +
5290 ++ if (test_thread_flag(TIF_MEMDIE))
5291 ++ return false;
5292 ++
5293 + if (pm_nosig_freezing || cgroup_freezing(p))
5294 + return true;
5295 +
5296 +diff --git a/kernel/futex.c b/kernel/futex.c
5297 +index 41dfb1866f95..6b320c2ad6fa 100644
5298 +--- a/kernel/futex.c
5299 ++++ b/kernel/futex.c
5300 +@@ -212,6 +212,8 @@ static void drop_futex_key_refs(union futex_key *key)
5301 + case FUT_OFF_MMSHARED:
5302 + mmdrop(key->private.mm);
5303 + break;
5304 ++ default:
5305 ++ smp_mb(); /* explicit MB (B) */
5306 + }
5307 + }
5308 +
5309 +@@ -484,8 +486,14 @@ static struct futex_pi_state * alloc_pi_state(void)
5310 + return pi_state;
5311 + }
5312 +
5313 ++/*
5314 ++ * Must be called with the hb lock held.
5315 ++ */
5316 + static void free_pi_state(struct futex_pi_state *pi_state)
5317 + {
5318 ++ if (!pi_state)
5319 ++ return;
5320 ++
5321 + if (!atomic_dec_and_test(&pi_state->refcount))
5322 + return;
5323 +
5324 +@@ -1399,15 +1407,6 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
5325 + }
5326 +
5327 + retry:
5328 +- if (pi_state != NULL) {
5329 +- /*
5330 +- * We will have to lookup the pi_state again, so free this one
5331 +- * to keep the accounting correct.
5332 +- */
5333 +- free_pi_state(pi_state);
5334 +- pi_state = NULL;
5335 +- }
5336 +-
5337 + ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
5338 + if (unlikely(ret != 0))
5339 + goto out;
5340 +@@ -1495,6 +1494,8 @@ retry_private:
5341 + case 0:
5342 + break;
5343 + case -EFAULT:
5344 ++ free_pi_state(pi_state);
5345 ++ pi_state = NULL;
5346 + double_unlock_hb(hb1, hb2);
5347 + put_futex_key(&key2);
5348 + put_futex_key(&key1);
5349 +@@ -1504,6 +1505,8 @@ retry_private:
5350 + goto out;
5351 + case -EAGAIN:
5352 + /* The owner was exiting, try again. */
5353 ++ free_pi_state(pi_state);
5354 ++ pi_state = NULL;
5355 + double_unlock_hb(hb1, hb2);
5356 + put_futex_key(&key2);
5357 + put_futex_key(&key1);
5358 +@@ -1580,6 +1583,7 @@ retry_private:
5359 + }
5360 +
5361 + out_unlock:
5362 ++ free_pi_state(pi_state);
5363 + double_unlock_hb(hb1, hb2);
5364 +
5365 + /*
5366 +@@ -1596,8 +1600,6 @@ out_put_keys:
5367 + out_put_key1:
5368 + put_futex_key(&key1);
5369 + out:
5370 +- if (pi_state != NULL)
5371 +- free_pi_state(pi_state);
5372 + return ret ? ret : task_count;
5373 + }
5374 +
5375 +diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
5376 +index e885be1e8a11..02824a5c2693 100644
5377 +--- a/kernel/posix-timers.c
5378 ++++ b/kernel/posix-timers.c
5379 +@@ -589,6 +589,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
5380 + goto out;
5381 + }
5382 + } else {
5383 ++ memset(&event.sigev_value, 0, sizeof(event.sigev_value));
5384 + event.sigev_notify = SIGEV_SIGNAL;
5385 + event.sigev_signo = SIGALRM;
5386 + event.sigev_value.sival_int = new_timer->it_id;
5387 +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
5388 +index 52a18173c845..dd875cbe0d1a 100644
5389 +--- a/kernel/power/hibernate.c
5390 ++++ b/kernel/power/hibernate.c
5391 +@@ -486,8 +486,14 @@ int hibernation_restore(int platform_mode)
5392 + error = dpm_suspend_start(PMSG_QUIESCE);
5393 + if (!error) {
5394 + error = resume_target_kernel(platform_mode);
5395 +- dpm_resume_end(PMSG_RECOVER);
5396 ++ /*
5397 ++ * The above should either succeed and jump to the new kernel,
5398 ++ * or return with an error. Otherwise things are just
5399 ++ * undefined, so let's be paranoid.
5400 ++ */
5401 ++ BUG_ON(!error);
5402 + }
5403 ++ dpm_resume_end(PMSG_RECOVER);
5404 + pm_restore_gfp_mask();
5405 + ftrace_start();
5406 + resume_console();
5407 +diff --git a/kernel/power/process.c b/kernel/power/process.c
5408 +index f27d0c8cd9e8..286ff570f3b7 100644
5409 +--- a/kernel/power/process.c
5410 ++++ b/kernel/power/process.c
5411 +@@ -114,6 +114,28 @@ static int try_to_freeze_tasks(bool user_only)
5412 + return todo ? -EBUSY : 0;
5413 + }
5414 +
5415 ++/*
5416 ++ * Returns true if all freezable tasks (except for current) are frozen already
5417 ++ */
5418 ++static bool check_frozen_processes(void)
5419 ++{
5420 ++ struct task_struct *g, *p;
5421 ++ bool ret = true;
5422 ++
5423 ++ read_lock(&tasklist_lock);
5424 ++ for_each_process_thread(g, p) {
5425 ++ if (p != current && !freezer_should_skip(p) &&
5426 ++ !frozen(p)) {
5427 ++ ret = false;
5428 ++ goto done;
5429 ++ }
5430 ++ }
5431 ++done:
5432 ++ read_unlock(&tasklist_lock);
5433 ++
5434 ++ return ret;
5435 ++}
5436 ++
5437 + /**
5438 + * freeze_processes - Signal user space processes to enter the refrigerator.
5439 + *
5440 +@@ -122,6 +144,7 @@ static int try_to_freeze_tasks(bool user_only)
5441 + int freeze_processes(void)
5442 + {
5443 + int error;
5444 ++ int oom_kills_saved;
5445 +
5446 + error = __usermodehelper_disable(UMH_FREEZING);
5447 + if (error)
5448 +@@ -132,12 +155,27 @@ int freeze_processes(void)
5449 +
5450 + printk("Freezing user space processes ... ");
5451 + pm_freezing = true;
5452 ++ oom_kills_saved = oom_kills_count();
5453 + error = try_to_freeze_tasks(true);
5454 + if (!error) {
5455 +- printk("done.");
5456 + __usermodehelper_set_disable_depth(UMH_DISABLED);
5457 + oom_killer_disable();
5458 ++
5459 ++ /*
5460 ++ * There might have been an OOM kill while we were
5461 ++ * freezing tasks and the killed task might be still
5462 ++ * on the way out so we have to double check for race.
