Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Wed, 21 Nov 2018 15:02:39
Message-Id: 1542812488.86bc6e325e814eac0e799c3cd77384a5a6469ecd.mpagano@gentoo
1 commit: 86bc6e325e814eac0e799c3cd77384a5a6469ecd
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Sep 9 23:25:58 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 21 15:01:28 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=86bc6e32
7
8 Linux patch 4.4.155
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1154_linux-4.4.155.patch | 1862 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1866 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 5a367b5..6b63ef8 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -659,6 +659,10 @@ Patch: 1153_linux-4.4.154.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.4.154
23
24 +Patch: 1154_linux-4.4.155.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.4.155
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1154_linux-4.4.155.patch b/1154_linux-4.4.155.patch
33 new file mode 100644
34 index 0000000..0e4fe23
35 --- /dev/null
36 +++ b/1154_linux-4.4.155.patch
37 @@ -0,0 +1,1862 @@
38 +diff --git a/Makefile b/Makefile
39 +index b184286cf7e6..2d9f89ec8397 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 4
45 +-SUBLEVEL = 154
46 ++SUBLEVEL = 155
47 + EXTRAVERSION =
48 + NAME = Blurry Fish Butt
49 +
50 +diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c
51 +index 63f06a2b1f7f..bbc7cb9faa01 100644
52 +--- a/arch/alpha/kernel/osf_sys.c
53 ++++ b/arch/alpha/kernel/osf_sys.c
54 +@@ -526,24 +526,19 @@ SYSCALL_DEFINE4(osf_mount, unsigned long, typenr, const char __user *, path,
55 + SYSCALL_DEFINE1(osf_utsname, char __user *, name)
56 + {
57 + int error;
58 ++ char tmp[5 * 32];
59 +
60 + down_read(&uts_sem);
61 +- error = -EFAULT;
62 +- if (copy_to_user(name + 0, utsname()->sysname, 32))
63 +- goto out;
64 +- if (copy_to_user(name + 32, utsname()->nodename, 32))
65 +- goto out;
66 +- if (copy_to_user(name + 64, utsname()->release, 32))
67 +- goto out;
68 +- if (copy_to_user(name + 96, utsname()->version, 32))
69 +- goto out;
70 +- if (copy_to_user(name + 128, utsname()->machine, 32))
71 +- goto out;
72 ++ memcpy(tmp + 0 * 32, utsname()->sysname, 32);
73 ++ memcpy(tmp + 1 * 32, utsname()->nodename, 32);
74 ++ memcpy(tmp + 2 * 32, utsname()->release, 32);
75 ++ memcpy(tmp + 3 * 32, utsname()->version, 32);
76 ++ memcpy(tmp + 4 * 32, utsname()->machine, 32);
77 ++ up_read(&uts_sem);
78 +
79 +- error = 0;
80 +- out:
81 +- up_read(&uts_sem);
82 +- return error;
83 ++ if (copy_to_user(name, tmp, sizeof(tmp)))
84 ++ return -EFAULT;
85 ++ return 0;
86 + }
87 +
88 + SYSCALL_DEFINE0(getpagesize)
89 +@@ -561,24 +556,22 @@ SYSCALL_DEFINE0(getdtablesize)
90 + */
91 + SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
92 + {
93 +- unsigned len;
94 +- int i;
95 ++ int len, err = 0;
96 ++ char *kname;
97 ++ char tmp[32];
98 +
99 +- if (!access_ok(VERIFY_WRITE, name, namelen))
100 +- return -EFAULT;
101 +-
102 +- len = namelen;
103 +- if (len > 32)
104 +- len = 32;
105 ++ if (namelen < 0 || namelen > 32)
106 ++ namelen = 32;
107 +
108 + down_read(&uts_sem);
109 +- for (i = 0; i < len; ++i) {
110 +- __put_user(utsname()->domainname[i], name + i);
111 +- if (utsname()->domainname[i] == '\0')
112 +- break;
113 +- }
114 ++ kname = utsname()->domainname;
115 ++ len = strnlen(kname, namelen);
116 ++ len = min(len + 1, namelen);
117 ++ memcpy(tmp, kname, len);
118 + up_read(&uts_sem);
119 +
120 ++ if (copy_to_user(name, tmp, len))
121 ++ return -EFAULT;
122 + return 0;
123 + }
124 +
125 +@@ -741,13 +734,14 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
126 + };
127 + unsigned long offset;
128 + const char *res;
129 +- long len, err = -EINVAL;
130 ++ long len;
131 ++ char tmp[__NEW_UTS_LEN + 1];
132 +
133 + offset = command-1;
134 + if (offset >= ARRAY_SIZE(sysinfo_table)) {
135 + /* Digital UNIX has a few unpublished interfaces here */
136 + printk("sysinfo(%d)", command);
137 +- goto out;
138 ++ return -EINVAL;
139 + }
140 +
141 + down_read(&uts_sem);
142 +@@ -755,13 +749,11 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
143 + len = strlen(res)+1;
144 + if ((unsigned long)len > (unsigned long)count)
145 + len = count;
146 +- if (copy_to_user(buf, res, len))
147 +- err = -EFAULT;
148 +- else
149 +- err = 0;
150 ++ memcpy(tmp, res, len);
151 + up_read(&uts_sem);
152 +- out:
153 +- return err;
154 ++ if (copy_to_user(buf, tmp, len))
155 ++ return -EFAULT;
156 ++ return 0;
157 + }
158 +
159 + SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
160 +diff --git a/arch/arm/boot/dts/tegra30-cardhu.dtsi b/arch/arm/boot/dts/tegra30-cardhu.dtsi
161 +index bb1ca158273c..1922e7a93e40 100644
162 +--- a/arch/arm/boot/dts/tegra30-cardhu.dtsi
163 ++++ b/arch/arm/boot/dts/tegra30-cardhu.dtsi
164 +@@ -201,6 +201,7 @@
165 + #address-cells = <1>;
166 + #size-cells = <0>;
167 + reg = <0x70>;
168 ++ reset-gpio = <&gpio TEGRA_GPIO(BB, 0) GPIO_ACTIVE_LOW>;
169 + };
170 + };
171 +
172 +diff --git a/arch/powerpc/include/asm/fadump.h b/arch/powerpc/include/asm/fadump.h
173 +index 493e72f64b35..5768ec3c1781 100644
174 +--- a/arch/powerpc/include/asm/fadump.h
175 ++++ b/arch/powerpc/include/asm/fadump.h
176 +@@ -194,9 +194,6 @@ struct fadump_crash_info_header {
177 + struct cpumask cpu_online_mask;
178 + };
179 +
180 +-/* Crash memory ranges */
181 +-#define INIT_CRASHMEM_RANGES (INIT_MEMBLOCK_REGIONS + 2)
182 +-
183 + struct fad_crash_memory_ranges {
184 + unsigned long long base;
185 + unsigned long long size;
186 +diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
187 +index 791d4c3329c3..c3c835290131 100644
188 +--- a/arch/powerpc/kernel/fadump.c
189 ++++ b/arch/powerpc/kernel/fadump.c
190 +@@ -35,6 +35,7 @@
191 + #include <linux/crash_dump.h>
192 + #include <linux/kobject.h>
193 + #include <linux/sysfs.h>
194 ++#include <linux/slab.h>
195 +
196 + #include <asm/page.h>
197 + #include <asm/prom.h>
198 +@@ -48,8 +49,10 @@ static struct fadump_mem_struct fdm;
199 + static const struct fadump_mem_struct *fdm_active;
200 +
201 + static DEFINE_MUTEX(fadump_mutex);
202 +-struct fad_crash_memory_ranges crash_memory_ranges[INIT_CRASHMEM_RANGES];
203 ++struct fad_crash_memory_ranges *crash_memory_ranges;
204 ++int crash_memory_ranges_size;
205 + int crash_mem_ranges;
206 ++int max_crash_mem_ranges;
207 +
208 + /* Scan the Firmware Assisted dump configuration details. */
209 + int __init early_init_dt_scan_fw_dump(unsigned long node,
210 +@@ -726,38 +729,88 @@ static int __init process_fadump(const struct fadump_mem_struct *fdm_active)
211 + return 0;
212 + }
213 +
214 +-static inline void fadump_add_crash_memory(unsigned long long base,
215 +- unsigned long long end)
216 ++static void free_crash_memory_ranges(void)
217 ++{
218 ++ kfree(crash_memory_ranges);
219 ++ crash_memory_ranges = NULL;
220 ++ crash_memory_ranges_size = 0;
221 ++ max_crash_mem_ranges = 0;
222 ++}
223 ++
224 ++/*
225 ++ * Allocate or reallocate crash memory ranges array in incremental units
226 ++ * of PAGE_SIZE.
227 ++ */
228 ++static int allocate_crash_memory_ranges(void)
229 ++{
230 ++ struct fad_crash_memory_ranges *new_array;
231 ++ u64 new_size;
232 ++
233 ++ new_size = crash_memory_ranges_size + PAGE_SIZE;
234 ++ pr_debug("Allocating %llu bytes of memory for crash memory ranges\n",
235 ++ new_size);
236 ++
237 ++ new_array = krealloc(crash_memory_ranges, new_size, GFP_KERNEL);
238 ++ if (new_array == NULL) {
239 ++ pr_err("Insufficient memory for setting up crash memory ranges\n");
240 ++ free_crash_memory_ranges();
241 ++ return -ENOMEM;
242 ++ }
243 ++
244 ++ crash_memory_ranges = new_array;
245 ++ crash_memory_ranges_size = new_size;
246 ++ max_crash_mem_ranges = (new_size /
247 ++ sizeof(struct fad_crash_memory_ranges));
248 ++ return 0;
249 ++}
250 ++
251 ++static inline int fadump_add_crash_memory(unsigned long long base,
252 ++ unsigned long long end)
253 + {
254 + if (base == end)
255 +- return;
256 ++ return 0;
257 ++
258 ++ if (crash_mem_ranges == max_crash_mem_ranges) {
259 ++ int ret;
260 ++
261 ++ ret = allocate_crash_memory_ranges();
262 ++ if (ret)
263 ++ return ret;
264 ++ }
265 +
266 + pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n",
267 + crash_mem_ranges, base, end - 1, (end - base));
268 + crash_memory_ranges[crash_mem_ranges].base = base;
269 + crash_memory_ranges[crash_mem_ranges].size = end - base;
270 + crash_mem_ranges++;
271 ++ return 0;
272 + }
273 +
274 +-static void fadump_exclude_reserved_area(unsigned long long start,
275 ++static int fadump_exclude_reserved_area(unsigned long long start,
276 + unsigned long long end)
277 + {
278 + unsigned long long ra_start, ra_end;
279 ++ int ret = 0;
280 +
281 + ra_start = fw_dump.reserve_dump_area_start;
282 + ra_end = ra_start + fw_dump.reserve_dump_area_size;
283 +
284 + if ((ra_start < end) && (ra_end > start)) {
285 + if ((start < ra_start) && (end > ra_end)) {
286 +- fadump_add_crash_memory(start, ra_start);
287 +- fadump_add_crash_memory(ra_end, end);
288 ++ ret = fadump_add_crash_memory(start, ra_start);
289 ++ if (ret)
290 ++ return ret;
291 ++
292 ++ ret = fadump_add_crash_memory(ra_end, end);
293 + } else if (start < ra_start) {
294 +- fadump_add_crash_memory(start, ra_start);
295 ++ ret = fadump_add_crash_memory(start, ra_start);
296 + } else if (ra_end < end) {
297 +- fadump_add_crash_memory(ra_end, end);
298 ++ ret = fadump_add_crash_memory(ra_end, end);
299 + }
300 + } else
301 +- fadump_add_crash_memory(start, end);
302 ++ ret = fadump_add_crash_memory(start, end);
303 ++
304 ++ return ret;
305 + }
306 +
307 + static int fadump_init_elfcore_header(char *bufp)
308 +@@ -793,10 +846,11 @@ static int fadump_init_elfcore_header(char *bufp)
309 + * Traverse through memblock structure and setup crash memory ranges. These
310 + * ranges will be used create PT_LOAD program headers in elfcore header.
