Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.1 commit in: /
Date: Tue, 29 May 2018 10:34:13
Message-Id: 1527590036.b9fd7bdba6609d0fa42485ee3cdee8f607a321ec.mpagano@gentoo
1 commit: b9fd7bdba6609d0fa42485ee3cdee8f607a321ec
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue May 29 10:33:56 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue May 29 10:33:56 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=b9fd7bdb
7
8 Linux patches 4.1.50, 4.1.51, 4.1.52
9
10 0000_README | 12 +
11 1049_linux-4.1.50.patch | 18012 ++++++++++++++++++++++++++++++++++++++++++++++
12 1050_linux-4.1.51.patch | 2698 +++++++
13 1051_linux-4.1.52.patch | 15535 +++++++++++++++++++++++++++++++++++++++
14 4 files changed, 36257 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 3abfafc..431a915 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -239,6 +239,18 @@ Patch: 1048_linux-4.1.49.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.1.49
23
24 +Patch: 1049_linux-4.1.50.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.1.50
27 +
28 +Patch: 1050_linux-4.1.51.patch
29 +From: http://www.kernel.org
30 +Desc: Linux 4.1.51
31 +
32 +Patch: 1051_linux-4.1.52.patch
33 +From: http://www.kernel.org
34 +Desc: Linux 4.1.52
35 +
36 Patch: 1500_XATTR_USER_PREFIX.patch
37 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
38 Desc: Support for namespace user.pax.* on tmpfs.
39
40 diff --git a/1049_linux-4.1.50.patch b/1049_linux-4.1.50.patch
41 new file mode 100644
42 index 0000000..95262b7
43 --- /dev/null
44 +++ b/1049_linux-4.1.50.patch
45 @@ -0,0 +1,18012 @@
46 +diff --git a/Documentation/devicetree/bindings/dma/snps-dma.txt b/Documentation/devicetree/bindings/dma/snps-dma.txt
47 +index c261598164a7..17d43ca27f41 100644
48 +--- a/Documentation/devicetree/bindings/dma/snps-dma.txt
49 ++++ b/Documentation/devicetree/bindings/dma/snps-dma.txt
50 +@@ -58,6 +58,6 @@ Example:
51 + interrupts = <0 35 0x4>;
52 + status = "disabled";
53 + dmas = <&dmahost 12 0 1>,
54 +- <&dmahost 13 0 1 0>;
55 ++ <&dmahost 13 1 0>;
56 + dma-names = "rx", "rx";
57 + };
58 +diff --git a/Documentation/filesystems/ext4.txt b/Documentation/filesystems/ext4.txt
59 +index 6c0108eb0137..2139ea253142 100644
60 +--- a/Documentation/filesystems/ext4.txt
61 ++++ b/Documentation/filesystems/ext4.txt
62 +@@ -233,7 +233,7 @@ data_err=ignore(*) Just print an error message if an error occurs
63 + data_err=abort Abort the journal if an error occurs in a file
64 + data buffer in ordered mode.
65 +
66 +-grpid Give objects the same group ID as their creator.
67 ++grpid New objects have the group ID of their parent.
68 + bsdgroups
69 +
70 + nogrpid (*) New objects have the group ID of their creator.
71 +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
72 +index 08dc303d0d47..19e9f2e77bdf 100644
73 +--- a/Documentation/kernel-parameters.txt
74 ++++ b/Documentation/kernel-parameters.txt
75 +@@ -2435,6 +2435,8 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
76 +
77 + nointroute [IA-64]
78 +
79 ++ noinvpcid [X86] Disable the INVPCID cpu feature.
80 ++
81 + nojitter [IA-64] Disables jitter checking for ITC timers.
82 +
83 + no-kvmclock [X86,KVM] Disable paravirtualized KVM clock driver
84 +@@ -2469,11 +2471,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
85 + nopat [X86] Disable PAT (page attribute table extension of
86 + pagetables) support.
87 +
88 ++ nopcid [X86-64] Disable the PCID cpu feature.
89 ++
90 + norandmaps Don't use address space randomization. Equivalent to
91 + echo 0 > /proc/sys/kernel/randomize_va_space
92 +
93 +- noreplace-paravirt [X86,IA-64,PV_OPS] Don't patch paravirt_ops
94 +-
95 + noreplace-smp [X86-32,SMP] Don't replace SMP instructions
96 + with UP alternatives
97 +
98 +diff --git a/Documentation/speculation.txt b/Documentation/speculation.txt
99 +new file mode 100644
100 +index 000000000000..e9e6cbae2841
101 +--- /dev/null
102 ++++ b/Documentation/speculation.txt
103 +@@ -0,0 +1,90 @@
104 ++This document explains potential effects of speculation, and how undesirable
105 ++effects can be mitigated portably using common APIs.
106 ++
107 ++===========
108 ++Speculation
109 ++===========
110 ++
111 ++To improve performance and minimize average latencies, many contemporary CPUs
112 ++employ speculative execution techniques such as branch prediction, performing
113 ++work which may be discarded at a later stage.
114 ++
115 ++Typically speculative execution cannot be observed from architectural state,
116 ++such as the contents of registers. However, in some cases it is possible to
117 ++observe its impact on microarchitectural state, such as the presence or
118 ++absence of data in caches. Such state may form side-channels which can be
119 ++observed to extract secret information.
120 ++
121 ++For example, in the presence of branch prediction, it is possible for bounds
122 ++checks to be ignored by code which is speculatively executed. Consider the
123 ++following code:
124 ++
125 ++ int load_array(int *array, unsigned int index)
126 ++ {
127 ++ if (index >= MAX_ARRAY_ELEMS)
128 ++ return 0;
129 ++ else
130 ++ return array[index];
131 ++ }
132 ++
133 ++Which, on arm64, may be compiled to an assembly sequence such as:
134 ++
135 ++ CMP <index>, #MAX_ARRAY_ELEMS
136 ++ B.LT less
137 ++ MOV <returnval>, #0
138 ++ RET
139 ++ less:
140 ++ LDR <returnval>, [<array>, <index>]
141 ++ RET
142 ++
143 ++It is possible that a CPU mis-predicts the conditional branch, and
144 ++speculatively loads array[index], even if index >= MAX_ARRAY_ELEMS. This
145 ++value will subsequently be discarded, but the speculated load may affect
146 ++microarchitectural state which can be subsequently measured.
147 ++
148 ++More complex sequences involving multiple dependent memory accesses may
149 ++result in sensitive information being leaked. Consider the following
150 ++code, building on the prior example:
151 ++
152 ++ int load_dependent_arrays(int *arr1, int *arr2, int index)
153 ++ {
154 ++ int val1, val2,
155 ++
156 ++ val1 = load_array(arr1, index);
157 ++ val2 = load_array(arr2, val1);
158 ++
159 ++ return val2;
160 ++ }
161 ++
162 ++Under speculation, the first call to load_array() may return the value
163 ++of an out-of-bounds address, while the second call will influence
164 ++microarchitectural state dependent on this value. This may provide an
165 ++arbitrary read primitive.
166 ++
167 ++====================================
168 ++Mitigating speculation side-channels
169 ++====================================
170 ++
171 ++The kernel provides a generic API to ensure that bounds checks are
172 ++respected even under speculation. Architectures which are affected by
173 ++speculation-based side-channels are expected to implement these
174 ++primitives.
175 ++
176 ++The array_index_nospec() helper in <linux/nospec.h> can be used to
177 ++prevent information from being leaked via side-channels.
178 ++
179 ++A call to array_index_nospec(index, size) returns a sanitized index
180 ++value that is bounded to [0, size) even under cpu speculation
181 ++conditions.
182 ++
183 ++This can be used to protect the earlier load_array() example:
184 ++
185 ++ int load_array(int *array, unsigned int index)
186 ++ {
187 ++ if (index >= MAX_ARRAY_ELEMS)
188 ++ return 0;
189 ++ else {
190 ++ index = array_index_nospec(index, MAX_ARRAY_ELEMS);
191 ++ return array[index];
192 ++ }
193 ++ }
194 +diff --git a/Makefile b/Makefile
195 +index a51938e99e37..a655f63aedeb 100644
196 +--- a/Makefile
197 ++++ b/Makefile
198 +@@ -1,6 +1,6 @@
199 + VERSION = 4
200 + PATCHLEVEL = 1
201 +-SUBLEVEL = 49
202 ++SUBLEVEL = 50
203 + EXTRAVERSION =
204 + NAME = Series 4800
205 +
206 +@@ -772,6 +772,9 @@ KBUILD_CFLAGS += $(call cc-disable-warning, pointer-sign)
207 + # disable invalid "can't wrap" optimizations for signed / pointers
208 + KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
209 +
210 ++# Make sure -fstack-check isn't enabled (like gentoo apparently did)
211 ++KBUILD_CFLAGS += $(call cc-option,-fno-stack-check,)
212 ++
213 + # conserve stack if available
214 + KBUILD_CFLAGS += $(call cc-option,-fconserve-stack)
215 +
216 +diff --git a/arch/alpha/include/asm/mmu_context.h b/arch/alpha/include/asm/mmu_context.h
217 +index 4c51c05333c6..4cafffa80e2c 100644
218 +--- a/arch/alpha/include/asm/mmu_context.h
219 ++++ b/arch/alpha/include/asm/mmu_context.h
220 +@@ -7,6 +7,7 @@
221 + * Copyright (C) 1996, Linus Torvalds
222 + */
223 +
224 ++#include <linux/sched.h>
225 + #include <asm/machvec.h>
226 + #include <asm/compiler.h>
227 + #include <asm-generic/mm_hooks.h>
228 +diff --git a/arch/alpha/kernel/pci_impl.h b/arch/alpha/kernel/pci_impl.h
229 +index 2b0ac429f5eb..412bb3c24f36 100644
230 +--- a/arch/alpha/kernel/pci_impl.h
231 ++++ b/arch/alpha/kernel/pci_impl.h
232 +@@ -143,7 +143,8 @@ struct pci_iommu_arena
233 + };
234 +
235 + #if defined(CONFIG_ALPHA_SRM) && \
236 +- (defined(CONFIG_ALPHA_CIA) || defined(CONFIG_ALPHA_LCA))
237 ++ (defined(CONFIG_ALPHA_CIA) || defined(CONFIG_ALPHA_LCA) || \
238 ++ defined(CONFIG_ALPHA_AVANTI))
239 + # define NEED_SRM_SAVE_RESTORE
240 + #else
241 + # undef NEED_SRM_SAVE_RESTORE
242 +diff --git a/arch/alpha/kernel/process.c b/arch/alpha/kernel/process.c
243 +index 84d13263ce46..8095fb2c5c94 100644
244 +--- a/arch/alpha/kernel/process.c
245 ++++ b/arch/alpha/kernel/process.c
246 +@@ -273,12 +273,13 @@ copy_thread(unsigned long clone_flags, unsigned long usp,
247 + application calling fork. */
248 + if (clone_flags & CLONE_SETTLS)
249 + childti->pcb.unique = regs->r20;
250 ++ else
251 ++ regs->r20 = 0; /* OSF/1 has some strange fork() semantics. */
252 + childti->pcb.usp = usp ?: rdusp();
253 + *childregs = *regs;
254 + childregs->r0 = 0;
255 + childregs->r19 = 0;
256 + childregs->r20 = 1; /* OSF/1 has some strange fork() semantics. */
257 +- regs->r20 = 0;
258 + stack = ((struct switch_stack *) regs) - 1;
259 + *childstack = *stack;
260 + childstack->r26 = (unsigned long) ret_from_fork;
261 +diff --git a/arch/arm/boot/dts/am335x-evmsk.dts b/arch/arm/boot/dts/am335x-evmsk.dts
262 +index 156d05efcb70..01288546bda1 100644
263 +--- a/arch/arm/boot/dts/am335x-evmsk.dts
264 ++++ b/arch/arm/boot/dts/am335x-evmsk.dts
265 +@@ -646,6 +646,7 @@
266 + ti,non-removable;
267 + bus-width = <4>;
268 + cap-power-off-card;
269 ++ keep-power-in-suspend;
270 + pinctrl-names = "default";
271 + pinctrl-0 = <&mmc2_pins>;
272 +
273 +diff --git a/arch/arm/boot/dts/am4372.dtsi b/arch/arm/boot/dts/am4372.dtsi
274 +index c80a3e233792..96222885ad27 100644
275 +--- a/arch/arm/boot/dts/am4372.dtsi
276 ++++ b/arch/arm/boot/dts/am4372.dtsi
277 +@@ -750,7 +750,8 @@
278 + reg = <0x48038000 0x2000>,
279 + <0x46000000 0x400000>;
280 + reg-names = "mpu", "dat";
281 +- interrupts = <80>, <81>;
282 ++ interrupts = <GIC_SPI 80 IRQ_TYPE_LEVEL_HIGH>,
283 ++ <GIC_SPI 81 IRQ_TYPE_LEVEL_HIGH>;
284 + interrupt-names = "tx", "rx";
285 + status = "disabled";
286 + dmas = <&edma 8>,
287 +@@ -764,7 +765,8 @@
288 + reg = <0x4803C000 0x2000>,
289 + <0x46400000 0x400000>;
290 + reg-names = "mpu", "dat";
291 +- interrupts = <82>, <83>;
292 ++ interrupts = <GIC_SPI 82 IRQ_TYPE_LEVEL_HIGH>,
293 ++ <GIC_SPI 83 IRQ_TYPE_LEVEL_HIGH>;
294 + interrupt-names = "tx", "rx";
295 + status = "disabled";
296 + dmas = <&edma 10>,
297 +diff --git a/arch/arm/boot/dts/dra7.dtsi b/arch/arm/boot/dts/dra7.dtsi
298 +index bc04b754fe36..a13618266234 100644
299 +--- a/arch/arm/boot/dts/dra7.dtsi
300 ++++ b/arch/arm/boot/dts/dra7.dtsi
301 +@@ -216,6 +216,7 @@
302 + device_type = "pci";
303 + ranges = <0x81000000 0 0 0x03000 0 0x00010000
304 + 0x82000000 0 0x20013000 0x13000 0 0xffed000>;
305 ++ bus-range = <0x00 0xff>;
306 + #interrupt-cells = <1>;
307 + num-lanes = <1>;
308 + ti,hwmods = "pcie1";
309 +@@ -251,6 +252,7 @@
310 + device_type = "pci";
311 + ranges = <0x81000000 0 0 0x03000 0 0x00010000
312 + 0x82000000 0 0x30013000 0x13000 0 0xffed000>;
313 ++ bus-range = <0x00 0xff>;
314 + #interrupt-cells = <1>;
315 + num-lanes = <1>;
316 + ti,hwmods = "pcie2";
317 +diff --git a/arch/arm/boot/dts/kirkwood-openblocks_a7.dts b/arch/arm/boot/dts/kirkwood-openblocks_a7.dts
318 +index d5e3bc518968..d57f48543f76 100644
319 +--- a/arch/arm/boot/dts/kirkwood-openblocks_a7.dts
320 ++++ b/arch/arm/boot/dts/kirkwood-openblocks_a7.dts
321 +@@ -53,7 +53,8 @@
322 + };
323 +
324 + pinctrl: pin-controller@10000 {
325 +- pinctrl-0 = <&pmx_dip_switches &pmx_gpio_header>;
326 ++ pinctrl-0 = <&pmx_dip_switches &pmx_gpio_header
327 ++ &pmx_gpio_header_gpo>;
328 + pinctrl-names = "default";
329 +
330 + pmx_uart0: pmx-uart0 {
331 +@@ -85,11 +86,16 @@
332 + * ground.
333 + */
334 + pmx_gpio_header: pmx-gpio-header {
335 +- marvell,pins = "mpp17", "mpp7", "mpp29", "mpp28",
336 ++ marvell,pins = "mpp17", "mpp29", "mpp28",
337 + "mpp35", "mpp34", "mpp40";
338 + marvell,function = "gpio";
339 + };
340 +
341 ++ pmx_gpio_header_gpo: pxm-gpio-header-gpo {
342 ++ marvell,pins = "mpp7";
343 ++ marvell,function = "gpo";
344 ++ };
345 ++
346 + pmx_gpio_init: pmx-init {
347 + marvell,pins = "mpp38";
348 + marvell,function = "gpio";
349 +diff --git a/arch/arm/boot/dts/omap4.dtsi b/arch/arm/boot/dts/omap4.dtsi
350 +index 84be9da74c7e..48c5a3b23d03 100644
351 +--- a/arch/arm/boot/dts/omap4.dtsi
352 ++++ b/arch/arm/boot/dts/omap4.dtsi
353 +@@ -841,14 +841,12 @@
354 + usbhsohci: ohci@4a064800 {
355 + compatible = "ti,ohci-omap3";
356 + reg = <0x4a064800 0x400>;
357 +- interrupt-parent = <&gic>;
358 + interrupts = <GIC_SPI 76 IRQ_TYPE_LEVEL_HIGH>;
359 + };
360 +
361 + usbhsehci: ehci@4a064c00 {
362 + compatible = "ti,ehci-omap";
363 + reg = <0x4a064c00 0x400>;
364 +- interrupt-parent = <&gic>;
365 + interrupts = <GIC_SPI 77 IRQ_TYPE_LEVEL_HIGH>;
366 + };
367 + };
368 +diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi
369 +index 8344a0ee2b86..b03fe747b98c 100644
370 +--- a/arch/arm/boot/dts/s5pv210.dtsi
371 ++++ b/arch/arm/boot/dts/s5pv210.dtsi
372 +@@ -461,6 +461,7 @@
373 + compatible = "samsung,exynos4210-ohci";
374 + reg = <0xec300000 0x100>;
375 + interrupts = <23>;
376 ++ interrupt-parent = <&vic1>;
377 + clocks = <&clocks CLK_USB_HOST>;
378 + clock-names = "usbhost";
379 + #address-cells = <1>;
380 +diff --git a/arch/arm/boot/dts/spear1310-evb.dts b/arch/arm/boot/dts/spear1310-evb.dts
381 +index d42c84b1df8d..9cff28d476be 100644
382 +--- a/arch/arm/boot/dts/spear1310-evb.dts
383 ++++ b/arch/arm/boot/dts/spear1310-evb.dts
384 +@@ -349,7 +349,7 @@
385 + spi0: spi@e0100000 {
386 + status = "okay";
387 + num-cs = <3>;
388 +- cs-gpios = <&gpio1 7 0>, <&spics 0>, <&spics 1>;
389 ++ cs-gpios = <&gpio1 7 0>, <&spics 0 0>, <&spics 1 0>;
390 +
391 + stmpe610@0 {
392 + compatible = "st,stmpe610";
393 +diff --git a/arch/arm/boot/dts/spear1340.dtsi b/arch/arm/boot/dts/spear1340.dtsi
394 +index 13e1aa33daa2..69bc407b4a5a 100644
395 +--- a/arch/arm/boot/dts/spear1340.dtsi
396 ++++ b/arch/arm/boot/dts/spear1340.dtsi
397 +@@ -141,8 +141,8 @@
398 + reg = <0xb4100000 0x1000>;
399 + interrupts = <0 105 0x4>;
400 + status = "disabled";
401 +- dmas = <&dwdma0 0x600 0 0 1>, /* 0xC << 11 */
402 +- <&dwdma0 0x680 0 1 0>; /* 0xD << 7 */
403 ++ dmas = <&dwdma0 12 0 1>,
404 ++ <&dwdma0 13 1 0>;
405 + dma-names = "tx", "rx";
406 + };
407 +
408 +diff --git a/arch/arm/boot/dts/spear13xx.dtsi b/arch/arm/boot/dts/spear13xx.dtsi
409 +index 40accc87e3a2..4e5a2770eac8 100644
410 +--- a/arch/arm/boot/dts/spear13xx.dtsi
411 ++++ b/arch/arm/boot/dts/spear13xx.dtsi
412 +@@ -100,7 +100,7 @@
413 + reg = <0xb2800000 0x1000>;
414 + interrupts = <0 29 0x4>;
415 + status = "disabled";
416 +- dmas = <&dwdma0 0 0 0 0>;
417 ++ dmas = <&dwdma0 0 0 0>;
418 + dma-names = "data";
419 + };
420 +
421 +@@ -288,8 +288,8 @@
422 + #size-cells = <0>;
423 + interrupts = <0 31 0x4>;
424 + status = "disabled";
425 +- dmas = <&dwdma0 0x2000 0 0 0>, /* 0x4 << 11 */
426 +- <&dwdma0 0x0280 0 0 0>; /* 0x5 << 7 */
427 ++ dmas = <&dwdma0 4 0 0>,
428 ++ <&dwdma0 5 0 0>;
429 + dma-names = "tx", "rx";
430 + };
431 +
432 +diff --git a/arch/arm/boot/dts/spear600.dtsi b/arch/arm/boot/dts/spear600.dtsi
433 +index 9f60a7b6a42b..bd379034993c 100644
434 +--- a/arch/arm/boot/dts/spear600.dtsi
435 ++++ b/arch/arm/boot/dts/spear600.dtsi
436 +@@ -194,6 +194,7 @@
437 + rtc@fc900000 {
438 + compatible = "st,spear600-rtc";
439 + reg = <0xfc900000 0x1000>;
440 ++ interrupt-parent = <&vic0>;
441 + interrupts = <10>;
442 + status = "disabled";
443 + };
444 +diff --git a/arch/arm/include/asm/kvm_arm.h b/arch/arm/include/asm/kvm_arm.h
445 +index aacd6668d1a0..d43122f0993d 100644
446 +--- a/arch/arm/include/asm/kvm_arm.h
447 ++++ b/arch/arm/include/asm/kvm_arm.h
448 +@@ -161,8 +161,7 @@
449 + #else
450 + #define VTTBR_X (5 - KVM_T0SZ)
451 + #endif
452 +-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
453 +-#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
454 ++#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_X)
455 + #define VTTBR_VMID_SHIFT (48LLU)
456 + #define VTTBR_VMID_MASK (0xffLLU << VTTBR_VMID_SHIFT)
457 +
458 +diff --git a/arch/arm/include/asm/mmu_context.h b/arch/arm/include/asm/mmu_context.h
459 +index 9b32f76bb0dd..10f662498eb7 100644
460 +--- a/arch/arm/include/asm/mmu_context.h
461 ++++ b/arch/arm/include/asm/mmu_context.h
462 +@@ -61,6 +61,7 @@ static inline void check_and_switch_context(struct mm_struct *mm,
463 + cpu_switch_mm(mm->pgd, mm);
464 + }
465 +
466 ++#ifndef MODULE
467 + #define finish_arch_post_lock_switch \
468 + finish_arch_post_lock_switch
469 + static inline void finish_arch_post_lock_switch(void)
470 +@@ -82,6 +83,7 @@ static inline void finish_arch_post_lock_switch(void)
471 + preempt_enable_no_resched();
472 + }
473 + }
474 ++#endif /* !MODULE */
475 +
476 + #endif /* CONFIG_MMU */
477 +
478 +diff --git a/arch/arm/kvm/handle_exit.c b/arch/arm/kvm/handle_exit.c
479 +index f36b5b1acd1f..05b2f8294968 100644
480 +--- a/arch/arm/kvm/handle_exit.c
481 ++++ b/arch/arm/kvm/handle_exit.c
482 +@@ -45,7 +45,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run)
483 +
484 + ret = kvm_psci_call(vcpu);
485 + if (ret < 0) {
486 +- kvm_inject_undefined(vcpu);
487 ++ vcpu_set_reg(vcpu, 0, ~0UL);
488 + return 1;
489 + }
490 +
491 +@@ -54,7 +54,16 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run)
492 +
493 + static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run)
494 + {
495 +- kvm_inject_undefined(vcpu);
496 ++ /*
497 ++ * "If an SMC instruction executed at Non-secure EL1 is
498 ++ * trapped to EL2 because HCR_EL2.TSC is 1, the exception is a
499 ++ * Trap exception, not a Secure Monitor Call exception [...]"
500 ++ *
501 ++ * We need to advance the PC after the trap, as it would
502 ++ * otherwise return to the same address...
503 ++ */
504 ++ vcpu_set_reg(vcpu, 0, ~0UL);
505 ++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
506 + return 1;
507 + }
508 +
509 +diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c
510 +index 974b1c606d04..04e5004b34e1 100644
511 +--- a/arch/arm/kvm/mmio.c
512 ++++ b/arch/arm/kvm/mmio.c
513 +@@ -113,7 +113,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
514 + }
515 +
516 + trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
517 +- data);
518 ++ &data);
519 + data = vcpu_data_host_to_guest(vcpu, data, len);
520 + *vcpu_reg(vcpu, vcpu->arch.mmio_decode.rt) = data;
521 + }
522 +@@ -188,14 +188,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
523 + if (is_write) {
524 + data = vcpu_data_guest_to_host(vcpu, *vcpu_reg(vcpu, rt), len);
525 +
526 +- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
527 ++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
528 + mmio_write_buf(data_buf, len, data);
529 +
530 + ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
531 + data_buf);
532 + } else {
533 + trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
534 +- fault_ipa, 0);
535 ++ fault_ipa, NULL);
536 +
537 + ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
538 + data_buf);
539 +diff --git a/arch/arm/mach-omap2/omap-secure.c b/arch/arm/mach-omap2/omap-secure.c
540 +index 5ac122e88f67..9ff92050053c 100644
541 +--- a/arch/arm/mach-omap2/omap-secure.c
542 ++++ b/arch/arm/mach-omap2/omap-secure.c
543 +@@ -73,6 +73,25 @@ phys_addr_t omap_secure_ram_mempool_base(void)
544 + return omap_secure_memblock_base;
545 + }
546 +
547 ++u32 omap3_save_secure_ram(void __iomem *addr, int size)
548 ++{
549 ++ u32 ret;
550 ++ u32 param[5];
551 ++
552 ++ if (size != OMAP3_SAVE_SECURE_RAM_SZ)
553 ++ return OMAP3_SAVE_SECURE_RAM_SZ;
554 ++
555 ++ param[0] = 4; /* Number of arguments */
556 ++ param[1] = __pa(addr); /* Physical address for saving */
557 ++ param[2] = 0;
558 ++ param[3] = 1;
559 ++ param[4] = 1;
560 ++
561 ++ ret = save_secure_ram_context(__pa(param));
562 ++
563 ++ return ret;
564 ++}
565 ++
566 + /**
567 + * rx51_secure_dispatcher: Routine to dispatch secure PPA API calls
568 + * @idx: The PPA API index
569 +diff --git a/arch/arm/mach-omap2/omap-secure.h b/arch/arm/mach-omap2/omap-secure.h
570 +index af2851fbcdf0..ab6ce2597a88 100644
571 +--- a/arch/arm/mach-omap2/omap-secure.h
572 ++++ b/arch/arm/mach-omap2/omap-secure.h
573 +@@ -31,6 +31,8 @@
574 + /* Maximum Secure memory storage size */
575 + #define OMAP_SECURE_RAM_STORAGE (88 * SZ_1K)
576 +
577 ++#define OMAP3_SAVE_SECURE_RAM_SZ 0x803F
578 ++
579 + /* Secure low power HAL API index */
580 + #define OMAP4_HAL_SAVESECURERAM_INDEX 0x1a
581 + #define OMAP4_HAL_SAVEHW_INDEX 0x1b
582 +@@ -64,6 +66,8 @@ extern u32 omap_smc2(u32 id, u32 falg, u32 pargs);
583 + extern u32 omap_smc3(u32 id, u32 process, u32 flag, u32 pargs);
584 + extern phys_addr_t omap_secure_ram_mempool_base(void);
585 + extern int omap_secure_ram_reserve_memblock(void);
586 ++extern u32 save_secure_ram_context(u32 args_pa);
587 ++extern u32 omap3_save_secure_ram(void __iomem *save_regs, int size);
588 +
589 + extern u32 rx51_secure_dispatcher(u32 idx, u32 process, u32 flag, u32 nargs,
590 + u32 arg1, u32 arg2, u32 arg3, u32 arg4);
591 +diff --git a/arch/arm/mach-omap2/pm.h b/arch/arm/mach-omap2/pm.h
592 +index 425bfcd67db6..326218953737 100644
593 +--- a/arch/arm/mach-omap2/pm.h
594 ++++ b/arch/arm/mach-omap2/pm.h
595 +@@ -81,10 +81,6 @@ extern unsigned int omap3_do_wfi_sz;
596 + /* ... and its pointer from SRAM after copy */
597 + extern void (*omap3_do_wfi_sram)(void);
598 +
599 +-/* save_secure_ram_context function pointer and size, for copy to SRAM */
600 +-extern int save_secure_ram_context(u32 *addr);
601 +-extern unsigned int save_secure_ram_context_sz;
602 +-
603 + extern void omap3_save_scratchpad_contents(void);
604 +
605 + #define PM_RTA_ERRATUM_i608 (1 << 0)
606 +diff --git a/arch/arm/mach-omap2/pm34xx.c b/arch/arm/mach-omap2/pm34xx.c
607 +index 87b98bf92366..0b8ab6c00071 100644
608 +--- a/arch/arm/mach-omap2/pm34xx.c
609 ++++ b/arch/arm/mach-omap2/pm34xx.c
610 +@@ -48,6 +48,7 @@
611 + #include "prm3xxx.h"
612 + #include "pm.h"
613 + #include "sdrc.h"
614 ++#include "omap-secure.h"
615 + #include "sram.h"
616 + #include "control.h"
617 + #include "vc.h"
618 +@@ -66,7 +67,6 @@ struct power_state {
619 +
620 + static LIST_HEAD(pwrst_list);
621 +
622 +-static int (*_omap_save_secure_sram)(u32 *addr);
623 + void (*omap3_do_wfi_sram)(void);
624 +
625 + static struct powerdomain *mpu_pwrdm, *neon_pwrdm;
626 +@@ -121,8 +121,8 @@ static void omap3_save_secure_ram_context(void)
627 + * will hang the system.
628 + */
629 + pwrdm_set_next_pwrst(mpu_pwrdm, PWRDM_POWER_ON);
630 +- ret = _omap_save_secure_sram((u32 *)(unsigned long)
631 +- __pa(omap3_secure_ram_storage));
632 ++ ret = omap3_save_secure_ram(omap3_secure_ram_storage,
633 ++ OMAP3_SAVE_SECURE_RAM_SZ);
634 + pwrdm_set_next_pwrst(mpu_pwrdm, mpu_next_state);
635 + /* Following is for error tracking, it should not happen */
636 + if (ret) {
637 +@@ -431,15 +431,10 @@ static int __init pwrdms_setup(struct powerdomain *pwrdm, void *unused)
638 + *
639 + * The minimum set of functions is pushed to SRAM for execution:
640 + * - omap3_do_wfi for erratum i581 WA,
641 +- * - save_secure_ram_context for security extensions.
642 + */
643 + void omap_push_sram_idle(void)
644 + {
645 + omap3_do_wfi_sram = omap_sram_push(omap3_do_wfi, omap3_do_wfi_sz);
646 +-
647 +- if (omap_type() != OMAP2_DEVICE_TYPE_GP)
648 +- _omap_save_secure_sram = omap_sram_push(save_secure_ram_context,
649 +- save_secure_ram_context_sz);
650 + }
651 +
652 + static void __init pm_errata_configure(void)
653 +@@ -551,7 +546,7 @@ int __init omap3_pm_init(void)
654 + clkdm_add_wkdep(neon_clkdm, mpu_clkdm);
655 + if (omap_type() != OMAP2_DEVICE_TYPE_GP) {
656 + omap3_secure_ram_storage =
657 +- kmalloc(0x803F, GFP_KERNEL);
658 ++ kmalloc(OMAP3_SAVE_SECURE_RAM_SZ, GFP_KERNEL);
659 + if (!omap3_secure_ram_storage)
660 + pr_err("Memory allocation failed when allocating for secure sram context\n");
661 +
662 +diff --git a/arch/arm/mach-omap2/prm33xx.c b/arch/arm/mach-omap2/prm33xx.c
663 +index dcb5001d77da..973bcd754e1c 100644
664 +--- a/arch/arm/mach-omap2/prm33xx.c
665 ++++ b/arch/arm/mach-omap2/prm33xx.c
666 +@@ -176,17 +176,6 @@ static int am33xx_pwrdm_read_pwrst(struct powerdomain *pwrdm)
667 + return v;
668 + }
669 +
670 +-static int am33xx_pwrdm_read_prev_pwrst(struct powerdomain *pwrdm)
671 +-{
672 +- u32 v;
673 +-
674 +- v = am33xx_prm_read_reg(pwrdm->prcm_offs, pwrdm->pwrstst_offs);
675 +- v &= AM33XX_LASTPOWERSTATEENTERED_MASK;
676 +- v >>= AM33XX_LASTPOWERSTATEENTERED_SHIFT;
677 +-
678 +- return v;
679 +-}
680 +-
681 + static int am33xx_pwrdm_set_lowpwrstchange(struct powerdomain *pwrdm)
682 + {
683 + am33xx_prm_rmw_reg_bits(AM33XX_LOWPOWERSTATECHANGE_MASK,
684 +@@ -357,7 +346,6 @@ struct pwrdm_ops am33xx_pwrdm_operations = {
685 + .pwrdm_set_next_pwrst = am33xx_pwrdm_set_next_pwrst,
686 + .pwrdm_read_next_pwrst = am33xx_pwrdm_read_next_pwrst,
687 + .pwrdm_read_pwrst = am33xx_pwrdm_read_pwrst,
688 +- .pwrdm_read_prev_pwrst = am33xx_pwrdm_read_prev_pwrst,
689 + .pwrdm_set_logic_retst = am33xx_pwrdm_set_logic_retst,
690 + .pwrdm_read_logic_pwrst = am33xx_pwrdm_read_logic_pwrst,
691 + .pwrdm_read_logic_retst = am33xx_pwrdm_read_logic_retst,
692 +diff --git a/arch/arm/mach-omap2/sleep34xx.S b/arch/arm/mach-omap2/sleep34xx.S
693 +index 1b9f0520dea9..3e0d802c59da 100644
694 +--- a/arch/arm/mach-omap2/sleep34xx.S
695 ++++ b/arch/arm/mach-omap2/sleep34xx.S
696 +@@ -93,20 +93,13 @@ ENTRY(enable_omap3630_toggle_l2_on_restore)
697 + ENDPROC(enable_omap3630_toggle_l2_on_restore)
698 +
699 + /*
700 +- * Function to call rom code to save secure ram context. This gets
701 +- * relocated to SRAM, so it can be all in .data section. Otherwise
702 +- * we need to initialize api_params separately.
703 ++ * Function to call rom code to save secure ram context.
704 ++ *
705 ++ * r0 = physical address of the parameters
706 + */
707 +- .data
708 +- .align 3
709 + ENTRY(save_secure_ram_context)
710 + stmfd sp!, {r4 - r11, lr} @ save registers on stack
711 +- adr r3, api_params @ r3 points to parameters
712 +- str r0, [r3,#0x4] @ r0 has sdram address
713 +- ldr r12, high_mask
714 +- and r3, r3, r12
715 +- ldr r12, sram_phy_addr_mask
716 +- orr r3, r3, r12
717 ++ mov r3, r0 @ physical address of parameters
718 + mov r0, #25 @ set service ID for PPA
719 + mov r12, r0 @ copy secure service ID in r12
720 + mov r1, #0 @ set task id for ROM code in r1
721 +@@ -120,18 +113,7 @@ ENTRY(save_secure_ram_context)
722 + nop
723 + nop
724 + ldmfd sp!, {r4 - r11, pc}
725 +- .align
726 +-sram_phy_addr_mask:
727 +- .word SRAM_BASE_P
728 +-high_mask:
729 +- .word 0xffff
730 +-api_params:
731 +- .word 0x4, 0x0, 0x0, 0x1, 0x1
732 + ENDPROC(save_secure_ram_context)
733 +-ENTRY(save_secure_ram_context_sz)
734 +- .word . - save_secure_ram_context
735 +-
736 +- .text
737 +
738 + /*
739 + * ======================
740 +diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
741 +index 64d7486262e5..e37c04facc1d 100644
742 +--- a/arch/arm/mm/dma-mapping.c
743 ++++ b/arch/arm/mm/dma-mapping.c
744 +@@ -764,13 +764,31 @@ static void arm_coherent_dma_free(struct device *dev, size_t size, void *cpu_add
745 + __arm_dma_free(dev, size, cpu_addr, handle, attrs, true);
746 + }
747 +
748 ++/*
749 ++ * The whole dma_get_sgtable() idea is fundamentally unsafe - it seems
750 ++ * that the intention is to allow exporting memory allocated via the
751 ++ * coherent DMA APIs through the dma_buf API, which only accepts a
752 ++ * scattertable. This presents a couple of problems:
753 ++ * 1. Not all memory allocated via the coherent DMA APIs is backed by
754 ++ * a struct page
755 ++ * 2. Passing coherent DMA memory into the streaming APIs is not allowed
756 ++ * as we will try to flush the memory through a different alias to that
757 ++ * actually being used (and the flushes are redundant.)
758 ++ */
759 + int arm_dma_get_sgtable(struct device *dev, struct sg_table *sgt,
760 + void *cpu_addr, dma_addr_t handle, size_t size,
761 + struct dma_attrs *attrs)
762 + {
763 +- struct page *page = pfn_to_page(dma_to_pfn(dev, handle));
764 ++ unsigned long pfn = dma_to_pfn(dev, handle);
765 ++ struct page *page;
766 + int ret;
767 +
768 ++ /* If the PFN is not valid, we do not have a struct page */
769 ++ if (!pfn_valid(pfn))
770 ++ return -ENXIO;
771 ++
772 ++ page = pfn_to_page(pfn);
773 ++
774 + ret = sg_alloc_table(sgt, 1, GFP_KERNEL);
775 + if (unlikely(ret))
776 + return ret;
777 +diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c
778 +index a4ec240ee7ba..3eb018fa1a1f 100644
779 +--- a/arch/arm/probes/kprobes/core.c
780 ++++ b/arch/arm/probes/kprobes/core.c
781 +@@ -433,6 +433,7 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
782 + struct hlist_node *tmp;
783 + unsigned long flags, orig_ret_address = 0;
784 + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
785 ++ kprobe_opcode_t *correct_ret_addr = NULL;
786 +
787 + INIT_HLIST_HEAD(&empty_rp);
788 + kretprobe_hash_lock(current, &head, &flags);
789 +@@ -455,14 +456,34 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
790 + /* another task is sharing our hash bucket */
791 + continue;
792 +
793 ++ orig_ret_address = (unsigned long)ri->ret_addr;
794 ++
795 ++ if (orig_ret_address != trampoline_address)
796 ++ /*
797 ++ * This is the real return address. Any other
798 ++ * instances associated with this task are for
799 ++ * other calls deeper on the call stack
800 ++ */
801 ++ break;
802 ++ }
803 ++
804 ++ kretprobe_assert(ri, orig_ret_address, trampoline_address);
805 ++
806 ++ correct_ret_addr = ri->ret_addr;
807 ++ hlist_for_each_entry_safe(ri, tmp, head, hlist) {
808 ++ if (ri->task != current)
809 ++ /* another task is sharing our hash bucket */
810 ++ continue;
811 ++
812 ++ orig_ret_address = (unsigned long)ri->ret_addr;
813 + if (ri->rp && ri->rp->handler) {
814 + __this_cpu_write(current_kprobe, &ri->rp->kp);
815 + get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
816 ++ ri->ret_addr = correct_ret_addr;
817 + ri->rp->handler(ri, regs);
818 + __this_cpu_write(current_kprobe, NULL);
819 + }
820 +
821 +- orig_ret_address = (unsigned long)ri->ret_addr;
822 + recycle_rp_inst(ri, &empty_rp);
823 +
824 + if (orig_ret_address != trampoline_address)
825 +@@ -474,7 +495,6 @@ static __used __kprobes void *trampoline_handler(struct pt_regs *regs)
826 + break;
827 + }
828 +
829 +- kretprobe_assert(ri, orig_ret_address, trampoline_address);
830 + kretprobe_hash_unlock(current, &flags);
831 +
832 + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
833 +diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c
834 +index 9775de22e2ff..a48354de1aa1 100644
835 +--- a/arch/arm/probes/kprobes/test-core.c
836 ++++ b/arch/arm/probes/kprobes/test-core.c
837 +@@ -976,7 +976,10 @@ static void coverage_end(void)
838 + void __naked __kprobes_test_case_start(void)
839 + {
840 + __asm__ __volatile__ (
841 +- "stmdb sp!, {r4-r11} \n\t"
842 ++ "mov r2, sp \n\t"
843 ++ "bic r3, r2, #7 \n\t"
844 ++ "mov sp, r3 \n\t"
845 ++ "stmdb sp!, {r2-r11} \n\t"
846 + "sub sp, sp, #"__stringify(TEST_MEMORY_SIZE)"\n\t"
847 + "bic r0, lr, #1 @ r0 = inline data \n\t"
848 + "mov r1, sp \n\t"
849 +@@ -996,7 +999,8 @@ void __naked __kprobes_test_case_end_32(void)
850 + "movne pc, r0 \n\t"
851 + "mov r0, r4 \n\t"
852 + "add sp, sp, #"__stringify(TEST_MEMORY_SIZE)"\n\t"
853 +- "ldmia sp!, {r4-r11} \n\t"
854 ++ "ldmia sp!, {r2-r11} \n\t"
855 ++ "mov sp, r2 \n\t"
856 + "mov pc, r0 \n\t"
857 + );
858 + }
859 +@@ -1012,7 +1016,8 @@ void __naked __kprobes_test_case_end_16(void)
860 + "bxne r0 \n\t"
861 + "mov r0, r4 \n\t"
862 + "add sp, sp, #"__stringify(TEST_MEMORY_SIZE)"\n\t"
863 +- "ldmia sp!, {r4-r11} \n\t"
864 ++ "ldmia sp!, {r2-r11} \n\t"
865 ++ "mov sp, r2 \n\t"
866 + "bx r0 \n\t"
867 + );
868 + }
869 +diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
870 +index 8bbd57efae78..9322be69ca09 100644
871 +--- a/arch/arm64/kernel/traps.c
872 ++++ b/arch/arm64/kernel/traps.c
873 +@@ -46,7 +46,7 @@ static const char *handler[]= {
874 + "Error"
875 + };
876 +
877 +-int show_unhandled_signals = 1;
878 ++int show_unhandled_signals = 0;
879 +
880 + /*
881 + * Dump out the contents of some memory nicely...
882 +diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c
883 +index 524fa25671fc..2d357aed5e66 100644
884 +--- a/arch/arm64/kvm/handle_exit.c
885 ++++ b/arch/arm64/kvm/handle_exit.c
886 +@@ -42,7 +42,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run)
887 +
888 + ret = kvm_psci_call(vcpu);
889 + if (ret < 0) {
890 +- kvm_inject_undefined(vcpu);
891 ++ vcpu_set_reg(vcpu, 0, ~0UL);
892 + return 1;
893 + }
894 +
895 +@@ -51,7 +51,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run)
896 +
897 + static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run)
898 + {
899 +- kvm_inject_undefined(vcpu);
900 ++ vcpu_set_reg(vcpu, 0, ~0UL);
901 + return 1;
902 + }
903 +
904 +diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c
905 +index ae8f940152aa..b8ed781807ef 100644
906 +--- a/arch/arm64/mm/init.c
907 ++++ b/arch/arm64/mm/init.c
908 +@@ -177,6 +177,7 @@ void __init arm64_memblock_init(void)
909 + arm64_dma_phys_limit = max_zone_dma_phys();
910 + else
911 + arm64_dma_phys_limit = PHYS_MASK + 1;
912 ++ high_memory = __va(memblock_end_of_DRAM() - 1) + 1;
913 + dma_contiguous_reserve(arm64_dma_phys_limit);
914 +
915 + memblock_allow_resize();
916 +@@ -201,7 +202,6 @@ void __init bootmem_init(void)
917 + sparse_init();
918 + zone_sizes_init(min, max);
919 +
920 +- high_memory = __va((max << PAGE_SHIFT) - 1) + 1;
921 + max_pfn = max_low_pfn = max;
922 + }
923 +
924 +diff --git a/arch/mips/ar7/platform.c b/arch/mips/ar7/platform.c
925 +index 5afbb7b41160..d60986fdc288 100644
926 +--- a/arch/mips/ar7/platform.c
927 ++++ b/arch/mips/ar7/platform.c
928 +@@ -577,7 +577,7 @@ static int __init ar7_register_uarts(void)
929 + uart_port.type = PORT_AR7;
930 + uart_port.uartclk = clk_get_rate(bus_clk) / 2;
931 + uart_port.iotype = UPIO_MEM32;
932 +- uart_port.flags = UPF_FIXED_TYPE;
933 ++ uart_port.flags = UPF_FIXED_TYPE | UPF_BOOT_AUTOCONF;
934 + uart_port.regshift = 2;
935 +
936 + uart_port.line = 0;
937 +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
938 +index ded8b8ba34fd..18cb5eb10e55 100644
939 +--- a/arch/mips/kernel/process.c
940 ++++ b/arch/mips/kernel/process.c
941 +@@ -631,6 +631,18 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value)
942 + unsigned long switch_count;
943 + struct task_struct *t;
944 +
945 ++ /* If nothing to change, return right away, successfully. */
946 ++ if (value == mips_get_process_fp_mode(task))
947 ++ return 0;
948 ++
949 ++ /* Only accept a mode change if 64-bit FP enabled for o32. */
950 ++ if (!IS_ENABLED(CONFIG_MIPS_O32_FP64_SUPPORT))
951 ++ return -EOPNOTSUPP;
952 ++
953 ++ /* And only for o32 tasks. */
954 ++ if (IS_ENABLED(CONFIG_64BIT) && !test_thread_flag(TIF_32BIT_REGS))
955 ++ return -EOPNOTSUPP;
956 ++
957 + /* Check the value is valid */
958 + if (value & ~known_bits)
959 + return -EOPNOTSUPP;
960 +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
961 +index 2bea5db01b0b..938d7576f455 100644
962 +--- a/arch/mips/kernel/ptrace.c
963 ++++ b/arch/mips/kernel/ptrace.c
964 +@@ -438,63 +438,160 @@ static int gpr64_set(struct task_struct *target,
965 +
966 + #endif /* CONFIG_64BIT */
967 +
968 ++/*
969 ++ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
970 ++ * !CONFIG_CPU_HAS_MSA variant. FP context's general register slots
971 ++ * correspond 1:1 to buffer slots. Only general registers are copied.
972 ++ */
973 ++static int fpr_get_fpa(struct task_struct *target,
974 ++ unsigned int *pos, unsigned int *count,
975 ++ void **kbuf, void __user **ubuf)
976 ++{
977 ++ return user_regset_copyout(pos, count, kbuf, ubuf,
978 ++ &target->thread.fpu,
979 ++ 0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
980 ++}
981 ++
982 ++/*
983 ++ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
984 ++ * CONFIG_CPU_HAS_MSA variant. Only lower 64 bits of FP context's
985 ++ * general register slots are copied to buffer slots. Only general
986 ++ * registers are copied.
987 ++ */
988 ++static int fpr_get_msa(struct task_struct *target,
989 ++ unsigned int *pos, unsigned int *count,
990 ++ void **kbuf, void __user **ubuf)
991 ++{
992 ++ unsigned int i;
993 ++ u64 fpr_val;
994 ++ int err;
995 ++
996 ++ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
997 ++ for (i = 0; i < NUM_FPU_REGS; i++) {
998 ++ fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
999 ++ err = user_regset_copyout(pos, count, kbuf, ubuf,
1000 ++ &fpr_val, i * sizeof(elf_fpreg_t),
1001 ++ (i + 1) * sizeof(elf_fpreg_t));
1002 ++ if (err)
1003 ++ return err;
1004 ++ }
1005 ++
1006 ++ return 0;
1007 ++}
1008 ++
1009 ++/*
1010 ++ * Copy the floating-point context to the supplied NT_PRFPREG buffer.
1011 ++ * Choose the appropriate helper for general registers, and then copy
1012 ++ * the FCSR register separately.
1013 ++ */
1014 + static int fpr_get(struct task_struct *target,
1015 + const struct user_regset *regset,
1016 + unsigned int pos, unsigned int count,
1017 + void *kbuf, void __user *ubuf)
1018 + {
1019 +- unsigned i;
1020 ++ const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
1021 + int err;
1022 +- u64 fpr_val;
1023 +
1024 +- /* XXX fcr31 */
1025 ++ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
1026 ++ err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf);
1027 ++ else
1028 ++ err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf);
1029 ++ if (err)
1030 ++ return err;
1031 +
1032 +- if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
1033 +- return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
1034 +- &target->thread.fpu,
1035 +- 0, sizeof(elf_fpregset_t));
1036 ++ err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
1037 ++ &target->thread.fpu.fcr31,
1038 ++ fcr31_pos, fcr31_pos + sizeof(u32));
1039 +
1040 +- for (i = 0; i < NUM_FPU_REGS; i++) {
1041 +- fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
1042 +- err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
1043 +- &fpr_val, i * sizeof(elf_fpreg_t),
1044 +- (i + 1) * sizeof(elf_fpreg_t));
1045 ++ return err;
1046 ++}
1047 ++
1048 ++/*
1049 ++ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
1050 ++ * !CONFIG_CPU_HAS_MSA variant. Buffer slots correspond 1:1 to FP
1051 ++ * context's general register slots. Only general registers are copied.
1052 ++ */
1053 ++static int fpr_set_fpa(struct task_struct *target,
1054 ++ unsigned int *pos, unsigned int *count,
1055 ++ const void **kbuf, const void __user **ubuf)
1056 ++{
1057 ++ return user_regset_copyin(pos, count, kbuf, ubuf,
1058 ++ &target->thread.fpu,
1059 ++ 0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
1060 ++}
1061 ++
1062 ++/*
1063 ++ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
1064 ++ * CONFIG_CPU_HAS_MSA variant. Buffer slots are copied to lower 64
1065 ++ * bits only of FP context's general register slots. Only general
1066 ++ * registers are copied.
1067 ++ */
1068 ++static int fpr_set_msa(struct task_struct *target,
1069 ++ unsigned int *pos, unsigned int *count,
1070 ++ const void **kbuf, const void __user **ubuf)
1071 ++{
1072 ++ unsigned int i;
1073 ++ u64 fpr_val;
1074 ++ int err;
1075 ++
1076 ++ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
1077 ++ for (i = 0; i < NUM_FPU_REGS && *count > 0; i++) {
1078 ++ err = user_regset_copyin(pos, count, kbuf, ubuf,
1079 ++ &fpr_val, i * sizeof(elf_fpreg_t),
1080 ++ (i + 1) * sizeof(elf_fpreg_t));
1081 + if (err)
1082 + return err;
1083 ++ set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val);
1084 + }
1085 +
1086 + return 0;
1087 + }
1088 +
1089 ++/*
1090 ++ * Copy the supplied NT_PRFPREG buffer to the floating-point context.
1091 ++ * Choose the appropriate helper for general registers, and then copy
1092 ++ * the FCSR register separately.
1093 ++ *
1094 ++ * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
1095 ++ * which is supposed to have been guaranteed by the kernel before
1096 ++ * calling us, e.g. in `ptrace_regset'. We enforce that requirement,
1097 ++ * so that we can safely avoid preinitializing temporaries for
1098 ++ * partial register writes.
1099 ++ */
1100 + static int fpr_set(struct task_struct *target,
1101 + const struct user_regset *regset,
1102 + unsigned int pos, unsigned int count,
1103 + const void *kbuf, const void __user *ubuf)
1104 + {
1105 +- unsigned i;
1106 ++ const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
1107 ++ u32 fcr31;
1108 + int err;
1109 +- u64 fpr_val;
1110 +
1111 +- /* XXX fcr31 */
1112 ++ BUG_ON(count % sizeof(elf_fpreg_t));
1113 ++
1114 ++ if (pos + count > sizeof(elf_fpregset_t))
1115 ++ return -EIO;
1116 +
1117 + init_fp_ctx(target);
1118 +
1119 +- if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
1120 +- return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
1121 +- &target->thread.fpu,
1122 +- 0, sizeof(elf_fpregset_t));
1123 ++ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
1124 ++ err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf);
1125 ++ else
1126 ++ err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf);
1127 ++ if (err)
1128 ++ return err;
1129 +
1130 +- BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
1131 +- for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) {
1132 ++ if (count > 0) {
1133 + err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
1134 +- &fpr_val, i * sizeof(elf_fpreg_t),
1135 +- (i + 1) * sizeof(elf_fpreg_t));
1136 ++ &fcr31,
1137 ++ fcr31_pos, fcr31_pos + sizeof(u32));
1138 + if (err)
1139 + return err;
1140 +- set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val);
1141 ++
1142 ++ ptrace_setfcr31(target, fcr31);
1143 + }
1144 +
1145 +- return 0;
1146 ++ return err;
1147 + }
1148 +
1149 + enum mips_regset {
1150 +diff --git a/arch/mn10300/mm/misalignment.c b/arch/mn10300/mm/misalignment.c
1151 +index b9920b1edd5a..70cef54dc40f 100644
1152 +--- a/arch/mn10300/mm/misalignment.c
1153 ++++ b/arch/mn10300/mm/misalignment.c
1154 +@@ -437,7 +437,7 @@ transfer_failed:
1155 +
1156 + info.si_signo = SIGSEGV;
1157 + info.si_errno = 0;
1158 +- info.si_code = 0;
1159 ++ info.si_code = SEGV_MAPERR;
1160 + info.si_addr = (void *) regs->pc;
1161 + force_sig_info(SIGSEGV, &info, current);
1162 + return;
1163 +diff --git a/arch/openrisc/kernel/traps.c b/arch/openrisc/kernel/traps.c
1164 +index 3d3f6062f49c..605a284922fb 100644
1165 +--- a/arch/openrisc/kernel/traps.c
1166 ++++ b/arch/openrisc/kernel/traps.c
1167 +@@ -302,12 +302,12 @@ asmlinkage void do_unaligned_access(struct pt_regs *regs, unsigned long address)
1168 + siginfo_t info;
1169 +
1170 + if (user_mode(regs)) {
1171 +- /* Send a SIGSEGV */
1172 +- info.si_signo = SIGSEGV;
1173 ++ /* Send a SIGBUS */
1174 ++ info.si_signo = SIGBUS;
1175 + info.si_errno = 0;
1176 +- /* info.si_code has been set above */
1177 +- info.si_addr = (void *)address;
1178 +- force_sig_info(SIGSEGV, &info, current);
1179 ++ info.si_code = BUS_ADRALN;
1180 ++ info.si_addr = (void __user *)address;
1181 ++ force_sig_info(SIGBUS, &info, current);
1182 + } else {
1183 + printk("KERNEL: Unaligned Access 0x%.8lx\n", address);
1184 + show_registers(regs);
1185 +diff --git a/arch/parisc/include/asm/ldcw.h b/arch/parisc/include/asm/ldcw.h
1186 +index 8121aa6db2ff..51bb6b8eade6 100644
1187 +--- a/arch/parisc/include/asm/ldcw.h
1188 ++++ b/arch/parisc/include/asm/ldcw.h
1189 +@@ -11,6 +11,7 @@
1190 + for the semaphore. */
1191 +
1192 + #define __PA_LDCW_ALIGNMENT 16
1193 ++#define __PA_LDCW_ALIGN_ORDER 4
1194 + #define __ldcw_align(a) ({ \
1195 + unsigned long __ret = (unsigned long) &(a)->lock[0]; \
1196 + __ret = (__ret + __PA_LDCW_ALIGNMENT - 1) \
1197 +@@ -28,6 +29,7 @@
1198 + ldcd). */
1199 +
1200 + #define __PA_LDCW_ALIGNMENT 4
1201 ++#define __PA_LDCW_ALIGN_ORDER 2
1202 + #define __ldcw_align(a) (&(a)->slock)
1203 + #define __LDCW "ldcw,co"
1204 +
1205 +diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S
1206 +index c5ef4081b01d..b523fa90a727 100644
1207 +--- a/arch/parisc/kernel/entry.S
1208 ++++ b/arch/parisc/kernel/entry.S
1209 +@@ -35,6 +35,7 @@
1210 + #include <asm/pgtable.h>
1211 + #include <asm/signal.h>
1212 + #include <asm/unistd.h>
1213 ++#include <asm/ldcw.h>
1214 + #include <asm/thread_info.h>
1215 +
1216 + #include <linux/linkage.h>
1217 +@@ -46,6 +47,14 @@
1218 + #endif
1219 +
1220 + .import pa_tlb_lock,data
1221 ++ .macro load_pa_tlb_lock reg
1222 ++#if __PA_LDCW_ALIGNMENT > 4
1223 ++ load32 PA(pa_tlb_lock) + __PA_LDCW_ALIGNMENT-1, \reg
1224 ++ depi 0,31,__PA_LDCW_ALIGN_ORDER, \reg
1225 ++#else
1226 ++ load32 PA(pa_tlb_lock), \reg
1227 ++#endif
1228 ++ .endm
1229 +
1230 + /* space_to_prot macro creates a prot id from a space id */
1231 +
1232 +@@ -457,7 +466,7 @@
1233 + .macro tlb_lock spc,ptp,pte,tmp,tmp1,fault
1234 + #ifdef CONFIG_SMP
1235 + cmpib,COND(=),n 0,\spc,2f
1236 +- load32 PA(pa_tlb_lock),\tmp
1237 ++ load_pa_tlb_lock \tmp
1238 + 1: LDCW 0(\tmp),\tmp1
1239 + cmpib,COND(=) 0,\tmp1,1b
1240 + nop
1241 +@@ -480,7 +489,7 @@
1242 + /* Release pa_tlb_lock lock. */
1243 + .macro tlb_unlock1 spc,tmp
1244 + #ifdef CONFIG_SMP
1245 +- load32 PA(pa_tlb_lock),\tmp
1246 ++ load_pa_tlb_lock \tmp
1247 + tlb_unlock0 \spc,\tmp
1248 + #endif
1249 + .endm
1250 +diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S
1251 +index b743a80eaba0..ddc2f0cf1c73 100644
1252 +--- a/arch/parisc/kernel/pacache.S
1253 ++++ b/arch/parisc/kernel/pacache.S
1254 +@@ -36,6 +36,7 @@
1255 + #include <asm/assembly.h>
1256 + #include <asm/pgtable.h>
1257 + #include <asm/cache.h>
1258 ++#include <asm/ldcw.h>
1259 + #include <linux/linkage.h>
1260 +
1261 + .text
1262 +@@ -333,8 +334,12 @@ ENDPROC(flush_data_cache_local)
1263 +
1264 + .macro tlb_lock la,flags,tmp
1265 + #ifdef CONFIG_SMP
1266 +- ldil L%pa_tlb_lock,%r1
1267 +- ldo R%pa_tlb_lock(%r1),\la
1268 ++#if __PA_LDCW_ALIGNMENT > 4
1269 ++ load32 pa_tlb_lock + __PA_LDCW_ALIGNMENT-1, \la
1270 ++ depi 0,31,__PA_LDCW_ALIGN_ORDER, \la
1271 ++#else
1272 ++ load32 pa_tlb_lock, \la
1273 ++#endif
1274 + rsm PSW_SM_I,\flags
1275 + 1: LDCW 0(\la),\tmp
1276 + cmpib,<>,n 0,\tmp,3f
1277 +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
1278 +index 4b8c928a9873..a55a246fc784 100644
1279 +--- a/arch/powerpc/Kconfig
1280 ++++ b/arch/powerpc/Kconfig
1281 +@@ -126,13 +126,14 @@ config PPC
1282 + select IRQ_FORCED_THREADING
1283 + select HAVE_RCU_TABLE_FREE if SMP
1284 + select HAVE_SYSCALL_TRACEPOINTS
1285 +- select HAVE_BPF_JIT
1286 ++ select HAVE_BPF_JIT if CPU_BIG_ENDIAN
1287 + select HAVE_ARCH_JUMP_LABEL
1288 + select ARCH_HAVE_NMI_SAFE_CMPXCHG
1289 + select ARCH_HAS_GCOV_PROFILE_ALL
1290 + select GENERIC_SMP_IDLE_THREAD
1291 + select GENERIC_CMOS_UPDATE
1292 + select GENERIC_TIME_VSYSCALL_OLD
1293 ++ select GENERIC_CPU_VULNERABILITIES if PPC_BOOK3S_64
1294 + select GENERIC_CLOCKEVENTS
1295 + select GENERIC_CLOCKEVENTS_BROADCAST if SMP
1296 + select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
1297 +diff --git a/arch/powerpc/include/asm/exception-64e.h b/arch/powerpc/include/asm/exception-64e.h
1298 +index a8b52b61043f..bd8958445336 100644
1299 +--- a/arch/powerpc/include/asm/exception-64e.h
1300 ++++ b/arch/powerpc/include/asm/exception-64e.h
1301 +@@ -208,5 +208,11 @@ exc_##label##_book3e:
1302 + ori r3,r3,interrupt_base_book3e@l; \
1303 + mtspr SPRN_IVOR##vector_number,r3;
1304 +
1305 ++#define RFI_TO_KERNEL \
1306 ++ rfi
1307 ++
1308 ++#define RFI_TO_USER \
1309 ++ rfi
1310 ++
1311 + #endif /* _ASM_POWERPC_EXCEPTION_64E_H */
1312 +
1313 +diff --git a/arch/powerpc/include/asm/exception-64s.h b/arch/powerpc/include/asm/exception-64s.h
1314 +index 77f52b26dad6..9bddbec441b8 100644
1315 +--- a/arch/powerpc/include/asm/exception-64s.h
1316 ++++ b/arch/powerpc/include/asm/exception-64s.h
1317 +@@ -50,6 +50,59 @@
1318 + #define EX_PPR 88 /* SMT thread status register (priority) */
1319 + #define EX_CTR 96
1320 +
1321 ++/*
1322 ++ * Macros for annotating the expected destination of (h)rfid
1323 ++ *
1324 ++ * The nop instructions allow us to insert one or more instructions to flush the
1325 ++ * L1-D cache when returning to userspace or a guest.
1326 ++ */
1327 ++#define RFI_FLUSH_SLOT \
1328 ++ RFI_FLUSH_FIXUP_SECTION; \
1329 ++ nop; \
1330 ++ nop; \
1331 ++ nop
1332 ++
1333 ++#define RFI_TO_KERNEL \
1334 ++ rfid
1335 ++
1336 ++#define RFI_TO_USER \
1337 ++ RFI_FLUSH_SLOT; \
1338 ++ rfid; \
1339 ++ b rfi_flush_fallback
1340 ++
1341 ++#define RFI_TO_USER_OR_KERNEL \
1342 ++ RFI_FLUSH_SLOT; \
1343 ++ rfid; \
1344 ++ b rfi_flush_fallback
1345 ++
1346 ++#define RFI_TO_GUEST \
1347 ++ RFI_FLUSH_SLOT; \
1348 ++ rfid; \
1349 ++ b rfi_flush_fallback
1350 ++
1351 ++#define HRFI_TO_KERNEL \
1352 ++ hrfid
1353 ++
1354 ++#define HRFI_TO_USER \
1355 ++ RFI_FLUSH_SLOT; \
1356 ++ hrfid; \
1357 ++ b hrfi_flush_fallback
1358 ++
1359 ++#define HRFI_TO_USER_OR_KERNEL \
1360 ++ RFI_FLUSH_SLOT; \
1361 ++ hrfid; \
1362 ++ b hrfi_flush_fallback
1363 ++
1364 ++#define HRFI_TO_GUEST \
1365 ++ RFI_FLUSH_SLOT; \
1366 ++ hrfid; \
1367 ++ b hrfi_flush_fallback
1368 ++
1369 ++#define HRFI_TO_UNKNOWN \
1370 ++ RFI_FLUSH_SLOT; \
1371 ++ hrfid; \
1372 ++ b hrfi_flush_fallback
1373 ++
1374 + #ifdef CONFIG_RELOCATABLE
1375 + #define __EXCEPTION_RELON_PROLOG_PSERIES_1(label, h) \
1376 + ld r12,PACAKBASE(r13); /* get high part of &label */ \
1377 +@@ -191,7 +244,7 @@ END_FTR_SECTION_NESTED(ftr,ftr,943)
1378 + mtspr SPRN_##h##SRR0,r12; \
1379 + mfspr r12,SPRN_##h##SRR1; /* and SRR1 */ \
1380 + mtspr SPRN_##h##SRR1,r10; \
1381 +- h##rfid; \
1382 ++ h##RFI_TO_KERNEL; \
1383 + b . /* prevent speculative execution */
1384 + #define EXCEPTION_PROLOG_PSERIES_1(label, h) \
1385 + __EXCEPTION_PROLOG_PSERIES_1(label, h)
1386 +diff --git a/arch/powerpc/include/asm/feature-fixups.h b/arch/powerpc/include/asm/feature-fixups.h
1387 +index 9a67a38bf7b9..7068bafbb2d6 100644
1388 +--- a/arch/powerpc/include/asm/feature-fixups.h
1389 ++++ b/arch/powerpc/include/asm/feature-fixups.h
1390 +@@ -184,4 +184,19 @@ label##3: \
1391 + FTR_ENTRY_OFFSET label##1b-label##3b; \
1392 + .popsection;
1393 +
1394 ++#define RFI_FLUSH_FIXUP_SECTION \
1395 ++951: \
1396 ++ .pushsection __rfi_flush_fixup,"a"; \
1397 ++ .align 2; \
1398 ++952: \
1399 ++ FTR_ENTRY_OFFSET 951b-952b; \
1400 ++ .popsection;
1401 ++
1402 ++
1403 ++#ifndef __ASSEMBLY__
1404 ++
1405 ++extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup;
1406 ++
1407 ++#endif
1408 ++
1409 + #endif /* __ASM_POWERPC_FEATURE_FIXUPS_H */
1410 +diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
1411 +index 85bc8c0d257b..449bbb87c257 100644
1412 +--- a/arch/powerpc/include/asm/hvcall.h
1413 ++++ b/arch/powerpc/include/asm/hvcall.h
1414 +@@ -239,6 +239,7 @@
1415 + #define H_GET_HCA_INFO 0x1B8
1416 + #define H_GET_PERF_COUNT 0x1BC
1417 + #define H_MANAGE_TRACE 0x1C0
1418 ++#define H_GET_CPU_CHARACTERISTICS 0x1C8
1419 + #define H_FREE_LOGICAL_LAN_BUFFER 0x1D4
1420 + #define H_QUERY_INT_STATE 0x1E4
1421 + #define H_POLL_PENDING 0x1D8
1422 +@@ -285,7 +286,19 @@
1423 + #define H_SET_MODE_RESOURCE_ADDR_TRANS_MODE 3
1424 + #define H_SET_MODE_RESOURCE_LE 4
1425 +
1426 ++/* H_GET_CPU_CHARACTERISTICS return values */
1427 ++#define H_CPU_CHAR_SPEC_BAR_ORI31 (1ull << 63) // IBM bit 0
1428 ++#define H_CPU_CHAR_BCCTRL_SERIALISED (1ull << 62) // IBM bit 1
1429 ++#define H_CPU_CHAR_L1D_FLUSH_ORI30 (1ull << 61) // IBM bit 2
1430 ++#define H_CPU_CHAR_L1D_FLUSH_TRIG2 (1ull << 60) // IBM bit 3
1431 ++#define H_CPU_CHAR_L1D_THREAD_PRIV (1ull << 59) // IBM bit 4
1432 ++
1433 ++#define H_CPU_BEHAV_FAVOUR_SECURITY (1ull << 63) // IBM bit 0
1434 ++#define H_CPU_BEHAV_L1D_FLUSH_PR (1ull << 62) // IBM bit 1
1435 ++#define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR (1ull << 61) // IBM bit 2
1436 ++
1437 + #ifndef __ASSEMBLY__
1438 ++#include <linux/types.h>
1439 +
1440 + /**
1441 + * plpar_hcall_norets: - Make a pseries hypervisor call with no return arguments
1442 +@@ -423,6 +436,11 @@ extern long pseries_big_endian_exceptions(void);
1443 +
1444 + #endif /* CONFIG_PPC_PSERIES */
1445 +
1446 ++struct h_cpu_char_result {
1447 ++ u64 character;
1448 ++ u64 behaviour;
1449 ++};
1450 ++
1451 + #endif /* __ASSEMBLY__ */
1452 + #endif /* __KERNEL__ */
1453 + #endif /* _ASM_POWERPC_HVCALL_H */
1454 +diff --git a/arch/powerpc/include/asm/paca.h b/arch/powerpc/include/asm/paca.h
1455 +index 70bd4381f8e6..08e5df3395fa 100644
1456 +--- a/arch/powerpc/include/asm/paca.h
1457 ++++ b/arch/powerpc/include/asm/paca.h
1458 +@@ -192,6 +192,15 @@ struct paca_struct {
1459 + #endif
1460 + struct kvmppc_host_state kvm_hstate;
1461 + #endif
1462 ++#ifdef CONFIG_PPC_BOOK3S_64
1463 ++ /*
1464 ++ * rfi fallback flush must be in its own cacheline to prevent
1465 ++ * other paca data leaking into the L1d
1466 ++ */
1467 ++ u64 exrfi[13] __aligned(0x80);
1468 ++ void *rfi_flush_fallback_area;
1469 ++ u64 l1d_flush_size;
1470 ++#endif
1471 + };
1472 +
1473 + extern struct paca_struct *paca;
1474 +diff --git a/arch/powerpc/include/asm/plpar_wrappers.h b/arch/powerpc/include/asm/plpar_wrappers.h
1475 +index 67859edbf8fd..6e05cb397a5c 100644
1476 +--- a/arch/powerpc/include/asm/plpar_wrappers.h
1477 ++++ b/arch/powerpc/include/asm/plpar_wrappers.h
1478 +@@ -323,4 +323,18 @@ static inline long plapr_set_watchpoint0(unsigned long dawr0, unsigned long dawr
1479 + return plpar_set_mode(0, H_SET_MODE_RESOURCE_SET_DAWR, dawr0, dawrx0);
1480 + }
1481 +
1482 ++static inline long plpar_get_cpu_characteristics(struct h_cpu_char_result *p)
1483 ++{
1484 ++ unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
1485 ++ long rc;
1486 ++
1487 ++ rc = plpar_hcall(H_GET_CPU_CHARACTERISTICS, retbuf);
1488 ++ if (rc == H_SUCCESS) {
1489 ++ p->character = retbuf[0];
1490 ++ p->behaviour = retbuf[1];
1491 ++ }
1492 ++
1493 ++ return rc;
1494 ++}
1495 ++
1496 + #endif /* _ASM_POWERPC_PLPAR_WRAPPERS_H */
1497 +diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h
1498 +index dd0fc18d8103..160bb2311bbb 100644
1499 +--- a/arch/powerpc/include/asm/ppc_asm.h
1500 ++++ b/arch/powerpc/include/asm/ppc_asm.h
1501 +@@ -224,6 +224,16 @@ name: \
1502 + .globl name; \
1503 + name:
1504 +
1505 ++#define _KPROBE_TOC(name) \
1506 ++ .section ".kprobes.text","a"; \
1507 ++ .align 2 ; \
1508 ++ .type name,@function; \
1509 ++ .globl name; \
1510 ++name: \
1511 ++0: addis r2,r12,(.TOC.-0b)@ha; \
1512 ++ addi r2,r2,(.TOC.-0b)@l; \
1513 ++ .localentry name,.-name
1514 ++
1515 + #define DOTSYM(a) a
1516 +
1517 + #else
1518 +@@ -261,6 +271,8 @@ name: \
1519 + .type GLUE(.,name),@function; \
1520 + GLUE(.,name):
1521 +
1522 ++#define _KPROBE_TOC(n) _KPROBE(n)
1523 ++
1524 + #define DOTSYM(a) GLUE(.,a)
1525 +
1526 + #endif
1527 +diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h
1528 +index e9d384cbd021..7916b56f2e60 100644
1529 +--- a/arch/powerpc/include/asm/setup.h
1530 ++++ b/arch/powerpc/include/asm/setup.h
1531 +@@ -26,6 +26,19 @@ void initmem_init(void);
1532 + void setup_panic(void);
1533 + #define ARCH_PANIC_TIMEOUT 180
1534 +
1535 ++void rfi_flush_enable(bool enable);
1536 ++
1537 ++/* These are bit flags */
1538 ++enum l1d_flush_type {
1539 ++ L1D_FLUSH_NONE = 0x1,
1540 ++ L1D_FLUSH_FALLBACK = 0x2,
1541 ++ L1D_FLUSH_ORI = 0x4,
1542 ++ L1D_FLUSH_MTTRIG = 0x8,
1543 ++};
1544 ++
1545 ++void __init setup_rfi_flush(enum l1d_flush_type, bool enable);
1546 ++void do_rfi_flush_fixups(enum l1d_flush_type types);
1547 ++
1548 + #endif /* !__ASSEMBLY__ */
1549 +
1550 + #endif /* _ASM_POWERPC_SETUP_H */
1551 +diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
1552 +index d8d332e65078..23fe603a98d3 100644
1553 +--- a/arch/powerpc/kernel/asm-offsets.c
1554 ++++ b/arch/powerpc/kernel/asm-offsets.c
1555 +@@ -244,6 +244,9 @@ int main(void)
1556 + #ifdef CONFIG_PPC_BOOK3S_64
1557 + DEFINE(PACAMCEMERGSP, offsetof(struct paca_struct, mc_emergency_sp));
1558 + DEFINE(PACA_IN_MCE, offsetof(struct paca_struct, in_mce));
1559 ++ DEFINE(PACA_RFI_FLUSH_FALLBACK_AREA, offsetof(struct paca_struct, rfi_flush_fallback_area));
1560 ++ DEFINE(PACA_EXRFI, offsetof(struct paca_struct, exrfi));
1561 ++ DEFINE(PACA_L1D_FLUSH_SIZE, offsetof(struct paca_struct, l1d_flush_size));
1562 + #endif
1563 + DEFINE(PACAHWCPUID, offsetof(struct paca_struct, hw_cpu_id));
1564 + DEFINE(PACAKEXECSTATE, offsetof(struct paca_struct, kexec_state));
1565 +diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
1566 +index de276553cc79..36a8bf3d053b 100644
1567 +--- a/arch/powerpc/kernel/entry_64.S
1568 ++++ b/arch/powerpc/kernel/entry_64.S
1569 +@@ -34,6 +34,11 @@
1570 + #include <asm/ftrace.h>
1571 + #include <asm/hw_irq.h>
1572 + #include <asm/context_tracking.h>
1573 ++#ifdef CONFIG_PPC_BOOK3S
1574 ++#include <asm/exception-64s.h>
1575 ++#else
1576 ++#include <asm/exception-64e.h>
1577 ++#endif
1578 +
1579 + /*
1580 + * System calls.
1581 +@@ -218,13 +223,23 @@ END_FTR_SECTION_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)
1582 + ACCOUNT_CPU_USER_EXIT(r11, r12)
1583 + HMT_MEDIUM_LOW_HAS_PPR
1584 + ld r13,GPR13(r1) /* only restore r13 if returning to usermode */
1585 ++ ld r2,GPR2(r1)
1586 ++ ld r1,GPR1(r1)
1587 ++ mtlr r4
1588 ++ mtcr r5
1589 ++ mtspr SPRN_SRR0,r7
1590 ++ mtspr SPRN_SRR1,r8
1591 ++ RFI_TO_USER
1592 ++ b . /* prevent speculative execution */
1593 ++
1594 ++ /* exit to kernel */
1595 + 1: ld r2,GPR2(r1)
1596 + ld r1,GPR1(r1)
1597 + mtlr r4
1598 + mtcr r5
1599 + mtspr SPRN_SRR0,r7
1600 + mtspr SPRN_SRR1,r8
1601 +- RFI
1602 ++ RFI_TO_KERNEL
1603 + b . /* prevent speculative execution */
1604 +
1605 + syscall_error:
1606 +@@ -840,7 +855,7 @@ BEGIN_FTR_SECTION
1607 + END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
1608 + ACCOUNT_CPU_USER_EXIT(r2, r4)
1609 + REST_GPR(13, r1)
1610 +-1:
1611 ++
1612 + mtspr SPRN_SRR1,r3
1613 +
1614 + ld r2,_CCR(r1)
1615 +@@ -853,8 +868,22 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
1616 + ld r3,GPR3(r1)
1617 + ld r4,GPR4(r1)
1618 + ld r1,GPR1(r1)
1619 ++ RFI_TO_USER
1620 ++ b . /* prevent speculative execution */
1621 ++
1622 ++1: mtspr SPRN_SRR1,r3
1623 ++
1624 ++ ld r2,_CCR(r1)
1625 ++ mtcrf 0xFF,r2
1626 ++ ld r2,_NIP(r1)
1627 ++ mtspr SPRN_SRR0,r2
1628 +
1629 +- rfid
1630 ++ ld r0,GPR0(r1)
1631 ++ ld r2,GPR2(r1)
1632 ++ ld r3,GPR3(r1)
1633 ++ ld r4,GPR4(r1)
1634 ++ ld r1,GPR1(r1)
1635 ++ RFI_TO_KERNEL
1636 + b . /* prevent speculative execution */
1637 +
1638 + #endif /* CONFIG_PPC_BOOK3E */
1639 +@@ -1030,7 +1059,7 @@ _GLOBAL(enter_rtas)
1640 +
1641 + mtspr SPRN_SRR0,r5
1642 + mtspr SPRN_SRR1,r6
1643 +- rfid
1644 ++ RFI_TO_KERNEL
1645 + b . /* prevent speculative execution */
1646 +
1647 + rtas_return_loc:
1648 +@@ -1055,7 +1084,7 @@ rtas_return_loc:
1649 +
1650 + mtspr SPRN_SRR0,r3
1651 + mtspr SPRN_SRR1,r4
1652 +- rfid
1653 ++ RFI_TO_KERNEL
1654 + b . /* prevent speculative execution */
1655 +
1656 + .align 3
1657 +@@ -1126,7 +1155,7 @@ _GLOBAL(enter_prom)
1658 + LOAD_REG_IMMEDIATE(r12, MSR_SF | MSR_ISF | MSR_LE)
1659 + andc r11,r11,r12
1660 + mtsrr1 r11
1661 +- rfid
1662 ++ RFI_TO_KERNEL
1663 + #endif /* CONFIG_PPC_BOOK3E */
1664 +
1665 + 1: /* Return from OF */
1666 +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
1667 +index 7662bfae0493..3b8991df5101 100644
1668 +--- a/arch/powerpc/kernel/exceptions-64s.S
1669 ++++ b/arch/powerpc/kernel/exceptions-64s.S
1670 +@@ -46,7 +46,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_REAL_LE) \
1671 + mtspr SPRN_SRR0,r10 ; \
1672 + ld r10,PACAKMSR(r13) ; \
1673 + mtspr SPRN_SRR1,r10 ; \
1674 +- rfid ; \
1675 ++ RFI_TO_KERNEL ; \
1676 + b . ; /* prevent speculative execution */
1677 +
1678 + #define SYSCALL_PSERIES_3 \
1679 +@@ -54,7 +54,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_REAL_LE) \
1680 + 1: mfspr r12,SPRN_SRR1 ; \
1681 + xori r12,r12,MSR_LE ; \
1682 + mtspr SPRN_SRR1,r12 ; \
1683 +- rfid ; /* return to userspace */ \
1684 ++ RFI_TO_USER ; /* return to userspace */ \
1685 + b . ; /* prevent speculative execution */
1686 +
1687 + #if defined(CONFIG_RELOCATABLE)
1688 +@@ -508,7 +508,7 @@ BEGIN_FTR_SECTION
1689 + LOAD_HANDLER(r12, machine_check_handle_early)
1690 + 1: mtspr SPRN_SRR0,r12
1691 + mtspr SPRN_SRR1,r11
1692 +- rfid
1693 ++ RFI_TO_KERNEL
1694 + b . /* prevent speculative execution */
1695 + 2:
1696 + /* Stack overflow. Stay on emergency stack and panic.
1697 +@@ -602,7 +602,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_CFAR)
1698 + ld r11,PACA_EXGEN+EX_R11(r13)
1699 + ld r12,PACA_EXGEN+EX_R12(r13)
1700 + ld r13,PACA_EXGEN+EX_R13(r13)
1701 +- HRFID
1702 ++ HRFI_TO_UNKNOWN
1703 + b .
1704 + #endif
1705 +
1706 +@@ -667,7 +667,7 @@ masked_##_H##interrupt: \
1707 + ld r10,PACA_EXGEN+EX_R10(r13); \
1708 + ld r11,PACA_EXGEN+EX_R11(r13); \
1709 + GET_SCRATCH0(r13); \
1710 +- ##_H##rfid; \
1711 ++ ##_H##RFI_TO_KERNEL; \
1712 + b .
1713 +
1714 + MASKED_INTERRUPT()
1715 +@@ -757,7 +757,7 @@ kvmppc_skip_interrupt:
1716 + addi r13, r13, 4
1717 + mtspr SPRN_SRR0, r13
1718 + GET_SCRATCH0(r13)
1719 +- rfid
1720 ++ RFI_TO_KERNEL
1721 + b .
1722 +
1723 + kvmppc_skip_Hinterrupt:
1724 +@@ -769,7 +769,7 @@ kvmppc_skip_Hinterrupt:
1725 + addi r13, r13, 4
1726 + mtspr SPRN_HSRR0, r13
1727 + GET_SCRATCH0(r13)
1728 +- hrfid
1729 ++ HRFI_TO_KERNEL
1730 + b .
1731 + #endif
1732 +
1733 +@@ -1447,7 +1447,7 @@ machine_check_handle_early:
1734 + li r3,MSR_ME
1735 + andc r10,r10,r3 /* Turn off MSR_ME */
1736 + mtspr SPRN_SRR1,r10
1737 +- rfid
1738 ++ RFI_TO_KERNEL
1739 + b .
1740 + 2:
1741 + /*
1742 +@@ -1465,7 +1465,7 @@ machine_check_handle_early:
1743 + */
1744 + bl machine_check_queue_event
1745 + MACHINE_CHECK_HANDLER_WINDUP
1746 +- rfid
1747 ++ RFI_TO_USER_OR_KERNEL
1748 + 9:
1749 + /* Deliver the machine check to host kernel in V mode. */
1750 + MACHINE_CHECK_HANDLER_WINDUP
1751 +@@ -1511,6 +1511,8 @@ slb_miss_realmode:
1752 +
1753 + andi. r10,r12,MSR_RI /* check for unrecoverable exception */
1754 + beq- 2f
1755 ++ andi. r10,r12,MSR_PR /* check for user mode (PR != 0) */
1756 ++ bne 1f
1757 +
1758 + .machine push
1759 + .machine "power4"
1760 +@@ -1524,7 +1526,23 @@ slb_miss_realmode:
1761 + ld r11,PACA_EXSLB+EX_R11(r13)
1762 + ld r12,PACA_EXSLB+EX_R12(r13)
1763 + ld r13,PACA_EXSLB+EX_R13(r13)
1764 +- rfid
1765 ++ RFI_TO_KERNEL
1766 ++ b . /* prevent speculative execution */
1767 ++
1768 ++1:
1769 ++.machine push
1770 ++.machine "power4"
1771 ++ mtcrf 0x80,r9
1772 ++ mtcrf 0x01,r9 /* slb_allocate uses cr0 and cr7 */
1773 ++.machine pop
1774 ++
1775 ++ RESTORE_PPR_PACA(PACA_EXSLB, r9)
1776 ++ ld r9,PACA_EXSLB+EX_R9(r13)
1777 ++ ld r10,PACA_EXSLB+EX_R10(r13)
1778 ++ ld r11,PACA_EXSLB+EX_R11(r13)
1779 ++ ld r12,PACA_EXSLB+EX_R12(r13)
1780 ++ ld r13,PACA_EXSLB+EX_R13(r13)
1781 ++ RFI_TO_USER
1782 + b . /* prevent speculative execution */
1783 +
1784 + 2: mfspr r11,SPRN_SRR0
1785 +@@ -1533,7 +1551,7 @@ slb_miss_realmode:
1786 + mtspr SPRN_SRR0,r10
1787 + ld r10,PACAKMSR(r13)
1788 + mtspr SPRN_SRR1,r10
1789 +- rfid
1790 ++ RFI_TO_KERNEL
1791 + b .
1792 +
1793 + unrecov_slb:
1794 +@@ -1554,6 +1572,88 @@ power4_fixup_nap:
1795 + blr
1796 + #endif
1797 +
1798 ++ .globl rfi_flush_fallback
1799 ++rfi_flush_fallback:
1800 ++ SET_SCRATCH0(r13);
1801 ++ GET_PACA(r13);
1802 ++ std r9,PACA_EXRFI+EX_R9(r13)
1803 ++ std r10,PACA_EXRFI+EX_R10(r13)
1804 ++ std r11,PACA_EXRFI+EX_R11(r13)
1805 ++ mfctr r9
1806 ++ ld r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13)
1807 ++ ld r11,PACA_L1D_FLUSH_SIZE(r13)
1808 ++ srdi r11,r11,(7 + 3) /* 128 byte lines, unrolled 8x */
1809 ++ mtctr r11
1810 ++ DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */
1811 ++
1812 ++ /* order ld/st prior to dcbt stop all streams with flushing */
1813 ++ sync
1814 ++
1815 ++ /*
1816 ++ * The load adresses are at staggered offsets within cachelines,
1817 ++ * which suits some pipelines better (on others it should not
1818 ++ * hurt).
1819 ++ */
1820 ++1:
1821 ++ ld r11,(0x80 + 8)*0(r10)
1822 ++ ld r11,(0x80 + 8)*1(r10)
1823 ++ ld r11,(0x80 + 8)*2(r10)
1824 ++ ld r11,(0x80 + 8)*3(r10)
1825 ++ ld r11,(0x80 + 8)*4(r10)
1826 ++ ld r11,(0x80 + 8)*5(r10)
1827 ++ ld r11,(0x80 + 8)*6(r10)
1828 ++ ld r11,(0x80 + 8)*7(r10)
1829 ++ addi r10,r10,0x80*8
1830 ++ bdnz 1b
1831 ++
1832 ++ mtctr r9
1833 ++ ld r9,PACA_EXRFI+EX_R9(r13)
1834 ++ ld r10,PACA_EXRFI+EX_R10(r13)
1835 ++ ld r11,PACA_EXRFI+EX_R11(r13)
1836 ++ GET_SCRATCH0(r13);
1837 ++ rfid
1838 ++
1839 ++ .globl hrfi_flush_fallback
1840 ++hrfi_flush_fallback:
1841 ++ SET_SCRATCH0(r13);
1842 ++ GET_PACA(r13);
1843 ++ std r9,PACA_EXRFI+EX_R9(r13)
1844 ++ std r10,PACA_EXRFI+EX_R10(r13)
1845 ++ std r11,PACA_EXRFI+EX_R11(r13)
1846 ++ mfctr r9
1847 ++ ld r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13)
1848 ++ ld r11,PACA_L1D_FLUSH_SIZE(r13)
1849 ++ srdi r11,r11,(7 + 3) /* 128 byte lines, unrolled 8x */
1850 ++ mtctr r11
1851 ++ DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */
1852 ++
1853 ++ /* order ld/st prior to dcbt stop all streams with flushing */
1854 ++ sync
1855 ++
1856 ++ /*
1857 ++ * The load adresses are at staggered offsets within cachelines,
1858 ++ * which suits some pipelines better (on others it should not
1859 ++ * hurt).
1860 ++ */
1861 ++1:
1862 ++ ld r11,(0x80 + 8)*0(r10)
1863 ++ ld r11,(0x80 + 8)*1(r10)
1864 ++ ld r11,(0x80 + 8)*2(r10)
1865 ++ ld r11,(0x80 + 8)*3(r10)
1866 ++ ld r11,(0x80 + 8)*4(r10)
1867 ++ ld r11,(0x80 + 8)*5(r10)
1868 ++ ld r11,(0x80 + 8)*6(r10)
1869 ++ ld r11,(0x80 + 8)*7(r10)
1870 ++ addi r10,r10,0x80*8
1871 ++ bdnz 1b
1872 ++
1873 ++ mtctr r9
1874 ++ ld r9,PACA_EXRFI+EX_R9(r13)
1875 ++ ld r10,PACA_EXRFI+EX_R10(r13)
1876 ++ ld r11,PACA_EXRFI+EX_R11(r13)
1877 ++ GET_SCRATCH0(r13);
1878 ++ hrfid
1879 ++
1880 + /*
1881 + * Hash table stuff
1882 + */
1883 +diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S
1884 +index 4e314b90c75d..1f979d5617a2 100644
1885 +--- a/arch/powerpc/kernel/misc_64.S
1886 ++++ b/arch/powerpc/kernel/misc_64.S
1887 +@@ -65,7 +65,7 @@ PPC64_CACHES:
1888 + * flush all bytes from start through stop-1 inclusive
1889 + */
1890 +
1891 +-_KPROBE(flush_icache_range)
1892 ++_KPROBE_TOC(flush_icache_range)
1893 + BEGIN_FTR_SECTION
1894 + PURGE_PREFETCHED_INS
1895 + blr
1896 +@@ -116,7 +116,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE)
1897 + *
1898 + * flush all bytes from start to stop-1 inclusive
1899 + */
1900 +-_GLOBAL(flush_dcache_range)
1901 ++_GLOBAL_TOC(flush_dcache_range)
1902 +
1903 + /*
1904 + * Flush the data cache to memory
1905 +@@ -634,31 +634,3 @@ _GLOBAL(kexec_sequence)
1906 + li r5,0
1907 + blr /* image->start(physid, image->start, 0); */
1908 + #endif /* CONFIG_KEXEC */
1909 +-
1910 +-#ifdef CONFIG_MODULES
1911 +-#if defined(_CALL_ELF) && _CALL_ELF == 2
1912 +-
1913 +-#ifdef CONFIG_MODVERSIONS
1914 +-.weak __crc_TOC.
1915 +-.section "___kcrctab+TOC.","a"
1916 +-.globl __kcrctab_TOC.
1917 +-__kcrctab_TOC.:
1918 +- .llong __crc_TOC.
1919 +-#endif
1920 +-
1921 +-/*
1922 +- * Export a fake .TOC. since both modpost and depmod will complain otherwise.
1923 +- * Both modpost and depmod strip the leading . so we do the same here.
1924 +- */
1925 +-.section "__ksymtab_strings","a"
1926 +-__kstrtab_TOC.:
1927 +- .asciz "TOC."
1928 +-
1929 +-.section "___ksymtab+TOC.","a"
1930 +-/* This symbol name is important: it's used by modpost to find exported syms */
1931 +-.globl __ksymtab_TOC.
1932 +-__ksymtab_TOC.:
1933 +- .llong 0 /* .value */
1934 +- .llong __kstrtab_TOC.
1935 +-#endif /* ELFv2 */
1936 +-#endif /* MODULES */
1937 +diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c
1938 +index e4f7d4eed20c..08b7a40de5f8 100644
1939 +--- a/arch/powerpc/kernel/module_64.c
1940 ++++ b/arch/powerpc/kernel/module_64.c
1941 +@@ -326,7 +326,10 @@ static void dedotify_versions(struct modversion_info *vers,
1942 + }
1943 + }
1944 +
1945 +-/* Undefined symbols which refer to .funcname, hack to funcname (or .TOC.) */
1946 ++/*
1947 ++ * Undefined symbols which refer to .funcname, hack to funcname. Make .TOC.
1948 ++ * seem to be defined (value set later).
1949 ++ */
1950 + static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab)
1951 + {
1952 + unsigned int i;
1953 +@@ -334,8 +337,11 @@ static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab)
1954 + for (i = 1; i < numsyms; i++) {
1955 + if (syms[i].st_shndx == SHN_UNDEF) {
1956 + char *name = strtab + syms[i].st_name;
1957 +- if (name[0] == '.')
1958 ++ if (name[0] == '.') {
1959 ++ if (strcmp(name+1, "TOC.") == 0)
1960 ++ syms[i].st_shndx = SHN_ABS;
1961 + syms[i].st_name++;
1962 ++ }
1963 + }
1964 + }
1965 + }
1966 +@@ -351,7 +357,7 @@ static Elf64_Sym *find_dot_toc(Elf64_Shdr *sechdrs,
1967 + numsyms = sechdrs[symindex].sh_size / sizeof(Elf64_Sym);
1968 +
1969 + for (i = 1; i < numsyms; i++) {
1970 +- if (syms[i].st_shndx == SHN_UNDEF
1971 ++ if (syms[i].st_shndx == SHN_ABS
1972 + && strcmp(strtab + syms[i].st_name, "TOC.") == 0)
1973 + return &syms[i];
1974 + }
1975 +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
1976 +index dd023904bac5..9579f9c13315 100644
1977 +--- a/arch/powerpc/kernel/process.c
1978 ++++ b/arch/powerpc/kernel/process.c
1979 +@@ -209,7 +209,8 @@ void enable_kernel_vsx(void)
1980 + WARN_ON(preemptible());
1981 +
1982 + #ifdef CONFIG_SMP
1983 +- if (current->thread.regs && (current->thread.regs->msr & MSR_VSX))
1984 ++ if (current->thread.regs &&
1985 ++ (current->thread.regs->msr & (MSR_VSX|MSR_VEC|MSR_FP)))
1986 + giveup_vsx(current);
1987 + else
1988 + giveup_vsx(NULL); /* just enable vsx for kernel - force */
1989 +@@ -231,7 +232,7 @@ void flush_vsx_to_thread(struct task_struct *tsk)
1990 + {
1991 + if (tsk->thread.regs) {
1992 + preempt_disable();
1993 +- if (tsk->thread.regs->msr & MSR_VSX) {
1994 ++ if (tsk->thread.regs->msr & (MSR_VSX|MSR_VEC|MSR_FP)) {
1995 + #ifdef CONFIG_SMP
1996 + BUG_ON(tsk != current);
1997 + #endif
1998 +diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
1999 +index f21897b42057..93f200f14e19 100644
2000 +--- a/arch/powerpc/kernel/ptrace.c
2001 ++++ b/arch/powerpc/kernel/ptrace.c
2002 +@@ -376,7 +376,7 @@ static int fpr_get(struct task_struct *target, const struct user_regset *regset,
2003 +
2004 + #else
2005 + BUILD_BUG_ON(offsetof(struct thread_fp_state, fpscr) !=
2006 +- offsetof(struct thread_fp_state, fpr[32][0]));
2007 ++ offsetof(struct thread_fp_state, fpr[32]));
2008 +
2009 + return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
2010 + &target->thread.fp_state, 0, -1);
2011 +@@ -404,7 +404,7 @@ static int fpr_set(struct task_struct *target, const struct user_regset *regset,
2012 + return 0;
2013 + #else
2014 + BUILD_BUG_ON(offsetof(struct thread_fp_state, fpscr) !=
2015 +- offsetof(struct thread_fp_state, fpr[32][0]));
2016 ++ offsetof(struct thread_fp_state, fpr[32]));
2017 +
2018 + return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
2019 + &target->thread.fp_state, 0, -1);
2020 +diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
2021 +index 8161d66830a2..c6ebe398def1 100644
2022 +--- a/arch/powerpc/kernel/setup_64.c
2023 ++++ b/arch/powerpc/kernel/setup_64.c
2024 +@@ -38,6 +38,7 @@
2025 + #include <linux/hugetlb.h>
2026 + #include <linux/memory.h>
2027 + #include <linux/nmi.h>
2028 ++#include <linux/debugfs.h>
2029 +
2030 + #include <asm/io.h>
2031 + #include <asm/kdump.h>
2032 +@@ -807,4 +808,131 @@ static int __init disable_hardlockup_detector(void)
2033 + return 0;
2034 + }
2035 + early_initcall(disable_hardlockup_detector);
2036 ++
2037 ++#ifdef CONFIG_PPC_BOOK3S_64
2038 ++static enum l1d_flush_type enabled_flush_types;
2039 ++static void *l1d_flush_fallback_area;
2040 ++static bool no_rfi_flush;
2041 ++bool rfi_flush;
2042 ++
2043 ++static int __init handle_no_rfi_flush(char *p)
2044 ++{
2045 ++ pr_info("rfi-flush: disabled on command line.");
2046 ++ no_rfi_flush = true;
2047 ++ return 0;
2048 ++}
2049 ++early_param("no_rfi_flush", handle_no_rfi_flush);
2050 ++
2051 ++/*
2052 ++ * The RFI flush is not KPTI, but because users will see doco that says to use
2053 ++ * nopti we hijack that option here to also disable the RFI flush.
2054 ++ */
2055 ++static int __init handle_no_pti(char *p)
2056 ++{
2057 ++ pr_info("rfi-flush: disabling due to 'nopti' on command line.\n");
2058 ++ handle_no_rfi_flush(NULL);
2059 ++ return 0;
2060 ++}
2061 ++early_param("nopti", handle_no_pti);
2062 ++
2063 ++static void do_nothing(void *unused)
2064 ++{
2065 ++ /*
2066 ++ * We don't need to do the flush explicitly, just enter+exit kernel is
2067 ++ * sufficient, the RFI exit handlers will do the right thing.
2068 ++ */
2069 ++}
2070 ++
2071 ++void rfi_flush_enable(bool enable)
2072 ++{
2073 ++ if (rfi_flush == enable)
2074 ++ return;
2075 ++
2076 ++ if (enable) {
2077 ++ do_rfi_flush_fixups(enabled_flush_types);
2078 ++ on_each_cpu(do_nothing, NULL, 1);
2079 ++ } else
2080 ++ do_rfi_flush_fixups(L1D_FLUSH_NONE);
2081 ++
2082 ++ rfi_flush = enable;
2083 ++}
2084 ++
2085 ++static void init_fallback_flush(void)
2086 ++{
2087 ++ u64 l1d_size, limit;
2088 ++ int cpu;
2089 ++
2090 ++ l1d_size = ppc64_caches.dsize;
2091 ++ limit = min(safe_stack_limit(), ppc64_rma_size);
2092 ++
2093 ++ /*
2094 ++ * Align to L1d size, and size it at 2x L1d size, to catch possible
2095 ++ * hardware prefetch runoff. We don't have a recipe for load patterns to
2096 ++ * reliably avoid the prefetcher.
2097 ++ */
2098 ++ l1d_flush_fallback_area = __va(memblock_alloc_base(l1d_size * 2, l1d_size, limit));
2099 ++ memset(l1d_flush_fallback_area, 0, l1d_size * 2);
2100 ++
2101 ++ for_each_possible_cpu(cpu) {
2102 ++ paca[cpu].rfi_flush_fallback_area = l1d_flush_fallback_area;
2103 ++ paca[cpu].l1d_flush_size = l1d_size;
2104 ++ }
2105 ++}
2106 ++
2107 ++void __init setup_rfi_flush(enum l1d_flush_type types, bool enable)
2108 ++{
2109 ++ if (types & L1D_FLUSH_FALLBACK) {
2110 ++ pr_info("rfi-flush: Using fallback displacement flush\n");
2111 ++ init_fallback_flush();
2112 ++ }
2113 ++
2114 ++ if (types & L1D_FLUSH_ORI)
2115 ++ pr_info("rfi-flush: Using ori type flush\n");
2116 ++
2117 ++ if (types & L1D_FLUSH_MTTRIG)
2118 ++ pr_info("rfi-flush: Using mttrig type flush\n");
2119 ++
2120 ++ enabled_flush_types = types;
2121 ++
2122 ++ if (!no_rfi_flush)
2123 ++ rfi_flush_enable(enable);
2124 ++}
2125 ++
2126 ++#ifdef CONFIG_DEBUG_FS
2127 ++static int rfi_flush_set(void *data, u64 val)
2128 ++{
2129 ++ if (val == 1)
2130 ++ rfi_flush_enable(true);
2131 ++ else if (val == 0)
2132 ++ rfi_flush_enable(false);
2133 ++ else
2134 ++ return -EINVAL;
2135 ++
2136 ++ return 0;
2137 ++}
2138 ++
2139 ++static int rfi_flush_get(void *data, u64 *val)
2140 ++{
2141 ++ *val = rfi_flush ? 1 : 0;
2142 ++ return 0;
2143 ++}
2144 ++
2145 ++DEFINE_SIMPLE_ATTRIBUTE(fops_rfi_flush, rfi_flush_get, rfi_flush_set, "%llu\n");
2146 ++
2147 ++static __init int rfi_flush_debugfs_init(void)
2148 ++{
2149 ++ debugfs_create_file("rfi_flush", 0600, powerpc_debugfs_root, NULL, &fops_rfi_flush);
2150 ++ return 0;
2151 ++}
2152 ++device_initcall(rfi_flush_debugfs_init);
2153 ++#endif
2154 ++
2155 ++ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
2156 ++{
2157 ++ if (rfi_flush)
2158 ++ return sprintf(buf, "Mitigation: RFI Flush\n");
2159 ++
2160 ++ return sprintf(buf, "Vulnerable\n");
2161 ++}
2162 ++#endif /* CONFIG_PPC_BOOK3S_64 */
2163 + #endif
2164 +diff --git a/arch/powerpc/kernel/vdso64/datapage.S b/arch/powerpc/kernel/vdso64/datapage.S
2165 +index 79796de11737..3263ee23170d 100644
2166 +--- a/arch/powerpc/kernel/vdso64/datapage.S
2167 ++++ b/arch/powerpc/kernel/vdso64/datapage.S
2168 +@@ -57,7 +57,7 @@ V_FUNCTION_BEGIN(__kernel_get_syscall_map)
2169 + bl V_LOCAL_FUNC(__get_datapage)
2170 + mtlr r12
2171 + addi r3,r3,CFG_SYSCALL_MAP64
2172 +- cmpli cr0,r4,0
2173 ++ cmpldi cr0,r4,0
2174 + crclr cr0*4+so
2175 + beqlr
2176 + li r0,__NR_syscalls
2177 +diff --git a/arch/powerpc/kernel/vdso64/gettimeofday.S b/arch/powerpc/kernel/vdso64/gettimeofday.S
2178 +index a76b4af37ef2..382021324883 100644
2179 +--- a/arch/powerpc/kernel/vdso64/gettimeofday.S
2180 ++++ b/arch/powerpc/kernel/vdso64/gettimeofday.S
2181 +@@ -145,7 +145,7 @@ V_FUNCTION_BEGIN(__kernel_clock_getres)
2182 + bne cr0,99f
2183 +
2184 + li r3,0
2185 +- cmpli cr0,r4,0
2186 ++ cmpldi cr0,r4,0
2187 + crclr cr0*4+so
2188 + beqlr
2189 + lis r5,CLOCK_REALTIME_RES@h
2190 +diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
2191 +index 1db685104ffc..b542a80477c8 100644
2192 +--- a/arch/powerpc/kernel/vmlinux.lds.S
2193 ++++ b/arch/powerpc/kernel/vmlinux.lds.S
2194 +@@ -72,6 +72,15 @@ SECTIONS
2195 + /* Read-only data */
2196 + RODATA
2197 +
2198 ++#ifdef CONFIG_PPC64
2199 ++ . = ALIGN(8);
2200 ++ __rfi_flush_fixup : AT(ADDR(__rfi_flush_fixup) - LOAD_OFFSET) {
2201 ++ __start___rfi_flush_fixup = .;
2202 ++ *(__rfi_flush_fixup)
2203 ++ __stop___rfi_flush_fixup = .;
2204 ++ }
2205 ++#endif
2206 ++
2207 + EXCEPTION_TABLE(0)
2208 +
2209 + NOTES :kernel :notes
2210 +diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
2211 +index a3018f109cd3..a7bd4100f158 100644
2212 +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
2213 ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
2214 +@@ -64,7 +64,7 @@ _GLOBAL_TOC(kvmppc_hv_entry_trampoline)
2215 + mtmsrd r0,1 /* clear RI in MSR */
2216 + mtsrr0 r5
2217 + mtsrr1 r6
2218 +- RFI
2219 ++ RFI_TO_KERNEL
2220 +
2221 + kvmppc_call_hv_entry:
2222 + ld r4, HSTATE_KVM_VCPU(r13)
2223 +@@ -164,7 +164,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
2224 + mtsrr0 r8
2225 + mtsrr1 r7
2226 + beq cr1, 13f /* machine check */
2227 +- RFI
2228 ++ RFI_TO_KERNEL
2229 +
2230 + /* On POWER7, we have external interrupts set to use HSRR0/1 */
2231 + 11: mtspr SPRN_HSRR0, r8
2232 +@@ -877,8 +877,7 @@ BEGIN_FTR_SECTION
2233 + END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
2234 + ld r0, VCPU_GPR(R0)(r4)
2235 + ld r4, VCPU_GPR(R4)(r4)
2236 +-
2237 +- hrfid
2238 ++ HRFI_TO_GUEST
2239 + b .
2240 +
2241 + secondary_too_late:
2242 +diff --git a/arch/powerpc/kvm/book3s_rmhandlers.S b/arch/powerpc/kvm/book3s_rmhandlers.S
2243 +index 16c4d88ba27d..a328f99a887c 100644
2244 +--- a/arch/powerpc/kvm/book3s_rmhandlers.S
2245 ++++ b/arch/powerpc/kvm/book3s_rmhandlers.S
2246 +@@ -46,6 +46,9 @@
2247 +
2248 + #define FUNC(name) name
2249 +
2250 ++#define RFI_TO_KERNEL RFI
2251 ++#define RFI_TO_GUEST RFI
2252 ++
2253 + .macro INTERRUPT_TRAMPOLINE intno
2254 +
2255 + .global kvmppc_trampoline_\intno
2256 +@@ -141,7 +144,7 @@ kvmppc_handler_skip_ins:
2257 + GET_SCRATCH0(r13)
2258 +
2259 + /* And get back into the code */
2260 +- RFI
2261 ++ RFI_TO_KERNEL
2262 + #endif
2263 +
2264 + /*
2265 +@@ -164,6 +167,6 @@ _GLOBAL_TOC(kvmppc_entry_trampoline)
2266 + ori r5, r5, MSR_EE
2267 + mtsrr0 r7
2268 + mtsrr1 r6
2269 +- RFI
2270 ++ RFI_TO_KERNEL
2271 +
2272 + #include "book3s_segment.S"
2273 +diff --git a/arch/powerpc/kvm/book3s_segment.S b/arch/powerpc/kvm/book3s_segment.S
2274 +index acee37cde840..af3a91c00b46 100644
2275 +--- a/arch/powerpc/kvm/book3s_segment.S
2276 ++++ b/arch/powerpc/kvm/book3s_segment.S
2277 +@@ -156,7 +156,7 @@ no_dcbz32_on:
2278 + PPC_LL r9, SVCPU_R9(r3)
2279 + PPC_LL r3, (SVCPU_R3)(r3)
2280 +
2281 +- RFI
2282 ++ RFI_TO_GUEST
2283 + kvmppc_handler_trampoline_enter_end:
2284 +
2285 +
2286 +@@ -389,5 +389,5 @@ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
2287 + cmpwi r12, BOOK3S_INTERRUPT_DOORBELL
2288 + beqa BOOK3S_INTERRUPT_DOORBELL
2289 +
2290 +- RFI
2291 ++ RFI_TO_KERNEL
2292 + kvmppc_handler_trampoline_exit_end:
2293 +diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c
2294 +index 7ce3870d7ddd..a18d648d31a6 100644
2295 +--- a/arch/powerpc/lib/feature-fixups.c
2296 ++++ b/arch/powerpc/lib/feature-fixups.c
2297 +@@ -20,6 +20,7 @@
2298 + #include <asm/code-patching.h>
2299 + #include <asm/page.h>
2300 + #include <asm/sections.h>
2301 ++#include <asm/setup.h>
2302 +
2303 +
2304 + struct fixup_entry {
2305 +@@ -113,6 +114,47 @@ void do_feature_fixups(unsigned long value, void *fixup_start, void *fixup_end)
2306 + }
2307 + }
2308 +
2309 ++#ifdef CONFIG_PPC_BOOK3S_64
2310 ++void do_rfi_flush_fixups(enum l1d_flush_type types)
2311 ++{
2312 ++ unsigned int instrs[3], *dest;
2313 ++ long *start, *end;
2314 ++ int i;
2315 ++
2316 ++ start = PTRRELOC(&__start___rfi_flush_fixup),
2317 ++ end = PTRRELOC(&__stop___rfi_flush_fixup);
2318 ++
2319 ++ instrs[0] = 0x60000000; /* nop */
2320 ++ instrs[1] = 0x60000000; /* nop */
2321 ++ instrs[2] = 0x60000000; /* nop */
2322 ++
2323 ++ if (types & L1D_FLUSH_FALLBACK)
2324 ++ /* b .+16 to fallback flush */
2325 ++ instrs[0] = 0x48000010;
2326 ++
2327 ++ i = 0;
2328 ++ if (types & L1D_FLUSH_ORI) {
2329 ++ instrs[i++] = 0x63ff0000; /* ori 31,31,0 speculation barrier */
2330 ++ instrs[i++] = 0x63de0000; /* ori 30,30,0 L1d flush*/
2331 ++ }
2332 ++
2333 ++ if (types & L1D_FLUSH_MTTRIG)
2334 ++ instrs[i++] = 0x7c12dba6; /* mtspr TRIG2,r0 (SPR #882) */
2335 ++
2336 ++ for (i = 0; start < end; start++, i++) {
2337 ++ dest = (void *)start + *start;
2338 ++
2339 ++ pr_devel("patching dest %lx\n", (unsigned long)dest);
2340 ++
2341 ++ patch_instruction(dest, instrs[0]);
2342 ++ patch_instruction(dest + 1, instrs[1]);
2343 ++ patch_instruction(dest + 2, instrs[2]);
2344 ++ }
2345 ++
2346 ++ printk(KERN_DEBUG "rfi-flush: patched %d locations\n", i);
2347 ++}
2348 ++#endif /* CONFIG_PPC_BOOK3S_64 */
2349 ++
2350 + void do_lwsync_fixups(unsigned long value, void *fixup_start, void *fixup_end)
2351 + {
2352 + long *start, *end;
2353 +diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
2354 +index d90893b76e7c..b7e1307fe633 100644
2355 +--- a/arch/powerpc/perf/core-book3s.c
2356 ++++ b/arch/powerpc/perf/core-book3s.c
2357 +@@ -401,8 +401,12 @@ static __u64 power_pmu_bhrb_to(u64 addr)
2358 + int ret;
2359 + __u64 target;
2360 +
2361 +- if (is_kernel_addr(addr))
2362 +- return branch_target((unsigned int *)addr);
2363 ++ if (is_kernel_addr(addr)) {
2364 ++ if (probe_kernel_read(&instr, (void *)addr, sizeof(instr)))
2365 ++ return 0;
2366 ++
2367 ++ return branch_target(&instr);
2368 ++ }
2369 +
2370 + /* Userspace: need copy instruction here then translate it */
2371 + pagefault_disable();
2372 +@@ -1377,7 +1381,7 @@ static int collect_events(struct perf_event *group, int max_count,
2373 + int n = 0;
2374 + struct perf_event *event;
2375 +
2376 +- if (!is_software_event(group)) {
2377 ++ if (group->pmu->task_ctx_nr == perf_hw_context) {
2378 + if (n >= max_count)
2379 + return -1;
2380 + ctrs[n] = group;
2381 +@@ -1385,7 +1389,7 @@ static int collect_events(struct perf_event *group, int max_count,
2382 + events[n++] = group->hw.config;
2383 + }
2384 + list_for_each_entry(event, &group->sibling_list, group_entry) {
2385 +- if (!is_software_event(event) &&
2386 ++ if (event->pmu->task_ctx_nr == perf_hw_context &&
2387 + event->state != PERF_EVENT_STATE_OFF) {
2388 + if (n >= max_count)
2389 + return -1;
2390 +diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
2391 +index 20974478f8d0..e3c98361e6e4 100644
2392 +--- a/arch/powerpc/platforms/powernv/setup.c
2393 ++++ b/arch/powerpc/platforms/powernv/setup.c
2394 +@@ -38,14 +38,63 @@
2395 + #include <asm/cputhreads.h>
2396 + #include <asm/cpuidle.h>
2397 + #include <asm/code-patching.h>
2398 ++#include <asm/setup.h>
2399 +
2400 + #include "powernv.h"
2401 + #include "subcore.h"
2402 +
2403 ++static void pnv_setup_rfi_flush(void)
2404 ++{
2405 ++ struct device_node *np, *fw_features;
2406 ++ enum l1d_flush_type type;
2407 ++ int enable;
2408 ++
2409 ++ /* Default to fallback in case fw-features are not available */
2410 ++ type = L1D_FLUSH_FALLBACK;
2411 ++ enable = 1;
2412 ++
2413 ++ np = of_find_node_by_name(NULL, "ibm,opal");
2414 ++ fw_features = of_get_child_by_name(np, "fw-features");
2415 ++ of_node_put(np);
2416 ++
2417 ++ if (fw_features) {
2418 ++ np = of_get_child_by_name(fw_features, "inst-l1d-flush-trig2");
2419 ++ if (np && of_property_read_bool(np, "enabled"))
2420 ++ type = L1D_FLUSH_MTTRIG;
2421 ++
2422 ++ of_node_put(np);
2423 ++
2424 ++ np = of_get_child_by_name(fw_features, "inst-l1d-flush-ori30,30,0");
2425 ++ if (np && of_property_read_bool(np, "enabled"))
2426 ++ type = L1D_FLUSH_ORI;
2427 ++
2428 ++ of_node_put(np);
2429 ++
2430 ++ /* Enable unless firmware says NOT to */
2431 ++ enable = 2;
2432 ++ np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-hv-1-to-0");
2433 ++ if (np && of_property_read_bool(np, "disabled"))
2434 ++ enable--;
2435 ++
2436 ++ of_node_put(np);
2437 ++
2438 ++ np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-pr-0-to-1");
2439 ++ if (np && of_property_read_bool(np, "disabled"))
2440 ++ enable--;
2441 ++
2442 ++ of_node_put(np);
2443 ++ of_node_put(fw_features);
2444 ++ }
2445 ++
2446 ++ setup_rfi_flush(type, enable > 0);
2447 ++}
2448 ++
2449 + static void __init pnv_setup_arch(void)
2450 + {
2451 + set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT);
2452 +
2453 ++ pnv_setup_rfi_flush();
2454 ++
2455 + /* Initialize SMP */
2456 + pnv_smp_init();
2457 +
2458 +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
2459 +index e6e8b241d717..b4867b4d5a1e 100644
2460 +--- a/arch/powerpc/platforms/pseries/setup.c
2461 ++++ b/arch/powerpc/platforms/pseries/setup.c
2462 +@@ -507,6 +507,39 @@ static void __init find_and_init_phbs(void)
2463 + }
2464 + }
2465 +
2466 ++static void pseries_setup_rfi_flush(void)
2467 ++{
2468 ++ struct h_cpu_char_result result;
2469 ++ enum l1d_flush_type types;
2470 ++ bool enable;
2471 ++ long rc;
2472 ++
2473 ++ /* Enable by default */
2474 ++ enable = true;
2475 ++
2476 ++ rc = plpar_get_cpu_characteristics(&result);
2477 ++ if (rc == H_SUCCESS) {
2478 ++ types = L1D_FLUSH_NONE;
2479 ++
2480 ++ if (result.character & H_CPU_CHAR_L1D_FLUSH_TRIG2)
2481 ++ types |= L1D_FLUSH_MTTRIG;
2482 ++ if (result.character & H_CPU_CHAR_L1D_FLUSH_ORI30)
2483 ++ types |= L1D_FLUSH_ORI;
2484 ++
2485 ++ /* Use fallback if nothing set in hcall */
2486 ++ if (types == L1D_FLUSH_NONE)
2487 ++ types = L1D_FLUSH_FALLBACK;
2488 ++
2489 ++ if (!(result.behaviour & H_CPU_BEHAV_L1D_FLUSH_PR))
2490 ++ enable = false;
2491 ++ } else {
2492 ++ /* Default to fallback if case hcall is not available */
2493 ++ types = L1D_FLUSH_FALLBACK;
2494 ++ }
2495 ++
2496 ++ setup_rfi_flush(types, enable);
2497 ++}
2498 ++
2499 + static void __init pSeries_setup_arch(void)
2500 + {
2501 + set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT);
2502 +@@ -523,7 +556,9 @@ static void __init pSeries_setup_arch(void)
2503 +
2504 + fwnmi_init();
2505 +
2506 +- /* By default, only probe PCI (can be overriden by rtas_pci) */
2507 ++ pseries_setup_rfi_flush();
2508 ++
2509 ++ /* By default, only probe PCI (can be overridden by rtas_pci) */
2510 + pci_add_flags(PCI_PROBE_ONLY);
2511 +
2512 + /* Find and initialize PCI host bridges */
2513 +diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c
2514 +index 437e61159279..86f934255eb6 100644
2515 +--- a/arch/s390/kernel/compat_linux.c
2516 ++++ b/arch/s390/kernel/compat_linux.c
2517 +@@ -110,7 +110,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setregid16, u16, rgid, u16, egid)
2518 +
2519 + COMPAT_SYSCALL_DEFINE1(s390_setgid16, u16, gid)
2520 + {
2521 +- return sys_setgid((gid_t)gid);
2522 ++ return sys_setgid(low2highgid(gid));
2523 + }
2524 +
2525 + COMPAT_SYSCALL_DEFINE2(s390_setreuid16, u16, ruid, u16, euid)
2526 +@@ -120,7 +120,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setreuid16, u16, ruid, u16, euid)
2527 +
2528 + COMPAT_SYSCALL_DEFINE1(s390_setuid16, u16, uid)
2529 + {
2530 +- return sys_setuid((uid_t)uid);
2531 ++ return sys_setuid(low2highuid(uid));
2532 + }
2533 +
2534 + COMPAT_SYSCALL_DEFINE3(s390_setresuid16, u16, ruid, u16, euid, u16, suid)
2535 +@@ -173,12 +173,12 @@ COMPAT_SYSCALL_DEFINE3(s390_getresgid16, u16 __user *, rgidp,
2536 +
2537 + COMPAT_SYSCALL_DEFINE1(s390_setfsuid16, u16, uid)
2538 + {
2539 +- return sys_setfsuid((uid_t)uid);
2540 ++ return sys_setfsuid(low2highuid(uid));
2541 + }
2542 +
2543 + COMPAT_SYSCALL_DEFINE1(s390_setfsgid16, u16, gid)
2544 + {
2545 +- return sys_setfsgid((gid_t)gid);
2546 ++ return sys_setfsgid(low2highgid(gid));
2547 + }
2548 +
2549 + static int groups16_to_user(u16 __user *grouplist, struct group_info *group_info)
2550 +@@ -263,6 +263,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setgroups16, int, gidsetsize, u16 __user *, grouplis
2551 + return retval;
2552 + }
2553 +
2554 ++ groups_sort(group_info);
2555 + retval = set_current_groups(group_info);
2556 + put_group_info(group_info);
2557 +
2558 +diff --git a/arch/sh/kernel/traps_32.c b/arch/sh/kernel/traps_32.c
2559 +index ff639342a8be..c5b997757988 100644
2560 +--- a/arch/sh/kernel/traps_32.c
2561 ++++ b/arch/sh/kernel/traps_32.c
2562 +@@ -607,7 +607,8 @@ asmlinkage void do_divide_error(unsigned long r4)
2563 + break;
2564 + }
2565 +
2566 +- force_sig_info(SIGFPE, &info, current);
2567 ++ info.si_signo = SIGFPE;
2568 ++ force_sig_info(info.si_signo, &info, current);
2569 + }
2570 + #endif
2571 +
2572 +diff --git a/arch/um/Makefile b/arch/um/Makefile
2573 +index 17d4460b1af3..01558aeeba50 100644
2574 +--- a/arch/um/Makefile
2575 ++++ b/arch/um/Makefile
2576 +@@ -116,7 +116,7 @@ archheaders:
2577 + archprepare: include/generated/user_constants.h
2578 +
2579 + LINK-$(CONFIG_LD_SCRIPT_STATIC) += -static
2580 +-LINK-$(CONFIG_LD_SCRIPT_DYN) += -Wl,-rpath,/lib
2581 ++LINK-$(CONFIG_LD_SCRIPT_DYN) += -Wl,-rpath,/lib $(call cc-option, -no-pie)
2582 +
2583 + CFLAGS_NO_HARDENING := $(call cc-option, -fno-PIC,) $(call cc-option, -fno-pic,) \
2584 + $(call cc-option, -fno-stack-protector,) \
2585 +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
2586 +index a3d283addbde..ffb2cb0495c3 100644
2587 +--- a/arch/x86/Kconfig
2588 ++++ b/arch/x86/Kconfig
2589 +@@ -982,7 +982,7 @@ config X86_MCE_THRESHOLD
2590 + def_bool y
2591 +
2592 + config X86_MCE_INJECT
2593 +- depends on X86_MCE
2594 ++ depends on X86_MCE && X86_LOCAL_APIC
2595 + tristate "Machine check injector support"
2596 + ---help---
2597 + Provide support for injecting machine checks for testing purposes.
2598 +diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
2599 +index 78c366462e70..48740eb2910c 100644
2600 +--- a/arch/x86/boot/Makefile
2601 ++++ b/arch/x86/boot/Makefile
2602 +@@ -64,12 +64,13 @@ GCOV_PROFILE := n
2603 + $(obj)/bzImage: asflags-y := $(SVGA_MODE)
2604 +
2605 + quiet_cmd_image = BUILD $@
2606 ++silent_redirect_image = >/dev/null
2607 + cmd_image = $(obj)/tools/build $(obj)/setup.bin $(obj)/vmlinux.bin \
2608 +- $(obj)/zoffset.h $@
2609 ++ $(obj)/zoffset.h $@ $($(quiet)redirect_image)
2610 +
2611 + $(obj)/bzImage: $(obj)/setup.bin $(obj)/vmlinux.bin $(obj)/tools/build FORCE
2612 + $(call if_changed,image)
2613 +- @echo 'Kernel: $@ is ready' ' (#'`cat .version`')'
2614 ++ @$(kecho) 'Kernel: $@ is ready' ' (#'`cat .version`')'
2615 +
2616 + OBJCOPYFLAGS_vmlinux.bin := -O binary -R .note -R .comment -S
2617 + $(obj)/vmlinux.bin: $(obj)/compressed/vmlinux FORCE
2618 +diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
2619 +index 1c3b7ceb36d2..e7273a606a07 100644
2620 +--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
2621 ++++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
2622 +@@ -55,29 +55,31 @@
2623 + #define RAB1bl %bl
2624 + #define RAB2bl %cl
2625 +
2626 ++#define CD0 0x0(%rsp)
2627 ++#define CD1 0x8(%rsp)
2628 ++#define CD2 0x10(%rsp)
2629 ++
2630 ++# used only before/after all rounds
2631 + #define RCD0 %r8
2632 + #define RCD1 %r9
2633 + #define RCD2 %r10
2634 +
2635 +-#define RCD0d %r8d
2636 +-#define RCD1d %r9d
2637 +-#define RCD2d %r10d
2638 +-
2639 +-#define RX0 %rbp
2640 +-#define RX1 %r11
2641 +-#define RX2 %r12
2642 ++# used only during rounds
2643 ++#define RX0 %r8
2644 ++#define RX1 %r9
2645 ++#define RX2 %r10
2646 +
2647 +-#define RX0d %ebp
2648 +-#define RX1d %r11d
2649 +-#define RX2d %r12d
2650 ++#define RX0d %r8d
2651 ++#define RX1d %r9d
2652 ++#define RX2d %r10d
2653 +
2654 +-#define RY0 %r13
2655 +-#define RY1 %r14
2656 +-#define RY2 %r15
2657 ++#define RY0 %r11
2658 ++#define RY1 %r12
2659 ++#define RY2 %r13
2660 +
2661 +-#define RY0d %r13d
2662 +-#define RY1d %r14d
2663 +-#define RY2d %r15d
2664 ++#define RY0d %r11d
2665 ++#define RY1d %r12d
2666 ++#define RY2d %r13d
2667 +
2668 + #define RT0 %rdx
2669 + #define RT1 %rsi
2670 +@@ -85,6 +87,8 @@
2671 + #define RT0d %edx
2672 + #define RT1d %esi
2673 +
2674 ++#define RT1bl %sil
2675 ++
2676 + #define do16bit_ror(rot, op1, op2, T0, T1, tmp1, tmp2, ab, dst) \
2677 + movzbl ab ## bl, tmp2 ## d; \
2678 + movzbl ab ## bh, tmp1 ## d; \
2679 +@@ -92,6 +96,11 @@
2680 + op1##l T0(CTX, tmp2, 4), dst ## d; \
2681 + op2##l T1(CTX, tmp1, 4), dst ## d;
2682 +
2683 ++#define swap_ab_with_cd(ab, cd, tmp) \
2684 ++ movq cd, tmp; \
2685 ++ movq ab, cd; \
2686 ++ movq tmp, ab;
2687 ++
2688 + /*
2689 + * Combined G1 & G2 function. Reordered with help of rotates to have moves
2690 + * at begining.
2691 +@@ -110,15 +119,15 @@
2692 + /* G1,2 && G2,2 */ \
2693 + do16bit_ror(32, xor, xor, Tx2, Tx3, RT0, RT1, ab ## 0, x ## 0); \
2694 + do16bit_ror(16, xor, xor, Ty3, Ty0, RT0, RT1, ab ## 0, y ## 0); \
2695 +- xchgq cd ## 0, ab ## 0; \
2696 ++ swap_ab_with_cd(ab ## 0, cd ## 0, RT0); \
2697 + \
2698 + do16bit_ror(32, xor, xor, Tx2, Tx3, RT0, RT1, ab ## 1, x ## 1); \
2699 + do16bit_ror(16, xor, xor, Ty3, Ty0, RT0, RT1, ab ## 1, y ## 1); \
2700 +- xchgq cd ## 1, ab ## 1; \
2701 ++ swap_ab_with_cd(ab ## 1, cd ## 1, RT0); \
2702 + \
2703 + do16bit_ror(32, xor, xor, Tx2, Tx3, RT0, RT1, ab ## 2, x ## 2); \
2704 + do16bit_ror(16, xor, xor, Ty3, Ty0, RT0, RT1, ab ## 2, y ## 2); \
2705 +- xchgq cd ## 2, ab ## 2;
2706 ++ swap_ab_with_cd(ab ## 2, cd ## 2, RT0);
2707 +
2708 + #define enc_round_end(ab, x, y, n) \
2709 + addl y ## d, x ## d; \
2710 +@@ -168,6 +177,16 @@
2711 + decrypt_round3(ba, dc, (n*2)+1); \
2712 + decrypt_round3(ba, dc, (n*2));
2713 +
2714 ++#define push_cd() \
2715 ++ pushq RCD2; \
2716 ++ pushq RCD1; \
2717 ++ pushq RCD0;
2718 ++
2719 ++#define pop_cd() \
2720 ++ popq RCD0; \
2721 ++ popq RCD1; \
2722 ++ popq RCD2;
2723 ++
2724 + #define inpack3(in, n, xy, m) \
2725 + movq 4*(n)(in), xy ## 0; \
2726 + xorq w+4*m(CTX), xy ## 0; \
2727 +@@ -223,11 +242,8 @@ ENTRY(__twofish_enc_blk_3way)
2728 + * %rdx: src, RIO
2729 + * %rcx: bool, if true: xor output
2730 + */
2731 +- pushq %r15;
2732 +- pushq %r14;
2733 + pushq %r13;
2734 + pushq %r12;
2735 +- pushq %rbp;
2736 + pushq %rbx;
2737 +
2738 + pushq %rcx; /* bool xor */
2739 +@@ -235,40 +251,36 @@ ENTRY(__twofish_enc_blk_3way)
2740 +
2741 + inpack_enc3();
2742 +
2743 +- encrypt_cycle3(RAB, RCD, 0);
2744 +- encrypt_cycle3(RAB, RCD, 1);
2745 +- encrypt_cycle3(RAB, RCD, 2);
2746 +- encrypt_cycle3(RAB, RCD, 3);
2747 +- encrypt_cycle3(RAB, RCD, 4);
2748 +- encrypt_cycle3(RAB, RCD, 5);
2749 +- encrypt_cycle3(RAB, RCD, 6);
2750 +- encrypt_cycle3(RAB, RCD, 7);
2751 ++ push_cd();
2752 ++ encrypt_cycle3(RAB, CD, 0);
2753 ++ encrypt_cycle3(RAB, CD, 1);
2754 ++ encrypt_cycle3(RAB, CD, 2);
2755 ++ encrypt_cycle3(RAB, CD, 3);
2756 ++ encrypt_cycle3(RAB, CD, 4);
2757 ++ encrypt_cycle3(RAB, CD, 5);
2758 ++ encrypt_cycle3(RAB, CD, 6);
2759 ++ encrypt_cycle3(RAB, CD, 7);
2760 ++ pop_cd();
2761 +
2762 + popq RIO; /* dst */
2763 +- popq %rbp; /* bool xor */
2764 ++ popq RT1; /* bool xor */
2765 +
2766 +- testb %bpl, %bpl;
2767 ++ testb RT1bl, RT1bl;
2768 + jnz .L__enc_xor3;
2769 +
2770 + outunpack_enc3(mov);
2771 +
2772 + popq %rbx;
2773 +- popq %rbp;
2774 + popq %r12;
2775 + popq %r13;
2776 +- popq %r14;
2777 +- popq %r15;
2778 + ret;
2779 +
2780 + .L__enc_xor3:
2781 + outunpack_enc3(xor);
2782 +
2783 + popq %rbx;
2784 +- popq %rbp;
2785 + popq %r12;
2786 + popq %r13;
2787 +- popq %r14;
2788 +- popq %r15;
2789 + ret;
2790 + ENDPROC(__twofish_enc_blk_3way)
2791 +
2792 +@@ -278,35 +290,31 @@ ENTRY(twofish_dec_blk_3way)
2793 + * %rsi: dst
2794 + * %rdx: src, RIO
2795 + */
2796 +- pushq %r15;
2797 +- pushq %r14;
2798 + pushq %r13;
2799 + pushq %r12;
2800 +- pushq %rbp;
2801 + pushq %rbx;
2802 +
2803 + pushq %rsi; /* dst */
2804 +
2805 + inpack_dec3();
2806 +
2807 +- decrypt_cycle3(RAB, RCD, 7);
2808 +- decrypt_cycle3(RAB, RCD, 6);
2809 +- decrypt_cycle3(RAB, RCD, 5);
2810 +- decrypt_cycle3(RAB, RCD, 4);
2811 +- decrypt_cycle3(RAB, RCD, 3);
2812 +- decrypt_cycle3(RAB, RCD, 2);
2813 +- decrypt_cycle3(RAB, RCD, 1);
2814 +- decrypt_cycle3(RAB, RCD, 0);
2815 ++ push_cd();
2816 ++ decrypt_cycle3(RAB, CD, 7);
2817 ++ decrypt_cycle3(RAB, CD, 6);
2818 ++ decrypt_cycle3(RAB, CD, 5);
2819 ++ decrypt_cycle3(RAB, CD, 4);
2820 ++ decrypt_cycle3(RAB, CD, 3);
2821 ++ decrypt_cycle3(RAB, CD, 2);
2822 ++ decrypt_cycle3(RAB, CD, 1);
2823 ++ decrypt_cycle3(RAB, CD, 0);
2824 ++ pop_cd();
2825 +
2826 + popq RIO; /* dst */
2827 +
2828 + outunpack_dec3();
2829 +
2830 + popq %rbx;
2831 +- popq %rbp;
2832 + popq %r12;
2833 + popq %r13;
2834 +- popq %r14;
2835 +- popq %r15;
2836 + ret;
2837 + ENDPROC(twofish_dec_blk_3way)
2838 +diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h
2839 +index c97effa6c72b..cb8fd023b23f 100644
2840 +--- a/arch/x86/include/asm/alternative.h
2841 ++++ b/arch/x86/include/asm/alternative.h
2842 +@@ -1,6 +1,8 @@
2843 + #ifndef _ASM_X86_ALTERNATIVE_H
2844 + #define _ASM_X86_ALTERNATIVE_H
2845 +
2846 ++#ifndef __ASSEMBLY__
2847 ++
2848 + #include <linux/types.h>
2849 + #include <linux/stddef.h>
2850 + #include <linux/stringify.h>
2851 +@@ -132,7 +134,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
2852 + ".popsection\n" \
2853 + ".pushsection .altinstr_replacement, \"ax\"\n" \
2854 + ALTINSTR_REPLACEMENT(newinstr, feature, 1) \
2855 +- ".popsection"
2856 ++ ".popsection\n"
2857 +
2858 + #define ALTERNATIVE_2(oldinstr, newinstr1, feature1, newinstr2, feature2)\
2859 + OLDINSTR_2(oldinstr, 1, 2) \
2860 +@@ -143,7 +145,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
2861 + ".pushsection .altinstr_replacement, \"ax\"\n" \
2862 + ALTINSTR_REPLACEMENT(newinstr1, feature1, 1) \
2863 + ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \
2864 +- ".popsection"
2865 ++ ".popsection\n"
2866 +
2867 + /*
2868 + * This must be included *after* the definition of ALTERNATIVE due to
2869 +@@ -265,4 +267,6 @@ extern void *text_poke(void *addr, const void *opcode, size_t len);
2870 + extern int poke_int3_handler(struct pt_regs *regs);
2871 + extern void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler);
2872 +
2873 ++#endif /* __ASSEMBLY__ */
2874 ++
2875 + #endif /* _ASM_X86_ALTERNATIVE_H */
2876 +diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h
2877 +new file mode 100644
2878 +index 000000000000..44b8762fa0c7
2879 +--- /dev/null
2880 ++++ b/arch/x86/include/asm/asm-prototypes.h
2881 +@@ -0,0 +1,16 @@
2882 ++#include <asm/ftrace.h>
2883 ++#include <asm/uaccess.h>
2884 ++#include <asm/string.h>
2885 ++#include <asm/page.h>
2886 ++#include <asm/checksum.h>
2887 ++
2888 ++#include <asm-generic/asm-prototypes.h>
2889 ++
2890 ++#include <asm/page.h>
2891 ++#include <asm/pgtable.h>
2892 ++#include <asm/special_insns.h>
2893 ++#include <asm/preempt.h>
2894 ++
2895 ++#ifndef CONFIG_X86_CMPXCHG64
2896 ++extern void cmpxchg8b_emu(void);
2897 ++#endif
2898 +diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h
2899 +index e2015452177d..37496d271033 100644
2900 +--- a/arch/x86/include/asm/asm.h
2901 ++++ b/arch/x86/include/asm/asm.h
2902 +@@ -88,4 +88,15 @@
2903 + /* For C file, we already have NOKPROBE_SYMBOL macro */
2904 + #endif
2905 +
2906 ++#ifndef __ASSEMBLY__
2907 ++/*
2908 ++ * This output constraint should be used for any inline asm which has a "call"
2909 ++ * instruction. Otherwise the asm may be inserted before the frame pointer
2910 ++ * gets set up by the containing function. If you forget to do this, objtool
2911 ++ * may print a "call without frame pointer save/setup" warning.
2912 ++ */
2913 ++register unsigned long current_stack_pointer asm(_ASM_SP);
2914 ++#define ASM_CALL_CONSTRAINT "+r" (current_stack_pointer)
2915 ++#endif
2916 ++
2917 + #endif /* _ASM_X86_ASM_H */
2918 +diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
2919 +index 959e45b81fe2..0295dd893884 100644
2920 +--- a/arch/x86/include/asm/barrier.h
2921 ++++ b/arch/x86/include/asm/barrier.h
2922 +@@ -24,6 +24,30 @@
2923 + #define wmb() asm volatile("sfence" ::: "memory")
2924 + #endif
2925 +
2926 ++/**
2927 ++ * array_index_mask_nospec() - generate a mask that is ~0UL when the
2928 ++ * bounds check succeeds and 0 otherwise
2929 ++ * @index: array element index
2930 ++ * @size: number of elements in array
2931 ++ *
2932 ++ * Returns:
2933 ++ * 0 - (index < size)
2934 ++ */
2935 ++static inline unsigned long array_index_mask_nospec(unsigned long index,
2936 ++ unsigned long size)
2937 ++{
2938 ++ unsigned long mask;
2939 ++
2940 ++ asm ("cmp %1,%2; sbb %0,%0;"
2941 ++ :"=r" (mask)
2942 ++ :"r"(size),"r" (index)
2943 ++ :"cc");
2944 ++ return mask;
2945 ++}
2946 ++
2947 ++/* Override the default implementation from linux/nospec.h. */
2948 ++#define array_index_mask_nospec array_index_mask_nospec
2949 ++
2950 + #ifdef CONFIG_X86_PPRO_FENCE
2951 + #define dma_rmb() rmb()
2952 + #else
2953 +diff --git a/arch/x86/include/asm/cmdline.h b/arch/x86/include/asm/cmdline.h
2954 +index e01f7f7ccb0c..84ae170bc3d0 100644
2955 +--- a/arch/x86/include/asm/cmdline.h
2956 ++++ b/arch/x86/include/asm/cmdline.h
2957 +@@ -2,5 +2,7 @@
2958 + #define _ASM_X86_CMDLINE_H
2959 +
2960 + int cmdline_find_option_bool(const char *cmdline_ptr, const char *option);
2961 ++int cmdline_find_option(const char *cmdline_ptr, const char *option,
2962 ++ char *buffer, int bufsize);
2963 +
2964 + #endif /* _ASM_X86_CMDLINE_H */
2965 +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
2966 +index 3d6606fb97d0..026c0b4ae086 100644
2967 +--- a/arch/x86/include/asm/cpufeature.h
2968 ++++ b/arch/x86/include/asm/cpufeature.h
2969 +@@ -348,6 +348,8 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
2970 + set_bit(bit, (unsigned long *)cpu_caps_set); \
2971 + } while (0)
2972 +
2973 ++#define setup_force_cpu_bug(bit) setup_force_cpu_cap(bit)
2974 ++
2975 + #define cpu_has_fpu boot_cpu_has(X86_FEATURE_FPU)
2976 + #define cpu_has_de boot_cpu_has(X86_FEATURE_DE)
2977 + #define cpu_has_pse boot_cpu_has(X86_FEATURE_PSE)
2978 +diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
2979 +index f226df064660..8b17c2ad1048 100644
2980 +--- a/arch/x86/include/asm/disabled-features.h
2981 ++++ b/arch/x86/include/asm/disabled-features.h
2982 +@@ -21,11 +21,13 @@
2983 + # define DISABLE_K6_MTRR (1<<(X86_FEATURE_K6_MTRR & 31))
2984 + # define DISABLE_CYRIX_ARR (1<<(X86_FEATURE_CYRIX_ARR & 31))
2985 + # define DISABLE_CENTAUR_MCR (1<<(X86_FEATURE_CENTAUR_MCR & 31))
2986 ++# define DISABLE_PCID 0
2987 + #else
2988 + # define DISABLE_VME 0
2989 + # define DISABLE_K6_MTRR 0
2990 + # define DISABLE_CYRIX_ARR 0
2991 + # define DISABLE_CENTAUR_MCR 0
2992 ++# define DISABLE_PCID (1<<(X86_FEATURE_PCID & 31))
2993 + #endif /* CONFIG_X86_64 */
2994 +
2995 + /*
2996 +@@ -35,7 +37,7 @@
2997 + #define DISABLED_MASK1 0
2998 + #define DISABLED_MASK2 0
2999 + #define DISABLED_MASK3 (DISABLE_CYRIX_ARR|DISABLE_CENTAUR_MCR|DISABLE_K6_MTRR)
3000 +-#define DISABLED_MASK4 0
3001 ++#define DISABLED_MASK4 (DISABLE_PCID)
3002 + #define DISABLED_MASK5 0
3003 + #define DISABLED_MASK6 0
3004 + #define DISABLED_MASK7 0
3005 +diff --git a/arch/x86/include/asm/hardirq.h b/arch/x86/include/asm/hardirq.h
3006 +index 0f5fb6b6567e..ebaf64d0a785 100644
3007 +--- a/arch/x86/include/asm/hardirq.h
3008 ++++ b/arch/x86/include/asm/hardirq.h
3009 +@@ -21,10 +21,6 @@ typedef struct {
3010 + #ifdef CONFIG_SMP
3011 + unsigned int irq_resched_count;
3012 + unsigned int irq_call_count;
3013 +- /*
3014 +- * irq_tlb_count is double-counted in irq_call_count, so it must be
3015 +- * subtracted from irq_call_count when displaying irq_call_count
3016 +- */
3017 + unsigned int irq_tlb_count;
3018 + #endif
3019 + #ifdef CONFIG_X86_THERMAL_VECTOR
3020 +diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
3021 +new file mode 100644
3022 +index 000000000000..6999f7d01a0d
3023 +--- /dev/null
3024 ++++ b/arch/x86/include/asm/intel-family.h
3025 +@@ -0,0 +1,68 @@
3026 ++#ifndef _ASM_X86_INTEL_FAMILY_H
3027 ++#define _ASM_X86_INTEL_FAMILY_H
3028 ++
3029 ++/*
3030 ++ * "Big Core" Processors (Branded as Core, Xeon, etc...)
3031 ++ *
3032 ++ * The "_X" parts are generally the EP and EX Xeons, or the
3033 ++ * "Extreme" ones, like Broadwell-E.
3034 ++ *
3035 ++ * Things ending in "2" are usually because we have no better
3036 ++ * name for them. There's no processor called "WESTMERE2".
3037 ++ */
3038 ++
3039 ++#define INTEL_FAM6_CORE_YONAH 0x0E
3040 ++#define INTEL_FAM6_CORE2_MEROM 0x0F
3041 ++#define INTEL_FAM6_CORE2_MEROM_L 0x16
3042 ++#define INTEL_FAM6_CORE2_PENRYN 0x17
3043 ++#define INTEL_FAM6_CORE2_DUNNINGTON 0x1D
3044 ++
3045 ++#define INTEL_FAM6_NEHALEM 0x1E
3046 ++#define INTEL_FAM6_NEHALEM_EP 0x1A
3047 ++#define INTEL_FAM6_NEHALEM_EX 0x2E
3048 ++#define INTEL_FAM6_WESTMERE 0x25
3049 ++#define INTEL_FAM6_WESTMERE2 0x1F
3050 ++#define INTEL_FAM6_WESTMERE_EP 0x2C
3051 ++#define INTEL_FAM6_WESTMERE_EX 0x2F
3052 ++
3053 ++#define INTEL_FAM6_SANDYBRIDGE 0x2A
3054 ++#define INTEL_FAM6_SANDYBRIDGE_X 0x2D
3055 ++#define INTEL_FAM6_IVYBRIDGE 0x3A
3056 ++#define INTEL_FAM6_IVYBRIDGE_X 0x3E
3057 ++
3058 ++#define INTEL_FAM6_HASWELL_CORE 0x3C
3059 ++#define INTEL_FAM6_HASWELL_X 0x3F
3060 ++#define INTEL_FAM6_HASWELL_ULT 0x45
3061 ++#define INTEL_FAM6_HASWELL_GT3E 0x46
3062 ++
3063 ++#define INTEL_FAM6_BROADWELL_CORE 0x3D
3064 ++#define INTEL_FAM6_BROADWELL_XEON_D 0x56
3065 ++#define INTEL_FAM6_BROADWELL_GT3E 0x47
3066 ++#define INTEL_FAM6_BROADWELL_X 0x4F
3067 ++
3068 ++#define INTEL_FAM6_SKYLAKE_MOBILE 0x4E
3069 ++#define INTEL_FAM6_SKYLAKE_DESKTOP 0x5E
3070 ++#define INTEL_FAM6_SKYLAKE_X 0x55
3071 ++#define INTEL_FAM6_KABYLAKE_MOBILE 0x8E
3072 ++#define INTEL_FAM6_KABYLAKE_DESKTOP 0x9E
3073 ++
3074 ++/* "Small Core" Processors (Atom) */
3075 ++
3076 ++#define INTEL_FAM6_ATOM_PINEVIEW 0x1C
3077 ++#define INTEL_FAM6_ATOM_LINCROFT 0x26
3078 ++#define INTEL_FAM6_ATOM_PENWELL 0x27
3079 ++#define INTEL_FAM6_ATOM_CLOVERVIEW 0x35
3080 ++#define INTEL_FAM6_ATOM_CEDARVIEW 0x36
3081 ++#define INTEL_FAM6_ATOM_SILVERMONT1 0x37 /* BayTrail/BYT / Valleyview */
3082 ++#define INTEL_FAM6_ATOM_SILVERMONT2 0x4D /* Avaton/Rangely */
3083 ++#define INTEL_FAM6_ATOM_AIRMONT 0x4C /* CherryTrail / Braswell */
3084 ++#define INTEL_FAM6_ATOM_MERRIFIELD1 0x4A /* Tangier */
3085 ++#define INTEL_FAM6_ATOM_MERRIFIELD2 0x5A /* Annidale */
3086 ++#define INTEL_FAM6_ATOM_GOLDMONT 0x5C
3087 ++#define INTEL_FAM6_ATOM_DENVERTON 0x5F /* Goldmont Microserver */
3088 ++
3089 ++/* Xeon Phi */
3090 ++
3091 ++#define INTEL_FAM6_XEON_PHI_KNL 0x57 /* Knights Landing */
3092 ++
3093 ++#endif /* _ASM_X86_INTEL_FAMILY_H */
3094 +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
3095 +index 606f5fff1989..6e014befd522 100644
3096 +--- a/arch/x86/include/asm/kvm_host.h
3097 ++++ b/arch/x86/include/asm/kvm_host.h
3098 +@@ -933,7 +933,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2,
3099 + static inline int emulate_instruction(struct kvm_vcpu *vcpu,
3100 + int emulation_type)
3101 + {
3102 +- return x86_emulate_instruction(vcpu, 0, emulation_type, NULL, 0);
3103 ++ return x86_emulate_instruction(vcpu, 0,
3104 ++ emulation_type | EMULTYPE_NO_REEXECUTE, NULL, 0);
3105 + }
3106 +
3107 + void kvm_enable_efer_bits(u64);
3108 +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
3109 +index 23ba6765b718..4ac06db325a2 100644
3110 +--- a/arch/x86/include/asm/processor.h
3111 ++++ b/arch/x86/include/asm/processor.h
3112 +@@ -150,8 +150,8 @@ extern struct cpuinfo_x86 boot_cpu_data;
3113 + extern struct cpuinfo_x86 new_cpu_data;
3114 +
3115 + extern struct tss_struct doublefault_tss;
3116 +-extern __u32 cpu_caps_cleared[NCAPINTS];
3117 +-extern __u32 cpu_caps_set[NCAPINTS];
3118 ++extern __u32 cpu_caps_cleared[NCAPINTS + NBUGINTS];
3119 ++extern __u32 cpu_caps_set[NCAPINTS + NBUGINTS];
3120 +
3121 + #ifdef CONFIG_SMP
3122 + DECLARE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info);
3123 +@@ -701,7 +701,7 @@ static inline void sync_core(void)
3124 + {
3125 + int tmp;
3126 +
3127 +-#ifdef CONFIG_M486
3128 ++#ifdef CONFIG_X86_32
3129 + /*
3130 + * Do a CPUID if available, otherwise do a jump. The jump
3131 + * can conveniently enough be the jump around CPUID.
3132 +diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
3133 +index b4bdec3e9523..b58daa40eae9 100644
3134 +--- a/arch/x86/include/asm/thread_info.h
3135 ++++ b/arch/x86/include/asm/thread_info.h
3136 +@@ -184,17 +184,6 @@ static inline struct thread_info *current_thread_info(void)
3137 + return (struct thread_info *)(current_top_of_stack() - THREAD_SIZE);
3138 + }
3139 +
3140 +-static inline unsigned long current_stack_pointer(void)
3141 +-{
3142 +- unsigned long sp;
3143 +-#ifdef CONFIG_X86_64
3144 +- asm("mov %%rsp,%0" : "=g" (sp));
3145 +-#else
3146 +- asm("mov %%esp,%0" : "=g" (sp));
3147 +-#endif
3148 +- return sp;
3149 +-}
3150 +-
3151 + #else /* !__ASSEMBLY__ */
3152 +
3153 + /* Load thread_info address into "reg" */
3154 +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
3155 +index 7e459b7ee708..13c1a094cead 100644
3156 +--- a/arch/x86/include/asm/tlbflush.h
3157 ++++ b/arch/x86/include/asm/tlbflush.h
3158 +@@ -7,6 +7,54 @@
3159 + #include <asm/processor.h>
3160 + #include <asm/special_insns.h>
3161 +
3162 ++static inline void __invpcid(unsigned long pcid, unsigned long addr,
3163 ++ unsigned long type)
3164 ++{
3165 ++ struct { u64 d[2]; } desc = { { pcid, addr } };
3166 ++
3167 ++ /*
3168 ++ * The memory clobber is because the whole point is to invalidate
3169 ++ * stale TLB entries and, especially if we're flushing global
3170 ++ * mappings, we don't want the compiler to reorder any subsequent
3171 ++ * memory accesses before the TLB flush.
3172 ++ *
3173 ++ * The hex opcode is invpcid (%ecx), %eax in 32-bit mode and
3174 ++ * invpcid (%rcx), %rax in long mode.
3175 ++ */
3176 ++ asm volatile (".byte 0x66, 0x0f, 0x38, 0x82, 0x01"
3177 ++ : : "m" (desc), "a" (type), "c" (&desc) : "memory");
3178 ++}
3179 ++
3180 ++#define INVPCID_TYPE_INDIV_ADDR 0
3181 ++#define INVPCID_TYPE_SINGLE_CTXT 1
3182 ++#define INVPCID_TYPE_ALL_INCL_GLOBAL 2
3183 ++#define INVPCID_TYPE_ALL_NON_GLOBAL 3
3184 ++
3185 ++/* Flush all mappings for a given pcid and addr, not including globals. */
3186 ++static inline void invpcid_flush_one(unsigned long pcid,
3187 ++ unsigned long addr)
3188 ++{
3189 ++ __invpcid(pcid, addr, INVPCID_TYPE_INDIV_ADDR);
3190 ++}
3191 ++
3192 ++/* Flush all mappings for a given PCID, not including globals. */
3193 ++static inline void invpcid_flush_single_context(unsigned long pcid)
3194 ++{
3195 ++ __invpcid(pcid, 0, INVPCID_TYPE_SINGLE_CTXT);
3196 ++}
3197 ++
3198 ++/* Flush all mappings, including globals, for all PCIDs. */
3199 ++static inline void invpcid_flush_all(void)
3200 ++{
3201 ++ __invpcid(0, 0, INVPCID_TYPE_ALL_INCL_GLOBAL);
3202 ++}
3203 ++
3204 ++/* Flush all mappings for all PCIDs except globals. */
3205 ++static inline void invpcid_flush_all_nonglobals(void)
3206 ++{
3207 ++ __invpcid(0, 0, INVPCID_TYPE_ALL_NON_GLOBAL);
3208 ++}
3209 ++
3210 + #ifdef CONFIG_PARAVIRT
3211 + #include <asm/paravirt.h>
3212 + #else
3213 +@@ -86,7 +134,14 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask)
3214 +
3215 + static inline void __native_flush_tlb(void)
3216 + {
3217 ++ /*
3218 ++ * If current->mm == NULL then we borrow a mm which may change during a
3219 ++ * task switch and therefore we must not be preempted while we write CR3
3220 ++ * back:
3221 ++ */
3222 ++ preempt_disable();
3223 + native_write_cr3(native_read_cr3());
3224 ++ preempt_enable();
3225 + }
3226 +
3227 + static inline void __native_flush_tlb_global_irq_disabled(void)
3228 +@@ -104,6 +159,15 @@ static inline void __native_flush_tlb_global(void)
3229 + {
3230 + unsigned long flags;
3231 +
3232 ++ if (static_cpu_has(X86_FEATURE_INVPCID)) {
3233 ++ /*
3234 ++ * Using INVPCID is considerably faster than a pair of writes
3235 ++ * to CR4 sandwiched inside an IRQ flag save/restore.
3236 ++ */
3237 ++ invpcid_flush_all();
3238 ++ return;
3239 ++ }
3240 ++
3241 + /*
3242 + * Read-modify-write to CR4 - protect it from preemption and
3243 + * from interrupts. (Use the raw variant because this code can
3244 +@@ -127,6 +191,14 @@ static inline void __flush_tlb_all(void)
3245 + __flush_tlb_global();
3246 + else
3247 + __flush_tlb();
3248 ++
3249 ++ /*
3250 ++ * Note: if we somehow had PCID but not PGE, then this wouldn't work --
3251 ++ * we'd end up flushing kernel translations for the current ASID but
3252 ++ * we might fail to flush kernel translations for other cached ASIDs.
3253 ++ *
3254 ++ * To avoid this issue, we force PCID off if PGE is off.
3255 ++ */
3256 + }
3257 +
3258 + static inline void __flush_tlb_one(unsigned long addr)
3259 +@@ -140,7 +212,6 @@ static inline void __flush_tlb_one(unsigned long addr)
3260 + /*
3261 + * TLB flushing:
3262 + *
3263 +- * - flush_tlb() flushes the current mm struct TLBs
3264 + * - flush_tlb_all() flushes all processes TLBs
3265 + * - flush_tlb_mm(mm) flushes the specified mm context TLB's
3266 + * - flush_tlb_page(vma, vmaddr) flushes one page
3267 +@@ -172,11 +243,6 @@ static inline void flush_tlb_all(void)
3268 + __flush_tlb_all();
3269 + }
3270 +
3271 +-static inline void flush_tlb(void)
3272 +-{
3273 +- __flush_tlb_up();
3274 +-}
3275 +-
3276 + static inline void local_flush_tlb(void)
3277 + {
3278 + __flush_tlb_up();
3279 +@@ -238,14 +304,11 @@ static inline void flush_tlb_kernel_range(unsigned long start,
3280 + flush_tlb_mm_range(vma->vm_mm, start, end, vma->vm_flags)
3281 +
3282 + extern void flush_tlb_all(void);
3283 +-extern void flush_tlb_current_task(void);
3284 + extern void flush_tlb_page(struct vm_area_struct *, unsigned long);
3285 + extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
3286 + unsigned long end, unsigned long vmflag);
3287 + extern void flush_tlb_kernel_range(unsigned long start, unsigned long end);
3288 +
3289 +-#define flush_tlb() flush_tlb_current_task()
3290 +-
3291 + void native_flush_tlb_others(const struct cpumask *cpumask,
3292 + struct mm_struct *mm,
3293 + unsigned long start, unsigned long end);
3294 +diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
3295 +index d1918a8c4393..9b5f8e6a9864 100644
3296 +--- a/arch/x86/kernel/alternative.c
3297 ++++ b/arch/x86/kernel/alternative.c
3298 +@@ -41,17 +41,6 @@ static int __init setup_noreplace_smp(char *str)
3299 + }
3300 + __setup("noreplace-smp", setup_noreplace_smp);
3301 +
3302 +-#ifdef CONFIG_PARAVIRT
3303 +-static int __initdata_or_module noreplace_paravirt = 0;
3304 +-
3305 +-static int __init setup_noreplace_paravirt(char *str)
3306 +-{
3307 +- noreplace_paravirt = 1;
3308 +- return 1;
3309 +-}
3310 +-__setup("noreplace-paravirt", setup_noreplace_paravirt);
3311 +-#endif
3312 +-
3313 + #define DPRINTK(fmt, args...) \
3314 + do { \
3315 + if (debug_alternative) \
3316 +@@ -326,9 +315,12 @@ done:
3317 + static void __init_or_module optimize_nops(struct alt_instr *a, u8 *instr)
3318 + {
3319 + unsigned long flags;
3320 ++ int i;
3321 +
3322 +- if (instr[0] != 0x90)
3323 +- return;
3324 ++ for (i = 0; i < a->padlen; i++) {
3325 ++ if (instr[i] != 0x90)
3326 ++ return;
3327 ++ }
3328 +
3329 + local_irq_save(flags);
3330 + add_nops(instr + (a->instrlen - a->padlen), a->padlen);
3331 +@@ -571,9 +563,6 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start,
3332 + struct paravirt_patch_site *p;
3333 + char insnbuf[MAX_PATCH_LEN];
3334 +
3335 +- if (noreplace_paravirt)
3336 +- return;
3337 +-
3338 + for (p = start; p < end; p++) {
3339 + unsigned int used;
3340 +
3341 +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
3342 +index f4dc2462a1ac..484ffab4d3e8 100644
3343 +--- a/arch/x86/kernel/apic/io_apic.c
3344 ++++ b/arch/x86/kernel/apic/io_apic.c
3345 +@@ -2728,8 +2728,8 @@ static struct resource * __init ioapic_setup_resources(void)
3346 + res[num].flags = IORESOURCE_MEM | IORESOURCE_BUSY;
3347 + snprintf(mem, IOAPIC_RESOURCE_NAME_SIZE, "IOAPIC %u", i);
3348 + mem += IOAPIC_RESOURCE_NAME_SIZE;
3349 ++ ioapics[i].iomem_res = &res[num];
3350 + num++;
3351 +- ioapics[i].iomem_res = res;
3352 + }
3353 +
3354 + ioapic_resources = res;
3355 +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
3356 +index 03445346ee0a..4c7dd836304a 100644
3357 +--- a/arch/x86/kernel/cpu/bugs.c
3358 ++++ b/arch/x86/kernel/cpu/bugs.c
3359 +@@ -65,6 +65,14 @@ static void __init check_fpu(void)
3360 +
3361 + void __init check_bugs(void)
3362 + {
3363 ++#ifdef CONFIG_X86_32
3364 ++ /*
3365 ++ * Regardless of whether PCID is enumerated, the SDM says
3366 ++ * that it can't be enabled in 32-bit mode.
3367 ++ */
3368 ++ setup_clear_cpu_cap(X86_FEATURE_PCID);
3369 ++#endif
3370 ++
3371 + identify_boot_cpu();
3372 + #ifndef CONFIG_SMP
3373 + pr_info("CPU: ");
3374 +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
3375 +index 5732326ec126..9613a72723cd 100644
3376 +--- a/arch/x86/kernel/cpu/common.c
3377 ++++ b/arch/x86/kernel/cpu/common.c
3378 +@@ -172,6 +172,40 @@ static int __init x86_xsaves_setup(char *s)
3379 + }
3380 + __setup("noxsaves", x86_xsaves_setup);
3381 +
3382 ++#ifdef CONFIG_X86_64
3383 ++static int __init x86_pcid_setup(char *s)
3384 ++{
3385 ++ /* require an exact match without trailing characters */
3386 ++ if (strlen(s))
3387 ++ return 0;
3388 ++
3389 ++ /* do not emit a message if the feature is not present */
3390 ++ if (!boot_cpu_has(X86_FEATURE_PCID))
3391 ++ return 1;
3392 ++
3393 ++ setup_clear_cpu_cap(X86_FEATURE_PCID);
3394 ++ pr_info("nopcid: PCID feature disabled\n");
3395 ++ return 1;
3396 ++}
3397 ++__setup("nopcid", x86_pcid_setup);
3398 ++#endif
3399 ++
3400 ++static int __init x86_noinvpcid_setup(char *s)
3401 ++{
3402 ++ /* noinvpcid doesn't accept parameters */
3403 ++ if (s)
3404 ++ return -EINVAL;
3405 ++
3406 ++ /* do not emit a message if the feature is not present */
3407 ++ if (!boot_cpu_has(X86_FEATURE_INVPCID))
3408 ++ return 0;
3409 ++
3410 ++ setup_clear_cpu_cap(X86_FEATURE_INVPCID);
3411 ++ pr_info("noinvpcid: INVPCID feature disabled\n");
3412 ++ return 0;
3413 ++}
3414 ++early_param("noinvpcid", x86_noinvpcid_setup);
3415 ++
3416 + #ifdef CONFIG_X86_32
3417 + static int cachesize_override = -1;
3418 + static int disable_x86_serial_nr = 1;
3419 +@@ -305,6 +339,25 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
3420 + }
3421 + }
3422 +
3423 ++static void setup_pcid(struct cpuinfo_x86 *c)
3424 ++{
3425 ++ if (cpu_has(c, X86_FEATURE_PCID)) {
3426 ++ if (cpu_has(c, X86_FEATURE_PGE)) {
3427 ++ cr4_set_bits(X86_CR4_PCIDE);
3428 ++ } else {
3429 ++ /*
3430 ++ * flush_tlb_all(), as currently implemented, won't
3431 ++ * work if PCID is on but PGE is not. Since that
3432 ++ * combination doesn't exist on real hardware, there's
3433 ++ * no reason to try to fully support it, but it's
3434 ++ * polite to avoid corrupting data if we're on
3435 ++ * an improperly configured VM.
3436 ++ */
3437 ++ clear_cpu_cap(c, X86_FEATURE_PCID);
3438 ++ }
3439 ++ }
3440 ++}
3441 ++
3442 + /*
3443 + * Some CPU features depend on higher CPUID levels, which may not always
3444 + * be available due to CPUID level capping or broken virtualization
3445 +@@ -383,8 +436,8 @@ static const char *table_lookup_model(struct cpuinfo_x86 *c)
3446 + return NULL; /* Not found */
3447 + }
3448 +
3449 +-__u32 cpu_caps_cleared[NCAPINTS];
3450 +-__u32 cpu_caps_set[NCAPINTS];
3451 ++__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS];
3452 ++__u32 cpu_caps_set[NCAPINTS + NBUGINTS];
3453 +
3454 + void load_percpu_segment(int cpu)
3455 + {
3456 +@@ -613,6 +666,16 @@ void cpu_detect(struct cpuinfo_x86 *c)
3457 + }
3458 + }
3459 +
3460 ++static void apply_forced_caps(struct cpuinfo_x86 *c)
3461 ++{
3462 ++ int i;
3463 ++
3464 ++ for (i = 0; i < NCAPINTS + NBUGINTS; i++) {
3465 ++ c->x86_capability[i] &= ~cpu_caps_cleared[i];
3466 ++ c->x86_capability[i] |= cpu_caps_set[i];
3467 ++ }
3468 ++}
3469 ++
3470 + void get_cpu_cap(struct cpuinfo_x86 *c)
3471 + {
3472 + u32 tfms, xlvl;
3473 +@@ -904,11 +967,8 @@ static void identify_cpu(struct cpuinfo_x86 *c)
3474 + if (this_cpu->c_identify)
3475 + this_cpu->c_identify(c);
3476 +
3477 +- /* Clear/Set all flags overriden by options, after probe */
3478 +- for (i = 0; i < NCAPINTS; i++) {
3479 +- c->x86_capability[i] &= ~cpu_caps_cleared[i];
3480 +- c->x86_capability[i] |= cpu_caps_set[i];
3481 +- }
3482 ++ /* Clear/Set all flags overridden by options, after probe */
3483 ++ apply_forced_caps(c);
3484 +
3485 + #ifdef CONFIG_X86_64
3486 + c->apicid = apic->phys_pkg_id(c->initial_apicid, 0);
3487 +@@ -934,6 +994,9 @@ static void identify_cpu(struct cpuinfo_x86 *c)
3488 + setup_smep(c);
3489 + setup_smap(c);
3490 +
3491 ++ /* Set up PCID */
3492 ++ setup_pcid(c);
3493 ++
3494 + /*
3495 + * The vendor-specific functions might have changed features.
3496 + * Now we do "generic changes."
3497 +@@ -966,10 +1029,7 @@ static void identify_cpu(struct cpuinfo_x86 *c)
3498 + * Clear/Set all flags overriden by options, need do it
3499 + * before following smp all cpus cap AND.
3500 + */
3501 +- for (i = 0; i < NCAPINTS; i++) {
3502 +- c->x86_capability[i] &= ~cpu_caps_cleared[i];
3503 +- c->x86_capability[i] |= cpu_caps_set[i];
3504 +- }
3505 ++ apply_forced_caps(c);
3506 +
3507 + /*
3508 + * On SMP, boot_cpu_data holds the common feature set between
3509 +diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
3510 +index edcb0e28c336..13fb13334f2a 100644
3511 +--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
3512 ++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
3513 +@@ -934,6 +934,8 @@ static int __populate_cache_leaves(unsigned int cpu)
3514 + ci_leaf_init(this_leaf++, &id4_regs);
3515 + __cache_cpumap_setup(cpu, idx, &id4_regs);
3516 + }
3517 ++ this_cpu_ci->cpu_map_populated = true;
3518 ++
3519 + return 0;
3520 + }
3521 +
3522 +diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c
3523 +index 4cfba4371a71..101bfae369e1 100644
3524 +--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
3525 ++++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
3526 +@@ -152,7 +152,6 @@ static void raise_mce(struct mce *m)
3527 + if (context == MCJ_CTX_RANDOM)
3528 + return;
3529 +
3530 +-#ifdef CONFIG_X86_LOCAL_APIC
3531 + if (m->inject_flags & (MCJ_IRQ_BROADCAST | MCJ_NMI_BROADCAST)) {
3532 + unsigned long start;
3533 + int cpu;
3534 +@@ -193,9 +192,7 @@ static void raise_mce(struct mce *m)
3535 + raise_local();
3536 + put_cpu();
3537 + put_online_cpus();
3538 +- } else
3539 +-#endif
3540 +- {
3541 ++ } else {
3542 + preempt_disable();
3543 + raise_local();
3544 + preempt_enable();
3545 +diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
3546 +index 12829c3ced3c..ff422a92f063 100644
3547 +--- a/arch/x86/kernel/cpu/microcode/amd.c
3548 ++++ b/arch/x86/kernel/cpu/microcode/amd.c
3549 +@@ -153,6 +153,7 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size,
3550 + #define F14H_MPB_MAX_SIZE 1824
3551 + #define F15H_MPB_MAX_SIZE 4096
3552 + #define F16H_MPB_MAX_SIZE 3458
3553 ++#define F17H_MPB_MAX_SIZE 3200
3554 +
3555 + switch (family) {
3556 + case 0x14:
3557 +@@ -164,6 +165,9 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size,
3558 + case 0x16:
3559 + max_size = F16H_MPB_MAX_SIZE;
3560 + break;
3561 ++ case 0x17:
3562 ++ max_size = F17H_MPB_MAX_SIZE;
3563 ++ break;
3564 + default:
3565 + max_size = F1XH_MPB_MAX_SIZE;
3566 + break;
3567 +diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
3568 +index 6ca31bf3ccbd..1009c82088ed 100644
3569 +--- a/arch/x86/kernel/cpu/microcode/intel.c
3570 ++++ b/arch/x86/kernel/cpu/microcode/intel.c
3571 +@@ -276,9 +276,17 @@ static bool is_blacklisted(unsigned int cpu)
3572 + {
3573 + struct cpuinfo_x86 *c = &cpu_data(cpu);
3574 +
3575 +- if (c->x86 == 6 && c->x86_model == 79) {
3576 +- pr_err_once("late loading on model 79 is disabled.\n");
3577 +- return true;
3578 ++ /*
3579 ++ * Late loading on model 79 with microcode revision less than 0x0b000021
3580 ++ * may result in a system hang. This behavior is documented in item
3581 ++ * BDF90, #334165 (Intel Xeon Processor E7-8800/4800 v4 Product Family).