5463 ++ */
5464 ++ if (oom_kills_count() != oom_kills_saved &&
5465 ++ !check_frozen_processes()) {
5466 ++ __usermodehelper_set_disable_depth(UMH_ENABLED);
5467 ++ printk("OOM in progress.");
5468 ++ error = -EBUSY;
5469 ++ goto done;
5470 ++ }
5471 ++ printk("done.");
5472 + }
5473 ++done:
5474 + printk("\n");
5475 + BUG_ON(in_atomic());
5476 +
5477 +diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
5478 +index c9ce09addacd..4d0a209ecfda 100644
5479 +--- a/kernel/trace/trace_syscalls.c
5480 ++++ b/kernel/trace/trace_syscalls.c
5481 +@@ -309,7 +309,7 @@ void ftrace_syscall_enter(void *ignore, struct pt_regs *regs, long id)
5482 + int pc;
5483 +
5484 + syscall_nr = syscall_get_nr(current, regs);
5485 +- if (syscall_nr < 0)
5486 ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
5487 + return;
5488 + if (!test_bit(syscall_nr, enabled_enter_syscalls))
5489 + return;
5490 +@@ -349,7 +349,7 @@ void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
5491 + int pc;
5492 +
5493 + syscall_nr = syscall_get_nr(current, regs);
5494 +- if (syscall_nr < 0)
5495 ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
5496 + return;
5497 + if (!test_bit(syscall_nr, enabled_exit_syscalls))
5498 + return;
5499 +@@ -519,6 +519,8 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
5500 + int size;
5501 +
5502 + syscall_nr = syscall_get_nr(current, regs);
5503 ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
5504 ++ return;
5505 + if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
5506 + return;
5507 +
5508 +@@ -593,6 +595,8 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
5509 + int size;
5510 +
5511 + syscall_nr = syscall_get_nr(current, regs);
5512 ++ if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
5513 ++ return;
5514 + if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
5515 + return;
5516 +
5517 +diff --git a/lib/bitmap.c b/lib/bitmap.c
5518 +index b5a8b6ad2454..6ccf2120b406 100644
5519 +--- a/lib/bitmap.c
5520 ++++ b/lib/bitmap.c
5521 +@@ -131,7 +131,9 @@ void __bitmap_shift_right(unsigned long *dst,
5522 + lower = src[off + k];
5523 + if (left && off + k == lim - 1)
5524 + lower &= mask;
5525 +- dst[k] = upper << (BITS_PER_LONG - rem) | lower >> rem;
5526 ++ dst[k] = lower >> rem;
5527 ++ if (rem)
5528 ++ dst[k] |= upper << (BITS_PER_LONG - rem);
5529 + if (left && k == lim - 1)
5530 + dst[k] &= mask;
5531 + }
5532 +@@ -172,7 +174,9 @@ void __bitmap_shift_left(unsigned long *dst,
5533 + upper = src[k];
5534 + if (left && k == lim - 1)
5535 + upper &= (1UL << left) - 1;
5536 +- dst[k + off] = lower >> (BITS_PER_LONG - rem) | upper << rem;
5537 ++ dst[k + off] = upper << rem;
5538 ++ if (rem)
5539 ++ dst[k + off] |= lower >> (BITS_PER_LONG - rem);
5540 + if (left && k + off == lim - 1)
5541 + dst[k + off] &= (1UL << left) - 1;
5542 + }
5543 +diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c
5544 +index 8563081e8da3..a1c387f6afba 100644
5545 +--- a/lib/lzo/lzo1x_decompress_safe.c
5546 ++++ b/lib/lzo/lzo1x_decompress_safe.c
5547 +@@ -19,31 +19,21 @@
5548 + #include <linux/lzo.h>
5549 + #include "lzodefs.h"
5550 +
5551 +-#define HAVE_IP(t, x) \
5552 +- (((size_t)(ip_end - ip) >= (size_t)(t + x)) && \
5553 +- (((t + x) >= t) && ((t + x) >= x)))
5554 ++#define HAVE_IP(x) ((size_t)(ip_end - ip) >= (size_t)(x))
5555 ++#define HAVE_OP(x) ((size_t)(op_end - op) >= (size_t)(x))
5556 ++#define NEED_IP(x) if (!HAVE_IP(x)) goto input_overrun
5557 ++#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun
5558 ++#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun
5559 +
5560 +-#define HAVE_OP(t, x) \
5561 +- (((size_t)(op_end - op) >= (size_t)(t + x)) && \
5562 +- (((t + x) >= t) && ((t + x) >= x)))
5563 +-
5564 +-#define NEED_IP(t, x) \
5565 +- do { \
5566 +- if (!HAVE_IP(t, x)) \
5567 +- goto input_overrun; \
5568 +- } while (0)
5569 +-
5570 +-#define NEED_OP(t, x) \
5571 +- do { \
5572 +- if (!HAVE_OP(t, x)) \
5573 +- goto output_overrun; \
5574 +- } while (0)
5575 +-
5576 +-#define TEST_LB(m_pos) \
5577 +- do { \
5578 +- if ((m_pos) < out) \
5579 +- goto lookbehind_overrun; \
5580 +- } while (0)
5581 ++/* This MAX_255_COUNT is the maximum number of times we can add 255 to a base
5582 ++ * count without overflowing an integer. The multiply will overflow when
5583 ++ * multiplying 255 by more than MAXINT/255. The sum will overflow earlier
5584 ++ * depending on the base count. Since the base count is taken from a u8
5585 ++ * and a few bits, it is safe to assume that it will always be lower than
5586 ++ * or equal to 2*255, thus we can always prevent any overflow by accepting
5587 ++ * two less 255 steps. See Documentation/lzo.txt for more information.
5588 ++ */
5589 ++#define MAX_255_COUNT ((((size_t)~0) / 255) - 2)
5590 +
5591 + int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
5592 + unsigned char *out, size_t *out_len)
5593 +@@ -75,17 +65,24 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
5594 + if (t < 16) {
5595 + if (likely(state == 0)) {
5596 + if (unlikely(t == 0)) {
5597 ++ size_t offset;
5598 ++ const unsigned char *ip_last = ip;
5599 ++
5600 + while (unlikely(*ip == 0)) {
5601 +- t += 255;
5602 + ip++;
5603 +- NEED_IP(1, 0);
5604 ++ NEED_IP(1);
5605 + }
5606 +- t += 15 + *ip++;
5607 ++ offset = ip - ip_last;
5608 ++ if (unlikely(offset > MAX_255_COUNT))
5609 ++ return LZO_E_ERROR;
5610 ++
5611 ++ offset = (offset << 8) - offset;
5612 ++ t += offset + 15 + *ip++;
5613 + }
5614 + t += 3;
5615 + copy_literal_run:
5616 + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
5617 +- if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
5618 ++ if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
5619 + const unsigned char *ie = ip + t;
5620 + unsigned char *oe = op + t;
5621 + do {
5622 +@@ -101,8 +98,8 @@ copy_literal_run:
5623 + } else
5624 + #endif
5625 + {
5626 +- NEED_OP(t, 0);
5627 +- NEED_IP(t, 3);
5628 ++ NEED_OP(t);
5629 ++ NEED_IP(t + 3);
5630 + do {
5631 + *op++ = *ip++;
5632 + } while (--t > 0);
5633 +@@ -115,7 +112,7 @@ copy_literal_run:
5634 + m_pos -= t >> 2;
5635 + m_pos -= *ip++ << 2;
5636 + TEST_LB(m_pos);
5637 +- NEED_OP(2, 0);
5638 ++ NEED_OP(2);
5639 + op[0] = m_pos[0];
5640 + op[1] = m_pos[1];
5641 + op += 2;
5642 +@@ -136,13 +133,20 @@ copy_literal_run:
5643 + } else if (t >= 32) {
5644 + t = (t & 31) + (3 - 1);
5645 + if (unlikely(t == 2)) {
5646 ++ size_t offset;
5647 ++ const unsigned char *ip_last = ip;
5648 ++
5649 + while (unlikely(*ip == 0)) {
5650 +- t += 255;
5651 + ip++;
5652 +- NEED_IP(1, 0);
5653 ++ NEED_IP(1);
5654 + }
5655 +- t += 31 + *ip++;
5656 +- NEED_IP(2, 0);
5657 ++ offset = ip - ip_last;
5658 ++ if (unlikely(offset > MAX_255_COUNT))
5659 ++ return LZO_E_ERROR;
5660 ++
5661 ++ offset = (offset << 8) - offset;
5662 ++ t += offset + 31 + *ip++;
5663 ++ NEED_IP(2);
5664 + }
5665 + m_pos = op - 1;
5666 + next = get_unaligned_le16(ip);
5667 +@@ -154,13 +158,20 @@ copy_literal_run:
5668 + m_pos -= (t & 8) << 11;
5669 + t = (t & 7) + (3 - 1);
5670 + if (unlikely(t == 2)) {
5671 ++ size_t offset;
5672 ++ const unsigned char *ip_last = ip;
5673 ++
5674 + while (unlikely(*ip == 0)) {
5675 +- t += 255;
5676 + ip++;
5677 +- NEED_IP(1, 0);
5678 ++ NEED_IP(1);
5679 + }
5680 +- t += 7 + *ip++;
5681 +- NEED_IP(2, 0);
5682 ++ offset = ip - ip_last;
5683 ++ if (unlikely(offset > MAX_255_COUNT))
5684 ++ return LZO_E_ERROR;
5685 ++
5686 ++ offset = (offset << 8) - offset;
5687 ++ t += offset + 7 + *ip++;
5688 ++ NEED_IP(2);
5689 + }
5690 + next = get_unaligned_le16(ip);
5691 + ip += 2;
5692 +@@ -174,7 +185,7 @@ copy_literal_run:
5693 + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
5694 + if (op - m_pos >= 8) {
5695 + unsigned char *oe = op + t;
5696 +- if (likely(HAVE_OP(t, 15))) {
5697 ++ if (likely(HAVE_OP(t + 15))) {
5698 + do {
5699 + COPY8(op, m_pos);
5700 + op += 8;
5701 +@@ -184,7 +195,7 @@ copy_literal_run:
5702 + m_pos += 8;
5703 + } while (op < oe);
5704 + op = oe;
5705 +- if (HAVE_IP(6, 0)) {
5706 ++ if (HAVE_IP(6)) {
5707 + state = next;
5708 + COPY4(op, ip);
5709 + op += next;
5710 +@@ -192,7 +203,7 @@ copy_literal_run:
5711 + continue;
5712 + }
5713 + } else {
5714 +- NEED_OP(t, 0);
5715 ++ NEED_OP(t);
5716 + do {
5717 + *op++ = *m_pos++;
5718 + } while (op < oe);
5719 +@@ -201,7 +212,7 @@ copy_literal_run:
5720 + #endif
5721 + {
5722 + unsigned char *oe = op + t;
5723 +- NEED_OP(t, 0);
5724 ++ NEED_OP(t);
5725 + op[0] = m_pos[0];
5726 + op[1] = m_pos[1];
5727 + op += 2;
5728 +@@ -214,15 +225,15 @@ match_next:
5729 + state = next;
5730 + t = next;
5731 + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
5732 +- if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
5733 ++ if (likely(HAVE_IP(6) && HAVE_OP(4))) {
5734 + COPY4(op, ip);
5735 + op += t;
5736 + ip += t;
5737 + } else
5738 + #endif
5739 + {
5740 +- NEED_IP(t, 3);
5741 +- NEED_OP(t, 0);
5742 ++ NEED_IP(t + 3);
5743 ++ NEED_OP(t);
5744 + while (t > 0) {
5745 + *op++ = *ip++;
5746 + t--;
5747 +diff --git a/lib/string.c b/lib/string.c
5748 +index e5878de4f101..43d0781daf47 100644
5749 +--- a/lib/string.c
5750 ++++ b/lib/string.c
5751 +@@ -586,6 +586,22 @@ void *memset(void *s, int c, size_t count)
5752 + EXPORT_SYMBOL(memset);
5753 + #endif
5754 +
5755 ++/**
5756 ++ * memzero_explicit - Fill a region of memory (e.g. sensitive
5757 ++ * keying data) with 0s.