311 + */
312 +-static void fadump_setup_crash_memory_ranges(void)
313 ++static int fadump_setup_crash_memory_ranges(void)
314 + {
315 + struct memblock_region *reg;
316 + unsigned long long start, end;
317 ++ int ret;
318 +
319 + pr_debug("Setup crash memory ranges.\n");
320 + crash_mem_ranges = 0;
321 +@@ -807,7 +861,9 @@ static void fadump_setup_crash_memory_ranges(void)
322 + * specified during fadump registration. We need to create a separate
323 + * program header for this chunk with the correct offset.
324 + */
325 +- fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
326 ++ ret = fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
327 ++ if (ret)
328 ++ return ret;
329 +
330 + for_each_memblock(memory, reg) {
331 + start = (unsigned long long)reg->base;
332 +@@ -816,8 +872,12 @@ static void fadump_setup_crash_memory_ranges(void)
333 + start = fw_dump.boot_memory_size;
334 +
335 + /* add this range excluding the reserved dump area. */
336 +- fadump_exclude_reserved_area(start, end);
337 ++ ret = fadump_exclude_reserved_area(start, end);
338 ++ if (ret)
339 ++ return ret;
340 + }
341 ++
342 ++ return 0;
343 + }
344 +
345 + /*
346 +@@ -941,6 +1001,7 @@ static void register_fadump(void)
347 + {
348 + unsigned long addr;
349 + void *vaddr;
350 ++ int ret;
351 +
352 + /*
353 + * If no memory is reserved then we can not register for firmware-
354 +@@ -949,7 +1010,9 @@ static void register_fadump(void)
355 + if (!fw_dump.reserve_dump_area_size)
356 + return;
357 +
358 +- fadump_setup_crash_memory_ranges();
359 ++ ret = fadump_setup_crash_memory_ranges();
360 ++ if (ret)
361 ++ return ret;
362 +
363 + addr = be64_to_cpu(fdm.rmr_region.destination_address) + be64_to_cpu(fdm.rmr_region.source_len);
364 + /* Initialize fadump crash info header. */
365 +@@ -1028,6 +1091,7 @@ void fadump_cleanup(void)
366 + } else if (fw_dump.dump_registered) {
367 + /* Un-register Firmware-assisted dump if it was registered. */
368 + fadump_unregister_dump(&fdm);
369 ++ free_crash_memory_ranges();
370 + }
371 + }
372 +
373 +diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c
374 +index 3b6647e574b6..f5313a78e5d6 100644
375 +--- a/arch/powerpc/platforms/pseries/ras.c
376 ++++ b/arch/powerpc/platforms/pseries/ras.c
377 +@@ -300,7 +300,7 @@ static struct rtas_error_log *fwnmi_get_errinfo(struct pt_regs *regs)
378 + }
379 +
380 + savep = __va(regs->gpr[3]);
381 +- regs->gpr[3] = savep[0]; /* restore original r3 */
382 ++ regs->gpr[3] = be64_to_cpu(savep[0]); /* restore original r3 */
383 +
384 + /* If it isn't an extended log we can use the per cpu 64bit buffer */
385 + h = (struct rtas_error_log *)&savep[1];
386 +diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
387 +index 646988d4c1a3..740f43b9b541 100644
388 +--- a/arch/sparc/kernel/sys_sparc_32.c
389 ++++ b/arch/sparc/kernel/sys_sparc_32.c
390 +@@ -201,23 +201,27 @@ SYSCALL_DEFINE5(rt_sigaction, int, sig,
391 +
392 + asmlinkage long sys_getdomainname(char __user *name, int len)
393 + {
394 +- int nlen, err;
395 +-
396 ++ int nlen, err;
397 ++ char tmp[__NEW_UTS_LEN + 1];
398 ++
399 + if (len < 0)
400 + return -EINVAL;
401 +
402 +- down_read(&uts_sem);
403 +-
404 ++ down_read(&uts_sem);
405 ++
406 + nlen = strlen(utsname()->domainname) + 1;
407 + err = -EINVAL;
408 + if (nlen > len)
409 +- goto out;
410 ++ goto out_unlock;
411 ++ memcpy(tmp, utsname()->domainname, nlen);
412 +
413 +- err = -EFAULT;
414 +- if (!copy_to_user(name, utsname()->domainname, nlen))
415 +- err = 0;
416 ++ up_read(&uts_sem);
417 +
418 +-out:
419 ++ if (copy_to_user(name, tmp, nlen))
420 ++ return -EFAULT;
421 ++ return 0;
422 ++
423 ++out_unlock:
424 + up_read(&uts_sem);
425 + return err;
426 + }
427 +diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c
428 +index 7f0f7c01b297..f63cd2ea8470 100644
429 +--- a/arch/sparc/kernel/sys_sparc_64.c
430 ++++ b/arch/sparc/kernel/sys_sparc_64.c
431 +@@ -524,23 +524,27 @@ extern void check_pending(int signum);
432 +
433 + SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
434 + {
435 +- int nlen, err;
436 ++ int nlen, err;
437 ++ char tmp[__NEW_UTS_LEN + 1];
438 +
439 + if (len < 0)
440 + return -EINVAL;
441 +
442 +- down_read(&uts_sem);
443 +-
444 ++ down_read(&uts_sem);
445 ++
446 + nlen = strlen(utsname()->domainname) + 1;
447 + err = -EINVAL;
448 + if (nlen > len)
449 +- goto out;
450 ++ goto out_unlock;
451 ++ memcpy(tmp, utsname()->domainname, nlen);
452 ++
453 ++ up_read(&uts_sem);
454 +
455 +- err = -EFAULT;
456 +- if (!copy_to_user(name, utsname()->domainname, nlen))
457 +- err = 0;
458 ++ if (copy_to_user(name, tmp, nlen))
459 ++ return -EFAULT;
460 ++ return 0;
461 +
462 +-out:
463 ++out_unlock:
464 + up_read(&uts_sem);
465 + return err;
466 + }
467 +diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h
468 +index 9016b4b70375..6c5020163db0 100644
469 +--- a/arch/x86/include/asm/io.h
470 ++++ b/arch/x86/include/asm/io.h
471 +@@ -351,4 +351,10 @@ extern void arch_phys_wc_del(int handle);
472 + #define arch_phys_wc_add arch_phys_wc_add
473 + #endif
474 +
475 ++#ifdef CONFIG_X86_PAT
476 ++extern int arch_io_reserve_memtype_wc(resource_size_t start, resource_size_t size);
477 ++extern void arch_io_free_memtype_wc(resource_size_t start, resource_size_t size);
478 ++#define arch_io_reserve_memtype_wc arch_io_reserve_memtype_wc
479 ++#endif
480 ++
481 + #endif /* _ASM_X86_IO_H */
482 +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
483 +index 1007fa80f5a6..0e1dd7d47f05 100644
484 +--- a/arch/x86/mm/pageattr.c
485 ++++ b/arch/x86/mm/pageattr.c
486 +@@ -1079,7 +1079,7 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
487 + * Map everything starting from the Gb boundary, possibly with 1G pages
488 + */
489 + while (end - start >= PUD_SIZE) {
490 +- set_pud(pud, pud_mkhuge(pfn_pud(cpa->pfn,
491 ++ set_pud(pud, pud_mkhuge(pfn_pud(cpa->pfn >> PAGE_SHIFT,
492 + canon_pgprot(pud_pgprot))));
493 +
494 + start += PUD_SIZE;
495 +diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
496 +index 3146b1da6d72..5ff0cb74de55 100644
497 +--- a/arch/x86/mm/pat.c
498 ++++ b/arch/x86/mm/pat.c
499 +@@ -726,6 +726,20 @@ void io_free_memtype(resource_size_t start, resource_size_t end)
500 + free_memtype(start, end);
501 + }
502 +
503 ++int arch_io_reserve_memtype_wc(resource_size_t start, resource_size_t size)
504 ++{
505 ++ enum page_cache_mode type = _PAGE_CACHE_MODE_WC;
506 ++
507 ++ return io_reserve_memtype(start, start + size, &type);
508 ++}
509 ++EXPORT_SYMBOL(arch_io_reserve_memtype_wc);
510 ++
511 ++void arch_io_free_memtype_wc(resource_size_t start, resource_size_t size)
512 ++{
513 ++ io_free_memtype(start, start + size);
514 ++}
515 ++EXPORT_SYMBOL(arch_io_free_memtype_wc);
516 ++
517 + pgprot_t phys_mem_access_prot(struct file *file, unsigned long pfn,
518 + unsigned long size, pgprot_t vma_prot)
519 + {
520 +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
521 +index 73628c7599e7..3aca9a9011fb 100644
522 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
523 ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
524 +@@ -492,6 +492,10 @@ void amdgpu_bo_force_delete(struct amdgpu_device *adev)
525 +
526 + int amdgpu_bo_init(struct amdgpu_device *adev)
527 + {
528 ++ /* reserve PAT memory space to WC for VRAM */
529 ++ arch_io_reserve_memtype_wc(adev->mc.aper_base,
530 ++ adev->mc.aper_size);
531 ++
532 + /* Add an MTRR for the VRAM */
533 + adev->mc.vram_mtrr = arch_phys_wc_add(adev->mc.aper_base,
534 + adev->mc.aper_size);
535 +@@ -507,6 +511,7 @@ void amdgpu_bo_fini(struct amdgpu_device *adev)
536 + {
537 + amdgpu_ttm_fini(adev);
538 + arch_phys_wc_del(adev->mc.vram_mtrr);
539 ++ arch_io_free_memtype_wc(adev->mc.aper_base, adev->mc.aper_size);
540 + }
541 +
542 + int amdgpu_bo_fbdev_mmap(struct amdgpu_bo *bo,
543 +diff --git a/drivers/gpu/drm/ast/ast_ttm.c b/drivers/gpu/drm/ast/ast_ttm.c
544 +index 08f82eae6939..ac12f74e6b32 100644
545 +--- a/drivers/gpu/drm/ast/ast_ttm.c
546 ++++ b/drivers/gpu/drm/ast/ast_ttm.c
547 +@@ -275,6 +275,8 @@ int ast_mm_init(struct ast_private *ast)
548 + return ret;
549 + }
550 +
551 ++ arch_io_reserve_memtype_wc(pci_resource_start(dev->pdev, 0),
552 ++ pci_resource_len(dev->pdev, 0));