3582 ++ */
3583 ++ if (c->x86 == 6 &&
3584 ++ c->x86_model == 79 &&
3585 ++ c->x86_mask == 0x01 &&
3586 ++ c->microcode < 0x0b000021) {
3587 ++ pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode);
3588 ++ pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
3589 + }
3590 +
3591 + return false;
3592 +diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
3593 +index 83f33a2e662f..904b31ebc419 100644
3594 +--- a/arch/x86/kernel/cpu/perf_event.c
3595 ++++ b/arch/x86/kernel/cpu/perf_event.c
3596 +@@ -187,8 +187,8 @@ static void release_pmc_hardware(void) {}
3597 +
3598 + static bool check_hw_exists(void)
3599 + {
3600 +- u64 val, val_fail, val_new= ~0;
3601 +- int i, reg, reg_fail, ret = 0;
3602 ++ u64 val, val_fail = -1, val_new= ~0;
3603 ++ int i, reg, reg_fail = -1, ret = 0;
3604 + int bios_fail = 0;
3605 + int reg_safe = -1;
3606 +
3607 +diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
3608 +index 7e429c99c728..63dd2c971db8 100644
3609 +--- a/arch/x86/kernel/head_32.S
3610 ++++ b/arch/x86/kernel/head_32.S
3611 +@@ -670,14 +670,17 @@ __PAGE_ALIGNED_BSS
3612 + initial_pg_pmd:
3613 + .fill 1024*KPMDS,4,0
3614 + #else
3615 +-ENTRY(initial_page_table)
3616 ++.globl initial_page_table
3617 ++initial_page_table:
3618 + .fill 1024,4,0
3619 + #endif
3620 + initial_pg_fixmap:
3621 + .fill 1024,4,0
3622 +-ENTRY(empty_zero_page)
3623 ++.globl empty_zero_page
3624 ++empty_zero_page:
3625 + .fill 4096,1,0
3626 +-ENTRY(swapper_pg_dir)
3627 ++.globl swapper_pg_dir
3628 ++swapper_pg_dir:
3629 + .fill 1024,4,0
3630 +
3631 + /*
3632 +diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
3633 +index e5952c225532..b6460c5a9cab 100644
3634 +--- a/arch/x86/kernel/irq.c
3635 ++++ b/arch/x86/kernel/irq.c
3636 +@@ -96,8 +96,7 @@ int arch_show_interrupts(struct seq_file *p, int prec)
3637 + seq_puts(p, " Rescheduling interrupts\n");
3638 + seq_printf(p, "%*s: ", prec, "CAL");
3639 + for_each_online_cpu(j)
3640 +- seq_printf(p, "%10u ", irq_stats(j)->irq_call_count -
3641 +- irq_stats(j)->irq_tlb_count);
3642 ++ seq_printf(p, "%10u ", irq_stats(j)->irq_call_count);
3643 + seq_puts(p, " Function call interrupts\n");
3644 + seq_printf(p, "%*s: ", prec, "TLB");
3645 + for_each_online_cpu(j)
3646 +diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
3647 +index f9fd86a7fcc7..9f4ffc122d9e 100644
3648 +--- a/arch/x86/kernel/irq_32.c
3649 ++++ b/arch/x86/kernel/irq_32.c
3650 +@@ -71,7 +71,7 @@ static void call_on_stack(void *func, void *stack)
3651 +
3652 + static inline void *current_stack(void)
3653 + {
3654 +- return (void *)(current_stack_pointer() & ~(THREAD_SIZE - 1));
3655 ++ return (void *)(current_stack_pointer & ~(THREAD_SIZE - 1));
3656 + }
3657 +
3658 + static inline int
3659 +@@ -96,7 +96,7 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
3660 +
3661 + /* Save the next esp at the bottom of the stack */
3662 + prev_esp = (u32 *)irqstk;
3663 +- *prev_esp = current_stack_pointer();
3664 ++ *prev_esp = current_stack_pointer;
3665 +
3666 + if (unlikely(overflow))
3667 + call_on_stack(print_stack_overflow, isp);
3668 +@@ -149,7 +149,7 @@ void do_softirq_own_stack(void)
3669 +
3670 + /* Push the previous esp onto the stack */
3671 + prev_esp = (u32 *)irqstk;
3672 +- *prev_esp = current_stack_pointer();
3673 ++ *prev_esp = current_stack_pointer;
3674 +
3675 + call_on_stack(__do_softirq, isp);
3676 + }
3677 +diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c
3678 +index a1da6737ba5b..a91d9b9b4bde 100644
3679 +--- a/arch/x86/kernel/paravirt_patch_64.c
3680 ++++ b/arch/x86/kernel/paravirt_patch_64.c
3681 +@@ -9,7 +9,6 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
3682 + DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax");
3683 + DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax");
3684 + DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3");
3685 +-DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)");
3686 + DEF_NATIVE(pv_cpu_ops, clts, "clts");
3687 + DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd");
3688 +
3689 +@@ -57,7 +56,6 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
3690 + PATCH_SITE(pv_mmu_ops, read_cr3);
3691 + PATCH_SITE(pv_mmu_ops, write_cr3);
3692 + PATCH_SITE(pv_cpu_ops, clts);
3693 +- PATCH_SITE(pv_mmu_ops, flush_tlb_single);
3694 + PATCH_SITE(pv_cpu_ops, wbinvd);
3695 +
3696 + patch_site:
3697 +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
3698 +index 0549ae3cb332..d9ea27ec9dbd 100644
3699 +--- a/arch/x86/kernel/reboot.c
3700 ++++ b/arch/x86/kernel/reboot.c
3701 +@@ -93,6 +93,10 @@ void __noreturn machine_real_restart(unsigned int type)
3702 + load_cr3(initial_page_table);
3703 + #else
3704 + write_cr3(real_mode_header->trampoline_pgd);
3705 ++
3706 ++ /* Exiting long mode will fail if CR4.PCIDE is set. */
3707 ++ if (static_cpu_has(X86_FEATURE_PCID))
3708 ++ cr4_clear_bits(X86_CR4_PCIDE);
3709 + #endif
3710 +
3711 + /* Jump to the identity-mapped low memory code */
3712 +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
3713 +index 50e547eac8cd..f6911cc90a81 100644
3714 +--- a/arch/x86/kernel/smpboot.c
3715 ++++ b/arch/x86/kernel/smpboot.c
3716 +@@ -107,25 +107,16 @@ static inline void smpboot_setup_warm_reset_vector(unsigned long start_eip)
3717 + spin_lock_irqsave(&rtc_lock, flags);
3718 + CMOS_WRITE(0xa, 0xf);
3719 + spin_unlock_irqrestore(&rtc_lock, flags);
3720 +- local_flush_tlb();
3721 +- pr_debug("1.\n");
3722 + *((volatile unsigned short *)phys_to_virt(TRAMPOLINE_PHYS_HIGH)) =
3723 + start_eip >> 4;
3724 +- pr_debug("2.\n");
3725 + *((volatile unsigned short *)phys_to_virt(TRAMPOLINE_PHYS_LOW)) =
3726 + start_eip & 0xf;
3727 +- pr_debug("3.\n");
3728 + }
3729 +
3730 + static inline void smpboot_restore_warm_reset_vector(void)
3731 + {
3732 + unsigned long flags;
3733 +
3734 +- /*
3735 +- * Install writable page 0 entry to set BIOS data area.
3736 +- */
3737 +- local_flush_tlb();
3738 +-
3739 + /*
3740 + * Paranoid: Set warm reset code and vector here back
3741 + * to default values.
3742 +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
3743 +index 020248f2cec4..e78c6783a2de 100644
3744 +--- a/arch/x86/kernel/traps.c
3745 ++++ b/arch/x86/kernel/traps.c
3746 +@@ -175,7 +175,7 @@ void ist_begin_non_atomic(struct pt_regs *regs)
3747 + * from double_fault.
3748 + */
3749 + BUG_ON((unsigned long)(current_top_of_stack() -
3750 +- current_stack_pointer()) >= THREAD_SIZE);
3751 ++ current_stack_pointer) >= THREAD_SIZE);
3752 +
3753 + preempt_count_sub(HARDIRQ_OFFSET);
3754 + }
3755 +diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
3756 +index fc9db6ef2a95..e0ae0a8ad5bd 100644
3757 +--- a/arch/x86/kernel/vm86_32.c
3758 ++++ b/arch/x86/kernel/vm86_32.c
3759 +@@ -194,7 +194,7 @@ static void mark_screen_rdonly(struct mm_struct *mm)
3760 + pte_unmap_unlock(pte, ptl);
3761 + out:
3762 + up_write(&mm->mmap_sem);
3763 +- flush_tlb();
3764 ++ flush_tlb_mm_range(mm, 0xA0000, 0xA0000 + 32*PAGE_SIZE, 0UL);
3765 + }
3766 +
3767 +
3768 +diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
3769 +index 413a7bf9efbb..64c1920515ea 100644
3770 +--- a/arch/x86/kvm/Kconfig
3771 ++++ b/arch/x86/kvm/Kconfig
3772 +@@ -22,7 +22,7 @@ config KVM
3773 + depends on HAVE_KVM
3774 + depends on HIGH_RES_TIMERS
3775 + # for TASKSTATS/TASK_DELAY_ACCT:
3776 +- depends on NET
3777 ++ depends on NET && MULTIUSER
3778 + select PREEMPT_NOTIFIERS
3779 + select MMU_NOTIFIER
3780 + select ANON_INODES
3781 +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
3782 +index d877a59f8de8..dd49efe915e1 100644
3783 +--- a/arch/x86/kvm/emulate.c
3784 ++++ b/arch/x86/kvm/emulate.c
3785 +@@ -4480,6 +4480,8 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
3786 + bool op_prefix = false;
3787 + bool has_seg_override = false;
3788 + struct opcode opcode;
3789 ++ u16 dummy;
3790 ++ struct desc_struct desc;
3791 +
3792 + ctxt->memop.type = OP_NONE;
3793 + ctxt->memopp = NULL;
3794 +@@ -4498,6 +4500,11 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
3795 + switch (mode) {
3796 + case X86EMUL_MODE_REAL:
3797 + case X86EMUL_MODE_VM86:
3798 ++ def_op_bytes = def_ad_bytes = 2;
3799 ++ ctxt->ops->get_segment(ctxt, &dummy, &desc, NULL, VCPU_SREG_CS);
3800 ++ if (desc.d)
3801 ++ def_op_bytes = def_ad_bytes = 4;
3802 ++ break;
3803 + case X86EMUL_MODE_PROT16:
3804 + def_op_bytes = def_ad_bytes = 2;
3805 + break;
3806 +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
3807 +index c5ecf85227e0..6b87d8bcdcdd 100644
3808 +--- a/arch/x86/kvm/svm.c
3809 ++++ b/arch/x86/kvm/svm.c
3810 +@@ -3947,6 +3947,25 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
3811 + "mov %%r13, %c[r13](%[svm]) \n\t"
3812 + "mov %%r14, %c[r14](%[svm]) \n\t"
3813 + "mov %%r15, %c[r15](%[svm]) \n\t"
3814 ++#endif
3815 ++ /*
3816 ++ * Clear host registers marked as clobbered to prevent
3817 ++ * speculative use.
3818 ++ */
3819 ++ "xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
3820 ++ "xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
3821 ++ "xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
3822 ++ "xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
3823 ++ "xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
3824 ++#ifdef CONFIG_X86_64
3825 ++ "xor %%r8, %%r8 \n\t"
3826 ++ "xor %%r9, %%r9 \n\t"
3827 ++ "xor %%r10, %%r10 \n\t"
3828 ++ "xor %%r11, %%r11 \n\t"
3829 ++ "xor %%r12, %%r12 \n\t"
3830 ++ "xor %%r13, %%r13 \n\t"
3831 ++ "xor %%r14, %%r14 \n\t"
3832 ++ "xor %%r15, %%r15 \n\t"
3833 + #endif
3834 + "pop %%" _ASM_BP
3835 + :
3836 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
3837 +index 84f2825f19b5..ffd5502dd215 100644
3838 +--- a/arch/x86/kvm/vmx.c
3839 ++++ b/arch/x86/kvm/vmx.c
3840 +@@ -32,6 +32,7 @@
3841 + #include <linux/slab.h>
3842 + #include <linux/tboot.h>
3843 + #include <linux/hrtimer.h>
3844 ++#include <linux/nospec.h>
3845 + #include "kvm_cache_regs.h"
3846 + #include "x86.h"
3847 +
3848 +@@ -770,13 +771,18 @@ static const unsigned short vmcs_field_to_offset_table[] = {
3849 +
3850 + static inline short vmcs_field_to_offset(unsigned long field)
3851 + {
3852 +- BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
3853 ++ const size_t size = ARRAY_SIZE(vmcs_field_to_offset_table);
3854 ++ unsigned short offset;
3855 +
3856 +- if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) ||
3857 +- vmcs_field_to_offset_table[field] == 0)
3858 ++ BUILD_BUG_ON(size > SHRT_MAX);
3859 ++ if (field >= size)
3860 + return -ENOENT;
3861 +
3862 +- return vmcs_field_to_offset_table[field];
3863 ++ field = array_index_nospec(field, size);
3864 ++ offset = vmcs_field_to_offset_table[field];
3865 ++ if (offset == 0)
3866 ++ return -ENOENT;
3867 ++ return offset;
3868 + }
3869 +
3870 + static inline struct vmcs12 *get_vmcs12(struct kvm_vcpu *vcpu)
3871 +@@ -4356,7 +4362,7 @@ static int vmx_vm_has_apicv(struct kvm *kvm)
3872 + return enable_apicv && irqchip_in_kernel(kvm);
3873 + }
3874 +
3875 +-static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
3876 ++static void vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
3877 + {
3878 + struct vcpu_vmx *vmx = to_vmx(vcpu);
3879 + int max_irr;
3880 +@@ -4367,19 +4373,15 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
3881 + vmx->nested.pi_pending) {
3882 + vmx->nested.pi_pending = false;
3883 + if (!pi_test_and_clear_on(vmx->nested.pi_desc))
3884 +- return 0;
3885 ++ return;
3886 +
3887 + max_irr = find_last_bit(
3888 + (unsigned long *)vmx->nested.pi_desc->pir, 256);
3889 +
3890 + if (max_irr == 256)
3891 +- return 0;
3892 ++ return;
3893 +
3894 + vapic_page = kmap(vmx->nested.virtual_apic_page);
3895 +- if (!vapic_page) {
3896 +- WARN_ON(1);
3897 +- return -ENOMEM;
3898 +- }
3899 + __kvm_apic_update_irr(vmx->nested.pi_desc->pir, vapic_page);
3900 + kunmap(vmx->nested.virtual_apic_page);
3901 +
3902 +@@ -4390,7 +4392,6 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
3903 + vmcs_write16(GUEST_INTR_STATUS, status);
3904 + }
3905 + }
3906 +- return 0;
3907 + }
3908 +
3909 + static inline bool kvm_vcpu_trigger_posted_interrupt(struct kvm_vcpu *vcpu)
3910 +@@ -4412,14 +4413,15 @@ static int vmx_deliver_nested_posted_interrupt(struct kvm_vcpu *vcpu,
3911 +
3912 + if (is_guest_mode(vcpu) &&
3913 + vector == vmx->nested.posted_intr_nv) {
3914 +- /* the PIR and ON have been set by L1. */
3915 +- kvm_vcpu_trigger_posted_interrupt(vcpu);
3916 + /*
3917 + * If a posted intr is not recognized by hardware,
3918 + * we will accomplish it in the next vmentry.
3919 + */
3920 + vmx->nested.pi_pending = true;
3921 + kvm_make_request(KVM_REQ_EVENT, vcpu);
3922 ++ /* the PIR and ON have been set by L1. */
3923 ++ if (!kvm_vcpu_trigger_posted_interrupt(vcpu))
3924 ++ kvm_vcpu_kick(vcpu);
3925 + return 0;
3926 + }
3927 + return -1;
3928 +@@ -4762,7 +4764,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu)
3929 + vmcs_writel(GUEST_SYSENTER_ESP, 0);
3930 + vmcs_writel(GUEST_SYSENTER_EIP, 0);
3931 +
3932 +- vmcs_writel(GUEST_RFLAGS, 0x02);
3933 ++ kvm_set_rflags(vcpu, X86_EFLAGS_FIXED);
3934 + kvm_rip_write(vcpu, 0xfff0);
3935 +
3936 + vmcs_writel(GUEST_GDTR_BASE, 0);
3937 +@@ -5921,7 +5923,7 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
3938 + if (test_bit(KVM_REQ_EVENT, &vcpu->requests))
3939 + return 1;
3940 +
3941 +- err = emulate_instruction(vcpu, EMULTYPE_NO_REEXECUTE);
3942 ++ err = emulate_instruction(vcpu, 0);
3943 +
3944 + if (err == EMULATE_USER_EXIT) {
3945 + ++vcpu->stat.mmio_exits;
3946 +@@ -8252,6 +8254,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
3947 + /* Save guest registers, load host registers, keep flags */
3948 + "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
3949 + "pop %0 \n\t"
3950 ++ "setbe %c[fail](%0)\n\t"
3951 + "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
3952 + "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
3953 + __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
3954 +@@ -8268,12 +8271,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
3955 + "mov %%r13, %c[r13](%0) \n\t"
3956 + "mov %%r14, %c[r14](%0) \n\t"
3957 + "mov %%r15, %c[r15](%0) \n\t"
3958 ++ "xor %%r8d, %%r8d \n\t"
3959 ++ "xor %%r9d, %%r9d \n\t"
3960 ++ "xor %%r10d, %%r10d \n\t"
3961 ++ "xor %%r11d, %%r11d \n\t"
3962 ++ "xor %%r12d, %%r12d \n\t"
3963 ++ "xor %%r13d, %%r13d \n\t"
3964 ++ "xor %%r14d, %%r14d \n\t"
3965 ++ "xor %%r15d, %%r15d \n\t"
3966 + #endif
3967 + "mov %%cr2, %%" _ASM_AX " \n\t"
3968 + "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
3969 +
3970 ++ "xor %%eax, %%eax \n\t"
3971 ++ "xor %%ebx, %%ebx \n\t"
3972 ++ "xor %%esi, %%esi \n\t"
3973 ++ "xor %%edi, %%edi \n\t"
3974 + "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
3975 +- "setbe %c[fail](%0) \n\t"
3976 + ".pushsection .rodata \n\t"
3977 + ".global vmx_return \n\t"
3978 + "vmx_return: " _ASM_PTR " 2b \n\t"
3979 +@@ -8806,11 +8820,6 @@ static inline bool nested_vmx_merge_msr_bitmap(struct kvm_vcpu *vcpu,
3980 + return false;
3981 + }
3982 + msr_bitmap = (unsigned long *)kmap(page);
3983 +- if (!msr_bitmap) {
3984 +- nested_release_page_clean(page);
3985 +- WARN_ON(1);
3986 +- return false;
3987 +- }
3988 +
3989 + if (nested_cpu_has_virt_x2apic_mode(vmcs12)) {
3990 + if (nested_cpu_has_apic_reg_virt(vmcs12))
3991 +@@ -9720,7 +9729,8 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu, bool external_intr)
3992 + return 0;
3993 + }
3994 +
3995 +- return vmx_complete_nested_posted_interrupt(vcpu);
3996 ++ vmx_complete_nested_posted_interrupt(vcpu);
3997 ++ return 0;
3998 + }
3999 +
4000 + static u32 vmx_get_preemption_timer_value(struct kvm_vcpu *vcpu)
4001 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
4002 +index e4e7d45fd551..e05cb66b575b 100644
4003 +--- a/arch/x86/kvm/x86.c
4004 ++++ b/arch/x86/kvm/x86.c
4005 +@@ -4188,7 +4188,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v)
4006 + addr, n, v))
4007 + && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
4008 + break;
4009 +- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
4010 ++ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
4011 + handled += n;
4012 + addr += n;
4013 + len -= n;
4014 +@@ -4427,7 +4427,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
4015 + {
4016 + if (vcpu->mmio_read_completed) {
4017 + trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
4018 +- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
4019 ++ vcpu->mmio_fragments[0].gpa, val);
4020 + vcpu->mmio_read_completed = 0;
4021 + return 1;
4022 + }
4023 +@@ -4449,14 +4449,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
4024 +
4025 + static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
4026 + {
4027 +- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
4028 ++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
4029 + return vcpu_mmio_write(vcpu, gpa, bytes, val);
4030 + }
4031 +
4032 + static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
4033 + void *val, int bytes)
4034 + {
4035 +- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
4036 ++ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
4037 + return X86EMUL_IO_NEEDED;
4038 + }
4039 +
4040 +@@ -5187,7 +5187,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu)
4041 + vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
4042 + vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
4043 + vcpu->run->internal.ndata = 0;
4044 +- r = EMULATE_FAIL;
4045 ++ r = EMULATE_USER_EXIT;
4046 + }
4047 + kvm_queue_exception(vcpu, UD_VECTOR);
4048 +
4049 +@@ -6737,7 +6737,7 @@ int kvm_arch_vcpu_ioctl_set_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
4050 + #endif
4051 +
4052 + kvm_rip_write(vcpu, regs->rip);
4053 +- kvm_set_rflags(vcpu, regs->rflags);
4054 ++ kvm_set_rflags(vcpu, regs->rflags | X86_EFLAGS_FIXED);
4055 +
4056 + vcpu->arch.exception.pending = false;
4057 +
4058 +@@ -7927,6 +7927,13 @@ static int apf_put_user(struct kvm_vcpu *vcpu, u32 val)
4059 + sizeof(val));
4060 + }
4061 +
4062 ++static int apf_get_user(struct kvm_vcpu *vcpu, u32 *val)
4063 ++{
4064 ++
4065 ++ return kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apf.data, val,
4066 ++ sizeof(u32));
4067 ++}
4068 ++
4069 + void kvm_arch_async_page_not_present(struct kvm_vcpu *vcpu,
4070 + struct kvm_async_pf *work)
4071 + {
4072 +@@ -7953,21 +7960,32 @@ void kvm_arch_async_page_present(struct kvm_vcpu *vcpu,
4073 + struct kvm_async_pf *work)
4074 + {
4075 + struct x86_exception fault;
4076 ++ u32 val;
4077 +
4078 +- trace_kvm_async_pf_ready(work->arch.token, work->gva);
4079 + if (work->wakeup_all)
4080 + work->arch.token = ~0; /* broadcast wakeup */
4081 + else
4082 + kvm_del_async_pf_gfn(vcpu, work->arch.gfn);
4083 ++ trace_kvm_async_pf_ready(work->arch.token, work->gva);
4084 +
4085 +- if ((vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED) &&
4086 +- !apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) {
4087 +- fault.vector = PF_VECTOR;
4088 +- fault.error_code_valid = true;
4089 +- fault.error_code = 0;
4090 +- fault.nested_page_fault = false;
4091 +- fault.address = work->arch.token;
4092 +- kvm_inject_page_fault(vcpu, &fault);
4093 ++ if (vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED &&
4094 ++ !apf_get_user(vcpu, &val)) {
4095 ++ if (val == KVM_PV_REASON_PAGE_NOT_PRESENT &&
4096 ++ vcpu->arch.exception.pending &&
4097 ++ vcpu->arch.exception.nr == PF_VECTOR &&
4098 ++ !apf_put_user(vcpu, 0)) {
4099 ++ vcpu->arch.exception.pending = false;
4100 ++ vcpu->arch.exception.nr = 0;
4101 ++ vcpu->arch.exception.has_error_code = false;
4102 ++ vcpu->arch.exception.error_code = 0;
4103 ++ } else if (!apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) {
4104 ++ fault.vector = PF_VECTOR;
4105 ++ fault.error_code_valid = true;
4106 ++ fault.error_code = 0;
4107 ++ fault.nested_page_fault = false;
4108 ++ fault.address = work->arch.token;
4109 ++ kvm_inject_page_fault(vcpu, &fault);
4110 ++ }
4111 + }
4112 + vcpu->arch.apf.halted = false;
4113 + vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;
4114 +diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S
4115 +index 9bc944a91274..b7518368492a 100644
4116 +--- a/arch/x86/lib/checksum_32.S
4117 ++++ b/arch/x86/lib/checksum_32.S
4118 +@@ -29,7 +29,8 @@
4119 + #include <asm/dwarf2.h>
4120 + #include <asm/errno.h>
4121 + #include <asm/asm.h>
4122 +-
4123 ++#include <asm/nospec-branch.h>
4124 ++
4125 + /*
4126 + * computes a partial checksum, e.g. for TCP/UDP fragments
4127 + */
4128 +@@ -159,7 +160,7 @@ ENTRY(csum_partial)
4129 + negl %ebx
4130 + lea 45f(%ebx,%ebx,2), %ebx
4131 + testl %esi, %esi
4132 +- jmp *%ebx
4133 ++ JMP_NOSPEC %ebx
4134 +
4135 + # Handle 2-byte-aligned regions
4136 + 20: addw (%esi), %ax
4137 +@@ -446,7 +447,7 @@ ENTRY(csum_partial_copy_generic)
4138 + andl $-32,%edx
4139 + lea 3f(%ebx,%ebx), %ebx
4140 + testl %esi, %esi
4141 +- jmp *%ebx
4142 ++ JMP_NOSPEC %ebx
4143 + 1: addl $64,%esi
4144 + addl $64,%edi
4145 + SRC(movb -32(%edx),%bl) ; SRC(movb (%edx),%bl)
4146 +diff --git a/arch/x86/lib/cmdline.c b/arch/x86/lib/cmdline.c
4147 +index 422db000d727..a744506856b1 100644
4148 +--- a/arch/x86/lib/cmdline.c
4149 ++++ b/arch/x86/lib/cmdline.c
4150 +@@ -82,3 +82,108 @@ int cmdline_find_option_bool(const char *cmdline, const char *option)
4151 +
4152 + return 0; /* Buffer overrun */
4153 + }
4154 ++
4155 ++/*
4156 ++ * Find a non-boolean option (i.e. option=argument). In accordance with
4157 ++ * standard Linux practice, if this option is repeated, this returns the
4158 ++ * last instance on the command line.
4159 ++ *
4160 ++ * @cmdline: the cmdline string
4161 ++ * @max_cmdline_size: the maximum size of cmdline
4162 ++ * @option: option string to look for
4163 ++ * @buffer: memory buffer to return the option argument
4164 ++ * @bufsize: size of the supplied memory buffer
4165 ++ *
4166 ++ * Returns the length of the argument (regardless of if it was
4167 ++ * truncated to fit in the buffer), or -1 on not found.
4168 ++ */
4169 ++static int
4170 ++__cmdline_find_option(const char *cmdline, int max_cmdline_size,
4171 ++ const char *option, char *buffer, int bufsize)
4172 ++{
4173 ++ char c;
4174 ++ int pos = 0, len = -1;
4175 ++ const char *opptr = NULL;
4176 ++ char *bufptr = buffer;
4177 ++ enum {
4178 ++ st_wordstart = 0, /* Start of word/after whitespace */
4179 ++ st_wordcmp, /* Comparing this word */
4180 ++ st_wordskip, /* Miscompare, skip */
4181 ++ st_bufcpy, /* Copying this to buffer */
4182 ++ } state = st_wordstart;
4183 ++
4184 ++ if (!cmdline)
4185 ++ return -1; /* No command line */
4186 ++
4187 ++ /*
4188 ++ * This 'pos' check ensures we do not overrun
4189 ++ * a non-NULL-terminated 'cmdline'
4190 ++ */
4191 ++ while (pos++ < max_cmdline_size) {
4192 ++ c = *(char *)cmdline++;
4193 ++ if (!c)
4194 ++ break;
4195 ++
4196 ++ switch (state) {
4197 ++ case st_wordstart:
4198 ++ if (myisspace(c))
4199 ++ break;
4200 ++
4201 ++ state = st_wordcmp;
4202 ++ opptr = option;
4203 ++ /* fall through */
4204 ++
4205 ++ case st_wordcmp:
4206 ++ if ((c == '=') && !*opptr) {
4207 ++ /*
4208 ++ * We matched all the way to the end of the
4209 ++ * option we were looking for, prepare to
4210 ++ * copy the argument.
4211 ++ */
4212 ++ len = 0;
4213 ++ bufptr = buffer;
4214 ++ state = st_bufcpy;
4215 ++ break;
4216 ++ } else if (c == *opptr++) {
4217 ++ /*
4218 ++ * We are currently matching, so continue
4219 ++ * to the next character on the cmdline.
4220 ++ */
4221 ++ break;
4222 ++ }
4223 ++ state = st_wordskip;
4224 ++ /* fall through */
4225 ++
4226 ++ case st_wordskip:
4227 ++ if (myisspace(c))
4228 ++ state = st_wordstart;
4229 ++ break;
4230 ++
4231 ++ case st_bufcpy:
4232 ++ if (myisspace(c)) {
4233 ++ state = st_wordstart;
4234 ++ } else {
4235 ++ /*
4236 ++ * Increment len, but don't overrun the
4237 ++ * supplied buffer and leave room for the
4238 ++ * NULL terminator.
4239 ++ */
4240 ++ if (++len < bufsize)
4241 ++ *bufptr++ = c;
4242 ++ }
4243 ++ break;
4244 ++ }
4245 ++ }
4246 ++
4247 ++ if (bufsize)
4248 ++ *bufptr = '\0';
4249 ++
4250 ++ return len;
4251 ++}
4252 ++
4253 ++int cmdline_find_option(const char *cmdline, const char *option, char *buffer,
4254 ++ int bufsize)
4255 ++{
4256 ++ return __cmdline_find_option(cmdline, COMMAND_LINE_SIZE, option,
4257 ++ buffer, bufsize);
4258 ++}
4259 +diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
4260 +index a4512359656a..3917307fca99 100644
4261 +--- a/arch/x86/lib/getuser.S
4262 ++++ b/arch/x86/lib/getuser.S
4263 +@@ -40,6 +40,8 @@ ENTRY(__get_user_1)
4264 + GET_THREAD_INFO(%_ASM_DX)
4265 + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
4266 + jae bad_get_user
4267 ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
4268 ++ and %_ASM_DX, %_ASM_AX
4269 + ASM_STAC
4270 + 1: movzbl (%_ASM_AX),%edx
4271 + xor %eax,%eax
4272 +@@ -55,6 +57,8 @@ ENTRY(__get_user_2)
4273 + GET_THREAD_INFO(%_ASM_DX)
4274 + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
4275 + jae bad_get_user
4276 ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
4277 ++ and %_ASM_DX, %_ASM_AX
4278 + ASM_STAC
4279 + 2: movzwl -1(%_ASM_AX),%edx
4280 + xor %eax,%eax
4281 +@@ -70,6 +74,8 @@ ENTRY(__get_user_4)
4282 + GET_THREAD_INFO(%_ASM_DX)
4283 + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
4284 + jae bad_get_user
4285 ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
4286 ++ and %_ASM_DX, %_ASM_AX
4287 + ASM_STAC
4288 + 3: movl -3(%_ASM_AX),%edx
4289 + xor %eax,%eax
4290 +@@ -86,6 +92,8 @@ ENTRY(__get_user_8)
4291 + GET_THREAD_INFO(%_ASM_DX)
4292 + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
4293 + jae bad_get_user
4294 ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
4295 ++ and %_ASM_DX, %_ASM_AX
4296 + ASM_STAC
4297 + 4: movq -7(%_ASM_AX),%rdx
4298 + xor %eax,%eax
4299 +@@ -97,6 +105,8 @@ ENTRY(__get_user_8)
4300 + GET_THREAD_INFO(%_ASM_DX)
4301 + cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
4302 + jae bad_get_user_8
4303 ++ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
4304 ++ and %_ASM_DX, %_ASM_AX
4305 + ASM_STAC
4306 + 4: movl -7(%_ASM_AX),%edx
4307 + 5: movl -3(%_ASM_AX),%ecx
4308 +diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
4309 +index a482d105172b..d893640d5c68 100644
4310 +--- a/arch/x86/mm/Makefile
4311 ++++ b/arch/x86/mm/Makefile
4312 +@@ -1,5 +1,5 @@
4313 + obj-y := init.o init_$(BITS).o fault.o ioremap.o extable.o pageattr.o mmap.o \
4314 +- pat.o pgtable.o physaddr.o gup.o setup_nx.o
4315 ++ pat.o pgtable.o physaddr.o gup.o setup_nx.o tlb.o
4316 +
4317 + # Make sure __phys_addr has no stackprotector
4318 + nostackp := $(call cc-option, -fno-stack-protector)
4319 +@@ -9,7 +9,6 @@ CFLAGS_setup_nx.o := $(nostackp)
4320 + CFLAGS_fault.o := -I$(src)/../include/asm/trace
4321 +
4322 + obj-$(CONFIG_X86_PAT) += pat_rbtree.o
4323 +-obj-$(CONFIG_SMP) += tlb.o
4324 +
4325 + obj-$(CONFIG_X86_32) += pgtable_32.o iomap_32.o
4326 +
4327 +diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
4328 +index 3e1bb1c8daea..6fae65ea51d6 100644
4329 +--- a/arch/x86/mm/init.c
4330 ++++ b/arch/x86/mm/init.c
4331 +@@ -758,7 +758,7 @@ DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate) = {
4332 + #endif
4333 + .cr4 = ~0UL, /* fail hard if we screw up cr4 shadow initialization */
4334 + };
4335 +-EXPORT_SYMBOL_GPL(cpu_tlbstate);
4336 ++EXPORT_PER_CPU_SYMBOL(cpu_tlbstate);
4337 +
4338 + void update_cache_mode_entry(unsigned entry, enum page_cache_mode cache)
4339 + {
4340 +diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
4341 +index 70e7444c6835..5f3e167daefd 100644
4342 +--- a/arch/x86/mm/ioremap.c
4343 ++++ b/arch/x86/mm/ioremap.c
4344 +@@ -304,11 +304,11 @@ void iounmap(volatile void __iomem *addr)
4345 + (void __force *)addr < phys_to_virt(ISA_END_ADDRESS))
4346 + return;
4347 +
4348 ++ mmiotrace_iounmap(addr);
4349 ++
4350 + addr = (volatile void __iomem *)
4351 + (PAGE_MASK & (unsigned long __force)addr);
4352 +
4353 +- mmiotrace_iounmap(addr);
4354 +-
4355 + /* Use the vm area unlocked, assuming the caller
4356 + ensures there isn't another iounmap for the same address
4357 + in parallel. Reuse of the virtual address is prevented by
4358 +diff --git a/arch/x86/mm/kmmio.c b/arch/x86/mm/kmmio.c
4359 +index ddb2244b06a1..76604c8a2a48 100644
4360 +--- a/arch/x86/mm/kmmio.c
4361 ++++ b/arch/x86/mm/kmmio.c
4362 +@@ -434,17 +434,18 @@ int register_kmmio_probe(struct kmmio_probe *p)
4363 + unsigned long flags;
4364 + int ret = 0;
4365 + unsigned long size = 0;
4366 ++ unsigned long addr = p->addr & PAGE_MASK;
4367 + const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK);
4368 + unsigned int l;
4369 + pte_t *pte;
4370 +
4371 + spin_lock_irqsave(&kmmio_lock, flags);
4372 +- if (get_kmmio_probe(p->addr)) {
4373 ++ if (get_kmmio_probe(addr)) {
4374 + ret = -EEXIST;
4375 + goto out;
4376 + }
4377 +
4378 +- pte = lookup_address(p->addr, &l);
4379 ++ pte = lookup_address(addr, &l);
4380 + if (!pte) {
4381 + ret = -EINVAL;
4382 + goto out;
4383 +@@ -453,7 +454,7 @@ int register_kmmio_probe(struct kmmio_probe *p)
4384 + kmmio_count++;
4385 + list_add_rcu(&p->list, &kmmio_probes);
4386 + while (size < size_lim) {
4387 +- if (add_kmmio_fault_page(p->addr + size))
4388 ++ if (add_kmmio_fault_page(addr + size))
4389 + pr_err("Unable to set page fault.\n");
4390 + size += page_level_size(l);
4391 + }
4392 +@@ -527,19 +528,20 @@ void unregister_kmmio_probe(struct kmmio_probe *p)
4393 + {
4394 + unsigned long flags;
4395 + unsigned long size = 0;
4396 ++ unsigned long addr = p->addr & PAGE_MASK;
4397 + const unsigned long size_lim = p->len + (p->addr & ~PAGE_MASK);
4398 + struct kmmio_fault_page *release_list = NULL;
4399 + struct kmmio_delayed_release *drelease;
4400 + unsigned int l;
4401 + pte_t *pte;
4402 +
4403 +- pte = lookup_address(p->addr, &l);
4404 ++ pte = lookup_address(addr, &l);
4405 + if (!pte)
4406 + return;
4407 +
4408 + spin_lock_irqsave(&kmmio_lock, flags);
4409 + while (size < size_lim) {
4410 +- release_kmmio_fault_page(p->addr + size, &release_list);
4411 ++ release_kmmio_fault_page(addr + size, &release_list);
4412 + size += page_level_size(l);
4413 + }
4414 + list_del_rcu(&p->list);
4415 +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
4416 +index 061e0114005e..cd6e3339b19e 100644
4417 +--- a/arch/x86/mm/tlb.c
4418 ++++ b/arch/x86/mm/tlb.c
4419 +@@ -28,6 +28,8 @@
4420 + * Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
4421 + */
4422 +
4423 ++#ifdef CONFIG_SMP
4424 ++
4425 + struct flush_tlb_info {
4426 + struct mm_struct *flush_mm;
4427 + unsigned long flush_start;
4428 +@@ -153,23 +155,6 @@ void native_flush_tlb_others(const struct cpumask *cpumask,
4429 + smp_call_function_many(cpumask, flush_tlb_func, &info, 1);
4430 + }
4431 +
4432 +-void flush_tlb_current_task(void)
4433 +-{
4434 +- struct mm_struct *mm = current->mm;
4435 +-
4436 +- preempt_disable();
4437 +-
4438 +- count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
4439 +-
4440 +- /* This is an implicit full barrier that synchronizes with switch_mm. */
4441 +- local_flush_tlb();
4442 +-
4443 +- trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL);
4444 +- if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
4445 +- flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
4446 +- preempt_enable();
4447 +-}
4448 +-
4449 + /*
4450 + * See Documentation/x86/tlb.txt for details. We choose 33
4451 + * because it is large enough to cover the vast majority (at
4452 +@@ -190,6 +175,12 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
4453 + unsigned long base_pages_to_flush = TLB_FLUSH_ALL;
4454 +
4455 + preempt_disable();
4456 ++
4457 ++ if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB))
4458 ++ base_pages_to_flush = (end - start) >> PAGE_SHIFT;
4459 ++ if (base_pages_to_flush > tlb_single_page_flush_ceiling)
4460 ++ base_pages_to_flush = TLB_FLUSH_ALL;
4461 ++
4462 + if (current->active_mm != mm) {
4463 + /* Synchronize with switch_mm. */
4464 + smp_mb();
4465 +@@ -206,15 +197,11 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
4466 + goto out;
4467 + }
4468 +
4469 +- if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB))
4470 +- base_pages_to_flush = (end - start) >> PAGE_SHIFT;
4471 +-
4472 + /*
4473 + * Both branches below are implicit full barriers (MOV to CR or
4474 + * INVLPG) that synchronize with switch_mm.
4475 + */
4476 +- if (base_pages_to_flush > tlb_single_page_flush_ceiling) {
4477 +- base_pages_to_flush = TLB_FLUSH_ALL;
4478 ++ if (base_pages_to_flush == TLB_FLUSH_ALL) {
4479 + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
4480 + local_flush_tlb();
4481 + } else {
4482 +@@ -346,3 +333,5 @@ static int __init create_tlb_single_page_flush_ceiling(void)
4483 + return 0;
4484 + }
4485 + late_initcall(create_tlb_single_page_flush_ceiling);
4486 ++
4487 ++#endif /* CONFIG_SMP */
4488 +diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c
4489 +index 1d2e6392f5fa..f24bd7249536 100644
4490 +--- a/arch/x86/oprofile/nmi_int.c
4491 ++++ b/arch/x86/oprofile/nmi_int.c
4492 +@@ -471,7 +471,7 @@ static int nmi_setup(void)
4493 + goto fail;
4494 +
4495 + for_each_possible_cpu(cpu) {
4496 +- if (!cpu)
4497 ++ if (!IS_ENABLED(CONFIG_SMP) || !cpu)
4498 + continue;
4499 +
4500 + memcpy(per_cpu(cpu_msrs, cpu).counters,
4501 +diff --git a/arch/x86/platform/olpc/olpc-xo15-sci.c b/arch/x86/platform/olpc/olpc-xo15-sci.c
4502 +index 55130846ac87..c0533fbc39e3 100644
4503 +--- a/arch/x86/platform/olpc/olpc-xo15-sci.c
4504 ++++ b/arch/x86/platform/olpc/olpc-xo15-sci.c
4505 +@@ -196,6 +196,7 @@ static int xo15_sci_remove(struct acpi_device *device)
4506 + return 0;
4507 + }
4508 +
4509 ++#ifdef CONFIG_PM_SLEEP
4510 + static int xo15_sci_resume(struct device *dev)
4511 + {
4512 + /* Enable all EC events */
4513 +@@ -207,6 +208,7 @@ static int xo15_sci_resume(struct device *dev)
4514 +
4515 + return 0;
4516 + }
4517 ++#endif
4518 +
4519 + static SIMPLE_DEV_PM_OPS(xo15_sci_pm, NULL, xo15_sci_resume);
4520 +
4521 +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
4522 +index 1ecae556d4ed..809730c09e2b 100644
4523 +--- a/arch/x86/xen/enlighten.c
4524 ++++ b/arch/x86/xen/enlighten.c
4525 +@@ -432,6 +432,12 @@ static void __init xen_init_cpuid_mask(void)
4526 + ~((1 << X86_FEATURE_MTRR) | /* disable MTRR */
4527 + (1 << X86_FEATURE_ACC)); /* thermal monitoring */
4528 +
4529 ++ /*
4530 ++ * Xen PV would need some work to support PCID: CR3 handling as well
4531 ++ * as xen_flush_tlb_others() would need updating.
4532 ++ */
4533 ++ cpuid_leaf1_ecx_mask &= ~(1 << (X86_FEATURE_PCID % 32)); /* disable PCID */
4534 ++
4535 + if (!xen_initial_domain())
4536 + cpuid_leaf1_edx_mask &=
4537 + ~((1 << X86_FEATURE_ACPI)); /* disable ACPI */
4538 +diff --git a/arch/xtensa/include/asm/futex.h b/arch/xtensa/include/asm/futex.h
4539 +index b39531babec0..72bfc1cbc2b5 100644
4540 +--- a/arch/xtensa/include/asm/futex.h
4541 ++++ b/arch/xtensa/include/asm/futex.h
4542 +@@ -109,7 +109,6 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
4543 + u32 oldval, u32 newval)
4544 + {
4545 + int ret = 0;
4546 +- u32 prev;
4547 +
4548 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
4549 + return -EFAULT;
4550 +@@ -120,26 +119,24 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
4551 +
4552 + __asm__ __volatile__ (
4553 + " # futex_atomic_cmpxchg_inatomic\n"
4554 +- "1: l32i %1, %3, 0\n"
4555 +- " mov %0, %5\n"
4556 +- " wsr %1, scompare1\n"
4557 +- "2: s32c1i %0, %3, 0\n"
4558 +- "3:\n"
4559 ++ " wsr %5, scompare1\n"
4560 ++ "1: s32c1i %1, %4, 0\n"
4561 ++ " s32i %1, %6, 0\n"
4562 ++ "2:\n"
4563 + " .section .fixup,\"ax\"\n"
4564 + " .align 4\n"
4565 +- "4: .long 3b\n"
4566 +- "5: l32r %1, 4b\n"
4567 +- " movi %0, %6\n"
4568 ++ "3: .long 2b\n"
4569 ++ "4: l32r %1, 3b\n"
4570 ++ " movi %0, %7\n"
4571 + " jx %1\n"
4572 + " .previous\n"
4573 + " .section __ex_table,\"a\"\n"
4574 +- " .long 1b,5b,2b,5b\n"
4575 ++ " .long 1b,4b\n"
4576 + " .previous\n"
4577 +- : "+r" (ret), "=&r" (prev), "+m" (*uaddr)
4578 +- : "r" (uaddr), "r" (oldval), "r" (newval), "I" (-EFAULT)
4579 ++ : "+r" (ret), "+r" (newval), "+m" (*uaddr), "+m" (*uval)
4580 ++ : "r" (uaddr), "r" (oldval), "r" (uval), "I" (-EFAULT)
4581 + : "memory");
4582 +
4583 +- *uval = prev;
4584 + return ret;
4585 + }
4586 +
4587 +diff --git a/block/bio.c b/block/bio.c
4588 +index d9cf77c6a847..f90b2abe2fa7 100644
4589 +--- a/block/bio.c
4590 ++++ b/block/bio.c
4591 +@@ -1290,6 +1290,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
4592 + int ret, offset;
4593 + struct iov_iter i;
4594 + struct iovec iov;
4595 ++ struct bio_vec *bvec;
4596 +
4597 + iov_for_each(iov, i, *iter) {
4598 + unsigned long uaddr = (unsigned long) iov.iov_base;
4599 +@@ -1334,7 +1335,12 @@ struct bio *bio_map_user_iov(struct request_queue *q,
4600 + ret = get_user_pages_fast(uaddr, local_nr_pages,
4601 + (iter->type & WRITE) != WRITE,
4602 + &pages[cur_page]);
4603 +- if (ret < local_nr_pages) {
4604 ++ if (unlikely(ret < local_nr_pages)) {
4605 ++ for (j = cur_page; j < page_limit; j++) {
4606 ++ if (!pages[j])
4607 ++ break;
4608 ++ put_page(pages[j]);
4609 ++ }
4610 + ret = -EFAULT;
4611 + goto out_unmap;
4612 + }
4613 +@@ -1396,10 +1402,8 @@ struct bio *bio_map_user_iov(struct request_queue *q,
4614 + return bio;
4615 +
4616 + out_unmap:
4617 +- for (j = 0; j < nr_pages; j++) {
4618 +- if (!pages[j])
4619 +- break;
4620 +- page_cache_release(pages[j]);
4621 ++ bio_for_each_segment_all(bvec, bio, j) {
4622 ++ put_page(bvec->bv_page);
4623 + }
4624 + out:
4625 + kfree(pages);
4626 +diff --git a/crypto/ahash.c b/crypto/ahash.c
4627 +index f9caf0f74199..7006dbfd39bd 100644
4628 +--- a/crypto/ahash.c
4629 ++++ b/crypto/ahash.c
4630 +@@ -637,5 +637,16 @@ struct hash_alg_common *ahash_attr_alg(struct rtattr *rta, u32 type, u32 mask)
4631 + }
4632 + EXPORT_SYMBOL_GPL(ahash_attr_alg);
4633 +
4634 ++bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg)
4635 ++{
4636 ++ struct crypto_alg *alg = &halg->base;
4637 ++
4638 ++ if (alg->cra_type != &crypto_ahash_type)
4639 ++ return crypto_shash_alg_has_setkey(__crypto_shash_alg(alg));
4640 ++
4641 ++ return __crypto_ahash_alg(alg)->setkey != NULL;
4642 ++}
4643 ++EXPORT_SYMBOL_GPL(crypto_hash_alg_has_setkey);
4644 ++
4645 + MODULE_LICENSE("GPL");
4646 + MODULE_DESCRIPTION("Asynchronous cryptographic hash type");
4647 +diff --git a/crypto/algapi.c b/crypto/algapi.c
4648 +index 4e69f3161888..35f5efb2ecff 100644
4649 +--- a/crypto/algapi.c
4650 ++++ b/crypto/algapi.c
4651 +@@ -160,6 +160,18 @@ void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list,
4652 +
4653 + spawn->alg = NULL;
4654 + spawns = &inst->alg.cra_users;
4655 ++
4656 ++ /*
4657 ++ * We may encounter an unregistered instance here, since
4658 ++ * an instance's spawns are set up prior to the instance
4659 ++ * being registered. An unregistered instance will have
4660 ++ * NULL ->cra_users.next, since ->cra_users isn't
4661 ++ * properly initialized until registration. But an
4662 ++ * unregistered instance cannot have any users, so treat
4663 ++ * it the same as ->cra_users being empty.
4664 ++ */
4665 ++ if (spawns->next == NULL)
4666 ++ break;
4667 + }
4668 + } while ((spawns = crypto_more_spawns(alg, &stack, &top,
4669 + &secondary_spawns)));
4670 +diff --git a/crypto/cryptd.c b/crypto/cryptd.c
4671 +index 66c9e8262572..4e76f1db3e68 100644
4672 +--- a/crypto/cryptd.c
4673 ++++ b/crypto/cryptd.c
4674 +@@ -645,7 +645,8 @@ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
4675 + inst->alg.finup = cryptd_hash_finup_enqueue;
4676 + inst->alg.export = cryptd_hash_export;
4677 + inst->alg.import = cryptd_hash_import;
4678 +- inst->alg.setkey = cryptd_hash_setkey;
4679 ++ if (crypto_shash_alg_has_setkey(salg))
4680 ++ inst->alg.setkey = cryptd_hash_setkey;
4681 + inst->alg.digest = cryptd_hash_digest_enqueue;
4682 +
4683 + err = ahash_register_instance(tmpl, inst);
4684 +diff --git a/crypto/mcryptd.c b/crypto/mcryptd.c
4685 +index cfb68a889ef6..cbe0135839df 100644
4686 +--- a/crypto/mcryptd.c
4687 ++++ b/crypto/mcryptd.c
4688 +@@ -80,6 +80,7 @@ static int mcryptd_init_queue(struct mcryptd_queue *queue,
4689 + pr_debug("cpu_queue #%d %p\n", cpu, queue->cpu_queue);
4690 + crypto_init_queue(&cpu_queue->queue, max_cpu_qlen);
4691 + INIT_WORK(&cpu_queue->work, mcryptd_queue_worker);
4692 ++ spin_lock_init(&cpu_queue->q_lock);
4693 + }
4694 + return 0;
4695 + }
4696 +@@ -103,15 +104,16 @@ static int mcryptd_enqueue_request(struct mcryptd_queue *queue,
4697 + int cpu, err;
4698 + struct mcryptd_cpu_queue *cpu_queue;
4699 +
4700 +- cpu = get_cpu();
4701 +- cpu_queue = this_cpu_ptr(queue->cpu_queue);
4702 +- rctx->tag.cpu = cpu;
4703 ++ cpu_queue = raw_cpu_ptr(queue->cpu_queue);
4704 ++ spin_lock(&cpu_queue->q_lock);
4705 ++ cpu = smp_processor_id();
4706 ++ rctx->tag.cpu = smp_processor_id();
4707 +
4708 + err = crypto_enqueue_request(&cpu_queue->queue, request);
4709 + pr_debug("enqueue request: cpu %d cpu_queue %p request %p\n",
4710 + cpu, cpu_queue, request);
4711 ++ spin_unlock(&cpu_queue->q_lock);
4712 + queue_work_on(cpu, kcrypto_wq, &cpu_queue->work);
4713 +- put_cpu();
4714 +
4715 + return err;
4716 + }
4717 +@@ -164,16 +166,11 @@ static void mcryptd_queue_worker(struct work_struct *work)
4718 + cpu_queue = container_of(work, struct mcryptd_cpu_queue, work);
4719 + i = 0;
4720 + while (i < MCRYPTD_BATCH || single_task_running()) {
4721 +- /*
4722 +- * preempt_disable/enable is used to prevent
4723 +- * being preempted by mcryptd_enqueue_request()
4724 +- */
4725 +- local_bh_disable();
4726 +- preempt_disable();
4727 ++
4728 ++ spin_lock_bh(&cpu_queue->q_lock);
4729 + backlog = crypto_get_backlog(&cpu_queue->queue);
4730 + req = crypto_dequeue_request(&cpu_queue->queue);
4731 +- preempt_enable();
4732 +- local_bh_enable();
4733 ++ spin_unlock_bh(&cpu_queue->q_lock);
4734 +
4735 + if (!req) {
4736 + mcryptd_opportunistic_flush();
4737 +@@ -188,7 +185,7 @@ static void mcryptd_queue_worker(struct work_struct *work)
4738 + ++i;
4739 + }
4740 + if (cpu_queue->queue.qlen)
4741 +- queue_work(kcrypto_wq, &cpu_queue->work);
4742 ++ queue_work_on(smp_processor_id(), kcrypto_wq, &cpu_queue->work);
4743 + }
4744 +
4745 + void mcryptd_flusher(struct work_struct *__work)
4746 +diff --git a/drivers/Makefile b/drivers/Makefile
4747 +index d7407f0b0d3b..bffce51498df 100644
4748 +--- a/drivers/Makefile
4749 ++++ b/drivers/Makefile
4750 +@@ -93,6 +93,7 @@ obj-$(CONFIG_TC) += tc/
4751 + obj-$(CONFIG_UWB) += uwb/
4752 + obj-$(CONFIG_USB_PHY) += usb/
4753 + obj-$(CONFIG_USB) += usb/
4754 ++obj-$(CONFIG_USB_SUPPORT) += usb/
4755 + obj-$(CONFIG_PCI) += usb/
4756 + obj-$(CONFIG_USB_GADGET) += usb/
4757 + obj-$(CONFIG_OF) += usb/
4758 +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
4759 +index 568f2b942aac..0272d53d5bcb 100644
4760 +--- a/drivers/acpi/acpi_processor.c
4761 ++++ b/drivers/acpi/acpi_processor.c
4762 +@@ -315,15 +315,6 @@ static int acpi_processor_get_info(struct acpi_device *device)
4763 + pr->throttling.duty_width = acpi_gbl_FADT.duty_width;
4764 +
4765 + pr->pblk = object.processor.pblk_address;
4766 +-
4767 +- /*
4768 +- * We don't care about error returns - we just try to mark
4769 +- * these reserved so that nobody else is confused into thinking
4770 +- * that this region might be unused..
4771 +- *
4772 +- * (In particular, allocating the IO range for Cardbus)
4773 +- */
4774 +- request_region(pr->throttling.address, 6, "ACPI CPU throttle");
4775 + }
4776 +
4777 + /*
4778 +diff --git a/drivers/acpi/apei/erst.c b/drivers/acpi/apei/erst.c
4779 +index ed65e9c4b5b0..ba4930c0e98c 100644
4780 +--- a/drivers/acpi/apei/erst.c
4781 ++++ b/drivers/acpi/apei/erst.c
4782 +@@ -1023,7 +1023,7 @@ skip:
4783 + /* The record may be cleared by others, try read next record */
4784 + if (len == -ENOENT)
4785 + goto skip;
4786 +- else if (len < sizeof(*rcd)) {
4787 ++ else if (len < 0 || len < sizeof(*rcd)) {
4788 + rc = -EIO;
4789 + goto out;
4790 + }
4791 +diff --git a/drivers/acpi/processor_throttling.c b/drivers/acpi/processor_throttling.c
4792 +index 84243c32e29c..f3df4b5e5fc9 100644
4793 +--- a/drivers/acpi/processor_throttling.c
4794 ++++ b/drivers/acpi/processor_throttling.c
4795 +@@ -680,6 +680,15 @@ static int acpi_processor_get_throttling_fadt(struct acpi_processor *pr)
4796 + if (!pr->flags.throttling)
4797 + return -ENODEV;
4798 +
4799 ++ /*
4800 ++ * We don't care about error returns - we just try to mark
4801 ++ * these reserved so that nobody else is confused into thinking
4802 ++ * that this region might be unused..
4803 ++ *
4804 ++ * (In particular, allocating the IO range for Cardbus)
4805 ++ */
4806 ++ request_region(pr->throttling.address, 6, "ACPI CPU throttle");
4807 ++
4808 + pr->throttling.state = 0;
4809 +
4810 + duty_mask = pr->throttling.state_count - 1;
4811 +diff --git a/drivers/acpi/sbshc.c b/drivers/acpi/sbshc.c
4812 +index bf034f8b7c1a..030ab2f543df 100644
4813 +--- a/drivers/acpi/sbshc.c
4814 ++++ b/drivers/acpi/sbshc.c
4815 +@@ -309,8 +309,8 @@ static int acpi_smbus_hc_add(struct acpi_device *device)
4816 + device->driver_data = hc;
4817 +
4818 + acpi_ec_add_query_handler(hc->ec, hc->query_bit, NULL, smbus_alarm, hc);
4819 +- printk(KERN_INFO PREFIX "SBS HC: EC = 0x%p, offset = 0x%0x, query_bit = 0x%0x\n",
4820 +- hc->ec, hc->offset, hc->query_bit);
4821 ++ dev_info(&device->dev, "SBS HC: offset = 0x%0x, query_bit = 0x%0x\n",
4822 ++ hc->offset, hc->query_bit);
4823 +
4824 + return 0;
4825 + }
4826 +diff --git a/drivers/android/binder.c b/drivers/android/binder.c
4827 +index 235ba1fbabdb..b834278c0c4d 100644
4828 +--- a/drivers/android/binder.c
4829 ++++ b/drivers/android/binder.c
4830 +@@ -2618,6 +2618,8 @@ static unsigned int binder_poll(struct file *filp,
4831 + binder_lock(__func__);
4832 +
4833 + thread = binder_get_thread(proc);
4834 ++ if (!thread)
4835 ++ return POLLERR;
4836 +
4837 + wait_for_proc_work = thread->transaction_stack == NULL &&
4838 + list_empty(&thread->todo) && thread->return_error == BR_OK;
4839 +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
4840 +index 34825d63d483..3b0cebb2122b 100644
4841 +--- a/drivers/ata/ahci.c
4842 ++++ b/drivers/ata/ahci.c
4843 +@@ -388,6 +388,11 @@ static const struct pci_device_id ahci_pci_tbl[] = {
4844 + { PCI_VDEVICE(INTEL, 0xa20e), board_ahci }, /* Lewisburg RAID*/
4845 + { PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
4846 + { PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
4847 ++ { PCI_VDEVICE(INTEL, 0xa356), board_ahci }, /* Cannon Lake PCH-H RAID */
4848 ++ { PCI_VDEVICE(INTEL, 0x0f22), board_ahci }, /* Bay Trail AHCI */
4849 ++ { PCI_VDEVICE(INTEL, 0x0f23), board_ahci }, /* Bay Trail AHCI */
4850 ++ { PCI_VDEVICE(INTEL, 0x22a3), board_ahci }, /* Cherry Trail AHCI */
4851 ++ { PCI_VDEVICE(INTEL, 0x5ae3), board_ahci }, /* Apollo Lake AHCI */
4852 +
4853 + /* JMicron 360/1/3/5/6, match class to avoid IDE function */
4854 + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
4855 +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
4856 +index 4c0dac27882f..b31d6853ba7a 100644
4857 +--- a/drivers/ata/libata-core.c
4858 ++++ b/drivers/ata/libata-core.c
4859 +@@ -4145,6 +4145,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
4860 + * https://bugzilla.kernel.org/show_bug.cgi?id=121671
4861 + */
4862 + { "LITEON CX1-JB*-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 },
4863 ++ { "LITEON EP1-*", NULL, ATA_HORKAGE_MAX_SEC_1024 },
4864 +
4865 + /* Devices we expect to fail diagnostics */
4866 +
4867 +diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c
4868 +index fdba441457ec..3f5fb95b0f4c 100644
4869 +--- a/drivers/base/cacheinfo.c
4870 ++++ b/drivers/base/cacheinfo.c
4871 +@@ -106,6 +106,9 @@ static int cache_shared_cpu_map_setup(unsigned int cpu)
4872 + unsigned int index;
4873 + int ret;
4874 +
4875 ++ if (this_cpu_ci->cpu_map_populated)
4876 ++ return 0;
4877 ++
4878 + ret = cache_setup_of_node(cpu);
4879 + if (ret)
4880 + return ret;
4881 +diff --git a/drivers/base/power/trace.c b/drivers/base/power/trace.c
4882 +index a311cfa4c5bd..a6975795e7f3 100644
4883 +--- a/drivers/base/power/trace.c
4884 ++++ b/drivers/base/power/trace.c
4885 +@@ -166,14 +166,14 @@ void generate_pm_trace(const void *tracedata, unsigned int user)
4886 + }
4887 + EXPORT_SYMBOL(generate_pm_trace);
4888 +
4889 +-extern char __tracedata_start, __tracedata_end;
4890 ++extern char __tracedata_start[], __tracedata_end[];
4891 + static int show_file_hash(unsigned int value)
4892 + {
4893 + int match;
4894 + char *tracedata;
4895 +
4896 + match = 0;
4897 +- for (tracedata = &__tracedata_start ; tracedata < &__tracedata_end ;
4898 ++ for (tracedata = __tracedata_start ; tracedata < __tracedata_end ;
4899 + tracedata += 2 + sizeof(unsigned long)) {
4900 + unsigned short lineno = *(unsigned short *)tracedata;
4901 + const char *file = *(const char **)(tracedata + 2);
4902 +diff --git a/drivers/block/loop.c b/drivers/block/loop.c
4903 +index ea0c863861b9..b5dbce192c6b 100644
4904 +--- a/drivers/block/loop.c
4905 ++++ b/drivers/block/loop.c
4906 +@@ -1338,9 +1338,8 @@ out:
4907 + return err;
4908 + }
4909 +
4910 +-static void lo_release(struct gendisk *disk, fmode_t mode)
4911 ++static void __lo_release(struct loop_device *lo)
4912 + {
4913 +- struct loop_device *lo = disk->private_data;
4914 + int err;
4915 +
4916 + mutex_lock(&lo->lo_ctl_mutex);
4917 +@@ -1368,6 +1367,13 @@ out:
4918 + mutex_unlock(&lo->lo_ctl_mutex);
4919 + }
4920 +
4921 ++static void lo_release(struct gendisk *disk, fmode_t mode)
4922 ++{
4923 ++ mutex_lock(&loop_index_mutex);
4924 ++ __lo_release(disk->private_data);
4925 ++ mutex_unlock(&loop_index_mutex);
4926 ++}
4927 ++
4928 + static const struct block_device_operations lo_fops = {
4929 + .owner = THIS_MODULE,
4930 + .open = lo_open,
4931 +diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
4932 +index 09e628dafd9d..46098d236476 100644
4933 +--- a/drivers/block/pktcdvd.c
4934 ++++ b/drivers/block/pktcdvd.c
4935 +@@ -2798,7 +2798,7 @@ static int pkt_setup_dev(dev_t dev, dev_t* pkt_dev)
4936 + pd->pkt_dev = MKDEV(pktdev_major, idx);
4937 + ret = pkt_new_dev(pd, dev);
4938 + if (ret)
4939 +- goto out_new_dev;
4940 ++ goto out_mem2;
4941 +
4942 + /* inherit events of the host device */
4943 + disk->events = pd->bdev->bd_disk->events;
4944 +@@ -2816,8 +2816,6 @@ static int pkt_setup_dev(dev_t dev, dev_t* pkt_dev)
4945 + mutex_unlock(&ctl_mutex);
4946 + return 0;
4947 +
4948 +-out_new_dev:
4949 +- blk_cleanup_queue(disk->queue);
4950 + out_mem2:
4951 + put_disk(disk);
4952 + out_mem:
4953 +diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
4954 +index 83f6437dd91d..1481a3c9b5af 100644
4955 +--- a/drivers/bluetooth/btsdio.c
4956 ++++ b/drivers/bluetooth/btsdio.c
4957 +@@ -31,6 +31,7 @@
4958 + #include <linux/errno.h>
4959 + #include <linux/skbuff.h>
4960 +
4961 ++#include <linux/mmc/host.h>
4962 + #include <linux/mmc/sdio_ids.h>
4963 + #include <linux/mmc/sdio_func.h>
4964 +
4965 +@@ -303,6 +304,14 @@ static int btsdio_probe(struct sdio_func *func,
4966 + tuple = tuple->next;
4967 + }
4968 +
4969 ++ /* BCM43341 devices soldered onto the PCB (non-removable) use an
4970 ++ * uart connection for bluetooth, ignore the BT SDIO interface.
4971 ++ */
4972 ++ if (func->vendor == SDIO_VENDOR_ID_BROADCOM &&
4973 ++ func->device == SDIO_DEVICE_ID_BROADCOM_43341 &&
4974 ++ !mmc_card_is_removable(func->card->host))
4975 ++ return -ENODEV;
4976 ++
4977 + data = devm_kzalloc(&func->dev, sizeof(*data), GFP_KERNEL);
4978 + if (!data)
4979 + return -ENOMEM;
4980 +diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
4981 +index 5643b65cee20..0ff7682cfb14 100644
4982 +--- a/drivers/char/hw_random/core.c
4983 ++++ b/drivers/char/hw_random/core.c
4984 +@@ -238,7 +238,10 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf,
4985 + goto out;
4986 + }
4987 +
4988 +- mutex_lock(&reading_mutex);
4989 ++ if (mutex_lock_interruptible(&reading_mutex)) {
4990 ++ err = -ERESTARTSYS;
4991 ++ goto out_put;
4992 ++ }
4993 + if (!data_avail) {
4994 + bytes_read = rng_get_data(rng, rng_buffer,
4995 + rng_buffer_size(),
4996 +@@ -288,6 +291,7 @@ out:
4997 +
4998 + out_unlock_reading:
4999 + mutex_unlock(&reading_mutex);
5000 ++out_put:
5001 + put_rng(rng);
5002 + goto out;
5003 + }
5004 +diff --git a/drivers/cpufreq/Kconfig b/drivers/cpufreq/Kconfig
5005 +index 659879a56dba..949610360b14 100644
5006 +--- a/drivers/cpufreq/Kconfig
5007 ++++ b/drivers/cpufreq/Kconfig
5008 +@@ -236,6 +236,7 @@ endif
5009 + if MIPS
5010 + config LOONGSON2_CPUFREQ
5011 + tristate "Loongson2 CPUFreq Driver"
5012 ++ depends on LEMOTE_MACH2F
5013 + help
5014 + This option adds a CPUFreq driver for loongson processors which
5015 + support software configurable cpu frequency.
5016 +@@ -248,6 +249,7 @@ config LOONGSON2_CPUFREQ
5017 +
5018 + config LOONGSON1_CPUFREQ
5019 + tristate "Loongson1 CPUFreq Driver"
5020 ++ depends on LOONGSON1_LS1B
5021 + help
5022 + This option adds a CPUFreq driver for loongson1 processors which
5023 + support software configurable cpu frequency.
5024 +diff --git a/drivers/cpuidle/cpuidle-powernv.c b/drivers/cpuidle/cpuidle-powernv.c
5025 +index 3442764a5293..544e0e330afd 100644
5026 +--- a/drivers/cpuidle/cpuidle-powernv.c
5027 ++++ b/drivers/cpuidle/cpuidle-powernv.c
5028 +@@ -153,6 +153,24 @@ static int powernv_cpuidle_driver_init(void)
5029 + drv->state_count += 1;
5030 + }
5031 +
5032 ++ /*
5033 ++ * On the PowerNV platform cpu_present may be less than cpu_possible in
5034 ++ * cases when firmware detects the CPU, but it is not available to the
5035 ++ * OS. If CONFIG_HOTPLUG_CPU=n, then such CPUs are not hotplugable at
5036 ++ * run time and hence cpu_devices are not created for those CPUs by the
5037 ++ * generic topology_init().
5038 ++ *
5039 ++ * drv->cpumask defaults to cpu_possible_mask in
5040 ++ * __cpuidle_driver_init(). This breaks cpuidle on PowerNV where
5041 ++ * cpu_devices are not created for CPUs in cpu_possible_mask that
5042 ++ * cannot be hot-added later at run time.
5043 ++ *
5044 ++ * Trying cpuidle_register_device() on a CPU without a cpu_device is
5045 ++ * incorrect, so pass a correct CPU mask to the generic cpuidle driver.
5046 ++ */
5047 ++
5048 ++ drv->cpumask = (struct cpumask *)cpu_present_mask;
5049 ++
5050 + return 0;
5051 + }
5052 +
5053 +diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
5054 +index 832a2c3f01ff..9e98a5fbbc1d 100644
5055 +--- a/drivers/cpuidle/sysfs.c
5056 ++++ b/drivers/cpuidle/sysfs.c
5057 +@@ -613,6 +613,18 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev)
5058 + struct device *cpu_dev = get_cpu_device((unsigned long)dev->cpu);
5059 + int error;
5060 +
5061 ++ /*
5062 ++ * Return if cpu_device is not setup for this CPU.
5063 ++ *
5064 ++ * This could happen if the arch did not set up cpu_device
5065 ++ * since this CPU is not in cpu_present mask and the
5066 ++ * driver did not send a correct CPU mask during registration.
5067 ++ * Without this check we would end up passing bogus
5068 ++ * value for &cpu_dev->kobj in kobject_init_and_add()
5069 ++ */
5070 ++ if (!cpu_dev)
5071 ++ return -ENODEV;
5072 ++
5073 + kdev = kzalloc(sizeof(*kdev), GFP_KERNEL);
5074 + if (!kdev)
5075 + return -ENOMEM;
5076 +diff --git a/drivers/crypto/amcc/crypto4xx_core.h b/drivers/crypto/amcc/crypto4xx_core.h
5077 +index bac0bdeb4b5f..b6529b9fcbe2 100644
5078 +--- a/drivers/crypto/amcc/crypto4xx_core.h
5079 ++++ b/drivers/crypto/amcc/crypto4xx_core.h
5080 +@@ -32,12 +32,12 @@
5081 + #define PPC405EX_CE_RESET 0x00000008
5082 +
5083 + #define CRYPTO4XX_CRYPTO_PRIORITY 300
5084 +-#define PPC4XX_LAST_PD 63
5085 +-#define PPC4XX_NUM_PD 64
5086 +-#define PPC4XX_LAST_GD 1023
5087 ++#define PPC4XX_NUM_PD 256
5088 ++#define PPC4XX_LAST_PD (PPC4XX_NUM_PD - 1)
5089 + #define PPC4XX_NUM_GD 1024
5090 +-#define PPC4XX_LAST_SD 63
5091 +-#define PPC4XX_NUM_SD 64
5092 ++#define PPC4XX_LAST_GD (PPC4XX_NUM_GD - 1)
5093 ++#define PPC4XX_NUM_SD 256
5094 ++#define PPC4XX_LAST_SD (PPC4XX_NUM_SD - 1)
5095 + #define PPC4XX_SD_BUFFER_SIZE 2048
5096 +
5097 + #define PD_ENTRY_INUSE 1
5098 +diff --git a/drivers/crypto/n2_core.c b/drivers/crypto/n2_core.c
5099 +index 10a9aeff1666..32035daae8c9 100644
5100 +--- a/drivers/crypto/n2_core.c
5101 ++++ b/drivers/crypto/n2_core.c
5102 +@@ -1641,6 +1641,7 @@ static int queue_cache_init(void)
5103 + CWQ_ENTRY_SIZE, 0, NULL);
5104 + if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) {
5105 + kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
5106 ++ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
5107 + return -ENOMEM;
5108 + }
5109 + return 0;
5110 +@@ -1650,6 +1651,8 @@ static void queue_cache_destroy(void)
5111 + {
5112 + kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
5113 + kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]);
5114 ++ queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
5115 ++ queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL;
5116 + }
5117 +
5118 + static int spu_queue_register(struct spu_queue *p, unsigned long q_type)
5119 +diff --git a/drivers/crypto/s5p-sss.c b/drivers/crypto/s5p-sss.c
5120 +index 4f0c4a3cc5c5..89219806fd8e 100644
5121 +--- a/drivers/crypto/s5p-sss.c
5122 ++++ b/drivers/crypto/s5p-sss.c
5123 +@@ -419,16 +419,21 @@ static void s5p_aes_crypt_start(struct s5p_aes_dev *dev, unsigned long mode)
5124 + uint32_t aes_control;
5125 + int err;
5126 + unsigned long flags;
5127 ++ u8 *iv;
5128 +
5129 + aes_control = SSS_AES_KEY_CHANGE_MODE;
5130 + if (mode & FLAGS_AES_DECRYPT)
5131 + aes_control |= SSS_AES_MODE_DECRYPT;
5132 +
5133 +- if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CBC)
5134 ++ if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CBC) {
5135 + aes_control |= SSS_AES_CHAIN_MODE_CBC;
5136 +- else if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CTR)
5137 ++ iv = req->info;
5138 ++ } else if ((mode & FLAGS_AES_MODE_MASK) == FLAGS_AES_CTR) {
5139 + aes_control |= SSS_AES_CHAIN_MODE_CTR;
5140 +-
5141 ++ iv = req->info;
5142 ++ } else {
5143 ++ iv = NULL; /* AES_ECB */
5144 ++ }
5145 + if (dev->ctx->keylen == AES_KEYSIZE_192)
5146 + aes_control |= SSS_AES_KEY_SIZE_192;
5147 + else if (dev->ctx->keylen == AES_KEYSIZE_256)
5148 +@@ -458,7 +463,7 @@ static void s5p_aes_crypt_start(struct s5p_aes_dev *dev, unsigned long mode)
5149 + goto outdata_error;
5150 +
5151 + SSS_AES_WRITE(dev, AES_CONTROL, aes_control);
5152 +- s5p_set_aes(dev, dev->ctx->aes_key, req->info, dev->ctx->keylen);
5153 ++ s5p_set_aes(dev, dev->ctx->aes_key, iv, dev->ctx->keylen);
5154 +
5155 + s5p_set_dma_indata(dev, req->src);
5156 + s5p_set_dma_outdata(dev, req->dst);
5157 +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
5158 +index ca1b362d77e2..3373561caae8 100644
5159 +--- a/drivers/devfreq/devfreq.c
5160 ++++ b/drivers/devfreq/devfreq.c
5161 +@@ -584,7 +584,7 @@ struct devfreq *devm_devfreq_add_device(struct device *dev,
5162 + devfreq = devfreq_add_device(dev, profile, governor_name, data);
5163 + if (IS_ERR(devfreq)) {
5164 + devres_free(ptr);
5165 +- return ERR_PTR(-ENOMEM);
5166 ++ return devfreq;
5167 + }
5168 +
5169 + *ptr = devfreq;
5170 +diff --git a/drivers/dma/dma-jz4740.c b/drivers/dma/dma-jz4740.c
5171 +index 7638b24ce8d0..35fc58f4bf4b 100644
5172 +--- a/drivers/dma/dma-jz4740.c
5173 ++++ b/drivers/dma/dma-jz4740.c
5174 +@@ -557,7 +557,7 @@ static int jz4740_dma_probe(struct platform_device *pdev)
5175 +
5176 + ret = dma_async_device_register(dd);
5177 + if (ret)
5178 +- return ret;
5179 ++ goto err_clk;
5180 +
5181 + irq = platform_get_irq(pdev, 0);
5182 + ret = request_irq(irq, jz4740_dma_irq, 0, dev_name(&pdev->dev), dmadev);
5183 +@@ -570,6 +570,8 @@ static int jz4740_dma_probe(struct platform_device *pdev)
5184 +
5185 + err_unregister:
5186 + dma_async_device_unregister(dd);
5187 ++err_clk:
5188 ++ clk_disable_unprepare(dmadev->clk);
5189 + return ret;
5190 + }
5191 +
5192 +diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
5193 +index 2e9bc49d30ec..5e4fe755a4d8 100644
5194 +--- a/drivers/dma/dmatest.c
5195 ++++ b/drivers/dma/dmatest.c
5196 +@@ -329,7 +329,7 @@ static void dmatest_callback(void *arg)
5197 + {
5198 + struct dmatest_done *done = arg;
5199 + struct dmatest_thread *thread =
5200 +- container_of(arg, struct dmatest_thread, done_wait);
5201 ++ container_of(done, struct dmatest_thread, test_done);
5202 + if (!thread->done) {
5203 + done->done = true;
5204 + wake_up_all(done->wait);
5205 +diff --git a/drivers/edac/octeon_edac-lmc.c b/drivers/edac/octeon_edac-lmc.c
5206 +index cda6dab5067a..6b65a102b49d 100644
5207 +--- a/drivers/edac/octeon_edac-lmc.c
5208 ++++ b/drivers/edac/octeon_edac-lmc.c
5209 +@@ -79,6 +79,7 @@ static void octeon_lmc_edac_poll_o2(struct mem_ctl_info *mci)
5210 + if (!pvt->inject)
5211 + int_reg.u64 = cvmx_read_csr(CVMX_LMCX_INT(mci->mc_idx));
5212 + else {
5213 ++ int_reg.u64 = 0;
5214 + if (pvt->error_type == 1)
5215 + int_reg.s.sec_err = 1;
5216 + if (pvt->error_type == 2)
5217 +diff --git a/drivers/gpio/gpio-intel-mid.c b/drivers/gpio/gpio-intel-mid.c
5218 +index 14945fd9d5e1..935fa3bce6d0 100644
5219 +--- a/drivers/gpio/gpio-intel-mid.c
5220 ++++ b/drivers/gpio/gpio-intel-mid.c
5221 +@@ -326,7 +326,7 @@ static void intel_mid_irq_init_hw(struct intel_mid_gpio *priv)
5222 + }
5223 + }
5224 +
5225 +-static int intel_gpio_runtime_idle(struct device *dev)
5226 ++static int __maybe_unused intel_gpio_runtime_idle(struct device *dev)
5227 + {
5228 + int err = pm_schedule_suspend(dev, 500);
5229 + return err ?: -EBUSY;
5230 +diff --git a/drivers/gpio/gpio-iop.c b/drivers/gpio/gpio-iop.c
5231 +index 2ed0237a8baf..304e68633d29 100644
5232 +--- a/drivers/gpio/gpio-iop.c
5233 ++++ b/drivers/gpio/gpio-iop.c
5234 +@@ -129,3 +129,7 @@ static int __init iop3xx_gpio_init(void)
5235 + return platform_driver_register(&iop3xx_gpio_driver);
5236 + }
5237 + arch_initcall(iop3xx_gpio_init);
5238 ++
5239 ++MODULE_DESCRIPTION("GPIO handling for Intel IOP3xx processors");
5240 ++MODULE_AUTHOR("Lennert Buytenhek <buytenh@××××××××××.org>");
5241 ++MODULE_LICENSE("GPL");
5242 +diff --git a/drivers/gpio/gpio-xgene.c b/drivers/gpio/gpio-xgene.c
5243 +index 18a8182d4fec..7f1f32324504 100644
5244 +--- a/drivers/gpio/gpio-xgene.c
5245 ++++ b/drivers/gpio/gpio-xgene.c
5246 +@@ -42,9 +42,7 @@ struct xgene_gpio {
5247 + struct gpio_chip chip;
5248 + void __iomem *base;
5249 + spinlock_t lock;
5250 +-#ifdef CONFIG_PM
5251 + u32 set_dr_val[XGENE_MAX_GPIO_BANKS];
5252 +-#endif
5253 + };
5254 +
5255 + static inline struct xgene_gpio *to_xgene_gpio(struct gpio_chip *chip)
5256 +@@ -132,8 +130,7 @@ static int xgene_gpio_dir_out(struct gpio_chip *gc,
5257 + return 0;
5258 + }
5259 +
5260 +-#ifdef CONFIG_PM
5261 +-static int xgene_gpio_suspend(struct device *dev)
5262 ++static __maybe_unused int xgene_gpio_suspend(struct device *dev)
5263 + {
5264 + struct xgene_gpio *gpio = dev_get_drvdata(dev);
5265 + unsigned long bank_offset;
5266 +@@ -146,7 +143,7 @@ static int xgene_gpio_suspend(struct device *dev)
5267 + return 0;
5268 + }
5269 +
5270 +-static int xgene_gpio_resume(struct device *dev)
5271 ++static __maybe_unused int xgene_gpio_resume(struct device *dev)
5272 + {
5273 + struct xgene_gpio *gpio = dev_get_drvdata(dev);
5274 + unsigned long bank_offset;
5275 +@@ -160,10 +157,6 @@ static int xgene_gpio_resume(struct device *dev)
5276 + }
5277 +
5278 + static SIMPLE_DEV_PM_OPS(xgene_gpio_pm, xgene_gpio_suspend, xgene_gpio_resume);
5279 +-#define XGENE_GPIO_PM_OPS (&xgene_gpio_pm)
5280 +-#else
5281 +-#define XGENE_GPIO_PM_OPS NULL
5282 +-#endif
5283 +
5284 + static int xgene_gpio_probe(struct platform_device *pdev)
5285 + {
5286 +@@ -230,7 +223,7 @@ static struct platform_driver xgene_gpio_driver = {
5287 + .driver = {
5288 + .name = "xgene-gpio",
5289 + .of_match_table = xgene_gpio_of_match,
5290 +- .pm = XGENE_GPIO_PM_OPS,
5291 ++ .pm = &xgene_gpio_pm,
5292 + },
5293 + .probe = xgene_gpio_probe,
5294 + .remove = xgene_gpio_remove,
5295 +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
5296 +index 530b82c4e78b..7c736e8d7f33 100644
5297 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
5298 ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
5299 +@@ -189,6 +189,24 @@ int pqm_create_queue(struct process_queue_manager *pqm,
5300 +
5301 + switch (type) {
5302 + case KFD_QUEUE_TYPE_SDMA:
5303 ++ if (dev->dqm->queue_count >=
5304 ++ CIK_SDMA_QUEUES_PER_ENGINE * CIK_SDMA_ENGINE_NUM) {
5305 ++ pr_err("Over-subscription is not allowed for SDMA.\n");
5306 ++ retval = -EPERM;
5307 ++ goto err_create_queue;
5308 ++ }
5309 ++
5310 ++ retval = create_cp_queue(pqm, dev, &q, properties, f, *qid);
5311 ++ if (retval != 0)
5312 ++ goto err_create_queue;
5313 ++ pqn->q = q;
5314 ++ pqn->kq = NULL;
5315 ++ retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd,
5316 ++ &q->properties.vmid);
5317 ++ pr_debug("DQM returned %d for create_queue\n", retval);
5318 ++ print_queue(q);
5319 ++ break;
5320 ++
5321 + case KFD_QUEUE_TYPE_COMPUTE:
5322 + /* check if there is over subscription */
5323 + if ((sched_policy == KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION) &&
5324 +diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
5325 +index d4813e03f5ee..00275c3856ce 100644
5326 +--- a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
5327 ++++ b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
5328 +@@ -821,14 +821,18 @@ void mdfld_dsi_dpi_mode_set(struct drm_encoder *encoder,
5329 + struct drm_device *dev = dsi_config->dev;
5330 + struct drm_psb_private *dev_priv = dev->dev_private;
5331 + int pipe = mdfld_dsi_encoder_get_pipe(dsi_encoder);
5332 +-
5333 + u32 pipeconf_reg = PIPEACONF;
5334 + u32 dspcntr_reg = DSPACNTR;
5335 ++ u32 pipeconf, dspcntr;
5336 +
5337 +- u32 pipeconf = dev_priv->pipeconf[pipe];
5338 +- u32 dspcntr = dev_priv->dspcntr[pipe];
5339 + u32 mipi = MIPI_PORT_EN | PASS_FROM_SPHY_TO_AFE | SEL_FLOPPED_HSTX;
5340 +
5341 ++ if (WARN_ON(pipe < 0))
5342 ++ return;
5343 ++
5344 ++ pipeconf = dev_priv->pipeconf[pipe];
5345 ++ dspcntr = dev_priv->dspcntr[pipe];
5346 ++
5347 + if (pipe) {
5348 + pipeconf_reg = PIPECCONF;
5349 + dspcntr_reg = DSPCCNTR;
5350 +diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_output.c b/drivers/gpu/drm/gma500/mdfld_dsi_output.c
5351 +index 89f705c3a5eb..910a2f253990 100644
5352 +--- a/drivers/gpu/drm/gma500/mdfld_dsi_output.c
5353 ++++ b/drivers/gpu/drm/gma500/mdfld_dsi_output.c
5354 +@@ -382,16 +382,6 @@ static int mdfld_dsi_connector_mode_valid(struct drm_connector *connector,
5355 + return MODE_OK;
5356 + }
5357 +
5358 +-static void mdfld_dsi_connector_dpms(struct drm_connector *connector, int mode)
5359 +-{
5360 +- if (mode == connector->dpms)
5361 +- return;
5362 +-
5363 +- /*first, execute dpms*/
5364 +-
5365 +- drm_helper_connector_dpms(connector, mode);
5366 +-}
5367 +-
5368 + static struct drm_encoder *mdfld_dsi_connector_best_encoder(
5369 + struct drm_connector *connector)
5370 + {
5371 +@@ -404,7 +394,7 @@ static struct drm_encoder *mdfld_dsi_connector_best_encoder(
5372 +
5373 + /*DSI connector funcs*/
5374 + static const struct drm_connector_funcs mdfld_dsi_connector_funcs = {
5375 +- .dpms = /*drm_helper_connector_dpms*/mdfld_dsi_connector_dpms,
5376 ++ .dpms = drm_helper_connector_dpms,
5377 + .save = mdfld_dsi_connector_save,
5378 + .restore = mdfld_dsi_connector_restore,
5379 + .detect = mdfld_dsi_connector_detect,
5380 +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
5381 +index 58c959265b1a..36000f76e31d 100644
5382 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
5383 ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
5384 +@@ -368,7 +368,7 @@ validate_init(struct nouveau_channel *chan, struct drm_file *file_priv,
5385 + struct nouveau_cli *cli = nouveau_cli(file_priv);
5386 + struct drm_device *dev = chan->drm->dev;
5387 + int trycnt = 0;
5388 +- int ret, i;
5389 ++ int ret = -EINVAL, i;
5390 + struct nouveau_bo *res_bo = NULL;
5391 + LIST_HEAD(gart_list);
5392 + LIST_HEAD(vram_list);
5393 +diff --git a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
5394 +index 042038e8a662..6e6634cd1d17 100644
5395 +--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
5396 ++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
5397 +@@ -610,7 +610,8 @@ static int omap_dmm_probe(struct platform_device *dev)
5398 + match = of_match_node(dmm_of_match, dev->dev.of_node);
5399 + if (!match) {
5400 + dev_err(&dev->dev, "failed to find matching device node\n");
5401 +- return -ENODEV;
5402 ++ ret = -ENODEV;
5403 ++ goto fail;
5404 + }
5405 +
5406 + omap_dmm->plat_data = match->data;
5407 +diff --git a/drivers/gpu/drm/radeon/radeon_uvd.c b/drivers/gpu/drm/radeon/radeon_uvd.c
5408 +index 6edcb5485092..b35ebabd6a9f 100644
5409 +--- a/drivers/gpu/drm/radeon/radeon_uvd.c
5410 ++++ b/drivers/gpu/drm/radeon/radeon_uvd.c
5411 +@@ -946,7 +946,7 @@ int radeon_uvd_calc_upll_dividers(struct radeon_device *rdev,
5412 + /* calc dclk divider with current vco freq */
5413 + dclk_div = radeon_uvd_calc_upll_post_div(vco_freq, dclk,
5414 + pd_min, pd_even);
5415 +- if (vclk_div > pd_max)
5416 ++ if (dclk_div > pd_max)
5417 + break; /* vco is too big, it has to stop */
5418 +
5419 + /* calc score with current vco freq */
5420 +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
5421 +index 824c835330df..de155c77f739 100644
5422 +--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
5423 ++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
5424 +@@ -511,7 +511,7 @@ static irqreturn_t rcar_du_crtc_irq(int irq, void *arg)
5425 + status = rcar_du_crtc_read(rcrtc, DSSR);
5426 + rcar_du_crtc_write(rcrtc, DSRCR, status & DSRCR_MASK);
5427 +
5428 +- if (status & DSSR_FRM) {
5429 ++ if (status & DSSR_VBK) {
5430 + drm_handle_vblank(rcrtc->crtc.dev, rcrtc->index);
5431 + rcar_du_crtc_finish_page_flip(rcrtc);
5432 + ret = IRQ_HANDLED;
5433 +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
5434 +index d786b48f5d7b..d8638d8221ea 100644
5435 +--- a/drivers/hid/hid-core.c
5436 ++++ b/drivers/hid/hid-core.c
5437 +@@ -2010,6 +2010,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
5438 + { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_SIRIUS_BATTERY_FREE_TABLET) },
5439 + { HID_USB_DEVICE(USB_VENDOR_ID_X_TENSIONS, USB_DEVICE_ID_SPEEDLINK_VAD_CEZANNE) },
5440 + { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_XIN_MO_DUAL_ARCADE) },
5441 ++ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_THT_2P_ARCADE) },
5442 + { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0005) },
5443 + { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0030) },
5444 + { HID_USB_DEVICE(USB_VENDOR_ID_ZYDACRON, USB_DEVICE_ID_ZYDACRON_REMOTE_CONTROL) },
5445 +@@ -2349,6 +2350,9 @@ static const struct hid_device_id hid_ignore_list[] = {
5446 + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
5447 + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
5448 + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
5449 ++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
5450 ++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
5451 ++ { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
5452 + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
5453 + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
5454 + { HID_USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },
5455 +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
5456 +index e995058ad264..62b337d61fe1 100644
5457 +--- a/drivers/hid/hid-ids.h
5458 ++++ b/drivers/hid/hid-ids.h
5459 +@@ -559,6 +559,9 @@
5460 + #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033
5461 + #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035
5462 + #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038
5463 ++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040
5464 ++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042
5465 ++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043
5466 + #define USB_DEVICE_ID_LD_JWM 0x1080
5467 + #define USB_DEVICE_ID_LD_DMMP 0x1081
5468 + #define USB_DEVICE_ID_LD_UMIP 0x1090
5469 +@@ -1011,6 +1014,7 @@
5470 +
5471 + #define USB_VENDOR_ID_XIN_MO 0x16c0
5472 + #define USB_DEVICE_ID_XIN_MO_DUAL_ARCADE 0x05e1
5473 ++#define USB_DEVICE_ID_THT_2P_ARCADE 0x75e1
5474 +
5475 + #define USB_VENDOR_ID_XIROKU 0x1477
5476 + #define USB_DEVICE_ID_XIROKU_SPX 0x1006
5477 +diff --git a/drivers/hid/hid-xinmo.c b/drivers/hid/hid-xinmo.c
5478 +index 7df5227a7e61..9ad7731d2e10 100644
5479 +--- a/drivers/hid/hid-xinmo.c
5480 ++++ b/drivers/hid/hid-xinmo.c
5481 +@@ -46,6 +46,7 @@ static int xinmo_event(struct hid_device *hdev, struct hid_field *field,
5482 +
5483 + static const struct hid_device_id xinmo_devices[] = {
5484 + { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_XIN_MO_DUAL_ARCADE) },
5485 ++ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_THT_2P_ARCADE) },
5486 + { }
5487 + };
5488 +
5489 +diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
5490 +index cccef87963e0..975c43d446f8 100644
5491 +--- a/drivers/hwmon/asus_atk0110.c
5492 ++++ b/drivers/hwmon/asus_atk0110.c
5493 +@@ -646,6 +646,9 @@ static int atk_read_value(struct atk_sensor_data *sensor, u64 *value)
5494 + else
5495 + err = atk_read_value_new(sensor, value);
5496 +
5497 ++ if (err)
5498 ++ return err;
5499 ++
5500 + sensor->is_valid = true;
5501 + sensor->last_updated = jiffies;
5502 + sensor->cached_value = *value;
5503 +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
5504 +index f2e47c7dd808..1362de353076 100644
5505 +--- a/drivers/hwmon/pmbus/pmbus_core.c
5506 ++++ b/drivers/hwmon/pmbus/pmbus_core.c
5507 +@@ -20,6 +20,7 @@
5508 + */
5509 +
5510 + #include <linux/kernel.h>
5511 ++#include <linux/math64.h>
5512 + #include <linux/module.h>
5513 + #include <linux/init.h>
5514 + #include <linux/err.h>
5515 +@@ -476,8 +477,8 @@ static long pmbus_reg2data_linear(struct pmbus_data *data,
5516 + static long pmbus_reg2data_direct(struct pmbus_data *data,
5517 + struct pmbus_sensor *sensor)
5518 + {
5519 +- long val = (s16) sensor->data;
5520 +- long m, b, R;
5521 ++ s64 b, val = (s16)sensor->data;
5522 ++ s32 m, R;
5523 +
5524 + m = data->info->m[sensor->class];
5525 + b = data->info->b[sensor->class];
5526 +@@ -505,11 +506,12 @@ static long pmbus_reg2data_direct(struct pmbus_data *data,
5527 + R--;
5528 + }
5529 + while (R < 0) {
5530 +- val = DIV_ROUND_CLOSEST(val, 10);
5531 ++ val = div_s64(val + 5LL, 10L); /* round closest */
5532 + R++;
5533 + }
5534 +
5535 +- return (val - b) / m;
5536 ++ val = div_s64(val - b, m);
5537 ++ return clamp_val(val, LONG_MIN, LONG_MAX);
5538 + }
5539 +
5540 + /*
5541 +@@ -621,7 +623,8 @@ static u16 pmbus_data2reg_linear(struct pmbus_data *data,
5542 + static u16 pmbus_data2reg_direct(struct pmbus_data *data,
5543 + struct pmbus_sensor *sensor, long val)
5544 + {
5545 +- long m, b, R;
5546 ++ s64 b, val64 = val;
5547 ++ s32 m, R;
5548 +
5549 + m = data->info->m[sensor->class];
5550 + b = data->info->b[sensor->class];
5551 +@@ -638,18 +641,18 @@ static u16 pmbus_data2reg_direct(struct pmbus_data *data,
5552 + R -= 3; /* Adjust R and b for data in milli-units */
5553 + b *= 1000;
5554 + }
5555 +- val = val * m + b;
5556 ++ val64 = val64 * m + b;
5557 +
5558 + while (R > 0) {
5559 +- val *= 10;
5560 ++ val64 *= 10;
5561 + R--;
5562 + }
5563 + while (R < 0) {
5564 +- val = DIV_ROUND_CLOSEST(val, 10);
5565 ++ val64 = div_s64(val64 + 5LL, 10L); /* round closest */
5566 + R++;
5567 + }
5568 +
5569 +- return val;
5570 ++ return (u16)clamp_val(val64, S16_MIN, S16_MAX);
5571 + }
5572 +
5573 + static u16 pmbus_data2reg_vid(struct pmbus_data *data,
5574 +diff --git a/drivers/i2c/i2c-boardinfo.c b/drivers/i2c/i2c-boardinfo.c
5575 +index 90e322959303..42c25aed671d 100644
5576 +--- a/drivers/i2c/i2c-boardinfo.c
5577 ++++ b/drivers/i2c/i2c-boardinfo.c
5578 +@@ -56,9 +56,7 @@ EXPORT_SYMBOL_GPL(__i2c_first_dynamic_bus_num);
5579 + * The board info passed can safely be __initdata, but be careful of embedded
5580 + * pointers (for platform_data, functions, etc) since that won't be copied.
5581 + */
5582 +-int __init
5583 +-i2c_register_board_info(int busnum,
5584 +- struct i2c_board_info const *info, unsigned len)
5585 ++int i2c_register_board_info(int busnum, struct i2c_board_info const *info, unsigned len)
5586 + {
5587 + int status;
5588 +
5589 +diff --git a/drivers/iio/adc/axp288_adc.c b/drivers/iio/adc/axp288_adc.c
5590 +index 1c626a3cc7f2..f3a64a45c512 100644
5591 +--- a/drivers/iio/adc/axp288_adc.c
5592 ++++ b/drivers/iio/adc/axp288_adc.c
5593 +@@ -44,7 +44,7 @@ struct axp288_adc_info {
5594 + struct regmap *regmap;
5595 + };
5596 +
5597 +-static const struct iio_chan_spec const axp288_adc_channels[] = {
5598 ++static const struct iio_chan_spec axp288_adc_channels[] = {
5599 + {
5600 + .indexed = 1,
5601 + .type = IIO_TEMP,
5602 +diff --git a/drivers/iio/imu/adis_trigger.c b/drivers/iio/imu/adis_trigger.c
5603 +index f53e9a803a0e..93b99bd93738 100644
5604 +--- a/drivers/iio/imu/adis_trigger.c
5605 ++++ b/drivers/iio/imu/adis_trigger.c
5606 +@@ -47,6 +47,10 @@ int adis_probe_trigger(struct adis *adis, struct iio_dev *indio_dev)
5607 + if (adis->trig == NULL)
5608 + return -ENOMEM;
5609 +
5610 ++ adis->trig->dev.parent = &adis->spi->dev;
5611 ++ adis->trig->ops = &adis_trigger_ops;
5612 ++ iio_trigger_set_drvdata(adis->trig, adis);
5613 ++
5614 + ret = request_irq(adis->spi->irq,
5615 + &iio_trigger_generic_data_rdy_poll,
5616 + IRQF_TRIGGER_RISING,
5617 +@@ -55,9 +59,6 @@ int adis_probe_trigger(struct adis *adis, struct iio_dev *indio_dev)
5618 + if (ret)
5619 + goto error_free_trig;
5620 +
5621 +- adis->trig->dev.parent = &adis->spi->dev;
5622 +- adis->trig->ops = &adis_trigger_ops;
5623 +- iio_trigger_set_drvdata(adis->trig, adis);
5624 + ret = iio_trigger_register(adis->trig);
5625 +
5626 + indio_dev->trig = iio_trigger_get(adis->trig);
5627 +diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
5628 +index 7fa280b28ecb..ec6b26f008d9 100644
5629 +--- a/drivers/iio/industrialio-buffer.c
5630 ++++ b/drivers/iio/industrialio-buffer.c
5631 +@@ -150,7 +150,7 @@ unsigned int iio_buffer_poll(struct file *filp,
5632 + struct iio_dev *indio_dev = filp->private_data;
5633 + struct iio_buffer *rb = indio_dev->buffer;
5634 +
5635 +- if (!indio_dev->info)
5636 ++ if (!indio_dev->info || rb == NULL)
5637 + return 0;
5638 +
5639 + poll_wait(filp, &rb->pollq, wait);
5640 +diff --git a/drivers/infiniband/hw/cxgb4/cq.c b/drivers/infiniband/hw/cxgb4/cq.c
5641 +index 68ddb3710215..c1e8c01f4ab3 100644
5642 +--- a/drivers/infiniband/hw/cxgb4/cq.c
5643 ++++ b/drivers/infiniband/hw/cxgb4/cq.c
5644 +@@ -581,10 +581,10 @@ static int poll_cq(struct t4_wq *wq, struct t4_cq *cq, struct t4_cqe *cqe,
5645 + ret = -EAGAIN;
5646 + goto skip_cqe;
5647 + }
5648 +- if (unlikely((CQE_WRID_MSN(hw_cqe) != (wq->rq.msn)))) {
5649 ++ if (unlikely(!CQE_STATUS(hw_cqe) &&
5650 ++ CQE_WRID_MSN(hw_cqe) != wq->rq.msn)) {
5651 + t4_set_wq_in_error(wq);
5652 +- hw_cqe->header |= htonl(CQE_STATUS_V(T4_ERR_MSN));
5653 +- goto proc_cqe;
5654 ++ hw_cqe->header |= cpu_to_be32(CQE_STATUS_V(T4_ERR_MSN));
5655 + }
5656 + goto proc_cqe;
5657 + }
5658 +diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
5659 +index 1563ee64a180..640bb7360537 100644
5660 +--- a/drivers/infiniband/hw/mlx4/main.c
5661 ++++ b/drivers/infiniband/hw/mlx4/main.c
5662 +@@ -2436,9 +2436,8 @@ err_steer_free_bitmap:
5663 + kfree(ibdev->ib_uc_qpns_bitmap);
5664 +
5665 + err_steer_qp_release:
5666 +- if (ibdev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED)
5667 +- mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
5668 +- ibdev->steer_qpn_count);
5669 ++ mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
5670 ++ ibdev->steer_qpn_count);
5671 + err_counter:
5672 + for (; i; --i)
5673 + if (ibdev->counters[i - 1] != -1)
5674 +@@ -2540,11 +2539,9 @@ static void mlx4_ib_remove(struct mlx4_dev *dev, void *ibdev_ptr)
5675 + ibdev->iboe.nb.notifier_call = NULL;
5676 + }
5677 +
5678 +- if (ibdev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED) {
5679 +- mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
5680 +- ibdev->steer_qpn_count);
5681 +- kfree(ibdev->ib_uc_qpns_bitmap);
5682 +- }
5683 ++ mlx4_qp_release_range(dev, ibdev->steer_qpn_base,
5684 ++ ibdev->steer_qpn_count);
5685 ++ kfree(ibdev->ib_uc_qpns_bitmap);
5686 +
5687 + if (ibdev->iboe.nb_inet.notifier_call) {
5688 + if (unregister_inetaddr_notifier(&ibdev->iboe.nb_inet))
5689 +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
5690 +index 416cd07ab87a..6c30192dcb78 100644
5691 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
5692 ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
5693 +@@ -958,8 +958,7 @@ static int srpt_init_ch_qp(struct srpt_rdma_ch *ch, struct ib_qp *qp)
5694 + return -ENOMEM;
5695 +
5696 + attr->qp_state = IB_QPS_INIT;
5697 +- attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_READ |
5698 +- IB_ACCESS_REMOTE_WRITE;
5699 ++ attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE;
5700 + attr->port_num = ch->sport->port;
5701 + attr->pkey_index = 0;
5702 +
5703 +diff --git a/drivers/input/keyboard/tca8418_keypad.c b/drivers/input/keyboard/tca8418_keypad.c
5704 +index 4e491c1762cf..5c4f7f8f2c20 100644
5705 +--- a/drivers/input/keyboard/tca8418_keypad.c
5706 ++++ b/drivers/input/keyboard/tca8418_keypad.c
5707 +@@ -164,11 +164,18 @@ static void tca8418_read_keypad(struct tca8418_keypad *keypad_data)
5708 + int error, col, row;
5709 + u8 reg, state, code;
5710 +
5711 +- /* Initial read of the key event FIFO */
5712 +- error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, &reg);
5713 ++ do {
5714 ++ error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, &reg);
5715 ++ if (error < 0) {
5716 ++ dev_err(&keypad_data->client->dev,
5717 ++ "unable to read REG_KEY_EVENT_A\n");
5718 ++ break;
5719 ++ }
5720 ++
5721 ++ /* Assume that key code 0 signifies empty FIFO */
5722 ++ if (reg <= 0)
5723 ++ break;
5724 +
5725 +- /* Assume that key code 0 signifies empty FIFO */
5726 +- while (error >= 0 && reg > 0) {
5727 + state = reg & KEY_EVENT_VALUE;
5728 + code = reg & KEY_EVENT_CODE;
5729 +
5730 +@@ -184,11 +191,7 @@ static void tca8418_read_keypad(struct tca8418_keypad *keypad_data)
5731 +
5732 + /* Read for next loop */
5733 + error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, &reg);
5734 +- }
5735 +-
5736 +- if (error < 0)
5737 +- dev_err(&keypad_data->client->dev,
5738 +- "unable to read REG_KEY_EVENT_A\n");
5739 ++ } while (1);
5740 +
5741 + input_sync(input);
5742 + }
5743 +diff --git a/drivers/input/misc/twl6040-vibra.c b/drivers/input/misc/twl6040-vibra.c
5744 +index 0e0d094df2e6..6caeb1a2670c 100644
5745 +--- a/drivers/input/misc/twl6040-vibra.c
5746 ++++ b/drivers/input/misc/twl6040-vibra.c
5747 +@@ -262,7 +262,7 @@ static int twl6040_vibra_probe(struct platform_device *pdev)
5748 + int vddvibr_uV = 0;
5749 + int error;
5750 +
5751 +- twl6040_core_node = of_find_node_by_name(twl6040_core_dev->of_node,
5752 ++ twl6040_core_node = of_get_child_by_name(twl6040_core_dev->of_node,
5753 + "vibra");
5754 + if (!twl6040_core_node) {
5755 + dev_err(&pdev->dev, "parent of node is missing?\n");
5756 +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
5757 +index c3c5d492cba0..07ce8f4314ba 100644
5758 +--- a/drivers/input/mouse/elantech.c
5759 ++++ b/drivers/input/mouse/elantech.c
5760 +@@ -1550,7 +1550,7 @@ static int elantech_set_properties(struct elantech_data *etd)
5761 + case 5:
5762 + etd->hw_version = 3;
5763 + break;
5764 +- case 6 ... 14:
5765 ++ case 6 ... 15:
5766 + etd->hw_version = 4;
5767 + break;
5768 + default:
5769 +diff --git a/drivers/input/mouse/trackpoint.c b/drivers/input/mouse/trackpoint.c
5770 +index 7e2dc5e56632..0b49f29bf0da 100644
5771 +--- a/drivers/input/mouse/trackpoint.c
5772 ++++ b/drivers/input/mouse/trackpoint.c
5773 +@@ -383,6 +383,9 @@ int trackpoint_detect(struct psmouse *psmouse, bool set_properties)
5774 + if (trackpoint_read(&psmouse->ps2dev, TP_EXT_BTN, &button_info)) {
5775 + psmouse_warn(psmouse, "failed to get extended button data, assuming 3 buttons\n");
5776 + button_info = 0x33;
5777 ++ } else if (!button_info) {
5778 ++ psmouse_warn(psmouse, "got 0 in extended button data, assuming 3 buttons\n");
5779 ++ button_info = 0x33;
5780 + }
5781 +
5782 + psmouse->private = kzalloc(sizeof(struct trackpoint_data), GFP_KERNEL);
5783 +diff --git a/drivers/input/touchscreen/88pm860x-ts.c b/drivers/input/touchscreen/88pm860x-ts.c
5784 +index 251ff2aa0633..7a0dbce4dae9 100644
5785 +--- a/drivers/input/touchscreen/88pm860x-ts.c
5786 ++++ b/drivers/input/touchscreen/88pm860x-ts.c
5787 +@@ -126,7 +126,7 @@ static int pm860x_touch_dt_init(struct platform_device *pdev,
5788 + int data, n, ret;
5789 + if (!np)
5790 + return -ENODEV;
5791 +- np = of_find_node_by_name(np, "touch");
5792 ++ np = of_get_child_by_name(np, "touch");
5793 + if (!np) {
5794 + dev_err(&pdev->dev, "Can't find touch node\n");
5795 + return -EINVAL;
5796 +@@ -144,13 +144,13 @@ static int pm860x_touch_dt_init(struct platform_device *pdev,
5797 + if (data) {
5798 + ret = pm860x_reg_write(i2c, PM8607_GPADC_MISC1, data);
5799 + if (ret < 0)
5800 +- return -EINVAL;
5801 ++ goto err_put_node;
5802 + }
5803 + /* set tsi prebias time */
5804 + if (!of_property_read_u32(np, "marvell,88pm860x-tsi-prebias", &data)) {
5805 + ret = pm860x_reg_write(i2c, PM8607_TSI_PREBIAS, data);
5806 + if (ret < 0)
5807 +- return -EINVAL;
5808 ++ goto err_put_node;
5809 + }
5810 + /* set prebias & prechg time of pen detect */
5811 + data = 0;
5812 +@@ -161,10 +161,18 @@ static int pm860x_touch_dt_init(struct platform_device *pdev,
5813 + if (data) {
5814 + ret = pm860x_reg_write(i2c, PM8607_PD_PREBIAS, data);
5815 + if (ret < 0)
5816 +- return -EINVAL;
5817 ++ goto err_put_node;
5818 + }
5819 + of_property_read_u32(np, "marvell,88pm860x-resistor-X", res_x);
5820 ++
5821 ++ of_node_put(np);
5822 ++
5823 + return 0;
5824 ++
5825 ++err_put_node:
5826 ++ of_node_put(np);
5827 ++
5828 ++ return -EINVAL;
5829 + }
5830 + #else
5831 + #define pm860x_touch_dt_init(x, y, z) (-1)
5832 +diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
5833 +index 9976c37b9c64..f2b3a0152860 100644
5834 +--- a/drivers/irqchip/irq-gic-v3.c
5835 ++++ b/drivers/irqchip/irq-gic-v3.c
5836 +@@ -584,7 +584,7 @@ static void gic_raise_softirq(const struct cpumask *mask, unsigned int irq)
5837 + * Ensure that stores to Normal memory are visible to the
5838 + * other CPUs before issuing the IPI.
5839 + */
5840 +- smp_wmb();
5841 ++ wmb();
5842 +
5843 + for_each_cpu(cpu, mask) {
5844 + u64 cluster_id = cpu_logical_map(cpu) & ~0xffUL;
5845 +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
5846 +index 823f6985b260..dd7e38ac29bd 100644
5847 +--- a/drivers/isdn/capi/kcapi.c
5848 ++++ b/drivers/isdn/capi/kcapi.c
5849 +@@ -1032,6 +1032,7 @@ static int old_capi_manufacturer(unsigned int cmd, void __user *data)
5850 + sizeof(avmb1_carddef))))
5851 + return -EFAULT;
5852 + cdef.cardtype = AVM_CARDTYPE_B1;
5853 ++ cdef.cardnr = 0;
5854 + } else {
5855 + if ((retval = copy_from_user(&cdef, data,
5856 + sizeof(avmb1_extcarddef))))
5857 +diff --git a/drivers/isdn/hardware/eicon/message.c b/drivers/isdn/hardware/eicon/message.c
5858 +index 7b4ddf0a39ec..2d28530b7e82 100644
5859 +--- a/drivers/isdn/hardware/eicon/message.c
5860 ++++ b/drivers/isdn/hardware/eicon/message.c
5861 +@@ -147,7 +147,7 @@ static word plci_remove_check(PLCI *);
5862 + static void listen_check(DIVA_CAPI_ADAPTER *);
5863 + static byte AddInfo(byte **, byte **, byte *, byte *);
5864 + static byte getChannel(API_PARSE *);
5865 +-static void IndParse(PLCI *, word *, byte **, byte);
5866 ++static void IndParse(PLCI *, const word *, byte **, byte);
5867 + static byte ie_compare(byte *, byte *);
5868 + static word find_cip(DIVA_CAPI_ADAPTER *, byte *, byte *);
5869 + static word CPN_filter_ok(byte *cpn, DIVA_CAPI_ADAPTER *, word);
5870 +@@ -4860,7 +4860,7 @@ static void sig_ind(PLCI *plci)
5871 + /* included before the ESC_MSGTYPE and MAXPARMSIDS has to be incremented */
5872 + /* SMSG is situated at the end because its 0 (for compatibility reasons */
5873 + /* (see Info_Mask Bit 4, first IE. then the message type) */
5874 +- word parms_id[] =
5875 ++ static const word parms_id[] =
5876 + {MAXPARMSIDS, CPN, 0xff, DSA, OSA, BC, LLC, HLC, ESC_CAUSE, DSP, DT, CHA,
5877 + UUI, CONG_RR, CONG_RNR, ESC_CHI, KEY, CHI, CAU, ESC_LAW,
5878 + RDN, RDX, CONN_NR, RIN, NI, CAI, ESC_CR,
5879 +@@ -4868,12 +4868,12 @@ static void sig_ind(PLCI *plci)
5880 + /* 14 FTY repl by ESC_CHI */
5881 + /* 18 PI repl by ESC_LAW */
5882 + /* removed OAD changed to 0xff for future use, OAD is multiIE now */
5883 +- word multi_fac_id[] = {1, FTY};
5884 +- word multi_pi_id[] = {1, PI};
5885 +- word multi_CiPN_id[] = {1, OAD};
5886 +- word multi_ssext_id[] = {1, ESC_SSEXT};
5887 ++ static const word multi_fac_id[] = {1, FTY};
5888 ++ static const word multi_pi_id[] = {1, PI};
5889 ++ static const word multi_CiPN_id[] = {1, OAD};
5890 ++ static const word multi_ssext_id[] = {1, ESC_SSEXT};
5891 +
5892 +- word multi_vswitch_id[] = {1, ESC_VSWITCH};
5893 ++ static const word multi_vswitch_id[] = {1, ESC_VSWITCH};
5894 +
5895 + byte *cau;
5896 + word ncci;
5897 +@@ -8926,7 +8926,7 @@ static void listen_check(DIVA_CAPI_ADAPTER *a)
5898 + /* functions for all parameters sent in INDs */
5899 + /*------------------------------------------------------------------*/
5900 +
5901 +-static void IndParse(PLCI *plci, word *parms_id, byte **parms, byte multiIEsize)
5902 ++static void IndParse(PLCI *plci, const word *parms_id, byte **parms, byte multiIEsize)
5903 + {
5904 + word ploc; /* points to current location within packet */
5905 + byte w;
5906 +diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c
5907 +index 358a574d9e8b..46d957c34be1 100644
5908 +--- a/drivers/isdn/icn/icn.c
5909 ++++ b/drivers/isdn/icn/icn.c
5910 +@@ -718,7 +718,7 @@ icn_sendbuf(int channel, int ack, struct sk_buff *skb, icn_card *card)
5911 + return 0;
5912 + if (card->sndcount[channel] > ICN_MAX_SQUEUE)
5913 + return 0;
5914 +-#warning TODO test headroom or use skb->nb to flag ACK
5915 ++ /* TODO test headroom or use skb->nb to flag ACK */
5916 + nskb = skb_clone(skb, GFP_ATOMIC);
5917 + if (nskb) {
5918 + /* Push ACK flag as one
5919 +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
5920 +index f0b75d54951a..ee2927b460c9 100644
5921 +--- a/drivers/md/bcache/btree.c
5922 ++++ b/drivers/md/bcache/btree.c
5923 +@@ -808,7 +808,10 @@ int bch_btree_cache_alloc(struct cache_set *c)
5924 + c->shrink.scan_objects = bch_mca_scan;
5925 + c->shrink.seeks = 4;
5926 + c->shrink.batch = c->btree_pages * 2;
5927 +- register_shrinker(&c->shrink);
5928 ++
5929 ++ if (register_shrinker(&c->shrink))
5930 ++ pr_warn("bcache: %s: could not register shrinker",
5931 ++ __func__);
5932 +
5933 + return 0;
5934 + }
5935 +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
5936 +index 51dc353f7962..657b8f763754 100644
5937 +--- a/drivers/md/dm-bufio.c
5938 ++++ b/drivers/md/dm-bufio.c
5939 +@@ -1521,7 +1521,8 @@ static unsigned long __scan(struct dm_bufio_client *c, unsigned long nr_to_scan,
5940 + int l;
5941 + struct dm_buffer *b, *tmp;
5942 + unsigned long freed = 0;
5943 +- unsigned long count = nr_to_scan;
5944 ++ unsigned long count = c->n_buffers[LIST_CLEAN] +
5945 ++ c->n_buffers[LIST_DIRTY];
5946 + unsigned long retain_target = get_retain_buffers(c);
5947 +
5948 + for (l = 0; l < LIST_SIZE; l++) {
5949 +@@ -1558,6 +1559,7 @@ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
5950 + {
5951 + struct dm_bufio_client *c;
5952 + unsigned long count;
5953 ++ unsigned long retain_target;
5954 +
5955 + c = container_of(shrink, struct dm_bufio_client, shrinker);
5956 + if (sc->gfp_mask & __GFP_FS)
5957 +@@ -1566,8 +1568,9 @@ dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
5958 + return 0;
5959 +
5960 + count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY];
5961 ++ retain_target = get_retain_buffers(c);
5962 + dm_bufio_unlock(c);
5963 +- return count;
5964 ++ return (count < retain_target) ? 0 : (count - retain_target);
5965 + }
5966 +
5967 + /*
5968 +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
5969 +index a178134abbe8..c9f51f7c1063 100644
5970 +--- a/drivers/md/dm-thin-metadata.c
5971 ++++ b/drivers/md/dm-thin-metadata.c
5972 +@@ -81,10 +81,14 @@
5973 + #define SECTOR_TO_BLOCK_SHIFT 3
5974 +
5975 + /*
5976 ++ * For btree insert:
5977 + * 3 for btree insert +
5978 + * 2 for btree lookup used within space map
5979 ++ * For btree remove:
5980 ++ * 2 for shadow spine +
5981 ++ * 4 for rebalance 3 child node
5982 + */
5983 +-#define THIN_MAX_CONCURRENT_LOCKS 5
5984 ++#define THIN_MAX_CONCURRENT_LOCKS 6
5985 +
5986 + /* This should be plenty */
5987 + #define SPACE_MAP_ROOT_SIZE 128
5988 +diff --git a/drivers/md/md.c b/drivers/md/md.c
5989 +index 1fdcd5735418..03bcc1ab2e9d 100644
5990 +--- a/drivers/md/md.c
5991 ++++ b/drivers/md/md.c
5992 +@@ -1043,8 +1043,9 @@ static int super_90_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor
5993 + * (not needed for Linear and RAID0 as metadata doesn't
5994 + * record this size)
5995 + */
5996 +- if (rdev->sectors >= (2ULL << 32) && sb->level >= 1)
5997 +- rdev->sectors = (2ULL << 32) - 2;
5998 ++ if (IS_ENABLED(CONFIG_LBDAF) && (u64)rdev->sectors >= (2ULL << 32) &&
5999 ++ sb->level >= 1)
6000 ++ rdev->sectors = (sector_t)(2ULL << 32) - 2;
6001 +
6002 + if (rdev->sectors < ((sector_t)sb->size) * 2 && sb->level >= 1)
6003 + /* "this cannot possibly happen" ... */
6004 +@@ -1337,8 +1338,9 @@ super_90_rdev_size_change(struct md_rdev *rdev, sector_t num_sectors)
6005 + /* Limit to 4TB as metadata cannot record more than that.
6006 + * 4TB == 2^32 KB, or 2*2^32 sectors.
6007 + */
6008 +- if (num_sectors >= (2ULL << 32) && rdev->mddev->level >= 1)
6009 +- num_sectors = (2ULL << 32) - 2;
6010 ++ if (IS_ENABLED(CONFIG_LBDAF) && (u64)num_sectors >= (2ULL << 32) &&
6011 ++ rdev->mddev->level >= 1)
6012 ++ num_sectors = (sector_t)(2ULL << 32) - 2;
6013 + md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size,
6014 + rdev->sb_page);
6015 + md_super_wait(rdev->mddev);
6016 +diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
6017 +index 360c22d44647..f2a8e4c69d9f 100644
6018 +--- a/drivers/md/persistent-data/dm-btree.c
6019 ++++ b/drivers/md/persistent-data/dm-btree.c
6020 +@@ -572,23 +572,8 @@ static int btree_split_beneath(struct shadow_spine *s, uint64_t key)
6021 + pn->keys[1] = rn->keys[0];
6022 + memcpy_disk(value_ptr(pn, 1), &val, sizeof(__le64));
6023 +
6024 +- /*
6025 +- * rejig the spine. This is ugly, since it knows too
6026 +- * much about the spine
6027 +- */
6028 +- if (s->nodes[0] != new_parent) {
6029 +- unlock_block(s->info, s->nodes[0]);
6030 +- s->nodes[0] = new_parent;
6031 +- }
6032 +- if (key < le64_to_cpu(rn->keys[0])) {
6033 +- unlock_block(s->info, right);
6034 +- s->nodes[1] = left;
6035 +- } else {
6036 +- unlock_block(s->info, left);
6037 +- s->nodes[1] = right;
6038 +- }
6039 +- s->count = 2;
6040 +-
6041 ++ unlock_block(s->info, left);
6042 ++ unlock_block(s->info, right);
6043 + return 0;
6044 + }
6045 +
6046 +diff --git a/drivers/media/i2c/s5k6aa.c b/drivers/media/i2c/s5k6aa.c
6047 +index de803a11efb4..768ae2115f1a 100644
6048 +--- a/drivers/media/i2c/s5k6aa.c
6049 ++++ b/drivers/media/i2c/s5k6aa.c
6050 +@@ -421,6 +421,7 @@ static int s5k6aa_set_ahb_address(struct i2c_client *client)
6051 +
6052 + /**
6053 + * s5k6aa_configure_pixel_clock - apply ISP main clock/PLL configuration
6054 ++ * @s5k6aa: pointer to &struct s5k6aa describing the device
6055 + *
6056 + * Configure the internal ISP PLL for the required output frequency.
6057 + * Locking: called with s5k6aa.lock mutex held.
6058 +@@ -669,6 +670,7 @@ static int s5k6aa_set_input_params(struct s5k6aa *s5k6aa)
6059 +
6060 + /**
6061 + * s5k6aa_configure_video_bus - configure the video output interface
6062 ++ * @s5k6aa: pointer to &struct s5k6aa describing the device
6063 + * @bus_type: video bus type: parallel or MIPI-CSI
6064 + * @nlanes: number of MIPI lanes to be used (MIPI-CSI only)
6065 + *
6066 +@@ -724,6 +726,8 @@ static int s5k6aa_new_config_sync(struct i2c_client *client, int timeout,
6067 +
6068 + /**
6069 + * s5k6aa_set_prev_config - write user preview register set
6070 ++ * @s5k6aa: pointer to &struct s5k6aa describing the device
6071 ++ * @preset: s5kaa preset to be applied
6072 + *
6073 + * Configure output resolution and color fromat, pixel clock
6074 + * frequency range, device frame rate type and frame period range.
6075 +@@ -777,6 +781,7 @@ static int s5k6aa_set_prev_config(struct s5k6aa *s5k6aa,
6076 +
6077 + /**
6078 + * s5k6aa_initialize_isp - basic ISP MCU initialization
6079 ++ * @sd: pointer to V4L2 sub-device descriptor
6080 + *
6081 + * Configure AHB addresses for registers read/write; configure PLLs for
6082 + * required output pixel clock. The ISP power supply needs to be already
6083 +diff --git a/drivers/media/platform/soc_camera/soc_scale_crop.c b/drivers/media/platform/soc_camera/soc_scale_crop.c
6084 +index 8e74fb7f2a07..2d673516a614 100644
6085 +--- a/drivers/media/platform/soc_camera/soc_scale_crop.c
6086 ++++ b/drivers/media/platform/soc_camera/soc_scale_crop.c
6087 +@@ -400,3 +400,7 @@ void soc_camera_calc_client_output(struct soc_camera_device *icd,
6088 + mf->height = soc_camera_shift_scale(rect->height, shift, scale_v);
6089 + }
6090 + EXPORT_SYMBOL(soc_camera_calc_client_output);
6091 ++
6092 ++MODULE_DESCRIPTION("soc-camera scaling-cropping functions");
6093 ++MODULE_AUTHOR("Guennadi Liakhovetski <kernel@×××××××××××.de>");
6094 ++MODULE_LICENSE("GPL");
6095 +diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
6096 +index 71159a58860f..4bfd64b0c0ad 100644
6097 +--- a/drivers/media/tuners/r820t.c
6098 ++++ b/drivers/media/tuners/r820t.c
6099 +@@ -410,9 +410,11 @@ static int r820t_write(struct r820t_priv *priv, u8 reg, const u8 *val,
6100 + return 0;
6101 + }
6102 +
6103 +-static int r820t_write_reg(struct r820t_priv *priv, u8 reg, u8 val)
6104 ++static inline int r820t_write_reg(struct r820t_priv *priv, u8 reg, u8 val)
6105 + {
6106 +- return r820t_write(priv, reg, &val, 1);
6107 ++ u8 tmp = val; /* work around GCC PR81715 with asan-stack=1 */
6108 ++
6109 ++ return r820t_write(priv, reg, &tmp, 1);
6110 + }
6111 +
6112 + static int r820t_read_cache_reg(struct r820t_priv *priv, int reg)
6113 +@@ -425,17 +427,18 @@ static int r820t_read_cache_reg(struct r820t_priv *priv, int reg)
6114 + return -EINVAL;
6115 + }
6116 +
6117 +-static int r820t_write_reg_mask(struct r820t_priv *priv, u8 reg, u8 val,
6118 ++static inline int r820t_write_reg_mask(struct r820t_priv *priv, u8 reg, u8 val,
6119 + u8 bit_mask)
6120 + {
6121 ++ u8 tmp = val;
6122 + int rc = r820t_read_cache_reg(priv, reg);
6123 +
6124 + if (rc < 0)
6125 + return rc;
6126 +
6127 +- val = (rc & ~bit_mask) | (val & bit_mask);
6128 ++ tmp = (rc & ~bit_mask) | (tmp & bit_mask);
6129 +
6130 +- return r820t_write(priv, reg, &val, 1);
6131 ++ return r820t_write(priv, reg, &tmp, 1);
6132 + }
6133 +
6134 + static int r820t_read(struct r820t_priv *priv, u8 reg, u8 *val, int len)
6135 +diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
6136 +index 5de6f7c04d09..7399bd58e286 100644
6137 +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
6138 ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
6139 +@@ -444,18 +444,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid,
6140 +
6141 + static int lme2510_return_status(struct dvb_usb_device *d)
6142 + {
6143 +- int ret = 0;
6144 ++ int ret;
6145 + u8 *data;
6146 +
6147 +- data = kzalloc(10, GFP_KERNEL);
6148 ++ data = kzalloc(6, GFP_KERNEL);
6149 + if (!data)
6150 + return -ENOMEM;
6151 +
6152 +- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
6153 +- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
6154 +- info("Firmware Status: %x (%x)", ret , data[2]);
6155 ++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
6156 ++ 0x06, 0x80, 0x0302, 0x00,
6157 ++ data, 0x6, 200);
6158 ++ if (ret != 6)
6159 ++ ret = -EINVAL;
6160 ++ else
6161 ++ ret = data[2];
6162 ++
6163 ++ info("Firmware Status: %6ph", data);
6164 +
6165 +- ret = (ret < 0) ? -ENODEV : data[2];
6166 + kfree(data);
6167 + return ret;
6168 + }
6169 +@@ -1029,8 +1034,6 @@ static int dm04_lme2510_frontend_attach(struct dvb_usb_adapter *adap)
6170 +
6171 + if (adap->fe[0]) {
6172 + info("FE Found M88RS2000");
6173 +- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
6174 +- &d->i2c_adap);
6175 + st->i2c_tuner_gate_w = 5;
6176 + st->i2c_tuner_gate_r = 5;
6177 + st->i2c_tuner_addr = 0x60;
6178 +@@ -1096,17 +1099,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter *adap)
6179 + ret = st->tuner_config;
6180 + break;
6181 + case TUNER_RS2000:
6182 +- ret = st->tuner_config;
6183 ++ if (dvb_attach(ts2020_attach, adap->fe[0],
6184 ++ &ts2020_config, &d->i2c_adap))
6185 ++ ret = st->tuner_config;
6186 + break;
6187 + default:
6188 + break;
6189 + }
6190 +
6191 +- if (ret)
6192 ++ if (ret) {
6193 + info("TUN Found %s tuner", tun_msg[ret]);
6194 +- else {
6195 +- info("TUN No tuner found --- resetting device");
6196 +- lme_coldreset(d);
6197 ++ } else {
6198 ++ info("TUN No tuner found");
6199 + return -ENODEV;
6200 + }
6201 +
6202 +@@ -1150,6 +1154,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d)
6203 + static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
6204 + {
6205 + struct lme2510_state *st = d->priv;
6206 ++ int status;
6207 +
6208 + usb_reset_configuration(d->udev);
6209 +
6210 +@@ -1158,12 +1163,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
6211 +
6212 + st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
6213 +
6214 +- if (lme2510_return_status(d) == 0x44) {
6215 ++ status = lme2510_return_status(d);
6216 ++ if (status == 0x44) {
6217 + *name = lme_firmware_switch(d, 0);
6218 + return COLD;
6219 + }
6220 +
6221 +- return 0;
6222 ++ if (status != 0x47)
6223 ++ return -EINVAL;
6224 ++
6225 ++ return WARM;
6226 + }
6227 +
6228 + static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
6229 +diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
6230 +index ffc3704abded..d89de44d94a0 100644
6231 +--- a/drivers/media/usb/dvb-usb/cxusb.c
6232 ++++ b/drivers/media/usb/dvb-usb/cxusb.c
6233 +@@ -818,6 +818,8 @@ static int dvico_bluebird_xc2028_callback(void *ptr, int component,
6234 + case XC2028_RESET_CLK:
6235 + deb_info("%s: XC2028_RESET_CLK %d\n", __func__, arg);
6236 + break;
6237 ++ case XC2028_I2C_FLUSH:
6238 ++ break;
6239 + default:
6240 + deb_info("%s: unknown command %d, arg %d\n", __func__,
6241 + command, arg);
6242 +diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c
6243 +index 0d7565158207..97057ae10509 100644
6244 +--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
6245 ++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
6246 +@@ -431,6 +431,7 @@ static int stk7700ph_xc3028_callback(void *ptr, int component,
6247 + state->dib7000p_ops.set_gpio(adap->fe_adap[0].fe, 8, 0, 1);
6248 + break;
6249 + case XC2028_RESET_CLK:
6250 ++ case XC2028_I2C_FLUSH:
6251 + break;
6252 + default:
6253 + err("%s: unknown command %d, arg %d\n", __func__,
6254 +diff --git a/drivers/media/usb/em28xx/Kconfig b/drivers/media/usb/em28xx/Kconfig
6255 +index e382210c4ada..75323f5efd0f 100644
6256 +--- a/drivers/media/usb/em28xx/Kconfig
6257 ++++ b/drivers/media/usb/em28xx/Kconfig
6258 +@@ -11,7 +11,7 @@ config VIDEO_EM28XX_V4L2
6259 + select VIDEO_SAA711X if MEDIA_SUBDRV_AUTOSELECT
6260 + select VIDEO_TVP5150 if MEDIA_SUBDRV_AUTOSELECT
6261 + select VIDEO_MSP3400 if MEDIA_SUBDRV_AUTOSELECT
6262 +- select VIDEO_MT9V011 if MEDIA_SUBDRV_AUTOSELECT
6263 ++ select VIDEO_MT9V011 if MEDIA_SUBDRV_AUTOSELECT && MEDIA_CAMERA_SUPPORT
6264 +
6265 + ---help---
6266 + This is a video4linux driver for Empia 28xx based TV cards.
6267 +diff --git a/drivers/media/usb/go7007/Kconfig b/drivers/media/usb/go7007/Kconfig
6268 +index 95a3af644a92..af1d02430931 100644
6269 +--- a/drivers/media/usb/go7007/Kconfig
6270 ++++ b/drivers/media/usb/go7007/Kconfig
6271 +@@ -11,7 +11,7 @@ config VIDEO_GO7007
6272 + select VIDEO_TW2804 if MEDIA_SUBDRV_AUTOSELECT
6273 + select VIDEO_TW9903 if MEDIA_SUBDRV_AUTOSELECT
6274 + select VIDEO_TW9906 if MEDIA_SUBDRV_AUTOSELECT
6275 +- select VIDEO_OV7640 if MEDIA_SUBDRV_AUTOSELECT
6276 ++ select VIDEO_OV7640 if MEDIA_SUBDRV_AUTOSELECT && MEDIA_CAMERA_SUPPORT
6277 + select VIDEO_UDA1342 if MEDIA_SUBDRV_AUTOSELECT
6278 + ---help---
6279 + This is a video4linux driver for the WIS GO7007 MPEG
6280 +diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c
6281 +index 3fc64197b4e6..08f0ca7aa012 100644
6282 +--- a/drivers/media/usb/hdpvr/hdpvr-core.c
6283 ++++ b/drivers/media/usb/hdpvr/hdpvr-core.c
6284 +@@ -273,7 +273,9 @@ static int hdpvr_probe(struct usb_interface *interface,
6285 + struct hdpvr_device *dev;
6286 + struct usb_host_interface *iface_desc;
6287 + struct usb_endpoint_descriptor *endpoint;
6288 ++#if IS_ENABLED(CONFIG_I2C)
6289 + struct i2c_client *client;
6290 ++#endif
6291 + size_t buffer_size;
6292 + int i;
6293 + int retval = -ENOMEM;
6294 +diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c
6295 +index a7e1f6f37790..a8f265cee365 100644
6296 +--- a/drivers/media/usb/pwc/pwc-if.c
6297 ++++ b/drivers/media/usb/pwc/pwc-if.c
6298 +@@ -1110,8 +1110,10 @@ static int usb_pwc_probe(struct usb_interface *intf, const struct usb_device_id
6299 +
6300 + return 0;
6301 +
6302 ++#ifdef CONFIG_USB_PWC_INPUT_EVDEV
6303 + err_video_unreg:
6304 + video_unregister_device(&pdev->vdev);
6305 ++#endif
6306 + err_unregister_v4l2_dev:
6307 + v4l2_device_unregister(&pdev->v4l2_dev);
6308 + err_free_controls:
6309 +diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
6310 +index 29428bef272c..3bbc77aa6a33 100644
6311 +--- a/drivers/media/usb/usbtv/usbtv-core.c
6312 ++++ b/drivers/media/usb/usbtv/usbtv-core.c
6313 +@@ -127,6 +127,7 @@ static void usbtv_disconnect(struct usb_interface *intf)
6314 +
6315 + static struct usb_device_id usbtv_id_table[] = {
6316 + { USB_DEVICE(0x1b71, 0x3002) },
6317 ++ { USB_DEVICE(0x1f71, 0x3301) },
6318 + {}
6319 + };
6320 + MODULE_DEVICE_TABLE(usb, usbtv_id_table);
6321 +diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
6322 +index 3b3becc5718d..7b12710becac 100644
6323 +--- a/drivers/media/usb/usbvision/usbvision-video.c
6324 ++++ b/drivers/media/usb/usbvision/usbvision-video.c
6325 +@@ -1522,6 +1522,13 @@ static int usbvision_probe(struct usb_interface *intf,
6326 + printk(KERN_INFO "%s: %s found\n", __func__,
6327 + usbvision_device_data[model].model_string);
6328 +
6329 ++ /*
6330 ++ * this is a security check.
6331 ++ * an exploit using an incorrect bInterfaceNumber is known
6332 ++ */
6333 ++ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
6334 ++ return -ENODEV;
6335 ++
6336 + if (usbvision_device_data[model].interface >= 0)
6337 + interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
6338 + else if (ifnum < dev->actconfig->desc.bNumInterfaces)
6339 +diff --git a/drivers/media/v4l2-core/Kconfig b/drivers/media/v4l2-core/Kconfig
6340 +index ba7e21a73023..b0372b1908f1 100644
6341 +--- a/drivers/media/v4l2-core/Kconfig
6342 ++++ b/drivers/media/v4l2-core/Kconfig
6343 +@@ -37,7 +37,6 @@ config VIDEO_PCI_SKELETON
6344 + # Used by drivers that need tuner.ko
6345 + config VIDEO_TUNER
6346 + tristate
6347 +- depends on MEDIA_TUNER
6348 +
6349 + # Used by drivers that need v4l2-mem2mem.ko
6350 + config V4L2_MEM2MEM_DEV
6351 +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
6352 +index 4f002d0bebb1..e03aa0961360 100644
6353 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
6354 ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
6355 +@@ -18,8 +18,18 @@
6356 + #include <linux/videodev2.h>
6357 + #include <linux/v4l2-subdev.h>
6358 + #include <media/v4l2-dev.h>
6359 ++#include <media/v4l2-fh.h>
6360 ++#include <media/v4l2-ctrls.h>
6361 + #include <media/v4l2-ioctl.h>
6362 +
6363 ++/* Use the same argument order as copy_in_user */
6364 ++#define assign_in_user(to, from) \
6365 ++({ \
6366 ++ typeof(*from) __assign_tmp; \
6367 ++ \
6368 ++ get_user(__assign_tmp, from) || put_user(__assign_tmp, to); \
6369 ++})
6370 ++
6371 + static long native_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
6372 + {
6373 + long ret = -ENOIOCTLCMD;
6374 +@@ -33,117 +43,88 @@ static long native_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
6375 +
6376 + struct v4l2_clip32 {
6377 + struct v4l2_rect c;
6378 +- compat_caddr_t next;
6379 ++ compat_caddr_t next;
6380 + };
6381 +
6382 + struct v4l2_window32 {
6383 + struct v4l2_rect w;
6384 +- __u32 field; /* enum v4l2_field */
6385 ++ __u32 field; /* enum v4l2_field */
6386 + __u32 chromakey;
6387 + compat_caddr_t clips; /* actually struct v4l2_clip32 * */
6388 + __u32 clipcount;
6389 + compat_caddr_t bitmap;
6390 ++ __u8 global_alpha;
6391 + };
6392 +
6393 +-static int get_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
6394 +-{
6395 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_window32)) ||
6396 +- copy_from_user(&kp->w, &up->w, sizeof(up->w)) ||
6397 +- get_user(kp->field, &up->field) ||
6398 +- get_user(kp->chromakey, &up->chromakey) ||
6399 +- get_user(kp->clipcount, &up->clipcount))
6400 +- return -EFAULT;
6401 +- if (kp->clipcount > 2048)
6402 +- return -EINVAL;
6403 +- if (kp->clipcount) {
6404 +- struct v4l2_clip32 __user *uclips;
6405 +- struct v4l2_clip __user *kclips;
6406 +- int n = kp->clipcount;
6407 +- compat_caddr_t p;
6408 +-
6409 +- if (get_user(p, &up->clips))
6410 +- return -EFAULT;
6411 +- uclips = compat_ptr(p);
6412 +- kclips = compat_alloc_user_space(n * sizeof(struct v4l2_clip));
6413 +- kp->clips = kclips;
6414 +- while (--n >= 0) {
6415 +- if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
6416 +- return -EFAULT;
6417 +- if (put_user(n ? kclips + 1 : NULL, &kclips->next))
6418 +- return -EFAULT;
6419 +- uclips += 1;
6420 +- kclips += 1;
6421 +- }
6422 +- } else
6423 +- kp->clips = NULL;
6424 +- return 0;
6425 +-}
6426 +-
6427 +-static int put_v4l2_window32(struct v4l2_window *kp, struct v4l2_window32 __user *up)
6428 ++static int get_v4l2_window32(struct v4l2_window __user *kp,
6429 ++ struct v4l2_window32 __user *up,
6430 ++ void __user *aux_buf, u32 aux_space)
6431 + {
6432 +- if (copy_to_user(&up->w, &kp->w, sizeof(kp->w)) ||
6433 +- put_user(kp->field, &up->field) ||
6434 +- put_user(kp->chromakey, &up->chromakey) ||
6435 +- put_user(kp->clipcount, &up->clipcount))
6436 +- return -EFAULT;
6437 +- return 0;
6438 +-}
6439 +-
6440 +-static inline int get_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up)
6441 +-{
6442 +- if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format)))
6443 +- return -EFAULT;
6444 +- return 0;
6445 +-}
6446 +-
6447 +-static inline int get_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp,
6448 +- struct v4l2_pix_format_mplane __user *up)
6449 +-{
6450 +- if (copy_from_user(kp, up, sizeof(struct v4l2_pix_format_mplane)))
6451 ++ struct v4l2_clip32 __user *uclips;
6452 ++ struct v4l2_clip __user *kclips;
6453 ++ compat_caddr_t p;
6454 ++ u32 clipcount;
6455 ++
6456 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
6457 ++ copy_in_user(&kp->w, &up->w, sizeof(up->w)) ||
6458 ++ assign_in_user(&kp->field, &up->field) ||
6459 ++ assign_in_user(&kp->chromakey, &up->chromakey) ||
6460 ++ assign_in_user(&kp->global_alpha, &up->global_alpha) ||
6461 ++ get_user(clipcount, &up->clipcount) ||
6462 ++ put_user(clipcount, &kp->clipcount))
6463 + return -EFAULT;
6464 +- return 0;
6465 +-}
6466 ++ if (clipcount > 2048)
6467 ++ return -EINVAL;
6468 ++ if (!clipcount)
6469 ++ return put_user(NULL, &kp->clips);
6470 +
6471 +-static inline int put_v4l2_pix_format(struct v4l2_pix_format *kp, struct v4l2_pix_format __user *up)
6472 +-{
6473 +- if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format)))
6474 ++ if (get_user(p, &up->clips))
6475 + return -EFAULT;
6476 +- return 0;
6477 +-}
6478 +-
6479 +-static inline int put_v4l2_pix_format_mplane(struct v4l2_pix_format_mplane *kp,
6480 +- struct v4l2_pix_format_mplane __user *up)
6481 +-{
6482 +- if (copy_to_user(up, kp, sizeof(struct v4l2_pix_format_mplane)))
6483 ++ uclips = compat_ptr(p);
6484 ++ if (aux_space < clipcount * sizeof(*kclips))
6485 + return -EFAULT;
6486 +- return 0;
6487 +-}
6488 +-
6489 +-static inline int get_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up)
6490 +-{
6491 +- if (copy_from_user(kp, up, sizeof(struct v4l2_vbi_format)))
6492 ++ kclips = aux_buf;
6493 ++ if (put_user(kclips, &kp->clips))
6494 + return -EFAULT;
6495 +- return 0;
6496 +-}
6497 +
6498 +-static inline int put_v4l2_vbi_format(struct v4l2_vbi_format *kp, struct v4l2_vbi_format __user *up)
6499 +-{
6500 +- if (copy_to_user(up, kp, sizeof(struct v4l2_vbi_format)))
6501 +- return -EFAULT;
6502 ++ while (clipcount--) {
6503 ++ if (copy_in_user(&kclips->c, &uclips->c, sizeof(uclips->c)))
6504 ++ return -EFAULT;
6505 ++ if (put_user(clipcount ? kclips + 1 : NULL, &kclips->next))
6506 ++ return -EFAULT;
6507 ++ uclips++;
6508 ++ kclips++;
6509 ++ }
6510 + return 0;
6511 + }
6512 +
6513 +-static inline int get_v4l2_sliced_vbi_format(struct v4l2_sliced_vbi_format *kp, struct v4l2_sliced_vbi_format __user *up)
6514 ++static int put_v4l2_window32(struct v4l2_window __user *kp,
6515 ++ struct v4l2_window32 __user *up)
6516 + {
6517 +- if (copy_from_user(kp, up, sizeof(struct v4l2_sliced_vbi_format)))
6518 ++ struct v4l2_clip __user *kclips = kp->clips;
6519 ++ struct v4l2_clip32 __user *uclips;
6520 ++ compat_caddr_t p;
6521 ++ u32 clipcount;
6522 ++
6523 ++ if (copy_in_user(&up->w, &kp->w, sizeof(kp->w)) ||
6524 ++ assign_in_user(&up->field, &kp->field) ||
6525 ++ assign_in_user(&up->chromakey, &kp->chromakey) ||
6526 ++ assign_in_user(&up->global_alpha, &kp->global_alpha) ||
6527 ++ get_user(clipcount, &kp->clipcount) ||
6528 ++ put_user(clipcount, &up->clipcount))
6529 + return -EFAULT;
6530 +- return 0;
6531 +-}
6532 ++ if (!clipcount)
6533 ++ return 0;
6534 +
6535 +-static inline int put_v4l2_sliced_vbi_format(struct v4l2_sliced_vbi_format *kp, struct v4l2_sliced_vbi_format __user *up)
6536 +-{
6537 +- if (copy_to_user(up, kp, sizeof(struct v4l2_sliced_vbi_format)))
6538 ++ if (get_user(p, &up->clips))
6539 + return -EFAULT;
6540 ++ uclips = compat_ptr(p);
6541 ++ while (clipcount--) {
6542 ++ if (copy_in_user(&uclips->c, &kclips->c, sizeof(uclips->c)))
6543 ++ return -EFAULT;
6544 ++ uclips++;
6545 ++ kclips++;
6546 ++ }
6547 + return 0;
6548 + }
6549 +
6550 +@@ -176,91 +157,150 @@ struct v4l2_create_buffers32 {
6551 + __u32 reserved[8];
6552 + };
6553 +
6554 +-static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
6555 ++static int __bufsize_v4l2_format(struct v4l2_format32 __user *up, u32 *size)
6556 + {
6557 +- if (get_user(kp->type, &up->type))
6558 ++ u32 type;
6559 ++
6560 ++ if (get_user(type, &up->type))
6561 + return -EFAULT;
6562 +
6563 +- switch (kp->type) {
6564 ++ switch (type) {
6565 ++ case V4L2_BUF_TYPE_VIDEO_OVERLAY:
6566 ++ case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY: {
6567 ++ u32 clipcount;
6568 ++
6569 ++ if (get_user(clipcount, &up->fmt.win.clipcount))
6570 ++ return -EFAULT;
6571 ++ if (clipcount > 2048)
6572 ++ return -EINVAL;
6573 ++ *size = clipcount * sizeof(struct v4l2_clip);
6574 ++ return 0;
6575 ++ }
6576 ++ default:
6577 ++ *size = 0;
6578 ++ return 0;
6579 ++ }
6580 ++}
6581 ++
6582 ++static int bufsize_v4l2_format(struct v4l2_format32 __user *up, u32 *size)
6583 ++{
6584 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)))
6585 ++ return -EFAULT;
6586 ++ return __bufsize_v4l2_format(up, size);
6587 ++}
6588 ++
6589 ++static int __get_v4l2_format32(struct v4l2_format __user *kp,
6590 ++ struct v4l2_format32 __user *up,
6591 ++ void __user *aux_buf, u32 aux_space)
6592 ++{
6593 ++ u32 type;
6594 ++
6595 ++ if (get_user(type, &up->type) || put_user(type, &kp->type))
6596 ++ return -EFAULT;
6597 ++
6598 ++ switch (type) {
6599 + case V4L2_BUF_TYPE_VIDEO_CAPTURE:
6600 + case V4L2_BUF_TYPE_VIDEO_OUTPUT:
6601 +- return get_v4l2_pix_format(&kp->fmt.pix, &up->fmt.pix);
6602 ++ return copy_in_user(&kp->fmt.pix, &up->fmt.pix,
6603 ++ sizeof(kp->fmt.pix)) ? -EFAULT : 0;
6604 + case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
6605 + case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
6606 +- return get_v4l2_pix_format_mplane(&kp->fmt.pix_mp,
6607 +- &up->fmt.pix_mp);
6608 ++ return copy_in_user(&kp->fmt.pix_mp, &up->fmt.pix_mp,
6609 ++ sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
6610 + case V4L2_BUF_TYPE_VIDEO_OVERLAY:
6611 + case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
6612 +- return get_v4l2_window32(&kp->fmt.win, &up->fmt.win);
6613 ++ return get_v4l2_window32(&kp->fmt.win, &up->fmt.win,
6614 ++ aux_buf, aux_space);
6615 + case V4L2_BUF_TYPE_VBI_CAPTURE:
6616 + case V4L2_BUF_TYPE_VBI_OUTPUT:
6617 +- return get_v4l2_vbi_format(&kp->fmt.vbi, &up->fmt.vbi);
6618 ++ return copy_in_user(&kp->fmt.vbi, &up->fmt.vbi,
6619 ++ sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
6620 + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
6621 + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
6622 +- return get_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced);
6623 ++ return copy_in_user(&kp->fmt.sliced, &up->fmt.sliced,
6624 ++ sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
6625 + default:
6626 +- printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
6627 +- kp->type);
6628 + return -EINVAL;
6629 + }
6630 + }
6631 +
6632 +-static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
6633 ++static int get_v4l2_format32(struct v4l2_format __user *kp,
6634 ++ struct v4l2_format32 __user *up,
6635 ++ void __user *aux_buf, u32 aux_space)
6636 + {
6637 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)))
6638 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)))
6639 + return -EFAULT;
6640 +- return __get_v4l2_format32(kp, up);
6641 ++ return __get_v4l2_format32(kp, up, aux_buf, aux_space);
6642 + }
6643 +
6644 +-static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
6645 ++static int bufsize_v4l2_create(struct v4l2_create_buffers32 __user *up,
6646 ++ u32 *size)
6647 + {
6648 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) ||
6649 +- copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format)))
6650 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)))
6651 + return -EFAULT;
6652 +- return __get_v4l2_format32(&kp->format, &up->format);
6653 ++ return __bufsize_v4l2_format(&up->format, size);
6654 + }
6655 +
6656 +-static int __put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
6657 ++static int get_v4l2_create32(struct v4l2_create_buffers __user *kp,
6658 ++ struct v4l2_create_buffers32 __user *up,
6659 ++ void __user *aux_buf, u32 aux_space)
6660 + {
6661 +- if (put_user(kp->type, &up->type))
6662 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
6663 ++ copy_in_user(kp, up,
6664 ++ offsetof(struct v4l2_create_buffers32, format)))
6665 + return -EFAULT;
6666 ++ return __get_v4l2_format32(&kp->format, &up->format,
6667 ++ aux_buf, aux_space);
6668 ++}
6669 ++
6670 ++static int __put_v4l2_format32(struct v4l2_format __user *kp,
6671 ++ struct v4l2_format32 __user *up)
6672 ++{
6673 ++ u32 type;
6674 +
6675 +- switch (kp->type) {
6676 ++ if (get_user(type, &kp->type))
6677 ++ return -EFAULT;
6678 ++
6679 ++ switch (type) {
6680 + case V4L2_BUF_TYPE_VIDEO_CAPTURE:
6681 + case V4L2_BUF_TYPE_VIDEO_OUTPUT:
6682 +- return put_v4l2_pix_format(&kp->fmt.pix, &up->fmt.pix);
6683 ++ return copy_in_user(&up->fmt.pix, &kp->fmt.pix,
6684 ++ sizeof(kp->fmt.pix)) ? -EFAULT : 0;
6685 + case V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE:
6686 + case V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE:
6687 +- return put_v4l2_pix_format_mplane(&kp->fmt.pix_mp,
6688 +- &up->fmt.pix_mp);
6689 ++ return copy_in_user(&up->fmt.pix_mp, &kp->fmt.pix_mp,
6690 ++ sizeof(kp->fmt.pix_mp)) ? -EFAULT : 0;
6691 + case V4L2_BUF_TYPE_VIDEO_OVERLAY:
6692 + case V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY:
6693 + return put_v4l2_window32(&kp->fmt.win, &up->fmt.win);
6694 + case V4L2_BUF_TYPE_VBI_CAPTURE:
6695 + case V4L2_BUF_TYPE_VBI_OUTPUT:
6696 +- return put_v4l2_vbi_format(&kp->fmt.vbi, &up->fmt.vbi);
6697 ++ return copy_in_user(&up->fmt.vbi, &kp->fmt.vbi,
6698 ++ sizeof(kp->fmt.vbi)) ? -EFAULT : 0;
6699 + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
6700 + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
6701 +- return put_v4l2_sliced_vbi_format(&kp->fmt.sliced, &up->fmt.sliced);
6702 ++ return copy_in_user(&up->fmt.sliced, &kp->fmt.sliced,
6703 ++ sizeof(kp->fmt.sliced)) ? -EFAULT : 0;
6704 + default:
6705 +- printk(KERN_INFO "compat_ioctl32: unexpected VIDIOC_FMT type %d\n",
6706 +- kp->type);
6707 + return -EINVAL;
6708 + }
6709 + }
6710 +
6711 +-static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
6712 ++static int put_v4l2_format32(struct v4l2_format __user *kp,
6713 ++ struct v4l2_format32 __user *up)
6714 + {
6715 +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_format32)))
6716 ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)))
6717 + return -EFAULT;
6718 + return __put_v4l2_format32(kp, up);
6719 + }
6720 +
6721 +-static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
6722 ++static int put_v4l2_create32(struct v4l2_create_buffers __user *kp,
6723 ++ struct v4l2_create_buffers32 __user *up)
6724 + {
6725 +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) ||
6726 +- copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format)) ||
6727 +- copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
6728 ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
6729 ++ copy_in_user(up, kp,
6730 ++ offsetof(struct v4l2_create_buffers32, format)) ||
6731 ++ copy_in_user(up->reserved, kp->reserved, sizeof(kp->reserved)))
6732 + return -EFAULT;
6733 + return __put_v4l2_format32(&kp->format, &up->format);
6734 + }
6735 +@@ -274,25 +314,28 @@ struct v4l2_standard32 {
6736 + __u32 reserved[4];
6737 + };
6738 +
6739 +-static int get_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
6740 ++static int get_v4l2_standard32(struct v4l2_standard __user *kp,
6741 ++ struct v4l2_standard32 __user *up)
6742 + {
6743 + /* other fields are not set by the user, nor used by the driver */
6744 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_standard32)) ||
6745 +- get_user(kp->index, &up->index))
6746 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
6747 ++ assign_in_user(&kp->index, &up->index))
6748 + return -EFAULT;
6749 + return 0;
6750 + }
6751 +
6752 +-static int put_v4l2_standard32(struct v4l2_standard *kp, struct v4l2_standard32 __user *up)
6753 ++static int put_v4l2_standard32(struct v4l2_standard __user *kp,
6754 ++ struct v4l2_standard32 __user *up)
6755 + {
6756 +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_standard32)) ||
6757 +- put_user(kp->index, &up->index) ||
6758 +- copy_to_user(up->id, &kp->id, sizeof(__u64)) ||
6759 +- copy_to_user(up->name, kp->name, 24) ||
6760 +- copy_to_user(&up->frameperiod, &kp->frameperiod, sizeof(kp->frameperiod)) ||
6761 +- put_user(kp->framelines, &up->framelines) ||
6762 +- copy_to_user(up->reserved, kp->reserved, 4 * sizeof(__u32)))
6763 +- return -EFAULT;
6764 ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
6765 ++ assign_in_user(&up->index, &kp->index) ||
6766 ++ copy_in_user(&up->id, &kp->id, sizeof(up->id)) ||
6767 ++ copy_in_user(up->name, kp->name, sizeof(up->name)) ||
6768 ++ copy_in_user(&up->frameperiod, &kp->frameperiod,
6769 ++ sizeof(up->frameperiod)) ||
6770 ++ assign_in_user(&up->framelines, &kp->framelines) ||
6771 ++ copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
6772 ++ return -EFAULT;
6773 + return 0;
6774 + }
6775 +
6776 +@@ -331,134 +374,186 @@ struct v4l2_buffer32 {
6777 + __u32 reserved;
6778 + };
6779 +
6780 +-static int get_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
6781 +- enum v4l2_memory memory)
6782 ++static int get_v4l2_plane32(struct v4l2_plane __user *up,
6783 ++ struct v4l2_plane32 __user *up32,
6784 ++ enum v4l2_memory memory)
6785 + {
6786 +- void __user *up_pln;
6787 +- compat_long_t p;
6788 ++ compat_ulong_t p;
6789 +
6790 + if (copy_in_user(up, up32, 2 * sizeof(__u32)) ||
6791 +- copy_in_user(&up->data_offset, &up32->data_offset,
6792 +- sizeof(__u32)))
6793 ++ copy_in_user(&up->data_offset, &up32->data_offset,
6794 ++ sizeof(up->data_offset)))
6795 + return -EFAULT;
6796 +
6797 +- if (memory == V4L2_MEMORY_USERPTR) {
6798 +- if (get_user(p, &up32->m.userptr))
6799 +- return -EFAULT;
6800 +- up_pln = compat_ptr(p);
6801 +- if (put_user((unsigned long)up_pln, &up->m.userptr))
6802 ++ switch (memory) {
6803 ++ case V4L2_MEMORY_MMAP:
6804 ++ case V4L2_MEMORY_OVERLAY:
6805 ++ if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
6806 ++ sizeof(up32->m.mem_offset)))
6807 + return -EFAULT;
6808 +- } else if (memory == V4L2_MEMORY_DMABUF) {
6809 +- if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(int)))
6810 ++ break;
6811 ++ case V4L2_MEMORY_USERPTR:
6812 ++ if (get_user(p, &up32->m.userptr) ||
6813 ++ put_user((unsigned long)compat_ptr(p), &up->m.userptr))
6814 + return -EFAULT;
6815 +- } else {
6816 +- if (copy_in_user(&up->m.mem_offset, &up32->m.mem_offset,
6817 +- sizeof(__u32)))
6818 ++ break;
6819 ++ case V4L2_MEMORY_DMABUF:
6820 ++ if (copy_in_user(&up->m.fd, &up32->m.fd, sizeof(up32->m.fd)))
6821 + return -EFAULT;
6822 ++ break;
6823 + }
6824 +
6825 + return 0;
6826 + }
6827 +
6828 +-static int put_v4l2_plane32(struct v4l2_plane __user *up, struct v4l2_plane32 __user *up32,
6829 +- enum v4l2_memory memory)
6830 ++static int put_v4l2_plane32(struct v4l2_plane __user *up,
6831 ++ struct v4l2_plane32 __user *up32,
6832 ++ enum v4l2_memory memory)
6833 + {
6834 ++ unsigned long p;
6835 ++
6836 + if (copy_in_user(up32, up, 2 * sizeof(__u32)) ||
6837 +- copy_in_user(&up32->data_offset, &up->data_offset,
6838 +- sizeof(__u32)))
6839 ++ copy_in_user(&up32->data_offset, &up->data_offset,
6840 ++ sizeof(up->data_offset)))
6841 + return -EFAULT;
6842 +
6843 +- /* For MMAP, driver might've set up the offset, so copy it back.
6844 +- * USERPTR stays the same (was userspace-provided), so no copying. */
6845 +- if (memory == V4L2_MEMORY_MMAP)
6846 ++ switch (memory) {
6847 ++ case V4L2_MEMORY_MMAP:
6848 ++ case V4L2_MEMORY_OVERLAY:
6849 + if (copy_in_user(&up32->m.mem_offset, &up->m.mem_offset,
6850 +- sizeof(__u32)))
6851 ++ sizeof(up->m.mem_offset)))
6852 + return -EFAULT;
6853 +- /* For DMABUF, driver might've set up the fd, so copy it back. */
6854 +- if (memory == V4L2_MEMORY_DMABUF)
6855 +- if (copy_in_user(&up32->m.fd, &up->m.fd,
6856 +- sizeof(int)))
6857 ++ break;
6858 ++ case V4L2_MEMORY_USERPTR:
6859 ++ if (get_user(p, &up->m.userptr) ||
6860 ++ put_user((compat_ulong_t)ptr_to_compat((__force void *)p),
6861 ++ &up32->m.userptr))
6862 ++ return -EFAULT;
6863 ++ break;
6864 ++ case V4L2_MEMORY_DMABUF:
6865 ++ if (copy_in_user(&up32->m.fd, &up->m.fd, sizeof(up->m.fd)))
6866 + return -EFAULT;
6867 ++ break;
6868 ++ }
6869 ++
6870 ++ return 0;
6871 ++}
6872 ++
6873 ++static int bufsize_v4l2_buffer(struct v4l2_buffer32 __user *up, u32 *size)
6874 ++{
6875 ++ u32 type;
6876 ++ u32 length;
6877 ++
6878 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
6879 ++ get_user(type, &up->type) ||
6880 ++ get_user(length, &up->length))
6881 ++ return -EFAULT;
6882 +
6883 ++ if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
6884 ++ if (length > VIDEO_MAX_PLANES)
6885 ++ return -EINVAL;
6886 ++
6887 ++ /*
6888 ++ * We don't really care if userspace decides to kill itself
6889 ++ * by passing a very big length value
6890 ++ */
6891 ++ *size = length * sizeof(struct v4l2_plane);
6892 ++ } else {
6893 ++ *size = 0;
6894 ++ }
6895 + return 0;
6896 + }
6897 +
6898 +-static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up)
6899 ++static int get_v4l2_buffer32(struct v4l2_buffer __user *kp,
6900 ++ struct v4l2_buffer32 __user *up,
6901 ++ void __user *aux_buf, u32 aux_space)
6902 + {
6903 ++ u32 type;
6904 ++ u32 length;
6905 ++ enum v4l2_memory memory;
6906 + struct v4l2_plane32 __user *uplane32;
6907 + struct v4l2_plane __user *uplane;
6908 + compat_caddr_t p;
6909 +- int num_planes;
6910 + int ret;
6911 +
6912 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_buffer32)) ||
6913 +- get_user(kp->index, &up->index) ||
6914 +- get_user(kp->type, &up->type) ||
6915 +- get_user(kp->flags, &up->flags) ||
6916 +- get_user(kp->memory, &up->memory) ||
6917 +- get_user(kp->length, &up->length))
6918 +- return -EFAULT;
6919 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
6920 ++ assign_in_user(&kp->index, &up->index) ||
6921 ++ get_user(type, &up->type) ||
6922 ++ put_user(type, &kp->type) ||
6923 ++ assign_in_user(&kp->flags, &up->flags) ||
6924 ++ get_user(memory, &up->memory) ||
6925 ++ put_user(memory, &kp->memory) ||
6926 ++ get_user(length, &up->length) ||
6927 ++ put_user(length, &kp->length))
6928 ++ return -EFAULT;
6929 +
6930 +- if (V4L2_TYPE_IS_OUTPUT(kp->type))
6931 +- if (get_user(kp->bytesused, &up->bytesused) ||
6932 +- get_user(kp->field, &up->field) ||
6933 +- get_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
6934 +- get_user(kp->timestamp.tv_usec,
6935 +- &up->timestamp.tv_usec))
6936 ++ if (V4L2_TYPE_IS_OUTPUT(type))
6937 ++ if (assign_in_user(&kp->bytesused, &up->bytesused) ||
6938 ++ assign_in_user(&kp->field, &up->field) ||
6939 ++ assign_in_user(&kp->timestamp.tv_sec,
6940 ++ &up->timestamp.tv_sec) ||
6941 ++ assign_in_user(&kp->timestamp.tv_usec,
6942 ++ &up->timestamp.tv_usec))
6943 + return -EFAULT;
6944 +
6945 +- if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
6946 +- num_planes = kp->length;
6947 ++ if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
6948 ++ u32 num_planes = length;
6949 ++
6950 + if (num_planes == 0) {
6951 +- kp->m.planes = NULL;
6952 +- /* num_planes == 0 is legal, e.g. when userspace doesn't
6953 +- * need planes array on DQBUF*/
6954 +- return 0;
6955 ++ /*
6956 ++ * num_planes == 0 is legal, e.g. when userspace doesn't
6957 ++ * need planes array on DQBUF
6958 ++ */
6959 ++ return put_user(NULL, &kp->m.planes);
6960 + }
6961 ++ if (num_planes > VIDEO_MAX_PLANES)
6962 ++ return -EINVAL;
6963 +
6964 + if (get_user(p, &up->m.planes))
6965 + return -EFAULT;
6966 +
6967 + uplane32 = compat_ptr(p);
6968 + if (!access_ok(VERIFY_READ, uplane32,
6969 +- num_planes * sizeof(struct v4l2_plane32)))
6970 ++ num_planes * sizeof(*uplane32)))
6971 + return -EFAULT;
6972 +
6973 +- /* We don't really care if userspace decides to kill itself
6974 +- * by passing a very big num_planes value */
6975 +- uplane = compat_alloc_user_space(num_planes *
6976 +- sizeof(struct v4l2_plane));
6977 +- kp->m.planes = (__force struct v4l2_plane *)uplane;
6978 ++ /*
6979 ++ * We don't really care if userspace decides to kill itself
6980 ++ * by passing a very big num_planes value
6981 ++ */
6982 ++ if (aux_space < num_planes * sizeof(*uplane))
6983 ++ return -EFAULT;
6984 ++
6985 ++ uplane = aux_buf;
6986 ++ if (put_user((__force struct v4l2_plane *)uplane,
6987 ++ &kp->m.planes))
6988 ++ return -EFAULT;
6989 +
6990 +- while (--num_planes >= 0) {
6991 +- ret = get_v4l2_plane32(uplane, uplane32, kp->memory);
6992 ++ while (num_planes--) {
6993 ++ ret = get_v4l2_plane32(uplane, uplane32, memory);
6994 + if (ret)
6995 + return ret;
6996 +- ++uplane;
6997 +- ++uplane32;
6998 ++ uplane++;
6999 ++ uplane32++;
7000 + }
7001 + } else {
7002 +- switch (kp->memory) {
7003 ++ switch (memory) {
7004 + case V4L2_MEMORY_MMAP:
7005 +- if (get_user(kp->m.offset, &up->m.offset))
7006 ++ case V4L2_MEMORY_OVERLAY:
7007 ++ if (assign_in_user(&kp->m.offset, &up->m.offset))
7008 + return -EFAULT;
7009 + break;
7010 +- case V4L2_MEMORY_USERPTR:
7011 +- {
7012 +- compat_long_t tmp;
7013 ++ case V4L2_MEMORY_USERPTR: {
7014 ++ compat_ulong_t userptr;
7015 +
7016 +- if (get_user(tmp, &up->m.userptr))
7017 +- return -EFAULT;
7018 +-
7019 +- kp->m.userptr = (unsigned long)compat_ptr(tmp);
7020 +- }
7021 +- break;
7022 +- case V4L2_MEMORY_OVERLAY:
7023 +- if (get_user(kp->m.offset, &up->m.offset))
7024 ++ if (get_user(userptr, &up->m.userptr) ||
7025 ++ put_user((unsigned long)compat_ptr(userptr),
7026 ++ &kp->m.userptr))
7027 + return -EFAULT;
7028 + break;
7029 ++ }
7030 + case V4L2_MEMORY_DMABUF:
7031 +- if (get_user(kp->m.fd, &up->m.fd))
7032 ++ if (assign_in_user(&kp->m.fd, &up->m.fd))
7033 + return -EFAULT;
7034 + break;
7035 + }
7036 +@@ -467,65 +562,70 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
7037 + return 0;
7038 + }
7039 +
7040 +-static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user *up)
7041 ++static int put_v4l2_buffer32(struct v4l2_buffer __user *kp,
7042 ++ struct v4l2_buffer32 __user *up)
7043 + {
7044 ++ u32 type;
7045 ++ u32 length;
7046 ++ enum v4l2_memory memory;
7047 + struct v4l2_plane32 __user *uplane32;
7048 + struct v4l2_plane __user *uplane;
7049 + compat_caddr_t p;
7050 +- int num_planes;
7051 + int ret;
7052 +
7053 +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_buffer32)) ||
7054 +- put_user(kp->index, &up->index) ||
7055 +- put_user(kp->type, &up->type) ||
7056 +- put_user(kp->flags, &up->flags) ||
7057 +- put_user(kp->memory, &up->memory))
7058 +- return -EFAULT;
7059 ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
7060 ++ assign_in_user(&up->index, &kp->index) ||
7061 ++ get_user(type, &kp->type) ||
7062 ++ put_user(type, &up->type) ||
7063 ++ assign_in_user(&up->flags, &kp->flags) ||
7064 ++ get_user(memory, &kp->memory) ||
7065 ++ put_user(memory, &up->memory))
7066 ++ return -EFAULT;
7067 +
7068 +- if (put_user(kp->bytesused, &up->bytesused) ||
7069 +- put_user(kp->field, &up->field) ||
7070 +- put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
7071 +- put_user(kp->timestamp.tv_usec, &up->timestamp.tv_usec) ||
7072 +- copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) ||
7073 +- put_user(kp->sequence, &up->sequence) ||
7074 +- put_user(kp->reserved2, &up->reserved2) ||
7075 +- put_user(kp->reserved, &up->reserved) ||
7076 +- put_user(kp->length, &up->length))
7077 +- return -EFAULT;
7078 ++ if (assign_in_user(&up->bytesused, &kp->bytesused) ||
7079 ++ assign_in_user(&up->field, &kp->field) ||
7080 ++ assign_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) ||
7081 ++ assign_in_user(&up->timestamp.tv_usec, &kp->timestamp.tv_usec) ||
7082 ++ copy_in_user(&up->timecode, &kp->timecode, sizeof(kp->timecode)) ||
7083 ++ assign_in_user(&up->sequence, &kp->sequence) ||
7084 ++ assign_in_user(&up->reserved2, &kp->reserved2) ||
7085 ++ assign_in_user(&up->reserved, &kp->reserved) ||
7086 ++ get_user(length, &kp->length) ||
7087 ++ put_user(length, &up->length))
7088 ++ return -EFAULT;
7089 ++
7090 ++ if (V4L2_TYPE_IS_MULTIPLANAR(type)) {
7091 ++ u32 num_planes = length;
7092 +
7093 +- if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
7094 +- num_planes = kp->length;
7095 + if (num_planes == 0)
7096 + return 0;
7097 +
7098 +- uplane = (__force struct v4l2_plane __user *)kp->m.planes;
7099 ++ if (get_user(uplane, ((__force struct v4l2_plane __user **)&kp->m.planes)))
7100 ++ return -EFAULT;
7101 + if (get_user(p, &up->m.planes))
7102 + return -EFAULT;
7103 + uplane32 = compat_ptr(p);
7104 +
7105 +- while (--num_planes >= 0) {
7106 +- ret = put_v4l2_plane32(uplane, uplane32, kp->memory);
7107 ++ while (num_planes--) {
7108 ++ ret = put_v4l2_plane32(uplane, uplane32, memory);
7109 + if (ret)
7110 + return ret;
7111 + ++uplane;
7112 + ++uplane32;
7113 + }
7114 + } else {
7115 +- switch (kp->memory) {
7116 ++ switch (memory) {
7117 + case V4L2_MEMORY_MMAP:
7118 +- if (put_user(kp->m.offset, &up->m.offset))
7119 ++ case V4L2_MEMORY_OVERLAY:
7120 ++ if (assign_in_user(&up->m.offset, &kp->m.offset))
7121 + return -EFAULT;
7122 + break;
7123 + case V4L2_MEMORY_USERPTR:
7124 +- if (put_user(kp->m.userptr, &up->m.userptr))
7125 +- return -EFAULT;
7126 +- break;
7127 +- case V4L2_MEMORY_OVERLAY:
7128 +- if (put_user(kp->m.offset, &up->m.offset))
7129 ++ if (assign_in_user(&up->m.userptr, &kp->m.userptr))
7130 + return -EFAULT;
7131 + break;
7132 + case V4L2_MEMORY_DMABUF:
7133 +- if (put_user(kp->m.fd, &up->m.fd))
7134 ++ if (assign_in_user(&up->m.fd, &kp->m.fd))
7135 + return -EFAULT;
7136 + break;
7137 + }
7138 +@@ -537,7 +637,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
7139 + struct v4l2_framebuffer32 {
7140 + __u32 capability;
7141 + __u32 flags;
7142 +- compat_caddr_t base;
7143 ++ compat_caddr_t base;
7144 + struct {
7145 + __u32 width;
7146 + __u32 height;
7147 +@@ -550,30 +650,33 @@ struct v4l2_framebuffer32 {
7148 + } fmt;
7149 + };
7150 +
7151 +-static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up)
7152 ++static int get_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp,
7153 ++ struct v4l2_framebuffer32 __user *up)
7154 + {
7155 +- u32 tmp;
7156 +-
7157 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_framebuffer32)) ||
7158 +- get_user(tmp, &up->base) ||
7159 +- get_user(kp->capability, &up->capability) ||
7160 +- get_user(kp->flags, &up->flags) ||
7161 +- copy_from_user(&kp->fmt, &up->fmt, sizeof(up->fmt)))
7162 +- return -EFAULT;
7163 +- kp->base = (__force void *)compat_ptr(tmp);
7164 ++ compat_caddr_t tmp;
7165 ++
7166 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
7167 ++ get_user(tmp, &up->base) ||
7168 ++ put_user((__force void *)compat_ptr(tmp), &kp->base) ||
7169 ++ assign_in_user(&kp->capability, &up->capability) ||
7170 ++ assign_in_user(&kp->flags, &up->flags) ||
7171 ++ copy_in_user(&kp->fmt, &up->fmt, sizeof(kp->fmt)))
7172 ++ return -EFAULT;
7173 + return 0;
7174 + }
7175 +
7176 +-static int put_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_framebuffer32 __user *up)
7177 ++static int put_v4l2_framebuffer32(struct v4l2_framebuffer __user *kp,
7178 ++ struct v4l2_framebuffer32 __user *up)
7179 + {
7180 +- u32 tmp = (u32)((unsigned long)kp->base);
7181 +-
7182 +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_framebuffer32)) ||
7183 +- put_user(tmp, &up->base) ||
7184 +- put_user(kp->capability, &up->capability) ||
7185 +- put_user(kp->flags, &up->flags) ||
7186 +- copy_to_user(&up->fmt, &kp->fmt, sizeof(up->fmt)))
7187 +- return -EFAULT;
7188 ++ void *base;
7189 ++
7190 ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
7191 ++ get_user(base, &kp->base) ||
7192 ++ put_user(ptr_to_compat(base), &up->base) ||
7193 ++ assign_in_user(&up->capability, &kp->capability) ||
7194 ++ assign_in_user(&up->flags, &kp->flags) ||
7195 ++ copy_in_user(&up->fmt, &kp->fmt, sizeof(kp->fmt)))
7196 ++ return -EFAULT;
7197 + return 0;
7198 + }
7199 +
7200 +@@ -585,31 +688,36 @@ struct v4l2_input32 {
7201 + __u32 tuner; /* Associated tuner */
7202 + v4l2_std_id std;
7203 + __u32 status;
7204 +- __u32 reserved[4];
7205 +-} __attribute__ ((packed));
7206 ++ __u32 capabilities;
7207 ++ __u32 reserved[3];
7208 ++};
7209 +
7210 +-/* The 64-bit v4l2_input struct has extra padding at the end of the struct.
7211 +- Otherwise it is identical to the 32-bit version. */
7212 +-static inline int get_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
7213 ++/*
7214 ++ * The 64-bit v4l2_input struct has extra padding at the end of the struct.
7215 ++ * Otherwise it is identical to the 32-bit version.