5758 ++ * @s: Pointer to the start of the area.
5759 ++ * @count: The size of the area.
5760 ++ *
5761 ++ * memzero_explicit() doesn't need an arch-specific version as
5762 ++ * it just invokes the one of memset() implicitly.
5763 ++ */
5764 ++void memzero_explicit(void *s, size_t count)
5765 ++{
5766 ++ memset(s, 0, count);
5767 ++ OPTIMIZER_HIDE_VAR(s);
5768 ++}
5769 ++EXPORT_SYMBOL(memzero_explicit);
5770 ++
5771 + #ifndef __HAVE_ARCH_MEMCPY
5772 + /**
5773 + * memcpy - Copy one area of memory to another
5774 +diff --git a/mm/huge_memory.c b/mm/huge_memory.c
5775 +index 3da5c0bff3b0..8978c1bf91e4 100644
5776 +--- a/mm/huge_memory.c
5777 ++++ b/mm/huge_memory.c
5778 +@@ -711,7 +711,7 @@ int do_huge_pmd_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
5779 + if (haddr >= vma->vm_start && haddr + HPAGE_PMD_SIZE <= vma->vm_end) {
5780 + if (unlikely(anon_vma_prepare(vma)))
5781 + return VM_FAULT_OOM;
5782 +- if (unlikely(khugepaged_enter(vma)))
5783 ++ if (unlikely(khugepaged_enter(vma, vma->vm_flags)))
5784 + return VM_FAULT_OOM;
5785 + page = alloc_hugepage_vma(transparent_hugepage_defrag(vma),
5786 + vma, haddr, numa_node_id(), 0);
5787 +@@ -1505,7 +1505,7 @@ int hugepage_madvise(struct vm_area_struct *vma,
5788 + * register it here without waiting a page fault that
5789 + * may not happen any time soon.
5790 + */
5791 +- if (unlikely(khugepaged_enter_vma_merge(vma)))
5792 ++ if (unlikely(khugepaged_enter_vma_merge(vma, *vm_flags)))
5793 + return -ENOMEM;
5794 + break;
5795 + case MADV_NOHUGEPAGE:
5796 +@@ -1637,7 +1637,8 @@ int __khugepaged_enter(struct mm_struct *mm)
5797 + return 0;
5798 + }
5799 +
5800 +-int khugepaged_enter_vma_merge(struct vm_area_struct *vma)
5801 ++int khugepaged_enter_vma_merge(struct vm_area_struct *vma,
5802 ++ unsigned long vm_flags)
5803 + {
5804 + unsigned long hstart, hend;
5805 + if (!vma->anon_vma)
5806 +@@ -1653,11 +1654,11 @@ int khugepaged_enter_vma_merge(struct vm_area_struct *vma)
5807 + * If is_pfn_mapping() is true is_learn_pfn_mapping() must be
5808 + * true too, verify it here.
5809 + */
5810 +- VM_BUG_ON(is_linear_pfn_mapping(vma) || vma->vm_flags & VM_NO_THP);
5811 ++ VM_BUG_ON(is_linear_pfn_mapping(vma) || vm_flags & VM_NO_THP);
5812 + hstart = (vma->vm_start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK;
5813 + hend = vma->vm_end & HPAGE_PMD_MASK;
5814 + if (hstart < hend)
5815 +- return khugepaged_enter(vma);
5816 ++ return khugepaged_enter(vma, vm_flags);
5817 + return 0;
5818 + }
5819 +
5820 +diff --git a/mm/memory.c b/mm/memory.c
5821 +index ffd74f370e8d..c34e60a950aa 100644
5822 +--- a/mm/memory.c
5823 ++++ b/mm/memory.c
5824 +@@ -1164,8 +1164,10 @@ again:
5825 + if (unlikely(page_mapcount(page) < 0))
5826 + print_bad_pte(vma, addr, ptent, page);
5827 + force_flush = !__tlb_remove_page(tlb, page);
5828 +- if (force_flush)
5829 ++ if (force_flush) {
5830 ++ addr += PAGE_SIZE;
5831 + break;
5832 ++ }
5833 + continue;
5834 + }
5835 + /*
5836 +diff --git a/mm/mmap.c b/mm/mmap.c
5837 +index 69367e43e52e..94fdbe8f3b99 100644
5838 +--- a/mm/mmap.c
5839 ++++ b/mm/mmap.c
5840 +@@ -826,7 +826,7 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
5841 + end, prev->vm_pgoff, NULL);
5842 + if (err)
5843 + return NULL;
5844 +- khugepaged_enter_vma_merge(prev);
5845 ++ khugepaged_enter_vma_merge(prev, vm_flags);
5846 + return prev;
5847 + }
5848 +
5849 +@@ -845,7 +845,7 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
5850 + next->vm_pgoff - pglen, NULL);
5851 + if (err)
5852 + return NULL;
5853 +- khugepaged_enter_vma_merge(area);
5854 ++ khugepaged_enter_vma_merge(area, vm_flags);
5855 + return area;
5856 + }
5857 +
5858 +@@ -1820,7 +1820,7 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
5859 + }
5860 + }
5861 + vma_unlock_anon_vma(vma);
5862 +- khugepaged_enter_vma_merge(vma);
5863 ++ khugepaged_enter_vma_merge(vma, vma->vm_flags);
5864 + return error;
5865 + }
5866 + #endif /* CONFIG_STACK_GROWSUP || CONFIG_IA64 */
5867 +@@ -1871,7 +1871,7 @@ int expand_downwards(struct vm_area_struct *vma,
5868 + }
5869 + }
5870 + vma_unlock_anon_vma(vma);
5871 +- khugepaged_enter_vma_merge(vma);
5872 ++ khugepaged_enter_vma_merge(vma, vma->vm_flags);
5873 + return error;
5874 + }
5875 +
5876 +diff --git a/mm/oom_kill.c b/mm/oom_kill.c
5877 +index 597ecac5731a..cb1f046faa68 100644
5878 +--- a/mm/oom_kill.c
5879 ++++ b/mm/oom_kill.c
5880 +@@ -435,6 +435,23 @@ static void dump_header(struct task_struct *p, gfp_t gfp_mask, int order,
5881 + dump_tasks(memcg, nodemask);
5882 + }
5883 +
5884 ++/*
5885 ++ * Number of OOM killer invocations (including memcg OOM killer).