553 + ast->fb_mtrr = arch_phys_wc_add(pci_resource_start(dev->pdev, 0),
554 + pci_resource_len(dev->pdev, 0));
555 +
556 +@@ -283,11 +285,15 @@ int ast_mm_init(struct ast_private *ast)
557 +
558 + void ast_mm_fini(struct ast_private *ast)
559 + {
560 ++ struct drm_device *dev = ast->dev;
561 ++
562 + ttm_bo_device_release(&ast->ttm.bdev);
563 +
564 + ast_ttm_global_release(ast);
565 +
566 + arch_phys_wc_del(ast->fb_mtrr);
567 ++ arch_io_free_memtype_wc(pci_resource_start(dev->pdev, 0),
568 ++ pci_resource_len(dev->pdev, 0));
569 + }
570 +
571 + void ast_ttm_placement(struct ast_bo *bo, int domain)
572 +diff --git a/drivers/gpu/drm/cirrus/cirrus_ttm.c b/drivers/gpu/drm/cirrus/cirrus_ttm.c
573 +index dfffd528517a..393967025043 100644
574 +--- a/drivers/gpu/drm/cirrus/cirrus_ttm.c
575 ++++ b/drivers/gpu/drm/cirrus/cirrus_ttm.c
576 +@@ -275,6 +275,9 @@ int cirrus_mm_init(struct cirrus_device *cirrus)
577 + return ret;
578 + }
579 +
580 ++ arch_io_reserve_memtype_wc(pci_resource_start(dev->pdev, 0),
581 ++ pci_resource_len(dev->pdev, 0));
582 ++
583 + cirrus->fb_mtrr = arch_phys_wc_add(pci_resource_start(dev->pdev, 0),
584 + pci_resource_len(dev->pdev, 0));
585 +
586 +@@ -284,6 +287,8 @@ int cirrus_mm_init(struct cirrus_device *cirrus)
587 +
588 + void cirrus_mm_fini(struct cirrus_device *cirrus)
589 + {
590 ++ struct drm_device *dev = cirrus->dev;
591 ++
592 + if (!cirrus->mm_inited)
593 + return;
594 +
595 +@@ -293,6 +298,8 @@ void cirrus_mm_fini(struct cirrus_device *cirrus)
596 +
597 + arch_phys_wc_del(cirrus->fb_mtrr);
598 + cirrus->fb_mtrr = 0;
599 ++ arch_io_free_memtype_wc(pci_resource_start(dev->pdev, 0),
600 ++ pci_resource_len(dev->pdev, 0));
601 + }
602 +
603 + void cirrus_ttm_placement(struct cirrus_bo *bo, int domain)
604 +diff --git a/drivers/gpu/drm/i915/i915_gem_userptr.c b/drivers/gpu/drm/i915/i915_gem_userptr.c
605 +index 19fb0bddc1cd..359fe2b8bb8a 100644
606 +--- a/drivers/gpu/drm/i915/i915_gem_userptr.c
607 ++++ b/drivers/gpu/drm/i915/i915_gem_userptr.c
608 +@@ -842,6 +842,9 @@ i915_gem_userptr_ioctl(struct drm_device *dev, void *data, struct drm_file *file
609 + I915_USERPTR_UNSYNCHRONIZED))
610 + return -EINVAL;
611 +
612 ++ if (!args->user_size)
613 ++ return -EINVAL;
614 ++
615 + if (offset_in_page(args->user_ptr | args->user_size))
616 + return -EINVAL;
617 +
618 +diff --git a/drivers/gpu/drm/mgag200/mgag200_ttm.c b/drivers/gpu/drm/mgag200/mgag200_ttm.c
619 +index 05108b505fbf..d9df8d32fc35 100644
620 +--- a/drivers/gpu/drm/mgag200/mgag200_ttm.c
621 ++++ b/drivers/gpu/drm/mgag200/mgag200_ttm.c
622 +@@ -274,6 +274,9 @@ int mgag200_mm_init(struct mga_device *mdev)
623 + return ret;
624 + }
625 +
626 ++ arch_io_reserve_memtype_wc(pci_resource_start(dev->pdev, 0),
627 ++ pci_resource_len(dev->pdev, 0));
628 ++
629 + mdev->fb_mtrr = arch_phys_wc_add(pci_resource_start(dev->pdev, 0),
630 + pci_resource_len(dev->pdev, 0));
631 +
632 +@@ -282,10 +285,14 @@ int mgag200_mm_init(struct mga_device *mdev)
633 +
634 + void mgag200_mm_fini(struct mga_device *mdev)
635 + {
636 ++ struct drm_device *dev = mdev->dev;
637 ++
638 + ttm_bo_device_release(&mdev->ttm.bdev);
639 +
640 + mgag200_ttm_global_release(mdev);
641 +
642 ++ arch_io_free_memtype_wc(pci_resource_start(dev->pdev, 0),
643 ++ pci_resource_len(dev->pdev, 0));
644 + arch_phys_wc_del(mdev->fb_mtrr);
645 + mdev->fb_mtrr = 0;
646 + }
647 +diff --git a/drivers/gpu/drm/nouveau/nouveau_ttm.c b/drivers/gpu/drm/nouveau/nouveau_ttm.c
648 +index d2e7d209f651..9835327a3214 100644
649 +--- a/drivers/gpu/drm/nouveau/nouveau_ttm.c
650 ++++ b/drivers/gpu/drm/nouveau/nouveau_ttm.c
651 +@@ -397,6 +397,9 @@ nouveau_ttm_init(struct nouveau_drm *drm)
652 + /* VRAM init */
653 + drm->gem.vram_available = drm->device.info.ram_user;
654 +
655 ++ arch_io_reserve_memtype_wc(device->func->resource_addr(device, 1),
656 ++ device->func->resource_size(device, 1));
657 ++
658 + ret = ttm_bo_init_mm(&drm->ttm.bdev, TTM_PL_VRAM,
659 + drm->gem.vram_available >> PAGE_SHIFT);
660 + if (ret) {
661 +@@ -429,6 +432,8 @@ nouveau_ttm_init(struct nouveau_drm *drm)
662 + void
663 + nouveau_ttm_fini(struct nouveau_drm *drm)
664 + {
665 ++ struct nvkm_device *device = nvxx_device(&drm->device);
666 ++
667 + ttm_bo_clean_mm(&drm->ttm.bdev, TTM_PL_VRAM);
668 + ttm_bo_clean_mm(&drm->ttm.bdev, TTM_PL_TT);
669 +
670 +@@ -438,4 +443,7 @@ nouveau_ttm_fini(struct nouveau_drm *drm)
671 +
672 + arch_phys_wc_del(drm->ttm.mtrr);
673 + drm->ttm.mtrr = 0;
674 ++ arch_io_free_memtype_wc(device->func->resource_addr(device, 1),
675 ++ device->func->resource_size(device, 1));
676 ++
677 + }
678 +diff --git a/drivers/gpu/drm/radeon/radeon_object.c b/drivers/gpu/drm/radeon/radeon_object.c
679 +index 83aee9e814ba..18ec38d0d3f5 100644
680 +--- a/drivers/gpu/drm/radeon/radeon_object.c
681 ++++ b/drivers/gpu/drm/radeon/radeon_object.c
682 +@@ -447,6 +447,10 @@ void radeon_bo_force_delete(struct radeon_device *rdev)
683 +
684 + int radeon_bo_init(struct radeon_device *rdev)
685 + {
686 ++ /* reserve PAT memory space to WC for VRAM */
687 ++ arch_io_reserve_memtype_wc(rdev->mc.aper_base,
688 ++ rdev->mc.aper_size);
689 ++
690 + /* Add an MTRR for the VRAM */
691 + if (!rdev->fastfb_working) {
692 + rdev->mc.vram_mtrr = arch_phys_wc_add(rdev->mc.aper_base,
693 +@@ -464,6 +468,7 @@ void radeon_bo_fini(struct radeon_device *rdev)
694 + {
695 + radeon_ttm_fini(rdev);
696 + arch_phys_wc_del(rdev->mc.vram_mtrr);
697 ++ arch_io_free_memtype_wc(rdev->mc.aper_base, rdev->mc.aper_size);
698 + }
699 +
700 + /* Returns how many bytes TTM can move per IB.
701 +diff --git a/drivers/iio/frequency/ad9523.c b/drivers/iio/frequency/ad9523.c
702 +index 44a30f286de1..57b1812a5a18 100644
703 +--- a/drivers/iio/frequency/ad9523.c
704 ++++ b/drivers/iio/frequency/ad9523.c
705 +@@ -507,7 +507,7 @@ static ssize_t ad9523_store(struct device *dev,
706 + return ret;
707 +
708 + if (!state)
709 +- return 0;
710 ++ return len;
711 +
712 + mutex_lock(&indio_dev->mlock);
713 + switch ((u32)this_attr->address) {
714 +@@ -641,7 +641,7 @@ static int ad9523_read_raw(struct iio_dev *indio_dev,
715 + code = (AD9523_CLK_DIST_DIV_PHASE_REV(ret) * 3141592) /
716 + AD9523_CLK_DIST_DIV_REV(ret);
717 + *val = code / 1000000;
718 +- *val2 = (code % 1000000) * 10;
719 ++ *val2 = code % 1000000;
720 + return IIO_VAL_INT_PLUS_MICRO;
721 + default:
722 + return -EINVAL;
723 +diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
724 +index e913a930ac80..5a63e32a4a6b 100644
725 +--- a/drivers/iommu/dmar.c
726 ++++ b/drivers/iommu/dmar.c
727 +@@ -1315,8 +1315,8 @@ void qi_flush_iotlb(struct intel_iommu *iommu, u16 did, u64 addr,
728 + qi_submit_sync(&desc, iommu);
729 + }
730 +
731 +-void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
732 +- u64 addr, unsigned mask)
733 ++void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid,
734 ++ u16 qdep, u64 addr, unsigned mask)
735 + {
736 + struct qi_desc desc;
737 +
738 +@@ -1331,7 +1331,7 @@ void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
739 + qdep = 0;
740 +
741 + desc.low = QI_DEV_IOTLB_SID(sid) | QI_DEV_IOTLB_QDEP(qdep) |
742 +- QI_DIOTLB_TYPE;
743 ++ QI_DIOTLB_TYPE | QI_DEV_IOTLB_PFSID(pfsid);
744 +
745 + qi_submit_sync(&desc, iommu);
746 + }
747 +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
748 +index 4efec2db4ee2..49b266433f4c 100644
749 +--- a/drivers/iommu/intel-iommu.c
750 ++++ b/drivers/iommu/intel-iommu.c
751 +@@ -419,6 +419,7 @@ struct device_domain_info {
752 + struct list_head global; /* link to global list */
753 + u8 bus; /* PCI bus number */
754 + u8 devfn; /* PCI devfn number */
755 ++ u16 pfsid; /* SRIOV physical function source ID */
756 + u8 pasid_supported:3;
757 + u8 pasid_enabled:1;
758 + u8 pri_supported:1;
759 +@@ -1479,6 +1480,20 @@ static void iommu_enable_dev_iotlb(struct device_domain_info *info)
760 + return;
761 +
762 + pdev = to_pci_dev(info->dev);
763 ++ /* For IOMMU that supports device IOTLB throttling (DIT), we assign
764 ++ * PFSID to the invalidation desc of a VF such that IOMMU HW can gauge
765 ++ * queue depth at PF level. If DIT is not set, PFSID will be treated as
766 ++ * reserved, which should be set to 0.