7216 ++ */
7217 ++static inline int get_v4l2_input32(struct v4l2_input __user *kp,
7218 ++ struct v4l2_input32 __user *up)
7219 + {
7220 +- if (copy_from_user(kp, up, sizeof(struct v4l2_input32)))
7221 ++ if (copy_in_user(kp, up, sizeof(*up)))
7222 + return -EFAULT;
7223 + return 0;
7224 + }
7225 +
7226 +-static inline int put_v4l2_input32(struct v4l2_input *kp, struct v4l2_input32 __user *up)
7227 ++static inline int put_v4l2_input32(struct v4l2_input __user *kp,
7228 ++ struct v4l2_input32 __user *up)
7229 + {
7230 +- if (copy_to_user(up, kp, sizeof(struct v4l2_input32)))
7231 ++ if (copy_in_user(up, kp, sizeof(*up)))
7232 + return -EFAULT;
7233 + return 0;
7234 + }
7235 +
7236 + struct v4l2_ext_controls32 {
7237 +- __u32 ctrl_class;
7238 +- __u32 count;
7239 +- __u32 error_idx;
7240 +- __u32 reserved[2];
7241 +- compat_caddr_t controls; /* actually struct v4l2_ext_control32 * */
7242 ++ __u32 ctrl_class;
7243 ++ __u32 count;
7244 ++ __u32 error_idx;
7245 ++ __u32 reserved[2];
7246 ++ compat_caddr_t controls; /* actually struct v4l2_ext_control32 * */
7247 + };
7248 +
7249 + struct v4l2_ext_control32 {
7250 +@@ -623,57 +731,95 @@ struct v4l2_ext_control32 {
7251 + };
7252 + } __attribute__ ((packed));
7253 +
7254 +-/* The following function really belong in v4l2-common, but that causes
7255 +- a circular dependency between modules. We need to think about this, but
7256 +- for now this will do. */
7257 +-
7258 +-/* Return non-zero if this control is a pointer type. Currently only
7259 +- type STRING is a pointer type. */
7260 +-static inline int ctrl_is_pointer(u32 id)
7261 ++/* Return true if this control is a pointer type. */
7262 ++static inline bool ctrl_is_pointer(struct file *file, u32 id)
7263 + {
7264 +- switch (id) {
7265 +- case V4L2_CID_RDS_TX_PS_NAME:
7266 +- case V4L2_CID_RDS_TX_RADIO_TEXT:
7267 +- return 1;
7268 +- default:
7269 +- return 0;
7270 ++ struct video_device *vdev = video_devdata(file);
7271 ++ struct v4l2_fh *fh = NULL;
7272 ++ struct v4l2_ctrl_handler *hdl = NULL;
7273 ++ struct v4l2_query_ext_ctrl qec = { id };
7274 ++ const struct v4l2_ioctl_ops *ops = vdev->ioctl_ops;
7275 ++
7276 ++ if (test_bit(V4L2_FL_USES_V4L2_FH, &vdev->flags))
7277 ++ fh = file->private_data;
7278 ++
7279 ++ if (fh && fh->ctrl_handler)
7280 ++ hdl = fh->ctrl_handler;
7281 ++ else if (vdev->ctrl_handler)
7282 ++ hdl = vdev->ctrl_handler;
7283 ++
7284 ++ if (hdl) {
7285 ++ struct v4l2_ctrl *ctrl = v4l2_ctrl_find(hdl, id);
7286 ++
7287 ++ return ctrl && ctrl->is_ptr;
7288 + }
7289 ++
7290 ++ if (!ops || !ops->vidioc_query_ext_ctrl)
7291 ++ return false;
7292 ++
7293 ++ return !ops->vidioc_query_ext_ctrl(file, fh, &qec) &&
7294 ++ (qec.flags & V4L2_CTRL_FLAG_HAS_PAYLOAD);
7295 ++}
7296 ++
7297 ++static int bufsize_v4l2_ext_controls(struct v4l2_ext_controls32 __user *up,
7298 ++ u32 *size)
7299 ++{
7300 ++ u32 count;
7301 ++
7302 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
7303 ++ get_user(count, &up->count))
7304 ++ return -EFAULT;
7305 ++ if (count > V4L2_CID_MAX_CTRLS)
7306 ++ return -EINVAL;
7307 ++ *size = count * sizeof(struct v4l2_ext_control);
7308 ++ return 0;
7309 + }
7310 +
7311 +-static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up)
7312 ++static int get_v4l2_ext_controls32(struct file *file,
7313 ++ struct v4l2_ext_controls __user *kp,
7314 ++ struct v4l2_ext_controls32 __user *up,
7315 ++ void __user *aux_buf, u32 aux_space)
7316 + {
7317 + struct v4l2_ext_control32 __user *ucontrols;
7318 + struct v4l2_ext_control __user *kcontrols;
7319 +- int n;
7320 ++ u32 count;
7321 ++ u32 n;
7322 + compat_caddr_t p;
7323 +
7324 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_ext_controls32)) ||
7325 +- get_user(kp->ctrl_class, &up->ctrl_class) ||
7326 +- get_user(kp->count, &up->count) ||
7327 +- get_user(kp->error_idx, &up->error_idx) ||
7328 +- copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
7329 +- return -EFAULT;
7330 +- n = kp->count;
7331 +- if (n == 0) {
7332 +- kp->controls = NULL;
7333 +- return 0;
7334 +- }
7335 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
7336 ++ assign_in_user(&kp->ctrl_class, &up->ctrl_class) ||
7337 ++ get_user(count, &up->count) ||
7338 ++ put_user(count, &kp->count) ||
7339 ++ assign_in_user(&kp->error_idx, &up->error_idx) ||
7340 ++ copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
7341 ++ return -EFAULT;
7342 ++
7343 ++ if (count == 0)
7344 ++ return put_user(NULL, &kp->controls);
7345 ++ if (count > V4L2_CID_MAX_CTRLS)
7346 ++ return -EINVAL;
7347 + if (get_user(p, &up->controls))
7348 + return -EFAULT;
7349 + ucontrols = compat_ptr(p);
7350 +- if (!access_ok(VERIFY_READ, ucontrols,
7351 +- n * sizeof(struct v4l2_ext_control32)))
7352 ++ if (!access_ok(VERIFY_READ, ucontrols, count * sizeof(*ucontrols)))
7353 + return -EFAULT;
7354 +- kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control));
7355 +- kp->controls = (__force struct v4l2_ext_control *)kcontrols;
7356 +- while (--n >= 0) {
7357 ++ if (aux_space < count * sizeof(*kcontrols))
7358 ++ return -EFAULT;
7359 ++ kcontrols = aux_buf;
7360 ++ if (put_user((__force struct v4l2_ext_control *)kcontrols,
7361 ++ &kp->controls))
7362 ++ return -EFAULT;
7363 ++
7364 ++ for (n = 0; n < count; n++) {
7365 + u32 id;
7366 +
7367 + if (copy_in_user(kcontrols, ucontrols, sizeof(*ucontrols)))
7368 + return -EFAULT;
7369 ++
7370 + if (get_user(id, &kcontrols->id))
7371 + return -EFAULT;
7372 +- if (ctrl_is_pointer(id)) {
7373 ++
7374 ++ if (ctrl_is_pointer(file, id)) {
7375 + void __user *s;
7376 +
7377 + if (get_user(p, &ucontrols->string))
7378 +@@ -688,43 +834,55 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext
7379 + return 0;
7380 + }
7381 +
7382 +-static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext_controls32 __user *up)
7383 ++static int put_v4l2_ext_controls32(struct file *file,
7384 ++ struct v4l2_ext_controls __user *kp,
7385 ++ struct v4l2_ext_controls32 __user *up)
7386 + {
7387 + struct v4l2_ext_control32 __user *ucontrols;
7388 +- struct v4l2_ext_control __user *kcontrols =
7389 +- (__force struct v4l2_ext_control __user *)kp->controls;
7390 +- int n = kp->count;
7391 ++ struct v4l2_ext_control __user *kcontrols;
7392 ++ u32 count;
7393 ++ u32 n;
7394 + compat_caddr_t p;
7395 +
7396 +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_ext_controls32)) ||
7397 +- put_user(kp->ctrl_class, &up->ctrl_class) ||
7398 +- put_user(kp->count, &up->count) ||
7399 +- put_user(kp->error_idx, &up->error_idx) ||
7400 +- copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
7401 +- return -EFAULT;
7402 +- if (!kp->count)
7403 +- return 0;
7404 ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
7405 ++ assign_in_user(&up->ctrl_class, &kp->ctrl_class) ||
7406 ++ get_user(count, &kp->count) ||
7407 ++ put_user(count, &up->count) ||
7408 ++ assign_in_user(&up->error_idx, &kp->error_idx) ||
7409 ++ copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)) ||
7410 ++ get_user(kcontrols, &kp->controls))
7411 ++ return -EFAULT;
7412 +
7413 ++ if (!count)
7414 ++ return 0;
7415 + if (get_user(p, &up->controls))
7416 + return -EFAULT;
7417 + ucontrols = compat_ptr(p);
7418 +- if (!access_ok(VERIFY_WRITE, ucontrols,
7419 +- n * sizeof(struct v4l2_ext_control32)))
7420 ++ if (!access_ok(VERIFY_WRITE, ucontrols, count * sizeof(*ucontrols)))
7421 + return -EFAULT;
7422 +
7423 +- while (--n >= 0) {
7424 +- unsigned size = sizeof(*ucontrols);
7425 ++ for (n = 0; n < count; n++) {
7426 ++ unsigned int size = sizeof(*ucontrols);
7427 + u32 id;
7428 +
7429 +- if (get_user(id, &kcontrols->id))
7430 ++ if (get_user(id, &kcontrols->id) ||
7431 ++ put_user(id, &ucontrols->id) ||
7432 ++ assign_in_user(&ucontrols->size, &kcontrols->size) ||
7433 ++ copy_in_user(&ucontrols->reserved2, &kcontrols->reserved2,
7434 ++ sizeof(ucontrols->reserved2)))
7435 + return -EFAULT;
7436 +- /* Do not modify the pointer when copying a pointer control.
7437 +- The contents of the pointer was changed, not the pointer
7438 +- itself. */
7439 +- if (ctrl_is_pointer(id))
7440 ++
7441 ++ /*
7442 ++ * Do not modify the pointer when copying a pointer control.
7443 ++ * The contents of the pointer was changed, not the pointer
7444 ++ * itself.
7445 ++ */
7446 ++ if (ctrl_is_pointer(file, id))
7447 + size -= sizeof(ucontrols->value64);
7448 ++
7449 + if (copy_in_user(ucontrols, kcontrols, size))
7450 + return -EFAULT;
7451 ++
7452 + ucontrols++;
7453 + kcontrols++;
7454 + }
7455 +@@ -743,18 +901,19 @@ struct v4l2_event32 {
7456 + __u32 reserved[8];
7457 + };
7458 +
7459 +-static int put_v4l2_event32(struct v4l2_event *kp, struct v4l2_event32 __user *up)
7460 ++static int put_v4l2_event32(struct v4l2_event __user *kp,
7461 ++ struct v4l2_event32 __user *up)
7462 + {
7463 +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_event32)) ||
7464 +- put_user(kp->type, &up->type) ||
7465 +- copy_to_user(&up->u, &kp->u, sizeof(kp->u)) ||
7466 +- put_user(kp->pending, &up->pending) ||
7467 +- put_user(kp->sequence, &up->sequence) ||
7468 +- put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) ||
7469 +- put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) ||
7470 +- put_user(kp->id, &up->id) ||
7471 +- copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32)))
7472 +- return -EFAULT;
7473 ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
7474 ++ assign_in_user(&up->type, &kp->type) ||
7475 ++ copy_in_user(&up->u, &kp->u, sizeof(kp->u)) ||
7476 ++ assign_in_user(&up->pending, &kp->pending) ||
7477 ++ assign_in_user(&up->sequence, &kp->sequence) ||
7478 ++ assign_in_user(&up->timestamp.tv_sec, &kp->timestamp.tv_sec) ||
7479 ++ assign_in_user(&up->timestamp.tv_nsec, &kp->timestamp.tv_nsec) ||
7480 ++ assign_in_user(&up->id, &kp->id) ||
7481 ++ copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
7482 ++ return -EFAULT;
7483 + return 0;
7484 + }
7485 +
7486 +@@ -766,32 +925,35 @@ struct v4l2_edid32 {
7487 + compat_caddr_t edid;
7488 + };
7489 +
7490 +-static int get_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
7491 ++static int get_v4l2_edid32(struct v4l2_edid __user *kp,
7492 ++ struct v4l2_edid32 __user *up)
7493 + {
7494 +- u32 tmp;
7495 +-
7496 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_edid32)) ||
7497 +- get_user(kp->pad, &up->pad) ||
7498 +- get_user(kp->start_block, &up->start_block) ||
7499 +- get_user(kp->blocks, &up->blocks) ||
7500 +- get_user(tmp, &up->edid) ||
7501 +- copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
7502 +- return -EFAULT;
7503 +- kp->edid = (__force u8 *)compat_ptr(tmp);
7504 ++ compat_uptr_t tmp;
7505 ++
7506 ++ if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
7507 ++ assign_in_user(&kp->pad, &up->pad) ||
7508 ++ assign_in_user(&kp->start_block, &up->start_block) ||
7509 ++ assign_in_user(&kp->blocks, &up->blocks) ||
7510 ++ get_user(tmp, &up->edid) ||
7511 ++ put_user(compat_ptr(tmp), &kp->edid) ||
7512 ++ copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
7513 ++ return -EFAULT;
7514 + return 0;
7515 + }
7516 +
7517 +-static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
7518 ++static int put_v4l2_edid32(struct v4l2_edid __user *kp,
7519 ++ struct v4l2_edid32 __user *up)
7520 + {
7521 +- u32 tmp = (u32)((unsigned long)kp->edid);
7522 +-
7523 +- if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_edid32)) ||
7524 +- put_user(kp->pad, &up->pad) ||
7525 +- put_user(kp->start_block, &up->start_block) ||
7526 +- put_user(kp->blocks, &up->blocks) ||
7527 +- put_user(tmp, &up->edid) ||
7528 +- copy_to_user(up->reserved, kp->reserved, sizeof(up->reserved)))
7529 +- return -EFAULT;
7530 ++ void *edid;
7531 ++
7532 ++ if (!access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
7533 ++ assign_in_user(&up->pad, &kp->pad) ||
7534 ++ assign_in_user(&up->start_block, &kp->start_block) ||
7535 ++ assign_in_user(&up->blocks, &kp->blocks) ||
7536 ++ get_user(edid, &kp->edid) ||
7537 ++ put_user(ptr_to_compat(edid), &up->edid) ||
7538 ++ copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved)))
7539 ++ return -EFAULT;
7540 + return 0;
7541 + }
7542 +
7543 +@@ -807,7 +969,7 @@ static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
7544 + #define VIDIOC_ENUMINPUT32 _IOWR('V', 26, struct v4l2_input32)
7545 + #define VIDIOC_G_EDID32 _IOWR('V', 40, struct v4l2_edid32)
7546 + #define VIDIOC_S_EDID32 _IOWR('V', 41, struct v4l2_edid32)
7547 +-#define VIDIOC_TRY_FMT32 _IOWR('V', 64, struct v4l2_format32)
7548 ++#define VIDIOC_TRY_FMT32 _IOWR('V', 64, struct v4l2_format32)
7549 + #define VIDIOC_G_EXT_CTRLS32 _IOWR('V', 71, struct v4l2_ext_controls32)
7550 + #define VIDIOC_S_EXT_CTRLS32 _IOWR('V', 72, struct v4l2_ext_controls32)
7551 + #define VIDIOC_TRY_EXT_CTRLS32 _IOWR('V', 73, struct v4l2_ext_controls32)
7552 +@@ -823,22 +985,23 @@ static int put_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
7553 + #define VIDIOC_G_OUTPUT32 _IOR ('V', 46, s32)
7554 + #define VIDIOC_S_OUTPUT32 _IOWR('V', 47, s32)
7555 +
7556 ++static int alloc_userspace(unsigned int size, u32 aux_space,
7557 ++ void __user **up_native)
7558 ++{
7559 ++ *up_native = compat_alloc_user_space(size + aux_space);
7560 ++ if (!*up_native)
7561 ++ return -ENOMEM;
7562 ++ if (clear_user(*up_native, size))
7563 ++ return -EFAULT;
7564 ++ return 0;
7565 ++}
7566 ++
7567 + static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
7568 + {
7569 +- union {
7570 +- struct v4l2_format v2f;
7571 +- struct v4l2_buffer v2b;
7572 +- struct v4l2_framebuffer v2fb;
7573 +- struct v4l2_input v2i;
7574 +- struct v4l2_standard v2s;
7575 +- struct v4l2_ext_controls v2ecs;
7576 +- struct v4l2_event v2ev;
7577 +- struct v4l2_create_buffers v2crt;
7578 +- struct v4l2_edid v2edid;
7579 +- unsigned long vx;
7580 +- int vi;
7581 +- } karg;
7582 + void __user *up = compat_ptr(arg);
7583 ++ void __user *up_native = NULL;
7584 ++ void __user *aux_buf;
7585 ++ u32 aux_space;
7586 + int compatible_arg = 1;
7587 + long err = 0;
7588 +
7589 +@@ -877,30 +1040,52 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
7590 + case VIDIOC_STREAMOFF:
7591 + case VIDIOC_S_INPUT:
7592 + case VIDIOC_S_OUTPUT:
7593 +- err = get_user(karg.vi, (s32 __user *)up);
7594 ++ err = alloc_userspace(sizeof(unsigned int), 0, &up_native);
7595 ++ if (!err && assign_in_user((unsigned int __user *)up_native,
7596 ++ (compat_uint_t __user *)up))
7597 ++ err = -EFAULT;
7598 + compatible_arg = 0;
7599 + break;
7600 +
7601 + case VIDIOC_G_INPUT:
7602 + case VIDIOC_G_OUTPUT:
7603 ++ err = alloc_userspace(sizeof(unsigned int), 0, &up_native);
7604 + compatible_arg = 0;
7605 + break;
7606 +
7607 + case VIDIOC_G_EDID:
7608 + case VIDIOC_S_EDID:
7609 +- err = get_v4l2_edid32(&karg.v2edid, up);
7610 ++ err = alloc_userspace(sizeof(struct v4l2_edid), 0, &up_native);
7611 ++ if (!err)
7612 ++ err = get_v4l2_edid32(up_native, up);
7613 + compatible_arg = 0;
7614 + break;
7615 +
7616 + case VIDIOC_G_FMT:
7617 + case VIDIOC_S_FMT:
7618 + case VIDIOC_TRY_FMT:
7619 +- err = get_v4l2_format32(&karg.v2f, up);
7620 ++ err = bufsize_v4l2_format(up, &aux_space);
7621 ++ if (!err)
7622 ++ err = alloc_userspace(sizeof(struct v4l2_format),
7623 ++ aux_space, &up_native);
7624 ++ if (!err) {
7625 ++ aux_buf = up_native + sizeof(struct v4l2_format);
7626 ++ err = get_v4l2_format32(up_native, up,
7627 ++ aux_buf, aux_space);
7628 ++ }
7629 + compatible_arg = 0;
7630 + break;
7631 +
7632 + case VIDIOC_CREATE_BUFS:
7633 +- err = get_v4l2_create32(&karg.v2crt, up);
7634 ++ err = bufsize_v4l2_create(up, &aux_space);
7635 ++ if (!err)
7636 ++ err = alloc_userspace(sizeof(struct v4l2_create_buffers),
7637 ++ aux_space, &up_native);
7638 ++ if (!err) {
7639 ++ aux_buf = up_native + sizeof(struct v4l2_create_buffers);
7640 ++ err = get_v4l2_create32(up_native, up,
7641 ++ aux_buf, aux_space);
7642 ++ }
7643 + compatible_arg = 0;
7644 + break;
7645 +
7646 +@@ -908,36 +1093,63 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
7647 + case VIDIOC_QUERYBUF:
7648 + case VIDIOC_QBUF:
7649 + case VIDIOC_DQBUF:
7650 +- err = get_v4l2_buffer32(&karg.v2b, up);
7651 ++ err = bufsize_v4l2_buffer(up, &aux_space);
7652 ++ if (!err)
7653 ++ err = alloc_userspace(sizeof(struct v4l2_buffer),
7654 ++ aux_space, &up_native);
7655 ++ if (!err) {
7656 ++ aux_buf = up_native + sizeof(struct v4l2_buffer);
7657 ++ err = get_v4l2_buffer32(up_native, up,
7658 ++ aux_buf, aux_space);
7659 ++ }
7660 + compatible_arg = 0;
7661 + break;
7662 +
7663 + case VIDIOC_S_FBUF:
7664 +- err = get_v4l2_framebuffer32(&karg.v2fb, up);
7665 ++ err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
7666 ++ &up_native);
7667 ++ if (!err)
7668 ++ err = get_v4l2_framebuffer32(up_native, up);
7669 + compatible_arg = 0;
7670 + break;
7671 +
7672 + case VIDIOC_G_FBUF:
7673 ++ err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
7674 ++ &up_native);
7675 + compatible_arg = 0;
7676 + break;
7677 +
7678 + case VIDIOC_ENUMSTD:
7679 +- err = get_v4l2_standard32(&karg.v2s, up);
7680 ++ err = alloc_userspace(sizeof(struct v4l2_standard), 0,
7681 ++ &up_native);
7682 ++ if (!err)
7683 ++ err = get_v4l2_standard32(up_native, up);
7684 + compatible_arg = 0;
7685 + break;
7686 +
7687 + case VIDIOC_ENUMINPUT:
7688 +- err = get_v4l2_input32(&karg.v2i, up);
7689 ++ err = alloc_userspace(sizeof(struct v4l2_input), 0, &up_native);
7690 ++ if (!err)
7691 ++ err = get_v4l2_input32(up_native, up);
7692 + compatible_arg = 0;
7693 + break;
7694 +
7695 + case VIDIOC_G_EXT_CTRLS:
7696 + case VIDIOC_S_EXT_CTRLS:
7697 + case VIDIOC_TRY_EXT_CTRLS:
7698 +- err = get_v4l2_ext_controls32(&karg.v2ecs, up);
7699 ++ err = bufsize_v4l2_ext_controls(up, &aux_space);
7700 ++ if (!err)
7701 ++ err = alloc_userspace(sizeof(struct v4l2_ext_controls),
7702 ++ aux_space, &up_native);
7703 ++ if (!err) {
7704 ++ aux_buf = up_native + sizeof(struct v4l2_ext_controls);
7705 ++ err = get_v4l2_ext_controls32(file, up_native, up,
7706 ++ aux_buf, aux_space);
7707 ++ }
7708 + compatible_arg = 0;
7709 + break;
7710 + case VIDIOC_DQEVENT:
7711 ++ err = alloc_userspace(sizeof(struct v4l2_event), 0, &up_native);
7712 + compatible_arg = 0;
7713 + break;
7714 + }
7715 +@@ -946,22 +1158,26 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
7716 +
7717 + if (compatible_arg)
7718 + err = native_ioctl(file, cmd, (unsigned long)up);
7719 +- else {
7720 +- mm_segment_t old_fs = get_fs();
7721 ++ else
7722 ++ err = native_ioctl(file, cmd, (unsigned long)up_native);
7723 +
7724 +- set_fs(KERNEL_DS);
7725 +- err = native_ioctl(file, cmd, (unsigned long)&karg);
7726 +- set_fs(old_fs);
7727 +- }
7728 ++ if (err == -ENOTTY)
7729 ++ return err;
7730 +
7731 +- /* Special case: even after an error we need to put the
7732 +- results back for these ioctls since the error_idx will
7733 +- contain information on which control failed. */
7734 ++ /*
7735 ++ * Special case: even after an error we need to put the
7736 ++ * results back for these ioctls since the error_idx will
7737 ++ * contain information on which control failed.
7738 ++ */
7739 + switch (cmd) {
7740 + case VIDIOC_G_EXT_CTRLS:
7741 + case VIDIOC_S_EXT_CTRLS:
7742 + case VIDIOC_TRY_EXT_CTRLS:
7743 +- if (put_v4l2_ext_controls32(&karg.v2ecs, up))
7744 ++ if (put_v4l2_ext_controls32(file, up_native, up))
7745 ++ err = -EFAULT;
7746 ++ break;
7747 ++ case VIDIOC_S_EDID:
7748 ++ if (put_v4l2_edid32(up_native, up))
7749 + err = -EFAULT;
7750 + break;
7751 + }
7752 +@@ -973,44 +1189,46 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
7753 + case VIDIOC_S_OUTPUT:
7754 + case VIDIOC_G_INPUT:
7755 + case VIDIOC_G_OUTPUT:
7756 +- err = put_user(((s32)karg.vi), (s32 __user *)up);
7757 ++ if (assign_in_user((compat_uint_t __user *)up,
7758 ++ ((unsigned int __user *)up_native)))
7759 ++ err = -EFAULT;
7760 + break;
7761 +
7762 + case VIDIOC_G_FBUF:
7763 +- err = put_v4l2_framebuffer32(&karg.v2fb, up);
7764 ++ err = put_v4l2_framebuffer32(up_native, up);
7765 + break;
7766 +
7767 + case VIDIOC_DQEVENT:
7768 +- err = put_v4l2_event32(&karg.v2ev, up);
7769 ++ err = put_v4l2_event32(up_native, up);
7770 + break;
7771 +
7772 + case VIDIOC_G_EDID:
7773 +- case VIDIOC_S_EDID:
7774 +- err = put_v4l2_edid32(&karg.v2edid, up);
7775 ++ err = put_v4l2_edid32(up_native, up);
7776 + break;
7777 +
7778 + case VIDIOC_G_FMT:
7779 + case VIDIOC_S_FMT:
7780 + case VIDIOC_TRY_FMT:
7781 +- err = put_v4l2_format32(&karg.v2f, up);
7782 ++ err = put_v4l2_format32(up_native, up);
7783 + break;
7784 +
7785 + case VIDIOC_CREATE_BUFS:
7786 +- err = put_v4l2_create32(&karg.v2crt, up);
7787 ++ err = put_v4l2_create32(up_native, up);
7788 + break;
7789 +
7790 ++ case VIDIOC_PREPARE_BUF:
7791 + case VIDIOC_QUERYBUF:
7792 + case VIDIOC_QBUF:
7793 + case VIDIOC_DQBUF:
7794 +- err = put_v4l2_buffer32(&karg.v2b, up);
7795 ++ err = put_v4l2_buffer32(up_native, up);
7796 + break;
7797 +
7798 + case VIDIOC_ENUMSTD:
7799 +- err = put_v4l2_standard32(&karg.v2s, up);
7800 ++ err = put_v4l2_standard32(up_native, up);
7801 + break;
7802 +
7803 + case VIDIOC_ENUMINPUT:
7804 +- err = put_v4l2_input32(&karg.v2i, up);
7805 ++ err = put_v4l2_input32(up_native, up);
7806 + break;
7807 + }
7808 + return err;
7809 +diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
7810 +index aa407cb5f830..7004477e7ffc 100644
7811 +--- a/drivers/media/v4l2-core/v4l2-ioctl.c
7812 ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
7813 +@@ -2552,8 +2552,11 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
7814 +
7815 + /* Handles IOCTL */
7816 + err = func(file, cmd, parg);
7817 +- if (err == -ENOIOCTLCMD)
7818 ++ if (err == -ENOTTY || err == -ENOIOCTLCMD) {
7819 + err = -ENOTTY;
7820 ++ goto out;
7821 ++ }
7822 ++
7823 + if (err == 0) {
7824 + if (cmd == VIDIOC_DQBUF)
7825 + trace_v4l2_dqbuf(video_devdata(file)->minor, parg);
7826 +diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
7827 +index fd9b252e2b34..079ee4ae9436 100644
7828 +--- a/drivers/media/v4l2-core/videobuf2-core.c
7829 ++++ b/drivers/media/v4l2-core/videobuf2-core.c
7830 +@@ -2119,6 +2119,11 @@ static int vb2_internal_dqbuf(struct vb2_queue *q, struct v4l2_buffer *b, bool n
7831 + dprintk(1, "dqbuf of buffer %d, with state %d\n",
7832 + vb->v4l2_buf.index, vb->state);
7833 +
7834 ++ /*
7835 ++ * After calling the VIDIOC_DQBUF V4L2_BUF_FLAG_DONE must be
7836 ++ * cleared.
7837 ++ */
7838 ++ b->flags &= ~V4L2_BUF_FLAG_DONE;
7839 + return 0;
7840 + }
7841 +
7842 +diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
7843 +index 187f83629f7e..b1c5f02c3cab 100644
7844 +--- a/drivers/message/fusion/mptbase.c
7845 ++++ b/drivers/message/fusion/mptbase.c
7846 +@@ -6872,6 +6872,7 @@ mpt_print_ioc_summary(MPT_ADAPTER *ioc, char *buffer, int *size, int len, int sh
7847 + *size = y;
7848 + }
7849 +
7850 ++#ifdef CONFIG_PROC_FS
7851 + static void seq_mpt_print_ioc_summary(MPT_ADAPTER *ioc, struct seq_file *m, int showlan)
7852 + {
7853 + char expVer[32];
7854 +@@ -6903,6 +6904,7 @@ static void seq_mpt_print_ioc_summary(MPT_ADAPTER *ioc, struct seq_file *m, int
7855 +
7856 + seq_putc(m, '\n');
7857 + }
7858 ++#endif
7859 +
7860 + /**
7861 + * mpt_set_taskmgmt_in_progress_flag - set flags associated with task management
7862 +diff --git a/drivers/mfd/twl4030-audio.c b/drivers/mfd/twl4030-audio.c
7863 +index 0a1606480023..cc832d309599 100644
7864 +--- a/drivers/mfd/twl4030-audio.c
7865 ++++ b/drivers/mfd/twl4030-audio.c
7866 +@@ -159,13 +159,18 @@ unsigned int twl4030_audio_get_mclk(void)
7867 + EXPORT_SYMBOL_GPL(twl4030_audio_get_mclk);
7868 +
7869 + static bool twl4030_audio_has_codec(struct twl4030_audio_data *pdata,
7870 +- struct device_node *node)
7871 ++ struct device_node *parent)
7872 + {
7873 ++ struct device_node *node;
7874 ++
7875 + if (pdata && pdata->codec)
7876 + return true;
7877 +
7878 +- if (of_find_node_by_name(node, "codec"))
7879 ++ node = of_get_child_by_name(parent, "codec");
7880 ++ if (node) {
7881 ++ of_node_put(node);
7882 + return true;
7883 ++ }
7884 +
7885 + return false;
7886 + }
7887 +diff --git a/drivers/mfd/twl6040.c b/drivers/mfd/twl6040.c
7888 +index 6aacd205a774..aec1ab253f7f 100644
7889 +--- a/drivers/mfd/twl6040.c
7890 ++++ b/drivers/mfd/twl6040.c
7891 +@@ -97,12 +97,16 @@ static struct reg_default twl6040_patch[] = {
7892 + };
7893 +
7894 +
7895 +-static bool twl6040_has_vibra(struct device_node *node)
7896 ++static bool twl6040_has_vibra(struct device_node *parent)
7897 + {
7898 +-#ifdef CONFIG_OF
7899 +- if (of_find_node_by_name(node, "vibra"))
7900 ++ struct device_node *node;
7901 ++
7902 ++ node = of_get_child_by_name(parent, "vibra");
7903 ++ if (node) {
7904 ++ of_node_put(node);
7905 + return true;
7906 +-#endif
7907 ++ }
7908 ++
7909 + return false;
7910 + }
7911 +
7912 +diff --git a/drivers/mtd/chips/Kconfig b/drivers/mtd/chips/Kconfig
7913 +index 6bc1f94333a5..e956231de30f 100644
7914 +--- a/drivers/mtd/chips/Kconfig
7915 ++++ b/drivers/mtd/chips/Kconfig
7916 +@@ -66,6 +66,10 @@ endchoice
7917 + config MTD_CFI_GEOMETRY
7918 + bool "Specific CFI Flash geometry selection"
7919 + depends on MTD_CFI_ADV_OPTIONS
7920 ++ select MTD_MAP_BANK_WIDTH_1 if !(MTD_MAP_BANK_WIDTH_2 || \
7921 ++ MTD_MAP_BANK_WIDTH_4 || MTD_MAP_BANK_WIDTH_8 || \
7922 ++ MTD_MAP_BANK_WIDTH_16 || MTD_MAP_BANK_WIDTH_32)
7923 ++ select MTD_CFI_I1 if !(MTD_CFI_I2 || MTD_CFI_I4 || MTD_CFI_I8)
7924 + help
7925 + This option does not affect the code directly, but will enable
7926 + some other configuration options which would allow you to reduce
7927 +diff --git a/drivers/mtd/maps/ck804xrom.c b/drivers/mtd/maps/ck804xrom.c
7928 +index 0455166f05fa..4f206a99164c 100644
7929 +--- a/drivers/mtd/maps/ck804xrom.c
7930 ++++ b/drivers/mtd/maps/ck804xrom.c
7931 +@@ -112,8 +112,8 @@ static void ck804xrom_cleanup(struct ck804xrom_window *window)
7932 + }
7933 +
7934 +
7935 +-static int ck804xrom_init_one(struct pci_dev *pdev,
7936 +- const struct pci_device_id *ent)
7937 ++static int __init ck804xrom_init_one(struct pci_dev *pdev,
7938 ++ const struct pci_device_id *ent)
7939 + {
7940 + static char *rom_probe_types[] = { "cfi_probe", "jedec_probe", NULL };
7941 + u8 byte;
7942 +diff --git a/drivers/mtd/maps/esb2rom.c b/drivers/mtd/maps/esb2rom.c
7943 +index f784cf0caa13..a47b374b1b0c 100644
7944 +--- a/drivers/mtd/maps/esb2rom.c
7945 ++++ b/drivers/mtd/maps/esb2rom.c
7946 +@@ -144,8 +144,8 @@ static void esb2rom_cleanup(struct esb2rom_window *window)
7947 + pci_dev_put(window->pdev);
7948 + }
7949 +
7950 +-static int esb2rom_init_one(struct pci_dev *pdev,
7951 +- const struct pci_device_id *ent)
7952 ++static int __init esb2rom_init_one(struct pci_dev *pdev,
7953 ++ const struct pci_device_id *ent)
7954 + {
7955 + static char *rom_probe_types[] = { "cfi_probe", "jedec_probe", NULL };
7956 + struct esb2rom_window *window = &esb2rom_window;
7957 +diff --git a/drivers/mtd/maps/ichxrom.c b/drivers/mtd/maps/ichxrom.c
7958 +index c7478e18f485..aa83e7b87cfe 100644
7959 +--- a/drivers/mtd/maps/ichxrom.c
7960 ++++ b/drivers/mtd/maps/ichxrom.c
7961 +@@ -57,10 +57,12 @@ static void ichxrom_cleanup(struct ichxrom_window *window)
7962 + {
7963 + struct ichxrom_map_info *map, *scratch;
7964 + u16 word;
7965 ++ int ret;
7966 +
7967 + /* Disable writes through the rom window */
7968 +- pci_read_config_word(window->pdev, BIOS_CNTL, &word);
7969 +- pci_write_config_word(window->pdev, BIOS_CNTL, word & ~1);
7970 ++ ret = pci_read_config_word(window->pdev, BIOS_CNTL, &word);
7971 ++ if (!ret)
7972 ++ pci_write_config_word(window->pdev, BIOS_CNTL, word & ~1);
7973 + pci_dev_put(window->pdev);
7974 +
7975 + /* Free all of the mtd devices */
7976 +@@ -84,8 +86,8 @@ static void ichxrom_cleanup(struct ichxrom_window *window)
7977 + }
7978 +
7979 +
7980 +-static int ichxrom_init_one(struct pci_dev *pdev,
7981 +- const struct pci_device_id *ent)
7982 ++static int __init ichxrom_init_one(struct pci_dev *pdev,
7983 ++ const struct pci_device_id *ent)
7984 + {
7985 + static char *rom_probe_types[] = { "cfi_probe", "jedec_probe", NULL };
7986 + struct ichxrom_window *window = &ichxrom_window;
7987 +diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
7988 +index f84113fc7cb7..14a5f559e300 100644
7989 +--- a/drivers/mtd/nand/nand_base.c
7990 ++++ b/drivers/mtd/nand/nand_base.c
7991 +@@ -1889,6 +1889,7 @@ static int nand_write_oob_syndrome(struct mtd_info *mtd,
7992 + static int nand_do_read_oob(struct mtd_info *mtd, loff_t from,
7993 + struct mtd_oob_ops *ops)
7994 + {
7995 ++ unsigned int max_bitflips = 0;
7996 + int page, realpage, chipnr;
7997 + struct nand_chip *chip = mtd->priv;
7998 + struct mtd_ecc_stats stats;
7999 +@@ -1949,6 +1950,8 @@ static int nand_do_read_oob(struct mtd_info *mtd, loff_t from,
8000 + nand_wait_ready(mtd);
8001 + }
8002 +
8003 ++ max_bitflips = max_t(unsigned int, max_bitflips, ret);
8004 ++
8005 + readlen -= len;
8006 + if (!readlen)
8007 + break;
8008 +@@ -1974,7 +1977,7 @@ static int nand_do_read_oob(struct mtd_info *mtd, loff_t from,
8009 + if (mtd->ecc_stats.failed - stats.failed)
8010 + return -EBADMSG;
8011 +
8012 +- return mtd->ecc_stats.corrected - stats.corrected ? -EUCLEAN : 0;
8013 ++ return max_bitflips;
8014 + }
8015 +
8016 + /**
8017 +diff --git a/drivers/mtd/nand/sh_flctl.c b/drivers/mtd/nand/sh_flctl.c
8018 +index c3ce81c1a716..54cf6fce9877 100644
8019 +--- a/drivers/mtd/nand/sh_flctl.c
8020 ++++ b/drivers/mtd/nand/sh_flctl.c
8021 +@@ -160,7 +160,7 @@ static void flctl_setup_dma(struct sh_flctl *flctl)
8022 +
8023 + memset(&cfg, 0, sizeof(cfg));
8024 + cfg.direction = DMA_MEM_TO_DEV;
8025 +- cfg.dst_addr = (dma_addr_t)FLDTFIFO(flctl);
8026 ++ cfg.dst_addr = flctl->fifo;
8027 + cfg.src_addr = 0;
8028 + ret = dmaengine_slave_config(flctl->chan_fifo0_tx, &cfg);
8029 + if (ret < 0)
8030 +@@ -176,7 +176,7 @@ static void flctl_setup_dma(struct sh_flctl *flctl)
8031 +
8032 + cfg.direction = DMA_DEV_TO_MEM;
8033 + cfg.dst_addr = 0;
8034 +- cfg.src_addr = (dma_addr_t)FLDTFIFO(flctl);
8035 ++ cfg.src_addr = flctl->fifo;
8036 + ret = dmaengine_slave_config(flctl->chan_fifo0_rx, &cfg);
8037 + if (ret < 0)
8038 + goto err;
8039 +@@ -1095,6 +1095,7 @@ static int flctl_probe(struct platform_device *pdev)
8040 + flctl->reg = devm_ioremap_resource(&pdev->dev, res);
8041 + if (IS_ERR(flctl->reg))
8042 + return PTR_ERR(flctl->reg);
8043 ++ flctl->fifo = res->start + 0x24; /* FLDTFIFO */
8044 +
8045 + irq = platform_get_irq(pdev, 0);
8046 + if (irq < 0) {
8047 +diff --git a/drivers/mtd/nand/sunxi_nand.c b/drivers/mtd/nand/sunxi_nand.c
8048 +index 499b8e433d3d..1c8fdc3cec93 100644
8049 +--- a/drivers/mtd/nand/sunxi_nand.c
8050 ++++ b/drivers/mtd/nand/sunxi_nand.c
8051 +@@ -933,8 +933,14 @@ static int sunxi_nand_hw_common_ecc_ctrl_init(struct mtd_info *mtd,
8052 +
8053 + /* Add ECC info retrieval from DT */
8054 + for (i = 0; i < ARRAY_SIZE(strengths); i++) {
8055 +- if (ecc->strength <= strengths[i])
8056 ++ if (ecc->strength <= strengths[i]) {
8057 ++ /*
8058 ++ * Update ecc->strength value with the actual strength
8059 ++ * that will be used by the ECC engine.
8060 ++ */
8061 ++ ecc->strength = strengths[i];
8062 + break;
8063 ++ }
8064 + }
8065 +
8066 + if (i >= ARRAY_SIZE(strengths)) {
8067 +diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
8068 +index df51d6025a90..0eeb248a287e 100644
8069 +--- a/drivers/net/Kconfig
8070 ++++ b/drivers/net/Kconfig
8071 +@@ -374,6 +374,9 @@ config XEN_NETDEV_BACKEND
8072 + config VMXNET3
8073 + tristate "VMware VMXNET3 ethernet driver"
8074 + depends on PCI && INET
8075 ++ depends on !(PAGE_SIZE_64KB || ARM64_64K_PAGES || \
8076 ++ IA64_PAGE_SIZE_64KB || MICROBLAZE_64K_PAGES || \
8077 ++ PARISC_PAGE_SIZE_64KB || PPC_64K_PAGES)
8078 + help
8079 + This driver supports VMware's vmxnet3 virtual ethernet NIC.
8080 + To compile this driver as a module, choose M here: the
8081 +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
8082 +index 3b850f390fd7..7e6f36a59f06 100644
8083 +--- a/drivers/net/can/usb/gs_usb.c
8084 ++++ b/drivers/net/can/usb/gs_usb.c
8085 +@@ -430,7 +430,7 @@ static int gs_usb_set_bittiming(struct net_device *netdev)
8086 + dev_err(netdev->dev.parent, "Couldn't set bittimings (err=%d)",
8087 + rc);
8088 +
8089 +- return rc;
8090 ++ return (rc > 0) ? 0 : rc;
8091 + }
8092 +
8093 + static void gs_usb_xmit_callback(struct urb *urb)
8094 +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
8095 +index ce44a033f63b..64cc86a82b2d 100644
8096 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
8097 ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
8098 +@@ -184,7 +184,7 @@ static int pcan_usb_fd_send_cmd(struct peak_usb_device *dev, void *cmd_tail)
8099 + void *cmd_head = pcan_usb_fd_cmd_buffer(dev);
8100 + int err = 0;
8101 + u8 *packet_ptr;
8102 +- int i, n = 1, packet_len;
8103 ++ int packet_len;
8104 + ptrdiff_t cmd_len;
8105 +
8106 + /* usb device unregistered? */
8107 +@@ -201,17 +201,13 @@ static int pcan_usb_fd_send_cmd(struct peak_usb_device *dev, void *cmd_tail)
8108 + }
8109 +
8110 + packet_ptr = cmd_head;
8111 ++ packet_len = cmd_len;
8112 +
8113 + /* firmware is not able to re-assemble 512 bytes buffer in full-speed */
8114 +- if ((dev->udev->speed != USB_SPEED_HIGH) &&
8115 +- (cmd_len > PCAN_UFD_LOSPD_PKT_SIZE)) {
8116 +- packet_len = PCAN_UFD_LOSPD_PKT_SIZE;
8117 +- n += cmd_len / packet_len;
8118 +- } else {
8119 +- packet_len = cmd_len;
8120 +- }
8121 ++ if (unlikely(dev->udev->speed != USB_SPEED_HIGH))
8122 ++ packet_len = min(packet_len, PCAN_UFD_LOSPD_PKT_SIZE);
8123 +
8124 +- for (i = 0; i < n; i++) {
8125 ++ do {
8126 + err = usb_bulk_msg(dev->udev,
8127 + usb_sndbulkpipe(dev->udev,
8128 + PCAN_USBPRO_EP_CMDOUT),
8129 +@@ -224,7 +220,12 @@ static int pcan_usb_fd_send_cmd(struct peak_usb_device *dev, void *cmd_tail)
8130 + }
8131 +
8132 + packet_ptr += packet_len;
8133 +- }
8134 ++ cmd_len -= packet_len;
8135 ++
8136 ++ if (cmd_len < PCAN_UFD_LOSPD_PKT_SIZE)
8137 ++ packet_len = cmd_len;
8138 ++
8139 ++ } while (packet_len > 0);
8140 +
8141 + return err;
8142 + }
8143 +diff --git a/drivers/net/ethernet/3com/3c509.c b/drivers/net/ethernet/3com/3c509.c
8144 +index 4547a1b8b958..7677c745fb30 100644
8145 +--- a/drivers/net/ethernet/3com/3c509.c
8146 ++++ b/drivers/net/ethernet/3com/3c509.c
8147 +@@ -562,7 +562,7 @@ static void el3_common_remove (struct net_device *dev)
8148 + }
8149 +
8150 + #ifdef CONFIG_EISA
8151 +-static int __init el3_eisa_probe (struct device *device)
8152 ++static int el3_eisa_probe(struct device *device)
8153 + {
8154 + short i;
8155 + int ioaddr, irq, if_port;
8156 +diff --git a/drivers/net/ethernet/3com/3c59x.c b/drivers/net/ethernet/3com/3c59x.c
8157 +index 41095ebad97f..8a876e97597c 100644
8158 +--- a/drivers/net/ethernet/3com/3c59x.c
8159 ++++ b/drivers/net/ethernet/3com/3c59x.c
8160 +@@ -907,7 +907,7 @@ static struct eisa_device_id vortex_eisa_ids[] = {
8161 + };
8162 + MODULE_DEVICE_TABLE(eisa, vortex_eisa_ids);
8163 +
8164 +-static int __init vortex_eisa_probe(struct device *device)
8165 ++static int vortex_eisa_probe(struct device *device)
8166 + {
8167 + void __iomem *ioaddr;
8168 + struct eisa_device *edev;
8169 +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
8170 +index 714905384900..5feddde71f18 100644
8171 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c
8172 ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
8173 +@@ -553,7 +553,7 @@ static int xgbe_remove(struct platform_device *pdev)
8174 + return 0;
8175 + }
8176 +
8177 +-#ifdef CONFIG_PM
8178 ++#ifdef CONFIG_PM_SLEEP
8179 + static int xgbe_suspend(struct device *dev)
8180 + {
8181 + struct net_device *netdev = dev_get_drvdata(dev);
8182 +@@ -591,7 +591,7 @@ static int xgbe_resume(struct device *dev)
8183 +
8184 + return ret;
8185 + }
8186 +-#endif /* CONFIG_PM */
8187 ++#endif /* CONFIG_PM_SLEEP */
8188 +
8189 + #ifdef CONFIG_ACPI
8190 + static const struct acpi_device_id xgbe_acpi_match[] = {
8191 +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
8192 +index f9713fe036ef..7b150085e34d 100644
8193 +--- a/drivers/net/ethernet/broadcom/tg3.c
8194 ++++ b/drivers/net/ethernet/broadcom/tg3.c
8195 +@@ -14228,7 +14228,9 @@ static int tg3_change_mtu(struct net_device *dev, int new_mtu)
8196 + /* Reset PHY, otherwise the read DMA engine will be in a mode that
8197 + * breaks all requests to 256 bytes.
8198 + */
8199 +- if (tg3_asic_rev(tp) == ASIC_REV_57766)
8200 ++ if (tg3_asic_rev(tp) == ASIC_REV_57766 ||
8201 ++ tg3_asic_rev(tp) == ASIC_REV_5717 ||
8202 ++ tg3_asic_rev(tp) == ASIC_REV_5719)
8203 + reset_phy = true;
8204 +
8205 + err = tg3_restart_hw(tp, reset_phy);
8206 +diff --git a/drivers/net/ethernet/brocade/bna/bfa_ioc.c b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
8207 +index 68f3c13c9ef6..5be892ffdaed 100644
8208 +--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c
8209 ++++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
8210 +@@ -1948,13 +1948,13 @@ static void
8211 + bfa_ioc_send_enable(struct bfa_ioc *ioc)
8212 + {
8213 + struct bfi_ioc_ctrl_req enable_req;
8214 +- struct timeval tv;
8215 +
8216 + bfi_h2i_set(enable_req.mh, BFI_MC_IOC, BFI_IOC_H2I_ENABLE_REQ,
8217 + bfa_ioc_portid(ioc));
8218 + enable_req.clscode = htons(ioc->clscode);
8219 +- do_gettimeofday(&tv);
8220 +- enable_req.tv_sec = ntohl(tv.tv_sec);
8221 ++ enable_req.rsvd = htons(0);
8222 ++ /* overflow in 2106 */
8223 ++ enable_req.tv_sec = ntohl(ktime_get_real_seconds());
8224 + bfa_ioc_mbox_send(ioc, &enable_req, sizeof(struct bfi_ioc_ctrl_req));
8225 + }
8226 +
8227 +@@ -1965,6 +1965,10 @@ bfa_ioc_send_disable(struct bfa_ioc *ioc)
8228 +
8229 + bfi_h2i_set(disable_req.mh, BFI_MC_IOC, BFI_IOC_H2I_DISABLE_REQ,
8230 + bfa_ioc_portid(ioc));
8231 ++ disable_req.clscode = htons(ioc->clscode);
8232 ++ disable_req.rsvd = htons(0);
8233 ++ /* overflow in 2106 */
8234 ++ disable_req.tv_sec = ntohl(ktime_get_real_seconds());
8235 + bfa_ioc_mbox_send(ioc, &disable_req, sizeof(struct bfi_ioc_ctrl_req));
8236 + }
8237 +
8238 +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
8239 +index badff181e719..37827819ae86 100644
8240 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c
8241 ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c
8242 +@@ -1990,7 +1990,7 @@ SetMulticastFilter(struct net_device *dev)
8243 +
8244 + static u_char de4x5_irq[] = EISA_ALLOWED_IRQ_LIST;
8245 +
8246 +-static int __init de4x5_eisa_probe (struct device *gendev)
8247 ++static int de4x5_eisa_probe(struct device *gendev)
8248 + {
8249 + struct eisa_device *edev;
8250 + u_long iobase;
8251 +diff --git a/drivers/net/ethernet/freescale/gianfar.c b/drivers/net/ethernet/freescale/gianfar.c
8252 +index 3ea651afa63d..6075ed694a6c 100644
8253 +--- a/drivers/net/ethernet/freescale/gianfar.c
8254 ++++ b/drivers/net/ethernet/freescale/gianfar.c
8255 +@@ -1413,9 +1413,11 @@ static int gfar_probe(struct platform_device *ofdev)
8256 +
8257 + gfar_init_addr_hash_table(priv);
8258 +
8259 +- /* Insert receive time stamps into padding alignment bytes */
8260 ++ /* Insert receive time stamps into padding alignment bytes, and
8261 ++ * plus 2 bytes padding to ensure the cpu alignment.
8262 ++ */
8263 + if (priv->device_flags & FSL_GIANFAR_DEV_HAS_TIMER)
8264 +- priv->padding = 8;
8265 ++ priv->padding = 8 + DEFAULT_PADDING;
8266 +
8267 + if (dev->features & NETIF_F_IP_CSUM ||
8268 + priv->device_flags & FSL_GIANFAR_DEV_HAS_TIMER)
8269 +diff --git a/drivers/net/ethernet/hp/hp100.c b/drivers/net/ethernet/hp/hp100.c
8270 +index ae6e30d39f0f..3daf2d4a7ca0 100644
8271 +--- a/drivers/net/ethernet/hp/hp100.c
8272 ++++ b/drivers/net/ethernet/hp/hp100.c
8273 +@@ -194,7 +194,6 @@ static const char *hp100_isa_tbl[] = {
8274 + };
8275 + #endif
8276 +
8277 +-#ifdef CONFIG_EISA
8278 + static struct eisa_device_id hp100_eisa_tbl[] = {
8279 + { "HWPF180" }, /* HP J2577 rev A */
8280 + { "HWP1920" }, /* HP 27248B */
8281 +@@ -205,9 +204,7 @@ static struct eisa_device_id hp100_eisa_tbl[] = {
8282 + { "" } /* Mandatory final entry ! */
8283 + };
8284 + MODULE_DEVICE_TABLE(eisa, hp100_eisa_tbl);
8285 +-#endif
8286 +
8287 +-#ifdef CONFIG_PCI
8288 + static const struct pci_device_id hp100_pci_tbl[] = {
8289 + {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_J2585A, PCI_ANY_ID, PCI_ANY_ID,},
8290 + {PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_J2585B, PCI_ANY_ID, PCI_ANY_ID,},
8291 +@@ -219,7 +216,6 @@ static const struct pci_device_id hp100_pci_tbl[] = {
8292 + {} /* Terminating entry */
8293 + };
8294 + MODULE_DEVICE_TABLE(pci, hp100_pci_tbl);
8295 +-#endif
8296 +
8297 + static int hp100_rx_ratio = HP100_DEFAULT_RX_RATIO;
8298 + static int hp100_priority_tx = HP100_DEFAULT_PRIORITY_TX;
8299 +@@ -2842,8 +2838,7 @@ static void cleanup_dev(struct net_device *d)
8300 + free_netdev(d);
8301 + }
8302 +
8303 +-#ifdef CONFIG_EISA
8304 +-static int __init hp100_eisa_probe (struct device *gendev)
8305 ++static int hp100_eisa_probe(struct device *gendev)
8306 + {
8307 + struct net_device *dev = alloc_etherdev(sizeof(struct hp100_private));
8308 + struct eisa_device *edev = to_eisa_device(gendev);
8309 +@@ -2884,9 +2879,7 @@ static struct eisa_driver hp100_eisa_driver = {
8310 + .remove = hp100_eisa_remove,
8311 + }
8312 + };
8313 +-#endif
8314 +
8315 +-#ifdef CONFIG_PCI
8316 + static int hp100_pci_probe(struct pci_dev *pdev,
8317 + const struct pci_device_id *ent)
8318 + {
8319 +@@ -2955,7 +2948,6 @@ static struct pci_driver hp100_pci_driver = {
8320 + .probe = hp100_pci_probe,
8321 + .remove = hp100_pci_remove,
8322 + };
8323 +-#endif
8324 +
8325 + /*
8326 + * module section
8327 +@@ -3032,23 +3024,17 @@ static int __init hp100_module_init(void)
8328 + err = hp100_isa_init();
8329 + if (err && err != -ENODEV)
8330 + goto out;
8331 +-#ifdef CONFIG_EISA
8332 + err = eisa_driver_register(&hp100_eisa_driver);
8333 + if (err && err != -ENODEV)
8334 + goto out2;
8335 +-#endif
8336 +-#ifdef CONFIG_PCI
8337 + err = pci_register_driver(&hp100_pci_driver);
8338 + if (err && err != -ENODEV)
8339 + goto out3;
8340 +-#endif
8341 + out:
8342 + return err;
8343 + out3:
8344 +-#ifdef CONFIG_EISA
8345 + eisa_driver_unregister (&hp100_eisa_driver);
8346 + out2:
8347 +-#endif
8348 + hp100_isa_cleanup();
8349 + goto out;
8350 + }
8351 +@@ -3057,12 +3043,8 @@ static int __init hp100_module_init(void)
8352 + static void __exit hp100_module_exit(void)
8353 + {
8354 + hp100_isa_cleanup();
8355 +-#ifdef CONFIG_EISA
8356 + eisa_driver_unregister (&hp100_eisa_driver);
8357 +-#endif
8358 +-#ifdef CONFIG_PCI
8359 + pci_unregister_driver (&hp100_pci_driver);
8360 +-#endif
8361 + }
8362 +
8363 + module_init(hp100_module_init)
8364 +diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
8365 +index e2498dbf3c3b..5e63a8931f2e 100644
8366 +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
8367 ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
8368 +@@ -1345,6 +1345,9 @@ out:
8369 + * Checks to see of the link status of the hardware has changed. If a
8370 + * change in link status has been detected, then we read the PHY registers
8371 + * to get the current speed/duplex if link exists.
8372 ++ *
8373 ++ * Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
8374 ++ * up).
8375 + **/
8376 + static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
8377 + {
8378 +@@ -1360,7 +1363,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
8379 + * Change or Rx Sequence Error interrupt.
8380 + */
8381 + if (!mac->get_link_status)
8382 +- return 0;
8383 ++ return 1;
8384 +
8385 + /* First we want to see if the MII Status Register reports
8386 + * link. If so, then we want to get the current speed/duplex
8387 +@@ -1519,10 +1522,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
8388 + * different link partner.
8389 + */
8390 + ret_val = e1000e_config_fc_after_link_up(hw);
8391 +- if (ret_val)
8392 ++ if (ret_val) {
8393 + e_dbg("Error configuring flow control\n");
8394 ++ return ret_val;
8395 ++ }
8396 +
8397 +- return ret_val;
8398 ++ return 1;
8399 + }
8400 +
8401 + static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
8402 +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
8403 +index 5b08e6284a3c..8d8fd5d49d60 100644
8404 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
8405 ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
8406 +@@ -126,6 +126,9 @@ process_mbx:
8407 + struct fm10k_mbx_info *mbx = &vf_info->mbx;
8408 + u16 glort = vf_info->glort;
8409 +
8410 ++ /* process the SM mailbox first to drain outgoing messages */
8411 ++ hw->mbx.ops.process(hw, &hw->mbx);
8412 ++
8413 + /* verify port mapping is valid, if not reset port */
8414 + if (vf_info->vf_flags && !fm10k_glort_valid_pf(hw, glort))
8415 + hw->iov.ops.reset_lport(hw, vf_info);
8416 +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
8417 +index 13e0cf90e567..042f3486f79a 100644
8418 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
8419 ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
8420 +@@ -3894,8 +3894,12 @@ static void i40e_napi_enable_all(struct i40e_vsi *vsi)
8421 + if (!vsi->netdev)
8422 + return;
8423 +
8424 +- for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++)
8425 +- napi_enable(&vsi->q_vectors[q_idx]->napi);
8426 ++ for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) {
8427 ++ struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx];
8428 ++
8429 ++ if (q_vector->rx.ring || q_vector->tx.ring)
8430 ++ napi_enable(&q_vector->napi);
8431 ++ }
8432 + }
8433 +
8434 + /**
8435 +@@ -3909,8 +3913,12 @@ static void i40e_napi_disable_all(struct i40e_vsi *vsi)
8436 + if (!vsi->netdev)
8437 + return;
8438 +
8439 +- for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++)
8440 +- napi_disable(&vsi->q_vectors[q_idx]->napi);
8441 ++ for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) {
8442 ++ struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx];
8443 ++
8444 ++ if (q_vector->rx.ring || q_vector->tx.ring)
8445 ++ napi_disable(&q_vector->napi);
8446 ++ }
8447 + }
8448 +
8449 + /**
8450 +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
8451 +index 34f15f56b2a1..cfcafea9d2b6 100644
8452 +--- a/drivers/net/ethernet/intel/igb/igb_main.c
8453 ++++ b/drivers/net/ethernet/intel/igb/igb_main.c
8454 +@@ -2998,6 +2998,8 @@ static int igb_sw_init(struct igb_adapter *adapter)
8455 + /* Setup and initialize a copy of the hw vlan table array */
8456 + adapter->shadow_vfta = kcalloc(E1000_VLAN_FILTER_TBL_SIZE, sizeof(u32),
8457 + GFP_ATOMIC);
8458 ++ if (!adapter->shadow_vfta)
8459 ++ return -ENOMEM;
8460 +
8461 + /* This call may decrease the number of queues */
8462 + if (igb_init_interrupt_scheme(adapter, true)) {
8463 +@@ -3167,7 +3169,7 @@ static int __igb_close(struct net_device *netdev, bool suspending)
8464 +
8465 + static int igb_close(struct net_device *netdev)
8466 + {
8467 +- if (netif_device_present(netdev))
8468 ++ if (netif_device_present(netdev) || netdev->dismantle)
8469 + return __igb_close(netdev, false);
8470 + return 0;
8471 + }
8472 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
8473 +index 06d8f3cfa099..14f789e72c29 100644
8474 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
8475 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
8476 +@@ -3609,10 +3609,10 @@ s32 ixgbe_set_fw_drv_ver_generic(struct ixgbe_hw *hw, u8 maj, u8 min,
8477 + fw_cmd.ver_build = build;
8478 + fw_cmd.ver_sub = sub;
8479 + fw_cmd.hdr.checksum = 0;
8480 +- fw_cmd.hdr.checksum = ixgbe_calculate_checksum((u8 *)&fw_cmd,
8481 +- (FW_CEM_HDR_LEN + fw_cmd.hdr.buf_len));
8482 + fw_cmd.pad = 0;
8483 + fw_cmd.pad2 = 0;
8484 ++ fw_cmd.hdr.checksum = ixgbe_calculate_checksum((u8 *)&fw_cmd,
8485 ++ (FW_CEM_HDR_LEN + fw_cmd.hdr.buf_len));
8486 +
8487 + for (i = 0; i <= FW_CEM_MAX_RETRIES; i++) {
8488 + ret_val = ixgbe_host_interface_command(hw, (u32 *)&fw_cmd,
8489 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
8490 +index cf5cf819a6b8..0e1e63ee6c5e 100644
8491 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
8492 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
8493 +@@ -224,6 +224,8 @@ static s32 ixgbe_read_ee_hostif_buffer_X550(struct ixgbe_hw *hw,
8494 + /* convert offset from words to bytes */
8495 + buffer.address = cpu_to_be32((offset + current_word) * 2);
8496 + buffer.length = cpu_to_be16(words_to_read * 2);
8497 ++ buffer.pad2 = 0;
8498 ++ buffer.pad3 = 0;
8499 +
8500 + status = ixgbe_host_interface_command(hw, (u32 *)&buffer,
8501 + sizeof(buffer),
8502 +diff --git a/drivers/net/ethernet/marvell/mvmdio.c b/drivers/net/ethernet/marvell/mvmdio.c
8503 +index fc2fb25343f4..c122b3b99cd8 100644
8504 +--- a/drivers/net/ethernet/marvell/mvmdio.c
8505 ++++ b/drivers/net/ethernet/marvell/mvmdio.c
8506 +@@ -241,7 +241,8 @@ static int orion_mdio_probe(struct platform_device *pdev)
8507 + dev->regs + MVMDIO_ERR_INT_MASK);
8508 +
8509 + } else if (dev->err_interrupt == -EPROBE_DEFER) {
8510 +- return -EPROBE_DEFER;
8511 ++ ret = -EPROBE_DEFER;
8512 ++ goto out_mdio;
8513 + }
8514 +
8515 + mutex_init(&dev->lock);
8516 +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
8517 +index 40161dacc9c7..744277984cb8 100644
8518 +--- a/drivers/net/ethernet/marvell/mvneta.c
8519 ++++ b/drivers/net/ethernet/marvell/mvneta.c
8520 +@@ -858,6 +858,10 @@ static void mvneta_port_disable(struct mvneta_port *pp)
8521 + val &= ~MVNETA_GMAC0_PORT_ENABLE;
8522 + mvreg_write(pp, MVNETA_GMAC_CTRL_0, val);
8523 +
8524 ++ pp->link = 0;
8525 ++ pp->duplex = -1;
8526 ++ pp->speed = 0;
8527 ++
8528 + udelay(200);
8529 + }
8530 +
8531 +diff --git a/drivers/net/ethernet/marvell/mvpp2.c b/drivers/net/ethernet/marvell/mvpp2.c
8532 +index 3e8b1bfb1f2e..eda6b0a2faf4 100644
8533 +--- a/drivers/net/ethernet/marvell/mvpp2.c
8534 ++++ b/drivers/net/ethernet/marvell/mvpp2.c
8535 +@@ -5583,6 +5583,7 @@ static void mvpp2_set_rx_mode(struct net_device *dev)
8536 + int id = port->id;
8537 + bool allmulti = dev->flags & IFF_ALLMULTI;
8538 +
8539 ++retry:
8540 + mvpp2_prs_mac_promisc_set(priv, id, dev->flags & IFF_PROMISC);
8541 + mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_ALL, allmulti);
8542 + mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_IP6, allmulti);
8543 +@@ -5590,9 +5591,13 @@ static void mvpp2_set_rx_mode(struct net_device *dev)
8544 + /* Remove all port->id's mcast enries */
8545 + mvpp2_prs_mcast_del_all(priv, id);
8546 +
8547 +- if (allmulti && !netdev_mc_empty(dev)) {
8548 +- netdev_for_each_mc_addr(ha, dev)
8549 +- mvpp2_prs_mac_da_accept(priv, id, ha->addr, true);
8550 ++ if (!allmulti) {
8551 ++ netdev_for_each_mc_addr(ha, dev) {
8552 ++ if (mvpp2_prs_mac_da_accept(priv, id, ha->addr, true)) {
8553 ++ allmulti = true;
8554 ++ goto retry;
8555 ++ }
8556 ++ }
8557 + }
8558 + }
8559 +
8560 +diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c
8561 +index b75214a80d0e..eb1dcb7e9e96 100644
8562 +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
8563 ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
8564 +@@ -280,6 +280,9 @@ void mlx4_qp_release_range(struct mlx4_dev *dev, int base_qpn, int cnt)
8565 + u64 in_param = 0;
8566 + int err;
8567 +
8568 ++ if (!cnt)
8569 ++ return;
8570 ++
8571 + if (mlx4_is_mfunc(dev)) {
8572 + set_param_l(&in_param, base_qpn);
8573 + set_param_h(&in_param, cnt);
8574 +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
8575 +index dd618d7ed257..1c40c524f0c8 100644
8576 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
8577 ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
8578 +@@ -3825,7 +3825,7 @@ static void qlcnic_83xx_flush_mbx_queue(struct qlcnic_adapter *adapter)
8579 + struct list_head *head = &mbx->cmd_q;
8580 + struct qlcnic_cmd_args *cmd = NULL;
8581 +
8582 +- spin_lock(&mbx->queue_lock);
8583 ++ spin_lock_bh(&mbx->queue_lock);
8584 +
8585 + while (!list_empty(head)) {
8586 + cmd = list_entry(head->next, struct qlcnic_cmd_args, list);
8587 +@@ -3836,7 +3836,7 @@ static void qlcnic_83xx_flush_mbx_queue(struct qlcnic_adapter *adapter)
8588 + qlcnic_83xx_notify_cmd_completion(adapter, cmd);
8589 + }
8590 +
8591 +- spin_unlock(&mbx->queue_lock);
8592 ++ spin_unlock_bh(&mbx->queue_lock);
8593 + }
8594 +
8595 + static int qlcnic_83xx_check_mbx_status(struct qlcnic_adapter *adapter)
8596 +@@ -3872,12 +3872,12 @@ static void qlcnic_83xx_dequeue_mbx_cmd(struct qlcnic_adapter *adapter,
8597 + {
8598 + struct qlcnic_mailbox *mbx = adapter->ahw->mailbox;
8599 +
8600 +- spin_lock(&mbx->queue_lock);
8601 ++ spin_lock_bh(&mbx->queue_lock);
8602 +
8603 + list_del(&cmd->list);
8604 + mbx->num_cmds--;
8605 +
8606 +- spin_unlock(&mbx->queue_lock);
8607 ++ spin_unlock_bh(&mbx->queue_lock);
8608 +
8609 + qlcnic_83xx_notify_cmd_completion(adapter, cmd);
8610 + }
8611 +@@ -3942,7 +3942,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(struct qlcnic_adapter *adapter,
8612 + init_completion(&cmd->completion);
8613 + cmd->rsp_opcode = QLC_83XX_MBX_RESPONSE_UNKNOWN;
8614 +
8615 +- spin_lock(&mbx->queue_lock);
8616 ++ spin_lock_bh(&mbx->queue_lock);
8617 +
8618 + list_add_tail(&cmd->list, &mbx->cmd_q);
8619 + mbx->num_cmds++;
8620 +@@ -3950,7 +3950,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(struct qlcnic_adapter *adapter,
8621 + *timeout = cmd->total_cmds * QLC_83XX_MBX_TIMEOUT;
8622 + queue_work(mbx->work_q, &mbx->work);
8623 +
8624 +- spin_unlock(&mbx->queue_lock);
8625 ++ spin_unlock_bh(&mbx->queue_lock);
8626 +
8627 + return 0;
8628 + }
8629 +@@ -4046,15 +4046,15 @@ static void qlcnic_83xx_mailbox_worker(struct work_struct *work)
8630 + mbx->rsp_status = QLC_83XX_MBX_RESPONSE_WAIT;
8631 + spin_unlock_irqrestore(&mbx->aen_lock, flags);
8632 +
8633 +- spin_lock(&mbx->queue_lock);
8634 ++ spin_lock_bh(&mbx->queue_lock);
8635 +
8636 + if (list_empty(head)) {
8637 +- spin_unlock(&mbx->queue_lock);
8638 ++ spin_unlock_bh(&mbx->queue_lock);
8639 + return;
8640 + }
8641 + cmd = list_entry(head->next, struct qlcnic_cmd_args, list);
8642 +
8643 +- spin_unlock(&mbx->queue_lock);
8644 ++ spin_unlock_bh(&mbx->queue_lock);
8645 +
8646 + mbx_ops->encode_cmd(adapter, cmd);
8647 + mbx_ops->nofity_fw(adapter, QLC_83XX_MBX_REQUEST);
8648 +diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
8649 +index af4b1f4c24d2..8004de976890 100644
8650 +--- a/drivers/net/ethernet/realtek/r8169.c
8651 ++++ b/drivers/net/ethernet/realtek/r8169.c
8652 +@@ -1375,7 +1375,7 @@ DECLARE_RTL_COND(rtl_ocp_tx_cond)
8653 + {
8654 + void __iomem *ioaddr = tp->mmio_addr;
8655 +
8656 +- return RTL_R8(IBISR0) & 0x02;
8657 ++ return RTL_R8(IBISR0) & 0x20;
8658 + }
8659 +
8660 + static void rtl8168ep_stop_cmac(struct rtl8169_private *tp)
8661 +@@ -1383,7 +1383,7 @@ static void rtl8168ep_stop_cmac(struct rtl8169_private *tp)
8662 + void __iomem *ioaddr = tp->mmio_addr;
8663 +
8664 + RTL_W8(IBCR2, RTL_R8(IBCR2) & ~0x01);
8665 +- rtl_msleep_loop_wait_low(tp, &rtl_ocp_tx_cond, 50, 2000);
8666 ++ rtl_msleep_loop_wait_high(tp, &rtl_ocp_tx_cond, 50, 2000);
8667 + RTL_W8(IBISR0, RTL_R8(IBISR0) | 0x20);
8668 + RTL_W8(IBCR0, RTL_R8(IBCR0) & ~0x01);
8669 + }
8670 +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
8671 +index e2dd94a91c15..0ae76e419482 100644
8672 +--- a/drivers/net/ethernet/renesas/sh_eth.c
8673 ++++ b/drivers/net/ethernet/renesas/sh_eth.c
8674 +@@ -3171,18 +3171,37 @@ static int sh_eth_drv_probe(struct platform_device *pdev)
8675 + /* ioremap the TSU registers */
8676 + if (mdp->cd->tsu) {
8677 + struct resource *rtsu;
8678 ++
8679 + rtsu = platform_get_resource(pdev, IORESOURCE_MEM, 1);
8680 +- mdp->tsu_addr = devm_ioremap_resource(&pdev->dev, rtsu);
8681 +- if (IS_ERR(mdp->tsu_addr)) {
8682 +- ret = PTR_ERR(mdp->tsu_addr);
8683 ++ if (!rtsu) {
8684 ++ dev_err(&pdev->dev, "no TSU resource\n");
8685 ++ ret = -ENODEV;
8686 ++ goto out_release;
8687 ++ }
8688 ++ /* We can only request the TSU region for the first port
8689 ++ * of the two sharing this TSU for the probe to succeed...
8690 ++ */
8691 ++ if (devno % 2 == 0 &&
8692 ++ !devm_request_mem_region(&pdev->dev, rtsu->start,
8693 ++ resource_size(rtsu),
8694 ++ dev_name(&pdev->dev))) {
8695 ++ dev_err(&pdev->dev, "can't request TSU resource.\n");
8696 ++ ret = -EBUSY;
8697 ++ goto out_release;
8698 ++ }
8699 ++ mdp->tsu_addr = devm_ioremap(&pdev->dev, rtsu->start,
8700 ++ resource_size(rtsu));
8701 ++ if (!mdp->tsu_addr) {
8702 ++ dev_err(&pdev->dev, "TSU region ioremap() failed.\n");
8703 ++ ret = -ENOMEM;
8704 + goto out_release;
8705 + }
8706 + mdp->port = devno % 2;
8707 + ndev->features = NETIF_F_HW_VLAN_CTAG_FILTER;
8708 + }
8709 +
8710 +- /* initialize first or needed device */
8711 +- if (!devno || pd->needs_init) {
8712 ++ /* Need to init only the first port of the two sharing a TSU */
8713 ++ if (devno % 2 == 0) {
8714 + if (mdp->cd->chip_reset)
8715 + mdp->cd->chip_reset(ndev);
8716 +
8717 +diff --git a/drivers/net/ethernet/ti/tlan.c b/drivers/net/ethernet/ti/tlan.c
8718 +index 691ec936e88d..a0f805142d42 100644
8719 +--- a/drivers/net/ethernet/ti/tlan.c
8720 ++++ b/drivers/net/ethernet/ti/tlan.c
8721 +@@ -610,8 +610,8 @@ err_out_regions:
8722 + #ifdef CONFIG_PCI
8723 + if (pdev)
8724 + pci_release_regions(pdev);
8725 +-#endif
8726 + err_out:
8727 ++#endif
8728 + if (pdev)
8729 + pci_disable_device(pdev);
8730 + return rc;
8731 +diff --git a/drivers/net/ethernet/xilinx/Kconfig b/drivers/net/ethernet/xilinx/Kconfig
8732 +index 7b90a5eba099..9d6c252c1911 100644
8733 +--- a/drivers/net/ethernet/xilinx/Kconfig
8734 ++++ b/drivers/net/ethernet/xilinx/Kconfig
8735 +@@ -36,6 +36,7 @@ config XILINX_AXI_EMAC
8736 + config XILINX_LL_TEMAC
8737 + tristate "Xilinx LL TEMAC (LocalLink Tri-mode Ethernet MAC) driver"
8738 + depends on (PPC || MICROBLAZE)
8739 ++ depends on !64BIT || BROKEN
8740 + select PHYLIB
8741 + ---help---
8742 + This driver supports the Xilinx 10/100/1000 LocalLink TEMAC
8743 +diff --git a/drivers/net/hippi/rrunner.c b/drivers/net/hippi/rrunner.c
8744 +index 95c0b45a68fb..313e006f74fe 100644
8745 +--- a/drivers/net/hippi/rrunner.c
8746 ++++ b/drivers/net/hippi/rrunner.c
8747 +@@ -1381,8 +1381,8 @@ static int rr_close(struct net_device *dev)
8748 + rrpriv->info_dma);
8749 + rrpriv->info = NULL;
8750 +
8751 +- free_irq(pdev->irq, dev);
8752 + spin_unlock_irqrestore(&rrpriv->lock, flags);
8753 ++ free_irq(pdev->irq, dev);
8754 +
8755 + return 0;
8756 + }
8757 +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
8758 +index c30b5c300c05..f3cd85ecd795 100644
8759 +--- a/drivers/net/ipvlan/ipvlan_core.c
8760 ++++ b/drivers/net/ipvlan/ipvlan_core.c
8761 +@@ -345,6 +345,7 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
8762 + .flowi4_oif = dev_get_iflink(dev),
8763 + .flowi4_tos = RT_TOS(ip4h->tos),
8764 + .flowi4_flags = FLOWI_FLAG_ANYSRC,
8765 ++ .flowi4_mark = skb->mark,
8766 + .daddr = ip4h->daddr,
8767 + .saddr = ip4h->saddr,
8768 + };
8769 +diff --git a/drivers/net/irda/vlsi_ir.c b/drivers/net/irda/vlsi_ir.c
8770 +index a0849f49bbec..c0192f97ecc8 100644
8771 +--- a/drivers/net/irda/vlsi_ir.c
8772 ++++ b/drivers/net/irda/vlsi_ir.c
8773 +@@ -418,8 +418,9 @@ static struct vlsi_ring *vlsi_alloc_ring(struct pci_dev *pdev, struct ring_descr
8774 + memset(rd, 0, sizeof(*rd));
8775 + rd->hw = hwmap + i;
8776 + rd->buf = kmalloc(len, GFP_KERNEL|GFP_DMA);
8777 +- if (rd->buf == NULL ||
8778 +- !(busaddr = pci_map_single(pdev, rd->buf, len, dir))) {
8779 ++ if (rd->buf)
8780 ++ busaddr = pci_map_single(pdev, rd->buf, len, dir);
8781 ++ if (rd->buf == NULL || pci_dma_mapping_error(pdev, busaddr)) {
8782 + if (rd->buf) {
8783 + net_err_ratelimited("%s: failed to create PCI-MAP for %p\n",
8784 + __func__, rd->buf);
8785 +@@ -430,8 +431,7 @@ static struct vlsi_ring *vlsi_alloc_ring(struct pci_dev *pdev, struct ring_descr
8786 + rd = r->rd + j;
8787 + busaddr = rd_get_addr(rd);
8788 + rd_set_addr_status(rd, 0, 0);
8789 +- if (busaddr)
8790 +- pci_unmap_single(pdev, busaddr, len, dir);
8791 ++ pci_unmap_single(pdev, busaddr, len, dir);
8792 + kfree(rd->buf);
8793 + rd->buf = NULL;
8794 + }
8795 +diff --git a/drivers/net/phy/at803x.c b/drivers/net/phy/at803x.c
8796 +index fabf11d32d27..d4b8ea30cd9d 100644
8797 +--- a/drivers/net/phy/at803x.c
8798 ++++ b/drivers/net/phy/at803x.c
8799 +@@ -105,7 +105,7 @@ static int at803x_set_wol(struct phy_device *phydev,
8800 + mac = (const u8 *) ndev->dev_addr;
8801 +
8802 + if (!is_valid_ether_addr(mac))
8803 +- return -EFAULT;
8804 ++ return -EINVAL;
8805 +
8806 + for (i = 0; i < 3; i++) {
8807 + phy_write(phydev, AT803X_MMD_ACCESS_CONTROL,
8808 +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
8809 +index d1c4bc1c4df0..31aa93907b77 100644
8810 +--- a/drivers/net/ppp/pppoe.c
8811 ++++ b/drivers/net/ppp/pppoe.c
8812 +@@ -860,6 +860,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
8813 + struct pppoe_hdr *ph;
8814 + struct net_device *dev;
8815 + char *start;
8816 ++ int hlen;
8817 +
8818 + lock_sock(sk);
8819 + if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
8820 +@@ -878,16 +879,16 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
8821 + if (total_len > (dev->mtu + dev->hard_header_len))
8822 + goto end;
8823 +
8824 +-
8825 +- skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
8826 +- 0, GFP_KERNEL);
8827 ++ hlen = LL_RESERVED_SPACE(dev);
8828 ++ skb = sock_wmalloc(sk, hlen + sizeof(*ph) + total_len +
8829 ++ dev->needed_tailroom, 0, GFP_KERNEL);
8830 + if (!skb) {
8831 + error = -ENOMEM;
8832 + goto end;
8833 + }
8834 +
8835 + /* Reserve space for headers. */
8836 +- skb_reserve(skb, dev->hard_header_len);
8837 ++ skb_reserve(skb, hlen);
8838 + skb_reset_network_header(skb);
8839 +
8840 + skb->dev = dev;
8841 +@@ -948,7 +949,7 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
8842 + /* Copy the data if there is no space for the header or if it's
8843 + * read-only.
8844 + */
8845 +- if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
8846 ++ if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
8847 + goto abort;
8848 +
8849 + __skb_push(skb, sizeof(*ph));
8850 +diff --git a/drivers/net/usb/Kconfig b/drivers/net/usb/Kconfig
8851 +index 2b47cbae524c..9a9e0ea05a72 100644
8852 +--- a/drivers/net/usb/Kconfig
8853 ++++ b/drivers/net/usb/Kconfig
8854 +@@ -382,6 +382,10 @@ config USB_NET_RNDIS_HOST
8855 + The protocol specification is incomplete, and is controlled by
8856 + (and for) Microsoft; it isn't an "Open" ecosystem or market.
8857 +
8858 ++config USB_NET_CDC_SUBSET_ENABLE
8859 ++ tristate
8860 ++ depends on USB_NET_CDC_SUBSET
8861 ++
8862 + config USB_NET_CDC_SUBSET
8863 + tristate "Simple USB Network Links (CDC Ethernet subset)"
8864 + depends on USB_USBNET
8865 +@@ -400,6 +404,7 @@ config USB_NET_CDC_SUBSET
8866 + config USB_ALI_M5632
8867 + bool "ALi M5632 based 'USB 2.0 Data Link' cables"
8868 + depends on USB_NET_CDC_SUBSET
8869 ++ select USB_NET_CDC_SUBSET_ENABLE
8870 + help
8871 + Choose this option if you're using a host-to-host cable
8872 + based on this design, which supports USB 2.0 high speed.
8873 +@@ -407,6 +412,7 @@ config USB_ALI_M5632
8874 + config USB_AN2720
8875 + bool "AnchorChips 2720 based cables (Xircom PGUNET, ...)"
8876 + depends on USB_NET_CDC_SUBSET
8877 ++ select USB_NET_CDC_SUBSET_ENABLE
8878 + help
8879 + Choose this option if you're using a host-to-host cable
8880 + based on this design. Note that AnchorChips is now a
8881 +@@ -415,6 +421,7 @@ config USB_AN2720
8882 + config USB_BELKIN
8883 + bool "eTEK based host-to-host cables (Advance, Belkin, ...)"
8884 + depends on USB_NET_CDC_SUBSET
8885 ++ select USB_NET_CDC_SUBSET_ENABLE
8886 + default y
8887 + help
8888 + Choose this option if you're using a host-to-host cable
8889 +@@ -424,6 +431,7 @@ config USB_BELKIN
8890 + config USB_ARMLINUX
8891 + bool "Embedded ARM Linux links (iPaq, ...)"
8892 + depends on USB_NET_CDC_SUBSET
8893 ++ select USB_NET_CDC_SUBSET_ENABLE
8894 + default y
8895 + help
8896 + Choose this option to support the "usb-eth" networking driver
8897 +@@ -441,6 +449,7 @@ config USB_ARMLINUX
8898 + config USB_EPSON2888
8899 + bool "Epson 2888 based firmware (DEVELOPMENT)"
8900 + depends on USB_NET_CDC_SUBSET
8901 ++ select USB_NET_CDC_SUBSET_ENABLE
8902 + help
8903 + Choose this option to support the usb networking links used
8904 + by some sample firmware from Epson.
8905 +@@ -448,6 +457,7 @@ config USB_EPSON2888
8906 + config USB_KC2190
8907 + bool "KT Technology KC2190 based cables (InstaNet)"
8908 + depends on USB_NET_CDC_SUBSET
8909 ++ select USB_NET_CDC_SUBSET_ENABLE
8910 + help
8911 + Choose this option if you're using a host-to-host cable
8912 + with one of these chips.
8913 +diff --git a/drivers/net/usb/Makefile b/drivers/net/usb/Makefile
8914 +index e2797f1e1b31..ed5a577c1a61 100644
8915 +--- a/drivers/net/usb/Makefile
8916 ++++ b/drivers/net/usb/Makefile
8917 +@@ -22,7 +22,7 @@ obj-$(CONFIG_USB_NET_GL620A) += gl620a.o
8918 + obj-$(CONFIG_USB_NET_NET1080) += net1080.o
8919 + obj-$(CONFIG_USB_NET_PLUSB) += plusb.o
8920 + obj-$(CONFIG_USB_NET_RNDIS_HOST) += rndis_host.o
8921 +-obj-$(CONFIG_USB_NET_CDC_SUBSET) += cdc_subset.o
8922 ++obj-$(CONFIG_USB_NET_CDC_SUBSET_ENABLE) += cdc_subset.o
8923 + obj-$(CONFIG_USB_NET_ZAURUS) += zaurus.o
8924 + obj-$(CONFIG_USB_NET_MCS7830) += mcs7830.o
8925 + obj-$(CONFIG_USB_USBNET) += usbnet.o
8926 +diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
8927 +index e221bfcee76b..947bea81d924 100644
8928 +--- a/drivers/net/usb/cx82310_eth.c
8929 ++++ b/drivers/net/usb/cx82310_eth.c
8930 +@@ -293,12 +293,9 @@ static struct sk_buff *cx82310_tx_fixup(struct usbnet *dev, struct sk_buff *skb,
8931 + {
8932 + int len = skb->len;
8933 +
8934 +- if (skb_headroom(skb) < 2) {
8935 +- struct sk_buff *skb2 = skb_copy_expand(skb, 2, 0, flags);
8936 ++ if (skb_cow_head(skb, 2)) {
8937 + dev_kfree_skb_any(skb);
8938 +- skb = skb2;
8939 +- if (!skb)
8940 +- return NULL;
8941 ++ return NULL;
8942 + }
8943 + skb_push(skb, 2);
8944 +
8945 +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
8946 +index 6cf881ce4d4e..3d97fd391793 100644
8947 +--- a/drivers/net/usb/qmi_wwan.c
8948 ++++ b/drivers/net/usb/qmi_wwan.c
8949 +@@ -464,6 +464,10 @@ static const struct usb_device_id products[] = {
8950 + USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, USB_CLASS_VENDOR_SPEC, 0x01, 0x69),
8951 + .driver_info = (unsigned long)&qmi_wwan_info,
8952 + },
8953 ++ { /* Motorola Mapphone devices with MDM6600 */
8954 ++ USB_VENDOR_AND_INTERFACE_INFO(0x22b8, USB_CLASS_VENDOR_SPEC, 0xfb, 0xff),
8955 ++ .driver_info = (unsigned long)&qmi_wwan_info,
8956 ++ },
8957 +
8958 + /* 2. Combined interface devices matching on class+protocol */
8959 + { /* Huawei E367 and possibly others in "Windows mode" */
8960 +@@ -775,6 +779,7 @@ static const struct usb_device_id products[] = {
8961 + {QMI_FIXED_INTF(0x1199, 0x9079, 10)}, /* Sierra Wireless EM74xx */
8962 + {QMI_FIXED_INTF(0x1199, 0x907b, 8)}, /* Sierra Wireless EM74xx */
8963 + {QMI_FIXED_INTF(0x1199, 0x907b, 10)}, /* Sierra Wireless EM74xx */
8964 ++ {QMI_FIXED_INTF(0x1199, 0x9091, 8)}, /* Sierra Wireless EM7565 */
8965 + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
8966 + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
8967 + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
8968 +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
8969 +index e387af61e0d3..55b0129acff7 100644
8970 +--- a/drivers/net/usb/r8152.c
8971 ++++ b/drivers/net/usb/r8152.c
8972 +@@ -1263,6 +1263,7 @@ static int alloc_all_mem(struct r8152 *tp)
8973 + spin_lock_init(&tp->rx_lock);
8974 + spin_lock_init(&tp->tx_lock);
8975 + INIT_LIST_HEAD(&tp->tx_free);
8976 ++ INIT_LIST_HEAD(&tp->rx_done);
8977 + skb_queue_head_init(&tp->tx_queue);
8978 + skb_queue_head_init(&tp->rx_queue);
8979 +
8980 +@@ -1928,7 +1929,6 @@ static void _rtl8152_set_rx_mode(struct net_device *netdev)
8981 + __le32 tmp[2];
8982 + u32 ocp_data;
8983 +
8984 +- clear_bit(RTL8152_SET_RX_MODE, &tp->flags);
8985 + netif_stop_queue(netdev);
8986 + ocp_data = ocp_read_dword(tp, MCU_TYPE_PLA, PLA_RCR);
8987 + ocp_data &= ~RCR_ACPT_ALL;
8988 +@@ -2363,8 +2363,6 @@ static void rtl_phy_reset(struct r8152 *tp)
8989 + u16 data;
8990 + int i;
8991 +
8992 +- clear_bit(PHY_RESET, &tp->flags);
8993 +-
8994 + data = r8152_mdio_read(tp, MII_BMCR);
8995 +
8996 + /* don't reset again before the previous one complete */
8997 +@@ -2859,10 +2857,9 @@ static int rtl8152_set_speed(struct r8152 *tp, u8 autoneg, u16 speed, u8 duplex)
8998 + r8152_mdio_write(tp, MII_ADVERTISE, anar);
8999 + r8152_mdio_write(tp, MII_BMCR, bmcr);
9000 +
9001 +- if (test_bit(PHY_RESET, &tp->flags)) {
9002 ++ if (test_and_clear_bit(PHY_RESET, &tp->flags)) {
9003 + int i;
9004 +
9005 +- clear_bit(PHY_RESET, &tp->flags);
9006 + for (i = 0; i < 50; i++) {
9007 + msleep(20);
9008 + if ((r8152_mdio_read(tp, MII_BMCR) & BMCR_RESET) == 0)
9009 +@@ -2871,7 +2868,6 @@ static int rtl8152_set_speed(struct r8152 *tp, u8 autoneg, u16 speed, u8 duplex)
9010 + }
9011 +
9012 + out:
9013 +-
9014 + return ret;
9015 + }
9016 +
9017 +@@ -2927,7 +2923,6 @@ static void set_carrier(struct r8152 *tp)
9018 + struct net_device *netdev = tp->netdev;
9019 + u8 speed;
9020 +
9021 +- clear_bit(RTL8152_LINK_CHG, &tp->flags);
9022 + speed = rtl8152_get_speed(tp);
9023 +
9024 + if (speed & LINK_STATUS) {
9025 +@@ -2968,20 +2963,18 @@ static void rtl_work_func_t(struct work_struct *work)
9026 + goto out1;
9027 + }
9028 +
9029 +- if (test_bit(RTL8152_LINK_CHG, &tp->flags))
9030 ++ if (test_and_clear_bit(RTL8152_LINK_CHG, &tp->flags))
9031 + set_carrier(tp);
9032 +
9033 +- if (test_bit(RTL8152_SET_RX_MODE, &tp->flags))
9034 ++ if (test_and_clear_bit(RTL8152_SET_RX_MODE, &tp->flags))
9035 + _rtl8152_set_rx_mode(tp->netdev);
9036 +
9037 + /* don't schedule napi before linking */
9038 +- if (test_bit(SCHEDULE_NAPI, &tp->flags) &&
9039 +- netif_carrier_ok(tp->netdev)) {
9040 +- clear_bit(SCHEDULE_NAPI, &tp->flags);
9041 ++ if (test_and_clear_bit(SCHEDULE_NAPI, &tp->flags) &&
9042 ++ netif_carrier_ok(tp->netdev))
9043 + napi_schedule(&tp->napi);
9044 +- }
9045 +
9046 +- if (test_bit(PHY_RESET, &tp->flags))
9047 ++ if (test_and_clear_bit(PHY_RESET, &tp->flags))
9048 + rtl_phy_reset(tp);
9049 +
9050 + mutex_unlock(&tp->control);
9051 +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
9052 +index d9e7892262fa..2c526ca29cde 100644
9053 +--- a/drivers/net/usb/smsc75xx.c
9054 ++++ b/drivers/net/usb/smsc75xx.c
9055 +@@ -2198,13 +2198,9 @@ static struct sk_buff *smsc75xx_tx_fixup(struct usbnet *dev,
9056 + {
9057 + u32 tx_cmd_a, tx_cmd_b;
9058 +
9059 +- if (skb_headroom(skb) < SMSC75XX_TX_OVERHEAD) {
9060 +- struct sk_buff *skb2 =
9061 +- skb_copy_expand(skb, SMSC75XX_TX_OVERHEAD, 0, flags);
9062 ++ if (skb_cow_head(skb, SMSC75XX_TX_OVERHEAD)) {
9063 + dev_kfree_skb_any(skb);
9064 +- skb = skb2;
9065 +- if (!skb)
9066 +- return NULL;
9067 ++ return NULL;
9068 + }
9069 +
9070 + tx_cmd_a = (u32)(skb->len & TX_CMD_A_LEN) | TX_CMD_A_FCS;
9071 +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
9072 +index 4a1e9c489f1f..aadfe1d1c37e 100644
9073 +--- a/drivers/net/usb/sr9700.c
9074 ++++ b/drivers/net/usb/sr9700.c
9075 +@@ -456,14 +456,9 @@ static struct sk_buff *sr9700_tx_fixup(struct usbnet *dev, struct sk_buff *skb,
9076 +
9077 + len = skb->len;
9078 +
9079 +- if (skb_headroom(skb) < SR_TX_OVERHEAD) {
9080 +- struct sk_buff *skb2;
9081 +-
9082 +- skb2 = skb_copy_expand(skb, SR_TX_OVERHEAD, 0, flags);
9083 ++ if (skb_cow_head(skb, SR_TX_OVERHEAD)) {
9084 + dev_kfree_skb_any(skb);
9085 +- skb = skb2;
9086 +- if (!skb)
9087 +- return NULL;
9088 ++ return NULL;
9089 + }
9090 +
9091 + __skb_push(skb, SR_TX_OVERHEAD);
9092 +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
9093 +index 61c0840c448c..0b9c8d61f7d1 100644
9094 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c
9095 ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
9096 +@@ -1431,7 +1431,6 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
9097 + rq->rx_ring[i].basePA);
9098 + rq->rx_ring[i].base = NULL;
9099 + }
9100 +- rq->buf_info[i] = NULL;
9101 + }
9102 +
9103 + if (rq->comp_ring.base) {
9104 +@@ -1446,6 +1445,7 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
9105 + (rq->rx_ring[0].size + rq->rx_ring[1].size);
9106 + dma_free_coherent(&adapter->pdev->dev, sz, rq->buf_info[0],
9107 + rq->buf_info_pa);
9108 ++ rq->buf_info[0] = rq->buf_info[1] = NULL;
9109 + }
9110 + }
9111 +
9112 +diff --git a/drivers/net/wireless/cw1200/wsm.c b/drivers/net/wireless/cw1200/wsm.c
9113 +index 9e0ca3048657..3dd46c78c1cc 100644
9114 +--- a/drivers/net/wireless/cw1200/wsm.c
9115 ++++ b/drivers/net/wireless/cw1200/wsm.c
9116 +@@ -379,7 +379,6 @@ static int wsm_multi_tx_confirm(struct cw1200_common *priv,
9117 + {
9118 + int ret;
9119 + int count;
9120 +- int i;
9121 +
9122 + count = WSM_GET32(buf);
9123 + if (WARN_ON(count <= 0))
9124 +@@ -395,11 +394,10 @@ static int wsm_multi_tx_confirm(struct cw1200_common *priv,
9125 + }
9126 +
9127 + cw1200_debug_txed_multi(priv, count);
9128 +- for (i = 0; i < count; ++i) {
9129 ++ do {
9130 + ret = wsm_tx_confirm(priv, buf, link_id);
9131 +- if (ret)
9132 +- return ret;
9133 +- }
9134 ++ } while (!ret && --count);
9135 ++
9136 + return ret;
9137 +
9138 + underflow:
9139 +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
9140 +index 8a38a5bd34b8..9e8461466534 100644
9141 +--- a/drivers/net/xen-netfront.c
9142 ++++ b/drivers/net/xen-netfront.c
9143 +@@ -87,6 +87,8 @@ struct netfront_cb {
9144 + /* IRQ name is queue name with "-tx" or "-rx" appended */
9145 + #define IRQ_NAME_SIZE (QUEUE_NAME_SIZE + 3)
9146 +
9147 ++static DECLARE_WAIT_QUEUE_HEAD(module_unload_q);
9148 ++
9149 + struct netfront_stats {
9150 + u64 packets;
9151 + u64 bytes;
9152 +@@ -1999,10 +2001,12 @@ static void netback_changed(struct xenbus_device *dev,
9153 + break;
9154 +
9155 + case XenbusStateClosed:
9156 ++ wake_up_all(&module_unload_q);
9157 + if (dev->state == XenbusStateClosed)
9158 + break;
9159 + /* Missed the backend's CLOSING state -- fallthrough */
9160 + case XenbusStateClosing:
9161 ++ wake_up_all(&module_unload_q);
9162 + xenbus_frontend_closed(dev);
9163 + break;
9164 + }
9165 +@@ -2108,6 +2112,20 @@ static int xennet_remove(struct xenbus_device *dev)
9166 +
9167 + dev_dbg(&dev->dev, "%s\n", dev->nodename);
9168 +
9169 ++ if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) {
9170 ++ xenbus_switch_state(dev, XenbusStateClosing);
9171 ++ wait_event(module_unload_q,
9172 ++ xenbus_read_driver_state(dev->otherend) ==
9173 ++ XenbusStateClosing);
9174 ++
9175 ++ xenbus_switch_state(dev, XenbusStateClosed);
9176 ++ wait_event(module_unload_q,
9177 ++ xenbus_read_driver_state(dev->otherend) ==
9178 ++ XenbusStateClosed ||
9179 ++ xenbus_read_driver_state(dev->otherend) ==
9180 ++ XenbusStateUnknown);
9181 ++ }
9182 ++
9183 + xennet_disconnect_backend(info);
9184 +
9185 + unregister_netdev(info->netdev);
9186 +diff --git a/drivers/parisc/lba_pci.c b/drivers/parisc/lba_pci.c
9187 +index 3901ff66d0ee..2f7978204421 100644
9188 +--- a/drivers/parisc/lba_pci.c
9189 ++++ b/drivers/parisc/lba_pci.c
9190 +@@ -1654,3 +1654,36 @@ void lba_set_iregs(struct parisc_device *lba, u32 ibase, u32 imask)
9191 + iounmap(base_addr);
9192 + }
9193 +
9194 ++
9195 ++/*
9196 ++ * The design of the Diva management card in rp34x0 machines (rp3410, rp3440)
9197 ++ * seems rushed, so that many built-in components simply don't work.
9198 ++ * The following quirks disable the serial AUX port and the built-in ATI RV100
9199 ++ * Radeon 7000 graphics card which both don't have any external connectors and
9200 ++ * thus are useless, and even worse, e.g. the AUX port occupies ttyS0 and as
9201 ++ * such makes those machines the only PARISC machines on which we can't use
9202 ++ * ttyS0 as boot console.
9203 ++ */
9204 ++static void quirk_diva_ati_card(struct pci_dev *dev)
9205 ++{
9206 ++ if (dev->subsystem_vendor != PCI_VENDOR_ID_HP ||
9207 ++ dev->subsystem_device != 0x1292)
9208 ++ return;
9209 ++
9210 ++ dev_info(&dev->dev, "Hiding Diva built-in ATI card");
9211 ++ dev->device = 0;
9212 ++}
9213 ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RADEON_QY,
9214 ++ quirk_diva_ati_card);
9215 ++
9216 ++static void quirk_diva_aux_disable(struct pci_dev *dev)
9217 ++{
9218 ++ if (dev->subsystem_vendor != PCI_VENDOR_ID_HP ||
9219 ++ dev->subsystem_device != 0x1291)
9220 ++ return;
9221 ++
9222 ++ dev_info(&dev->dev, "Hiding Diva built-in AUX serial device");
9223 ++ dev->device = 0;
9224 ++}
9225 ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_DIVA_AUX,
9226 ++ quirk_diva_aux_disable);
9227 +diff --git a/drivers/pci/host/pci-keystone.c b/drivers/pci/host/pci-keystone.c
9228 +index 75333b0c4f0a..29b018c4e7e4 100644
9229 +--- a/drivers/pci/host/pci-keystone.c
9230 ++++ b/drivers/pci/host/pci-keystone.c
9231 +@@ -179,14 +179,16 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
9232 + }
9233 +
9234 + /* interrupt controller is in a child node */
9235 +- *np_temp = of_find_node_by_name(np_pcie, controller);
9236 ++ *np_temp = of_get_child_by_name(np_pcie, controller);
9237 + if (!(*np_temp)) {
9238 + dev_err(dev, "Node for %s is absent\n", controller);
9239 + goto out;
9240 + }
9241 + temp = of_irq_count(*np_temp);
9242 +- if (!temp)
9243 ++ if (!temp) {
9244 ++ of_node_put(*np_temp);
9245 + goto out;
9246 ++ }
9247 + if (temp > max_host_irqs)
9248 + dev_warn(dev, "Too many %s interrupts defined %u\n",
9249 + (legacy ? "legacy" : "MSI"), temp);
9250 +@@ -200,6 +202,9 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie,
9251 + if (!host_irqs[temp])
9252 + break;
9253 + }
9254 ++
9255 ++ of_node_put(*np_temp);
9256 ++
9257 + if (temp) {
9258 + *num_irqs = temp;
9259 + ret = 0;
9260 +diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c
9261 +index 089a1f41e44e..95db37cf5f08 100644
9262 +--- a/drivers/pci/iov.c
9263 ++++ b/drivers/pci/iov.c
9264 +@@ -156,7 +156,6 @@ static int virtfn_add(struct pci_dev *dev, int id, int reset)
9265 + pci_device_add(virtfn, virtfn->bus);
9266 + mutex_unlock(&iov->dev->sriov->lock);
9267 +
9268 +- pci_bus_add_device(virtfn);
9269 + sprintf(buf, "virtfn%u", id);
9270 + rc = sysfs_create_link(&dev->dev.kobj, &virtfn->dev.kobj, buf);
9271 + if (rc)
9272 +@@ -167,6 +166,8 @@ static int virtfn_add(struct pci_dev *dev, int id, int reset)
9273 +
9274 + kobject_uevent(&virtfn->dev.kobj, KOBJ_CHANGE);
9275 +
9276 ++ pci_bus_add_device(virtfn);
9277 ++
9278 + return 0;
9279 +
9280 + failed2:
9281 +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
9282 +index 98101c4118bb..1363fe636281 100644
9283 +--- a/drivers/pci/pci-driver.c
9284 ++++ b/drivers/pci/pci-driver.c
9285 +@@ -936,7 +936,12 @@ static int pci_pm_thaw_noirq(struct device *dev)
9286 + if (pci_has_legacy_pm_support(pci_dev))
9287 + return pci_legacy_resume_early(dev);
9288 +
9289 +- pci_update_current_state(pci_dev, PCI_D0);
9290 ++ /*
9291 ++ * pci_restore_state() requires the device to be in D0 (because of MSI
9292 ++ * restoration among other things), so force it into D0 in case the
9293 ++ * driver's "freeze" callbacks put it into a low-power state directly.
9294 ++ */
9295 ++ pci_set_power_state(pci_dev, PCI_D0);
9296 + pci_restore_state(pci_dev);
9297 +
9298 + if (drv && drv->pm && drv->pm->thaw_noirq)
9299 +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
9300 +index 409f895b5a3d..ffd8fe77b8ae 100644
9301 +--- a/drivers/pci/pci.c
9302 ++++ b/drivers/pci/pci.c
9303 +@@ -3651,6 +3651,10 @@ static bool pci_bus_resetable(struct pci_bus *bus)
9304 + {
9305 + struct pci_dev *dev;
9306 +
9307 ++
9308 ++ if (bus->self && (bus->self->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET))
9309 ++ return false;
9310 ++
9311 + list_for_each_entry(dev, &bus->devices, bus_list) {
9312 + if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET ||
9313 + (dev->subordinate && !pci_bus_resetable(dev->subordinate)))
9314 +diff --git a/drivers/pci/pcie/aer/aerdrv_core.c b/drivers/pci/pcie/aer/aerdrv_core.c
9315 +index b60a325234c5..cca4b4789ac4 100644
9316 +--- a/drivers/pci/pcie/aer/aerdrv_core.c
9317 ++++ b/drivers/pci/pcie/aer/aerdrv_core.c
9318 +@@ -360,7 +360,14 @@ static pci_ers_result_t broadcast_error_message(struct pci_dev *dev,
9319 + * If the error is reported by an end point, we think this
9320 + * error is related to the upstream link of the end point.
9321 + */
9322 +- pci_walk_bus(dev->bus, cb, &result_data);
9323 ++ if (state == pci_channel_io_normal)
9324 ++ /*
9325 ++ * the error is non fatal so the bus is ok, just invoke
9326 ++ * the callback for the function that logged the error.
9327 ++ */
9328 ++ cb(dev, &result_data);
9329 ++ else
9330 ++ pci_walk_bus(dev->bus, cb, &result_data);
9331 + }
9332 +
9333 + return result_data.result;
9334 +diff --git a/drivers/pinctrl/pinctrl-st.c b/drivers/pinctrl/pinctrl-st.c
9335 +index 65bf73b70e34..a02a7caf8d4c 100644
9336 +--- a/drivers/pinctrl/pinctrl-st.c
9337 ++++ b/drivers/pinctrl/pinctrl-st.c
9338 +@@ -1348,6 +1348,22 @@ static void st_gpio_irq_unmask(struct irq_data *d)
9339 + writel(BIT(d->hwirq), bank->base + REG_PIO_SET_PMASK);
9340 + }
9341 +
9342 ++static int st_gpio_irq_request_resources(struct irq_data *d)
9343 ++{
9344 ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
9345 ++
9346 ++ st_gpio_direction_input(gc, d->hwirq);
9347 ++
9348 ++ return gpiochip_lock_as_irq(gc, d->hwirq);
9349 ++}
9350 ++
9351 ++static void st_gpio_irq_release_resources(struct irq_data *d)
9352 ++{
9353 ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
9354 ++
9355 ++ gpiochip_unlock_as_irq(gc, d->hwirq);
9356 ++}
9357 ++
9358 + static int st_gpio_irq_set_type(struct irq_data *d, unsigned type)
9359 + {
9360 + struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
9361 +@@ -1503,12 +1519,14 @@ static struct gpio_chip st_gpio_template = {
9362 + };
9363 +
9364 + static struct irq_chip st_gpio_irqchip = {
9365 +- .name = "GPIO",
9366 +- .irq_disable = st_gpio_irq_mask,
9367 +- .irq_mask = st_gpio_irq_mask,
9368 +- .irq_unmask = st_gpio_irq_unmask,
9369 +- .irq_set_type = st_gpio_irq_set_type,
9370 +- .flags = IRQCHIP_SKIP_SET_WAKE,
9371 ++ .name = "GPIO",
9372 ++ .irq_request_resources = st_gpio_irq_request_resources,
9373 ++ .irq_release_resources = st_gpio_irq_release_resources,
9374 ++ .irq_disable = st_gpio_irq_mask,
9375 ++ .irq_mask = st_gpio_irq_mask,
9376 ++ .irq_unmask = st_gpio_irq_unmask,
9377 ++ .irq_set_type = st_gpio_irq_set_type,
9378 ++ .flags = IRQCHIP_SKIP_SET_WAKE,
9379 + };
9380 +
9381 + static int st_gpiolib_register_bank(struct st_pinctrl *info,
9382 +diff --git a/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c b/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c
9383 +index 1b580ba76453..907d7db3fcee 100644
9384 +--- a/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c
9385 ++++ b/drivers/pinctrl/sunxi/pinctrl-sun9i-a80.c
9386 +@@ -145,19 +145,19 @@ static const struct sunxi_desc_pin sun9i_a80_pins[] = {
9387 + SUNXI_FUNCTION(0x0, "gpio_in"),
9388 + SUNXI_FUNCTION(0x1, "gpio_out"),
9389 + SUNXI_FUNCTION(0x3, "mcsi"), /* MCLK */
9390 +- SUNXI_FUNCTION_IRQ_BANK(0x6, 0, 14)), /* PB_EINT14 */
9391 ++ SUNXI_FUNCTION_IRQ_BANK(0x6, 1, 14)), /* PB_EINT14 */
9392 + SUNXI_PIN(SUNXI_PINCTRL_PIN(B, 15),
9393 + SUNXI_FUNCTION(0x0, "gpio_in"),
9394 + SUNXI_FUNCTION(0x1, "gpio_out"),
9395 + SUNXI_FUNCTION(0x3, "mcsi"), /* SCK */
9396 + SUNXI_FUNCTION(0x4, "i2c4"), /* SCK */
9397 +- SUNXI_FUNCTION_IRQ_BANK(0x6, 0, 15)), /* PB_EINT15 */
9398 ++ SUNXI_FUNCTION_IRQ_BANK(0x6, 1, 15)), /* PB_EINT15 */
9399 + SUNXI_PIN(SUNXI_PINCTRL_PIN(B, 16),
9400 + SUNXI_FUNCTION(0x0, "gpio_in"),
9401 + SUNXI_FUNCTION(0x1, "gpio_out"),
9402 + SUNXI_FUNCTION(0x3, "mcsi"), /* SDA */
9403 + SUNXI_FUNCTION(0x4, "i2c4"), /* SDA */
9404 +- SUNXI_FUNCTION_IRQ_BANK(0x6, 0, 16)), /* PB_EINT16 */
9405 ++ SUNXI_FUNCTION_IRQ_BANK(0x6, 1, 16)), /* PB_EINT16 */
9406 +
9407 + /* Hole */
9408 + SUNXI_PIN(SUNXI_PINCTRL_PIN(C, 0),
9409 +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
9410 +index f9f205cb1f11..8becddcf130b 100644
9411 +--- a/drivers/platform/x86/Kconfig
9412 ++++ b/drivers/platform/x86/Kconfig
9413 +@@ -94,6 +94,7 @@ config DELL_LAPTOP
9414 + tristate "Dell Laptop Extras"
9415 + depends on X86
9416 + depends on DCDBAS
9417 ++ depends on DMI
9418 + depends on BACKLIGHT_CLASS_DEVICE
9419 + depends on RFKILL || RFKILL = n
9420 + depends on SERIO_I8042
9421 +@@ -108,6 +109,7 @@ config DELL_LAPTOP
9422 + config DELL_WMI
9423 + tristate "Dell WMI extras"
9424 + depends on ACPI_WMI
9425 ++ depends on DMI
9426 + depends on INPUT
9427 + select INPUT_SPARSEKMAP
9428 + ---help---
9429 +diff --git a/drivers/platform/x86/intel_mid_thermal.c b/drivers/platform/x86/intel_mid_thermal.c
9430 +index aeb3f786d2f0..84273a979768 100644
9431 +--- a/drivers/platform/x86/intel_mid_thermal.c
9432 ++++ b/drivers/platform/x86/intel_mid_thermal.c
9433 +@@ -416,6 +416,7 @@ static struct thermal_device_info *initialize_sensor(int index)
9434 + return td_info;
9435 + }
9436 +
9437 ++#ifdef CONFIG_PM_SLEEP
9438 + /**
9439 + * mid_thermal_resume - resume routine
9440 + * @dev: device structure
9441 +@@ -443,6 +444,7 @@ static int mid_thermal_suspend(struct device *dev)
9442 + */
9443 + return configure_adc(0);
9444 + }
9445 ++#endif
9446 +
9447 + static SIMPLE_DEV_PM_OPS(mid_thermal_pm,
9448 + mid_thermal_suspend, mid_thermal_resume);
9449 +diff --git a/drivers/platform/x86/tc1100-wmi.c b/drivers/platform/x86/tc1100-wmi.c
9450 +index e36542564131..e89ac8cd20e8 100644
9451 +--- a/drivers/platform/x86/tc1100-wmi.c
9452 ++++ b/drivers/platform/x86/tc1100-wmi.c
9453 +@@ -52,7 +52,9 @@ struct tc1100_data {
9454 + u32 jogdial;
9455 + };
9456 +
9457 ++#ifdef CONFIG_PM
9458 + static struct tc1100_data suspend_data;
9459 ++#endif
9460 +
9461 + /* --------------------------------------------------------------------------
9462 + Device Management
9463 +diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
9464 +index faa81ac2d481..038da40e4038 100644
9465 +--- a/drivers/rtc/interface.c
9466 ++++ b/drivers/rtc/interface.c
9467 +@@ -809,7 +809,7 @@ static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer)
9468 + }
9469 +
9470 + timerqueue_add(&rtc->timerqueue, &timer->node);
9471 +- if (!next) {
9472 ++ if (!next || ktime_before(timer->node.expires, next->expires)) {
9473 + struct rtc_wkalrm alarm;
9474 + int err;
9475 + alarm.time = rtc_ktime_to_tm(timer->node.expires);
9476 +diff --git a/drivers/rtc/rtc-opal.c b/drivers/rtc/rtc-opal.c
9477 +index 7061dcae2b09..482af0dda0b0 100644
9478 +--- a/drivers/rtc/rtc-opal.c
9479 ++++ b/drivers/rtc/rtc-opal.c
9480 +@@ -58,6 +58,7 @@ static void tm_to_opal(struct rtc_time *tm, u32 *y_m_d, u64 *h_m_s_ms)
9481 + static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm)
9482 + {
9483 + long rc = OPAL_BUSY;
9484 ++ int retries = 10;
9485 + u32 y_m_d;
9486 + u64 h_m_s_ms;
9487 + __be32 __y_m_d;
9488 +@@ -67,8 +68,11 @@ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm)
9489 + rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms);
9490 + if (rc == OPAL_BUSY_EVENT)
9491 + opal_poll_events(NULL);
9492 +- else
9493 ++ else if (retries-- && (rc == OPAL_HARDWARE
9494 ++ || rc == OPAL_INTERNAL_ERROR))
9495 + msleep(10);
9496 ++ else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT)
9497 ++ break;
9498 + }
9499 +
9500 + if (rc != OPAL_SUCCESS)
9501 +@@ -84,6 +88,7 @@ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm)
9502 + static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm)
9503 + {
9504 + long rc = OPAL_BUSY;
9505 ++ int retries = 10;
9506 + u32 y_m_d = 0;
9507 + u64 h_m_s_ms = 0;
9508 +
9509 +@@ -92,8 +97,11 @@ static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm)
9510 + rc = opal_rtc_write(y_m_d, h_m_s_ms);
9511 + if (rc == OPAL_BUSY_EVENT)
9512 + opal_poll_events(NULL);
9513 +- else
9514 ++ else if (retries-- && (rc == OPAL_HARDWARE
9515 ++ || rc == OPAL_INTERNAL_ERROR))
9516 + msleep(10);
9517 ++ else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT)
9518 ++ break;
9519 + }
9520 +
9521 + return rc == OPAL_SUCCESS ? 0 : -EIO;
9522 +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
9523 +index 6215f6455eb8..7f31087fca31 100644
9524 +--- a/drivers/s390/block/dasd_eckd.c
9525 ++++ b/drivers/s390/block/dasd_eckd.c
9526 +@@ -518,10 +518,12 @@ static int prefix_LRE(struct ccw1 *ccw, struct PFX_eckd_data *pfxdata,
9527 + pfxdata->validity.define_extent = 1;
9528 +
9529 + /* private uid is kept up to date, conf_data may be outdated */
9530 +- if (startpriv->uid.type != UA_BASE_DEVICE) {
9531 ++ if (startpriv->uid.type == UA_BASE_PAV_ALIAS)
9532 + pfxdata->validity.verify_base = 1;
9533 +- if (startpriv->uid.type == UA_HYPER_PAV_ALIAS)
9534 +- pfxdata->validity.hyper_pav = 1;
9535 ++
9536 ++ if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) {
9537 ++ pfxdata->validity.verify_base = 1;
9538 ++ pfxdata->validity.hyper_pav = 1;
9539 + }
9540 +
9541 + /* define extend data (mostly)*/
9542 +@@ -2964,10 +2966,12 @@ static int prepare_itcw(struct itcw *itcw,
9543 + pfxdata.validity.define_extent = 1;
9544 +
9545 + /* private uid is kept up to date, conf_data may be outdated */
9546 +- if (startpriv->uid.type != UA_BASE_DEVICE) {
9547 ++ if (startpriv->uid.type == UA_BASE_PAV_ALIAS)
9548 ++ pfxdata.validity.verify_base = 1;
9549 ++
9550 ++ if (startpriv->uid.type == UA_HYPER_PAV_ALIAS) {
9551 + pfxdata.validity.verify_base = 1;
9552 +- if (startpriv->uid.type == UA_HYPER_PAV_ALIAS)
9553 +- pfxdata.validity.hyper_pav = 1;
9554 ++ pfxdata.validity.hyper_pav = 1;
9555 + }
9556 +
9557 + switch (cmd) {
9558 +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
9559 +index fefd3c512386..6dbf0d5a2a22 100644
9560 +--- a/drivers/s390/net/qeth_l3_main.c
9561 ++++ b/drivers/s390/net/qeth_l3_main.c
9562 +@@ -2790,17 +2790,13 @@ static void qeth_l3_fill_af_iucv_hdr(struct qeth_card *card,
9563 + char daddr[16];
9564 + struct af_iucv_trans_hdr *iucv_hdr;
9565 +
9566 +- skb_pull(skb, 14);
9567 +- card->dev->header_ops->create(skb, card->dev, 0,
9568 +- card->dev->dev_addr, card->dev->dev_addr,
9569 +- card->dev->addr_len);
9570 +- skb_pull(skb, 14);
9571 +- iucv_hdr = (struct af_iucv_trans_hdr *)skb->data;
9572 + memset(hdr, 0, sizeof(struct qeth_hdr));
9573 + hdr->hdr.l3.id = QETH_HEADER_TYPE_LAYER3;
9574 + hdr->hdr.l3.ext_flags = 0;
9575 +- hdr->hdr.l3.length = skb->len;
9576 ++ hdr->hdr.l3.length = skb->len - ETH_HLEN;
9577 + hdr->hdr.l3.flags = QETH_HDR_IPV6 | QETH_CAST_UNICAST;
9578 ++
9579 ++ iucv_hdr = (struct af_iucv_trans_hdr *) (skb->data + ETH_HLEN);
9580 + memset(daddr, 0, sizeof(daddr));
9581 + daddr[0] = 0xfe;
9582 + daddr[1] = 0x80;
9583 +@@ -2983,10 +2979,7 @@ static int qeth_l3_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
9584 + if ((card->info.type == QETH_CARD_TYPE_IQD) && (!large_send) &&
9585 + (skb_shinfo(skb)->nr_frags == 0)) {
9586 + new_skb = skb;
9587 +- if (new_skb->protocol == ETH_P_AF_IUCV)
9588 +- data_offset = 0;
9589 +- else
9590 +- data_offset = ETH_HLEN;
9591 ++ data_offset = ETH_HLEN;
9592 + hdr = kmem_cache_alloc(qeth_core_header_cache, GFP_ATOMIC);
9593 + if (!hdr)
9594 + goto tx_drop;
9595 +diff --git a/drivers/scsi/advansys.c b/drivers/scsi/advansys.c
9596 +index ae95e347f37d..42a14c456da0 100644
9597 +--- a/drivers/scsi/advansys.c
9598 ++++ b/drivers/scsi/advansys.c
9599 +@@ -6482,18 +6482,17 @@ static uchar AscGetSynPeriodIndex(ASC_DVC_VAR *asc_dvc, uchar syn_time)
9600 + static uchar
9601 + AscMsgOutSDTR(ASC_DVC_VAR *asc_dvc, uchar sdtr_period, uchar sdtr_offset)
9602 + {
9603 +- EXT_MSG sdtr_buf;
9604 +- uchar sdtr_period_index;
9605 +- PortAddr iop_base;
9606 +-
9607 +- iop_base = asc_dvc->iop_base;
9608 +- sdtr_buf.msg_type = EXTENDED_MESSAGE;
9609 +- sdtr_buf.msg_len = MS_SDTR_LEN;
9610 +- sdtr_buf.msg_req = EXTENDED_SDTR;
9611 +- sdtr_buf.xfer_period = sdtr_period;
9612 ++ PortAddr iop_base = asc_dvc->iop_base;
9613 ++ uchar sdtr_period_index = AscGetSynPeriodIndex(asc_dvc, sdtr_period);
9614 ++ EXT_MSG sdtr_buf = {
9615 ++ .msg_type = EXTENDED_MESSAGE,
9616 ++ .msg_len = MS_SDTR_LEN,
9617 ++ .msg_req = EXTENDED_SDTR,
9618 ++ .xfer_period = sdtr_period,
9619 ++ .req_ack_offset = sdtr_offset,
9620 ++ };
9621 + sdtr_offset &= ASC_SYN_MAX_OFFSET;
9622 +- sdtr_buf.req_ack_offset = sdtr_offset;
9623 +- sdtr_period_index = AscGetSynPeriodIndex(asc_dvc, sdtr_period);
9624 ++
9625 + if (sdtr_period_index <= asc_dvc->max_sdtr_index) {
9626 + AscMemWordCopyPtrToLram(iop_base, ASCV_MSGOUT_BEG,
9627 + (uchar *)&sdtr_buf,
9628 +@@ -11476,6 +11475,9 @@ static int advansys_board_found(struct Scsi_Host *shost, unsigned int iop,
9629 + ASC_DBG(2, "AdvInitGetConfig()\n");
9630 +
9631 + ret = AdvInitGetConfig(pdev, shost) ? -ENODEV : 0;
9632 ++#else
9633 ++ share_irq = 0;
9634 ++ ret = -ENODEV;
9635 + #endif /* CONFIG_PCI */
9636 + }
9637 +
9638 +diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
9639 +index dd00e5fe4a5e..18f782bfc874 100644
9640 +--- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
9641 ++++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
9642 +@@ -1332,6 +1332,7 @@ static void release_offload_resources(struct cxgbi_sock *csk)
9643 + csk, csk->state, csk->flags, csk->tid);
9644 +
9645 + cxgbi_sock_free_cpl_skbs(csk);
9646 ++ cxgbi_sock_purge_write_queue(csk);
9647 + if (csk->wr_cred != csk->wr_max_cred) {
9648 + cxgbi_sock_purge_wr_queue(csk);
9649 + cxgbi_sock_reset_wr_list(csk);
9650 +diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
9651 +index 2806cfbec2b9..8803bafc48e9 100644
9652 +--- a/drivers/scsi/dpt_i2o.c
9653 ++++ b/drivers/scsi/dpt_i2o.c
9654 +@@ -180,11 +180,14 @@ static u8 adpt_read_blink_led(adpt_hba* host)
9655 + *============================================================================
9656 + */
9657 +
9658 ++#ifdef MODULE
9659 + static struct pci_device_id dptids[] = {
9660 + { PCI_DPT_VENDOR_ID, PCI_DPT_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID,},
9661 + { PCI_DPT_VENDOR_ID, PCI_DPT_RAPTOR_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID,},
9662 + { 0, }
9663 + };
9664 ++#endif
9665 ++
9666 + MODULE_DEVICE_TABLE(pci,dptids);
9667 +
9668 + static int adpt_detect(struct scsi_host_template* sht)
9669 +diff --git a/drivers/scsi/fdomain.c b/drivers/scsi/fdomain.c
9670 +index fff682976c56..466d0a30aae7 100644
9671 +--- a/drivers/scsi/fdomain.c
9672 ++++ b/drivers/scsi/fdomain.c
9673 +@@ -1769,7 +1769,7 @@ struct scsi_host_template fdomain_driver_template = {
9674 + };
9675 +
9676 + #ifndef PCMCIA
9677 +-#ifdef CONFIG_PCI
9678 ++#if defined(CONFIG_PCI) && defined(MODULE)
9679 +
9680 + static struct pci_device_id fdomain_pci_tbl[] = {
9681 + { PCI_VENDOR_ID_FD, PCI_DEVICE_ID_FD_36C70,
9682 +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.h b/drivers/scsi/ibmvscsi/ibmvfc.h
9683 +index 8fae03215a85..543c10266984 100644
9684 +--- a/drivers/scsi/ibmvscsi/ibmvfc.h
9685 ++++ b/drivers/scsi/ibmvscsi/ibmvfc.h
9686 +@@ -366,7 +366,7 @@ enum ibmvfc_fcp_rsp_info_codes {
9687 + };
9688 +
9689 + struct ibmvfc_fcp_rsp_info {
9690 +- __be16 reserved;
9691 ++ u8 reserved[3];
9692 + u8 rsp_code;
9693 + u8 reserved2[4];
9694 + }__attribute__((packed, aligned (2)));
9695 +diff --git a/drivers/scsi/initio.c b/drivers/scsi/initio.c
9696 +index e5dae7b54d9a..51063177f18e 100644
9697 +--- a/drivers/scsi/initio.c
9698 ++++ b/drivers/scsi/initio.c
9699 +@@ -110,11 +110,6 @@
9700 + #define i91u_MAXQUEUE 2
9701 + #define i91u_REVID "Initio INI-9X00U/UW SCSI device driver; Revision: 1.04a"
9702 +
9703 +-#define I950_DEVICE_ID 0x9500 /* Initio's inic-950 product ID */
9704 +-#define I940_DEVICE_ID 0x9400 /* Initio's inic-940 product ID */
9705 +-#define I935_DEVICE_ID 0x9401 /* Initio's inic-935 product ID */
9706 +-#define I920_DEVICE_ID 0x0002 /* Initio's other product ID */
9707 +-
9708 + #ifdef DEBUG_i91u
9709 + static unsigned int i91u_debug = DEBUG_DEFAULT;
9710 + #endif
9711 +@@ -127,17 +122,6 @@ static int setup_debug = 0;
9712 +
9713 + static void i91uSCBPost(u8 * pHcb, u8 * pScb);
9714 +
9715 +-/* PCI Devices supported by this driver */
9716 +-static struct pci_device_id i91u_pci_devices[] = {
9717 +- { PCI_VENDOR_ID_INIT, I950_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
9718 +- { PCI_VENDOR_ID_INIT, I940_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
9719 +- { PCI_VENDOR_ID_INIT, I935_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
9720 +- { PCI_VENDOR_ID_INIT, I920_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
9721 +- { PCI_VENDOR_ID_DOMEX, I920_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
9722 +- { }
9723 +-};
9724 +-MODULE_DEVICE_TABLE(pci, i91u_pci_devices);
9725 +-
9726 + #define DEBUG_INTERRUPT 0
9727 + #define DEBUG_QUEUE 0
9728 + #define DEBUG_STATE 0
9729 +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
9730 +index 39e511216fd9..8826110991eb 100644
9731 +--- a/drivers/scsi/libiscsi.c
9732 ++++ b/drivers/scsi/libiscsi.c
9733 +@@ -1727,7 +1727,7 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc)
9734 +
9735 + if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) {
9736 + reason = FAILURE_SESSION_IN_RECOVERY;
9737 +- sc->result = DID_REQUEUE;
9738 ++ sc->result = DID_REQUEUE << 16;
9739 + goto fault;
9740 + }
9741 +
9742 +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
9743 +index 30f2fe9ba766..9c09ce9b98da 100644
9744 +--- a/drivers/scsi/lpfc/lpfc_els.c
9745 ++++ b/drivers/scsi/lpfc/lpfc_els.c
9746 +@@ -6891,7 +6891,8 @@ lpfc_els_unsol_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring,
9747 + did, vport->port_state, ndlp->nlp_flag);
9748 +
9749 + phba->fc_stat.elsRcvPRLI++;
9750 +- if (vport->port_state < LPFC_DISC_AUTH) {
9751 ++ if ((vport->port_state < LPFC_DISC_AUTH) &&
9752 ++ (vport->fc_flag & FC_FABRIC)) {
9753 + rjt_err = LSRJT_UNABLE_TPC;
9754 + rjt_exp = LSEXP_NOTHING_MORE;
9755 + break;
9756 +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
9757 +index 2500f15d437f..574b1a9b2b32 100644
9758 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
9759 ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
9760 +@@ -4767,7 +4767,8 @@ lpfc_nlp_remove(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
9761 + lpfc_cancel_retry_delay_tmo(vport, ndlp);
9762 + if ((ndlp->nlp_flag & NLP_DEFER_RM) &&
9763 + !(ndlp->nlp_flag & NLP_REG_LOGIN_SEND) &&
9764 +- !(ndlp->nlp_flag & NLP_RPI_REGISTERED)) {
9765 ++ !(ndlp->nlp_flag & NLP_RPI_REGISTERED) &&
9766 ++ phba->sli_rev != LPFC_SLI_REV4) {
9767 + /* For this case we need to cleanup the default rpi
9768 + * allocated by the firmware.
9769 + */
9770 +diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h
9771 +index 3757a7399983..d7ee72ef99ed 100644
9772 +--- a/drivers/scsi/lpfc/lpfc_hw4.h
9773 ++++ b/drivers/scsi/lpfc/lpfc_hw4.h
9774 +@@ -2953,7 +2953,7 @@ struct lpfc_mbx_get_port_name {
9775 + #define MB_CEQ_STATUS_QUEUE_FLUSHING 0x4
9776 + #define MB_CQE_STATUS_DMA_FAILED 0x5
9777 +
9778 +-#define LPFC_MBX_WR_CONFIG_MAX_BDE 8
9779 ++#define LPFC_MBX_WR_CONFIG_MAX_BDE 1
9780 + struct lpfc_mbx_wr_object {
9781 + struct mbox_header header;
9782 + union {
9783 +diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c
9784 +index 3e6b866759fe..c51e1537ed8e 100644
9785 +--- a/drivers/scsi/mvumi.c
9786 ++++ b/drivers/scsi/mvumi.c
9787 +@@ -2629,7 +2629,7 @@ static void mvumi_shutdown(struct pci_dev *pdev)
9788 + mvumi_flush_cache(mhba);
9789 + }
9790 +
9791 +-static int mvumi_suspend(struct pci_dev *pdev, pm_message_t state)
9792 ++static int __maybe_unused mvumi_suspend(struct pci_dev *pdev, pm_message_t state)
9793 + {
9794 + struct mvumi_hba *mhba = NULL;
9795 +
9796 +@@ -2648,7 +2648,7 @@ static int mvumi_suspend(struct pci_dev *pdev, pm_message_t state)
9797 + return 0;
9798 + }
9799 +
9800 +-static int mvumi_resume(struct pci_dev *pdev)
9801 ++static int __maybe_unused mvumi_resume(struct pci_dev *pdev)
9802 + {
9803 + int ret;
9804 + struct mvumi_hba *mhba = NULL;
9805 +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
9806 +index 102806a961da..2589a75f0810 100644
9807 +--- a/drivers/scsi/sg.c
9808 ++++ b/drivers/scsi/sg.c
9809 +@@ -160,7 +160,6 @@ typedef struct sg_fd { /* holds the state of a file descriptor */
9810 + struct list_head rq_list; /* head of request list */
9811 + struct fasync_struct *async_qp; /* used by asynchronous notification */
9812 + Sg_request req_arr[SG_MAX_QUEUE]; /* used as singly-linked list */
9813 +- char low_dma; /* as in parent but possibly overridden to 1 */
9814 + char force_packid; /* 1 -> pack_id input to read(), 0 -> ignored */
9815 + char cmd_q; /* 1 -> allow command queuing, 0 -> don't */
9816 + unsigned char next_cmd_len; /* 0: automatic, >0: use on next write() */
9817 +@@ -926,24 +925,14 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
9818 + /* strange ..., for backward compatibility */
9819 + return sfp->timeout_user;
9820 + case SG_SET_FORCE_LOW_DMA:
9821 +- result = get_user(val, ip);
9822 +- if (result)
9823 +- return result;
9824 +- if (val) {
9825 +- sfp->low_dma = 1;
9826 +- if ((0 == sfp->low_dma) && !sfp->res_in_use) {
9827 +- val = (int) sfp->reserve.bufflen;
9828 +- sg_remove_scat(sfp, &sfp->reserve);
9829 +- sg_build_reserve(sfp, val);
9830 +- }
9831 +- } else {
9832 +- if (atomic_read(&sdp->detaching))
9833 +- return -ENODEV;
9834 +- sfp->low_dma = sdp->device->host->unchecked_isa_dma;
9835 +- }
9836 ++ /*
9837 ++ * N.B. This ioctl never worked properly, but failed to
9838 ++ * return an error value. So returning '0' to keep compability
9839 ++ * with legacy applications.
9840 ++ */
9841 + return 0;
9842 + case SG_GET_LOW_DMA:
9843 +- return put_user((int) sfp->low_dma, ip);
9844 ++ return put_user((int) sdp->device->host->unchecked_isa_dma, ip);
9845 + case SG_GET_SCSI_ID:
9846 + if (!access_ok(VERIFY_WRITE, p, sizeof (sg_scsi_id_t)))
9847 + return -EFAULT;
9848 +@@ -1864,6 +1853,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size)
9849 + int sg_tablesize = sfp->parentdp->sg_tablesize;
9850 + int blk_size = buff_size, order;
9851 + gfp_t gfp_mask = GFP_ATOMIC | __GFP_COMP | __GFP_NOWARN;
9852 ++ struct sg_device *sdp = sfp->parentdp;
9853 +
9854 + if (blk_size < 0)
9855 + return -EFAULT;
9856 +@@ -1889,7 +1879,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size)
9857 + scatter_elem_sz_prev = num;
9858 + }
9859 +
9860 +- if (sfp->low_dma)
9861 ++ if (sdp->device->host->unchecked_isa_dma)
9862 + gfp_mask |= GFP_DMA;
9863 +
9864 + if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
9865 +@@ -2152,8 +2142,6 @@ sg_add_sfp(Sg_device * sdp)
9866 + sfp->timeout = SG_DEFAULT_TIMEOUT;
9867 + sfp->timeout_user = SG_DEFAULT_TIMEOUT_USER;
9868 + sfp->force_packid = SG_DEF_FORCE_PACK_ID;
9869 +- sfp->low_dma = (SG_DEF_FORCE_LOW_DMA == 0) ?
9870 +- sdp->device->host->unchecked_isa_dma : 1;
9871 + sfp->cmd_q = SG_DEF_COMMAND_Q;
9872 + sfp->keep_orphan = SG_DEF_KEEP_ORPHAN;
9873 + sfp->parentdp = sdp;
9874 +@@ -2612,7 +2600,7 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
9875 + jiffies_to_msecs(fp->timeout),
9876 + fp->reserve.bufflen,
9877 + (int) fp->reserve.k_use_sg,
9878 +- (int) fp->low_dma);
9879 ++ (int) sdp->device->host->unchecked_isa_dma);
9880 + seq_printf(s, " cmd_q=%d f_packid=%d k_orphan=%d closed=0\n",
9881 + (int) fp->cmd_q, (int) fp->force_packid,
9882 + (int) fp->keep_orphan);
9883 +diff --git a/drivers/scsi/sim710.c b/drivers/scsi/sim710.c
9884 +index 3b3b56f4a830..82ed99848378 100644
9885 +--- a/drivers/scsi/sim710.c
9886 ++++ b/drivers/scsi/sim710.c
9887 +@@ -176,8 +176,7 @@ static struct eisa_device_id sim710_eisa_ids[] = {
9888 + };
9889 + MODULE_DEVICE_TABLE(eisa, sim710_eisa_ids);
9890 +
9891 +-static __init int
9892 +-sim710_eisa_probe(struct device *dev)
9893 ++static int sim710_eisa_probe(struct device *dev)
9894 + {
9895 + struct eisa_device *edev = to_eisa_device(dev);
9896 + unsigned long io_addr = edev->base_addr;
9897 +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
9898 +index 648a44675880..05b76cdfb263 100644
9899 +--- a/drivers/scsi/ufs/ufshcd.c
9900 ++++ b/drivers/scsi/ufs/ufshcd.c
9901 +@@ -4290,12 +4290,15 @@ static int ufshcd_config_vreg(struct device *dev,
9902 + struct ufs_vreg *vreg, bool on)
9903 + {
9904 + int ret = 0;
9905 +- struct regulator *reg = vreg->reg;
9906 +- const char *name = vreg->name;
9907 ++ struct regulator *reg;
9908 ++ const char *name;
9909 + int min_uV, uA_load;
9910 +
9911 + BUG_ON(!vreg);
9912 +
9913 ++ reg = vreg->reg;
9914 ++ name = vreg->name;
9915 ++
9916 + if (regulator_count_voltages(reg) > 0) {
9917 + min_uV = on ? vreg->min_uV : 0;
9918 + ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
9919 +diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
9920 +index 412b9c86b997..967ba6329a58 100644
9921 +--- a/drivers/spi/spi-imx.c
9922 ++++ b/drivers/spi/spi-imx.c
9923 +@@ -1221,12 +1221,23 @@ static int spi_imx_remove(struct platform_device *pdev)
9924 + {
9925 + struct spi_master *master = platform_get_drvdata(pdev);
9926 + struct spi_imx_data *spi_imx = spi_master_get_devdata(master);
9927 ++ int ret;
9928 +
9929 + spi_bitbang_stop(&spi_imx->bitbang);
9930 +
9931 ++ ret = clk_enable(spi_imx->clk_per);
9932 ++ if (ret)
9933 ++ return ret;
9934 ++
9935 ++ ret = clk_enable(spi_imx->clk_ipg);
9936 ++ if (ret) {
9937 ++ clk_disable(spi_imx->clk_per);
9938 ++ return ret;
9939 ++ }
9940 ++
9941 + writel(0, spi_imx->base + MXC_CSPICTRL);
9942 +- clk_unprepare(spi_imx->clk_ipg);
9943 +- clk_unprepare(spi_imx->clk_per);
9944 ++ clk_disable_unprepare(spi_imx->clk_ipg);
9945 ++ clk_disable_unprepare(spi_imx->clk_per);
9946 + spi_imx_sdma_exit(spi_imx);
9947 + spi_master_put(master);
9948 +
9949 +diff --git a/drivers/spi/spi-sun4i.c b/drivers/spi/spi-sun4i.c
9950 +index 39d7c7c70112..2eea3de5a668 100644
9951 +--- a/drivers/spi/spi-sun4i.c
9952 ++++ b/drivers/spi/spi-sun4i.c
9953 +@@ -458,7 +458,7 @@ err_free_master:
9954 +
9955 + static int sun4i_spi_remove(struct platform_device *pdev)
9956 + {
9957 +- pm_runtime_disable(&pdev->dev);
9958 ++ pm_runtime_force_suspend(&pdev->dev);
9959 +
9960 + return 0;
9961 + }
9962 +diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
9963 +index 7dd6bde4f325..c40bd7fbc210 100644
9964 +--- a/drivers/staging/android/ashmem.c
9965 ++++ b/drivers/staging/android/ashmem.c
9966 +@@ -758,10 +758,12 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
9967 + break;
9968 + case ASHMEM_SET_SIZE:
9969 + ret = -EINVAL;
9970 ++ mutex_lock(&ashmem_mutex);
9971 + if (!asma->file) {
9972 + ret = 0;
9973 + asma->size = (size_t) arg;
9974 + }
9975 ++ mutex_unlock(&ashmem_mutex);
9976 + break;
9977 + case ASHMEM_GET_SIZE:
9978 + ret = asma->size;
9979 +diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
9980 +index 96c1c2d4a112..6e73f4e130b5 100644
9981 +--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
9982 ++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
9983 +@@ -1397,19 +1397,13 @@ static int rtw_wx_get_essid(struct net_device *dev,
9984 + if ((check_fwstate(pmlmepriv, _FW_LINKED)) ||
9985 + (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) {
9986 + len = pcur_bss->Ssid.SsidLength;
9987 +-
9988 +- wrqu->essid.length = len;
9989 +-
9990 + memcpy(extra, pcur_bss->Ssid.Ssid, len);
9991 +-
9992 +- wrqu->essid.flags = 1;
9993 + } else {
9994 +- ret = -1;
9995 +- goto exit;
9996 ++ len = 0;
9997 ++ *extra = 0;
9998 + }
9999 +-
10000 +-exit:
10001 +-
10002 ++ wrqu->essid.length = len;
10003 ++ wrqu->essid.flags = 1;
10004 +
10005 + return ret;
10006 + }
10007 +diff --git a/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c b/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c
10008 +index 0f524bb7b41d..daff4e76b6d6 100644
10009 +--- a/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c
10010 ++++ b/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c
10011 +@@ -1039,7 +1039,6 @@ static int synaptics_rmi4_remove(struct i2c_client *client)
10012 + return 0;
10013 + }
10014 +
10015 +-#ifdef CONFIG_PM
10016 + /**
10017 + * synaptics_rmi4_suspend() - suspend the touch screen controller
10018 + * @dev: pointer to device structure
10019 +@@ -1047,7 +1046,7 @@ static int synaptics_rmi4_remove(struct i2c_client *client)
10020 + * This function is used to suspend the
10021 + * touch panel controller and returns integer
10022 + */
10023 +-static int synaptics_rmi4_suspend(struct device *dev)
10024 ++static int __maybe_unused synaptics_rmi4_suspend(struct device *dev)
10025 + {
10026 + /* Touch sleep mode */
10027 + int retval;
10028 +@@ -1081,7 +1080,7 @@ static int synaptics_rmi4_suspend(struct device *dev)
10029 + * This function is used to resume the touch panel
10030 + * controller and returns integer.
10031 + */
10032 +-static int synaptics_rmi4_resume(struct device *dev)
10033 ++static int __maybe_unused synaptics_rmi4_resume(struct device *dev)
10034 + {
10035 + int retval;
10036 + unsigned char intr_status;
10037 +@@ -1112,8 +1111,6 @@ static int synaptics_rmi4_resume(struct device *dev)
10038 + return 0;
10039 + }
10040 +
10041 +-#endif
10042 +-
10043 + static SIMPLE_DEV_PM_OPS(synaptics_rmi4_dev_pm_ops, synaptics_rmi4_suspend,
10044 + synaptics_rmi4_resume);
10045 +
10046 +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
10047 +index 2d6b0cf0929e..614811e93298 100644
10048 +--- a/drivers/target/iscsi/iscsi_target.c
10049 ++++ b/drivers/target/iscsi/iscsi_target.c
10050 +@@ -1755,7 +1755,6 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
10051 + struct iscsi_tmr_req *tmr_req;
10052 + struct iscsi_tm *hdr;
10053 + int out_of_order_cmdsn = 0, ret;
10054 +- bool sess_ref = false;
10055 + u8 function, tcm_function = TMR_UNKNOWN;
10056 +
10057 + hdr = (struct iscsi_tm *) buf;
10058 +@@ -1797,18 +1796,17 @@ iscsit_handle_task_mgt_cmd(struct iscsi_conn *conn, struct iscsi_cmd *cmd,
10059 + buf);
10060 + }
10061 +
10062 ++ transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops,
10063 ++ conn->sess->se_sess, 0, DMA_NONE,
10064 ++ TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
10065 ++
10066 ++ target_get_sess_cmd(&cmd->se_cmd, true);
10067 ++
10068 + /*
10069 + * TASK_REASSIGN for ERL=2 / connection stays inside of
10070 + * LIO-Target $FABRIC_MOD
10071 + */
10072 + if (function != ISCSI_TM_FUNC_TASK_REASSIGN) {
10073 +- transport_init_se_cmd(&cmd->se_cmd, &iscsi_ops,
10074 +- conn->sess->se_sess, 0, DMA_NONE,
10075 +- TCM_SIMPLE_TAG, cmd->sense_buffer + 2);
10076 +-
10077 +- target_get_sess_cmd(&cmd->se_cmd, true);
10078 +- sess_ref = true;
10079 +-
10080 + switch (function) {
10081 + case ISCSI_TM_FUNC_ABORT_TASK:
10082 + tcm_function = TMR_ABORT_TASK;
10083 +@@ -1947,12 +1945,8 @@ attach:
10084 + * For connection recovery, this is also the default action for
10085 + * TMR TASK_REASSIGN.
10086 + */
10087 +- if (sess_ref) {
10088 +- pr_debug("Handle TMR, using sess_ref=true check\n");
10089 +- target_put_sess_cmd(&cmd->se_cmd);
10090 +- }
10091 +-
10092 + iscsit_add_cmd_to_response_queue(cmd, conn, cmd->i_state);
10093 ++ target_put_sess_cmd(&cmd->se_cmd);
10094 + return 0;
10095 + }
10096 + EXPORT_SYMBOL(iscsit_handle_task_mgt_cmd);
10097 +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
10098 +index 39e8f22be68b..b2edb5f6e6b9 100644
10099 +--- a/drivers/target/target_core_user.c
10100 ++++ b/drivers/target/target_core_user.c
10101 +@@ -860,7 +860,7 @@ static int tcmu_configure_device(struct se_device *dev)
10102 + info->version = xstr(TCMU_MAILBOX_VERSION);
10103 +
10104 + info->mem[0].name = "tcm-user command & data buffer";
10105 +- info->mem[0].addr = (phys_addr_t) udev->mb_addr;
10106 ++ info->mem[0].addr = (phys_addr_t)(uintptr_t)udev->mb_addr;
10107 + info->mem[0].size = TCMU_RING_SIZE;
10108 + info->mem[0].memtype = UIO_MEM_VIRTUAL;
10109 +
10110 +diff --git a/drivers/thermal/spear_thermal.c b/drivers/thermal/spear_thermal.c
10111 +index bddb71744a6c..9d42f88a4224 100644
10112 +--- a/drivers/thermal/spear_thermal.c
10113 ++++ b/drivers/thermal/spear_thermal.c
10114 +@@ -54,8 +54,7 @@ static struct thermal_zone_device_ops ops = {
10115 + .get_temp = thermal_get_temp,
10116 + };
10117 +
10118 +-#ifdef CONFIG_PM
10119 +-static int spear_thermal_suspend(struct device *dev)
10120 ++static int __maybe_unused spear_thermal_suspend(struct device *dev)
10121 + {
10122 + struct platform_device *pdev = to_platform_device(dev);
10123 + struct thermal_zone_device *spear_thermal = platform_get_drvdata(pdev);
10124 +@@ -72,7 +71,7 @@ static int spear_thermal_suspend(struct device *dev)
10125 + return 0;
10126 + }
10127 +
10128 +-static int spear_thermal_resume(struct device *dev)
10129 ++static int __maybe_unused spear_thermal_resume(struct device *dev)
10130 + {
10131 + struct platform_device *pdev = to_platform_device(dev);
10132 + struct thermal_zone_device *spear_thermal = platform_get_drvdata(pdev);
10133 +@@ -94,7 +93,6 @@ static int spear_thermal_resume(struct device *dev)
10134 +
10135 + return 0;
10136 + }
10137 +-#endif
10138 +
10139 + static SIMPLE_DEV_PM_OPS(spear_thermal_pm_ops, spear_thermal_suspend,
10140 + spear_thermal_resume);
10141 +diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
10142 +index c01f45095877..82c4d2e45319 100644
10143 +--- a/drivers/tty/Kconfig
10144 ++++ b/drivers/tty/Kconfig
10145 +@@ -226,7 +226,7 @@ config CYCLADES
10146 +
10147 + config CYZ_INTR
10148 + bool "Cyclades-Z interrupt mode operation"
10149 +- depends on CYCLADES
10150 ++ depends on CYCLADES && PCI
10151 + help
10152 + The Cyclades-Z family of multiport cards allows 2 (two) driver op
10153 + modes: polling and interrupt. In polling mode, the driver will check
10154 +diff --git a/drivers/tty/hvc/hvc_xen.c b/drivers/tty/hvc/hvc_xen.c
10155 +index 7a3d146a5f0e..5cc3ca1dd5c9 100644
10156 +--- a/drivers/tty/hvc/hvc_xen.c
10157 ++++ b/drivers/tty/hvc/hvc_xen.c
10158 +@@ -322,6 +322,7 @@ void xen_console_resume(void)
10159 + }
10160 + }
10161 +
10162 ++#ifdef CONFIG_HVC_XEN_FRONTEND
10163 + static void xencons_disconnect_backend(struct xencons_info *info)
10164 + {
10165 + if (info->irq > 0)
10166 +@@ -362,7 +363,6 @@ static int xen_console_remove(struct xencons_info *info)
10167 + return 0;
10168 + }
10169 +
10170 +-#ifdef CONFIG_HVC_XEN_FRONTEND
10171 + static int xencons_remove(struct xenbus_device *dev)
10172 + {
10173 + return xen_console_remove(dev_get_drvdata(&dev->dev));
10174 +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
10175 +index aba20f66bdd9..66e257b5a5b7 100644
10176 +--- a/drivers/tty/n_tty.c
10177 ++++ b/drivers/tty/n_tty.c
10178 +@@ -1808,7 +1808,7 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
10179 + {
10180 + struct n_tty_data *ldata = tty->disc_data;
10181 +
10182 +- if (!old || (old->c_lflag ^ tty->termios.c_lflag) & ICANON) {
10183 ++ if (!old || (old->c_lflag ^ tty->termios.c_lflag) & (ICANON | EXTPROC)) {
10184 + bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE);
10185 + ldata->line_start = ldata->read_tail;
10186 + if (!L_ICANON(tty) || !read_cnt(ldata)) {
10187 +@@ -2517,7 +2517,7 @@ static int n_tty_ioctl(struct tty_struct *tty, struct file *file,
10188 + return put_user(tty_chars_in_buffer(tty), (int __user *) arg);
10189 + case TIOCINQ:
10190 + down_write(&tty->termios_rwsem);
10191 +- if (L_ICANON(tty))
10192 ++ if (L_ICANON(tty) && !L_EXTPROC(tty))
10193 + retval = inq_canon(ldata);
10194 + else
10195 + retval = read_cnt(ldata);
10196 +diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
10197 +index 529cc86283e7..9c27ee008dff 100644
10198 +--- a/drivers/tty/sysrq.c
10199 ++++ b/drivers/tty/sysrq.c
10200 +@@ -133,6 +133,12 @@ static void sysrq_handle_crash(int key)
10201 + {
10202 + char *killer = NULL;
10203 +
10204 ++ /* we need to release the RCU read lock here,
10205 ++ * otherwise we get an annoying
10206 ++ * 'BUG: sleeping function called from invalid context'
10207 ++ * complaint from the kernel before the panic.
10208 ++ */
10209 ++ rcu_read_unlock();
10210 + panic_on_oops = 1; /* force panic */
10211 + wmb();
10212 + *killer = 1;
10213 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
10214 +index 463d8a3375f5..eeed4b45d35c 100644
10215 +--- a/drivers/usb/class/cdc-acm.c
10216 ++++ b/drivers/usb/class/cdc-acm.c
10217 +@@ -381,7 +381,7 @@ static int acm_submit_read_urb(struct acm *acm, int index, gfp_t mem_flags)
10218 +
10219 + res = usb_submit_urb(acm->read_urbs[index], mem_flags);
10220 + if (res) {
10221 +- if (res != -EPERM) {
10222 ++ if (res != -EPERM && res != -ENODEV) {
10223 + dev_err(&acm->data->dev,
10224 + "%s - usb_submit_urb failed: %d\n",
10225 + __func__, res);
10226 +@@ -1707,6 +1707,9 @@ static const struct usb_device_id acm_ids[] = {
10227 + { USB_DEVICE(0x0ace, 0x1611), /* ZyDAS 56K USB MODEM - new version */
10228 + .driver_info = SINGLE_RX_URB, /* firmware bug */
10229 + },
10230 ++ { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */
10231 ++ .driver_info = SINGLE_RX_URB,
10232 ++ },
10233 + { USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */
10234 + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
10235 + },
10236 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
10237 +index 50010282c010..774c97bb1c08 100644
10238 +--- a/drivers/usb/core/quirks.c
10239 ++++ b/drivers/usb/core/quirks.c
10240 +@@ -57,10 +57,11 @@ static const struct usb_device_id usb_quirk_list[] = {
10241 + /* Microsoft LifeCam-VX700 v2.0 */
10242 + { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
10243 +
10244 +- /* Logitech HD Pro Webcams C920, C920-C and C930e */
10245 ++ /* Logitech HD Pro Webcams C920, C920-C, C925e and C930e */
10246 + { USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT },
10247 + { USB_DEVICE(0x046d, 0x0841), .driver_info = USB_QUIRK_DELAY_INIT },
10248 + { USB_DEVICE(0x046d, 0x0843), .driver_info = USB_QUIRK_DELAY_INIT },
10249 ++ { USB_DEVICE(0x046d, 0x085b), .driver_info = USB_QUIRK_DELAY_INIT },
10250 +
10251 + /* Logitech ConferenceCam CC3000e */
10252 + { USB_DEVICE(0x046d, 0x0847), .driver_info = USB_QUIRK_DELAY_INIT },
10253 +@@ -154,6 +155,9 @@ static const struct usb_device_id usb_quirk_list[] = {
10254 + /* Genesys Logic hub, internally used by KY-688 USB 3.1 Type-C Hub */
10255 + { USB_DEVICE(0x05e3, 0x0612), .driver_info = USB_QUIRK_NO_LPM },
10256 +
10257 ++ /* ELSA MicroLink 56K */
10258 ++ { USB_DEVICE(0x05cc, 0x2267), .driver_info = USB_QUIRK_RESET_RESUME },
10259 ++
10260 + /* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */
10261 + { USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM },
10262 +
10263 +@@ -221,6 +225,9 @@ static const struct usb_device_id usb_quirk_list[] = {
10264 + { USB_DEVICE(0x1a0a, 0x0200), .driver_info =
10265 + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
10266 +
10267 ++ /* Corsair K70 RGB */
10268 ++ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
10269 ++
10270 + /* Corsair Strafe RGB */
10271 + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
10272 +
10273 +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
10274 +index ff56aaa00bf7..3ce30909cbe4 100644
10275 +--- a/drivers/usb/dwc3/gadget.c
10276 ++++ b/drivers/usb/dwc3/gadget.c
10277 +@@ -2376,6 +2376,8 @@ static void dwc3_gadget_conndone_interrupt(struct dwc3 *dwc)
10278 + break;
10279 + }
10280 +
10281 ++ dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket;
10282 ++
10283 + /* Enable USB2 LPM Capability */
10284 +
10285 + if ((dwc->revision > DWC3_REVISION_194A)
10286 +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
10287 +index a01d90fe37d9..54c15622e133 100644
10288 +--- a/drivers/usb/gadget/composite.c
10289 ++++ b/drivers/usb/gadget/composite.c
10290 +@@ -103,7 +103,6 @@ int config_ep_by_speed(struct usb_gadget *g,
10291 + struct usb_function *f,
10292 + struct usb_ep *_ep)
10293 + {
10294 +- struct usb_composite_dev *cdev = get_gadget_data(g);
10295 + struct usb_endpoint_descriptor *chosen_desc = NULL;
10296 + struct usb_descriptor_header **speed_desc = NULL;
10297 +
10298 +@@ -170,8 +169,12 @@ ep_found:
10299 + _ep->maxburst = comp_desc->bMaxBurst + 1;
10300 + break;
10301 + default:
10302 +- if (comp_desc->bMaxBurst != 0)
10303 ++ if (comp_desc->bMaxBurst != 0) {
10304 ++ struct usb_composite_dev *cdev;
10305 ++
10306 ++ cdev = get_gadget_data(g);
10307 + ERROR(cdev, "ep0 bMaxBurst must be 0\n");
10308 ++ }
10309 + _ep->maxburst = 1;
10310 + break;
10311 + }
10312 +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
10313 +index 2c25a5dec442..6b62bb5c021c 100644
10314 +--- a/drivers/usb/gadget/function/f_fs.c
10315 ++++ b/drivers/usb/gadget/function/f_fs.c
10316 +@@ -2756,10 +2756,8 @@ static int _ffs_func_bind(struct usb_configuration *c,
10317 + struct ffs_data *ffs = func->ffs;
10318 +
10319 + const int full = !!func->ffs->fs_descs_count;
10320 +- const int high = gadget_is_dualspeed(func->gadget) &&
10321 +- func->ffs->hs_descs_count;
10322 +- const int super = gadget_is_superspeed(func->gadget) &&
10323 +- func->ffs->ss_descs_count;
10324 ++ const int high = !!func->ffs->hs_descs_count;
10325 ++ const int super = !!func->ffs->ss_descs_count;
10326 +
10327 + int fs_len, hs_len, ss_len, ret, i;
10328 +
10329 +@@ -3486,7 +3484,8 @@ static void ffs_closed(struct ffs_data *ffs)
10330 + ci = opts->func_inst.group.cg_item.ci_parent->ci_parent;
10331 + ffs_dev_unlock();
10332 +
10333 +- unregister_gadget_item(ci);
10334 ++ if (test_bit(FFS_FL_BOUND, &ffs->flags))
10335 ++ unregister_gadget_item(ci);
10336 + return;
10337 + done:
10338 + ffs_dev_unlock();
10339 +diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
10340 +index 7405ce32a690..0e704a857115 100644
10341 +--- a/drivers/usb/gadget/function/f_uvc.c
10342 ++++ b/drivers/usb/gadget/function/f_uvc.c
10343 +@@ -611,6 +611,14 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
10344 + opts->streaming_maxpacket = clamp(opts->streaming_maxpacket, 1U, 3072U);
10345 + opts->streaming_maxburst = min(opts->streaming_maxburst, 15U);
10346 +
10347 ++ /* For SS, wMaxPacketSize has to be 1024 if bMaxBurst is not 0 */
10348 ++ if (opts->streaming_maxburst &&
10349 ++ (opts->streaming_maxpacket % 1024) != 0) {
10350 ++ opts->streaming_maxpacket = roundup(opts->streaming_maxpacket, 1024);
10351 ++ INFO(cdev, "overriding streaming_maxpacket to %d\n",
10352 ++ opts->streaming_maxpacket);
10353 ++ }
10354 ++
10355 + /* Fill in the FS/HS/SS Video Streaming specific descriptors from the
10356 + * module parameters.
10357 + *
10358 +diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
10359 +index 613547f07828..2e04d6596ac6 100644
10360 +--- a/drivers/usb/gadget/udc/pch_udc.c
10361 ++++ b/drivers/usb/gadget/udc/pch_udc.c
10362 +@@ -1534,7 +1534,6 @@ static void pch_udc_free_dma_chain(struct pch_udc_dev *dev,
10363 + td = phys_to_virt(addr);
10364 + addr2 = (dma_addr_t)td->next;
10365 + pci_pool_free(dev->data_requests, td, addr);
10366 +- td->next = 0x00;
10367 + addr = addr2;
10368 + }
10369 + req->chain_len = 1;
10370 +diff --git a/drivers/usb/host/ohci-q.c b/drivers/usb/host/ohci-q.c
10371 +index 47d2c09e4f35..5cd4b286b198 100644
10372 +--- a/drivers/usb/host/ohci-q.c
10373 ++++ b/drivers/usb/host/ohci-q.c
10374 +@@ -1017,6 +1017,8 @@ skip_ed:
10375 + * have modified this list. normally it's just prepending
10376 + * entries (which we'd ignore), but paranoia won't hurt.
10377 + */
10378 ++ *last = ed->ed_next;
10379 ++ ed->ed_next = NULL;
10380 + modified = 0;
10381 +
10382 + /* unlink urbs as requested, but rescan the list after
10383 +@@ -1075,21 +1077,22 @@ rescan_this:
10384 + goto rescan_this;
10385 +
10386 + /*
10387 +- * If no TDs are queued, take ED off the ed_rm_list.
10388 ++ * If no TDs are queued, ED is now idle.
10389 + * Otherwise, if the HC is running, reschedule.
10390 +- * If not, leave it on the list for further dequeues.
10391 ++ * If the HC isn't running, add ED back to the
10392 ++ * start of the list for later processing.
10393 + */
10394 + if (list_empty(&ed->td_list)) {
10395 +- *last = ed->ed_next;
10396 +- ed->ed_next = NULL;
10397 + ed->state = ED_IDLE;
10398 + list_del(&ed->in_use_list);
10399 + } else if (ohci->rh_state == OHCI_RH_RUNNING) {
10400 +- *last = ed->ed_next;
10401 +- ed->ed_next = NULL;
10402 + ed_schedule(ohci, ed);
10403 + } else {
10404 +- last = &ed->ed_next;
10405 ++ ed->ed_next = ohci->ed_rm_list;
10406 ++ ohci->ed_rm_list = ed;
10407 ++ /* Don't loop on the same ED */
10408 ++ if (last == &ohci->ed_rm_list)
10409 ++ last = &ed->ed_next;
10410 + }
10411 +
10412 + if (modified)
10413 +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
10414 +index e91cbf360afe..8a82e14829e9 100644
10415 +--- a/drivers/usb/host/xhci-pci.c
10416 ++++ b/drivers/usb/host/xhci-pci.c
10417 +@@ -181,6 +181,9 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
10418 + xhci->quirks |= XHCI_TRUST_TX_LENGTH;
10419 + xhci->quirks |= XHCI_BROKEN_STREAMS;
10420 + }
10421 ++ if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
10422 ++ pdev->device == 0x0014)
10423 ++ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
10424 + if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
10425 + pdev->device == 0x0015)
10426 + xhci->quirks |= XHCI_RESET_ON_RESUME;
10427 +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
10428 +index 23c5bdab988d..e92b9903faa4 100644
10429 +--- a/drivers/usb/host/xhci-plat.c
10430 ++++ b/drivers/usb/host/xhci-plat.c
10431 +@@ -266,6 +266,7 @@ MODULE_DEVICE_TABLE(of, usb_xhci_of_match);
10432 + static struct platform_driver usb_xhci_driver = {
10433 + .probe = xhci_plat_probe,
10434 + .remove = xhci_plat_remove,
10435 ++ .shutdown = usb_hcd_platform_shutdown,
10436 + .driver = {
10437 + .name = "xhci-hcd",
10438 + .pm = DEV_PM_OPS,
10439 +diff --git a/drivers/usb/misc/ldusb.c b/drivers/usb/misc/ldusb.c
10440 +index 82503a7ff6c8..2bbca7d674d6 100644
10441 +--- a/drivers/usb/misc/ldusb.c
10442 ++++ b/drivers/usb/misc/ldusb.c
10443 +@@ -46,6 +46,9 @@
10444 + #define USB_DEVICE_ID_LD_MICROCASSYTIME 0x1033 /* USB Product ID of Micro-CASSY Time (reserved) */
10445 + #define USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE 0x1035 /* USB Product ID of Micro-CASSY Temperature */
10446 + #define USB_DEVICE_ID_LD_MICROCASSYPH 0x1038 /* USB Product ID of Micro-CASSY pH */
10447 ++#define USB_DEVICE_ID_LD_POWERANALYSERCASSY 0x1040 /* USB Product ID of Power Analyser CASSY */
10448 ++#define USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY 0x1042 /* USB Product ID of Converter Controller CASSY */
10449 ++#define USB_DEVICE_ID_LD_MACHINETESTCASSY 0x1043 /* USB Product ID of Machine Test CASSY */
10450 + #define USB_DEVICE_ID_LD_JWM 0x1080 /* USB Product ID of Joule and Wattmeter */
10451 + #define USB_DEVICE_ID_LD_DMMP 0x1081 /* USB Product ID of Digital Multimeter P (reserved) */
10452 + #define USB_DEVICE_ID_LD_UMIP 0x1090 /* USB Product ID of UMI P */
10453 +@@ -94,6 +97,9 @@ static const struct usb_device_id ld_usb_table[] = {
10454 + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTIME) },
10455 + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYTEMPERATURE) },
10456 + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MICROCASSYPH) },
10457 ++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_POWERANALYSERCASSY) },
10458 ++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_CONVERTERCONTROLLERCASSY) },
10459 ++ { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_MACHINETESTCASSY) },
10460 + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_JWM) },
10461 + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_DMMP) },
10462 + { USB_DEVICE(USB_VENDOR_ID_LD, USB_DEVICE_ID_LD_UMIP) },
10463 +diff --git a/drivers/usb/misc/usb3503.c b/drivers/usb/misc/usb3503.c
10464 +index 64ff5b91752d..b117a1f6bfc3 100644
10465 +--- a/drivers/usb/misc/usb3503.c
10466 ++++ b/drivers/usb/misc/usb3503.c
10467 +@@ -292,6 +292,8 @@ static int usb3503_probe(struct usb3503 *hub)
10468 + if (gpio_is_valid(hub->gpio_reset)) {
10469 + err = devm_gpio_request_one(dev, hub->gpio_reset,
10470 + GPIOF_OUT_INIT_LOW, "usb3503 reset");
10471 ++ /* Datasheet defines a hardware reset to be at least 100us */
10472 ++ usleep_range(100, 10000);
10473 + if (err) {
10474 + dev_err(dev,
10475 + "unable to request GPIO %d as reset pin (%d)\n",
10476 +diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c
10477 +index 9a62e89d6dc0..bbec84dd34fb 100644
10478 +--- a/drivers/usb/mon/mon_bin.c
10479 ++++ b/drivers/usb/mon/mon_bin.c
10480 +@@ -1000,7 +1000,9 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg
10481 + break;
10482 +
10483 + case MON_IOCQ_RING_SIZE:
10484 ++ mutex_lock(&rp->fetch_lock);
10485 + ret = rp->b_size;
10486 ++ mutex_unlock(&rp->fetch_lock);
10487 + break;
10488 +
10489 + case MON_IOCT_RING_SIZE:
10490 +@@ -1227,12 +1229,16 @@ static int mon_bin_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
10491 + unsigned long offset, chunk_idx;
10492 + struct page *pageptr;
10493 +
10494 ++ mutex_lock(&rp->fetch_lock);
10495 + offset = vmf->pgoff << PAGE_SHIFT;
10496 +- if (offset >= rp->b_size)
10497 ++ if (offset >= rp->b_size) {
10498 ++ mutex_unlock(&rp->fetch_lock);
10499 + return VM_FAULT_SIGBUS;
10500 ++ }
10501 + chunk_idx = offset / CHUNK_SIZE;
10502 + pageptr = rp->b_vec[chunk_idx].pg;
10503 + get_page(pageptr);
10504 ++ mutex_unlock(&rp->fetch_lock);
10505 + vmf->page = pageptr;
10506 + return 0;
10507 + }
10508 +diff --git a/drivers/usb/musb/ux500_dma.c b/drivers/usb/musb/ux500_dma.c
10509 +index e93845c26bdb..c17495e7fcc5 100644
10510 +--- a/drivers/usb/musb/ux500_dma.c
10511 ++++ b/drivers/usb/musb/ux500_dma.c
10512 +@@ -207,9 +207,6 @@ static int ux500_dma_channel_program(struct dma_channel *channel,
10513 + BUG_ON(channel->status == MUSB_DMA_STATUS_UNKNOWN ||
10514 + channel->status == MUSB_DMA_STATUS_BUSY);
10515 +
10516 +- if (!ux500_dma_is_compatible(channel, packet_sz, (void *)dma_addr, len))
10517 +- return false;
10518 +-
10519 + channel->status = MUSB_DMA_STATUS_BUSY;
10520 + channel->actual_len = 0;
10521 + ret = ux500_configure_channel(channel, packet_sz, mode, dma_addr, len);
10522 +diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c
10523 +index 8bb9367ada45..6f37966ea54b 100644
10524 +--- a/drivers/usb/renesas_usbhs/fifo.c
10525 ++++ b/drivers/usb/renesas_usbhs/fifo.c
10526 +@@ -999,6 +999,10 @@ static int usbhsf_dma_prepare_pop_with_usb_dmac(struct usbhs_pkt *pkt,
10527 + if ((uintptr_t)pkt->buf & (USBHS_USB_DMAC_XFER_SIZE - 1))
10528 + goto usbhsf_pio_prepare_pop;
10529 +
10530 ++ /* return at this time if the pipe is running */
10531 ++ if (usbhs_pipe_is_running(pipe))
10532 ++ return 0;
10533 ++
10534 + usbhs_pipe_config_change_bfre(pipe, 1);
10535 +
10536 + ret = usbhsf_fifo_select(pipe, fifo, 0);
10537 +@@ -1189,6 +1193,7 @@ static int usbhsf_dma_pop_done_with_usb_dmac(struct usbhs_pkt *pkt,
10538 + usbhsf_fifo_clear(pipe, fifo);
10539 + pkt->actual = usbhs_dma_calc_received_size(pkt, chan, rcv_len);
10540 +
10541 ++ usbhs_pipe_running(pipe, 0);
10542 + usbhsf_dma_stop(pipe, fifo);
10543 + usbhsf_dma_unmap(pkt);
10544 + usbhsf_fifo_unselect(pipe, pipe->fifo);
10545 +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig
10546 +index b7cf1982d1d9..941716c1177e 100644
10547 +--- a/drivers/usb/serial/Kconfig
10548 ++++ b/drivers/usb/serial/Kconfig
10549 +@@ -63,6 +63,7 @@ config USB_SERIAL_SIMPLE
10550 + - Google USB serial devices
10551 + - HP4x calculators
10552 + - a number of Motorola phones
10553 ++ - Motorola Tetra devices
10554 + - Novatel Wireless GPS receivers
10555 + - Siemens USB/MPI adapter.
10556 + - ViVOtech ViVOpay USB device.