5886 ++ * Primarily used by PM freezer to check for potential races with
5887 ++ * OOM killed frozen task.
5888 ++ */
5889 ++static atomic_t oom_kills = ATOMIC_INIT(0);
5890 ++
5891 ++int oom_kills_count(void)
5892 ++{
5893 ++ return atomic_read(&oom_kills);
5894 ++}
5895 ++
5896 ++void note_oom_kill(void)
5897 ++{
5898 ++ atomic_inc(&oom_kills);
5899 ++}
5900 ++
5901 + #define K(x) ((x) << (PAGE_SHIFT-10))
5902 + static void oom_kill_process(struct task_struct *p, gfp_t gfp_mask, int order,
5903 + unsigned int points, unsigned long totalpages,
5904 +diff --git a/mm/page_alloc.c b/mm/page_alloc.c
5905 +index ff0b0997b953..2891a9059f8a 100644
5906 +--- a/mm/page_alloc.c
5907 ++++ b/mm/page_alloc.c
5908 +@@ -1982,6 +1982,14 @@ __alloc_pages_may_oom(gfp_t gfp_mask, unsigned int order,
5909 + }
5910 +
5911 + /*
5912 ++ * PM-freezer should be notified that there might be an OOM killer on
5913 ++ * its way to kill and wake somebody up. This is too early and we might
5914 ++ * end up not killing anything but false positives are acceptable.
5915 ++ * See freeze_processes.
5916 ++ */
5917 ++ note_oom_kill();
5918 ++
5919 ++ /*
5920 + * Go through the zonelist yet one more time, keep very high watermark
5921 + * here, this is only to catch a parallel oom killing, we must fail if
5922 + * we're still under heavy pressure.
5923 +diff --git a/mm/page_cgroup.c b/mm/page_cgroup.c
5924 +index 1ccbd714059c..b7693fdc6bb5 100644
5925 +--- a/mm/page_cgroup.c
5926 ++++ b/mm/page_cgroup.c
5927 +@@ -170,6 +170,7 @@ static void free_page_cgroup(void *addr)
5928 + sizeof(struct page_cgroup) * PAGES_PER_SECTION;
5929 +
5930 + BUG_ON(PageReserved(page));
5931 ++ kmemleak_free(addr);
5932 + free_pages_exact(addr, table_size);
5933 + }
5934 + }
5935 +diff --git a/mm/percpu.c b/mm/percpu.c
5936 +index 5f6042b61ca8..13b2eefabfdd 100644
5937 +--- a/mm/percpu.c
5938 ++++ b/mm/percpu.c
5939 +@@ -1907,8 +1907,6 @@ void __init setup_per_cpu_areas(void)
5940 +
5941 + if (pcpu_setup_first_chunk(ai, fc) < 0)
5942 + panic("Failed to initialize percpu areas.");
5943 +-
5944 +- pcpu_free_alloc_info(ai);
5945 + }
5946 +
5947 + #endif /* CONFIG_SMP */
5948 +diff --git a/mm/truncate.c b/mm/truncate.c
5949 +index f38055cb8af6..57625f7ed8e1 100644
5950 +--- a/mm/truncate.c
5951 ++++ b/mm/truncate.c
5952 +@@ -20,6 +20,7 @@
5953 + #include <linux/buffer_head.h> /* grr. try_to_release_page,
5954 + do_invalidatepage */
5955 + #include <linux/cleancache.h>
5956 ++#include <linux/rmap.h>
5957 + #include "internal.h"
5958 +
5959 +
5960 +@@ -571,16 +572,70 @@ EXPORT_SYMBOL(truncate_pagecache);
5961 + */
5962 + void truncate_setsize(struct inode *inode, loff_t newsize)
5963 + {
5964 +- loff_t oldsize;
5965 +-
5966 +- oldsize = inode->i_size;
5967 ++ loff_t oldsize = inode->i_size;
5968 + i_size_write(inode, newsize);
5969 +
5970 ++ if (newsize > oldsize)
5971 ++ pagecache_isize_extended(inode, oldsize, newsize);
5972 + truncate_pagecache(inode, oldsize, newsize);
5973 + }
5974 + EXPORT_SYMBOL(truncate_setsize);
5975 +
5976 + /**
5977 ++ * pagecache_isize_extended - update pagecache after extension of i_size
5978 ++ * @inode: inode for which i_size was extended
5979 ++ * @from: original inode size
5980 ++ * @to: new inode size
5981 ++ *
5982 ++ * Handle extension of inode size either caused by extending truncate or by
5983 ++ * write starting after current i_size. We mark the page straddling current
5984 ++ * i_size RO so that page_mkwrite() is called on the nearest write access to
5985 ++ * the page. This way filesystem can be sure that page_mkwrite() is called on
5986 ++ * the page before user writes to the page via mmap after the i_size has been
5987 ++ * changed.
5988 ++ *
5989 ++ * The function must be called after i_size is updated so that page fault
5990 ++ * coming after we unlock the page will already see the new i_size.
5991 ++ * The function must be called while we still hold i_mutex - this not only
5992 ++ * makes sure i_size is stable but also that userspace cannot observe new
5993 ++ * i_size value before we are prepared to store mmap writes at new inode size.
5994 ++ */
5995 ++void pagecache_isize_extended(struct inode *inode, loff_t from, loff_t to)
5996 ++{
5997 ++ int bsize = 1 << inode->i_blkbits;
5998 ++ loff_t rounded_from;
5999 ++ struct page *page;
6000 ++ pgoff_t index;
6001 ++
6002 ++ WARN_ON(to > inode->i_size);
6003 ++
6004 ++ if (from >= to || bsize == PAGE_CACHE_SIZE)
6005 ++ return;
6006 ++ /* Page straddling @from will not have any hole block created? */
6007 ++ rounded_from = round_up(from, bsize);
6008 ++ if (to <= rounded_from || !(rounded_from & (PAGE_CACHE_SIZE - 1)))
6009 ++ return;
6010 ++
6011 ++ index = from >> PAGE_CACHE_SHIFT;
6012 ++ page = find_lock_page(inode->i_mapping, index);
6013 ++ /* Page not cached? Nothing to do */
6014 ++ if (!page)
6015 ++ return;
6016 ++ /*
6017 ++ * See clear_page_dirty_for_io() for details why set_page_dirty()
6018 ++ * is needed.
6019 ++ */
6020 ++ if (page_mkclean(page))
6021 ++ set_page_dirty(page);
6022 ++ unlock_page(page);
6023 ++ page_cache_release(page);
6024 ++}
6025 ++EXPORT_SYMBOL(pagecache_isize_extended);
6026 ++
6027 ++/**
6028 ++ * truncate_pagecache_range - unmap and remove pagecache that is hole-punched
6029 ++ * @inode: inode
6030 ++ * @lstart: offset of beginning of hole
6031 + * vmtruncate - unmap mappings "freed" by truncate() syscall
6032 + * @inode: inode of the file used
6033 + * @newsize: file offset to start truncating
6034 +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
6035 +index 605156f13899..61e2494dc188 100644
6036 +--- a/net/bluetooth/smp.c
6037 ++++ b/net/bluetooth/smp.c
6038 +@@ -325,8 +325,11 @@ static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
6039 + }
6040 +
6041 + /* Not Just Works/Confirm results in MITM Authentication */
6042 +- if (method != JUST_CFM)
6043 ++ if (method != JUST_CFM) {
6044 + set_bit(SMP_FLAG_MITM_AUTH, &smp->smp_flags);
6045 ++ if (hcon->pending_sec_level < BT_SECURITY_HIGH)
6046 ++ hcon->pending_sec_level = BT_SECURITY_HIGH;
6047 ++ }
6048 +
6049 + /* If both devices have Keyoard-Display I/O, the master
6050 + * Confirms and the slave Enters the passkey.
6051 +diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
6052 +index 9da7fdd3cd8a..3d1be9911b8e 100644
6053 +--- a/net/ceph/crypto.c
6054 ++++ b/net/ceph/crypto.c
6055 +@@ -89,11 +89,82 @@ static struct crypto_blkcipher *ceph_crypto_alloc_cipher(void)
6056 +
6057 + static const u8 *aes_iv = (u8 *)CEPH_AES_IV;
6058 +
6059 ++/*
6060 ++ * Should be used for buffers allocated with ceph_kvmalloc().
6061 ++ * Currently these are encrypt out-buffer (ceph_buffer) and decrypt
6062 ++ * in-buffer (msg front).