767 ++ */
768 ++ if (!ecap_dit(info->iommu->ecap))
769 ++ info->pfsid = 0;
770 ++ else {
771 ++ struct pci_dev *pf_pdev;
772 ++
773 ++ /* pdev will be returned if device is not a vf */
774 ++ pf_pdev = pci_physfn(pdev);
775 ++ info->pfsid = PCI_DEVID(pf_pdev->bus->number, pf_pdev->devfn);
776 ++ }
777 +
778 + #ifdef CONFIG_INTEL_IOMMU_SVM
779 + /* The PCIe spec, in its wisdom, declares that the behaviour of
780 +@@ -1537,7 +1552,8 @@ static void iommu_flush_dev_iotlb(struct dmar_domain *domain,
781 +
782 + sid = info->bus << 8 | info->devfn;
783 + qdep = info->ats_qdep;
784 +- qi_flush_dev_iotlb(info->iommu, sid, qdep, addr, mask);
785 ++ qi_flush_dev_iotlb(info->iommu, sid, info->pfsid,
786 ++ qdep, addr, mask);
787 + }
788 + spin_unlock_irqrestore(&device_domain_lock, flags);
789 + }
790 +diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c
791 +index f2c0000de613..95a6ae053714 100644
792 +--- a/drivers/md/bcache/writeback.c
793 ++++ b/drivers/md/bcache/writeback.c
794 +@@ -462,8 +462,10 @@ static int bch_writeback_thread(void *arg)
795 + * data on cache. BCACHE_DEV_DETACHING flag is set in
796 + * bch_cached_dev_detach().
797 + */
798 +- if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags))
799 ++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) {
800 ++ up_write(&dc->writeback_lock);
801 + break;
802 ++ }
803 + }
804 +
805 + up_write(&dc->writeback_lock);
806 +diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
807 +index d3c55d7754af..905badc6cb17 100644
808 +--- a/drivers/md/dm-cache-metadata.c
809 ++++ b/drivers/md/dm-cache-metadata.c
810 +@@ -337,7 +337,7 @@ static int __write_initial_superblock(struct dm_cache_metadata *cmd)
811 + disk_super->version = cpu_to_le32(MAX_CACHE_VERSION);
812 + memset(disk_super->policy_name, 0, sizeof(disk_super->policy_name));
813 + memset(disk_super->policy_version, 0, sizeof(disk_super->policy_version));
814 +- disk_super->policy_hint_size = 0;
815 ++ disk_super->policy_hint_size = cpu_to_le32(0);
816 +
817 + __copy_sm_root(cmd, disk_super);
818 +
819 +@@ -652,6 +652,7 @@ static int __commit_transaction(struct dm_cache_metadata *cmd,
820 + disk_super->policy_version[0] = cpu_to_le32(cmd->policy_version[0]);
821 + disk_super->policy_version[1] = cpu_to_le32(cmd->policy_version[1]);
822 + disk_super->policy_version[2] = cpu_to_le32(cmd->policy_version[2]);
823 ++ disk_super->policy_hint_size = cpu_to_le32(cmd->policy_hint_size);
824 +
825 + disk_super->read_hits = cpu_to_le32(cmd->stats.read_hits);
826 + disk_super->read_misses = cpu_to_le32(cmd->stats.read_misses);
827 +diff --git a/drivers/misc/vmw_balloon.c b/drivers/misc/vmw_balloon.c
828 +index 5e047bfc0cc4..518e2dec2aa2 100644
829 +--- a/drivers/misc/vmw_balloon.c
830 ++++ b/drivers/misc/vmw_balloon.c
831 +@@ -341,7 +341,13 @@ static bool vmballoon_send_start(struct vmballoon *b, unsigned long req_caps)
832 + success = false;
833 + }
834 +
835 +- if (b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS)
836 ++ /*
837 ++ * 2MB pages are only supported with batching. If batching is for some
838 ++ * reason disabled, do not use 2MB pages, since otherwise the legacy
839 ++ * mechanism is used with 2MB pages, causing a failure.
840 ++ */
841 ++ if ((b->capabilities & VMW_BALLOON_BATCHED_2M_CMDS) &&
842 ++ (b->capabilities & VMW_BALLOON_BATCHED_CMDS))
843 + b->supported_page_sizes = 2;
844 + else
845 + b->supported_page_sizes = 1;
846 +@@ -450,7 +456,7 @@ static int vmballoon_send_lock_page(struct vmballoon *b, unsigned long pfn,
847 +
848 + pfn32 = (u32)pfn;
849 + if (pfn32 != pfn)
850 +- return -1;
851 ++ return -EINVAL;
852 +
853 + STATS_INC(b->stats.lock[false]);
854 +
855 +@@ -460,7 +466,7 @@ static int vmballoon_send_lock_page(struct vmballoon *b, unsigned long pfn,
856 +
857 + pr_debug("%s - ppn %lx, hv returns %ld\n", __func__, pfn, status);
858 + STATS_INC(b->stats.lock_fail[false]);
859 +- return 1;
860 ++ return -EIO;
861 + }
862 +
863 + static int vmballoon_send_batched_lock(struct vmballoon *b,
864 +@@ -597,11 +603,12 @@ static int vmballoon_lock_page(struct vmballoon *b, unsigned int num_pages,
865 +
866 + locked = vmballoon_send_lock_page(b, page_to_pfn(page), &hv_status,
867 + target);
868 +- if (locked > 0) {
869 ++ if (locked) {
870 + STATS_INC(b->stats.refused_alloc[false]);
871 +
872 +- if (hv_status == VMW_BALLOON_ERROR_RESET ||
873 +- hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED) {
874 ++ if (locked == -EIO &&
875 ++ (hv_status == VMW_BALLOON_ERROR_RESET ||
876 ++ hv_status == VMW_BALLOON_ERROR_PPN_NOTNEEDED)) {
877 + vmballoon_free_page(page, false);
878 + return -EIO;
879 + }
880 +@@ -617,7 +624,7 @@ static int vmballoon_lock_page(struct vmballoon *b, unsigned int num_pages,
881 + } else {
882 + vmballoon_free_page(page, false);
883 + }
884 +- return -EIO;
885 ++ return locked;
886 + }
887 +
888 + /* track allocated page */
889 +@@ -1029,29 +1036,30 @@ static void vmballoon_vmci_cleanup(struct vmballoon *b)
890 + */
891 + static int vmballoon_vmci_init(struct vmballoon *b)
892 + {
893 +- int error = 0;
894 ++ unsigned long error, dummy;
895 +
896 +- if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) != 0) {
897 +- error = vmci_doorbell_create(&b->vmci_doorbell,
898 +- VMCI_FLAG_DELAYED_CB,
899 +- VMCI_PRIVILEGE_FLAG_RESTRICTED,
900 +- vmballoon_doorbell, b);
901 +-
902 +- if (error == VMCI_SUCCESS) {
903 +- VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET,
904 +- b->vmci_doorbell.context,
905 +- b->vmci_doorbell.resource, error);
906 +- STATS_INC(b->stats.doorbell_set);
907 +- }
908 +- }
909 ++ if ((b->capabilities & VMW_BALLOON_SIGNALLED_WAKEUP_CMD) == 0)
910 ++ return 0;
911 +
912 +- if (error != 0) {
913 +- vmballoon_vmci_cleanup(b);
914 ++ error = vmci_doorbell_create(&b->vmci_doorbell, VMCI_FLAG_DELAYED_CB,
915 ++ VMCI_PRIVILEGE_FLAG_RESTRICTED,
916 ++ vmballoon_doorbell, b);
917 +
918 +- return -EIO;
919 +- }
920 ++ if (error != VMCI_SUCCESS)
921 ++ goto fail;
922 ++
923 ++ error = VMWARE_BALLOON_CMD(VMCI_DOORBELL_SET, b->vmci_doorbell.context,
924 ++ b->vmci_doorbell.resource, dummy);
925 ++
926 ++ STATS_INC(b->stats.doorbell_set);
927 ++
928 ++ if (error != VMW_BALLOON_SUCCESS)
929 ++ goto fail;
930 +
931 + return 0;
932 ++fail:
933 ++ vmballoon_vmci_cleanup(b);
934 ++ return -EIO;
935 + }
936 +
937 + /*
938 +@@ -1289,7 +1297,14 @@ static int __init vmballoon_init(void)
939 +
940 + return 0;
941 + }
942 +-module_init(vmballoon_init);
943 ++
944 ++/*
945 ++ * Using late_initcall() instead of module_init() allows the balloon to use the
946 ++ * VMCI doorbell even when the balloon is built into the kernel. Otherwise the
947 ++ * VMCI is probed only after the balloon is initialized. If the balloon is used
948 ++ * as a module, late_initcall() is equivalent to module_init().