10557 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
10558 +index b1be08570088..142c876e7b19 100644
10559 +--- a/drivers/usb/serial/cp210x.c
10560 ++++ b/drivers/usb/serial/cp210x.c
10561 +@@ -119,6 +119,7 @@ static const struct usb_device_id id_table[] = {
10562 + { USB_DEVICE(0x10C4, 0x846E) }, /* BEI USB Sensor Interface (VCP) */
10563 + { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
10564 + { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
10565 ++ { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
10566 + { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
10567 + { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
10568 + { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
10569 +@@ -168,6 +169,7 @@ static const struct usb_device_id id_table[] = {
10570 + { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
10571 + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
10572 + { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
10573 ++ { USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */
10574 + { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
10575 + { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
10576 + { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
10577 +diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
10578 +index 749e1b674145..6947985ccfb0 100644
10579 +--- a/drivers/usb/serial/io_edgeport.c
10580 ++++ b/drivers/usb/serial/io_edgeport.c
10581 +@@ -2219,7 +2219,6 @@ static int write_cmd_usb(struct edgeport_port *edge_port,
10582 + /* something went wrong */
10583 + dev_err(dev, "%s - usb_submit_urb(write command) failed, status = %d\n",
10584 + __func__, status);
10585 +- usb_kill_urb(urb);
10586 + usb_free_urb(urb);
10587 + atomic_dec(&CmdUrbs);
10588 + return status;
10589 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
10590 +index dc489fb4261b..0d31ca1cbf35 100644
10591 +--- a/drivers/usb/serial/option.c
10592 ++++ b/drivers/usb/serial/option.c
10593 +@@ -277,6 +277,7 @@ static void option_instat_callback(struct urb *urb);
10594 + #define TELIT_PRODUCT_LE922_USBCFG3 0x1043
10595 + #define TELIT_PRODUCT_LE922_USBCFG5 0x1045
10596 + #define TELIT_PRODUCT_ME910 0x1100
10597 ++#define TELIT_PRODUCT_ME910_DUAL_MODEM 0x1101
10598 + #define TELIT_PRODUCT_LE920 0x1200
10599 + #define TELIT_PRODUCT_LE910 0x1201
10600 + #define TELIT_PRODUCT_LE910_USBCFG4 0x1206
10601 +@@ -374,6 +375,9 @@ static void option_instat_callback(struct urb *urb);
10602 + #define FOUR_G_SYSTEMS_PRODUCT_W14 0x9603
10603 + #define FOUR_G_SYSTEMS_PRODUCT_W100 0x9b01
10604 +
10605 ++/* Fujisoft products */
10606 ++#define FUJISOFT_PRODUCT_FS040U 0x9b02
10607 ++
10608 + /* iBall 3.5G connect wireless modem */
10609 + #define IBALL_3_5G_CONNECT 0x9605
10610 +
10611 +@@ -642,6 +646,11 @@ static const struct option_blacklist_info telit_me910_blacklist = {
10612 + .reserved = BIT(1) | BIT(3),
10613 + };
10614 +
10615 ++static const struct option_blacklist_info telit_me910_dual_modem_blacklist = {
10616 ++ .sendsetup = BIT(0),
10617 ++ .reserved = BIT(3),
10618 ++};
10619 ++
10620 + static const struct option_blacklist_info telit_le910_blacklist = {
10621 + .sendsetup = BIT(0),
10622 + .reserved = BIT(1) | BIT(2),
10623 +@@ -1241,6 +1250,8 @@ static const struct usb_device_id option_ids[] = {
10624 + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
10625 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
10626 + .driver_info = (kernel_ulong_t)&telit_me910_blacklist },
10627 ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
10628 ++ .driver_info = (kernel_ulong_t)&telit_me910_dual_modem_blacklist },
10629 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
10630 + .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
10631 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
10632 +@@ -1874,6 +1885,8 @@ static const struct usb_device_id option_ids[] = {
10633 + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100),
10634 + .driver_info = (kernel_ulong_t)&four_g_w100_blacklist
10635 + },
10636 ++ {USB_DEVICE(LONGCHEER_VENDOR_ID, FUJISOFT_PRODUCT_FS040U),
10637 ++ .driver_info = (kernel_ulong_t)&net_intf3_blacklist},
10638 + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) },
10639 + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9801, 0xff),
10640 + .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
10641 +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
10642 +index a51b28379850..3da25ad267a2 100644
10643 +--- a/drivers/usb/serial/pl2303.c
10644 ++++ b/drivers/usb/serial/pl2303.c
10645 +@@ -39,6 +39,7 @@ static const struct usb_device_id id_table[] = {
10646 + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ2) },
10647 + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_DCU11) },
10648 + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ3) },
10649 ++ { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_CHILITAG) },
10650 + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_PHAROS) },
10651 + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ALDIGA) },
10652 + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MMX) },
10653 +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
10654 +index 3b5a15d1dc0d..123289085ee2 100644
10655 +--- a/drivers/usb/serial/pl2303.h
10656 ++++ b/drivers/usb/serial/pl2303.h
10657 +@@ -17,6 +17,7 @@
10658 + #define PL2303_PRODUCT_ID_DCU11 0x1234
10659 + #define PL2303_PRODUCT_ID_PHAROS 0xaaa0
10660 + #define PL2303_PRODUCT_ID_RSAQ3 0xaaa2
10661 ++#define PL2303_PRODUCT_ID_CHILITAG 0xaaa8
10662 + #define PL2303_PRODUCT_ID_ALDIGA 0x0611
10663 + #define PL2303_PRODUCT_ID_MMX 0x0612
10664 + #define PL2303_PRODUCT_ID_GPRS 0x0609
10665 +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
10666 +index e98b6e57b703..6aa7ff2c1cf7 100644
10667 +--- a/drivers/usb/serial/usb-serial-simple.c
10668 ++++ b/drivers/usb/serial/usb-serial-simple.c
10669 +@@ -80,6 +80,11 @@ DEVICE(vivopay, VIVOPAY_IDS);
10670 + { USB_DEVICE(0x22b8, 0x2c64) } /* Motorola V950 phone */
10671 + DEVICE(moto_modem, MOTO_IDS);
10672 +
10673 ++/* Motorola Tetra driver */
10674 ++#define MOTOROLA_TETRA_IDS() \
10675 ++ { USB_DEVICE(0x0cad, 0x9011) } /* Motorola Solutions TETRA PEI */
10676 ++DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
10677 ++
10678 + /* Novatel Wireless GPS driver */
10679 + #define NOVATEL_IDS() \
10680 + { USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */
10681 +@@ -110,6 +115,7 @@ static struct usb_serial_driver * const serial_drivers[] = {
10682 + &google_device,
10683 + &vivopay_device,
10684 + &moto_modem_device,
10685 ++ &motorola_tetra_device,
10686 + &novatel_gps_device,
10687 + &hp4x_device,
10688 + &suunto_device,
10689 +@@ -125,6 +131,7 @@ static const struct usb_device_id id_table[] = {
10690 + GOOGLE_IDS(),
10691 + VIVOPAY_IDS(),
10692 + MOTO_IDS(),
10693 ++ MOTOROLA_TETRA_IDS(),
10694 + NOVATEL_IDS(),
10695 + HP4X_IDS(),
10696 + SUUNTO_IDS(),
10697 +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
10698 +index f58ae4a84c11..021d6880a3ed 100644
10699 +--- a/drivers/usb/storage/uas.c
10700 ++++ b/drivers/usb/storage/uas.c
10701 +@@ -1052,20 +1052,19 @@ static int uas_post_reset(struct usb_interface *intf)
10702 + return 0;
10703 +
10704 + err = uas_configure_endpoints(devinfo);
10705 +- if (err) {
10706 ++ if (err && err != ENODEV)
10707 + shost_printk(KERN_ERR, shost,
10708 + "%s: alloc streams error %d after reset",
10709 + __func__, err);
10710 +- return 1;
10711 +- }
10712 +
10713 ++ /* we must unblock the host in every case lest we deadlock */
10714 + spin_lock_irqsave(shost->host_lock, flags);
10715 + scsi_report_bus_reset(shost, 0);
10716 + spin_unlock_irqrestore(shost->host_lock, flags);
10717 +
10718 + scsi_unblock_requests(shost);
10719 +
10720 +- return 0;
10721 ++ return err ? 1 : 0;
10722 + }
10723 +
10724 + static int uas_suspend(struct usb_interface *intf, pm_message_t message)
10725 +diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
10726 +index 2f80163ffb94..8ed80f28416f 100644
10727 +--- a/drivers/usb/storage/unusual_uas.h
10728 ++++ b/drivers/usb/storage/unusual_uas.h
10729 +@@ -155,6 +155,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999,
10730 + USB_SC_DEVICE, USB_PR_DEVICE, NULL,
10731 + US_FL_NO_ATA_1X),
10732 +
10733 ++/* Reported-by: Icenowy Zheng <icenowy@××××.io> */
10734 ++UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999,
10735 ++ "Norelsys",
10736 ++ "NS1068X",
10737 ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
10738 ++ US_FL_IGNORE_UAS),
10739 ++
10740 + /* Reported-by: Takeo Nakayama <javhera@×××.com> */
10741 + UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
10742 + "JMicron",
10743 +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
10744 +index a3ec49bdc1e6..0931f3271119 100644
10745 +--- a/drivers/usb/usbip/stub_dev.c
10746 ++++ b/drivers/usb/usbip/stub_dev.c
10747 +@@ -87,6 +87,7 @@ static ssize_t store_sockfd(struct device *dev, struct device_attribute *attr,
10748 + goto err;
10749 +
10750 + sdev->ud.tcp_socket = socket;
10751 ++ sdev->ud.sockfd = sockfd;
10752 +
10753 + spin_unlock_irq(&sdev->ud.lock);
10754 +
10755 +@@ -163,8 +164,7 @@ static void stub_shutdown_connection(struct usbip_device *ud)
10756 + * step 1?
10757 + */
10758 + if (ud->tcp_socket) {
10759 +- dev_dbg(&sdev->udev->dev, "shutdown tcp_socket %p\n",
10760 +- ud->tcp_socket);
10761 ++ dev_dbg(&sdev->udev->dev, "shutdown sockfd %d\n", ud->sockfd);
10762 + kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
10763 + }
10764 +
10765 +@@ -187,6 +187,7 @@ static void stub_shutdown_connection(struct usbip_device *ud)
10766 + if (ud->tcp_socket) {
10767 + sockfd_put(ud->tcp_socket);
10768 + ud->tcp_socket = NULL;
10769 ++ ud->sockfd = -1;
10770 + }
10771 +
10772 + /* 3. free used data */
10773 +@@ -281,6 +282,7 @@ static struct stub_device *stub_device_alloc(struct usb_device *udev)
10774 + sdev->ud.status = SDEV_ST_AVAILABLE;
10775 + spin_lock_init(&sdev->ud.lock);
10776 + sdev->ud.tcp_socket = NULL;
10777 ++ sdev->ud.sockfd = -1;
10778 +
10779 + INIT_LIST_HEAD(&sdev->priv_init);
10780 + INIT_LIST_HEAD(&sdev->priv_tx);
10781 +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c
10782 +index af10f7b131a4..325b4c05acdd 100644
10783 +--- a/drivers/usb/usbip/stub_main.c
10784 ++++ b/drivers/usb/usbip/stub_main.c
10785 +@@ -252,11 +252,12 @@ void stub_device_cleanup_urbs(struct stub_device *sdev)
10786 + struct stub_priv *priv;
10787 + struct urb *urb;
10788 +
10789 +- dev_dbg(&sdev->udev->dev, "free sdev %p\n", sdev);
10790 ++ dev_dbg(&sdev->udev->dev, "Stub device cleaning up urbs\n");
10791 +
10792 + while ((priv = stub_priv_pop(sdev))) {
10793 + urb = priv->urb;
10794 +- dev_dbg(&sdev->udev->dev, "free urb %p\n", urb);
10795 ++ dev_dbg(&sdev->udev->dev, "free urb seqnum %lu\n",
10796 ++ priv->seqnum);
10797 + usb_kill_urb(urb);
10798 +
10799 + kmem_cache_free(stub_priv_cache, priv);
10800 +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
10801 +index 00e475c51a12..56cacb68040c 100644
10802 +--- a/drivers/usb/usbip/stub_rx.c
10803 ++++ b/drivers/usb/usbip/stub_rx.c
10804 +@@ -230,9 +230,6 @@ static int stub_recv_cmd_unlink(struct stub_device *sdev,
10805 + if (priv->seqnum != pdu->u.cmd_unlink.seqnum)
10806 + continue;
10807 +
10808 +- dev_info(&priv->urb->dev->dev, "unlink urb %p\n",
10809 +- priv->urb);
10810 +-
10811 + /*
10812 + * This matched urb is not completed yet (i.e., be in
10813 + * flight in usb hcd hardware/driver). Now we are
10814 +@@ -271,8 +268,8 @@ static int stub_recv_cmd_unlink(struct stub_device *sdev,
10815 + ret = usb_unlink_urb(priv->urb);
10816 + if (ret != -EINPROGRESS)
10817 + dev_err(&priv->urb->dev->dev,
10818 +- "failed to unlink a urb %p, ret %d\n",
10819 +- priv->urb, ret);
10820 ++ "failed to unlink a urb # %lu, ret %d\n",
10821 ++ priv->seqnum, ret);
10822 +
10823 + return 0;
10824 + }
10825 +@@ -341,23 +338,26 @@ static struct stub_priv *stub_priv_alloc(struct stub_device *sdev,
10826 + return priv;
10827 + }
10828 +
10829 +-static int get_pipe(struct stub_device *sdev, int epnum, int dir)
10830 ++static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu)
10831 + {
10832 + struct usb_device *udev = sdev->udev;
10833 + struct usb_host_endpoint *ep;
10834 + struct usb_endpoint_descriptor *epd = NULL;
10835 ++ int epnum = pdu->base.ep;
10836 ++ int dir = pdu->base.direction;
10837 ++
10838 ++ if (epnum < 0 || epnum > 15)
10839 ++ goto err_ret;
10840 +
10841 + if (dir == USBIP_DIR_IN)
10842 + ep = udev->ep_in[epnum & 0x7f];
10843 + else
10844 + ep = udev->ep_out[epnum & 0x7f];
10845 +- if (!ep) {
10846 +- dev_err(&sdev->interface->dev, "no such endpoint?, %d\n",
10847 +- epnum);
10848 +- BUG();
10849 +- }
10850 ++ if (!ep)
10851 ++ goto err_ret;
10852 +
10853 + epd = &ep->desc;
10854 ++
10855 + if (usb_endpoint_xfer_control(epd)) {
10856 + if (dir == USBIP_DIR_OUT)
10857 + return usb_sndctrlpipe(udev, epnum);
10858 +@@ -380,15 +380,37 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir)
10859 + }
10860 +
10861 + if (usb_endpoint_xfer_isoc(epd)) {
10862 ++ /* validate packet size and number of packets */
10863 ++ unsigned int maxp, packets, bytes;
10864 ++
10865 ++#define USB_EP_MAXP_MULT_SHIFT 11
10866 ++#define USB_EP_MAXP_MULT_MASK (3 << USB_EP_MAXP_MULT_SHIFT)
10867 ++#define USB_EP_MAXP_MULT(m) \
10868 ++ (((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT)
10869 ++
10870 ++ maxp = usb_endpoint_maxp(epd);
10871 ++ maxp *= (USB_EP_MAXP_MULT(
10872 ++ __le16_to_cpu(epd->wMaxPacketSize)) + 1);
10873 ++ bytes = pdu->u.cmd_submit.transfer_buffer_length;
10874 ++ packets = DIV_ROUND_UP(bytes, maxp);
10875 ++
10876 ++ if (pdu->u.cmd_submit.number_of_packets < 0 ||
10877 ++ pdu->u.cmd_submit.number_of_packets > packets) {
10878 ++ dev_err(&sdev->udev->dev,
10879 ++ "CMD_SUBMIT: isoc invalid num packets %d\n",
10880 ++ pdu->u.cmd_submit.number_of_packets);
10881 ++ return -1;
10882 ++ }
10883 + if (dir == USBIP_DIR_OUT)
10884 + return usb_sndisocpipe(udev, epnum);
10885 + else
10886 + return usb_rcvisocpipe(udev, epnum);
10887 + }
10888 +
10889 ++err_ret:
10890 + /* NOT REACHED */
10891 +- dev_err(&sdev->interface->dev, "get pipe, epnum %d\n", epnum);
10892 +- return 0;
10893 ++ dev_err(&sdev->udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum);
10894 ++ return -1;
10895 + }
10896 +
10897 + static void masking_bogus_flags(struct urb *urb)
10898 +@@ -452,7 +474,10 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
10899 + struct stub_priv *priv;
10900 + struct usbip_device *ud = &sdev->ud;
10901 + struct usb_device *udev = sdev->udev;
10902 +- int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction);
10903 ++ int pipe = get_pipe(sdev, pdu);
10904 ++
10905 ++ if (pipe == -1)
10906 ++ return;
10907 +
10908 + priv = stub_priv_alloc(sdev, pdu);
10909 + if (!priv)
10910 +diff --git a/drivers/usb/usbip/stub_tx.c b/drivers/usb/usbip/stub_tx.c
10911 +index af858d52608a..f4dd30c56f36 100644
10912 +--- a/drivers/usb/usbip/stub_tx.c
10913 ++++ b/drivers/usb/usbip/stub_tx.c
10914 +@@ -201,8 +201,8 @@ static int stub_send_ret_submit(struct stub_device *sdev)
10915 +
10916 + /* 1. setup usbip_header */
10917 + setup_ret_submit_pdu(&pdu_header, urb);
10918 +- usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
10919 +- pdu_header.base.seqnum, urb);
10920 ++ usbip_dbg_stub_tx("setup txdata seqnum: %d\n",
10921 ++ pdu_header.base.seqnum);
10922 + usbip_header_correct_endian(&pdu_header, 1);
10923 +
10924 + iov[iovnum].iov_base = &pdu_header;
10925 +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
10926 +index e40da7759a0e..1838f1b2c2fa 100644
10927 +--- a/drivers/usb/usbip/usbip_common.c
10928 ++++ b/drivers/usb/usbip/usbip_common.c
10929 +@@ -103,7 +103,7 @@ static void usbip_dump_usb_device(struct usb_device *udev)
10930 + dev_dbg(dev, " devnum(%d) devpath(%s) usb speed(%s)",
10931 + udev->devnum, udev->devpath, usb_speed_string(udev->speed));
10932 +
10933 +- pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport);
10934 ++ pr_debug("tt hub ttport %d\n", udev->ttport);
10935 +
10936 + dev_dbg(dev, " ");
10937 + for (i = 0; i < 16; i++)
10938 +@@ -136,12 +136,8 @@ static void usbip_dump_usb_device(struct usb_device *udev)
10939 + }
10940 + pr_debug("\n");
10941 +
10942 +- dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus);
10943 +-
10944 +- dev_dbg(dev,
10945 +- "descriptor %p, config %p, actconfig %p, rawdescriptors %p\n",
10946 +- &udev->descriptor, udev->config,
10947 +- udev->actconfig, udev->rawdescriptors);
10948 ++ dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev),
10949 ++ udev->bus->bus_name);
10950 +
10951 + dev_dbg(dev, "have_langid %d, string_langid %d\n",
10952 + udev->have_langid, udev->string_langid);
10953 +@@ -249,9 +245,6 @@ void usbip_dump_urb(struct urb *urb)
10954 +
10955 + dev = &urb->dev->dev;
10956 +
10957 +- dev_dbg(dev, " urb :%p\n", urb);
10958 +- dev_dbg(dev, " dev :%p\n", urb->dev);
10959 +-
10960 + usbip_dump_usb_device(urb->dev);
10961 +
10962 + dev_dbg(dev, " pipe :%08x ", urb->pipe);
10963 +@@ -260,11 +253,9 @@ void usbip_dump_urb(struct urb *urb)
10964 +
10965 + dev_dbg(dev, " status :%d\n", urb->status);
10966 + dev_dbg(dev, " transfer_flags :%08X\n", urb->transfer_flags);
10967 +- dev_dbg(dev, " transfer_buffer :%p\n", urb->transfer_buffer);
10968 + dev_dbg(dev, " transfer_buffer_length:%d\n",
10969 + urb->transfer_buffer_length);
10970 + dev_dbg(dev, " actual_length :%d\n", urb->actual_length);
10971 +- dev_dbg(dev, " setup_packet :%p\n", urb->setup_packet);
10972 +
10973 + if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL)
10974 + usbip_dump_usb_ctrlrequest(
10975 +@@ -274,8 +265,6 @@ void usbip_dump_urb(struct urb *urb)
10976 + dev_dbg(dev, " number_of_packets :%d\n", urb->number_of_packets);
10977 + dev_dbg(dev, " interval :%d\n", urb->interval);
10978 + dev_dbg(dev, " error_count :%d\n", urb->error_count);
10979 +- dev_dbg(dev, " context :%p\n", urb->context);
10980 +- dev_dbg(dev, " complete :%p\n", urb->complete);
10981 + }
10982 + EXPORT_SYMBOL_GPL(usbip_dump_urb);
10983 +
10984 +@@ -328,18 +317,14 @@ int usbip_recv(struct socket *sock, void *buf, int size)
10985 + struct msghdr msg;
10986 + struct kvec iov;
10987 + int total = 0;
10988 +-
10989 + /* for blocks of if (usbip_dbg_flag_xmit) */
10990 + char *bp = buf;
10991 + int osize = size;
10992 +
10993 +- usbip_dbg_xmit("enter\n");
10994 +-
10995 +- if (!sock || !buf || !size) {
10996 +- pr_err("invalid arg, sock %p buff %p size %d\n", sock, buf,
10997 +- size);
10998 ++ if (!sock || !buf || !size)
10999 + return -EINVAL;
11000 +- }
11001 ++
11002 ++ usbip_dbg_xmit("enter\n");
11003 +
11004 + do {
11005 + sock->sk->sk_allocation = GFP_NOIO;
11006 +@@ -352,11 +337,8 @@ int usbip_recv(struct socket *sock, void *buf, int size)
11007 + msg.msg_flags = MSG_NOSIGNAL;
11008 +
11009 + result = kernel_recvmsg(sock, &msg, &iov, 1, size, MSG_WAITALL);
11010 +- if (result <= 0) {
11011 +- pr_debug("receive sock %p buf %p size %u ret %d total %d\n",
11012 +- sock, buf, size, result, total);
11013 ++ if (result <= 0)
11014 + goto err;
11015 +- }
11016 +
11017 + size -= result;
11018 + buf += result;
11019 +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
11020 +index 86b08475c254..f875ccaa55f9 100644
11021 +--- a/drivers/usb/usbip/usbip_common.h
11022 ++++ b/drivers/usb/usbip/usbip_common.h
11023 +@@ -261,6 +261,7 @@ struct usbip_device {
11024 + /* lock for status */
11025 + spinlock_t lock;
11026 +
11027 ++ int sockfd;
11028 + struct socket *tcp_socket;
11029 +
11030 + struct task_struct *tcp_rx;
11031 +diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
11032 +index e9ef1eccdace..17498af82b69 100644
11033 +--- a/drivers/usb/usbip/vhci_hcd.c
11034 ++++ b/drivers/usb/usbip/vhci_hcd.c
11035 +@@ -462,9 +462,6 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb,
11036 + int ret = 0;
11037 + struct vhci_device *vdev;
11038 +
11039 +- usbip_dbg_vhci_hc("enter, usb_hcd %p urb %p mem_flags %d\n",
11040 +- hcd, urb, mem_flags);
11041 +-
11042 + /* patch to usb_sg_init() is in 2.5.60 */
11043 + BUG_ON(!urb->transfer_buffer && urb->transfer_buffer_length);
11044 +
11045 +@@ -620,8 +617,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
11046 + struct vhci_priv *priv;
11047 + struct vhci_device *vdev;
11048 +
11049 +- pr_info("dequeue a urb %p\n", urb);
11050 +-
11051 + spin_lock(&the_controller->lock);
11052 +
11053 + priv = urb->hcpriv;
11054 +@@ -649,7 +644,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
11055 + /* tcp connection is closed */
11056 + spin_lock(&vdev->priv_lock);
11057 +
11058 +- pr_info("device %p seems to be disconnected\n", vdev);
11059 + list_del(&priv->list);
11060 + kfree(priv);
11061 + urb->hcpriv = NULL;
11062 +@@ -661,8 +655,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
11063 + * vhci_rx will receive RET_UNLINK and give back the URB.
11064 + * Otherwise, we give back it here.
11065 + */
11066 +- pr_info("gives back urb %p\n", urb);
11067 +-
11068 + usb_hcd_unlink_urb_from_ep(hcd, urb);
11069 +
11070 + spin_unlock(&the_controller->lock);
11071 +@@ -691,8 +683,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
11072 +
11073 + unlink->unlink_seqnum = priv->seqnum;
11074 +
11075 +- pr_info("device %p seems to be still connected\n", vdev);
11076 +-
11077 + /* send cmd_unlink and try to cancel the pending URB in the
11078 + * peer */
11079 + list_add_tail(&unlink->list, &vdev->unlink_tx);
11080 +@@ -771,7 +761,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud)
11081 +
11082 + /* need this? see stub_dev.c */
11083 + if (ud->tcp_socket) {
11084 +- pr_debug("shutdown tcp_socket %p\n", ud->tcp_socket);
11085 ++ pr_debug("shutdown sockfd %d\n", ud->sockfd);
11086 + kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
11087 + }
11088 +
11089 +@@ -790,6 +780,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud)
11090 + if (vdev->ud.tcp_socket) {
11091 + sockfd_put(vdev->ud.tcp_socket);
11092 + vdev->ud.tcp_socket = NULL;
11093 ++ vdev->ud.sockfd = -1;
11094 + }
11095 + pr_info("release socket\n");
11096 +
11097 +@@ -836,6 +827,7 @@ static void vhci_device_reset(struct usbip_device *ud)
11098 + if (ud->tcp_socket) {
11099 + sockfd_put(ud->tcp_socket);
11100 + ud->tcp_socket = NULL;
11101 ++ ud->sockfd = -1;
11102 + }
11103 + ud->status = VDEV_ST_NULL;
11104 +
11105 +diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c
11106 +index 00e4a54308e4..bc4eb0855314 100644
11107 +--- a/drivers/usb/usbip/vhci_rx.c
11108 ++++ b/drivers/usb/usbip/vhci_rx.c
11109 +@@ -37,24 +37,23 @@ struct urb *pickup_urb_and_free_priv(struct vhci_device *vdev, __u32 seqnum)
11110 + urb = priv->urb;
11111 + status = urb->status;
11112 +
11113 +- usbip_dbg_vhci_rx("find urb %p vurb %p seqnum %u\n",
11114 +- urb, priv, seqnum);
11115 ++ usbip_dbg_vhci_rx("find urb seqnum %u\n", seqnum);
11116 +
11117 + switch (status) {
11118 + case -ENOENT:
11119 + /* fall through */
11120 + case -ECONNRESET:
11121 +- dev_info(&urb->dev->dev,
11122 +- "urb %p was unlinked %ssynchronuously.\n", urb,
11123 +- status == -ENOENT ? "" : "a");
11124 ++ dev_dbg(&urb->dev->dev,
11125 ++ "urb seq# %u was unlinked %ssynchronuously\n",
11126 ++ seqnum, status == -ENOENT ? "" : "a");
11127 + break;
11128 + case -EINPROGRESS:
11129 + /* no info output */
11130 + break;
11131 + default:
11132 +- dev_info(&urb->dev->dev,
11133 +- "urb %p may be in a error, status %d\n", urb,
11134 +- status);
11135 ++ dev_dbg(&urb->dev->dev,
11136 ++ "urb seq# %u may be in a error, status %d\n",
11137 ++ seqnum, status);
11138 + }
11139 +
11140 + list_del(&priv->list);
11141 +@@ -78,8 +77,8 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
11142 + spin_unlock(&vdev->priv_lock);
11143 +
11144 + if (!urb) {
11145 +- pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
11146 +- pr_info("max seqnum %d\n",
11147 ++ pr_err("cannot find a urb of seqnum %u max seqnum %d\n",
11148 ++ pdu->base.seqnum,
11149 + atomic_read(&the_controller->seqnum));
11150 + usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
11151 + return;
11152 +@@ -102,7 +101,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
11153 + if (usbip_dbg_flag_vhci_rx)
11154 + usbip_dump_urb(urb);
11155 +
11156 +- usbip_dbg_vhci_rx("now giveback urb %p\n", urb);
11157 ++ usbip_dbg_vhci_rx("now giveback urb %u\n", pdu->base.seqnum);
11158 +
11159 + spin_lock(&the_controller->lock);
11160 + usb_hcd_unlink_urb_from_ep(vhci_to_hcd(the_controller), urb);
11161 +@@ -165,7 +164,7 @@ static void vhci_recv_ret_unlink(struct vhci_device *vdev,
11162 + pr_info("the urb (seqnum %d) was already given back\n",
11163 + pdu->base.seqnum);
11164 + } else {
11165 +- usbip_dbg_vhci_rx("now giveback urb %p\n", urb);
11166 ++ usbip_dbg_vhci_rx("now giveback urb %d\n", pdu->base.seqnum);
11167 +
11168 + /* If unlink is successful, status is -ECONNRESET */
11169 + urb->status = pdu->u.ret_unlink.status;
11170 +diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
11171 +index 211f43f67ea2..84c21c4ccf46 100644
11172 +--- a/drivers/usb/usbip/vhci_sysfs.c
11173 ++++ b/drivers/usb/usbip/vhci_sysfs.c
11174 +@@ -39,16 +39,20 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr,
11175 +
11176 + /*
11177 + * output example:
11178 +- * prt sta spd dev socket local_busid
11179 +- * 000 004 000 000 c5a7bb80 1-2.3
11180 +- * 001 004 000 000 d8cee980 2-3.4
11181 ++ * port sta spd dev sockfd local_busid
11182 ++ * 0000 004 000 00000000 000003 1-2.3
11183 ++ * 0001 004 000 00000000 000004 2-3.4
11184 + *
11185 +- * IP address can be retrieved from a socket pointer address by looking
11186 +- * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a
11187 +- * port number and its peer IP address.
11188 ++ * Output includes socket fd instead of socket pointer address to
11189 ++ * avoid leaking kernel memory address in:
11190 ++ * /sys/devices/platform/vhci_hcd.0/status and in debug output.
11191 ++ * The socket pointer address is not used at the moment and it was
11192 ++ * made visible as a convenient way to find IP address from socket
11193 ++ * pointer address by looking up /proc/net/{tcp,tcp6}. As this opens
11194 ++ * a security hole, the change is made to use sockfd instead.
11195 + */
11196 + out += sprintf(out,
11197 +- "prt sta spd bus dev socket local_busid\n");
11198 ++ "prt sta spd bus dev sockfd local_busid\n");
11199 +
11200 + for (i = 0; i < VHCI_NPORTS; i++) {
11201 + struct vhci_device *vdev = port_to_vdev(i);
11202 +@@ -60,11 +64,11 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr,
11203 + out += sprintf(out, "%03u %08x ",
11204 + vdev->speed, vdev->devid);
11205 + out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
11206 ++ out += sprintf(out, "%06u", vdev->ud.sockfd);
11207 + out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
11208 +
11209 +- } else {
11210 +- out += sprintf(out, "000 000 000 0000000000000000 0-0");
11211 +- }
11212 ++ } else
11213 ++ out += sprintf(out, "000 000 000 000000 0-0");
11214 +
11215 + out += sprintf(out, "\n");
11216 + spin_unlock(&vdev->ud.lock);
11217 +@@ -223,6 +227,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr,
11218 +
11219 + vdev->devid = devid;
11220 + vdev->speed = speed;
11221 ++ vdev->ud.sockfd = sockfd;
11222 + vdev->ud.tcp_socket = socket;
11223 + vdev->ud.status = VDEV_ST_NOTASSIGNED;
11224 +
11225 +diff --git a/drivers/usb/usbip/vhci_tx.c b/drivers/usb/usbip/vhci_tx.c
11226 +index 409fd99f3257..3c5796c8633a 100644
11227 +--- a/drivers/usb/usbip/vhci_tx.c
11228 ++++ b/drivers/usb/usbip/vhci_tx.c
11229 +@@ -82,7 +82,8 @@ static int vhci_send_cmd_submit(struct vhci_device *vdev)
11230 + memset(&msg, 0, sizeof(msg));
11231 + memset(&iov, 0, sizeof(iov));
11232 +
11233 +- usbip_dbg_vhci_tx("setup txdata urb %p\n", urb);
11234 ++ usbip_dbg_vhci_tx("setup txdata urb seqnum %lu\n",
11235 ++ priv->seqnum);
11236 +
11237 + /* 1. setup usbip_header */
11238 + setup_cmd_submit_pdu(&pdu_header, urb);
11239 +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
11240 +index 7d137a43cc86..14265c4c0203 100644
11241 +--- a/drivers/vhost/net.c
11242 ++++ b/drivers/vhost/net.c
11243 +@@ -982,6 +982,7 @@ static long vhost_net_reset_owner(struct vhost_net *n)
11244 + }
11245 + vhost_net_stop(n, &tx_sock, &rx_sock);
11246 + vhost_net_flush(n);
11247 ++ vhost_dev_stop(&n->dev);
11248 + vhost_dev_reset_owner(&n->dev, memory);
11249 + vhost_net_vq_reset(n);
11250 + done:
11251 +diff --git a/drivers/video/backlight/pwm_bl.c b/drivers/video/backlight/pwm_bl.c
11252 +index 6897f1c1bc73..95d01562ffa2 100644
11253 +--- a/drivers/video/backlight/pwm_bl.c
11254 ++++ b/drivers/video/backlight/pwm_bl.c
11255 +@@ -79,14 +79,17 @@ static void pwm_backlight_power_off(struct pwm_bl_data *pb)
11256 + static int compute_duty_cycle(struct pwm_bl_data *pb, int brightness)
11257 + {
11258 + unsigned int lth = pb->lth_brightness;
11259 +- int duty_cycle;
11260 ++ u64 duty_cycle;
11261 +
11262 + if (pb->levels)
11263 + duty_cycle = pb->levels[brightness];
11264 + else
11265 + duty_cycle = brightness;
11266 +
11267 +- return (duty_cycle * (pb->period - lth) / pb->scale) + lth;
11268 ++ duty_cycle *= pb->period - lth;
11269 ++ do_div(duty_cycle, pb->scale);
11270 ++
11271 ++ return duty_cycle + lth;
11272 + }
11273 +
11274 + static int pwm_backlight_update_status(struct backlight_device *bl)
11275 +diff --git a/drivers/video/console/dummycon.c b/drivers/video/console/dummycon.c
11276 +index 0efc52f11ad0..b30e7d87804b 100644
11277 +--- a/drivers/video/console/dummycon.c
11278 ++++ b/drivers/video/console/dummycon.c
11279 +@@ -68,7 +68,6 @@ const struct consw dummy_con = {
11280 + .con_switch = DUMMY,
11281 + .con_blank = DUMMY,
11282 + .con_font_set = DUMMY,
11283 +- .con_font_get = DUMMY,
11284 + .con_font_default = DUMMY,
11285 + .con_font_copy = DUMMY,
11286 + .con_set_palette = DUMMY,
11287 +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig
11288 +index 44eb7c737ea2..34af3a26472c 100644
11289 +--- a/drivers/video/fbdev/Kconfig
11290 ++++ b/drivers/video/fbdev/Kconfig
11291 +@@ -1506,6 +1506,7 @@ config FB_SIS
11292 + select FB_CFB_COPYAREA
11293 + select FB_CFB_IMAGEBLIT
11294 + select FB_BOOT_VESA_SUPPORT if FB_SIS = y
11295 ++ select FB_SIS_300 if !FB_SIS_315
11296 + help
11297 + This is the frame buffer device driver for the SiS 300, 315, 330
11298 + and 340 series as well as XGI V3XT, V5, V8, Z7 graphics chipsets.
11299 +diff --git a/drivers/video/fbdev/atmel_lcdfb.c b/drivers/video/fbdev/atmel_lcdfb.c
11300 +index 94a8d04e60f9..b16a1c16e212 100644
11301 +--- a/drivers/video/fbdev/atmel_lcdfb.c
11302 ++++ b/drivers/video/fbdev/atmel_lcdfb.c
11303 +@@ -1121,7 +1121,7 @@ static int atmel_lcdfb_of_init(struct atmel_lcdfb_info *sinfo)
11304 + goto put_display_node;
11305 + }
11306 +
11307 +- timings_np = of_find_node_by_name(display_np, "display-timings");
11308 ++ timings_np = of_get_child_by_name(display_np, "display-timings");
11309 + if (!timings_np) {
11310 + dev_err(dev, "failed to find display-timings node\n");
11311 + ret = -ENODEV;
11312 +@@ -1142,6 +1142,12 @@ static int atmel_lcdfb_of_init(struct atmel_lcdfb_info *sinfo)
11313 + fb_add_videomode(&fb_vm, &info->modelist);
11314 + }
11315 +
11316 ++ /*
11317 ++ * FIXME: Make sure we are not referencing any fields in display_np
11318 ++ * and timings_np and drop our references to them before returning to
11319 ++ * avoid leaking the nodes on probe deferral and driver unbind.
11320 ++ */
11321 ++
11322 + return 0;
11323 +
11324 + put_timings_node:
11325 +diff --git a/drivers/video/fbdev/auo_k190x.c b/drivers/video/fbdev/auo_k190x.c
11326 +index 8d2499d1cafb..9580374667ba 100644
11327 +--- a/drivers/video/fbdev/auo_k190x.c
11328 ++++ b/drivers/video/fbdev/auo_k190x.c
11329 +@@ -773,9 +773,7 @@ static void auok190x_recover(struct auok190xfb_par *par)
11330 + /*
11331 + * Power-management
11332 + */
11333 +-
11334 +-#ifdef CONFIG_PM
11335 +-static int auok190x_runtime_suspend(struct device *dev)
11336 ++static int __maybe_unused auok190x_runtime_suspend(struct device *dev)
11337 + {
11338 + struct platform_device *pdev = to_platform_device(dev);
11339 + struct fb_info *info = platform_get_drvdata(pdev);
11340 +@@ -822,7 +820,7 @@ finish:
11341 + return 0;
11342 + }
11343 +
11344 +-static int auok190x_runtime_resume(struct device *dev)
11345 ++static int __maybe_unused auok190x_runtime_resume(struct device *dev)
11346 + {
11347 + struct platform_device *pdev = to_platform_device(dev);
11348 + struct fb_info *info = platform_get_drvdata(pdev);
11349 +@@ -856,7 +854,7 @@ static int auok190x_runtime_resume(struct device *dev)
11350 + return 0;
11351 + }
11352 +
11353 +-static int auok190x_suspend(struct device *dev)
11354 ++static int __maybe_unused auok190x_suspend(struct device *dev)
11355 + {
11356 + struct platform_device *pdev = to_platform_device(dev);
11357 + struct fb_info *info = platform_get_drvdata(pdev);
11358 +@@ -896,7 +894,7 @@ static int auok190x_suspend(struct device *dev)
11359 + return 0;
11360 + }
11361 +
11362 +-static int auok190x_resume(struct device *dev)
11363 ++static int __maybe_unused auok190x_resume(struct device *dev)
11364 + {
11365 + struct platform_device *pdev = to_platform_device(dev);
11366 + struct fb_info *info = platform_get_drvdata(pdev);
11367 +@@ -933,7 +931,6 @@ static int auok190x_resume(struct device *dev)
11368 +
11369 + return 0;
11370 + }
11371 +-#endif
11372 +
11373 + const struct dev_pm_ops auok190x_pm = {
11374 + SET_RUNTIME_PM_OPS(auok190x_runtime_suspend, auok190x_runtime_resume,
11375 +diff --git a/drivers/video/fbdev/exynos/s6e8ax0.c b/drivers/video/fbdev/exynos/s6e8ax0.c
11376 +index 95873f26e39c..de2f3e793786 100644
11377 +--- a/drivers/video/fbdev/exynos/s6e8ax0.c
11378 ++++ b/drivers/video/fbdev/exynos/s6e8ax0.c
11379 +@@ -829,8 +829,7 @@ static int s6e8ax0_probe(struct mipi_dsim_lcd_device *dsim_dev)
11380 + return 0;
11381 + }
11382 +
11383 +-#ifdef CONFIG_PM
11384 +-static int s6e8ax0_suspend(struct mipi_dsim_lcd_device *dsim_dev)
11385 ++static int __maybe_unused s6e8ax0_suspend(struct mipi_dsim_lcd_device *dsim_dev)
11386 + {
11387 + struct s6e8ax0 *lcd = dev_get_drvdata(&dsim_dev->dev);
11388 +
11389 +@@ -843,7 +842,7 @@ static int s6e8ax0_suspend(struct mipi_dsim_lcd_device *dsim_dev)
11390 + return 0;
11391 + }
11392 +
11393 +-static int s6e8ax0_resume(struct mipi_dsim_lcd_device *dsim_dev)
11394 ++static int __maybe_unused s6e8ax0_resume(struct mipi_dsim_lcd_device *dsim_dev)
11395 + {
11396 + struct s6e8ax0 *lcd = dev_get_drvdata(&dsim_dev->dev);
11397 +
11398 +@@ -855,10 +854,6 @@ static int s6e8ax0_resume(struct mipi_dsim_lcd_device *dsim_dev)
11399 +
11400 + return 0;
11401 + }
11402 +-#else
11403 +-#define s6e8ax0_suspend NULL
11404 +-#define s6e8ax0_resume NULL
11405 +-#endif
11406 +
11407 + static struct mipi_dsim_lcd_driver s6e8ax0_dsim_ddi_driver = {
11408 + .name = "s6e8ax0",
11409 +@@ -867,8 +862,8 @@ static struct mipi_dsim_lcd_driver s6e8ax0_dsim_ddi_driver = {
11410 + .power_on = s6e8ax0_power_on,
11411 + .set_sequence = s6e8ax0_set_sequence,
11412 + .probe = s6e8ax0_probe,
11413 +- .suspend = s6e8ax0_suspend,
11414 +- .resume = s6e8ax0_resume,
11415 ++ .suspend = IS_ENABLED(CONFIG_PM) ? s6e8ax0_suspend : NULL,
11416 ++ .resume = IS_ENABLED(CONFIG_PM) ? s6e8ax0_resume : NULL,
11417 + };
11418 +
11419 + static int s6e8ax0_init(void)
11420 +diff --git a/drivers/video/fbdev/intelfb/intelfbdrv.c b/drivers/video/fbdev/intelfb/intelfbdrv.c
11421 +index b847d530471a..e8d1309ccefc 100644
11422 +--- a/drivers/video/fbdev/intelfb/intelfbdrv.c
11423 ++++ b/drivers/video/fbdev/intelfb/intelfbdrv.c
11424 +@@ -306,7 +306,7 @@ static __inline__ int get_opt_int(const char *this_opt, const char *name,
11425 + }
11426 +
11427 + static __inline__ int get_opt_bool(const char *this_opt, const char *name,
11428 +- int *ret)
11429 ++ bool *ret)
11430 + {
11431 + if (!ret)
11432 + return 0;
11433 +diff --git a/drivers/video/fbdev/mmp/core.c b/drivers/video/fbdev/mmp/core.c
11434 +index a0f496049db7..3a6bb6561ba0 100644
11435 +--- a/drivers/video/fbdev/mmp/core.c
11436 ++++ b/drivers/video/fbdev/mmp/core.c
11437 +@@ -23,6 +23,7 @@
11438 + #include <linux/slab.h>
11439 + #include <linux/dma-mapping.h>
11440 + #include <linux/export.h>
11441 ++#include <linux/module.h>
11442 + #include <video/mmp_disp.h>
11443 +
11444 + static struct mmp_overlay *path_get_overlay(struct mmp_path *path,
11445 +@@ -249,3 +250,7 @@ void mmp_unregister_path(struct mmp_path *path)
11446 + mutex_unlock(&disp_lock);
11447 + }
11448 + EXPORT_SYMBOL_GPL(mmp_unregister_path);
11449 ++
11450 ++MODULE_AUTHOR("Zhou Zhu <zzhu3@×××××××.com>");
11451 ++MODULE_DESCRIPTION("Marvell MMP display framework");
11452 ++MODULE_LICENSE("GPL");
11453 +diff --git a/drivers/video/fbdev/sis/init301.c b/drivers/video/fbdev/sis/init301.c
11454 +index 295e0dedaf1f..20f7234e809e 100644
11455 +--- a/drivers/video/fbdev/sis/init301.c
11456 ++++ b/drivers/video/fbdev/sis/init301.c
11457 +@@ -2151,17 +2151,15 @@ SiS_GetVCLK2Ptr(struct SiS_Private *SiS_Pr, unsigned short ModeNo, unsigned shor
11458 + unsigned short RefreshRateTableIndex)
11459 + {
11460 + unsigned short CRT2Index, VCLKIndex = 0, VCLKIndexGEN = 0, VCLKIndexGENCRT = 0;
11461 +- unsigned short modeflag, resinfo, tempbx;
11462 ++ unsigned short resinfo, tempbx;
11463 + const unsigned char *CHTVVCLKPtr = NULL;
11464 +
11465 + if(ModeNo <= 0x13) {
11466 +- modeflag = SiS_Pr->SiS_SModeIDTable[ModeIdIndex].St_ModeFlag;
11467 + resinfo = SiS_Pr->SiS_SModeIDTable[ModeIdIndex].St_ResInfo;
11468 + CRT2Index = SiS_Pr->SiS_SModeIDTable[ModeIdIndex].St_CRT2CRTC;
11469 + VCLKIndexGEN = (SiS_GetRegByte((SiS_Pr->SiS_P3ca+0x02)) >> 2) & 0x03;
11470 + VCLKIndexGENCRT = VCLKIndexGEN;
11471 + } else {
11472 +- modeflag = SiS_Pr->SiS_EModeIDTable[ModeIdIndex].Ext_ModeFlag;
11473 + resinfo = SiS_Pr->SiS_EModeIDTable[ModeIdIndex].Ext_RESINFO;
11474 + CRT2Index = SiS_Pr->SiS_RefIndex[RefreshRateTableIndex].Ext_CRT2CRTC;
11475 + VCLKIndexGEN = SiS_Pr->SiS_RefIndex[RefreshRateTableIndex].Ext_CRTVCLK;
11476 +@@ -7270,7 +7268,7 @@ SiS_ShiftXPos(struct SiS_Private *SiS_Pr, int shift)
11477 + static void
11478 + SiS_SetGroup4_C_ELV(struct SiS_Private *SiS_Pr, unsigned short ModeNo, unsigned short ModeIdIndex)
11479 + {
11480 +- unsigned short temp, temp1, resinfo = 0;
11481 ++ unsigned short temp, temp1;
11482 + unsigned char *ROMAddr = SiS_Pr->VirtualRomBase;
11483 +
11484 + if(!(SiS_Pr->SiS_VBType & VB_SIS30xCLV)) return;
11485 +@@ -7282,10 +7280,6 @@ SiS_SetGroup4_C_ELV(struct SiS_Private *SiS_Pr, unsigned short ModeNo, unsigned
11486 + if(!(ROMAddr[0x61] & 0x04)) return;
11487 + }
11488 +
11489 +- if(ModeNo > 0x13) {
11490 +- resinfo = SiS_Pr->SiS_EModeIDTable[ModeIdIndex].Ext_RESINFO;
11491 +- }
11492 +-
11493 + SiS_SetRegOR(SiS_Pr->SiS_Part4Port,0x3a,0x08);
11494 + temp = SiS_GetReg(SiS_Pr->SiS_Part4Port,0x3a);
11495 + if(!(temp & 0x01)) {
11496 +diff --git a/drivers/video/fbdev/via/viafbdev.c b/drivers/video/fbdev/via/viafbdev.c
11497 +index f9718f012aae..badee04ef496 100644
11498 +--- a/drivers/video/fbdev/via/viafbdev.c
11499 ++++ b/drivers/video/fbdev/via/viafbdev.c
11500 +@@ -1630,16 +1630,14 @@ static void viafb_init_proc(struct viafb_shared *shared)
11501 + }
11502 + static void viafb_remove_proc(struct viafb_shared *shared)
11503 + {
11504 +- struct proc_dir_entry *viafb_entry = shared->proc_entry,
11505 +- *iga1_entry = shared->iga1_proc_entry,
11506 +- *iga2_entry = shared->iga2_proc_entry;
11507 ++ struct proc_dir_entry *viafb_entry = shared->proc_entry;
11508 +
11509 + if (!viafb_entry)
11510 + return;
11511 +
11512 +- remove_proc_entry("output_devices", iga2_entry);
11513 ++ remove_proc_entry("output_devices", shared->iga2_proc_entry);
11514 + remove_proc_entry("iga2", viafb_entry);
11515 +- remove_proc_entry("output_devices", iga1_entry);
11516 ++ remove_proc_entry("output_devices", shared->iga1_proc_entry);
11517 + remove_proc_entry("iga1", viafb_entry);
11518 + remove_proc_entry("supported_output_devices", viafb_entry);
11519 +
11520 +diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
11521 +index 01d15dca940e..7cf26768ea0b 100644
11522 +--- a/drivers/virtio/virtio_balloon.c
11523 ++++ b/drivers/virtio/virtio_balloon.c
11524 +@@ -239,12 +239,14 @@ static void update_balloon_stats(struct virtio_balloon *vb)
11525 + all_vm_events(events);
11526 + si_meminfo(&i);
11527 +
11528 ++#ifdef CONFIG_VM_EVENT_COUNTERS
11529 + update_stat(vb, idx++, VIRTIO_BALLOON_S_SWAP_IN,
11530 + pages_to_bytes(events[PSWPIN]));
11531 + update_stat(vb, idx++, VIRTIO_BALLOON_S_SWAP_OUT,
11532 + pages_to_bytes(events[PSWPOUT]));
11533 + update_stat(vb, idx++, VIRTIO_BALLOON_S_MAJFLT, events[PGMAJFAULT]);
11534 + update_stat(vb, idx++, VIRTIO_BALLOON_S_MINFLT, events[PGFAULT]);
11535 ++#endif
11536 + update_stat(vb, idx++, VIRTIO_BALLOON_S_MEMFREE,
11537 + pages_to_bytes(i.freeram));
11538 + update_stat(vb, idx++, VIRTIO_BALLOON_S_MEMTOT,
11539 +diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig
11540 +index 7cd226da15fe..a4918b00308f 100644
11541 +--- a/drivers/xen/Kconfig
11542 ++++ b/drivers/xen/Kconfig
11543 +@@ -239,7 +239,7 @@ config XEN_ACPI_HOTPLUG_CPU
11544 +
11545 + config XEN_ACPI_PROCESSOR
11546 + tristate "Xen ACPI processor"
11547 +- depends on XEN && X86 && ACPI_PROCESSOR && CPU_FREQ
11548 ++ depends on XEN && XEN_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ
11549 + default m
11550 + help
11551 + This ACPI processor uploads Power Management information to the Xen
11552 +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
11553 +index 9dbe5b548fa6..0814dffa30c8 100644
11554 +--- a/fs/btrfs/free-space-cache.c
11555 ++++ b/fs/btrfs/free-space-cache.c
11556 +@@ -1260,7 +1260,7 @@ static int __btrfs_write_out_cache(struct btrfs_root *root, struct inode *inode,
11557 + /* Lock all pages first so we can lock the extent safely. */
11558 + ret = io_ctl_prepare_pages(io_ctl, inode, 0);
11559 + if (ret)
11560 +- goto out;
11561 ++ goto out_unlock;
11562 +
11563 + lock_extent_bits(&BTRFS_I(inode)->io_tree, 0, i_size_read(inode) - 1,
11564 + 0, &cached_state);
11565 +@@ -1353,6 +1353,7 @@ out_nospc_locked:
11566 + out_nospc:
11567 + cleanup_write_cache_enospc(inode, io_ctl, &cached_state, &bitmap_list);
11568 +
11569 ++out_unlock:
11570 + if (block_group && (block_group->flags & BTRFS_BLOCK_GROUP_DATA))
11571 + up_write(&block_group->data_rwsem);
11572 +
11573 +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
11574 +index d14af5bd13d6..884e90e9622a 100644
11575 +--- a/fs/btrfs/inode.c
11576 ++++ b/fs/btrfs/inode.c
11577 +@@ -1282,8 +1282,11 @@ next_slot:
11578 + leaf = path->nodes[0];
11579 + if (path->slots[0] >= btrfs_header_nritems(leaf)) {
11580 + ret = btrfs_next_leaf(root, path);
11581 +- if (ret < 0)
11582 ++ if (ret < 0) {
11583 ++ if (cow_start != (u64)-1)
11584 ++ cur_offset = cow_start;
11585 + goto error;
11586 ++ }
11587 + if (ret > 0)
11588 + break;
11589 + leaf = path->nodes[0];
11590 +@@ -1999,7 +2002,15 @@ again:
11591 + goto out;
11592 + }
11593 +
11594 +- btrfs_set_extent_delalloc(inode, page_start, page_end, &cached_state);
11595 ++ ret = btrfs_set_extent_delalloc(inode, page_start, page_end,
11596 ++ &cached_state);
11597 ++ if (ret) {
11598 ++ mapping_set_error(page->mapping, ret);
11599 ++ end_extent_writepage(page, ret, page_start, page_end);
11600 ++ ClearPageChecked(page);
11601 ++ goto out;
11602 ++ }
11603 ++
11604 + ClearPageChecked(page);
11605 + set_page_dirty(page);
11606 + out:
11607 +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
11608 +index 2b115c309e1c..b7f6b473cd16 100644
11609 +--- a/fs/btrfs/ioctl.c
11610 ++++ b/fs/btrfs/ioctl.c
11611 +@@ -2216,7 +2216,7 @@ static noinline int btrfs_search_path_in_tree(struct btrfs_fs_info *info,
11612 + if (!path)
11613 + return -ENOMEM;
11614 +
11615 +- ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX];
11616 ++ ptr = &name[BTRFS_INO_LOOKUP_PATH_MAX - 1];
11617 +
11618 + key.objectid = tree_id;
11619 + key.type = BTRFS_ROOT_ITEM_KEY;
11620 +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
11621 +index 6ee954c62fe6..f355bd2d6ad8 100644
11622 +--- a/fs/btrfs/tree-log.c
11623 ++++ b/fs/btrfs/tree-log.c
11624 +@@ -26,6 +26,7 @@
11625 + #include "print-tree.h"
11626 + #include "backref.h"
11627 + #include "hash.h"
11628 ++#include "inode-map.h"
11629 +
11630 + /* magic values for the inode_only field in btrfs_log_inode:
11631 + *
11632 +@@ -2343,6 +2344,9 @@ static noinline int walk_down_log_tree(struct btrfs_trans_handle *trans,
11633 + next);
11634 + btrfs_wait_tree_block_writeback(next);
11635 + btrfs_tree_unlock(next);
11636 ++ } else {
11637 ++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
11638 ++ clear_extent_buffer_dirty(next);
11639 + }
11640 +
11641 + WARN_ON(root_owner !=
11642 +@@ -2422,6 +2426,9 @@ static noinline int walk_up_log_tree(struct btrfs_trans_handle *trans,
11643 + next);
11644 + btrfs_wait_tree_block_writeback(next);
11645 + btrfs_tree_unlock(next);
11646 ++ } else {
11647 ++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
11648 ++ clear_extent_buffer_dirty(next);
11649 + }
11650 +
11651 + WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID);
11652 +@@ -2498,6 +2505,9 @@ static int walk_log_tree(struct btrfs_trans_handle *trans,
11653 + clean_tree_block(trans, log->fs_info, next);
11654 + btrfs_wait_tree_block_writeback(next);
11655 + btrfs_tree_unlock(next);
11656 ++ } else {
11657 ++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
11658 ++ clear_extent_buffer_dirty(next);
11659 + }
11660 +
11661 + WARN_ON(log->root_key.objectid !=
11662 +@@ -5294,6 +5304,23 @@ again:
11663 + path);
11664 + }
11665 +
11666 ++ if (!ret && wc.stage == LOG_WALK_REPLAY_ALL) {
11667 ++ struct btrfs_root *root = wc.replay_dest;
11668 ++
11669 ++ btrfs_release_path(path);
11670 ++
11671 ++ /*
11672 ++ * We have just replayed everything, and the highest
11673 ++ * objectid of fs roots probably has changed in case
11674 ++ * some inode_item's got replayed.
11675 ++ *
11676 ++ * root->objectid_mutex is not acquired as log replay
11677 ++ * could only happen during mount.
11678 ++ */
11679 ++ ret = btrfs_find_highest_objectid(root,
11680 ++ &root->highest_objectid);
11681 ++ }
11682 ++
11683 + key.offset = found_key.offset - 1;
11684 + wc.replay_dest->log_root = NULL;
11685 + free_extent_buffer(log->node);
11686 +diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
11687 +index 4acbc390a7d6..1d707a67f8ac 100644
11688 +--- a/fs/cifs/cifsencrypt.c
11689 ++++ b/fs/cifs/cifsencrypt.c
11690 +@@ -306,9 +306,8 @@ int calc_lanman_hash(const char *password, const char *cryptkey, bool encrypt,
11691 + {
11692 + int i;
11693 + int rc;
11694 +- char password_with_pad[CIFS_ENCPWD_SIZE];
11695 ++ char password_with_pad[CIFS_ENCPWD_SIZE] = {0};
11696 +
11697 +- memset(password_with_pad, 0, CIFS_ENCPWD_SIZE);
11698 + if (password)
11699 + strncpy(password_with_pad, password, CIFS_ENCPWD_SIZE);
11700 +
11701 +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
11702 +index a2c100aed4b0..d733df946cc6 100644
11703 +--- a/fs/cifs/connect.c
11704 ++++ b/fs/cifs/connect.c
11705 +@@ -1635,7 +1635,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
11706 + tmp_end++;
11707 + if (!(tmp_end < end && tmp_end[1] == delim)) {
11708 + /* No it is not. Set the password to NULL */
11709 +- kfree(vol->password);
11710 ++ kzfree(vol->password);
11711 + vol->password = NULL;
11712 + break;
11713 + }
11714 +@@ -1673,7 +1673,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
11715 + options = end;
11716 + }
11717 +
11718 +- kfree(vol->password);
11719 ++ kzfree(vol->password);
11720 + /* Now build new password string */
11721 + temp_len = strlen(value);
11722 + vol->password = kzalloc(temp_len+1, GFP_KERNEL);
11723 +@@ -4038,7 +4038,7 @@ cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid)
11724 + reset_cifs_unix_caps(0, tcon, NULL, vol_info);
11725 + out:
11726 + kfree(vol_info->username);
11727 +- kfree(vol_info->password);
11728 ++ kzfree(vol_info->password);
11729 + kfree(vol_info);
11730 +
11731 + return tcon;
11732 +diff --git a/fs/cifs/file.c b/fs/cifs/file.c
11733 +index 47e04038a846..1366d2151389 100644
11734 +--- a/fs/cifs/file.c
11735 ++++ b/fs/cifs/file.c
11736 +@@ -3231,20 +3231,18 @@ static struct vm_operations_struct cifs_file_vm_ops = {
11737 +
11738 + int cifs_file_strict_mmap(struct file *file, struct vm_area_struct *vma)
11739 + {
11740 +- int rc, xid;
11741 ++ int xid, rc = 0;
11742 + struct inode *inode = file_inode(file);
11743 +
11744 + xid = get_xid();
11745 +
11746 +- if (!CIFS_CACHE_READ(CIFS_I(inode))) {
11747 ++ if (!CIFS_CACHE_READ(CIFS_I(inode)))
11748 + rc = cifs_zap_mapping(inode);
11749 +- if (rc)
11750 +- return rc;
11751 +- }
11752 +-
11753 +- rc = generic_file_mmap(file, vma);
11754 +- if (rc == 0)
11755 ++ if (!rc)
11756 ++ rc = generic_file_mmap(file, vma);
11757 ++ if (!rc)
11758 + vma->vm_ops = &cifs_file_vm_ops;
11759 ++
11760 + free_xid(xid);
11761 + return rc;
11762 + }
11763 +@@ -3254,16 +3252,16 @@ int cifs_file_mmap(struct file *file, struct vm_area_struct *vma)
11764 + int rc, xid;
11765 +
11766 + xid = get_xid();
11767 ++
11768 + rc = cifs_revalidate_file(file);
11769 +- if (rc) {
11770 ++ if (rc)
11771 + cifs_dbg(FYI, "Validation prior to mmap failed, error=%d\n",
11772 + rc);
11773 +- free_xid(xid);
11774 +- return rc;
11775 +- }
11776 +- rc = generic_file_mmap(file, vma);
11777 +- if (rc == 0)
11778 ++ if (!rc)
11779 ++ rc = generic_file_mmap(file, vma);
11780 ++ if (!rc)
11781 + vma->vm_ops = &cifs_file_vm_ops;
11782 ++
11783 + free_xid(xid);
11784 + return rc;
11785 + }
11786 +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
11787 +index 8442b8b8e0be..a9b68cb38c12 100644
11788 +--- a/fs/cifs/misc.c
11789 ++++ b/fs/cifs/misc.c
11790 +@@ -99,14 +99,11 @@ sesInfoFree(struct cifs_ses *buf_to_free)
11791 + kfree(buf_to_free->serverOS);
11792 + kfree(buf_to_free->serverDomain);
11793 + kfree(buf_to_free->serverNOS);
11794 +- if (buf_to_free->password) {
11795 +- memset(buf_to_free->password, 0, strlen(buf_to_free->password));
11796 +- kfree(buf_to_free->password);
11797 +- }
11798 ++ kzfree(buf_to_free->password);
11799 + kfree(buf_to_free->user_name);
11800 + kfree(buf_to_free->domainName);
11801 +- kfree(buf_to_free->auth_key.response);
11802 +- kfree(buf_to_free);
11803 ++ kzfree(buf_to_free->auth_key.response);
11804 ++ kzfree(buf_to_free);
11805 + }
11806 +
11807 + struct cifs_tcon *
11808 +@@ -136,10 +133,7 @@ tconInfoFree(struct cifs_tcon *buf_to_free)
11809 + }
11810 + atomic_dec(&tconInfoAllocCount);
11811 + kfree(buf_to_free->nativeFileSystem);
11812 +- if (buf_to_free->password) {
11813 +- memset(buf_to_free->password, 0, strlen(buf_to_free->password));
11814 +- kfree(buf_to_free->password);
11815 +- }
11816 ++ kzfree(buf_to_free->password);
11817 + kfree(buf_to_free);
11818 + }
11819 +
11820 +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
11821 +index 0cf4a76e8e94..69422157c71b 100644
11822 +--- a/fs/cifs/smb2pdu.c
11823 ++++ b/fs/cifs/smb2pdu.c
11824 +@@ -507,8 +507,7 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon)
11825 + }
11826 +
11827 + /* check validate negotiate info response matches what we got earlier */
11828 +- if (pneg_rsp->Dialect !=
11829 +- cpu_to_le16(tcon->ses->server->vals->protocol_id))
11830 ++ if (pneg_rsp->Dialect != cpu_to_le16(tcon->ses->server->dialect))
11831 + goto vneg_out;
11832 +
11833 + if (pneg_rsp->SecurityMode != cpu_to_le16(tcon->ses->server->sec_mode))
11834 +diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c
11835 +index d6aeb84e90b6..d882d873c5a3 100644
11836 +--- a/fs/ext2/acl.c
11837 ++++ b/fs/ext2/acl.c
11838 +@@ -178,11 +178,8 @@ ext2_get_acl(struct inode *inode, int type)
11839 + return acl;
11840 + }
11841 +
11842 +-/*
11843 +- * inode->i_mutex: down
11844 +- */
11845 +-int
11846 +-ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
11847 ++static int
11848 ++__ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
11849 + {
11850 + int name_index;
11851 + void *value = NULL;
11852 +@@ -192,13 +189,6 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
11853 + switch(type) {
11854 + case ACL_TYPE_ACCESS:
11855 + name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
11856 +- if (acl) {
11857 +- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
11858 +- if (error)
11859 +- return error;
11860 +- inode->i_ctime = CURRENT_TIME_SEC;
11861 +- mark_inode_dirty(inode);
11862 +- }
11863 + break;
11864 +
11865 + case ACL_TYPE_DEFAULT:
11866 +@@ -224,6 +214,24 @@ ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
11867 + return error;
11868 + }
11869 +
11870 ++/*
11871 ++ * inode->i_mutex: down
11872 ++ */
11873 ++int
11874 ++ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
11875 ++{
11876 ++ int error;
11877 ++
11878 ++ if (type == ACL_TYPE_ACCESS && acl) {
11879 ++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
11880 ++ if (error)
11881 ++ return error;
11882 ++ inode->i_ctime = CURRENT_TIME_SEC;
11883 ++ mark_inode_dirty(inode);
11884 ++ }
11885 ++ return __ext2_set_acl(inode, acl, type);
11886 ++}
11887 ++
11888 + /*
11889 + * Initialize the ACLs of a new inode. Called from ext2_new_inode.
11890 + *
11891 +@@ -241,12 +249,12 @@ ext2_init_acl(struct inode *inode, struct inode *dir)
11892 + return error;
11893 +
11894 + if (default_acl) {
11895 +- error = ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
11896 ++ error = __ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
11897 + posix_acl_release(default_acl);
11898 + }
11899 + if (acl) {
11900 + if (!error)
11901 +- error = ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
11902 ++ error = __ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
11903 + posix_acl_release(acl);
11904 + }
11905 + return error;
11906 +diff --git a/fs/ext4/crypto_fname.c b/fs/ext4/crypto_fname.c
11907 +index fded02f72299..b7a39a185d01 100644
11908 +--- a/fs/ext4/crypto_fname.c
11909 ++++ b/fs/ext4/crypto_fname.c
11910 +@@ -346,8 +346,9 @@ struct ext4_fname_crypto_ctx *ext4_get_fname_crypto_ctx(
11911 + if (res == 0)
11912 + return NULL;
11913 +
11914 +- if (!ext4_has_encryption_key(inode))
11915 +- ext4_generate_encryption_key(inode);
11916 ++ res = ext4_generate_encryption_key(inode);
11917 ++ if (res)
11918 ++ return ERR_PTR(res);
11919 +
11920 + /* Get a crypto context based on the key.
11921 + * A new context is allocated if no context matches the requested key.
11922 +diff --git a/fs/ext4/crypto_key.c b/fs/ext4/crypto_key.c
11923 +index 52170d0b7c40..4f9818719d61 100644
11924 +--- a/fs/ext4/crypto_key.c
11925 ++++ b/fs/ext4/crypto_key.c
11926 +@@ -99,9 +99,17 @@ int ext4_generate_encryption_key(struct inode *inode)
11927 + struct ext4_encryption_context ctx;
11928 + struct user_key_payload *ukp;
11929 + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
11930 +- int res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION,
11931 +- EXT4_XATTR_NAME_ENCRYPTION_CONTEXT,
11932 +- &ctx, sizeof(ctx));
11933 ++ int res;
11934 ++
11935 ++ mutex_lock(&ei->i_encryption_lock);
11936 ++ if (ext4_has_encryption_key(inode)) {
11937 ++ mutex_unlock(&ei->i_encryption_lock);
11938 ++ return 0;
11939 ++ }
11940 ++
11941 ++ res = ext4_xattr_get(inode, EXT4_XATTR_INDEX_ENCRYPTION,
11942 ++ EXT4_XATTR_NAME_ENCRYPTION_CONTEXT,
11943 ++ &ctx, sizeof(ctx));
11944 +
11945 + if (res != sizeof(ctx)) {
11946 + if (res > 0)
11947 +@@ -154,6 +162,7 @@ out:
11948 + key_put(keyring_key);
11949 + if (res < 0)
11950 + crypt_key->mode = EXT4_ENCRYPTION_MODE_INVALID;
11951 ++ mutex_unlock(&ei->i_encryption_lock);
11952 + return res;
11953 + }
11954 +
11955 +diff --git a/fs/ext4/crypto_policy.c b/fs/ext4/crypto_policy.c
11956 +index a6d6291aea16..591fc37dcd9e 100644
11957 +--- a/fs/ext4/crypto_policy.c
11958 ++++ b/fs/ext4/crypto_policy.c
11959 +@@ -85,6 +85,9 @@ static int ext4_create_encryption_context_from_policy(
11960 + int ext4_process_policy(const struct ext4_encryption_policy *policy,
11961 + struct inode *inode)
11962 + {
11963 ++ if (!inode_owner_or_capable(inode))
11964 ++ return -EACCES;
11965 ++
11966 + if (policy->version != 0)
11967 + return -EINVAL;
11968 +
11969 +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
11970 +index df67a6f8582a..01771ed4529d 100644
11971 +--- a/fs/ext4/ext4.h
11972 ++++ b/fs/ext4/ext4.h
11973 +@@ -989,6 +989,7 @@ struct ext4_inode_info {
11974 + #ifdef CONFIG_EXT4_FS_ENCRYPTION
11975 + /* Encryption params */
11976 + struct ext4_encryption_key i_encryption_key;
11977 ++ struct mutex i_encryption_lock;
11978 + #endif
11979 + };
11980 +
11981 +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
11982 +index 4196aa567784..dbe1ff511794 100644
11983 +--- a/fs/ext4/ioctl.c
11984 ++++ b/fs/ext4/ioctl.c
11985 +@@ -630,6 +630,9 @@ resizefs_out:
11986 + struct ext4_encryption_policy policy;
11987 + int err = 0;
11988 +
11989 ++ if (!ext4_sb_has_crypto(sb))
11990 ++ return -EOPNOTSUPP;
11991 ++
11992 + if (copy_from_user(&policy,
11993 + (struct ext4_encryption_policy __user *)arg,
11994 + sizeof(policy))) {
11995 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
11996 +index b29a7ef4953e..c67056a8c901 100644
11997 +--- a/fs/ext4/super.c
11998 ++++ b/fs/ext4/super.c
11999 +@@ -669,6 +669,7 @@ __acquires(bitlock)
12000 + }
12001 +
12002 + ext4_unlock_group(sb, grp);
12003 ++ ext4_commit_super(sb, 1);
12004 + ext4_handle_error(sb);
12005 + /*
12006 + * We only get here in the ERRORS_RO case; relocking the group
12007 +@@ -948,6 +949,9 @@ static void init_once(void *foo)
12008 + init_rwsem(&ei->xattr_sem);
12009 + init_rwsem(&ei->i_data_sem);
12010 + init_rwsem(&ei->i_mmap_sem);
12011 ++#ifdef CONFIG_EXT4_FS_ENCRYPTION
12012 ++ mutex_init(&ei->i_encryption_lock);
12013 ++#endif
12014 + inode_init_once(&ei->vfs_inode);
12015 + }
12016 +
12017 +diff --git a/fs/fcntl.c b/fs/fcntl.c
12018 +index 62376451bbce..5df914943d96 100644
12019 +--- a/fs/fcntl.c
12020 ++++ b/fs/fcntl.c
12021 +@@ -113,6 +113,10 @@ void f_setown(struct file *filp, unsigned long arg, int force)
12022 + int who = arg;
12023 + type = PIDTYPE_PID;
12024 + if (who < 0) {
12025 ++ /* avoid overflow below */
12026 ++ if (who == INT_MIN)
12027 ++ return;
12028 ++
12029 + type = PIDTYPE_PGID;
12030 + who = -who;
12031 + }
12032 +diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
12033 +index 9ff28bc294c0..5d084638e1f8 100644
12034 +--- a/fs/kernfs/file.c
12035 ++++ b/fs/kernfs/file.c
12036 +@@ -272,7 +272,7 @@ static ssize_t kernfs_fop_write(struct file *file, const char __user *user_buf,
12037 + {
12038 + struct kernfs_open_file *of = kernfs_of(file);
12039 + const struct kernfs_ops *ops;
12040 +- size_t len;
12041 ++ ssize_t len;
12042 + char *buf;
12043 +
12044 + if (of->atomic_write_len) {
12045 +diff --git a/fs/locks.c b/fs/locks.c
12046 +index 3c234b9fbdd9..af6fcf6e0dd0 100644
12047 +--- a/fs/locks.c
12048 ++++ b/fs/locks.c
12049 +@@ -2192,10 +2192,12 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd,
12050 + error = do_lock_file_wait(filp, cmd, file_lock);
12051 +
12052 + /*
12053 +- * Attempt to detect a close/fcntl race and recover by
12054 +- * releasing the lock that was just acquired.
12055 ++ * Attempt to detect a close/fcntl race and recover by releasing the
12056 ++ * lock that was just acquired. There is no need to do that when we're
12057 ++ * unlocking though, or for OFD locks.
12058 + */
12059 +- if (!error && file_lock->fl_type != F_UNLCK) {
12060 ++ if (!error && file_lock->fl_type != F_UNLCK &&
12061 ++ !(file_lock->fl_flags & FL_OFDLCK)) {
12062 + /*
12063 + * We need that spin_lock here - it prevents reordering between
12064 + * update of i_flctx->flc_posix and check for it done in
12065 +@@ -2334,10 +2336,12 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd,
12066 + error = do_lock_file_wait(filp, cmd, file_lock);
12067 +
12068 + /*
12069 +- * Attempt to detect a close/fcntl race and recover by
12070 +- * releasing the lock that was just acquired.
12071 ++ * Attempt to detect a close/fcntl race and recover by releasing the
12072 ++ * lock that was just acquired. There is no need to do that when we're
12073 ++ * unlocking though, or for OFD locks.
12074 + */
12075 +- if (!error && file_lock->fl_type != F_UNLCK) {
12076 ++ if (!error && file_lock->fl_type != F_UNLCK &&
12077 ++ !(file_lock->fl_flags & FL_OFDLCK)) {
12078 + /*
12079 + * We need that spin_lock here - it prevents reordering between
12080 + * update of i_flctx->flc_posix and check for it done in
12081 +diff --git a/fs/namei.c b/fs/namei.c
12082 +index c7a6eabc02a5..0d97235019a9 100644
12083 +--- a/fs/namei.c
12084 ++++ b/fs/namei.c
12085 +@@ -1894,6 +1894,9 @@ static int path_init(int dfd, const struct filename *name, unsigned int flags,
12086 + int retval = 0;
12087 + const char *s = name->name;
12088 +
12089 ++ if (!*s)
12090 ++ flags &= ~LOOKUP_RCU;
12091 ++
12092 + nd->last_type = LAST_ROOT; /* if there are only slashes... */
12093 + nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
12094 + nd->depth = 0;
12095 +diff --git a/fs/ncpfs/dir.c b/fs/ncpfs/dir.c
12096 +index 0c2632386f35..d2c969d1d9d2 100644
12097 +--- a/fs/ncpfs/dir.c
12098 ++++ b/fs/ncpfs/dir.c
12099 +@@ -133,12 +133,11 @@ ncp_hash_dentry(const struct dentry *dentry, struct qstr *this)
12100 + return 0;
12101 +
12102 + if (!ncp_case_sensitive(inode)) {
12103 +- struct super_block *sb = dentry->d_sb;
12104 + struct nls_table *t;
12105 + unsigned long hash;
12106 + int i;
12107 +
12108 +- t = NCP_IO_TABLE(sb);
12109 ++ t = NCP_IO_TABLE(dentry->d_sb);
12110 + hash = init_name_hash();
12111 + for (i=0; i<this->len ; i++)
12112 + hash = partial_name_hash(ncp_tolower(t, this->name[i]),
12113 +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
12114 +index 38678d9a5cc4..cb050d1e8146 100644
12115 +--- a/fs/nfs/direct.c
12116 ++++ b/fs/nfs/direct.c
12117 +@@ -784,10 +784,8 @@ static void nfs_direct_write_completion(struct nfs_pgio_header *hdr)
12118 +
12119 + spin_lock(&dreq->lock);
12120 +
12121 +- if (test_bit(NFS_IOHDR_ERROR, &hdr->flags)) {
12122 +- dreq->flags = 0;
12123 ++ if (test_bit(NFS_IOHDR_ERROR, &hdr->flags))
12124 + dreq->error = hdr->error;
12125 +- }
12126 + if (dreq->error == 0) {
12127 + nfs_direct_good_bytes(dreq, hdr);
12128 + if (nfs_write_need_commit(hdr)) {
12129 +diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
12130 +index 2e1737c40a29..27c4970ed32f 100644
12131 +--- a/fs/nfs/nfs4idmap.c
12132 ++++ b/fs/nfs/nfs4idmap.c
12133 +@@ -582,9 +582,13 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons,
12134 + struct idmap_msg *im;
12135 + struct idmap *idmap = (struct idmap *)aux;
12136 + struct key *key = cons->key;
12137 +- int ret = -ENOMEM;
12138 ++ int ret = -ENOKEY;
12139 ++
12140 ++ if (!aux)
12141 ++ goto out1;
12142 +
12143 + /* msg and im are freed in idmap_pipe_destroy_msg */
12144 ++ ret = -ENOMEM;
12145 + data = kzalloc(sizeof(*data), GFP_KERNEL);
12146 + if (!data)
12147 + goto out1;
12148 +diff --git a/fs/nfs/write.c b/fs/nfs/write.c
12149 +index 51af4fff890f..209b39ef69dd 100644
12150 +--- a/fs/nfs/write.c
12151 ++++ b/fs/nfs/write.c
12152 +@@ -1728,6 +1728,8 @@ static void nfs_commit_release_pages(struct nfs_commit_data *data)
12153 + set_bit(NFS_CONTEXT_RESEND_WRITES, &req->wb_context->flags);
12154 + next:
12155 + nfs_unlock_and_release_request(req);
12156 ++ /* Latency breaker */
12157 ++ cond_resched();
12158 + }
12159 + nfss = NFS_SERVER(data->inode);
12160 + if (atomic_long_read(&nfss->writeback) < NFS_CONGESTION_OFF_THRESH)
12161 +diff --git a/fs/nfs_common/grace.c b/fs/nfs_common/grace.c
12162 +index ae6e58ea4de5..450954d5b7f6 100644
12163 +--- a/fs/nfs_common/grace.c
12164 ++++ b/fs/nfs_common/grace.c
12165 +@@ -85,7 +85,9 @@ grace_exit_net(struct net *net)
12166 + {
12167 + struct list_head *grace_list = net_generic(net, grace_net_id);
12168 +
12169 +- BUG_ON(!list_empty(grace_list));
12170 ++ WARN_ONCE(!list_empty(grace_list),
12171 ++ "net %x %s: grace_list is not empty\n",
12172 ++ net->ns.inum, __func__);
12173 + }
12174 +
12175 + static struct pernet_operations grace_net_ops = {
12176 +diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
12177 +index 9d46a0bdd9f9..67eb154af881 100644
12178 +--- a/fs/nfsd/auth.c
12179 ++++ b/fs/nfsd/auth.c
12180 +@@ -59,7 +59,11 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
12181 + GROUP_AT(gi, i) = exp->ex_anon_gid;
12182 + else
12183 + GROUP_AT(gi, i) = GROUP_AT(rqgi, i);
12184 ++
12185 + }
12186 ++
12187 ++ /* Each thread allocates its own gi, no race */
12188 ++ groups_sort(gi);
12189 + } else {
12190 + gi = get_group_info(rqgi);
12191 + }
12192 +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
12193 +index 529434f926f1..322cf41b5257 100644
12194 +--- a/fs/nfsd/nfs4state.c
12195 ++++ b/fs/nfsd/nfs4state.c
12196 +@@ -63,12 +63,16 @@ static const stateid_t zero_stateid = {
12197 + static const stateid_t currentstateid = {
12198 + .si_generation = 1,
12199 + };
12200 ++static const stateid_t close_stateid = {
12201 ++ .si_generation = 0xffffffffU,
12202 ++};
12203 +
12204 + static u64 current_sessionid = 1;
12205 +
12206 + #define ZERO_STATEID(stateid) (!memcmp((stateid), &zero_stateid, sizeof(stateid_t)))
12207 + #define ONE_STATEID(stateid) (!memcmp((stateid), &one_stateid, sizeof(stateid_t)))
12208 + #define CURRENT_STATEID(stateid) (!memcmp((stateid), &currentstateid, sizeof(stateid_t)))
12209 ++#define CLOSE_STATEID(stateid) (!memcmp((stateid), &close_stateid, sizeof(stateid_t)))
12210 +
12211 + /* forward declarations */
12212 + static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner);
12213 +@@ -4615,7 +4619,8 @@ static __be32 nfsd4_validate_stateid(struct nfs4_client *cl, stateid_t *stateid)
12214 + struct nfs4_stid *s;
12215 + __be32 status = nfserr_bad_stateid;
12216 +
12217 +- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
12218 ++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
12219 ++ CLOSE_STATEID(stateid))
12220 + return status;
12221 + /* Client debugging aid. */
12222 + if (!same_clid(&stateid->si_opaque.so_clid, &cl->cl_clientid)) {
12223 +@@ -4673,7 +4678,8 @@ nfsd4_lookup_stateid(struct nfsd4_compound_state *cstate,
12224 + else if (typemask & NFS4_DELEG_STID)
12225 + typemask |= NFS4_REVOKED_DELEG_STID;
12226 +
12227 +- if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
12228 ++ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
12229 ++ CLOSE_STATEID(stateid))
12230 + return nfserr_bad_stateid;
12231 + status = lookup_clientid(&stateid->si_opaque.so_clid, cstate, nn);
12232 + if (status == nfserr_stale_clientid) {
12233 +@@ -5107,6 +5113,11 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
12234 +
12235 + nfsd4_close_open_stateid(stp);
12236 +
12237 ++ /* See RFC5661 sectionm 18.2.4 */
12238 ++ if (stp->st_stid.sc_client->cl_minorversion)
12239 ++ memcpy(&close->cl_stateid, &close_stateid,
12240 ++ sizeof(close->cl_stateid));
12241 ++
12242 + /* put reference from nfs4_preprocess_seqid_op */
12243 + nfs4_put_stid(&stp->st_stid);
12244 + out:
12245 +diff --git a/fs/nsfs.c b/fs/nsfs.c
12246 +index 99521e7c492b..845f29e15ac9 100644
12247 +--- a/fs/nsfs.c
12248 ++++ b/fs/nsfs.c
12249 +@@ -94,6 +94,7 @@ slow:
12250 + return ERR_PTR(-ENOMEM);
12251 + }
12252 + d_instantiate(dentry, inode);
12253 ++ dentry->d_flags |= DCACHE_RCUACCESS;
12254 + dentry->d_fsdata = (void *)ns_ops;
12255 + d = atomic_long_cmpxchg(&ns->stashed, 0, (unsigned long)dentry);
12256 + if (d) {
12257 +diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
12258 +index adcb1398c481..299a6e1d6b77 100644
12259 +--- a/fs/overlayfs/readdir.c
12260 ++++ b/fs/overlayfs/readdir.c
12261 +@@ -441,10 +441,14 @@ static int ovl_dir_fsync(struct file *file, loff_t start, loff_t end,
12262 + struct dentry *dentry = file->f_path.dentry;
12263 + struct file *realfile = od->realfile;
12264 +
12265 ++ /* Nothing to sync for lower */
12266 ++ if (!OVL_TYPE_UPPER(ovl_path_type(dentry)))
12267 ++ return 0;
12268 ++
12269 + /*
12270 + * Need to check if we started out being a lower dir, but got copied up
12271 + */
12272 +- if (!od->is_upper && OVL_TYPE_UPPER(ovl_path_type(dentry))) {
12273 ++ if (!od->is_upper) {
12274 + struct inode *inode = file_inode(file);
12275 +
12276 + realfile = lockless_dereference(od->upperfile);
12277 +diff --git a/fs/pipe.c b/fs/pipe.c
12278 +index 5916c19dbb02..dbea65d88398 100644
12279 +--- a/fs/pipe.c
12280 ++++ b/fs/pipe.c
12281 +@@ -999,6 +999,9 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
12282 + {
12283 + struct pipe_buffer *bufs;
12284 +
12285 ++ if (!nr_pages)
12286 ++ return -EINVAL;
12287 ++
12288 + /*
12289 + * We can shrink the pipe, if arg >= pipe->nrbufs. Since we don't
12290 + * expect a lot of shrink+grow operations, just free and allocate
12291 +@@ -1043,13 +1046,19 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
12292 +
12293 + /*
12294 + * Currently we rely on the pipe array holding a power-of-2 number
12295 +- * of pages.
12296 ++ * of pages. Returns 0 on error.
12297 + */
12298 + static inline unsigned int round_pipe_size(unsigned int size)
12299 + {
12300 + unsigned long nr_pages;
12301 +
12302 ++ if (size < pipe_min_size)
12303 ++ size = pipe_min_size;
12304 ++
12305 + nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
12306 ++ if (nr_pages == 0)
12307 ++ return 0;
12308 ++
12309 + return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
12310 + }
12311 +
12312 +@@ -1060,13 +1069,18 @@ static inline unsigned int round_pipe_size(unsigned int size)
12313 + int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
12314 + size_t *lenp, loff_t *ppos)
12315 + {
12316 ++ unsigned int rounded_pipe_max_size;
12317 + int ret;
12318 +
12319 + ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
12320 + if (ret < 0 || !write)
12321 + return ret;
12322 +
12323 +- pipe_max_size = round_pipe_size(pipe_max_size);
12324 ++ rounded_pipe_max_size = round_pipe_size(pipe_max_size);
12325 ++ if (rounded_pipe_max_size == 0)
12326 ++ return -EINVAL;
12327 ++
12328 ++ pipe_max_size = rounded_pipe_max_size;
12329 + return ret;
12330 + }
12331 +
12332 +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
12333 +index 19c777ad0084..4f3b028e3a1f 100644
12334 +--- a/fs/quota/dquot.c
12335 ++++ b/fs/quota/dquot.c
12336 +@@ -2881,7 +2881,8 @@ static int __init dquot_init(void)
12337 + pr_info("VFS: Dquot-cache hash table entries: %ld (order %ld,"
12338 + " %ld bytes)\n", nr_hash, order, (PAGE_SIZE << order));
12339 +
12340 +- register_shrinker(&dqcache_shrinker);
12341 ++ if (register_shrinker(&dqcache_shrinker))
12342 ++ panic("Cannot register dquot shrinker");
12343 +
12344 + return 0;
12345 + }
12346 +diff --git a/fs/reiserfs/bitmap.c b/fs/reiserfs/bitmap.c
12347 +index dc198bc64c61..edc8ef78b63f 100644
12348 +--- a/fs/reiserfs/bitmap.c
12349 ++++ b/fs/reiserfs/bitmap.c
12350 +@@ -513,9 +513,17 @@ static void __discard_prealloc(struct reiserfs_transaction_handle *th,
12351 + "inode has negative prealloc blocks count.");
12352 + #endif
12353 + while (ei->i_prealloc_count > 0) {
12354 +- reiserfs_free_prealloc_block(th, inode, ei->i_prealloc_block);
12355 +- ei->i_prealloc_block++;
12356 ++ b_blocknr_t block_to_free;
12357 ++
12358 ++ /*
12359 ++ * reiserfs_free_prealloc_block can drop the write lock,
12360 ++ * which could allow another caller to free the same block.
12361 ++ * We can protect against it by modifying the prealloc
12362 ++ * state before calling it.
12363 ++ */
12364 ++ block_to_free = ei->i_prealloc_block++;
12365 + ei->i_prealloc_count--;
12366 ++ reiserfs_free_prealloc_block(th, inode, block_to_free);
12367 + dirty = 1;
12368 + }
12369 + if (dirty)
12370 +@@ -1128,7 +1136,7 @@ static int determine_prealloc_size(reiserfs_blocknr_hint_t * hint)
12371 + hint->prealloc_size = 0;
12372 +
12373 + if (!hint->formatted_node && hint->preallocate) {
12374 +- if (S_ISREG(hint->inode->i_mode)
12375 ++ if (S_ISREG(hint->inode->i_mode) && !IS_PRIVATE(hint->inode)
12376 + && hint->inode->i_size >=
12377 + REISERFS_SB(hint->th->t_super)->s_alloc_options.
12378 + preallocmin * hint->inode->i_sb->s_blocksize)
12379 +diff --git a/fs/reiserfs/lbalance.c b/fs/reiserfs/lbalance.c
12380 +index 249594a821e0..f5cebd70d903 100644
12381 +--- a/fs/reiserfs/lbalance.c
12382 ++++ b/fs/reiserfs/lbalance.c
12383 +@@ -475,7 +475,7 @@ static void leaf_item_bottle(struct buffer_info *dest_bi,
12384 + * 'cpy_bytes'; create new item header;
12385 + * n_ih = new item_header;
12386 + */
12387 +- memcpy(&n_ih, ih, SHORT_KEY_SIZE);
12388 ++ memcpy(&n_ih.ih_key, &ih->ih_key, KEY_SIZE);
12389 +
12390 + /* Endian safe, both le */
12391 + n_ih.ih_version = ih->ih_version;
12392 +diff --git a/fs/reiserfs/reiserfs.h b/fs/reiserfs/reiserfs.h
12393 +index 2adcde137c3f..5dcf3ab83886 100644
12394 +--- a/fs/reiserfs/reiserfs.h
12395 ++++ b/fs/reiserfs/reiserfs.h
12396 +@@ -1326,7 +1326,6 @@ struct cpu_key {
12397 + #define KEY_NOT_FOUND 0
12398 +
12399 + #define KEY_SIZE (sizeof(struct reiserfs_key))
12400 +-#define SHORT_KEY_SIZE (sizeof (__u32) + sizeof (__u32))
12401 +
12402 + /* return values for search_by_key and clones */
12403 + #define ITEM_FOUND 1
12404 +diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
12405 +index 9b1824f35501..91b036902a17 100644
12406 +--- a/fs/reiserfs/xattr_acl.c
12407 ++++ b/fs/reiserfs/xattr_acl.c
12408 +@@ -37,7 +37,14 @@ reiserfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
12409 + error = journal_begin(&th, inode->i_sb, jcreate_blocks);
12410 + reiserfs_write_unlock(inode->i_sb);
12411 + if (error == 0) {
12412 ++ if (type == ACL_TYPE_ACCESS && acl) {
12413 ++ error = posix_acl_update_mode(inode, &inode->i_mode,
12414 ++ &acl);
12415 ++ if (error)
12416 ++ goto unlock;
12417 ++ }
12418 + error = __reiserfs_set_acl(&th, inode, type, acl);
12419 ++unlock:
12420 + reiserfs_write_lock(inode->i_sb);
12421 + error2 = journal_end(&th);
12422 + reiserfs_write_unlock(inode->i_sb);
12423 +@@ -245,11 +252,6 @@ __reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode,
12424 + switch (type) {
12425 + case ACL_TYPE_ACCESS:
12426 + name = POSIX_ACL_XATTR_ACCESS;
12427 +- if (acl) {
12428 +- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
12429 +- if (error)
12430 +- return error;
12431 +- }
12432 + break;
12433 + case ACL_TYPE_DEFAULT:
12434 + name = POSIX_ACL_XATTR_DEFAULT;
12435 +diff --git a/fs/select.c b/fs/select.c
12436 +index f684c750e08a..f7e6fc7bf83c 100644
12437 +--- a/fs/select.c
12438 ++++ b/fs/select.c
12439 +@@ -29,6 +29,7 @@
12440 + #include <linux/sched/rt.h>
12441 + #include <linux/freezer.h>
12442 + #include <net/busy_poll.h>
12443 ++#include <linux/vmalloc.h>
12444 +
12445 + #include <asm/uaccess.h>
12446 +
12447 +@@ -550,7 +551,7 @@ int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
12448 + fd_set_bits fds;
12449 + void *bits;
12450 + int ret, max_fds;
12451 +- unsigned int size;
12452 ++ size_t size, alloc_size;
12453 + struct fdtable *fdt;
12454 + /* Allocate small arguments on the stack to save memory and be faster */
12455 + long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
12456 +@@ -577,7 +578,14 @@ int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
12457 + if (size > sizeof(stack_fds) / 6) {
12458 + /* Not enough space in on-stack array; must use kmalloc */
12459 + ret = -ENOMEM;
12460 +- bits = kmalloc(6 * size, GFP_KERNEL);
12461 ++ if (size > (SIZE_MAX / 6))
12462 ++ goto out_nofds;
12463 ++
12464 ++ alloc_size = 6 * size;
12465 ++ bits = kmalloc(alloc_size, GFP_KERNEL|__GFP_NOWARN);
12466 ++ if (!bits && alloc_size > PAGE_SIZE)
12467 ++ bits = vmalloc(alloc_size);
12468 ++
12469 + if (!bits)
12470 + goto out_nofds;
12471 + }
12472 +@@ -614,7 +622,7 @@ int core_sys_select(int n, fd_set __user *inp, fd_set __user *outp,
12473 +
12474 + out:
12475 + if (bits != stack_fds)
12476 +- kfree(bits);
12477 ++ kvfree(bits);
12478 + out_nofds:
12479 + return ret;
12480 + }
12481 +diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
12482 +index a56960dd1684..123ec87efac0 100644
12483 +--- a/fs/xfs/xfs_aops.c
12484 ++++ b/fs/xfs/xfs_aops.c
12485 +@@ -303,7 +303,7 @@ xfs_map_blocks(
12486 + (ip->i_df.if_flags & XFS_IFEXTENTS));
12487 + ASSERT(offset <= mp->m_super->s_maxbytes);
12488 +
12489 +- if (offset + count > mp->m_super->s_maxbytes)
12490 ++ if ((xfs_ufsize_t)offset + count > mp->m_super->s_maxbytes)
12491 + count = mp->m_super->s_maxbytes - offset;
12492 + end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + count);
12493 + offset_fsb = XFS_B_TO_FSBT(mp, offset);
12494 +@@ -1332,7 +1332,7 @@ xfs_map_trim_size(
12495 + if (mapping_size > size)
12496 + mapping_size = size;
12497 + if (offset < i_size_read(inode) &&
12498 +- offset + mapping_size >= i_size_read(inode)) {
12499 ++ (xfs_ufsize_t)offset + mapping_size >= i_size_read(inode)) {
12500 + /* limit mapping to block that spans EOF */
12501 + mapping_size = roundup_64(i_size_read(inode) - offset,
12502 + 1 << inode->i_blkbits);
12503 +@@ -1387,7 +1387,7 @@ __xfs_get_blocks(
12504 + }
12505 +
12506 + ASSERT(offset <= mp->m_super->s_maxbytes);
12507 +- if (offset + size > mp->m_super->s_maxbytes)
12508 ++ if ((xfs_ufsize_t)offset + size > mp->m_super->s_maxbytes)
12509 + size = mp->m_super->s_maxbytes - offset;
12510 + end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + size);
12511 + offset_fsb = XFS_B_TO_FSBT(mp, offset);
12512 +diff --git a/include/asm-generic/asm-prototypes.h b/include/asm-generic/asm-prototypes.h
12513 +new file mode 100644
12514 +index 000000000000..df13637e4017
12515 +--- /dev/null
12516 ++++ b/include/asm-generic/asm-prototypes.h
12517 +@@ -0,0 +1,7 @@
12518 ++#include <linux/bitops.h>
12519 ++extern void *__memset(void *, int, __kernel_size_t);
12520 ++extern void *__memcpy(void *, const void *, __kernel_size_t);
12521 ++extern void *__memmove(void *, const void *, __kernel_size_t);
12522 ++extern void *memset(void *, int, __kernel_size_t);
12523 ++extern void *memcpy(void *, const void *, __kernel_size_t);
12524 ++extern void *memmove(void *, const void *, __kernel_size_t);
12525 +diff --git a/include/asm-generic/export.h b/include/asm-generic/export.h
12526 +new file mode 100644
12527 +index 000000000000..43199a049da5
12528 +--- /dev/null
12529 ++++ b/include/asm-generic/export.h
12530 +@@ -0,0 +1,94 @@
12531 ++#ifndef __ASM_GENERIC_EXPORT_H
12532 ++#define __ASM_GENERIC_EXPORT_H
12533 ++
12534 ++#ifndef KSYM_FUNC
12535 ++#define KSYM_FUNC(x) x
12536 ++#endif
12537 ++#ifdef CONFIG_64BIT
12538 ++#define __put .quad
12539 ++#ifndef KSYM_ALIGN
12540 ++#define KSYM_ALIGN 8
12541 ++#endif
12542 ++#ifndef KCRC_ALIGN
12543 ++#define KCRC_ALIGN 8
12544 ++#endif
12545 ++#else
12546 ++#define __put .long
12547 ++#ifndef KSYM_ALIGN
12548 ++#define KSYM_ALIGN 4
12549 ++#endif
12550 ++#ifndef KCRC_ALIGN
12551 ++#define KCRC_ALIGN 4
12552 ++#endif
12553 ++#endif
12554 ++
12555 ++#ifdef CONFIG_HAVE_UNDERSCORE_SYMBOL_PREFIX
12556 ++#define KSYM(name) _##name
12557 ++#else
12558 ++#define KSYM(name) name
12559 ++#endif
12560 ++
12561 ++/*
12562 ++ * note on .section use: @progbits vs %progbits nastiness doesn't matter,
12563 ++ * since we immediately emit into those sections anyway.
12564 ++ */
12565 ++.macro ___EXPORT_SYMBOL name,val,sec
12566 ++#ifdef CONFIG_MODULES
12567 ++ .globl KSYM(__ksymtab_\name)
12568 ++ .section ___ksymtab\sec+\name,"a"
12569 ++ .balign KSYM_ALIGN
12570 ++KSYM(__ksymtab_\name):
12571 ++ __put \val, KSYM(__kstrtab_\name)
12572 ++ .previous
12573 ++ .section __ksymtab_strings,"a"
12574 ++KSYM(__kstrtab_\name):
12575 ++#ifdef CONFIG_HAVE_UNDERSCORE_SYMBOL_PREFIX
12576 ++ .asciz "_\name"
12577 ++#else
12578 ++ .asciz "\name"
12579 ++#endif
12580 ++ .previous
12581 ++#ifdef CONFIG_MODVERSIONS
12582 ++ .section ___kcrctab\sec+\name,"a"
12583 ++ .balign KCRC_ALIGN
12584 ++KSYM(__kcrctab_\name):
12585 ++ __put KSYM(__crc_\name)
12586 ++ .weak KSYM(__crc_\name)
12587 ++ .previous
12588 ++#endif
12589 ++#endif
12590 ++.endm
12591 ++#undef __put
12592 ++
12593 ++#if defined(__KSYM_DEPS__)
12594 ++
12595 ++#define __EXPORT_SYMBOL(sym, val, sec) === __KSYM_##sym ===
12596 ++
12597 ++#elif defined(CONFIG_TRIM_UNUSED_KSYMS)
12598 ++
12599 ++#include <linux/kconfig.h>
12600 ++#include <generated/autoksyms.h>
12601 ++
12602 ++#define __EXPORT_SYMBOL(sym, val, sec) \
12603 ++ __cond_export_sym(sym, val, sec, config_enabled(__KSYM_##sym))
12604 ++#define __cond_export_sym(sym, val, sec, conf) \
12605 ++ ___cond_export_sym(sym, val, sec, conf)
12606 ++#define ___cond_export_sym(sym, val, sec, enabled) \
12607 ++ __cond_export_sym_##enabled(sym, val, sec)
12608 ++#define __cond_export_sym_1(sym, val, sec) ___EXPORT_SYMBOL sym, val, sec
12609 ++#define __cond_export_sym_0(sym, val, sec) /* nothing */
12610 ++
12611 ++#else
12612 ++#define __EXPORT_SYMBOL(sym, val, sec) ___EXPORT_SYMBOL sym, val, sec
12613 ++#endif
12614 ++
12615 ++#define EXPORT_SYMBOL(name) \
12616 ++ __EXPORT_SYMBOL(name, KSYM_FUNC(KSYM(name)),)
12617 ++#define EXPORT_SYMBOL_GPL(name) \
12618 ++ __EXPORT_SYMBOL(name, KSYM_FUNC(KSYM(name)), _gpl)
12619 ++#define EXPORT_DATA_SYMBOL(name) \
12620 ++ __EXPORT_SYMBOL(name, KSYM(name),)
12621 ++#define EXPORT_DATA_SYMBOL_GPL(name) \
12622 ++ __EXPORT_SYMBOL(name, KSYM(name),_gpl)
12623 ++
12624 ++#endif
12625 +diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
12626 +index 9779c35f8454..dab9569f22bf 100644
12627 +--- a/include/crypto/internal/hash.h
12628 ++++ b/include/crypto/internal/hash.h
12629 +@@ -91,6 +91,8 @@ static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
12630 + return alg->setkey != shash_no_setkey;
12631 + }
12632 +
12633 ++bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg);
12634 ++
12635 + int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn,
12636 + struct hash_alg_common *alg,
12637 + struct crypto_instance *inst);
12638 +diff --git a/include/crypto/mcryptd.h b/include/crypto/mcryptd.h
12639 +index c23ee1f7ee80..c2ff077168d3 100644
12640 +--- a/include/crypto/mcryptd.h
12641 ++++ b/include/crypto/mcryptd.h
12642 +@@ -26,6 +26,7 @@ static inline struct mcryptd_ahash *__mcryptd_ahash_cast(
12643 +
12644 + struct mcryptd_cpu_queue {
12645 + struct crypto_queue queue;
12646 ++ spinlock_t q_lock;
12647 + struct work_struct work;
12648 + };
12649 +
12650 +diff --git a/include/linux/cacheinfo.h b/include/linux/cacheinfo.h
12651 +index 3daf5ed392c9..4b97ae264388 100644
12652 +--- a/include/linux/cacheinfo.h
12653 ++++ b/include/linux/cacheinfo.h
12654 +@@ -71,6 +71,7 @@ struct cpu_cacheinfo {
12655 + struct cacheinfo *info_list;
12656 + unsigned int num_levels;
12657 + unsigned int num_leaves;
12658 ++ bool cpu_map_populated;
12659 + };
12660 +
12661 + /*
12662 +diff --git a/include/linux/cred.h b/include/linux/cred.h
12663 +index 8b6c083e68a7..536d873ad6e5 100644
12664 +--- a/include/linux/cred.h
12665 ++++ b/include/linux/cred.h
12666 +@@ -87,6 +87,7 @@ extern int set_current_groups(struct group_info *);
12667 + extern void set_groups(struct cred *, struct group_info *);
12668 + extern int groups_search(const struct group_info *, kgid_t);
12669 + extern bool may_setgroups(void);
12670 ++extern void groups_sort(struct group_info *);
12671 +
12672 + /* access the groups "array" with this macro */
12673 + #define GROUP_AT(gi, i) \
12674 +diff --git a/include/linux/device.h b/include/linux/device.h
12675 +index 98a1d9748eec..84a1c7e49c51 100644
12676 +--- a/include/linux/device.h
12677 ++++ b/include/linux/device.h
12678 +@@ -1208,8 +1208,11 @@ do { \
12679 + dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__); \
12680 + } while (0)
12681 + #else
12682 +-#define dev_dbg_ratelimited(dev, fmt, ...) \
12683 +- no_printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__)
12684 ++#define dev_dbg_ratelimited(dev, fmt, ...) \
12685 ++do { \
12686 ++ if (0) \
12687 ++ dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__); \
12688 ++} while (0)
12689 + #endif
12690 +
12691 + #ifdef VERBOSE_DEBUG
12692 +diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h
12693 +index 230f87bdf5ad..2c084871e833 100644
12694 +--- a/include/linux/fdtable.h
12695 ++++ b/include/linux/fdtable.h
12696 +@@ -9,6 +9,7 @@
12697 + #include <linux/compiler.h>
12698 + #include <linux/spinlock.h>
12699 + #include <linux/rcupdate.h>
12700 ++#include <linux/nospec.h>
12701 + #include <linux/types.h>
12702 + #include <linux/init.h>
12703 + #include <linux/fs.h>
12704 +@@ -76,8 +77,10 @@ static inline struct file *__fcheck_files(struct files_struct *files, unsigned i
12705 + {
12706 + struct fdtable *fdt = rcu_dereference_raw(files->fdt);
12707 +
12708 +- if (fd < fdt->max_fds)
12709 ++ if (fd < fdt->max_fds) {
12710 ++ fd = array_index_nospec(fd, fdt->max_fds);
12711 + return rcu_dereference_raw(fdt->fd[fd]);
12712 ++ }
12713 + return NULL;
12714 + }
12715 +
12716 +diff --git a/include/linux/fscache.h b/include/linux/fscache.h
12717 +index 115bb81912cc..94a8aae8f9e2 100644
12718 +--- a/include/linux/fscache.h
12719 ++++ b/include/linux/fscache.h
12720 +@@ -764,7 +764,7 @@ bool fscache_maybe_release_page(struct fscache_cookie *cookie,
12721 + {
12722 + if (fscache_cookie_valid(cookie) && PageFsCache(page))
12723 + return __fscache_maybe_release_page(cookie, page, gfp);
12724 +- return false;
12725 ++ return true;
12726 + }
12727 +
12728 + /**
12729 +diff --git a/include/linux/init.h b/include/linux/init.h
12730 +index 21b6d768edd7..5f4d931095ce 100644
12731 +--- a/include/linux/init.h
12732 ++++ b/include/linux/init.h
12733 +@@ -4,6 +4,13 @@
12734 + #include <linux/compiler.h>
12735 + #include <linux/types.h>
12736 +
12737 ++/* Built-in __init functions needn't be compiled with retpoline */
12738 ++#if defined(RETPOLINE) && !defined(MODULE)
12739 ++#define __noretpoline __attribute__((indirect_branch("keep")))
12740 ++#else
12741 ++#define __noretpoline
12742 ++#endif
12743 ++
12744 + /* These macros are used to mark some functions or
12745 + * initialized data (doesn't apply to uninitialized data)
12746 + * as `initialization' functions. The kernel can take this
12747 +@@ -39,7 +46,7 @@
12748 +
12749 + /* These are for everybody (although not all archs will actually
12750 + discard it in modules) */
12751 +-#define __init __section(.init.text) __cold notrace
12752 ++#define __init __section(.init.text) __cold notrace __noretpoline
12753 + #define __initdata __section(.init.data)
12754 + #define __initconst __constsection(.init.rodata)
12755 + #define __exitdata __section(.exit.data)
12756 +diff --git a/include/linux/kconfig.h b/include/linux/kconfig.h
12757 +index b33c7797eb57..a94b5bf57f51 100644
12758 +--- a/include/linux/kconfig.h
12759 ++++ b/include/linux/kconfig.h
12760 +@@ -17,10 +17,11 @@
12761 + * the last step cherry picks the 2nd arg, we get a zero.
12762 + */
12763 + #define __ARG_PLACEHOLDER_1 0,
12764 +-#define config_enabled(cfg) _config_enabled(cfg)
12765 +-#define _config_enabled(value) __config_enabled(__ARG_PLACEHOLDER_##value)
12766 +-#define __config_enabled(arg1_or_junk) ___config_enabled(arg1_or_junk 1, 0)
12767 +-#define ___config_enabled(__ignored, val, ...) val
12768 ++#define config_enabled(cfg) ___is_defined(cfg)
12769 ++#define __is_defined(x) ___is_defined(x)
12770 ++#define ___is_defined(val) ____is_defined(__ARG_PLACEHOLDER_##val)
12771 ++#define ____is_defined(arg1_or_junk) __take_second_arg(arg1_or_junk 1, 0)
12772 ++#define __take_second_arg(__ignored, val, ...) val
12773 +
12774 + /*
12775 + * IS_BUILTIN(CONFIG_FOO) evaluates to 1 if CONFIG_FOO is set to 'y', 0
12776 +@@ -42,7 +43,7 @@
12777 + * built-in code when CONFIG_FOO is set to 'm'.
12778 + */
12779 + #define IS_REACHABLE(option) (config_enabled(option) || \
12780 +- (config_enabled(option##_MODULE) && config_enabled(MODULE)))
12781 ++ (config_enabled(option##_MODULE) && __is_defined(MODULE)))
12782 +
12783 + /*
12784 + * IS_ENABLED(CONFIG_FOO) evaluates to 1 if CONFIG_FOO is set to 'y' or 'm',
12785 +diff --git a/include/linux/ktime.h b/include/linux/ktime.h
12786 +index 2b6a204bd8d4..3ffc69ebe967 100644
12787 +--- a/include/linux/ktime.h
12788 ++++ b/include/linux/ktime.h
12789 +@@ -63,6 +63,13 @@ static inline ktime_t ktime_set(const s64 secs, const unsigned long nsecs)
12790 + #define ktime_add(lhs, rhs) \
12791 + ({ (ktime_t){ .tv64 = (lhs).tv64 + (rhs).tv64 }; })
12792 +
12793 ++/*
12794 ++ * Same as ktime_add(), but avoids undefined behaviour on overflow; however,
12795 ++ * this means that you must check the result for overflow yourself.
12796 ++ */
12797 ++#define ktime_add_unsafe(lhs, rhs) \
12798 ++ ({ (ktime_t){ .tv64 = (u64) (lhs).tv64 + (rhs).tv64 }; })
12799 ++
12800 + /*
12801 + * Add a ktime_t variable and a scalar nanosecond value.
12802 + * res = kt + nsval:
12803 +diff --git a/include/linux/mmu_context.h b/include/linux/mmu_context.h
12804 +index 70fffeba7495..a4441784503b 100644
12805 +--- a/include/linux/mmu_context.h
12806 ++++ b/include/linux/mmu_context.h
12807 +@@ -1,9 +1,16 @@
12808 + #ifndef _LINUX_MMU_CONTEXT_H
12809 + #define _LINUX_MMU_CONTEXT_H
12810 +
12811 ++#include <asm/mmu_context.h>
12812 ++
12813 + struct mm_struct;
12814 +
12815 + void use_mm(struct mm_struct *mm);
12816 + void unuse_mm(struct mm_struct *mm);
12817 +
12818 ++/* Architectures that care about IRQ state in switch_mm can override this. */
12819 ++#ifndef switch_mm_irqs_off
12820 ++# define switch_mm_irqs_off switch_mm
12821 ++#endif
12822 ++
12823 + #endif
12824 +diff --git a/include/linux/mtd/map.h b/include/linux/mtd/map.h
12825 +index dfff2baf836b..0deabc012551 100644
12826 +--- a/include/linux/mtd/map.h
12827 ++++ b/include/linux/mtd/map.h
12828 +@@ -265,75 +265,67 @@ void map_destroy(struct mtd_info *mtd);
12829 + #define INVALIDATE_CACHED_RANGE(map, from, size) \
12830 + do { if (map->inval_cache) map->inval_cache(map, from, size); } while (0)
12831 +
12832 +-
12833 +-static inline int map_word_equal(struct map_info *map, map_word val1, map_word val2)
12834 +-{
12835 +- int i;
12836 +-
12837 +- for (i = 0; i < map_words(map); i++) {
12838 +- if (val1.x[i] != val2.x[i])
12839 +- return 0;
12840 +- }
12841 +-
12842 +- return 1;
12843 +-}
12844 +-
12845 +-static inline map_word map_word_and(struct map_info *map, map_word val1, map_word val2)
12846 +-{
12847 +- map_word r;
12848 +- int i;
12849 +-
12850 +- for (i = 0; i < map_words(map); i++)
12851 +- r.x[i] = val1.x[i] & val2.x[i];
12852 +-
12853 +- return r;
12854 +-}
12855 +-
12856 +-static inline map_word map_word_clr(struct map_info *map, map_word val1, map_word val2)
12857 +-{
12858 +- map_word r;
12859 +- int i;
12860 +-
12861 +- for (i = 0; i < map_words(map); i++)
12862 +- r.x[i] = val1.x[i] & ~val2.x[i];
12863 +-
12864 +- return r;
12865 +-}
12866 +-
12867 +-static inline map_word map_word_or(struct map_info *map, map_word val1, map_word val2)
12868 +-{
12869 +- map_word r;
12870 +- int i;
12871 +-
12872 +- for (i = 0; i < map_words(map); i++)
12873 +- r.x[i] = val1.x[i] | val2.x[i];
12874 +-
12875 +- return r;
12876 +-}
12877 +-
12878 +-static inline int map_word_andequal(struct map_info *map, map_word val1, map_word val2, map_word val3)
12879 +-{
12880 +- int i;
12881 +-
12882 +- for (i = 0; i < map_words(map); i++) {
12883 +- if ((val1.x[i] & val2.x[i]) != val3.x[i])
12884 +- return 0;
12885 +- }
12886 +-
12887 +- return 1;
12888 +-}
12889 +-
12890 +-static inline int map_word_bitsset(struct map_info *map, map_word val1, map_word val2)
12891 +-{
12892 +- int i;
12893 +-
12894 +- for (i = 0; i < map_words(map); i++) {
12895 +- if (val1.x[i] & val2.x[i])
12896 +- return 1;
12897 +- }
12898 +-
12899 +- return 0;
12900 +-}
12901 ++#define map_word_equal(map, val1, val2) \
12902 ++({ \
12903 ++ int i, ret = 1; \
12904 ++ for (i = 0; i < map_words(map); i++) \
12905 ++ if ((val1).x[i] != (val2).x[i]) { \
12906 ++ ret = 0; \
12907 ++ break; \
12908 ++ } \
12909 ++ ret; \
12910 ++})
12911 ++
12912 ++#define map_word_and(map, val1, val2) \
12913 ++({ \
12914 ++ map_word r; \
12915 ++ int i; \
12916 ++ for (i = 0; i < map_words(map); i++) \
12917 ++ r.x[i] = (val1).x[i] & (val2).x[i]; \
12918 ++ r; \
12919 ++})
12920 ++
12921 ++#define map_word_clr(map, val1, val2) \
12922 ++({ \
12923 ++ map_word r; \
12924 ++ int i; \
12925 ++ for (i = 0; i < map_words(map); i++) \
12926 ++ r.x[i] = (val1).x[i] & ~(val2).x[i]; \
12927 ++ r; \
12928 ++})
12929 ++
12930 ++#define map_word_or(map, val1, val2) \
12931 ++({ \
12932 ++ map_word r; \
12933 ++ int i; \
12934 ++ for (i = 0; i < map_words(map); i++) \
12935 ++ r.x[i] = (val1).x[i] | (val2).x[i]; \
12936 ++ r; \
12937 ++})
12938 ++
12939 ++#define map_word_andequal(map, val1, val2, val3) \
12940 ++({ \
12941 ++ int i, ret = 1; \
12942 ++ for (i = 0; i < map_words(map); i++) { \
12943 ++ if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \
12944 ++ ret = 0; \
12945 ++ break; \
12946 ++ } \
12947 ++ } \
12948 ++ ret; \
12949 ++})
12950 ++
12951 ++#define map_word_bitsset(map, val1, val2) \
12952 ++({ \
12953 ++ int i, ret = 0; \
12954 ++ for (i = 0; i < map_words(map); i++) { \
12955 ++ if ((val1).x[i] & (val2).x[i]) { \
12956 ++ ret = 1; \
12957 ++ break; \
12958 ++ } \
12959 ++ } \
12960 ++ ret; \
12961 ++})
12962 +
12963 + static inline map_word map_word_load(struct map_info *map, const void *ptr)
12964 + {
12965 +diff --git a/include/linux/mtd/sh_flctl.h b/include/linux/mtd/sh_flctl.h
12966 +index 1c28f8879b1c..067b37aff4a1 100644
12967 +--- a/include/linux/mtd/sh_flctl.h
12968 ++++ b/include/linux/mtd/sh_flctl.h
12969 +@@ -148,6 +148,7 @@ struct sh_flctl {
12970 + struct platform_device *pdev;
12971 + struct dev_pm_qos_request pm_qos;
12972 + void __iomem *reg;
12973 ++ resource_size_t fifo;
12974 +
12975 + uint8_t done_buff[2048 + 64]; /* max size 2048 + 64 */
12976 + int read_bytes;
12977 +diff --git a/include/linux/nospec.h b/include/linux/nospec.h
12978 +new file mode 100644
12979 +index 000000000000..b99bced39ac2
12980 +--- /dev/null
12981 ++++ b/include/linux/nospec.h
12982 +@@ -0,0 +1,72 @@
12983 ++// SPDX-License-Identifier: GPL-2.0
12984 ++// Copyright(c) 2018 Linus Torvalds. All rights reserved.
12985 ++// Copyright(c) 2018 Alexei Starovoitov. All rights reserved.
12986 ++// Copyright(c) 2018 Intel Corporation. All rights reserved.
12987 ++
12988 ++#ifndef _LINUX_NOSPEC_H
12989 ++#define _LINUX_NOSPEC_H
12990 ++
12991 ++/**
12992 ++ * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
12993 ++ * @index: array element index
12994 ++ * @size: number of elements in array
12995 ++ *
12996 ++ * When @index is out of bounds (@index >= @size), the sign bit will be
12997 ++ * set. Extend the sign bit to all bits and invert, giving a result of
12998 ++ * zero for an out of bounds index, or ~0 if within bounds [0, @size).
12999 ++ */
13000 ++#ifndef array_index_mask_nospec
13001 ++static inline unsigned long array_index_mask_nospec(unsigned long index,
13002 ++ unsigned long size)
13003 ++{
13004 ++ /*
13005 ++ * Warn developers about inappropriate array_index_nospec() usage.
13006 ++ *
13007 ++ * Even if the CPU speculates past the WARN_ONCE branch, the
13008 ++ * sign bit of @index is taken into account when generating the
13009 ++ * mask.
13010 ++ *
13011 ++ * This warning is compiled out when the compiler can infer that
13012 ++ * @index and @size are less than LONG_MAX.
13013 ++ */
13014 ++ if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX,
13015 ++ "array_index_nospec() limited to range of [0, LONG_MAX]\n"))
13016 ++ return 0;
13017 ++
13018 ++ /*
13019 ++ * Always calculate and emit the mask even if the compiler
13020 ++ * thinks the mask is not needed. The compiler does not take
13021 ++ * into account the value of @index under speculation.
13022 ++ */
13023 ++ OPTIMIZER_HIDE_VAR(index);
13024 ++ return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
13025 ++}
13026 ++#endif
13027 ++
13028 ++/*
13029 ++ * array_index_nospec - sanitize an array index after a bounds check
13030 ++ *
13031 ++ * For a code sequence like:
13032 ++ *
13033 ++ * if (index < size) {
13034 ++ * index = array_index_nospec(index, size);
13035 ++ * val = array[index];
13036 ++ * }
13037 ++ *
13038 ++ * ...if the CPU speculates past the bounds check then
13039 ++ * array_index_nospec() will clamp the index within the range of [0,
13040 ++ * size).
13041 ++ */
13042 ++#define array_index_nospec(index, size) \
13043 ++({ \
13044 ++ typeof(index) _i = (index); \
13045 ++ typeof(size) _s = (size); \
13046 ++ unsigned long _mask = array_index_mask_nospec(_i, _s); \
13047 ++ \
13048 ++ BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \
13049 ++ BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \
13050 ++ \
13051 ++ _i &= _mask; \
13052 ++ _i; \
13053 ++})
13054 ++#endif /* _LINUX_NOSPEC_H */
13055 +diff --git a/include/linux/sh_eth.h b/include/linux/sh_eth.h
13056 +index 8c9131db2b25..b050ef51e27e 100644
13057 +--- a/include/linux/sh_eth.h
13058 ++++ b/include/linux/sh_eth.h
13059 +@@ -16,7 +16,6 @@ struct sh_eth_plat_data {
13060 + unsigned char mac_addr[ETH_ALEN];
13061 + unsigned no_ether_link:1;
13062 + unsigned ether_link_active_low:1;
13063 +- unsigned needs_init:1;
13064 + };
13065 +
13066 + #endif
13067 +diff --git a/include/linux/string.h b/include/linux/string.h
13068 +index e40099e585c9..f8902cc0c10d 100644
13069 +--- a/include/linux/string.h
13070 ++++ b/include/linux/string.h
13071 +@@ -118,6 +118,7 @@ extern char *kstrdup(const char *s, gfp_t gfp);
13072 + extern const char *kstrdup_const(const char *s, gfp_t gfp);
13073 + extern char *kstrndup(const char *s, size_t len, gfp_t gfp);
13074 + extern void *kmemdup(const void *src, size_t len, gfp_t gfp);
13075 ++extern char *kmemdup_nul(const char *s, size_t len, gfp_t gfp);
13076 +
13077 + extern char **argv_split(gfp_t gfp, const char *str, int *argcp);
13078 + extern void argv_free(char **argv);
13079 +diff --git a/include/linux/tcp.h b/include/linux/tcp.h
13080 +index e8bbf403618f..5eeeca0b25f1 100644
13081 +--- a/include/linux/tcp.h
13082 ++++ b/include/linux/tcp.h
13083 +@@ -29,9 +29,14 @@ static inline struct tcphdr *tcp_hdr(const struct sk_buff *skb)
13084 + return (struct tcphdr *)skb_transport_header(skb);
13085 + }
13086 +
13087 ++static inline unsigned int __tcp_hdrlen(const struct tcphdr *th)
13088 ++{
13089 ++ return th->doff * 4;
13090 ++}
13091 ++
13092 + static inline unsigned int tcp_hdrlen(const struct sk_buff *skb)
13093 + {
13094 +- return tcp_hdr(skb)->doff * 4;
13095 ++ return __tcp_hdrlen(tcp_hdr(skb));
13096 + }
13097 +
13098 + static inline struct tcphdr *inner_tcp_hdr(const struct sk_buff *skb)
13099 +diff --git a/include/net/arp.h b/include/net/arp.h
13100 +index 5e0f891d476c..1b3f86981757 100644
13101 +--- a/include/net/arp.h
13102 ++++ b/include/net/arp.h
13103 +@@ -19,6 +19,9 @@ static inline u32 arp_hashfn(const void *pkey, const struct net_device *dev, u32
13104 +
13105 + static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key)
13106 + {
13107 ++ if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
13108 ++ key = INADDR_ANY;
13109 ++
13110 + return ___neigh_lookup_noref(&arp_tbl, neigh_key_eq32, arp_hashfn, &key, dev);
13111 + }
13112 +
13113 +diff --git a/include/net/ip.h b/include/net/ip.h
13114 +index 117bde93995d..80b849cadc35 100644
13115 +--- a/include/net/ip.h
13116 ++++ b/include/net/ip.h
13117 +@@ -33,6 +33,8 @@
13118 + #include <net/flow.h>
13119 + #include <net/flow_keys.h>
13120 +
13121 ++#define IPV4_MIN_MTU 68 /* RFC 791 */
13122 ++
13123 + struct sock;
13124 +
13125 + struct inet_skb_parm {
13126 +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
13127 +index f733656404de..01af6cd44c67 100644
13128 +--- a/include/net/net_namespace.h
13129 ++++ b/include/net/net_namespace.h
13130 +@@ -203,6 +203,11 @@ int net_eq(const struct net *net1, const struct net *net2)
13131 + return net1 == net2;
13132 + }
13133 +
13134 ++static inline int check_net(const struct net *net)
13135 ++{
13136 ++ return atomic_read(&net->count) != 0;
13137 ++}
13138 ++
13139 + void net_drop_ns(void *);
13140 +
13141 + #else
13142 +@@ -227,6 +232,11 @@ int net_eq(const struct net *net1, const struct net *net2)
13143 + return 1;
13144 + }
13145 +
13146 ++static inline int check_net(const struct net *net)
13147 ++{
13148 ++ return 1;
13149 ++}
13150 ++
13151 + #define net_drop_ns NULL
13152 + #endif
13153 +
13154 +diff --git a/include/net/netlink.h b/include/net/netlink.h
13155 +index 2a5dbcc90d1c..9bb53469b704 100644
13156 +--- a/include/net/netlink.h
13157 ++++ b/include/net/netlink.h
13158 +@@ -745,7 +745,10 @@ static inline int nla_parse_nested(struct nlattr *tb[], int maxtype,
13159 + */
13160 + static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value)
13161 + {
13162 +- return nla_put(skb, attrtype, sizeof(u8), &value);
13163 ++ /* temporary variables to work around GCC PR81715 with asan-stack=1 */
13164 ++ u8 tmp = value;
13165 ++
13166 ++ return nla_put(skb, attrtype, sizeof(u8), &tmp);
13167 + }
13168 +
13169 + /**
13170 +@@ -756,7 +759,9 @@ static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value)
13171 + */
13172 + static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value)
13173 + {
13174 +- return nla_put(skb, attrtype, sizeof(u16), &value);
13175 ++ u16 tmp = value;
13176 ++
13177 ++ return nla_put(skb, attrtype, sizeof(u16), &tmp);
13178 + }
13179 +
13180 + /**
13181 +@@ -767,7 +772,9 @@ static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value)
13182 + */
13183 + static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value)
13184 + {
13185 +- return nla_put(skb, attrtype, sizeof(__be16), &value);
13186 ++ __be16 tmp = value;
13187 ++
13188 ++ return nla_put(skb, attrtype, sizeof(__be16), &tmp);
13189 + }
13190 +
13191 + /**
13192 +@@ -778,7 +785,9 @@ static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value)
13193 + */
13194 + static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value)
13195 + {
13196 +- return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value);
13197 ++ __be16 tmp = value;
13198 ++
13199 ++ return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
13200 + }
13201 +
13202 + /**
13203 +@@ -789,7 +798,9 @@ static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value)
13204 + */
13205 + static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value)
13206 + {
13207 +- return nla_put(skb, attrtype, sizeof(__le16), &value);
13208 ++ __le16 tmp = value;
13209 ++
13210 ++ return nla_put(skb, attrtype, sizeof(__le16), &tmp);
13211 + }
13212 +
13213 + /**
13214 +@@ -800,7 +811,9 @@ static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value)
13215 + */
13216 + static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value)
13217 + {
13218 +- return nla_put(skb, attrtype, sizeof(u32), &value);
13219 ++ u32 tmp = value;
13220 ++
13221 ++ return nla_put(skb, attrtype, sizeof(u32), &tmp);
13222 + }
13223 +
13224 + /**
13225 +@@ -811,7 +824,9 @@ static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value)
13226 + */
13227 + static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value)
13228 + {
13229 +- return nla_put(skb, attrtype, sizeof(__be32), &value);
13230 ++ __be32 tmp = value;
13231 ++
13232 ++ return nla_put(skb, attrtype, sizeof(__be32), &tmp);
13233 + }
13234 +
13235 + /**
13236 +@@ -822,7 +837,9 @@ static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value)
13237 + */
13238 + static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
13239 + {
13240 +- return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value);
13241 ++ __be32 tmp = value;
13242 ++
13243 ++ return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
13244 + }
13245 +
13246 + /**
13247 +@@ -833,7 +850,9 @@ static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
13248 + */
13249 + static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value)
13250 + {
13251 +- return nla_put(skb, attrtype, sizeof(__le32), &value);
13252 ++ __le32 tmp = value;
13253 ++
13254 ++ return nla_put(skb, attrtype, sizeof(__le32), &tmp);
13255 + }
13256 +
13257 + /**
13258 +@@ -844,7 +863,9 @@ static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value)
13259 + */
13260 + static inline int nla_put_u64(struct sk_buff *skb, int attrtype, u64 value)
13261 + {
13262 +- return nla_put(skb, attrtype, sizeof(u64), &value);
13263 ++ u64 tmp = value;
13264 ++
13265 ++ return nla_put(skb, attrtype, sizeof(u64), &tmp);
13266 + }
13267 +
13268 + /**
13269 +@@ -855,7 +876,9 @@ static inline int nla_put_u64(struct sk_buff *skb, int attrtype, u64 value)
13270 + */
13271 + static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value)
13272 + {
13273 +- return nla_put(skb, attrtype, sizeof(__be64), &value);
13274 ++ __be64 tmp = value;
13275 ++
13276 ++ return nla_put(skb, attrtype, sizeof(__be64), &tmp);
13277 + }
13278 +
13279 + /**
13280 +@@ -866,7 +889,9 @@ static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value)
13281 + */
13282 + static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value)
13283 + {
13284 +- return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, value);
13285 ++ __be64 tmp = value;
13286 ++
13287 ++ return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
13288 + }
13289 +
13290 + /**
13291 +@@ -877,7 +902,9 @@ static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value)
13292 + */
13293 + static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value)
13294 + {
13295 +- return nla_put(skb, attrtype, sizeof(__le64), &value);
13296 ++ __le64 tmp = value;
13297 ++
13298 ++ return nla_put(skb, attrtype, sizeof(__le64), &tmp);
13299 + }
13300 +
13301 + /**
13302 +@@ -888,7 +915,9 @@ static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value)
13303 + */
13304 + static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value)
13305 + {
13306 +- return nla_put(skb, attrtype, sizeof(s8), &value);
13307 ++ s8 tmp = value;
13308 ++
13309 ++ return nla_put(skb, attrtype, sizeof(s8), &tmp);
13310 + }
13311 +
13312 + /**
13313 +@@ -899,7 +928,9 @@ static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value)
13314 + */
13315 + static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value)
13316 + {
13317 +- return nla_put(skb, attrtype, sizeof(s16), &value);
13318 ++ s16 tmp = value;
13319 ++
13320 ++ return nla_put(skb, attrtype, sizeof(s16), &tmp);
13321 + }
13322 +
13323 + /**
13324 +@@ -910,7 +941,9 @@ static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value)
13325 + */
13326 + static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value)
13327 + {
13328 +- return nla_put(skb, attrtype, sizeof(s32), &value);
13329 ++ s32 tmp = value;
13330 ++
13331 ++ return nla_put(skb, attrtype, sizeof(s32), &tmp);
13332 + }
13333 +
13334 + /**
13335 +@@ -921,7 +954,9 @@ static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value)
13336 + */
13337 + static inline int nla_put_s64(struct sk_buff *skb, int attrtype, s64 value)
13338 + {
13339 +- return nla_put(skb, attrtype, sizeof(s64), &value);
13340 ++ s64 tmp = value;
13341 ++
13342 ++ return nla_put(skb, attrtype, sizeof(s64), &tmp);
13343 + }
13344 +
13345 + /**
13346 +@@ -969,7 +1004,9 @@ static inline int nla_put_msecs(struct sk_buff *skb, int attrtype,
13347 + static inline int nla_put_in_addr(struct sk_buff *skb, int attrtype,
13348 + __be32 addr)
13349 + {
13350 +- return nla_put_be32(skb, attrtype, addr);
13351 ++ __be32 tmp = addr;
13352 ++
13353 ++ return nla_put_be32(skb, attrtype, tmp);
13354 + }
13355 +
13356 + /**
13357 +diff --git a/include/net/red.h b/include/net/red.h
13358 +index 76e0b5f922c6..3618cdfec884 100644
13359 +--- a/include/net/red.h
13360 ++++ b/include/net/red.h
13361 +@@ -167,6 +167,17 @@ static inline void red_set_vars(struct red_vars *v)
13362 + v->qcount = -1;
13363 + }
13364 +
13365 ++static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog)
13366 ++{
13367 ++ if (fls(qth_min) + Wlog > 32)
13368 ++ return false;
13369 ++ if (fls(qth_max) + Wlog > 32)
13370 ++ return false;
13371 ++ if (qth_max < qth_min)
13372 ++ return false;
13373 ++ return true;
13374 ++}
13375 ++
13376 + static inline void red_set_parms(struct red_parms *p,
13377 + u32 qth_min, u32 qth_max, u8 Wlog, u8 Plog,
13378 + u8 Scell_log, u8 *stab, u32 max_P)
13379 +@@ -178,7 +189,7 @@ static inline void red_set_parms(struct red_parms *p,
13380 + p->qth_max = qth_max << Wlog;
13381 + p->Wlog = Wlog;
13382 + p->Plog = Plog;
13383 +- if (delta < 0)
13384 ++ if (delta <= 0)
13385 + delta = 1;
13386 + p->qth_delta = delta;
13387 + if (!max_P) {
13388 +diff --git a/include/scsi/sg.h b/include/scsi/sg.h
13389 +index 3afec7032448..20bc71c3e0b8 100644
13390 +--- a/include/scsi/sg.h
13391 ++++ b/include/scsi/sg.h
13392 +@@ -197,7 +197,6 @@ typedef struct sg_req_info { /* used by SG_GET_REQUEST_TABLE ioctl() */
13393 + #define SG_DEFAULT_RETRIES 0
13394 +
13395 + /* Defaults, commented if they differ from original sg driver */
13396 +-#define SG_DEF_FORCE_LOW_DMA 0 /* was 1 -> memory below 16MB on i386 */
13397 + #define SG_DEF_FORCE_PACK_ID 0
13398 + #define SG_DEF_KEEP_ORPHAN 0
13399 + #define SG_DEF_RESERVED_SIZE SG_SCATTER_SZ /* load time option */
13400 +diff --git a/include/trace/events/clk.h b/include/trace/events/clk.h
13401 +index 758607226bfd..2cd449328aee 100644
13402 +--- a/include/trace/events/clk.h
13403 ++++ b/include/trace/events/clk.h
13404 +@@ -134,12 +134,12 @@ DECLARE_EVENT_CLASS(clk_parent,
13405 +
13406 + TP_STRUCT__entry(
13407 + __string( name, core->name )
13408 +- __string( pname, parent->name )
13409 ++ __string( pname, parent ? parent->name : "none" )
13410 + ),
13411 +
13412 + TP_fast_assign(
13413 + __assign_str(name, core->name);
13414 +- __assign_str(pname, parent->name);
13415 ++ __assign_str(pname, parent ? parent->name : "none");
13416 + ),
13417 +
13418 + TP_printk("%s %s", __get_str(name), __get_str(pname))
13419 +diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
13420 +index a44062da684b..c0cf08e9f38a 100644
13421 +--- a/include/trace/events/kvm.h
13422 ++++ b/include/trace/events/kvm.h
13423 +@@ -204,7 +204,7 @@ TRACE_EVENT(kvm_ack_irq,
13424 + { KVM_TRACE_MMIO_WRITE, "write" }
13425 +
13426 + TRACE_EVENT(kvm_mmio,
13427 +- TP_PROTO(int type, int len, u64 gpa, u64 val),
13428 ++ TP_PROTO(int type, int len, u64 gpa, void *val),
13429 + TP_ARGS(type, len, gpa, val),
13430 +
13431 + TP_STRUCT__entry(
13432 +@@ -218,7 +218,10 @@ TRACE_EVENT(kvm_mmio,
13433 + __entry->type = type;
13434 + __entry->len = len;
13435 + __entry->gpa = gpa;
13436 +- __entry->val = val;
13437 ++ __entry->val = 0;
13438 ++ if (val)
13439 ++ memcpy(&__entry->val, val,
13440 ++ min_t(u32, sizeof(__entry->val), len));
13441 + ),
13442 +
13443 + TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
13444 +diff --git a/include/uapi/linux/eventpoll.h b/include/uapi/linux/eventpoll.h
13445 +index bc81fb2e1f0e..6f04cb419115 100644
13446 +--- a/include/uapi/linux/eventpoll.h
13447 ++++ b/include/uapi/linux/eventpoll.h
13448 +@@ -26,6 +26,19 @@
13449 + #define EPOLL_CTL_DEL 2
13450 + #define EPOLL_CTL_MOD 3
13451 +
13452 ++/* Epoll event masks */
13453 ++#define EPOLLIN 0x00000001
13454 ++#define EPOLLPRI 0x00000002
13455 ++#define EPOLLOUT 0x00000004
13456 ++#define EPOLLERR 0x00000008
13457 ++#define EPOLLHUP 0x00000010
13458 ++#define EPOLLRDNORM 0x00000040
13459 ++#define EPOLLRDBAND 0x00000080
13460 ++#define EPOLLWRNORM 0x00000100
13461 ++#define EPOLLWRBAND 0x00000200
13462 ++#define EPOLLMSG 0x00000400
13463 ++#define EPOLLRDHUP 0x00002000
13464 ++
13465 + /*
13466 + * Request the handling of system wakeup events so as to prevent system suspends
13467 + * from happening while those events are being processed.
13468 +diff --git a/ipc/msg.c b/ipc/msg.c
13469 +index 3b2b0f5149ab..55730c74a42a 100644
13470 +--- a/ipc/msg.c
13471 ++++ b/ipc/msg.c
13472 +@@ -740,7 +740,10 @@ static inline int convert_mode(long *msgtyp, int msgflg)
13473 + if (*msgtyp == 0)
13474 + return SEARCH_ANY;
13475 + if (*msgtyp < 0) {
13476 +- *msgtyp = -*msgtyp;
13477 ++ if (*msgtyp == LONG_MIN) /* -LONG_MIN is undefined */
13478 ++ *msgtyp = LONG_MAX;
13479 ++ else
13480 ++ *msgtyp = -*msgtyp;
13481 + return SEARCH_LESSEQUAL;
13482 + }
13483 + if (msgflg & MSG_EXCEPT)
13484 +diff --git a/kernel/acct.c b/kernel/acct.c
13485 +index 74963d192c5d..37f1dc696fbd 100644
13486 +--- a/kernel/acct.c
13487 ++++ b/kernel/acct.c
13488 +@@ -99,7 +99,7 @@ static int check_free_space(struct bsd_acct_struct *acct)
13489 + {
13490 + struct kstatfs sbuf;
13491 +
13492 +- if (time_is_before_jiffies(acct->needcheck))
13493 ++ if (time_is_after_jiffies(acct->needcheck))
13494 + goto out;
13495 +
13496 + /* May block */
13497 +diff --git a/kernel/async.c b/kernel/async.c
13498 +index 4c3773c0bf63..f1fd155abff6 100644
13499 +--- a/kernel/async.c
13500 ++++ b/kernel/async.c
13501 +@@ -84,20 +84,24 @@ static atomic_t entry_count;
13502 +
13503 + static async_cookie_t lowest_in_progress(struct async_domain *domain)
13504 + {
13505 +- struct list_head *pending;
13506 ++ struct async_entry *first = NULL;
13507 + async_cookie_t ret = ASYNC_COOKIE_MAX;
13508 + unsigned long flags;
13509 +
13510 + spin_lock_irqsave(&async_lock, flags);
13511 +
13512 +- if (domain)
13513 +- pending = &domain->pending;
13514 +- else
13515 +- pending = &async_global_pending;
13516 ++ if (domain) {
13517 ++ if (!list_empty(&domain->pending))
13518 ++ first = list_first_entry(&domain->pending,
13519 ++ struct async_entry, domain_list);
13520 ++ } else {
13521 ++ if (!list_empty(&async_global_pending))
13522 ++ first = list_first_entry(&async_global_pending,
13523 ++ struct async_entry, global_list);
13524 ++ }
13525 +
13526 +- if (!list_empty(pending))
13527 +- ret = list_first_entry(pending, struct async_entry,
13528 +- domain_list)->cookie;
13529 ++ if (first)
13530 ++ ret = first->cookie;
13531 +
13532 + spin_unlock_irqrestore(&async_lock, flags);
13533 + return ret;
13534 +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
13535 +index 54f0e7fcd0e2..199b54e75359 100644
13536 +--- a/kernel/bpf/core.c
13537 ++++ b/kernel/bpf/core.c
13538 +@@ -361,7 +361,7 @@ select_insn:
13539 + DST = tmp;
13540 + CONT;
13541 + ALU_MOD_X:
13542 +- if (unlikely(SRC == 0))
13543 ++ if (unlikely((u32)SRC == 0))
13544 + return 0;
13545 + tmp = (u32) DST;
13546 + DST = do_div(tmp, (u32) SRC);
13547 +@@ -380,7 +380,7 @@ select_insn:
13548 + DST = div64_u64(DST, SRC);
13549 + CONT;
13550 + ALU_DIV_X:
13551 +- if (unlikely(SRC == 0))
13552 ++ if (unlikely((u32)SRC == 0))
13553 + return 0;
13554 + tmp = (u32) DST;
13555 + do_div(tmp, (u32) SRC);
13556 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
13557 +index 1bdc6f910a1d..03d74868c709 100644
13558 +--- a/kernel/bpf/verifier.c
13559 ++++ b/kernel/bpf/verifier.c
13560 +@@ -1020,6 +1020,11 @@ static int check_alu_op(struct reg_state *regs, struct bpf_insn *insn)
13561 + return -EINVAL;
13562 + }
13563 +
13564 ++ if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) {
13565 ++ verbose("BPF_ARSH not supported for 32 bit ALU\n");
13566 ++ return -EINVAL;
13567 ++ }
13568 ++
13569 + if ((opcode == BPF_LSH || opcode == BPF_RSH ||
13570 + opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
13571 + int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
13572 +diff --git a/kernel/futex.c b/kernel/futex.c
13573 +index 585cf96dab32..4195616b27d9 100644
13574 +--- a/kernel/futex.c
13575 ++++ b/kernel/futex.c
13576 +@@ -1514,6 +1514,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
13577 + struct futex_hash_bucket *hb1, *hb2;
13578 + struct futex_q *this, *next;
13579 +
13580 ++ if (nr_wake < 0 || nr_requeue < 0)
13581 ++ return -EINVAL;
13582 ++
13583 + if (requeue_pi) {
13584 + /*
13585 + * Requeue PI only works on two distinct uaddrs. This
13586 +@@ -1831,8 +1834,12 @@ static int unqueue_me(struct futex_q *q)
13587 +
13588 + /* In the common case we don't take the spinlock, which is nice. */
13589 + retry:
13590 +- lock_ptr = q->lock_ptr;
13591 +- barrier();
13592 ++ /*
13593 ++ * q->lock_ptr can change between this read and the following spin_lock.
13594 ++ * Use READ_ONCE to forbid the compiler from reloading q->lock_ptr and
13595 ++ * optimizing lock_ptr out of the logic below.
13596 ++ */
13597 ++ lock_ptr = READ_ONCE(q->lock_ptr);
13598 + if (lock_ptr != NULL) {
13599 + spin_lock(lock_ptr);
13600 + /*
13601 +diff --git a/kernel/gcov/Kconfig b/kernel/gcov/Kconfig
13602 +index c92e44855ddd..1276aabaab55 100644
13603 +--- a/kernel/gcov/Kconfig
13604 ++++ b/kernel/gcov/Kconfig
13605 +@@ -37,6 +37,7 @@ config ARCH_HAS_GCOV_PROFILE_ALL
13606 +
13607 + config GCOV_PROFILE_ALL
13608 + bool "Profile entire Kernel"
13609 ++ depends on !COMPILE_TEST
13610 + depends on GCOV_KERNEL
13611 + depends on ARCH_HAS_GCOV_PROFILE_ALL
13612 + default n
13613 +diff --git a/kernel/groups.c b/kernel/groups.c
13614 +index 74d431d25251..5ea9847f172f 100644
13615 +--- a/kernel/groups.c
13616 ++++ b/kernel/groups.c
13617 +@@ -101,7 +101,7 @@ static int groups_from_user(struct group_info *group_info,
13618 + }
13619 +
13620 + /* a simple Shell sort */
13621 +-static void groups_sort(struct group_info *group_info)
13622 ++void groups_sort(struct group_info *group_info)
13623 + {
13624 + int base, max, stride;
13625 + int gidsetsize = group_info->ngroups;
13626 +@@ -128,6 +128,7 @@ static void groups_sort(struct group_info *group_info)
13627 + stride /= 3;
13628 + }
13629 + }
13630 ++EXPORT_SYMBOL(groups_sort);
13631 +
13632 + /* a simple bsearch */
13633 + int groups_search(const struct group_info *group_info, kgid_t grp)
13634 +@@ -159,7 +160,6 @@ int groups_search(const struct group_info *group_info, kgid_t grp)
13635 + void set_groups(struct cred *new, struct group_info *group_info)
13636 + {
13637 + put_group_info(new->group_info);
13638 +- groups_sort(group_info);
13639 + get_group_info(group_info);
13640 + new->group_info = group_info;
13641 + }
13642 +@@ -243,6 +243,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
13643 + return retval;
13644 + }
13645 +
13646 ++ groups_sort(group_info);
13647 + retval = set_current_groups(group_info);
13648 + put_group_info(group_info);
13649 +
13650 +diff --git a/kernel/module.c b/kernel/module.c
13651 +index 6920d1080cdd..c38bf6e486a4 100644
13652 +--- a/kernel/module.c
13653 ++++ b/kernel/module.c
13654 +@@ -2233,7 +2233,7 @@ static char elf_type(const Elf_Sym *sym, const struct load_info *info)
13655 + }
13656 + if (sym->st_shndx == SHN_UNDEF)
13657 + return 'U';
13658 +- if (sym->st_shndx == SHN_ABS)
13659 ++ if (sym->st_shndx == SHN_ABS || sym->st_shndx == info->index.pcpu)
13660 + return 'a';
13661 + if (sym->st_shndx >= SHN_LORESERVE)
13662 + return '?';
13663 +@@ -2262,7 +2262,7 @@ static char elf_type(const Elf_Sym *sym, const struct load_info *info)
13664 + }
13665 +
13666 + static bool is_core_symbol(const Elf_Sym *src, const Elf_Shdr *sechdrs,
13667 +- unsigned int shnum)
13668 ++ unsigned int shnum, unsigned int pcpundx)
13669 + {
13670 + const Elf_Shdr *sec;
13671 +
13672 +@@ -2271,6 +2271,11 @@ static bool is_core_symbol(const Elf_Sym *src, const Elf_Shdr *sechdrs,
13673 + || !src->st_name)
13674 + return false;
13675 +
13676 ++#ifdef CONFIG_KALLSYMS_ALL
13677 ++ if (src->st_shndx == pcpundx)
13678 ++ return true;
13679 ++#endif
13680 ++
13681 + sec = sechdrs + src->st_shndx;
13682 + if (!(sec->sh_flags & SHF_ALLOC)
13683 + #ifndef CONFIG_KALLSYMS_ALL
13684 +@@ -2308,7 +2313,8 @@ static void layout_symtab(struct module *mod, struct load_info *info)
13685 + /* Compute total space required for the core symbols' strtab. */
13686 + for (ndst = i = 0; i < nsrc; i++) {
13687 + if (i == 0 ||
13688 +- is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) {
13689 ++ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum,
13690 ++ info->index.pcpu)) {
13691 + strtab_size += strlen(&info->strtab[src[i].st_name])+1;
13692 + ndst++;
13693 + }
13694 +@@ -2366,7 +2372,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
13695 + src = mod->kallsyms->symtab;
13696 + for (ndst = i = 0; i < mod->kallsyms->num_symtab; i++) {
13697 + if (i == 0 ||
13698 +- is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum)) {
13699 ++ is_core_symbol(src+i, info->sechdrs, info->hdr->e_shnum,
13700 ++ info->index.pcpu)) {
13701 + dst[ndst] = src[i];
13702 + dst[ndst++].st_name = s - mod->core_kallsyms.strtab;
13703 + s += strlcpy(s, &mod->kallsyms->strtab[src[i].st_name],
13704 +@@ -2726,8 +2733,12 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
13705 + return -ENOEXEC;
13706 + }
13707 +
13708 +- if (!get_modinfo(info, "intree"))
13709 ++ if (!get_modinfo(info, "intree")) {
13710 ++ if (!test_taint(TAINT_OOT_MODULE))
13711 ++ pr_warn("%s: loading out-of-tree module taints kernel.\n",
13712 ++ mod->name);
13713 + add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
13714 ++ }
13715 +
13716 + if (get_modinfo(info, "staging")) {
13717 + add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
13718 +@@ -2892,6 +2903,8 @@ static int move_module(struct module *mod, struct load_info *info)
13719 +
13720 + static int check_module_license_and_versions(struct module *mod)
13721 + {
13722 ++ int prev_taint = test_taint(TAINT_PROPRIETARY_MODULE);
13723 ++
13724 + /*
13725 + * ndiswrapper is under GPL by itself, but loads proprietary modules.
13726 + * Don't use add_taint_module(), as it would prevent ndiswrapper from
13727 +@@ -2910,6 +2923,9 @@ static int check_module_license_and_versions(struct module *mod)
13728 + add_taint_module(mod, TAINT_PROPRIETARY_MODULE,
13729 + LOCKDEP_NOW_UNRELIABLE);
13730 +
13731 ++ if (!prev_taint && test_taint(TAINT_PROPRIETARY_MODULE))
13732 ++ pr_warn("%s: module license taints kernel.\n", mod->name);
13733 ++
13734 + #ifdef CONFIG_MODVERSIONS
13735 + if ((mod->num_syms && !mod->crcs)
13736 + || (mod->num_gpl_syms && !mod->gpl_crcs)
13737 +diff --git a/kernel/profile.c b/kernel/profile.c
13738 +index a7bcd28d6e9f..7ad939c708b9 100644
13739 +--- a/kernel/profile.c
13740 ++++ b/kernel/profile.c
13741 +@@ -44,7 +44,7 @@ int prof_on __read_mostly;
13742 + EXPORT_SYMBOL_GPL(prof_on);
13743 +
13744 + static cpumask_var_t prof_cpu_mask;
13745 +-#ifdef CONFIG_SMP
13746 ++#if defined(CONFIG_SMP) && defined(CONFIG_PROC_FS)
13747 + static DEFINE_PER_CPU(struct profile_hit *[2], cpu_profile_hits);
13748 + static DEFINE_PER_CPU(int, cpu_profile_flip);
13749 + static DEFINE_MUTEX(profile_flip_mutex);
13750 +@@ -201,7 +201,7 @@ int profile_event_unregister(enum profile_type type, struct notifier_block *n)
13751 + }
13752 + EXPORT_SYMBOL_GPL(profile_event_unregister);
13753 +
13754 +-#ifdef CONFIG_SMP
13755 ++#if defined(CONFIG_SMP) && defined(CONFIG_PROC_FS)
13756 + /*
13757 + * Each cpu has a pair of open-addressed hashtables for pending
13758 + * profile hits. read_profile() IPI's all cpus to request them
13759 +diff --git a/kernel/sched/core.c b/kernel/sched/core.c
13760 +index 8fbedeb5553f..9c905bd94ff0 100644
13761 +--- a/kernel/sched/core.c
13762 ++++ b/kernel/sched/core.c
13763 +@@ -32,7 +32,7 @@
13764 + #include <linux/init.h>
13765 + #include <linux/uaccess.h>
13766 + #include <linux/highmem.h>
13767 +-#include <asm/mmu_context.h>
13768 ++#include <linux/mmu_context.h>
13769 + #include <linux/interrupt.h>
13770 + #include <linux/capability.h>
13771 + #include <linux/completion.h>
13772 +@@ -2339,7 +2339,7 @@ context_switch(struct rq *rq, struct task_struct *prev,
13773 + atomic_inc(&oldmm->mm_count);
13774 + enter_lazy_tlb(oldmm, next);
13775 + } else
13776 +- switch_mm(oldmm, mm, next);
13777 ++ switch_mm_irqs_off(oldmm, mm, next);
13778 +
13779 + if (!prev->mm) {
13780 + prev->active_mm = NULL;
13781 +diff --git a/kernel/signal.c b/kernel/signal.c
13782 +index 525a4cda5598..46a2471173b8 100644
13783 +--- a/kernel/signal.c
13784 ++++ b/kernel/signal.c
13785 +@@ -72,7 +72,7 @@ static int sig_task_ignored(struct task_struct *t, int sig, bool force)
13786 + handler = sig_handler(t, sig);
13787 +
13788 + if (unlikely(t->signal->flags & SIGNAL_UNKILLABLE) &&
13789 +- handler == SIG_DFL && !force)
13790 ++ handler == SIG_DFL && !(force && sig_kernel_only(sig)))
13791 + return 1;
13792 +
13793 + return sig_handler_ignored(handler, sig);
13794 +@@ -88,13 +88,15 @@ static int sig_ignored(struct task_struct *t, int sig, bool force)
13795 + if (sigismember(&t->blocked, sig) || sigismember(&t->real_blocked, sig))
13796 + return 0;
13797 +
13798 +- if (!sig_task_ignored(t, sig, force))
13799 +- return 0;
13800 +-
13801 + /*
13802 +- * Tracers may want to know about even ignored signals.
13803 ++ * Tracers may want to know about even ignored signal unless it
13804 ++ * is SIGKILL which can't be reported anyway but can be ignored
13805 ++ * by SIGNAL_UNKILLABLE task.
13806 + */
13807 +- return !t->ptrace;
13808 ++ if (t->ptrace && sig != SIGKILL)
13809 ++ return 0;
13810 ++
13811 ++ return sig_task_ignored(t, sig, force);
13812 + }
13813 +
13814 + /*
13815 +@@ -960,9 +962,9 @@ static void complete_signal(int sig, struct task_struct *p, int group)
13816 + * then start taking the whole group down immediately.
13817 + */
13818 + if (sig_fatal(p, sig) &&
13819 +- !(signal->flags & (SIGNAL_UNKILLABLE | SIGNAL_GROUP_EXIT)) &&
13820 ++ !(signal->flags & SIGNAL_GROUP_EXIT) &&
13821 + !sigismember(&t->real_blocked, sig) &&
13822 +- (sig == SIGKILL || !t->ptrace)) {
13823 ++ (sig == SIGKILL || !p->ptrace)) {
13824 + /*
13825 + * This signal will be fatal to the whole group.
13826 + */
13827 +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
13828 +index 93ef7190bdea..e82a5f40a0ac 100644
13829 +--- a/kernel/time/hrtimer.c
13830 ++++ b/kernel/time/hrtimer.c
13831 +@@ -292,7 +292,7 @@ EXPORT_SYMBOL_GPL(__ktime_divns);
13832 + */
13833 + ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs)
13834 + {
13835 +- ktime_t res = ktime_add(lhs, rhs);
13836 ++ ktime_t res = ktime_add_unsafe(lhs, rhs);
13837 +
13838 + /*
13839 + * We use KTIME_SEC_MAX here, the maximum timeout which we can
13840 +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
13841 +index 31ea01f42e1f..2cca2e79c643 100644
13842 +--- a/kernel/time/posix-timers.c
13843 ++++ b/kernel/time/posix-timers.c
13844 +@@ -500,17 +500,22 @@ static struct pid *good_sigevent(sigevent_t * event)
13845 + {
13846 + struct task_struct *rtn = current->group_leader;
13847 +
13848 +- if ((event->sigev_notify & SIGEV_THREAD_ID ) &&
13849 +- (!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) ||
13850 +- !same_thread_group(rtn, current) ||
13851 +- (event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_SIGNAL))
13852 ++ switch (event->sigev_notify) {
13853 ++ case SIGEV_SIGNAL | SIGEV_THREAD_ID:
13854 ++ rtn = find_task_by_vpid(event->sigev_notify_thread_id);
13855 ++ if (!rtn || !same_thread_group(rtn, current))
13856 ++ return NULL;
13857 ++ /* FALLTHRU */
13858 ++ case SIGEV_SIGNAL:
13859 ++ case SIGEV_THREAD:
13860 ++ if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX)
13861 ++ return NULL;
13862 ++ /* FALLTHRU */
13863 ++ case SIGEV_NONE:
13864 ++ return task_pid(rtn);
13865 ++ default:
13866 + return NULL;
13867 +-
13868 +- if (((event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) &&
13869 +- ((event->sigev_signo <= 0) || (event->sigev_signo > SIGRTMAX)))
13870 +- return NULL;
13871 +-
13872 +- return task_pid(rtn);
13873 ++ }
13874 + }
13875 +
13876 + void posix_timers_register_clock(const clockid_t clock_id,
13877 +@@ -738,8 +743,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting)
13878 + /* interval timer ? */
13879 + if (iv.tv64)
13880 + cur_setting->it_interval = ktime_to_timespec(iv);
13881 +- else if (!hrtimer_active(timer) &&
13882 +- (timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE)
13883 ++ else if (!hrtimer_active(timer) && timr->it_sigev_notify != SIGEV_NONE)
13884 + return;
13885 +
13886 + now = timer->base->get_time();
13887 +@@ -750,7 +754,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting)
13888 + * expiry is > now.
13889 + */
13890 + if (iv.tv64 && (timr->it_requeue_pending & REQUEUE_PENDING ||
13891 +- (timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE))
13892 ++ timr->it_sigev_notify == SIGEV_NONE))
13893 + timr->it_overrun += (unsigned int) hrtimer_forward(timer, now, iv);
13894 +
13895 + remaining = ktime_sub(hrtimer_get_expires(timer), now);
13896 +@@ -760,7 +764,7 @@ common_timer_get(struct k_itimer *timr, struct itimerspec *cur_setting)
13897 + * A single shot SIGEV_NONE timer must return 0, when
13898 + * it is expired !
13899 + */
13900 +- if ((timr->it_sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE)
13901 ++ if (timr->it_sigev_notify != SIGEV_NONE)
13902 + cur_setting->it_value.tv_nsec = 1;
13903 + } else
13904 + cur_setting->it_value = ktime_to_timespec(remaining);
13905 +@@ -858,7 +862,7 @@ common_timer_set(struct k_itimer *timr, int flags,
13906 + timr->it.real.interval = timespec_to_ktime(new_setting->it_interval);
13907 +
13908 + /* SIGEV_NONE timers are not queued ! See common_timer_get */
13909 +- if (((timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE)) {
13910 ++ if (timr->it_sigev_notify == SIGEV_NONE) {
13911 + /* Setup correct expiry time for relative timers */
13912 + if (mode == HRTIMER_MODE_REL) {
13913 + hrtimer_add_expires(timer, timer->base->get_time());
13914 +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
13915 +index 483cecfa5c17..1994901ef239 100644
13916 +--- a/kernel/trace/blktrace.c
13917 ++++ b/kernel/trace/blktrace.c
13918 +@@ -57,7 +57,8 @@ static struct tracer_flags blk_tracer_flags = {
13919 + };
13920 +
13921 + /* Global reference count of probes */
13922 +-static atomic_t blk_probes_ref = ATOMIC_INIT(0);
13923 ++static DEFINE_MUTEX(blk_probe_mutex);
13924 ++static int blk_probes_ref;
13925 +
13926 + static void blk_register_tracepoints(void);
13927 + static void blk_unregister_tracepoints(void);
13928 +@@ -300,11 +301,26 @@ static void blk_trace_free(struct blk_trace *bt)
13929 + kfree(bt);
13930 + }
13931 +
13932 ++static void get_probe_ref(void)
13933 ++{
13934 ++ mutex_lock(&blk_probe_mutex);
13935 ++ if (++blk_probes_ref == 1)
13936 ++ blk_register_tracepoints();
13937 ++ mutex_unlock(&blk_probe_mutex);
13938 ++}
13939 ++
13940 ++static void put_probe_ref(void)
13941 ++{
13942 ++ mutex_lock(&blk_probe_mutex);
13943 ++ if (!--blk_probes_ref)
13944 ++ blk_unregister_tracepoints();
13945 ++ mutex_unlock(&blk_probe_mutex);
13946 ++}
13947 ++
13948 + static void blk_trace_cleanup(struct blk_trace *bt)
13949 + {
13950 + blk_trace_free(bt);
13951 +- if (atomic_dec_and_test(&blk_probes_ref))
13952 +- blk_unregister_tracepoints();
13953 ++ put_probe_ref();
13954 + }
13955 +
13956 + int blk_trace_remove(struct request_queue *q)
13957 +@@ -527,8 +543,7 @@ int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
13958 + goto err;
13959 + }
13960 +
13961 +- if (atomic_inc_return(&blk_probes_ref) == 1)
13962 +- blk_register_tracepoints();
13963 ++ get_probe_ref();
13964 +
13965 + return 0;
13966 + err:
13967 +@@ -1474,9 +1489,7 @@ static int blk_trace_remove_queue(struct request_queue *q)
13968 + if (bt == NULL)
13969 + return -EINVAL;
13970 +
13971 +- if (atomic_dec_and_test(&blk_probes_ref))
13972 +- blk_unregister_tracepoints();
13973 +-
13974 ++ put_probe_ref();
13975 + blk_trace_free(bt);
13976 + return 0;
13977 + }
13978 +@@ -1510,8 +1523,7 @@ static int blk_trace_setup_queue(struct request_queue *q,
13979 + goto free_bt;
13980 + }
13981 +
13982 +- if (atomic_inc_return(&blk_probes_ref) == 1)
13983 +- blk_register_tracepoints();
13984 ++ get_probe_ref();
13985 + return 0;
13986 +
13987 + free_bt:
13988 +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
13989 +index 75c5271a56c2..40bc77080fad 100644
13990 +--- a/kernel/trace/ring_buffer.c
13991 ++++ b/kernel/trace/ring_buffer.c
13992 +@@ -332,6 +332,8 @@ EXPORT_SYMBOL_GPL(ring_buffer_event_data);
13993 + /* Missed count stored at end */
13994 + #define RB_MISSED_STORED (1 << 30)
13995 +
13996 ++#define RB_MISSED_FLAGS (RB_MISSED_EVENTS|RB_MISSED_STORED)
13997 ++
13998 + struct buffer_data_page {
13999 + u64 time_stamp; /* page time stamp */
14000 + local_t commit; /* write committed index */
14001 +@@ -383,7 +385,9 @@ static void rb_init_page(struct buffer_data_page *bpage)
14002 + */
14003 + size_t ring_buffer_page_len(void *page)
14004 + {
14005 +- return local_read(&((struct buffer_data_page *)page)->commit)
14006 ++ struct buffer_data_page *bpage = page;
14007 ++
14008 ++ return (local_read(&bpage->commit) & ~RB_MISSED_FLAGS)
14009 + + BUF_PAGE_HDR_SIZE;
14010 + }
14011 +
14012 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
14013 +index 7a26798ffbf9..d03f7eadc1f3 100644
14014 +--- a/kernel/trace/trace.c
14015 ++++ b/kernel/trace/trace.c
14016 +@@ -5719,7 +5719,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
14017 + .spd_release = buffer_spd_release,
14018 + };
14019 + struct buffer_ref *ref;
14020 +- int entries, size, i;
14021 ++ int entries, i;
14022 + ssize_t ret = 0;
14023 +
14024 + #ifdef CONFIG_TRACER_MAX_TRACE
14025 +@@ -5770,14 +5770,6 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
14026 + break;
14027 + }
14028 +
14029 +- /*
14030 +- * zero out any left over data, this is going to
14031 +- * user land.
14032 +- */
14033 +- size = ring_buffer_page_len(ref->page);
14034 +- if (size < PAGE_SIZE)
14035 +- memset(ref->page + size, 0, PAGE_SIZE - size);
14036 +-
14037 + page = virt_to_page(ref->page);
14038 +
14039 + spd.pages[i] = page;
14040 +@@ -6448,6 +6440,7 @@ allocate_trace_buffer(struct trace_array *tr, struct trace_buffer *buf, int size
14041 + buf->data = alloc_percpu(struct trace_array_cpu);
14042 + if (!buf->data) {
14043 + ring_buffer_free(buf->buffer);
14044 ++ buf->buffer = NULL;
14045 + return -ENOMEM;
14046 + }
14047 +
14048 +@@ -6471,7 +6464,9 @@ static int allocate_trace_buffers(struct trace_array *tr, int size)
14049 + allocate_snapshot ? size : 1);
14050 + if (WARN_ON(ret)) {
14051 + ring_buffer_free(tr->trace_buffer.buffer);
14052 ++ tr->trace_buffer.buffer = NULL;
14053 + free_percpu(tr->trace_buffer.data);
14054 ++ tr->trace_buffer.data = NULL;
14055 + return -ENOMEM;
14056 + }
14057 + tr->allocated_snapshot = allocate_snapshot;
14058 +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
14059 +index 6459f77e2c72..d19406850b0d 100644
14060 +--- a/kernel/trace/trace_events.c
14061 ++++ b/kernel/trace/trace_events.c
14062 +@@ -1819,6 +1819,7 @@ void trace_event_enum_update(struct trace_enum_map **map, int len)
14063 + {
14064 + struct ftrace_event_call *call, *p;
14065 + const char *last_system = NULL;
14066 ++ bool first = false;
14067 + int last_i;
14068 + int i;
14069 +
14070 +@@ -1826,15 +1827,28 @@ void trace_event_enum_update(struct trace_enum_map **map, int len)
14071 + list_for_each_entry_safe(call, p, &ftrace_events, list) {
14072 + /* events are usually grouped together with systems */
14073 + if (!last_system || call->class->system != last_system) {
14074 ++ first = true;
14075 + last_i = 0;
14076 + last_system = call->class->system;
14077 + }
14078 +
14079 ++ /*
14080 ++ * Since calls are grouped by systems, the likelyhood that the
14081 ++ * next call in the iteration belongs to the same system as the
14082 ++ * previous call is high. As an optimization, we skip seaching
14083 ++ * for a map[] that matches the call's system if the last call
14084 ++ * was from the same system. That's what last_i is for. If the
14085 ++ * call has the same system as the previous call, then last_i
14086 ++ * will be the index of the first map[] that has a matching
14087 ++ * system.
14088 ++ */
14089 + for (i = last_i; i < len; i++) {
14090 + if (call->class->system == map[i]->system) {
14091 + /* Save the first system if need be */
14092 +- if (!last_i)
14093 ++ if (first) {
14094 + last_i = i;
14095 ++ first = false;
14096 ++ }
14097 + update_event_printk(call, map[i]);
14098 + }
14099 + }
14100 +diff --git a/kernel/uid16.c b/kernel/uid16.c
14101 +index d58cc4d8f0d1..651aaa5221ec 100644
14102 +--- a/kernel/uid16.c
14103 ++++ b/kernel/uid16.c
14104 +@@ -190,6 +190,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
14105 + return retval;
14106 + }
14107 +
14108 ++ groups_sort(group_info);
14109 + retval = set_current_groups(group_info);
14110 + put_group_info(group_info);
14111 +
14112 +diff --git a/lib/oid_registry.c b/lib/oid_registry.c
14113 +index 318f382a010d..150e04d70303 100644
14114 +--- a/lib/oid_registry.c
14115 ++++ b/lib/oid_registry.c
14116 +@@ -116,7 +116,7 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
14117 + int count;
14118 +
14119 + if (v >= end)
14120 +- return -EBADMSG;
14121 ++ goto bad;
14122 +
14123 + n = *v++;
14124 + ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
14125 +@@ -134,7 +134,7 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
14126 + num = n & 0x7f;
14127 + do {
14128 + if (v >= end)
14129 +- return -EBADMSG;
14130 ++ goto bad;
14131 + n = *v++;
14132 + num <<= 7;
14133 + num |= n & 0x7f;
14134 +@@ -148,6 +148,10 @@ int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
14135 + }
14136 +
14137 + return ret;
14138 ++
14139 ++bad:
14140 ++ snprintf(buffer, bufsize, "(bad)");
14141 ++ return -EBADMSG;
14142 + }
14143 + EXPORT_SYMBOL_GPL(sprint_oid);
14144 +
14145 +diff --git a/mm/cma.c b/mm/cma.c
14146 +index 3a7a67b93394..3b4e38689202 100644
14147 +--- a/mm/cma.c
14148 ++++ b/mm/cma.c
14149 +@@ -54,7 +54,7 @@ unsigned long cma_get_size(const struct cma *cma)
14150 + }
14151 +
14152 + static unsigned long cma_bitmap_aligned_mask(const struct cma *cma,
14153 +- int align_order)
14154 ++ unsigned int align_order)
14155 + {
14156 + if (align_order <= cma->order_per_bit)
14157 + return 0;
14158 +@@ -62,17 +62,14 @@ static unsigned long cma_bitmap_aligned_mask(const struct cma *cma,
14159 + }
14160 +
14161 + /*
14162 +- * Find a PFN aligned to the specified order and return an offset represented in
14163 +- * order_per_bits.
14164 ++ * Find the offset of the base PFN from the specified align_order.
14165 ++ * The value returned is represented in order_per_bits.
14166 + */
14167 + static unsigned long cma_bitmap_aligned_offset(const struct cma *cma,
14168 +- int align_order)
14169 ++ unsigned int align_order)
14170 + {
14171 +- if (align_order <= cma->order_per_bit)
14172 +- return 0;
14173 +-
14174 +- return (ALIGN(cma->base_pfn, (1UL << align_order))
14175 +- - cma->base_pfn) >> cma->order_per_bit;
14176 ++ return (cma->base_pfn & ((1UL << align_order) - 1))
14177 ++ >> cma->order_per_bit;
14178 + }
14179 +
14180 + static unsigned long cma_bitmap_pages_to_bits(const struct cma *cma,
14181 +diff --git a/mm/early_ioremap.c b/mm/early_ioremap.c
14182 +index e10ccd299d66..5edcf1b37fa6 100644
14183 +--- a/mm/early_ioremap.c
14184 ++++ b/mm/early_ioremap.c
14185 +@@ -102,7 +102,7 @@ __early_ioremap(resource_size_t phys_addr, unsigned long size, pgprot_t prot)
14186 + enum fixed_addresses idx;
14187 + int i, slot;
14188 +
14189 +- WARN_ON(system_state != SYSTEM_BOOTING);
14190 ++ WARN_ON(system_state >= SYSTEM_RUNNING);
14191 +
14192 + slot = -1;
14193 + for (i = 0; i < FIX_BTMAPS_SLOTS; i++) {
14194 +diff --git a/mm/memcontrol.c b/mm/memcontrol.c
14195 +index 221762e24a68..696b5bbac2e0 100644
14196 +--- a/mm/memcontrol.c
14197 ++++ b/mm/memcontrol.c
14198 +@@ -5641,7 +5641,7 @@ static void uncharge_list(struct list_head *page_list)
14199 + next = page->lru.next;
14200 +
14201 + VM_BUG_ON_PAGE(PageLRU(page), page);
14202 +- VM_BUG_ON_PAGE(page_count(page), page);
14203 ++ VM_BUG_ON_PAGE(!PageHWPoison(page) && page_count(page), page);
14204 +
14205 + if (!page->mem_cgroup)
14206 + continue;
14207 +diff --git a/mm/memory-failure.c b/mm/memory-failure.c
14208 +index 321f5632c17b..7c57635958f2 100644
14209 +--- a/mm/memory-failure.c
14210 ++++ b/mm/memory-failure.c
14211 +@@ -582,6 +582,13 @@ static int delete_from_lru_cache(struct page *p)
14212 + */
14213 + ClearPageActive(p);
14214 + ClearPageUnevictable(p);
14215 ++
14216 ++ /*
14217 ++ * Poisoned page might never drop its ref count to 0 so we have
14218 ++ * to uncharge it manually from its memcg.
14219 ++ */
14220 ++ mem_cgroup_uncharge(p);
14221 ++
14222 + /*
14223 + * drop the page count elevated by isolate_lru_page()
14224 + */
14225 +diff --git a/mm/memory.c b/mm/memory.c
14226 +index fc449016d10e..942daab4dc57 100644
14227 +--- a/mm/memory.c
14228 ++++ b/mm/memory.c
14229 +@@ -71,7 +71,7 @@
14230 +
14231 + #include "internal.h"
14232 +
14233 +-#ifdef LAST_CPUPID_NOT_IN_PAGE_FLAGS
14234 ++#if defined(LAST_CPUPID_NOT_IN_PAGE_FLAGS) && !defined(CONFIG_COMPILE_TEST)
14235 + #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid.
14236 + #endif
14237 +
14238 +diff --git a/mm/mmap.c b/mm/mmap.c
14239 +index 1094833d0e82..d730c1b91a12 100644
14240 +--- a/mm/mmap.c
14241 ++++ b/mm/mmap.c
14242 +@@ -2179,7 +2179,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
14243 + if (gap_addr < address)
14244 + return -ENOMEM;
14245 + next = vma->vm_next;
14246 +- if (next && next->vm_start < gap_addr) {
14247 ++ if (next && next->vm_start < gap_addr &&
14248 ++ (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
14249 + if (!(next->vm_flags & VM_GROWSUP))
14250 + return -ENOMEM;
14251 + /* Check that both stack segments have the same anon_vma? */
14252 +@@ -2260,7 +2261,8 @@ int expand_downwards(struct vm_area_struct *vma,
14253 + if (gap_addr > address)
14254 + return -ENOMEM;
14255 + prev = vma->vm_prev;
14256 +- if (prev && prev->vm_end > gap_addr) {
14257 ++ if (prev && prev->vm_end > gap_addr &&
14258 ++ (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
14259 + if (!(prev->vm_flags & VM_GROWSDOWN))
14260 + return -ENOMEM;
14261 + /* Check that both stack segments have the same anon_vma? */
14262 +diff --git a/mm/mmu_context.c b/mm/mmu_context.c
14263 +index f802c2d216a7..6f4d27c5bb32 100644
14264 +--- a/mm/mmu_context.c
14265 ++++ b/mm/mmu_context.c
14266 +@@ -4,9 +4,9 @@
14267 + */
14268 +
14269 + #include <linux/mm.h>
14270 ++#include <linux/sched.h>
14271 + #include <linux/mmu_context.h>
14272 + #include <linux/export.h>
14273 +-#include <linux/sched.h>
14274 +
14275 + #include <asm/mmu_context.h>
14276 +
14277 +diff --git a/mm/page-writeback.c b/mm/page-writeback.c
14278 +index eb59f7eea508..308757ae508d 100644
14279 +--- a/mm/page-writeback.c
14280 ++++ b/mm/page-writeback.c
14281 +@@ -967,6 +967,7 @@ static void bdi_update_dirty_ratelimit(struct backing_dev_info *bdi,
14282 + unsigned long pos_ratio;
14283 + unsigned long step;
14284 + unsigned long x;
14285 ++ unsigned long shift;
14286 +
14287 + /*
14288 + * The dirty rate will match the writeout rate in long term, except
14289 +@@ -1094,11 +1095,11 @@ static void bdi_update_dirty_ratelimit(struct backing_dev_info *bdi,
14290 + * rate itself is constantly fluctuating. So decrease the track speed
14291 + * when it gets close to the target. Helps eliminate pointless tremors.