6063 ++ *
6064 ++ * Dispose of @sgt with teardown_sgtable().
6065 ++ *
6066 ++ * @prealloc_sg is to avoid memory allocation inside sg_alloc_table()
6067 ++ * in cases where a single sg is sufficient. No attempt to reduce the
6068 ++ * number of sgs by squeezing physically contiguous pages together is
6069 ++ * made though, for simplicity.
6070 ++ */
6071 ++static int setup_sgtable(struct sg_table *sgt, struct scatterlist *prealloc_sg,
6072 ++ const void *buf, unsigned int buf_len)
6073 ++{
6074 ++ struct scatterlist *sg;
6075 ++ const bool is_vmalloc = is_vmalloc_addr(buf);
6076 ++ unsigned int off = offset_in_page(buf);
6077 ++ unsigned int chunk_cnt = 1;
6078 ++ unsigned int chunk_len = PAGE_ALIGN(off + buf_len);
6079 ++ int i;
6080 ++ int ret;
6081 ++
6082 ++ if (buf_len == 0) {
6083 ++ memset(sgt, 0, sizeof(*sgt));
6084 ++ return -EINVAL;
6085 ++ }
6086 ++
6087 ++ if (is_vmalloc) {
6088 ++ chunk_cnt = chunk_len >> PAGE_SHIFT;
6089 ++ chunk_len = PAGE_SIZE;
6090 ++ }
6091 ++
6092 ++ if (chunk_cnt > 1) {
6093 ++ ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS);
6094 ++ if (ret)
6095 ++ return ret;
6096 ++ } else {
6097 ++ WARN_ON(chunk_cnt != 1);
6098 ++ sg_init_table(prealloc_sg, 1);
6099 ++ sgt->sgl = prealloc_sg;
6100 ++ sgt->nents = sgt->orig_nents = 1;
6101 ++ }
6102 ++
6103 ++ for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) {
6104 ++ struct page *page;
6105 ++ unsigned int len = min(chunk_len - off, buf_len);
6106 ++
6107 ++ if (is_vmalloc)
6108 ++ page = vmalloc_to_page(buf);
6109 ++ else
6110 ++ page = virt_to_page(buf);
6111 ++
6112 ++ sg_set_page(sg, page, len, off);
6113 ++
6114 ++ off = 0;
6115 ++ buf += len;
6116 ++ buf_len -= len;
6117 ++ }
6118 ++ WARN_ON(buf_len != 0);
6119 ++
6120 ++ return 0;
6121 ++}
6122 ++
6123 ++static void teardown_sgtable(struct sg_table *sgt)
6124 ++{
6125 ++ if (sgt->orig_nents > 1)
6126 ++ sg_free_table(sgt);
6127 ++}
6128 ++
6129 + static int ceph_aes_encrypt(const void *key, int key_len,
6130 + void *dst, size_t *dst_len,
6131 + const void *src, size_t src_len)
6132 + {
6133 +- struct scatterlist sg_in[2], sg_out[1];
6134 ++ struct scatterlist sg_in[2], prealloc_sg;
6135 ++ struct sg_table sg_out;
6136 + struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
6137 + struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
6138 + int ret;
6139 +@@ -109,16 +180,18 @@ static int ceph_aes_encrypt(const void *key, int key_len,
6140 +
6141 + *dst_len = src_len + zero_padding;
6142 +
6143 +- crypto_blkcipher_setkey((void *)tfm, key, key_len);
6144 + sg_init_table(sg_in, 2);
6145 + sg_set_buf(&sg_in[0], src, src_len);
6146 + sg_set_buf(&sg_in[1], pad, zero_padding);
6147 +- sg_init_table(sg_out, 1);
6148 +- sg_set_buf(sg_out, dst, *dst_len);
6149 ++ ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
6150 ++ if (ret)
6151 ++ goto out_tfm;
6152 ++
6153 ++ crypto_blkcipher_setkey((void *)tfm, key, key_len);
6154 + iv = crypto_blkcipher_crt(tfm)->iv;
6155 + ivsize = crypto_blkcipher_ivsize(tfm);
6156 +-
6157 + memcpy(iv, aes_iv, ivsize);
6158 ++
6159 + /*
6160 + print_hex_dump(KERN_ERR, "enc key: ", DUMP_PREFIX_NONE, 16, 1,
6161 + key, key_len, 1);
6162 +@@ -127,16 +200,22 @@ static int ceph_aes_encrypt(const void *key, int key_len,
6163 + print_hex_dump(KERN_ERR, "enc pad: ", DUMP_PREFIX_NONE, 16, 1,
6164 + pad, zero_padding, 1);
6165 + */
6166 +- ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
6167 ++ ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
6168 + src_len + zero_padding);
6169 +- crypto_free_blkcipher(tfm);
6170 +- if (ret < 0)
6171 ++ if (ret < 0) {
6172 + pr_err("ceph_aes_crypt failed %d\n", ret);
6173 ++ goto out_sg;
6174 ++ }
6175 + /*
6176 + print_hex_dump(KERN_ERR, "enc out: ", DUMP_PREFIX_NONE, 16, 1,
6177 + dst, *dst_len, 1);
6178 + */
6179 +- return 0;
6180 ++
6181 ++out_sg:
6182 ++ teardown_sgtable(&sg_out);
6183 ++out_tfm:
6184 ++ crypto_free_blkcipher(tfm);
6185 ++ return ret;
6186 + }
6187 +
6188 + static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
6189 +@@ -144,7 +223,8 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
6190 + const void *src1, size_t src1_len,
6191 + const void *src2, size_t src2_len)
6192 + {
6193 +- struct scatterlist sg_in[3], sg_out[1];
6194 ++ struct scatterlist sg_in[3], prealloc_sg;
6195 ++ struct sg_table sg_out;
6196 + struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
6197 + struct blkcipher_desc desc = { .tfm = tfm, .flags = 0 };
6198 + int ret;
6199 +@@ -160,17 +240,19 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
6200 +
6201 + *dst_len = src1_len + src2_len + zero_padding;
6202 +
6203 +- crypto_blkcipher_setkey((void *)tfm, key, key_len);
6204 + sg_init_table(sg_in, 3);
6205 + sg_set_buf(&sg_in[0], src1, src1_len);
6206 + sg_set_buf(&sg_in[1], src2, src2_len);
6207 + sg_set_buf(&sg_in[2], pad, zero_padding);
6208 +- sg_init_table(sg_out, 1);
6209 +- sg_set_buf(sg_out, dst, *dst_len);
6210 ++ ret = setup_sgtable(&sg_out, &prealloc_sg, dst, *dst_len);
6211 ++ if (ret)
6212 ++ goto out_tfm;
6213 ++
6214 ++ crypto_blkcipher_setkey((void *)tfm, key, key_len);
6215 + iv = crypto_blkcipher_crt(tfm)->iv;
6216 + ivsize = crypto_blkcipher_ivsize(tfm);
6217 +-
6218 + memcpy(iv, aes_iv, ivsize);
6219 ++
6220 + /*
6221 + print_hex_dump(KERN_ERR, "enc key: ", DUMP_PREFIX_NONE, 16, 1,
6222 + key, key_len, 1);
6223 +@@ -181,23 +263,30 @@ static int ceph_aes_encrypt2(const void *key, int key_len, void *dst,
6224 + print_hex_dump(KERN_ERR, "enc pad: ", DUMP_PREFIX_NONE, 16, 1,
6225 + pad, zero_padding, 1);
6226 + */
6227 +- ret = crypto_blkcipher_encrypt(&desc, sg_out, sg_in,
6228 ++ ret = crypto_blkcipher_encrypt(&desc, sg_out.sgl, sg_in,
6229 + src1_len + src2_len + zero_padding);
6230 +- crypto_free_blkcipher(tfm);
6231 +- if (ret < 0)
6232 ++ if (ret < 0) {
6233 + pr_err("ceph_aes_crypt2 failed %d\n", ret);
6234 ++ goto out_sg;
6235 ++ }
6236 + /*
6237 + print_hex_dump(KERN_ERR, "enc out: ", DUMP_PREFIX_NONE, 16, 1,