949 ++ */
950 ++late_initcall(vmballoon_init);
951 +
952 + static void __exit vmballoon_exit(void)
953 + {
954 +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
955 +index acec4b565511..1aede726052c 100644
956 +--- a/drivers/net/usb/lan78xx.c
957 ++++ b/drivers/net/usb/lan78xx.c
958 +@@ -902,6 +902,8 @@ static int lan78xx_link_reset(struct lan78xx_net *dev)
959 +
960 + ret = lan78xx_update_flowcontrol(dev, ecmd.duplex, ladv, radv);
961 + netif_carrier_on(dev->net);
962 ++
963 ++ tasklet_schedule(&dev->bh);
964 + }
965 +
966 + return ret;
967 +@@ -1361,8 +1363,6 @@ static void lan78xx_init_mac_address(struct lan78xx_net *dev)
968 + netif_dbg(dev, ifup, dev->net,
969 + "MAC address set to random addr");
970 + }
971 +-
972 +- tasklet_schedule(&dev->bh);
973 + }
974 +
975 + ret = lan78xx_write_reg(dev, MAF_LO(0), addr_lo);
976 +diff --git a/drivers/pwm/pwm-tiehrpwm.c b/drivers/pwm/pwm-tiehrpwm.c
977 +index 6a41e66015b6..062dff1c902d 100644
978 +--- a/drivers/pwm/pwm-tiehrpwm.c
979 ++++ b/drivers/pwm/pwm-tiehrpwm.c
980 +@@ -384,6 +384,8 @@ static void ehrpwm_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm)
981 + aqcsfrc_mask = AQCSFRC_CSFA_MASK;
982 + }
983 +
984 ++ /* Update shadow register first before modifying active register */
985 ++ ehrpwm_modify(pc->mmio_base, AQCSFRC, aqcsfrc_mask, aqcsfrc_val);
986 + /*
987 + * Changes to immediate action on Action Qualifier. This puts
988 + * Action Qualifier control on PWM output from next TBCLK
989 +diff --git a/drivers/spi/spi-davinci.c b/drivers/spi/spi-davinci.c
990 +index c872a2e54c4b..2603bee2ce07 100644
991 +--- a/drivers/spi/spi-davinci.c
992 ++++ b/drivers/spi/spi-davinci.c
993 +@@ -220,7 +220,7 @@ static void davinci_spi_chipselect(struct spi_device *spi, int value)
994 + pdata = &dspi->pdata;
995 +
996 + /* program delay transfers if tx_delay is non zero */
997 +- if (spicfg->wdelay)
998 ++ if (spicfg && spicfg->wdelay)
999 + spidat1 |= SPIDAT1_WDEL;
1000 +
1001 + /*
1002 +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
1003 +index 0705d8883ede..8a29ec5992fd 100644
1004 +--- a/drivers/video/fbdev/core/fbmem.c
1005 ++++ b/drivers/video/fbdev/core/fbmem.c
1006 +@@ -1687,12 +1687,12 @@ static int do_register_framebuffer(struct fb_info *fb_info)
1007 + return 0;
1008 + }
1009 +
1010 +-static int do_unregister_framebuffer(struct fb_info *fb_info)
1011 ++static int unbind_console(struct fb_info *fb_info)
1012 + {
1013 + struct fb_event event;
1014 +- int i, ret = 0;
1015 ++ int ret;
1016 ++ int i = fb_info->node;
1017 +
1018 +- i = fb_info->node;
1019 + if (i < 0 || i >= FB_MAX || registered_fb[i] != fb_info)
1020 + return -EINVAL;
1021 +
1022 +@@ -1707,17 +1707,29 @@ static int do_unregister_framebuffer(struct fb_info *fb_info)
1023 + unlock_fb_info(fb_info);
1024 + console_unlock();
1025 +
1026 ++ return ret;
1027 ++}
1028 ++
1029 ++static int __unlink_framebuffer(struct fb_info *fb_info);
1030 ++
1031 ++static int do_unregister_framebuffer(struct fb_info *fb_info)
1032 ++{
1033 ++ struct fb_event event;
1034 ++ int ret;
1035 ++
1036 ++ ret = unbind_console(fb_info);
1037 ++
1038 + if (ret)
1039 + return -EINVAL;
1040 +
1041 + pm_vt_switch_unregister(fb_info->dev);
1042 +
1043 +- unlink_framebuffer(fb_info);
1044 ++ __unlink_framebuffer(fb_info);
1045 + if (fb_info->pixmap.addr &&
1046 + (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT))
1047 + kfree(fb_info->pixmap.addr);
1048 + fb_destroy_modelist(&fb_info->modelist);
1049 +- registered_fb[i] = NULL;
1050 ++ registered_fb[fb_info->node] = NULL;
1051 + num_registered_fb--;
1052 + fb_cleanup_device(fb_info);
1053 + event.info = fb_info;
1054 +@@ -1730,7 +1742,7 @@ static int do_unregister_framebuffer(struct fb_info *fb_info)
1055 + return 0;
1056 + }
1057 +
1058 +-int unlink_framebuffer(struct fb_info *fb_info)
1059 ++static int __unlink_framebuffer(struct fb_info *fb_info)
1060 + {
1061 + int i;
1062 +
1063 +@@ -1742,6 +1754,20 @@ int unlink_framebuffer(struct fb_info *fb_info)
1064 + device_destroy(fb_class, MKDEV(FB_MAJOR, i));
1065 + fb_info->dev = NULL;
1066 + }
1067 ++
1068 ++ return 0;
1069 ++}
1070 ++
1071 ++int unlink_framebuffer(struct fb_info *fb_info)
1072 ++{
1073 ++ int ret;
1074 ++
1075 ++ ret = __unlink_framebuffer(fb_info);
1076 ++ if (ret)
1077 ++ return ret;
1078 ++
1079 ++ unbind_console(fb_info);
1080 ++
1081 + return 0;
1082 + }
1083 + EXPORT_SYMBOL(unlink_framebuffer);
1084 +diff --git a/fs/9p/xattr.c b/fs/9p/xattr.c
1085 +index e3d026ac382e..f35168ce426b 100644
1086 +--- a/fs/9p/xattr.c
1087 ++++ b/fs/9p/xattr.c
1088 +@@ -107,7 +107,7 @@ int v9fs_fid_xattr_set(struct p9_fid *fid, const char *name,
1089 + {
1090 + struct kvec kvec = {.iov_base = (void *)value, .iov_len = value_len};
1091 + struct iov_iter from;
1092 +- int retval;
1093 ++ int retval, err;
1094 +
1095 + iov_iter_kvec(&from, WRITE | ITER_KVEC, &kvec, 1, value_len);
1096 +
1097 +@@ -128,7 +128,9 @@ int v9fs_fid_xattr_set(struct p9_fid *fid, const char *name,
1098 + retval);
1099 + else
1100 + p9_client_write(fid, 0, &from, &retval);
1101 +- p9_client_clunk(fid);
1102 ++ err = p9_client_clunk(fid);
1103 ++ if (!retval && err)
1104 ++ retval = err;
1105 + return retval;
1106 + }
1107 +
1108 +diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
1109 +index a861bbdfe577..fa8b484d035d 100644
1110 +--- a/fs/nfs/blocklayout/dev.c
1111 ++++ b/fs/nfs/blocklayout/dev.c
1112 +@@ -162,7 +162,7 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset,
1113 + chunk = div_u64(offset, dev->chunk_size);
1114 + div_u64_rem(chunk, dev->nr_children, &chunk_idx);
1115 +
1116 +- if (chunk_idx > dev->nr_children) {
1117 ++ if (chunk_idx >= dev->nr_children) {
1118 + dprintk("%s: invalid chunk idx %d (%lld/%lld)\n",
1119 + __func__, chunk_idx, offset, dev->chunk_size);
1120 + /* error, should not happen */
1121 +diff --git a/fs/quota/quota.c b/fs/quota/quota.c
1122 +index 3746367098fd..bb0d643481c8 100644
1123 +--- a/fs/quota/quota.c
1124 ++++ b/fs/quota/quota.c
1125 +@@ -17,6 +17,7 @@
1126 + #include <linux/quotaops.h>
1127 + #include <linux/types.h>
1128 + #include <linux/writeback.h>
1129 ++#include <linux/nospec.h>
1130 +
1131 + static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
1132 + qid_t id)
1133 +@@ -644,6 +645,7 @@ static int do_quotactl(struct super_block *sb, int type, int cmd, qid_t id,
1134 +
1135 + if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS))
1136 + return -EINVAL;
1137 ++ type = array_index_nospec(type, MAXQUOTAS);
1138 + /*
1139 + * Quota not supported on this fs? Check this before s_quota_types
1140 + * since they needn't be set if quota is not supported at all.
1141 +diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
1142 +index 22dba8837a86..539fa934ed93 100644
1143 +--- a/fs/ubifs/journal.c
1144 ++++ b/fs/ubifs/journal.c
1145 +@@ -661,6 +661,11 @@ int ubifs_jnl_update(struct ubifs_info *c, const struct inode *dir,
1146 + spin_lock(&ui->ui_lock);
1147 + ui->synced_i_size = ui->ui_size;
1148 + spin_unlock(&ui->ui_lock);
1149 ++ if (xent) {
1150 ++ spin_lock(&host_ui->ui_lock);
1151 ++ host_ui->synced_i_size = host_ui->ui_size;
1152 ++ spin_unlock(&host_ui->ui_lock);
1153 ++ }
1154 + mark_inode_clean(c, ui);
1155 + mark_inode_clean(c, host_ui);
1156 + return 0;
1157 +@@ -1107,7 +1112,7 @@ static int recomp_data_node(const struct ubifs_info *c,
1158 + int err, len, compr_type, out_len;
1159 +
1160 + out_len = le32_to_cpu(dn->size);
1161 +- buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
1162 ++ buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
1163 + if (!buf)
1164 + return -ENOMEM;
1165 +
1166 +@@ -1186,7 +1191,16 @@ int ubifs_jnl_truncate(struct ubifs_info *c, const struct inode *inode,
1167 + else if (err)
1168 + goto out_free;
1169 + else {
1170 +- if (le32_to_cpu(dn->size) <= dlen)
1171 ++ int dn_len = le32_to_cpu(dn->size);
1172 ++
1173 ++ if (dn_len <= 0 || dn_len > UBIFS_BLOCK_SIZE) {
1174 ++ ubifs_err(c, "bad data node (block %u, inode %lu)",
1175 ++ blk, inode->i_ino);
1176 ++ ubifs_dump_node(c, dn);
1177 ++ goto out_free;
1178 ++ }
1179 ++
1180 ++ if (dn_len <= dlen)
1181 + dlen = 0; /* Nothing to do */
1182 + else {
1183 + int compr_type = le16_to_cpu(dn->compr_type);
1184 +diff --git a/fs/ubifs/lprops.c b/fs/ubifs/lprops.c
1185 +index a0011aa3a779..f43f162e36f4 100644
1186 +--- a/fs/ubifs/lprops.c
1187 ++++ b/fs/ubifs/lprops.c
1188 +@@ -1091,10 +1091,6 @@ static int scan_check_cb(struct ubifs_info *c,
1189 + }
1190 + }
1191 +
1192 +- buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL);
1193 +- if (!buf)
1194 +- return -ENOMEM;
1195 +-
1196 + /*
1197 + * After an unclean unmount, empty and freeable LEBs
1198 + * may contain garbage - do not scan them.