14292 + */
14293 +- step >>= dirty_ratelimit / (2 * step + 1);
14294 +- /*
14295 +- * Limit the tracking speed to avoid overshooting.
14296 +- */
14297 +- step = (step + 7) / 8;
14298 ++ shift = dirty_ratelimit / (2 * step + 1);
14299 ++ if (shift < BITS_PER_LONG)
14300 ++ step = DIV_ROUND_UP(step >> shift, 8);
14301 ++ else
14302 ++ step = 0;
14303 +
14304 + if (dirty_ratelimit < balanced_dirty_ratelimit)
14305 + dirty_ratelimit += step;
14306 +diff --git a/mm/util.c b/mm/util.c
14307 +index 68ff8a5361e7..4baa25c35af8 100644
14308 +--- a/mm/util.c
14309 ++++ b/mm/util.c
14310 +@@ -80,6 +80,8 @@ EXPORT_SYMBOL(kstrdup_const);
14311 + * @s: the string to duplicate
14312 + * @max: read at most @max chars from @s
14313 + * @gfp: the GFP mask used in the kmalloc() call when allocating memory
14314 ++ *
14315 ++ * Note: Use kmemdup_nul() instead if the size is known exactly.
14316 + */
14317 + char *kstrndup(const char *s, size_t max, gfp_t gfp)
14318 + {
14319 +@@ -117,6 +119,28 @@ void *kmemdup(const void *src, size_t len, gfp_t gfp)
14320 + }
14321 + EXPORT_SYMBOL(kmemdup);
14322 +
14323 ++/**
14324 ++ * kmemdup_nul - Create a NUL-terminated string from unterminated data
14325 ++ * @s: The data to stringify
14326 ++ * @len: The size of the data
14327 ++ * @gfp: the GFP mask used in the kmalloc() call when allocating memory
14328 ++ */
14329 ++char *kmemdup_nul(const char *s, size_t len, gfp_t gfp)
14330 ++{
14331 ++ char *buf;
14332 ++
14333 ++ if (!s)
14334 ++ return NULL;
14335 ++
14336 ++ buf = kmalloc_track_caller(len + 1, gfp);
14337 ++ if (buf) {
14338 ++ memcpy(buf, s, len);
14339 ++ buf[len] = '\0';
14340 ++ }
14341 ++ return buf;
14342 ++}
14343 ++EXPORT_SYMBOL(kmemdup_nul);
14344 ++
14345 + /**
14346 + * memdup_user - duplicate memory region from user space
14347 + *
14348 +diff --git a/mm/vmscan.c b/mm/vmscan.c
14349 +index f16e330e1096..c6033260e739 100644
14350 +--- a/mm/vmscan.c
14351 ++++ b/mm/vmscan.c
14352 +@@ -223,10 +223,13 @@ EXPORT_SYMBOL(register_shrinker);
14353 + */
14354 + void unregister_shrinker(struct shrinker *shrinker)
14355 + {
14356 ++ if (!shrinker->nr_deferred)
14357 ++ return;
14358 + down_write(&shrinker_rwsem);
14359 + list_del(&shrinker->list);
14360 + up_write(&shrinker_rwsem);
14361 + kfree(shrinker->nr_deferred);
14362 ++ shrinker->nr_deferred = NULL;
14363 + }
14364 + EXPORT_SYMBOL(unregister_shrinker);
14365 +
14366 +diff --git a/mm/vmstat.c b/mm/vmstat.c
14367 +index 4f5cd974e11a..9b525cd66ca6 100644
14368 +--- a/mm/vmstat.c
14369 ++++ b/mm/vmstat.c
14370 +@@ -1326,7 +1326,9 @@ static int vmstat_show(struct seq_file *m, void *arg)
14371 + unsigned long *l = arg;
14372 + unsigned long off = l - (unsigned long *)m->private;
14373 +
14374 +- seq_printf(m, "%s %lu\n", vmstat_text[off], *l);
14375 ++ seq_puts(m, vmstat_text[off]);
14376 ++ seq_put_decimal_ull(m, ' ', *l);
14377 ++ seq_putc(m, '\n');
14378 + return 0;
14379 + }
14380 +
14381 +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
14382 +index ce53c8691604..6ce54eed45e8 100644
14383 +--- a/net/8021q/vlan.c
14384 ++++ b/net/8021q/vlan.c
14385 +@@ -111,12 +111,7 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
14386 + vlan_gvrp_uninit_applicant(real_dev);
14387 + }
14388 +
14389 +- /* Take it out of our own structures, but be sure to interlock with
14390 +- * HW accelerating devices or SW vlan input packet processing if
14391 +- * VLAN is not 0 (leave it there for 802.1p).
14392 +- */
14393 +- if (vlan_id)
14394 +- vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
14395 ++ vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
14396 +
14397 + /* Get rid of the vlan's reference to real_dev */
14398 + dev_put(real_dev);
14399 +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
14400 +index 9b6b35977f48..915a584b4e19 100644
14401 +--- a/net/bluetooth/l2cap_core.c
14402 ++++ b/net/bluetooth/l2cap_core.c
14403 +@@ -3346,9 +3346,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
14404 + break;
14405 +
14406 + case L2CAP_CONF_EFS:
14407 +- remote_efs = 1;
14408 +- if (olen == sizeof(efs))
14409 ++ if (olen == sizeof(efs)) {
14410 ++ remote_efs = 1;
14411 + memcpy(&efs, (void *) val, olen);
14412 ++ }
14413 + break;
14414 +
14415 + case L2CAP_CONF_EWS:
14416 +@@ -3567,16 +3568,17 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
14417 + break;
14418 +
14419 + case L2CAP_CONF_EFS:
14420 +- if (olen == sizeof(efs))
14421 ++ if (olen == sizeof(efs)) {
14422 + memcpy(&efs, (void *)val, olen);
14423 +
14424 +- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
14425 +- efs.stype != L2CAP_SERV_NOTRAFIC &&
14426 +- efs.stype != chan->local_stype)
14427 +- return -ECONNREFUSED;
14428 ++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
14429 ++ efs.stype != L2CAP_SERV_NOTRAFIC &&
14430 ++ efs.stype != chan->local_stype)
14431 ++ return -ECONNREFUSED;
14432 +
14433 +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
14434 +- (unsigned long) &efs, endptr - ptr);
14435 ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
14436 ++ (unsigned long) &efs, endptr - ptr);
14437 ++ }
14438 + break;
14439 +
14440 + case L2CAP_CONF_FCS:
14441 +diff --git a/net/can/af_can.c b/net/can/af_can.c
14442 +index 62c635f2bcfc..2a55c0ce9490 100644
14443 +--- a/net/can/af_can.c
14444 ++++ b/net/can/af_can.c
14445 +@@ -714,13 +714,12 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev,
14446 + if (unlikely(!net_eq(dev_net(dev), &init_net)))
14447 + goto drop;
14448 +
14449 +- if (WARN_ONCE(dev->type != ARPHRD_CAN ||
14450 +- skb->len != CAN_MTU ||
14451 +- cfd->len > CAN_MAX_DLEN,
14452 +- "PF_CAN: dropped non conform CAN skbuf: "
14453 +- "dev type %d, len %d, datalen %d\n",
14454 +- dev->type, skb->len, cfd->len))
14455 ++ if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU ||
14456 ++ cfd->len > CAN_MAX_DLEN)) {
14457 ++ pr_warn_once("PF_CAN: dropped non conform CAN skbuf: dev type %d, len %d, datalen %d\n",
14458 ++ dev->type, skb->len, cfd->len);
14459 + goto drop;
14460 ++ }
14461 +
14462 + can_receive(skb, dev);
14463 + return NET_RX_SUCCESS;
14464 +@@ -738,13 +737,12 @@ static int canfd_rcv(struct sk_buff *skb, struct net_device *dev,
14465 + if (unlikely(!net_eq(dev_net(dev), &init_net)))
14466 + goto drop;
14467 +
14468 +- if (WARN_ONCE(dev->type != ARPHRD_CAN ||
14469 +- skb->len != CANFD_MTU ||
14470 +- cfd->len > CANFD_MAX_DLEN,
14471 +- "PF_CAN: dropped non conform CAN FD skbuf: "
14472 +- "dev type %d, len %d, datalen %d\n",
14473 +- dev->type, skb->len, cfd->len))
14474 ++ if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU ||
14475 ++ cfd->len > CANFD_MAX_DLEN)) {
14476 ++ pr_warn_once("PF_CAN: dropped non conform CAN FD skbuf: dev type %d, len %d, datalen %d\n",
14477 ++ dev->type, skb->len, cfd->len);
14478 + goto drop;
14479 ++ }
14480 +
14481 + can_receive(skb, dev);
14482 + return NET_RX_SUCCESS;
14483 +diff --git a/net/core/dev.c b/net/core/dev.c
14484 +index 4d4213b6f7f6..0ccae464b46e 100644
14485 +--- a/net/core/dev.c
14486 ++++ b/net/core/dev.c
14487 +@@ -2513,7 +2513,7 @@ struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
14488 +
14489 + segs = skb_mac_gso_segment(skb, features);
14490 +
14491 +- if (unlikely(skb_needs_check(skb, tx_path)))
14492 ++ if (unlikely(skb_needs_check(skb, tx_path) && !IS_ERR(segs)))
14493 + skb_warn_bad_offload(skb);
14494 +
14495 + return segs;
14496 +@@ -2803,10 +2803,21 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
14497 + hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
14498 +
14499 + /* + transport layer */
14500 +- if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))
14501 +- hdr_len += tcp_hdrlen(skb);
14502 +- else
14503 +- hdr_len += sizeof(struct udphdr);
14504 ++ if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) {
14505 ++ const struct tcphdr *th;
14506 ++ struct tcphdr _tcphdr;
14507 ++
14508 ++ th = skb_header_pointer(skb, skb_transport_offset(skb),
14509 ++ sizeof(_tcphdr), &_tcphdr);
14510 ++ if (likely(th))
14511 ++ hdr_len += __tcp_hdrlen(th);
14512 ++ } else {
14513 ++ struct udphdr _udphdr;
14514 ++
14515 ++ if (skb_header_pointer(skb, skb_transport_offset(skb),
14516 ++ sizeof(_udphdr), &_udphdr))
14517 ++ hdr_len += sizeof(struct udphdr);
14518 ++ }
14519 +
14520 + if (shinfo->gso_type & SKB_GSO_DODGY)
14521 + gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
14522 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
14523 +index cb9a7ab5444c..5fd6c6e699aa 100644
14524 +--- a/net/core/neighbour.c
14525 ++++ b/net/core/neighbour.c
14526 +@@ -492,7 +492,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
14527 + if (atomic_read(&tbl->entries) > (1 << nht->hash_shift))
14528 + nht = neigh_hash_grow(tbl, nht->hash_shift + 1);
14529 +
14530 +- hash_val = tbl->hash(pkey, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
14531 ++ hash_val = tbl->hash(n->primary_key, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
14532 +
14533 + if (n->parms->dead) {
14534 + rc = ERR_PTR(-EINVAL);
14535 +@@ -504,7 +504,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
14536 + n1 != NULL;
14537 + n1 = rcu_dereference_protected(n1->next,
14538 + lockdep_is_held(&tbl->lock))) {
14539 +- if (dev == n1->dev && !memcmp(n1->primary_key, pkey, key_len)) {
14540 ++ if (dev == n1->dev && !memcmp(n1->primary_key, n->primary_key, key_len)) {
14541 + if (want_ref)
14542 + neigh_hold(n1);
14543 + rc = n1;
14544 +diff --git a/net/core/skbuff.c b/net/core/skbuff.c
14545 +index 97a1fa140a9b..853e82075ebd 100644
14546 +--- a/net/core/skbuff.c
14547 ++++ b/net/core/skbuff.c
14548 +@@ -3694,7 +3694,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
14549 + struct sock *sk = skb->sk;
14550 +
14551 + if (!skb_may_tx_timestamp(sk, false))
14552 +- return;
14553 ++ goto err;
14554 +
14555 + /* Take a reference to prevent skb_orphan() from freeing the socket,
14556 + * but only if the socket refcount is not zero.
14557 +@@ -3703,7 +3703,11 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
14558 + *skb_hwtstamps(skb) = *hwtstamps;
14559 + __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
14560 + sock_put(sk);
14561 ++ return;
14562 + }
14563 ++
14564 ++err:
14565 ++ kfree_skb(skb);
14566 + }
14567 + EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp);
14568 +
14569 +diff --git a/net/core/sock.c b/net/core/sock.c
14570 +index 76e0b874f378..7697148eec4f 100644
14571 +--- a/net/core/sock.c
14572 ++++ b/net/core/sock.c
14573 +@@ -729,7 +729,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
14574 + val = min_t(u32, val, sysctl_wmem_max);
14575 + set_sndbuf:
14576 + sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
14577 +- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
14578 ++ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
14579 + /* Wake up sending tasks if we upped the value. */
14580 + sk->sk_write_space(sk);
14581 + break;
14582 +@@ -765,7 +765,7 @@ set_rcvbuf:
14583 + * returning the value we actually used in getsockopt
14584 + * is the most desirable behavior.
14585 + */
14586 +- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
14587 ++ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
14588 + break;
14589 +
14590 + case SO_RCVBUFFORCE:
14591 +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
14592 +index a6beb7b6ae55..f5ef2115871f 100644
14593 +--- a/net/core/sysctl_net_core.c
14594 ++++ b/net/core/sysctl_net_core.c
14595 +@@ -360,14 +360,16 @@ static struct ctl_table net_core_table[] = {
14596 + .data = &sysctl_net_busy_poll,
14597 + .maxlen = sizeof(unsigned int),
14598 + .mode = 0644,
14599 +- .proc_handler = proc_dointvec
14600 ++ .proc_handler = proc_dointvec_minmax,
14601 ++ .extra1 = &zero,
14602 + },
14603 + {
14604 + .procname = "busy_read",
14605 + .data = &sysctl_net_busy_read,
14606 + .maxlen = sizeof(unsigned int),
14607 + .mode = 0644,
14608 +- .proc_handler = proc_dointvec
14609 ++ .proc_handler = proc_dointvec_minmax,
14610 ++ .extra1 = &zero,
14611 + },
14612 + #endif
14613 + #ifdef CONFIG_NET_SCHED
14614 +diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
14615 +index 5e3a7302f774..7753681195c1 100644
14616 +--- a/net/dccp/ccids/ccid2.c
14617 ++++ b/net/dccp/ccids/ccid2.c
14618 +@@ -140,6 +140,9 @@ static void ccid2_hc_tx_rto_expire(unsigned long data)
14619 +
14620 + ccid2_pr_debug("RTO_EXPIRE\n");
14621 +
14622 ++ if (sk->sk_state == DCCP_CLOSED)
14623 ++ goto out;
14624 ++
14625 + /* back-off timer */
14626 + hc->tx_rto <<= 1;
14627 + if (hc->tx_rto > DCCP_RTO_MAX)
14628 +diff --git a/net/dccp/proto.c b/net/dccp/proto.c
14629 +index 522658179cca..a20dc23360f9 100644
14630 +--- a/net/dccp/proto.c
14631 ++++ b/net/dccp/proto.c
14632 +@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
14633 + {
14634 + struct inet_connection_sock *icsk = inet_csk(sk);
14635 + struct inet_sock *inet = inet_sk(sk);
14636 ++ struct dccp_sock *dp = dccp_sk(sk);
14637 + int err = 0;
14638 + const int old_state = sk->sk_state;
14639 +
14640 +@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
14641 + sk->sk_err = ECONNRESET;
14642 +
14643 + dccp_clear_xmit_timers(sk);
14644 ++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
14645 ++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
14646 ++ dp->dccps_hc_rx_ccid = NULL;
14647 ++ dp->dccps_hc_tx_ccid = NULL;
14648 +
14649 + __skb_queue_purge(&sk->sk_receive_queue);
14650 + __skb_queue_purge(&sk->sk_write_queue);
14651 +diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
14652 +index 2783c538ec19..e31f0da7537a 100644
14653 +--- a/net/decnet/af_decnet.c
14654 ++++ b/net/decnet/af_decnet.c
14655 +@@ -1337,6 +1337,12 @@ static int dn_setsockopt(struct socket *sock, int level, int optname, char __use
14656 + lock_sock(sk);
14657 + err = __dn_setsockopt(sock, level, optname, optval, optlen, 0);
14658 + release_sock(sk);
14659 ++#ifdef CONFIG_NETFILTER
14660 ++ /* we need to exclude all possible ENOPROTOOPTs except default case */
14661 ++ if (err == -ENOPROTOOPT && optname != DSO_LINKINFO &&
14662 ++ optname != DSO_STREAM && optname != DSO_SEQPACKET)
14663 ++ err = nf_setsockopt(sk, PF_DECnet, optname, optval, optlen);
14664 ++#endif
14665 +
14666 + return err;
14667 + }
14668 +@@ -1444,15 +1450,6 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us
14669 + dn_nsp_send_disc(sk, 0x38, 0, sk->sk_allocation);
14670 + break;
14671 +
14672 +- default:
14673 +-#ifdef CONFIG_NETFILTER
14674 +- return nf_setsockopt(sk, PF_DECnet, optname, optval, optlen);
14675 +-#endif
14676 +- case DSO_LINKINFO:
14677 +- case DSO_STREAM:
14678 +- case DSO_SEQPACKET:
14679 +- return -ENOPROTOOPT;
14680 +-
14681 + case DSO_MAXWINDOW:
14682 + if (optlen != sizeof(unsigned long))
14683 + return -EINVAL;
14684 +@@ -1500,6 +1497,12 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us
14685 + return -EINVAL;
14686 + scp->info_loc = u.info;
14687 + break;
14688 ++
14689 ++ case DSO_LINKINFO:
14690 ++ case DSO_STREAM:
14691 ++ case DSO_SEQPACKET:
14692 ++ default:
14693 ++ return -ENOPROTOOPT;
14694 + }
14695 +
14696 + return 0;
14697 +@@ -1513,6 +1516,20 @@ static int dn_getsockopt(struct socket *sock, int level, int optname, char __use
14698 + lock_sock(sk);
14699 + err = __dn_getsockopt(sock, level, optname, optval, optlen, 0);
14700 + release_sock(sk);
14701 ++#ifdef CONFIG_NETFILTER
14702 ++ if (err == -ENOPROTOOPT && optname != DSO_STREAM &&
14703 ++ optname != DSO_SEQPACKET && optname != DSO_CONACCEPT &&
14704 ++ optname != DSO_CONREJECT) {
14705 ++ int len;
14706 ++
14707 ++ if (get_user(len, optlen))
14708 ++ return -EFAULT;
14709 ++
14710 ++ err = nf_getsockopt(sk, PF_DECnet, optname, optval, &len);
14711 ++ if (err >= 0)
14712 ++ err = put_user(len, optlen);
14713 ++ }
14714 ++#endif
14715 +
14716 + return err;
14717 + }
14718 +@@ -1578,26 +1595,6 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
14719 + r_data = &link;
14720 + break;
14721 +
14722 +- default:
14723 +-#ifdef CONFIG_NETFILTER
14724 +- {
14725 +- int ret, len;
14726 +-
14727 +- if (get_user(len, optlen))
14728 +- return -EFAULT;
14729 +-
14730 +- ret = nf_getsockopt(sk, PF_DECnet, optname, optval, &len);
14731 +- if (ret >= 0)
14732 +- ret = put_user(len, optlen);
14733 +- return ret;
14734 +- }
14735 +-#endif
14736 +- case DSO_STREAM:
14737 +- case DSO_SEQPACKET:
14738 +- case DSO_CONACCEPT:
14739 +- case DSO_CONREJECT:
14740 +- return -ENOPROTOOPT;
14741 +-
14742 + case DSO_MAXWINDOW:
14743 + if (r_len > sizeof(unsigned long))
14744 + r_len = sizeof(unsigned long);
14745 +@@ -1629,6 +1626,13 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
14746 + r_len = sizeof(unsigned char);
14747 + r_data = &scp->info_rem;
14748 + break;
14749 ++
14750 ++ case DSO_STREAM:
14751 ++ case DSO_SEQPACKET:
14752 ++ case DSO_CONACCEPT:
14753 ++ case DSO_CONREJECT:
14754 ++ default:
14755 ++ return -ENOPROTOOPT;
14756 + }
14757 +
14758 + if (r_data) {
14759 +diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
14760 +index a7e74fbf2ce6..24b4174a84bf 100644
14761 +--- a/net/ipv4/arp.c
14762 ++++ b/net/ipv4/arp.c
14763 +@@ -221,11 +221,16 @@ static bool arp_key_eq(const struct neighbour *neigh, const void *pkey)
14764 +
14765 + static int arp_constructor(struct neighbour *neigh)
14766 + {
14767 +- __be32 addr = *(__be32 *)neigh->primary_key;
14768 ++ __be32 addr;
14769 + struct net_device *dev = neigh->dev;
14770 + struct in_device *in_dev;
14771 + struct neigh_parms *parms;
14772 ++ u32 inaddr_any = INADDR_ANY;
14773 +
14774 ++ if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
14775 ++ memcpy(neigh->primary_key, &inaddr_any, arp_tbl.key_len);
14776 ++
14777 ++ addr = *(__be32 *)neigh->primary_key;
14778 + rcu_read_lock();
14779 + in_dev = __in_dev_get_rcu(dev);
14780 + if (!in_dev) {
14781 +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
14782 +index a57056d87a43..1d2fba4aeeb2 100644
14783 +--- a/net/ipv4/devinet.c
14784 ++++ b/net/ipv4/devinet.c
14785 +@@ -1359,7 +1359,7 @@ skip:
14786 +
14787 + static bool inetdev_valid_mtu(unsigned int mtu)
14788 + {
14789 +- return mtu >= 68;
14790 ++ return mtu >= IPV4_MIN_MTU;
14791 + }
14792 +
14793 + static void inetdev_send_gratuitous_arp(struct net_device *dev,
14794 +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
14795 +index a8db70b7fe45..5095491e6141 100644
14796 +--- a/net/ipv4/fib_frontend.c
14797 ++++ b/net/ipv4/fib_frontend.c
14798 +@@ -1181,7 +1181,7 @@ fail:
14799 +
14800 + static void ip_fib_net_exit(struct net *net)
14801 + {
14802 +- unsigned int i;
14803 ++ int i;
14804 +
14805 + rtnl_lock();
14806 + #ifdef CONFIG_IP_MULTIPLE_TABLES
14807 +@@ -1189,7 +1189,12 @@ static void ip_fib_net_exit(struct net *net)
14808 + RCU_INIT_POINTER(net->ipv4.fib_main, NULL);
14809 + RCU_INIT_POINTER(net->ipv4.fib_default, NULL);
14810 + #endif
14811 +- for (i = 0; i < FIB_TABLE_HASHSZ; i++) {
14812 ++ /* Destroy the tables in reverse order to guarantee that the
14813 ++ * local table, ID 255, is destroyed before the main table, ID
14814 ++ * 254. This is necessary as the local table may contain
14815 ++ * references to data contained in the main table.
14816 ++ */
14817 ++ for (i = FIB_TABLE_HASHSZ - 1; i >= 0; i--) {
14818 + struct hlist_head *head = &net->ipv4.fib_table_hash[i];
14819 + struct hlist_node *tmp;
14820 + struct fib_table *tb;
14821 +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
14822 +index e2d3d62297ec..c17485bcb18a 100644
14823 +--- a/net/ipv4/igmp.c
14824 ++++ b/net/ipv4/igmp.c
14825 +@@ -89,6 +89,7 @@
14826 + #include <linux/rtnetlink.h>
14827 + #include <linux/times.h>
14828 + #include <linux/pkt_sched.h>
14829 ++#include <linux/byteorder/generic.h>
14830 +
14831 + #include <net/net_namespace.h>
14832 + #include <net/arp.h>
14833 +@@ -319,6 +320,23 @@ igmp_scount(struct ip_mc_list *pmc, int type, int gdeleted, int sdeleted)
14834 + return scount;
14835 + }
14836 +
14837 ++/* source address selection per RFC 3376 section 4.2.13 */
14838 ++static __be32 igmpv3_get_srcaddr(struct net_device *dev,
14839 ++ const struct flowi4 *fl4)
14840 ++{
14841 ++ struct in_device *in_dev = __in_dev_get_rcu(dev);
14842 ++
14843 ++ if (!in_dev)
14844 ++ return htonl(INADDR_ANY);
14845 ++
14846 ++ for_ifa(in_dev) {
14847 ++ if (fl4->saddr == ifa->ifa_local)
14848 ++ return fl4->saddr;
14849 ++ } endfor_ifa(in_dev);
14850 ++
14851 ++ return htonl(INADDR_ANY);
14852 ++}
14853 ++
14854 + static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
14855 + {
14856 + struct sk_buff *skb;
14857 +@@ -366,7 +384,11 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
14858 + pip->frag_off = htons(IP_DF);
14859 + pip->ttl = 1;
14860 + pip->daddr = fl4.daddr;
14861 +- pip->saddr = fl4.saddr;
14862 ++
14863 ++ rcu_read_lock();
14864 ++ pip->saddr = igmpv3_get_srcaddr(dev, &fl4);
14865 ++ rcu_read_unlock();
14866 ++
14867 + pip->protocol = IPPROTO_IGMP;
14868 + pip->tot_len = 0; /* filled in later */
14869 + ip_select_ident(net, skb, NULL);
14870 +@@ -402,16 +424,17 @@ static int grec_size(struct ip_mc_list *pmc, int type, int gdel, int sdel)
14871 + }
14872 +
14873 + static struct sk_buff *add_grhead(struct sk_buff *skb, struct ip_mc_list *pmc,
14874 +- int type, struct igmpv3_grec **ppgr)
14875 ++ int type, struct igmpv3_grec **ppgr, unsigned int mtu)
14876 + {
14877 + struct net_device *dev = pmc->interface->dev;
14878 + struct igmpv3_report *pih;
14879 + struct igmpv3_grec *pgr;
14880 +
14881 +- if (!skb)
14882 +- skb = igmpv3_newpack(dev, dev->mtu);
14883 +- if (!skb)
14884 +- return NULL;
14885 ++ if (!skb) {
14886 ++ skb = igmpv3_newpack(dev, mtu);
14887 ++ if (!skb)
14888 ++ return NULL;
14889 ++ }
14890 + pgr = (struct igmpv3_grec *)skb_put(skb, sizeof(struct igmpv3_grec));
14891 + pgr->grec_type = type;
14892 + pgr->grec_auxwords = 0;
14893 +@@ -433,10 +456,15 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
14894 + struct igmpv3_grec *pgr = NULL;
14895 + struct ip_sf_list *psf, *psf_next, *psf_prev, **psf_list;
14896 + int scount, stotal, first, isquery, truncate;
14897 ++ unsigned int mtu;
14898 +
14899 + if (pmc->multiaddr == IGMP_ALL_HOSTS)
14900 + return skb;
14901 +
14902 ++ mtu = READ_ONCE(dev->mtu);
14903 ++ if (mtu < IPV4_MIN_MTU)
14904 ++ return skb;
14905 ++
14906 + isquery = type == IGMPV3_MODE_IS_INCLUDE ||
14907 + type == IGMPV3_MODE_IS_EXCLUDE;
14908 + truncate = type == IGMPV3_MODE_IS_EXCLUDE ||
14909 +@@ -457,7 +485,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
14910 + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) {
14911 + if (skb)
14912 + igmpv3_sendpack(skb);
14913 +- skb = igmpv3_newpack(dev, dev->mtu);
14914 ++ skb = igmpv3_newpack(dev, mtu);
14915 + }
14916 + }
14917 + first = 1;
14918 +@@ -484,12 +512,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
14919 + pgr->grec_nsrcs = htons(scount);
14920 + if (skb)
14921 + igmpv3_sendpack(skb);
14922 +- skb = igmpv3_newpack(dev, dev->mtu);
14923 ++ skb = igmpv3_newpack(dev, mtu);
14924 + first = 1;
14925 + scount = 0;
14926 + }
14927 + if (first) {
14928 +- skb = add_grhead(skb, pmc, type, &pgr);
14929 ++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
14930 + first = 0;
14931 + }
14932 + if (!skb)
14933 +@@ -523,7 +551,7 @@ empty_source:
14934 + igmpv3_sendpack(skb);
14935 + skb = NULL; /* add_grhead will get a new one */
14936 + }
14937 +- skb = add_grhead(skb, pmc, type, &pgr);
14938 ++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
14939 + }
14940 + }
14941 + if (pgr)
14942 +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
14943 +index b6c7bdea4853..67c1333422a4 100644
14944 +--- a/net/ipv4/ip_sockglue.c
14945 ++++ b/net/ipv4/ip_sockglue.c
14946 +@@ -1203,11 +1203,8 @@ int ip_setsockopt(struct sock *sk, int level,
14947 + if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
14948 + optname != IP_IPSEC_POLICY &&
14949 + optname != IP_XFRM_POLICY &&
14950 +- !ip_mroute_opt(optname)) {
14951 +- lock_sock(sk);
14952 ++ !ip_mroute_opt(optname))
14953 + err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
14954 +- release_sock(sk);
14955 +- }
14956 + #endif
14957 + return err;
14958 + }
14959 +@@ -1232,12 +1229,9 @@ int compat_ip_setsockopt(struct sock *sk, int level, int optname,
14960 + if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
14961 + optname != IP_IPSEC_POLICY &&
14962 + optname != IP_XFRM_POLICY &&
14963 +- !ip_mroute_opt(optname)) {
14964 +- lock_sock(sk);
14965 +- err = compat_nf_setsockopt(sk, PF_INET, optname,
14966 +- optval, optlen);
14967 +- release_sock(sk);
14968 +- }
14969 ++ !ip_mroute_opt(optname))
14970 ++ err = compat_nf_setsockopt(sk, PF_INET, optname, optval,
14971 ++ optlen);
14972 + #endif
14973 + return err;
14974 + }
14975 +@@ -1497,10 +1491,7 @@ int ip_getsockopt(struct sock *sk, int level,
14976 + if (get_user(len, optlen))
14977 + return -EFAULT;
14978 +
14979 +- lock_sock(sk);
14980 +- err = nf_getsockopt(sk, PF_INET, optname, optval,
14981 +- &len);
14982 +- release_sock(sk);
14983 ++ err = nf_getsockopt(sk, PF_INET, optname, optval, &len);
14984 + if (err >= 0)
14985 + err = put_user(len, optlen);
14986 + return err;
14987 +@@ -1532,9 +1523,7 @@ int compat_ip_getsockopt(struct sock *sk, int level, int optname,
14988 + if (get_user(len, optlen))
14989 + return -EFAULT;
14990 +
14991 +- lock_sock(sk);
14992 + err = compat_nf_getsockopt(sk, PF_INET, optname, optval, &len);
14993 +- release_sock(sk);
14994 + if (err >= 0)
14995 + err = put_user(len, optlen);
14996 + return err;
14997 +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
14998 +index 35080a708b59..169bf7d1d8ca 100644
14999 +--- a/net/ipv4/ip_tunnel.c
15000 ++++ b/net/ipv4/ip_tunnel.c
15001 +@@ -393,8 +393,8 @@ static int ip_tunnel_bind_dev(struct net_device *dev)
15002 + dev->needed_headroom = t_hlen + hlen;
15003 + mtu -= (dev->hard_header_len + t_hlen);
15004 +
15005 +- if (mtu < 68)
15006 +- mtu = 68;
15007 ++ if (mtu < IPV4_MIN_MTU)
15008 ++ mtu = IPV4_MIN_MTU;
15009 +
15010 + return mtu;
15011 + }
15012 +diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
15013 +index 8e7328c6a390..6389616ccc3f 100644
15014 +--- a/net/ipv4/ipconfig.c
15015 ++++ b/net/ipv4/ipconfig.c
15016 +@@ -148,7 +148,11 @@ static char vendor_class_identifier[253] __initdata;
15017 +
15018 + /* Persistent data: */
15019 +
15020 ++#ifdef IPCONFIG_DYNAMIC
15021 + static int ic_proto_used; /* Protocol used, if any */
15022 ++#else
15023 ++#define ic_proto_used 0
15024 ++#endif
15025 + static __be32 ic_nameservers[CONF_NAMESERVERS_MAX]; /* DNS Server IP addresses */
15026 + static u8 ic_domain[64]; /* DNS (not NIS) domain name */
15027 +
15028 +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
15029 +index ebf5821caefb..7510a851d316 100644
15030 +--- a/net/ipv4/netfilter/arp_tables.c
15031 ++++ b/net/ipv4/netfilter/arp_tables.c
15032 +@@ -1330,8 +1330,8 @@ static int translate_compat_table(struct xt_table_info **pinfo,
15033 +
15034 + newinfo->number = compatr->num_entries;
15035 + for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
15036 +- newinfo->hook_entry[i] = info->hook_entry[i];
15037 +- newinfo->underflow[i] = info->underflow[i];
15038 ++ newinfo->hook_entry[i] = compatr->hook_entry[i];
15039 ++ newinfo->underflow[i] = compatr->underflow[i];
15040 + }
15041 + entry1 = newinfo->entries[raw_smp_processor_id()];
15042 + pos = entry1;
15043 +diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
15044 +index 771ab3d01ad3..d098013855f0 100644
15045 +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
15046 ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
15047 +@@ -365,7 +365,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
15048 + struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
15049 + const struct ipt_entry *e = par->entryinfo;
15050 + struct clusterip_config *config;
15051 +- int ret;
15052 ++ int ret, i;
15053 +
15054 + if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
15055 + cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
15056 +@@ -379,8 +379,18 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
15057 + pr_info("Please specify destination IP\n");
15058 + return -EINVAL;
15059 + }
15060 +-
15061 +- /* FIXME: further sanity checks */
15062 ++ if (cipinfo->num_local_nodes > ARRAY_SIZE(cipinfo->local_nodes)) {
15063 ++ pr_info("bad num_local_nodes %u\n", cipinfo->num_local_nodes);
15064 ++ return -EINVAL;
15065 ++ }
15066 ++ for (i = 0; i < cipinfo->num_local_nodes; i++) {
15067 ++ if (cipinfo->local_nodes[i] - 1 >=
15068 ++ sizeof(config->local_nodes) * 8) {
15069 ++ pr_info("bad local_nodes[%d] %u\n",
15070 ++ i, cipinfo->local_nodes[i]);
15071 ++ return -EINVAL;
15072 ++ }
15073 ++ }
15074 +
15075 + config = clusterip_config_find_get(par->net, e->ip.dst.s_addr, 1);
15076 + if (!config) {
15077 +diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
15078 +index 30ad9554b5e9..406d69f033ac 100644
15079 +--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
15080 ++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
15081 +@@ -261,15 +261,19 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len)
15082 + struct nf_conntrack_tuple tuple;
15083 +
15084 + memset(&tuple, 0, sizeof(tuple));
15085 ++
15086 ++ lock_sock(sk);
15087 + tuple.src.u3.ip = inet->inet_rcv_saddr;
15088 + tuple.src.u.tcp.port = inet->inet_sport;
15089 + tuple.dst.u3.ip = inet->inet_daddr;
15090 + tuple.dst.u.tcp.port = inet->inet_dport;
15091 + tuple.src.l3num = PF_INET;
15092 + tuple.dst.protonum = sk->sk_protocol;
15093 ++ release_sock(sk);
15094 +
15095 + /* We only do TCP and SCTP at the moment: is there a better way? */
15096 +- if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) {
15097 ++ if (tuple.dst.protonum != IPPROTO_TCP &&
15098 ++ tuple.dst.protonum != IPPROTO_SCTP) {
15099 + pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");
15100 + return -ENOPROTOOPT;
15101 + }
15102 +diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
15103 +index cc626e1b06d3..64a8bbc06f23 100644
15104 +--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
15105 ++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
15106 +@@ -1260,16 +1260,6 @@ static const struct nf_conntrack_expect_policy snmp_exp_policy = {
15107 + .timeout = 180,
15108 + };
15109 +
15110 +-static struct nf_conntrack_helper snmp_helper __read_mostly = {
15111 +- .me = THIS_MODULE,
15112 +- .help = help,
15113 +- .expect_policy = &snmp_exp_policy,
15114 +- .name = "snmp",
15115 +- .tuple.src.l3num = AF_INET,
15116 +- .tuple.src.u.udp.port = cpu_to_be16(SNMP_PORT),
15117 +- .tuple.dst.protonum = IPPROTO_UDP,
15118 +-};
15119 +-
15120 + static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
15121 + .me = THIS_MODULE,
15122 + .help = help,
15123 +@@ -1288,17 +1278,10 @@ static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
15124 +
15125 + static int __init nf_nat_snmp_basic_init(void)
15126 + {
15127 +- int ret = 0;
15128 +-
15129 + BUG_ON(nf_nat_snmp_hook != NULL);
15130 + RCU_INIT_POINTER(nf_nat_snmp_hook, help);
15131 +
15132 +- ret = nf_conntrack_helper_register(&snmp_trap_helper);
15133 +- if (ret < 0) {
15134 +- nf_conntrack_helper_unregister(&snmp_helper);
15135 +- return ret;
15136 +- }
15137 +- return ret;
15138 ++ return nf_conntrack_helper_register(&snmp_trap_helper);
15139 + }
15140 +
15141 + static void __exit nf_nat_snmp_basic_fini(void)
15142 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
15143 +index a1de8300cfce..94a4b28e5da6 100644
15144 +--- a/net/ipv4/tcp.c
15145 ++++ b/net/ipv4/tcp.c
15146 +@@ -2137,6 +2137,9 @@ adjudge_to_death:
15147 + tcp_send_active_reset(sk, GFP_ATOMIC);
15148 + NET_INC_STATS_BH(sock_net(sk),
15149 + LINUX_MIB_TCPABORTONMEMORY);
15150 ++ } else if (!check_net(sock_net(sk))) {
15151 ++ /* Not possible to send reset; just close */
15152 ++ tcp_set_state(sk, TCP_CLOSE);
15153 + }
15154 + }
15155 +
15156 +@@ -2232,6 +2235,12 @@ int tcp_disconnect(struct sock *sk, int flags)
15157 +
15158 + WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
15159 +
15160 ++ if (sk->sk_frag.page) {
15161 ++ put_page(sk->sk_frag.page);
15162 ++ sk->sk_frag.page = NULL;
15163 ++ sk->sk_frag.offset = 0;
15164 ++ }
15165 ++
15166 + sk->sk_error_report(sk);
15167 + return err;
15168 + }
15169 +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
15170 +index 2923f7f7932a..38e9dc5b735d 100644
15171 +--- a/net/ipv4/tcp_ipv4.c
15172 ++++ b/net/ipv4/tcp_ipv4.c
15173 +@@ -814,7 +814,7 @@ static void tcp_v4_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
15174 + tcp_time_stamp,
15175 + req->ts_recent,
15176 + 0,
15177 +- tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->daddr,
15178 ++ tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->saddr,
15179 + AF_INET),
15180 + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0,
15181 + ip_hdr(skb)->tos);
15182 +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
15183 +index f8c6b2343301..4a3f230ef91b 100644
15184 +--- a/net/ipv4/tcp_timer.c
15185 ++++ b/net/ipv4/tcp_timer.c
15186 +@@ -46,11 +46,19 @@ static void tcp_write_err(struct sock *sk)
15187 + * to prevent DoS attacks. It is called when a retransmission timeout
15188 + * or zero probe timeout occurs on orphaned socket.
15189 + *
15190 ++ * Also close if our net namespace is exiting; in that case there is no
15191 ++ * hope of ever communicating again since all netns interfaces are already
15192 ++ * down (or about to be down), and we need to release our dst references,
15193 ++ * which have been moved to the netns loopback interface, so the namespace
15194 ++ * can finish exiting. This condition is only possible if we are a kernel
15195 ++ * socket, as those do not hold references to the namespace.
15196 ++ *
15197 + * Criteria is still not confirmed experimentally and may change.
15198 + * We kill the socket, if:
15199 + * 1. If number of orphaned sockets exceeds an administratively configured
15200 + * limit.
15201 + * 2. If we have strong memory pressure.
15202 ++ * 3. If our net namespace is exiting.
15203 + */
15204 + static int tcp_out_of_resources(struct sock *sk, bool do_reset)
15205 + {
15206 +@@ -79,6 +87,13 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset)
15207 + NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPABORTONMEMORY);
15208 + return 1;
15209 + }
15210 ++
15211 ++ if (!check_net(sock_net(sk))) {
15212 ++ /* Not possible to send reset; just close */
15213 ++ tcp_done(sk);
15214 ++ return 1;
15215 ++ }
15216 ++
15217 + return 0;
15218 + }
15219 +
15220 +diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c
15221 +index a6cea1d5e20d..33c0879612f5 100644
15222 +--- a/net/ipv4/tcp_vegas.c
15223 ++++ b/net/ipv4/tcp_vegas.c
15224 +@@ -158,7 +158,7 @@ EXPORT_SYMBOL_GPL(tcp_vegas_cwnd_event);
15225 +
15226 + static inline u32 tcp_vegas_ssthresh(struct tcp_sock *tp)
15227 + {
15228 +- return min(tp->snd_ssthresh, tp->snd_cwnd-1);
15229 ++ return min(tp->snd_ssthresh, tp->snd_cwnd);
15230 + }
15231 +
15232 + static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked)
15233 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
15234 +index 7a6317671d32..97397a3df219 100644
15235 +--- a/net/ipv6/ip6_output.c
15236 ++++ b/net/ipv6/ip6_output.c
15237 +@@ -1217,14 +1217,16 @@ static int ip6_setup_cork(struct sock *sk, struct inet_cork_full *cork,
15238 + v6_cork->tclass = tclass;
15239 + if (rt->dst.flags & DST_XFRM_TUNNEL)
15240 + mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
15241 +- rt->dst.dev->mtu : dst_mtu(&rt->dst);
15242 ++ READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst);
15243 + else
15244 + mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
15245 +- rt->dst.dev->mtu : dst_mtu(rt->dst.path);
15246 ++ READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path);
15247 + if (np->frag_size < mtu) {
15248 + if (np->frag_size)
15249 + mtu = np->frag_size;
15250 + }
15251 ++ if (mtu < IPV6_MIN_MTU)
15252 ++ return -EINVAL;
15253 + cork->base.fragsize = mtu;
15254 + if (dst_allfrag(rt->dst.path))
15255 + cork->base.flags |= IPCORK_ALLFRAG;
15256 +@@ -1757,10 +1759,13 @@ struct sk_buff *ip6_make_skb(struct sock *sk,
15257 + cork.base.flags = 0;
15258 + cork.base.addr = 0;
15259 + cork.base.opt = NULL;
15260 ++ cork.base.dst = NULL;
15261 + v6_cork.opt = NULL;
15262 + err = ip6_setup_cork(sk, &cork, &v6_cork, hlimit, tclass, opt, rt, fl6);
15263 +- if (err)
15264 ++ if (err) {
15265 ++ ip6_cork_release(&cork, &v6_cork);
15266 + return ERR_PTR(err);
15267 ++ }
15268 +
15269 + if (dontfrag < 0)
15270 + dontfrag = inet6_sk(sk)->dontfrag;
15271 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
15272 +index 1c4db0fe7f88..672dd08dc3dd 100644
15273 +--- a/net/ipv6/ip6mr.c
15274 ++++ b/net/ipv6/ip6mr.c
15275 +@@ -496,6 +496,7 @@ static void *ipmr_mfc_seq_start(struct seq_file *seq, loff_t *pos)
15276 + return ERR_PTR(-ENOENT);
15277 +
15278 + it->mrt = mrt;
15279 ++ it->cache = NULL;
15280 + return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1)
15281 + : SEQ_START_TOKEN;
15282 + }
15283 +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
15284 +index 4449ad1f8114..2ad727bba3a5 100644
15285 +--- a/net/ipv6/ipv6_sockglue.c
15286 ++++ b/net/ipv6/ipv6_sockglue.c
15287 +@@ -896,12 +896,8 @@ int ipv6_setsockopt(struct sock *sk, int level, int optname,
15288 + #ifdef CONFIG_NETFILTER
15289 + /* we need to exclude all possible ENOPROTOOPTs except default case */
15290 + if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
15291 +- optname != IPV6_XFRM_POLICY) {
15292 +- lock_sock(sk);
15293 +- err = nf_setsockopt(sk, PF_INET6, optname, optval,
15294 +- optlen);
15295 +- release_sock(sk);
15296 +- }
15297 ++ optname != IPV6_XFRM_POLICY)
15298 ++ err = nf_setsockopt(sk, PF_INET6, optname, optval, optlen);
15299 + #endif
15300 + return err;
15301 + }
15302 +@@ -931,12 +927,9 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
15303 + #ifdef CONFIG_NETFILTER
15304 + /* we need to exclude all possible ENOPROTOOPTs except default case */
15305 + if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
15306 +- optname != IPV6_XFRM_POLICY) {
15307 +- lock_sock(sk);
15308 +- err = compat_nf_setsockopt(sk, PF_INET6, optname,
15309 +- optval, optlen);
15310 +- release_sock(sk);
15311 +- }
15312 ++ optname != IPV6_XFRM_POLICY)
15313 ++ err = compat_nf_setsockopt(sk, PF_INET6, optname, optval,
15314 ++ optlen);
15315 + #endif
15316 + return err;
15317 + }
15318 +@@ -1338,10 +1331,7 @@ int ipv6_getsockopt(struct sock *sk, int level, int optname,
15319 + if (get_user(len, optlen))
15320 + return -EFAULT;
15321 +
15322 +- lock_sock(sk);
15323 +- err = nf_getsockopt(sk, PF_INET6, optname, optval,
15324 +- &len);
15325 +- release_sock(sk);
15326 ++ err = nf_getsockopt(sk, PF_INET6, optname, optval, &len);
15327 + if (err >= 0)
15328 + err = put_user(len, optlen);
15329 + }
15330 +@@ -1380,10 +1370,7 @@ int compat_ipv6_getsockopt(struct sock *sk, int level, int optname,
15331 + if (get_user(len, optlen))
15332 + return -EFAULT;
15333 +
15334 +- lock_sock(sk);
15335 +- err = compat_nf_getsockopt(sk, PF_INET6,
15336 +- optname, optval, &len);
15337 +- release_sock(sk);
15338 ++ err = compat_nf_getsockopt(sk, PF_INET6, optname, optval, &len);
15339 + if (err >= 0)
15340 + err = put_user(len, optlen);
15341 + }
15342 +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
15343 +index 9a63110b6548..47de89f57a80 100644
15344 +--- a/net/ipv6/mcast.c
15345 ++++ b/net/ipv6/mcast.c
15346 +@@ -1668,16 +1668,16 @@ static int grec_size(struct ifmcaddr6 *pmc, int type, int gdel, int sdel)
15347 + }
15348 +
15349 + static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc,
15350 +- int type, struct mld2_grec **ppgr)
15351 ++ int type, struct mld2_grec **ppgr, unsigned int mtu)
15352 + {
15353 +- struct net_device *dev = pmc->idev->dev;
15354 + struct mld2_report *pmr;
15355 + struct mld2_grec *pgr;
15356 +
15357 +- if (!skb)
15358 +- skb = mld_newpack(pmc->idev, dev->mtu);
15359 +- if (!skb)
15360 +- return NULL;
15361 ++ if (!skb) {
15362 ++ skb = mld_newpack(pmc->idev, mtu);
15363 ++ if (!skb)
15364 ++ return NULL;
15365 ++ }
15366 + pgr = (struct mld2_grec *)skb_put(skb, sizeof(struct mld2_grec));
15367 + pgr->grec_type = type;
15368 + pgr->grec_auxwords = 0;
15369 +@@ -1700,10 +1700,15 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
15370 + struct mld2_grec *pgr = NULL;
15371 + struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list;
15372 + int scount, stotal, first, isquery, truncate;
15373 ++ unsigned int mtu;
15374 +
15375 + if (pmc->mca_flags & MAF_NOREPORT)
15376 + return skb;
15377 +
15378 ++ mtu = READ_ONCE(dev->mtu);
15379 ++ if (mtu < IPV6_MIN_MTU)
15380 ++ return skb;
15381 ++
15382 + isquery = type == MLD2_MODE_IS_INCLUDE ||
15383 + type == MLD2_MODE_IS_EXCLUDE;
15384 + truncate = type == MLD2_MODE_IS_EXCLUDE ||
15385 +@@ -1724,7 +1729,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
15386 + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) {
15387 + if (skb)
15388 + mld_sendpack(skb);
15389 +- skb = mld_newpack(idev, dev->mtu);
15390 ++ skb = mld_newpack(idev, mtu);
15391 + }
15392 + }
15393 + first = 1;
15394 +@@ -1751,12 +1756,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
15395 + pgr->grec_nsrcs = htons(scount);
15396 + if (skb)
15397 + mld_sendpack(skb);
15398 +- skb = mld_newpack(idev, dev->mtu);
15399 ++ skb = mld_newpack(idev, mtu);
15400 + first = 1;
15401 + scount = 0;
15402 + }
15403 + if (first) {
15404 +- skb = add_grhead(skb, pmc, type, &pgr);
15405 ++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
15406 + first = 0;
15407 + }
15408 + if (!skb)
15409 +@@ -1790,7 +1795,7 @@ empty_source:
15410 + mld_sendpack(skb);
15411 + skb = NULL; /* add_grhead will get a new one */
15412 + }
15413 +- skb = add_grhead(skb, pmc, type, &pgr);
15414 ++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
15415 + }
15416 + }
15417 + if (pgr)
15418 +diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
15419 +index 4ba0c34c627b..6bb16657db3a 100644
15420 +--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
15421 ++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
15422 +@@ -232,20 +232,27 @@ static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
15423 + static int
15424 + ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len)
15425 + {
15426 +- const struct inet_sock *inet = inet_sk(sk);
15427 ++ struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
15428 + const struct ipv6_pinfo *inet6 = inet6_sk(sk);
15429 ++ const struct inet_sock *inet = inet_sk(sk);
15430 + const struct nf_conntrack_tuple_hash *h;
15431 + struct sockaddr_in6 sin6;
15432 +- struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
15433 + struct nf_conn *ct;
15434 ++ __be32 flow_label;
15435 ++ int bound_dev_if;
15436 +
15437 ++ lock_sock(sk);
15438 + tuple.src.u3.in6 = sk->sk_v6_rcv_saddr;
15439 + tuple.src.u.tcp.port = inet->inet_sport;
15440 + tuple.dst.u3.in6 = sk->sk_v6_daddr;
15441 + tuple.dst.u.tcp.port = inet->inet_dport;
15442 + tuple.dst.protonum = sk->sk_protocol;
15443 ++ bound_dev_if = sk->sk_bound_dev_if;
15444 ++ flow_label = inet6->flow_label;
15445 ++ release_sock(sk);
15446 +
15447 +- if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP)
15448 ++ if (tuple.dst.protonum != IPPROTO_TCP &&
15449 ++ tuple.dst.protonum != IPPROTO_SCTP)
15450 + return -ENOPROTOOPT;
15451 +
15452 + if (*len < 0 || (unsigned int) *len < sizeof(sin6))
15453 +@@ -263,14 +270,13 @@ ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len)
15454 +
15455 + sin6.sin6_family = AF_INET6;
15456 + sin6.sin6_port = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.tcp.port;
15457 +- sin6.sin6_flowinfo = inet6->flow_label & IPV6_FLOWINFO_MASK;
15458 ++ sin6.sin6_flowinfo = flow_label & IPV6_FLOWINFO_MASK;
15459 + memcpy(&sin6.sin6_addr,
15460 + &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.in6,
15461 + sizeof(sin6.sin6_addr));
15462 +
15463 + nf_ct_put(ct);
15464 +- sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr,
15465 +- sk->sk_bound_dev_if);
15466 ++ sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr, bound_dev_if);
15467 + return copy_to_user(user, &sin6, sizeof(sin6)) ? -EFAULT : 0;
15468 + }
15469 +
15470 +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
15471 +index 2f0f1b415fbe..9f274781ba57 100644
15472 +--- a/net/ipv6/tcp_ipv6.c
15473 ++++ b/net/ipv6/tcp_ipv6.c
15474 +@@ -940,7 +940,7 @@ static void tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
15475 + tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
15476 + tcp_rsk(req)->rcv_nxt, req->rcv_wnd,
15477 + tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
15478 +- tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),
15479 ++ tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr),
15480 + 0, 0);
15481 + }
15482 +
15483 +diff --git a/net/key/af_key.c b/net/key/af_key.c
15484 +index 39c78c9e1c68..354c43a1c43d 100644
15485 +--- a/net/key/af_key.c
15486 ++++ b/net/key/af_key.c
15487 +@@ -401,6 +401,11 @@ static int verify_address_len(const void *p)
15488 + #endif
15489 + int len;
15490 +
15491 ++ if (sp->sadb_address_len <
15492 ++ DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),
15493 ++ sizeof(uint64_t)))
15494 ++ return -EINVAL;
15495 ++
15496 + switch (addr->sa_family) {
15497 + case AF_INET:
15498 + len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));
15499 +@@ -511,6 +516,9 @@ static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void *
15500 + uint16_t ext_type;
15501 + int ext_len;
15502 +
15503 ++ if (len < sizeof(*ehdr))
15504 ++ return -EINVAL;
15505 ++
15506 + ext_len = ehdr->sadb_ext_len;
15507 + ext_len *= sizeof(uint64_t);
15508 + ext_type = ehdr->sadb_ext_type;
15509 +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
15510 +index 37e0aa4891a2..cd85cbf9bf39 100644
15511 +--- a/net/mac80211/cfg.c
15512 ++++ b/net/mac80211/cfg.c
15513 +@@ -2857,7 +2857,7 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
15514 + }
15515 + if (beacon->probe_resp_len) {
15516 + new_beacon->probe_resp_len = beacon->probe_resp_len;
15517 +- beacon->probe_resp = pos;
15518 ++ new_beacon->probe_resp = pos;
15519 + memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
15520 + pos += beacon->probe_resp_len;
15521 + }
15522 +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
15523 +index 214e63b84e5c..4efc60236cdb 100644
15524 +--- a/net/mac80211/mesh_hwmp.c
15525 ++++ b/net/mac80211/mesh_hwmp.c
15526 +@@ -763,7 +763,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
15527 + struct mesh_path *mpath;
15528 + u8 ttl, flags, hopcount;
15529 + const u8 *orig_addr;
15530 +- u32 orig_sn, metric, metric_txsta, interval;
15531 ++ u32 orig_sn, new_metric, orig_metric, last_hop_metric, interval;
15532 + bool root_is_gate;
15533 +
15534 + ttl = rann->rann_ttl;
15535 +@@ -774,7 +774,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
15536 + interval = le32_to_cpu(rann->rann_interval);
15537 + hopcount = rann->rann_hopcount;
15538 + hopcount++;
15539 +- metric = le32_to_cpu(rann->rann_metric);
15540 ++ orig_metric = le32_to_cpu(rann->rann_metric);
15541 +
15542 + /* Ignore our own RANNs */
15543 + if (ether_addr_equal(orig_addr, sdata->vif.addr))
15544 +@@ -791,7 +791,10 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
15545 + return;
15546 + }
15547 +
15548 +- metric_txsta = airtime_link_metric_get(local, sta);
15549 ++ last_hop_metric = airtime_link_metric_get(local, sta);
15550 ++ new_metric = orig_metric + last_hop_metric;
15551 ++ if (new_metric < orig_metric)
15552 ++ new_metric = MAX_METRIC;
15553 +
15554 + mpath = mesh_path_lookup(sdata, orig_addr);
15555 + if (!mpath) {
15556 +@@ -804,7 +807,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
15557 + }
15558 +
15559 + if (!(SN_LT(mpath->sn, orig_sn)) &&
15560 +- !(mpath->sn == orig_sn && metric < mpath->rann_metric)) {
15561 ++ !(mpath->sn == orig_sn && new_metric < mpath->rann_metric)) {
15562 + rcu_read_unlock();
15563 + return;
15564 + }
15565 +@@ -822,7 +825,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
15566 + }
15567 +
15568 + mpath->sn = orig_sn;
15569 +- mpath->rann_metric = metric + metric_txsta;
15570 ++ mpath->rann_metric = new_metric;
15571 + mpath->is_root = true;
15572 + /* Recording RANNs sender address to send individually
15573 + * addressed PREQs destined for root mesh STA */
15574 +@@ -842,7 +845,7 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
15575 + mesh_path_sel_frame_tx(MPATH_RANN, flags, orig_addr,
15576 + orig_sn, 0, NULL, 0, broadcast_addr,
15577 + hopcount, ttl, interval,
15578 +- metric + metric_txsta, 0, sdata);
15579 ++ new_metric, 0, sdata);
15580 + }
15581 +
15582 + rcu_read_unlock();
15583 +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
15584 +index bc3f791845aa..e951ca98757e 100644
15585 +--- a/net/netfilter/nf_conntrack_core.c
15586 ++++ b/net/netfilter/nf_conntrack_core.c
15587 +@@ -695,6 +695,7 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
15588 + * least once for the stats anyway.
15589 + */
15590 + rcu_read_lock_bh();
15591 ++ begin:
15592 + hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) {
15593 + ct = nf_ct_tuplehash_to_ctrack(h);
15594 + if (ct != ignored_conntrack &&
15595 +@@ -706,6 +707,12 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
15596 + }
15597 + NF_CT_STAT_INC(net, searched);
15598 + }
15599 ++
15600 ++ if (get_nulls_value(n) != hash) {
15601 ++ NF_CT_STAT_INC(net, search_restart);
15602 ++ goto begin;
15603 ++ }
15604 ++
15605 + rcu_read_unlock_bh();
15606 +
15607 + return 0;
15608 +diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
15609 +index 4f4c88d70a8f..cba342b37b62 100644
15610 +--- a/net/netfilter/nf_conntrack_expect.c
15611 ++++ b/net/netfilter/nf_conntrack_expect.c
15612 +@@ -557,7 +557,7 @@ static int exp_seq_show(struct seq_file *s, void *v)
15613 + helper = rcu_dereference(nfct_help(expect->master)->helper);
15614 + if (helper) {
15615 + seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
15616 +- if (helper->expect_policy[expect->class].name)
15617 ++ if (helper->expect_policy[expect->class].name[0])
15618 + seq_printf(s, "/%s",
15619 + helper->expect_policy[expect->class].name);
15620 + }
15621 +diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
15622 +index 885b4aba3695..1665c2159e4b 100644
15623 +--- a/net/netfilter/nf_conntrack_sip.c
15624 ++++ b/net/netfilter/nf_conntrack_sip.c
15625 +@@ -1434,9 +1434,12 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
15626 + handler = &sip_handlers[i];
15627 + if (handler->request == NULL)
15628 + continue;
15629 +- if (*datalen < handler->len ||
15630 ++ if (*datalen < handler->len + 2 ||
15631 + strncasecmp(*dptr, handler->method, handler->len))
15632 + continue;
15633 ++ if ((*dptr)[handler->len] != ' ' ||
15634 ++ !isalpha((*dptr)[handler->len+1]))
15635 ++ continue;
15636 +
15637 + if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
15638 + &matchoff, &matchlen) <= 0) {
15639 +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
15640 +index 6d10002d23f8..ac143ae4f7b6 100644
15641 +--- a/net/netfilter/nfnetlink_cthelper.c
15642 ++++ b/net/netfilter/nfnetlink_cthelper.c
15643 +@@ -17,6 +17,7 @@
15644 + #include <linux/types.h>
15645 + #include <linux/list.h>
15646 + #include <linux/errno.h>
15647 ++#include <linux/capability.h>
15648 + #include <net/netlink.h>
15649 + #include <net/sock.h>
15650 +
15651 +@@ -32,6 +33,13 @@ MODULE_LICENSE("GPL");
15652 + MODULE_AUTHOR("Pablo Neira Ayuso <pablo@×××××××××.org>");
15653 + MODULE_DESCRIPTION("nfnl_cthelper: User-space connection tracking helpers");
15654 +
15655 ++struct nfnl_cthelper {
15656 ++ struct list_head list;
15657 ++ struct nf_conntrack_helper helper;
15658 ++};
15659 ++
15660 ++static LIST_HEAD(nfnl_cthelper_list);
15661 ++
15662 + static int
15663 + nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff,
15664 + struct nf_conn *ct, enum ip_conntrack_info ctinfo)
15665 +@@ -205,18 +213,20 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
15666 + struct nf_conntrack_tuple *tuple)
15667 + {
15668 + struct nf_conntrack_helper *helper;
15669 ++ struct nfnl_cthelper *nfcth;
15670 + int ret;
15671 +
15672 + if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN])
15673 + return -EINVAL;
15674 +
15675 +- helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
15676 +- if (helper == NULL)
15677 ++ nfcth = kzalloc(sizeof(*nfcth), GFP_KERNEL);
15678 ++ if (nfcth == NULL)
15679 + return -ENOMEM;
15680 ++ helper = &nfcth->helper;
15681 +
15682 + ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
15683 + if (ret < 0)
15684 +- goto err;
15685 ++ goto err1;
15686 +
15687 + strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
15688 + helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
15689 +@@ -247,14 +257,100 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
15690 +
15691 + ret = nf_conntrack_helper_register(helper);
15692 + if (ret < 0)
15693 +- goto err;
15694 ++ goto err2;
15695 +
15696 ++ list_add_tail(&nfcth->list, &nfnl_cthelper_list);
15697 + return 0;
15698 +-err:
15699 +- kfree(helper);
15700 ++err2:
15701 ++ kfree(helper->expect_policy);
15702 ++err1:
15703 ++ kfree(nfcth);
15704 + return ret;
15705 + }
15706 +
15707 ++static int
15708 ++nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy,
15709 ++ struct nf_conntrack_expect_policy *new_policy,
15710 ++ const struct nlattr *attr)
15711 ++{
15712 ++ struct nlattr *tb[NFCTH_POLICY_MAX + 1];
15713 ++ int err;
15714 ++
15715 ++ err = nla_parse_nested(tb, NFCTH_POLICY_MAX, attr,
15716 ++ nfnl_cthelper_expect_pol);
15717 ++ if (err < 0)
15718 ++ return err;
15719 ++
15720 ++ if (!tb[NFCTH_POLICY_NAME] ||
15721 ++ !tb[NFCTH_POLICY_EXPECT_MAX] ||
15722 ++ !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
15723 ++ return -EINVAL;
15724 ++
15725 ++ if (nla_strcmp(tb[NFCTH_POLICY_NAME], policy->name))
15726 ++ return -EBUSY;
15727 ++
15728 ++ new_policy->max_expected =
15729 ++ ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
15730 ++ new_policy->timeout =
15731 ++ ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
15732 ++
15733 ++ return 0;
15734 ++}
15735 ++
15736 ++static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],
15737 ++ struct nf_conntrack_helper *helper)
15738 ++{
15739 ++ struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1];
15740 ++ struct nf_conntrack_expect_policy *policy;
15741 ++ int i, err;
15742 ++
15743 ++ /* Check first that all policy attributes are well-formed, so we don't
15744 ++ * leave things in inconsistent state on errors.
15745 ++ */
15746 ++ for (i = 0; i < helper->expect_class_max + 1; i++) {
15747 ++
15748 ++ if (!tb[NFCTH_POLICY_SET + i])
15749 ++ return -EINVAL;
15750 ++
15751 ++ err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],
15752 ++ &new_policy[i],
15753 ++ tb[NFCTH_POLICY_SET + i]);
15754 ++ if (err < 0)
15755 ++ return err;
15756 ++ }
15757 ++ /* Now we can safely update them. */
15758 ++ for (i = 0; i < helper->expect_class_max + 1; i++) {
15759 ++ policy = (struct nf_conntrack_expect_policy *)
15760 ++ &helper->expect_policy[i];
15761 ++ policy->max_expected = new_policy->max_expected;
15762 ++ policy->timeout = new_policy->timeout;
15763 ++ }
15764 ++
15765 ++ return 0;
15766 ++}
15767 ++
15768 ++static int nfnl_cthelper_update_policy(struct nf_conntrack_helper *helper,
15769 ++ const struct nlattr *attr)
15770 ++{
15771 ++ struct nlattr *tb[NFCTH_POLICY_SET_MAX + 1];
15772 ++ unsigned int class_max;
15773 ++ int err;
15774 ++
15775 ++ err = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
15776 ++ nfnl_cthelper_expect_policy_set);
15777 ++ if (err < 0)
15778 ++ return err;
15779 ++
15780 ++ if (!tb[NFCTH_POLICY_SET_NUM])
15781 ++ return -EINVAL;
15782 ++
15783 ++ class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
15784 ++ if (helper->expect_class_max + 1 != class_max)
15785 ++ return -EBUSY;
15786 ++
15787 ++ return nfnl_cthelper_update_policy_all(tb, helper);
15788 ++}
15789 ++
15790 + static int
15791 + nfnl_cthelper_update(const struct nlattr * const tb[],
15792 + struct nf_conntrack_helper *helper)
15793 +@@ -265,8 +361,7 @@ nfnl_cthelper_update(const struct nlattr * const tb[],
15794 + return -EBUSY;
15795 +
15796 + if (tb[NFCTH_POLICY]) {
15797 +- ret = nfnl_cthelper_parse_expect_policy(helper,
15798 +- tb[NFCTH_POLICY]);
15799 ++ ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
15800 + if (ret < 0)
15801 + return ret;
15802 + }
15803 +@@ -295,7 +390,11 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb,
15804 + const char *helper_name;
15805 + struct nf_conntrack_helper *cur, *helper = NULL;
15806 + struct nf_conntrack_tuple tuple;
15807 +- int ret = 0, i;
15808 ++ struct nfnl_cthelper *nlcth;
15809 ++ int ret = 0;
15810 ++
15811 ++ if (!capable(CAP_NET_ADMIN))
15812 ++ return -EPERM;
15813 +
15814 + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
15815 + return -EINVAL;
15816 +@@ -306,31 +405,22 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb,
15817 + if (ret < 0)
15818 + return ret;
15819 +
15820 +- rcu_read_lock();
15821 +- for (i = 0; i < nf_ct_helper_hsize && !helper; i++) {
15822 +- hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
15823 ++ list_for_each_entry(nlcth, &nfnl_cthelper_list, list) {
15824 ++ cur = &nlcth->helper;
15825 +
15826 +- /* skip non-userspace conntrack helpers. */
15827 +- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
15828 +- continue;
15829 ++ if (strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
15830 ++ continue;
15831 +
15832 +- if (strncmp(cur->name, helper_name,
15833 +- NF_CT_HELPER_NAME_LEN) != 0)
15834 +- continue;
15835 ++ if ((tuple.src.l3num != cur->tuple.src.l3num ||
15836 ++ tuple.dst.protonum != cur->tuple.dst.protonum))
15837 ++ continue;
15838 +
15839 +- if ((tuple.src.l3num != cur->tuple.src.l3num ||
15840 +- tuple.dst.protonum != cur->tuple.dst.protonum))
15841 +- continue;
15842 ++ if (nlh->nlmsg_flags & NLM_F_EXCL)
15843 ++ return -EEXIST;
15844 +
15845 +- if (nlh->nlmsg_flags & NLM_F_EXCL) {
15846 +- ret = -EEXIST;
15847 +- goto err;
15848 +- }
15849 +- helper = cur;
15850 +- break;
15851 +- }
15852 ++ helper = cur;
15853 ++ break;
15854 + }
15855 +- rcu_read_unlock();
15856 +
15857 + if (helper == NULL)
15858 + ret = nfnl_cthelper_create(tb, &tuple);
15859 +@@ -338,9 +428,6 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb,
15860 + ret = nfnl_cthelper_update(tb, helper);
15861 +
15862 + return ret;
15863 +-err:
15864 +- rcu_read_unlock();
15865 +- return ret;
15866 + }
15867 +
15868 + static int
15869 +@@ -504,13 +591,17 @@ static int
15870 + nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb,
15871 + const struct nlmsghdr *nlh, const struct nlattr * const tb[])
15872 + {
15873 +- int ret = -ENOENT, i;
15874 ++ int ret = -ENOENT;
15875 + struct nf_conntrack_helper *cur;
15876 + struct sk_buff *skb2;
15877 + char *helper_name = NULL;
15878 + struct nf_conntrack_tuple tuple;
15879 ++ struct nfnl_cthelper *nlcth;
15880 + bool tuple_set = false;
15881 +
15882 ++ if (!capable(CAP_NET_ADMIN))
15883 ++ return -EPERM;
15884 ++
15885 + if (nlh->nlmsg_flags & NLM_F_DUMP) {
15886 + struct netlink_dump_control c = {
15887 + .dump = nfnl_cthelper_dump_table,
15888 +@@ -529,45 +620,39 @@ nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb,
15889 + tuple_set = true;
15890 + }
15891 +
15892 +- for (i = 0; i < nf_ct_helper_hsize; i++) {
15893 +- hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
15894 +-
15895 +- /* skip non-userspace conntrack helpers. */
15896 +- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
15897 +- continue;
15898 ++ list_for_each_entry(nlcth, &nfnl_cthelper_list, list) {
15899 ++ cur = &nlcth->helper;
15900 ++ if (helper_name &&
15901 ++ strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
15902 ++ continue;
15903 +
15904 +- if (helper_name && strncmp(cur->name, helper_name,
15905 +- NF_CT_HELPER_NAME_LEN) != 0) {
15906 +- continue;
15907 +- }
15908 +- if (tuple_set &&
15909 +- (tuple.src.l3num != cur->tuple.src.l3num ||
15910 +- tuple.dst.protonum != cur->tuple.dst.protonum))
15911 +- continue;
15912 ++ if (tuple_set &&
15913 ++ (tuple.src.l3num != cur->tuple.src.l3num ||
15914 ++ tuple.dst.protonum != cur->tuple.dst.protonum))
15915 ++ continue;
15916 +
15917 +- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15918 +- if (skb2 == NULL) {
15919 +- ret = -ENOMEM;
15920 +- break;
15921 +- }
15922 ++ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15923 ++ if (skb2 == NULL) {
15924 ++ ret = -ENOMEM;
15925 ++ break;
15926 ++ }
15927 +
15928 +- ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
15929 +- nlh->nlmsg_seq,
15930 +- NFNL_MSG_TYPE(nlh->nlmsg_type),
15931 +- NFNL_MSG_CTHELPER_NEW, cur);
15932 +- if (ret <= 0) {
15933 +- kfree_skb(skb2);
15934 +- break;
15935 +- }
15936 ++ ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
15937 ++ nlh->nlmsg_seq,
15938 ++ NFNL_MSG_TYPE(nlh->nlmsg_type),
15939 ++ NFNL_MSG_CTHELPER_NEW, cur);
15940 ++ if (ret <= 0) {
15941 ++ kfree_skb(skb2);
15942 ++ break;
15943 ++ }
15944 +
15945 +- ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
15946 +- MSG_DONTWAIT);
15947 +- if (ret > 0)
15948 +- ret = 0;
15949 ++ ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
15950 ++ MSG_DONTWAIT);
15951 ++ if (ret > 0)
15952 ++ ret = 0;
15953 +
15954 +- /* this avoids a loop in nfnetlink. */
15955 +- return ret == -EAGAIN ? -ENOBUFS : ret;
15956 +- }
15957 ++ /* this avoids a loop in nfnetlink. */
15958 ++ return ret == -EAGAIN ? -ENOBUFS : ret;
15959 + }
15960 + return ret;
15961 + }
15962 +@@ -578,10 +663,13 @@ nfnl_cthelper_del(struct sock *nfnl, struct sk_buff *skb,
15963 + {
15964 + char *helper_name = NULL;
15965 + struct nf_conntrack_helper *cur;
15966 +- struct hlist_node *tmp;
15967 + struct nf_conntrack_tuple tuple;
15968 + bool tuple_set = false, found = false;
15969 +- int i, j = 0, ret;
15970 ++ struct nfnl_cthelper *nlcth, *n;
15971 ++ int j = 0, ret;
15972 ++
15973 ++ if (!capable(CAP_NET_ADMIN))
15974 ++ return -EPERM;
15975 +
15976 + if (tb[NFCTH_NAME])
15977 + helper_name = nla_data(tb[NFCTH_NAME]);
15978 +@@ -594,28 +682,27 @@ nfnl_cthelper_del(struct sock *nfnl, struct sk_buff *skb,
15979 + tuple_set = true;
15980 + }
15981 +
15982 +- for (i = 0; i < nf_ct_helper_hsize; i++) {
15983 +- hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
15984 +- hnode) {
15985 +- /* skip non-userspace conntrack helpers. */
15986 +- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
15987 +- continue;
15988 ++ list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) {
15989 ++ cur = &nlcth->helper;
15990 ++ j++;
15991 +
15992 +- j++;
15993 ++ if (helper_name &&
15994 ++ strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
15995 ++ continue;
15996 +
15997 +- if (helper_name && strncmp(cur->name, helper_name,
15998 +- NF_CT_HELPER_NAME_LEN) != 0) {
15999 +- continue;
16000 +- }
16001 +- if (tuple_set &&
16002 +- (tuple.src.l3num != cur->tuple.src.l3num ||
16003 +- tuple.dst.protonum != cur->tuple.dst.protonum))
16004 +- continue;
16005 ++ if (tuple_set &&
16006 ++ (tuple.src.l3num != cur->tuple.src.l3num ||
16007 ++ tuple.dst.protonum != cur->tuple.dst.protonum))
16008 ++ continue;
16009 +
16010 +- found = true;
16011 +- nf_conntrack_helper_unregister(cur);
16012 +- }
16013 ++ found = true;
16014 ++ nf_conntrack_helper_unregister(cur);
16015 ++ kfree(cur->expect_policy);
16016 ++
16017 ++ list_del(&nlcth->list);
16018 ++ kfree(nlcth);
16019 + }
16020 ++
16021 + /* Make sure we return success if we flush and there is no helpers */
16022 + return (found || j == 0) ? 0 : -ENOENT;
16023 + }
16024 +@@ -664,20 +751,16 @@ err_out:
16025 + static void __exit nfnl_cthelper_exit(void)
16026 + {
16027 + struct nf_conntrack_helper *cur;
16028 +- struct hlist_node *tmp;
16029 +- int i;
16030 ++ struct nfnl_cthelper *nlcth, *n;
16031 +
16032 + nfnetlink_subsys_unregister(&nfnl_cthelper_subsys);
16033 +
16034 +- for (i=0; i<nf_ct_helper_hsize; i++) {
16035 +- hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
16036 +- hnode) {
16037 +- /* skip non-userspace conntrack helpers. */
16038 +- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
16039 +- continue;
16040 ++ list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) {
16041 ++ cur = &nlcth->helper;
16042 +
16043 +- nf_conntrack_helper_unregister(cur);
16044 +- }
16045 ++ nf_conntrack_helper_unregister(cur);
16046 ++ kfree(cur->expect_policy);
16047 ++ kfree(nlcth);
16048 + }
16049 + }
16050 +
16051 +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
16052 +index 703fc9ba6f20..f4fcd9441561 100644
16053 +--- a/net/netfilter/x_tables.c
16054 ++++ b/net/netfilter/x_tables.c
16055 +@@ -38,8 +38,6 @@ MODULE_LICENSE("GPL");
16056 + MODULE_AUTHOR("Harald Welte <laforge@×××××××××.org>");
16057 + MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
16058 +
16059 +-#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
16060 +-
16061 + struct compat_delta {
16062 + unsigned int offset; /* offset in kernel */
16063 + int delta; /* delta in 32bit user land */
16064 +@@ -211,6 +209,9 @@ xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
16065 + {
16066 + struct xt_match *match;
16067 +
16068 ++ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
16069 ++ return ERR_PTR(-EINVAL);
16070 ++
16071 + match = xt_find_match(nfproto, name, revision);
16072 + if (IS_ERR(match)) {
16073 + request_module("%st_%s", xt_prefix[nfproto], name);
16074 +@@ -253,6 +254,9 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
16075 + {
16076 + struct xt_target *target;
16077 +
16078 ++ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
16079 ++ return ERR_PTR(-EINVAL);
16080 ++
16081 + target = xt_find_target(af, name, revision);
16082 + if (IS_ERR(target)) {
16083 + request_module("%st_%s", xt_prefix[af], name);
16084 +@@ -951,7 +955,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
16085 + int cpu;
16086 +
16087 + /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
16088 +- if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
16089 ++ if ((size >> PAGE_SHIFT) + 2 > totalram_pages)
16090 + return NULL;
16091 +
16092 + newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL);
16093 +diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
16094 +index 604df6fae6fc..0be96f8475f7 100644
16095 +--- a/net/netfilter/xt_RATEEST.c
16096 ++++ b/net/netfilter/xt_RATEEST.c
16097 +@@ -40,23 +40,31 @@ static void xt_rateest_hash_insert(struct xt_rateest *est)
16098 + hlist_add_head(&est->list, &rateest_hash[h]);
16099 + }
16100 +
16101 +-struct xt_rateest *xt_rateest_lookup(const char *name)
16102 ++static struct xt_rateest *__xt_rateest_lookup(const char *name)
16103 + {
16104 + struct xt_rateest *est;
16105 + unsigned int h;
16106 +
16107 + h = xt_rateest_hash(name);
16108 +- mutex_lock(&xt_rateest_mutex);
16109 + hlist_for_each_entry(est, &rateest_hash[h], list) {
16110 + if (strcmp(est->name, name) == 0) {
16111 + est->refcnt++;
16112 +- mutex_unlock(&xt_rateest_mutex);
16113 + return est;
16114 + }
16115 + }
16116 +- mutex_unlock(&xt_rateest_mutex);
16117 ++
16118 + return NULL;
16119 + }
16120 ++
16121 ++struct xt_rateest *xt_rateest_lookup(const char *name)
16122 ++{
16123 ++ struct xt_rateest *est;
16124 ++
16125 ++ mutex_lock(&xt_rateest_mutex);
16126 ++ est = __xt_rateest_lookup(name);
16127 ++ mutex_unlock(&xt_rateest_mutex);
16128 ++ return est;
16129 ++}
16130 + EXPORT_SYMBOL_GPL(xt_rateest_lookup);
16131 +
16132 + void xt_rateest_put(struct xt_rateest *est)
16133 +@@ -104,8 +112,10 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
16134 + rnd_inited = true;
16135 + }
16136 +
16137 +- est = xt_rateest_lookup(info->name);
16138 ++ mutex_lock(&xt_rateest_mutex);
16139 ++ est = __xt_rateest_lookup(info->name);
16140 + if (est) {
16141 ++ mutex_unlock(&xt_rateest_mutex);
16142 + /*
16143 + * If estimator parameters are specified, they must match the
16144 + * existing estimator.
16145 +@@ -143,11 +153,13 @@ static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
16146 +
16147 + info->est = est;
16148 + xt_rateest_hash_insert(est);
16149 ++ mutex_unlock(&xt_rateest_mutex);
16150 + return 0;
16151 +
16152 + err2:
16153 + kfree(est);
16154 + err1:
16155 ++ mutex_unlock(&xt_rateest_mutex);
16156 + return ret;
16157 + }
16158 +
16159 +diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
16160 +index 0778855ea5e7..20f7bd64ad40 100644
16161 +--- a/net/netfilter/xt_osf.c
16162 ++++ b/net/netfilter/xt_osf.c
16163 +@@ -19,6 +19,7 @@
16164 + #include <linux/module.h>
16165 + #include <linux/kernel.h>
16166 +
16167 ++#include <linux/capability.h>
16168 + #include <linux/if.h>
16169 + #include <linux/inetdevice.h>
16170 + #include <linux/ip.h>
16171 +@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
16172 + struct xt_osf_finger *kf = NULL, *sf;
16173 + int err = 0;
16174 +
16175 ++ if (!capable(CAP_NET_ADMIN))
16176 ++ return -EPERM;
16177 ++
16178 + if (!osf_attrs[OSF_ATTR_FINGER])
16179 + return -EINVAL;
16180 +
16181 +@@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb,
16182 + struct xt_osf_finger *sf;
16183 + int err = -ENOENT;
16184 +
16185 ++ if (!capable(CAP_NET_ADMIN))
16186 ++ return -EPERM;
16187 ++
16188 + if (!osf_attrs[OSF_ATTR_FINGER])
16189 + return -EINVAL;
16190 +
16191 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
16192 +index a5815be7c81c..66c340bc0553 100644
16193 +--- a/net/netlink/af_netlink.c
16194 ++++ b/net/netlink/af_netlink.c
16195 +@@ -94,6 +94,44 @@ EXPORT_SYMBOL_GPL(nl_table);
16196 +
16197 + static DECLARE_WAIT_QUEUE_HEAD(nl_table_wait);
16198 +
16199 ++static struct lock_class_key nlk_cb_mutex_keys[MAX_LINKS];
16200 ++
16201 ++static const char *const nlk_cb_mutex_key_strings[MAX_LINKS + 1] = {
16202 ++ "nlk_cb_mutex-ROUTE",
16203 ++ "nlk_cb_mutex-1",
16204 ++ "nlk_cb_mutex-USERSOCK",
16205 ++ "nlk_cb_mutex-FIREWALL",
16206 ++ "nlk_cb_mutex-SOCK_DIAG",
16207 ++ "nlk_cb_mutex-NFLOG",
16208 ++ "nlk_cb_mutex-XFRM",
16209 ++ "nlk_cb_mutex-SELINUX",
16210 ++ "nlk_cb_mutex-ISCSI",
16211 ++ "nlk_cb_mutex-AUDIT",
16212 ++ "nlk_cb_mutex-FIB_LOOKUP",
16213 ++ "nlk_cb_mutex-CONNECTOR",
16214 ++ "nlk_cb_mutex-NETFILTER",
16215 ++ "nlk_cb_mutex-IP6_FW",
16216 ++ "nlk_cb_mutex-DNRTMSG",
16217 ++ "nlk_cb_mutex-KOBJECT_UEVENT",
16218 ++ "nlk_cb_mutex-GENERIC",
16219 ++ "nlk_cb_mutex-17",
16220 ++ "nlk_cb_mutex-SCSITRANSPORT",
16221 ++ "nlk_cb_mutex-ECRYPTFS",
16222 ++ "nlk_cb_mutex-RDMA",
16223 ++ "nlk_cb_mutex-CRYPTO",
16224 ++ "nlk_cb_mutex-SMC",
16225 ++ "nlk_cb_mutex-23",
16226 ++ "nlk_cb_mutex-24",
16227 ++ "nlk_cb_mutex-25",
16228 ++ "nlk_cb_mutex-26",
16229 ++ "nlk_cb_mutex-27",
16230 ++ "nlk_cb_mutex-28",
16231 ++ "nlk_cb_mutex-29",
16232 ++ "nlk_cb_mutex-30",
16233 ++ "nlk_cb_mutex-31",
16234 ++ "nlk_cb_mutex-MAX_LINKS"
16235 ++};
16236 ++
16237 + static int netlink_dump(struct sock *sk);
16238 + static void netlink_skb_destructor(struct sk_buff *skb);
16239 +
16240 +@@ -221,6 +259,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
16241 + struct sock *sk = skb->sk;
16242 + int ret = -ENOMEM;
16243 +
16244 ++ if (!net_eq(dev_net(dev), sock_net(sk)))
16245 ++ return 0;
16246 ++
16247 + dev_hold(dev);
16248 +
16249 + if (netlink_skb_is_mmaped(skb) || is_vmalloc_addr(skb->head))
16250 +@@ -1177,6 +1218,9 @@ static int __netlink_create(struct net *net, struct socket *sock,
16251 + } else {
16252 + nlk->cb_mutex = &nlk->cb_def_mutex;
16253 + mutex_init(nlk->cb_mutex);
16254 ++ lockdep_set_class_and_name(nlk->cb_mutex,
16255 ++ nlk_cb_mutex_keys + protocol,
16256 ++ nlk_cb_mutex_key_strings[protocol]);
16257 + }
16258 + init_waitqueue_head(&nlk->wait);
16259 + #ifdef CONFIG_NETLINK_MMAP
16260 +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
16261 +index c691b1a1eee0..a2601b0c4b0f 100644
16262 +--- a/net/openvswitch/flow_netlink.c
16263 ++++ b/net/openvswitch/flow_netlink.c
16264 +@@ -1531,14 +1531,11 @@ int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb)
16265 +
16266 + #define MAX_ACTIONS_BUFSIZE (32 * 1024)
16267 +
16268 +-static struct sw_flow_actions *nla_alloc_flow_actions(int size, bool log)
16269 ++static struct sw_flow_actions *nla_alloc_flow_actions(int size)
16270 + {
16271 + struct sw_flow_actions *sfa;
16272 +
16273 +- if (size > MAX_ACTIONS_BUFSIZE) {
16274 +- OVS_NLERR(log, "Flow action size %u bytes exceeds max", size);
16275 +- return ERR_PTR(-EINVAL);
16276 +- }
16277 ++ WARN_ON_ONCE(size > MAX_ACTIONS_BUFSIZE);
16278 +
16279 + sfa = kmalloc(sizeof(*sfa) + size, GFP_KERNEL);
16280 + if (!sfa)
16281 +@@ -1571,12 +1568,15 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
16282 + new_acts_size = ksize(*sfa) * 2;
16283 +
16284 + if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
16285 +- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size)
16286 ++ if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
16287 ++ OVS_NLERR(log, "Flow action size exceeds max %u",
16288 ++ MAX_ACTIONS_BUFSIZE);
16289 + return ERR_PTR(-EMSGSIZE);
16290 ++ }
16291 + new_acts_size = MAX_ACTIONS_BUFSIZE;
16292 + }
16293 +
16294 +- acts = nla_alloc_flow_actions(new_acts_size, log);
16295 ++ acts = nla_alloc_flow_actions(new_acts_size);
16296 + if (IS_ERR(acts))
16297 + return (void *)acts;
16298 +
16299 +@@ -2170,7 +2170,7 @@ int ovs_nla_copy_actions(const struct nlattr *attr,
16300 + {
16301 + int err;
16302 +
16303 +- *sfa = nla_alloc_flow_actions(nla_len(attr), log);
16304 ++ *sfa = nla_alloc_flow_actions(min(nla_len(attr), MAX_ACTIONS_BUFSIZE));
16305 + if (IS_ERR(*sfa))
16306 + return PTR_ERR(*sfa);
16307 +
16308 +diff --git a/net/rds/rdma.c b/net/rds/rdma.c
16309 +index 612c3050d514..b1ec96bca937 100644
16310 +--- a/net/rds/rdma.c
16311 ++++ b/net/rds/rdma.c
16312 +@@ -516,6 +516,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
16313 +
16314 + local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
16315 +
16316 ++ if (args->nr_local == 0)
16317 ++ return -EINVAL;
16318 ++
16319 + /* figure out the number of pages in the vector */
16320 + for (i = 0; i < args->nr_local; i++) {
16321 + if (copy_from_user(&vec, &local_vec[i],
16322 +@@ -863,6 +866,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
16323 + err:
16324 + if (page)
16325 + put_page(page);
16326 ++ rm->atomic.op_active = 0;
16327 + kfree(rm->atomic.op_notifier);
16328 +
16329 + return ret;
16330 +diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
16331 +index 3f6437db9b0f..ec11aced121d 100644
16332 +--- a/net/sched/sch_choke.c
16333 ++++ b/net/sched/sch_choke.c
16334 +@@ -431,6 +431,9 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt)
16335 +
16336 + ctl = nla_data(tb[TCA_CHOKE_PARMS]);
16337 +
16338 ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
16339 ++ return -EINVAL;
16340 ++
16341 + if (ctl->limit > CHOKE_MAX_QUEUE)
16342 + return -EINVAL;
16343 +
16344 +diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
16345 +index 634529e0ce6b..5a476126a8fb 100644
16346 +--- a/net/sched/sch_gred.c
16347 ++++ b/net/sched/sch_gred.c
16348 +@@ -388,6 +388,9 @@ static inline int gred_change_vq(struct Qdisc *sch, int dp,
16349 + struct gred_sched *table = qdisc_priv(sch);
16350 + struct gred_sched_data *q = table->tab[dp];
16351 +
16352 ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
16353 ++ return -EINVAL;
16354 ++
16355 + if (!q) {
16356 + table->tab[dp] = q = *prealloc;
16357 + *prealloc = NULL;
16358 +diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
16359 +index 8c0508c0e287..0505b8408c8b 100644
16360 +--- a/net/sched/sch_red.c
16361 ++++ b/net/sched/sch_red.c
16362 +@@ -199,6 +199,8 @@ static int red_change(struct Qdisc *sch, struct nlattr *opt)
16363 + max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0;
16364 +
16365 + ctl = nla_data(tb[TCA_RED_PARMS]);
16366 ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
16367 ++ return -EINVAL;
16368 +
16369 + if (ctl->limit > 0) {
16370 + child = fifo_create_dflt(sch, &bfifo_qdisc_ops, ctl->limit);
16371 +diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
16372 +index 78d0eaf5de61..0dd1f2b2eb10 100644
16373 +--- a/net/sched/sch_sfq.c
16374 ++++ b/net/sched/sch_sfq.c
16375 +@@ -656,6 +656,9 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
16376 + if (ctl->divisor &&
16377 + (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
16378 + return -EINVAL;
16379 ++ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
16380 ++ ctl_v1->Wlog))
16381 ++ return -EINVAL;
16382 + if (ctl_v1 && ctl_v1->qth_min) {
16383 + p = kmalloc(sizeof(*p), GFP_KERNEL);
16384 + if (!p)
16385 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
16386 +index 946d1c28f93f..c44e3d208804 100644
16387 +--- a/net/sctp/socket.c
16388 ++++ b/net/sctp/socket.c
16389 +@@ -83,7 +83,7 @@
16390 + static int sctp_writeable(struct sock *sk);
16391 + static void sctp_wfree(struct sk_buff *skb);
16392 + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
16393 +- size_t msg_len, struct sock **orig_sk);
16394 ++ size_t msg_len);
16395 + static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
16396 + static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
16397 + static int sctp_wait_for_accept(struct sock *sk, long timeo);
16398 +@@ -332,16 +332,14 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt,
16399 + if (len < sizeof (struct sockaddr))
16400 + return NULL;
16401 +
16402 ++ if (!opt->pf->af_supported(addr->sa.sa_family, opt))
16403 ++ return NULL;
16404 ++
16405 + /* V4 mapped address are really of AF_INET family */
16406 + if (addr->sa.sa_family == AF_INET6 &&
16407 +- ipv6_addr_v4mapped(&addr->v6.sin6_addr)) {
16408 +- if (!opt->pf->af_supported(AF_INET, opt))
16409 +- return NULL;
16410 +- } else {
16411 +- /* Does this PF support this AF? */
16412 +- if (!opt->pf->af_supported(addr->sa.sa_family, opt))
16413 +- return NULL;
16414 +- }
16415 ++ ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
16416 ++ !opt->pf->af_supported(AF_INET, opt))
16417 ++ return NULL;
16418 +
16419 + /* If we get this far, af is valid. */
16420 + af = sctp_get_af_specific(addr->sa.sa_family);
16421 +@@ -1948,7 +1946,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
16422 + timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
16423 + if (!sctp_wspace(asoc)) {
16424 + /* sk can be changed by peel off when waiting for buf. */
16425 +- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
16426 ++ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
16427 + if (err) {
16428 + if (err == -ESRCH) {
16429 + /* asoc is already dead. */
16430 +@@ -4163,7 +4161,7 @@ static int sctp_init_sock(struct sock *sk)
16431 + SCTP_DBG_OBJCNT_INC(sock);
16432 +
16433 + local_bh_disable();
16434 +- percpu_counter_inc(&sctp_sockets_allocated);
16435 ++ sk_sockets_allocated_inc(sk);
16436 + sock_prot_inuse_add(net, sk->sk_prot, 1);
16437 +
16438 + /* Nothing can fail after this block, otherwise
16439 +@@ -4207,7 +4205,7 @@ static void sctp_destroy_sock(struct sock *sk)
16440 + }
16441 + sctp_endpoint_free(sp->ep);
16442 + local_bh_disable();
16443 +- percpu_counter_dec(&sctp_sockets_allocated);
16444 ++ sk_sockets_allocated_dec(sk);
16445 + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
16446 + local_bh_enable();
16447 + }
16448 +@@ -6979,12 +6977,12 @@ void sctp_sock_rfree(struct sk_buff *skb)
16449 +
16450 + /* Helper function to wait for space in the sndbuf. */
16451 + static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
16452 +- size_t msg_len, struct sock **orig_sk)
16453 ++ size_t msg_len)
16454 + {
16455 + struct sock *sk = asoc->base.sk;
16456 +- int err = 0;
16457 + long current_timeo = *timeo_p;
16458 + DEFINE_WAIT(wait);
16459 ++ int err = 0;
16460 +
16461 + pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc,
16462 + *timeo_p, msg_len);
16463 +@@ -7014,17 +7012,13 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
16464 + current_timeo = schedule_timeout(current_timeo);
16465 + BUG_ON(sk != asoc->base.sk);
16466 + lock_sock(sk);
16467 +- if (sk != asoc->base.sk) {
16468 +- release_sock(sk);
16469 +- sk = asoc->base.sk;
16470 +- lock_sock(sk);
16471 +- }
16472 ++ if (sk != asoc->base.sk)
16473 ++ goto do_error;
16474 +
16475 + *timeo_p = current_timeo;
16476 + }
16477 +
16478 + out:
16479 +- *orig_sk = sk;
16480 + finish_wait(&asoc->wait, &wait);
16481 +
16482 + /* Release the association's refcnt. */
16483 +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c
16484 +index 2410d557ae39..89731c9023f0 100644
16485 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
16486 ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
16487 +@@ -231,6 +231,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr,
16488 + goto out_free_groups;
16489 + GROUP_AT(creds->cr_group_info, i) = kgid;
16490 + }
16491 ++ groups_sort(creds->cr_group_info);
16492 +
16493 + return 0;
16494 + out_free_groups:
16495 +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
16496 +index 033fec307528..036bbf2b44c1 100644
16497 +--- a/net/sunrpc/auth_gss/svcauth_gss.c
16498 ++++ b/net/sunrpc/auth_gss/svcauth_gss.c
16499 +@@ -481,6 +481,7 @@ static int rsc_parse(struct cache_detail *cd,
16500 + goto out;
16501 + GROUP_AT(rsci.cred.cr_group_info, i) = kgid;
16502 + }
16503 ++ groups_sort(rsci.cred.cr_group_info);
16504 +
16505 + /* mech name */
16506 + len = qword_get(&mesg, buf, mlen);
16507 +diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c
16508 +index 621ca7b4a155..98db1715cb17 100644
16509 +--- a/net/sunrpc/svcauth_unix.c
16510 ++++ b/net/sunrpc/svcauth_unix.c
16511 +@@ -520,6 +520,7 @@ static int unix_gid_parse(struct cache_detail *cd,
16512 + GROUP_AT(ug.gi, i) = kgid;
16513 + }
16514 +
16515 ++ groups_sort(ug.gi);
16516 + ugp = unix_gid_lookup(cd, uid);
16517 + if (ugp) {
16518 + struct cache_head *ch;
16519 +@@ -827,6 +828,7 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
16520 + kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv));
16521 + GROUP_AT(cred->cr_group_info, i) = kgid;
16522 + }
16523 ++ groups_sort(cred->cr_group_info);
16524 + if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
16525 + *authp = rpc_autherr_badverf;
16526 + return SVC_DENIED;
16527 +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
16528 +index 5e3ad598d3f5..14972988d29d 100644
16529 +--- a/net/sunrpc/xprtsock.c
16530 ++++ b/net/sunrpc/xprtsock.c
16531 +@@ -2189,6 +2189,7 @@ static void xs_tcp_setup_socket(struct work_struct *work)
16532 + case -ECONNREFUSED:
16533 + case -ECONNRESET:
16534 + case -ENETUNREACH:
16535 ++ case -EHOSTUNREACH:
16536 + case -EADDRINUSE:
16537 + case -ENOBUFS:
16538 + /* retry with existing socket, after a delay */
16539 +diff --git a/net/wireless/core.c b/net/wireless/core.c
16540 +index 71e9b84847f3..a0e465845735 100644
16541 +--- a/net/wireless/core.c
16542 ++++ b/net/wireless/core.c
16543 +@@ -390,6 +390,8 @@ struct wiphy *wiphy_new_nm(const struct cfg80211_ops *ops, int sizeof_priv,
16544 + if (rv)
16545 + goto use_default_name;
16546 + } else {
16547 ++ int rv;
16548 ++
16549 + use_default_name:
16550 + /* NOTE: This is *probably* safe w/out holding rtnl because of
16551 + * the restrictions on phy names. Probably this call could
16552 +@@ -397,7 +399,11 @@ use_default_name:
16553 + * phyX. But, might should add some locking and check return
16554 + * value, and use a different name if this one exists?
16555 + */
16556 +- dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
16557 ++ rv = dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
16558 ++ if (rv < 0) {
16559 ++ kfree(rdev);
16560 ++ return NULL;
16561 ++ }
16562 + }
16563 +
16564 + INIT_LIST_HEAD(&rdev->wdev_list);
16565 +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
16566 +index acb4ccf448ba..f96aa76865de 100644
16567 +--- a/net/wireless/nl80211.c
16568 ++++ b/net/wireless/nl80211.c
16569 +@@ -15,6 +15,7 @@
16570 + #include <linux/nl80211.h>
16571 + #include <linux/rtnetlink.h>
16572 + #include <linux/netlink.h>
16573 ++#include <linux/nospec.h>
16574 + #include <linux/etherdevice.h>
16575 + #include <net/net_namespace.h>
16576 + #include <net/genetlink.h>
16577 +@@ -1874,20 +1875,22 @@ static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
16578 + static int parse_txq_params(struct nlattr *tb[],
16579 + struct ieee80211_txq_params *txq_params)
16580 + {
16581 ++ u8 ac;
16582 ++
16583 + if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
16584 + !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
16585 + !tb[NL80211_TXQ_ATTR_AIFS])
16586 + return -EINVAL;
16587 +
16588 +- txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
16589 ++ ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
16590 + txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
16591 + txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
16592 + txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
16593 + txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
16594 +
16595 +- if (txq_params->ac >= NL80211_NUM_ACS)
16596 ++ if (ac >= NL80211_NUM_ACS)
16597 + return -EINVAL;
16598 +-
16599 ++ txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
16600 + return 0;
16601 + }
16602 +
16603 +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
16604 +index 30593cadd428..84541b35629a 100644
16605 +--- a/net/xfrm/xfrm_user.c
16606 ++++ b/net/xfrm/xfrm_user.c
16607 +@@ -1353,11 +1353,14 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
16608 +
16609 + static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
16610 + {
16611 ++ u16 prev_family;
16612 + int i;
16613 +
16614 + if (nr > XFRM_MAX_DEPTH)
16615 + return -EINVAL;
16616 +
16617 ++ prev_family = family;
16618 ++
16619 + for (i = 0; i < nr; i++) {
16620 + /* We never validated the ut->family value, so many
16621 + * applications simply leave it at zero. The check was
16622 +@@ -1369,6 +1372,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
16623 + if (!ut[i].family)
16624 + ut[i].family = family;
16625 +
16626 ++ if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&
16627 ++ (ut[i].family != prev_family))
16628 ++ return -EINVAL;
16629 ++
16630 ++ prev_family = ut[i].family;
16631 ++
16632 + switch (ut[i].family) {
16633 + case AF_INET:
16634 + break;
16635 +@@ -1379,6 +1388,21 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
16636 + default:
16637 + return -EINVAL;
16638 + }
16639 ++
16640 ++ switch (ut[i].id.proto) {
16641 ++ case IPPROTO_AH:
16642 ++ case IPPROTO_ESP:
16643 ++ case IPPROTO_COMP:
16644 ++#if IS_ENABLED(CONFIG_IPV6)
16645 ++ case IPPROTO_ROUTING:
16646 ++ case IPPROTO_DSTOPTS:
16647 ++#endif
16648 ++ case IPSEC_PROTO_ANY:
16649 ++ break;
16650 ++ default:
16651 ++ return -EINVAL;
16652 ++ }
16653 ++
16654 + }
16655 +
16656 + return 0;
16657 +diff --git a/scripts/Makefile.build b/scripts/Makefile.build
16658 +index 01df30af4d4a..18209917e379 100644
16659 +--- a/scripts/Makefile.build
16660 ++++ b/scripts/Makefile.build
16661 +@@ -158,7 +158,8 @@ cmd_cc_i_c = $(CPP) $(c_flags) -o $@ $<
16662 + $(obj)/%.i: $(src)/%.c FORCE
16663 + $(call if_changed_dep,cc_i_c)
16664 +
16665 +-cmd_gensymtypes = \
16666 ++# These mirror gensymtypes_S and co below, keep them in synch.
16667 ++cmd_gensymtypes_c = \
16668 + $(CPP) -D__GENKSYMS__ $(c_flags) $< | \
16669 + $(GENKSYMS) $(if $(1), -T $(2)) \
16670 + $(patsubst y,-s _,$(CONFIG_HAVE_UNDERSCORE_SYMBOL_PREFIX)) \
16671 +@@ -168,7 +169,7 @@ cmd_gensymtypes = \
16672 + quiet_cmd_cc_symtypes_c = SYM $(quiet_modtag) $@
16673 + cmd_cc_symtypes_c = \
16674 + set -e; \
16675 +- $(call cmd_gensymtypes,true,$@) >/dev/null; \
16676 ++ $(call cmd_gensymtypes_c,true,$@) >/dev/null; \
16677 + test -s $@ || rm -f $@
16678 +
16679 + $(obj)/%.symtypes : $(src)/%.c FORCE
16680 +@@ -197,9 +198,10 @@ else
16681 + # the actual value of the checksum generated by genksyms
16682 +
16683 + cmd_cc_o_c = $(CC) $(c_flags) -c -o $(@D)/.tmp_$(@F) $<
16684 +-cmd_modversions = \
16685 ++
16686 ++cmd_modversions_c = \
16687 + if $(OBJDUMP) -h $(@D)/.tmp_$(@F) | grep -q __ksymtab; then \
16688 +- $(call cmd_gensymtypes,$(KBUILD_SYMTYPES),$(@:.o=.symtypes)) \
16689 ++ $(call cmd_gensymtypes_c,$(KBUILD_SYMTYPES),$(@:.o=.symtypes)) \
16690 + > $(@D)/.tmp_$(@F:.o=.ver); \
16691 + \
16692 + $(LD) $(LDFLAGS) -r -o $@ $(@D)/.tmp_$(@F) \
16693 +@@ -244,7 +246,7 @@ endif
16694 + define rule_cc_o_c
16695 + $(call echo-cmd,checksrc) $(cmd_checksrc) \
16696 + $(call echo-cmd,cc_o_c) $(cmd_cc_o_c); \
16697 +- $(cmd_modversions) \
16698 ++ $(cmd_modversions_c) \
16699 + $(call echo-cmd,record_mcount) \
16700 + $(cmd_record_mcount) \
16701 + scripts/basic/fixdep $(depfile) $@ '$(call make-cmd,cc_o_c)' > \
16702 +@@ -253,6 +255,15 @@ define rule_cc_o_c
16703 + mv -f $(dot-target).tmp $(dot-target).cmd
16704 + endef
16705 +
16706 ++define rule_as_o_S
16707 ++ $(call echo-cmd,as_o_S) $(cmd_as_o_S); \
16708 ++ scripts/basic/fixdep $(depfile) $@ '$(call make-cmd,as_o_S)' > \
16709 ++ $(dot-target).tmp; \
16710 ++ $(cmd_modversions_S) \
16711 ++ rm -f $(depfile); \
16712 ++ mv -f $(dot-target).tmp $(dot-target).cmd
16713 ++endef
16714 ++
16715 + # Built-in and composite module parts
16716 + $(obj)/%.o: $(src)/%.c $(recordmcount_source) FORCE
16717 + $(call cmd,force_checksrc)
16718 +@@ -281,6 +292,38 @@ modkern_aflags := $(KBUILD_AFLAGS_KERNEL) $(AFLAGS_KERNEL)
16719 + $(real-objs-m) : modkern_aflags := $(KBUILD_AFLAGS_MODULE) $(AFLAGS_MODULE)
16720 + $(real-objs-m:.o=.s): modkern_aflags := $(KBUILD_AFLAGS_MODULE) $(AFLAGS_MODULE)
16721 +
16722 ++# .S file exports must have their C prototypes defined in asm/asm-prototypes.h
16723 ++# or a file that it includes, in order to get versioned symbols. We build a
16724 ++# dummy C file that includes asm-prototypes and the EXPORT_SYMBOL lines from
16725 ++# the .S file (with trailing ';'), and run genksyms on that, to extract vers.
16726 ++#
16727 ++# This is convoluted. The .S file must first be preprocessed to run guards and
16728 ++# expand names, then the resulting exports must be constructed into plain
16729 ++# EXPORT_SYMBOL(symbol); to build our dummy C file, and that gets preprocessed
16730 ++# to make the genksyms input.
16731 ++#
16732 ++# These mirror gensymtypes_c and co above, keep them in synch.
16733 ++cmd_gensymtypes_S = \
16734 ++ (echo "\#include <linux/kernel.h>" ; \
16735 ++ echo "\#include <asm/asm-prototypes.h>" ; \
16736 ++ $(CPP) $(a_flags) $< | \
16737 ++ grep "\<___EXPORT_SYMBOL\>" | \
16738 ++ sed 's/.*___EXPORT_SYMBOL[[:space:]]*\([a-zA-Z0-9_]*\)[[:space:]]*,.*/EXPORT_SYMBOL(\1);/' ) | \
16739 ++ $(CPP) -D__GENKSYMS__ $(c_flags) -xc - | \
16740 ++ $(GENKSYMS) $(if $(1), -T $(2)) \
16741 ++ $(patsubst y,-s _,$(CONFIG_HAVE_UNDERSCORE_SYMBOL_PREFIX)) \
16742 ++ $(if $(KBUILD_PRESERVE),-p) \
16743 ++ -r $(firstword $(wildcard $(2:.symtypes=.symref) /dev/null))
16744 ++
16745 ++quiet_cmd_cc_symtypes_S = SYM $(quiet_modtag) $@
16746 ++cmd_cc_symtypes_S = \
16747 ++ set -e; \
16748 ++ $(call cmd_gensymtypes_S,true,$@) >/dev/null; \
16749 ++ test -s $@ || rm -f $@
16750 ++
16751 ++$(obj)/%.symtypes : $(src)/%.S FORCE
16752 ++ $(call cmd,cc_symtypes_S)
16753 ++
16754 + quiet_cmd_as_s_S = CPP $(quiet_modtag) $@
16755 + cmd_as_s_S = $(CPP) $(a_flags) -o $@ $<
16756 +
16757 +@@ -288,10 +331,40 @@ $(obj)/%.s: $(src)/%.S FORCE
16758 + $(call if_changed_dep,as_s_S)
16759 +
16760 + quiet_cmd_as_o_S = AS $(quiet_modtag) $@
16761 +-cmd_as_o_S = $(CC) $(a_flags) -c -o $@ $<
16762 ++
16763 ++ifndef CONFIG_MODVERSIONS
16764 ++cmd_as_o_S = $(CC) $(a_flags) -c -o $@ $<
16765 ++
16766 ++else
16767 ++
16768 ++ASM_PROTOTYPES := $(wildcard $(srctree)/arch/$(SRCARCH)/include/asm/asm-prototypes.h)
16769 ++
16770 ++ifeq ($(ASM_PROTOTYPES),)
16771 ++cmd_as_o_S = $(CC) $(a_flags) -c -o $@ $<
16772 ++
16773 ++else
16774 ++
16775 ++# versioning matches the C process described above, with difference that
16776 ++# we parse asm-prototypes.h C header to get function definitions.
16777 ++
16778 ++cmd_as_o_S = $(CC) $(a_flags) -c -o $(@D)/.tmp_$(@F) $<
16779 ++
16780 ++cmd_modversions_S = \
16781 ++ if $(OBJDUMP) -h $(@D)/.tmp_$(@F) | grep -q __ksymtab; then \
16782 ++ $(call cmd_gensymtypes_S,$(KBUILD_SYMTYPES),$(@:.o=.symtypes)) \
16783 ++ > $(@D)/.tmp_$(@F:.o=.ver); \
16784 ++ \
16785 ++ $(LD) $(LDFLAGS) -r -o $@ $(@D)/.tmp_$(@F) \
16786 ++ -T $(@D)/.tmp_$(@F:.o=.ver); \
16787 ++ rm -f $(@D)/.tmp_$(@F) $(@D)/.tmp_$(@F:.o=.ver); \
16788 ++ else \
16789 ++ mv -f $(@D)/.tmp_$(@F) $@; \
16790 ++ fi;
16791 ++endif
16792 ++endif
16793 +
16794 + $(obj)/%.o: $(src)/%.S FORCE
16795 +- $(call if_changed_dep,as_o_S)
16796 ++ $(call if_changed_rule,as_o_S)
16797 +
16798 + targets += $(real-objs-y) $(real-objs-m) $(lib-y)
16799 + targets += $(extra-y) $(MAKECMDGOALS) $(always)
16800 +diff --git a/scripts/genksyms/genksyms.c b/scripts/genksyms/genksyms.c
16801 +index 88632df4381b..dafaf96e0a34 100644
16802 +--- a/scripts/genksyms/genksyms.c
16803 ++++ b/scripts/genksyms/genksyms.c
16804 +@@ -423,13 +423,15 @@ static struct string_list *read_node(FILE *f)
16805 + struct string_list node = {
16806 + .string = buffer,
16807 + .tag = SYM_NORMAL };
16808 +- int c;
16809 ++ int c, in_string = 0;
16810 +
16811 + while ((c = fgetc(f)) != EOF) {
16812 +- if (c == ' ') {
16813 ++ if (!in_string && c == ' ') {
16814 + if (node.string == buffer)
16815 + continue;
16816 + break;
16817 ++ } else if (c == '"') {
16818 ++ in_string = !in_string;
16819 + } else if (c == '\n') {
16820 + if (node.string == buffer)
16821 + return NULL;
16822 +diff --git a/scripts/kernel-doc b/scripts/kernel-doc
16823 +index 9922e66883a5..f936d9e5db91 100755
16824 +--- a/scripts/kernel-doc
16825 ++++ b/scripts/kernel-doc
16826 +@@ -2616,4 +2616,4 @@ if ($verbose && $warnings) {
16827 + print STDERR "$warnings warnings\n";
16828 + }
16829 +
16830 +-exit($errors);
16831 ++exit($output_mode eq "none" ? 0 : $errors);
16832 +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
16833 +index 91ee1b2e0f9a..a9f02fe15ce3 100644
16834 +--- a/scripts/mod/modpost.c
16835 ++++ b/scripts/mod/modpost.c
16836 +@@ -593,7 +593,8 @@ static int ignore_undef_symbol(struct elf_info *info, const char *symname)
16837 + if (strncmp(symname, "_restgpr0_", sizeof("_restgpr0_") - 1) == 0 ||
16838 + strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0 ||
16839 + strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 ||
16840 +- strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0)
16841 ++ strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0 ||
16842 ++ strcmp(symname, ".TOC.") == 0)
16843 + return 1;
16844 + /* Do not ignore this symbol */
16845 + return 0;
16846 +diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
16847 +index 89d5695c51cd..20251ee5c491 100644
16848 +--- a/security/keys/encrypted-keys/encrypted.c
16849 ++++ b/security/keys/encrypted-keys/encrypted.c
16850 +@@ -141,23 +141,22 @@ static int valid_ecryptfs_desc(const char *ecryptfs_desc)
16851 + */
16852 + static int valid_master_desc(const char *new_desc, const char *orig_desc)
16853 + {
16854 +- if (!memcmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN)) {
16855 +- if (strlen(new_desc) == KEY_TRUSTED_PREFIX_LEN)
16856 +- goto out;
16857 +- if (orig_desc)
16858 +- if (memcmp(new_desc, orig_desc, KEY_TRUSTED_PREFIX_LEN))
16859 +- goto out;
16860 +- } else if (!memcmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN)) {
16861 +- if (strlen(new_desc) == KEY_USER_PREFIX_LEN)
16862 +- goto out;
16863 +- if (orig_desc)
16864 +- if (memcmp(new_desc, orig_desc, KEY_USER_PREFIX_LEN))
16865 +- goto out;
16866 +- } else
16867 +- goto out;
16868 ++ int prefix_len;
16869 ++
16870 ++ if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
16871 ++ prefix_len = KEY_TRUSTED_PREFIX_LEN;
16872 ++ else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
16873 ++ prefix_len = KEY_USER_PREFIX_LEN;
16874 ++ else
16875 ++ return -EINVAL;
16876 ++
16877 ++ if (!new_desc[prefix_len])
16878 ++ return -EINVAL;
16879 ++
16880 ++ if (orig_desc && strncmp(new_desc, orig_desc, prefix_len))
16881 ++ return -EINVAL;
16882 ++
16883 + return 0;
16884 +-out:
16885 +- return -EINVAL;
16886 + }
16887 +
16888 + /*
16889 +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
16890 +index 9e2d82070915..31d1d2ebd6f2 100644
16891 +--- a/security/selinux/ss/services.c
16892 ++++ b/security/selinux/ss/services.c
16893 +@@ -823,6 +823,9 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
16894 + int index;
16895 + int rc;
16896 +
16897 ++ if (!ss_initialized)
16898 ++ return 0;
16899 ++
16900 + read_lock(&policy_rwlock);
16901 +
16902 + rc = -EINVAL;
16903 +@@ -1236,27 +1239,25 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
16904 + if (!scontext_len)
16905 + return -EINVAL;
16906 +
16907 ++ /* Copy the string to allow changes and ensure a NUL terminator */
16908 ++ scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
16909 ++ if (!scontext2)
16910 ++ return -ENOMEM;
16911 ++
16912 + if (!ss_initialized) {
16913 + int i;
16914 +
16915 + for (i = 1; i < SECINITSID_NUM; i++) {
16916 +- if (!strcmp(initial_sid_to_string[i], scontext)) {
16917 ++ if (!strcmp(initial_sid_to_string[i], scontext2)) {
16918 + *sid = i;
16919 +- return 0;
16920 ++ goto out;
16921 + }
16922 + }
16923 + *sid = SECINITSID_KERNEL;
16924 +- return 0;
16925 ++ goto out;
16926 + }
16927 + *sid = SECSID_NULL;
16928 +
16929 +- /* Copy the string so that we can modify the copy as we parse it. */
16930 +- scontext2 = kmalloc(scontext_len + 1, gfp_flags);
16931 +- if (!scontext2)
16932 +- return -ENOMEM;
16933 +- memcpy(scontext2, scontext, scontext_len);
16934 +- scontext2[scontext_len] = 0;
16935 +-
16936 + if (force) {
16937 + /* Save another copy for storing in uninterpreted form */
16938 + rc = -ENOMEM;
16939 +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
16940 +index 33e72c809e50..494b7b533366 100644
16941 +--- a/sound/core/oss/pcm_oss.c
16942 ++++ b/sound/core/oss/pcm_oss.c
16943 +@@ -465,7 +465,6 @@ static int snd_pcm_hw_param_near(struct snd_pcm_substream *pcm,
16944 + v = snd_pcm_hw_param_last(pcm, params, var, dir);
16945 + else
16946 + v = snd_pcm_hw_param_first(pcm, params, var, dir);
16947 +- snd_BUG_ON(v < 0);
16948 + return v;
16949 + }
16950 +
16951 +@@ -1370,8 +1369,11 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
16952 +
16953 + if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
16954 + return tmp;
16955 +- mutex_lock(&runtime->oss.params_lock);
16956 + while (bytes > 0) {
16957 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
16958 ++ tmp = -ERESTARTSYS;
16959 ++ break;
16960 ++ }
16961 + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
16962 + tmp = bytes;
16963 + if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes)
16964 +@@ -1415,14 +1417,18 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
16965 + xfer += tmp;
16966 + if ((substream->f_flags & O_NONBLOCK) != 0 &&
16967 + tmp != runtime->oss.period_bytes)
16968 +- break;
16969 ++ tmp = -EAGAIN;
16970 + }
16971 +- }
16972 +- mutex_unlock(&runtime->oss.params_lock);
16973 +- return xfer;
16974 +-
16975 + err:
16976 +- mutex_unlock(&runtime->oss.params_lock);
16977 ++ mutex_unlock(&runtime->oss.params_lock);
16978 ++ if (tmp < 0)
16979 ++ break;
16980 ++ if (signal_pending(current)) {
16981 ++ tmp = -ERESTARTSYS;
16982 ++ break;
16983 ++ }
16984 ++ tmp = 0;
16985 ++ }
16986 + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
16987 + }
16988 +
16989 +@@ -1470,8 +1476,11 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
16990 +
16991 + if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
16992 + return tmp;
16993 +- mutex_lock(&runtime->oss.params_lock);
16994 + while (bytes > 0) {
16995 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
16996 ++ tmp = -ERESTARTSYS;
16997 ++ break;
16998 ++ }
16999 + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
17000 + if (runtime->oss.buffer_used == 0) {
17001 + tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1);
17002 +@@ -1502,12 +1511,16 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
17003 + bytes -= tmp;
17004 + xfer += tmp;
17005 + }
17006 +- }
17007 +- mutex_unlock(&runtime->oss.params_lock);
17008 +- return xfer;
17009 +-
17010 + err:
17011 +- mutex_unlock(&runtime->oss.params_lock);
17012 ++ mutex_unlock(&runtime->oss.params_lock);
17013 ++ if (tmp < 0)
17014 ++ break;
17015 ++ if (signal_pending(current)) {
17016 ++ tmp = -ERESTARTSYS;
17017 ++ break;
17018 ++ }
17019 ++ tmp = 0;
17020 ++ }
17021 + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
17022 + }
17023 +
17024 +diff --git a/sound/core/oss/pcm_plugin.c b/sound/core/oss/pcm_plugin.c
17025 +index 727ac44d39f4..a84a1d3d23e5 100644
17026 +--- a/sound/core/oss/pcm_plugin.c
17027 ++++ b/sound/core/oss/pcm_plugin.c
17028 +@@ -591,18 +591,26 @@ snd_pcm_sframes_t snd_pcm_plug_write_transfer(struct snd_pcm_substream *plug, st
17029 + snd_pcm_sframes_t frames = size;
17030 +
17031 + plugin = snd_pcm_plug_first(plug);
17032 +- while (plugin && frames > 0) {
17033 ++ while (plugin) {
17034 ++ if (frames <= 0)
17035 ++ return frames;
17036 + if ((next = plugin->next) != NULL) {
17037 + snd_pcm_sframes_t frames1 = frames;
17038 +- if (plugin->dst_frames)
17039 ++ if (plugin->dst_frames) {
17040 + frames1 = plugin->dst_frames(plugin, frames);
17041 ++ if (frames1 <= 0)
17042 ++ return frames1;
17043 ++ }
17044 + if ((err = next->client_channels(next, frames1, &dst_channels)) < 0) {
17045 + return err;
17046 + }
17047 + if (err != frames1) {
17048 + frames = err;
17049 +- if (plugin->src_frames)
17050 ++ if (plugin->src_frames) {
17051 + frames = plugin->src_frames(plugin, frames1);
17052 ++ if (frames <= 0)
17053 ++ return frames;
17054 ++ }
17055 + }
17056 + } else
17057 + dst_channels = NULL;
17058 +diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
17059 +index 9a7cc9a56a21..169df070c22b 100644
17060 +--- a/sound/core/pcm_lib.c
17061 ++++ b/sound/core/pcm_lib.c
17062 +@@ -578,7 +578,6 @@ static inline unsigned int muldiv32(unsigned int a, unsigned int b,
17063 + {
17064 + u_int64_t n = (u_int64_t) a * b;
17065 + if (c == 0) {
17066 +- snd_BUG_ON(!n);
17067 + *r = 0;
17068 + return UINT_MAX;
17069 + }
17070 +@@ -1663,7 +1662,7 @@ int snd_pcm_hw_param_first(struct snd_pcm_substream *pcm,
17071 + return changed;
17072 + if (params->rmask) {
17073 + int err = snd_pcm_hw_refine(pcm, params);
17074 +- if (snd_BUG_ON(err < 0))
17075 ++ if (err < 0)
17076 + return err;
17077 + }
17078 + return snd_pcm_hw_param_value(params, var, dir);
17079 +@@ -1710,7 +1709,7 @@ int snd_pcm_hw_param_last(struct snd_pcm_substream *pcm,
17080 + return changed;
17081 + if (params->rmask) {
17082 + int err = snd_pcm_hw_refine(pcm, params);
17083 +- if (snd_BUG_ON(err < 0))
17084 ++ if (err < 0)
17085 + return err;
17086 + }
17087 + return snd_pcm_hw_param_value(params, var, dir);
17088 +diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
17089 +index b450a27588c8..16f8124b1150 100644
17090 +--- a/sound/core/rawmidi.c
17091 ++++ b/sound/core/rawmidi.c
17092 +@@ -579,15 +579,14 @@ static int snd_rawmidi_info_user(struct snd_rawmidi_substream *substream,
17093 + return 0;
17094 + }
17095 +
17096 +-int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
17097 ++static int __snd_rawmidi_info_select(struct snd_card *card,
17098 ++ struct snd_rawmidi_info *info)
17099 + {
17100 + struct snd_rawmidi *rmidi;
17101 + struct snd_rawmidi_str *pstr;
17102 + struct snd_rawmidi_substream *substream;
17103 +
17104 +- mutex_lock(&register_mutex);
17105 + rmidi = snd_rawmidi_search(card, info->device);
17106 +- mutex_unlock(&register_mutex);
17107 + if (!rmidi)
17108 + return -ENXIO;
17109 + if (info->stream < 0 || info->stream > 1)
17110 +@@ -603,6 +602,16 @@ int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info
17111 + }
17112 + return -ENXIO;
17113 + }
17114 ++
17115 ++int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
17116 ++{
17117 ++ int ret;
17118 ++
17119 ++ mutex_lock(&register_mutex);
17120 ++ ret = __snd_rawmidi_info_select(card, info);
17121 ++ mutex_unlock(&register_mutex);
17122 ++ return ret;
17123 ++}
17124 + EXPORT_SYMBOL(snd_rawmidi_info_select);
17125 +
17126 + static int snd_rawmidi_info_select_user(struct snd_card *card,
17127 +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
17128 +index e3767122dd0b..b9ce5da25938 100644
17129 +--- a/sound/core/seq/seq_clientmgr.c
17130 ++++ b/sound/core/seq/seq_clientmgr.c
17131 +@@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize)
17132 + rwlock_init(&client->ports_lock);
17133 + mutex_init(&client->ports_mutex);
17134 + INIT_LIST_HEAD(&client->ports_list_head);
17135 ++ mutex_init(&client->ioctl_mutex);
17136 +
17137 + /* find free slot in the client table */
17138 + spin_lock_irqsave(&clients_lock, flags);
17139 +@@ -1011,7 +1012,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
17140 + {
17141 + struct snd_seq_client *client = file->private_data;
17142 + int written = 0, len;
17143 +- int err = -EINVAL;
17144 ++ int err;
17145 + struct snd_seq_event event;
17146 +
17147 + if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
17148 +@@ -1026,11 +1027,15 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
17149 +
17150 + /* allocate the pool now if the pool is not allocated yet */
17151 + if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
17152 +- if (snd_seq_pool_init(client->pool) < 0)
17153 ++ mutex_lock(&client->ioctl_mutex);
17154 ++ err = snd_seq_pool_init(client->pool);
17155 ++ mutex_unlock(&client->ioctl_mutex);
17156 ++ if (err < 0)
17157 + return -ENOMEM;
17158 + }
17159 +
17160 + /* only process whole events */
17161 ++ err = -EINVAL;
17162 + while (count >= sizeof(struct snd_seq_event)) {
17163 + /* Read in the event header from the user */
17164 + len = sizeof(event);
17165 +@@ -2195,6 +2200,7 @@ static int snd_seq_do_ioctl(struct snd_seq_client *client, unsigned int cmd,
17166 + void __user *arg)
17167 + {
17168 + struct seq_ioctl_table *p;
17169 ++ int ret;
17170 +
17171 + switch (cmd) {
17172 + case SNDRV_SEQ_IOCTL_PVERSION:
17173 +@@ -2208,8 +2214,12 @@ static int snd_seq_do_ioctl(struct snd_seq_client *client, unsigned int cmd,
17174 + if (! arg)
17175 + return -EFAULT;
17176 + for (p = ioctl_tables; p->cmd; p++) {
17177 +- if (p->cmd == cmd)
17178 +- return p->func(client, arg);
17179 ++ if (p->cmd == cmd) {
17180 ++ mutex_lock(&client->ioctl_mutex);
17181 ++ ret = p->func(client, arg);
17182 ++ mutex_unlock(&client->ioctl_mutex);
17183 ++ return ret;
17184 ++ }
17185 + }
17186 + pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
17187 + cmd, _IOC_TYPE(cmd), _IOC_NR(cmd));
17188 +diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h
17189 +index 20f0a725ec7d..91f8f165bfdc 100644
17190 +--- a/sound/core/seq/seq_clientmgr.h
17191 ++++ b/sound/core/seq/seq_clientmgr.h
17192 +@@ -59,6 +59,7 @@ struct snd_seq_client {
17193 + struct list_head ports_list_head;
17194 + rwlock_t ports_lock;
17195 + struct mutex ports_mutex;
17196 ++ struct mutex ioctl_mutex;
17197 + int convert32; /* convert 32->64bit */
17198 +
17199 + /* output pool */
17200 +diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c
17201 +index 7f9126efc1e5..83ae083b192f 100644
17202 +--- a/sound/drivers/aloop.c
17203 ++++ b/sound/drivers/aloop.c
17204 +@@ -39,6 +39,7 @@
17205 + #include <sound/core.h>
17206 + #include <sound/control.h>
17207 + #include <sound/pcm.h>
17208 ++#include <sound/pcm_params.h>
17209 + #include <sound/info.h>
17210 + #include <sound/initval.h>
17211 +
17212 +@@ -305,19 +306,6 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd)
17213 + return 0;
17214 + }
17215 +
17216 +-static void params_change_substream(struct loopback_pcm *dpcm,
17217 +- struct snd_pcm_runtime *runtime)
17218 +-{
17219 +- struct snd_pcm_runtime *dst_runtime;
17220 +-
17221 +- if (dpcm == NULL || dpcm->substream == NULL)
17222 +- return;
17223 +- dst_runtime = dpcm->substream->runtime;
17224 +- if (dst_runtime == NULL)
17225 +- return;
17226 +- dst_runtime->hw = dpcm->cable->hw;
17227 +-}
17228 +-
17229 + static void params_change(struct snd_pcm_substream *substream)
17230 + {
17231 + struct snd_pcm_runtime *runtime = substream->runtime;
17232 +@@ -329,10 +317,6 @@ static void params_change(struct snd_pcm_substream *substream)
17233 + cable->hw.rate_max = runtime->rate;
17234 + cable->hw.channels_min = runtime->channels;
17235 + cable->hw.channels_max = runtime->channels;
17236 +- params_change_substream(cable->streams[SNDRV_PCM_STREAM_PLAYBACK],
17237 +- runtime);
17238 +- params_change_substream(cable->streams[SNDRV_PCM_STREAM_CAPTURE],
17239 +- runtime);
17240 + }
17241 +
17242 + static int loopback_prepare(struct snd_pcm_substream *substream)
17243 +@@ -620,26 +604,29 @@ static unsigned int get_cable_index(struct snd_pcm_substream *substream)
17244 + static int rule_format(struct snd_pcm_hw_params *params,
17245 + struct snd_pcm_hw_rule *rule)
17246 + {
17247 ++ struct loopback_pcm *dpcm = rule->private;
17248 ++ struct loopback_cable *cable = dpcm->cable;
17249 ++ struct snd_mask m;
17250 +
17251 +- struct snd_pcm_hardware *hw = rule->private;
17252 +- struct snd_mask *maskp = hw_param_mask(params, rule->var);
17253 +-
17254 +- maskp->bits[0] &= (u_int32_t)hw->formats;
17255 +- maskp->bits[1] &= (u_int32_t)(hw->formats >> 32);
17256 +- memset(maskp->bits + 2, 0, (SNDRV_MASK_MAX-64) / 8); /* clear rest */
17257 +- if (! maskp->bits[0] && ! maskp->bits[1])
17258 +- return -EINVAL;
17259 +- return 0;
17260 ++ snd_mask_none(&m);
17261 ++ mutex_lock(&dpcm->loopback->cable_lock);
17262 ++ m.bits[0] = (u_int32_t)cable->hw.formats;
17263 ++ m.bits[1] = (u_int32_t)(cable->hw.formats >> 32);
17264 ++ mutex_unlock(&dpcm->loopback->cable_lock);
17265 ++ return snd_mask_refine(hw_param_mask(params, rule->var), &m);
17266 + }
17267 +
17268 + static int rule_rate(struct snd_pcm_hw_params *params,
17269 + struct snd_pcm_hw_rule *rule)
17270 + {
17271 +- struct snd_pcm_hardware *hw = rule->private;
17272 ++ struct loopback_pcm *dpcm = rule->private;
17273 ++ struct loopback_cable *cable = dpcm->cable;
17274 + struct snd_interval t;
17275 +
17276 +- t.min = hw->rate_min;
17277 +- t.max = hw->rate_max;
17278 ++ mutex_lock(&dpcm->loopback->cable_lock);
17279 ++ t.min = cable->hw.rate_min;
17280 ++ t.max = cable->hw.rate_max;
17281 ++ mutex_unlock(&dpcm->loopback->cable_lock);
17282 + t.openmin = t.openmax = 0;
17283 + t.integer = 0;
17284 + return snd_interval_refine(hw_param_interval(params, rule->var), &t);
17285 +@@ -648,22 +635,44 @@ static int rule_rate(struct snd_pcm_hw_params *params,
17286 + static int rule_channels(struct snd_pcm_hw_params *params,
17287 + struct snd_pcm_hw_rule *rule)
17288 + {
17289 +- struct snd_pcm_hardware *hw = rule->private;
17290 ++ struct loopback_pcm *dpcm = rule->private;
17291 ++ struct loopback_cable *cable = dpcm->cable;
17292 + struct snd_interval t;
17293 +
17294 +- t.min = hw->channels_min;
17295 +- t.max = hw->channels_max;
17296 ++ mutex_lock(&dpcm->loopback->cable_lock);
17297 ++ t.min = cable->hw.channels_min;
17298 ++ t.max = cable->hw.channels_max;
17299 ++ mutex_unlock(&dpcm->loopback->cable_lock);
17300 + t.openmin = t.openmax = 0;
17301 + t.integer = 0;
17302 + return snd_interval_refine(hw_param_interval(params, rule->var), &t);
17303 + }
17304 +
17305 ++static void free_cable(struct snd_pcm_substream *substream)
17306 ++{
17307 ++ struct loopback *loopback = substream->private_data;
17308 ++ int dev = get_cable_index(substream);
17309 ++ struct loopback_cable *cable;
17310 ++
17311 ++ cable = loopback->cables[substream->number][dev];
17312 ++ if (!cable)
17313 ++ return;
17314 ++ if (cable->streams[!substream->stream]) {
17315 ++ /* other stream is still alive */
17316 ++ cable->streams[substream->stream] = NULL;
17317 ++ } else {
17318 ++ /* free the cable */
17319 ++ loopback->cables[substream->number][dev] = NULL;
17320 ++ kfree(cable);
17321 ++ }
17322 ++}
17323 ++
17324 + static int loopback_open(struct snd_pcm_substream *substream)
17325 + {
17326 + struct snd_pcm_runtime *runtime = substream->runtime;
17327 + struct loopback *loopback = substream->private_data;
17328 + struct loopback_pcm *dpcm;
17329 +- struct loopback_cable *cable;
17330 ++ struct loopback_cable *cable = NULL;
17331 + int err = 0;
17332 + int dev = get_cable_index(substream);
17333 +
17334 +@@ -682,7 +691,6 @@ static int loopback_open(struct snd_pcm_substream *substream)
17335 + if (!cable) {
17336 + cable = kzalloc(sizeof(*cable), GFP_KERNEL);
17337 + if (!cable) {
17338 +- kfree(dpcm);
17339 + err = -ENOMEM;
17340 + goto unlock;
17341 + }
17342 +@@ -700,19 +708,19 @@ static int loopback_open(struct snd_pcm_substream *substream)
17343 + /* are cached -> they do not reflect the actual state */
17344 + err = snd_pcm_hw_rule_add(runtime, 0,
17345 + SNDRV_PCM_HW_PARAM_FORMAT,
17346 +- rule_format, &runtime->hw,
17347 ++ rule_format, dpcm,
17348 + SNDRV_PCM_HW_PARAM_FORMAT, -1);
17349 + if (err < 0)
17350 + goto unlock;
17351 + err = snd_pcm_hw_rule_add(runtime, 0,
17352 + SNDRV_PCM_HW_PARAM_RATE,
17353 +- rule_rate, &runtime->hw,
17354 ++ rule_rate, dpcm,
17355 + SNDRV_PCM_HW_PARAM_RATE, -1);
17356 + if (err < 0)
17357 + goto unlock;
17358 + err = snd_pcm_hw_rule_add(runtime, 0,
17359 + SNDRV_PCM_HW_PARAM_CHANNELS,
17360 +- rule_channels, &runtime->hw,
17361 ++ rule_channels, dpcm,
17362 + SNDRV_PCM_HW_PARAM_CHANNELS, -1);
17363 + if (err < 0)
17364 + goto unlock;
17365 +@@ -724,6 +732,10 @@ static int loopback_open(struct snd_pcm_substream *substream)
17366 + else
17367 + runtime->hw = cable->hw;
17368 + unlock:
17369 ++ if (err < 0) {
17370 ++ free_cable(substream);
17371 ++ kfree(dpcm);
17372 ++ }
17373 + mutex_unlock(&loopback->cable_lock);
17374 + return err;
17375 + }
17376 +@@ -732,20 +744,10 @@ static int loopback_close(struct snd_pcm_substream *substream)
17377 + {
17378 + struct loopback *loopback = substream->private_data;
17379 + struct loopback_pcm *dpcm = substream->runtime->private_data;
17380 +- struct loopback_cable *cable;
17381 +- int dev = get_cable_index(substream);
17382 +
17383 + loopback_timer_stop(dpcm);
17384 + mutex_lock(&loopback->cable_lock);
17385 +- cable = loopback->cables[substream->number][dev];
17386 +- if (cable->streams[!substream->stream]) {
17387 +- /* other stream is still alive */
17388 +- cable->streams[substream->stream] = NULL;
17389 +- } else {
17390 +- /* free the cable */
17391 +- loopback->cables[substream->number][dev] = NULL;
17392 +- kfree(cable);
17393 +- }
17394 ++ free_cable(substream);
17395 + mutex_unlock(&loopback->cable_lock);
17396 + return 0;
17397 + }
17398 +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
17399 +index 0374bd5b61c8..1fb951225318 100644
17400 +--- a/sound/pci/hda/patch_ca0132.c
17401 ++++ b/sound/pci/hda/patch_ca0132.c
17402 +@@ -1452,6 +1452,9 @@ static int dspio_scp(struct hda_codec *codec,
17403 + } else if (ret_size != reply_data_size) {
17404 + codec_dbg(codec, "RetLen and HdrLen .NE.\n");
17405 + return -EINVAL;
17406 ++ } else if (!reply) {
17407 ++ codec_dbg(codec, "NULL reply\n");
17408 ++ return -EINVAL;
17409 + } else {
17410 + *reply_len = ret_size*sizeof(unsigned int);
17411 + memcpy(reply, scp_reply.data, *reply_len);
17412 +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c
17413 +index aeb054ca9ed9..b3d222d96a1b 100644
17414 +--- a/sound/pci/hda/patch_cirrus.c
17415 ++++ b/sound/pci/hda/patch_cirrus.c
17416 +@@ -394,6 +394,7 @@ static const struct snd_pci_quirk cs420x_fixup_tbl[] = {
17417 + /*SND_PCI_QUIRK(0x8086, 0x7270, "IMac 27 Inch", CS420X_IMAC27),*/
17418 +
17419 + /* codec SSID */
17420 ++ SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122),
17421 + SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
17422 + SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
17423 + SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),
17424 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
17425 +index 75c4e14f4156..861dc57cb082 100644
17426 +--- a/sound/pci/hda/patch_realtek.c
17427 ++++ b/sound/pci/hda/patch_realtek.c
17428 +@@ -3119,6 +3119,19 @@ static void alc269_fixup_pincfg_no_hp_to_lineout(struct hda_codec *codec,
17429 + spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
17430 + }
17431 +
17432 ++static void alc269_fixup_pincfg_U7x7_headset_mic(struct hda_codec *codec,
17433 ++ const struct hda_fixup *fix,
17434 ++ int action)
17435 ++{
17436 ++ unsigned int cfg_headphone = snd_hda_codec_get_pincfg(codec, 0x21);
17437 ++ unsigned int cfg_headset_mic = snd_hda_codec_get_pincfg(codec, 0x19);
17438 ++
17439 ++ if (cfg_headphone && cfg_headset_mic == 0x411111f0)
17440 ++ snd_hda_codec_set_pincfg(codec, 0x19,
17441 ++ (cfg_headphone & ~AC_DEFCFG_DEVICE) |
17442 ++ (AC_JACK_MIC_IN << AC_DEFCFG_DEVICE_SHIFT));
17443 ++}
17444 ++
17445 + static void alc269_fixup_hweq(struct hda_codec *codec,
17446 + const struct hda_fixup *fix, int action)
17447 + {
17448 +@@ -4675,6 +4688,7 @@ enum {
17449 + ALC269_FIXUP_LIFEBOOK_EXTMIC,
17450 + ALC269_FIXUP_LIFEBOOK_HP_PIN,
17451 + ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT,
17452 ++ ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC,
17453 + ALC269_FIXUP_AMIC,
17454 + ALC269_FIXUP_DMIC,
17455 + ALC269VB_FIXUP_AMIC,
17456 +@@ -4732,6 +4746,7 @@ enum {
17457 + ALC286_FIXUP_HP_GPIO_LED,
17458 + ALC280_FIXUP_HP_GPIO2_MIC_HOTKEY,
17459 + ALC280_FIXUP_HP_DOCK_PINS,
17460 ++ ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED,
17461 + ALC280_FIXUP_HP_9480M,
17462 + ALC288_FIXUP_DELL_HEADSET_MODE,
17463 + ALC288_FIXUP_DELL1_MIC_NO_PRESENCE,
17464 +@@ -4864,6 +4879,10 @@ static const struct hda_fixup alc269_fixups[] = {
17465 + .type = HDA_FIXUP_FUNC,
17466 + .v.func = alc269_fixup_pincfg_no_hp_to_lineout,
17467 + },
17468 ++ [ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC] = {
17469 ++ .type = HDA_FIXUP_FUNC,
17470 ++ .v.func = alc269_fixup_pincfg_U7x7_headset_mic,
17471 ++ },
17472 + [ALC269_FIXUP_AMIC] = {
17473 + .type = HDA_FIXUP_PINS,
17474 + .v.pins = (const struct hda_pintbl[]) {
17475 +@@ -5270,6 +5289,16 @@ static const struct hda_fixup alc269_fixups[] = {
17476 + .chained = true,
17477 + .chain_id = ALC280_FIXUP_HP_GPIO4
17478 + },
17479 ++ [ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED] = {
17480 ++ .type = HDA_FIXUP_PINS,
17481 ++ .v.pins = (const struct hda_pintbl[]) {
17482 ++ { 0x1b, 0x21011020 }, /* line-out */
17483 ++ { 0x18, 0x2181103f }, /* line-in */
17484 ++ { },
17485 ++ },
17486 ++ .chained = true,
17487 ++ .chain_id = ALC269_FIXUP_HP_GPIO_MIC1_LED
17488 ++ },
17489 + [ALC280_FIXUP_HP_9480M] = {
17490 + .type = HDA_FIXUP_FUNC,
17491 + .v.func = alc280_fixup_hp_9480m,
17492 +@@ -5482,6 +5511,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
17493 + SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
17494 + SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
17495 + SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
17496 ++ SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
17497 + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
17498 + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
17499 + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
17500 +@@ -5522,7 +5552,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
17501 + SND_PCI_QUIRK(0x103c, 0x2256, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
17502 + SND_PCI_QUIRK(0x103c, 0x2257, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
17503 + SND_PCI_QUIRK(0x103c, 0x2259, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
17504 +- SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
17505 ++ SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED),
17506 + SND_PCI_QUIRK(0x103c, 0x2260, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
17507 + SND_PCI_QUIRK(0x103c, 0x2263, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
17508 + SND_PCI_QUIRK(0x103c, 0x2264, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
17509 +@@ -5568,6 +5598,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
17510 + SND_PCI_QUIRK(0x10cf, 0x159f, "Lifebook E780", ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT),
17511 + SND_PCI_QUIRK(0x10cf, 0x15dc, "Lifebook T731", ALC269_FIXUP_LIFEBOOK_HP_PIN),
17512 + SND_PCI_QUIRK(0x10cf, 0x1757, "Lifebook E752", ALC269_FIXUP_LIFEBOOK_HP_PIN),
17513 ++ SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC),
17514 + SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
17515 + SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
17516 + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_BXBT2807_MIC),
17517 +@@ -5684,6 +5715,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
17518 + {.id = ALC269_FIXUP_HEADSET_MIC, .name = "headset-mic"},
17519 + {.id = ALC269_FIXUP_LENOVO_DOCK, .name = "lenovo-dock"},
17520 + {.id = ALC269_FIXUP_HP_GPIO_LED, .name = "hp-gpio-led"},
17521 ++ {.id = ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED, .name = "hp-dock-gpio-mic1-led"},
17522 + {.id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "dell-headset-multi"},
17523 + {.id = ALC269_FIXUP_DELL2_MIC_NO_PRESENCE, .name = "dell-headset-dock"},
17524 + {.id = ALC283_FIXUP_CHROME_BOOK, .name = "alc283-dac-wcaps"},
17525 +diff --git a/sound/soc/codecs/pcm512x-spi.c b/sound/soc/codecs/pcm512x-spi.c
17526 +index 7b64a9cef704..8adb0912d5f8 100644
17527 +--- a/sound/soc/codecs/pcm512x-spi.c
17528 ++++ b/sound/soc/codecs/pcm512x-spi.c
17529 +@@ -71,3 +71,7 @@ static struct spi_driver pcm512x_spi_driver = {
17530 + };
17531 +
17532 + module_spi_driver(pcm512x_spi_driver);
17533 ++
17534 ++MODULE_DESCRIPTION("ASoC PCM512x codec driver - SPI");
17535 ++MODULE_AUTHOR("Mark Brown <broonie@××××××.org>");
17536 ++MODULE_LICENSE("GPL v2");
17537 +diff --git a/sound/soc/codecs/twl4030.c b/sound/soc/codecs/twl4030.c
17538 +index d04693e9cf9f..3a98c0910560 100644
17539 +--- a/sound/soc/codecs/twl4030.c
17540 ++++ b/sound/soc/codecs/twl4030.c
17541 +@@ -232,7 +232,7 @@ static struct twl4030_codec_data *twl4030_get_pdata(struct snd_soc_codec *codec)
17542 + struct twl4030_codec_data *pdata = dev_get_platdata(codec->dev);
17543 + struct device_node *twl4030_codec_node = NULL;
17544 +
17545 +- twl4030_codec_node = of_find_node_by_name(codec->dev->parent->of_node,
17546 ++ twl4030_codec_node = of_get_child_by_name(codec->dev->parent->of_node,
17547 + "codec");
17548 +
17549 + if (!pdata && twl4030_codec_node) {
17550 +@@ -241,9 +241,11 @@ static struct twl4030_codec_data *twl4030_get_pdata(struct snd_soc_codec *codec)
17551 + GFP_KERNEL);
17552 + if (!pdata) {
17553 + dev_err(codec->dev, "Can not allocate memory\n");
17554 ++ of_node_put(twl4030_codec_node);
17555 + return NULL;
17556 + }
17557 + twl4030_setup_pdata_of(pdata, twl4030_codec_node);
17558 ++ of_node_put(twl4030_codec_node);
17559 + }
17560 +
17561 + return pdata;
17562 +diff --git a/sound/soc/ux500/mop500.c b/sound/soc/ux500/mop500.c
17563 +index 4e0c0e502ade..49a1b8050bc7 100644
17564 +--- a/sound/soc/ux500/mop500.c
17565 ++++ b/sound/soc/ux500/mop500.c
17566 +@@ -163,3 +163,7 @@ static struct platform_driver snd_soc_mop500_driver = {
17567 + };
17568 +
17569 + module_platform_driver(snd_soc_mop500_driver);
17570 ++
17571 ++MODULE_LICENSE("GPL v2");
17572 ++MODULE_DESCRIPTION("ASoC MOP500 board driver");
17573 ++MODULE_AUTHOR("Ola Lilja");
17574 +diff --git a/sound/soc/ux500/ux500_pcm.c b/sound/soc/ux500/ux500_pcm.c
17575 +index 51a66a87305a..b4ab903fca1b 100644
17576 +--- a/sound/soc/ux500/ux500_pcm.c
17577 ++++ b/sound/soc/ux500/ux500_pcm.c
17578 +@@ -166,3 +166,8 @@ int ux500_pcm_unregister_platform(struct platform_device *pdev)
17579 + return 0;
17580 + }
17581 + EXPORT_SYMBOL_GPL(ux500_pcm_unregister_platform);
17582 ++
17583 ++MODULE_AUTHOR("Ola Lilja");
17584 ++MODULE_AUTHOR("Roger Nilsson");
17585 ++MODULE_DESCRIPTION("ASoC UX500 driver");
17586 ++MODULE_LICENSE("GPL v2");
17587 +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
17588 +index 2ee449fbe55f..76f7c95b38af 100644
17589 +--- a/sound/usb/mixer.c
17590 ++++ b/sound/usb/mixer.c
17591 +@@ -343,17 +343,20 @@ static int get_ctl_value_v2(struct usb_mixer_elem_info *cval, int request,
17592 + int validx, int *value_ret)
17593 + {
17594 + struct snd_usb_audio *chip = cval->head.mixer->chip;
17595 +- unsigned char buf[4 + 3 * sizeof(__u32)]; /* enough space for one range */
17596 ++ /* enough space for one range */
17597 ++ unsigned char buf[sizeof(__u16) + 3 * sizeof(__u32)];
17598 + unsigned char *val;
17599 +- int idx = 0, ret, size;
17600 ++ int idx = 0, ret, val_size, size;
17601 + __u8 bRequest;
17602 +
17603 ++ val_size = uac2_ctl_value_size(cval->val_type);
17604 ++
17605 + if (request == UAC_GET_CUR) {
17606 + bRequest = UAC2_CS_CUR;
17607 +- size = uac2_ctl_value_size(cval->val_type);
17608 ++ size = val_size;
17609 + } else {
17610 + bRequest = UAC2_CS_RANGE;
17611 +- size = sizeof(buf);
17612 ++ size = sizeof(__u16) + 3 * val_size;
17613 + }
17614 +
17615 + memset(buf, 0, sizeof(buf));
17616 +@@ -386,16 +389,17 @@ error:
17617 + val = buf + sizeof(__u16);
17618 + break;
17619 + case UAC_GET_MAX:
17620 +- val = buf + sizeof(__u16) * 2;
17621 ++ val = buf + sizeof(__u16) + val_size;
17622 + break;
17623 + case UAC_GET_RES:
17624 +- val = buf + sizeof(__u16) * 3;
17625 ++ val = buf + sizeof(__u16) + val_size * 2;
17626 + break;
17627 + default:
17628 + return -EINVAL;
17629 + }
17630 +
17631 +- *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(val, sizeof(__u16)));
17632 ++ *value_ret = convert_signed_value(cval,
17633 ++ snd_usb_combine_bytes(val, val_size));
17634 +
17635 + return 0;
17636 + }
17637 +@@ -2095,20 +2099,25 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid,
17638 + kctl->private_value = (unsigned long)namelist;
17639 + kctl->private_free = usb_mixer_selector_elem_free;
17640 +
17641 +- nameid = uac_selector_unit_iSelector(desc);
17642 ++ /* check the static mapping table at first */
17643 + len = check_mapped_name(map, kctl->id.name, sizeof(kctl->id.name));
17644 +- if (len)
17645 +- ;
17646 +- else if (nameid)
17647 +- len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
17648 +- sizeof(kctl->id.name));
17649 +- else
17650 +- len = get_term_name(state, &state->oterm,
17651 +- kctl->id.name, sizeof(kctl->id.name), 0);
17652 +-
17653 + if (!len) {
17654 +- strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
17655 ++ /* no mapping ? */
17656 ++ /* if iSelector is given, use it */
17657 ++ nameid = uac_selector_unit_iSelector(desc);
17658 ++ if (nameid)
17659 ++ len = snd_usb_copy_string_desc(state, nameid,
17660 ++ kctl->id.name,
17661 ++ sizeof(kctl->id.name));
17662 ++ /* ... or pick up the terminal name at next */
17663 ++ if (!len)
17664 ++ len = get_term_name(state, &state->oterm,
17665 ++ kctl->id.name, sizeof(kctl->id.name), 0);
17666 ++ /* ... or use the fixed string "USB" as the last resort */
17667 ++ if (!len)
17668 ++ strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
17669 +
17670 ++ /* and add the proper suffix */
17671 + if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
17672 + append_ctl_name(kctl, " Clock Source");
17673 + else if ((state->oterm.type & 0xff00) == 0x0100)
17674 +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
17675 +index a51155197277..3351e2f9656d 100644
17676 +--- a/sound/usb/pcm.c
17677 ++++ b/sound/usb/pcm.c
17678 +@@ -343,6 +343,15 @@ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
17679 + ep = 0x81;
17680 + iface = usb_ifnum_to_if(dev, 2);
17681 +
17682 ++ if (!iface || iface->num_altsetting == 0)
17683 ++ return -EINVAL;
17684 ++
17685 ++ alts = &iface->altsetting[1];
17686 ++ goto add_sync_ep;
17687 ++ case USB_ID(0x1397, 0x0002):
17688 ++ ep = 0x81;
17689 ++ iface = usb_ifnum_to_if(dev, 1);
17690 ++
17691 + if (!iface || iface->num_altsetting == 0)
17692 + return -EINVAL;
17693 +
17694 +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
17695 +index ba5efa4710b5..d464305c7c6c 100644
17696 +--- a/tools/perf/bench/numa.c
17697 ++++ b/tools/perf/bench/numa.c
17698 +@@ -203,6 +203,47 @@ static const char * const numa_usage[] = {
17699 + NULL
17700 + };
17701 +
17702 ++/*
17703 ++ * To get number of numa nodes present.
17704 ++ */
17705 ++static int nr_numa_nodes(void)
17706 ++{
17707 ++ int i, nr_nodes = 0;
17708 ++
17709 ++ for (i = 0; i < g->p.nr_nodes; i++) {
17710 ++ if (numa_bitmask_isbitset(numa_nodes_ptr, i))
17711 ++ nr_nodes++;
17712 ++ }
17713 ++
17714 ++ return nr_nodes;
17715 ++}
17716 ++
17717 ++/*
17718 ++ * To check if given numa node is present.
17719 ++ */
17720 ++static int is_node_present(int node)
17721 ++{
17722 ++ return numa_bitmask_isbitset(numa_nodes_ptr, node);
17723 ++}
17724 ++
17725 ++/*
17726 ++ * To check given numa node has cpus.
17727 ++ */
17728 ++static bool node_has_cpus(int node)
17729 ++{
17730 ++ struct bitmask *cpu = numa_allocate_cpumask();
17731 ++ unsigned int i;
17732 ++
17733 ++ if (cpu && !numa_node_to_cpus(node, cpu)) {
17734 ++ for (i = 0; i < cpu->size; i++) {
17735 ++ if (numa_bitmask_isbitset(cpu, i))
17736 ++ return true;
17737 ++ }
17738 ++ }
17739 ++
17740 ++ return false; /* lets fall back to nocpus safely */
17741 ++}
17742 ++
17743 + static cpu_set_t bind_to_cpu(int target_cpu)
17744 + {
17745 + cpu_set_t orig_mask, mask;
17746 +@@ -231,12 +272,12 @@ static cpu_set_t bind_to_cpu(int target_cpu)
17747 +
17748 + static cpu_set_t bind_to_node(int target_node)
17749 + {
17750 +- int cpus_per_node = g->p.nr_cpus/g->p.nr_nodes;
17751 ++ int cpus_per_node = g->p.nr_cpus / nr_numa_nodes();
17752 + cpu_set_t orig_mask, mask;
17753 + int cpu;
17754 + int ret;
17755 +
17756 +- BUG_ON(cpus_per_node*g->p.nr_nodes != g->p.nr_cpus);
17757 ++ BUG_ON(cpus_per_node * nr_numa_nodes() != g->p.nr_cpus);
17758 + BUG_ON(!cpus_per_node);
17759 +
17760 + ret = sched_getaffinity(0, sizeof(orig_mask), &orig_mask);
17761 +@@ -636,7 +677,7 @@ static int parse_setup_node_list(void)
17762 + int i;
17763 +
17764 + for (i = 0; i < mul; i++) {
17765 +- if (t >= g->p.nr_tasks) {
17766 ++ if (t >= g->p.nr_tasks || !node_has_cpus(bind_node)) {
17767 + printf("\n# NOTE: ignoring bind NODEs starting at NODE#%d\n", bind_node);
17768 + goto out;
17769 + }
17770 +@@ -951,6 +992,8 @@ static void calc_convergence(double runtime_ns_max, double *convergence)
17771 + sum = 0;
17772 +
17773 + for (node = 0; node < g->p.nr_nodes; node++) {
17774 ++ if (!is_node_present(node))
17775 ++ continue;
17776 + nr = nodes[node];
17777 + nr_min = min(nr, nr_min);
17778 + nr_max = max(nr, nr_max);
17779 +@@ -971,8 +1014,11 @@ static void calc_convergence(double runtime_ns_max, double *convergence)
17780 + process_groups = 0;
17781 +
17782 + for (node = 0; node < g->p.nr_nodes; node++) {
17783 +- int processes = count_node_processes(node);
17784 ++ int processes;
17785 +
17786 ++ if (!is_node_present(node))
17787 ++ continue;
17788 ++ processes = count_node_processes(node);
17789 + nr = nodes[node];
17790 + tprintf(" %2d/%-2d", nr, processes);
17791 +
17792 +@@ -1270,7 +1316,7 @@ static void print_summary(void)
17793 +
17794 + printf("\n ###\n");
17795 + printf(" # %d %s will execute (on %d nodes, %d CPUs):\n",
17796 +- g->p.nr_tasks, g->p.nr_tasks == 1 ? "task" : "tasks", g->p.nr_nodes, g->p.nr_cpus);
17797 ++ g->p.nr_tasks, g->p.nr_tasks == 1 ? "task" : "tasks", nr_numa_nodes(), g->p.nr_cpus);
17798 + printf(" # %5dx %5ldMB global shared mem operations\n",
17799 + g->p.nr_loops, g->p.bytes_global/1024/1024);
17800 + printf(" # %5dx %5ldMB process shared mem operations\n",
17801 +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
17802 +index 65e138019b99..866b911bcda5 100644
17803 +--- a/tools/perf/builtin-top.c
17804 ++++ b/tools/perf/builtin-top.c
17805 +@@ -69,6 +69,7 @@
17806 + #include <linux/types.h>
17807 +
17808 + static volatile int done;
17809 ++static volatile int resize;
17810 +
17811 + #define HEADER_LINE_NR 5
17812 +
17813 +@@ -78,10 +79,13 @@ static void perf_top__update_print_entries(struct perf_top *top)
17814 + }
17815 +
17816 + static void perf_top__sig_winch(int sig __maybe_unused,
17817 +- siginfo_t *info __maybe_unused, void *arg)
17818 ++ siginfo_t *info __maybe_unused, void *arg __maybe_unused)
17819 + {
17820 +- struct perf_top *top = arg;
17821 ++ resize = 1;
17822 ++}
17823 +
17824 ++static void perf_top__resize(struct perf_top *top)
17825 ++{
17826 + get_term_dimensions(&top->winsize);
17827 + perf_top__update_print_entries(top);
17828 + }
17829 +@@ -460,7 +464,7 @@ static bool perf_top__handle_keypress(struct perf_top *top, int c)
17830 + .sa_sigaction = perf_top__sig_winch,
17831 + .sa_flags = SA_SIGINFO,
17832 + };
17833 +- perf_top__sig_winch(SIGWINCH, NULL, top);
17834 ++ perf_top__resize(top);
17835 + sigaction(SIGWINCH, &act, NULL);
17836 + } else {
17837 + signal(SIGWINCH, SIG_DFL);
17838 +@@ -998,6 +1002,11 @@ static int __cmd_top(struct perf_top *top)
17839 +
17840 + if (hits == top->samples)
17841 + ret = perf_evlist__poll(top->evlist, 100);
17842 ++
17843 ++ if (resize) {
17844 ++ perf_top__resize(top);
17845 ++ resize = 0;
17846 ++ }
17847 + }
17848 +
17849 + ret = 0;
17850 +diff --git a/tools/usb/usbip/libsrc/usbip_common.c b/tools/usb/usbip/libsrc/usbip_common.c
17851 +index ac73710473de..8000445ff884 100644
17852 +--- a/tools/usb/usbip/libsrc/usbip_common.c
17853 ++++ b/tools/usb/usbip/libsrc/usbip_common.c
17854 +@@ -215,9 +215,16 @@ int read_usb_interface(struct usbip_usb_device *udev, int i,
17855 + struct usbip_usb_interface *uinf)
17856 + {
17857 + char busid[SYSFS_BUS_ID_SIZE];
17858 ++ int size;
17859 + struct udev_device *sif;
17860 +
17861 +- sprintf(busid, "%s:%d.%d", udev->busid, udev->bConfigurationValue, i);
17862 ++ size = snprintf(busid, sizeof(busid), "%s:%d.%d",
17863 ++ udev->busid, udev->bConfigurationValue, i);
17864 ++ if (size < 0 || (unsigned int)size >= sizeof(busid)) {
17865 ++ err("busid length %i >= %lu or < 0", size,
17866 ++ (unsigned long)sizeof(busid));
17867 ++ return -1;
17868 ++ }
17869 +
17870 + sif = udev_device_new_from_subsystem_sysname(udev_context, "usb", busid);
17871 + if (!sif) {
17872 +diff --git a/tools/usb/usbip/libsrc/usbip_host_driver.c b/tools/usb/usbip/libsrc/usbip_host_driver.c
17873 +index bef08d5c44e8..071b9ce99420 100644
17874 +--- a/tools/usb/usbip/libsrc/usbip_host_driver.c
17875 ++++ b/tools/usb/usbip/libsrc/usbip_host_driver.c
17876 +@@ -39,13 +39,19 @@ struct udev *udev_context;
17877 + static int32_t read_attr_usbip_status(struct usbip_usb_device *udev)
17878 + {
17879 + char status_attr_path[SYSFS_PATH_MAX];
17880 ++ int size;
17881 + int fd;
17882 + int length;
17883 + char status;
17884 + int value = 0;
17885 +
17886 +- snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status",
17887 +- udev->path);
17888 ++ size = snprintf(status_attr_path, SYSFS_PATH_MAX, "%s/usbip_status",
17889 ++ udev->path);
17890 ++ if (size < 0 || (unsigned int)size >= sizeof(status_attr_path)) {
17891 ++ err("usbip_status path length %i >= %lu or < 0", size,
17892 ++ (unsigned long)sizeof(status_attr_path));
17893 ++ return -1;
17894 ++ }
17895 +
17896 + fd = open(status_attr_path, O_RDONLY);
17897 + if (fd < 0) {
17898 +@@ -225,6 +231,7 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd)
17899 + {
17900 + char attr_name[] = "usbip_sockfd";
17901 + char sockfd_attr_path[SYSFS_PATH_MAX];
17902 ++ int size;
17903 + char sockfd_buff[30];
17904 + int ret;
17905 +
17906 +@@ -244,10 +251,20 @@ int usbip_host_export_device(struct usbip_exported_device *edev, int sockfd)
17907 + }
17908 +
17909 + /* only the first interface is true */
17910 +- snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s",
17911 +- edev->udev.path, attr_name);
17912 ++ size = snprintf(sockfd_attr_path, sizeof(sockfd_attr_path), "%s/%s",
17913 ++ edev->udev.path, attr_name);
17914 ++ if (size < 0 || (unsigned int)size >= sizeof(sockfd_attr_path)) {
17915 ++ err("exported device path length %i >= %lu or < 0", size,
17916 ++ (unsigned long)sizeof(sockfd_attr_path));
17917 ++ return -1;
17918 ++ }
17919 +
17920 +- snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd);
17921 ++ size = snprintf(sockfd_buff, sizeof(sockfd_buff), "%d\n", sockfd);
17922 ++ if (size < 0 || (unsigned int)size >= sizeof(sockfd_buff)) {
17923 ++ err("socket length %i >= %lu or < 0", size,
17924 ++ (unsigned long)sizeof(sockfd_buff));
17925 ++ return -1;
17926 ++ }
17927 +
17928 + ret = write_sysfs_attribute(sockfd_attr_path, sockfd_buff,
17929 + strlen(sockfd_buff));
17930 +diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c
17931 +index ad9204773533..1274f326242c 100644
17932 +--- a/tools/usb/usbip/libsrc/vhci_driver.c
17933 ++++ b/tools/usb/usbip/libsrc/vhci_driver.c
17934 +@@ -55,12 +55,12 @@ static int parse_status(const char *value)
17935 +
17936 + while (*c != '\0') {
17937 + int port, status, speed, devid;
17938 +- unsigned long socket;
17939 ++ int sockfd;
17940 + char lbusid[SYSFS_BUS_ID_SIZE];
17941 +
17942 +- ret = sscanf(c, "%d %d %d %x %lx %31s\n",
17943 ++ ret = sscanf(c, "%d %d %d %x %u %31s\n",
17944 + &port, &status, &speed,
17945 +- &devid, &socket, lbusid);
17946 ++ &devid, &sockfd, lbusid);
17947 +
17948 + if (ret < 5) {
17949 + dbg("sscanf failed: %d", ret);
17950 +@@ -69,7 +69,7 @@ static int parse_status(const char *value)
17951 +
17952 + dbg("port %d status %d speed %d devid %x",
17953 + port, status, speed, devid);
17954 +- dbg("socket %lx lbusid %s", socket, lbusid);
17955 ++ dbg("sockfd %u lbusid %s", sockfd, lbusid);
17956 +
17957 +
17958 + /* if a device is connected, look at it */
17959 +diff --git a/tools/usb/usbip/src/usbip.c b/tools/usb/usbip/src/usbip.c
17960 +index d7599d943529..73d8eee8130b 100644
17961 +--- a/tools/usb/usbip/src/usbip.c
17962 ++++ b/tools/usb/usbip/src/usbip.c
17963 +@@ -176,6 +176,8 @@ int main(int argc, char *argv[])
17964 + break;
17965 + case '?':
17966 + printf("usbip: invalid option\n");
17967 ++ /* Terminate after printing error */
17968 ++ /* FALLTHRU */
17969 + default:
17970 + usbip_usage();
17971 + goto out;
17972 +diff --git a/tools/usb/usbip/src/usbip_bind.c b/tools/usb/usbip/src/usbip_bind.c
17973 +index fa46141ae68b..e121cfb1746a 100644
17974 +--- a/tools/usb/usbip/src/usbip_bind.c
17975 ++++ b/tools/usb/usbip/src/usbip_bind.c
17976 +@@ -144,6 +144,7 @@ static int bind_device(char *busid)
17977 + int rc;
17978 + struct udev *udev;
17979 + struct udev_device *dev;
17980 ++ const char *devpath;
17981 +
17982 + /* Check whether the device with this bus ID exists. */
17983 + udev = udev_new();
17984 +@@ -152,8 +153,16 @@ static int bind_device(char *busid)
17985 + err("device with the specified bus ID does not exist");
17986 + return -1;
17987 + }
17988 ++ devpath = udev_device_get_devpath(dev);
17989 + udev_unref(udev);
17990 +
17991 ++ /* If the device is already attached to vhci_hcd - bail out */
17992 ++ if (strstr(devpath, USBIP_VHCI_DRV_NAME)) {
17993 ++ err("bind loop detected: device: %s is attached to %s\n",
17994 ++ devpath, USBIP_VHCI_DRV_NAME);
17995 ++ return -1;
17996 ++ }
17997 ++
17998 + rc = unbind_other(busid);
17999 + if (rc == UNBIND_ST_FAILED) {
18000 + err("could not unbind driver from device on busid %s", busid);
18001 +diff --git a/tools/usb/usbip/src/usbip_list.c b/tools/usb/usbip/src/usbip_list.c
18002 +index d5ce34a410e7..ac6081c3db82 100644
18003 +--- a/tools/usb/usbip/src/usbip_list.c
18004 ++++ b/tools/usb/usbip/src/usbip_list.c
18005 +@@ -180,6 +180,7 @@ static int list_devices(bool parsable)
18006 + const char *busid;
18007 + char product_name[128];
18008 + int ret = -1;
18009 ++ const char *devpath;
18010 +
18011 + /* Create libudev context. */
18012 + udev = udev_new();
18013 +@@ -202,6 +203,14 @@ static int list_devices(bool parsable)
18014 + path = udev_list_entry_get_name(dev_list_entry);
18015 + dev = udev_device_new_from_syspath(udev, path);
18016 +
18017 ++ /* Ignore devices attached to vhci_hcd */
18018 ++ devpath = udev_device_get_devpath(dev);
18019 ++ if (strstr(devpath, USBIP_VHCI_DRV_NAME)) {
18020 ++ dbg("Skip the device %s already attached to %s\n",
18021 ++ devpath, USBIP_VHCI_DRV_NAME);
18022 ++ continue;
18023 ++ }
18024 ++
18025 + /* Get device information. */
18026 + idVendor = udev_device_get_sysattr_value(dev, "idVendor");
18027 + idProduct = udev_device_get_sysattr_value(dev, "idProduct");
18028 +diff --git a/tools/usb/usbip/src/utils.c b/tools/usb/usbip/src/utils.c
18029 +index 2b3d6d235015..3d7b42e77299 100644
18030 +--- a/tools/usb/usbip/src/utils.c
18031 ++++ b/tools/usb/usbip/src/utils.c
18032 +@@ -30,6 +30,7 @@ int modify_match_busid(char *busid, int add)
18033 + char command[SYSFS_BUS_ID_SIZE + 4];
18034 + char match_busid_attr_path[SYSFS_PATH_MAX];
18035 + int rc;
18036 ++ int cmd_size;
18037 +
18038 + snprintf(match_busid_attr_path, sizeof(match_busid_attr_path),
18039 + "%s/%s/%s/%s/%s/%s", SYSFS_MNT_PATH, SYSFS_BUS_NAME,
18040 +@@ -37,12 +38,14 @@ int modify_match_busid(char *busid, int add)
18041 + attr_name);
18042 +
18043 + if (add)
18044 +- snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s", busid);
18045 ++ cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s",
18046 ++ busid);
18047 + else
18048 +- snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s", busid);
18049 ++ cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s",
18050 ++ busid);
18051 +
18052 + rc = write_sysfs_attribute(match_busid_attr_path, command,
18053 +- sizeof(command));
18054 ++ cmd_size);
18055 + if (rc < 0) {
18056 + dbg("failed to write match_busid: %s", strerror(errno));
18057 + return -1;
18058
18059 diff --git a/1050_linux-4.1.51.patch b/1050_linux-4.1.51.patch
18060 new file mode 100644
18061 index 0000000..e7f030a
18062 --- /dev/null
18063 +++ b/1050_linux-4.1.51.patch
18064 @@ -0,0 +1,2698 @@
18065 +diff --git a/Makefile b/Makefile
18066 +index a655f63aedeb..caccc6f16d62 100644
18067 +--- a/Makefile
18068 ++++ b/Makefile
18069 +@@ -1,6 +1,6 @@
18070 + VERSION = 4
18071 + PATCHLEVEL = 1
18072 +-SUBLEVEL = 50
18073 ++SUBLEVEL = 51
18074 + EXTRAVERSION =
18075 + NAME = Series 4800
18076 +
18077 +diff --git a/arch/arm/include/asm/kvm_emulate.h b/arch/arm/include/asm/kvm_emulate.h
18078 +index 642934a5ae9b..fc2acaefafb0 100644
18079 +--- a/arch/arm/include/asm/kvm_emulate.h
18080 ++++ b/arch/arm/include/asm/kvm_emulate.h
18081 +@@ -28,6 +28,18 @@
18082 + unsigned long *vcpu_reg(struct kvm_vcpu *vcpu, u8 reg_num);
18083 + unsigned long *vcpu_spsr(struct kvm_vcpu *vcpu);
18084 +
18085 ++static inline unsigned long vcpu_get_reg(struct kvm_vcpu *vcpu,
18086 ++ u8 reg_num)
18087 ++{
18088 ++ return *vcpu_reg(vcpu, reg_num);
18089 ++}
18090 ++
18091 ++static inline void vcpu_set_reg(struct kvm_vcpu *vcpu, u8 reg_num,
18092 ++ unsigned long val)
18093 ++{
18094 ++ *vcpu_reg(vcpu, reg_num) = val;
18095 ++}
18096 ++
18097 + bool kvm_condition_valid(struct kvm_vcpu *vcpu);
18098 + void kvm_skip_instr(struct kvm_vcpu *vcpu, bool is_wide_instr);
18099 + void kvm_inject_undefined(struct kvm_vcpu *vcpu);
18100 +diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c
18101 +index 04e5004b34e1..387ee2a11e36 100644
18102 +--- a/arch/arm/kvm/mmio.c
18103 ++++ b/arch/arm/kvm/mmio.c
18104 +@@ -115,7 +115,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
18105 + trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
18106 + &data);
18107 + data = vcpu_data_host_to_guest(vcpu, data, len);
18108 +- *vcpu_reg(vcpu, vcpu->arch.mmio_decode.rt) = data;
18109 ++ vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
18110 + }
18111 +
18112 + return 0;
18113 +@@ -186,7 +186,8 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
18114 + rt = vcpu->arch.mmio_decode.rt;
18115 +
18116 + if (is_write) {
18117 +- data = vcpu_data_guest_to_host(vcpu, *vcpu_reg(vcpu, rt), len);
18118 ++ data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
18119 ++ len);
18120 +
18121 + trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
18122 + mmio_write_buf(data_buf, len, data);
18123 +diff --git a/arch/arm/mach-mvebu/Kconfig b/arch/arm/mach-mvebu/Kconfig
18124 +index 97473168d6b6..60ad79edbc3c 100644
18125 +--- a/arch/arm/mach-mvebu/Kconfig
18126 ++++ b/arch/arm/mach-mvebu/Kconfig
18127 +@@ -37,7 +37,7 @@ config MACH_ARMADA_370
18128 + config MACH_ARMADA_375
18129 + bool "Marvell Armada 375 boards" if ARCH_MULTI_V7
18130 + select ARM_ERRATA_720789
18131 +- select ARM_ERRATA_753970
18132 ++ select PL310_ERRATA_753970
18133 + select ARM_GIC
18134 + select ARMADA_375_CLK
18135 + select HAVE_ARM_SCU
18136 +@@ -52,7 +52,7 @@ config MACH_ARMADA_375
18137 + config MACH_ARMADA_38X
18138 + bool "Marvell Armada 380/385 boards" if ARCH_MULTI_V7
18139 + select ARM_ERRATA_720789
18140 +- select ARM_ERRATA_753970
18141 ++ select PL310_ERRATA_753970
18142 + select ARM_GIC
18143 + select ARMADA_38X_CLK
18144 + select HAVE_ARM_SCU
18145 +diff --git a/arch/arm/mach-omap2/omap-secure.c b/arch/arm/mach-omap2/omap-secure.c
18146 +index 9ff92050053c..fa7f308c9027 100644
18147 +--- a/arch/arm/mach-omap2/omap-secure.c
18148 ++++ b/arch/arm/mach-omap2/omap-secure.c
18149 +@@ -73,6 +73,7 @@ phys_addr_t omap_secure_ram_mempool_base(void)
18150 + return omap_secure_memblock_base;
18151 + }
18152 +
18153 ++#if defined(CONFIG_ARCH_OMAP3) && defined(CONFIG_PM)
18154 + u32 omap3_save_secure_ram(void __iomem *addr, int size)
18155 + {
18156 + u32 ret;
18157 +@@ -91,6 +92,7 @@ u32 omap3_save_secure_ram(void __iomem *addr, int size)
18158 +
18159 + return ret;
18160 + }
18161 ++#endif
18162 +
18163 + /**
18164 + * rx51_secure_dispatcher: Routine to dispatch secure PPA API calls
18165 +diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h
18166 +index 3e3c4c7a5082..0504f1347af0 100644
18167 +--- a/arch/arm64/include/asm/kvm_emulate.h
18168 ++++ b/arch/arm64/include/asm/kvm_emulate.h
18169 +@@ -109,6 +109,19 @@ static inline unsigned long *vcpu_reg(const struct kvm_vcpu *vcpu, u8 reg_num)
18170 + return (unsigned long *)&vcpu_gp_regs(vcpu)->regs.regs[reg_num];
18171 + }
18172 +
18173 ++static inline unsigned long vcpu_get_reg(const struct kvm_vcpu *vcpu,
18174 ++ u8 reg_num)
18175 ++{
18176 ++ return (reg_num == 31) ? 0 : vcpu_gp_regs(vcpu)->regs.regs[reg_num];
18177 ++}
18178 ++
18179 ++static inline void vcpu_set_reg(struct kvm_vcpu *vcpu, u8 reg_num,
18180 ++ unsigned long val)
18181 ++{
18182 ++ if (reg_num != 31)
18183 ++ vcpu_gp_regs(vcpu)->regs.regs[reg_num] = val;
18184 ++}
18185 ++
18186 + /* Get vcpu SPSR for current mode */
18187 + static inline unsigned long *vcpu_spsr(const struct kvm_vcpu *vcpu)
18188 + {
18189 +diff --git a/arch/mips/ath25/board.c b/arch/mips/ath25/board.c
18190 +index b8bb78282d6a..7df779f2cb63 100644
18191 +--- a/arch/mips/ath25/board.c
18192 ++++ b/arch/mips/ath25/board.c
18193 +@@ -135,6 +135,8 @@ int __init ath25_find_config(phys_addr_t base, unsigned long size)
18194 + }
18195 +
18196 + board_data = kzalloc(BOARD_CONFIG_BUFSZ, GFP_KERNEL);
18197 ++ if (!board_data)
18198 ++ goto error;
18199 + ath25_board.config = (struct ath25_boarddata *)board_data;
18200 + memcpy_fromio(board_data, bcfg, 0x100);
18201 + if (broken_boarddata) {
18202 +diff --git a/arch/mips/cavium-octeon/octeon-irq.c b/arch/mips/cavium-octeon/octeon-irq.c
18203 +index 10f762557b92..bacefffee16e 100644
18204 +--- a/arch/mips/cavium-octeon/octeon-irq.c
18205 ++++ b/arch/mips/cavium-octeon/octeon-irq.c
18206 +@@ -2242,6 +2242,8 @@ static int __init octeon_irq_init_cib(struct device_node *ciu_node,
18207 + }
18208 +
18209 + host_data = kzalloc(sizeof(*host_data), GFP_KERNEL);
18210 ++ if (!host_data)
18211 ++ return -ENOMEM;
18212 + raw_spin_lock_init(&host_data->lock);
18213 +
18214 + addr = of_get_address(ciu_node, 0, NULL, NULL);
18215 +diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c
18216 +index 336708ae5c5b..ee306af6f3d9 100644
18217 +--- a/arch/mips/kernel/smp-bmips.c
18218 ++++ b/arch/mips/kernel/smp-bmips.c
18219 +@@ -166,11 +166,11 @@ static void bmips_prepare_cpus(unsigned int max_cpus)
18220 + return;
18221 + }
18222 +
18223 +- if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, IRQF_PERCPU,
18224 +- "smp_ipi0", NULL))
18225 ++ if (request_irq(IPI0_IRQ, bmips_ipi_interrupt,
18226 ++ IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi0", NULL))
18227 + panic("Can't request IPI0 interrupt");
18228 +- if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, IRQF_PERCPU,
18229 +- "smp_ipi1", NULL))
18230 ++ if (request_irq(IPI1_IRQ, bmips_ipi_interrupt,
18231 ++ IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi1", NULL))
18232 + panic("Can't request IPI1 interrupt");
18233 + }
18234 +
18235 +diff --git a/arch/sh/boards/mach-se/770x/setup.c b/arch/sh/boards/mach-se/770x/setup.c
18236 +index 658326f44df8..5e0267624d8d 100644
18237 +--- a/arch/sh/boards/mach-se/770x/setup.c
18238 ++++ b/arch/sh/boards/mach-se/770x/setup.c
18239 +@@ -8,6 +8,7 @@
18240 + */
18241 + #include <linux/init.h>
18242 + #include <linux/platform_device.h>
18243 ++#include <linux/sh_eth.h>
18244 + #include <mach-se/mach/se.h>
18245 + #include <mach-se/mach/mrshpc.h>
18246 + #include <asm/machvec.h>
18247 +@@ -114,6 +115,11 @@ static struct platform_device heartbeat_device = {
18248 + #if defined(CONFIG_CPU_SUBTYPE_SH7710) ||\
18249 + defined(CONFIG_CPU_SUBTYPE_SH7712)
18250 + /* SH771X Ethernet driver */
18251 ++static struct sh_eth_plat_data sh_eth_plat = {
18252 ++ .phy = PHY_ID,
18253 ++ .phy_interface = PHY_INTERFACE_MODE_MII,
18254 ++};
18255 ++
18256 + static struct resource sh_eth0_resources[] = {
18257 + [0] = {
18258 + .start = SH_ETH0_BASE,
18259 +@@ -131,7 +137,7 @@ static struct platform_device sh_eth0_device = {
18260 + .name = "sh771x-ether",
18261 + .id = 0,
18262 + .dev = {
18263 +- .platform_data = PHY_ID,
18264 ++ .platform_data = &sh_eth_plat,
18265 + },
18266 + .num_resources = ARRAY_SIZE(sh_eth0_resources),
18267 + .resource = sh_eth0_resources,
18268 +@@ -154,7 +160,7 @@ static struct platform_device sh_eth1_device = {
18269 + .name = "sh771x-ether",
18270 + .id = 1,
18271 + .dev = {
18272 +- .platform_data = PHY_ID,
18273 ++ .platform_data = &sh_eth_plat,
18274 + },
18275 + .num_resources = ARRAY_SIZE(sh_eth1_resources),
18276 + .resource = sh_eth1_resources,
18277 +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
18278 +index 8de489937b89..f726068e1804 100644
18279 +--- a/arch/x86/kernel/cpu/mcheck/mce.c
18280 ++++ b/arch/x86/kernel/cpu/mcheck/mce.c
18281 +@@ -57,6 +57,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mutex);
18282 + rcu_read_lock_sched_held() || \
18283 + lockdep_is_held(&mce_chrdev_read_mutex))
18284 +
18285 ++/* sysfs synchronization */
18286 ++static DEFINE_MUTEX(mce_sysfs_mutex);
18287 ++
18288 + #define CREATE_TRACE_POINTS
18289 + #include <trace/events/mce.h>
18290 +
18291 +@@ -2183,6 +2186,7 @@ static ssize_t set_ignore_ce(struct device *s,
18292 + if (kstrtou64(buf, 0, &new) < 0)
18293 + return -EINVAL;
18294 +
18295 ++ mutex_lock(&mce_sysfs_mutex);
18296 + if (mca_cfg.ignore_ce ^ !!new) {
18297 + if (new) {
18298 + /* disable ce features */
18299 +@@ -2195,6 +2199,8 @@ static ssize_t set_ignore_ce(struct device *s,
18300 + on_each_cpu(mce_enable_ce, (void *)1, 1);
18301 + }
18302 + }
18303 ++ mutex_unlock(&mce_sysfs_mutex);
18304 ++
18305 + return size;
18306 + }
18307 +
18308 +@@ -2207,6 +2213,7 @@ static ssize_t set_cmci_disabled(struct device *s,
18309 + if (kstrtou64(buf, 0, &new) < 0)
18310 + return -EINVAL;
18311 +
18312 ++ mutex_lock(&mce_sysfs_mutex);
18313 + if (mca_cfg.cmci_disabled ^ !!new) {
18314 + if (new) {
18315 + /* disable cmci */
18316 +@@ -2218,6 +2225,8 @@ static ssize_t set_cmci_disabled(struct device *s,
18317 + on_each_cpu(mce_enable_ce, NULL, 1);
18318 + }
18319 + }
18320 ++ mutex_unlock(&mce_sysfs_mutex);
18321 ++
18322 + return size;
18323 + }
18324 +
18325 +@@ -2225,8 +2234,19 @@ static ssize_t store_int_with_restart(struct device *s,
18326 + struct device_attribute *attr,
18327 + const char *buf, size_t size)
18328 + {
18329 +- ssize_t ret = device_store_int(s, attr, buf, size);
18330 ++ unsigned long old_check_interval = check_interval;
18331 ++ ssize_t ret = device_store_ulong(s, attr, buf, size);
18332 ++
18333 ++ if (check_interval == old_check_interval)
18334 ++ return ret;
18335 ++
18336 ++ if (check_interval < 1)
18337 ++ check_interval = 1;
18338 ++
18339 ++ mutex_lock(&mce_sysfs_mutex);
18340 + mce_restart();
18341 ++ mutex_unlock(&mce_sysfs_mutex);
18342 ++
18343 + return ret;
18344 + }
18345 +
18346 +diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
18347 +index 415480d3ea84..49ab807eca1c 100644
18348 +--- a/arch/x86/kernel/machine_kexec_64.c
18349 ++++ b/arch/x86/kernel/machine_kexec_64.c
18350 +@@ -517,6 +517,7 @@ int arch_kexec_apply_relocations_add(const Elf64_Ehdr *ehdr,
18351 + goto overflow;
18352 + break;
18353 + case R_X86_64_PC32:
18354 ++ case R_X86_64_PLT32:
18355 + value -= (u64)address;
18356 + *(u32 *)location = value;
18357 + break;
18358 +diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
18359 +index 005c03e93fc5..94779f66bf49 100644
18360 +--- a/arch/x86/kernel/module.c
18361 ++++ b/arch/x86/kernel/module.c
18362 +@@ -170,19 +170,28 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
18363 + case R_X86_64_NONE:
18364 + break;
18365 + case R_X86_64_64:
18366 ++ if (*(u64 *)loc != 0)
18367 ++ goto invalid_relocation;
18368 + *(u64 *)loc = val;
18369 + break;
18370 + case R_X86_64_32:
18371 ++ if (*(u32 *)loc != 0)
18372 ++ goto invalid_relocation;
18373 + *(u32 *)loc = val;
18374 + if (val != *(u32 *)loc)
18375 + goto overflow;
18376 + break;
18377 + case R_X86_64_32S:
18378 ++ if (*(s32 *)loc != 0)
18379 ++ goto invalid_relocation;
18380 + *(s32 *)loc = val;
18381 + if ((s64)val != *(s32 *)loc)
18382 + goto overflow;
18383 + break;
18384 + case R_X86_64_PC32:
18385 ++ case R_X86_64_PLT32:
18386 ++ if (*(u32 *)loc != 0)
18387 ++ goto invalid_relocation;
18388 + val -= (u64)loc;
18389 + *(u32 *)loc = val;
18390 + #if 0
18391 +@@ -198,6 +207,11 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
18392 + }
18393 + return 0;
18394 +
18395 ++invalid_relocation:
18396 ++ pr_err("x86/modules: Skipping invalid relocation target, existing value is nonzero for type %d, loc %p, val %Lx\n",
18397 ++ (int)ELF64_R_TYPE(rel[i].r_info), loc, val);
18398 ++ return -ENOEXEC;
18399 ++
18400 + overflow:
18401 + pr_err("overflow in relocation type %d val %Lx\n",
18402 + (int)ELF64_R_TYPE(rel[i].r_info), val);
18403 +diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S
18404 +index b7518368492a..9bc944a91274 100644
18405 +--- a/arch/x86/lib/checksum_32.S
18406 ++++ b/arch/x86/lib/checksum_32.S
18407 +@@ -29,8 +29,7 @@
18408 + #include <asm/dwarf2.h>
18409 + #include <asm/errno.h>
18410 + #include <asm/asm.h>
18411 +-#include <asm/nospec-branch.h>
18412 +-
18413 ++
18414 + /*
18415 + * computes a partial checksum, e.g. for TCP/UDP fragments
18416 + */
18417 +@@ -160,7 +159,7 @@ ENTRY(csum_partial)
18418 + negl %ebx
18419 + lea 45f(%ebx,%ebx,2), %ebx
18420 + testl %esi, %esi
18421 +- JMP_NOSPEC %ebx
18422 ++ jmp *%ebx
18423 +
18424 + # Handle 2-byte-aligned regions
18425 + 20: addw (%esi), %ax
18426 +@@ -447,7 +446,7 @@ ENTRY(csum_partial_copy_generic)
18427 + andl $-32,%edx
18428 + lea 3f(%ebx,%ebx), %ebx
18429 + testl %esi, %esi
18430 +- JMP_NOSPEC %ebx
18431 ++ jmp *%ebx
18432 + 1: addl $64,%esi
18433 + addl $64,%edi
18434 + SRC(movb -32(%edx),%bl) ; SRC(movb (%edx),%bl)
18435 +diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
18436 +index 73eb7fd4aec4..5b6c8486a0be 100644
18437 +--- a/arch/x86/tools/relocs.c
18438 ++++ b/arch/x86/tools/relocs.c
18439 +@@ -769,9 +769,12 @@ static int do_reloc64(struct section *sec, Elf_Rel *rel, ElfW(Sym) *sym,
18440 + break;
18441 +
18442 + case R_X86_64_PC32:
18443 ++ case R_X86_64_PLT32:
18444 + /*
18445 + * PC relative relocations don't need to be adjusted unless
18446 + * referencing a percpu symbol.