6238 + dst, *dst_len, 1);
6239 + */
6240 +- return 0;
6241 ++
6242 ++out_sg:
6243 ++ teardown_sgtable(&sg_out);
6244 ++out_tfm:
6245 ++ crypto_free_blkcipher(tfm);
6246 ++ return ret;
6247 + }
6248 +
6249 + static int ceph_aes_decrypt(const void *key, int key_len,
6250 + void *dst, size_t *dst_len,
6251 + const void *src, size_t src_len)
6252 + {
6253 +- struct scatterlist sg_in[1], sg_out[2];
6254 ++ struct sg_table sg_in;
6255 ++ struct scatterlist sg_out[2], prealloc_sg;
6256 + struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
6257 + struct blkcipher_desc desc = { .tfm = tfm };
6258 + char pad[16];
6259 +@@ -209,16 +298,16 @@ static int ceph_aes_decrypt(const void *key, int key_len,
6260 + if (IS_ERR(tfm))
6261 + return PTR_ERR(tfm);
6262 +
6263 +- crypto_blkcipher_setkey((void *)tfm, key, key_len);
6264 +- sg_init_table(sg_in, 1);
6265 + sg_init_table(sg_out, 2);
6266 +- sg_set_buf(sg_in, src, src_len);
6267 + sg_set_buf(&sg_out[0], dst, *dst_len);
6268 + sg_set_buf(&sg_out[1], pad, sizeof(pad));
6269 ++ ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
6270 ++ if (ret)
6271 ++ goto out_tfm;
6272 +
6273 ++ crypto_blkcipher_setkey((void *)tfm, key, key_len);
6274 + iv = crypto_blkcipher_crt(tfm)->iv;
6275 + ivsize = crypto_blkcipher_ivsize(tfm);
6276 +-
6277 + memcpy(iv, aes_iv, ivsize);
6278 +
6279 + /*
6280 +@@ -227,12 +316,10 @@ static int ceph_aes_decrypt(const void *key, int key_len,
6281 + print_hex_dump(KERN_ERR, "dec in: ", DUMP_PREFIX_NONE, 16, 1,
6282 + src, src_len, 1);
6283 + */
6284 +-
6285 +- ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
6286 +- crypto_free_blkcipher(tfm);
6287 ++ ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
6288 + if (ret < 0) {
6289 + pr_err("ceph_aes_decrypt failed %d\n", ret);
6290 +- return ret;
6291 ++ goto out_sg;
6292 + }
6293 +
6294 + if (src_len <= *dst_len)
6295 +@@ -250,7 +337,12 @@ static int ceph_aes_decrypt(const void *key, int key_len,
6296 + print_hex_dump(KERN_ERR, "dec out: ", DUMP_PREFIX_NONE, 16, 1,
6297 + dst, *dst_len, 1);
6298 + */
6299 +- return 0;
6300 ++
6301 ++out_sg:
6302 ++ teardown_sgtable(&sg_in);
6303 ++out_tfm:
6304 ++ crypto_free_blkcipher(tfm);
6305 ++ return ret;
6306 + }
6307 +
6308 + static int ceph_aes_decrypt2(const void *key, int key_len,
6309 +@@ -258,7 +350,8 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
6310 + void *dst2, size_t *dst2_len,
6311 + const void *src, size_t src_len)
6312 + {
6313 +- struct scatterlist sg_in[1], sg_out[3];
6314 ++ struct sg_table sg_in;
6315 ++ struct scatterlist sg_out[3], prealloc_sg;
6316 + struct crypto_blkcipher *tfm = ceph_crypto_alloc_cipher();
6317 + struct blkcipher_desc desc = { .tfm = tfm };
6318 + char pad[16];
6319 +@@ -270,17 +363,17 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
6320 + if (IS_ERR(tfm))
6321 + return PTR_ERR(tfm);
6322 +
6323 +- sg_init_table(sg_in, 1);
6324 +- sg_set_buf(sg_in, src, src_len);
6325 + sg_init_table(sg_out, 3);
6326 + sg_set_buf(&sg_out[0], dst1, *dst1_len);
6327 + sg_set_buf(&sg_out[1], dst2, *dst2_len);
6328 + sg_set_buf(&sg_out[2], pad, sizeof(pad));
6329 ++ ret = setup_sgtable(&sg_in, &prealloc_sg, src, src_len);
6330 ++ if (ret)
6331 ++ goto out_tfm;
6332 +
6333 + crypto_blkcipher_setkey((void *)tfm, key, key_len);
6334 + iv = crypto_blkcipher_crt(tfm)->iv;
6335 + ivsize = crypto_blkcipher_ivsize(tfm);
6336 +-
6337 + memcpy(iv, aes_iv, ivsize);
6338 +
6339 + /*
6340 +@@ -289,12 +382,10 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
6341 + print_hex_dump(KERN_ERR, "dec in: ", DUMP_PREFIX_NONE, 16, 1,
6342 + src, src_len, 1);
6343 + */
6344 +-
6345 +- ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in, src_len);
6346 +- crypto_free_blkcipher(tfm);
6347 ++ ret = crypto_blkcipher_decrypt(&desc, sg_out, sg_in.sgl, src_len);
6348 + if (ret < 0) {
6349 + pr_err("ceph_aes_decrypt failed %d\n", ret);
6350 +- return ret;
6351 ++ goto out_sg;
6352 + }
6353 +
6354 + if (src_len <= *dst1_len)
6355 +@@ -324,7 +415,11 @@ static int ceph_aes_decrypt2(const void *key, int key_len,
6356 + dst2, *dst2_len, 1);
6357 + */
6358 +
6359 +- return 0;
6360 ++out_sg:
6361 ++ teardown_sgtable(&sg_in);
6362 ++out_tfm:
6363 ++ crypto_free_blkcipher(tfm);
6364 ++ return ret;
6365 + }
6366 +
6367 +
6368 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
6369 +index 7827436ae843..330be870c1ef 100644
6370 +--- a/net/ipv4/ip_output.c
6371 ++++ b/net/ipv4/ip_output.c
6372 +@@ -1346,10 +1346,10 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
6373 + iph->ihl = 5;
6374 + iph->tos = inet->tos;
6375 + iph->frag_off = df;
6376 +- ip_select_ident(skb, sk);
6377 + iph->ttl = ttl;
6378 + iph->protocol = sk->sk_protocol;
6379 + ip_copy_addrs(iph, fl4);
6380 ++ ip_select_ident(skb, sk);
6381 +
6382 + if (opt) {
6383 + iph->ihl += opt->optlen>>2;
6384 +diff --git a/net/ipv6/Makefile b/net/ipv6/Makefile
6385 +index 686934acfac1..4b20d5606f6d 100644
6386 +--- a/net/ipv6/Makefile
6387 ++++ b/net/ipv6/Makefile
6388 +@@ -37,6 +37,6 @@ obj-$(CONFIG_NETFILTER) += netfilter/
6389 + obj-$(CONFIG_IPV6_SIT) += sit.o
6390 + obj-$(CONFIG_IPV6_TUNNEL) += ip6_tunnel.o
6391 +
6392 +-obj-y += addrconf_core.o exthdrs_core.o
6393 ++obj-y += addrconf_core.o exthdrs_core.o output_core.o
6394 +
6395 + obj-$(subst m,y,$(CONFIG_IPV6)) += inet6_hashtables.o
6396 +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
6397 +new file mode 100644
6398 +index 000000000000..a6126c62a9be
6399 +--- /dev/null
6400 ++++ b/net/ipv6/output_core.c
6401 +@@ -0,0 +1,38 @@
6402 ++#include <linux/export.h>
6403 ++#include <linux/skbuff.h>
6404 ++#include <net/ip.h>
6405 ++#include <net/ipv6.h>
6406 ++
6407 ++/* This function exists only for tap drivers that must support broken
6408 ++ * clients requesting UFO without specifying an IPv6 fragment ID.
6409 ++ *
6410 ++ * This is similar to ipv6_select_ident() but we use an independent hash
6411 ++ * seed to limit information leakage.