1199 +@@ -1113,6 +1109,10 @@ static int scan_check_cb(struct ubifs_info *c,
1200 + return LPT_SCAN_CONTINUE;
1201 + }
1202 +
1203 ++ buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL);
1204 ++ if (!buf)
1205 ++ return -ENOMEM;
1206 ++
1207 + sleb = ubifs_scan(c, lnum, 0, buf, 0);
1208 + if (IS_ERR(sleb)) {
1209 + ret = PTR_ERR(sleb);
1210 +diff --git a/fs/xattr.c b/fs/xattr.c
1211 +index 76f01bf4b048..09441c396798 100644
1212 +--- a/fs/xattr.c
1213 ++++ b/fs/xattr.c
1214 +@@ -453,7 +453,7 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
1215 + if (error > 0) {
1216 + if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
1217 + (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
1218 +- posix_acl_fix_xattr_to_user(kvalue, size);
1219 ++ posix_acl_fix_xattr_to_user(kvalue, error);
1220 + if (size && copy_to_user(value, kvalue, error))
1221 + error = -EFAULT;
1222 + } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
1223 +diff --git a/include/linux/intel-iommu.h b/include/linux/intel-iommu.h
1224 +index 23e129ef6726..e353f6600b0b 100644
1225 +--- a/include/linux/intel-iommu.h
1226 ++++ b/include/linux/intel-iommu.h
1227 +@@ -125,6 +125,7 @@ static inline void dmar_writeq(void __iomem *addr, u64 val)
1228 + * Extended Capability Register
1229 + */
1230 +
1231 ++#define ecap_dit(e) ((e >> 41) & 0x1)
1232 + #define ecap_pasid(e) ((e >> 40) & 0x1)
1233 + #define ecap_pss(e) ((e >> 35) & 0x1f)
1234 + #define ecap_eafs(e) ((e >> 34) & 0x1)
1235 +@@ -294,6 +295,7 @@ enum {
1236 + #define QI_DEV_IOTLB_SID(sid) ((u64)((sid) & 0xffff) << 32)
1237 + #define QI_DEV_IOTLB_QDEP(qdep) (((qdep) & 0x1f) << 16)
1238 + #define QI_DEV_IOTLB_ADDR(addr) ((u64)(addr) & VTD_PAGE_MASK)
1239 ++#define QI_DEV_IOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
1240 + #define QI_DEV_IOTLB_SIZE 1
1241 + #define QI_DEV_IOTLB_MAX_INVS 32
1242 +
1243 +@@ -318,6 +320,7 @@ enum {
1244 + #define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32)
1245 + #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16)
1246 + #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4)
1247 ++#define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
1248 + #define QI_DEV_EIOTLB_MAX_INVS 32
1249 +
1250 + #define QI_PGRP_IDX(idx) (((u64)(idx)) << 55)
1251 +@@ -463,9 +466,8 @@ extern void qi_flush_context(struct intel_iommu *iommu, u16 did, u16 sid,
1252 + u8 fm, u64 type);
1253 + extern void qi_flush_iotlb(struct intel_iommu *iommu, u16 did, u64 addr,
1254 + unsigned int size_order, u64 type);
1255 +-extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
1256 +- u64 addr, unsigned mask);
1257 +-
1258 ++extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid,
1259 ++ u16 qdep, u64 addr, unsigned mask);
1260 + extern int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu);
1261 +
1262 + extern int dmar_ir_support(void);
1263 +diff --git a/include/linux/io.h b/include/linux/io.h
1264 +index de64c1e53612..8ab45611fc35 100644
1265 +--- a/include/linux/io.h
1266 ++++ b/include/linux/io.h
1267 +@@ -154,4 +154,26 @@ enum {
1268 + void *memremap(resource_size_t offset, size_t size, unsigned long flags);
1269 + void memunmap(void *addr);
1270 +
1271 ++/*
1272 ++ * On x86 PAT systems we have memory tracking that keeps track of
1273 ++ * the allowed mappings on memory ranges. This tracking works for
1274 ++ * all the in-kernel mapping APIs (ioremap*), but where the user
1275 ++ * wishes to map a range from a physical device into user memory
1276 ++ * the tracking won't be updated. This API is to be used by
1277 ++ * drivers which remap physical device pages into userspace,
1278 ++ * and wants to make sure they are mapped WC and not UC.
1279 ++ */
1280 ++#ifndef arch_io_reserve_memtype_wc
1281 ++static inline int arch_io_reserve_memtype_wc(resource_size_t base,
1282 ++ resource_size_t size)
1283 ++{
1284 ++ return 0;
1285 ++}
1286 ++
1287 ++static inline void arch_io_free_memtype_wc(resource_size_t base,
1288 ++ resource_size_t size)
1289 ++{
1290 ++}
1291 ++#endif
1292 ++
1293 + #endif /* _LINUX_IO_H */
1294 +diff --git a/include/video/udlfb.h b/include/video/udlfb.h
1295 +index f9466fa54ba4..2ad9a6d37ff4 100644
1296 +--- a/include/video/udlfb.h
1297 ++++ b/include/video/udlfb.h
1298 +@@ -87,7 +87,7 @@ struct dlfb_data {
1299 + #define MIN_RAW_PIX_BYTES 2
1300 + #define MIN_RAW_CMD_BYTES (RAW_HEADER_BYTES + MIN_RAW_PIX_BYTES)
1301 +
1302 +-#define DL_DEFIO_WRITE_DELAY 5 /* fb_deferred_io.delay in jiffies */
1303 ++#define DL_DEFIO_WRITE_DELAY msecs_to_jiffies(HZ <= 300 ? 4 : 10) /* optimal value for 720p video */
1304 + #define DL_DEFIO_WRITE_DISABLE (HZ*60) /* "disable" with long delay */
1305 +
1306 + /* remove these once align.h patch is taken into kernel */
1307 +diff --git a/kernel/kthread.c b/kernel/kthread.c
1308 +index 850b255649a2..ac6849ee3057 100644
1309 +--- a/kernel/kthread.c
1310 ++++ b/kernel/kthread.c
1311 +@@ -313,10 +313,16 @@ struct task_struct *kthread_create_on_node(int (*threadfn)(void *data),
1312 + task = create->result;
1313 + if (!IS_ERR(task)) {
1314 + static const struct sched_param param = { .sched_priority = 0 };
1315 ++ char name[TASK_COMM_LEN];
1316 + va_list args;
1317 +
1318 + va_start(args, namefmt);
1319 +- vsnprintf(task->comm, sizeof(task->comm), namefmt, args);
1320 ++ /*
1321 ++ * task is already visible to other tasks, so updating
1322 ++ * COMM must be protected.
1323 ++ */
1324 ++ vsnprintf(name, sizeof(name), namefmt, args);
1325 ++ set_task_comm(task, name);
1326 + va_end(args);
1327 + /*
1328 + * root may have changed our (kthreadd's) priority or CPU mask.
1329 +diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig
1330 +index 02e8dfaa1ce2..9d76184279fe 100644
1331 +--- a/kernel/power/Kconfig
1332 ++++ b/kernel/power/Kconfig
1333 +@@ -105,6 +105,7 @@ config PM_SLEEP
1334 + def_bool y
1335 + depends on SUSPEND || HIBERNATE_CALLBACKS
1336 + select PM
1337 ++ select SRCU
1338 +
1339 + config PM_SLEEP_SMP
1340 + def_bool y
1341 +diff --git a/kernel/sys.c b/kernel/sys.c
1342 +index f718742e55e6..e2446ade79ba 100644
1343 +--- a/kernel/sys.c
1344 ++++ b/kernel/sys.c
1345 +@@ -1142,18 +1142,19 @@ static int override_release(char __user *release, size_t len)
1346 +
1347 + SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
1348 + {
1349 +- int errno = 0;
1350 ++ struct new_utsname tmp;
1351 +
1352 + down_read(&uts_sem);
1353 +- if (copy_to_user(name, utsname(), sizeof *name))
1354 +- errno = -EFAULT;
1355 ++ memcpy(&tmp, utsname(), sizeof(tmp));
1356 + up_read(&uts_sem);
1357 ++ if (copy_to_user(name, &tmp, sizeof(tmp)))
1358 ++ return -EFAULT;
1359 +
1360 +- if (!errno && override_release(name->release, sizeof(name->release)))
1361 +- errno = -EFAULT;
1362 +- if (!errno && override_architecture(name))
1363 +- errno = -EFAULT;
1364 +- return errno;
1365 ++ if (override_release(name->release, sizeof(name->release)))
1366 ++ return -EFAULT;
1367 ++ if (override_architecture(name))
1368 ++ return -EFAULT;
1369 ++ return 0;
1370 + }
1371 +
1372 + #ifdef __ARCH_WANT_SYS_OLD_UNAME
1373 +@@ -1162,55 +1163,46 @@ SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
1374 + */
1375 + SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
1376 + {
1377 +- int error = 0;
1378 ++ struct old_utsname tmp;
1379 +
1380 + if (!name)
1381 + return -EFAULT;
1382 +
1383 + down_read(&uts_sem);
1384 +- if (copy_to_user(name, utsname(), sizeof(*name)))
1385 +- error = -EFAULT;
1386 ++ memcpy(&tmp, utsname(), sizeof(tmp));
1387 + up_read(&uts_sem);
1388 ++ if (copy_to_user(name, &tmp, sizeof(tmp)))
1389 ++ return -EFAULT;
1390 +
1391 +- if (!error && override_release(name->release, sizeof(name->release)))
1392 +- error = -EFAULT;
1393 +- if (!error && override_architecture(name))
1394 +- error = -EFAULT;
1395 +- return error;
1396 ++ if (override_release(name->release, sizeof(name->release)))
1397 ++ return -EFAULT;
1398 ++ if (override_architecture(name))
1399 ++ return -EFAULT;
1400 ++ return 0;
1401 + }
1402 +
1403 + SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
1404 + {
1405 +- int error;
1406 ++ struct oldold_utsname tmp = {};
1407 +
1408 + if (!name)
1409 + return -EFAULT;
1410 +- if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname)))
1411 +- return -EFAULT;
1412 +
1413 + down_read(&uts_sem);
1414 +- error = __copy_to_user(&name->sysname, &utsname()->sysname,
1415 +- __OLD_UTS_LEN);
1416 +- error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
1417 +- error |= __copy_to_user(&name->nodename, &utsname()->nodename,
1418 +- __OLD_UTS_LEN);
1419 +- error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
1420 +- error |= __copy_to_user(&name->release, &utsname()->release,
1421 +- __OLD_UTS_LEN);
1422 +- error |= __put_user(0, name->release + __OLD_UTS_LEN);