18447 ++ *
18448 ++ * NB: R_X86_64_PLT32 can be treated as R_X86_64_PC32.
18449 + */
18450 + if (is_percpu_sym(sym, symname))
18451 + add_reloc(&relocs32neg, offset);
18452 +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
18453 +index 7104d9e1b5f9..4d1cc6982518 100644
18454 +--- a/block/blk-cgroup.c
18455 ++++ b/block/blk-cgroup.c
18456 +@@ -870,10 +870,8 @@ int blkcg_init_queue(struct request_queue *q)
18457 + if (preloaded)
18458 + radix_tree_preload_end();
18459 +
18460 +- if (IS_ERR(blkg)) {
18461 +- blkg_free(new_blkg);
18462 ++ if (IS_ERR(blkg))
18463 + return PTR_ERR(blkg);
18464 +- }
18465 +
18466 + q->root_blkg = blkg;
18467 + q->root_rl.blkg = blkg;
18468 +diff --git a/drivers/block/loop.c b/drivers/block/loop.c
18469 +index b5dbce192c6b..9e72be28ee9f 100644
18470 +--- a/drivers/block/loop.c
18471 ++++ b/drivers/block/loop.c
18472 +@@ -207,7 +207,7 @@ static int lo_write_bvec(struct file *file, struct bio_vec *bvec, loff_t *ppos)
18473 + struct iov_iter i;
18474 + ssize_t bw;
18475 +
18476 +- iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len);
18477 ++ iov_iter_bvec(&i, ITER_BVEC | WRITE, bvec, 1, bvec->bv_len);
18478 +
18479 + file_start_write(file);
18480 + bw = vfs_iter_write(file, &i, ppos);
18481 +diff --git a/drivers/char/tpm/st33zp24/st33zp24.c b/drivers/char/tpm/st33zp24/st33zp24.c
18482 +index 8d626784cd8d..49e4040eeb55 100644
18483 +--- a/drivers/char/tpm/st33zp24/st33zp24.c
18484 ++++ b/drivers/char/tpm/st33zp24/st33zp24.c
18485 +@@ -485,7 +485,7 @@ static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf,
18486 + size_t count)
18487 + {
18488 + int size = 0;
18489 +- int expected;
18490 ++ u32 expected;
18491 +
18492 + if (!chip)
18493 + return -EBUSY;
18494 +@@ -502,7 +502,7 @@ static int st33zp24_recv(struct tpm_chip *chip, unsigned char *buf,
18495 + }
18496 +
18497 + expected = be32_to_cpu(*(__be32 *)(buf + 2));
18498 +- if (expected > count) {
18499 ++ if (expected > count || expected < TPM_HEADER_SIZE) {
18500 + size = -EIO;
18501 + goto out;
18502 + }
18503 +diff --git a/drivers/char/tpm/tpm_i2c_infineon.c b/drivers/char/tpm/tpm_i2c_infineon.c
18504 +index 33c5f360ab01..ff9ed941862a 100644
18505 +--- a/drivers/char/tpm/tpm_i2c_infineon.c
18506 ++++ b/drivers/char/tpm/tpm_i2c_infineon.c
18507 +@@ -436,7 +436,8 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
18508 + static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
18509 + {
18510 + int size = 0;
18511 +- int expected, status;
18512 ++ int status;
18513 ++ u32 expected;
18514 +
18515 + if (count < TPM_HEADER_SIZE) {
18516 + size = -EIO;
18517 +@@ -451,7 +452,7 @@ static int tpm_tis_i2c_recv(struct tpm_chip *chip, u8 *buf, size_t count)
18518 + }
18519 +
18520 + expected = be32_to_cpu(*(__be32 *)(buf + 2));
18521 +- if ((size_t) expected > count) {
18522 ++ if (((size_t) expected > count) || (expected < TPM_HEADER_SIZE)) {
18523 + size = -EIO;
18524 + goto out;
18525 + }
18526 +diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
18527 +index eac6dc93589f..134cef873aeb 100644
18528 +--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
18529 ++++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
18530 +@@ -275,7 +275,11 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
18531 + struct device *dev = chip->pdev;
18532 + struct i2c_client *client = to_i2c_client(dev);
18533 + s32 rc;
18534 +- int expected, status, burst_count, retries, size = 0;
18535 ++ int status;
18536 ++ int burst_count;
18537 ++ int retries;
18538 ++ int size = 0;
18539 ++ u32 expected;
18540 +
18541 + if (count < TPM_HEADER_SIZE) {
18542 + i2c_nuvoton_ready(chip); /* return to idle */
18543 +@@ -317,7 +321,7 @@ static int i2c_nuvoton_recv(struct tpm_chip *chip, u8 *buf, size_t count)
18544 + * to machine native
18545 + */
18546 + expected = be32_to_cpu(*(__be32 *) (buf + 2));
18547 +- if (expected > count) {
18548 ++ if (expected > count || expected < size) {
18549 + dev_err(dev, "%s() expected > count\n", __func__);
18550 + size = -EIO;
18551 + continue;
18552 +diff --git a/drivers/cpufreq/s3c24xx-cpufreq.c b/drivers/cpufreq/s3c24xx-cpufreq.c
18553 +index 733aa5153e74..e23fd9a9b8c4 100644
18554 +--- a/drivers/cpufreq/s3c24xx-cpufreq.c
18555 ++++ b/drivers/cpufreq/s3c24xx-cpufreq.c
18556 +@@ -364,7 +364,13 @@ struct clk *s3c_cpufreq_clk_get(struct device *dev, const char *name)
18557 + static int s3c_cpufreq_init(struct cpufreq_policy *policy)
18558 + {
18559 + policy->clk = clk_arm;
18560 +- return cpufreq_generic_init(policy, ftab, cpu_cur.info->latency);
18561 ++
18562 ++ policy->cpuinfo.transition_latency = cpu_cur.info->latency;
18563 ++
18564 ++ if (ftab)
18565 ++ return cpufreq_table_validate_and_show(policy, ftab);
18566 ++
18567 ++ return 0;
18568 + }
18569 +
18570 + static int __init s3c_cpufreq_initclks(void)
18571 +diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c
18572 +index 2bf5fcb0062a..f80c719642b4 100644
18573 +--- a/drivers/gpu/drm/radeon/cik.c
18574 ++++ b/drivers/gpu/drm/radeon/cik.c
18575 +@@ -3574,35 +3574,8 @@ static void cik_gpu_init(struct radeon_device *rdev)
18576 + case CHIP_KAVERI:
18577 + rdev->config.cik.max_shader_engines = 1;
18578 + rdev->config.cik.max_tile_pipes = 4;
18579 +- if ((rdev->pdev->device == 0x1304) ||
18580 +- (rdev->pdev->device == 0x1305) ||
18581 +- (rdev->pdev->device == 0x130C) ||
18582 +- (rdev->pdev->device == 0x130F) ||
18583 +- (rdev->pdev->device == 0x1310) ||
18584 +- (rdev->pdev->device == 0x1311) ||
18585 +- (rdev->pdev->device == 0x131C)) {
18586 +- rdev->config.cik.max_cu_per_sh = 8;
18587 +- rdev->config.cik.max_backends_per_se = 2;
18588 +- } else if ((rdev->pdev->device == 0x1309) ||
18589 +- (rdev->pdev->device == 0x130A) ||
18590 +- (rdev->pdev->device == 0x130D) ||
18591 +- (rdev->pdev->device == 0x1313) ||
18592 +- (rdev->pdev->device == 0x131D)) {
18593 +- rdev->config.cik.max_cu_per_sh = 6;
18594 +- rdev->config.cik.max_backends_per_se = 2;
18595 +- } else if ((rdev->pdev->device == 0x1306) ||
18596 +- (rdev->pdev->device == 0x1307) ||
18597 +- (rdev->pdev->device == 0x130B) ||
18598 +- (rdev->pdev->device == 0x130E) ||
18599 +- (rdev->pdev->device == 0x1315) ||
18600 +- (rdev->pdev->device == 0x1318) ||
18601 +- (rdev->pdev->device == 0x131B)) {
18602 +- rdev->config.cik.max_cu_per_sh = 4;
18603 +- rdev->config.cik.max_backends_per_se = 1;
18604 +- } else {
18605 +- rdev->config.cik.max_cu_per_sh = 3;
18606 +- rdev->config.cik.max_backends_per_se = 1;
18607 +- }
18608 ++ rdev->config.cik.max_cu_per_sh = 8;
18609 ++ rdev->config.cik.max_backends_per_se = 2;
18610 + rdev->config.cik.max_sh_per_se = 1;
18611 + rdev->config.cik.max_texture_channel_caches = 4;
18612 + rdev->config.cik.max_gprs = 256;
18613 +diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
18614 +index 5d8dfe027b30..75d51ec98e06 100644
18615 +--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
18616 ++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
18617 +@@ -818,6 +818,8 @@ int ttm_page_alloc_init(struct ttm_mem_global *glob, unsigned max_pages)
18618 + pr_info("Initializing pool allocator\n");
18619 +
18620 + _manager = kzalloc(sizeof(*_manager), GFP_KERNEL);
18621 ++ if (!_manager)
18622 ++ return -ENOMEM;
18623 +
18624 + ttm_page_pool_init_locked(&_manager->wc_pool, GFP_HIGHUSER, "wc");
18625 +
18626 +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
18627 +index 81dd84d0b68b..9e7dd06031ae 100644
18628 +--- a/drivers/infiniband/core/ucma.c
18629 ++++ b/drivers/infiniband/core/ucma.c
18630 +@@ -1050,6 +1050,9 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file,
18631 + if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
18632 + return -EFAULT;
18633 +
18634 ++ if (cmd.qp_state > IB_QPS_ERR)
18635 ++ return -EINVAL;
18636 ++
18637 + ctx = ucma_get_ctx(file, cmd.id);
18638 + if (IS_ERR(ctx))
18639 + return PTR_ERR(ctx);
18640 +@@ -1187,6 +1190,9 @@ static ssize_t ucma_set_option(struct ucma_file *file, const char __user *inbuf,
18641 + if (IS_ERR(ctx))
18642 + return PTR_ERR(ctx);
18643 +
18644 ++ if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
18645 ++ return -EINVAL;
18646 ++
18647 + optval = memdup_user((void __user *) (unsigned long) cmd.optval,
18648 + cmd.optlen);
18649 + if (IS_ERR(optval)) {
18650 +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
18651 +index 2ee6b1051975..ca920c633f25 100644
18652 +--- a/drivers/infiniband/hw/mlx5/cq.c
18653 ++++ b/drivers/infiniband/hw/mlx5/cq.c
18654 +@@ -959,7 +959,12 @@ static int resize_user(struct mlx5_ib_dev *dev, struct mlx5_ib_cq *cq,
18655 + if (ucmd.reserved0 || ucmd.reserved1)
18656 + return -EINVAL;
18657 +
18658 +- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,
18659 ++ /* check multiplication overflow */
18660 ++ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)
18661 ++ return -EINVAL;
18662 ++
18663 ++ umem = ib_umem_get(context, ucmd.buf_addr,
18664 ++ (size_t)ucmd.cqe_size * entries,
18665 + IB_ACCESS_LOCAL_WRITE, 1);
18666 + if (IS_ERR(umem)) {
18667 + err = PTR_ERR(umem);
18668 +diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c
18669 +index b370a59cb759..bfa9792b3184 100644
18670 +--- a/drivers/input/keyboard/matrix_keypad.c
18671 ++++ b/drivers/input/keyboard/matrix_keypad.c
18672 +@@ -216,8 +216,10 @@ static void matrix_keypad_stop(struct input_dev *dev)
18673 + {
18674 + struct matrix_keypad *keypad = input_get_drvdata(dev);
18675 +
18676 ++ spin_lock_irq(&keypad->lock);
18677 + keypad->stopped = true;
18678 +- mb();
18679 ++ spin_unlock_irq(&keypad->lock);
18680 ++
18681 + flush_work(&keypad->work.work);
18682 + /*
18683 + * matrix_keypad_scan() will leave IRQs enabled;
18684 +diff --git a/drivers/input/keyboard/tca8418_keypad.c b/drivers/input/keyboard/tca8418_keypad.c
18685 +index 5c4f7f8f2c20..05c3f25dd8c2 100644
18686 +--- a/drivers/input/keyboard/tca8418_keypad.c
18687 ++++ b/drivers/input/keyboard/tca8418_keypad.c
18688 +@@ -189,8 +189,6 @@ static void tca8418_read_keypad(struct tca8418_keypad *keypad_data)
18689 + input_event(input, EV_MSC, MSC_SCAN, code);
18690 + input_report_key(input, keymap[code], state);
18691 +
18692 +- /* Read for next loop */
18693 +- error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, &reg);
18694 + } while (1);
18695 +
18696 + input_sync(input);
18697 +diff --git a/drivers/leds/led-core.c b/drivers/leds/led-core.c
18698 +index 9886dace5ad2..ba6db252e1cb 100644
18699 +--- a/drivers/leds/led-core.c
18700 ++++ b/drivers/leds/led-core.c
18701 +@@ -76,7 +76,7 @@ void led_blink_set(struct led_classdev *led_cdev,
18702 + unsigned long *delay_on,
18703 + unsigned long *delay_off)
18704 + {
18705 +- del_timer_sync(&led_cdev->blink_timer);
18706 ++ led_stop_software_blink(led_cdev);
18707 +
18708 + led_cdev->flags &= ~LED_BLINK_ONESHOT;
18709 + led_cdev->flags &= ~LED_BLINK_ONESHOT_STOP;
18710 +diff --git a/drivers/leds/led-triggers.c b/drivers/leds/led-triggers.c
18711 +index e8b1120f486d..eef3e64ca0a8 100644
18712 +--- a/drivers/leds/led-triggers.c
18713 ++++ b/drivers/leds/led-triggers.c
18714 +@@ -88,21 +88,23 @@ ssize_t led_trigger_show(struct device *dev, struct device_attribute *attr,
18715 + down_read(&led_cdev->trigger_lock);
18716 +
18717 + if (!led_cdev->trigger)
18718 +- len += sprintf(buf+len, "[none] ");
18719 ++ len += scnprintf(buf+len, PAGE_SIZE - len, "[none] ");
18720 + else
18721 +- len += sprintf(buf+len, "none ");
18722 ++ len += scnprintf(buf+len, PAGE_SIZE - len, "none ");
18723 +
18724 + list_for_each_entry(trig, &trigger_list, next_trig) {
18725 + if (led_cdev->trigger && !strcmp(led_cdev->trigger->name,
18726 + trig->name))
18727 +- len += sprintf(buf+len, "[%s] ", trig->name);
18728 ++ len += scnprintf(buf+len, PAGE_SIZE - len, "[%s] ",
18729 ++ trig->name);
18730 + else
18731 +- len += sprintf(buf+len, "%s ", trig->name);
18732 ++ len += scnprintf(buf+len, PAGE_SIZE - len, "%s ",
18733 ++ trig->name);
18734 + }
18735 + up_read(&led_cdev->trigger_lock);
18736 + up_read(&triggers_list_lock);
18737 +
18738 +- len += sprintf(len+buf, "\n");
18739 ++ len += scnprintf(len+buf, PAGE_SIZE - len, "\n");
18740 + return len;
18741 + }
18742 + EXPORT_SYMBOL_GPL(led_trigger_show);
18743 +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
18744 +index 6f7bc8a8674b..b8013e386c76 100644
18745 +--- a/drivers/md/bcache/super.c
18746 ++++ b/drivers/md/bcache/super.c
18747 +@@ -966,6 +966,7 @@ int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c)
18748 + uint32_t rtime = cpu_to_le32(get_seconds());
18749 + struct uuid_entry *u;
18750 + char buf[BDEVNAME_SIZE];
18751 ++ struct cached_dev *exist_dc, *t;
18752 +
18753 + bdevname(dc->bdev, buf);
18754 +
18755 +@@ -989,6 +990,16 @@ int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c)
18756 + return -EINVAL;
18757 + }
18758 +
18759 ++ /* Check whether already attached */
18760 ++ list_for_each_entry_safe(exist_dc, t, &c->cached_devs, list) {
18761 ++ if (!memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)) {
18762 ++ pr_err("Tried to attach %s but duplicate UUID already attached",
18763 ++ buf);
18764 ++
18765 ++ return -EINVAL;
18766 ++ }
18767 ++ }
18768 ++
18769 + u = uuid_find(c, dc->sb.uuid);
18770 +
18771 + if (u &&
18772 +diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
18773 +index 74adcd2c967e..01d7b5785b8e 100644
18774 +--- a/drivers/md/dm-io.c
18775 ++++ b/drivers/md/dm-io.c
18776 +@@ -299,6 +299,7 @@ static void do_region(int rw, unsigned region, struct dm_io_region *where,
18777 + else if (rw & REQ_WRITE_SAME)
18778 + special_cmd_max_sectors = q->limits.max_write_same_sectors;
18779 + if ((rw & (REQ_DISCARD | REQ_WRITE_SAME)) && special_cmd_max_sectors == 0) {
18780 ++ atomic_inc(&io->count);
18781 + dec_count(io, region, -EOPNOTSUPP);
18782 + return;
18783 + }
18784 +diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
18785 +index 1b8f3500e6d2..d25f2563ffda 100644
18786 +--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
18787 ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
18788 +@@ -1029,9 +1029,6 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, struct nand_chip *chip,
18789 + return ret;
18790 + }
18791 +
18792 +- /* handle the block mark swapping */
18793 +- block_mark_swapping(this, payload_virt, auxiliary_virt);
18794 +-
18795 + /* Loop over status bytes, accumulating ECC status. */
18796 + status = auxiliary_virt + nfc_geo->auxiliary_status_offset;
18797 +
18798 +@@ -1047,6 +1044,9 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, struct nand_chip *chip,
18799 + max_bitflips = max_t(unsigned int, max_bitflips, *status);
18800 + }
18801 +
18802 ++ /* handle the block mark swapping */
18803 ++ block_mark_swapping(this, buf, auxiliary_virt);
18804 ++
18805 + if (oob_required) {
18806 + /*
18807 + * It's time to deliver the OOB bytes. See gpmi_ecc_read_oob()
18808 +diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
18809 +index 812ecf2d253a..9965acb8aca0 100644
18810 +--- a/drivers/mtd/ubi/vmt.c
18811 ++++ b/drivers/mtd/ubi/vmt.c
18812 +@@ -310,6 +310,12 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
18813 + vol->last_eb_bytes = vol->usable_leb_size;
18814 + }
18815 +
18816 ++ /* Make volume "available" before it becomes accessible via sysfs */
18817 ++ spin_lock(&ubi->volumes_lock);
18818 ++ ubi->volumes[vol_id] = vol;
18819 ++ ubi->vol_count += 1;
18820 ++ spin_unlock(&ubi->volumes_lock);
18821 ++
18822 + /* Register character device for the volume */
18823 + cdev_init(&vol->cdev, &ubi_vol_cdev_operations);
18824 + vol->cdev.owner = THIS_MODULE;
18825 +@@ -352,11 +358,6 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
18826 + if (err)
18827 + goto out_sysfs;
18828 +
18829 +- spin_lock(&ubi->volumes_lock);
18830 +- ubi->volumes[vol_id] = vol;
18831 +- ubi->vol_count += 1;
18832 +- spin_unlock(&ubi->volumes_lock);
18833 +-
18834 + ubi_volume_notify(ubi, vol, UBI_VOLUME_ADDED);
18835 + self_check_volumes(ubi);
18836 + return err;
18837 +@@ -376,6 +377,10 @@ out_sysfs:
18838 + out_cdev:
18839 + cdev_del(&vol->cdev);
18840 + out_mapping:
18841 ++ spin_lock(&ubi->volumes_lock);
18842 ++ ubi->volumes[vol_id] = NULL;
18843 ++ ubi->vol_count -= 1;
18844 ++ spin_unlock(&ubi->volumes_lock);
18845 + if (do_free)
18846 + kfree(vol->eba_tbl);
18847 + out_acc:
18848 +diff --git a/drivers/net/ethernet/arc/emac_main.c b/drivers/net/ethernet/arc/emac_main.c
18849 +index abe1eabc0171..9cc5daed13ed 100644
18850 +--- a/drivers/net/ethernet/arc/emac_main.c
18851 ++++ b/drivers/net/ethernet/arc/emac_main.c
18852 +@@ -250,39 +250,48 @@ static int arc_emac_rx(struct net_device *ndev, int budget)
18853 + continue;
18854 + }
18855 +
18856 +- pktlen = info & LEN_MASK;
18857 +- stats->rx_packets++;
18858 +- stats->rx_bytes += pktlen;
18859 +- skb = rx_buff->skb;
18860 +- skb_put(skb, pktlen);
18861 +- skb->dev = ndev;
18862 +- skb->protocol = eth_type_trans(skb, ndev);
18863 +-
18864 +- dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr),
18865 +- dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE);
18866 +-
18867 +- /* Prepare the BD for next cycle */
18868 +- rx_buff->skb = netdev_alloc_skb_ip_align(ndev,
18869 +- EMAC_BUFFER_SIZE);
18870 +- if (unlikely(!rx_buff->skb)) {
18871 ++ /* Prepare the BD for next cycle. netif_receive_skb()
18872 ++ * only if new skb was allocated and mapped to avoid holes
18873 ++ * in the RX fifo.
18874 ++ */
18875 ++ skb = netdev_alloc_skb_ip_align(ndev, EMAC_BUFFER_SIZE);
18876 ++ if (unlikely(!skb)) {
18877 ++ if (net_ratelimit())
18878 ++ netdev_err(ndev, "cannot allocate skb\n");
18879 ++ /* Return ownership to EMAC */
18880 ++ rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE);
18881 + stats->rx_errors++;
18882 +- /* Because receive_skb is below, increment rx_dropped */
18883 + stats->rx_dropped++;
18884 + continue;
18885 + }
18886 +
18887 +- /* receive_skb only if new skb was allocated to avoid holes */
18888 +- netif_receive_skb(skb);
18889 +-
18890 +- addr = dma_map_single(&ndev->dev, (void *)rx_buff->skb->data,
18891 ++ addr = dma_map_single(&ndev->dev, (void *)skb->data,
18892 + EMAC_BUFFER_SIZE, DMA_FROM_DEVICE);
18893 + if (dma_mapping_error(&ndev->dev, addr)) {
18894 + if (net_ratelimit())
18895 +- netdev_err(ndev, "cannot dma map\n");
18896 +- dev_kfree_skb(rx_buff->skb);
18897 ++ netdev_err(ndev, "cannot map dma buffer\n");
18898 ++ dev_kfree_skb(skb);
18899 ++ /* Return ownership to EMAC */
18900 ++ rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE);
18901 + stats->rx_errors++;
18902 ++ stats->rx_dropped++;
18903 + continue;
18904 + }
18905 ++
18906 ++ /* unmap previosly mapped skb */
18907 ++ dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr),
18908 ++ dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE);
18909 ++
18910 ++ pktlen = info & LEN_MASK;
18911 ++ stats->rx_packets++;
18912 ++ stats->rx_bytes += pktlen;
18913 ++ skb_put(rx_buff->skb, pktlen);
18914 ++ rx_buff->skb->dev = ndev;
18915 ++ rx_buff->skb->protocol = eth_type_trans(rx_buff->skb, ndev);
18916 ++
18917 ++ netif_receive_skb(rx_buff->skb);
18918 ++
18919 ++ rx_buff->skb = skb;
18920 + dma_unmap_addr_set(rx_buff, addr, addr);
18921 + dma_unmap_len_set(rx_buff, len, EMAC_BUFFER_SIZE);
18922 +
18923 +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
18924 +index 5d9843bc73a1..0eb43586c034 100644
18925 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
18926 ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
18927 +@@ -2996,7 +2996,7 @@ int bnx2x_nic_unload(struct bnx2x *bp, int unload_mode, bool keep_link)
18928 +
18929 + del_timer_sync(&bp->timer);
18930 +
18931 +- if (IS_PF(bp)) {
18932 ++ if (IS_PF(bp) && !BP_NOMCP(bp)) {
18933 + /* Set ALWAYS_ALIVE bit in shmem */
18934 + bp->fw_drv_pulse_wr_seq |= DRV_PULSE_ALWAYS_ALIVE;
18935 + bnx2x_drv_pulse(bp);
18936 +@@ -3078,7 +3078,7 @@ int bnx2x_nic_unload(struct bnx2x *bp, int unload_mode, bool keep_link)
18937 + bp->cnic_loaded = false;
18938 +
18939 + /* Clear driver version indication in shmem */
18940 +- if (IS_PF(bp))
18941 ++ if (IS_PF(bp) && !BP_NOMCP(bp))
18942 + bnx2x_update_mng_version(bp);
18943 +
18944 + /* Check if there are pending parity attentions. If there are - set
18945 +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
18946 +index a1d149515531..a33580119b7c 100644
18947 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
18948 ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
18949 +@@ -9488,6 +9488,15 @@ static int bnx2x_init_shmem(struct bnx2x *bp)
18950 +
18951 + do {
18952 + bp->common.shmem_base = REG_RD(bp, MISC_REG_SHARED_MEM_ADDR);
18953 ++
18954 ++ /* If we read all 0xFFs, means we are in PCI error state and
18955 ++ * should bail out to avoid crashes on adapter's FW reads.
18956 ++ */
18957 ++ if (bp->common.shmem_base == 0xFFFFFFFF) {
18958 ++ bp->flags |= NO_MCP_FLAG;
18959 ++ return -ENODEV;
18960 ++ }
18961 ++
18962 + if (bp->common.shmem_base) {
18963 + val = SHMEM_RD(bp, validity_map[BP_PORT(bp)]);
18964 + if (val & SHR_MEM_VALIDITY_MB)
18965 +@@ -13791,7 +13800,10 @@ static pci_ers_result_t bnx2x_io_slot_reset(struct pci_dev *pdev)
18966 + BNX2X_ERR("IO slot reset --> driver unload\n");
18967 +
18968 + /* MCP should have been reset; Need to wait for validity */
18969 +- bnx2x_init_shmem(bp);
18970 ++ if (bnx2x_init_shmem(bp)) {
18971 ++ rtnl_unlock();
18972 ++ return PCI_ERS_RESULT_DISCONNECT;
18973 ++ }
18974 +
18975 + if (IS_PF(bp) && SHMEM2_HAS(bp, drv_capabilities_flag)) {
18976 + u32 v;
18977 +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
18978 +index 7b150085e34d..3640d6abc1e6 100644
18979 +--- a/drivers/net/ethernet/broadcom/tg3.c
18980 ++++ b/drivers/net/ethernet/broadcom/tg3.c
18981 +@@ -10051,6 +10051,16 @@ static int tg3_reset_hw(struct tg3 *tp, bool reset_phy)
18982 +
18983 + tw32(GRC_MODE, tp->grc_mode | val);
18984 +
18985 ++ /* On one of the AMD platform, MRRS is restricted to 4000 because of
18986 ++ * south bridge limitation. As a workaround, Driver is setting MRRS
18987 ++ * to 2048 instead of default 4096.
18988 ++ */
18989 ++ if (tp->pdev->subsystem_vendor == PCI_VENDOR_ID_DELL &&
18990 ++ tp->pdev->subsystem_device == TG3PCI_SUBDEVICE_ID_DELL_5762) {
18991 ++ val = tr32(TG3PCI_DEV_STATUS_CTRL) & ~MAX_READ_REQ_MASK;
18992 ++ tw32(TG3PCI_DEV_STATUS_CTRL, val | MAX_READ_REQ_SIZE_2048);
18993 ++ }
18994 ++
18995 + /* Setup the timer prescalar register. Clock is always 66Mhz. */
18996 + val = tr32(GRC_MISC_CFG);
18997 + val &= ~0xff;
18998 +@@ -14230,7 +14240,8 @@ static int tg3_change_mtu(struct net_device *dev, int new_mtu)
18999 + */
19000 + if (tg3_asic_rev(tp) == ASIC_REV_57766 ||
19001 + tg3_asic_rev(tp) == ASIC_REV_5717 ||
19002 +- tg3_asic_rev(tp) == ASIC_REV_5719)
19003 ++ tg3_asic_rev(tp) == ASIC_REV_5719 ||
19004 ++ tg3_asic_rev(tp) == ASIC_REV_5720)
19005 + reset_phy = true;
19006 +
19007 + err = tg3_restart_hw(tp, reset_phy);
19008 +diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
19009 +index 31c9f8295953..19532961e173 100644
19010 +--- a/drivers/net/ethernet/broadcom/tg3.h
19011 ++++ b/drivers/net/ethernet/broadcom/tg3.h
19012 +@@ -95,6 +95,7 @@
19013 + #define TG3PCI_SUBDEVICE_ID_DELL_JAGUAR 0x0106
19014 + #define TG3PCI_SUBDEVICE_ID_DELL_MERLOT 0x0109
19015 + #define TG3PCI_SUBDEVICE_ID_DELL_SLIM_MERLOT 0x010a
19016 ++#define TG3PCI_SUBDEVICE_ID_DELL_5762 0x07f0
19017 + #define TG3PCI_SUBVENDOR_ID_COMPAQ PCI_VENDOR_ID_COMPAQ
19018 + #define TG3PCI_SUBDEVICE_ID_COMPAQ_BANSHEE 0x007c
19019 + #define TG3PCI_SUBDEVICE_ID_COMPAQ_BANSHEE_2 0x009a
19020 +@@ -280,6 +281,9 @@
19021 + #define TG3PCI_STD_RING_PROD_IDX 0x00000098 /* 64-bit */
19022 + #define TG3PCI_RCV_RET_RING_CON_IDX 0x000000a0 /* 64-bit */
19023 + /* 0xa8 --> 0xb8 unused */
19024 ++#define TG3PCI_DEV_STATUS_CTRL 0x000000b4
19025 ++#define MAX_READ_REQ_SIZE_2048 0x00004000
19026 ++#define MAX_READ_REQ_MASK 0x00007000
19027 + #define TG3PCI_DUAL_MAC_CTRL 0x000000b8
19028 + #define DUAL_MAC_CTRL_CH_MASK 0x00000003
19029 + #define DUAL_MAC_CTRL_ID 0x00000004
19030 +diff --git a/drivers/net/ethernet/freescale/gianfar_ptp.c b/drivers/net/ethernet/freescale/gianfar_ptp.c
19031 +index 8e3cd77aa347..9e5d64f559a4 100644
19032 +--- a/drivers/net/ethernet/freescale/gianfar_ptp.c
19033 ++++ b/drivers/net/ethernet/freescale/gianfar_ptp.c
19034 +@@ -314,11 +314,10 @@ static int ptp_gianfar_adjtime(struct ptp_clock_info *ptp, s64 delta)
19035 + now = tmr_cnt_read(etsects);
19036 + now += delta;
19037 + tmr_cnt_write(etsects, now);
19038 ++ set_fipers(etsects);
19039 +
19040 + spin_unlock_irqrestore(&etsects->lock, flags);
19041 +
19042 +- set_fipers(etsects);
19043 +-
19044 + return 0;
19045 + }
19046 +
19047 +diff --git a/drivers/net/ethernet/intel/e1000/e1000.h b/drivers/net/ethernet/intel/e1000/e1000.h
19048 +index 69707108d23c..4cd6dac110f0 100644
19049 +--- a/drivers/net/ethernet/intel/e1000/e1000.h
19050 ++++ b/drivers/net/ethernet/intel/e1000/e1000.h
19051 +@@ -328,7 +328,8 @@ struct e1000_adapter {
19052 + enum e1000_state_t {
19053 + __E1000_TESTING,
19054 + __E1000_RESETTING,
19055 +- __E1000_DOWN
19056 ++ __E1000_DOWN,
19057 ++ __E1000_DISABLED
19058 + };
19059 +
19060 + #undef pr_fmt
19061 +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
19062 +index 983eb4e6f7aa..4d80c92fa96d 100644
19063 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
19064 ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
19065 +@@ -940,7 +940,7 @@ static int e1000_init_hw_struct(struct e1000_adapter *adapter,
19066 + static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
19067 + {
19068 + struct net_device *netdev;
19069 +- struct e1000_adapter *adapter;
19070 ++ struct e1000_adapter *adapter = NULL;
19071 + struct e1000_hw *hw;
19072 +
19073 + static int cards_found = 0;
19074 +@@ -950,6 +950,7 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
19075 + u16 tmp = 0;
19076 + u16 eeprom_apme_mask = E1000_EEPROM_APME;
19077 + int bars, need_ioport;
19078 ++ bool disable_dev = false;
19079 +
19080 + /* do not allocate ioport bars when not needed */
19081 + need_ioport = e1000_is_need_ioport(pdev);
19082 +@@ -1250,11 +1251,13 @@ err_mdio_ioremap:
19083 + iounmap(hw->ce4100_gbe_mdio_base_virt);
19084 + iounmap(hw->hw_addr);
19085 + err_ioremap:
19086 ++ disable_dev = !test_and_set_bit(__E1000_DISABLED, &adapter->flags);
19087 + free_netdev(netdev);
19088 + err_alloc_etherdev:
19089 + pci_release_selected_regions(pdev, bars);
19090 + err_pci_reg:
19091 +- pci_disable_device(pdev);
19092 ++ if (!adapter || disable_dev)
19093 ++ pci_disable_device(pdev);
19094 + return err;
19095 + }
19096 +
19097 +@@ -1272,6 +1275,7 @@ static void e1000_remove(struct pci_dev *pdev)
19098 + struct net_device *netdev = pci_get_drvdata(pdev);
19099 + struct e1000_adapter *adapter = netdev_priv(netdev);
19100 + struct e1000_hw *hw = &adapter->hw;
19101 ++ bool disable_dev;
19102 +
19103 + e1000_down_and_stop(adapter);
19104 + e1000_release_manageability(adapter);
19105 +@@ -1290,9 +1294,11 @@ static void e1000_remove(struct pci_dev *pdev)
19106 + iounmap(hw->flash_address);
19107 + pci_release_selected_regions(pdev, adapter->bars);
19108 +
19109 ++ disable_dev = !test_and_set_bit(__E1000_DISABLED, &adapter->flags);
19110 + free_netdev(netdev);
19111 +
19112 +- pci_disable_device(pdev);
19113 ++ if (disable_dev)
19114 ++ pci_disable_device(pdev);
19115 + }
19116 +
19117 + /**
19118 +@@ -5137,7 +5143,8 @@ static int __e1000_shutdown(struct pci_dev *pdev, bool *enable_wake)
19119 + if (netif_running(netdev))
19120 + e1000_free_irq(adapter);
19121 +
19122 +- pci_disable_device(pdev);
19123 ++ if (!test_and_set_bit(__E1000_DISABLED, &adapter->flags))
19124 ++ pci_disable_device(pdev);
19125 +
19126 + return 0;
19127 + }
19128 +@@ -5181,6 +5188,10 @@ static int e1000_resume(struct pci_dev *pdev)
19129 + pr_err("Cannot enable PCI device from suspend\n");
19130 + return err;
19131 + }
19132 ++
19133 ++ /* flush memory to make sure state is correct */
19134 ++ smp_mb__before_atomic();
19135 ++ clear_bit(__E1000_DISABLED, &adapter->flags);
19136 + pci_set_master(pdev);
19137 +
19138 + pci_enable_wake(pdev, PCI_D3hot, 0);
19139 +@@ -5255,7 +5266,9 @@ static pci_ers_result_t e1000_io_error_detected(struct pci_dev *pdev,
19140 +
19141 + if (netif_running(netdev))
19142 + e1000_down(adapter);
19143 +- pci_disable_device(pdev);
19144 ++
19145 ++ if (!test_and_set_bit(__E1000_DISABLED, &adapter->flags))
19146 ++ pci_disable_device(pdev);
19147 +
19148 + /* Request a slot slot reset. */
19149 + return PCI_ERS_RESULT_NEED_RESET;
19150 +@@ -5283,6 +5296,10 @@ static pci_ers_result_t e1000_io_slot_reset(struct pci_dev *pdev)
19151 + pr_err("Cannot re-enable PCI device after reset.\n");
19152 + return PCI_ERS_RESULT_DISCONNECT;
19153 + }
19154 ++
19155 ++ /* flush memory to make sure state is correct */
19156 ++ smp_mb__before_atomic();
19157 ++ clear_bit(__E1000_DISABLED, &adapter->flags);
19158 + pci_set_master(pdev);
19159 +
19160 + pci_enable_wake(pdev, PCI_D3hot, 0);
19161 +diff --git a/drivers/net/phy/mdio-sun4i.c b/drivers/net/phy/mdio-sun4i.c
19162 +index 15bc7f9ea224..afd76e07088b 100644
19163 +--- a/drivers/net/phy/mdio-sun4i.c
19164 ++++ b/drivers/net/phy/mdio-sun4i.c
19165 +@@ -128,8 +128,10 @@ static int sun4i_mdio_probe(struct platform_device *pdev)
19166 +
19167 + data->regulator = devm_regulator_get(&pdev->dev, "phy");
19168 + if (IS_ERR(data->regulator)) {
19169 +- if (PTR_ERR(data->regulator) == -EPROBE_DEFER)
19170 +- return -EPROBE_DEFER;
19171 ++ if (PTR_ERR(data->regulator) == -EPROBE_DEFER) {
19172 ++ ret = -EPROBE_DEFER;
19173 ++ goto err_out_free_mdiobus;
19174 ++ }
19175 +
19176 + dev_info(&pdev->dev, "no regulator found\n");
19177 + } else {
19178 +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
19179 +index c30c1fc7889a..ebd3fcf6dc62 100644
19180 +--- a/drivers/net/ppp/ppp_generic.c
19181 ++++ b/drivers/net/ppp/ppp_generic.c
19182 +@@ -2912,6 +2912,15 @@ ppp_connect_channel(struct channel *pch, int unit)
19183 + goto outl;
19184 +
19185 + ppp_lock(ppp);
19186 ++ spin_lock_bh(&pch->downl);
19187 ++ if (!pch->chan) {
19188 ++ /* Don't connect unregistered channels */
19189 ++ spin_unlock_bh(&pch->downl);
19190 ++ ppp_unlock(ppp);
19191 ++ ret = -ENOTCONN;
19192 ++ goto outl;
19193 ++ }
19194 ++ spin_unlock_bh(&pch->downl);
19195 + if (pch->file.hdrlen > ppp->file.hdrlen)
19196 + ppp->file.hdrlen = pch->file.hdrlen;
19197 + hdrlen = pch->file.hdrlen + 2; /* for protocol bytes */
19198 +diff --git a/drivers/net/wan/hdlc_ppp.c b/drivers/net/wan/hdlc_ppp.c
19199 +index 0d7645581f91..4842344a96f1 100644
19200 +--- a/drivers/net/wan/hdlc_ppp.c
19201 ++++ b/drivers/net/wan/hdlc_ppp.c
19202 +@@ -574,7 +574,10 @@ static void ppp_timer(unsigned long arg)
19203 + ppp_cp_event(proto->dev, proto->pid, TO_GOOD, 0, 0,
19204 + 0, NULL);
19205 + proto->restart_counter--;
19206 +- } else
19207 ++ } else if (netif_carrier_ok(proto->dev))
19208 ++ ppp_cp_event(proto->dev, proto->pid, TO_GOOD, 0, 0,
19209 ++ 0, NULL);
19210 ++ else
19211 + ppp_cp_event(proto->dev, proto->pid, TO_BAD, 0, 0,
19212 + 0, NULL);
19213 + break;
19214 +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
19215 +index 9e8461466534..fd9f6ce14e8e 100644
19216 +--- a/drivers/net/xen-netfront.c
19217 ++++ b/drivers/net/xen-netfront.c
19218 +@@ -1284,6 +1284,7 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev)
19219 +
19220 + netif_carrier_off(netdev);
19221 +
19222 ++ xenbus_switch_state(dev, XenbusStateInitialising);
19223 + return netdev;
19224 +
19225 + exit:
19226 +diff --git a/drivers/s390/block/dasd_3990_erp.c b/drivers/s390/block/dasd_3990_erp.c
19227 +index d26134713682..d05c553eb552 100644
19228 +--- a/drivers/s390/block/dasd_3990_erp.c
19229 ++++ b/drivers/s390/block/dasd_3990_erp.c
19230 +@@ -2743,6 +2743,16 @@ dasd_3990_erp_action(struct dasd_ccw_req * cqr)
19231 + erp = dasd_3990_erp_handle_match_erp(cqr, erp);
19232 + }
19233 +
19234 ++
19235 ++ /*
19236 ++ * For path verification work we need to stick with the path that was
19237 ++ * originally chosen so that the per path configuration data is
19238 ++ * assigned correctly.
19239 ++ */
19240 ++ if (test_bit(DASD_CQR_VERIFY_PATH, &erp->flags) && cqr->lpm) {
19241 ++ erp->lpm = cqr->lpm;
19242 ++ }
19243 ++
19244 + if (device->features & DASD_FEATURE_ERPLOG) {
19245 + /* print current erp_chain */
19246 + dev_err(&device->cdev->dev,
19247 +diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h
19248 +index 77336d85a717..02780b8c1c15 100644
19249 +--- a/drivers/s390/net/qeth_core.h
19250 ++++ b/drivers/s390/net/qeth_core.h
19251 +@@ -588,6 +588,11 @@ struct qeth_cmd_buffer {
19252 + void (*callback) (struct qeth_channel *, struct qeth_cmd_buffer *);
19253 + };
19254 +
19255 ++static inline struct qeth_ipa_cmd *__ipa_cmd(struct qeth_cmd_buffer *iob)
19256 ++{
19257 ++ return (struct qeth_ipa_cmd *)(iob->data + IPA_PDU_HEADER_SIZE);
19258 ++}
19259 ++
19260 + /**
19261 + * definition of a qeth channel, used for read and write
19262 + */
19263 +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
19264 +index a81215d87ce1..9e9964ca696b 100644
19265 +--- a/drivers/s390/net/qeth_core_main.c
19266 ++++ b/drivers/s390/net/qeth_core_main.c
19267 +@@ -2061,7 +2061,7 @@ int qeth_send_control_data(struct qeth_card *card, int len,
19268 + unsigned long flags;
19269 + struct qeth_reply *reply = NULL;
19270 + unsigned long timeout, event_timeout;
19271 +- struct qeth_ipa_cmd *cmd;
19272 ++ struct qeth_ipa_cmd *cmd = NULL;
19273 +
19274 + QETH_CARD_TEXT(card, 2, "sendctl");
19275 +
19276 +@@ -2075,23 +2075,27 @@ int qeth_send_control_data(struct qeth_card *card, int len,
19277 + }
19278 + reply->callback = reply_cb;
19279 + reply->param = reply_param;
19280 +- if (card->state == CARD_STATE_DOWN)
19281 +- reply->seqno = QETH_IDX_COMMAND_SEQNO;
19282 +- else
19283 +- reply->seqno = card->seqno.ipa++;
19284 ++
19285 + init_waitqueue_head(&reply->wait_q);
19286 +- spin_lock_irqsave(&card->lock, flags);
19287 +- list_add_tail(&reply->list, &card->cmd_waiter_list);
19288 +- spin_unlock_irqrestore(&card->lock, flags);
19289 + QETH_DBF_HEX(CTRL, 2, iob->data, QETH_DBF_CTRL_LEN);
19290 +
19291 + while (atomic_cmpxchg(&card->write.irq_pending, 0, 1)) ;
19292 +- qeth_prepare_control_data(card, len, iob);
19293 +
19294 +- if (IS_IPA(iob->data))
19295 ++ if (IS_IPA(iob->data)) {
19296 ++ cmd = __ipa_cmd(iob);
19297 ++ cmd->hdr.seqno = card->seqno.ipa++;
19298 ++ reply->seqno = cmd->hdr.seqno;
19299 + event_timeout = QETH_IPA_TIMEOUT;
19300 +- else
19301 ++ } else {
19302 ++ reply->seqno = QETH_IDX_COMMAND_SEQNO;
19303 + event_timeout = QETH_TIMEOUT;
19304 ++ }
19305 ++ qeth_prepare_control_data(card, len, iob);
19306 ++
19307 ++ spin_lock_irqsave(&card->lock, flags);
19308 ++ list_add_tail(&reply->list, &card->cmd_waiter_list);
19309 ++ spin_unlock_irqrestore(&card->lock, flags);
19310 ++
19311 + timeout = jiffies + event_timeout;
19312 +
19313 + QETH_CARD_TEXT(card, 6, "noirqpnd");
19314 +@@ -2116,9 +2120,8 @@ int qeth_send_control_data(struct qeth_card *card, int len,
19315 +
19316 + /* we have only one long running ipassist, since we can ensure
19317 + process context of this command we can sleep */
19318 +- cmd = (struct qeth_ipa_cmd *)(iob->data+IPA_PDU_HEADER_SIZE);
19319 +- if ((cmd->hdr.command == IPA_CMD_SETIP) &&
19320 +- (cmd->hdr.prot_version == QETH_PROT_IPV4)) {
19321 ++ if (cmd && cmd->hdr.command == IPA_CMD_SETIP &&
19322 ++ cmd->hdr.prot_version == QETH_PROT_IPV4) {
19323 + if (!wait_event_timeout(reply->wait_q,
19324 + atomic_read(&reply->received), event_timeout))
19325 + goto time_err;
19326 +@@ -2925,7 +2928,7 @@ static void qeth_fill_ipacmd_header(struct qeth_card *card,
19327 + memset(cmd, 0, sizeof(struct qeth_ipa_cmd));
19328 + cmd->hdr.command = command;
19329 + cmd->hdr.initiator = IPA_CMD_INITIATOR_HOST;
19330 +- cmd->hdr.seqno = card->seqno.ipa;
19331 ++ /* cmd->hdr.seqno is set by qeth_send_control_data() */
19332 + cmd->hdr.adapter_type = qeth_get_ipa_adp_type(card->info.link_type);
19333 + cmd->hdr.rel_adapter_no = (__u8) card->info.portno;
19334 + if (card->options.layer2)
19335 +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
19336 +index 60f9651f2643..ad7170bffc05 100644
19337 +--- a/drivers/scsi/qla2xxx/qla_init.c
19338 ++++ b/drivers/scsi/qla2xxx/qla_init.c
19339 +@@ -365,6 +365,7 @@ qla24xx_abort_sp_done(void *data, void *ptr, int res)
19340 + srb_t *sp = (srb_t *)ptr;
19341 + struct srb_iocb *abt = &sp->u.iocb_cmd;
19342 +
19343 ++ del_timer(&sp->u.iocb_cmd.timer);
19344 + complete(&abt->u.abt.comp);
19345 + }
19346 +
19347 +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
19348 +index 4de1394ebf22..1be1c2dca118 100644
19349 +--- a/drivers/scsi/qla2xxx/qla_target.c
19350 ++++ b/drivers/scsi/qla2xxx/qla_target.c
19351 +@@ -5513,7 +5513,7 @@ static fc_port_t *qlt_get_port_database(struct scsi_qla_host *vha,
19352 + fc_port_t *fcport;
19353 + int rc;
19354 +
19355 +- fcport = kzalloc(sizeof(*fcport), GFP_KERNEL);
19356 ++ fcport = qla2x00_alloc_fcport(vha, GFP_KERNEL);
19357 + if (!fcport) {
19358 + ql_dbg(ql_dbg_tgt_mgt, vha, 0xf06f,
19359 + "qla_target(%d): Allocation of tmp FC port failed",
19360 +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
19361 +index 98b56a7069d3..af4dc8501269 100644
19362 +--- a/drivers/scsi/storvsc_drv.c
19363 ++++ b/drivers/scsi/storvsc_drv.c
19364 +@@ -1067,10 +1067,11 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb,
19365 + case TEST_UNIT_READY:
19366 + break;
19367 + default:
19368 +- set_host_byte(scmnd, DID_TARGET_FAILURE);
19369 ++ set_host_byte(scmnd, DID_ERROR);
19370 + }
19371 + break;
19372 + case SRB_STATUS_INVALID_LUN:
19373 ++ set_host_byte(scmnd, DID_NO_CONNECT);
19374 + do_work = true;
19375 + process_err_fn = storvsc_remove_lun;
19376 + break;
19377 +diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c
19378 +index a2f40b1b2225..3fef713f693b 100644
19379 +--- a/drivers/spi/spi-atmel.c
19380 ++++ b/drivers/spi/spi-atmel.c
19381 +@@ -1423,12 +1423,12 @@ static int atmel_spi_remove(struct platform_device *pdev)
19382 + pm_runtime_get_sync(&pdev->dev);
19383 +
19384 + /* reset the hardware and block queue progress */
19385 +- spin_lock_irq(&as->lock);
19386 + if (as->use_dma) {
19387 + atmel_spi_stop_dma(as);
19388 + atmel_spi_release_dma(as);
19389 + }
19390 +
19391 ++ spin_lock_irq(&as->lock);
19392 + spi_writel(as, CR, SPI_BIT(SWRST));
19393 + spi_writel(as, CR, SPI_BIT(SWRST)); /* AT91SAM9263 Rev B workaround */
19394 + spi_readl(as, SR);
19395 +diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
19396 +index c40bd7fbc210..68a5a950bf34 100644
19397 +--- a/drivers/staging/android/ashmem.c
19398 ++++ b/drivers/staging/android/ashmem.c
19399 +@@ -330,24 +330,23 @@ static loff_t ashmem_llseek(struct file *file, loff_t offset, int origin)
19400 + mutex_lock(&ashmem_mutex);
19401 +
19402 + if (asma->size == 0) {
19403 +- ret = -EINVAL;
19404 +- goto out;
19405 ++ mutex_unlock(&ashmem_mutex);
19406 ++ return -EINVAL;
19407 + }
19408 +
19409 + if (!asma->file) {
19410 +- ret = -EBADF;
19411 +- goto out;
19412 ++ mutex_unlock(&ashmem_mutex);
19413 ++ return -EBADF;
19414 + }
19415 +
19416 ++ mutex_unlock(&ashmem_mutex);
19417 ++
19418 + ret = vfs_llseek(asma->file, offset, origin);
19419 + if (ret < 0)
19420 +- goto out;
19421 ++ return ret;
19422 +
19423 + /** Copy f_pos from backing file, since f_ops->llseek() sets it */
19424 + file->f_pos = asma->file->f_pos;
19425 +-
19426 +-out:
19427 +- mutex_unlock(&ashmem_mutex);
19428 + return ret;
19429 + }
19430 +
19431 +diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
19432 +index 0a1e9f4d9882..e2956ccdd82c 100644
19433 +--- a/drivers/tty/serial/8250/8250_pci.c
19434 ++++ b/drivers/tty/serial/8250/8250_pci.c
19435 +@@ -5396,6 +5396,17 @@ static struct pci_device_id serial_pci_tbl[] = {
19436 + { PCI_VENDOR_ID_INTASHIELD, PCI_DEVICE_ID_INTASHIELD_IS400,
19437 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */
19438 + pbn_b2_4_115200 },
19439 ++ /*
19440 ++ * BrainBoxes UC-260
19441 ++ */
19442 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0D21,
19443 ++ PCI_ANY_ID, PCI_ANY_ID,
19444 ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
19445 ++ pbn_b2_4_115200 },
19446 ++ { PCI_VENDOR_ID_INTASHIELD, 0x0E34,
19447 ++ PCI_ANY_ID, PCI_ANY_ID,
19448 ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
19449 ++ pbn_b2_4_115200 },
19450 + /*
19451 + * Perle PCI-RAS cards
19452 + */
19453 +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
19454 +index 1f45a0302b7c..839ba41b6232 100644
19455 +--- a/drivers/tty/serial/atmel_serial.c
19456 ++++ b/drivers/tty/serial/atmel_serial.c
19457 +@@ -1687,6 +1687,7 @@ static void atmel_get_ip_name(struct uart_port *port)
19458 + switch (version) {
19459 + case 0x302:
19460 + case 0x10213:
19461 ++ case 0x10302:
19462 + dev_dbg(port->dev, "This version is usart\n");
19463 + atmel_port->is_usart = true;
19464 + break;
19465 +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
19466 +index 19316609d4f9..c8c564c71c75 100644
19467 +--- a/drivers/tty/serial/sh-sci.c
19468 ++++ b/drivers/tty/serial/sh-sci.c
19469 +@@ -736,6 +736,8 @@ static void sci_receive_chars(struct uart_port *port)
19470 + /* Tell the rest of the system the news. New characters! */
19471 + tty_flip_buffer_push(tport);
19472 + } else {
19473 ++ /* TTY buffers full; read from RX reg to prevent lockup */
19474 ++ serial_port_in(port, SCxRDR);
19475 + serial_port_in(port, SCxSR); /* dummy read */
19476 + serial_port_out(port, SCxSR, SCxSR_RDxF_CLEAR(port));
19477 + }
19478 +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
19479 +index f368d2053da5..251b44300b38 100644
19480 +--- a/drivers/usb/core/message.c
19481 ++++ b/drivers/usb/core/message.c
19482 +@@ -147,6 +147,10 @@ int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
19483 +
19484 + ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
19485 +
19486 ++ /* Linger a bit, prior to the next control message. */
19487 ++ if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
19488 ++ msleep(200);
19489 ++
19490 + kfree(dr);
19491 +
19492 + return ret;
19493 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
19494 +index 774c97bb1c08..4f1c6f8d4352 100644
19495 +--- a/drivers/usb/core/quirks.c
19496 ++++ b/drivers/usb/core/quirks.c
19497 +@@ -229,7 +229,8 @@ static const struct usb_device_id usb_quirk_list[] = {
19498 + { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
19499 +
19500 + /* Corsair Strafe RGB */
19501 +- { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
19502 ++ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
19503 ++ USB_QUIRK_DELAY_CTRL_MSG },
19504 +
19505 + /* Corsair K70 LUX */
19506 + { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
19507 +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
19508 +index 6b62bb5c021c..3f4c6d97a4ff 100644
19509 +--- a/drivers/usb/gadget/function/f_fs.c
19510 ++++ b/drivers/usb/gadget/function/f_fs.c
19511 +@@ -1333,7 +1333,6 @@ ffs_fs_kill_sb(struct super_block *sb)
19512 + if (sb->s_fs_info) {
19513 + ffs_release_dev(sb->s_fs_info);
19514 + ffs_data_closed(sb->s_fs_info);
19515 +- ffs_data_put(sb->s_fs_info);
19516 + }
19517 + }
19518 +
19519 +diff --git a/drivers/usb/mon/mon_text.c b/drivers/usb/mon/mon_text.c
19520 +index ad408251d955..108dcc5f5350 100644
19521 +--- a/drivers/usb/mon/mon_text.c
19522 ++++ b/drivers/usb/mon/mon_text.c
19523 +@@ -82,6 +82,8 @@ struct mon_reader_text {
19524 +
19525 + wait_queue_head_t wait;
19526 + int printf_size;
19527 ++ size_t printf_offset;
19528 ++ size_t printf_togo;
19529 + char *printf_buf;
19530 + struct mutex printf_lock;
19531 +
19532 +@@ -373,73 +375,103 @@ err_alloc:
19533 + return rc;
19534 + }
19535 +
19536 +-/*
19537 +- * For simplicity, we read one record in one system call and throw out
19538 +- * what does not fit. This means that the following does not work:
19539 +- * dd if=/dbg/usbmon/0t bs=10
19540 +- * Also, we do not allow seeks and do not bother advancing the offset.
19541 +- */
19542 ++static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp,
19543 ++ char __user * const buf, const size_t nbytes)
19544 ++{
19545 ++ const size_t togo = min(nbytes, rp->printf_togo);
19546 ++
19547 ++ if (copy_to_user(buf, &rp->printf_buf[rp->printf_offset], togo))
19548 ++ return -EFAULT;
19549 ++ rp->printf_togo -= togo;
19550 ++ rp->printf_offset += togo;
19551 ++ return togo;
19552 ++}
19553 ++
19554 ++/* ppos is not advanced since the llseek operation is not permitted. */
19555 + static ssize_t mon_text_read_t(struct file *file, char __user *buf,
19556 +- size_t nbytes, loff_t *ppos)
19557 ++ size_t nbytes, loff_t *ppos)
19558 + {
19559 + struct mon_reader_text *rp = file->private_data;
19560 + struct mon_event_text *ep;
19561 + struct mon_text_ptr ptr;
19562 ++ ssize_t ret;
19563 +
19564 +- if (IS_ERR(ep = mon_text_read_wait(rp, file)))
19565 +- return PTR_ERR(ep);
19566 + mutex_lock(&rp->printf_lock);
19567 +- ptr.cnt = 0;
19568 +- ptr.pbuf = rp->printf_buf;
19569 +- ptr.limit = rp->printf_size;
19570 +-
19571 +- mon_text_read_head_t(rp, &ptr, ep);
19572 +- mon_text_read_statset(rp, &ptr, ep);
19573 +- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
19574 +- " %d", ep->length);
19575 +- mon_text_read_data(rp, &ptr, ep);
19576 +-
19577 +- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
19578 +- ptr.cnt = -EFAULT;
19579 ++
19580 ++ if (rp->printf_togo == 0) {
19581 ++
19582 ++ ep = mon_text_read_wait(rp, file);
19583 ++ if (IS_ERR(ep)) {
19584 ++ mutex_unlock(&rp->printf_lock);
19585 ++ return PTR_ERR(ep);
19586 ++ }
19587 ++ ptr.cnt = 0;
19588 ++ ptr.pbuf = rp->printf_buf;
19589 ++ ptr.limit = rp->printf_size;
19590 ++
19591 ++ mon_text_read_head_t(rp, &ptr, ep);
19592 ++ mon_text_read_statset(rp, &ptr, ep);
19593 ++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
19594 ++ " %d", ep->length);
19595 ++ mon_text_read_data(rp, &ptr, ep);
19596 ++
19597 ++ rp->printf_togo = ptr.cnt;
19598 ++ rp->printf_offset = 0;
19599 ++
19600 ++ kmem_cache_free(rp->e_slab, ep);
19601 ++ }
19602 ++
19603 ++ ret = mon_text_copy_to_user(rp, buf, nbytes);
19604 + mutex_unlock(&rp->printf_lock);
19605 +- kmem_cache_free(rp->e_slab, ep);
19606 +- return ptr.cnt;
19607 ++ return ret;
19608 + }
19609 +
19610 ++/* ppos is not advanced since the llseek operation is not permitted. */
19611 + static ssize_t mon_text_read_u(struct file *file, char __user *buf,
19612 +- size_t nbytes, loff_t *ppos)
19613 ++ size_t nbytes, loff_t *ppos)
19614 + {
19615 + struct mon_reader_text *rp = file->private_data;
19616 + struct mon_event_text *ep;
19617 + struct mon_text_ptr ptr;
19618 ++ ssize_t ret;
19619 +
19620 +- if (IS_ERR(ep = mon_text_read_wait(rp, file)))
19621 +- return PTR_ERR(ep);
19622 + mutex_lock(&rp->printf_lock);
19623 +- ptr.cnt = 0;
19624 +- ptr.pbuf = rp->printf_buf;
19625 +- ptr.limit = rp->printf_size;
19626 +
19627 +- mon_text_read_head_u(rp, &ptr, ep);
19628 +- if (ep->type == 'E') {
19629 +- mon_text_read_statset(rp, &ptr, ep);
19630 +- } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
19631 +- mon_text_read_isostat(rp, &ptr, ep);
19632 +- mon_text_read_isodesc(rp, &ptr, ep);
19633 +- } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
19634 +- mon_text_read_intstat(rp, &ptr, ep);
19635 +- } else {
19636 +- mon_text_read_statset(rp, &ptr, ep);
19637 ++ if (rp->printf_togo == 0) {
19638 ++
19639 ++ ep = mon_text_read_wait(rp, file);
19640 ++ if (IS_ERR(ep)) {
19641 ++ mutex_unlock(&rp->printf_lock);
19642 ++ return PTR_ERR(ep);
19643 ++ }
19644 ++ ptr.cnt = 0;
19645 ++ ptr.pbuf = rp->printf_buf;
19646 ++ ptr.limit = rp->printf_size;
19647 ++
19648 ++ mon_text_read_head_u(rp, &ptr, ep);
19649 ++ if (ep->type == 'E') {
19650 ++ mon_text_read_statset(rp, &ptr, ep);
19651 ++ } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
19652 ++ mon_text_read_isostat(rp, &ptr, ep);
19653 ++ mon_text_read_isodesc(rp, &ptr, ep);
19654 ++ } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
19655 ++ mon_text_read_intstat(rp, &ptr, ep);
19656 ++ } else {
19657 ++ mon_text_read_statset(rp, &ptr, ep);
19658 ++ }
19659 ++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
19660 ++ " %d", ep->length);
19661 ++ mon_text_read_data(rp, &ptr, ep);
19662 ++
19663 ++ rp->printf_togo = ptr.cnt;
19664 ++ rp->printf_offset = 0;
19665 ++
19666 ++ kmem_cache_free(rp->e_slab, ep);
19667 + }
19668 +- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
19669 +- " %d", ep->length);
19670 +- mon_text_read_data(rp, &ptr, ep);
19671 +
19672 +- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
19673 +- ptr.cnt = -EFAULT;
19674 ++ ret = mon_text_copy_to_user(rp, buf, nbytes);
19675 + mutex_unlock(&rp->printf_lock);
19676 +- kmem_cache_free(rp->e_slab, ep);
19677 +- return ptr.cnt;
19678 ++ return ret;
19679 + }
19680 +
19681 + static struct mon_event_text *mon_text_read_wait(struct mon_reader_text *rp,
19682 +diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
19683 +index 021d6880a3ed..b3c7670f0652 100644
19684 +--- a/drivers/usb/storage/uas.c
19685 ++++ b/drivers/usb/storage/uas.c
19686 +@@ -1052,7 +1052,7 @@ static int uas_post_reset(struct usb_interface *intf)
19687 + return 0;
19688 +
19689 + err = uas_configure_endpoints(devinfo);
19690 +- if (err && err != ENODEV)
19691 ++ if (err && err != -ENODEV)
19692 + shost_printk(KERN_ERR, shost,
19693 + "%s: alloc streams error %d after reset",
19694 + __func__, err);
19695 +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
19696 +index cd2e880979f2..b9e9eaa8c45c 100644
19697 +--- a/drivers/usb/storage/unusual_devs.h
19698 ++++ b/drivers/usb/storage/unusual_devs.h
19699 +@@ -2131,6 +2131,13 @@ UNUSUAL_DEV( 0x22b8, 0x3010, 0x0001, 0x0001,
19700 + USB_SC_DEVICE, USB_PR_DEVICE, NULL,
19701 + US_FL_FIX_CAPACITY | US_FL_IGNORE_RESIDUE ),
19702 +
19703 ++/* Reported by Teijo Kinnunen <teijo.kinnunen@××××××.fi> */
19704 ++UNUSUAL_DEV( 0x152d, 0x2567, 0x0117, 0x0117,
19705 ++ "JMicron",
19706 ++ "USB to ATA/ATAPI Bridge",
19707 ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
19708 ++ US_FL_BROKEN_FUA ),
19709 ++
19710 + /* Reported-by George Cherian <george.cherian@××××××.com> */
19711 + UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999,
19712 + "JMicron",
19713 +diff --git a/drivers/watchdog/hpwdt.c b/drivers/watchdog/hpwdt.c
19714 +index ada3e44f9932..792d5fbad4e5 100644
19715 +--- a/drivers/watchdog/hpwdt.c
19716 ++++ b/drivers/watchdog/hpwdt.c
19717 +@@ -51,6 +51,7 @@ static char expect_release;
19718 + static unsigned long hpwdt_is_open;
19719 +
19720 + static void __iomem *pci_mem_addr; /* the PCI-memory address */
19721 ++static unsigned long __iomem *hpwdt_nmistat;
19722 + static unsigned long __iomem *hpwdt_timer_reg;
19723 + static unsigned long __iomem *hpwdt_timer_con;
19724 +
19725 +@@ -474,6 +475,11 @@ static int hpwdt_time_left(void)
19726 + }
19727 +
19728 + #ifdef CONFIG_HPWDT_NMI_DECODING
19729 ++static int hpwdt_my_nmi(void)
19730 ++{
19731 ++ return ioread8(hpwdt_nmistat) & 0x6;
19732 ++}
19733 ++
19734 + /*
19735 + * NMI Handler
19736 + */
19737 +@@ -485,6 +491,9 @@ static int hpwdt_pretimeout(unsigned int ulReason, struct pt_regs *regs)
19738 + if (!hpwdt_nmi_decoding)
19739 + goto out;
19740 +
19741 ++ if ((ulReason == NMI_UNKNOWN) && !hpwdt_my_nmi())
19742 ++ return NMI_DONE;
19743 ++
19744 + spin_lock_irqsave(&rom_lock, rom_pl);
19745 + if (!die_nmi_called && !is_icru && !is_uefi)
19746 + asminline_call(&cmn_regs, cru_rom_addr);
19747 +@@ -686,7 +695,7 @@ static void dmi_find_icru(const struct dmi_header *dm, void *dummy)
19748 + smbios_proliant_ptr = (struct smbios_proliant_info *) dm;
19749 + if (smbios_proliant_ptr->misc_features & 0x01)
19750 + is_icru = 1;
19751 +- if (smbios_proliant_ptr->misc_features & 0x408)
19752 ++ if (smbios_proliant_ptr->misc_features & 0x1400)
19753 + is_uefi = 1;
19754 + }
19755 + }
19756 +@@ -826,6 +835,7 @@ static int hpwdt_init_one(struct pci_dev *dev,
19757 + retval = -ENOMEM;
19758 + goto error_pci_iomap;
19759 + }
19760 ++ hpwdt_nmistat = pci_mem_addr + 0x6e;
19761 + hpwdt_timer_reg = pci_mem_addr + 0x70;
19762 + hpwdt_timer_con = pci_mem_addr + 0x72;
19763 +
19764 +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
19765 +index cea37ee4c615..078982f509e3 100644
19766 +--- a/drivers/xen/gntdev.c
19767 ++++ b/drivers/xen/gntdev.c
19768 +@@ -378,10 +378,8 @@ static int unmap_grant_pages(struct grant_map *map, int offset, int pages)
19769 + }
19770 + range = 0;
19771 + while (range < pages) {
19772 +- if (map->unmap_ops[offset+range].handle == -1) {
19773 +- range--;
19774 ++ if (map->unmap_ops[offset+range].handle == -1)
19775 + break;
19776 +- }
19777 + range++;
19778 + }
19779 + err = __unmap_grant_pages(map, offset, range);
19780 +@@ -876,8 +874,10 @@ unlock_out:
19781 + out_unlock_put:
19782 + mutex_unlock(&priv->lock);
19783 + out_put_map:
19784 +- if (use_ptemod)
19785 ++ if (use_ptemod) {
19786 + map->vma = NULL;
19787 ++ unmap_grant_pages(map, 0, map->count);
19788 ++ }
19789 + gntdev_put_map(priv, map);
19790 + return err;
19791 + }
19792 +diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
19793 +index fb3e64d37cb4..6b16b8653d98 100644
19794 +--- a/fs/btrfs/acl.c
19795 ++++ b/fs/btrfs/acl.c
19796 +@@ -82,12 +82,6 @@ static int __btrfs_set_acl(struct btrfs_trans_handle *trans,
19797 + switch (type) {
19798 + case ACL_TYPE_ACCESS:
19799 + name = POSIX_ACL_XATTR_ACCESS;
19800 +- if (acl) {
19801 +- ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
19802 +- if (ret)
19803 +- return ret;
19804 +- }
19805 +- ret = 0;
19806 + break;
19807 + case ACL_TYPE_DEFAULT:
19808 + if (!S_ISDIR(inode->i_mode))
19809 +@@ -123,7 +117,18 @@ out:
19810 +
19811 + int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
19812 + {
19813 +- return __btrfs_set_acl(NULL, inode, acl, type);
19814 ++ int ret;
19815 ++ umode_t old_mode = inode->i_mode;
19816 ++
19817 ++ if (type == ACL_TYPE_ACCESS && acl) {
19818 ++ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
19819 ++ if (ret)
19820 ++ return ret;
19821 ++ }
19822 ++ ret = __btrfs_set_acl(NULL, inode, acl, type);
19823 ++ if (ret)
19824 ++ inode->i_mode = old_mode;
19825 ++ return ret;
19826 + }
19827 +
19828 + /*
19829 +diff --git a/fs/super.c b/fs/super.c
19830 +index 928c20f47af9..3fa6b945a34e 100644
19831 +--- a/fs/super.c
19832 ++++ b/fs/super.c
19833 +@@ -481,7 +481,11 @@ retry:
19834 + hlist_add_head(&s->s_instances, &type->fs_supers);
19835 + spin_unlock(&sb_lock);
19836 + get_filesystem(type);
19837 +- register_shrinker(&s->s_shrink);
19838 ++ err = register_shrinker(&s->s_shrink);
19839 ++ if (err) {
19840 ++ deactivate_locked_super(s);
19841 ++ s = ERR_PTR(err);
19842 ++ }
19843 + return s;
19844 + }
19845 +
19846 +diff --git a/fs/xfs/xfs_qm.c b/fs/xfs/xfs_qm.c
19847 +index 7d81032a645f..7806b3e0bf18 100644
19848 +--- a/fs/xfs/xfs_qm.c
19849 ++++ b/fs/xfs/xfs_qm.c
19850 +@@ -47,7 +47,7 @@
19851 + STATIC int xfs_qm_init_quotainos(xfs_mount_t *);
19852 + STATIC int xfs_qm_init_quotainfo(xfs_mount_t *);
19853 +
19854 +-
19855 ++STATIC void xfs_qm_destroy_quotainos(xfs_quotainfo_t *qi);
19856 + STATIC void xfs_qm_dqfree_one(struct xfs_dquot *dqp);
19857 + /*
19858 + * We use the batch lookup interface to iterate over the dquots as it
19859 +@@ -660,9 +660,17 @@ xfs_qm_init_quotainfo(
19860 + qinf->qi_shrinker.scan_objects = xfs_qm_shrink_scan;
19861 + qinf->qi_shrinker.seeks = DEFAULT_SEEKS;
19862 + qinf->qi_shrinker.flags = SHRINKER_NUMA_AWARE;
19863 +- register_shrinker(&qinf->qi_shrinker);
19864 ++
19865 ++ error = register_shrinker(&qinf->qi_shrinker);
19866 ++ if (error)
19867 ++ goto out_free_inos;
19868 ++
19869 + return 0;
19870 +
19871 ++out_free_inos:
19872 ++ mutex_destroy(&qinf->qi_quotaofflock);
19873 ++ mutex_destroy(&qinf->qi_tree_lock);
19874 ++ xfs_qm_destroy_quotainos(qinf);
19875 + out_free_lru:
19876 + list_lru_destroy(&qinf->qi_lru);
19877 + out_free_qinf:
19878 +@@ -671,7 +679,6 @@ out_free_qinf:
19879 + return error;
19880 + }
19881 +
19882 +-
19883 + /*
19884 + * Gets called when unmounting a filesystem or when all quotas get
19885 + * turned off.
19886 +@@ -688,19 +695,8 @@ xfs_qm_destroy_quotainfo(
19887 +
19888 + unregister_shrinker(&qi->qi_shrinker);
19889 + list_lru_destroy(&qi->qi_lru);
19890 +-
19891 +- if (qi->qi_uquotaip) {
19892 +- IRELE(qi->qi_uquotaip);
19893 +- qi->qi_uquotaip = NULL; /* paranoia */
19894 +- }
19895 +- if (qi->qi_gquotaip) {
19896 +- IRELE(qi->qi_gquotaip);
19897 +- qi->qi_gquotaip = NULL;
19898 +- }
19899 +- if (qi->qi_pquotaip) {
19900 +- IRELE(qi->qi_pquotaip);
19901 +- qi->qi_pquotaip = NULL;
19902 +- }
19903 ++ xfs_qm_destroy_quotainos(qi);
19904 ++ mutex_destroy(&qi->qi_tree_lock);
19905 + mutex_destroy(&qi->qi_quotaofflock);
19906 + kmem_free(qi);
19907 + mp->m_quotainfo = NULL;
19908 +@@ -1562,6 +1558,24 @@ error_rele:
19909 + return error;
19910 + }
19911 +
19912 ++STATIC void
19913 ++xfs_qm_destroy_quotainos(
19914 ++ xfs_quotainfo_t *qi)
19915 ++{
19916 ++ if (qi->qi_uquotaip) {
19917 ++ IRELE(qi->qi_uquotaip);
19918 ++ qi->qi_uquotaip = NULL; /* paranoia */
19919 ++ }
19920 ++ if (qi->qi_gquotaip) {
19921 ++ IRELE(qi->qi_gquotaip);
19922 ++ qi->qi_gquotaip = NULL;
19923 ++ }
19924 ++ if (qi->qi_pquotaip) {
19925 ++ IRELE(qi->qi_pquotaip);
19926 ++ qi->qi_pquotaip = NULL;
19927 ++ }
19928 ++}
19929 ++
19930 + STATIC void
19931 + xfs_qm_dqfree_one(
19932 + struct xfs_dquot *dqp)
19933 +diff --git a/include/linux/nospec.h b/include/linux/nospec.h
19934 +index b99bced39ac2..115381228203 100644
19935 +--- a/include/linux/nospec.h
19936 ++++ b/include/linux/nospec.h
19937 +@@ -5,6 +5,7 @@
19938 +
19939 + #ifndef _LINUX_NOSPEC_H
19940 + #define _LINUX_NOSPEC_H
19941 ++#include <asm/barrier.h>
19942 +
19943 + /**
19944 + * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
19945 +@@ -66,7 +67,6 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
19946 + BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \
19947 + BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \
19948 + \
19949 +- _i &= _mask; \
19950 +- _i; \
19951 ++ (typeof(_i)) (_i & _mask); \
19952 + })
19953 + #endif /* _LINUX_NOSPEC_H */
19954 +diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
19955 +index de2a722fe3cf..ea4f81c2a6d5 100644
19956 +--- a/include/linux/usb/quirks.h
19957 ++++ b/include/linux/usb/quirks.h
19958 +@@ -56,4 +56,7 @@
19959 + */
19960 + #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)
19961 +
19962 ++/* Device needs a pause after every control message. */
19963 ++#define USB_QUIRK_DELAY_CTRL_MSG BIT(13)
19964 ++
19965 + #endif /* __LINUX_USB_QUIRKS_H */
19966 +diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h
19967 +index deee212af8e0..e450bdbc4d84 100644
19968 +--- a/include/linux/workqueue.h
19969 ++++ b/include/linux/workqueue.h
19970 +@@ -449,6 +449,7 @@ extern bool cancel_delayed_work_sync(struct delayed_work *dwork);
19971 +
19972 + extern void workqueue_set_max_active(struct workqueue_struct *wq,
19973 + int max_active);
19974 ++extern struct work_struct *current_work(void);
19975 + extern bool current_is_workqueue_rescuer(void);
19976 + extern bool workqueue_congested(int cpu, struct workqueue_struct *wq);
19977 + extern unsigned int work_busy(struct work_struct *work);
19978 +diff --git a/include/net/udplite.h b/include/net/udplite.h
19979 +index 80761938b9a7..8228155b305e 100644
19980 +--- a/include/net/udplite.h
19981 ++++ b/include/net/udplite.h
19982 +@@ -62,6 +62,7 @@ static inline int udplite_checksum_init(struct sk_buff *skb, struct udphdr *uh)
19983 + UDP_SKB_CB(skb)->cscov = cscov;
19984 + if (skb->ip_summed == CHECKSUM_COMPLETE)
19985 + skb->ip_summed = CHECKSUM_NONE;
19986 ++ skb->csum_valid = 0;
19987 + }
19988 +
19989 + return 0;
19990 +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
19991 +index e82a5f40a0ac..20df094556ae 100644
19992 +--- a/kernel/time/hrtimer.c
19993 ++++ b/kernel/time/hrtimer.c
19994 +@@ -1148,7 +1148,12 @@ static void __hrtimer_init(struct hrtimer *timer, clockid_t clock_id,
19995 +
19996 + cpu_base = raw_cpu_ptr(&hrtimer_bases);
19997 +
19998 +- if (clock_id == CLOCK_REALTIME && mode != HRTIMER_MODE_ABS)
19999 ++ /*
20000 ++ * POSIX magic: Relative CLOCK_REALTIME timers are not affected by
20001 ++ * clock modifications, so they needs to become CLOCK_MONOTONIC to
20002 ++ * ensure POSIX compliance.
20003 ++ */
20004 ++ if (clock_id == CLOCK_REALTIME && mode & HRTIMER_MODE_REL)
20005 + clock_id = CLOCK_MONOTONIC;
20006 +
20007 + base = hrtimer_clockid_to_base(clock_id);
20008 +diff --git a/kernel/workqueue.c b/kernel/workqueue.c
20009 +index 376db986db9b..782ba721984b 100644
20010 +--- a/kernel/workqueue.c
20011 ++++ b/kernel/workqueue.c
20012 +@@ -4062,6 +4062,22 @@ void workqueue_set_max_active(struct workqueue_struct *wq, int max_active)
20013 + }
20014 + EXPORT_SYMBOL_GPL(workqueue_set_max_active);
20015 +
20016 ++/**
20017 ++ * current_work - retrieve %current task's work struct
20018 ++ *
20019 ++ * Determine if %current task is a workqueue worker and what it's working on.
20020 ++ * Useful to find out the context that the %current task is running in.
20021 ++ *
20022 ++ * Return: work struct if %current task is a workqueue worker, %NULL otherwise.
20023 ++ */
20024 ++struct work_struct *current_work(void)
20025 ++{
20026 ++ struct worker *worker = current_wq_worker();
20027 ++
20028 ++ return worker ? worker->current_work : NULL;
20029 ++}
20030 ++EXPORT_SYMBOL(current_work);
20031 ++
20032 + /**
20033 + * current_is_workqueue_rescuer - is %current workqueue rescuer?
20034 + *
20035 +diff --git a/lib/mpi/longlong.h b/lib/mpi/longlong.h
20036 +index a89d041592c8..e2851aafd1d3 100644
20037 +--- a/lib/mpi/longlong.h
20038 ++++ b/lib/mpi/longlong.h
20039 +@@ -671,7 +671,23 @@ do { \
20040 + ************** MIPS/64 **************
20041 + ***************************************/
20042 + #if (defined(__mips) && __mips >= 3) && W_TYPE_SIZE == 64
20043 +-#if (__GNUC__ >= 5) || (__GNUC__ >= 4 && __GNUC_MINOR__ >= 4)
20044 ++#if defined(__mips_isa_rev) && __mips_isa_rev >= 6
20045 ++/*
20046 ++ * GCC ends up emitting a __multi3 intrinsic call for MIPS64r6 with the plain C
20047 ++ * code below, so we special case MIPS64r6 until the compiler can do better.
20048 ++ */
20049 ++#define umul_ppmm(w1, w0, u, v) \
20050 ++do { \
20051 ++ __asm__ ("dmulu %0,%1,%2" \
20052 ++ : "=d" ((UDItype)(w0)) \
20053 ++ : "d" ((UDItype)(u)), \
20054 ++ "d" ((UDItype)(v))); \
20055 ++ __asm__ ("dmuhu %0,%1,%2" \
20056 ++ : "=d" ((UDItype)(w1)) \
20057 ++ : "d" ((UDItype)(u)), \
20058 ++ "d" ((UDItype)(v))); \
20059 ++} while (0)
20060 ++#elif (__GNUC__ >= 5) || (__GNUC__ >= 4 && __GNUC_MINOR__ >= 4)
20061 + #define umul_ppmm(w1, w0, u, v) \
20062 + do { \
20063 + typedef unsigned int __ll_UTItype __attribute__((mode(TI))); \
20064 +diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
20065 +index 4905845a94e9..b5c4941fc068 100644
20066 +--- a/net/bridge/br_sysfs_if.c
20067 ++++ b/net/bridge/br_sysfs_if.c
20068 +@@ -229,6 +229,9 @@ static ssize_t brport_show(struct kobject *kobj,
20069 + struct brport_attribute *brport_attr = to_brport_attr(attr);
20070 + struct net_bridge_port *p = to_brport(kobj);
20071 +
20072 ++ if (!brport_attr->show)
20073 ++ return -EINVAL;
20074 ++
20075 + return brport_attr->show(p, buf);
20076 + }
20077 +
20078 +diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
20079 +index 9024283d2bca..9637a681bdda 100644
20080 +--- a/net/bridge/netfilter/ebt_among.c
20081 ++++ b/net/bridge/netfilter/ebt_among.c
20082 +@@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
20083 + return true;
20084 + }
20085 +
20086 ++static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
20087 ++{
20088 ++ return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
20089 ++}
20090 ++
20091 + static int ebt_among_mt_check(const struct xt_mtchk_param *par)
20092 + {
20093 + const struct ebt_among_info *info = par->matchinfo;
20094 + const struct ebt_entry_match *em =
20095 + container_of(par->matchinfo, const struct ebt_entry_match, data);
20096 +- int expected_length = sizeof(struct ebt_among_info);
20097 ++ unsigned int expected_length = sizeof(struct ebt_among_info);
20098 + const struct ebt_mac_wormhash *wh_dst, *wh_src;
20099 + int err;
20100 +
20101 ++ if (expected_length > em->match_size)
20102 ++ return -EINVAL;
20103 ++
20104 + wh_dst = ebt_among_wh_dst(info);
20105 +- wh_src = ebt_among_wh_src(info);
20106 ++ if (poolsize_invalid(wh_dst))
20107 ++ return -EINVAL;
20108 ++
20109 + expected_length += ebt_mac_wormhash_size(wh_dst);
20110 ++ if (expected_length > em->match_size)
20111 ++ return -EINVAL;
20112 ++
20113 ++ wh_src = ebt_among_wh_src(info);
20114 ++ if (poolsize_invalid(wh_src))
20115 ++ return -EINVAL;
20116 ++
20117 + expected_length += ebt_mac_wormhash_size(wh_src);
20118 +
20119 + if (em->match_size != EBT_ALIGN(expected_length)) {
20120 +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
20121 +index 91180a7fc943..3069eafeb33d 100644
20122 +--- a/net/bridge/netfilter/ebtables.c
20123 ++++ b/net/bridge/netfilter/ebtables.c
20124 +@@ -2019,7 +2019,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
20125 + if (match_kern)
20126 + match_kern->match_size = ret;
20127 +
20128 +- WARN_ON(type == EBT_COMPAT_TARGET && size_left);
20129 ++ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
20130 ++ return -EINVAL;
20131 ++
20132 + match32 = (struct compat_ebt_entry_mwt *) buf;
20133 + }
20134 +
20135 +@@ -2076,6 +2078,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
20136 + *
20137 + * offsets are relative to beginning of struct ebt_entry (i.e., 0).
20138 + */
20139 ++ for (i = 0; i < 4 ; ++i) {
20140 ++ if (offsets[i] >= *total)
20141 ++ return -EINVAL;
20142 ++ if (i == 0)
20143 ++ continue;
20144 ++ if (offsets[i-1] > offsets[i])
20145 ++ return -EINVAL;
20146 ++ }
20147 ++
20148 + for (i = 0, j = 1 ; j < 4 ; j++, i++) {
20149 + struct compat_ebt_entry_mwt *match32;
20150 + unsigned int size;
20151 +diff --git a/net/core/dev.c b/net/core/dev.c
20152 +index 0ccae464b46e..c2d927f91a30 100644
20153 +--- a/net/core/dev.c
20154 ++++ b/net/core/dev.c
20155 +@@ -2129,8 +2129,11 @@ EXPORT_SYMBOL(netif_set_xps_queue);
20156 + */
20157 + int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
20158 + {
20159 ++ bool disabling;
20160 + int rc;
20161 +
20162 ++ disabling = txq < dev->real_num_tx_queues;
20163 ++
20164 + if (txq < 1 || txq > dev->num_tx_queues)
20165 + return -EINVAL;
20166 +
20167 +@@ -2146,15 +2149,19 @@ int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
20168 + if (dev->num_tc)
20169 + netif_setup_tc(dev, txq);
20170 +
20171 +- if (txq < dev->real_num_tx_queues) {
20172 ++ dev->real_num_tx_queues = txq;
20173 ++
20174 ++ if (disabling) {
20175 ++ synchronize_net();
20176 + qdisc_reset_all_tx_gt(dev, txq);
20177 + #ifdef CONFIG_XPS
20178 + netif_reset_xps_queues_gt(dev, txq);
20179 + #endif
20180 + }
20181 ++ } else {
20182 ++ dev->real_num_tx_queues = txq;
20183 + }
20184 +
20185 +- dev->real_num_tx_queues = txq;
20186 + return 0;
20187 + }
20188 + EXPORT_SYMBOL(netif_set_real_num_tx_queues);
20189 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
20190 +index 6a9a495aff23..7a6400345cb9 100644
20191 +--- a/net/ipv4/route.c
20192 ++++ b/net/ipv4/route.c
20193 +@@ -122,10 +122,13 @@ static int ip_rt_redirect_silence __read_mostly = ((HZ / 50) << (9 + 1));
20194 + static int ip_rt_error_cost __read_mostly = HZ;
20195 + static int ip_rt_error_burst __read_mostly = 5 * HZ;
20196 + static int ip_rt_mtu_expires __read_mostly = 10 * 60 * HZ;
20197 +-static int ip_rt_min_pmtu __read_mostly = 512 + 20 + 20;
20198 ++static u32 ip_rt_min_pmtu __read_mostly = 512 + 20 + 20;
20199 + static int ip_rt_min_advmss __read_mostly = 256;
20200 +
20201 + static int ip_rt_gc_timeout __read_mostly = RT_GC_TIMEOUT;
20202 ++
20203 ++static int ip_min_valid_pmtu __read_mostly = IPV4_MIN_MTU;
20204 ++
20205 + /*
20206 + * Interface to generic destination cache.
20207 + */
20208 +@@ -2689,7 +2692,8 @@ static struct ctl_table ipv4_route_table[] = {
20209 + .data = &ip_rt_min_pmtu,
20210 + .maxlen = sizeof(int),
20211 + .mode = 0644,
20212 +- .proc_handler = proc_dointvec,
20213 ++ .proc_handler = proc_dointvec_minmax,
20214 ++ .extra1 = &ip_min_valid_pmtu,
20215 + },
20216 + {
20217 + .procname = "min_adv_mss",
20218 +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
20219 +index 456718921552..75758e3d6c81 100644
20220 +--- a/net/ipv4/udp.c
20221 ++++ b/net/ipv4/udp.c
20222 +@@ -1733,6 +1733,11 @@ static inline int udp4_csum_init(struct sk_buff *skb, struct udphdr *uh,
20223 + err = udplite_checksum_init(skb, uh);
20224 + if (err)
20225 + return err;
20226 ++
20227 ++ if (UDP_SKB_CB(skb)->partial_cov) {
20228 ++ skb->csum = inet_compute_pseudo(skb, proto);
20229 ++ return 0;
20230 ++ }
20231 + }
20232 +
20233 + return skb_checksum_init_zero_check(skb, proto, uh->check,
20234 +diff --git a/net/ipv6/ip6_checksum.c b/net/ipv6/ip6_checksum.c
20235 +index 9a4d7322fb22..391a8fedb27e 100644
20236 +--- a/net/ipv6/ip6_checksum.c
20237 ++++ b/net/ipv6/ip6_checksum.c
20238 +@@ -73,6 +73,11 @@ int udp6_csum_init(struct sk_buff *skb, struct udphdr *uh, int proto)
20239 + err = udplite_checksum_init(skb, uh);
20240 + if (err)
20241 + return err;
20242 ++
20243 ++ if (UDP_SKB_CB(skb)->partial_cov) {
20244 ++ skb->csum = ip6_compute_pseudo(skb, proto);
20245 ++ return 0;
20246 ++ }
20247 + }
20248 +
20249 + /* To support RFC 6936 (allow zero checksum in UDP/IPV6 for tunnels)
20250 +diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
20251 +index e76900e0aa92..25df2ce92ad8 100644
20252 +--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
20253 ++++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
20254 +@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb,
20255 + !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
20256 + target, maniptype))
20257 + return false;
20258 ++
20259 ++ /* must reload, offset might have changed */
20260 ++ ipv6h = (void *)skb->data + iphdroff;
20261 ++
20262 + manip_addr:
20263 + if (maniptype == NF_NAT_MANIP_SRC)
20264 + ipv6h->saddr = target->src.u3.in6;
20265 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
20266 +index 135fe458bfac..d17efa1b8473 100644
20267 +--- a/net/ipv6/route.c
20268 ++++ b/net/ipv6/route.c
20269 +@@ -1379,6 +1379,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
20270 + }
20271 +
20272 + rt->dst.flags |= DST_HOST;
20273 ++ rt->dst.input = ip6_input;
20274 + rt->dst.output = ip6_output;
20275 + atomic_set(&rt->dst.__refcnt, 1);
20276 + rt->rt6i_gateway = fl6->daddr;
20277 +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
20278 +index 295502b261a8..f4034c4eadf7 100644
20279 +--- a/net/ipv6/sit.c
20280 ++++ b/net/ipv6/sit.c
20281 +@@ -176,7 +176,7 @@ static void ipip6_tunnel_clone_6rd(struct net_device *dev, struct sit_net *sitn)
20282 + #ifdef CONFIG_IPV6_SIT_6RD
20283 + struct ip_tunnel *t = netdev_priv(dev);
20284 +
20285 +- if (t->dev == sitn->fb_tunnel_dev) {
20286 ++ if (dev == sitn->fb_tunnel_dev) {
20287 + ipv6_addr_set(&t->ip6rd.prefix, htonl(0x20020000), 0, 0, 0);
20288 + t->ip6rd.relay_prefix = 0;
20289 + t->ip6rd.prefixlen = 16;
20290 +diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
20291 +index fbce552a796e..7d7466dbf663 100644
20292 +--- a/net/netfilter/nf_nat_proto_common.c
20293 ++++ b/net/netfilter/nf_nat_proto_common.c
20294 +@@ -41,7 +41,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
20295 + const struct nf_conn *ct,
20296 + u16 *rover)
20297 + {
20298 +- unsigned int range_size, min, i;
20299 ++ unsigned int range_size, min, max, i;
20300 + __be16 *portptr;
20301 + u_int16_t off;
20302 +
20303 +@@ -71,7 +71,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
20304 + }
20305 + } else {
20306 + min = ntohs(range->min_proto.all);
20307 +- range_size = ntohs(range->max_proto.all) - min + 1;
20308 ++ max = ntohs(range->max_proto.all);
20309 ++ if (unlikely(max < min))
20310 ++ swap(max, min);
20311 ++ range_size = max - min + 1;
20312 + }
20313 +
20314 + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
20315 +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
20316 +index f407ebc13481..95b6dedc5ac7 100644
20317 +--- a/net/netfilter/xt_IDLETIMER.c
20318 ++++ b/net/netfilter/xt_IDLETIMER.c
20319 +@@ -146,11 +146,11 @@ static int idletimer_tg_create(struct idletimer_tg_info *info)
20320 + (unsigned long) info->timer);
20321 + info->timer->refcnt = 1;
20322 +
20323 ++ INIT_WORK(&info->timer->work, idletimer_tg_work);
20324 ++
20325 + mod_timer(&info->timer->timer,
20326 + msecs_to_jiffies(info->timeout * 1000) + jiffies);
20327 +
20328 +- INIT_WORK(&info->timer->work, idletimer_tg_work);
20329 +-
20330 + return 0;
20331 +
20332 + out_free_attr:
20333 +@@ -191,7 +191,10 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par)
20334 + pr_debug("timeout value is zero\n");
20335 + return -EINVAL;
20336 + }
20337 +-
20338 ++ if (info->timeout >= INT_MAX / 1000) {
20339 ++ pr_debug("timeout value is too big\n");
20340 ++ return -EINVAL;
20341 ++ }
20342 + if (info->label[0] == '\0' ||
20343 + strnlen(info->label,
20344 + MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) {
20345 +diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
20346 +index 3ba31c194cce..0858fe17e14a 100644
20347 +--- a/net/netfilter/xt_LED.c
20348 ++++ b/net/netfilter/xt_LED.c
20349 +@@ -141,10 +141,11 @@ static int led_tg_check(const struct xt_tgchk_param *par)
20350 + goto exit_alloc;
20351 + }
20352 +
20353 +- /* See if we need to set up a timer */
20354 +- if (ledinfo->delay > 0)
20355 +- setup_timer(&ledinternal->timer, led_timeout_callback,
20356 +- (unsigned long)ledinternal);
20357 ++ /* Since the letinternal timer can be shared between multiple targets,
20358 ++ * always set it up, even if the current target does not need it
20359 ++ */
20360 ++ setup_timer(&ledinternal->timer, led_timeout_callback,
20361 ++ (unsigned long)ledinternal);
20362 +
20363 + list_add_tail(&ledinternal->list, &xt_led_triggers);
20364 +
20365 +@@ -181,8 +182,7 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
20366 +
20367 + list_del(&ledinternal->list);
20368 +
20369 +- if (ledinfo->delay > 0)
20370 +- del_timer_sync(&ledinternal->timer);
20371 ++ del_timer_sync(&ledinternal->timer);
20372 +
20373 + led_trigger_unregister(&ledinternal->netfilter_led_trigger);
20374 +
20375 +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
20376 +index 3d111b053e3e..97c22c818134 100644
20377 +--- a/net/netlink/genetlink.c
20378 ++++ b/net/netlink/genetlink.c
20379 +@@ -1118,6 +1118,7 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
20380 + {
20381 + struct sk_buff *tmp;
20382 + struct net *net, *prev = NULL;
20383 ++ bool delivered = false;
20384 + int err;
20385 +
20386 + for_each_net_rcu(net) {
20387 +@@ -1129,14 +1130,21 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
20388 + }
20389 + err = nlmsg_multicast(prev->genl_sock, tmp,
20390 + portid, group, flags);
20391 +- if (err)
20392 ++ if (!err)
20393 ++ delivered = true;
20394 ++ else if (err != -ESRCH)
20395 + goto error;
20396 + }
20397 +
20398 + prev = net;
20399 + }
20400 +
20401 +- return nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
20402 ++ err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
20403 ++ if (!err)
20404 ++ delivered = true;
20405 ++ else if (err != -ESRCH)
20406 ++ goto error;
20407 ++ return delivered ? 0 : -ESRCH;
20408 + error:
20409 + kfree_skb(skb);
20410 + return err;
20411 +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
20412 +index 83a07d468644..5235f56d735d 100644
20413 +--- a/net/sctp/sm_make_chunk.c
20414 ++++ b/net/sctp/sm_make_chunk.c
20415 +@@ -1367,10 +1367,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
20416 + sctp_chunkhdr_t *chunk_hdr;
20417 + struct sk_buff *skb;
20418 + struct sock *sk;
20419 ++ int chunklen;
20420 ++
20421 ++ chunklen = sizeof(*chunk_hdr) + paylen;
20422 ++ if (chunklen > SCTP_MAX_CHUNK_LEN)
20423 ++ goto nodata;
20424 +
20425 + /* No need to allocate LL here, as this is only a chunk. */
20426 +- skb = alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen),
20427 +- GFP_ATOMIC);
20428 ++ skb = alloc_skb(chunklen, GFP_ATOMIC);
20429 + if (!skb)
20430 + goto nodata;
20431 +
20432 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
20433 +index c44e3d208804..195b54a19f1e 100644
20434 +--- a/net/sctp/socket.c
20435 ++++ b/net/sctp/socket.c
20436 +@@ -4455,7 +4455,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
20437 + len = sizeof(int);
20438 + if (put_user(len, optlen))
20439 + return -EFAULT;
20440 +- if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int)))
20441 ++ if (copy_to_user(optval, &sctp_sk(sk)->autoclose, len))
20442 + return -EFAULT;
20443 + return 0;
20444 + }
20445 +@@ -5032,6 +5032,9 @@ copy_getaddrs:
20446 + err = -EFAULT;
20447 + goto out;
20448 + }
20449 ++ /* XXX: We should have accounted for sizeof(struct sctp_getaddrs) too,
20450 ++ * but we can't change it anymore.
20451 ++ */
20452 + if (put_user(bytes_copied, optlen))
20453 + err = -EFAULT;
20454 + out:
20455 +@@ -5468,7 +5471,7 @@ static int sctp_getsockopt_maxseg(struct sock *sk, int len,
20456 + params.assoc_id = 0;
20457 + } else if (len >= sizeof(struct sctp_assoc_value)) {
20458 + len = sizeof(struct sctp_assoc_value);
20459 +- if (copy_from_user(&params, optval, sizeof(params)))
20460 ++ if (copy_from_user(&params, optval, len))
20461 + return -EFAULT;
20462 + } else
20463 + return -EINVAL;
20464 +@@ -5637,7 +5640,9 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
20465 +
20466 + if (len < sizeof(struct sctp_authkeyid))
20467 + return -EINVAL;
20468 +- if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
20469 ++
20470 ++ len = sizeof(struct sctp_authkeyid);
20471 ++ if (copy_from_user(&val, optval, len))
20472 + return -EFAULT;
20473 +
20474 + asoc = sctp_id2assoc(sk, val.scact_assoc_id);
20475 +@@ -5649,7 +5654,6 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
20476 + else
20477 + val.scact_keynumber = ep->active_key_id;
20478 +
20479 +- len = sizeof(struct sctp_authkeyid);
20480 + if (put_user(len, optlen))
20481 + return -EFAULT;
20482 + if (copy_to_user(optval, &val, len))
20483 +@@ -5675,7 +5679,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
20484 + if (len < sizeof(struct sctp_authchunks))
20485 + return -EINVAL;
20486 +
20487 +- if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
20488 ++ if (copy_from_user(&val, optval, sizeof(val)))
20489 + return -EFAULT;
20490 +
20491 + to = p->gauth_chunks;
20492 +@@ -5720,7 +5724,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
20493 + if (len < sizeof(struct sctp_authchunks))
20494 + return -EINVAL;
20495 +
20496 +- if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
20497 ++ if (copy_from_user(&val, optval, sizeof(val)))
20498 + return -EFAULT;
20499 +
20500 + to = p->gauth_chunks;
20501 +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
20502 +index b9ce5da25938..dac0a54e39de 100644
20503 +--- a/sound/core/seq/seq_clientmgr.c
20504 ++++ b/sound/core/seq/seq_clientmgr.c
20505 +@@ -919,7 +919,8 @@ int snd_seq_dispatch_event(struct snd_seq_event_cell *cell, int atomic, int hop)
20506 + static int snd_seq_client_enqueue_event(struct snd_seq_client *client,
20507 + struct snd_seq_event *event,
20508 + struct file *file, int blocking,
20509 +- int atomic, int hop)
20510 ++ int atomic, int hop,
20511 ++ struct mutex *mutexp)
20512 + {
20513 + struct snd_seq_event_cell *cell;
20514 + int err;
20515 +@@ -957,7 +958,8 @@ static int snd_seq_client_enqueue_event(struct snd_seq_client *client,
20516 + return -ENXIO; /* queue is not allocated */
20517 +
20518 + /* allocate an event cell */
20519 +- err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic, file);
20520 ++ err = snd_seq_event_dup(client->pool, event, &cell, !blocking || atomic,
20521 ++ file, mutexp);
20522 + if (err < 0)
20523 + return err;
20524 +
20525 +@@ -1026,12 +1028,11 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
20526 + return -ENXIO;
20527 +
20528 + /* allocate the pool now if the pool is not allocated yet */
20529 ++ mutex_lock(&client->ioctl_mutex);
20530 + if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
20531 +- mutex_lock(&client->ioctl_mutex);
20532 + err = snd_seq_pool_init(client->pool);
20533 +- mutex_unlock(&client->ioctl_mutex);
20534 + if (err < 0)
20535 +- return -ENOMEM;
20536 ++ goto out;
20537 + }
20538 +
20539 + /* only process whole events */
20540 +@@ -1082,7 +1083,7 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
20541 + /* ok, enqueue it */
20542 + err = snd_seq_client_enqueue_event(client, &event, file,
20543 + !(file->f_flags & O_NONBLOCK),
20544 +- 0, 0);
20545 ++ 0, 0, &client->ioctl_mutex);
20546 + if (err < 0)
20547 + break;
20548 +
20549 +@@ -1093,6 +1094,8 @@ static ssize_t snd_seq_write(struct file *file, const char __user *buf,
20550 + written += len;
20551 + }
20552 +
20553 ++ out:
20554 ++ mutex_unlock(&client->ioctl_mutex);
20555 + return written ? written : err;
20556 + }
20557 +
20558 +@@ -1924,6 +1927,9 @@ static int snd_seq_ioctl_set_client_pool(struct snd_seq_client *client,
20559 + (! snd_seq_write_pool_allocated(client) ||
20560 + info.output_pool != client->pool->size)) {
20561 + if (snd_seq_write_pool_allocated(client)) {
20562 ++ /* is the pool in use? */
20563 ++ if (atomic_read(&client->pool->counter))
20564 ++ return -EBUSY;
20565 + /* remove all existing cells */
20566 + snd_seq_pool_mark_closing(client->pool);
20567 + snd_seq_queue_client_leave_cells(client->number);
20568 +@@ -2348,7 +2354,8 @@ static int kernel_client_enqueue(int client, struct snd_seq_event *ev,
20569 + if (! cptr->accept_output)
20570 + result = -EPERM;
20571 + else /* send it */
20572 +- result = snd_seq_client_enqueue_event(cptr, ev, file, blocking, atomic, hop);
20573 ++ result = snd_seq_client_enqueue_event(cptr, ev, file, blocking,
20574 ++ atomic, hop, NULL);
20575 +
20576 + snd_seq_client_unlock(cptr);
20577 + return result;
20578 +diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c
20579 +index 3490d21ab9e7..9acbed1ac982 100644
20580 +--- a/sound/core/seq/seq_fifo.c
20581 ++++ b/sound/core/seq/seq_fifo.c
20582 +@@ -123,7 +123,7 @@ int snd_seq_fifo_event_in(struct snd_seq_fifo *f,
20583 + return -EINVAL;
20584 +
20585 + snd_use_lock_use(&f->use_lock);
20586 +- err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL); /* always non-blocking */
20587 ++ err = snd_seq_event_dup(f->pool, event, &cell, 1, NULL, NULL); /* always non-blocking */
20588 + if (err < 0) {
20589 + if ((err == -ENOMEM) || (err == -EAGAIN))
20590 + atomic_inc(&f->overflow);
20591 +diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
20592 +index 5847c4475bf3..4c8cbcd89887 100644
20593 +--- a/sound/core/seq/seq_memory.c
20594 ++++ b/sound/core/seq/seq_memory.c
20595 +@@ -221,7 +221,8 @@ void snd_seq_cell_free(struct snd_seq_event_cell * cell)
20596 + */
20597 + static int snd_seq_cell_alloc(struct snd_seq_pool *pool,
20598 + struct snd_seq_event_cell **cellp,
20599 +- int nonblock, struct file *file)
20600 ++ int nonblock, struct file *file,
20601 ++ struct mutex *mutexp)
20602 + {
20603 + struct snd_seq_event_cell *cell;
20604 + unsigned long flags;
20605 +@@ -245,7 +246,11 @@ static int snd_seq_cell_alloc(struct snd_seq_pool *pool,
20606 + set_current_state(TASK_INTERRUPTIBLE);
20607 + add_wait_queue(&pool->output_sleep, &wait);
20608 + spin_unlock_irq(&pool->lock);
20609 ++ if (mutexp)
20610 ++ mutex_unlock(mutexp);
20611 + schedule();
20612 ++ if (mutexp)
20613 ++ mutex_lock(mutexp);
20614 + spin_lock_irq(&pool->lock);
20615 + remove_wait_queue(&pool->output_sleep, &wait);
20616 + /* interrupted? */
20617 +@@ -288,7 +293,7 @@ __error:
20618 + */
20619 + int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
20620 + struct snd_seq_event_cell **cellp, int nonblock,
20621 +- struct file *file)
20622 ++ struct file *file, struct mutex *mutexp)
20623 + {
20624 + int ncells, err;
20625 + unsigned int extlen;
20626 +@@ -305,7 +310,7 @@ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
20627 + if (ncells >= pool->total_elements)
20628 + return -ENOMEM;
20629 +
20630 +- err = snd_seq_cell_alloc(pool, &cell, nonblock, file);
20631 ++ err = snd_seq_cell_alloc(pool, &cell, nonblock, file, mutexp);
20632 + if (err < 0)
20633 + return err;
20634 +
20635 +@@ -331,7 +336,8 @@ int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
20636 + int size = sizeof(struct snd_seq_event);
20637 + if (len < size)
20638 + size = len;
20639 +- err = snd_seq_cell_alloc(pool, &tmp, nonblock, file);
20640 ++ err = snd_seq_cell_alloc(pool, &tmp, nonblock, file,
20641 ++ mutexp);
20642 + if (err < 0)
20643 + goto __error;
20644 + if (cell->event.data.ext.ptr == NULL)
20645 +diff --git a/sound/core/seq/seq_memory.h b/sound/core/seq/seq_memory.h
20646 +index 32f959c17786..3abe306c394a 100644
20647 +--- a/sound/core/seq/seq_memory.h
20648 ++++ b/sound/core/seq/seq_memory.h
20649 +@@ -66,7 +66,8 @@ struct snd_seq_pool {
20650 + void snd_seq_cell_free(struct snd_seq_event_cell *cell);
20651 +
20652 + int snd_seq_event_dup(struct snd_seq_pool *pool, struct snd_seq_event *event,
20653 +- struct snd_seq_event_cell **cellp, int nonblock, struct file *file);
20654 ++ struct snd_seq_event_cell **cellp, int nonblock,
20655 ++ struct file *file, struct mutex *mutexp);
20656 +
20657 + /* return number of unused (free) cells */
20658 + static inline int snd_seq_unused_cells(struct snd_seq_pool *pool)
20659 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
20660 +index 861dc57cb082..0fd1402e427b 100644
20661 +--- a/sound/pci/hda/patch_realtek.c
20662 ++++ b/sound/pci/hda/patch_realtek.c
20663 +@@ -4615,6 +4615,16 @@ static void alc298_fixup_speaker_volume(struct hda_codec *codec,
20664 + }
20665 + }
20666 +
20667 ++/* disable DAC3 (0x06) selection on NID 0x17 as it has no volume amp control */
20668 ++static void alc295_fixup_disable_dac3(struct hda_codec *codec,
20669 ++ const struct hda_fixup *fix, int action)
20670 ++{
20671 ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
20672 ++ hda_nid_t conn[2] = { 0x02, 0x03 };
20673 ++ snd_hda_override_conn_list(codec, 0x17, 2, conn);
20674 ++ }
20675 ++}
20676 ++
20677 + /* Hook to update amp GPIO4 for automute */
20678 + static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec,
20679 + struct hda_jack_callback *jack)
20680 +@@ -4764,6 +4774,7 @@ enum {
20681 + ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY,
20682 + ALC255_FIXUP_DELL_SPK_NOISE,
20683 + ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
20684 ++ ALC295_FIXUP_DISABLE_DAC3,
20685 + ALC280_FIXUP_HP_HEADSET_MIC,
20686 + ALC221_FIXUP_HP_FRONT_MIC,
20687 + ALC292_FIXUP_TPT460,
20688 +@@ -5453,6 +5464,10 @@ static const struct hda_fixup alc269_fixups[] = {
20689 + .chained = true,
20690 + .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE,
20691 + },
20692 ++ [ALC295_FIXUP_DISABLE_DAC3] = {
20693 ++ .type = HDA_FIXUP_FUNC,
20694 ++ .v.func = alc295_fixup_disable_dac3,
20695 ++ },
20696 + [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
20697 + .type = HDA_FIXUP_PINS,
20698 + .v.pins = (const struct hda_pintbl[]) {
20699 +@@ -5510,6 +5525,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
20700 + SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE),
20701 + SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
20702 + SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
20703 ++ SND_PCI_QUIRK(0x1028, 0x07b0, "Dell Precision 7520", ALC295_FIXUP_DISABLE_DAC3),
20704 + SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
20705 + SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
20706 + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
20707 +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
20708 +index 32719f28aa86..c7c8aac1ace6 100644
20709 +--- a/sound/usb/quirks-table.h
20710 ++++ b/sound/usb/quirks-table.h
20711 +@@ -3274,4 +3274,51 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"),
20712 + }
20713 + },
20714 +
20715 ++{
20716 ++ /*
20717 ++ * Bower's & Wilkins PX headphones only support the 48 kHz sample rate
20718 ++ * even though it advertises more. The capture interface doesn't work
20719 ++ * even on windows.
20720 ++ */
20721 ++ USB_DEVICE(0x19b5, 0x0021),
20722 ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
20723 ++ .ifnum = QUIRK_ANY_INTERFACE,
20724 ++ .type = QUIRK_COMPOSITE,
20725 ++ .data = (const struct snd_usb_audio_quirk[]) {
20726 ++ {
20727 ++ .ifnum = 0,
20728 ++ .type = QUIRK_AUDIO_STANDARD_MIXER,
20729 ++ },
20730 ++ /* Capture */
20731 ++ {
20732 ++ .ifnum = 1,
20733 ++ .type = QUIRK_IGNORE_INTERFACE,
20734 ++ },
20735 ++ /* Playback */
20736 ++ {
20737 ++ .ifnum = 2,
20738 ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT,
20739 ++ .data = &(const struct audioformat) {
20740 ++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
20741 ++ .channels = 2,
20742 ++ .iface = 2,
20743 ++ .altsetting = 1,
20744 ++ .altset_idx = 1,
20745 ++ .attributes = UAC_EP_CS_ATTR_FILL_MAX |
20746 ++ UAC_EP_CS_ATTR_SAMPLE_RATE,
20747 ++ .endpoint = 0x03,
20748 ++ .ep_attr = USB_ENDPOINT_XFER_ISOC,
20749 ++ .rates = SNDRV_PCM_RATE_48000,
20750 ++ .rate_min = 48000,
20751 ++ .rate_max = 48000,
20752 ++ .nr_rates = 1,
20753 ++ .rate_table = (unsigned int[]) {
20754 ++ 48000
20755 ++ }
20756 ++ }
20757 ++ },
20758 ++ }
20759 ++ }
20760 ++},
20761 ++
20762 + #undef USB_DEVICE_VENDOR_SPEC
20763
20764 diff --git a/1051_linux-4.1.52.patch b/1051_linux-4.1.52.patch
20765 new file mode 100644
20766 index 0000000..6648ea5
20767 --- /dev/null
20768 +++ b/1051_linux-4.1.52.patch
20769 @@ -0,0 +1,15535 @@
20770 +diff --git a/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt b/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt
20771 +index caf297bee1fb..c28d4eb83b76 100644
20772 +--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt
20773 ++++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-palmas.txt
20774 +@@ -35,6 +35,15 @@ Optional properties:
20775 + - ti,palmas-enable-dvfs2: Enable DVFS2. Configure pins for DVFS2 mode.
20776 + Selection primary or secondary function associated to GPADC_START
20777 + and SYSEN2 pin/pad for DVFS2 interface
20778 ++- ti,palmas-override-powerhold: This is applicable for PMICs for which
20779 ++ GPIO7 is configured in POWERHOLD mode which has higher priority
20780 ++ over DEV_ON bit and keeps the PMIC supplies on even after the DEV_ON
20781 ++ bit is turned off. This property enables driver to over ride the
20782 ++ POWERHOLD value to GPIO7 so as to turn off the PMIC in power off
20783 ++ scenarios. So for GPIO7 if ti,palmas-override-powerhold is set
20784 ++ then the GPIO_7 field should never be muxed to anything else.
20785 ++ It should be set to POWERHOLD by default and only in case of
20786 ++ power off scenarios the driver will over ride the mux value.
20787 +
20788 + This binding uses the following generic properties as defined in
20789 + pinctrl-bindings.txt:
20790 +diff --git a/Makefile b/Makefile
20791 +index caccc6f16d62..1f5560281f70 100644
20792 +--- a/Makefile
20793 ++++ b/Makefile
20794 +@@ -1,6 +1,6 @@
20795 + VERSION = 4
20796 + PATCHLEVEL = 1
20797 +-SUBLEVEL = 51
20798 ++SUBLEVEL = 52
20799 + EXTRAVERSION =
20800 + NAME = Series 4800
20801 +
20802 +@@ -772,6 +772,15 @@ KBUILD_CFLAGS += $(call cc-disable-warning, pointer-sign)
20803 + # disable invalid "can't wrap" optimizations for signed / pointers
20804 + KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
20805 +
20806 ++# clang sets -fmerge-all-constants by default as optimization, but this
20807 ++# is non-conforming behavior for C and in fact breaks the kernel, so we
20808 ++# need to disable it here generally.
20809 ++KBUILD_CFLAGS += $(call cc-option,-fno-merge-all-constants)
20810 ++
20811 ++# for gcc -fno-merge-all-constants disables everything, but it is fine
20812 ++# to have actual conforming behavior enabled.
20813 ++KBUILD_CFLAGS += $(call cc-option,-fmerge-constants)
20814 ++
20815 + # Make sure -fstack-check isn't enabled (like gentoo apparently did)
20816 + KBUILD_CFLAGS += $(call cc-option,-fno-stack-check,)
20817 +
20818 +diff --git a/arch/alpha/kernel/console.c b/arch/alpha/kernel/console.c
20819 +index 6a61deed4a85..ab228ed45945 100644
20820 +--- a/arch/alpha/kernel/console.c
20821 ++++ b/arch/alpha/kernel/console.c
20822 +@@ -20,6 +20,7 @@
20823 + struct pci_controller *pci_vga_hose;
20824 + static struct resource alpha_vga = {
20825 + .name = "alpha-vga+",
20826 ++ .flags = IORESOURCE_IO,
20827 + .start = 0x3C0,
20828 + .end = 0x3DF
20829 + };
20830 +diff --git a/arch/arm/boot/dts/am335x-pepper.dts b/arch/arm/boot/dts/am335x-pepper.dts
20831 +index 0d35ab64641c..ac3ca3636405 100644
20832 +--- a/arch/arm/boot/dts/am335x-pepper.dts
20833 ++++ b/arch/arm/boot/dts/am335x-pepper.dts
20834 +@@ -138,7 +138,7 @@
20835 + &audio_codec {
20836 + status = "okay";
20837 +
20838 +- gpio-reset = <&gpio1 16 GPIO_ACTIVE_LOW>;
20839 ++ reset-gpios = <&gpio1 16 GPIO_ACTIVE_LOW>;
20840 + AVDD-supply = <&ldo3_reg>;
20841 + IOVDD-supply = <&ldo3_reg>;
20842 + DRVDD-supply = <&ldo3_reg>;
20843 +diff --git a/arch/arm/boot/dts/am57xx-beagle-x15.dts b/arch/arm/boot/dts/am57xx-beagle-x15.dts
20844 +index e8397879d0a7..825237d03168 100644
20845 +--- a/arch/arm/boot/dts/am57xx-beagle-x15.dts
20846 ++++ b/arch/arm/boot/dts/am57xx-beagle-x15.dts
20847 +@@ -299,6 +299,7 @@
20848 + interrupt-controller;
20849 +
20850 + ti,system-power-controller;
20851 ++ ti,palmas-override-powerhold;
20852 +
20853 + tps659038_pmic {
20854 + compatible = "ti,tps659038-pmic";
20855 +diff --git a/arch/arm/boot/dts/at91sam9g25.dtsi b/arch/arm/boot/dts/at91sam9g25.dtsi
20856 +index a7da0dd0c98f..0898213f3bb2 100644
20857 +--- a/arch/arm/boot/dts/at91sam9g25.dtsi
20858 ++++ b/arch/arm/boot/dts/at91sam9g25.dtsi
20859 +@@ -21,7 +21,7 @@
20860 + atmel,mux-mask = <
20861 + /* A B C */
20862 + 0xffffffff 0xffe0399f 0xc000001c /* pioA */
20863 +- 0x0007ffff 0x8000fe3f 0x00000000 /* pioB */
20864 ++ 0x0007ffff 0x00047e3f 0x00000000 /* pioB */
20865 + 0x80000000 0x07c0ffff 0xb83fffff /* pioC */
20866 + 0x003fffff 0x003f8000 0x00000000 /* pioD */
20867 + >;
20868 +diff --git a/arch/arm/boot/dts/dra7-evm.dts b/arch/arm/boot/dts/dra7-evm.dts
20869 +index 096f68be99e2..1e6369c24645 100644
20870 +--- a/arch/arm/boot/dts/dra7-evm.dts
20871 ++++ b/arch/arm/boot/dts/dra7-evm.dts
20872 +@@ -285,6 +285,8 @@
20873 + tps659038: tps659038@58 {
20874 + compatible = "ti,tps659038";
20875 + reg = <0x58>;
20876 ++ ti,palmas-override-powerhold;
20877 ++ ti,system-power-controller;
20878 +
20879 + tps659038_pmic {
20880 + compatible = "ti,tps659038-pmic";
20881 +diff --git a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
20882 +index 9e096d811bed..7a032dd84bb2 100644
20883 +--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
20884 ++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
20885 +@@ -88,6 +88,7 @@
20886 + clocks = <&clks 201>;
20887 + VDDA-supply = <&reg_2p5v>;
20888 + VDDIO-supply = <&reg_3p3v>;
20889 ++ lrclk-strength = <3>;
20890 + };
20891 + };
20892 +
20893 +diff --git a/arch/arm/boot/dts/ls1021a.dtsi b/arch/arm/boot/dts/ls1021a.dtsi
20894 +index c70bb27ac65a..3429ceb1d577 100644
20895 +--- a/arch/arm/boot/dts/ls1021a.dtsi
20896 ++++ b/arch/arm/boot/dts/ls1021a.dtsi
20897 +@@ -128,7 +128,7 @@
20898 + };
20899 +
20900 + esdhc: esdhc@1560000 {
20901 +- compatible = "fsl,esdhc";
20902 ++ compatible = "fsl,ls1021a-esdhc", "fsl,esdhc";
20903 + reg = <0x0 0x1560000 0x0 0x10000>;
20904 + interrupts = <GIC_SPI 94 IRQ_TYPE_LEVEL_HIGH>;
20905 + clock-frequency = <0>;
20906 +diff --git a/arch/arm/boot/dts/moxart-uc7112lx.dts b/arch/arm/boot/dts/moxart-uc7112lx.dts
20907 +index 10d088df0c35..4a962a26482d 100644
20908 +--- a/arch/arm/boot/dts/moxart-uc7112lx.dts
20909 ++++ b/arch/arm/boot/dts/moxart-uc7112lx.dts
20910 +@@ -6,7 +6,7 @@
20911 + */
20912 +
20913 + /dts-v1/;
20914 +-/include/ "moxart.dtsi"
20915 ++#include "moxart.dtsi"
20916 +
20917 + / {
20918 + model = "MOXA UC-7112-LX";
20919 +diff --git a/arch/arm/boot/dts/moxart.dtsi b/arch/arm/boot/dts/moxart.dtsi
20920 +index 1fd27ed65a01..64f2f44235d0 100644
20921 +--- a/arch/arm/boot/dts/moxart.dtsi
20922 ++++ b/arch/arm/boot/dts/moxart.dtsi
20923 +@@ -6,6 +6,7 @@
20924 + */
20925 +
20926 + /include/ "skeleton.dtsi"
20927 ++#include <dt-bindings/interrupt-controller/irq.h>
20928 +
20929 + / {
20930 + compatible = "moxa,moxart";
20931 +@@ -36,8 +37,8 @@
20932 + ranges;
20933 +
20934 + intc: interrupt-controller@98800000 {
20935 +- compatible = "moxa,moxart-ic";
20936 +- reg = <0x98800000 0x38>;
20937 ++ compatible = "moxa,moxart-ic", "faraday,ftintc010";
20938 ++ reg = <0x98800000 0x100>;
20939 + interrupt-controller;
20940 + #interrupt-cells = <2>;
20941 + interrupt-mask = <0x00080000>;
20942 +@@ -59,7 +60,7 @@
20943 + timer: timer@98400000 {
20944 + compatible = "moxa,moxart-timer";
20945 + reg = <0x98400000 0x42>;
20946 +- interrupts = <19 1>;
20947 ++ interrupts = <19 IRQ_TYPE_EDGE_FALLING>;
20948 + clocks = <&clk_apb>;
20949 + };
20950 +
20951 +@@ -80,7 +81,7 @@
20952 + dma: dma@90500000 {
20953 + compatible = "moxa,moxart-dma";
20954 + reg = <0x90500080 0x40>;
20955 +- interrupts = <24 0>;
20956 ++ interrupts = <24 IRQ_TYPE_LEVEL_HIGH>;
20957 + #dma-cells = <1>;
20958 + };
20959 +
20960 +@@ -93,7 +94,7 @@
20961 + sdhci: sdhci@98e00000 {
20962 + compatible = "moxa,moxart-sdhci";
20963 + reg = <0x98e00000 0x5C>;
20964 +- interrupts = <5 0>;
20965 ++ interrupts = <5 IRQ_TYPE_LEVEL_HIGH>;
20966 + clocks = <&clk_apb>;
20967 + dmas = <&dma 5>,
20968 + <&dma 5>;
20969 +@@ -120,7 +121,7 @@
20970 + mac0: mac@90900000 {
20971 + compatible = "moxa,moxart-mac";
20972 + reg = <0x90900000 0x90>;
20973 +- interrupts = <25 0>;
20974 ++ interrupts = <25 IRQ_TYPE_LEVEL_HIGH>;
20975 + phy-handle = <&ethphy0>;
20976 + phy-mode = "mii";
20977 + status = "disabled";
20978 +@@ -129,7 +130,7 @@
20979 + mac1: mac@92000000 {
20980 + compatible = "moxa,moxart-mac";
20981 + reg = <0x92000000 0x90>;
20982 +- interrupts = <27 0>;
20983 ++ interrupts = <27 IRQ_TYPE_LEVEL_HIGH>;
20984 + phy-handle = <&ethphy1>;
20985 + phy-mode = "mii";
20986 + status = "disabled";
20987 +@@ -138,7 +139,7 @@
20988 + uart0: uart@98200000 {
20989 + compatible = "ns16550a";
20990 + reg = <0x98200000 0x20>;
20991 +- interrupts = <31 8>;
20992 ++ interrupts = <31 IRQ_TYPE_LEVEL_HIGH>;
20993 + reg-shift = <2>;
20994 + reg-io-width = <4>;
20995 + clock-frequency = <14745600>;
20996 +diff --git a/arch/arm/boot/dts/omap3-n900.dts b/arch/arm/boot/dts/omap3-n900.dts
20997 +index 27cd4abfc74d..731860314ab5 100644
20998 +--- a/arch/arm/boot/dts/omap3-n900.dts
20999 ++++ b/arch/arm/boot/dts/omap3-n900.dts
21000 +@@ -488,7 +488,7 @@
21001 + tlv320aic3x: tlv320aic3x@18 {
21002 + compatible = "ti,tlv320aic3x";
21003 + reg = <0x18>;
21004 +- gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */
21005 ++ reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */
21006 + ai3x-gpio-func = <
21007 + 0 /* AIC3X_GPIO1_FUNC_DISABLED */
21008 + 5 /* AIC3X_GPIO2_FUNC_DIGITAL_MIC_INPUT */
21009 +@@ -505,7 +505,7 @@
21010 + tlv320aic3x_aux: tlv320aic3x@19 {
21011 + compatible = "ti,tlv320aic3x";
21012 + reg = <0x19>;
21013 +- gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */
21014 ++ reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */
21015 +
21016 + AVDD-supply = <&vmmc2>;
21017 + DRVDD-supply = <&vmmc2>;
21018 +diff --git a/arch/arm/boot/dts/r8a7790.dtsi b/arch/arm/boot/dts/r8a7790.dtsi
21019 +index 4bb2f4c17321..07f31efec974 100644
21020 +--- a/arch/arm/boot/dts/r8a7790.dtsi
21021 ++++ b/arch/arm/boot/dts/r8a7790.dtsi
21022 +@@ -1227,8 +1227,11 @@
21023 + compatible = "renesas,r8a7790-mstp-clocks", "renesas,cpg-mstp-clocks";
21024 + reg = <0 0xe6150998 0 4>, <0 0xe61509a8 0 4>;
21025 + clocks = <&p_clk>,
21026 +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>,
21027 +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>,
21028 ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
21029 ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
21030 ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
21031 ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
21032 ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>,
21033 + <&p_clk>,
21034 + <&mstp10_clks R8A7790_CLK_SCU_ALL>, <&mstp10_clks R8A7790_CLK_SCU_ALL>,
21035 + <&mstp10_clks R8A7790_CLK_SCU_ALL>, <&mstp10_clks R8A7790_CLK_SCU_ALL>,
21036 +diff --git a/arch/arm/boot/dts/r8a7791-koelsch.dts b/arch/arm/boot/dts/r8a7791-koelsch.dts
21037 +index 824ddab9c3ad..19106ceecd3a 100644
21038 +--- a/arch/arm/boot/dts/r8a7791-koelsch.dts
21039 ++++ b/arch/arm/boot/dts/r8a7791-koelsch.dts
21040 +@@ -273,7 +273,7 @@
21041 + x2_clk: x2-clock {
21042 + compatible = "fixed-clock";
21043 + #clock-cells = <0>;
21044 +- clock-frequency = <148500000>;
21045 ++ clock-frequency = <74250000>;
21046 + };
21047 +
21048 + x13_clk: x13-clock {
21049 +diff --git a/arch/arm/boot/dts/r8a7791.dtsi b/arch/arm/boot/dts/r8a7791.dtsi
21050 +index 4696062f6dde..96cd539ee4c6 100644
21051 +--- a/arch/arm/boot/dts/r8a7791.dtsi
21052 ++++ b/arch/arm/boot/dts/r8a7791.dtsi
21053 +@@ -1232,8 +1232,11 @@
21054 + compatible = "renesas,r8a7791-mstp-clocks", "renesas,cpg-mstp-clocks";
21055 + reg = <0 0xe6150998 0 4>, <0 0xe61509a8 0 4>;
21056 + clocks = <&p_clk>,
21057 +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>,
21058 +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>,
21059 ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
21060 ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
21061 ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
21062 ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
21063 ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>,
21064 + <&p_clk>,
21065 + <&mstp10_clks R8A7791_CLK_SCU_ALL>, <&mstp10_clks R8A7791_CLK_SCU_ALL>,
21066 + <&mstp10_clks R8A7791_CLK_SCU_ALL>, <&mstp10_clks R8A7791_CLK_SCU_ALL>,
21067 +diff --git a/arch/arm/include/asm/xen/events.h b/arch/arm/include/asm/xen/events.h
21068 +index 8b1f37bfeeec..b7aadab9b0e8 100644
21069 +--- a/arch/arm/include/asm/xen/events.h
21070 ++++ b/arch/arm/include/asm/xen/events.h
21071 +@@ -16,7 +16,7 @@ static inline int xen_irqs_disabled(struct pt_regs *regs)
21072 + return raw_irqs_disabled_flags(regs->ARM_cpsr);
21073 + }
21074 +
21075 +-#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((ptr), \
21076 ++#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((long long*)(ptr),\
21077 + atomic64_t, \
21078 + counter), (val))
21079 +
21080 +diff --git a/arch/arm/kernel/ftrace.c b/arch/arm/kernel/ftrace.c
21081 +index 709ee1d6d4df..faa9a905826e 100644
21082 +--- a/arch/arm/kernel/ftrace.c
21083 ++++ b/arch/arm/kernel/ftrace.c
21084 +@@ -29,11 +29,6 @@
21085 + #endif
21086 +
21087 + #ifdef CONFIG_DYNAMIC_FTRACE
21088 +-#ifdef CONFIG_OLD_MCOUNT
21089 +-#define OLD_MCOUNT_ADDR ((unsigned long) mcount)
21090 +-#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old)
21091 +-
21092 +-#define OLD_NOP 0xe1a00000 /* mov r0, r0 */
21093 +
21094 + static int __ftrace_modify_code(void *data)
21095 + {
21096 +@@ -51,6 +46,12 @@ void arch_ftrace_update_code(int command)
21097 + stop_machine(__ftrace_modify_code, &command, NULL);
21098 + }
21099 +
21100 ++#ifdef CONFIG_OLD_MCOUNT
21101 ++#define OLD_MCOUNT_ADDR ((unsigned long) mcount)
21102 ++#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old)
21103 ++
21104 ++#define OLD_NOP 0xe1a00000 /* mov r0, r0 */
21105 ++
21106 + static unsigned long ftrace_nop_replace(struct dyn_ftrace *rec)
21107 + {
21108 + return rec->arch.old_mcount ? OLD_NOP : NOP;
21109 +diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
21110 +index 4a86a0133ac3..016c87fc9b69 100644
21111 +--- a/arch/arm/kernel/perf_event.c
21112 ++++ b/arch/arm/kernel/perf_event.c
21113 +@@ -311,10 +311,16 @@ validate_group(struct perf_event *event)
21114 + return 0;
21115 + }
21116 +
21117 ++static struct arm_pmu_platdata *armpmu_get_platdata(struct arm_pmu *armpmu)
21118 ++{
21119 ++ struct platform_device *pdev = armpmu->plat_device;
21120 ++
21121 ++ return pdev ? dev_get_platdata(&pdev->dev) : NULL;
21122 ++}
21123 ++
21124 + static irqreturn_t armpmu_dispatch_irq(int irq, void *dev)
21125 + {
21126 + struct arm_pmu *armpmu;
21127 +- struct platform_device *plat_device;
21128 + struct arm_pmu_platdata *plat;
21129 + int ret;
21130 + u64 start_clock, finish_clock;
21131 +@@ -326,8 +332,8 @@ static irqreturn_t armpmu_dispatch_irq(int irq, void *dev)
21132 + * dereference.
21133 + */
21134 + armpmu = *(void **)dev;
21135 +- plat_device = armpmu->plat_device;
21136 +- plat = dev_get_platdata(&plat_device->dev);
21137 ++
21138 ++ plat = armpmu_get_platdata(armpmu);
21139 +
21140 + start_clock = sched_clock();
21141 + if (plat && plat->handle_irq)
21142 +diff --git a/arch/arm/mach-davinci/devices-da8xx.c b/arch/arm/mach-davinci/devices-da8xx.c
21143 +index ddfdd820e6f2..6bad2a02a2f9 100644
21144 +--- a/arch/arm/mach-davinci/devices-da8xx.c
21145 ++++ b/arch/arm/mach-davinci/devices-da8xx.c
21146 +@@ -827,6 +827,8 @@ static struct platform_device da8xx_dsp = {
21147 + .resource = da8xx_rproc_resources,
21148 + };
21149 +
21150 ++static bool rproc_mem_inited __initdata;
21151 ++
21152 + #if IS_ENABLED(CONFIG_DA8XX_REMOTEPROC)
21153 +
21154 + static phys_addr_t rproc_base __initdata;
21155 +@@ -865,6 +867,8 @@ void __init da8xx_rproc_reserve_cma(void)
21156 + ret = dma_declare_contiguous(&da8xx_dsp.dev, rproc_size, rproc_base, 0);
21157 + if (ret)
21158 + pr_err("%s: dma_declare_contiguous failed %d\n", __func__, ret);
21159 ++ else
21160 ++ rproc_mem_inited = true;
21161 + }
21162 +
21163 + #else
21164 +@@ -879,6 +883,12 @@ int __init da8xx_register_rproc(void)
21165 + {
21166 + int ret;
21167 +
21168 ++ if (!rproc_mem_inited) {
21169 ++ pr_warn("%s: memory not reserved for DSP, not registering DSP device\n",
21170 ++ __func__);
21171 ++ return -ENOMEM;
21172 ++ }
21173 ++
21174 + ret = platform_device_register(&da8xx_dsp);
21175 + if (ret)
21176 + pr_err("%s: can't register DSP device: %d\n", __func__, ret);
21177 +diff --git a/arch/arm/mach-imx/clk-imx6q.c b/arch/arm/mach-imx/clk-imx6q.c
21178 +index a2e8ef3c0bd9..777531ef58d6 100644
21179 +--- a/arch/arm/mach-imx/clk-imx6q.c
21180 ++++ b/arch/arm/mach-imx/clk-imx6q.c
21181 +@@ -402,7 +402,7 @@ static void __init imx6q_clocks_init(struct device_node *ccm_node)
21182 + clk[IMX6QDL_CLK_GPU2D_CORE] = imx_clk_gate2("gpu2d_core", "gpu2d_core_podf", base + 0x6c, 24);
21183 + clk[IMX6QDL_CLK_GPU3D_CORE] = imx_clk_gate2("gpu3d_core", "gpu3d_core_podf", base + 0x6c, 26);
21184 + clk[IMX6QDL_CLK_HDMI_IAHB] = imx_clk_gate2("hdmi_iahb", "ahb", base + 0x70, 0);
21185 +- clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "video_27m", base + 0x70, 4);
21186 ++ clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "mipi_core_cfg", base + 0x70, 4);
21187 + clk[IMX6QDL_CLK_I2C1] = imx_clk_gate2("i2c1", "ipg_per", base + 0x70, 6);
21188 + clk[IMX6QDL_CLK_I2C2] = imx_clk_gate2("i2c2", "ipg_per", base + 0x70, 8);
21189 + clk[IMX6QDL_CLK_I2C3] = imx_clk_gate2("i2c3", "ipg_per", base + 0x70, 10);
21190 +diff --git a/arch/arm/mach-omap2/clockdomains7xx_data.c b/arch/arm/mach-omap2/clockdomains7xx_data.c
21191 +index 7581e036bda6..70e3b711e79c 100644
21192 +--- a/arch/arm/mach-omap2/clockdomains7xx_data.c
21193 ++++ b/arch/arm/mach-omap2/clockdomains7xx_data.c
21194 +@@ -524,7 +524,7 @@ static struct clockdomain pcie_7xx_clkdm = {
21195 + .dep_bit = DRA7XX_PCIE_STATDEP_SHIFT,
21196 + .wkdep_srcs = pcie_wkup_sleep_deps,
21197 + .sleepdep_srcs = pcie_wkup_sleep_deps,
21198 +- .flags = CLKDM_CAN_HWSUP_SWSUP,
21199 ++ .flags = CLKDM_CAN_SWSUP,
21200 + };
21201 +
21202 + static struct clockdomain atl_7xx_clkdm = {
21203 +diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h
21204 +index 5f750dc96e0f..49d057eb93d6 100644
21205 +--- a/arch/arm64/include/asm/futex.h
21206 ++++ b/arch/arm64/include/asm/futex.h
21207 +@@ -44,16 +44,16 @@
21208 + : "memory")
21209 +
21210 + static inline int
21211 +-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
21212 ++futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
21213 + {
21214 + int op = (encoded_op >> 28) & 7;
21215 + int cmp = (encoded_op >> 24) & 15;
21216 +- int oparg = (encoded_op << 8) >> 20;
21217 +- int cmparg = (encoded_op << 20) >> 20;
21218 ++ int oparg = (int)(encoded_op << 8) >> 20;
21219 ++ int cmparg = (int)(encoded_op << 20) >> 20;
21220 + int oldval = 0, ret, tmp;
21221 +
21222 + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
21223 +- oparg = 1 << oparg;
21224 ++ oparg = 1U << (oparg & 0x1f);
21225 +
21226 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
21227 + return -EFAULT;
21228 +diff --git a/arch/frv/include/asm/timex.h b/arch/frv/include/asm/timex.h
21229 +index a89bddefdacf..139093fab326 100644
21230 +--- a/arch/frv/include/asm/timex.h
21231 ++++ b/arch/frv/include/asm/timex.h
21232 +@@ -16,5 +16,11 @@ static inline cycles_t get_cycles(void)
21233 + #define vxtime_lock() do {} while (0)
21234 + #define vxtime_unlock() do {} while (0)
21235 +
21236 ++/* This attribute is used in include/linux/jiffies.h alongside with
21237 ++ * __cacheline_aligned_in_smp. It is assumed that __cacheline_aligned_in_smp
21238 ++ * for frv does not contain another section specification.
21239 ++ */
21240 ++#define __jiffy_arch_data __attribute__((__section__(".data")))
21241 ++
21242 + #endif
21243 +
21244 +diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
21245 +index 29754aae5177..4268a78d8a5b 100644
21246 +--- a/arch/ia64/kernel/module.c
21247 ++++ b/arch/ia64/kernel/module.c
21248 +@@ -153,7 +153,7 @@ slot (const struct insn *insn)
21249 + static int
21250 + apply_imm64 (struct module *mod, struct insn *insn, uint64_t val)
21251 + {
21252 +- if (slot(insn) != 2) {
21253 ++ if (slot(insn) != 1 && slot(insn) != 2) {
21254 + printk(KERN_ERR "%s: invalid slot number %d for IMM64\n",
21255 + mod->name, slot(insn));
21256 + return 0;
21257 +@@ -165,7 +165,7 @@ apply_imm64 (struct module *mod, struct insn *insn, uint64_t val)
21258 + static int
21259 + apply_imm60 (struct module *mod, struct insn *insn, uint64_t val)
21260 + {
21261 +- if (slot(insn) != 2) {
21262 ++ if (slot(insn) != 1 && slot(insn) != 2) {
21263 + printk(KERN_ERR "%s: invalid slot number %d for IMM60\n",
21264 + mod->name, slot(insn));
21265 + return 0;
21266 +diff --git a/arch/mips/include/asm/kprobes.h b/arch/mips/include/asm/kprobes.h
21267 +index daba1f9a4f79..174aedce3167 100644
21268 +--- a/arch/mips/include/asm/kprobes.h
21269 ++++ b/arch/mips/include/asm/kprobes.h
21270 +@@ -40,7 +40,8 @@ typedef union mips_instruction kprobe_opcode_t;
21271 +
21272 + #define flush_insn_slot(p) \
21273 + do { \
21274 +- flush_icache_range((unsigned long)p->addr, \
21275 ++ if (p->addr) \
21276 ++ flush_icache_range((unsigned long)p->addr, \
21277 + (unsigned long)p->addr + \
21278 + (MAX_INSN_SIZE * sizeof(kprobe_opcode_t))); \
21279 + } while (0)
21280 +diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
21281 +index d477508450de..805b71ed5129 100644
21282 +--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
21283 ++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
21284 +@@ -1096,10 +1096,20 @@ repeat:
21285 + }
21286 + break;
21287 +
21288 +- case beql_op:
21289 +- case bnel_op:
21290 + case blezl_op:
21291 + case bgtzl_op:
21292 ++ /*
21293 ++ * For BLEZL and BGTZL, rt field must be set to 0. If this
21294 ++ * is not the case, this may be an encoding of a MIPS R6
21295 ++ * instruction, so return to CPU execution if this occurs
21296 ++ */
21297 ++ if (MIPSInst_RT(inst)) {
21298 ++ err = SIGILL;
21299 ++ break;
21300 ++ }
21301 ++ /* fall through */
21302 ++ case beql_op:
21303 ++ case bnel_op:
21304 + if (delay_slot(regs)) {
21305 + err = SIGILL;
21306 + break;
21307 +@@ -2329,6 +2339,8 @@ static int mipsr2_stats_clear_show(struct seq_file *s, void *unused)
21308 + __this_cpu_write((mipsr2bremustats).bgezl, 0);
21309 + __this_cpu_write((mipsr2bremustats).bltzll, 0);
21310 + __this_cpu_write((mipsr2bremustats).bgezll, 0);
21311 ++ __this_cpu_write((mipsr2bremustats).bltzall, 0);
21312 ++ __this_cpu_write((mipsr2bremustats).bgezall, 0);
21313 + __this_cpu_write((mipsr2bremustats).bltzal, 0);
21314 + __this_cpu_write((mipsr2bremustats).bgezal, 0);
21315 + __this_cpu_write((mipsr2bremustats).beql, 0);
21316 +diff --git a/arch/mips/lib/memset.S b/arch/mips/lib/memset.S
21317 +index b8e63fd00375..cda33475a481 100644
21318 +--- a/arch/mips/lib/memset.S
21319 ++++ b/arch/mips/lib/memset.S
21320 +@@ -218,7 +218,7 @@
21321 + 1: PTR_ADDIU a0, 1 /* fill bytewise */
21322 + R10KCBARRIER(0(ra))
21323 + bne t1, a0, 1b
21324 +- sb a1, -1(a0)
21325 ++ EX(sb, a1, -1(a0), .Lsmall_fixup\@)
21326 +
21327 + 2: jr ra /* done */
21328 + move a2, zero
21329 +@@ -249,13 +249,18 @@
21330 + PTR_L t0, TI_TASK($28)
21331 + andi a2, STORMASK
21332 + LONG_L t0, THREAD_BUADDR(t0)
21333 +- LONG_ADDU a2, t1
21334 ++ LONG_ADDU a2, a0
21335 + jr ra
21336 + LONG_SUBU a2, t0
21337 +
21338 + .Llast_fixup\@:
21339 + jr ra
21340 +- andi v1, a2, STORMASK
21341 ++ nop
21342 ++
21343 ++.Lsmall_fixup\@:
21344 ++ PTR_SUBU a2, t1, a0
21345 ++ jr ra
21346 ++ PTR_ADDIU a2, 1
21347 +
21348 + .endm
21349 +
21350 +diff --git a/arch/mips/mm/pgtable-32.c b/arch/mips/mm/pgtable-32.c
21351 +index adc6911ba748..b19a3c506b1e 100644
21352 +--- a/arch/mips/mm/pgtable-32.c
21353 ++++ b/arch/mips/mm/pgtable-32.c
21354 +@@ -51,15 +51,15 @@ void __init pagetable_init(void)
21355 + /*
21356 + * Fixed mappings:
21357 + */
21358 +- vaddr = __fix_to_virt(__end_of_fixed_addresses - 1) & PMD_MASK;
21359 +- fixrange_init(vaddr, vaddr + FIXADDR_SIZE, pgd_base);
21360 ++ vaddr = __fix_to_virt(__end_of_fixed_addresses - 1);
21361 ++ fixrange_init(vaddr & PMD_MASK, vaddr + FIXADDR_SIZE, pgd_base);
21362 +
21363 + #ifdef CONFIG_HIGHMEM
21364 + /*
21365 + * Permanent kmaps:
21366 + */
21367 + vaddr = PKMAP_BASE;
21368 +- fixrange_init(vaddr, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base);
21369 ++ fixrange_init(vaddr & PMD_MASK, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base);
21370 +
21371 + pgd = swapper_pg_dir + __pgd_offset(vaddr);
21372 + pud = pud_offset(pgd, vaddr);
21373 +diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
21374 +index d6d27d51d131..5cf32b77f128 100644
21375 +--- a/arch/mips/net/bpf_jit.c
21376 ++++ b/arch/mips/net/bpf_jit.c
21377 +@@ -562,7 +562,8 @@ static void save_bpf_jit_regs(struct jit_ctx *ctx, unsigned offset)
21378 + u32 sflags, tmp_flags;
21379 +
21380 + /* Adjust the stack pointer */
21381 +- emit_stack_offset(-align_sp(offset), ctx);
21382 ++ if (offset)
21383 ++ emit_stack_offset(-align_sp(offset), ctx);
21384 +
21385 + if (ctx->flags & SEEN_CALL) {
21386 + /* Argument save area */
21387 +@@ -641,7 +642,8 @@ static void restore_bpf_jit_regs(struct jit_ctx *ctx,
21388 + emit_load_stack_reg(r_ra, r_sp, real_off, ctx);
21389 +
21390 + /* Restore the sp and discard the scrach memory */
21391 +- emit_stack_offset(align_sp(offset), ctx);
21392 ++ if (offset)
21393 ++ emit_stack_offset(align_sp(offset), ctx);
21394 + }
21395 +
21396 + static unsigned int get_stack_depth(struct jit_ctx *ctx)
21397 +@@ -685,8 +687,14 @@ static void build_prologue(struct jit_ctx *ctx)
21398 + if (ctx->flags & SEEN_X)
21399 + emit_jit_reg_move(r_X, r_zero, ctx);
21400 +
21401 +- /* Do not leak kernel data to userspace */
21402 +- if (bpf_needs_clear_a(&ctx->skf->insns[0]))
21403 ++ /*
21404 ++ * Do not leak kernel data to userspace, we only need to clear
21405 ++ * r_A if it is ever used. In fact if it is never used, we
21406 ++ * will not save/restore it, so clearing it in this case would
21407 ++ * corrupt the state of the caller.
21408 ++ */
21409 ++ if (bpf_needs_clear_a(&ctx->skf->insns[0]) &&
21410 ++ (ctx->flags & SEEN_A))
21411 + emit_jit_reg_move(r_A, r_zero, ctx);
21412 + }
21413 +
21414 +diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
21415 +index dba508fe1683..4f7060ec6875 100644
21416 +--- a/arch/parisc/kernel/drivers.c
21417 ++++ b/arch/parisc/kernel/drivers.c
21418 +@@ -648,6 +648,10 @@ static int match_pci_device(struct device *dev, int index,
21419 + (modpath->mod == PCI_FUNC(devfn)));
21420 + }
21421 +
21422 ++ /* index might be out of bounds for bc[] */
21423 ++ if (index >= 6)
21424 ++ return 0;
21425 ++
21426 + id = PCI_SLOT(pdev->devfn) | (PCI_FUNC(pdev->devfn) << 5);
21427 + return (modpath->bc[index] == id);
21428 + }
21429 +diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h
21430 +index a3bf5be111ff..bedaf3e3c558 100644
21431 +--- a/arch/powerpc/include/asm/barrier.h
21432 ++++ b/arch/powerpc/include/asm/barrier.h
21433 +@@ -36,7 +36,8 @@
21434 +
21435 + #define set_mb(var, value) do { var = value; mb(); } while (0)
21436 +
21437 +-#ifdef __SUBARCH_HAS_LWSYNC
21438 ++/* The sub-arch has lwsync */
21439 ++#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC)
21440 + # define SMPWMB LWSYNC
21441 + #else
21442 + # define SMPWMB eieio
21443 +diff --git a/arch/powerpc/include/asm/opal.h b/arch/powerpc/include/asm/opal.h
21444 +index 042af1abfc4d..e1b164f4a8f0 100644
21445 +--- a/arch/powerpc/include/asm/opal.h
21446 ++++ b/arch/powerpc/include/asm/opal.h
21447 +@@ -21,6 +21,9 @@
21448 + /* We calculate number of sg entries based on PAGE_SIZE */
21449 + #define SG_ENTRIES_PER_NODE ((PAGE_SIZE - 16) / sizeof(struct opal_sg_entry))
21450 +
21451 ++/* Default time to sleep or delay between OPAL_BUSY/OPAL_BUSY_EVENT loops */
21452 ++#define OPAL_BUSY_DELAY_MS 10
21453 ++
21454 + /* /sys/firmware/opal */
21455 + extern struct kobject *opal_kobj;
21456 +
21457 +diff --git a/arch/powerpc/include/asm/synch.h b/arch/powerpc/include/asm/synch.h
21458 +index c50868681f9e..e8d6a842f4bb 100644
21459 +--- a/arch/powerpc/include/asm/synch.h
21460 ++++ b/arch/powerpc/include/asm/synch.h
21461 +@@ -5,10 +5,6 @@
21462 + #include <linux/stringify.h>
21463 + #include <asm/feature-fixups.h>
21464 +
21465 +-#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC)
21466 +-#define __SUBARCH_HAS_LWSYNC
21467 +-#endif
21468 +-
21469 + #ifndef __ASSEMBLY__
21470 + extern unsigned int __start___lwsync_fixup, __stop___lwsync_fixup;
21471 + extern void do_lwsync_fixups(unsigned long value, void *fixup_start,
21472 +diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
21473 +index c3e0420b8a42..a9fec93c2144 100644
21474 +--- a/arch/powerpc/kernel/eeh_pe.c
21475 ++++ b/arch/powerpc/kernel/eeh_pe.c
21476 +@@ -766,7 +766,8 @@ static void eeh_restore_bridge_bars(struct eeh_dev *edev)
21477 + eeh_ops->write_config(pdn, 15*4, 4, edev->config_space[15]);
21478 +
21479 + /* PCI Command: 0x4 */
21480 +- eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1]);
21481 ++ eeh_ops->write_config(pdn, PCI_COMMAND, 4, edev->config_space[1] |
21482 ++ PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
21483 +
21484 + /* Check the PCIe link is ready */
21485 + eeh_bridge_check_link(edev);
21486 +diff --git a/arch/powerpc/kernel/time.c b/arch/powerpc/kernel/time.c
21487 +index 56f44848b044..4094e9013c18 100644
21488 +--- a/arch/powerpc/kernel/time.c
21489 ++++ b/arch/powerpc/kernel/time.c
21490 +@@ -685,12 +685,20 @@ static int __init get_freq(char *name, int cells, unsigned long *val)
21491 + static void start_cpu_decrementer(void)
21492 + {
21493 + #if defined(CONFIG_BOOKE) || defined(CONFIG_40x)
21494 ++ unsigned int tcr;
21495 ++
21496 + /* Clear any pending timer interrupts */
21497 + mtspr(SPRN_TSR, TSR_ENW | TSR_WIS | TSR_DIS | TSR_FIS);
21498 +
21499 +- /* Enable decrementer interrupt */
21500 +- mtspr(SPRN_TCR, TCR_DIE);
21501 +-#endif /* defined(CONFIG_BOOKE) || defined(CONFIG_40x) */
21502 ++ tcr = mfspr(SPRN_TCR);
21503 ++ /*
21504 ++ * The watchdog may have already been enabled by u-boot. So leave
21505 ++ * TRC[WP] (Watchdog Period) alone.