6412 ++ */
6413 ++void ipv6_proxy_select_ident(struct sk_buff *skb)
6414 ++{
6415 ++ static u32 ip6_proxy_idents_hashrnd __read_mostly;
6416 ++ static bool hashrnd_initialized = false;
6417 ++ struct in6_addr buf[2];
6418 ++ struct in6_addr *addrs;
6419 ++ u32 hash, id;
6420 ++
6421 ++ addrs = skb_header_pointer(skb,
6422 ++ skb_network_offset(skb) +
6423 ++ offsetof(struct ipv6hdr, saddr),
6424 ++ sizeof(buf), buf);
6425 ++ if (!addrs)
6426 ++ return;
6427 ++
6428 ++ if (unlikely(!hashrnd_initialized)) {
6429 ++ hashrnd_initialized = true;
6430 ++ get_random_bytes(&ip6_proxy_idents_hashrnd,
6431 ++ sizeof(ip6_proxy_idents_hashrnd));
6432 ++ }
6433 ++ hash = __ipv6_addr_jhash(&addrs[1], ip6_proxy_idents_hashrnd);
6434 ++ hash = __ipv6_addr_jhash(&addrs[0], hash);
6435 ++
6436 ++ id = ip_idents_reserve(hash, 1);
6437 ++ skb_shinfo(skb)->ip6_frag_id = htonl(id);
6438 ++}
6439 ++EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
6440 +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
6441 +index 95a04f02f30b..9f32756a302a 100644
6442 +--- a/net/mac80211/iface.c
6443 ++++ b/net/mac80211/iface.c
6444 +@@ -395,10 +395,12 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
6445 + u32 hw_reconf_flags = 0;
6446 + int i;
6447 + enum nl80211_channel_type orig_ct;
6448 ++ bool cancel_scan;
6449 +
6450 + clear_bit(SDATA_STATE_RUNNING, &sdata->state);
6451 +
6452 +- if (local->scan_sdata == sdata)
6453 ++ cancel_scan = local->scan_sdata == sdata;
6454 ++ if (cancel_scan)
6455 + ieee80211_scan_cancel(local);
6456 +
6457 + /*
6458 +@@ -562,6 +564,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
6459 +
6460 + ieee80211_recalc_ps(local, -1);
6461 +
6462 ++ if (cancel_scan)
6463 ++ flush_delayed_work(&local->scan_work);
6464 ++
6465 + if (local->open_count == 0) {
6466 + if (local->ops->napi_poll)
6467 + napi_disable(&local->napi);
6468 +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
6469 +index f5ed86388555..32929b07269f 100644
6470 +--- a/net/mac80211/rx.c
6471 ++++ b/net/mac80211/rx.c
6472 +@@ -1486,11 +1486,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
6473 + sc = le16_to_cpu(hdr->seq_ctrl);
6474 + frag = sc & IEEE80211_SCTL_FRAG;
6475 +
6476 +- if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
6477 +- is_multicast_ether_addr(hdr->addr1))) {
6478 +- /* not fragmented */
6479 ++ if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
6480 ++ goto out;
6481 ++
6482 ++ if (is_multicast_ether_addr(hdr->addr1)) {
6483 ++ rx->local->dot11MulticastReceivedFrameCount++;
6484 + goto out;
6485 + }
6486 ++
6487 + I802_DEBUG_INC(rx->local->rx_handlers_fragments);
6488 +
6489 + if (skb_linearize(rx->skb))
6490 +@@ -1583,10 +1586,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
6491 + out:
6492 + if (rx->sta)
6493 + rx->sta->rx_packets++;
6494 +- if (is_multicast_ether_addr(hdr->addr1))
6495 +- rx->local->dot11MulticastReceivedFrameCount++;
6496 +- else
6497 +- ieee80211_led_rx(rx->local);
6498 ++ ieee80211_led_rx(rx->local);
6499 + return RX_CONTINUE;
6500 + }
6501 +
6502 +diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
6503 +index c487715698ab..d96b7f6a3b44 100644
6504 +--- a/security/integrity/evm/evm_main.c
6505 ++++ b/security/integrity/evm/evm_main.c
6506 +@@ -282,9 +282,12 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
6507 + {
6508 + const struct evm_ima_xattr_data *xattr_data = xattr_value;
6509 +
6510 +- if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
6511 +- && (xattr_data->type == EVM_XATTR_HMAC))
6512 +- return -EPERM;
6513 ++ if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
6514 ++ if (!xattr_value_len)
6515 ++ return -EINVAL;
6516 ++ if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
6517 ++ return -EPERM;
6518 ++ }
6519 + return evm_protect_xattr(dentry, xattr_name, xattr_value,
6520 + xattr_value_len);
6521 + }
6522 +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
6523 +index 639e5c4028ff..cbae6d392087 100644
6524 +--- a/security/selinux/hooks.c
6525 ++++ b/security/selinux/hooks.c
6526 +@@ -436,6 +436,7 @@ next_inode:
6527 + list_entry(sbsec->isec_head.next,
6528 + struct inode_security_struct, list);
6529 + struct inode *inode = isec->inode;
6530 ++ list_del_init(&isec->list);
6531 + spin_unlock(&sbsec->isec_lock);
6532 + inode = igrab(inode);
6533 + if (inode) {
6534 +@@ -444,7 +445,6 @@ next_inode:
6535 + iput(inode);
6536 + }
6537 + spin_lock(&sbsec->isec_lock);
6538 +- list_del_init(&isec->list);
6539 + goto next_inode;
6540 + }
6541 + spin_unlock(&sbsec->isec_lock);
6542 +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
6543 +index 91cdf9435fec..4dbb66ef435d 100644
6544 +--- a/sound/core/pcm_compat.c
6545 ++++ b/sound/core/pcm_compat.c
6546 +@@ -204,6 +204,8 @@ static int snd_pcm_status_user_compat(struct snd_pcm_substream *substream,
6547 + if (err < 0)
6548 + return err;
6549 +
6550 ++ if (clear_user(src, sizeof(*src)))
6551 ++ return -EFAULT;
6552 + if (put_user(status.state, &src->state) ||
6553 + put_user(status.trigger_tstamp.tv_sec, &src->trigger_tstamp.tv_sec) ||
6554 + put_user(status.trigger_tstamp.tv_nsec, &src->trigger_tstamp.tv_nsec) ||
6555 +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
6556 +index d776291d09a0..3a907935fa09 100644
6557 +--- a/sound/core/pcm_native.c
6558 ++++ b/sound/core/pcm_native.c
6559 +@@ -3171,7 +3171,7 @@ static const struct vm_operations_struct snd_pcm_vm_ops_data_fault = {
6560 +
6561 + #ifndef ARCH_HAS_DMA_MMAP_COHERENT
6562 + /* This should be defined / handled globally! */
6563 +-#ifdef CONFIG_ARM
6564 ++#if defined(CONFIG_ARM) || defined(CONFIG_ARM64)
6565 + #define ARCH_HAS_DMA_MMAP_COHERENT
6566 + #endif
6567 + #endif
6568 +diff --git a/sound/pci/emu10k1/emu10k1_callback.c b/sound/pci/emu10k1/emu10k1_callback.c
6569 +index a0afa5057488..f35284be7b02 100644
6570 +--- a/sound/pci/emu10k1/emu10k1_callback.c
6571 ++++ b/sound/pci/emu10k1/emu10k1_callback.c
6572 +@@ -85,6 +85,8 @@ snd_emu10k1_ops_setup(struct snd_emux *emux)
6573 + * get more voice for pcm
6574 + *
6575 + * terminate most inactive voice and give it as a pcm voice.
6576 ++ *
6577 ++ * voice_lock is already held.