1423 +- error |= __copy_to_user(&name->version, &utsname()->version,
1424 +- __OLD_UTS_LEN);
1425 +- error |= __put_user(0, name->version + __OLD_UTS_LEN);
1426 +- error |= __copy_to_user(&name->machine, &utsname()->machine,
1427 +- __OLD_UTS_LEN);
1428 +- error |= __put_user(0, name->machine + __OLD_UTS_LEN);
1429 ++ memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
1430 ++ memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
1431 ++ memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN);
1432 ++ memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN);
1433 ++ memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN);
1434 + up_read(&uts_sem);
1435 ++ if (copy_to_user(name, &tmp, sizeof(tmp)))
1436 ++ return -EFAULT;
1437 +
1438 +- if (!error && override_architecture(name))
1439 +- error = -EFAULT;
1440 +- if (!error && override_release(name->release, sizeof(name->release)))
1441 +- error = -EFAULT;
1442 +- return error ? -EFAULT : 0;
1443 ++ if (override_architecture(name))
1444 ++ return -EFAULT;
1445 ++ if (override_release(name->release, sizeof(name->release)))
1446 ++ return -EFAULT;
1447 ++ return 0;
1448 + }
1449 + #endif
1450 +
1451 +@@ -1224,17 +1216,18 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
1452 +
1453 + if (len < 0 || len > __NEW_UTS_LEN)
1454 + return -EINVAL;
1455 +- down_write(&uts_sem);
1456 + errno = -EFAULT;
1457 + if (!copy_from_user(tmp, name, len)) {
1458 +- struct new_utsname *u = utsname();
1459 ++ struct new_utsname *u;
1460 +
1461 ++ down_write(&uts_sem);
1462 ++ u = utsname();
1463 + memcpy(u->nodename, tmp, len);
1464 + memset(u->nodename + len, 0, sizeof(u->nodename) - len);
1465 + errno = 0;
1466 + uts_proc_notify(UTS_PROC_HOSTNAME);
1467 ++ up_write(&uts_sem);
1468 + }
1469 +- up_write(&uts_sem);
1470 + return errno;
1471 + }
1472 +
1473 +@@ -1242,8 +1235,9 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
1474 +
1475 + SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
1476 + {
1477 +- int i, errno;
1478 ++ int i;
1479 + struct new_utsname *u;
1480 ++ char tmp[__NEW_UTS_LEN + 1];
1481 +
1482 + if (len < 0)
1483 + return -EINVAL;
1484 +@@ -1252,11 +1246,11 @@ SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
1485 + i = 1 + strlen(u->nodename);
1486 + if (i > len)
1487 + i = len;
1488 +- errno = 0;
1489 +- if (copy_to_user(name, u->nodename, i))
1490 +- errno = -EFAULT;
1491 ++ memcpy(tmp, u->nodename, i);
1492 + up_read(&uts_sem);
1493 +- return errno;
1494 ++ if (copy_to_user(name, tmp, i))
1495 ++ return -EFAULT;
1496 ++ return 0;
1497 + }
1498 +
1499 + #endif
1500 +@@ -1275,17 +1269,18 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len)
1501 + if (len < 0 || len > __NEW_UTS_LEN)
1502 + return -EINVAL;
1503 +
1504 +- down_write(&uts_sem);
1505 + errno = -EFAULT;
1506 + if (!copy_from_user(tmp, name, len)) {
1507 +- struct new_utsname *u = utsname();
1508 ++ struct new_utsname *u;
1509 +
1510 ++ down_write(&uts_sem);
1511 ++ u = utsname();
1512 + memcpy(u->domainname, tmp, len);
1513 + memset(u->domainname + len, 0, sizeof(u->domainname) - len);
1514 + errno = 0;
1515 + uts_proc_notify(UTS_PROC_DOMAINNAME);
1516 ++ up_write(&uts_sem);
1517 + }
1518 +- up_write(&uts_sem);
1519 + return errno;
1520 + }
1521 +
1522 +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
1523 +index 7ab5eafea8b2..210b8e726a97 100644
1524 +--- a/kernel/trace/blktrace.c
1525 ++++ b/kernel/trace/blktrace.c
1526 +@@ -1716,6 +1716,10 @@ static ssize_t sysfs_blk_trace_attr_store(struct device *dev,
1527 + mutex_lock(&bdev->bd_mutex);
1528 +
1529 + if (attr == &dev_attr_enable) {
1530 ++ if (!!value == !!q->blk_trace) {
1531 ++ ret = 0;
1532 ++ goto out_unlock_bdev;
1533 ++ }
1534 + if (value)
1535 + ret = blk_trace_setup_queue(q, bdev);
1536 + else
1537 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
1538 +index 11761b3dd7ba..e409ddce8754 100644
1539 +--- a/kernel/trace/trace.c
1540 ++++ b/kernel/trace/trace.c
1541 +@@ -6496,7 +6496,9 @@ rb_simple_write(struct file *filp, const char __user *ubuf,
1542 +
1543 + if (buffer) {
1544 + mutex_lock(&trace_types_lock);
1545 +- if (val) {
1546 ++ if (!!val == tracer_tracing_is_on(tr)) {
1547 ++ val = 0; /* do nothing */
1548 ++ } else if (val) {
1549 + tracer_tracing_on(tr);
1550 + if (tr->current_trace->start)
1551 + tr->current_trace->start(tr);
1552 +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
1553 +index 68bb89ad9d28..1dc887bab085 100644
1554 +--- a/kernel/trace/trace_uprobe.c
1555 ++++ b/kernel/trace/trace_uprobe.c
1556 +@@ -969,7 +969,7 @@ probe_event_disable(struct trace_uprobe *tu, struct trace_event_file *file)
1557 +
1558 + list_del_rcu(&link->list);
1559 + /* synchronize with u{,ret}probe_trace_func */
1560 +- synchronize_sched();
1561 ++ synchronize_rcu();
1562 + kfree(link);
1563 +
1564 + if (!list_empty(&tu->tp.files))
1565 +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
1566 +index 88fefa68c516..a965df4b54f5 100644
1567 +--- a/kernel/user_namespace.c
1568 ++++ b/kernel/user_namespace.c
1569 +@@ -602,9 +602,26 @@ static ssize_t map_write(struct file *file, const char __user *buf,
1570 + struct uid_gid_map new_map;
1571 + unsigned idx;
1572 + struct uid_gid_extent *extent = NULL;
1573 +- unsigned long page = 0;
1574 ++ unsigned long page;
1575 + char *kbuf, *pos, *next_line;
1576 +- ssize_t ret = -EINVAL;
1577 ++ ssize_t ret;
1578 ++
1579 ++ /* Only allow < page size writes at the beginning of the file */
1580 ++ if ((*ppos != 0) || (count >= PAGE_SIZE))
1581 ++ return -EINVAL;
1582 ++
1583 ++ /* Get a buffer */
1584 ++ page = __get_free_page(GFP_TEMPORARY);
1585 ++ kbuf = (char *) page;
1586 ++ if (!page)
1587 ++ return -ENOMEM;
1588 ++
1589 ++ /* Slurp in the user data */
1590 ++ if (copy_from_user(kbuf, buf, count)) {
1591 ++ free_page(page);
1592 ++ return -EFAULT;
1593 ++ }
1594 ++ kbuf[count] = '\0';
1595 +
1596 + /*
1597 + * The userns_state_mutex serializes all writes to any given map.
1598 +@@ -638,24 +655,6 @@ static ssize_t map_write(struct file *file, const char __user *buf,
1599 + if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
1600 + goto out;
1601 +
1602 +- /* Get a buffer */
1603 +- ret = -ENOMEM;
1604 +- page = __get_free_page(GFP_TEMPORARY);
1605 +- kbuf = (char *) page;
1606 +- if (!page)
1607 +- goto out;
1608 +-
1609 +- /* Only allow < page size writes at the beginning of the file */
1610 +- ret = -EINVAL;
1611 +- if ((*ppos != 0) || (count >= PAGE_SIZE))
1612 +- goto out;
1613 +-
1614 +- /* Slurp in the user data */
1615 +- ret = -EFAULT;
1616 +- if (copy_from_user(kbuf, buf, count))
1617 +- goto out;
1618 +- kbuf[count] = '\0';
1619 +-
1620 + /* Parse the user data */
1621 + ret = -EINVAL;
1622 + pos = kbuf;
1623 +diff --git a/kernel/utsname_sysctl.c b/kernel/utsname_sysctl.c
1624 +index c8eac43267e9..d2b3b2973456 100644
1625 +--- a/kernel/utsname_sysctl.c
1626 ++++ b/kernel/utsname_sysctl.c
1627 +@@ -17,7 +17,7 @@
1628 +
1629 + #ifdef CONFIG_PROC_SYSCTL
1630 +
1631 +-static void *get_uts(struct ctl_table *table, int write)
1632 ++static void *get_uts(struct ctl_table *table)
1633 + {
1634 + char *which = table->data;
1635 + struct uts_namespace *uts_ns;
1636 +@@ -25,21 +25,9 @@ static void *get_uts(struct ctl_table *table, int write)
1637 + uts_ns = current->nsproxy->uts_ns;
1638 + which = (which - (char *)&init_uts_ns) + (char *)uts_ns;
1639 +
1640 +- if (!write)
1641 +- down_read(&uts_sem);
1642 +- else
1643 +- down_write(&uts_sem);
1644 + return which;
1645 + }
1646 +
1647 +-static void put_uts(struct ctl_table *table, int write, void *which)
1648 +-{
1649 +- if (!write)
1650 +- up_read(&uts_sem);
1651 +- else
1652 +- up_write(&uts_sem);
1653 +-}
1654 +-
1655 + /*
1656 + * Special case of dostring for the UTS structure. This has locks
1657 + * to observe. Should this be in kernel/sys.c ????
1658 +@@ -49,13 +37,34 @@ static int proc_do_uts_string(struct ctl_table *table, int write,
1659 + {
1660 + struct ctl_table uts_table;
1661 + int r;
1662 ++ char tmp_data[__NEW_UTS_LEN + 1];
1663 ++
1664 + memcpy(&uts_table, table, sizeof(uts_table));
1665 +- uts_table.data = get_uts(table, write);
1666 ++ uts_table.data = tmp_data;
1667 ++
1668 ++ /*
1669 ++ * Buffer the value in tmp_data so that proc_dostring() can be called
1670 ++ * without holding any locks.
1671 ++ * We also need to read the original value in the write==1 case to
1672 ++ * support partial writes.
1673 ++ */
1674 ++ down_read(&uts_sem);
1675 ++ memcpy(tmp_data, get_uts(table), sizeof(tmp_data));
1676 ++ up_read(&uts_sem);
1677 + r = proc_dostring(&uts_table, write, buffer, lenp, ppos);
1678 +- put_uts(table, write, uts_table.data);
1679 +
1680 +- if (write)
1681 ++ if (write) {
1682 ++ /*
1683 ++ * Write back the new value.