21506 ++ */
21507 ++ tcr &= TCR_WP_MASK; /* Clear all bits except for TCR[WP] */
21508 ++ tcr |= TCR_DIE; /* Enable decrementer */
21509 ++ mtspr(SPRN_TCR, tcr);
21510 ++#endif
21511 + }
21512 +
21513 + void __init generic_calibrate_decr(void)
21514 +diff --git a/arch/powerpc/kvm/book3s_64_mmu_host.c b/arch/powerpc/kvm/book3s_64_mmu_host.c
21515 +index b982d925c710..c74c9c4134b5 100644
21516 +--- a/arch/powerpc/kvm/book3s_64_mmu_host.c
21517 ++++ b/arch/powerpc/kvm/book3s_64_mmu_host.c
21518 +@@ -176,12 +176,15 @@ map_again:
21519 + ret = ppc_md.hpte_insert(hpteg, vpn, hpaddr, rflags, vflags,
21520 + hpsize, hpsize, MMU_SEGSIZE_256M);
21521 +
21522 +- if (ret < 0) {
21523 ++ if (ret == -1) {
21524 + /* If we couldn't map a primary PTE, try a secondary */
21525 + hash = ~hash;
21526 + vflags ^= HPTE_V_SECONDARY;
21527 + attempt++;
21528 + goto map_again;
21529 ++ } else if (ret < 0) {
21530 ++ r = -EIO;
21531 ++ goto out_unlock;
21532 + } else {
21533 + trace_kvm_book3s_64_mmu_map(rflags, hpteg,
21534 + vpn, hpaddr, orig_pte);
21535 +diff --git a/arch/powerpc/kvm/book3s_pr.c b/arch/powerpc/kvm/book3s_pr.c
21536 +index f57383941d03..7e66365cd0c9 100644
21537 +--- a/arch/powerpc/kvm/book3s_pr.c
21538 ++++ b/arch/powerpc/kvm/book3s_pr.c
21539 +@@ -625,7 +625,11 @@ int kvmppc_handle_pagefault(struct kvm_run *run, struct kvm_vcpu *vcpu,
21540 + kvmppc_mmu_unmap_page(vcpu, &pte);
21541 + }
21542 + /* The guest's PTE is not mapped yet. Map on the host */
21543 +- kvmppc_mmu_map_page(vcpu, &pte, iswrite);
21544 ++ if (kvmppc_mmu_map_page(vcpu, &pte, iswrite) == -EIO) {
21545 ++ /* Exit KVM if mapping failed */
21546 ++ run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
21547 ++ return RESUME_HOST;
21548 ++ }
21549 + if (data)
21550 + vcpu->stat.sp_storage++;
21551 + else if (vcpu->arch.mmu.is_dcbz32(vcpu) &&
21552 +diff --git a/arch/powerpc/kvm/book3s_pr_papr.c b/arch/powerpc/kvm/book3s_pr_papr.c
21553 +index f2c75a1e0536..0d91baf63fed 100644
21554 +--- a/arch/powerpc/kvm/book3s_pr_papr.c
21555 ++++ b/arch/powerpc/kvm/book3s_pr_papr.c
21556 +@@ -50,7 +50,9 @@ static int kvmppc_h_pr_enter(struct kvm_vcpu *vcpu)
21557 + pteg_addr = get_pteg_addr(vcpu, pte_index);
21558 +
21559 + mutex_lock(&vcpu->kvm->arch.hpt_mutex);
21560 +- copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg));
21561 ++ ret = H_FUNCTION;
21562 ++ if (copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg)))
21563 ++ goto done;
21564 + hpte = pteg;
21565 +
21566 + ret = H_PTEG_FULL;
21567 +@@ -71,7 +73,9 @@ static int kvmppc_h_pr_enter(struct kvm_vcpu *vcpu)
21568 + hpte[0] = cpu_to_be64(kvmppc_get_gpr(vcpu, 6));
21569 + hpte[1] = cpu_to_be64(kvmppc_get_gpr(vcpu, 7));
21570 + pteg_addr += i * HPTE_SIZE;
21571 +- copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE);
21572 ++ ret = H_FUNCTION;
21573 ++ if (copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE))
21574 ++ goto done;
21575 + kvmppc_set_gpr(vcpu, 4, pte_index | i);
21576 + ret = H_SUCCESS;
21577 +
21578 +@@ -93,7 +97,9 @@ static int kvmppc_h_pr_remove(struct kvm_vcpu *vcpu)
21579 +
21580 + pteg = get_pteg_addr(vcpu, pte_index);
21581 + mutex_lock(&vcpu->kvm->arch.hpt_mutex);
21582 +- copy_from_user(pte, (void __user *)pteg, sizeof(pte));
21583 ++ ret = H_FUNCTION;
21584 ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte)))
21585 ++ goto done;
21586 + pte[0] = be64_to_cpu((__force __be64)pte[0]);
21587 + pte[1] = be64_to_cpu((__force __be64)pte[1]);
21588 +
21589 +@@ -103,7 +109,9 @@ static int kvmppc_h_pr_remove(struct kvm_vcpu *vcpu)
21590 + ((flags & H_ANDCOND) && (pte[0] & avpn) != 0))
21591 + goto done;
21592 +
21593 +- copy_to_user((void __user *)pteg, &v, sizeof(v));
21594 ++ ret = H_FUNCTION;
21595 ++ if (copy_to_user((void __user *)pteg, &v, sizeof(v)))
21596 ++ goto done;
21597 +
21598 + rb = compute_tlbie_rb(pte[0], pte[1], pte_index);
21599 + vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false);
21600 +@@ -171,7 +179,10 @@ static int kvmppc_h_pr_bulk_remove(struct kvm_vcpu *vcpu)
21601 + }
21602 +
21603 + pteg = get_pteg_addr(vcpu, tsh & H_BULK_REMOVE_PTEX);
21604 +- copy_from_user(pte, (void __user *)pteg, sizeof(pte));
21605 ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) {
21606 ++ ret = H_FUNCTION;
21607 ++ break;
21608 ++ }
21609 + pte[0] = be64_to_cpu((__force __be64)pte[0]);
21610 + pte[1] = be64_to_cpu((__force __be64)pte[1]);
21611 +
21612 +@@ -184,7 +195,10 @@ static int kvmppc_h_pr_bulk_remove(struct kvm_vcpu *vcpu)
21613 + tsh |= H_BULK_REMOVE_NOT_FOUND;
21614 + } else {
21615 + /* Splat the pteg in (userland) hpt */
21616 +- copy_to_user((void __user *)pteg, &v, sizeof(v));
21617 ++ if (copy_to_user((void __user *)pteg, &v, sizeof(v))) {
21618 ++ ret = H_FUNCTION;
21619 ++ break;
21620 ++ }
21621 +
21622 + rb = compute_tlbie_rb(pte[0], pte[1],
21623 + tsh & H_BULK_REMOVE_PTEX);
21624 +@@ -211,7 +225,9 @@ static int kvmppc_h_pr_protect(struct kvm_vcpu *vcpu)
21625 +
21626 + pteg = get_pteg_addr(vcpu, pte_index);
21627 + mutex_lock(&vcpu->kvm->arch.hpt_mutex);
21628 +- copy_from_user(pte, (void __user *)pteg, sizeof(pte));
21629 ++ ret = H_FUNCTION;
21630 ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte)))
21631 ++ goto done;
21632 + pte[0] = be64_to_cpu((__force __be64)pte[0]);
21633 + pte[1] = be64_to_cpu((__force __be64)pte[1]);
21634 +
21635 +@@ -234,7 +250,9 @@ static int kvmppc_h_pr_protect(struct kvm_vcpu *vcpu)
21636 + vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false);
21637 + pte[0] = (__force u64)cpu_to_be64(pte[0]);
21638 + pte[1] = (__force u64)cpu_to_be64(pte[1]);
21639 +- copy_to_user((void __user *)pteg, pte, sizeof(pte));
21640 ++ ret = H_FUNCTION;
21641 ++ if (copy_to_user((void __user *)pteg, pte, sizeof(pte)))
21642 ++ goto done;
21643 + ret = H_SUCCESS;
21644 +
21645 + done:
21646 +diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
21647 +index b396868d2aa7..f962209a6037 100644
21648 +--- a/arch/powerpc/mm/fault.c
21649 ++++ b/arch/powerpc/mm/fault.c
21650 +@@ -293,7 +293,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address,
21651 + * can result in fault, which will cause a deadlock when called with
21652 + * mmap_sem held
21653 + */
21654 +- if (user_mode(regs))
21655 ++ if (!is_exec && user_mode(regs))
21656 + store_update_sp = store_updates_sp(regs);
21657 +
21658 + if (user_mode(regs))
21659 +diff --git a/arch/powerpc/platforms/cell/spufs/coredump.c b/arch/powerpc/platforms/cell/spufs/coredump.c
21660 +index be6212ddbf06..7e42e3ec2142 100644
21661 +--- a/arch/powerpc/platforms/cell/spufs/coredump.c
21662 ++++ b/arch/powerpc/platforms/cell/spufs/coredump.c
21663 +@@ -174,6 +174,8 @@ static int spufs_arch_write_note(struct spu_context *ctx, int i,
21664 + if (!dump_skip(cprm,
21665 + roundup(cprm->written - total + sz, 4) - cprm->written))
21666 + goto Eio;
21667 ++
21668 ++ rc = 0;
21669 + out:
21670 + free_page((unsigned long)buf);
21671 + return rc;
21672 +diff --git a/arch/powerpc/platforms/powernv/opal-nvram.c b/arch/powerpc/platforms/powernv/opal-nvram.c
21673 +index 9db4398ded5d..1bceb95f422d 100644
21674 +--- a/arch/powerpc/platforms/powernv/opal-nvram.c
21675 ++++ b/arch/powerpc/platforms/powernv/opal-nvram.c
21676 +@@ -11,6 +11,7 @@
21677 +
21678 + #define DEBUG
21679 +
21680 ++#include <linux/delay.h>
21681 + #include <linux/kernel.h>
21682 + #include <linux/init.h>
21683 + #include <linux/of.h>
21684 +@@ -56,9 +57,17 @@ static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index)
21685 +
21686 + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) {
21687 + rc = opal_write_nvram(__pa(buf), count, off);
21688 +- if (rc == OPAL_BUSY_EVENT)
21689 ++ if (rc == OPAL_BUSY_EVENT) {
21690 ++ msleep(OPAL_BUSY_DELAY_MS);
21691 + opal_poll_events(NULL);
21692 ++ } else if (rc == OPAL_BUSY) {
21693 ++ msleep(OPAL_BUSY_DELAY_MS);
21694 ++ }
21695 + }
21696 ++
21697 ++ if (rc)
21698 ++ return -EIO;
21699 ++
21700 + *index += count;
21701 + return count;
21702 + }
21703 +diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c
21704 +index 2eeb0a0f506d..8e40530fd39c 100644
21705 +--- a/arch/s390/hypfs/inode.c
21706 ++++ b/arch/s390/hypfs/inode.c
21707 +@@ -323,7 +323,7 @@ static void hypfs_kill_super(struct super_block *sb)
21708 +
21709 + if (sb->s_root)
21710 + hypfs_delete_tree(sb->s_root);
21711 +- if (sb_info->update_file)
21712 ++ if (sb_info && sb_info->update_file)
21713 + hypfs_remove(sb_info->update_file);
21714 + kfree(sb->s_fs_info);
21715 + sb->s_fs_info = NULL;
21716 +diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c
21717 +index 7963c6aa1196..09548603d782 100644
21718 +--- a/arch/s390/kernel/ipl.c
21719 ++++ b/arch/s390/kernel/ipl.c
21720 +@@ -770,6 +770,7 @@ static ssize_t reipl_generic_loadparm_store(struct ipl_parameter_block *ipb,
21721 + /* copy and convert to ebcdic */
21722 + memcpy(ipb->hdr.loadparm, buf, lp_len);
21723 + ASCEBC(ipb->hdr.loadparm, LOADPARM_LEN);
21724 ++ ipb->hdr.flags |= DIAG308_FLAGS_LP_VALID;
21725 + return len;
21726 + }
21727 +
21728 +diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
21729 +index 445657fe658c..6c553f6e791a 100644
21730 +--- a/arch/s390/kernel/vmlinux.lds.S
21731 ++++ b/arch/s390/kernel/vmlinux.lds.S
21732 +@@ -21,8 +21,14 @@ SECTIONS
21733 + {
21734 + . = 0x00000000;
21735 + .text : {
21736 +- _text = .; /* Text and read-only data */
21737 ++ /* Text and read-only data */
21738 + HEAD_TEXT
21739 ++ /*
21740 ++ * E.g. perf doesn't like symbols starting at address zero,
21741 ++ * therefore skip the initial PSW and channel program located
21742 ++ * at address zero and let _text start at 0x200.
21743 ++ */
21744 ++ _text = 0x200;
21745 + TEXT_TEXT
21746 + SCHED_TEXT
21747 + LOCK_TEXT
21748 +diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c
21749 +index 7d3ca30fcd15..00e6b6c1dd79 100644
21750 +--- a/arch/sparc/kernel/ldc.c
21751 ++++ b/arch/sparc/kernel/ldc.c
21752 +@@ -1733,9 +1733,14 @@ static int read_nonraw(struct ldc_channel *lp, void *buf, unsigned int size)
21753 +
21754 + lp->rcv_nxt = p->seqid;
21755 +
21756 ++ /*
21757 ++ * If this is a control-only packet, there is nothing
21758 ++ * else to do but advance the rx queue since the packet
21759 ++ * was already processed above.
21760 ++ */
21761 + if (!(p->type & LDC_DATA)) {
21762 + new = rx_advance(lp, new);
21763 +- goto no_data;
21764 ++ break;
21765 + }
21766 + if (p->stype & (LDC_ACK | LDC_NACK)) {
21767 + err = data_ack_nack(lp, p);
21768 +diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c
21769 +index 7b605e4dfffa..2ac6a7e5a179 100644
21770 +--- a/arch/um/os-Linux/signal.c
21771 ++++ b/arch/um/os-Linux/signal.c
21772 +@@ -135,7 +135,7 @@ static void (*handlers[_NSIG])(int sig, struct siginfo *si, mcontext_t *mc) = {
21773 +
21774 + static void hard_handler(int sig, siginfo_t *si, void *p)
21775 + {
21776 +- struct ucontext *uc = p;
21777 ++ ucontext_t *uc = p;
21778 + mcontext_t *mc = &uc->uc_mcontext;
21779 + unsigned long pending = 1UL << sig;
21780 +
21781 +diff --git a/arch/x86/Makefile b/arch/x86/Makefile
21782 +index 2fda005bb334..696c82f9035d 100644
21783 +--- a/arch/x86/Makefile
21784 ++++ b/arch/x86/Makefile
21785 +@@ -158,6 +158,15 @@ KBUILD_CFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr)
21786 +
21787 + LDFLAGS := -m elf_$(UTS_MACHINE)
21788 +
21789 ++#
21790 ++# The 64-bit kernel must be aligned to 2MB. Pass -z max-page-size=0x200000 to
21791 ++# the linker to force 2MB page size regardless of the default page size used
21792 ++# by the linker.
21793 ++#
21794 ++ifdef CONFIG_X86_64
21795 ++LDFLAGS += $(call ld-option, -z max-page-size=0x200000)
21796 ++endif
21797 ++
21798 + # Speed up the build
21799 + KBUILD_CFLAGS += -pipe
21800 + # Workaround for a gcc prelease that unfortunately was shipped in a suse release
21801 +diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
21802 +index e28437e0f708..fc48e8e11a95 100644
21803 +--- a/arch/x86/boot/compressed/misc.c
21804 ++++ b/arch/x86/boot/compressed/misc.c
21805 +@@ -349,6 +349,10 @@ static void parse_elf(void *output)
21806 +
21807 + switch (phdr->p_type) {
21808 + case PT_LOAD:
21809 ++#ifdef CONFIG_X86_64
21810 ++ if ((phdr->p_align % 0x200000) != 0)
21811 ++ error("Alignment of LOAD segment isn't multiple of 2MB");
21812 ++#endif
21813 + #ifdef CONFIG_RELOCATABLE
21814 + dest = output;
21815 + dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
21816 +diff --git a/arch/x86/crypto/cast5_avx_glue.c b/arch/x86/crypto/cast5_avx_glue.c
21817 +index 236c80974457..75385fcf1074 100644
21818 +--- a/arch/x86/crypto/cast5_avx_glue.c
21819 ++++ b/arch/x86/crypto/cast5_avx_glue.c
21820 +@@ -67,8 +67,6 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct blkcipher_walk *walk,
21821 + void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src);
21822 + int err;
21823 +
21824 +- fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
21825 +-
21826 + err = blkcipher_walk_virt(desc, walk);
21827 + desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
21828 +
21829 +@@ -80,6 +78,7 @@ static int ecb_crypt(struct blkcipher_desc *desc, struct blkcipher_walk *walk,
21830 +
21831 + /* Process multi-block batch */
21832 + if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) {
21833 ++ fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way;
21834 + do {
21835 + fn(ctx, wdst, wsrc);
21836 +
21837 +diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
21838 +index da772edd19ab..b1965b6bbd68 100644
21839 +--- a/arch/x86/include/asm/vmx.h
21840 ++++ b/arch/x86/include/asm/vmx.h
21841 +@@ -306,6 +306,7 @@ enum vmcs_field {
21842 + #define INTR_TYPE_NMI_INTR (2 << 8) /* NMI */
21843 + #define INTR_TYPE_HARD_EXCEPTION (3 << 8) /* processor exception */
21844 + #define INTR_TYPE_SOFT_INTR (4 << 8) /* software interrupt */
21845 ++#define INTR_TYPE_PRIV_SW_EXCEPTION (5 << 8) /* ICE breakpoint - undocumented */
21846 + #define INTR_TYPE_SOFT_EXCEPTION (6 << 8) /* software exception */
21847 +
21848 + /* GUEST_INTERRUPTIBILITY_INFO flags. */
21849 +diff --git a/arch/x86/include/uapi/asm/msr-index.h b/arch/x86/include/uapi/asm/msr-index.h
21850 +index 06b407f79b24..da43f226e5a2 100644
21851 +--- a/arch/x86/include/uapi/asm/msr-index.h
21852 ++++ b/arch/x86/include/uapi/asm/msr-index.h
21853 +@@ -307,6 +307,9 @@
21854 + #define FAM10H_MMIO_CONF_BASE_MASK 0xfffffffULL
21855 + #define FAM10H_MMIO_CONF_BASE_SHIFT 20
21856 + #define MSR_FAM10H_NODE_ID 0xc001100c
21857 ++#define MSR_F10H_DECFG 0xc0011029
21858 ++#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT 1
21859 ++#define MSR_F10H_DECFG_LFENCE_SERIALIZE BIT_ULL(MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT)
21860 +
21861 + /* K8 MSRs */
21862 + #define MSR_K8_TOP_MEM1 0xc001001a
21863 +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
21864 +index c6c4248ab138..1d64ba0c9496 100644
21865 +--- a/arch/x86/kernel/cpu/amd.c
21866 ++++ b/arch/x86/kernel/cpu/amd.c
21867 +@@ -712,8 +712,32 @@ static void init_amd(struct cpuinfo_x86 *c)
21868 + set_cpu_cap(c, X86_FEATURE_K8);
21869 +
21870 + if (cpu_has_xmm2) {
21871 +- /* MFENCE stops RDTSC speculation */
21872 +- set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
21873 ++ unsigned long long val;
21874 ++ int ret;
21875 ++
21876 ++ /*
21877 ++ * A serializing LFENCE has less overhead than MFENCE, so
21878 ++ * use it for execution serialization. On families which
21879 ++ * don't have that MSR, LFENCE is already serializing.
21880 ++ * msr_set_bit() uses the safe accessors, too, even if the MSR
21881 ++ * is not present.
21882 ++ */
21883 ++ msr_set_bit(MSR_F10H_DECFG,
21884 ++ MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
21885 ++
21886 ++ /*
21887 ++ * Verify that the MSR write was successful (could be running
21888 ++ * under a hypervisor) and only then assume that LFENCE is
21889 ++ * serializing.
21890 ++ */
21891 ++ ret = rdmsrl_safe(MSR_F10H_DECFG, &val);
21892 ++ if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) {
21893 ++ /* A serializing LFENCE stops RDTSC speculation */
21894 ++ set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);
21895 ++ } else {
21896 ++ /* MFENCE stops RDTSC speculation */
21897 ++ set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
21898 ++ }
21899 + }
21900 +
21901 + /*
21902 +diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
21903 +index 185ebd2c0c3c..5d77df85c529 100644
21904 +--- a/arch/x86/kernel/cpu/perf_event_intel.c
21905 ++++ b/arch/x86/kernel/cpu/perf_event_intel.c
21906 +@@ -2493,7 +2493,7 @@ static unsigned bdw_limit_period(struct perf_event *event, unsigned left)
21907 + X86_CONFIG(.event=0xc0, .umask=0x01)) {
21908 + if (left < 128)
21909 + left = 128;
21910 +- left &= ~0x3fu;
21911 ++ left &= ~0x3fULL;
21912 + }
21913 + return left;
21914 + }
21915 +diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
21916 +index e7cc5370cd2f..6c7e7986939a 100644
21917 +--- a/arch/x86/kernel/i8259.c
21918 ++++ b/arch/x86/kernel/i8259.c
21919 +@@ -405,6 +405,7 @@ struct legacy_pic default_legacy_pic = {
21920 + };
21921 +
21922 + struct legacy_pic *legacy_pic = &default_legacy_pic;
21923 ++EXPORT_SYMBOL(legacy_pic);
21924 +
21925 + static int __init i8259A_init_ops(void)
21926 + {
21927 +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
21928 +index 228c233a2f36..106d4ac16a43 100644
21929 +--- a/arch/x86/kernel/kprobes/core.c
21930 ++++ b/arch/x86/kernel/kprobes/core.c
21931 +@@ -49,6 +49,7 @@
21932 + #include <linux/kdebug.h>
21933 + #include <linux/kallsyms.h>
21934 + #include <linux/ftrace.h>
21935 ++#include <linux/moduleloader.h>
21936 +
21937 + #include <asm/cacheflush.h>
21938 + #include <asm/desc.h>
21939 +@@ -196,6 +197,8 @@ retry:
21940 + return (opcode != 0x62 && opcode != 0x67);
21941 + case 0x70:
21942 + return 0; /* can't boost conditional jump */
21943 ++ case 0x90:
21944 ++ return opcode != 0x9a; /* can't boost call far */
21945 + case 0xc0:
21946 + /* can't boost software-interruptions */
21947 + return (0xc1 < opcode && opcode < 0xcc) || opcode == 0xcf;
21948 +@@ -400,10 +403,20 @@ int __copy_instruction(u8 *dest, u8 *src)
21949 + return length;
21950 + }
21951 +
21952 ++/* Recover page to RW mode before releasing it */
21953 ++void free_insn_page(void *page)
21954 ++{
21955 ++ set_memory_nx((unsigned long)page & PAGE_MASK, 1);
21956 ++ set_memory_rw((unsigned long)page & PAGE_MASK, 1);
21957 ++ module_memfree(page);
21958 ++}
21959 ++
21960 + static int arch_copy_kprobe(struct kprobe *p)
21961 + {
21962 + int ret;
21963 +
21964 ++ set_memory_rw((unsigned long)p->ainsn.insn & PAGE_MASK, 1);
21965 ++
21966 + /* Copy an instruction with recovering if other optprobe modifies it.*/
21967 + ret = __copy_instruction(p->ainsn.insn, p->addr);
21968 + if (!ret)
21969 +@@ -418,6 +431,8 @@ static int arch_copy_kprobe(struct kprobe *p)
21970 + else
21971 + p->ainsn.boostable = -1;
21972 +
21973 ++ set_memory_ro((unsigned long)p->ainsn.insn & PAGE_MASK, 1);
21974 ++
21975 + /* Check whether the instruction modifies Interrupt Flag or not */
21976 + p->ainsn.if_modifier = is_IF_modifier(p->ainsn.insn);
21977 +
21978 +diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
21979 +index c9d488f3e4cd..085415d88326 100644
21980 +--- a/arch/x86/kernel/kprobes/opt.c
21981 ++++ b/arch/x86/kernel/kprobes/opt.c
21982 +@@ -349,6 +349,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
21983 + }
21984 +
21985 + buf = (u8 *)op->optinsn.insn;
21986 ++ set_memory_rw((unsigned long)buf & PAGE_MASK, 1);
21987 +
21988 + /* Copy instructions into the out-of-line buffer */
21989 + ret = copy_optimized_instructions(buf + TMPL_END_IDX, op->kp.addr);
21990 +@@ -371,6 +372,8 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
21991 + synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
21992 + (u8 *)op->kp.addr + op->optinsn.size);
21993 +
21994 ++ set_memory_ro((unsigned long)buf & PAGE_MASK, 1);
21995 ++
21996 + flush_icache_range((unsigned long) buf,
21997 + (unsigned long) buf + TMPL_END_IDX +
21998 + op->optinsn.size + RELATIVEJUMP_SIZE);
21999 +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
22000 +index f6911cc90a81..a92919864e04 100644
22001 +--- a/arch/x86/kernel/smpboot.c
22002 ++++ b/arch/x86/kernel/smpboot.c
22003 +@@ -1400,6 +1400,8 @@ static inline void mwait_play_dead(void)
22004 + void *mwait_ptr;
22005 + int i;
22006 +
22007 ++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
22008 ++ return;
22009 + if (!this_cpu_has(X86_FEATURE_MWAIT))
22010 + return;
22011 + if (!this_cpu_has(X86_FEATURE_CLFLUSH))
22012 +diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
22013 +index 21187ebee7d0..8fdcdbf5f309 100644
22014 +--- a/arch/x86/kernel/tsc.c
22015 ++++ b/arch/x86/kernel/tsc.c
22016 +@@ -356,6 +356,8 @@ static int __init tsc_setup(char *str)
22017 + tsc_clocksource_reliable = 1;
22018 + if (!strncmp(str, "noirqtime", 9))
22019 + no_sched_irq_time = 1;
22020 ++ if (!strcmp(str, "unstable"))
22021 ++ mark_tsc_unstable("boot parameter");
22022 + return 1;
22023 + }
22024 +
22025 +@@ -397,7 +399,7 @@ static unsigned long calc_hpet_ref(u64 deltatsc, u64 hpet1, u64 hpet2)
22026 + hpet2 -= hpet1;
22027 + tmp = ((u64)hpet2 * hpet_readl(HPET_PERIOD));
22028 + do_div(tmp, 1000000);
22029 +- do_div(deltatsc, tmp);
22030 ++ deltatsc = div64_u64(deltatsc, tmp);
22031 +
22032 + return (unsigned long) deltatsc;
22033 + }
22034 +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
22035 +index 6b87d8bcdcdd..28d48339af32 100644
22036 +--- a/arch/x86/kvm/svm.c
22037 ++++ b/arch/x86/kvm/svm.c
22038 +@@ -1470,6 +1470,7 @@ static void svm_get_segment(struct kvm_vcpu *vcpu,
22039 + */
22040 + if (var->unusable)
22041 + var->db = 0;
22042 ++ /* This is symmetric with svm_set_segment() */
22043 + var->dpl = to_svm(vcpu)->vmcb->save.cpl;
22044 + break;
22045 + }
22046 +@@ -1614,18 +1615,14 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
22047 + s->base = var->base;
22048 + s->limit = var->limit;
22049 + s->selector = var->selector;
22050 +- if (var->unusable)
22051 +- s->attrib = 0;
22052 +- else {
22053 +- s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
22054 +- s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
22055 +- s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
22056 +- s->attrib |= (var->present & 1) << SVM_SELECTOR_P_SHIFT;
22057 +- s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
22058 +- s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
22059 +- s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
22060 +- s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
22061 +- }
22062 ++ s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK);
22063 ++ s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT;
22064 ++ s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT;
22065 ++ s->attrib |= ((var->present & 1) && !var->unusable) << SVM_SELECTOR_P_SHIFT;
22066 ++ s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT;
22067 ++ s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT;
22068 ++ s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT;
22069 ++ s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT;
22070 +
22071 + /*
22072 + * This is always accurate, except if SYSRET returned to a segment
22073 +@@ -1634,7 +1631,8 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
22074 + * would entail passing the CPL to userspace and back.
22075 + */
22076 + if (seg == VCPU_SREG_SS)
22077 +- svm->vmcb->save.cpl = (s->attrib >> SVM_SELECTOR_DPL_SHIFT) & 3;
22078 ++ /* This is symmetric with svm_get_segment() */
22079 ++ svm->vmcb->save.cpl = (var->dpl & 3);
22080 +
22081 + mark_dirty(svm->vmcb, VMCB_SEG);
22082 + }
22083 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
22084 +index ffd5502dd215..67f2d8e44fda 100644
22085 +--- a/arch/x86/kvm/vmx.c
22086 ++++ b/arch/x86/kvm/vmx.c
22087 +@@ -942,6 +942,13 @@ static inline bool is_machine_check(u32 intr_info)
22088 + (INTR_TYPE_HARD_EXCEPTION | MC_VECTOR | INTR_INFO_VALID_MASK);
22089 + }
22090 +
22091 ++/* Undocumented: icebp/int1 */
22092 ++static inline bool is_icebp(u32 intr_info)
22093 ++{
22094 ++ return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
22095 ++ == (INTR_TYPE_PRIV_SW_EXCEPTION | INTR_INFO_VALID_MASK);
22096 ++}
22097 ++
22098 + static inline bool cpu_has_vmx_msr_bitmap(void)
22099 + {
22100 + return vmcs_config.cpu_based_exec_ctrl & CPU_BASED_USE_MSR_BITMAPS;
22101 +@@ -5151,7 +5158,7 @@ static int handle_exception(struct kvm_vcpu *vcpu)
22102 + (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))) {
22103 + vcpu->arch.dr6 &= ~15;
22104 + vcpu->arch.dr6 |= dr6 | DR6_RTM;
22105 +- if (!(dr6 & ~DR6_RESERVED)) /* icebp */
22106 ++ if (is_icebp(intr_info))
22107 + skip_emulated_instruction(vcpu);
22108 +
22109 + kvm_queue_exception(vcpu, DB_VECTOR);
22110 +@@ -7417,11 +7424,13 @@ static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu,
22111 + {
22112 + unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
22113 + int cr = exit_qualification & 15;
22114 +- int reg = (exit_qualification >> 8) & 15;
22115 +- unsigned long val = kvm_register_readl(vcpu, reg);
22116 ++ int reg;
22117 ++ unsigned long val;
22118 +
22119 + switch ((exit_qualification >> 4) & 3) {
22120 + case 0: /* mov to cr */
22121 ++ reg = (exit_qualification >> 8) & 15;
22122 ++ val = kvm_register_readl(vcpu, reg);
22123 + switch (cr) {
22124 + case 0:
22125 + if (vmcs12->cr0_guest_host_mask &
22126 +@@ -7476,6 +7485,7 @@ static bool nested_vmx_exit_handled_cr(struct kvm_vcpu *vcpu,
22127 + * lmsw can change bits 1..3 of cr0, and only set bit 0 of
22128 + * cr0. Other attempted changes are ignored, with no exit.
22129 + */
22130 ++ val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f;
22131 + if (vmcs12->cr0_guest_host_mask & 0xe &
22132 + (val ^ vmcs12->cr0_read_shadow))
22133 + return true;
22134 +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
22135 +index 27bc31f0da52..f6ca8a0d14ee 100644
22136 +--- a/arch/x86/mm/fault.c
22137 ++++ b/arch/x86/mm/fault.c
22138 +@@ -285,7 +285,7 @@ static noinline int vmalloc_fault(unsigned long address)
22139 + if (!pmd_k)
22140 + return -1;
22141 +
22142 +- if (pmd_huge(*pmd_k))
22143 ++ if (pmd_large(*pmd_k))
22144 + return 0;
22145 +
22146 + pte_k = pte_offset_kernel(pmd_k, address);
22147 +@@ -403,7 +403,7 @@ static noinline int vmalloc_fault(unsigned long address)
22148 + if (pud_none(*pud) || pud_pfn(*pud) != pud_pfn(*pud_ref))
22149 + BUG();
22150 +
22151 +- if (pud_huge(*pud))
22152 ++ if (pud_large(*pud))
22153 + return 0;
22154 +
22155 + pmd = pmd_offset(pud, address);
22156 +@@ -414,7 +414,7 @@ static noinline int vmalloc_fault(unsigned long address)
22157 + if (pmd_none(*pmd) || pmd_pfn(*pmd) != pmd_pfn(*pmd_ref))
22158 + BUG();
22159 +
22160 +- if (pmd_huge(*pmd))
22161 ++ if (pmd_large(*pmd))
22162 + return 0;
22163 +
22164 + pte_ref = pte_offset_kernel(pmd_ref, address);
22165 +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
22166 +index ddeff4844a10..31657a66e3fd 100644
22167 +--- a/arch/x86/net/bpf_jit_comp.c
22168 ++++ b/arch/x86/net/bpf_jit_comp.c
22169 +@@ -971,7 +971,7 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
22170 + * may converge on the last pass. In such case do one more
22171 + * pass to emit the final image
22172 + */
22173 +- for (pass = 0; pass < 10 || image; pass++) {
22174 ++ for (pass = 0; pass < 20 || image; pass++) {
22175 + proglen = do_jit(prog, addrs, image, oldproglen, &ctx);
22176 + if (proglen <= 0) {
22177 + image = NULL;
22178 +@@ -994,6 +994,7 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
22179 + goto out;
22180 + }
22181 + oldproglen = proglen;
22182 ++ cond_resched();
22183 + }
22184 +
22185 + if (bpf_jit_enable > 1)
22186 +diff --git a/arch/x86/um/stub_segv.c b/arch/x86/um/stub_segv.c
22187 +index 1518d2805ae8..fd6825537b97 100644
22188 +--- a/arch/x86/um/stub_segv.c
22189 ++++ b/arch/x86/um/stub_segv.c
22190 +@@ -10,7 +10,7 @@
22191 + void __attribute__ ((__section__ (".__syscall_stub")))
22192 + stub_segv_handler(int sig, siginfo_t *info, void *p)
22193 + {
22194 +- struct ucontext *uc = p;
22195 ++ ucontext_t *uc = p;
22196 +
22197 + GET_FAULTINFO_FROM_MC(*((struct faultinfo *) STUB_DATA),
22198 + &uc->uc_mcontext);
22199 +diff --git a/block/bio-integrity.c b/block/bio-integrity.c
22200 +index 39ce74d10e2b..21978fcd877a 100644
22201 +--- a/block/bio-integrity.c
22202 ++++ b/block/bio-integrity.c
22203 +@@ -165,6 +165,9 @@ bool bio_integrity_enabled(struct bio *bio)
22204 + if (!bio_is_rw(bio))
22205 + return false;
22206 +
22207 ++ if (!bio_sectors(bio))
22208 ++ return false;
22209 ++
22210 + /* Already protected? */
22211 + if (bio_integrity(bio))
22212 + return false;
22213 +diff --git a/block/blk-mq.c b/block/blk-mq.c
22214 +index 2dc1fd6c5bdb..0145b2ceafae 100644
22215 +--- a/block/blk-mq.c
22216 ++++ b/block/blk-mq.c
22217 +@@ -1607,7 +1607,8 @@ static void blk_mq_exit_hctx(struct request_queue *q,
22218 + {
22219 + unsigned flush_start_tag = set->queue_depth;
22220 +
22221 +- blk_mq_tag_idle(hctx);
22222 ++ if (blk_mq_hw_queue_mapped(hctx))
22223 ++ blk_mq_tag_idle(hctx);
22224 +
22225 + if (set->ops->exit_request)
22226 + set->ops->exit_request(set->driver_data,
22227 +diff --git a/block/blk-throttle.c b/block/blk-throttle.c
22228 +index 5b9c6d5c3636..fd51c8be247d 100644
22229 +--- a/block/blk-throttle.c
22230 ++++ b/block/blk-throttle.c
22231 +@@ -648,6 +648,17 @@ static void throtl_dequeue_tg(struct throtl_grp *tg)
22232 + static void throtl_schedule_pending_timer(struct throtl_service_queue *sq,
22233 + unsigned long expires)
22234 + {
22235 ++ unsigned long max_expire = jiffies + 8 * throtl_slice;
22236 ++
22237 ++ /*
22238 ++ * Since we are adjusting the throttle limit dynamically, the sleep
22239 ++ * time calculated according to previous limit might be invalid. It's
22240 ++ * possible the cgroup sleep time is very long and no other cgroups
22241 ++ * have IO running so notify the limit changes. Make sure the cgroup
22242 ++ * doesn't sleep too long to avoid the missed notification.
22243 ++ */
22244 ++ if (time_after(expires, max_expire))
22245 ++ expires = max_expire;
22246 + mod_timer(&sq->pending_timer, expires);
22247 + throtl_log(sq, "schedule timer. delay=%lu jiffies=%lu",
22248 + expires - jiffies, jiffies);
22249 +diff --git a/block/partition-generic.c b/block/partition-generic.c
22250 +index 0d9e5f97f0a8..94de2055365e 100644
22251 +--- a/block/partition-generic.c
22252 ++++ b/block/partition-generic.c
22253 +@@ -309,8 +309,10 @@ struct hd_struct *add_partition(struct gendisk *disk, int partno,
22254 +
22255 + if (info) {
22256 + struct partition_meta_info *pinfo = alloc_part_info(disk);
22257 +- if (!pinfo)
22258 ++ if (!pinfo) {
22259 ++ err = -ENOMEM;
22260 + goto out_free_stats;
22261 ++ }
22262 + memcpy(pinfo, info, sizeof(*info));
22263 + p->info = pinfo;
22264 + }
22265 +diff --git a/block/partitions/msdos.c b/block/partitions/msdos.c
22266 +index 5610cd537da7..7d8d50c11ce7 100644
22267 +--- a/block/partitions/msdos.c
22268 ++++ b/block/partitions/msdos.c
22269 +@@ -300,7 +300,9 @@ static void parse_bsd(struct parsed_partitions *state,
22270 + continue;
22271 + bsd_start = le32_to_cpu(p->p_offset);
22272 + bsd_size = le32_to_cpu(p->p_size);
22273 +- if (memcmp(flavour, "bsd\0", 4) == 0)
22274 ++ /* FreeBSD has relative offset if C partition offset is zero */
22275 ++ if (memcmp(flavour, "bsd\0", 4) == 0 &&
22276 ++ le32_to_cpu(l->d_partitions[2].p_offset) == 0)
22277 + bsd_start += offset;
22278 + if (offset == bsd_start && size == bsd_size)
22279 + /* full parent partition, we have it already */
22280 +diff --git a/crypto/ahash.c b/crypto/ahash.c
22281 +index 7006dbfd39bd..6978ad86e516 100644
22282 +--- a/crypto/ahash.c
22283 ++++ b/crypto/ahash.c
22284 +@@ -91,13 +91,14 @@ int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err)
22285 +
22286 + if (nbytes && walk->offset & alignmask && !err) {
22287 + walk->offset = ALIGN(walk->offset, alignmask + 1);
22288 +- walk->data += walk->offset;
22289 +-
22290 + nbytes = min(nbytes,
22291 + ((unsigned int)(PAGE_SIZE)) - walk->offset);
22292 + walk->entrylen -= nbytes;
22293 +
22294 +- return nbytes;
22295 ++ if (nbytes) {
22296 ++ walk->data += walk->offset;
22297 ++ return nbytes;
22298 ++ }
22299 + }
22300 +
22301 + if (walk->flags & CRYPTO_ALG_ASYNC)
22302 +diff --git a/crypto/async_tx/async_pq.c b/crypto/async_tx/async_pq.c
22303 +index 5d355e0c2633..f3c4f0cd62dd 100644
22304 +--- a/crypto/async_tx/async_pq.c
22305 ++++ b/crypto/async_tx/async_pq.c
22306 +@@ -62,9 +62,6 @@ do_async_gen_syndrome(struct dma_chan *chan,
22307 + dma_addr_t dma_dest[2];
22308 + int src_off = 0;
22309 +
22310 +- if (submit->flags & ASYNC_TX_FENCE)
22311 +- dma_flags |= DMA_PREP_FENCE;
22312 +-
22313 + while (src_cnt > 0) {
22314 + submit->flags = flags_orig;
22315 + pq_src_cnt = min(src_cnt, dma_maxpq(dma, dma_flags));
22316 +@@ -83,6 +80,8 @@ do_async_gen_syndrome(struct dma_chan *chan,
22317 + if (cb_fn_orig)
22318 + dma_flags |= DMA_PREP_INTERRUPT;
22319 + }
22320 ++ if (submit->flags & ASYNC_TX_FENCE)
22321 ++ dma_flags |= DMA_PREP_FENCE;
22322 +
22323 + /* Drivers force forward progress in case they can not provide
22324 + * a descriptor
22325 +diff --git a/drivers/acpi/acpica/evxfevnt.c b/drivers/acpi/acpica/evxfevnt.c
22326 +index faad911d46b5..fe425951b2d1 100644
22327 +--- a/drivers/acpi/acpica/evxfevnt.c
22328 ++++ b/drivers/acpi/acpica/evxfevnt.c
22329 +@@ -180,6 +180,12 @@ acpi_status acpi_enable_event(u32 event, u32 flags)
22330 +
22331 + ACPI_FUNCTION_TRACE(acpi_enable_event);
22332 +
22333 ++ /* If Hardware Reduced flag is set, there are no fixed events */
22334 ++
22335 ++ if (acpi_gbl_reduced_hardware) {
22336 ++ return_ACPI_STATUS(AE_OK);
22337 ++ }
22338 ++
22339 + /* Decode the Fixed Event */
22340 +
22341 + if (event > ACPI_EVENT_MAX) {
22342 +@@ -237,6 +243,12 @@ acpi_status acpi_disable_event(u32 event, u32 flags)
22343 +
22344 + ACPI_FUNCTION_TRACE(acpi_disable_event);
22345 +
22346 ++ /* If Hardware Reduced flag is set, there are no fixed events */
22347 ++
22348 ++ if (acpi_gbl_reduced_hardware) {
22349 ++ return_ACPI_STATUS(AE_OK);
22350 ++ }
22351 ++
22352 + /* Decode the Fixed Event */
22353 +
22354 + if (event > ACPI_EVENT_MAX) {
22355 +@@ -290,6 +302,12 @@ acpi_status acpi_clear_event(u32 event)
22356 +
22357 + ACPI_FUNCTION_TRACE(acpi_clear_event);
22358 +
22359 ++ /* If Hardware Reduced flag is set, there are no fixed events */
22360 ++
22361 ++ if (acpi_gbl_reduced_hardware) {
22362 ++ return_ACPI_STATUS(AE_OK);
22363 ++ }
22364 ++
22365 + /* Decode the Fixed Event */
22366 +
22367 + if (event > ACPI_EVENT_MAX) {
22368 +diff --git a/drivers/acpi/acpica/psobject.c b/drivers/acpi/acpica/psobject.c
22369 +index 2f5ddd806c58..7a09290628ec 100644
22370 +--- a/drivers/acpi/acpica/psobject.c
22371 ++++ b/drivers/acpi/acpica/psobject.c
22372 +@@ -118,6 +118,9 @@ static acpi_status acpi_ps_get_aml_opcode(struct acpi_walk_state *walk_state)
22373 + (u32)(walk_state->aml_offset +
22374 + sizeof(struct acpi_table_header)));
22375 +
22376 ++ ACPI_ERROR((AE_INFO,
22377 ++ "Aborting disassembly, AML byte code is corrupt"));
22378 ++
22379 + /* Dump the context surrounding the invalid opcode */
22380 +
22381 + acpi_ut_dump_buffer(((u8 *)walk_state->parser_state.
22382 +@@ -126,6 +129,14 @@ static acpi_status acpi_ps_get_aml_opcode(struct acpi_walk_state *walk_state)
22383 + sizeof(struct acpi_table_header) -
22384 + 16));
22385 + acpi_os_printf(" */\n");
22386 ++
22387 ++ /*
22388 ++ * Just abort the disassembly, cannot continue because the
22389 ++ * parser is essentially lost. The disassembler can then
22390 ++ * randomly fail because an ill-constructed parse tree
22391 ++ * can result.
22392 ++ */
22393 ++ return_ACPI_STATUS(AE_AML_BAD_OPCODE);
22394 + #endif
22395 + }
22396 +
22397 +@@ -290,6 +301,9 @@ acpi_ps_create_op(struct acpi_walk_state *walk_state,
22398 + if (status == AE_CTRL_PARSE_CONTINUE) {
22399 + return_ACPI_STATUS(AE_CTRL_PARSE_CONTINUE);
22400 + }
22401 ++ if (ACPI_FAILURE(status)) {
22402 ++ return_ACPI_STATUS(status);
22403 ++ }
22404 +
22405 + /* Create Op structure and append to parent's argument list */
22406 +
22407 +diff --git a/drivers/acpi/pci_irq.c b/drivers/acpi/pci_irq.c
22408 +index b1def411c0b8..7249ba6b511f 100644
22409 +--- a/drivers/acpi/pci_irq.c
22410 ++++ b/drivers/acpi/pci_irq.c
22411 +@@ -136,9 +136,6 @@ static void do_prt_fixups(struct acpi_prt_entry *entry,
22412 + quirk = &prt_quirks[i];
22413 +
22414 + /* All current quirks involve link devices, not GSIs */
22415 +- if (!prt->source)
22416 +- continue;
22417 +-
22418 + if (dmi_check_system(quirk->system) &&
22419 + entry->id.segment == quirk->segment &&
22420 + entry->id.bus == quirk->bus &&
22421 +diff --git a/drivers/acpi/pmic/intel_pmic_xpower.c b/drivers/acpi/pmic/intel_pmic_xpower.c
22422 +index 6a082d4de12c..24a793957bc0 100644
22423 +--- a/drivers/acpi/pmic/intel_pmic_xpower.c
22424 ++++ b/drivers/acpi/pmic/intel_pmic_xpower.c
22425 +@@ -28,97 +28,97 @@ static struct pmic_table power_table[] = {
22426 + .address = 0x00,
22427 + .reg = 0x13,
22428 + .bit = 0x05,
22429 +- },
22430 ++ }, /* ALD1 */
22431 + {
22432 + .address = 0x04,
22433 + .reg = 0x13,
22434 + .bit = 0x06,
22435 +- },
22436 ++ }, /* ALD2 */
22437 + {
22438 + .address = 0x08,
22439 + .reg = 0x13,
22440 + .bit = 0x07,
22441 +- },
22442 ++ }, /* ALD3 */
22443 + {
22444 + .address = 0x0c,
22445 + .reg = 0x12,
22446 + .bit = 0x03,
22447 +- },
22448 ++ }, /* DLD1 */
22449 + {
22450 + .address = 0x10,
22451 + .reg = 0x12,
22452 + .bit = 0x04,
22453 +- },
22454 ++ }, /* DLD2 */
22455 + {
22456 + .address = 0x14,
22457 + .reg = 0x12,
22458 + .bit = 0x05,
22459 +- },
22460 ++ }, /* DLD3 */
22461 + {
22462 + .address = 0x18,
22463 + .reg = 0x12,
22464 + .bit = 0x06,
22465 +- },
22466 ++ }, /* DLD4 */
22467 + {
22468 + .address = 0x1c,
22469 + .reg = 0x12,
22470 + .bit = 0x00,
22471 +- },
22472 ++ }, /* ELD1 */
22473 + {
22474 + .address = 0x20,
22475 + .reg = 0x12,
22476 + .bit = 0x01,
22477 +- },
22478 ++ }, /* ELD2 */
22479 + {
22480 + .address = 0x24,
22481 + .reg = 0x12,
22482 + .bit = 0x02,
22483 +- },
22484 ++ }, /* ELD3 */
22485 + {
22486 + .address = 0x28,
22487 + .reg = 0x13,
22488 + .bit = 0x02,
22489 +- },
22490 ++ }, /* FLD1 */
22491 + {
22492 + .address = 0x2c,
22493 + .reg = 0x13,
22494 + .bit = 0x03,
22495 +- },
22496 ++ }, /* FLD2 */
22497 + {
22498 + .address = 0x30,
22499 + .reg = 0x13,
22500 + .bit = 0x04,
22501 +- },
22502 ++ }, /* FLD3 */
22503 + {
22504 +- .address = 0x38,
22505 ++ .address = 0x34,
22506 + .reg = 0x10,
22507 + .bit = 0x03,
22508 +- },
22509 ++ }, /* BUC1 */
22510 + {
22511 +- .address = 0x3c,
22512 ++ .address = 0x38,
22513 + .reg = 0x10,
22514 + .bit = 0x06,
22515 +- },
22516 ++ }, /* BUC2 */
22517 + {
22518 +- .address = 0x40,
22519 ++ .address = 0x3c,
22520 + .reg = 0x10,
22521 + .bit = 0x05,
22522 +- },
22523 ++ }, /* BUC3 */
22524 + {
22525 +- .address = 0x44,
22526 ++ .address = 0x40,
22527 + .reg = 0x10,
22528 + .bit = 0x04,
22529 +- },
22530 ++ }, /* BUC4 */
22531 + {
22532 +- .address = 0x48,
22533 ++ .address = 0x44,
22534 + .reg = 0x10,
22535 + .bit = 0x01,
22536 +- },
22537 ++ }, /* BUC5 */
22538 + {
22539 +- .address = 0x4c,
22540 ++ .address = 0x48,
22541 + .reg = 0x10,
22542 + .bit = 0x00
22543 +- },
22544 ++ }, /* BUC6 */
22545 + };
22546 +
22547 + /* TMP0 - TMP5 are the same, all from GPADC */
22548 +diff --git a/drivers/acpi/processor_driver.c b/drivers/acpi/processor_driver.c
22549 +index d9f71581b79b..bdc3063f694d 100644
22550 +--- a/drivers/acpi/processor_driver.c
22551 ++++ b/drivers/acpi/processor_driver.c
22552 +@@ -231,11 +231,16 @@ static int __acpi_processor_start(struct acpi_device *device)
22553 + static int acpi_processor_start(struct device *dev)
22554 + {
22555 + struct acpi_device *device = ACPI_COMPANION(dev);
22556 ++ int ret;
22557 +
22558 + if (!device)
22559 + return -ENODEV;
22560 +
22561 +- return __acpi_processor_start(device);
22562 ++ /* Protect against concurrent CPU hotplug operations */
22563 ++ get_online_cpus();
22564 ++ ret = __acpi_processor_start(device);
22565 ++ put_online_cpus();
22566 ++ return ret;
22567 + }
22568 +
22569 + static int acpi_processor_stop(struct device *dev)
22570 +diff --git a/drivers/acpi/processor_throttling.c b/drivers/acpi/processor_throttling.c
22571 +index f3df4b5e5fc9..cd7398b7aa67 100644
22572 +--- a/drivers/acpi/processor_throttling.c
22573 ++++ b/drivers/acpi/processor_throttling.c
22574 +@@ -66,8 +66,8 @@ struct acpi_processor_throttling_arg {
22575 + #define THROTTLING_POSTCHANGE (2)
22576 +
22577 + static int acpi_processor_get_throttling(struct acpi_processor *pr);
22578 +-int acpi_processor_set_throttling(struct acpi_processor *pr,
22579 +- int state, bool force);
22580 ++static int __acpi_processor_set_throttling(struct acpi_processor *pr,
22581 ++ int state, bool force, bool direct);
22582 +
22583 + static int acpi_processor_update_tsd_coord(void)
22584 + {
22585 +@@ -895,7 +895,8 @@ static int acpi_processor_get_throttling_ptc(struct acpi_processor *pr)
22586 + ACPI_DEBUG_PRINT((ACPI_DB_INFO,
22587 + "Invalid throttling state, reset\n"));
22588 + state = 0;
22589 +- ret = acpi_processor_set_throttling(pr, state, true);
22590 ++ ret = __acpi_processor_set_throttling(pr, state, true,
22591 ++ true);
22592 + if (ret)
22593 + return ret;
22594 + }
22595 +@@ -905,36 +906,31 @@ static int acpi_processor_get_throttling_ptc(struct acpi_processor *pr)
22596 + return 0;
22597 + }
22598 +
22599 +-static int acpi_processor_get_throttling(struct acpi_processor *pr)
22600 ++static long __acpi_processor_get_throttling(void *data)
22601 + {
22602 +- cpumask_var_t saved_mask;
22603 +- int ret;
22604 ++ struct acpi_processor *pr = data;
22605 ++
22606 ++ return pr->throttling.acpi_processor_get_throttling(pr);
22607 ++}
22608 +
22609 ++static int acpi_processor_get_throttling(struct acpi_processor *pr)
22610 ++{
22611 + if (!pr)
22612 + return -EINVAL;
22613 +
22614 + if (!pr->flags.throttling)
22615 + return -ENODEV;
22616 +
22617 +- if (!alloc_cpumask_var(&saved_mask, GFP_KERNEL))
22618 +- return -ENOMEM;
22619 +-
22620 + /*
22621 +- * Migrate task to the cpu pointed by pr.
22622 ++ * This is either called from the CPU hotplug callback of
22623 ++ * processor_driver or via the ACPI probe function. In the latter
22624 ++ * case the CPU is not guaranteed to be online. Both call sites are
22625 ++ * protected against CPU hotplug.
22626 + */
22627 +- cpumask_copy(saved_mask, &current->cpus_allowed);
22628 +- /* FIXME: use work_on_cpu() */
22629 +- if (set_cpus_allowed_ptr(current, cpumask_of(pr->id))) {
22630 +- /* Can't migrate to the target pr->id CPU. Exit */
22631 +- free_cpumask_var(saved_mask);
22632 ++ if (!cpu_online(pr->id))
22633 + return -ENODEV;
22634 +- }
22635 +- ret = pr->throttling.acpi_processor_get_throttling(pr);
22636 +- /* restore the previous state */
22637 +- set_cpus_allowed_ptr(current, saved_mask);
22638 +- free_cpumask_var(saved_mask);
22639 +
22640 +- return ret;
22641 ++ return work_on_cpu(pr->id, __acpi_processor_get_throttling, pr);
22642 + }
22643 +
22644 + static int acpi_processor_get_fadt_info(struct acpi_processor *pr)
22645 +@@ -1084,8 +1080,15 @@ static long acpi_processor_throttling_fn(void *data)
22646 + arg->target_state, arg->force);
22647 + }
22648 +
22649 +-int acpi_processor_set_throttling(struct acpi_processor *pr,
22650 +- int state, bool force)
22651 ++static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct)
22652 ++{
22653 ++ if (direct)
22654 ++ return fn(arg);
22655 ++ return work_on_cpu(cpu, fn, arg);
22656 ++}
22657 ++
22658 ++static int __acpi_processor_set_throttling(struct acpi_processor *pr,
22659 ++ int state, bool force, bool direct)
22660 + {
22661 + int ret = 0;
22662 + unsigned int i;
22663 +@@ -1134,7 +1137,8 @@ int acpi_processor_set_throttling(struct acpi_processor *pr,
22664 + arg.pr = pr;
22665 + arg.target_state = state;
22666 + arg.force = force;
22667 +- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, &arg);
22668 ++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, &arg,
22669 ++ direct);
22670 + } else {
22671 + /*
22672 + * When the T-state coordination is SW_ALL or HW_ALL,
22673 +@@ -1167,8 +1171,8 @@ int acpi_processor_set_throttling(struct acpi_processor *pr,
22674 + arg.pr = match_pr;
22675 + arg.target_state = state;
22676 + arg.force = force;
22677 +- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn,
22678 +- &arg);
22679 ++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn,
22680 ++ &arg, direct);
22681 + }
22682 + }
22683 + /*
22684 +@@ -1186,6 +1190,12 @@ int acpi_processor_set_throttling(struct acpi_processor *pr,
22685 + return ret;
22686 + }
22687 +
22688 ++int acpi_processor_set_throttling(struct acpi_processor *pr, int state,
22689 ++ bool force)
22690 ++{
22691 ++ return __acpi_processor_set_throttling(pr, state, force, false);
22692 ++}
22693 ++
22694 + int acpi_processor_get_throttling_info(struct acpi_processor *pr)
22695 + {
22696 + int result = 0;
22697 +diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
22698 +index f0099360039e..1accc01fb0ca 100644
22699 +--- a/drivers/amba/bus.c
22700 ++++ b/drivers/amba/bus.c
22701 +@@ -68,11 +68,12 @@ static ssize_t driver_override_show(struct device *_dev,
22702 + struct device_attribute *attr, char *buf)
22703 + {
22704 + struct amba_device *dev = to_amba_device(_dev);
22705 ++ ssize_t len;
22706 +
22707 +- if (!dev->driver_override)
22708 +- return 0;
22709 +-
22710 +- return sprintf(buf, "%s\n", dev->driver_override);
22711 ++ device_lock(_dev);
22712 ++ len = sprintf(buf, "%s\n", dev->driver_override);
22713 ++ device_unlock(_dev);
22714 ++ return len;
22715 + }
22716 +
22717 + static ssize_t driver_override_store(struct device *_dev,
22718 +@@ -80,9 +81,10 @@ static ssize_t driver_override_store(struct device *_dev,
22719 + const char *buf, size_t count)
22720 + {
22721 + struct amba_device *dev = to_amba_device(_dev);
22722 +- char *driver_override, *old = dev->driver_override, *cp;
22723 ++ char *driver_override, *old, *cp;
22724 +
22725 +- if (count > PATH_MAX)
22726 ++ /* We need to keep extra room for a newline */
22727 ++ if (count >= (PAGE_SIZE - 1))
22728 + return -EINVAL;
22729 +
22730 + driver_override = kstrndup(buf, count, GFP_KERNEL);
22731 +@@ -93,12 +95,15 @@ static ssize_t driver_override_store(struct device *_dev,
22732 + if (cp)
22733 + *cp = '\0';
22734 +
22735 ++ device_lock(_dev);
22736 ++ old = dev->driver_override;
22737 + if (strlen(driver_override)) {
22738 + dev->driver_override = driver_override;
22739 + } else {
22740 + kfree(driver_override);
22741 + dev->driver_override = NULL;
22742 + }
22743 ++ device_unlock(_dev);
22744 +
22745 + kfree(old);
22746 +
22747 +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
22748 +index 3b0cebb2122b..19733cdcd45c 100644
22749 +--- a/drivers/ata/ahci.c
22750 ++++ b/drivers/ata/ahci.c
22751 +@@ -542,7 +542,9 @@ static const struct pci_device_id ahci_pci_tbl[] = {
22752 + .driver_data = board_ahci_yes_fbs },
22753 + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
22754 + .driver_data = board_ahci_yes_fbs },
22755 +- { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642),
22756 ++ { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), /* highpoint rocketraid 642L */
22757 ++ .driver_data = board_ahci_yes_fbs },
22758 ++ { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0645), /* highpoint rocketraid 644L */
22759 + .driver_data = board_ahci_yes_fbs },
22760 +
22761 + /* Promise */
22762 +diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
22763 +index d89305d289f6..cf7fdb79c992 100644
22764 +--- a/drivers/ata/libahci_platform.c
22765 ++++ b/drivers/ata/libahci_platform.c
22766 +@@ -514,8 +514,9 @@ int ahci_platform_init_host(struct platform_device *pdev,
22767 +
22768 + irq = platform_get_irq(pdev, 0);
22769 + if (irq <= 0) {
22770 +- dev_err(dev, "no irq\n");
22771 +- return -EINVAL;
22772 ++ if (irq != -EPROBE_DEFER)
22773 ++ dev_err(dev, "no irq\n");
22774 ++ return irq;
22775 + }
22776 +
22777 + /* prepare host */
22778 +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
22779 +index b31d6853ba7a..accad0598253 100644
22780 +--- a/drivers/ata/libata-core.c
22781 ++++ b/drivers/ata/libata-core.c
22782 +@@ -4226,6 +4226,28 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
22783 + { "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER },
22784 + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER },
22785 +
22786 ++ /* Crucial BX100 SSD 500GB has broken LPM support */
22787 ++ { "CT500BX100SSD1", NULL, ATA_HORKAGE_NOLPM },
22788 ++
22789 ++ /* 512GB MX100 with MU01 firmware has both queued TRIM and LPM issues */
22790 ++ { "Crucial_CT512MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
22791 ++ ATA_HORKAGE_ZERO_AFTER_TRIM |
22792 ++ ATA_HORKAGE_NOLPM, },
22793 ++ /* 512GB MX100 with newer firmware has only LPM issues */
22794 ++ { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM |
22795 ++ ATA_HORKAGE_NOLPM, },
22796 ++
22797 ++ /* 480GB+ M500 SSDs have both queued TRIM and LPM issues */
22798 ++ { "Crucial_CT480M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
22799 ++ ATA_HORKAGE_ZERO_AFTER_TRIM |
22800 ++ ATA_HORKAGE_NOLPM, },
22801 ++ { "Crucial_CT960M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
22802 ++ ATA_HORKAGE_ZERO_AFTER_TRIM |
22803 ++ ATA_HORKAGE_NOLPM, },
22804 ++
22805 ++ /* Sandisk devices which are known to not handle LPM well */
22806 ++ { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, },
22807 ++
22808 + /* devices that don't properly handle queued TRIM commands */
22809 + { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
22810 + ATA_HORKAGE_ZERO_AFTER_TRIM, },
22811 +@@ -4237,7 +4259,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
22812 + ATA_HORKAGE_ZERO_AFTER_TRIM, },
22813 + { "Crucial_CT*MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
22814 + ATA_HORKAGE_ZERO_AFTER_TRIM, },
22815 +- { "Samsung SSD 8*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
22816 ++ { "Samsung SSD 840*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
22817 ++ ATA_HORKAGE_ZERO_AFTER_TRIM, },
22818 ++ { "Samsung SSD 850*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
22819 + ATA_HORKAGE_ZERO_AFTER_TRIM, },
22820 + { "FCCT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
22821 + ATA_HORKAGE_ZERO_AFTER_TRIM, },
22822 +@@ -5078,8 +5102,7 @@ void ata_qc_issue(struct ata_queued_cmd *qc)
22823 + * We guarantee to LLDs that they will have at least one
22824 + * non-zero sg if the command is a data command.
22825 + */
22826 +- if (WARN_ON_ONCE(ata_is_data(prot) &&
22827 +- (!qc->sg || !qc->n_elem || !qc->nbytes)))
22828 ++ if (ata_is_data(prot) && (!qc->sg || !qc->n_elem || !qc->nbytes))
22829 + goto sys_err;
22830 +
22831 + if (ata_is_dma(prot) || (ata_is_pio(prot) &&
22832 +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
22833 +index 4d4cdade9d7e..c471bb8637f9 100644
22834 +--- a/drivers/ata/libata-scsi.c
22835 ++++ b/drivers/ata/libata-scsi.c
22836 +@@ -3465,7 +3465,9 @@ static inline int __ata_scsi_queuecmd(struct scsi_cmnd *scmd,
22837 + if (likely((scsi_op != ATA_16) || !atapi_passthru16)) {
22838 + /* relay SCSI command to ATAPI device */
22839 + int len = COMMAND_SIZE(scsi_op);
22840 +- if (unlikely(len > scmd->cmd_len || len > dev->cdb_len))
22841 ++ if (unlikely(len > scmd->cmd_len ||
22842 ++ len > dev->cdb_len ||
22843 ++ scmd->cmd_len > ATAPI_CDB_LEN))
22844 + goto bad_cdb_len;
22845 +
22846 + xlat_func = atapi_xlat;
22847 +diff --git a/drivers/block/loop.c b/drivers/block/loop.c
22848 +index 9e72be28ee9f..53d22cc3cd3e 100644
22849 +--- a/drivers/block/loop.c
22850 ++++ b/drivers/block/loop.c
22851 +@@ -471,6 +471,9 @@ static int loop_switch(struct loop_device *lo, struct file *file)
22852 + */
22853 + static int loop_flush(struct loop_device *lo)
22854 + {
22855 ++ /* loop not yet configured, no running thread, nothing to flush */
22856 ++ if (lo->lo_state != Lo_bound)
22857 ++ return 0;
22858 + return loop_switch(lo, NULL);
22859 + }
22860 +
22861 +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
22862 +index 32f5b87fe93c..68a92550b4cd 100644
22863 +--- a/drivers/bluetooth/btusb.c
22864 ++++ b/drivers/bluetooth/btusb.c
22865 +@@ -203,7 +203,6 @@ static const struct usb_device_id blacklist_table[] = {
22866 + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
22867 + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
22868 + { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
22869 +- { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
22870 + { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
22871 + { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
22872 + { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
22873 +@@ -236,6 +235,7 @@ static const struct usb_device_id blacklist_table[] = {
22874 + { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
22875 +
22876 + /* QCA ROME chipset */
22877 ++ { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_QCA_ROME },
22878 + { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME },
22879 + { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME },
22880 + { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME },
22881 +diff --git a/drivers/bus/brcmstb_gisb.c b/drivers/bus/brcmstb_gisb.c
22882 +index 738612c45266..8f78990205ec 100644
22883 +--- a/drivers/bus/brcmstb_gisb.c
22884 ++++ b/drivers/bus/brcmstb_gisb.c
22885 +@@ -33,8 +33,6 @@
22886 + #define ARB_ERR_CAP_CLEAR (1 << 0)
22887 + #define ARB_ERR_CAP_STATUS_TIMEOUT (1 << 12)
22888 + #define ARB_ERR_CAP_STATUS_TEA (1 << 11)
22889 +-#define ARB_ERR_CAP_STATUS_BS_SHIFT (1 << 2)
22890 +-#define ARB_ERR_CAP_STATUS_BS_MASK 0x3c
22891 + #define ARB_ERR_CAP_STATUS_WRITE (1 << 1)
22892 + #define ARB_ERR_CAP_STATUS_VALID (1 << 0)
22893 +
22894 +@@ -43,7 +41,6 @@ enum {
22895 + ARB_ERR_CAP_CLR,
22896 + ARB_ERR_CAP_HI_ADDR,
22897 + ARB_ERR_CAP_ADDR,
22898 +- ARB_ERR_CAP_DATA,
22899 + ARB_ERR_CAP_STATUS,
22900 + ARB_ERR_CAP_MASTER,
22901 + };
22902 +@@ -53,7 +50,6 @@ static const int gisb_offsets_bcm7038[] = {
22903 + [ARB_ERR_CAP_CLR] = 0x0c4,
22904 + [ARB_ERR_CAP_HI_ADDR] = -1,
22905 + [ARB_ERR_CAP_ADDR] = 0x0c8,
22906 +- [ARB_ERR_CAP_DATA] = 0x0cc,
22907 + [ARB_ERR_CAP_STATUS] = 0x0d0,
22908 + [ARB_ERR_CAP_MASTER] = -1,
22909 + };
22910 +@@ -63,7 +59,6 @@ static const int gisb_offsets_bcm7400[] = {
22911 + [ARB_ERR_CAP_CLR] = 0x0c8,
22912 + [ARB_ERR_CAP_HI_ADDR] = -1,
22913 + [ARB_ERR_CAP_ADDR] = 0x0cc,
22914 +- [ARB_ERR_CAP_DATA] = 0x0d0,
22915 + [ARB_ERR_CAP_STATUS] = 0x0d4,
22916 + [ARB_ERR_CAP_MASTER] = 0x0d8,
22917 + };
22918 +@@ -73,7 +68,6 @@ static const int gisb_offsets_bcm7435[] = {
22919 + [ARB_ERR_CAP_CLR] = 0x168,
22920 + [ARB_ERR_CAP_HI_ADDR] = -1,
22921 + [ARB_ERR_CAP_ADDR] = 0x16c,
22922 +- [ARB_ERR_CAP_DATA] = 0x170,
22923 + [ARB_ERR_CAP_STATUS] = 0x174,
22924 + [ARB_ERR_CAP_MASTER] = 0x178,
22925 + };
22926 +@@ -83,7 +77,6 @@ static const int gisb_offsets_bcm7445[] = {
22927 + [ARB_ERR_CAP_CLR] = 0x7e4,
22928 + [ARB_ERR_CAP_HI_ADDR] = 0x7e8,
22929 + [ARB_ERR_CAP_ADDR] = 0x7ec,
22930 +- [ARB_ERR_CAP_DATA] = 0x7f0,
22931 + [ARB_ERR_CAP_STATUS] = 0x7f4,
22932 + [ARB_ERR_CAP_MASTER] = 0x7f8,
22933 + };
22934 +@@ -104,13 +97,27 @@ static u32 gisb_read(struct brcmstb_gisb_arb_device *gdev, int reg)
22935 + {
22936 + int offset = gdev->gisb_offsets[reg];
22937 +
22938 +- /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */
22939 +- if (offset == -1)
22940 +- return 1;
22941 ++ if (offset < 0) {
22942 ++ /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */
22943 ++ if (reg == ARB_ERR_CAP_MASTER)
22944 ++ return 1;
22945 ++ else
22946 ++ return 0;
22947 ++ }
22948 +
22949 + return ioread32(gdev->base + offset);
22950 + }
22951 +
22952 ++static u64 gisb_read_address(struct brcmstb_gisb_arb_device *gdev)
22953 ++{
22954 ++ u64 value;
22955 ++
22956 ++ value = gisb_read(gdev, ARB_ERR_CAP_ADDR);
22957 ++ value |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32;
22958 ++
22959 ++ return value;
22960 ++}
22961 ++
22962 + static void gisb_write(struct brcmstb_gisb_arb_device *gdev, u32 val, int reg)
22963 + {
22964 + int offset = gdev->gisb_offsets[reg];
22965 +@@ -173,7 +180,7 @@ static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev,
22966 + const char *reason)
22967 + {
22968 + u32 cap_status;
22969 +- unsigned long arb_addr;
22970 ++ u64 arb_addr;
22971 + u32 master;
22972 + const char *m_name;
22973 + char m_fmt[11];
22974 +@@ -185,10 +192,7 @@ static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev,
22975 + return 1;
22976 +
22977 + /* Read the address and master */
22978 +- arb_addr = gisb_read(gdev, ARB_ERR_CAP_ADDR) & 0xffffffff;
22979 +-#if (IS_ENABLED(CONFIG_PHYS_ADDR_T_64BIT))
22980 +- arb_addr |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32;
22981 +-#endif
22982 ++ arb_addr = gisb_read_address(gdev);
22983 + master = gisb_read(gdev, ARB_ERR_CAP_MASTER);
22984 +
22985 + m_name = brcmstb_gisb_master_to_str(gdev, master);
22986 +@@ -197,7 +201,7 @@ static int brcmstb_gisb_arb_decode_addr(struct brcmstb_gisb_arb_device *gdev,
22987 + m_name = m_fmt;
22988 + }
22989 +
22990 +- pr_crit("%s: %s at 0x%lx [%c %s], core: %s\n",
22991 ++ pr_crit("%s: %s at 0x%llx [%c %s], core: %s\n",
22992 + __func__, reason, arb_addr,
22993 + cap_status & ARB_ERR_CAP_STATUS_WRITE ? 'W' : 'R',
22994 + cap_status & ARB_ERR_CAP_STATUS_TIMEOUT ? "timeout" : "",
22995 +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
22996 +index 5d28a45d2960..3922ce87c2e4 100644
22997 +--- a/drivers/cdrom/cdrom.c
22998 ++++ b/drivers/cdrom/cdrom.c
22999 +@@ -2357,7 +2357,7 @@ static int cdrom_ioctl_media_changed(struct cdrom_device_info *cdi,
23000 + if (!CDROM_CAN(CDC_SELECT_DISC) || arg == CDSL_CURRENT)
23001 + return media_changed(cdi, 1);
23002 +
23003 +- if ((unsigned int)arg >= cdi->capacity)
23004 ++ if (arg >= cdi->capacity)
23005 + return -EINVAL;
23006 +
23007 + info = kmalloc(sizeof(*info), GFP_KERNEL);
23008 +diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c
23009 +index c6dea3f6917b..b38e31221a7e 100644
23010 +--- a/drivers/char/agp/intel-gtt.c
23011 ++++ b/drivers/char/agp/intel-gtt.c
23012 +@@ -859,6 +859,8 @@ void intel_gtt_insert_sg_entries(struct sg_table *st,
23013 + }
23014 + }
23015 + wmb();
23016 ++ if (intel_private.driver->chipset_flush)
23017 ++ intel_private.driver->chipset_flush();
23018 + }
23019 + EXPORT_SYMBOL(intel_gtt_insert_sg_entries);
23020 +
23021 +diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
23022 +index 9156bbd90b56..0166be52aacb 100644
23023 +--- a/drivers/char/ipmi/ipmi_ssif.c
23024 ++++ b/drivers/char/ipmi/ipmi_ssif.c
23025 +@@ -408,6 +408,7 @@ static void start_event_fetch(struct ssif_info *ssif_info, unsigned long *flags)
23026 + msg = ipmi_alloc_smi_msg();
23027 + if (!msg) {
23028 + ssif_info->ssif_state = SSIF_NORMAL;
23029 ++ ipmi_ssif_unlock_cond(ssif_info, flags);
23030 + return;
23031 + }
23032 +
23033 +@@ -430,6 +431,7 @@ static void start_recv_msg_fetch(struct ssif_info *ssif_info,
23034 + msg = ipmi_alloc_smi_msg();
23035 + if (!msg) {
23036 + ssif_info->ssif_state = SSIF_NORMAL;
23037 ++ ipmi_ssif_unlock_cond(ssif_info, flags);
23038 + return;
23039 + }
23040 +
23041 +diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
23042 +index f335fcee09af..0109d3fb5fbc 100644
23043 +--- a/drivers/char/ipmi/ipmi_watchdog.c
23044 ++++ b/drivers/char/ipmi/ipmi_watchdog.c
23045 +@@ -509,7 +509,7 @@ static void panic_halt_ipmi_heartbeat(void)
23046 + msg.cmd = IPMI_WDOG_RESET_TIMER;
23047 + msg.data = NULL;
23048 + msg.data_len = 0;
23049 +- atomic_add(2, &panic_done_count);
23050 ++ atomic_add(1, &panic_done_count);
23051 + rv = ipmi_request_supply_msgs(watchdog_user,
23052 + (struct ipmi_addr *) &addr,
23053 + 0,
23054 +@@ -519,7 +519,7 @@ static void panic_halt_ipmi_heartbeat(void)
23055 + &panic_halt_heartbeat_recv_msg,
23056 + 1);
23057 + if (rv)
23058 +- atomic_sub(2, &panic_done_count);
23059 ++ atomic_sub(1, &panic_done_count);
23060 + }
23061 +
23062 + static struct ipmi_smi_msg panic_halt_smi_msg = {
23063 +@@ -543,12 +543,12 @@ static void panic_halt_ipmi_set_timeout(void)
23064 + /* Wait for the messages to be free. */
23065 + while (atomic_read(&panic_done_count) != 0)
23066 + ipmi_poll_interface(watchdog_user);
23067 +- atomic_add(2, &panic_done_count);
23068 ++ atomic_add(1, &panic_done_count);
23069 + rv = i_ipmi_set_timeout(&panic_halt_smi_msg,
23070 + &panic_halt_recv_msg,
23071 + &send_heartbeat_now);
23072 + if (rv) {
23073 +- atomic_sub(2, &panic_done_count);
23074 ++ atomic_sub(1, &panic_done_count);
23075 + printk(KERN_WARNING PFX
23076 + "Unable to extend the watchdog timeout.");
23077 + } else {
23078 +diff --git a/drivers/char/random.c b/drivers/char/random.c
23079 +index d55156fc064d..4ba5c7e4e254 100644
23080 +--- a/drivers/char/random.c
23081 ++++ b/drivers/char/random.c
23082 +@@ -704,7 +704,7 @@ retry:
23083 +
23084 + static void credit_entropy_bits_safe(struct entropy_store *r, int nbits)
23085 + {
23086 +- const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
23087 ++ const int nbits_max = r->poolinfo->poolwords * 32;
23088 +
23089 + /* Cap the value to avoid overflows */
23090 + nbits = min(nbits, nbits_max);
23091 +@@ -863,12 +863,16 @@ static void add_interrupt_bench(cycles_t start)
23092 + static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs)
23093 + {
23094 + __u32 *ptr = (__u32 *) regs;
23095 ++ unsigned int idx;
23096 +
23097 + if (regs == NULL)
23098 + return 0;
23099 +- if (f->reg_idx >= sizeof(struct pt_regs) / sizeof(__u32))
23100 +- f->reg_idx = 0;
23101 +- return *(ptr + f->reg_idx++);
23102 ++ idx = READ_ONCE(f->reg_idx);
23103 ++ if (idx >= sizeof(struct pt_regs) / sizeof(__u32))
23104 ++ idx = 0;
23105 ++ ptr += idx++;
23106 ++ WRITE_ONCE(f->reg_idx, idx);
23107 ++ return *ptr;
23108 + }
23109 +
23110 + void add_interrupt_randomness(int irq, int irq_flags)
23111 +diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
23112 +index 5809567d3cf0..d696e5c3d079 100644
23113 +--- a/drivers/char/tpm/tpm_tis.c
23114 ++++ b/drivers/char/tpm/tpm_tis.c
23115 +@@ -283,7 +283,8 @@ static int recv_data(struct tpm_chip *chip, u8 *buf, size_t count)
23116 + static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
23117 + {
23118 + int size = 0;
23119 +- int expected, status;
23120 ++ int status;
23121 ++ u32 expected;
23122 +
23123 + if (count < TPM_HEADER_SIZE) {
23124 + size = -EIO;
23125 +@@ -298,7 +299,7 @@ static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
23126 + }
23127 +
23128 + expected = be32_to_cpu(*(__be32 *) (buf + 2));
23129 +- if (expected > count) {
23130 ++ if (expected > count || expected < TPM_HEADER_SIZE) {
23131 + size = -EIO;
23132 + goto out;
23133 + }
23134 +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
23135 +index 374b0006aa7a..a7adfc633db9 100644
23136 +--- a/drivers/char/virtio_console.c
23137 ++++ b/drivers/char/virtio_console.c
23138 +@@ -1399,7 +1399,6 @@ static int add_port(struct ports_device *portdev, u32 id)
23139 + {
23140 + char debugfs_name[16];
23141 + struct port *port;
23142 +- struct port_buffer *buf;
23143 + dev_t devt;
23144 + unsigned int nr_added_bufs;
23145 + int err;
23146 +@@ -1510,8 +1509,6 @@ static int add_port(struct ports_device *portdev, u32 id)
23147 + return 0;
23148 +
23149 + free_inbufs:
23150 +- while ((buf = virtqueue_detach_unused_buf(port->in_vq)))
23151 +- free_buf(buf, true);
23152 + free_device:
23153 + device_destroy(pdrvdata.class, port->dev->devt);
23154 + free_cdev:
23155 +@@ -1536,34 +1533,14 @@ static void remove_port(struct kref *kref)
23156 +
23157 + static void remove_port_data(struct port *port)
23158 + {
23159 +- struct port_buffer *buf;
23160 +-
23161 + spin_lock_irq(&port->inbuf_lock);
23162 + /* Remove unused data this port might have received. */
23163 + discard_port_data(port);
23164 + spin_unlock_irq(&port->inbuf_lock);
23165 +
23166 +- /* Remove buffers we queued up for the Host to send us data in. */
23167 +- do {
23168 +- spin_lock_irq(&port->inbuf_lock);
23169 +- buf = virtqueue_detach_unused_buf(port->in_vq);
23170 +- spin_unlock_irq(&port->inbuf_lock);
23171 +- if (buf)
23172 +- free_buf(buf, true);
23173 +- } while (buf);
23174 +-
23175 + spin_lock_irq(&port->outvq_lock);
23176 + reclaim_consumed_buffers(port);
23177 + spin_unlock_irq(&port->outvq_lock);
23178 +-
23179 +- /* Free pending buffers from the out-queue. */
23180 +- do {
23181 +- spin_lock_irq(&port->outvq_lock);
23182 +- buf = virtqueue_detach_unused_buf(port->out_vq);
23183 +- spin_unlock_irq(&port->outvq_lock);
23184 +- if (buf)
23185 +- free_buf(buf, true);
23186 +- } while (buf);
23187 + }
23188 +
23189 + /*
23190 +@@ -1788,13 +1765,24 @@ static void control_work_handler(struct work_struct *work)
23191 + spin_unlock(&portdev->c_ivq_lock);
23192 + }
23193 +
23194 ++static void flush_bufs(struct virtqueue *vq, bool can_sleep)
23195 ++{
23196 ++ struct port_buffer *buf;
23197 ++ unsigned int len;
23198 ++
23199 ++ while ((buf = virtqueue_get_buf(vq, &len)))
23200 ++ free_buf(buf, can_sleep);
23201 ++}
23202 ++
23203 + static void out_intr(struct virtqueue *vq)
23204 + {
23205 + struct port *port;
23206 +
23207 + port = find_port_by_vq(vq->vdev->priv, vq);
23208 +- if (!port)
23209 ++ if (!port) {
23210 ++ flush_bufs(vq, false);
23211 + return;
23212 ++ }
23213 +
23214 + wake_up_interruptible(&port->waitqueue);
23215 + }
23216 +@@ -1805,8 +1793,10 @@ static void in_intr(struct virtqueue *vq)
23217 + unsigned long flags;
23218 +
23219 + port = find_port_by_vq(vq->vdev->priv, vq);
23220 +- if (!port)
23221 ++ if (!port) {
23222 ++ flush_bufs(vq, false);
23223 + return;
23224 ++ }
23225 +
23226 + spin_lock_irqsave(&port->inbuf_lock, flags);
23227 + port->inbuf = get_inbuf(port);
23228 +@@ -1981,6 +1971,15 @@ static const struct file_operations portdev_fops = {
23229 +
23230 + static void remove_vqs(struct ports_device *portdev)
23231 + {
23232 ++ struct virtqueue *vq;
23233 ++
23234 ++ virtio_device_for_each_vq(portdev->vdev, vq) {
23235 ++ struct port_buffer *buf;
23236 ++
23237 ++ flush_bufs(vq, true);
23238 ++ while ((buf = virtqueue_detach_unused_buf(vq)))
23239 ++ free_buf(buf, true);
23240 ++ }
23241 + portdev->vdev->config->del_vqs(portdev->vdev);
23242 + kfree(portdev->in_vqs);
23243 + kfree(portdev->out_vqs);
23244 +diff --git a/drivers/clk/clk-si5351.c b/drivers/clk/clk-si5351.c
23245 +index 30335d3b99af..9db6d57f7ccc 100644
23246 +--- a/drivers/clk/clk-si5351.c
23247 ++++ b/drivers/clk/clk-si5351.c
23248 +@@ -72,7 +72,7 @@ static const char * const si5351_input_names[] = {
23249 + "xtal", "clkin"
23250 + };
23251 + static const char * const si5351_pll_names[] = {
23252 +- "plla", "pllb", "vxco"
23253 ++ "si5351_plla", "si5351_pllb", "si5351_vxco"
23254 + };
23255 + static const char * const si5351_msynth_names[] = {
23256 + "ms0", "ms1", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7"
23257 +diff --git a/drivers/clk/mvebu/armada-38x.c b/drivers/clk/mvebu/armada-38x.c
23258 +index 8bccf4ecdab6..9ff4ea63932d 100644
23259 +--- a/drivers/clk/mvebu/armada-38x.c
23260 ++++ b/drivers/clk/mvebu/armada-38x.c
23261 +@@ -46,10 +46,11 @@ static u32 __init armada_38x_get_tclk_freq(void __iomem *sar)
23262 + }
23263 +
23264 + static const u32 armada_38x_cpu_frequencies[] __initconst = {
23265 +- 0, 0, 0, 0,
23266 +- 1066 * 1000 * 1000, 0, 0, 0,
23267 ++ 666 * 1000 * 1000, 0, 800 * 1000 * 1000, 0,
23268 ++ 1066 * 1000 * 1000, 0, 1200 * 1000 * 1000, 0,
23269 + 1332 * 1000 * 1000, 0, 0, 0,
23270 +- 1600 * 1000 * 1000,
23271 ++ 1600 * 1000 * 1000, 0, 0, 0,
23272 ++ 1866 * 1000 * 1000, 0, 0, 2000 * 1000 * 1000,
23273 + };
23274 +
23275 + static u32 __init armada_38x_get_cpu_freq(void __iomem *sar)
23276 +@@ -75,11 +76,11 @@ static const struct coreclk_ratio armada_38x_coreclk_ratios[] __initconst = {
23277 + };
23278 +
23279 + static const int armada_38x_cpu_l2_ratios[32][2] __initconst = {
23280 +- {0, 1}, {0, 1}, {0, 1}, {0, 1},
23281 +- {1, 2}, {0, 1}, {0, 1}, {0, 1},
23282 ++ {1, 2}, {0, 1}, {1, 2}, {0, 1},
23283 ++ {1, 2}, {0, 1}, {1, 2}, {0, 1},
23284 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
23285 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
23286 +- {0, 1}, {0, 1}, {0, 1}, {0, 1},
23287 ++ {1, 2}, {0, 1}, {0, 1}, {1, 2},
23288 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
23289 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
23290 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
23291 +@@ -90,7 +91,7 @@ static const int armada_38x_cpu_ddr_ratios[32][2] __initconst = {
23292 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
23293 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
23294 + {1, 2}, {0, 1}, {0, 1}, {0, 1},
23295 +- {0, 1}, {0, 1}, {0, 1}, {0, 1},
23296 ++ {1, 2}, {0, 1}, {0, 1}, {7, 15},
23297 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
23298 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
23299 + {0, 1}, {0, 1}, {0, 1}, {0, 1},
23300 +diff --git a/drivers/cpufreq/sh-cpufreq.c b/drivers/cpufreq/sh-cpufreq.c
23301 +index 86628e22b2a3..719c3d9f07fb 100644
23302 +--- a/drivers/cpufreq/sh-cpufreq.c
23303 ++++ b/drivers/cpufreq/sh-cpufreq.c
23304 +@@ -30,54 +30,63 @@
23305 +
23306 + static DEFINE_PER_CPU(struct clk, sh_cpuclk);
23307 +
23308 ++struct cpufreq_target {
23309 ++ struct cpufreq_policy *policy;
23310 ++ unsigned int freq;
23311 ++};
23312 ++
23313 + static unsigned int sh_cpufreq_get(unsigned int cpu)
23314 + {
23315 + return (clk_get_rate(&per_cpu(sh_cpuclk, cpu)) + 500) / 1000;
23316 + }
23317 +
23318 +-/*
23319 +- * Here we notify other drivers of the proposed change and the final change.
23320 +- */
23321 +-static int sh_cpufreq_target(struct cpufreq_policy *policy,
23322 +- unsigned int target_freq,
23323 +- unsigned int relation)
23324 ++static long __sh_cpufreq_target(void *arg)
23325 + {
23326 +- unsigned int cpu = policy->cpu;
23327 ++ struct cpufreq_target *target = arg;
23328 ++ struct cpufreq_policy *policy = target->policy;
23329 ++ int cpu = policy->cpu;
23330 + struct clk *cpuclk = &per_cpu(sh_cpuclk, cpu);
23331 +- cpumask_t cpus_allowed;
23332 + struct cpufreq_freqs freqs;
23333 + struct device *dev;
23334 + long freq;
23335 +
23336 +- cpus_allowed = current->cpus_allowed;
23337 +- set_cpus_allowed_ptr(current, cpumask_of(cpu));
23338 +-
23339 +- BUG_ON(smp_processor_id() != cpu);
23340 ++ if (smp_processor_id() != cpu)
23341 ++ return -ENODEV;
23342 +
23343 + dev = get_cpu_device(cpu);
23344 +
23345 + /* Convert target_freq from kHz to Hz */
23346 +- freq = clk_round_rate(cpuclk, target_freq * 1000);
23347 ++ freq = clk_round_rate(cpuclk, target->freq * 1000);
23348 +
23349 + if (freq < (policy->min * 1000) || freq > (policy->max * 1000))
23350 + return -EINVAL;
23351 +
23352 +- dev_dbg(dev, "requested frequency %u Hz\n", target_freq * 1000);
23353 ++ dev_dbg(dev, "requested frequency %u Hz\n", target->freq * 1000);
23354 +
23355 + freqs.old = sh_cpufreq_get(cpu);
23356 + freqs.new = (freq + 500) / 1000;
23357 + freqs.flags = 0;
23358 +
23359 +- cpufreq_freq_transition_begin(policy, &freqs);
23360 +- set_cpus_allowed_ptr(current, &cpus_allowed);
23361 ++ cpufreq_freq_transition_begin(target->policy, &freqs);
23362 + clk_set_rate(cpuclk, freq);
23363 +- cpufreq_freq_transition_end(policy, &freqs, 0);
23364 ++ cpufreq_freq_transition_end(target->policy, &freqs, 0);
23365 +
23366 + dev_dbg(dev, "set frequency %lu Hz\n", freq);
23367 +-
23368 + return 0;
23369 + }
23370 +
23371 ++/*
23372 ++ * Here we notify other drivers of the proposed change and the final change.
23373 ++ */
23374 ++static int sh_cpufreq_target(struct cpufreq_policy *policy,
23375 ++ unsigned int target_freq,
23376 ++ unsigned int relation)
23377 ++{
23378 ++ struct cpufreq_target data = { .policy = policy, .freq = target_freq };
23379 ++
23380 ++ return work_on_cpu(policy->cpu, __sh_cpufreq_target, &data);
23381 ++}
23382 ++
23383 + static int sh_cpufreq_verify(struct cpufreq_policy *policy)
23384 + {
23385 + struct clk *cpuclk = &per_cpu(sh_cpuclk, policy->cpu);
23386 +diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c
23387 +index a5c111b67f37..ea11a33e7fff 100644
23388 +--- a/drivers/cpuidle/dt_idle_states.c
23389 ++++ b/drivers/cpuidle/dt_idle_states.c
23390 +@@ -174,8 +174,10 @@ int dt_init_idle_driver(struct cpuidle_driver *drv,
23391 + if (!state_node)
23392 + break;
23393 +
23394 +- if (!of_device_is_available(state_node))
23395 ++ if (!of_device_is_available(state_node)) {
23396 ++ of_node_put(state_node);
23397 + continue;
23398 ++ }
23399 +
23400 + if (!idle_state_valid(state_node, i, cpumask)) {
23401 + pr_warn("%s idle state not valid, bailing out\n",
23402 +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
23403 +index c5e6c82516ce..e4b4c5c07037 100644
23404 +--- a/drivers/dma/at_xdmac.c
23405 ++++ b/drivers/dma/at_xdmac.c
23406 +@@ -1003,10 +1003,10 @@ at_xdmac_tx_status(struct dma_chan *chan, dma_cookie_t cookie,
23407 + for (retry = 0; retry < AT_XDMAC_RESIDUE_MAX_RETRIES; retry++) {
23408 + check_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
23409 + rmb();
23410 +- initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
23411 +- rmb();
23412 + cur_ubc = at_xdmac_chan_read(atchan, AT_XDMAC_CUBC);
23413 + rmb();
23414 ++ initd = !!(at_xdmac_chan_read(atchan, AT_XDMAC_CC) & AT_XDMAC_CC_INITD);
23415 ++ rmb();
23416 + cur_nda = at_xdmac_chan_read(atchan, AT_XDMAC_CNDA) & 0xfffffffc;
23417 + rmb();
23418 +
23419 +diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
23420 +index 62bbd79338e0..348259b0db52 100644
23421 +--- a/drivers/dma/imx-sdma.c
23422 ++++ b/drivers/dma/imx-sdma.c
23423 +@@ -1503,17 +1503,24 @@ static int sdma_probe(struct platform_device *pdev)
23424 + if (IS_ERR(sdma->clk_ahb))
23425 + return PTR_ERR(sdma->clk_ahb);
23426 +
23427 +- clk_prepare(sdma->clk_ipg);
23428 +- clk_prepare(sdma->clk_ahb);
23429 ++ ret = clk_prepare(sdma->clk_ipg);
23430 ++ if (ret)
23431 ++ return ret;
23432 ++
23433 ++ ret = clk_prepare(sdma->clk_ahb);
23434 ++ if (ret)
23435 ++ goto err_clk;
23436 +
23437 + ret = devm_request_irq(&pdev->dev, irq, sdma_int_handler, 0, "sdma",
23438 + sdma);
23439 + if (ret)
23440 +- return ret;
23441 ++ goto err_irq;
23442 +
23443 + sdma->script_addrs = kzalloc(sizeof(*sdma->script_addrs), GFP_KERNEL);
23444 +- if (!sdma->script_addrs)
23445 +- return -ENOMEM;
23446 ++ if (!sdma->script_addrs) {
23447 ++ ret = -ENOMEM;
23448 ++ goto err_irq;
23449 ++ }
23450 +
23451 + /* initially no scripts available */
23452 + saddr_arr = (s32 *)sdma->script_addrs;
23453 +@@ -1618,6 +1625,10 @@ err_register:
23454 + dma_async_device_unregister(&sdma->dma_device);
23455 + err_init:
23456 + kfree(sdma->script_addrs);
23457 ++err_irq:
23458 ++ clk_unprepare(sdma->clk_ahb);
23459 ++err_clk:
23460 ++ clk_unprepare(sdma->clk_ipg);
23461 + return ret;
23462 + }
23463 +
23464 +@@ -1628,6 +1639,8 @@ static int sdma_remove(struct platform_device *pdev)
23465 +
23466 + dma_async_device_unregister(&sdma->dma_device);
23467 + kfree(sdma->script_addrs);
23468 ++ clk_unprepare(sdma->clk_ahb);
23469 ++ clk_unprepare(sdma->clk_ipg);
23470 + /* Kill the tasklet */
23471 + for (i = 0; i < MAX_DMA_CHANNELS; i++) {
23472 + struct sdma_channel *sdmac = &sdma->channel[i];
23473 +diff --git a/drivers/edac/mv64x60_edac.c b/drivers/edac/mv64x60_edac.c
23474 +index 0574e1bbe45c..3ce5609b4611 100644
23475 +--- a/drivers/edac/mv64x60_edac.c
23476 ++++ b/drivers/edac/mv64x60_edac.c
23477 +@@ -763,7 +763,7 @@ static int mv64x60_mc_err_probe(struct platform_device *pdev)
23478 + /* Non-ECC RAM? */
23479 + printk(KERN_WARNING "%s: No ECC DIMMs discovered\n", __func__);
23480 + res = -ENODEV;
23481 +- goto err2;
23482 ++ goto err;
23483 + }
23484 +
23485 + edac_dbg(3, "init mci\n");
23486 +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
23487 +index 95752d38b7fe..2ce21d9340cd 100644
23488 +--- a/drivers/gpio/gpiolib.c
23489 ++++ b/drivers/gpio/gpiolib.c
23490 +@@ -1998,7 +1998,8 @@ struct gpio_desc *__must_check __gpiod_get_index(struct device *dev,
23491 + return desc;
23492 + }
23493 +
23494 +- status = gpiod_request(desc, con_id);
23495 ++ /* If a connection label was passed use that, else use the device name as label */
23496 ++ status = gpiod_request(desc, con_id ? con_id : dev_name(dev));
23497 + if (status < 0)
23498 + return ERR_PTR(status);
23499 +
23500 +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
23501 +index c25728bc388a..fc924d375d95 100644
23502 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
23503 ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
23504 +@@ -519,11 +519,17 @@ static ssize_t sysprops_show(struct kobject *kobj, struct attribute *attr,
23505 + return ret;
23506 + }
23507 +
23508 ++static void kfd_topology_kobj_release(struct kobject *kobj)
23509 ++{
23510 ++ kfree(kobj);
23511 ++}
23512 ++
23513 + static const struct sysfs_ops sysprops_ops = {
23514 + .show = sysprops_show,
23515 + };
23516 +
23517 + static struct kobj_type sysprops_type = {
23518 ++ .release = kfd_topology_kobj_release,
23519 + .sysfs_ops = &sysprops_ops,
23520 + };
23521 +
23522 +@@ -559,6 +565,7 @@ static const struct sysfs_ops iolink_ops = {
23523 + };
23524 +
23525 + static struct kobj_type iolink_type = {
23526 ++ .release = kfd_topology_kobj_release,
23527 + .sysfs_ops = &iolink_ops,
23528 + };
23529 +
23530 +@@ -586,6 +593,7 @@ static const struct sysfs_ops mem_ops = {
23531 + };
23532 +
23533 + static struct kobj_type mem_type = {
23534 ++ .release = kfd_topology_kobj_release,
23535 + .sysfs_ops = &mem_ops,
23536 + };
23537 +
23538 +@@ -625,6 +633,7 @@ static const struct sysfs_ops cache_ops = {
23539 + };
23540 +
23541 + static struct kobj_type cache_type = {
23542 ++ .release = kfd_topology_kobj_release,
23543 + .sysfs_ops = &cache_ops,
23544 + };
23545 +
23546 +@@ -747,6 +756,7 @@ static const struct sysfs_ops node_ops = {
23547 + };
23548 +
23549 + static struct kobj_type node_type = {
23550 ++ .release = kfd_topology_kobj_release,
23551 + .sysfs_ops = &node_ops,
23552 + };
23553 +
23554 +diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
23555 +index 53bc7a628909..27d5c7867e92 100644
23556 +--- a/drivers/gpu/drm/drm_edid.c
23557 ++++ b/drivers/gpu/drm/drm_edid.c
23558 +@@ -3103,8 +3103,7 @@ monitor_name(struct detailed_timing *t, void *data)
23559 + * @edid: EDID to parse
23560 + *
23561 + * Fill the ELD (EDID-Like Data) buffer for passing to the audio driver. The
23562 +- * Conn_Type, HDCP and Port_ID ELD fields are left for the graphics driver to
23563 +- * fill in.
23564 ++ * HDCP and Port_ID ELD fields are left for the graphics driver to fill in.
23565 + */
23566 + void drm_edid_to_eld(struct drm_connector *connector, struct edid *edid)
23567 + {
23568 +@@ -3177,6 +3176,12 @@ void drm_edid_to_eld(struct drm_connector *connector, struct edid *edid)
23569 + }
23570 + eld[5] |= sad_count << 4;
23571 +
23572 ++ if (connector->connector_type == DRM_MODE_CONNECTOR_DisplayPort ||
23573 ++ connector->connector_type == DRM_MODE_CONNECTOR_eDP)
23574 ++ eld[DRM_ELD_SAD_COUNT_CONN_TYPE] |= DRM_ELD_CONN_TYPE_DP;
23575 ++ else
23576 ++ eld[DRM_ELD_SAD_COUNT_CONN_TYPE] |= DRM_ELD_CONN_TYPE_HDMI;
23577 ++
23578 + eld[DRM_ELD_BASELINE_ELD_LEN] =
23579 + DIV_ROUND_UP(drm_eld_calc_baseline_block_size(eld), 4);
23580 +
23581 +diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
23582 +index af9662e58272..5ab0f02a2ab1 100644
23583 +--- a/drivers/gpu/drm/drm_irq.c
23584 ++++ b/drivers/gpu/drm/drm_irq.c
23585 +@@ -1090,9 +1090,9 @@ void drm_vblank_put(struct drm_device *dev, int crtc)
23586 + if (atomic_dec_and_test(&vblank->refcount)) {
23587 + if (drm_vblank_offdelay == 0)
23588 + return;
23589 +- else if (dev->vblank_disable_immediate || drm_vblank_offdelay < 0)
23590 ++ else if (drm_vblank_offdelay < 0)
23591 + vblank_disable_fn((unsigned long)vblank);
23592 +- else
23593 ++ else if (!dev->vblank_disable_immediate)
23594 + mod_timer(&vblank->disable_timer,
23595 + jiffies + ((drm_vblank_offdelay * HZ)/1000));
23596 + }
23597 +@@ -1750,6 +1750,16 @@ bool drm_handle_vblank(struct drm_device *dev, int crtc)
23598 + wake_up(&vblank->queue);
23599 + drm_handle_vblank_events(dev, crtc);
23600 +
23601 ++ /* With instant-off, we defer disabling the interrupt until after
23602 ++ * we finish processing the following vblank. The disable has to
23603 ++ * be last (after drm_handle_vblank_events) so that the timestamp
23604 ++ * is always accurate.
23605 ++ */
23606 ++ if (dev->vblank_disable_immediate &&
23607 ++ drm_vblank_offdelay > 0 &&
23608 ++ !atomic_read(&vblank->refcount))
23609 ++ vblank_disable_fn((unsigned long)vblank);
23610 ++
23611 + spin_unlock_irqrestore(&dev->event_lock, irqflags);
23612 +
23613 + return true;
23614 +diff --git a/drivers/gpu/drm/exynos/exynos_drm_gem.c b/drivers/gpu/drm/exynos/exynos_drm_gem.c
23615 +index 0d5b9698d384..e7d6139528ca 100644
23616 +--- a/drivers/gpu/drm/exynos/exynos_drm_gem.c
23617 ++++ b/drivers/gpu/drm/exynos/exynos_drm_gem.c
23618 +@@ -241,6 +241,15 @@ struct exynos_drm_gem_obj *exynos_drm_gem_create(struct drm_device *dev,
23619 +
23620 + exynos_gem_obj->buffer = buf;
23621 +
23622 ++ if (!is_drm_iommu_supported(dev) && (flags & EXYNOS_BO_NONCONTIG)) {
23623 ++ /*
23624 ++ * when no IOMMU is available, all allocated buffers are
23625 ++ * contiguous anyway, so drop EXYNOS_BO_NONCONTIG flag
23626 ++ */
23627 ++ flags &= ~EXYNOS_BO_NONCONTIG;
23628 ++ DRM_WARN("Non-contiguous allocation is not supported without IOMMU, falling back to contiguous buffer\n");
23629 ++ }
23630 ++
23631 + /* set memory type and cache attribute from user side. */
23632 + exynos_gem_obj->flags = flags;
23633 +
23634 +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
23635 +index 52839769eb6c..e101c2868734 100644
23636 +--- a/drivers/gpu/drm/msm/msm_gem.c
23637 ++++ b/drivers/gpu/drm/msm/msm_gem.c
23638 +@@ -89,14 +89,17 @@ static struct page **get_pages(struct drm_gem_object *obj)
23639 + return p;
23640 + }
23641 +
23642 ++ msm_obj->pages = p;
23643 ++
23644 + msm_obj->sgt = drm_prime_pages_to_sg(p, npages);
23645 + if (IS_ERR(msm_obj->sgt)) {
23646 ++ void *ptr = ERR_CAST(msm_obj->sgt);
23647 ++
23648 + dev_err(dev->dev, "failed to allocate sgt\n");
23649 +- return ERR_CAST(msm_obj->sgt);
23650 ++ msm_obj->sgt = NULL;
23651 ++ return ptr;
23652 + }
23653 +
23654 +- msm_obj->pages = p;
23655 +-
23656 + /* For non-cached buffers, ensure the new pages are clean
23657 + * because display controller, GPU, etc. are not coherent:
23658 + */
23659 +@@ -119,7 +122,10 @@ static void put_pages(struct drm_gem_object *obj)
23660 + if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED))
23661 + dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl,
23662 + msm_obj->sgt->nents, DMA_BIDIRECTIONAL);
23663 +- sg_free_table(msm_obj->sgt);
23664 ++
23665 ++ if (msm_obj->sgt)
23666 ++ sg_free_table(msm_obj->sgt);
23667 ++
23668 + kfree(msm_obj->sgt);
23669 +
23670 + if (use_pages(obj))
23671 +diff --git a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
23672 +index 6e6634cd1d17..9eedb17a6b1b 100644
23673 +--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
23674 ++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
23675 +@@ -287,7 +287,12 @@ static int dmm_txn_commit(struct dmm_txn *txn, bool wait)
23676 + msecs_to_jiffies(1))) {
23677 + dev_err(dmm->dev, "timed out waiting for done\n");
23678 + ret = -ETIMEDOUT;
23679 ++ goto cleanup;
23680 + }
23681 ++
23682 ++ /* Check the engine status before continue */
23683 ++ ret = wait_status(engine, DMM_PATSTATUS_READY |
23684 ++ DMM_PATSTATUS_VALID | DMM_PATSTATUS_DONE);
23685 + }
23686 +
23687 + cleanup:
23688 +diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c
23689 +index e9718b99a8a9..ee43b48ded73 100644
23690 +--- a/drivers/gpu/drm/omapdrm/omap_gem.c
23691 ++++ b/drivers/gpu/drm/omapdrm/omap_gem.c
23692 +@@ -158,7 +158,7 @@ static void evict_entry(struct drm_gem_object *obj,
23693 + size_t size = PAGE_SIZE * n;
23694 + loff_t off = mmap_offset(obj) +
23695 + (entry->obj_pgoff << PAGE_SHIFT);
23696 +- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE);
23697 ++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE);
23698 +
23699 + if (m > 1) {
23700 + int i;
23701 +@@ -415,7 +415,7 @@ static int fault_2d(struct drm_gem_object *obj,
23702 + * into account in some of the math, so figure out virtual stride
23703 + * in pages
23704 + */
23705 +- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE);
23706 ++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE);
23707 +
23708 + /* We don't use vmf->pgoff since that has the fake offset: */
23709 + pgoff = ((unsigned long)vmf->virtual_address -
23710 +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
23711 +index 9f699e87320a..6806772f3647 100644
23712 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c
23713 ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c
23714 +@@ -89,25 +89,18 @@ void radeon_connector_hotplug(struct drm_connector *connector)
23715 + /* don't do anything if sink is not display port, i.e.,
23716 + * passive dp->(dvi|hdmi) adaptor
23717 + */
23718 +- if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT) {
23719 +- int saved_dpms = connector->dpms;
23720 +- /* Only turn off the display if it's physically disconnected */
23721 +- if (!radeon_hpd_sense(rdev, radeon_connector->hpd.hpd)) {
23722 +- drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
23723 +- } else if (radeon_dp_needs_link_train(radeon_connector)) {
23724 +- /* Don't try to start link training before we
23725 +- * have the dpcd */
23726 +- if (!radeon_dp_getdpcd(radeon_connector))
23727 +- return;
23728 +-
23729 +- /* set it to OFF so that drm_helper_connector_dpms()
23730 +- * won't return immediately since the current state
23731 +- * is ON at this point.
23732 +- */
23733 +- connector->dpms = DRM_MODE_DPMS_OFF;
23734 +- drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
23735 +- }
23736 +- connector->dpms = saved_dpms;
23737 ++ if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT &&
23738 ++ radeon_hpd_sense(rdev, radeon_connector->hpd.hpd) &&
23739 ++ radeon_dp_needs_link_train(radeon_connector)) {
23740 ++ /* Don't start link training before we have the DPCD */
23741 ++ if (!radeon_dp_getdpcd(radeon_connector))
23742 ++ return;
23743 ++
23744 ++ /* Turn the connector off and back on immediately, which
23745 ++ * will trigger link training
23746 ++ */
23747 ++ drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
23748 ++ drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
23749 + }
23750 + }
23751 + }
23752 +diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
23753 +index 6743174acdbc..9dad7810d21b 100644
23754 +--- a/drivers/gpu/drm/radeon/radeon_display.c
23755 ++++ b/drivers/gpu/drm/radeon/radeon_display.c
23756 +@@ -1321,6 +1321,12 @@ radeon_user_framebuffer_create(struct drm_device *dev,
23757 + return ERR_PTR(-ENOENT);
23758 + }
23759 +
23760 ++ /* Handle is imported dma-buf, so cannot be migrated to VRAM for scanout */
23761 ++ if (obj->import_attach) {
23762 ++ DRM_DEBUG_KMS("Cannot create framebuffer from imported dma_buf\n");
23763 ++ return ERR_PTR(-EINVAL);
23764 ++ }
23765 ++
23766 + radeon_fb = kzalloc(sizeof(*radeon_fb), GFP_KERNEL);
23767 + if (radeon_fb == NULL) {
23768 + drm_gem_object_unreference_unlocked(obj);
23769 +diff --git a/drivers/gpu/drm/radeon/radeon_object.c b/drivers/gpu/drm/radeon/radeon_object.c
23770 +index 741065bd14b3..ad172473f047 100644
23771 +--- a/drivers/gpu/drm/radeon/radeon_object.c
23772 ++++ b/drivers/gpu/drm/radeon/radeon_object.c
23773 +@@ -232,9 +232,10 @@ int radeon_bo_create(struct radeon_device *rdev,
23774 + * may be slow
23775 + * See https://bugs.freedesktop.org/show_bug.cgi?id=88758
23776 + */
23777 +-
23778 ++#ifndef CONFIG_COMPILE_TEST
23779 + #warning Please enable CONFIG_MTRR and CONFIG_X86_PAT for better performance \
23780 + thanks to write-combining
23781 ++#endif
23782 +
23783 + DRM_INFO_ONCE("Please enable CONFIG_MTRR and CONFIG_X86_PAT for "
23784 + "better performance thanks to write-combining\n");
23785 +diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c
23786 +index 128bd66b8cb0..f11a37832d78 100644
23787 +--- a/drivers/gpu/drm/radeon/si_dpm.c
23788 ++++ b/drivers/gpu/drm/radeon/si_dpm.c
23789 +@@ -5895,9 +5895,9 @@ static void si_set_pcie_lane_width_in_smc(struct radeon_device *rdev,
23790 + {
23791 + u32 lane_width;
23792 + u32 new_lane_width =
23793 +- (radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT;
23794 ++ ((radeon_new_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1;
23795 + u32 current_lane_width =
23796 +- (radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT;
23797 ++ ((radeon_current_state->caps & ATOM_PPLIB_PCIE_LINK_WIDTH_MASK) >> ATOM_PPLIB_PCIE_LINK_WIDTH_SHIFT) + 1;
23798 +
23799 + if (new_lane_width != current_lane_width) {
23800 + radeon_set_pcie_lanes(rdev, new_lane_width);
23801 +diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
23802 +index cd8d183dcfe5..ccb26652198b 100644
23803 +--- a/drivers/gpu/drm/udl/udl_fb.c
23804 ++++ b/drivers/gpu/drm/udl/udl_fb.c
23805 +@@ -256,10 +256,15 @@ static int udl_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
23806 + {
23807 + unsigned long start = vma->vm_start;
23808 + unsigned long size = vma->vm_end - vma->vm_start;
23809 +- unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
23810 ++ unsigned long offset;
23811 + unsigned long page, pos;
23812 +
23813 +- if (offset + size > info->fix.smem_len)
23814 ++ if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
23815 ++ return -EINVAL;
23816 ++
23817 ++ offset = vma->vm_pgoff << PAGE_SHIFT;
23818 ++
23819 ++ if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
23820 + return -EINVAL;
23821 +
23822 + pos = (unsigned long)info->fix.smem_start + offset;
23823 +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
23824 +index d8638d8221ea..8331dfddbd2c 100644
23825 +--- a/drivers/hid/hid-core.c
23826 ++++ b/drivers/hid/hid-core.c
23827 +@@ -1308,7 +1308,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
23828 + * of implement() working on 8 byte chunks
23829 + */
23830 +
23831 +- int len = hid_report_len(report) + 7;
23832 ++ u32 len = hid_report_len(report) + 7;
23833 +
23834 + return kmalloc(len, flags);
23835 + }
23836 +@@ -1373,7 +1373,7 @@ void __hid_request(struct hid_device *hid, struct hid_report *report,
23837 + {
23838 + char *buf;
23839 + int ret;
23840 +- int len;
23841 ++ u32 len;
23842 +
23843 + buf = hid_alloc_report_buf(report, GFP_KERNEL);
23844 + if (!buf)
23845 +@@ -1399,14 +1399,14 @@ out:
23846 + }
23847 + EXPORT_SYMBOL_GPL(__hid_request);
23848 +
23849 +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
23850 ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
23851 + int interrupt)
23852 + {
23853 + struct hid_report_enum *report_enum = hid->report_enum + type;
23854 + struct hid_report *report;
23855 + struct hid_driver *hdrv;
23856 + unsigned int a;
23857 +- int rsize, csize = size;
23858 ++ u32 rsize, csize = size;
23859 + u8 *cdata = data;
23860 + int ret = 0;
23861 +
23862 +@@ -1464,7 +1464,7 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event);
23863 + *
23864 + * This is data entry for lower layers.
23865 + */
23866 +-int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int interrupt)
23867 ++int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt)
23868 + {
23869 + struct hid_report_enum *report_enum;
23870 + struct hid_driver *hdrv;
23871 +diff --git a/drivers/hid/hid-elo.c b/drivers/hid/hid-elo.c
23872 +index d0c8a1c1e1fe..2fc43ad7f0b6 100644
23873 +--- a/drivers/hid/hid-elo.c
23874 ++++ b/drivers/hid/hid-elo.c
23875 +@@ -42,6 +42,12 @@ static void elo_input_configured(struct hid_device *hdev,
23876 + {
23877 + struct input_dev *input = hidinput->input;
23878 +
23879 ++ /*
23880 ++ * ELO devices have one Button usage in GenDesk field, which makes
23881 ++ * hid-input map it to BTN_LEFT; that confuses userspace, which then
23882 ++ * considers the device to be a mouse/touchpad instead of touchscreen.
23883 ++ */
23884 ++ clear_bit(BTN_LEFT, input->keybit);
23885 + set_bit(BTN_TOUCH, input->keybit);
23886 + set_bit(ABS_PRESSURE, input->absbit);
23887 + input_set_abs_params(input, ABS_PRESSURE, 0, 256, 0, 0);
23888 +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
23889 +index 32d52d29cc68..b4ace7561555 100644
23890 +--- a/drivers/hid/hid-input.c
23891 ++++ b/drivers/hid/hid-input.c
23892 +@@ -1128,18 +1128,26 @@ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct
23893 +
23894 + /*
23895 + * Ignore out-of-range values as per HID specification,
23896 +- * section 5.10 and 6.2.25.
23897 ++ * section 5.10 and 6.2.25, when NULL state bit is present.
23898 ++ * When it's not, clamp the value to match Microsoft's input
23899 ++ * driver as mentioned in "Required HID usages for digitizers":
23900 ++ * https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp
23901 + *
23902 + * The logical_minimum < logical_maximum check is done so that we
23903 + * don't unintentionally discard values sent by devices which
23904 + * don't specify logical min and max.
23905 + */
23906 + if ((field->flags & HID_MAIN_ITEM_VARIABLE) &&
23907 +- (field->logical_minimum < field->logical_maximum) &&
23908 +- (value < field->logical_minimum ||
23909 +- value > field->logical_maximum)) {
23910 +- dbg_hid("Ignoring out-of-range value %x\n", value);
23911 +- return;
23912 ++ (field->logical_minimum < field->logical_maximum)) {
23913 ++ if (field->flags & HID_MAIN_ITEM_NULL_STATE &&
23914 ++ (value < field->logical_minimum ||
23915 ++ value > field->logical_maximum)) {
23916 ++ dbg_hid("Ignoring out-of-range value %x\n", value);
23917 ++ return;
23918 ++ }
23919 ++ value = clamp(value,
23920 ++ field->logical_minimum,
23921 ++ field->logical_maximum);
23922 + }
23923 +
23924 + /*
23925 +diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
23926 +index 9c2d7c23f296..c0c4df198725 100644
23927 +--- a/drivers/hid/hidraw.c
23928 ++++ b/drivers/hid/hidraw.c
23929 +@@ -197,6 +197,11 @@ static ssize_t hidraw_get_report(struct file *file, char __user *buffer, size_t
23930 + int ret = 0, len;
23931 + unsigned char report_number;
23932 +
23933 ++ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
23934 ++ ret = -ENODEV;
23935 ++ goto out;
23936 ++ }
23937 ++
23938 + dev = hidraw_table[minor]->hid;
23939 +
23940 + if (!dev->ll_driver->raw_request) {
23941 +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
23942 +index a9054be9bca2..fd72f894865d 100644
23943 +--- a/drivers/hid/i2c-hid/i2c-hid.c
23944 ++++ b/drivers/hid/i2c-hid/i2c-hid.c
23945 +@@ -137,10 +137,10 @@ struct i2c_hid {
23946 + * register of the HID
23947 + * descriptor. */
23948 + unsigned int bufsize; /* i2c buffer size */
23949 +- char *inbuf; /* Input buffer */
23950 +- char *rawbuf; /* Raw Input buffer */
23951 +- char *cmdbuf; /* Command buffer */
23952 +- char *argsbuf; /* Command arguments buffer */
23953 ++ u8 *inbuf; /* Input buffer */
23954 ++ u8 *rawbuf; /* Raw Input buffer */
23955 ++ u8 *cmdbuf; /* Command buffer */
23956 ++ u8 *argsbuf; /* Command arguments buffer */
23957 +
23958 + unsigned long flags; /* device flags */
23959 +
23960 +@@ -385,7 +385,8 @@ static int i2c_hid_hwreset(struct i2c_client *client)
23961 +
23962 + static void i2c_hid_get_input(struct i2c_hid *ihid)
23963 + {
23964 +- int ret, ret_size;
23965 ++ int ret;
23966 ++ u32 ret_size;
23967 + int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
23968 +
23969 + if (size > ihid->bufsize)
23970 +@@ -410,7 +411,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid)
23971 + return;
23972 + }
23973 +
23974 +- if (ret_size > size) {
23975 ++ if ((ret_size > size) || (ret_size <= 2)) {
23976 + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
23977 + __func__, size, ret_size);
23978 + return;
23979 +diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c
23980 +index e5c7a969f28b..0cb78f30696b 100644
23981 +--- a/drivers/hsi/clients/ssi_protocol.c
23982 ++++ b/drivers/hsi/clients/ssi_protocol.c
23983 +@@ -976,7 +976,7 @@ static int ssip_pn_xmit(struct sk_buff *skb, struct net_device *dev)
23984 + goto drop;
23985 + /* Pad to 32-bits - FIXME: Revisit*/
23986 + if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3)))
23987 +- goto drop;
23988 ++ goto inc_dropped;
23989 +
23990 + /*
23991 + * Modem sends Phonet messages over SSI with its own endianess...
23992 +@@ -1028,8 +1028,9 @@ static int ssip_pn_xmit(struct sk_buff *skb, struct net_device *dev)
23993 + drop2:
23994 + hsi_free_msg(msg);
23995 + drop:
23996 +- dev->stats.tx_dropped++;
23997 + dev_kfree_skb(skb);
23998 ++inc_dropped:
23999 ++ dev->stats.tx_dropped++;
24000 +
24001 + return 0;
24002 + }
24003 +diff --git a/drivers/hwtracing/coresight/coresight-tpiu.c b/drivers/hwtracing/coresight/coresight-tpiu.c
24004 +index 3b33af2416bb..12dc09db55e5 100644
24005 +--- a/drivers/hwtracing/coresight/coresight-tpiu.c
24006 ++++ b/drivers/hwtracing/coresight/coresight-tpiu.c
24007 +@@ -44,8 +44,11 @@
24008 + #define TPIU_ITATBCTR0 0xef8
24009 +
24010 + /** register definition **/
24011 ++/* FFSR - 0x300 */
24012 ++#define FFSR_FT_STOPPED BIT(1)
24013 + /* FFCR - 0x304 */
24014 + #define FFCR_FON_MAN BIT(6)
24015 ++#define FFCR_STOP_FI BIT(12)
24016 +
24017 + /**
24018 + * @base: memory mapped base address for this component.
24019 +@@ -88,10 +91,14 @@ static void tpiu_disable_hw(struct tpiu_drvdata *drvdata)
24020 + {
24021 + CS_UNLOCK(drvdata->base);
24022 +
24023 +- /* Clear formatter controle reg. */
24024 +- writel_relaxed(0x0, drvdata->base + TPIU_FFCR);
24025 ++ /* Clear formatter and stop on flush */
24026 ++ writel_relaxed(FFCR_STOP_FI, drvdata->base + TPIU_FFCR);
24027 + /* Generate manual flush */
24028 +- writel_relaxed(FFCR_FON_MAN, drvdata->base + TPIU_FFCR);
24029 ++ writel_relaxed(FFCR_STOP_FI | FFCR_FON_MAN, drvdata->base + TPIU_FFCR);
24030 ++ /* Wait for flush to complete */
24031 ++ coresight_timeout(drvdata->base, TPIU_FFCR, FFCR_FON_MAN, 0);
24032 ++ /* Wait for formatter to stop */
24033 ++ coresight_timeout(drvdata->base, TPIU_FFSR, FFSR_FT_STOPPED, 1);
24034 +
24035 + CS_LOCK(drvdata->base);
24036 + }
24037 +diff --git a/drivers/hwtracing/coresight/of_coresight.c b/drivers/hwtracing/coresight/of_coresight.c
24038 +index 35e51ce93a5c..62a56654df97 100644
24039 +--- a/drivers/hwtracing/coresight/of_coresight.c
24040 ++++ b/drivers/hwtracing/coresight/of_coresight.c
24041 +@@ -150,7 +150,7 @@ struct coresight_platform_data *of_get_coresight_platform_data(
24042 + continue;
24043 +
24044 + /* The local out port number */
24045 +- pdata->outports[i] = endpoint.id;
24046 ++ pdata->outports[i] = endpoint.port;
24047 +
24048 + /*
24049 + * Get a handle on the remote port and parent
24050 +diff --git a/drivers/i2c/busses/i2c-scmi.c b/drivers/i2c/busses/i2c-scmi.c
24051 +index dfc98df7b1b6..7aa7b9cb6203 100644
24052 +--- a/drivers/i2c/busses/i2c-scmi.c
24053 ++++ b/drivers/i2c/busses/i2c-scmi.c
24054 +@@ -18,6 +18,9 @@
24055 + #define ACPI_SMBUS_HC_CLASS "smbus"
24056 + #define ACPI_SMBUS_HC_DEVICE_NAME "cmi"
24057 +
24058 ++/* SMBUS HID definition as supported by Microsoft Windows */
24059 ++#define ACPI_SMBUS_MS_HID "SMB0001"
24060 ++
24061 + ACPI_MODULE_NAME("smbus_cmi");
24062 +
24063 + struct smbus_methods_t {
24064 +@@ -51,6 +54,7 @@ static const struct smbus_methods_t ibm_smbus_methods = {
24065 + static const struct acpi_device_id acpi_smbus_cmi_ids[] = {
24066 + {"SMBUS01", (kernel_ulong_t)&smbus_methods},
24067 + {ACPI_SMBUS_IBM_HID, (kernel_ulong_t)&ibm_smbus_methods},
24068 ++ {ACPI_SMBUS_MS_HID, (kernel_ulong_t)&smbus_methods},
24069 + {"", 0}
24070 + };
24071 + MODULE_DEVICE_TABLE(acpi, acpi_smbus_cmi_ids);
24072 +diff --git a/drivers/iio/accel/st_accel_core.c b/drivers/iio/accel/st_accel_core.c
24073 +index 2ae7150442fc..2f94d1164730 100644
24074 +--- a/drivers/iio/accel/st_accel_core.c
24075 ++++ b/drivers/iio/accel/st_accel_core.c
24076 +@@ -535,6 +535,8 @@ static const struct iio_trigger_ops st_accel_trigger_ops = {
24077 + int st_accel_common_probe(struct iio_dev *indio_dev)
24078 + {
24079 + struct st_sensor_data *adata = iio_priv(indio_dev);
24080 ++ struct st_sensors_platform_data *pdata =
24081 ++ (struct st_sensors_platform_data *)adata->dev->platform_data;
24082 + int irq = adata->get_irq_data_ready(indio_dev);
24083 + int err;
24084 +
24085 +@@ -559,11 +561,10 @@ int st_accel_common_probe(struct iio_dev *indio_dev)
24086 + &adata->sensor_settings->fs.fs_avl[0];
24087 + adata->odr = adata->sensor_settings->odr.odr_avl[0].hz;
24088 +
24089 +- if (!adata->dev->platform_data)
24090 +- adata->dev->platform_data =
24091 +- (struct st_sensors_platform_data *)&default_accel_pdata;
24092 ++ if (!pdata)
24093 ++ pdata = (struct st_sensors_platform_data *)&default_accel_pdata;
24094 +
24095 +- err = st_sensors_init_sensor(indio_dev, adata->dev->platform_data);
24096 ++ err = st_sensors_init_sensor(indio_dev, pdata);
24097 + if (err < 0)
24098 + return err;
24099 +
24100 +diff --git a/drivers/iio/magnetometer/st_magn_spi.c b/drivers/iio/magnetometer/st_magn_spi.c
24101 +index 7adacf160146..899ed591d666 100644
24102 +--- a/drivers/iio/magnetometer/st_magn_spi.c
24103 ++++ b/drivers/iio/magnetometer/st_magn_spi.c
24104 +@@ -48,8 +48,6 @@ static int st_magn_spi_remove(struct spi_device *spi)
24105 + }
24106 +
24107 + static const struct spi_device_id st_magn_id_table[] = {
24108 +- { LSM303DLHC_MAGN_DEV_NAME },
24109 +- { LSM303DLM_MAGN_DEV_NAME },
24110 + { LIS3MDL_MAGN_DEV_NAME },
24111 + {},
24112 + };
24113 +diff --git a/drivers/iio/pressure/st_pressure_core.c b/drivers/iio/pressure/st_pressure_core.c
24114 +index 1f7f844bc0b8..c80bc75790e7 100644
24115 +--- a/drivers/iio/pressure/st_pressure_core.c
24116 ++++ b/drivers/iio/pressure/st_pressure_core.c
24117 +@@ -432,6 +432,8 @@ static const struct iio_trigger_ops st_press_trigger_ops = {
24118 + int st_press_common_probe(struct iio_dev *indio_dev)
24119 + {
24120 + struct st_sensor_data *press_data = iio_priv(indio_dev);
24121 ++ struct st_sensors_platform_data *pdata =
24122 ++ (struct st_sensors_platform_data *)press_data->dev->platform_data;
24123 + int irq = press_data->get_irq_data_ready(indio_dev);
24124 + int err;
24125 +
24126 +@@ -460,12 +462,10 @@ int st_press_common_probe(struct iio_dev *indio_dev)
24127 + press_data->odr = press_data->sensor_settings->odr.odr_avl[0].hz;
24128 +
24129 + /* Some devices don't support a data ready pin. */
24130 +- if (!press_data->dev->platform_data &&
24131 +- press_data->sensor_settings->drdy_irq.addr)
24132 +- press_data->dev->platform_data =
24133 +- (struct st_sensors_platform_data *)&default_press_pdata;
24134 ++ if (!pdata && press_data->sensor_settings->drdy_irq.addr)
24135 ++ pdata = (struct st_sensors_platform_data *)&default_press_pdata;
24136 +
24137 +- err = st_sensors_init_sensor(indio_dev, press_data->dev->platform_data);
24138 ++ err = st_sensors_init_sensor(indio_dev, pdata);
24139 + if (err < 0)
24140 + return err;
24141 +
24142 +diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
24143 +index 38339d220d7f..33d69b5d70ec 100644
24144 +--- a/drivers/infiniband/core/addr.c
24145 ++++ b/drivers/infiniband/core/addr.c
24146 +@@ -86,6 +86,22 @@ int rdma_addr_size(struct sockaddr *addr)
24147 + }
24148 + EXPORT_SYMBOL(rdma_addr_size);
24149 +
24150 ++int rdma_addr_size_in6(struct sockaddr_in6 *addr)
24151 ++{
24152 ++ int ret = rdma_addr_size((struct sockaddr *) addr);
24153 ++
24154 ++ return ret <= sizeof(*addr) ? ret : 0;
24155 ++}
24156 ++EXPORT_SYMBOL(rdma_addr_size_in6);
24157 ++
24158 ++int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr)
24159 ++{
24160 ++ int ret = rdma_addr_size((struct sockaddr *) addr);
24161 ++
24162 ++ return ret <= sizeof(*addr) ? ret : 0;
24163 ++}
24164 ++EXPORT_SYMBOL(rdma_addr_size_kss);
24165 ++
24166 + static struct rdma_addr_client self;
24167 +
24168 + void rdma_addr_register_client(struct rdma_addr_client *client)
24169 +diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
24170 +index de1c8a78374e..8c89dac48a04 100644
24171 +--- a/drivers/infiniband/core/cma.c
24172 ++++ b/drivers/infiniband/core/cma.c
24173 +@@ -3363,6 +3363,9 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr,
24174 + struct cma_multicast *mc;
24175 + int ret;
24176 +
24177 ++ if (!id->device)
24178 ++ return -EINVAL;
24179 ++
24180 + id_priv = container_of(id, struct rdma_id_private, id);
24181 + if (!cma_comp(id_priv, RDMA_CM_ADDR_BOUND) &&
24182 + !cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED))
24183 +@@ -3645,7 +3648,7 @@ static int cma_get_id_stats(struct sk_buff *skb, struct netlink_callback *cb)
24184 + RDMA_NL_RDMA_CM_ATTR_SRC_ADDR))
24185 + goto out;
24186 + if (ibnl_put_attr(skb, nlh,
24187 +- rdma_addr_size(cma_src_addr(id_priv)),
24188 ++ rdma_addr_size(cma_dst_addr(id_priv)),
24189 + cma_dst_addr(id_priv),
24190 + RDMA_NL_RDMA_CM_ATTR_DST_ADDR))
24191 + goto out;
24192 +diff --git a/drivers/infiniband/core/iwpm_util.c b/drivers/infiniband/core/iwpm_util.c
24193 +index a626795bf9c7..f1c37b7c666f 100644
24194 +--- a/drivers/infiniband/core/iwpm_util.c
24195 ++++ b/drivers/infiniband/core/iwpm_util.c
24196 +@@ -654,6 +654,7 @@ int iwpm_send_mapinfo(u8 nl_client, int iwpm_pid)
24197 + }
24198 + skb_num++;
24199 + spin_lock_irqsave(&iwpm_mapinfo_lock, flags);
24200 ++ ret = -EINVAL;
24201 + for (i = 0; i < IWPM_MAPINFO_HASH_SIZE; i++) {
24202 + hlist_for_each_entry(map_info, &iwpm_hash_bucket[i],
24203 + hlist_node) {
24204 +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
24205 +index 9e7dd06031ae..2daae8b758f1 100644
24206 +--- a/drivers/infiniband/core/ucma.c
24207 ++++ b/drivers/infiniband/core/ucma.c
24208 +@@ -411,6 +411,9 @@ err1:
24209 + mutex_lock(&mut);
24210 + idr_remove(&ctx_idr, ctx->id);
24211 + mutex_unlock(&mut);
24212 ++ mutex_lock(&file->mut);
24213 ++ list_del(&ctx->list);
24214 ++ mutex_unlock(&file->mut);
24215 + kfree(ctx);
24216 + return ret;
24217 + }
24218 +@@ -522,6 +525,9 @@ static ssize_t ucma_bind_ip(struct ucma_file *file, const char __user *inbuf,
24219 + if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
24220 + return -EFAULT;
24221 +
24222 ++ if (!rdma_addr_size_in6(&cmd.addr))
24223 ++ return -EINVAL;
24224 ++
24225 + ctx = ucma_get_ctx(file, cmd.id);
24226 + if (IS_ERR(ctx))
24227 + return PTR_ERR(ctx);
24228 +@@ -535,22 +541,21 @@ static ssize_t ucma_bind(struct ucma_file *file, const char __user *inbuf,
24229 + int in_len, int out_len)
24230 + {
24231 + struct rdma_ucm_bind cmd;
24232 +- struct sockaddr *addr;
24233 + struct ucma_context *ctx;
24234 + int ret;
24235 +
24236 + if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
24237 + return -EFAULT;
24238 +
24239 +- addr = (struct sockaddr *) &cmd.addr;
24240 +- if (cmd.reserved || !cmd.addr_size || (cmd.addr_size != rdma_addr_size(addr)))
24241 ++ if (cmd.reserved || !cmd.addr_size ||
24242 ++ cmd.addr_size != rdma_addr_size_kss(&cmd.addr))
24243 + return -EINVAL;
24244 +
24245 + ctx = ucma_get_ctx(file, cmd.id);
24246 + if (IS_ERR(ctx))
24247 + return PTR_ERR(ctx);
24248 +
24249 +- ret = rdma_bind_addr(ctx->cm_id, addr);
24250 ++ ret = rdma_bind_addr(ctx->cm_id, (struct sockaddr *) &cmd.addr);
24251 + ucma_put_ctx(ctx);
24252 + return ret;
24253 + }
24254 +@@ -566,13 +571,16 @@ static ssize_t ucma_resolve_ip(struct ucma_file *file,
24255 + if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
24256 + return -EFAULT;
24257 +
24258 ++ if ((cmd.src_addr.sin6_family && !rdma_addr_size_in6(&cmd.src_addr)) ||
24259 ++ !rdma_addr_size_in6(&cmd.dst_addr))
24260 ++ return -EINVAL;
24261 ++
24262 + ctx = ucma_get_ctx(file, cmd.id);
24263 + if (IS_ERR(ctx))
24264 + return PTR_ERR(ctx);
24265 +
24266 + ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
24267 +- (struct sockaddr *) &cmd.dst_addr,
24268 +- cmd.timeout_ms);
24269 ++ (struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
24270 + ucma_put_ctx(ctx);
24271 + return ret;
24272 + }
24273 +@@ -582,24 +590,23 @@ static ssize_t ucma_resolve_addr(struct ucma_file *file,
24274 + int in_len, int out_len)
24275 + {
24276 + struct rdma_ucm_resolve_addr cmd;
24277 +- struct sockaddr *src, *dst;
24278 + struct ucma_context *ctx;
24279 + int ret;
24280 +
24281 + if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
24282 + return -EFAULT;
24283 +
24284 +- src = (struct sockaddr *) &cmd.src_addr;
24285 +- dst = (struct sockaddr *) &cmd.dst_addr;
24286 +- if (cmd.reserved || (cmd.src_size && (cmd.src_size != rdma_addr_size(src))) ||
24287 +- !cmd.dst_size || (cmd.dst_size != rdma_addr_size(dst)))
24288 ++ if (cmd.reserved ||
24289 ++ (cmd.src_size && (cmd.src_size != rdma_addr_size_kss(&cmd.src_addr))) ||
24290 ++ !cmd.dst_size || (cmd.dst_size != rdma_addr_size_kss(&cmd.dst_addr)))
24291 + return -EINVAL;
24292 +
24293 + ctx = ucma_get_ctx(file, cmd.id);
24294 + if (IS_ERR(ctx))
24295 + return PTR_ERR(ctx);
24296 +
24297 +- ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
24298 ++ ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
24299 ++ (struct sockaddr *) &cmd.dst_addr, cmd.timeout_ms);
24300 + ucma_put_ctx(ctx);
24301 + return ret;
24302 + }
24303 +@@ -1057,6 +1064,11 @@ static ssize_t ucma_init_qp_attr(struct ucma_file *file,
24304 + if (IS_ERR(ctx))
24305 + return PTR_ERR(ctx);
24306 +
24307 ++ if (!ctx->cm_id->device) {
24308 ++ ret = -EINVAL;
24309 ++ goto out;
24310 ++ }
24311 ++
24312 + resp.qp_attr_mask = 0;
24313 + memset(&qp_attr, 0, sizeof qp_attr);
24314 + qp_attr.qp_state = cmd.qp_state;
24315 +@@ -1127,6 +1139,9 @@ static int ucma_set_ib_path(struct ucma_context *ctx,
24316 + if (!optlen)
24317 + return -EINVAL;
24318 +
24319 ++ if (!ctx->cm_id->device)
24320 ++ return -EINVAL;
24321 ++
24322 + memset(&sa_path, 0, sizeof(sa_path));
24323 + sa_path.vlan_id = 0xffff;
24324 +
24325 +@@ -1214,7 +1229,7 @@ static ssize_t ucma_notify(struct ucma_file *file, const char __user *inbuf,
24326 + {
24327 + struct rdma_ucm_notify cmd;
24328 + struct ucma_context *ctx;
24329 +- int ret;
24330 ++ int ret = -EINVAL;
24331 +
24332 + if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
24333 + return -EFAULT;
24334 +@@ -1223,7 +1238,9 @@ static ssize_t ucma_notify(struct ucma_file *file, const char __user *inbuf,
24335 + if (IS_ERR(ctx))
24336 + return PTR_ERR(ctx);
24337 +
24338 +- ret = rdma_notify(ctx->cm_id, (enum ib_event_type) cmd.event);
24339 ++ if (ctx->cm_id->device)
24340 ++ ret = rdma_notify(ctx->cm_id, (enum ib_event_type)cmd.event);
24341 ++
24342 + ucma_put_ctx(ctx);
24343 + return ret;
24344 + }
24345 +@@ -1241,7 +1258,7 @@ static ssize_t ucma_process_join(struct ucma_file *file,
24346 + return -ENOSPC;
24347 +
24348 + addr = (struct sockaddr *) &cmd->addr;
24349 +- if (cmd->reserved || !cmd->addr_size || (cmd->addr_size != rdma_addr_size(addr)))
24350 ++ if (cmd->reserved || (cmd->addr_size != rdma_addr_size(addr)))
24351 + return -EINVAL;
24352 +
24353 + ctx = ucma_get_ctx(file, cmd->id);
24354 +@@ -1300,7 +1317,10 @@ static ssize_t ucma_join_ip_multicast(struct ucma_file *file,
24355 + join_cmd.response = cmd.response;
24356 + join_cmd.uid = cmd.uid;
24357 + join_cmd.id = cmd.id;
24358 +- join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
24359 ++ join_cmd.addr_size = rdma_addr_size_in6(&cmd.addr);
24360 ++ if (!join_cmd.addr_size)
24361 ++ return -EINVAL;
24362 ++
24363 + join_cmd.reserved = 0;
24364 + memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size);
24365 +
24366 +@@ -1316,6 +1336,9 @@ static ssize_t ucma_join_multicast(struct ucma_file *file,
24367 + if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
24368 + return -EFAULT;
24369 +
24370 ++ if (!rdma_addr_size_kss(&cmd.addr))
24371 ++ return -EINVAL;
24372 ++
24373 + return ucma_process_join(file, &cmd, out_len);
24374 + }
24375 +
24376 +diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
24377 +index 38acb3cfc545..bda76b9cf396 100644
24378 +--- a/drivers/infiniband/core/umem.c
24379 ++++ b/drivers/infiniband/core/umem.c
24380 +@@ -352,7 +352,7 @@ int ib_umem_copy_from(void *dst, struct ib_umem *umem, size_t offset,
24381 + return -EINVAL;
24382 + }
24383 +
24384 +- ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->nmap, dst, length,
24385 ++ ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->npages, dst, length,
24386 + offset + ib_umem_offset(umem));
24387 +
24388 + if (ret < 0)
24389 +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
24390 +index d35f62d4f4c5..5d4ef3567743 100644
24391 +--- a/drivers/infiniband/hw/mlx5/qp.c
24392 ++++ b/drivers/infiniband/hw/mlx5/qp.c
24393 +@@ -236,7 +236,11 @@ static int set_rq_size(struct mlx5_ib_dev *dev, struct ib_qp_cap *cap,
24394 + } else {
24395 + if (ucmd) {
24396 + qp->rq.wqe_cnt = ucmd->rq_wqe_count;
24397 ++ if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
24398 ++ return -EINVAL;
24399 + qp->rq.wqe_shift = ucmd->rq_wqe_shift;
24400 ++ if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
24401 ++ return -EINVAL;
24402 + qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
24403 + qp->rq.max_post = qp->rq.wqe_cnt;
24404 + } else {
24405 +diff --git a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
24406 +index 48d7ef51aa0c..9b8a2c000280 100644
24407 +--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
24408 ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c
24409 +@@ -819,7 +819,7 @@ void ocrdma_add_port_stats(struct ocrdma_dev *dev)
24410 +
24411 + dev->reset_stats.type = OCRDMA_RESET_STATS;
24412 + dev->reset_stats.dev = dev;
24413 +- if (!debugfs_create_file("reset_stats", S_IRUSR, dev->dir,
24414 ++ if (!debugfs_create_file("reset_stats", 0200, dev->dir,
24415 + &dev->reset_stats, &ocrdma_dbg_ops))
24416 + goto err;
24417 +
24418 +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
24419 +index 545c7ef480e8..18f732aa1510 100644
24420 +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
24421 ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
24422 +@@ -963,6 +963,19 @@ static inline int update_parent_pkey(struct ipoib_dev_priv *priv)
24423 + */
24424 + priv->dev->broadcast[8] = priv->pkey >> 8;
24425 + priv->dev->broadcast[9] = priv->pkey & 0xff;
24426 ++
24427 ++ /*
24428 ++ * Update the broadcast address in the priv->broadcast object,
24429 ++ * in case it already exists, otherwise no one will do that.
24430 ++ */
24431 ++ if (priv->broadcast) {
24432 ++ spin_lock_irq(&priv->lock);
24433 ++ memcpy(priv->broadcast->mcmember.mgid.raw,
24434 ++ priv->dev->broadcast + 4,
24435 ++ sizeof(union ib_gid));
24436 ++ spin_unlock_irq(&priv->lock);
24437 ++ }
24438 ++
24439 + return 0;
24440 + }
24441 +
24442 +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
24443 +index 7599fb0b2d98..17a1bb19b8d1 100644
24444 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
24445 ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
24446 +@@ -488,6 +488,22 @@ static void path_rec_completion(int status,
24447 + spin_lock_irqsave(&priv->lock, flags);
24448 +
24449 + if (!IS_ERR_OR_NULL(ah)) {
24450 ++ /*
24451 ++ * pathrec.dgid is used as the database key from the LLADDR,
24452 ++ * it must remain unchanged even if the SA returns a different
24453 ++ * GID to use in the AH.
24454 ++ */
24455 ++ if (memcmp(pathrec->dgid.raw, path->pathrec.dgid.raw,
24456 ++ sizeof(union ib_gid))) {
24457 ++ ipoib_dbg(
24458 ++ priv,
24459 ++ "%s got PathRec for gid %pI6 while asked for %pI6\n",
24460 ++ dev->name, pathrec->dgid.raw,
24461 ++ path->pathrec.dgid.raw);
24462 ++ memcpy(pathrec->dgid.raw, path->pathrec.dgid.raw,
24463 ++ sizeof(union ib_gid));
24464 ++ }
24465 ++
24466 + path->pathrec = *pathrec;
24467 +
24468 + old_ah = path->ah;
24469 +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
24470 +index 18e688d68e66..d210df3f7188 100644
24471 +--- a/drivers/infiniband/ulp/srp/ib_srp.c
24472 ++++ b/drivers/infiniband/ulp/srp/ib_srp.c
24473 +@@ -2510,9 +2510,11 @@ static int srp_abort(struct scsi_cmnd *scmnd)
24474 + ret = FAST_IO_FAIL;
24475 + else
24476 + ret = FAILED;
24477 +- srp_free_req(ch, req, scmnd, 0);
24478 +- scmnd->result = DID_ABORT << 16;
24479 +- scmnd->scsi_done(scmnd);
24480 ++ if (ret == SUCCESS) {
24481 ++ srp_free_req(ch, req, scmnd, 0);
24482 ++ scmnd->result = DID_ABORT << 16;
24483 ++ scmnd->scsi_done(scmnd);
24484 ++ }
24485 +
24486 + return ret;
24487 + }
24488 +@@ -3245,12 +3247,10 @@ static ssize_t srp_create_target(struct device *dev,
24489 + num_online_nodes());
24490 + const int ch_end = ((node_idx + 1) * target->ch_count /
24491 + num_online_nodes());
24492 +- const int cv_start = (node_idx * ibdev->num_comp_vectors /
24493 +- num_online_nodes() + target->comp_vector)
24494 +- % ibdev->num_comp_vectors;
24495 +- const int cv_end = ((node_idx + 1) * ibdev->num_comp_vectors /
24496 +- num_online_nodes() + target->comp_vector)
24497 +- % ibdev->num_comp_vectors;
24498 ++ const int cv_start = node_idx * ibdev->num_comp_vectors /
24499 ++ num_online_nodes();
24500 ++ const int cv_end = (node_idx + 1) * ibdev->num_comp_vectors /
24501 ++ num_online_nodes();
24502 + int cpu_idx = 0;
24503 +
24504 + for_each_online_cpu(cpu) {
24505 +diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
24506 +index 6c30192dcb78..ee696c6a769d 100644
24507 +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
24508 ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
24509 +@@ -2981,12 +2981,8 @@ static void srpt_queue_response(struct se_cmd *cmd)
24510 + }
24511 + spin_unlock_irqrestore(&ioctx->spinlock, flags);
24512 +
24513 +- if (unlikely(transport_check_aborted_status(&ioctx->cmd, false)
24514 +- || WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) {
24515 +- atomic_inc(&ch->req_lim_delta);
24516 +- srpt_abort_cmd(ioctx);
24517 ++ if (unlikely(WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT)))
24518 + return;
24519 +- }
24520 +
24521 + dir = ioctx->cmd.data_direction;
24522 +
24523 +diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c
24524 +index 009f75d25268..4e5ad9e120d6 100644
24525 +--- a/drivers/input/misc/drv260x.c
24526 ++++ b/drivers/input/misc/drv260x.c
24527 +@@ -521,7 +521,7 @@ static int drv260x_probe(struct i2c_client *client,
24528 + if (!haptics)
24529 + return -ENOMEM;
24530 +
24531 +- haptics->rated_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
24532 ++ haptics->overdrive_voltage = DRV260X_DEF_OD_CLAMP_VOLT;
24533 + haptics->rated_voltage = DRV260X_DEF_RATED_VOLT;
24534 +
24535 + if (pdata) {
24536 +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
24537 +index fd5068b2542d..152d057ed87c 100644
24538 +--- a/drivers/input/mouse/elan_i2c_core.c
24539 ++++ b/drivers/input/mouse/elan_i2c_core.c
24540 +@@ -972,6 +972,13 @@ static int elan_probe(struct i2c_client *client,
24541 + return error;
24542 + }
24543 +
24544 ++ /* Make sure there is something at this address */
24545 ++ error = i2c_smbus_read_byte(client);
24546 ++ if (error < 0) {
24547 ++ dev_dbg(&client->dev, "nothing at this address: %d\n", error);
24548 ++ return -ENXIO;
24549 ++ }
24550 ++
24551 + /* Initialize the touchpad. */
24552 + error = elan_initialize(data);
24553 + if (error)
24554 +diff --git a/drivers/input/mouse/elan_i2c_i2c.c b/drivers/input/mouse/elan_i2c_i2c.c
24555 +index a0acbbf83bfd..4ea436c173be 100644
24556 +--- a/drivers/input/mouse/elan_i2c_i2c.c
24557 ++++ b/drivers/input/mouse/elan_i2c_i2c.c
24558 +@@ -555,7 +555,14 @@ static int elan_i2c_finish_fw_update(struct i2c_client *client,
24559 + long ret;
24560 + int error;
24561 + int len;
24562 +- u8 buffer[ETP_I2C_INF_LENGTH];
24563 ++ u8 buffer[ETP_I2C_REPORT_LEN];
24564 ++
24565 ++ len = i2c_master_recv(client, buffer, ETP_I2C_REPORT_LEN);
24566 ++ if (len != ETP_I2C_REPORT_LEN) {
24567 ++ error = len < 0 ? len : -EIO;
24568 ++ dev_warn(dev, "failed to read I2C data after FW WDT reset: %d (%d)\n",
24569 ++ error, len);
24570 ++ }
24571 +
24572 + reinit_completion(completion);
24573 + enable_irq(client->irq);
24574 +diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c
24575 +index b604564dec5c..30328e57fdda 100644
24576 +--- a/drivers/input/mousedev.c
24577 ++++ b/drivers/input/mousedev.c
24578 +@@ -15,6 +15,7 @@
24579 + #define MOUSEDEV_MINORS 31
24580 + #define MOUSEDEV_MIX 63
24581 +
24582 ++#include <linux/bitops.h>
24583 + #include <linux/sched.h>
24584 + #include <linux/slab.h>
24585 + #include <linux/poll.h>
24586 +@@ -103,7 +104,7 @@ struct mousedev_client {
24587 + spinlock_t packet_lock;
24588 + int pos_x, pos_y;
24589 +
24590 +- signed char ps2[6];
24591 ++ u8 ps2[6];
24592 + unsigned char ready, buffer, bufsiz;
24593 + unsigned char imexseq, impsseq;
24594 + enum mousedev_emul mode;
24595 +@@ -291,11 +292,10 @@ static void mousedev_notify_readers(struct mousedev *mousedev,
24596 + }
24597 +
24598 + client->pos_x += packet->dx;
24599 +- client->pos_x = client->pos_x < 0 ?
24600 +- 0 : (client->pos_x >= xres ? xres : client->pos_x);
24601 ++ client->pos_x = clamp_val(client->pos_x, 0, xres);
24602 ++
24603 + client->pos_y += packet->dy;
24604 +- client->pos_y = client->pos_y < 0 ?
24605 +- 0 : (client->pos_y >= yres ? yres : client->pos_y);
24606 ++ client->pos_y = clamp_val(client->pos_y, 0, yres);
24607 +
24608 + p->dx += packet->dx;
24609 + p->dy += packet->dy;
24610 +@@ -571,44 +571,50 @@ static int mousedev_open(struct inode *inode, struct file *file)
24611 + return error;
24612 + }
24613 +
24614 +-static inline int mousedev_limit_delta(int delta, int limit)
24615 +-{
24616 +- return delta > limit ? limit : (delta < -limit ? -limit : delta);
24617 +-}
24618 +-
24619 +-static void mousedev_packet(struct mousedev_client *client,
24620 +- signed char *ps2_data)
24621 ++static void mousedev_packet(struct mousedev_client *client, u8 *ps2_data)
24622 + {
24623 + struct mousedev_motion *p = &client->packets[client->tail];
24624 ++ s8 dx, dy, dz;
24625 ++
24626 ++ dx = clamp_val(p->dx, -127, 127);
24627 ++ p->dx -= dx;
24628 ++
24629 ++ dy = clamp_val(p->dy, -127, 127);
24630 ++ p->dy -= dy;
24631 +
24632 +- ps2_data[0] = 0x08 |
24633 +- ((p->dx < 0) << 4) | ((p->dy < 0) << 5) | (p->buttons & 0x07);
24634 +- ps2_data[1] = mousedev_limit_delta(p->dx, 127);
24635 +- ps2_data[2] = mousedev_limit_delta(p->dy, 127);
24636 +- p->dx -= ps2_data[1];
24637 +- p->dy -= ps2_data[2];
24638 ++ ps2_data[0] = BIT(3);
24639 ++ ps2_data[0] |= ((dx & BIT(7)) >> 3) | ((dy & BIT(7)) >> 2);
24640 ++ ps2_data[0] |= p->buttons & 0x07;
24641 ++ ps2_data[1] = dx;
24642 ++ ps2_data[2] = dy;
24643 +
24644 + switch (client->mode) {
24645 + case MOUSEDEV_EMUL_EXPS:
24646 +- ps2_data[3] = mousedev_limit_delta(p->dz, 7);
24647 +- p->dz -= ps2_data[3];
24648 +- ps2_data[3] = (ps2_data[3] & 0x0f) | ((p->buttons & 0x18) << 1);
24649 ++ dz = clamp_val(p->dz, -7, 7);
24650 ++ p->dz -= dz;
24651 ++
24652 ++ ps2_data[3] = (dz & 0x0f) | ((p->buttons & 0x18) << 1);
24653 + client->bufsiz = 4;
24654 + break;
24655 +
24656 + case MOUSEDEV_EMUL_IMPS:
24657 +- ps2_data[0] |=
24658 +- ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1);
24659 +- ps2_data[3] = mousedev_limit_delta(p->dz, 127);
24660 +- p->dz -= ps2_data[3];
24661 ++ dz = clamp_val(p->dz, -127, 127);
24662 ++ p->dz -= dz;
24663 ++
24664 ++ ps2_data[0] |= ((p->buttons & 0x10) >> 3) |
24665 ++ ((p->buttons & 0x08) >> 1);
24666 ++ ps2_data[3] = dz;
24667 ++
24668 + client->bufsiz = 4;
24669 + break;
24670 +
24671 + case MOUSEDEV_EMUL_PS2:
24672 + default:
24673 +- ps2_data[0] |=
24674 +- ((p->buttons & 0x10) >> 3) | ((p->buttons & 0x08) >> 1);
24675 + p->dz = 0;
24676 ++
24677 ++ ps2_data[0] |= ((p->buttons & 0x10) >> 3) |
24678 ++ ((p->buttons & 0x08) >> 1);
24679 ++
24680 + client->bufsiz = 3;
24681 + break;
24682 + }
24683 +@@ -714,7 +720,7 @@ static ssize_t mousedev_read(struct file *file, char __user *buffer,
24684 + {
24685 + struct mousedev_client *client = file->private_data;
24686 + struct mousedev *mousedev = client->mousedev;
24687 +- signed char data[sizeof(client->ps2)];
24688 ++ u8 data[sizeof(client->ps2)];
24689 + int retval = 0;
24690 +
24691 + if (!client->ready && !client->buffer && mousedev->exist &&
24692 +diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
24693 +index 74d69fdbdec9..10e340943218 100644
24694 +--- a/drivers/input/serio/i8042-x86ia64io.h
24695 ++++ b/drivers/input/serio/i8042-x86ia64io.h
24696 +@@ -602,6 +602,13 @@ static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
24697 + DMI_MATCH(DMI_PRODUCT_NAME, "20046"),
24698 + },
24699 + },
24700 ++ {
24701 ++ /* Lenovo ThinkPad L460 */
24702 ++ .matches = {
24703 ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
24704 ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L460"),
24705 ++ },
24706 ++ },
24707 + {
24708 + /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */
24709 + .matches = {
24710 +diff --git a/drivers/input/touchscreen/ar1021_i2c.c b/drivers/input/touchscreen/ar1021_i2c.c
24711 +index f0b954d46a25..b89fbc4d3096 100644
24712 +--- a/drivers/input/touchscreen/ar1021_i2c.c
24713 ++++ b/drivers/input/touchscreen/ar1021_i2c.c
24714 +@@ -152,7 +152,7 @@ static int __maybe_unused ar1021_i2c_resume(struct device *dev)
24715 + static SIMPLE_DEV_PM_OPS(ar1021_i2c_pm, ar1021_i2c_suspend, ar1021_i2c_resume);
24716 +
24717 + static const struct i2c_device_id ar1021_i2c_id[] = {
24718 +- { "MICROCHIP_AR1021_I2C", 0 },
24719 ++ { "ar1021", 0 },
24720 + { },
24721 + };
24722 + MODULE_DEVICE_TABLE(i2c, ar1021_i2c_id);
24723 +diff --git a/drivers/input/touchscreen/tsc2007.c b/drivers/input/touchscreen/tsc2007.c
24724 +index ccc8aa615709..0299a2882ff7 100644
24725 +--- a/drivers/input/touchscreen/tsc2007.c
24726 ++++ b/drivers/input/touchscreen/tsc2007.c
24727 +@@ -455,6 +455,14 @@ static int tsc2007_probe(struct i2c_client *client,
24728 +
24729 + tsc2007_stop(ts);
24730 +
24731 ++ /* power down the chip (TSC2007_SETUP does not ACK on I2C) */
24732 ++ err = tsc2007_xfer(ts, PWRDOWN);
24733 ++ if (err < 0) {
24734 ++ dev_err(&client->dev,
24735 ++ "Failed to setup chip: %d\n", err);
24736 ++ return err; /* usually, chip does not respond */
24737 ++ }
24738 ++
24739 + err = input_register_device(input_dev);
24740 + if (err) {
24741 + dev_err(&client->dev,
24742 +diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
24743 +index 9dd8208312c2..3100bc0cc805 100644
24744 +--- a/drivers/iommu/iova.c
24745 ++++ b/drivers/iommu/iova.c
24746 +@@ -163,7 +163,7 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad,
24747 + break; /* found a free slot */
24748 + }
24749 + adjust_limit_pfn:
24750 +- limit_pfn = curr_iova->pfn_lo - 1;
24751 ++ limit_pfn = curr_iova->pfn_lo ? (curr_iova->pfn_lo - 1) : 0;
24752 + move_left:
24753 + prev = curr;
24754 + curr = rb_prev(curr);
24755 +diff --git a/drivers/iommu/omap-iommu.c b/drivers/iommu/omap-iommu.c
24756 +index a22c33d6a486..f604a74cc890 100644
24757 +--- a/drivers/iommu/omap-iommu.c
24758 ++++ b/drivers/iommu/omap-iommu.c
24759 +@@ -1386,6 +1386,7 @@ static int __init omap_iommu_init(void)
24760 + const unsigned long flags = SLAB_HWCACHE_ALIGN;
24761 + size_t align = 1 << 10; /* L2 pagetable alignement */
24762 + struct device_node *np;
24763 ++ int ret;
24764 +
24765 + np = of_find_matching_node(NULL, omap_iommu_of_match);
24766 + if (!np)
24767 +@@ -1399,11 +1400,25 @@ static int __init omap_iommu_init(void)
24768 + return -ENOMEM;
24769 + iopte_cachep = p;
24770 +
24771 +- bus_set_iommu(&platform_bus_type, &omap_iommu_ops);
24772 +-
24773 + omap_iommu_debugfs_init();
24774 +
24775 +- return platform_driver_register(&omap_iommu_driver);
24776 ++ ret = platform_driver_register(&omap_iommu_driver);
24777 ++ if (ret) {
24778 ++ pr_err("%s: failed to register driver\n", __func__);
24779 ++ goto fail_driver;
24780 ++ }
24781 ++
24782 ++ ret = bus_set_iommu(&platform_bus_type, &omap_iommu_ops);
24783 ++ if (ret)
24784 ++ goto fail_bus;
24785 ++
24786 ++ return 0;
24787 ++
24788 ++fail_bus:
24789 ++ platform_driver_unregister(&omap_iommu_driver);
24790 ++fail_driver:
24791 ++ kmem_cache_destroy(iopte_cachep);
24792 ++ return ret;
24793 + }
24794 + /* must be ready before omap3isp is probed */
24795 + subsys_initcall(omap_iommu_init);
24796 +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
24797 +index 9a791dd52199..eff99f862e83 100644
24798 +--- a/drivers/irqchip/irq-gic-v3-its.c
24799 ++++ b/drivers/irqchip/irq-gic-v3-its.c
24800 +@@ -674,7 +674,7 @@ static struct irq_chip its_msi_irq_chip = {
24801 + * This gives us (((1UL << id_bits) - 8192) >> 5) possible allocations.
24802 + */
24803 + #define IRQS_PER_CHUNK_SHIFT 5
24804 +-#define IRQS_PER_CHUNK (1 << IRQS_PER_CHUNK_SHIFT)
24805 ++#define IRQS_PER_CHUNK (1UL << IRQS_PER_CHUNK_SHIFT)
24806 +
24807 + static unsigned long *lpi_bitmap;
24808 + static u32 lpi_chunks;
24809 +@@ -1145,11 +1145,10 @@ static struct its_device *its_create_device(struct its_node *its, u32 dev_id,
24810 +
24811 + dev = kzalloc(sizeof(*dev), GFP_KERNEL);
24812 + /*
24813 +- * At least one bit of EventID is being used, hence a minimum
24814 +- * of two entries. No, the architecture doesn't let you
24815 +- * express an ITT with a single entry.
24816 ++ * We allocate at least one chunk worth of LPIs bet device,
24817 ++ * and thus that many ITEs. The device may require less though.
24818 + */
24819 +- nr_ites = max(2UL, roundup_pow_of_two(nvecs));
24820 ++ nr_ites = max(IRQS_PER_CHUNK, roundup_pow_of_two(nvecs));
24821 + sz = nr_ites * its->ite_size;
24822 + sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
24823 + itt = kzalloc(sz, GFP_KERNEL);
24824 +diff --git a/drivers/isdn/mISDN/stack.c b/drivers/isdn/mISDN/stack.c
24825 +index 9cb4b621fbc3..b92a19a594a1 100644
24826 +--- a/drivers/isdn/mISDN/stack.c
24827 ++++ b/drivers/isdn/mISDN/stack.c
24828 +@@ -72,7 +72,7 @@ send_socklist(struct mISDN_sock_list *sl, struct sk_buff *skb)
24829 + if (sk->sk_state != MISDN_BOUND)
24830 + continue;
24831 + if (!cskb)
24832 +- cskb = skb_copy(skb, GFP_KERNEL);
24833 ++ cskb = skb_copy(skb, GFP_ATOMIC);
24834 + if (!cskb) {
24835 + printk(KERN_WARNING "%s no skb\n", __func__);
24836 + break;
24837 +diff --git a/drivers/leds/leds-pca955x.c b/drivers/leds/leds-pca955x.c
24838 +index c3a08b60535b..760deffa9ad3 100644
24839 +--- a/drivers/leds/leds-pca955x.c
24840 ++++ b/drivers/leds/leds-pca955x.c
24841 +@@ -281,7 +281,7 @@ static int pca955x_probe(struct i2c_client *client,
24842 + "slave address 0x%02x\n",
24843 + id->name, chip->bits, client->addr);
24844 +
24845 +- if (!i2c_check_functionality(adapter, I2C_FUNC_I2C))
24846 ++ if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA))
24847 + return -EIO;
24848 +
24849 + if (pdata) {
24850 +diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
24851 +index 4d46f2ce606f..aa84fcfd59fc 100644
24852 +--- a/drivers/md/bcache/alloc.c
24853 ++++ b/drivers/md/bcache/alloc.c
24854 +@@ -514,15 +514,21 @@ struct open_bucket {
24855 +
24856 + /*
24857 + * We keep multiple buckets open for writes, and try to segregate different
24858 +- * write streams for better cache utilization: first we look for a bucket where
24859 +- * the last write to it was sequential with the current write, and failing that
24860 +- * we look for a bucket that was last used by the same task.
24861 ++ * write streams for better cache utilization: first we try to segregate flash
24862 ++ * only volume write streams from cached devices, secondly we look for a bucket
24863 ++ * where the last write to it was sequential with the current write, and
24864 ++ * failing that we look for a bucket that was last used by the same task.
24865 + *
24866 + * The ideas is if you've got multiple tasks pulling data into the cache at the
24867 + * same time, you'll get better cache utilization if you try to segregate their
24868 + * data and preserve locality.
24869 + *
24870 +- * For example, say you've starting Firefox at the same time you're copying a
24871 ++ * For example, dirty sectors of flash only volume is not reclaimable, if their
24872 ++ * dirty sectors mixed with dirty sectors of cached device, such buckets will
24873 ++ * be marked as dirty and won't be reclaimed, though the dirty data of cached
24874 ++ * device have been written back to backend device.
24875 ++ *
24876 ++ * And say you've starting Firefox at the same time you're copying a
24877 + * bunch of files. Firefox will likely end up being fairly hot and stay in the
24878 + * cache awhile, but the data you copied might not be; if you wrote all that
24879 + * data to the same buckets it'd get invalidated at the same time.
24880 +@@ -539,7 +545,10 @@ static struct open_bucket *pick_data_bucket(struct cache_set *c,
24881 + struct open_bucket *ret, *ret_task = NULL;
24882 +
24883 + list_for_each_entry_reverse(ret, &c->data_buckets, list)
24884 +- if (!bkey_cmp(&ret->key, search))
24885 ++ if (UUID_FLASH_ONLY(&c->uuids[KEY_INODE(&ret->key)]) !=
24886 ++ UUID_FLASH_ONLY(&c->uuids[KEY_INODE(search)]))
24887 ++ continue;
24888 ++ else if (!bkey_cmp(&ret->key, search))
24889 + goto found;
24890 + else if (ret->last_write_point == write_point)
24891 + ret_task = ret;
24892 +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
24893 +index b8013e386c76..80812d05b3e2 100644
24894 +--- a/drivers/md/bcache/super.c
24895 ++++ b/drivers/md/bcache/super.c
24896 +@@ -921,6 +921,12 @@ static void cached_dev_detach_finish(struct work_struct *w)
24897 +
24898 + mutex_lock(&bch_register_lock);
24899 +
24900 ++ cancel_delayed_work_sync(&dc->writeback_rate_update);
24901 ++ if (!IS_ERR_OR_NULL(dc->writeback_thread)) {
24902 ++ kthread_stop(dc->writeback_thread);
24903 ++ dc->writeback_thread = NULL;
24904 ++ }
24905 ++
24906 + memset(&dc->sb.set_uuid, 0, 16);
24907 + SET_BDEV_STATE(&dc->sb, BDEV_STATE_NONE);
24908 +
24909 +diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
24910 +index df060fd016f6..e8200892ed41 100644
24911 +--- a/drivers/md/dm-ioctl.c
24912 ++++ b/drivers/md/dm-ioctl.c
24913 +@@ -1773,12 +1773,12 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
24914 + cmd == DM_LIST_VERSIONS_CMD)
24915 + return 0;
24916 +
24917 +- if ((cmd == DM_DEV_CREATE_CMD)) {
24918 ++ if (cmd == DM_DEV_CREATE_CMD) {
24919 + if (!*param->name) {
24920 + DMWARN("name not supplied when creating device");
24921 + return -EINVAL;
24922 + }
24923 +- } else if ((*param->uuid && *param->name)) {
24924 ++ } else if (*param->uuid && *param->name) {
24925 + DMWARN("only supply one of name or uuid, cmd(%u)", cmd);
24926 + return -EINVAL;
24927 + }
24928 +diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c
24929 +index 4eb5cb18f98d..f490382173b6 100644
24930 +--- a/drivers/md/md-cluster.c
24931 ++++ b/drivers/md/md-cluster.c
24932 +@@ -850,8 +850,10 @@ static int add_new_disk_start(struct mddev *mddev, struct md_rdev *rdev)
24933 + cmsg.raid_slot = rdev->desc_nr;
24934 + lock_comm(cinfo);
24935 + ret = __sendmsg(cinfo, &cmsg);
24936 +- if (ret)
24937 ++ if (ret) {
24938 ++ unlock_comm(cinfo);
24939 + return ret;
24940 ++ }
24941 + cinfo->no_new_dev_lockres->flags |= DLM_LKF_NOQUEUE;
24942 + ret = dlm_lock_sync(cinfo->no_new_dev_lockres, DLM_LOCK_EX);
24943 + cinfo->no_new_dev_lockres->flags &= ~DLM_LKF_NOQUEUE;
24944 +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
24945 +index 4cbc3df79a2a..641259fe891b 100644
24946 +--- a/drivers/md/raid10.c
24947 ++++ b/drivers/md/raid10.c
24948 +@@ -3702,6 +3702,7 @@ static int run(struct mddev *mddev)
24949 +
24950 + if (blk_queue_discard(bdev_get_queue(rdev->bdev)))
24951 + discard_supported = true;
24952 ++ first = 0;
24953 + }
24954 +
24955 + if (mddev->queue) {
24956 +@@ -4110,6 +4111,7 @@ static int raid10_start_reshape(struct mddev *mddev)
24957 + diff = 0;
24958 + if (first || diff < min_offset_diff)
24959 + min_offset_diff = diff;
24960 ++ first = 0;
24961 + }
24962 + }
24963 +
24964 +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
24965 +index 907aa9c6e894..8de0b1684dc6 100644
24966 +--- a/drivers/md/raid5.c
24967 ++++ b/drivers/md/raid5.c
24968 +@@ -110,8 +110,7 @@ static inline void unlock_device_hash_lock(struct r5conf *conf, int hash)
24969 + static inline void lock_all_device_hash_locks_irq(struct r5conf *conf)
24970 + {
24971 + int i;
24972 +- local_irq_disable();
24973 +- spin_lock(conf->hash_locks);
24974 ++ spin_lock_irq(conf->hash_locks);
24975 + for (i = 1; i < NR_STRIPE_HASH_LOCKS; i++)
24976 + spin_lock_nest_lock(conf->hash_locks + i, conf->hash_locks);
24977 + spin_lock(&conf->device_lock);
24978 +@@ -121,9 +120,9 @@ static inline void unlock_all_device_hash_locks_irq(struct r5conf *conf)
24979 + {
24980 + int i;
24981 + spin_unlock(&conf->device_lock);
24982 +- for (i = NR_STRIPE_HASH_LOCKS; i; i--)
24983 +- spin_unlock(conf->hash_locks + i - 1);
24984 +- local_irq_enable();
24985 ++ for (i = NR_STRIPE_HASH_LOCKS - 1; i; i--)
24986 ++ spin_unlock(conf->hash_locks + i);
24987 ++ spin_unlock_irq(conf->hash_locks);
24988 + }
24989 +
24990 + /* bio's attached to a stripe+device for I/O are linked together in bi_sector
24991 +@@ -728,12 +727,11 @@ static bool is_full_stripe_write(struct stripe_head *sh)
24992 +
24993 + static void lock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2)
24994 + {
24995 +- local_irq_disable();
24996 + if (sh1 > sh2) {
24997 +- spin_lock(&sh2->stripe_lock);
24998 ++ spin_lock_irq(&sh2->stripe_lock);
24999 + spin_lock_nested(&sh1->stripe_lock, 1);
25000 + } else {
25001 +- spin_lock(&sh1->stripe_lock);
25002 ++ spin_lock_irq(&sh1->stripe_lock);
25003 + spin_lock_nested(&sh2->stripe_lock, 1);
25004 + }
25005 + }
25006 +@@ -741,8 +739,7 @@ static void lock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2)
25007 + static void unlock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2)
25008 + {
25009 + spin_unlock(&sh1->stripe_lock);
25010 +- spin_unlock(&sh2->stripe_lock);
25011 +- local_irq_enable();
25012 ++ spin_unlock_irq(&sh2->stripe_lock);
25013 + }
25014 +
25015 + /* Only freshly new full stripe normal write stripe can be added to a batch list */
25016 +@@ -3368,9 +3365,20 @@ static int fetch_block(struct stripe_head *sh, struct stripe_head_state *s,
25017 + BUG_ON(test_bit(R5_Wantcompute, &dev->flags));
25018 + BUG_ON(test_bit(R5_Wantread, &dev->flags));
25019 + BUG_ON(sh->batch_head);
25020 ++
25021 ++ /*
25022 ++ * In the raid6 case if the only non-uptodate disk is P
25023 ++ * then we already trusted P to compute the other failed
25024 ++ * drives. It is safe to compute rather than re-read P.
25025 ++ * In other cases we only compute blocks from failed
25026 ++ * devices, otherwise check/repair might fail to detect
25027 ++ * a real inconsistency.
25028 ++ */
25029 ++
25030 + if ((s->uptodate == disks - 1) &&
25031 ++ ((sh->qd_idx >= 0 && sh->pd_idx == disk_idx) ||
25032 + (s->failed && (disk_idx == s->failed_num[0] ||
25033 +- disk_idx == s->failed_num[1]))) {
25034 ++ disk_idx == s->failed_num[1])))) {
25035 + /* have disk failed, and we're requested to fetch it;
25036 + * do compute it
25037 + */
25038 +diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
25039 +index 72937756f60c..c084ad3f2811 100644
25040 +--- a/drivers/media/dvb-core/dvb_ca_en50221.c
25041 ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c
25042 +@@ -749,6 +749,29 @@ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, u8 * b
25043 + goto exit;
25044 + }
25045 +
25046 ++ /*
25047 ++ * It may need some time for the CAM to settle down, or there might
25048 ++ * be a race condition between the CAM, writing HC and our last
25049 ++ * check for DA. This happens, if the CAM asserts DA, just after
25050 ++ * checking DA before we are setting HC. In this case it might be
25051 ++ * a bug in the CAM to keep the FR bit, the lower layer/HW
25052 ++ * communication requires a longer timeout or the CAM needs more
25053 ++ * time internally. But this happens in reality!
25054 ++ * We need to read the status from the HW again and do the same
25055 ++ * we did for the previous check for DA
25056 ++ */
25057 ++ status = ca->pub->read_cam_control(ca->pub, slot, CTRLIF_STATUS);
25058 ++ if (status < 0)
25059 ++ goto exit;
25060 ++
25061 ++ if (status & (STATUSREG_DA | STATUSREG_RE)) {
25062 ++ if (status & STATUSREG_DA)
25063 ++ dvb_ca_en50221_thread_wakeup(ca);
25064 ++
25065 ++ status = -EAGAIN;
25066 ++ goto exit;
25067 ++ }
25068 ++
25069 + /* send the amount of data */
25070 + if ((status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_SIZE_HIGH, bytes_write >> 8)) != 0)
25071 + goto exit;
25072 +diff --git a/drivers/media/dvb-frontends/si2168.c b/drivers/media/dvb-frontends/si2168.c
25073 +index 391e98395b41..c2cad898072a 100644
25074 +--- a/drivers/media/dvb-frontends/si2168.c
25075 ++++ b/drivers/media/dvb-frontends/si2168.c
25076 +@@ -14,6 +14,8 @@
25077 + * GNU General Public License for more details.
25078 + */
25079 +
25080 ++#include <linux/delay.h>
25081 ++
25082 + #include "si2168_priv.h"
25083 +
25084 + static const struct dvb_frontend_ops si2168_ops;
25085 +@@ -375,6 +377,7 @@ static int si2168_init(struct dvb_frontend *fe)
25086 + if (ret)
25087 + goto err;
25088 +
25089 ++ udelay(100);
25090 + memcpy(cmd.args, "\x85", 1);
25091 + cmd.wlen = 1;
25092 + cmd.rlen = 1;
25093 +diff --git a/drivers/media/i2c/cx25840/cx25840-core.c b/drivers/media/i2c/cx25840/cx25840-core.c
25094 +index bd496447749a..8e4eccc1d952 100644
25095 +--- a/drivers/media/i2c/cx25840/cx25840-core.c
25096 ++++ b/drivers/media/i2c/cx25840/cx25840-core.c
25097 +@@ -420,11 +420,13 @@ static void cx25840_initialize(struct i2c_client *client)
25098 + INIT_WORK(&state->fw_work, cx25840_work_handler);
25099 + init_waitqueue_head(&state->fw_wait);
25100 + q = create_singlethread_workqueue("cx25840_fw");
25101 +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
25102 +- queue_work(q, &state->fw_work);
25103 +- schedule();
25104 +- finish_wait(&state->fw_wait, &wait);
25105 +- destroy_workqueue(q);
25106 ++ if (q) {
25107 ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
25108 ++ queue_work(q, &state->fw_work);
25109 ++ schedule();
25110 ++ finish_wait(&state->fw_wait, &wait);
25111 ++ destroy_workqueue(q);
25112 ++ }
25113 +
25114 + /* 6. */
25115 + cx25840_write(client, 0x115, 0x8c);
25116 +@@ -631,11 +633,13 @@ static void cx23885_initialize(struct i2c_client *client)
25117 + INIT_WORK(&state->fw_work, cx25840_work_handler);
25118 + init_waitqueue_head(&state->fw_wait);
25119 + q = create_singlethread_workqueue("cx25840_fw");
25120 +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
25121 +- queue_work(q, &state->fw_work);
25122 +- schedule();
25123 +- finish_wait(&state->fw_wait, &wait);
25124 +- destroy_workqueue(q);
25125 ++ if (q) {
25126 ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
25127 ++ queue_work(q, &state->fw_work);
25128 ++ schedule();
25129 ++ finish_wait(&state->fw_wait, &wait);
25130 ++ destroy_workqueue(q);
25131 ++ }
25132 +
25133 + /* Call the cx23888 specific std setup func, we no longer rely on
25134 + * the generic cx24840 func.