6578 + */
6579 + int
6580 + snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw)
6581 +@@ -92,12 +94,10 @@ snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw)
6582 + struct snd_emux *emu;
6583 + struct snd_emux_voice *vp;
6584 + struct best_voice best[V_END];
6585 +- unsigned long flags;
6586 + int i;
6587 +
6588 + emu = hw->synth;
6589 +
6590 +- spin_lock_irqsave(&emu->voice_lock, flags);
6591 + lookup_voices(emu, hw, best, 1); /* no OFF voices */
6592 + for (i = 0; i < V_END; i++) {
6593 + if (best[i].voice >= 0) {
6594 +@@ -113,11 +113,9 @@ snd_emu10k1_synth_get_voice(struct snd_emu10k1 *hw)
6595 + vp->emu->num_voices--;
6596 + vp->ch = -1;
6597 + vp->state = SNDRV_EMUX_ST_OFF;
6598 +- spin_unlock_irqrestore(&emu->voice_lock, flags);
6599 + return ch;
6600 + }
6601 + }
6602 +- spin_unlock_irqrestore(&emu->voice_lock, flags);
6603 +
6604 + /* not found */
6605 + return -ENOMEM;
6606 +diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
6607 +index f0b8d8e38f71..c40b7ca7a143 100644
6608 +--- a/sound/soc/codecs/sgtl5000.c
6609 ++++ b/sound/soc/codecs/sgtl5000.c
6610 +@@ -1313,8 +1313,7 @@ static int sgtl5000_probe(struct snd_soc_codec *codec)
6611 +
6612 + /* enable small pop, introduce 400ms delay in turning off */
6613 + snd_soc_update_bits(codec, SGTL5000_CHIP_REF_CTRL,
6614 +- SGTL5000_SMALL_POP,
6615 +- SGTL5000_SMALL_POP);
6616 ++ SGTL5000_SMALL_POP, 1);
6617 +
6618 + /* disable short cut detector */
6619 + snd_soc_write(codec, SGTL5000_CHIP_SHORT_CTRL, 0);
6620 +diff --git a/sound/soc/codecs/sgtl5000.h b/sound/soc/codecs/sgtl5000.h
6621 +index d3a68bbfea00..0bd6e1cd8200 100644
6622 +--- a/sound/soc/codecs/sgtl5000.h
6623 ++++ b/sound/soc/codecs/sgtl5000.h
6624 +@@ -275,7 +275,7 @@
6625 + #define SGTL5000_BIAS_CTRL_MASK 0x000e
6626 + #define SGTL5000_BIAS_CTRL_SHIFT 1
6627 + #define SGTL5000_BIAS_CTRL_WIDTH 3
6628 +-#define SGTL5000_SMALL_POP 0x0001
6629 ++#define SGTL5000_SMALL_POP 0
6630 +
6631 + /*
6632 + * SGTL5000_CHIP_MIC_CTRL
6633 +diff --git a/sound/soc/sh/fsi.c b/sound/soc/sh/fsi.c
6634 +index 91b728774dba..eb0599f29768 100644
6635 +--- a/sound/soc/sh/fsi.c
6636 ++++ b/sound/soc/sh/fsi.c
6637 +@@ -1393,8 +1393,7 @@ static const struct snd_soc_dai_ops fsi_dai_ops = {
6638 + static struct snd_pcm_hardware fsi_pcm_hardware = {
6639 + .info = SNDRV_PCM_INFO_INTERLEAVED |
6640 + SNDRV_PCM_INFO_MMAP |
6641 +- SNDRV_PCM_INFO_MMAP_VALID |
6642 +- SNDRV_PCM_INFO_PAUSE,
6643 ++ SNDRV_PCM_INFO_MMAP_VALID,
6644 + .formats = FSI_FMTS,
6645 + .rates = FSI_RATES,
6646 + .rate_min = 8000,
6647 +diff --git a/sound/usb/card.c b/sound/usb/card.c
6648 +index 658ea1118a8e..43fca5231628 100644
6649 +--- a/sound/usb/card.c
6650 ++++ b/sound/usb/card.c
6651 +@@ -568,18 +568,19 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
6652 + {
6653 + struct snd_card *card;
6654 + struct list_head *p;
6655 ++ bool was_shutdown;
6656 +
6657 + if (chip == (void *)-1L)
6658 + return;
6659 +
6660 + card = chip->card;
6661 + down_write(&chip->shutdown_rwsem);
6662 ++ was_shutdown = chip->shutdown;
6663 + chip->shutdown = 1;
6664 + up_write(&chip->shutdown_rwsem);
6665 +
6666 + mutex_lock(&register_mutex);
6667 +- chip->num_interfaces--;
6668 +- if (chip->num_interfaces <= 0) {
6669 ++ if (!was_shutdown) {
6670 + snd_card_disconnect(card);
6671 + /* release the pcm resources */
6672 + list_for_each(p, &chip->pcm_list) {
6673 +@@ -593,6 +594,10 @@ static void snd_usb_audio_disconnect(struct usb_device *dev,
6674 + list_for_each(p, &chip->mixer_list) {
6675 + snd_usb_mixer_disconnect(p);
6676 + }
6677 ++ }
6678 ++
6679 ++ chip->num_interfaces--;
6680 ++ if (chip->num_interfaces <= 0) {
6681 + usb_chip[chip->index] = NULL;
6682 + mutex_unlock(&register_mutex);
6683 + snd_card_free_when_closed(card);
6684 +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
6685 +index 915bc2cf73d9..5ef357983d92 100644
6686 +--- a/sound/usb/quirks-table.h
6687 ++++ b/sound/usb/quirks-table.h
6688 +@@ -301,6 +301,36 @@ YAMAHA_DEVICE(0x105d, NULL),
6689 + }
6690 + }
6691 + },
6692 ++{
6693 ++ USB_DEVICE(0x0499, 0x1509),
6694 ++ .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
6695 ++ /* .vendor_name = "Yamaha", */
6696 ++ /* .product_name = "Steinberg UR22", */
6697 ++ .ifnum = QUIRK_ANY_INTERFACE,
6698 ++ .type = QUIRK_COMPOSITE,
6699 ++ .data = (const struct snd_usb_audio_quirk[]) {
6700 ++ {
6701 ++ .ifnum = 1,
6702 ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE
6703 ++ },
6704 ++ {
6705 ++ .ifnum = 2,
6706 ++ .type = QUIRK_AUDIO_STANDARD_INTERFACE
6707 ++ },
6708 ++ {
6709 ++ .ifnum = 3,
6710 ++ .type = QUIRK_MIDI_YAMAHA
6711 ++ },
6712 ++ {
6713 ++ .ifnum = 4,
6714 ++ .type = QUIRK_IGNORE_INTERFACE
6715 ++ },
6716 ++ {
6717 ++ .ifnum = -1
6718 ++ }
6719 ++ }
6720 ++ }
6721 ++},
6722 + YAMAHA_DEVICE(0x2000, "DGP-7"),
6723 + YAMAHA_DEVICE(0x2001, "DGP-5"),
6724 + YAMAHA_DEVICE(0x2002, NULL),
6725 +diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c
6726 +index defc9baa9a45..3225903ec91b 100644
6727 +--- a/virt/kvm/iommu.c
6728 ++++ b/virt/kvm/iommu.c
6729 +@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct kvm *kvm,
6730 + gfn_t base_gfn, unsigned long npages);
6731 +
6732 + static pfn_t kvm_pin_pages(struct kvm *kvm, struct kvm_memory_slot *slot,
6733 +- gfn_t gfn, unsigned long size)
6734 ++ gfn_t gfn, unsigned long npages)
6735 + {
6736 + gfn_t end_gfn;
6737 + pfn_t pfn;
6738 +
6739 + pfn = gfn_to_pfn_memslot(kvm, slot, gfn);
6740 +- end_gfn = gfn + (size >> PAGE_SHIFT);
6741 ++ end_gfn = gfn + npages;
6742 + gfn += 1;
6743 +
6744 + if (is_error_pfn(pfn))
6745 +@@ -117,7 +117,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
6746 + * Pin all pages we are about to map in memory. This is
6747 + * important because we unmap and unpin in 4kb steps later.
6748 + */
6749 +- pfn = kvm_pin_pages(kvm, slot, gfn, page_size);
6750 ++ pfn = kvm_pin_pages(kvm, slot, gfn, page_size >> PAGE_SHIFT);
6751 + if (is_error_pfn(pfn)) {
6752 + gfn += 1;
6753 + continue;
6754 +@@ -129,7 +129,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot)
6755 + if (r) {
6756 + printk(KERN_ERR "kvm_iommu_map_address:"
6757 + "iommu failed to map pfn=%llx\n", pfn);
6758 +- kvm_unpin_pages(kvm, pfn, page_size);
6759 ++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
6760 + goto unmap_pages;
6761 + }
6762 +
6763 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
6764 +index bc5ed1412382..f4732bd2816c 100644
6765 +--- a/virt/kvm/kvm_main.c
6766 ++++ b/virt/kvm/kvm_main.c
6767 +@@ -52,6 +52,7 @@
6768 +
6769 + #include <asm/processor.h>
6770 + #include <asm/io.h>
6771 ++#include <asm/ioctl.h>
6772 + #include <asm/uaccess.h>
6773 + #include <asm/pgtable.h>
6774 +
6775 +@@ -1744,6 +1745,9 @@ static long kvm_vcpu_ioctl(struct file *filp,
6776 + if (vcpu->kvm->mm != current->mm)
6777 + return -EIO;
6778 +
6779 ++ if (unlikely(_IOC_TYPE(ioctl) != KVMIO))
6780 ++ return -EINVAL;
6781 ++
6782 + #if defined(CONFIG_S390) || defined(CONFIG_PPC)
6783 + /*
6784 + * Special cases: vcpu ioctls that are asynchronous to vcpu execution,
Report Message
Find on MARC Find on Google Groups