1684 ++ * Note that, since we dropped uts_sem, the result can
1685 ++ * theoretically be incorrect if there are two parallel writes
1686 ++ * at non-zero offsets to the same sysctl.
1687 ++ */
1688 ++ down_write(&uts_sem);
1689 ++ memcpy(get_uts(table), tmp_data, sizeof(tmp_data));
1690 ++ up_write(&uts_sem);
1691 + proc_sys_poll_notify(table->poll);
1692 ++ }
1693 +
1694 + return r;
1695 + }
1696 +diff --git a/mm/memory.c b/mm/memory.c
1697 +index 42db644f5ec4..5aee9ec8b8c6 100644
1698 +--- a/mm/memory.c
1699 ++++ b/mm/memory.c
1700 +@@ -361,15 +361,6 @@ void tlb_remove_table(struct mmu_gather *tlb, void *table)
1701 + {
1702 + struct mmu_table_batch **batch = &tlb->batch;
1703 +
1704 +- /*
1705 +- * When there's less then two users of this mm there cannot be a
1706 +- * concurrent page-table walk.
1707 +- */
1708 +- if (atomic_read(&tlb->mm->mm_users) < 2) {
1709 +- __tlb_remove_table(table);
1710 +- return;
1711 +- }
1712 +-
1713 + if (*batch == NULL) {
1714 + *batch = (struct mmu_table_batch *)__get_free_page(GFP_NOWAIT | __GFP_NOWARN);
1715 + if (*batch == NULL) {
1716 +diff --git a/net/9p/client.c b/net/9p/client.c
1717 +index 3ff26eb1ea20..ed8738c4dc09 100644
1718 +--- a/net/9p/client.c
1719 ++++ b/net/9p/client.c
1720 +@@ -931,7 +931,7 @@ static int p9_client_version(struct p9_client *c)
1721 + {
1722 + int err = 0;
1723 + struct p9_req_t *req;
1724 +- char *version;
1725 ++ char *version = NULL;
1726 + int msize;
1727 +
1728 + p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",
1729 +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
1730 +index bced8c074c12..2f68ffda3715 100644
1731 +--- a/net/9p/trans_fd.c
1732 ++++ b/net/9p/trans_fd.c
1733 +@@ -185,6 +185,8 @@ static void p9_mux_poll_stop(struct p9_conn *m)
1734 + spin_lock_irqsave(&p9_poll_lock, flags);
1735 + list_del_init(&m->poll_pending_link);
1736 + spin_unlock_irqrestore(&p9_poll_lock, flags);
1737 ++
1738 ++ flush_work(&p9_poll_work);
1739 + }
1740 +
1741 + /**
1742 +@@ -933,7 +935,7 @@ p9_fd_create_tcp(struct p9_client *client, const char *addr, char *args)
1743 + if (err < 0)
1744 + return err;
1745 +
1746 +- if (valid_ipaddr4(addr) < 0)
1747 ++ if (addr == NULL || valid_ipaddr4(addr) < 0)
1748 + return -EINVAL;
1749 +
1750 + csocket = NULL;
1751 +@@ -981,6 +983,9 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
1752 +
1753 + csocket = NULL;
1754 +
1755 ++ if (addr == NULL)
1756 ++ return -EINVAL;
1757 ++
1758 + if (strlen(addr) >= UNIX_PATH_MAX) {
1759 + pr_err("%s (%d): address too long: %s\n",
1760 + __func__, task_pid_nr(current), addr);
1761 +diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
1762 +index 52b4a2f993f2..f42550dd3560 100644
1763 +--- a/net/9p/trans_rdma.c
1764 ++++ b/net/9p/trans_rdma.c
1765 +@@ -644,6 +644,9 @@ rdma_create_trans(struct p9_client *client, const char *addr, char *args)
1766 + struct ib_qp_init_attr qp_attr;
1767 + struct ib_cq_init_attr cq_attr = {};
1768 +
1769 ++ if (addr == NULL)
1770 ++ return -EINVAL;
1771 ++
1772 + /* Parse the transport specific mount options */
1773 + err = parse_opts(args, &opts);
1774 + if (err < 0)
1775 +diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
1776 +index 2ddeecca5b12..6018a1c0dc28 100644
1777 +--- a/net/9p/trans_virtio.c
1778 ++++ b/net/9p/trans_virtio.c
1779 +@@ -192,7 +192,7 @@ static int pack_sg_list(struct scatterlist *sg, int start,
1780 + s = rest_of_page(data);
1781 + if (s > count)
1782 + s = count;
1783 +- BUG_ON(index > limit);
1784 ++ BUG_ON(index >= limit);
1785 + /* Make sure we don't terminate early. */
1786 + sg_unmark_end(&sg[index]);
1787 + sg_set_buf(&sg[index++], data, s);
1788 +@@ -237,6 +237,7 @@ pack_sg_list_p(struct scatterlist *sg, int start, int limit,
1789 + s = PAGE_SIZE - data_off;
1790 + if (s > count)
1791 + s = count;
1792 ++ BUG_ON(index >= limit);
1793 + /* Make sure we don't terminate early. */
1794 + sg_unmark_end(&sg[index]);
1795 + sg_set_page(&sg[index++], pdata[i++], s, data_off);
1796 +@@ -409,6 +410,7 @@ p9_virtio_zc_request(struct p9_client *client, struct p9_req_t *req,
1797 + p9_debug(P9_DEBUG_TRANS, "virtio request\n");
1798 +
1799 + if (uodata) {
1800 ++ __le32 sz;
1801 + int n = p9_get_mapped_pages(chan, &out_pages, uodata,
1802 + outlen, &offs, &need_drop);
1803 + if (n < 0)
1804 +@@ -419,6 +421,12 @@ p9_virtio_zc_request(struct p9_client *client, struct p9_req_t *req,
1805 + memcpy(&req->tc->sdata[req->tc->size - 4], &v, 4);
1806 + outlen = n;
1807 + }
1808 ++ /* The size field of the message must include the length of the
1809 ++ * header and the length of the data. We didn't actually know
1810 ++ * the length of the data until this point so add it in now.
1811 ++ */
1812 ++ sz = cpu_to_le32(req->tc->size + outlen);
1813 ++ memcpy(&req->tc->sdata[0], &sz, sizeof(sz));
1814 + } else if (uidata) {
1815 + int n = p9_get_mapped_pages(chan, &in_pages, uidata,
1816 + inlen, &offs, &need_drop);
1817 +@@ -646,6 +654,9 @@ p9_virtio_create(struct p9_client *client, const char *devname, char *args)
1818 + int ret = -ENOENT;
1819 + int found = 0;
1820 +
1821 ++ if (devname == NULL)
1822 ++ return -EINVAL;
1823 ++
1824 + mutex_lock(&virtio_9p_lock);
1825 + list_for_each_entry(chan, &virtio_chan_list, chan_list) {
1826 + if (!strncmp(devname, chan->tag, chan->tag_len) &&
1827 +diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c
1828 +index d4353faced35..a10db45b2e1e 100644
1829 +--- a/net/ieee802154/6lowpan/tx.c
1830 ++++ b/net/ieee802154/6lowpan/tx.c
1831 +@@ -265,9 +265,24 @@ netdev_tx_t lowpan_xmit(struct sk_buff *skb, struct net_device *ldev)
1832 + /* We must take a copy of the skb before we modify/replace the ipv6
1833 + * header as the header could be used elsewhere
1834 + */
1835 +- skb = skb_unshare(skb, GFP_ATOMIC);
1836 +- if (!skb)
1837 +- return NET_XMIT_DROP;
1838 ++ if (unlikely(skb_headroom(skb) < ldev->needed_headroom ||
1839 ++ skb_tailroom(skb) < ldev->needed_tailroom)) {
1840 ++ struct sk_buff *nskb;
1841 ++
1842 ++ nskb = skb_copy_expand(skb, ldev->needed_headroom,
1843 ++ ldev->needed_tailroom, GFP_ATOMIC);
1844 ++ if (likely(nskb)) {
1845 ++ consume_skb(skb);
1846 ++ skb = nskb;
1847 ++ } else {
1848 ++ kfree_skb(skb);
1849 ++ return NET_XMIT_DROP;
1850 ++ }
1851 ++ } else {
1852 ++ skb = skb_unshare(skb, GFP_ATOMIC);
1853 ++ if (!skb)
1854 ++ return NET_XMIT_DROP;
1855 ++ }
1856 +
1857 + ret = lowpan_header(skb, ldev, &dgram_size, &dgram_offset);
1858 + if (ret < 0) {
1859 +diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c
1860 +index 3827f359b336..9e1ff9d4cf2d 100644
1861 +--- a/net/mac802154/tx.c
1862 ++++ b/net/mac802154/tx.c
1863 +@@ -72,8 +72,21 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
1864 + int ret;
1865 +
1866 + if (!(local->hw.flags & IEEE802154_HW_TX_OMIT_CKSUM)) {
1867 +- u16 crc = crc_ccitt(0, skb->data, skb->len);
1868 ++ struct sk_buff *nskb;
1869 ++ u16 crc;
1870 ++
1871 ++ if (unlikely(skb_tailroom(skb) < IEEE802154_FCS_LEN)) {
1872 ++ nskb = skb_copy_expand(skb, 0, IEEE802154_FCS_LEN,
1873 ++ GFP_ATOMIC);
1874 ++ if (likely(nskb)) {
1875 ++ consume_skb(skb);
1876 ++ skb = nskb;
1877 ++ } else {
1878 ++ goto err_tx;
1879 ++ }
1880 ++ }
1881 +
1882 ++ crc = crc_ccitt(0, skb->data, skb->len);
1883 + put_unaligned_le16(crc, skb_put(skb, 2));
1884 + }
1885 +
1886 +diff --git a/tools/perf/util/auxtrace.c b/tools/perf/util/auxtrace.c
1887 +index 7f10430af39c..58426e7d320d 100644
1888 +--- a/tools/perf/util/auxtrace.c
1889 ++++ b/tools/perf/util/auxtrace.c
1890 +@@ -186,6 +186,9 @@ static int auxtrace_queues__grow(struct auxtrace_queues *queues,
1891 + for (i = 0; i < queues->nr_queues; i++) {
1892 + list_splice_tail(&queues->queue_array[i].head,
1893 + &queue_array[i].head);
1894 ++ queue_array[i].tid = queues->queue_array[i].tid;
1895 ++ queue_array[i].cpu = queues->queue_array[i].cpu;
1896 ++ queue_array[i].set = queues->queue_array[i].set;
1897 + queue_array[i].priv = queues->queue_array[i].priv;
1898 + }
1899 +
Report Message
Find on MARC Find on Google Groups