25135 +@@ -746,11 +750,13 @@ static void cx231xx_initialize(struct i2c_client *client)
25136 + INIT_WORK(&state->fw_work, cx25840_work_handler);
25137 + init_waitqueue_head(&state->fw_wait);
25138 + q = create_singlethread_workqueue("cx25840_fw");
25139 +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
25140 +- queue_work(q, &state->fw_work);
25141 +- schedule();
25142 +- finish_wait(&state->fw_wait, &wait);
25143 +- destroy_workqueue(q);
25144 ++ if (q) {
25145 ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
25146 ++ queue_work(q, &state->fw_work);
25147 ++ schedule();
25148 ++ finish_wait(&state->fw_wait, &wait);
25149 ++ destroy_workqueue(q);
25150 ++ }
25151 +
25152 + cx25840_std_setup(client);
25153 +
25154 +diff --git a/drivers/media/i2c/soc_camera/ov6650.c b/drivers/media/i2c/soc_camera/ov6650.c
25155 +index f4eef2fa6f6f..cd8f8151d834 100644
25156 +--- a/drivers/media/i2c/soc_camera/ov6650.c
25157 ++++ b/drivers/media/i2c/soc_camera/ov6650.c
25158 +@@ -1016,7 +1016,7 @@ static int ov6650_probe(struct i2c_client *client,
25159 + priv->code = MEDIA_BUS_FMT_YUYV8_2X8;
25160 + priv->colorspace = V4L2_COLORSPACE_JPEG;
25161 +
25162 +- priv->clk = v4l2_clk_get(&client->dev, "mclk");
25163 ++ priv->clk = v4l2_clk_get(&client->dev, NULL);
25164 + if (IS_ERR(priv->clk)) {
25165 + ret = PTR_ERR(priv->clk);
25166 + goto eclkget;
25167 +diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c
25168 +index 8aa726651630..90fcccc05b56 100644
25169 +--- a/drivers/media/pci/bt8xx/bt878.c
25170 ++++ b/drivers/media/pci/bt8xx/bt878.c
25171 +@@ -422,8 +422,7 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
25172 + bt878_num);
25173 + if (bt878_num >= BT878_MAX) {
25174 + printk(KERN_ERR "bt878: Too many devices inserted\n");
25175 +- result = -ENOMEM;
25176 +- goto fail0;
25177 ++ return -ENOMEM;
25178 + }
25179 + if (pci_enable_device(dev))
25180 + return -EIO;
25181 +diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
25182 +index f838d9c7ed12..0fba4a2c1602 100644
25183 +--- a/drivers/media/rc/mceusb.c
25184 ++++ b/drivers/media/rc/mceusb.c
25185 +@@ -1370,8 +1370,13 @@ static int mceusb_dev_probe(struct usb_interface *intf,
25186 + goto rc_dev_fail;
25187 +
25188 + /* wire up inbound data handler */
25189 +- usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
25190 +- mceusb_dev_recv, ir, ep_in->bInterval);
25191 ++ if (usb_endpoint_xfer_int(ep_in))
25192 ++ usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
25193 ++ mceusb_dev_recv, ir, ep_in->bInterval);
25194 ++ else
25195 ++ usb_fill_bulk_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp,
25196 ++ mceusb_dev_recv, ir);
25197 ++
25198 + ir->urb_in->transfer_dma = ir->dma_in;
25199 + ir->urb_in->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
25200 +
25201 +diff --git a/drivers/media/usb/cpia2/cpia2_v4l.c b/drivers/media/usb/cpia2/cpia2_v4l.c
25202 +index 9caea8344547..d793c630f1dd 100644
25203 +--- a/drivers/media/usb/cpia2/cpia2_v4l.c
25204 ++++ b/drivers/media/usb/cpia2/cpia2_v4l.c
25205 +@@ -812,7 +812,7 @@ static int cpia2_querybuf(struct file *file, void *fh, struct v4l2_buffer *buf)
25206 + struct camera_data *cam = video_drvdata(file);
25207 +
25208 + if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE ||
25209 +- buf->index > cam->num_frames)
25210 ++ buf->index >= cam->num_frames)
25211 + return -EINVAL;
25212 +
25213 + buf->m.offset = cam->buffers[buf->index].data - cam->frame_buffer;
25214 +@@ -863,7 +863,7 @@ static int cpia2_qbuf(struct file *file, void *fh, struct v4l2_buffer *buf)
25215 +
25216 + if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE ||
25217 + buf->memory != V4L2_MEMORY_MMAP ||
25218 +- buf->index > cam->num_frames)
25219 ++ buf->index >= cam->num_frames)
25220 + return -EINVAL;
25221 +
25222 + DBG("QBUF #%d\n", buf->index);
25223 +diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
25224 +index 3bbc77aa6a33..483457d4904f 100644
25225 +--- a/drivers/media/usb/usbtv/usbtv-core.c
25226 ++++ b/drivers/media/usb/usbtv/usbtv-core.c
25227 +@@ -95,6 +95,8 @@ static int usbtv_probe(struct usb_interface *intf,
25228 + return 0;
25229 +
25230 + usbtv_audio_fail:
25231 ++ /* we must not free at this point */
25232 ++ usb_get_dev(usbtv->udev);
25233 + usbtv_video_free(usbtv);
25234 +
25235 + usbtv_video_fail:
25236 +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
25237 +index e03aa0961360..0686cbc94675 100644
25238 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
25239 ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
25240 +@@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user *kp,
25241 + static int put_v4l2_window32(struct v4l2_window __user *kp,
25242 + struct v4l2_window32 __user *up)
25243 + {
25244 +- struct v4l2_clip __user *kclips = kp->clips;
25245 ++ struct v4l2_clip __user *kclips;
25246 + struct v4l2_clip32 __user *uclips;
25247 + compat_caddr_t p;
25248 + u32 clipcount;
25249 +@@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user *kp,
25250 + if (!clipcount)
25251 + return 0;
25252 +
25253 ++ if (get_user(kclips, &kp->clips))
25254 ++ return -EFAULT;
25255 + if (get_user(p, &up->clips))
25256 + return -EFAULT;
25257 + uclips = compat_ptr(p);
25258 +diff --git a/drivers/mfd/palmas.c b/drivers/mfd/palmas.c
25259 +index 28cb048f4760..907247bc2501 100644
25260 +--- a/drivers/mfd/palmas.c
25261 ++++ b/drivers/mfd/palmas.c
25262 +@@ -430,6 +430,20 @@ static void palmas_power_off(void)
25263 + {
25264 + unsigned int addr;
25265 + int ret, slave;
25266 ++ struct device_node *np = palmas_dev->dev->of_node;
25267 ++
25268 ++ if (of_property_read_bool(np, "ti,palmas-override-powerhold")) {
25269 ++ addr = PALMAS_BASE_TO_REG(PALMAS_PU_PD_OD_BASE,
25270 ++ PALMAS_PRIMARY_SECONDARY_PAD2);
25271 ++ slave = PALMAS_BASE_TO_SLAVE(PALMAS_PU_PD_OD_BASE);
25272 ++
25273 ++ ret = regmap_update_bits(palmas_dev->regmap[slave], addr,
25274 ++ PALMAS_PRIMARY_SECONDARY_PAD2_GPIO_7_MASK, 0);
25275 ++ if (ret)
25276 ++ dev_err(palmas_dev->dev,
25277 ++ "Unable to write PRIMARY_SECONDARY_PAD2 %d\n",
25278 ++ ret);
25279 ++ }
25280 +
25281 + if (!palmas_dev)
25282 + return;
25283 +diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c
25284 +index cc91f7b3d90c..eb29113e0bac 100644
25285 +--- a/drivers/misc/enclosure.c
25286 ++++ b/drivers/misc/enclosure.c
25287 +@@ -148,7 +148,7 @@ enclosure_register(struct device *dev, const char *name, int components,
25288 + for (i = 0; i < components; i++) {
25289 + edev->component[i].number = -1;
25290 + edev->component[i].slot = -1;
25291 +- edev->component[i].power_status = 1;
25292 ++ edev->component[i].power_status = -1;
25293 + }
25294 +
25295 + mutex_lock(&container_list_lock);
25296 +@@ -600,6 +600,11 @@ static ssize_t get_component_power_status(struct device *cdev,
25297 +
25298 + if (edev->cb->get_power_status)
25299 + edev->cb->get_power_status(edev, ecomp);
25300 ++
25301 ++ /* If still uninitialized, the callback failed or does not exist. */
25302 ++ if (ecomp->power_status == -1)
25303 ++ return (edev->cb->get_power_status) ? -EIO : -ENOTTY;
25304 ++
25305 + return snprintf(buf, 40, "%s\n", ecomp->power_status ? "on" : "off");
25306 + }
25307 +
25308 +diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c
25309 +index e40bcd03bd47..2353ec9dd7d2 100644
25310 +--- a/drivers/misc/mei/main.c
25311 ++++ b/drivers/misc/mei/main.c
25312 +@@ -503,7 +503,6 @@ static long mei_ioctl(struct file *file, unsigned int cmd, unsigned long data)
25313 + break;
25314 +
25315 + default:
25316 +- dev_err(dev->dev, ": unsupported ioctl %d.\n", cmd);
25317 + rets = -ENOIOCTLCMD;
25318 + }
25319 +
25320 +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
25321 +index f42d9c4e4561..cc277f7849b0 100644
25322 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
25323 ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
25324 +@@ -298,8 +298,11 @@ static void *qp_alloc_queue(u64 size, u32 flags)
25325 + size_t pas_size;
25326 + size_t vas_size;
25327 + size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if);
25328 +- const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
25329 ++ u64 num_pages;
25330 +
25331 ++ if (size > SIZE_MAX - PAGE_SIZE)
25332 ++ return NULL;
25333 ++ num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
25334 + if (num_pages >
25335 + (SIZE_MAX - queue_size) /
25336 + (sizeof(*queue->kernel_if->u.g.pas) +
25337 +@@ -624,9 +627,12 @@ static struct vmci_queue *qp_host_alloc_queue(u64 size)
25338 + {
25339 + struct vmci_queue *queue;
25340 + size_t queue_page_size;
25341 +- const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
25342 ++ u64 num_pages;
25343 + const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if));
25344 +
25345 ++ if (size > SIZE_MAX - PAGE_SIZE)
25346 ++ return NULL;
25347 ++ num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1;
25348 + if (num_pages > (SIZE_MAX - queue_size) /
25349 + sizeof(*queue->kernel_if->u.h.page))
25350 + return NULL;
25351 +diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c
25352 +index b5d8906ac34f..9368d49d3e83 100644
25353 +--- a/drivers/mmc/core/core.c
25354 ++++ b/drivers/mmc/core/core.c
25355 +@@ -2668,6 +2668,14 @@ int mmc_pm_notify(struct notifier_block *notify_block,
25356 + if (!err)
25357 + break;
25358 +
25359 ++ if (!mmc_card_is_removable(host)) {
25360 ++ dev_warn(mmc_dev(host),
25361 ++ "pre_suspend failed for non-removable host: "
25362 ++ "%d\n", err);
25363 ++ /* Avoid removing non-removable hosts */
25364 ++ break;
25365 ++ }
25366 ++
25367 + /* Calling bus_ops->remove() with a claimed host can deadlock */
25368 + host->bus_ops->remove(host);
25369 + mmc_claim_host(host);
25370 +diff --git a/drivers/mmc/host/jz4740_mmc.c b/drivers/mmc/host/jz4740_mmc.c
25371 +index 76e8bce6f46e..ad572a0f2124 100644
25372 +--- a/drivers/mmc/host/jz4740_mmc.c
25373 ++++ b/drivers/mmc/host/jz4740_mmc.c
25374 +@@ -368,9 +368,9 @@ static void jz4740_mmc_set_irq_enabled(struct jz4740_mmc_host *host,
25375 + host->irq_mask &= ~irq;
25376 + else
25377 + host->irq_mask |= irq;
25378 +- spin_unlock_irqrestore(&host->lock, flags);
25379 +
25380 + writew(host->irq_mask, host->base + JZ_REG_MMC_IMASK);
25381 ++ spin_unlock_irqrestore(&host->lock, flags);
25382 + }
25383 +
25384 + static void jz4740_mmc_clock_enable(struct jz4740_mmc_host *host,
25385 +diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
25386 +index d0abdffb0d7c..18b716bb5752 100644
25387 +--- a/drivers/mmc/host/omap_hsmmc.c
25388 ++++ b/drivers/mmc/host/omap_hsmmc.c
25389 +@@ -1693,8 +1693,8 @@ static int omap_hsmmc_configure_wake_irq(struct omap_hsmmc_host *host)
25390 + */
25391 + if (host->pdata->controller_flags & OMAP_HSMMC_SWAKEUP_MISSING) {
25392 + struct pinctrl *p = devm_pinctrl_get(host->dev);
25393 +- if (!p) {
25394 +- ret = -ENODEV;
25395 ++ if (IS_ERR(p)) {
25396 ++ ret = PTR_ERR(p);
25397 + goto err_free_irq;
25398 + }
25399 + if (IS_ERR(pinctrl_lookup_state(p, PINCTRL_STATE_DEFAULT))) {
25400 +diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c
25401 +index 286b97a304cf..4509ee0b294a 100644
25402 +--- a/drivers/mtd/chips/cfi_cmdset_0001.c
25403 ++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
25404 +@@ -45,6 +45,7 @@
25405 + #define I82802AB 0x00ad
25406 + #define I82802AC 0x00ac
25407 + #define PF38F4476 0x881c
25408 ++#define M28F00AP30 0x8963
25409 + /* STMicroelectronics chips */
25410 + #define M50LPW080 0x002F
25411 + #define M50FLW080A 0x0080
25412 +@@ -375,6 +376,17 @@ static void cfi_fixup_major_minor(struct cfi_private *cfi,
25413 + extp->MinorVersion = '1';
25414 + }
25415 +
25416 ++static int cfi_is_micron_28F00AP30(struct cfi_private *cfi, struct flchip *chip)
25417 ++{
25418 ++ /*
25419 ++ * Micron(was Numonyx) 1Gbit bottom boot are buggy w.r.t
25420 ++ * Erase Supend for their small Erase Blocks(0x8000)
25421 ++ */
25422 ++ if (cfi->mfr == CFI_MFR_INTEL && cfi->id == M28F00AP30)
25423 ++ return 1;
25424 ++ return 0;
25425 ++}
25426 ++
25427 + static inline struct cfi_pri_intelext *
25428 + read_pri_intelext(struct map_info *map, __u16 adr)
25429 + {
25430 +@@ -825,21 +837,30 @@ static int chip_ready (struct map_info *map, struct flchip *chip, unsigned long
25431 + (mode == FL_WRITING && (cfip->SuspendCmdSupport & 1))))
25432 + goto sleep;
25433 +
25434 ++ /* Do not allow suspend iff read/write to EB address */
25435 ++ if ((adr & chip->in_progress_block_mask) ==
25436 ++ chip->in_progress_block_addr)
25437 ++ goto sleep;
25438 ++
25439 ++ /* do not suspend small EBs, buggy Micron Chips */
25440 ++ if (cfi_is_micron_28F00AP30(cfi, chip) &&
25441 ++ (chip->in_progress_block_mask == ~(0x8000-1)))
25442 ++ goto sleep;
25443 +
25444 + /* Erase suspend */
25445 +- map_write(map, CMD(0xB0), adr);
25446 ++ map_write(map, CMD(0xB0), chip->in_progress_block_addr);
25447 +
25448 + /* If the flash has finished erasing, then 'erase suspend'
25449 + * appears to make some (28F320) flash devices switch to
25450 + * 'read' mode. Make sure that we switch to 'read status'
25451 + * mode so we get the right data. --rmk
25452 + */
25453 +- map_write(map, CMD(0x70), adr);
25454 ++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
25455 + chip->oldstate = FL_ERASING;
25456 + chip->state = FL_ERASE_SUSPENDING;
25457 + chip->erase_suspended = 1;
25458 + for (;;) {
25459 +- status = map_read(map, adr);
25460 ++ status = map_read(map, chip->in_progress_block_addr);
25461 + if (map_word_andequal(map, status, status_OK, status_OK))
25462 + break;
25463 +
25464 +@@ -1035,8 +1056,8 @@ static void put_chip(struct map_info *map, struct flchip *chip, unsigned long ad
25465 + sending the 0x70 (Read Status) command to an erasing
25466 + chip and expecting it to be ignored, that's what we
25467 + do. */
25468 +- map_write(map, CMD(0xd0), adr);
25469 +- map_write(map, CMD(0x70), adr);
25470 ++ map_write(map, CMD(0xd0), chip->in_progress_block_addr);
25471 ++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
25472 + chip->oldstate = FL_READY;
25473 + chip->state = FL_ERASING;
25474 + break;
25475 +@@ -1927,6 +1948,8 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
25476 + map_write(map, CMD(0xD0), adr);
25477 + chip->state = FL_ERASING;
25478 + chip->erase_suspended = 0;
25479 ++ chip->in_progress_block_addr = adr;
25480 ++ chip->in_progress_block_mask = ~(len - 1);
25481 +
25482 + ret = INVAL_CACHE_AND_WAIT(map, chip, adr,
25483 + adr, len,
25484 +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
25485 +index c50d8cf0f60d..16faa97ac3f2 100644
25486 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c
25487 ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
25488 +@@ -814,9 +814,10 @@ static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr
25489 + (mode == FL_WRITING && (cfip->EraseSuspend & 0x2))))
25490 + goto sleep;
25491 +
25492 +- /* We could check to see if we're trying to access the sector
25493 +- * that is currently being erased. However, no user will try
25494 +- * anything like that so we just wait for the timeout. */
25495 ++ /* Do not allow suspend iff read/write to EB address */
25496 ++ if ((adr & chip->in_progress_block_mask) ==
25497 ++ chip->in_progress_block_addr)
25498 ++ goto sleep;
25499 +
25500 + /* Erase suspend */
25501 + /* It's harmless to issue the Erase-Suspend and Erase-Resume
25502 +@@ -2265,6 +2266,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
25503 + chip->state = FL_ERASING;
25504 + chip->erase_suspended = 0;
25505 + chip->in_progress_block_addr = adr;
25506 ++ chip->in_progress_block_mask = ~(map->size - 1);
25507 +
25508 + INVALIDATE_CACHE_UDELAY(map, chip,
25509 + adr, map->size,
25510 +@@ -2354,6 +2356,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
25511 + chip->state = FL_ERASING;
25512 + chip->erase_suspended = 0;
25513 + chip->in_progress_block_addr = adr;
25514 ++ chip->in_progress_block_mask = ~(len - 1);
25515 +
25516 + INVALIDATE_CACHE_UDELAY(map, chip,
25517 + adr, len,
25518 +diff --git a/drivers/mtd/chips/jedec_probe.c b/drivers/mtd/chips/jedec_probe.c
25519 +index 7c0b27d132b1..b479bd81120b 100644
25520 +--- a/drivers/mtd/chips/jedec_probe.c
25521 ++++ b/drivers/mtd/chips/jedec_probe.c
25522 +@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct map_info *map, uint32_t base,
25523 + do {
25524 + uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
25525 + mask = (1 << (cfi->device_type * 8)) - 1;
25526 ++ if (ofs >= map->size)
25527 ++ return 0;
25528 + result = map_read(map, base + ofs);
25529 + bank++;
25530 + } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
25531 +diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
25532 +index 14a5f559e300..eb5ff54c9263 100644
25533 +--- a/drivers/mtd/nand/nand_base.c
25534 ++++ b/drivers/mtd/nand/nand_base.c
25535 +@@ -618,7 +618,8 @@ static void nand_command(struct mtd_info *mtd, unsigned int command,
25536 + chip->cmd_ctrl(mtd, readcmd, ctrl);
25537 + ctrl &= ~NAND_CTRL_CHANGE;
25538 + }
25539 +- chip->cmd_ctrl(mtd, command, ctrl);
25540 ++ if (command != NAND_CMD_NONE)
25541 ++ chip->cmd_ctrl(mtd, command, ctrl);
25542 +
25543 + /* Address cycle, when necessary */
25544 + ctrl = NAND_CTRL_ALE | NAND_CTRL_CHANGE;
25545 +@@ -647,6 +648,7 @@ static void nand_command(struct mtd_info *mtd, unsigned int command,
25546 + */
25547 + switch (command) {
25548 +
25549 ++ case NAND_CMD_NONE:
25550 + case NAND_CMD_PAGEPROG:
25551 + case NAND_CMD_ERASE1:
25552 + case NAND_CMD_ERASE2:
25553 +@@ -709,7 +711,9 @@ static void nand_command_lp(struct mtd_info *mtd, unsigned int command,
25554 + }
25555 +
25556 + /* Command latch cycle */
25557 +- chip->cmd_ctrl(mtd, command, NAND_NCE | NAND_CLE | NAND_CTRL_CHANGE);
25558 ++ if (command != NAND_CMD_NONE)
25559 ++ chip->cmd_ctrl(mtd, command,
25560 ++ NAND_NCE | NAND_CLE | NAND_CTRL_CHANGE);
25561 +
25562 + if (column != -1 || page_addr != -1) {
25563 + int ctrl = NAND_CTRL_CHANGE | NAND_NCE | NAND_ALE;
25564 +@@ -742,6 +746,7 @@ static void nand_command_lp(struct mtd_info *mtd, unsigned int command,
25565 + */
25566 + switch (command) {
25567 +
25568 ++ case NAND_CMD_NONE:
25569 + case NAND_CMD_CACHEDPROG:
25570 + case NAND_CMD_PAGEPROG:
25571 + case NAND_CMD_ERASE1:
25572 +diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
25573 +index c9eb78f10a0d..421ae660d579 100644
25574 +--- a/drivers/mtd/ubi/block.c
25575 ++++ b/drivers/mtd/ubi/block.c
25576 +@@ -241,7 +241,7 @@ static int ubiblock_open(struct block_device *bdev, fmode_t mode)
25577 + * in any case.
25578 + */
25579 + if (mode & FMODE_WRITE) {
25580 +- ret = -EPERM;
25581 ++ ret = -EROFS;
25582 + goto out_unlock;
25583 + }
25584 +
25585 +diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
25586 +index 9fd4f7838080..db6957a2b011 100644
25587 +--- a/drivers/mtd/ubi/build.c
25588 ++++ b/drivers/mtd/ubi/build.c
25589 +@@ -907,6 +907,17 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
25590 + return -EINVAL;
25591 + }
25592 +
25593 ++ /*
25594 ++ * Both UBI and UBIFS have been designed for SLC NAND and NOR flashes.
25595 ++ * MLC NAND is different and needs special care, otherwise UBI or UBIFS
25596 ++ * will die soon and you will lose all your data.
25597 ++ */
25598 ++ if (mtd->type == MTD_MLCNANDFLASH) {
25599 ++ pr_err("ubi: refuse attaching mtd%d - MLC NAND is not supported\n",
25600 ++ mtd->index);
25601 ++ return -EINVAL;
25602 ++ }
25603 ++
25604 + if (ubi_num == UBI_DEV_NUM_AUTO) {
25605 + /* Search for an empty slot in the @ubi_devices array */
25606 + for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)
25607 +diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c
25608 +index b2a665398bca..4c1d12bacfd0 100644
25609 +--- a/drivers/mtd/ubi/fastmap-wl.c
25610 ++++ b/drivers/mtd/ubi/fastmap-wl.c
25611 +@@ -331,7 +331,6 @@ static void ubi_fastmap_close(struct ubi_device *ubi)
25612 + {
25613 + int i;
25614 +
25615 +- flush_work(&ubi->fm_work);
25616 + return_unused_pool_pebs(ubi, &ubi->fm_pool);
25617 + return_unused_pool_pebs(ubi, &ubi->fm_wl_pool);
25618 +
25619 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
25620 +index 16f9c742bc30..32fe93a2d73e 100644
25621 +--- a/drivers/net/bonding/bond_main.c
25622 ++++ b/drivers/net/bonding/bond_main.c
25623 +@@ -1476,39 +1476,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
25624 + goto err_close;
25625 + }
25626 +
25627 +- /* If the mode uses primary, then the following is handled by
25628 +- * bond_change_active_slave().
25629 +- */
25630 +- if (!bond_uses_primary(bond)) {
25631 +- /* set promiscuity level to new slave */
25632 +- if (bond_dev->flags & IFF_PROMISC) {
25633 +- res = dev_set_promiscuity(slave_dev, 1);
25634 +- if (res)
25635 +- goto err_close;
25636 +- }
25637 +-
25638 +- /* set allmulti level to new slave */
25639 +- if (bond_dev->flags & IFF_ALLMULTI) {
25640 +- res = dev_set_allmulti(slave_dev, 1);
25641 +- if (res)
25642 +- goto err_close;
25643 +- }
25644 +-
25645 +- netif_addr_lock_bh(bond_dev);
25646 +-
25647 +- dev_mc_sync_multiple(slave_dev, bond_dev);
25648 +- dev_uc_sync_multiple(slave_dev, bond_dev);
25649 +-
25650 +- netif_addr_unlock_bh(bond_dev);
25651 +- }
25652 +-
25653 +- if (BOND_MODE(bond) == BOND_MODE_8023AD) {
25654 +- /* add lacpdu mc addr to mc list */
25655 +- u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
25656 +-
25657 +- dev_mc_add(slave_dev, lacpdu_multicast);
25658 +- }
25659 +-
25660 + res = vlan_vids_add_by_dev(slave_dev, bond_dev);
25661 + if (res) {
25662 + netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n",
25663 +@@ -1633,8 +1600,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
25664 + } /* switch(bond_mode) */
25665 +
25666 + #ifdef CONFIG_NET_POLL_CONTROLLER
25667 +- slave_dev->npinfo = bond->dev->npinfo;
25668 +- if (slave_dev->npinfo) {
25669 ++ if (bond->dev->npinfo) {
25670 + if (slave_enable_netpoll(new_slave)) {
25671 + netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n");
25672 + res = -EBUSY;
25673 +@@ -1665,6 +1631,40 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
25674 + goto err_upper_unlink;
25675 + }
25676 +
25677 ++ /* If the mode uses primary, then the following is handled by
25678 ++ * bond_change_active_slave().
25679 ++ */
25680 ++ if (!bond_uses_primary(bond)) {
25681 ++ /* set promiscuity level to new slave */
25682 ++ if (bond_dev->flags & IFF_PROMISC) {
25683 ++ res = dev_set_promiscuity(slave_dev, 1);
25684 ++ if (res)
25685 ++ goto err_sysfs_del;
25686 ++ }
25687 ++
25688 ++ /* set allmulti level to new slave */
25689 ++ if (bond_dev->flags & IFF_ALLMULTI) {
25690 ++ res = dev_set_allmulti(slave_dev, 1);
25691 ++ if (res) {
25692 ++ if (bond_dev->flags & IFF_PROMISC)
25693 ++ dev_set_promiscuity(slave_dev, -1);
25694 ++ goto err_sysfs_del;
25695 ++ }
25696 ++ }
25697 ++
25698 ++ netif_addr_lock_bh(bond_dev);
25699 ++ dev_mc_sync_multiple(slave_dev, bond_dev);
25700 ++ dev_uc_sync_multiple(slave_dev, bond_dev);
25701 ++ netif_addr_unlock_bh(bond_dev);
25702 ++
25703 ++ if (BOND_MODE(bond) == BOND_MODE_8023AD) {
25704 ++ /* add lacpdu mc addr to mc list */
25705 ++ u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
25706 ++
25707 ++ dev_mc_add(slave_dev, lacpdu_multicast);
25708 ++ }
25709 ++ }
25710 ++
25711 + bond->slave_cnt++;
25712 + bond_compute_features(bond);
25713 + bond_set_carrier(bond);
25714 +@@ -1688,6 +1688,9 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
25715 + return 0;
25716 +
25717 + /* Undo stages on error */
25718 ++err_sysfs_del:
25719 ++ bond_sysfs_slave_del(new_slave);
25720 ++
25721 + err_upper_unlink:
25722 + bond_upper_dev_unlink(bond_dev, slave_dev);
25723 +
25724 +@@ -1695,9 +1698,6 @@ err_unregister:
25725 + netdev_rx_handler_unregister(slave_dev);
25726 +
25727 + err_detach:
25728 +- if (!bond_uses_primary(bond))
25729 +- bond_hw_addr_flush(bond_dev, slave_dev);
25730 +-
25731 + vlan_vids_del_by_dev(slave_dev, bond_dev);
25732 + if (rcu_access_pointer(bond->primary_slave) == new_slave)
25733 + RCU_INIT_POINTER(bond->primary_slave, NULL);
25734 +@@ -2533,11 +2533,13 @@ static void bond_loadbalance_arp_mon(struct work_struct *work)
25735 + bond_for_each_slave_rcu(bond, slave, iter) {
25736 + unsigned long trans_start = dev_trans_start(slave->dev);
25737 +
25738 ++ slave->new_link = BOND_LINK_NOCHANGE;
25739 ++
25740 + if (slave->link != BOND_LINK_UP) {
25741 + if (bond_time_in_interval(bond, trans_start, 1) &&
25742 + bond_time_in_interval(bond, slave->last_rx, 1)) {
25743 +
25744 +- slave->link = BOND_LINK_UP;
25745 ++ slave->new_link = BOND_LINK_UP;
25746 + slave_state_changed = 1;
25747 +
25748 + /* primary_slave has no meaning in round-robin
25749 +@@ -2564,7 +2566,7 @@ static void bond_loadbalance_arp_mon(struct work_struct *work)
25750 + if (!bond_time_in_interval(bond, trans_start, 2) ||
25751 + !bond_time_in_interval(bond, slave->last_rx, 2)) {
25752 +
25753 +- slave->link = BOND_LINK_DOWN;
25754 ++ slave->new_link = BOND_LINK_DOWN;
25755 + slave_state_changed = 1;
25756 +
25757 + if (slave->link_failure_count < UINT_MAX)
25758 +@@ -2595,6 +2597,11 @@ static void bond_loadbalance_arp_mon(struct work_struct *work)
25759 + if (!rtnl_trylock())
25760 + goto re_arm;
25761 +
25762 ++ bond_for_each_slave(bond, slave, iter) {
25763 ++ if (slave->new_link != BOND_LINK_NOCHANGE)
25764 ++ slave->link = slave->new_link;
25765 ++ }
25766 ++
25767 + if (slave_state_changed) {
25768 + bond_slave_state_change(bond);
25769 + if (BOND_MODE(bond) == BOND_MODE_XOR)
25770 +@@ -3261,12 +3268,17 @@ static void bond_fold_stats(struct rtnl_link_stats64 *_res,
25771 + for (i = 0; i < sizeof(*_res) / sizeof(u64); i++) {
25772 + u64 nv = new[i];
25773 + u64 ov = old[i];
25774 ++ s64 delta = nv - ov;
25775 +
25776 + /* detects if this particular field is 32bit only */
25777 + if (((nv | ov) >> 32) == 0)
25778 +- res[i] += (u32)nv - (u32)ov;
25779 +- else
25780 +- res[i] += nv - ov;
25781 ++ delta = (s64)(s32)((u32)nv - (u32)ov);
25782 ++
25783 ++ /* filter anomalies, some drivers reset their stats
25784 ++ * at down/up events.
25785 ++ */
25786 ++ if (delta > 0)
25787 ++ res[i] += delta;
25788 + }
25789 + }
25790 +
25791 +diff --git a/drivers/net/can/cc770/cc770.c b/drivers/net/can/cc770/cc770.c
25792 +index c11d44984036..76b3c1462139 100644
25793 +--- a/drivers/net/can/cc770/cc770.c
25794 ++++ b/drivers/net/can/cc770/cc770.c
25795 +@@ -390,37 +390,23 @@ static int cc770_get_berr_counter(const struct net_device *dev,
25796 + return 0;
25797 + }
25798 +
25799 +-static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
25800 ++static void cc770_tx(struct net_device *dev, int mo)
25801 + {
25802 + struct cc770_priv *priv = netdev_priv(dev);
25803 +- struct net_device_stats *stats = &dev->stats;
25804 +- struct can_frame *cf = (struct can_frame *)skb->data;
25805 +- unsigned int mo = obj2msgobj(CC770_OBJ_TX);
25806 ++ struct can_frame *cf = (struct can_frame *)priv->tx_skb->data;
25807 + u8 dlc, rtr;
25808 + u32 id;
25809 + int i;
25810 +
25811 +- if (can_dropped_invalid_skb(dev, skb))
25812 +- return NETDEV_TX_OK;
25813 +-
25814 +- if ((cc770_read_reg(priv,
25815 +- msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) {
25816 +- netdev_err(dev, "TX register is still occupied!\n");
25817 +- return NETDEV_TX_BUSY;
25818 +- }
25819 +-
25820 +- netif_stop_queue(dev);
25821 +-
25822 + dlc = cf->can_dlc;
25823 + id = cf->can_id;
25824 +- if (cf->can_id & CAN_RTR_FLAG)
25825 +- rtr = 0;
25826 +- else
25827 +- rtr = MSGCFG_DIR;
25828 ++ rtr = cf->can_id & CAN_RTR_FLAG ? 0 : MSGCFG_DIR;
25829 ++
25830 ++ cc770_write_reg(priv, msgobj[mo].ctrl0,
25831 ++ MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
25832 + cc770_write_reg(priv, msgobj[mo].ctrl1,
25833 + RMTPND_RES | TXRQST_RES | CPUUPD_SET | NEWDAT_RES);
25834 +- cc770_write_reg(priv, msgobj[mo].ctrl0,
25835 +- MSGVAL_SET | TXIE_SET | RXIE_RES | INTPND_RES);
25836 ++
25837 + if (id & CAN_EFF_FLAG) {
25838 + id &= CAN_EFF_MASK;
25839 + cc770_write_reg(priv, msgobj[mo].config,
25840 +@@ -439,22 +425,30 @@ static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
25841 + for (i = 0; i < dlc; i++)
25842 + cc770_write_reg(priv, msgobj[mo].data[i], cf->data[i]);
25843 +
25844 +- /* Store echo skb before starting the transfer */
25845 +- can_put_echo_skb(skb, dev, 0);
25846 +-
25847 + cc770_write_reg(priv, msgobj[mo].ctrl1,
25848 +- RMTPND_RES | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC);
25849 ++ RMTPND_UNC | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC);
25850 ++ cc770_write_reg(priv, msgobj[mo].ctrl0,
25851 ++ MSGVAL_SET | TXIE_SET | RXIE_SET | INTPND_UNC);
25852 ++}
25853 +
25854 +- stats->tx_bytes += dlc;
25855 ++static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
25856 ++{
25857 ++ struct cc770_priv *priv = netdev_priv(dev);
25858 ++ unsigned int mo = obj2msgobj(CC770_OBJ_TX);
25859 +
25860 ++ if (can_dropped_invalid_skb(dev, skb))
25861 ++ return NETDEV_TX_OK;
25862 +
25863 +- /*
25864 +- * HM: We had some cases of repeated IRQs so make sure the
25865 +- * INT is acknowledged I know it's already further up, but
25866 +- * doing again fixed the issue
25867 +- */
25868 +- cc770_write_reg(priv, msgobj[mo].ctrl0,
25869 +- MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES);
25870 ++ netif_stop_queue(dev);
25871 ++
25872 ++ if ((cc770_read_reg(priv,
25873 ++ msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) {
25874 ++ netdev_err(dev, "TX register is still occupied!\n");
25875 ++ return NETDEV_TX_BUSY;
25876 ++ }
25877 ++
25878 ++ priv->tx_skb = skb;
25879 ++ cc770_tx(dev, mo);
25880 +
25881 + return NETDEV_TX_OK;
25882 + }
25883 +@@ -680,19 +674,46 @@ static void cc770_tx_interrupt(struct net_device *dev, unsigned int o)
25884 + struct cc770_priv *priv = netdev_priv(dev);
25885 + struct net_device_stats *stats = &dev->stats;
25886 + unsigned int mo = obj2msgobj(o);
25887 ++ struct can_frame *cf;
25888 ++ u8 ctrl1;
25889 ++
25890 ++ ctrl1 = cc770_read_reg(priv, msgobj[mo].ctrl1);
25891 +
25892 +- /* Nothing more to send, switch off interrupts */
25893 + cc770_write_reg(priv, msgobj[mo].ctrl0,
25894 + MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
25895 +- /*
25896 +- * We had some cases of repeated IRQ so make sure the
25897 +- * INT is acknowledged
25898 ++ cc770_write_reg(priv, msgobj[mo].ctrl1,
25899 ++ RMTPND_RES | TXRQST_RES | MSGLST_RES | NEWDAT_RES);
25900 ++
25901 ++ if (unlikely(!priv->tx_skb)) {
25902 ++ netdev_err(dev, "missing tx skb in tx interrupt\n");
25903 ++ return;
25904 ++ }
25905 ++
25906 ++ if (unlikely(ctrl1 & MSGLST_SET)) {
25907 ++ stats->rx_over_errors++;
25908 ++ stats->rx_errors++;
25909 ++ }
25910 ++
25911 ++ /* When the CC770 is sending an RTR message and it receives a regular
25912 ++ * message that matches the id of the RTR message, it will overwrite the
25913 ++ * outgoing message in the TX register. When this happens we must
25914 ++ * process the received message and try to transmit the outgoing skb
25915 ++ * again.
25916 + */
25917 +- cc770_write_reg(priv, msgobj[mo].ctrl0,
25918 +- MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES);
25919 ++ if (unlikely(ctrl1 & NEWDAT_SET)) {
25920 ++ cc770_rx(dev, mo, ctrl1);
25921 ++ cc770_tx(dev, mo);
25922 ++ return;
25923 ++ }
25924 +
25925 ++ cf = (struct can_frame *)priv->tx_skb->data;
25926 ++ stats->tx_bytes += cf->can_dlc;
25927 + stats->tx_packets++;
25928 ++
25929 ++ can_put_echo_skb(priv->tx_skb, dev, 0);
25930 + can_get_echo_skb(dev, 0);
25931 ++ priv->tx_skb = NULL;
25932 ++
25933 + netif_wake_queue(dev);
25934 + }
25935 +
25936 +@@ -804,6 +825,7 @@ struct net_device *alloc_cc770dev(int sizeof_priv)
25937 + priv->can.do_set_bittiming = cc770_set_bittiming;
25938 + priv->can.do_set_mode = cc770_set_mode;
25939 + priv->can.ctrlmode_supported = CAN_CTRLMODE_3_SAMPLES;
25940 ++ priv->tx_skb = NULL;
25941 +
25942 + memcpy(priv->obj_flags, cc770_obj_flags, sizeof(cc770_obj_flags));
25943 +
25944 +diff --git a/drivers/net/can/cc770/cc770.h b/drivers/net/can/cc770/cc770.h
25945 +index a1739db98d91..95752e1d1283 100644
25946 +--- a/drivers/net/can/cc770/cc770.h
25947 ++++ b/drivers/net/can/cc770/cc770.h
25948 +@@ -193,6 +193,8 @@ struct cc770_priv {
25949 + u8 cpu_interface; /* CPU interface register */
25950 + u8 clkout; /* Clock out register */
25951 + u8 bus_config; /* Bus conffiguration register */
25952 ++
25953 ++ struct sk_buff *tx_skb;
25954 + };
25955 +
25956 + struct net_device *alloc_cc770dev(int sizeof_priv);
25957 +diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
25958 +index b927021c6c40..af3db6b146ab 100644
25959 +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
25960 ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c
25961 +@@ -535,6 +535,7 @@ static void xgene_enet_cle_bypass(struct xgene_enet_pdata *pdata,
25962 + xgene_enet_rd_csr(pdata, CLE_BYPASS_REG0_0_ADDR, &cb);
25963 + cb |= CFG_CLE_BYPASS_EN0;
25964 + CFG_CLE_IP_PROTOCOL0_SET(&cb, 3);
25965 ++ CFG_CLE_IP_HDR_LEN_SET(&cb, 0);
25966 + xgene_enet_wr_csr(pdata, CLE_BYPASS_REG0_0_ADDR, cb);
25967 +
25968 + xgene_enet_rd_csr(pdata, CLE_BYPASS_REG1_0_ADDR, &cb);
25969 +diff --git a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h
25970 +index d9bc89d69266..2a2b41a4c9bf 100644
25971 +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h
25972 ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h
25973 +@@ -145,6 +145,7 @@ enum xgene_enet_rm {
25974 + #define CFG_TXCLK_MUXSEL0_SET(dst, val) xgene_set_bits(dst, val, 29, 3)
25975 +
25976 + #define CFG_CLE_IP_PROTOCOL0_SET(dst, val) xgene_set_bits(dst, val, 16, 2)
25977 ++#define CFG_CLE_IP_HDR_LEN_SET(dst, val) xgene_set_bits(dst, val, 8, 5)
25978 + #define CFG_CLE_DSTQID0_SET(dst, val) xgene_set_bits(dst, val, 0, 12)
25979 + #define CFG_CLE_FPSEL0_SET(dst, val) xgene_set_bits(dst, val, 16, 4)
25980 + #define CFG_MACMODE_SET(dst, val) xgene_set_bits(dst, val, 18, 2)
25981 +diff --git a/drivers/net/ethernet/arc/emac_rockchip.c b/drivers/net/ethernet/arc/emac_rockchip.c
25982 +index c31c7407b753..425dae560322 100644
25983 +--- a/drivers/net/ethernet/arc/emac_rockchip.c
25984 ++++ b/drivers/net/ethernet/arc/emac_rockchip.c
25985 +@@ -150,8 +150,10 @@ static int emac_rockchip_probe(struct platform_device *pdev)
25986 + /* Optional regulator for PHY */
25987 + priv->regulator = devm_regulator_get_optional(dev, "phy");
25988 + if (IS_ERR(priv->regulator)) {
25989 +- if (PTR_ERR(priv->regulator) == -EPROBE_DEFER)
25990 +- return -EPROBE_DEFER;
25991 ++ if (PTR_ERR(priv->regulator) == -EPROBE_DEFER) {
25992 ++ err = -EPROBE_DEFER;
25993 ++ goto out_clk_disable;
25994 ++ }
25995 + dev_err(dev, "no regulator found\n");
25996 + priv->regulator = NULL;
25997 + }
25998 +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
25999 +index 0eb43586c034..a3348ba658d3 100644
26000 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
26001 ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
26002 +@@ -2024,6 +2024,7 @@ static void bnx2x_set_rx_buf_size(struct bnx2x *bp)
26003 + ETH_OVREHEAD +
26004 + mtu +
26005 + BNX2X_FW_RX_ALIGN_END;
26006 ++ fp->rx_buf_size = SKB_DATA_ALIGN(fp->rx_buf_size);
26007 + /* Note : rx_buf_size doesn't take into account NET_SKB_PAD */
26008 + if (fp->rx_buf_size + NET_SKB_PAD <= PAGE_SIZE)
26009 + fp->rx_frag_size = fp->rx_buf_size + NET_SKB_PAD;
26010 +@@ -3877,15 +3878,26 @@ netdev_tx_t bnx2x_start_xmit(struct sk_buff *skb, struct net_device *dev)
26011 + /* when transmitting in a vf, start bd must hold the ethertype
26012 + * for fw to enforce it
26013 + */
26014 ++ u16 vlan_tci = 0;
26015 + #ifndef BNX2X_STOP_ON_ERROR
26016 +- if (IS_VF(bp))
26017 ++ if (IS_VF(bp)) {
26018 + #endif
26019 +- tx_start_bd->vlan_or_ethertype =
26020 +- cpu_to_le16(ntohs(eth->h_proto));
26021 ++ /* Still need to consider inband vlan for enforced */
26022 ++ if (__vlan_get_tag(skb, &vlan_tci)) {
26023 ++ tx_start_bd->vlan_or_ethertype =
26024 ++ cpu_to_le16(ntohs(eth->h_proto));
26025 ++ } else {
26026 ++ tx_start_bd->bd_flags.as_bitfield |=
26027 ++ (X_ETH_INBAND_VLAN <<
26028 ++ ETH_TX_BD_FLAGS_VLAN_MODE_SHIFT);
26029 ++ tx_start_bd->vlan_or_ethertype =
26030 ++ cpu_to_le16(vlan_tci);
26031 ++ }
26032 + #ifndef BNX2X_STOP_ON_ERROR
26033 +- else
26034 ++ } else {
26035 + /* used by FW for packet accounting */
26036 + tx_start_bd->vlan_or_ethertype = cpu_to_le16(pkt_prod);
26037 ++ }
26038 + #endif
26039 + }
26040 +
26041 +diff --git a/drivers/net/ethernet/brocade/bna/bfa_ioc.c b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
26042 +index 5be892ffdaed..767132ec00f9 100644
26043 +--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c
26044 ++++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
26045 +@@ -2861,7 +2861,7 @@ bfa_ioc_get_adapter_optrom_ver(struct bfa_ioc *ioc, char *optrom_ver)
26046 + static void
26047 + bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer)
26048 + {
26049 +- memcpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
26050 ++ strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
26051 + }
26052 +
26053 + static void
26054 +diff --git a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
26055 +index 482f6de6817d..ae96b4a32d90 100644
26056 +--- a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
26057 ++++ b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c
26058 +@@ -2573,8 +2573,8 @@ void t4vf_sge_stop(struct adapter *adapter)
26059 + int t4vf_sge_init(struct adapter *adapter)
26060 + {
26061 + struct sge_params *sge_params = &adapter->params.sge;
26062 +- u32 fl0 = sge_params->sge_fl_buffer_size[0];
26063 +- u32 fl1 = sge_params->sge_fl_buffer_size[1];
26064 ++ u32 fl_small_pg = sge_params->sge_fl_buffer_size[0];
26065 ++ u32 fl_large_pg = sge_params->sge_fl_buffer_size[1];
26066 + struct sge *s = &adapter->sge;
26067 + unsigned int ingpadboundary, ingpackboundary;
26068 +
26069 +@@ -2583,9 +2583,20 @@ int t4vf_sge_init(struct adapter *adapter)
26070 + * the Physical Function Driver. Ideally we should be able to deal
26071 + * with _any_ configuration. Practice is different ...
26072 + */
26073 +- if (fl0 != PAGE_SIZE || (fl1 != 0 && fl1 <= fl0)) {
26074 ++
26075 ++ /* We only bother using the Large Page logic if the Large Page Buffer
26076 ++ * is larger than our Page Size Buffer.
26077 ++ */
26078 ++ if (fl_large_pg <= fl_small_pg)
26079 ++ fl_large_pg = 0;
26080 ++
26081 ++ /* The Page Size Buffer must be exactly equal to our Page Size and the
26082 ++ * Large Page Size Buffer should be 0 (per above) or a power of 2.
26083 ++ */
26084 ++ if (fl_small_pg != PAGE_SIZE ||
26085 ++ (fl_large_pg & (fl_large_pg - 1)) != 0) {
26086 + dev_err(adapter->pdev_dev, "bad SGE FL buffer sizes [%d, %d]\n",
26087 +- fl0, fl1);
26088 ++ fl_small_pg, fl_large_pg);
26089 + return -EINVAL;
26090 + }
26091 + if ((sge_params->sge_control & RXPKTCPLMODE_F) == 0) {
26092 +@@ -2596,8 +2607,8 @@ int t4vf_sge_init(struct adapter *adapter)
26093 + /*
26094 + * Now translate the adapter parameters into our internal forms.
26095 + */
26096 +- if (fl1)
26097 +- s->fl_pg_order = ilog2(fl1) - PAGE_SHIFT;
26098 ++ if (fl_large_pg)
26099 ++ s->fl_pg_order = ilog2(fl_large_pg) - PAGE_SHIFT;
26100 + s->stat_len = ((sge_params->sge_control & EGRSTATUSPAGESIZE_F)
26101 + ? 128 : 64);
26102 + s->pktshift = PKTSHIFT_G(sge_params->sge_control);
26103 +diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c
26104 +index 6d0c5d5eea6d..58c0fccdd8cb 100644
26105 +--- a/drivers/net/ethernet/faraday/ftgmac100.c
26106 ++++ b/drivers/net/ethernet/faraday/ftgmac100.c
26107 +@@ -28,6 +28,7 @@
26108 + #include <linux/io.h>
26109 + #include <linux/module.h>
26110 + #include <linux/netdevice.h>
26111 ++#include <linux/of.h>
26112 + #include <linux/phy.h>
26113 + #include <linux/platform_device.h>
26114 + #include <net/ip.h>
26115 +diff --git a/drivers/net/ethernet/freescale/fsl_pq_mdio.c b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
26116 +index 3c40f6b99224..28e97686f6aa 100644
26117 +--- a/drivers/net/ethernet/freescale/fsl_pq_mdio.c
26118 ++++ b/drivers/net/ethernet/freescale/fsl_pq_mdio.c
26119 +@@ -370,7 +370,7 @@ static int fsl_pq_mdio_probe(struct platform_device *pdev)
26120 + {
26121 + const struct of_device_id *id =
26122 + of_match_device(fsl_pq_mdio_match, &pdev->dev);
26123 +- const struct fsl_pq_mdio_data *data = id->data;
26124 ++ const struct fsl_pq_mdio_data *data;
26125 + struct device_node *np = pdev->dev.of_node;
26126 + struct resource res;
26127 + struct device_node *tbi;
26128 +@@ -378,6 +378,13 @@ static int fsl_pq_mdio_probe(struct platform_device *pdev)
26129 + struct mii_bus *new_bus;
26130 + int err;
26131 +
26132 ++ if (!id) {
26133 ++ dev_err(&pdev->dev, "Failed to match device\n");
26134 ++ return -ENODEV;
26135 ++ }
26136 ++
26137 ++ data = id->data;
26138 ++
26139 + dev_dbg(&pdev->dev, "found %s compatible node\n", id->compatible);
26140 +
26141 + new_bus = mdiobus_alloc_size(sizeof(*priv));
26142 +diff --git a/drivers/net/ethernet/ibm/emac/core.c b/drivers/net/ethernet/ibm/emac/core.c
26143 +index b9df0cbd0a38..9571f7dad162 100644
26144 +--- a/drivers/net/ethernet/ibm/emac/core.c
26145 ++++ b/drivers/net/ethernet/ibm/emac/core.c
26146 +@@ -342,6 +342,7 @@ static int emac_reset(struct emac_instance *dev)
26147 + {
26148 + struct emac_regs __iomem *p = dev->emacp;
26149 + int n = 20;
26150 ++ bool __maybe_unused try_internal_clock = false;
26151 +
26152 + DBG(dev, "reset" NL);
26153 +
26154 +@@ -354,6 +355,7 @@ static int emac_reset(struct emac_instance *dev)
26155 + }
26156 +
26157 + #ifdef CONFIG_PPC_DCR_NATIVE
26158 ++do_retry:
26159 + /*
26160 + * PPC460EX/GT Embedded Processor Advanced User's Manual
26161 + * section 28.10.1 Mode Register 0 (EMACx_MR0) states:
26162 +@@ -361,10 +363,19 @@ static int emac_reset(struct emac_instance *dev)
26163 + * of the EMAC. If none is present, select the internal clock
26164 + * (SDR0_ETH_CFG[EMACx_PHY_CLK] = 1).
26165 + * After a soft reset, select the external clock.
26166 ++ *
26167 ++ * The AR8035-A PHY Meraki MR24 does not provide a TX Clk if the
26168 ++ * ethernet cable is not attached. This causes the reset to timeout
26169 ++ * and the PHY detection code in emac_init_phy() is unable to
26170 ++ * communicate and detect the AR8035-A PHY. As a result, the emac
26171 ++ * driver bails out early and the user has no ethernet.
26172 ++ * In order to stay compatible with existing configurations, the
26173 ++ * driver will temporarily switch to the internal clock, after
26174 ++ * the first reset fails.
26175 + */
26176 + if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
26177 +- if (dev->phy_address == 0xffffffff &&
26178 +- dev->phy_map == 0xffffffff) {
26179 ++ if (try_internal_clock || (dev->phy_address == 0xffffffff &&
26180 ++ dev->phy_map == 0xffffffff)) {
26181 + /* No PHY: select internal loop clock before reset */
26182 + dcri_clrset(SDR0, SDR0_ETH_CFG,
26183 + 0, SDR0_ETH_CFG_ECS << dev->cell_index);
26184 +@@ -382,8 +393,15 @@ static int emac_reset(struct emac_instance *dev)
26185 +
26186 + #ifdef CONFIG_PPC_DCR_NATIVE
26187 + if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
26188 +- if (dev->phy_address == 0xffffffff &&
26189 +- dev->phy_map == 0xffffffff) {
26190 ++ if (!n && !try_internal_clock) {
26191 ++ /* first attempt has timed out. */
26192 ++ n = 20;
26193 ++ try_internal_clock = true;
26194 ++ goto do_retry;
26195 ++ }
26196 ++
26197 ++ if (try_internal_clock || (dev->phy_address == 0xffffffff &&
26198 ++ dev->phy_map == 0xffffffff)) {
26199 + /* No PHY: restore external clock source after reset */
26200 + dcri_clrset(SDR0, SDR0_ETH_CFG,
26201 + SDR0_ETH_CFG_ECS << dev->cell_index, 0);
26202 +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
26203 +index 39e9d7db23df..66cbf19b7635 100644
26204 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c
26205 ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
26206 +@@ -1182,6 +1182,7 @@ static void e1000e_tx_hwtstamp_work(struct work_struct *work)
26207 + struct e1000_hw *hw = &adapter->hw;
26208 +
26209 + if (er32(TSYNCTXCTL) & E1000_TSYNCTXCTL_VALID) {
26210 ++ struct sk_buff *skb = adapter->tx_hwtstamp_skb;
26211 + struct skb_shared_hwtstamps shhwtstamps;
26212 + u64 txstmp;
26213 +
26214 +@@ -1190,9 +1191,14 @@ static void e1000e_tx_hwtstamp_work(struct work_struct *work)
26215 +
26216 + e1000e_systim_to_hwtstamp(adapter, &shhwtstamps, txstmp);
26217 +
26218 +- skb_tstamp_tx(adapter->tx_hwtstamp_skb, &shhwtstamps);
26219 +- dev_kfree_skb_any(adapter->tx_hwtstamp_skb);
26220 ++ /* Clear the global tx_hwtstamp_skb pointer and force writes
26221 ++ * prior to notifying the stack of a Tx timestamp.
26222 ++ */
26223 + adapter->tx_hwtstamp_skb = NULL;
26224 ++ wmb(); /* force write prior to skb_tstamp_tx */
26225 ++
26226 ++ skb_tstamp_tx(skb, &shhwtstamps);
26227 ++ dev_kfree_skb_any(skb);
26228 + } else if (time_after(jiffies, adapter->tx_hwtstamp_start
26229 + + adapter->tx_timeout_factor * HZ)) {
26230 + dev_kfree_skb_any(adapter->tx_hwtstamp_skb);
26231 +@@ -3524,6 +3530,12 @@ s32 e1000e_get_base_timinca(struct e1000_adapter *adapter, u32 *timinca)
26232 +
26233 + switch (hw->mac.type) {
26234 + case e1000_pch2lan:
26235 ++ /* Stable 96MHz frequency */
26236 ++ incperiod = INCPERIOD_96MHz;
26237 ++ incvalue = INCVALUE_96MHz;
26238 ++ shift = INCVALUE_SHIFT_96MHz;
26239 ++ adapter->cc.shift = shift + INCPERIOD_SHIFT_96MHz;
26240 ++ break;
26241 + case e1000_pch_lpt:
26242 + case e1000_pch_spt:
26243 + /* On I217, I218 and I219, the clock frequency is 25MHz
26244 +@@ -6375,12 +6387,17 @@ static int e1000e_pm_thaw(struct device *dev)
26245 + static int e1000e_pm_suspend(struct device *dev)
26246 + {
26247 + struct pci_dev *pdev = to_pci_dev(dev);
26248 ++ int rc;
26249 +
26250 + e1000e_flush_lpic(pdev);
26251 +
26252 + e1000e_pm_freeze(dev);
26253 +
26254 +- return __e1000_shutdown(pdev, false);
26255 ++ rc = __e1000_shutdown(pdev, false);
26256 ++ if (rc)
26257 ++ e1000e_pm_thaw(dev);
26258 ++
26259 ++ return rc;
26260 + }
26261 +
26262 + static int e1000e_pm_resume(struct device *dev)
26263 +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c b/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c
26264 +index 4b9d9f88af70..502a54e9ac33 100644
26265 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c
26266 ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c
26267 +@@ -869,7 +869,7 @@ static void fm10k_self_test(struct net_device *dev,
26268 +
26269 + memset(data, 0, sizeof(*data) * FM10K_TEST_LEN);
26270 +
26271 +- if (FM10K_REMOVED(hw)) {
26272 ++ if (FM10K_REMOVED(hw->hw_addr)) {
26273 + netif_err(interface, drv, dev,
26274 + "Interface removed - test blocked\n");
26275 + eth_test->flags |= ETH_TEST_FL_FAILED;
26276 +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
26277 +index d9f4498832a1..bc39fd5e22ad 100644
26278 +--- a/drivers/net/ethernet/marvell/sky2.c
26279 ++++ b/drivers/net/ethernet/marvell/sky2.c
26280 +@@ -5067,7 +5067,7 @@ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
26281 + INIT_WORK(&hw->restart_work, sky2_restart);
26282 +
26283 + pci_set_drvdata(pdev, hw);
26284 +- pdev->d3_delay = 150;
26285 ++ pdev->d3_delay = 200;
26286 +
26287 + return 0;
26288 +
26289 +diff --git a/drivers/net/ethernet/mellanox/mlx4/mcg.c b/drivers/net/ethernet/mellanox/mlx4/mcg.c
26290 +index bd9ea0d01aae..b0d677cad93a 100644
26291 +--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
26292 ++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
26293 +@@ -35,6 +35,7 @@
26294 + #include <linux/etherdevice.h>
26295 +
26296 + #include <linux/mlx4/cmd.h>
26297 ++#include <linux/mlx4/qp.h>
26298 + #include <linux/export.h>
26299 +
26300 + #include "mlx4.h"
26301 +@@ -985,16 +986,21 @@ int mlx4_flow_attach(struct mlx4_dev *dev,
26302 + if (IS_ERR(mailbox))
26303 + return PTR_ERR(mailbox);
26304 +
26305 ++ if (!mlx4_qp_lookup(dev, rule->qpn)) {
26306 ++ mlx4_err_rule(dev, "QP doesn't exist\n", rule);
26307 ++ ret = -EINVAL;
26308 ++ goto out;
26309 ++ }
26310 ++
26311 + trans_rule_ctrl_to_hw(rule, mailbox->buf);
26312 +
26313 + size += sizeof(struct mlx4_net_trans_rule_hw_ctrl);
26314 +
26315 + list_for_each_entry(cur, &rule->list, list) {
26316 + ret = parse_trans_rule(dev, cur, mailbox->buf + size);
26317 +- if (ret < 0) {
26318 +- mlx4_free_cmd_mailbox(dev, mailbox);
26319 +- return ret;
26320 +- }
26321 ++ if (ret < 0)
26322 ++ goto out;
26323 ++
26324 + size += ret;
26325 + }
26326 +
26327 +@@ -1021,6 +1027,7 @@ int mlx4_flow_attach(struct mlx4_dev *dev,
26328 + }
26329 + }
26330 +
26331 ++out:
26332 + mlx4_free_cmd_mailbox(dev, mailbox);
26333 +
26334 + return ret;
26335 +diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c
26336 +index eb1dcb7e9e96..c20e2d2f911a 100644
26337 +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
26338 ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
26339 +@@ -381,6 +381,19 @@ static void mlx4_qp_free_icm(struct mlx4_dev *dev, int qpn)
26340 + __mlx4_qp_free_icm(dev, qpn);
26341 + }
26342 +
26343 ++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn)
26344 ++{
26345 ++ struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table;
26346 ++ struct mlx4_qp *qp;
26347 ++
26348 ++ spin_lock(&qp_table->lock);
26349 ++
26350 ++ qp = __mlx4_qp_lookup(dev, qpn);
26351 ++
26352 ++ spin_unlock(&qp_table->lock);
26353 ++ return qp;
26354 ++}
26355 ++
26356 + int mlx4_qp_alloc(struct mlx4_dev *dev, int qpn, struct mlx4_qp *qp, gfp_t gfp)
26357 + {
26358 + struct mlx4_priv *priv = mlx4_priv(dev);
26359 +diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
26360 +index b8d5270359cd..e30676515529 100644
26361 +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
26362 ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c
26363 +@@ -247,7 +247,7 @@ nx_fw_cmd_set_mtu(struct netxen_adapter *adapter, int mtu)
26364 + cmd.req.arg3 = 0;
26365 +
26366 + if (recv_ctx->state == NX_HOST_CTX_STATE_ACTIVE)
26367 +- netxen_issue_cmd(adapter, &cmd);
26368 ++ rcode = netxen_issue_cmd(adapter, &cmd);
26369 +
26370 + if (rcode != NX_RCODE_SUCCESS)
26371 + return -EIO;
26372 +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
26373 +index 75ee9e4ced51..01e250935787 100644
26374 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
26375 ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c
26376 +@@ -341,7 +341,7 @@ qlcnic_pcie_sem_lock(struct qlcnic_adapter *adapter, int sem, u32 id_reg)
26377 + }
26378 + return -EIO;
26379 + }
26380 +- usleep_range(1000, 1500);
26381 ++ udelay(1200);
26382 + }
26383 +
26384 + if (id_reg)
26385 +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
26386 +index e6312465fe45..d732c63cd496 100644
26387 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
26388 ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
26389 +@@ -126,6 +126,8 @@ static int qlcnic_sriov_virtid_fn(struct qlcnic_adapter *adapter, int vf_id)
26390 + return 0;
26391 +
26392 + pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_SRIOV);
26393 ++ if (!pos)
26394 ++ return 0;
26395 + pci_read_config_word(dev, pos + PCI_SRIOV_VF_OFFSET, &offset);
26396 + pci_read_config_word(dev, pos + PCI_SRIOV_VF_STRIDE, &stride);
26397 +
26398 +diff --git a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
26399 +index be258d90de9e..e3223f2fe2ff 100644
26400 +--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
26401 ++++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
26402 +@@ -765,7 +765,7 @@ int ql_core_dump(struct ql_adapter *qdev, struct ql_mpi_coredump *mpi_coredump)
26403 + sizeof(struct mpi_coredump_global_header);
26404 + mpi_coredump->mpi_global_header.imageSize =
26405 + sizeof(struct ql_mpi_coredump);
26406 +- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
26407 ++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
26408 + sizeof(mpi_coredump->mpi_global_header.idString));
26409 +
26410 + /* Get generic NIC reg dump */
26411 +@@ -1255,7 +1255,7 @@ static void ql_gen_reg_dump(struct ql_adapter *qdev,
26412 + sizeof(struct mpi_coredump_global_header);
26413 + mpi_coredump->mpi_global_header.imageSize =
26414 + sizeof(struct ql_reg_dump);
26415 +- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
26416 ++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump",
26417 + sizeof(mpi_coredump->mpi_global_header.idString));
26418 +
26419 +
26420 +diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
26421 +index cba41860167c..32113fafc07b 100644
26422 +--- a/drivers/net/ethernet/qualcomm/qca_spi.c
26423 ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
26424 +@@ -296,8 +296,9 @@ qcaspi_receive(struct qcaspi *qca)
26425 +
26426 + /* Allocate rx SKB if we don't have one available. */
26427 + if (!qca->rx_skb) {
26428 +- qca->rx_skb = netdev_alloc_skb(net_dev,
26429 +- net_dev->mtu + VLAN_ETH_HLEN);
26430 ++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
26431 ++ net_dev->mtu +
26432 ++ VLAN_ETH_HLEN);
26433 + if (!qca->rx_skb) {
26434 + netdev_dbg(net_dev, "out of RX resources\n");
26435 + qca->stats.out_of_mem++;
26436 +@@ -377,7 +378,7 @@ qcaspi_receive(struct qcaspi *qca)
26437 + qca->rx_skb, qca->rx_skb->dev);
26438 + qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY;
26439 + netif_rx_ni(qca->rx_skb);
26440 +- qca->rx_skb = netdev_alloc_skb(net_dev,
26441 ++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev,
26442 + net_dev->mtu + VLAN_ETH_HLEN);
26443 + if (!qca->rx_skb) {
26444 + netdev_dbg(net_dev, "out of RX resources\n");
26445 +@@ -759,7 +760,8 @@ qcaspi_netdev_init(struct net_device *dev)
26446 + if (!qca->rx_buffer)
26447 + return -ENOBUFS;
26448 +
26449 +- qca->rx_skb = netdev_alloc_skb(dev, qca->net_dev->mtu + VLAN_ETH_HLEN);
26450 ++ qca->rx_skb = netdev_alloc_skb_ip_align(dev, qca->net_dev->mtu +
26451 ++ VLAN_ETH_HLEN);
26452 + if (!qca->rx_skb) {
26453 + kfree(qca->rx_buffer);
26454 + netdev_info(qca->net_dev, "Failed to allocate RX sk_buff.\n");
26455 +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
26456 +index 0ae76e419482..c64ed1613928 100644
26457 +--- a/drivers/net/ethernet/renesas/sh_eth.c
26458 ++++ b/drivers/net/ethernet/renesas/sh_eth.c
26459 +@@ -3217,7 +3217,7 @@ static int sh_eth_drv_probe(struct platform_device *pdev)
26460 + /* MDIO bus init */
26461 + ret = sh_mdio_init(mdp, pd);
26462 + if (ret) {
26463 +- dev_err(&ndev->dev, "failed to initialise MDIO\n");
26464 ++ dev_err(&pdev->dev, "failed to initialise MDIO\n");
26465 + goto out_release;
26466 + }
26467 +
26468 +diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
26469 +index b536b4c82752..9d12f7012798 100644
26470 +--- a/drivers/net/ethernet/ti/cpsw.c
26471 ++++ b/drivers/net/ethernet/ti/cpsw.c
26472 +@@ -291,6 +291,10 @@ struct cpsw_ss_regs {
26473 + /* Bit definitions for the CPSW1_TS_SEQ_LTYPE register */
26474 + #define CPSW_V1_SEQ_ID_OFS_SHIFT 16
26475 +
26476 ++#define CPSW_MAX_BLKS_TX 15
26477 ++#define CPSW_MAX_BLKS_TX_SHIFT 4
26478 ++#define CPSW_MAX_BLKS_RX 5
26479 ++
26480 + struct cpsw_host_regs {
26481 + u32 max_blks;
26482 + u32 blk_cnt;
26483 +@@ -1126,11 +1130,23 @@ static void cpsw_slave_open(struct cpsw_slave *slave, struct cpsw_priv *priv)
26484 + switch (priv->version) {
26485 + case CPSW_VERSION_1:
26486 + slave_write(slave, TX_PRIORITY_MAPPING, CPSW1_TX_PRI_MAP);
26487 ++ /* Increase RX FIFO size to 5 for supporting fullduplex
26488 ++ * flow control mode
26489 ++ */
26490 ++ slave_write(slave,
26491 ++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) |
26492 ++ CPSW_MAX_BLKS_RX, CPSW1_MAX_BLKS);
26493 + break;
26494 + case CPSW_VERSION_2:
26495 + case CPSW_VERSION_3:
26496 + case CPSW_VERSION_4:
26497 + slave_write(slave, TX_PRIORITY_MAPPING, CPSW2_TX_PRI_MAP);
26498 ++ /* Increase RX FIFO size to 5 for supporting fullduplex
26499 ++ * flow control mode
26500 ++ */
26501 ++ slave_write(slave,
26502 ++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) |
26503 ++ CPSW_MAX_BLKS_RX, CPSW2_MAX_BLKS);
26504 + break;
26505 + }
26506 +
26507 +diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c
26508 +index 49fe59b180a8..a75ce9051a7f 100644
26509 +--- a/drivers/net/hamradio/hdlcdrv.c
26510 ++++ b/drivers/net/hamradio/hdlcdrv.c
26511 +@@ -574,6 +574,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
26512 + case HDLCDRVCTL_CALIBRATE:
26513 + if(!capable(CAP_SYS_RAWIO))
26514 + return -EPERM;
26515 ++ if (s->par.bitrate <= 0)
26516 ++ return -EINVAL;
26517 + if (bi.data.calibrate > INT_MAX / s->par.bitrate)
26518 + return -EINVAL;
26519 + s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
26520 +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
26521 +index f3cd85ecd795..7439df3dd667 100644
26522 +--- a/drivers/net/ipvlan/ipvlan_core.c
26523 ++++ b/drivers/net/ipvlan/ipvlan_core.c
26524 +@@ -275,6 +275,10 @@ static int ipvlan_rcv_frame(struct ipvl_addr *addr, struct sk_buff *skb,
26525 + if (dev_forward_skb(ipvlan->dev, skb) == NET_RX_SUCCESS)
26526 + success = true;
26527 + } else {
26528 ++ if (!ether_addr_equal_64bits(eth_hdr(skb)->h_dest,
26529 ++ ipvlan->phy_dev->dev_addr))
26530 ++ skb->pkt_type = PACKET_OTHERHOST;
26531 ++
26532 + ret = RX_HANDLER_ANOTHER;
26533 + success = true;
26534 + }
26535 +diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
26536 +index 1ca78b46c01b..0afda59439d5 100644
26537 +--- a/drivers/net/phy/phy.c
26538 ++++ b/drivers/net/phy/phy.c
26539 +@@ -123,6 +123,12 @@ static inline int phy_aneg_done(struct phy_device *phydev)
26540 + if (phydev->drv->aneg_done)
26541 + return phydev->drv->aneg_done(phydev);
26542 +
26543 ++ /* Avoid genphy_aneg_done() if the Clause 45 PHY does not
26544 ++ * implement Clause 22 registers
26545 ++ */
26546 ++ if (phydev->is_c45 && !(phydev->c45_ids.devices_in_package & BIT(0)))
26547 ++ return -EINVAL;
26548 ++
26549 + return genphy_aneg_done(phydev);
26550 + }
26551 +
26552 +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
26553 +index 31aa93907b77..0123d7d1a391 100644
26554 +--- a/drivers/net/ppp/pppoe.c
26555 ++++ b/drivers/net/ppp/pppoe.c
26556 +@@ -638,6 +638,10 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
26557 + lock_sock(sk);
26558 +
26559 + error = -EINVAL;
26560 ++
26561 ++ if (sockaddr_len != sizeof(struct sockaddr_pppox))
26562 ++ goto end;
26563 ++
26564 + if (sp->sa_protocol != PX_PROTO_OE)
26565 + goto end;
26566 +
26567 +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
26568 +index b35199cc8f34..17407494531e 100644
26569 +--- a/drivers/net/ppp/pptp.c
26570 ++++ b/drivers/net/ppp/pptp.c
26571 +@@ -502,7 +502,6 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
26572 + po->chan.mtu = dst_mtu(&rt->dst);
26573 + if (!po->chan.mtu)
26574 + po->chan.mtu = PPP_MRU;
26575 +- ip_rt_put(rt);
26576 + po->chan.mtu -= PPTP_HEADER_OVERHEAD;
26577 +
26578 + po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header);
26579 +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
26580 +index 27ed25252aac..cfd81eb1b532 100644
26581 +--- a/drivers/net/slip/slhc.c
26582 ++++ b/drivers/net/slip/slhc.c
26583 +@@ -509,6 +509,10 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
26584 + if(x < 0 || x > comp->rslot_limit)
26585 + goto bad;
26586 +
26587 ++ /* Check if the cstate is initialized */
26588 ++ if (!comp->rstate[x].initialized)
26589 ++ goto bad;
26590 ++
26591 + comp->flags &=~ SLF_TOSS;
26592 + comp->recv_current = x;
26593 + } else {
26594 +@@ -673,6 +677,7 @@ slhc_remember(struct slcompress *comp, unsigned char *icp, int isize)
26595 + if (cs->cs_tcp.doff > 5)
26596 + memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4);
26597 + cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2;
26598 ++ cs->initialized = true;
26599 + /* Put headers back on packet
26600 + * Neither header checksum is recalculated
26601 + */
26602 +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
26603 +index a16b054a4fa6..463b8d013deb 100644
26604 +--- a/drivers/net/team/team.c
26605 ++++ b/drivers/net/team/team.c
26606 +@@ -247,6 +247,17 @@ static void __team_option_inst_mark_removed_port(struct team *team,
26607 + }
26608 + }
26609 +
26610 ++static bool __team_option_inst_tmp_find(const struct list_head *opts,
26611 ++ const struct team_option_inst *needle)
26612 ++{
26613 ++ struct team_option_inst *opt_inst;
26614 ++
26615 ++ list_for_each_entry(opt_inst, opts, tmp_list)
26616 ++ if (opt_inst == needle)
26617 ++ return true;
26618 ++ return false;
26619 ++}
26620 ++
26621 + static int __team_options_register(struct team *team,
26622 + const struct team_option *option,
26623 + size_t option_count)
26624 +@@ -1034,14 +1045,11 @@ static void team_port_leave(struct team *team, struct team_port *port)
26625 + }
26626 +
26627 + #ifdef CONFIG_NET_POLL_CONTROLLER
26628 +-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
26629 ++static int __team_port_enable_netpoll(struct team_port *port)
26630 + {
26631 + struct netpoll *np;
26632 + int err;
26633 +
26634 +- if (!team->dev->npinfo)
26635 +- return 0;
26636 +-
26637 + np = kzalloc(sizeof(*np), GFP_KERNEL);
26638 + if (!np)
26639 + return -ENOMEM;
26640 +@@ -1055,6 +1063,14 @@ static int team_port_enable_netpoll(struct team *team, struct team_port *port)
26641 + return err;
26642 + }
26643 +
26644 ++static int team_port_enable_netpoll(struct team_port *port)
26645 ++{
26646 ++ if (!port->team->dev->npinfo)
26647 ++ return 0;
26648 ++
26649 ++ return __team_port_enable_netpoll(port);
26650 ++}
26651 ++
26652 + static void team_port_disable_netpoll(struct team_port *port)
26653 + {
26654 + struct netpoll *np = port->np;
26655 +@@ -1069,7 +1085,7 @@ static void team_port_disable_netpoll(struct team_port *port)
26656 + kfree(np);
26657 + }
26658 + #else
26659 +-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
26660 ++static int team_port_enable_netpoll(struct team_port *port)
26661 + {
26662 + return 0;
26663 + }
26664 +@@ -1176,7 +1192,7 @@ static int team_port_add(struct team *team, struct net_device *port_dev)
26665 + goto err_vids_add;
26666 + }
26667 +
26668 +- err = team_port_enable_netpoll(team, port);
26669 ++ err = team_port_enable_netpoll(port);
26670 + if (err) {
26671 + netdev_err(dev, "Failed to enable netpoll on device %s\n",
26672 + portname);
26673 +@@ -1884,7 +1900,7 @@ static int team_netpoll_setup(struct net_device *dev,
26674 +
26675 + mutex_lock(&team->lock);
26676 + list_for_each_entry(port, &team->port_list, list) {
26677 +- err = team_port_enable_netpoll(team, port);
26678 ++ err = __team_port_enable_netpoll(port);
26679 + if (err) {
26680 + __team_netpoll_cleanup(team);
26681 + break;
26682 +@@ -2371,7 +2387,7 @@ send_done:
26683 + if (!nlh) {
26684 + err = __send_and_alloc_skb(&skb, team, portid, send_func);
26685 + if (err)
26686 +- goto errout;
26687 ++ return err;
26688 + goto send_done;
26689 + }
26690 +
26691 +@@ -2535,6 +2551,14 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
26692 + if (err)
26693 + goto team_put;
26694 + opt_inst->changed = true;
26695 ++
26696 ++ /* dumb/evil user-space can send us duplicate opt,
26697 ++ * keep only the last one
26698 ++ */
26699 ++ if (__team_option_inst_tmp_find(&opt_inst_list,
26700 ++ opt_inst))
26701 ++ continue;
26702 ++
26703 + list_add(&opt_inst->tmp_list, &opt_inst_list);
26704 + }
26705 + if (!opt_found) {
26706 +@@ -2651,7 +2675,7 @@ send_done:
26707 + if (!nlh) {
26708 + err = __send_and_alloc_skb(&skb, team, portid, send_func);
26709 + if (err)
26710 +- goto errout;
26711 ++ return err;
26712 + goto send_done;
26713 + }
26714 +
26715 +diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
26716 +index 4545e78840b0..5243d2797c3d 100644
26717 +--- a/drivers/net/usb/cdc_ether.c
26718 ++++ b/drivers/net/usb/cdc_ether.c
26719 +@@ -750,6 +750,12 @@ static const struct usb_device_id products[] = {
26720 + USB_CDC_SUBCLASS_ETHERNET,
26721 + USB_CDC_PROTO_NONE),
26722 + .driver_info = (unsigned long)&wwan_info,
26723 ++}, {
26724 ++ /* Cinterion AHS3 modem by GEMALTO */
26725 ++ USB_DEVICE_AND_INTERFACE_INFO(0x1e2d, 0x0055, USB_CLASS_COMM,
26726 ++ USB_CDC_SUBCLASS_ETHERNET,
26727 ++ USB_CDC_PROTO_NONE),
26728 ++ .driver_info = (unsigned long)&wwan_info,
26729 + }, {
26730 + /* Telit modules */
26731 + USB_VENDOR_AND_INTERFACE_INFO(0x1bc7, USB_CLASS_COMM,
26732 +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
26733 +index 3d97fd391793..23a327e93732 100644
26734 +--- a/drivers/net/usb/qmi_wwan.c
26735 ++++ b/drivers/net/usb/qmi_wwan.c
26736 +@@ -674,6 +674,7 @@ static const struct usb_device_id products[] = {
26737 + {QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
26738 + {QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
26739 + {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
26740 ++ {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */
26741 + {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
26742 + {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
26743 + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
26744 +diff --git a/drivers/net/veth.c b/drivers/net/veth.c
26745 +index 2e61a799f32a..611c78be4da9 100644
26746 +--- a/drivers/net/veth.c
26747 ++++ b/drivers/net/veth.c
26748 +@@ -397,6 +397,9 @@ static int veth_newlink(struct net *src_net, struct net_device *dev,
26749 + if (ifmp && (dev->ifindex != 0))
26750 + peer->ifindex = ifmp->ifi_index;
26751 +
26752 ++ peer->gso_max_size = dev->gso_max_size;
26753 ++ peer->gso_max_segs = dev->gso_max_segs;
26754 ++
26755 + err = register_netdevice(peer);
26756 + put_net(net);
26757 + net = NULL;
26758 +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
26759 +index 64ca961bca18..9ecc6ca5e4b4 100644
26760 +--- a/drivers/net/virtio_net.c
26761 ++++ b/drivers/net/virtio_net.c
26762 +@@ -852,7 +852,7 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
26763 + struct virtio_net_hdr_mrg_rxbuf *hdr;
26764 + const unsigned char *dest = ((struct ethhdr *)skb->data)->h_dest;
26765 + struct virtnet_info *vi = sq->vq->vdev->priv;
26766 +- unsigned num_sg;
26767 ++ int num_sg;
26768 + unsigned hdr_len = vi->hdr_len;
26769 + bool can_push;
26770 +
26771 +@@ -905,11 +905,16 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
26772 + if (can_push) {
26773 + __skb_push(skb, hdr_len);
26774 + num_sg = skb_to_sgvec(skb, sq->sg, 0, skb->len);
26775 ++ if (unlikely(num_sg < 0))
26776 ++ return num_sg;
26777 + /* Pull header back to avoid skew in tx bytes calculations. */
26778 + __skb_pull(skb, hdr_len);
26779 + } else {
26780 + sg_set_buf(sq->sg, hdr, hdr_len);
26781 +- num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len) + 1;
26782 ++ num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len);
26783 ++ if (unlikely(num_sg < 0))
26784 ++ return num_sg;
26785 ++ num_sg++;
26786 + }
26787 + return virtqueue_add_outbuf(sq->vq, sq->sg, num_sg, skb, GFP_ATOMIC);
26788 + }
26789 +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
26790 +index 0b9c8d61f7d1..51998a85e314 100644
26791 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c
26792 ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
26793 +@@ -2655,6 +2655,11 @@ vmxnet3_force_close(struct vmxnet3_adapter *adapter)
26794 + /* we need to enable NAPI, otherwise dev_close will deadlock */
26795 + for (i = 0; i < adapter->num_rx_queues; i++)
26796 + napi_enable(&adapter->rx_queue[i].napi);
26797 ++ /*
26798 ++ * Need to clear the quiesce bit to ensure that vmxnet3_close
26799 ++ * can quiesce the device properly
26800 ++ */
26801 ++ clear_bit(VMXNET3_STATE_BIT_QUIESCED, &adapter->state);
26802 + dev_close(adapter->netdev);
26803 + }
26804 +
26805 +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
26806 +index 1ad3700ed9c7..8ddefc96fb50 100644
26807 +--- a/drivers/net/vxlan.c
26808 ++++ b/drivers/net/vxlan.c
26809 +@@ -1001,7 +1001,7 @@ static bool vxlan_snoop(struct net_device *dev,
26810 + return false;
26811 +
26812 + /* Don't migrate static entries, drop packets */
26813 +- if (f->state & NUD_NOARP)
26814 ++ if (f->state & (NUD_PERMANENT | NUD_NOARP))
26815 + return true;
26816 +
26817 + if (net_ratelimit())
26818 +diff --git a/drivers/net/wan/pc300too.c b/drivers/net/wan/pc300too.c
26819 +index db363856e0b5..2b064998915f 100644
26820 +--- a/drivers/net/wan/pc300too.c
26821 ++++ b/drivers/net/wan/pc300too.c
26822 +@@ -347,6 +347,7 @@ static int pc300_pci_init_one(struct pci_dev *pdev,
26823 + card->rambase == NULL) {
26824 + pr_err("ioremap() failed\n");
26825 + pc300_pci_remove_one(pdev);
26826 ++ return -ENOMEM;
26827 + }
26828 +
26829 + /* PLX PCI 9050 workaround for local configuration register read bug */
26830 +diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
26831 +index 1b69427fbb29..8b1ab8880113 100644
26832 +--- a/drivers/net/wireless/ath/ath10k/debug.c
26833 ++++ b/drivers/net/wireless/ath/ath10k/debug.c
26834 +@@ -1853,6 +1853,15 @@ static ssize_t ath10k_write_simulate_radar(struct file *file,
26835 + size_t count, loff_t *ppos)
26836 + {
26837 + struct ath10k *ar = file->private_data;
26838 ++ struct ath10k_vif *arvif;
26839 ++
26840 ++ /* Just check for for the first vif alone, as all the vifs will be
26841 ++ * sharing the same channel and if the channel is disabled, all the
26842 ++ * vifs will share the same 'is_started' state.
26843 ++ */
26844 ++ arvif = list_first_entry(&ar->arvifs, typeof(*arvif), list);
26845 ++ if (!arvif->is_started)
26846 ++ return -EINVAL;
26847 +
26848 + ieee80211_radar_detected(ar->hw);
26849 +
26850 +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
26851 +index 6757d9c63bf2..561a777ba8c7 100644
26852 +--- a/drivers/net/wireless/ath/ath10k/mac.c
26853 ++++ b/drivers/net/wireless/ath/ath10k/mac.c
26854 +@@ -4001,9 +4001,8 @@ static void ath10k_sta_rc_update_wk(struct work_struct *wk)
26855 + sta->addr, smps, err);
26856 + }
26857 +
26858 +- if (changed & IEEE80211_RC_SUPP_RATES_CHANGED ||
26859 +- changed & IEEE80211_RC_NSS_CHANGED) {
26860 +- ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM supp rates/nss\n",
26861 ++ if (changed & IEEE80211_RC_SUPP_RATES_CHANGED) {
26862 ++ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac update sta %pM supp rates\n",
26863 + sta->addr);
26864 +
26865 + err = ath10k_station_assoc(ar, arvif->vif, sta, true);
26866 +diff --git a/drivers/net/wireless/ath/ath5k/debug.c b/drivers/net/wireless/ath/ath5k/debug.c
26867 +index c70782e8f07b..b5802e37ab24 100644
26868 +--- a/drivers/net/wireless/ath/ath5k/debug.c
26869 ++++ b/drivers/net/wireless/ath/ath5k/debug.c
26870 +@@ -939,7 +939,10 @@ static int open_file_eeprom(struct inode *inode, struct file *file)
26871 + }
26872 +
26873 + for (i = 0; i < eesize; ++i) {
26874 +- AR5K_EEPROM_READ(i, val);
26875 ++ if (!ath5k_hw_nvram_read(ah, i, &val)) {
26876 ++ ret = -EIO;
26877 ++ goto freebuf;
26878 ++ }
26879 + buf[i] = val;
26880 + }
26881 +
26882 +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
26883 +index 5e15e8e10ed3..bb64d7377a96 100644
26884 +--- a/drivers/net/wireless/ath/ath9k/hw.c
26885 ++++ b/drivers/net/wireless/ath/ath9k/hw.c
26886 +@@ -1593,6 +1593,10 @@ bool ath9k_hw_check_alive(struct ath_hw *ah)
26887 + int count = 50;
26888 + u32 reg, last_val;
26889 +
26890 ++ /* Check if chip failed to wake up */
26891 ++ if (REG_READ(ah, AR_CFG) == 0xdeadbeef)
26892 ++ return false;
26893 ++
26894 + if (AR_SREV_9300(ah))
26895 + return !ath9k_hw_detect_mac_hang(ah);
26896 +
26897 +diff --git a/drivers/net/wireless/ath/regd.c b/drivers/net/wireless/ath/regd.c
26898 +index 06ea6cc9e30a..62077bda8dde 100644
26899 +--- a/drivers/net/wireless/ath/regd.c
26900 ++++ b/drivers/net/wireless/ath/regd.c
26901 +@@ -254,8 +254,12 @@ bool ath_is_49ghz_allowed(u16 regdomain)
26902 + EXPORT_SYMBOL(ath_is_49ghz_allowed);
26903 +
26904 + /* Frequency is one where radar detection is required */
26905 +-static bool ath_is_radar_freq(u16 center_freq)
26906 ++static bool ath_is_radar_freq(u16 center_freq,
26907 ++ struct ath_regulatory *reg)
26908 ++
26909 + {
26910 ++ if (reg->country_code == CTRY_INDIA)
26911 ++ return (center_freq >= 5500 && center_freq <= 5700);
26912 + return (center_freq >= 5260 && center_freq <= 5700);
26913 + }
26914 +
26915 +@@ -306,7 +310,7 @@ __ath_reg_apply_beaconing_flags(struct wiphy *wiphy,
26916 + enum nl80211_reg_initiator initiator,
26917 + struct ieee80211_channel *ch)
26918 + {
26919 +- if (ath_is_radar_freq(ch->center_freq) ||
26920 ++ if (ath_is_radar_freq(ch->center_freq, reg) ||
26921 + (ch->flags & IEEE80211_CHAN_RADAR))
26922 + return;
26923 +
26924 +@@ -395,8 +399,9 @@ ath_reg_apply_ir_flags(struct wiphy *wiphy,
26925 + }
26926 + }
26927 +
26928 +-/* Always apply Radar/DFS rules on freq range 5260 MHz - 5700 MHz */
26929 +-static void ath_reg_apply_radar_flags(struct wiphy *wiphy)
26930 ++/* Always apply Radar/DFS rules on freq range 5500 MHz - 5700 MHz */
26931 ++static void ath_reg_apply_radar_flags(struct wiphy *wiphy,
26932 ++ struct ath_regulatory *reg)
26933 + {
26934 + struct ieee80211_supported_band *sband;
26935 + struct ieee80211_channel *ch;
26936 +@@ -409,7 +414,7 @@ static void ath_reg_apply_radar_flags(struct wiphy *wiphy)
26937 +
26938 + for (i = 0; i < sband->n_channels; i++) {
26939 + ch = &sband->channels[i];
26940 +- if (!ath_is_radar_freq(ch->center_freq))
26941 ++ if (!ath_is_radar_freq(ch->center_freq, reg))
26942 + continue;
26943 + /* We always enable radar detection/DFS on this
26944 + * frequency range. Additionally we also apply on
26945 +@@ -505,7 +510,7 @@ void ath_reg_notifier_apply(struct wiphy *wiphy,
26946 + struct ath_common *common = container_of(reg, struct ath_common,
26947 + regulatory);
26948 + /* We always apply this */
26949 +- ath_reg_apply_radar_flags(wiphy);
26950 ++ ath_reg_apply_radar_flags(wiphy, reg);
26951 +
26952 + /*
26953 + * This would happen when we have sent a custom regulatory request
26954 +@@ -653,7 +658,7 @@ ath_regd_init_wiphy(struct ath_regulatory *reg,
26955 + }
26956 +
26957 + wiphy_apply_custom_regulatory(wiphy, regd);
26958 +- ath_reg_apply_radar_flags(wiphy);
26959 ++ ath_reg_apply_radar_flags(wiphy, reg);
26960 + ath_reg_apply_world_flags(wiphy, NL80211_REGDOM_SET_BY_DRIVER, reg);
26961 + return 0;
26962 + }
26963 +diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c
26964 +index a058151f5eed..ec51447365c1 100644
26965 +--- a/drivers/net/wireless/ath/wil6210/main.c
26966 ++++ b/drivers/net/wireless/ath/wil6210/main.c
26967 +@@ -118,9 +118,15 @@ void wil_memcpy_fromio_32(void *dst, const volatile void __iomem *src,
26968 + u32 *d = dst;
26969 + const volatile u32 __iomem *s = src;
26970 +
26971 +- /* size_t is unsigned, if (count%4 != 0) it will wrap */
26972 +- for (count += 4; count > 4; count -= 4)
26973 ++ for (; count >= 4; count -= 4)
26974 + *d++ = __raw_readl(s++);
26975 ++
26976 ++ if (unlikely(count)) {
26977 ++ /* count can be 1..3 */
26978 ++ u32 tmp = __raw_readl(s);
26979 ++
26980 ++ memcpy(d, &tmp, count);
26981 ++ }
26982 + }
26983 +
26984 + void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src,
26985 +@@ -129,8 +135,16 @@ void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src,
26986 + volatile u32 __iomem *d = dst;
26987 + const u32 *s = src;
26988 +
26989 +- for (count += 4; count > 4; count -= 4)
26990 ++ for (; count >= 4; count -= 4)
26991 + __raw_writel(*s++, d++);
26992 ++
26993 ++ if (unlikely(count)) {
26994 ++ /* count can be 1..3 */
26995 ++ u32 tmp = 0;
26996 ++
26997 ++ memcpy(&tmp, s, count);
26998 ++ __raw_writel(tmp, d);
26999 ++ }
27000 + }
27001 +
27002 + static void wil_disconnect_cid(struct wil6210_priv *wil, int cid,
27003 +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
27004 +index 710fbe570eb2..a85ac706f892 100644
27005 +--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
27006 ++++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
27007 +@@ -460,25 +460,23 @@ static int brcmf_p2p_set_firmware(struct brcmf_if *ifp, u8 *p2p_mac)
27008 + * @dev_addr: optional device address.
27009 + *
27010 + * P2P needs mac addresses for P2P device and interface. If no device
27011 +- * address it specified, these are derived from the primary net device, ie.
27012 +- * the permanent ethernet address of the device.
27013 ++ * address it specified, these are derived from a random ethernet
27014 ++ * address.
27015 + */
27016 + static void brcmf_p2p_generate_bss_mac(struct brcmf_p2p_info *p2p, u8 *dev_addr)
27017 + {
27018 +- struct brcmf_if *pri_ifp = p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif->ifp;
27019 +- bool local_admin = false;
27020 ++ bool random_addr = false;
27021 +
27022 +- if (!dev_addr || is_zero_ether_addr(dev_addr)) {
27023 +- dev_addr = pri_ifp->mac_addr;
27024 +- local_admin = true;
27025 +- }
27026 ++ if (!dev_addr || is_zero_ether_addr(dev_addr))
27027 ++ random_addr = true;
27028 +
27029 +- /* Generate the P2P Device Address. This consists of the device's
27030 +- * primary MAC address with the locally administered bit set.
27031 ++ /* Generate the P2P Device Address obtaining a random ethernet
27032 ++ * address with the locally administered bit set.
27033 + */
27034 +- memcpy(p2p->dev_addr, dev_addr, ETH_ALEN);
27035 +- if (local_admin)
27036 +- p2p->dev_addr[0] |= 0x02;
27037 ++ if (random_addr)
27038 ++ eth_random_addr(p2p->dev_addr);
27039 ++ else
27040 ++ memcpy(p2p->dev_addr, dev_addr, ETH_ALEN);
27041 +
27042 + /* Generate the P2P Interface Address. If the discovery and connection
27043 + * BSSCFGs need to simultaneously co-exist, then this address must be
27044 +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
27045 +index aafb97ce080d..eadb9ded7070 100644
27046 +--- a/drivers/net/wireless/mac80211_hwsim.c
27047 ++++ b/drivers/net/wireless/mac80211_hwsim.c
27048 +@@ -699,16 +699,21 @@ static int hwsim_fops_ps_write(void *dat, u64 val)
27049 + val != PS_MANUAL_POLL)
27050 + return -EINVAL;
27051 +
27052 +- old_ps = data->ps;
27053 +- data->ps = val;
27054 +-
27055 +- local_bh_disable();
27056 + if (val == PS_MANUAL_POLL) {
27057 ++ if (data->ps != PS_ENABLED)
27058 ++ return -EINVAL;
27059 ++ local_bh_disable();
27060 + ieee80211_iterate_active_interfaces_atomic(
27061 + data->hw, IEEE80211_IFACE_ITER_NORMAL,
27062 + hwsim_send_ps_poll, data);
27063 +- data->ps_poll_pending = true;
27064 +- } else if (old_ps == PS_DISABLED && val != PS_DISABLED) {
27065 ++ local_bh_enable();
27066 ++ return 0;
27067 ++ }
27068 ++ old_ps = data->ps;
27069 ++ data->ps = val;
27070 ++
27071 ++ local_bh_disable();
27072 ++ if (old_ps == PS_DISABLED && val != PS_DISABLED) {
27073 + ieee80211_iterate_active_interfaces_atomic(
27074 + data->hw, IEEE80211_IFACE_ITER_NORMAL,
27075 + hwsim_send_nullfunc_ps, data);
27076 +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
27077 +index 477f86354dc5..4482debcfe84 100644
27078 +--- a/drivers/net/wireless/ray_cs.c
27079 ++++ b/drivers/net/wireless/ray_cs.c
27080 +@@ -247,7 +247,10 @@ static const UCHAR b4_default_startup_parms[] = {
27081 + 0x04, 0x08, /* Noise gain, limit offset */
27082 + 0x28, 0x28, /* det rssi, med busy offsets */
27083 + 7, /* det sync thresh */
27084 +- 0, 2, 2 /* test mode, min, max */
27085 ++ 0, 2, 2, /* test mode, min, max */
27086 ++ 0, /* rx/tx delay */
27087 ++ 0, 0, 0, 0, 0, 0, /* current BSS id */
27088 ++ 0 /* hop set */
27089 + };
27090 +
27091 + /*===========================================================================*/
27092 +@@ -598,7 +601,7 @@ static void init_startup_params(ray_dev_t *local)
27093 + * a_beacon_period = hops a_beacon_period = KuS
27094 + *//* 64ms = 010000 */
27095 + if (local->fw_ver == 0x55) {
27096 +- memcpy((UCHAR *) &local->sparm.b4, b4_default_startup_parms,
27097 ++ memcpy(&local->sparm.b4, b4_default_startup_parms,
27098 + sizeof(struct b4_startup_params));
27099 + /* Translate sane kus input values to old build 4/5 format */
27100 + /* i = hop time in uS truncated to 3 bytes */
27101 +diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
27102 +index d72ff8e7125d..3f2554fb1a62 100644
27103 +--- a/drivers/net/wireless/rndis_wlan.c
27104 ++++ b/drivers/net/wireless/rndis_wlan.c
27105 +@@ -3425,6 +3425,10 @@ static int rndis_wlan_bind(struct usbnet *usbdev, struct usb_interface *intf)
27106 +
27107 + /* because rndis_command() sleeps we need to use workqueue */
27108 + priv->workqueue = create_singlethread_workqueue("rndis_wlan");
27109 ++ if (!priv->workqueue) {
27110 ++ wiphy_free(wiphy);
27111 ++ return -ENOMEM;
27112 ++ }
27113 + INIT_WORK(&priv->work, rndis_wlan_worker);
27114 + INIT_DELAYED_WORK(&priv->dev_poller_work, rndis_device_poller);
27115 + INIT_DELAYED_WORK(&priv->scan_work, rndis_get_scan_results);
27116 +diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c
27117 +index 629ad8cfa17b..6952aaa232f7 100644
27118 +--- a/drivers/net/wireless/rtl818x/rtl8187/dev.c
27119 ++++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c
27120 +@@ -1454,6 +1454,7 @@ static int rtl8187_probe(struct usb_interface *intf,
27121 + goto err_free_dev;
27122 + }
27123 + mutex_init(&priv->io_mutex);
27124 ++ mutex_init(&priv->conf_mutex);
27125 +
27126 + SET_IEEE80211_DEV(dev, &intf->dev);
27127 + usb_set_intfdata(intf, dev);
27128 +@@ -1627,7 +1628,6 @@ static int rtl8187_probe(struct usb_interface *intf,
27129 + printk(KERN_ERR "rtl8187: Cannot register device\n");
27130 + goto err_free_dmabuf;
27131 + }
27132 +- mutex_init(&priv->conf_mutex);
27133 + skb_queue_head_init(&priv->b_tx_status.queue);
27134 +
27135 + wiphy_info(dev->wiphy, "hwaddr %pM, %s V%d + %s, rfkill mask %d\n",
27136 +diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c
27137 +index 5b4048041147..1f75586ab3a6 100644
27138 +--- a/drivers/net/wireless/rtlwifi/pci.c
27139 ++++ b/drivers/net/wireless/rtlwifi/pci.c
27140 +@@ -1576,7 +1576,14 @@ int rtl_pci_reset_trx_ring(struct ieee80211_hw *hw)
27141 + dev_kfree_skb_irq(skb);
27142 + ring->idx = (ring->idx + 1) % ring->entries;
27143 + }
27144 ++
27145 ++ if (rtlpriv->use_new_trx_flow) {
27146 ++ rtlpci->tx_ring[i].cur_tx_rp = 0;
27147 ++ rtlpci->tx_ring[i].cur_tx_wp = 0;
27148 ++ }
27149 ++
27150 + ring->idx = 0;
27151 ++ ring->entries = rtlpci->txringcount[i];
27152 + }
27153 + }
27154 + spin_unlock_irqrestore(&rtlpriv->locks.irq_th_lock, flags);
27155 +diff --git a/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c b/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c
27156 +index c5d4b8013cde..5a0fffaed0f5 100644
27157 +--- a/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c
27158 ++++ b/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c
27159 +@@ -664,7 +664,7 @@ void rtl92ee_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
27160 + struct rtl_priv *rtlpriv = rtl_priv(hw);
27161 + struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
27162 + struct sk_buff *skb = NULL;
27163 +-
27164 ++ bool rtstatus;
27165 + u32 totalpacketlen;
27166 + u8 u1rsvdpageloc[5] = { 0 };
27167 + bool b_dlok = false;
27168 +@@ -727,7 +727,9 @@ void rtl92ee_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
27169 + memcpy((u8 *)skb_put(skb, totalpacketlen),
27170 + &reserved_page_packet, totalpacketlen);
27171 +
27172 +- b_dlok = true;
27173 ++ rtstatus = rtl_cmd_send_packet(hw, skb);
27174 ++ if (rtstatus)
27175 ++ b_dlok = true;
27176 +
27177 + if (b_dlok) {
27178 + RT_TRACE(rtlpriv, COMP_POWER, DBG_LOUD ,
27179 +diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/dm.c b/drivers/net/wireless/rtlwifi/rtl8821ae/dm.c
27180 +index 342678d2ed42..19f0db505a50 100644
27181 +--- a/drivers/net/wireless/rtlwifi/rtl8821ae/dm.c
27182 ++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/dm.c
27183 +@@ -2490,9 +2490,9 @@ void rtl8821ae_dm_txpower_tracking_callback_thermalmeter(
27184 + for (p = RF90_PATH_A; p < MAX_PATH_NUM_8821A; p++)
27185 + rtldm->swing_idx_ofdm_base[p] = rtldm->swing_idx_ofdm[p];
27186 +
27187 +- RT_TRACE(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD,
27188 +- "pDM_Odm->RFCalibrateInfo.ThermalValue = %d ThermalValue= %d\n",
27189 +- rtldm->thermalvalue, thermal_value);
27190 ++ RT_TRACE(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD,
27191 ++ "pDM_Odm->RFCalibrateInfo.ThermalValue = %d ThermalValue= %d\n",
27192 ++ rtldm->thermalvalue, thermal_value);
27193 + /*Record last Power Tracking Thermal Value*/
27194 + rtldm->thermalvalue = thermal_value;
27195 + }
27196 +diff --git a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
27197 +index 76e52dfb2be5..cf0e54b8846c 100644
27198 +--- a/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
27199 ++++ b/drivers/net/wireless/rtlwifi/rtl8821ae/hw.c
27200 +@@ -1377,6 +1377,7 @@ static void _rtl8821ae_get_wakeup_reason(struct ieee80211_hw *hw)
27201 +
27202 + ppsc->wakeup_reason = 0;
27203 +
27204 ++ do_gettimeofday(&ts);
27205 + rtlhal->last_suspend_sec = ts.tv_sec;
27206 +
27207 + switch (fw_reason) {
27208 +diff --git a/drivers/net/wireless/ti/wl1251/main.c b/drivers/net/wireless/ti/wl1251/main.c
27209 +index 040bf3c66958..0ac639ed4be9 100644
27210 +--- a/drivers/net/wireless/ti/wl1251/main.c
27211 ++++ b/drivers/net/wireless/ti/wl1251/main.c
27212 +@@ -1201,8 +1201,7 @@ static void wl1251_op_bss_info_changed(struct ieee80211_hw *hw,
27213 + WARN_ON(wl->bss_type != BSS_TYPE_STA_BSS);
27214 +
27215 + enable = bss_conf->arp_addr_cnt == 1 && bss_conf->assoc;
27216 +- wl1251_acx_arp_ip_filter(wl, enable, addr);
27217 +-
27218 ++ ret = wl1251_acx_arp_ip_filter(wl, enable, addr);
27219 + if (ret < 0)
27220 + goto out_sleep;
27221 + }
27222 +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
27223 +index fd9f6ce14e8e..58cb86417da0 100644
27224 +--- a/drivers/net/xen-netfront.c
27225 ++++ b/drivers/net/xen-netfront.c
27226 +@@ -1986,7 +1986,10 @@ static void netback_changed(struct xenbus_device *dev,
27227 + case XenbusStateInitialised:
27228 + case XenbusStateReconfiguring:
27229 + case XenbusStateReconfigured:
27230 ++ break;
27231 ++
27232 + case XenbusStateUnknown:
27233 ++ wake_up_all(&module_unload_q);
27234 + break;
27235 +
27236 + case XenbusStateInitWait:
27237 +@@ -2117,7 +2120,9 @@ static int xennet_remove(struct xenbus_device *dev)
27238 + xenbus_switch_state(dev, XenbusStateClosing);
27239 + wait_event(module_unload_q,
27240 + xenbus_read_driver_state(dev->otherend) ==
27241 +- XenbusStateClosing);
27242 ++ XenbusStateClosing ||
27243 ++ xenbus_read_driver_state(dev->otherend) ==
27244 ++ XenbusStateUnknown);
27245 +
27246 + xenbus_switch_state(dev, XenbusStateClosed);
27247 + wait_event(module_unload_q,
27248 +diff --git a/drivers/of/device.c b/drivers/of/device.c
27249 +index 493b21bd1199..6601cc62a990 100644
27250 +--- a/drivers/of/device.c
27251 ++++ b/drivers/of/device.c
27252 +@@ -210,7 +210,7 @@ ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len)
27253 + str[i] = '_';
27254 + }
27255 +
27256 +- return tsize;
27257 ++ return repend;
27258 + }
27259 + EXPORT_SYMBOL_GPL(of_device_get_modalias);
27260 +
27261 +diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
27262 +index 53d15b30636a..e914007f5523 100644
27263 +--- a/drivers/parport/parport_pc.c
27264 ++++ b/drivers/parport/parport_pc.c
27265 +@@ -2646,6 +2646,7 @@ enum parport_pc_pci_cards {
27266 + netmos_9901,
27267 + netmos_9865,
27268 + quatech_sppxp100,
27269 ++ wch_ch382l,
27270 + };
27271 +
27272 +
27273 +@@ -2708,6 +2709,7 @@ static struct parport_pc_pci {
27274 + /* netmos_9901 */ { 1, { { 0, -1 }, } },
27275 + /* netmos_9865 */ { 1, { { 0, -1 }, } },
27276 + /* quatech_sppxp100 */ { 1, { { 0, 1 }, } },
27277 ++ /* wch_ch382l */ { 1, { { 2, -1 }, } },
27278 + };
27279 +
27280 + static const struct pci_device_id parport_pc_pci_tbl[] = {
27281 +@@ -2797,6 +2799,8 @@ static const struct pci_device_id parport_pc_pci_tbl[] = {
27282 + /* Quatech SPPXP-100 Parallel port PCI ExpressCard */
27283 + { PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100,
27284 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 },
27285 ++ /* WCH CH382L PCI-E single parallel port card */
27286 ++ { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l },
27287 + { 0, } /* terminate list */
27288 + };
27289 + MODULE_DEVICE_TABLE(pci, parport_pc_pci_tbl);
27290 +diff --git a/drivers/pci/hotplug/acpiphp_glue.c b/drivers/pci/hotplug/acpiphp_glue.c
27291 +index b60309ee80ed..031f64da6151 100644
27292 +--- a/drivers/pci/hotplug/acpiphp_glue.c
27293 ++++ b/drivers/pci/hotplug/acpiphp_glue.c
27294 +@@ -587,6 +587,7 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot)
27295 + {
27296 + unsigned long long sta = 0;
27297 + struct acpiphp_func *func;
27298 ++ u32 dvid;
27299 +
27300 + list_for_each_entry(func, &slot->funcs, sibling) {
27301 + if (func->flags & FUNC_HAS_STA) {
27302 +@@ -597,19 +598,27 @@ static unsigned int get_slot_status(struct acpiphp_slot *slot)
27303 + if (ACPI_SUCCESS(status) && sta)
27304 + break;
27305 + } else {
27306 +- u32 dvid;
27307 +-
27308 +- pci_bus_read_config_dword(slot->bus,
27309 +- PCI_DEVFN(slot->device,
27310 +- func->function),
27311 +- PCI_VENDOR_ID, &dvid);
27312 +- if (dvid != 0xffffffff) {
27313 ++ if (pci_bus_read_dev_vendor_id(slot->bus,
27314 ++ PCI_DEVFN(slot->device, func->function),
27315 ++ &dvid, 0)) {
27316 + sta = ACPI_STA_ALL;
27317 + break;
27318 + }
27319 + }
27320 + }
27321 +
27322 ++ if (!sta) {
27323 ++ /*
27324 ++ * Check for the slot itself since it may be that the
27325 ++ * ACPI slot is a device below PCIe upstream port so in
27326 ++ * that case it may not even be reachable yet.
27327 ++ */
27328 ++ if (pci_bus_read_dev_vendor_id(slot->bus,
27329 ++ PCI_DEVFN(slot->device, 0), &dvid, 0)) {
27330 ++ sta = ACPI_STA_ALL;
27331 ++ }
27332 ++ }
27333 ++
27334 + return (unsigned int)sta;
27335 + }
27336 +
27337 +diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
27338 +index 1363fe636281..afb80eb5a528 100644
27339 +--- a/drivers/pci/pci-driver.c
27340 ++++ b/drivers/pci/pci-driver.c
27341 +@@ -450,8 +450,6 @@ static void pci_device_shutdown(struct device *dev)
27342 +
27343 + if (drv && drv->shutdown)
27344 + drv->shutdown(pci_dev);
27345 +- pci_msi_shutdown(pci_dev);
27346 +- pci_msix_shutdown(pci_dev);
27347 +
27348 + #ifdef CONFIG_KEXEC
27349 + /*
27350 +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
27351 +index c7dc06636bf6..005fc2478ef4 100644
27352 +--- a/drivers/pci/probe.c
27353 ++++ b/drivers/pci/probe.c
27354 +@@ -227,7 +227,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
27355 + res->flags |= IORESOURCE_ROM_ENABLE;
27356 + l64 = l & PCI_ROM_ADDRESS_MASK;
27357 + sz64 = sz & PCI_ROM_ADDRESS_MASK;
27358 +- mask64 = (u32)PCI_ROM_ADDRESS_MASK;
27359 ++ mask64 = PCI_ROM_ADDRESS_MASK;
27360 + }
27361 +
27362 + if (res->flags & IORESOURCE_MEM_64) {
27363 +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
27364 +index 7b9e3564fc43..4de72003515f 100644
27365 +--- a/drivers/pci/quirks.c
27366 ++++ b/drivers/pci/quirks.c
27367 +@@ -3645,6 +3645,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230,
27368 + quirk_dma_func1_alias);
27369 + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642,
27370 + quirk_dma_func1_alias);
27371 ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645,
27372 ++ quirk_dma_func1_alias);
27373 + /* https://bugs.gentoo.org/show_bug.cgi?id=497630 */
27374 + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_JMICRON,
27375 + PCI_DEVICE_ID_JMICRON_JMB388_ESD,
27376 +diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c
27377 +index 00f32ff6f74e..c03763d68a95 100644
27378 +--- a/drivers/pci/setup-res.c
27379 ++++ b/drivers/pci/setup-res.c
27380 +@@ -59,7 +59,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno)
27381 + mask = (u32)PCI_BASE_ADDRESS_IO_MASK;
27382 + new |= res->flags & ~PCI_BASE_ADDRESS_IO_MASK;
27383 + } else if (resno == PCI_ROM_RESOURCE) {
27384 +- mask = (u32)PCI_ROM_ADDRESS_MASK;
27385 ++ mask = PCI_ROM_ADDRESS_MASK;
27386 + } else {
27387 + mask = (u32)PCI_BASE_ADDRESS_MEM_MASK;
27388 + new |= res->flags & ~PCI_BASE_ADDRESS_MEM_MASK;
27389 +diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
27390 +index 18ee2089df4a..db43f8b34e2a 100644
27391 +--- a/drivers/pinctrl/core.c
27392 ++++ b/drivers/pinctrl/core.c
27393 +@@ -977,19 +977,16 @@ struct pinctrl_state *pinctrl_lookup_state(struct pinctrl *p,
27394 + EXPORT_SYMBOL_GPL(pinctrl_lookup_state);
27395 +
27396 + /**
27397 +- * pinctrl_select_state() - select/activate/program a pinctrl state to HW
27398 ++ * pinctrl_commit_state() - select/activate/program a pinctrl state to HW
27399 + * @p: the pinctrl handle for the device that requests configuration
27400 + * @state: the state handle to select/activate/program
27401 + */
27402 +-int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
27403 ++static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state)
27404 + {
27405 + struct pinctrl_setting *setting, *setting2;
27406 + struct pinctrl_state *old_state = p->state;
27407 + int ret;
27408 +
27409 +- if (p->state == state)
27410 +- return 0;
27411 +-
27412 + if (p->state) {
27413 + /*
27414 + * For each pinmux setting in the old state, forget SW's record
27415 +@@ -1053,6 +1050,19 @@ unapply_new_state:
27416 +
27417 + return ret;
27418 + }
27419 ++
27420 ++/**
27421 ++ * pinctrl_select_state() - select/activate/program a pinctrl state to HW
27422 ++ * @p: the pinctrl handle for the device that requests configuration
27423 ++ * @state: the state handle to select/activate/program
27424 ++ */
27425 ++int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state)
27426 ++{
27427 ++ if (p->state == state)
27428 ++ return 0;
27429 ++
27430 ++ return pinctrl_commit_state(p, state);
27431 ++}
27432 + EXPORT_SYMBOL_GPL(pinctrl_select_state);
27433 +
27434 + static void devm_pinctrl_release(struct device *dev, void *res)
27435 +@@ -1221,7 +1231,7 @@ void pinctrl_unregister_map(struct pinctrl_map const *map)
27436 + int pinctrl_force_sleep(struct pinctrl_dev *pctldev)
27437 + {
27438 + if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_sleep))
27439 +- return pinctrl_select_state(pctldev->p, pctldev->hog_sleep);
27440 ++ return pinctrl_commit_state(pctldev->p, pctldev->hog_sleep);
27441 + return 0;
27442 + }
27443 + EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
27444 +@@ -1233,7 +1243,7 @@ EXPORT_SYMBOL_GPL(pinctrl_force_sleep);
27445 + int pinctrl_force_default(struct pinctrl_dev *pctldev)
27446 + {
27447 + if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_default))
27448 +- return pinctrl_select_state(pctldev->p, pctldev->hog_default);
27449 ++ return pinctrl_commit_state(pctldev->p, pctldev->hog_default);
27450 + return 0;
27451 + }
27452 + EXPORT_SYMBOL_GPL(pinctrl_force_default);
27453 +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
27454 +index abdaed34c728..5ea4c5a72a66 100644
27455 +--- a/drivers/platform/x86/asus-nb-wmi.c
27456 ++++ b/drivers/platform/x86/asus-nb-wmi.c
27457 +@@ -99,6 +99,15 @@ static const struct dmi_system_id asus_quirks[] = {
27458 + */
27459 + .driver_data = &quirk_asus_wapf4,
27460 + },
27461 ++ {
27462 ++ .callback = dmi_matched,
27463 ++ .ident = "ASUSTeK COMPUTER INC. X302UA",
27464 ++ .matches = {
27465 ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
27466 ++ DMI_MATCH(DMI_PRODUCT_NAME, "X302UA"),
27467 ++ },
27468 ++ .driver_data = &quirk_asus_wapf4,
27469 ++ },
27470 + {
27471 + .callback = dmi_matched,
27472 + .ident = "ASUSTeK COMPUTER INC. X401U",
27473 +diff --git a/drivers/power/pda_power.c b/drivers/power/pda_power.c
27474 +index dfe1ee89f7c7..922a86787c5c 100644
27475 +--- a/drivers/power/pda_power.c
27476 ++++ b/drivers/power/pda_power.c
27477 +@@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags(struct resource *res)
27478 + static struct device *dev;
27479 + static struct pda_power_pdata *pdata;
27480 + static struct resource *ac_irq, *usb_irq;
27481 +-static struct timer_list charger_timer;
27482 +-static struct timer_list supply_timer;
27483 +-static struct timer_list polling_timer;
27484 ++static struct delayed_work charger_work;
27485 ++static struct delayed_work polling_work;
27486 ++static struct delayed_work supply_work;
27487 + static int polling;
27488 + static struct power_supply *pda_psy_ac, *pda_psy_usb;
27489 +
27490 +@@ -140,7 +140,7 @@ static void update_charger(void)
27491 + }
27492 + }
27493 +
27494 +-static void supply_timer_func(unsigned long unused)
27495 ++static void supply_work_func(struct work_struct *work)
27496 + {
27497 + if (ac_status == PDA_PSY_TO_CHANGE) {
27498 + ac_status = new_ac_status;
27499 +@@ -161,11 +161,12 @@ static void psy_changed(void)
27500 + * Okay, charger set. Now wait a bit before notifying supplicants,
27501 + * charge power should stabilize.
27502 + */
27503 +- mod_timer(&supply_timer,
27504 +- jiffies + msecs_to_jiffies(pdata->wait_for_charger));
27505 ++ cancel_delayed_work(&supply_work);
27506 ++ schedule_delayed_work(&supply_work,
27507 ++ msecs_to_jiffies(pdata->wait_for_charger));
27508 + }
27509 +
27510 +-static void charger_timer_func(unsigned long unused)
27511 ++static void charger_work_func(struct work_struct *work)
27512 + {
27513 + update_status();
27514 + psy_changed();
27515 +@@ -184,13 +185,14 @@ static irqreturn_t power_changed_isr(int irq, void *power_supply)
27516 + * Wait a bit before reading ac/usb line status and setting charger,
27517 + * because ac/usb status readings may lag from irq.
27518 + */
27519 +- mod_timer(&charger_timer,
27520 +- jiffies + msecs_to_jiffies(pdata->wait_for_status));
27521 ++ cancel_delayed_work(&charger_work);
27522 ++ schedule_delayed_work(&charger_work,
27523 ++ msecs_to_jiffies(pdata->wait_for_status));
27524 +
27525 + return IRQ_HANDLED;
27526 + }
27527 +
27528 +-static void polling_timer_func(unsigned long unused)
27529 ++static void polling_work_func(struct work_struct *work)
27530 + {
27531 + int changed = 0;
27532 +
27533 +@@ -211,8 +213,9 @@ static void polling_timer_func(unsigned long unused)
27534 + if (changed)
27535 + psy_changed();
27536 +
27537 +- mod_timer(&polling_timer,
27538 +- jiffies + msecs_to_jiffies(pdata->polling_interval));
27539 ++ cancel_delayed_work(&polling_work);
27540 ++ schedule_delayed_work(&polling_work,
27541 ++ msecs_to_jiffies(pdata->polling_interval));
27542 + }
27543 +
27544 + #if IS_ENABLED(CONFIG_USB_PHY)
27545 +@@ -250,8 +253,9 @@ static int otg_handle_notification(struct notifier_block *nb,
27546 + * Wait a bit before reading ac/usb line status and setting charger,
27547 + * because ac/usb status readings may lag from irq.
27548 + */
27549 +- mod_timer(&charger_timer,
27550 +- jiffies + msecs_to_jiffies(pdata->wait_for_status));
27551 ++ cancel_delayed_work(&charger_work);
27552 ++ schedule_delayed_work(&charger_work,
27553 ++ msecs_to_jiffies(pdata->wait_for_status));
27554 +
27555 + return NOTIFY_OK;
27556 + }
27557 +@@ -300,8 +304,8 @@ static int pda_power_probe(struct platform_device *pdev)
27558 + if (!pdata->ac_max_uA)
27559 + pdata->ac_max_uA = 500000;
27560 +
27561 +- setup_timer(&charger_timer, charger_timer_func, 0);
27562 +- setup_timer(&supply_timer, supply_timer_func, 0);
27563 ++ INIT_DELAYED_WORK(&charger_work, charger_work_func);
27564 ++ INIT_DELAYED_WORK(&supply_work, supply_work_func);
27565 +
27566 + ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac");
27567 + usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb");
27568 +@@ -385,9 +389,10 @@ static int pda_power_probe(struct platform_device *pdev)
27569 +
27570 + if (polling) {
27571 + dev_dbg(dev, "will poll for status\n");
27572 +- setup_timer(&polling_timer, polling_timer_func, 0);
27573 +- mod_timer(&polling_timer,
27574 +- jiffies + msecs_to_jiffies(pdata->polling_interval));
27575 ++ INIT_DELAYED_WORK(&polling_work, polling_work_func);
27576 ++ cancel_delayed_work(&polling_work);
27577 ++ schedule_delayed_work(&polling_work,
27578 ++ msecs_to_jiffies(pdata->polling_interval));
27579 + }
27580 +
27581 + if (ac_irq || usb_irq)
27582 +@@ -433,9 +438,9 @@ static int pda_power_remove(struct platform_device *pdev)
27583 + free_irq(ac_irq->start, pda_psy_ac);
27584 +
27585 + if (polling)
27586 +- del_timer_sync(&polling_timer);
27587 +- del_timer_sync(&charger_timer);
27588 +- del_timer_sync(&supply_timer);
27589 ++ cancel_delayed_work_sync(&polling_work);
27590 ++ cancel_delayed_work_sync(&charger_work);
27591 ++ cancel_delayed_work_sync(&supply_work);
27592 +
27593 + if (pdata->is_usb_online)
27594 + power_supply_unregister(pda_psy_usb);
27595 +diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
27596 +index 84419af16f77..fd12ccc11e26 100644
27597 +--- a/drivers/powercap/powercap_sys.c
27598 ++++ b/drivers/powercap/powercap_sys.c
27599 +@@ -538,6 +538,7 @@ struct powercap_zone *powercap_register_zone(
27600 +
27601 + power_zone->id = result;
27602 + idr_init(&power_zone->idr);
27603 ++ result = -ENOMEM;
27604 + power_zone->name = kstrdup(name, GFP_KERNEL);
27605 + if (!power_zone->name)
27606 + goto err_name_alloc;
27607 +diff --git a/drivers/pwm/pwm-tegra.c b/drivers/pwm/pwm-tegra.c
27608 +index cabd7d8e05cc..3e07855bbea7 100644
27609 +--- a/drivers/pwm/pwm-tegra.c
27610 ++++ b/drivers/pwm/pwm-tegra.c
27611 +@@ -69,6 +69,7 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
27612 + struct tegra_pwm_chip *pc = to_tegra_pwm_chip(chip);
27613 + unsigned long long c;
27614 + unsigned long rate, hz;
27615 ++ unsigned long long ns100 = NSEC_PER_SEC;
27616 + u32 val = 0;
27617 + int err;
27618 +
27619 +@@ -87,9 +88,11 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
27620 + * cycles at the PWM clock rate will take period_ns nanoseconds.
27621 + */
27622 + rate = clk_get_rate(pc->clk) >> PWM_DUTY_WIDTH;
27623 +- hz = NSEC_PER_SEC / period_ns;
27624 +
27625 +- rate = (rate + (hz / 2)) / hz;
27626 ++ /* Consider precision in PWM_SCALE_WIDTH rate calculation */
27627 ++ ns100 *= 100;
27628 ++ hz = DIV_ROUND_CLOSEST_ULL(ns100, period_ns);
27629 ++ rate = DIV_ROUND_CLOSEST(rate * 100, hz);
27630 +
27631 + /*
27632 + * Since the actual PWM divider is the register's frequency divider
27633 +diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c
27634 +index 038da40e4038..f84c0506afd0 100644
27635 +--- a/drivers/rtc/interface.c
27636 ++++ b/drivers/rtc/interface.c
27637 +@@ -262,6 +262,13 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
27638 + missing = year;
27639 + }
27640 +
27641 ++ /* Can't proceed if alarm is still invalid after replacing
27642 ++ * missing fields.
27643 ++ */
27644 ++ err = rtc_valid_tm(&alarm->time);
27645 ++ if (err)
27646 ++ goto done;
27647 ++
27648 + /* with luck, no rollover is needed */
27649 + t_now = rtc_tm_to_time64(&now);
27650 + t_alm = rtc_tm_to_time64(&alarm->time);
27651 +@@ -313,9 +320,9 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm)
27652 + dev_warn(&rtc->dev, "alarm rollover not handled\n");
27653 + }
27654 +
27655 +-done:
27656 + err = rtc_valid_tm(&alarm->time);
27657 +
27658 ++done:
27659 + if (err) {
27660 + dev_warn(&rtc->dev, "invalid alarm value: %d-%d-%d %d:%d:%d\n",
27661 + alarm->time.tm_year + 1900, alarm->time.tm_mon + 1,
27662 +diff --git a/drivers/rtc/rtc-ds1374.c b/drivers/rtc/rtc-ds1374.c
27663 +index 167783fa7ac1..216ad22996b8 100644
27664 +--- a/drivers/rtc/rtc-ds1374.c
27665 ++++ b/drivers/rtc/rtc-ds1374.c
27666 +@@ -527,6 +527,10 @@ static long ds1374_wdt_ioctl(struct file *file, unsigned int cmd,
27667 + if (get_user(new_margin, (int __user *)arg))
27668 + return -EFAULT;
27669 +
27670 ++ /* the hardware's tick rate is 4096 Hz, so
27671 ++ * the counter value needs to be scaled accordingly
27672 ++ */
27673 ++ new_margin <<= 12;
27674 + if (new_margin < 1 || new_margin > 16777216)
27675 + return -EINVAL;
27676 +
27677 +@@ -535,7 +539,8 @@ static long ds1374_wdt_ioctl(struct file *file, unsigned int cmd,
27678 + ds1374_wdt_ping();
27679 + /* fallthrough */
27680 + case WDIOC_GETTIMEOUT:
27681 +- return put_user(wdt_margin, (int __user *)arg);
27682 ++ /* when returning ... inverse is true */
27683 ++ return put_user((wdt_margin >> 12), (int __user *)arg);
27684 + case WDIOC_SETOPTIONS:
27685 + if (copy_from_user(&options, (int __user *)arg, sizeof(int)))
27686 + return -EFAULT;
27687 +@@ -543,14 +548,15 @@ static long ds1374_wdt_ioctl(struct file *file, unsigned int cmd,
27688 + if (options & WDIOS_DISABLECARD) {
27689 + pr_info("disable watchdog\n");
27690 + ds1374_wdt_disable();
27691 ++ return 0;
27692 + }
27693 +
27694 + if (options & WDIOS_ENABLECARD) {
27695 + pr_info("enable watchdog\n");
27696 + ds1374_wdt_settimeout(wdt_margin);
27697 + ds1374_wdt_ping();
27698 ++ return 0;
27699 + }
27700 +-
27701 + return -EINVAL;
27702 + }
27703 + return -ENOTTY;
27704 +diff --git a/drivers/rtc/rtc-opal.c b/drivers/rtc/rtc-opal.c
27705 +index 482af0dda0b0..ff217034f6d6 100644
27706 +--- a/drivers/rtc/rtc-opal.c
27707 ++++ b/drivers/rtc/rtc-opal.c
27708 +@@ -150,6 +150,16 @@ static int opal_get_tpo_time(struct device *dev, struct rtc_wkalrm *alarm)
27709 +
27710 + y_m_d = be32_to_cpu(__y_m_d);
27711 + h_m_s_ms = ((u64)be32_to_cpu(__h_m) << 32);
27712 ++
27713 ++ /* check if no alarm is set */
27714 ++ if (y_m_d == 0 && h_m_s_ms == 0) {
27715 ++ pr_debug("No alarm is set\n");
27716 ++ rc = -ENOENT;
27717 ++ goto exit;
27718 ++ } else {
27719 ++ pr_debug("Alarm set to %x %llx\n", y_m_d, h_m_s_ms);
27720 ++ }
27721 ++
27722 + opal_to_tm(y_m_d, h_m_s_ms, &alarm->time);
27723 +
27724 + exit:
27725 +diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c
27726 +index e3bf885f4a6c..d5f02c3da878 100644
27727 +--- a/drivers/s390/cio/chsc.c
27728 ++++ b/drivers/s390/cio/chsc.c
27729 +@@ -362,6 +362,7 @@ static void chsc_process_sei_link_incident(struct chsc_sei_nt0_area *sei_area)
27730 +
27731 + static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area)
27732 + {
27733 ++ struct channel_path *chp;
27734 + struct chp_link link;
27735 + struct chp_id chpid;
27736 + int status;
27737 +@@ -374,10 +375,17 @@ static void chsc_process_sei_res_acc(struct chsc_sei_nt0_area *sei_area)
27738 + chpid.id = sei_area->rsid;
27739 + /* allocate a new channel path structure, if needed */
27740 + status = chp_get_status(chpid);
27741 +- if (status < 0)
27742 +- chp_new(chpid);
27743 +- else if (!status)
27744 ++ if (!status)
27745 + return;
27746 ++
27747 ++ if (status < 0) {
27748 ++ chp_new(chpid);
27749 ++ } else {
27750 ++ chp = chpid_to_chp(chpid);
27751 ++ mutex_lock(&chp->lock);
27752 ++ chp_update_desc(chp);
27753 ++ mutex_unlock(&chp->lock);
27754 ++ }
27755 + memset(&link, 0, sizeof(struct chp_link));
27756 + link.chpid = chpid;
27757 + if ((sei_area->vf & 0xc0) != 0) {
27758 +diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
27759 +index 848e3b64ea6e..fb7298920c8c 100644
27760 +--- a/drivers/s390/cio/qdio_main.c
27761 ++++ b/drivers/s390/cio/qdio_main.c
27762 +@@ -126,7 +126,7 @@ static inline int qdio_check_ccq(struct qdio_q *q, unsigned int ccq)
27763 + static int qdio_do_eqbs(struct qdio_q *q, unsigned char *state,
27764 + int start, int count, int auto_ack)
27765 + {
27766 +- int rc, tmp_count = count, tmp_start = start, nr = q->nr, retried = 0;
27767 ++ int rc, tmp_count = count, tmp_start = start, nr = q->nr;
27768 + unsigned int ccq = 0;
27769 +
27770 + qperf_inc(q, eqbs);
27771 +@@ -149,14 +149,7 @@ again:
27772 + qperf_inc(q, eqbs_partial);
27773 + DBF_DEV_EVENT(DBF_WARN, q->irq_ptr, "EQBS part:%02x",
27774 + tmp_count);
27775 +- /*
27776 +- * Retry once, if that fails bail out and process the
27777 +- * extracted buffers before trying again.
27778 +- */
27779 +- if (!retried++)
27780 +- goto again;
27781 +- else
27782 +- return count - tmp_count;
27783 ++ return count - tmp_count;
27784 + }
27785 +
27786 + DBF_ERROR("%4x EQBS ERROR", SCH_NO(q));
27787 +@@ -212,7 +205,10 @@ again:
27788 + return 0;
27789 + }
27790 +
27791 +-/* returns number of examined buffers and their common state in *state */
27792 ++/*
27793 ++ * Returns number of examined buffers and their common state in *state.
27794 ++ * Requested number of buffers-to-examine must be > 0.
27795 ++ */
27796 + static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr,
27797 + unsigned char *state, unsigned int count,
27798 + int auto_ack, int merge_pending)
27799 +@@ -223,17 +219,23 @@ static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr,
27800 + if (is_qebsm(q))
27801 + return qdio_do_eqbs(q, state, bufnr, count, auto_ack);
27802 +
27803 +- for (i = 0; i < count; i++) {
27804 +- if (!__state) {
27805 +- __state = q->slsb.val[bufnr];
27806 +- if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
27807 +- __state = SLSB_P_OUTPUT_EMPTY;
27808 +- } else if (merge_pending) {
27809 +- if ((q->slsb.val[bufnr] & __state) != __state)
27810 +- break;
27811 +- } else if (q->slsb.val[bufnr] != __state)
27812 +- break;
27813 ++ /* get initial state: */
27814 ++ __state = q->slsb.val[bufnr];
27815 ++ if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
27816 ++ __state = SLSB_P_OUTPUT_EMPTY;
27817 ++
27818 ++ for (i = 1; i < count; i++) {
27819 + bufnr = next_buf(bufnr);
27820 ++
27821 ++ /* merge PENDING into EMPTY: */
27822 ++ if (merge_pending &&
27823 ++ q->slsb.val[bufnr] == SLSB_P_OUTPUT_PENDING &&
27824 ++ __state == SLSB_P_OUTPUT_EMPTY)
27825 ++ continue;
27826 ++
27827 ++ /* stop if next state differs from initial state: */
27828 ++ if (q->slsb.val[bufnr] != __state)
27829 ++ break;
27830 + }
27831 + *state = __state;
27832 + return i;
27833 +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
27834 +index 9e9964ca696b..81d23bbbd316 100644
27835 +--- a/drivers/s390/net/qeth_core_main.c
27836 ++++ b/drivers/s390/net/qeth_core_main.c
27837 +@@ -517,8 +517,7 @@ static inline int qeth_is_cq(struct qeth_card *card, unsigned int queue)
27838 + queue == card->qdio.no_in_queues - 1;
27839 + }
27840 +
27841 +-
27842 +-static int qeth_issue_next_read(struct qeth_card *card)
27843 ++static int __qeth_issue_next_read(struct qeth_card *card)
27844 + {
27845 + int rc;
27846 + struct qeth_cmd_buffer *iob;
27847 +@@ -549,6 +548,17 @@ static int qeth_issue_next_read(struct qeth_card *card)
27848 + return rc;
27849 + }
27850 +
27851 ++static int qeth_issue_next_read(struct qeth_card *card)
27852 ++{
27853 ++ int ret;
27854 ++
27855 ++ spin_lock_irq(get_ccwdev_lock(CARD_RDEV(card)));
27856 ++ ret = __qeth_issue_next_read(card);
27857 ++ spin_unlock_irq(get_ccwdev_lock(CARD_RDEV(card)));
27858 ++
27859 ++ return ret;
27860 ++}
27861 ++
27862 + static struct qeth_reply *qeth_alloc_reply(struct qeth_card *card)
27863 + {
27864 + struct qeth_reply *reply;
27865 +@@ -951,7 +961,7 @@ void qeth_clear_thread_running_bit(struct qeth_card *card, unsigned long thread)
27866 + spin_lock_irqsave(&card->thread_mask_lock, flags);
27867 + card->thread_running_mask &= ~thread;
27868 + spin_unlock_irqrestore(&card->thread_mask_lock, flags);
27869 +- wake_up(&card->wait_q);
27870 ++ wake_up_all(&card->wait_q);
27871 + }
27872 + EXPORT_SYMBOL_GPL(qeth_clear_thread_running_bit);
27873 +
27874 +@@ -1155,6 +1165,7 @@ static void qeth_irq(struct ccw_device *cdev, unsigned long intparm,
27875 + }
27876 + rc = qeth_get_problem(cdev, irb);
27877 + if (rc) {
27878 ++ card->read_or_write_problem = 1;
27879 + qeth_clear_ipacmd_list(card);
27880 + qeth_schedule_recovery(card);
27881 + goto out;
27882 +@@ -1173,7 +1184,7 @@ static void qeth_irq(struct ccw_device *cdev, unsigned long intparm,
27883 + return;
27884 + if (channel == &card->read &&
27885 + channel->state == CH_STATE_UP)
27886 +- qeth_issue_next_read(card);
27887 ++ __qeth_issue_next_read(card);
27888 +
27889 + iob = channel->iob;
27890 + index = channel->buf_no;
27891 +@@ -5017,8 +5028,6 @@ static void qeth_core_free_card(struct qeth_card *card)
27892 + QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *));
27893 + qeth_clean_channel(&card->read);
27894 + qeth_clean_channel(&card->write);
27895 +- if (card->dev)
27896 +- free_netdev(card->dev);
27897 + kfree(card->ip_tbd_list);
27898 + qeth_free_qdio_buffers(card);
27899 + unregister_service_level(&card->qeth_service_level);
27900 +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
27901 +index b0413f5611cf..3f79f83451ae 100644
27902 +--- a/drivers/s390/net/qeth_l2_main.c
27903 ++++ b/drivers/s390/net/qeth_l2_main.c
27904 +@@ -913,8 +913,8 @@ static void qeth_l2_remove_device(struct ccwgroup_device *cgdev)
27905 + qeth_l2_set_offline(cgdev);
27906 +
27907 + if (card->dev) {
27908 +- netif_napi_del(&card->napi);
27909 + unregister_netdev(card->dev);
27910 ++ free_netdev(card->dev);
27911 + card->dev = NULL;
27912 + }
27913 + return;
27914 +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
27915 +index 6dbf0d5a2a22..34c8a4d20498 100644
27916 +--- a/drivers/s390/net/qeth_l3_main.c
27917 ++++ b/drivers/s390/net/qeth_l3_main.c
27918 +@@ -3358,8 +3358,8 @@ static void qeth_l3_remove_device(struct ccwgroup_device *cgdev)
27919 + qeth_l3_set_offline(cgdev);
27920 +
27921 + if (card->dev) {
27922 +- netif_napi_del(&card->napi);
27923 + unregister_netdev(card->dev);
27924 ++ free_netdev(card->dev);
27925 + card->dev = NULL;
27926 + }
27927 +
27928 +diff --git a/drivers/scsi/bnx2fc/bnx2fc.h b/drivers/scsi/bnx2fc/bnx2fc.h
27929 +index 1346e052e03c..8009158a6639 100644
27930 +--- a/drivers/scsi/bnx2fc/bnx2fc.h
27931 ++++ b/drivers/scsi/bnx2fc/bnx2fc.h
27932 +@@ -191,6 +191,7 @@ struct bnx2fc_hba {
27933 + struct bnx2fc_cmd_mgr *cmd_mgr;
27934 + spinlock_t hba_lock;
27935 + struct mutex hba_mutex;
27936 ++ struct mutex hba_stats_mutex;
27937 + unsigned long adapter_state;
27938 + #define ADAPTER_STATE_UP 0
27939 + #define ADAPTER_STATE_GOING_DOWN 1
27940 +diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
27941 +index 98d06d151958..d477c687af55 100644
27942 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
27943 ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
27944 +@@ -641,15 +641,17 @@ static struct fc_host_statistics *bnx2fc_get_host_stats(struct Scsi_Host *shost)
27945 + if (!fw_stats)
27946 + return NULL;
27947 +
27948 ++ mutex_lock(&hba->hba_stats_mutex);
27949 ++
27950 + bnx2fc_stats = fc_get_host_stats(shost);
27951 +
27952 + init_completion(&hba->stat_req_done);
27953 + if (bnx2fc_send_stat_req(hba))
27954 +- return bnx2fc_stats;
27955 ++ goto unlock_stats_mutex;
27956 + rc = wait_for_completion_timeout(&hba->stat_req_done, (2 * HZ));
27957 + if (!rc) {
27958 + BNX2FC_HBA_DBG(lport, "FW stat req timed out\n");
27959 +- return bnx2fc_stats;
27960 ++ goto unlock_stats_mutex;
27961 + }
27962 + BNX2FC_STATS(hba, rx_stat2, fc_crc_cnt);
27963 + bnx2fc_stats->invalid_crc_count += hba->bfw_stats.fc_crc_cnt;
27964 +@@ -671,6 +673,9 @@ static struct fc_host_statistics *bnx2fc_get_host_stats(struct Scsi_Host *shost)
27965 +
27966 + memcpy(&hba->prev_stats, hba->stats_buffer,
27967 + sizeof(struct fcoe_statistics_params));
27968 ++
27969 ++unlock_stats_mutex:
27970 ++ mutex_unlock(&hba->hba_stats_mutex);
27971 + return bnx2fc_stats;
27972 + }
27973 +
27974 +@@ -1303,6 +1308,7 @@ static struct bnx2fc_hba *bnx2fc_hba_create(struct cnic_dev *cnic)
27975 + }
27976 + spin_lock_init(&hba->hba_lock);
27977 + mutex_init(&hba->hba_mutex);
27978 ++ mutex_init(&hba->hba_stats_mutex);
27979 +
27980 + hba->cnic = cnic;
27981 +
27982 +diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c
27983 +index 2e66f34ebb79..13580192691f 100644
27984 +--- a/drivers/scsi/csiostor/csio_hw.c
27985 ++++ b/drivers/scsi/csiostor/csio_hw.c
27986 +@@ -1769,7 +1769,6 @@ csio_hw_use_fwconfig(struct csio_hw *hw, int reset, u32 *fw_cfg_param)
27987 + goto bye;
27988 + }
27989 +
27990 +- mempool_free(mbp, hw->mb_mempool);
27991 + if (finicsum != cfcsum) {
27992 + csio_warn(hw,
27993 + "Config File checksum mismatch: csum=%#x, computed=%#x\n",
27994 +@@ -1780,6 +1779,10 @@ csio_hw_use_fwconfig(struct csio_hw *hw, int reset, u32 *fw_cfg_param)
27995 + rv = csio_hw_validate_caps(hw, mbp);
27996 + if (rv != 0)
27997 + goto bye;
27998 ++
27999 ++ mempool_free(mbp, hw->mb_mempool);
28000 ++ mbp = NULL;
28001 ++
28002 + /*
28003 + * Note that we're operating with parameters
28004 + * not supplied by the driver, rather than from hard-wired
28005 +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
28006 +index cd52c070701b..3a9648d7f441 100644
28007 +--- a/drivers/scsi/ipr.c
28008 ++++ b/drivers/scsi/ipr.c
28009 +@@ -835,8 +835,10 @@ static void ipr_sata_eh_done(struct ipr_cmnd *ipr_cmd)
28010 +
28011 + qc->err_mask |= AC_ERR_OTHER;
28012 + sata_port->ioasa.status |= ATA_BUSY;
28013 +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
28014 + ata_qc_complete(qc);
28015 ++ if (ipr_cmd->eh_comp)
28016 ++ complete(ipr_cmd->eh_comp);
28017 ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
28018 + }
28019 +
28020 + /**
28021 +@@ -5859,8 +5861,10 @@ static void ipr_erp_done(struct ipr_cmnd *ipr_cmd)
28022 + res->in_erp = 0;
28023 + }
28024 + scsi_dma_unmap(ipr_cmd->scsi_cmd);
28025 +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
28026 + scsi_cmd->scsi_done(scsi_cmd);
28027 ++ if (ipr_cmd->eh_comp)
28028 ++ complete(ipr_cmd->eh_comp);
28029 ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
28030 + }
28031 +
28032 + /**
28033 +@@ -6250,8 +6254,10 @@ static void ipr_erp_start(struct ipr_ioa_cfg *ioa_cfg,
28034 + }
28035 +
28036 + scsi_dma_unmap(ipr_cmd->scsi_cmd);
28037 +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
28038 + scsi_cmd->scsi_done(scsi_cmd);
28039 ++ if (ipr_cmd->eh_comp)
28040 ++ complete(ipr_cmd->eh_comp);
28041 ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
28042 + }
28043 +
28044 + /**
28045 +@@ -6277,8 +6283,10 @@ static void ipr_scsi_done(struct ipr_cmnd *ipr_cmd)
28046 + scsi_dma_unmap(scsi_cmd);
28047 +
28048 + spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags);
28049 +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
28050 + scsi_cmd->scsi_done(scsi_cmd);
28051 ++ if (ipr_cmd->eh_comp)
28052 ++ complete(ipr_cmd->eh_comp);
28053 ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q);
28054 + spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags);
28055 + } else {
28056 + spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags);
28057 +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
28058 +index 8826110991eb..e14bfcd37692 100644
28059 +--- a/drivers/scsi/libiscsi.c
28060 ++++ b/drivers/scsi/libiscsi.c
28061 +@@ -1695,6 +1695,15 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc)
28062 + */
28063 + switch (session->state) {
28064 + case ISCSI_STATE_FAILED:
28065 ++ /*
28066 ++ * cmds should fail during shutdown, if the session
28067 ++ * state is bad, allowing completion to happen
28068 ++ */
28069 ++ if (unlikely(system_state != SYSTEM_RUNNING)) {
28070 ++ reason = FAILURE_SESSION_FAILED;
28071 ++ sc->result = DID_NO_CONNECT << 16;
28072 ++ break;
28073 ++ }
28074 + case ISCSI_STATE_IN_RECOVERY:
28075 + reason = FAILURE_SESSION_IN_RECOVERY;
28076 + sc->result = DID_IMM_RETRY << 16;
28077 +@@ -1979,6 +1988,19 @@ static enum blk_eh_timer_return iscsi_eh_cmd_timed_out(struct scsi_cmnd *sc)
28078 + }
28079 +
28080 + if (session->state != ISCSI_STATE_LOGGED_IN) {
28081 ++ /*
28082 ++ * During shutdown, if session is prematurely disconnected,
28083 ++ * recovery won't happen and there will be hung cmds. Not
28084 ++ * handling cmds would trigger EH, also bad in this case.
28085 ++ * Instead, handle cmd, allow completion to happen and let
28086 ++ * upper layer to deal with the result.
28087 ++ */
28088 ++ if (unlikely(system_state != SYSTEM_RUNNING)) {
28089 ++ sc->result = DID_NO_CONNECT << 16;
28090 ++ ISCSI_DBG_EH(session, "sc on shutdown, handled\n");
28091 ++ rc = BLK_EH_HANDLED;
28092 ++ goto done;
28093 ++ }
28094 + /*
28095 + * We are probably in the middle of iscsi recovery so let
28096 + * that complete and handle the error.
28097 +@@ -2083,7 +2105,7 @@ done:
28098 + task->last_timeout = jiffies;
28099 + spin_unlock(&session->frwd_lock);
28100 + ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ?
28101 +- "timer reset" : "nh");
28102 ++ "timer reset" : "shutdown or nh");
28103 + return rc;
28104 + }
28105 +
28106 +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
28107 +index 022bb6e10d98..12886f96b286 100644
28108 +--- a/drivers/scsi/libsas/sas_expander.c
28109 ++++ b/drivers/scsi/libsas/sas_expander.c
28110 +@@ -282,6 +282,7 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, void *rsp)
28111 + phy->phy->minimum_linkrate = dr->pmin_linkrate;
28112 + phy->phy->maximum_linkrate = dr->pmax_linkrate;
28113 + phy->phy->negotiated_linkrate = phy->linkrate;
28114 ++ phy->phy->enabled = (phy->linkrate != SAS_PHY_DISABLED);
28115 +
28116 + skip:
28117 + if (new_phy)
28118 +@@ -675,7 +676,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy)
28119 + res = smp_execute_task(dev, req, RPEL_REQ_SIZE,
28120 + resp, RPEL_RESP_SIZE);
28121 +
28122 +- if (!res)
28123 ++ if (res)
28124 + goto out;
28125 +
28126 + phy->invalid_dword_count = scsi_to_u32(&resp[12]);
28127 +@@ -684,6 +685,7 @@ int sas_smp_get_phy_events(struct sas_phy *phy)
28128 + phy->phy_reset_problem_count = scsi_to_u32(&resp[24]);
28129 +
28130 + out:
28131 ++ kfree(req);
28132 + kfree(resp);
28133 + return res;
28134 +
28135 +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
28136 +index 625e3ee877ee..570332956ae7 100644
28137 +--- a/drivers/scsi/lpfc/lpfc_sli.c
28138 ++++ b/drivers/scsi/lpfc/lpfc_sli.c
28139 +@@ -13517,6 +13517,9 @@ lpfc_wq_create(struct lpfc_hba *phba, struct lpfc_queue *wq,
28140 + case LPFC_Q_CREATE_VERSION_1:
28141 + bf_set(lpfc_mbx_wq_create_wqe_count, &wq_create->u.request_1,
28142 + wq->entry_count);
28143 ++ bf_set(lpfc_mbox_hdr_version, &shdr->request,
28144 ++ LPFC_Q_CREATE_VERSION_1);
28145 ++
28146 + switch (wq->entry_size) {
28147 + default:
28148 + case 64:
28149 +diff --git a/drivers/scsi/mac_esp.c b/drivers/scsi/mac_esp.c
28150 +index 14c0334f41e4..26c67c42985c 100644
28151 +--- a/drivers/scsi/mac_esp.c
28152 ++++ b/drivers/scsi/mac_esp.c
28153 +@@ -55,6 +55,7 @@ struct mac_esp_priv {
28154 + int error;
28155 + };
28156 + static struct esp *esp_chips[2];
28157 ++static DEFINE_SPINLOCK(esp_chips_lock);
28158 +
28159 + #define MAC_ESP_GET_PRIV(esp) ((struct mac_esp_priv *) \
28160 + platform_get_drvdata((struct platform_device *) \
28161 +@@ -562,15 +563,18 @@ static int esp_mac_probe(struct platform_device *dev)
28162 + }
28163 +
28164 + host->irq = IRQ_MAC_SCSI;
28165 +- esp_chips[dev->id] = esp;
28166 +- mb();
28167 +- if (esp_chips[!dev->id] == NULL) {
28168 +- err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL);
28169 +- if (err < 0) {
28170 +- esp_chips[dev->id] = NULL;
28171 +- goto fail_free_priv;
28172 +- }
28173 ++
28174 ++ /* The request_irq() call is intended to succeed for the first device
28175 ++ * and fail for the second device.
28176 ++ */
28177 ++ err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL);
28178 ++ spin_lock(&esp_chips_lock);
28179 ++ if (err < 0 && esp_chips[!dev->id] == NULL) {
28180 ++ spin_unlock(&esp_chips_lock);
28181 ++ goto fail_free_priv;
28182 + }
28183 ++ esp_chips[dev->id] = esp;
28184 ++ spin_unlock(&esp_chips_lock);
28185 +
28186 + err = scsi_esp_register(esp, &dev->dev);
28187 + if (err)
28188 +@@ -579,8 +583,13 @@ static int esp_mac_probe(struct platform_device *dev)
28189 + return 0;
28190 +
28191 + fail_free_irq:
28192 +- if (esp_chips[!dev->id] == NULL)
28193 ++ spin_lock(&esp_chips_lock);
28194 ++ esp_chips[dev->id] = NULL;
28195 ++ if (esp_chips[!dev->id] == NULL) {
28196 ++ spin_unlock(&esp_chips_lock);
28197 + free_irq(host->irq, esp);
28198 ++ } else
28199 ++ spin_unlock(&esp_chips_lock);
28200 + fail_free_priv:
28201 + kfree(mep);
28202 + fail_free_command_block:
28203 +@@ -599,9 +608,13 @@ static int esp_mac_remove(struct platform_device *dev)
28204 +
28205 + scsi_esp_unregister(esp);
28206 +
28207 ++ spin_lock(&esp_chips_lock);
28208 + esp_chips[dev->id] = NULL;
28209 +- if (!(esp_chips[0] || esp_chips[1]))
28210 ++ if (esp_chips[!dev->id] == NULL) {
28211 ++ spin_unlock(&esp_chips_lock);
28212 + free_irq(irq, NULL);
28213 ++ } else
28214 ++ spin_unlock(&esp_chips_lock);
28215 +
28216 + kfree(mep);
28217 +
28218 +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
28219 +index 55df57341858..17c12263dbd1 100644
28220 +--- a/drivers/scsi/scsi_devinfo.c
28221 ++++ b/drivers/scsi/scsi_devinfo.c
28222 +@@ -180,7 +180,7 @@ static struct {
28223 + {"HITACHI", "6586-", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
28224 + {"HITACHI", "6588-", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
28225 + {"HP", "A6189A", NULL, BLIST_SPARSELUN | BLIST_LARGELUN}, /* HP VA7400 */
28226 +- {"HP", "OPEN-", "*", BLIST_REPORTLUN2}, /* HP XP Arrays */
28227 ++ {"HP", "OPEN-", "*", BLIST_REPORTLUN2 | BLIST_TRY_VPD_PAGES}, /* HP XP Arrays */
28228 + {"HP", "NetRAID-4M", NULL, BLIST_FORCELUN},
28229 + {"HP", "HSV100", NULL, BLIST_REPORTLUN2 | BLIST_NOSTARTONADD},
28230 + {"HP", "C1557A", NULL, BLIST_FORCELUN},
28231 +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
28232 +index a678dd10905f..1977738cb0f5 100644
28233 +--- a/drivers/scsi/sd.c
28234 ++++ b/drivers/scsi/sd.c
28235 +@@ -1811,6 +1811,8 @@ sd_spinup_disk(struct scsi_disk *sdkp)
28236 + break; /* standby */
28237 + if (sshdr.asc == 4 && sshdr.ascq == 0xc)
28238 + break; /* unavailable */
28239 ++ if (sshdr.asc == 4 && sshdr.ascq == 0x1b)
28240 ++ break; /* sanitize in progress */
28241 + /*
28242 + * Issue command to spin up drive when not ready
28243 + */
28244 +diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
28245 +index dcb0d76d7312..2ecf9844eb2e 100644
28246 +--- a/drivers/scsi/ses.c
28247 ++++ b/drivers/scsi/ses.c
28248 +@@ -528,7 +528,6 @@ static void ses_enclosure_data_process(struct enclosure_device *edev,
28249 + ecomp = &edev->component[components++];
28250 +
28251 + if (!IS_ERR(ecomp)) {
28252 +- ses_get_power_status(edev, ecomp);
28253 + if (addl_desc_ptr)
28254 + ses_process_descriptor(
28255 + ecomp,
28256 +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
28257 +index 2589a75f0810..b03ca046c79f 100644
28258 +--- a/drivers/scsi/sg.c
28259 ++++ b/drivers/scsi/sg.c
28260 +@@ -535,6 +535,7 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
28261 + } else
28262 + count = (old_hdr->result == 0) ? 0 : -EIO;
28263 + sg_finish_rem_req(srp);
28264 ++ sg_remove_request(sfp, srp);
28265 + retval = count;
28266 + free_old_hdr:
28267 + kfree(old_hdr);
28268 +@@ -575,6 +576,7 @@ sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp)
28269 + }
28270 + err_out:
28271 + err2 = sg_finish_rem_req(srp);
28272 ++ sg_remove_request(sfp, srp);
28273 + return err ? : err2 ? : count;
28274 + }
28275 +
28276 +@@ -674,18 +676,14 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
28277 + * is a non-zero input_size, so emit a warning.
28278 + */
28279 + if (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV) {
28280 +- static char cmd[TASK_COMM_LEN];
28281 +- if (strcmp(current->comm, cmd)) {
28282 +- printk_ratelimited(KERN_WARNING
28283 +- "sg_write: data in/out %d/%d bytes "
28284 +- "for SCSI command 0x%x-- guessing "
28285 +- "data in;\n program %s not setting "
28286 +- "count and/or reply_len properly\n",
28287 +- old_hdr.reply_len - (int)SZ_SG_HEADER,
28288 +- input_size, (unsigned int) cmnd[0],
28289 +- current->comm);
28290 +- strcpy(cmd, current->comm);
28291 +- }
28292 ++ printk_ratelimited(KERN_WARNING
28293 ++ "sg_write: data in/out %d/%d bytes "
28294 ++ "for SCSI command 0x%x-- guessing "
28295 ++ "data in;\n program %s not setting "
28296 ++ "count and/or reply_len properly\n",
28297 ++ old_hdr.reply_len - (int)SZ_SG_HEADER,
28298 ++ input_size, (unsigned int) cmnd[0],
28299 ++ current->comm);
28300 + }
28301 + k = sg_common_write(sfp, srp, cmnd, sfp->timeout, blocking);
28302 + return (k < 0) ? k : count;
28303 +@@ -764,6 +762,35 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
28304 + return count;
28305 + }
28306 +
28307 ++static bool sg_is_valid_dxfer(sg_io_hdr_t *hp)
28308 ++{
28309 ++ switch (hp->dxfer_direction) {
28310 ++ case SG_DXFER_NONE:
28311 ++ if (hp->dxferp || hp->dxfer_len > 0)
28312 ++ return false;
28313 ++ return true;
28314 ++ case SG_DXFER_FROM_DEV:
28315 ++ /*
28316 ++ * for SG_DXFER_FROM_DEV we always set dxfer_len to > 0. dxferp
28317 ++ * can either be NULL or != NULL so there's no point in checking
28318 ++ * it either. So just return true.
28319 ++ */
28320 ++ return true;
28321 ++ case SG_DXFER_TO_DEV:
28322 ++ case SG_DXFER_TO_FROM_DEV:
28323 ++ if (!hp->dxferp || hp->dxfer_len == 0)
28324 ++ return false;
28325 ++ return true;
28326 ++ case SG_DXFER_UNKNOWN:
28327 ++ if ((!hp->dxferp && hp->dxfer_len) ||
28328 ++ (hp->dxferp && hp->dxfer_len == 0))
28329 ++ return false;
28330 ++ return true;
28331 ++ default:
28332 ++ return false;
28333 ++ }
28334 ++}
28335 ++
28336 + static int
28337 + sg_common_write(Sg_fd * sfp, Sg_request * srp,
28338 + unsigned char *cmnd, int timeout, int blocking)
28339 +@@ -784,17 +811,22 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
28340 + "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n",
28341 + (int) cmnd[0], (int) hp->cmd_len));
28342 +
28343 ++ if (!sg_is_valid_dxfer(hp))
28344 ++ return -EINVAL;
28345 ++
28346 + k = sg_start_req(srp, cmnd);
28347 + if (k) {
28348 + SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp,
28349 + "sg_common_write: start_req err=%d\n", k));
28350 + sg_finish_rem_req(srp);
28351 ++ sg_remove_request(sfp, srp);
28352 + return k; /* probably out of space --> ENOMEM */
28353 + }
28354 + if (atomic_read(&sdp->detaching)) {
28355 + if (srp->bio)
28356 + blk_end_request_all(srp->rq, -EIO);
28357 + sg_finish_rem_req(srp);
28358 ++ sg_remove_request(sfp, srp);
28359 + return -ENODEV;
28360 + }
28361 +
28362 +@@ -1284,6 +1316,7 @@ sg_rq_end_io_usercontext(struct work_struct *work)
28363 + struct sg_fd *sfp = srp->parentfp;
28364 +
28365 + sg_finish_rem_req(srp);
28366 ++ sg_remove_request(sfp, srp);
28367 + kref_put(&sfp->f_ref, sg_remove_sfp);
28368 + }
28369 +
28370 +@@ -1828,8 +1861,6 @@ sg_finish_rem_req(Sg_request *srp)
28371 + else
28372 + sg_remove_scat(sfp, req_schp);
28373 +
28374 +- sg_remove_request(sfp, srp);
28375 +-
28376 + return ret;
28377 + }
28378 +
28379 +@@ -2066,11 +2097,12 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
28380 + if ((1 == resp->done) && (!resp->sg_io_owned) &&
28381 + ((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
28382 + resp->done = 2; /* guard against other readers */
28383 +- break;
28384 ++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
28385 ++ return resp;
28386 + }
28387 + }
28388 + write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
28389 +- return resp;
28390 ++ return NULL;
28391 + }
28392 +
28393 + /* always adds to end of list */
28394 +@@ -2176,12 +2208,17 @@ sg_remove_sfp_usercontext(struct work_struct *work)
28395 + struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work);
28396 + struct sg_device *sdp = sfp->parentdp;
28397 + Sg_request *srp;
28398 ++ unsigned long iflags;
28399 +
28400 + /* Cleanup any responses which were never read(). */
28401 ++ write_lock_irqsave(&sfp->rq_list_lock, iflags);
28402 + while (!list_empty(&sfp->rq_list)) {
28403 + srp = list_first_entry(&sfp->rq_list, Sg_request, entry);
28404 + sg_finish_rem_req(srp);
28405 ++ list_del(&srp->entry);
28406 ++ srp->parentfp = NULL;
28407 + }
28408 ++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
28409 +
28410 + if (sfp->reserve.bufflen > 0) {
28411 + SCSI_LOG_TIMEOUT(6, sg_printk(KERN_INFO, sdp,
28412 +diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
28413 +index d836414c920d..ac2b06a7142e 100644
28414 +--- a/drivers/scsi/virtio_scsi.c
28415 ++++ b/drivers/scsi/virtio_scsi.c
28416 +@@ -28,6 +28,7 @@
28417 + #include <scsi/scsi_device.h>
28418 + #include <scsi/scsi_cmnd.h>
28419 + #include <scsi/scsi_tcq.h>
28420 ++#include <scsi/scsi_devinfo.h>
28421 + #include <linux/seqlock.h>
28422 +
28423 + #define VIRTIO_SCSI_MEMPOOL_SZ 64
28424 +@@ -699,6 +700,28 @@ static int virtscsi_device_reset(struct scsi_cmnd *sc)
28425 + return virtscsi_tmf(vscsi, cmd);
28426 + }
28427 +
28428 ++static int virtscsi_device_alloc(struct scsi_device *sdevice)
28429 ++{
28430 ++ /*
28431 ++ * Passed through SCSI targets (e.g. with qemu's 'scsi-block')
28432 ++ * may have transfer limits which come from the host SCSI
28433 ++ * controller or something on the host side other than the
28434 ++ * target itself.
28435 ++ *
28436 ++ * To make this work properly, the hypervisor can adjust the
28437 ++ * target's VPD information to advertise these limits. But
28438 ++ * for that to work, the guest has to look at the VPD pages,
28439 ++ * which we won't do by default if it is an SPC-2 device, even
28440 ++ * if it does actually support it.
28441 ++ *
28442 ++ * So, set the blist to always try to read the VPD pages.
28443 ++ */
28444 ++ sdevice->sdev_bflags = BLIST_TRY_VPD_PAGES;
28445 ++
28446 ++ return 0;
28447 ++}
28448 ++
28449 ++
28450 + /**
28451 + * virtscsi_change_queue_depth() - Change a virtscsi target's queue depth
28452 + * @sdev: Virtscsi target whose queue depth to change
28453 +@@ -770,6 +793,7 @@ static struct scsi_host_template virtscsi_host_template_single = {
28454 + .change_queue_depth = virtscsi_change_queue_depth,
28455 + .eh_abort_handler = virtscsi_abort,
28456 + .eh_device_reset_handler = virtscsi_device_reset,
28457 ++ .slave_alloc = virtscsi_device_alloc,
28458 +
28459 + .can_queue = 1024,
28460 + .dma_boundary = UINT_MAX,
28461 +@@ -790,6 +814,7 @@ static struct scsi_host_template virtscsi_host_template_multi = {
28462 + .eh_abort_handler = virtscsi_abort,
28463 + .eh_device_reset_handler = virtscsi_device_reset,
28464 +
28465 ++ .slave_alloc = virtscsi_device_alloc,
28466 + .can_queue = 1024,
28467 + .dma_boundary = UINT_MAX,
28468 + .use_clustering = ENABLE_CLUSTERING,
28469 +diff --git a/drivers/spi/spi-dw-mmio.c b/drivers/spi/spi-dw-mmio.c
28470 +index 7edede6e024b..d075ee4de8b5 100644
28471 +--- a/drivers/spi/spi-dw-mmio.c
28472 ++++ b/drivers/spi/spi-dw-mmio.c
28473 +@@ -121,8 +121,8 @@ static int dw_spi_mmio_remove(struct platform_device *pdev)
28474 + {
28475 + struct dw_spi_mmio *dwsmmio = platform_get_drvdata(pdev);
28476 +
28477 +- clk_disable_unprepare(dwsmmio->clk);
28478 + dw_spi_remove_host(&dwsmmio->dws);
28479 ++ clk_disable_unprepare(dwsmmio->clk);
28480 +
28481 + return 0;
28482 + }
28483 +diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
28484 +index d1a5b9fc3eba..f1c1d84f9268 100644
28485 +--- a/drivers/spi/spi-omap2-mcspi.c
28486 ++++ b/drivers/spi/spi-omap2-mcspi.c
28487 +@@ -436,6 +436,8 @@ omap2_mcspi_rx_dma(struct spi_device *spi, struct spi_transfer *xfer,
28488 + int elements = 0;
28489 + int word_len, element_count;
28490 + struct omap2_mcspi_cs *cs = spi->controller_state;
28491 ++ void __iomem *chstat_reg = cs->base + OMAP2_MCSPI_CHSTAT0;
28492 ++
28493 + mcspi = spi_master_get_devdata(spi->master);
28494 + mcspi_dma = &mcspi->dma_channels[spi->chip_select];
28495 + count = xfer->len;
28496 +@@ -496,8 +498,8 @@ omap2_mcspi_rx_dma(struct spi_device *spi, struct spi_transfer *xfer,
28497 + if (l & OMAP2_MCSPI_CHCONF_TURBO) {
28498 + elements--;
28499 +
28500 +- if (likely(mcspi_read_cs_reg(spi, OMAP2_MCSPI_CHSTAT0)
28501 +- & OMAP2_MCSPI_CHSTAT_RXS)) {
28502 ++ if (!mcspi_wait_for_reg_bit(chstat_reg,
28503 ++ OMAP2_MCSPI_CHSTAT_RXS)) {
28504 + u32 w;
28505 +
28506 + w = mcspi_read_cs_reg(spi, OMAP2_MCSPI_RX0);
28507 +@@ -515,8 +517,7 @@ omap2_mcspi_rx_dma(struct spi_device *spi, struct spi_transfer *xfer,
28508 + return count;
28509 + }
28510 + }
28511 +- if (likely(mcspi_read_cs_reg(spi, OMAP2_MCSPI_CHSTAT0)
28512 +- & OMAP2_MCSPI_CHSTAT_RXS)) {
28513 ++ if (!mcspi_wait_for_reg_bit(chstat_reg, OMAP2_MCSPI_CHSTAT_RXS)) {
28514 + u32 w;
28515 +
28516 + w = mcspi_read_cs_reg(spi, OMAP2_MCSPI_RX0);
28517 +diff --git a/drivers/spi/spi-sun6i.c b/drivers/spi/spi-sun6i.c
28518 +index e77add01b0e9..48888ab630c2 100644
28519 +--- a/drivers/spi/spi-sun6i.c
28520 ++++ b/drivers/spi/spi-sun6i.c
28521 +@@ -457,7 +457,7 @@ err_free_master:
28522 +
28523 + static int sun6i_spi_remove(struct platform_device *pdev)
28524 + {
28525 +- pm_runtime_disable(&pdev->dev);
28526 ++ pm_runtime_force_suspend(&pdev->dev);
28527 +
28528 + return 0;
28529 + }
28530 +diff --git a/drivers/staging/speakup/kobjects.c b/drivers/staging/speakup/kobjects.c
28531 +index 0211df60004a..4bd93e584075 100644
28532 +--- a/drivers/staging/speakup/kobjects.c
28533 ++++ b/drivers/staging/speakup/kobjects.c
28534 +@@ -830,7 +830,9 @@ static ssize_t message_show(struct kobject *kobj,
28535 + struct msg_group_t *group = spk_find_msg_group(attr->attr.name);
28536 + unsigned long flags;
28537 +
28538 +- BUG_ON(!group);
28539 ++ if (WARN_ON(!group))
28540 ++ return -EINVAL;
28541 ++
28542 + spin_lock_irqsave(&speakup_info.spinlock, flags);
28543 + retval = message_show_helper(buf, group->start, group->end);
28544 + spin_unlock_irqrestore(&speakup_info.spinlock, flags);
28545 +@@ -842,7 +844,9 @@ static ssize_t message_store(struct kobject *kobj, struct kobj_attribute *attr,
28546 + {
28547 + struct msg_group_t *group = spk_find_msg_group(attr->attr.name);
28548 +
28549 +- BUG_ON(!group);
28550 ++ if (WARN_ON(!group))
28551 ++ return -EINVAL;
28552 ++
28553 + return message_store_helper(buf, count, group);
28554 + }
28555 +
28556 +diff --git a/drivers/staging/wlan-ng/prism2mgmt.c b/drivers/staging/wlan-ng/prism2mgmt.c
28557 +index 013a6240f193..c1ad0aea23b9 100644
28558 +--- a/drivers/staging/wlan-ng/prism2mgmt.c
28559 ++++ b/drivers/staging/wlan-ng/prism2mgmt.c
28560 +@@ -169,7 +169,7 @@ int prism2mgmt_scan(wlandevice_t *wlandev, void *msgp)
28561 + hw->ident_sta_fw.variant) >
28562 + HFA384x_FIRMWARE_VERSION(1, 5, 0)) {
28563 + if (msg->scantype.data != P80211ENUM_scantype_active)
28564 +- word = cpu_to_le16(msg->maxchanneltime.data);
28565 ++ word = msg->maxchanneltime.data;
28566 + else
28567 + word = 0;
28568 +
28569 +diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c
28570 +index c68fe1222c16..5f3c4f45ab65 100644
28571 +--- a/drivers/thunderbolt/nhi.c
28572 ++++ b/drivers/thunderbolt/nhi.c
28573 +@@ -627,6 +627,7 @@ static const struct dev_pm_ops nhi_pm_ops = {
28574 + * we just disable hotplug, the
28575 + * pci-tunnels stay alive.
28576 + */
28577 ++ .thaw_noirq = nhi_resume_noirq,
28578 + .restore_noirq = nhi_resume_noirq,
28579 + };
28580 +
28581 +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
28582 +index 2ec337612a79..c41dfe40fd23 100644
28583 +--- a/drivers/tty/n_gsm.c
28584 ++++ b/drivers/tty/n_gsm.c
28585 +@@ -137,6 +137,9 @@ struct gsm_dlci {
28586 + struct mutex mutex;
28587 +
28588 + /* Link layer */
28589 ++ int mode;
28590 ++#define DLCI_MODE_ABM 0 /* Normal Asynchronous Balanced Mode */
28591 ++#define DLCI_MODE_ADM 1 /* Asynchronous Disconnected Mode */
28592 + spinlock_t lock; /* Protects the internal state */
28593 + struct timer_list t1; /* Retransmit timer for SABM and UA */
28594 + int retries;
28595 +@@ -1380,7 +1383,13 @@ retry:
28596 + ctrl->data = data;
28597 + ctrl->len = clen;
28598 + gsm->pending_cmd = ctrl;
28599 +- gsm->cretries = gsm->n2;
28600 ++
28601 ++ /* If DLCI0 is in ADM mode skip retries, it won't respond */
28602 ++ if (gsm->dlci[0]->mode == DLCI_MODE_ADM)
28603 ++ gsm->cretries = 1;
28604 ++ else
28605 ++ gsm->cretries = gsm->n2;
28606 ++
28607 + mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
28608 + gsm_control_transmit(gsm, ctrl);
28609 + spin_unlock_irqrestore(&gsm->control_lock, flags);
28610 +@@ -1467,6 +1476,10 @@ static void gsm_dlci_open(struct gsm_dlci *dlci)
28611 + * in which case an opening port goes back to closed and a closing port
28612 + * is simply put into closed state (any further frames from the other
28613 + * end will get a DM response)
28614 ++ *
28615 ++ * Some control dlci can stay in ADM mode with other dlci working just
28616 ++ * fine. In that case we can just keep the control dlci open after the
28617 ++ * DLCI_OPENING retries time out.
28618 + */
28619 +
28620 + static void gsm_dlci_t1(unsigned long data)
28621 +@@ -1480,8 +1493,16 @@ static void gsm_dlci_t1(unsigned long data)
28622 + if (dlci->retries) {
28623 + gsm_command(dlci->gsm, dlci->addr, SABM|PF);
28624 + mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
28625 +- } else
28626 ++ } else if (!dlci->addr && gsm->control == (DM | PF)) {
28627 ++ if (debug & 8)
28628 ++ pr_info("DLCI %d opening in ADM mode.\n",
28629 ++ dlci->addr);
28630 ++ dlci->mode = DLCI_MODE_ADM;
28631 ++ gsm_dlci_open(dlci);
28632 ++ } else {
28633 + gsm_dlci_close(dlci);
28634 ++ }
28635 ++
28636 + break;
28637 + case DLCI_CLOSING:
28638 + dlci->retries--;
28639 +@@ -1499,8 +1520,8 @@ static void gsm_dlci_t1(unsigned long data)
28640 + * @dlci: DLCI to open
28641 + *
28642 + * Commence opening a DLCI from the Linux side. We issue SABM messages
28643 +- * to the modem which should then reply with a UA, at which point we
28644 +- * will move into open state. Opening is done asynchronously with retry
28645 ++ * to the modem which should then reply with a UA or ADM, at which point
28646 ++ * we will move into open state. Opening is done asynchronously with retry
28647 + * running off timers and the responses.
28648 + */
28649 +
28650 +@@ -2871,11 +2892,22 @@ static int gsmtty_modem_update(struct gsm_dlci *dlci, u8 brk)
28651 + static int gsm_carrier_raised(struct tty_port *port)
28652 + {
28653 + struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
28654 ++ struct gsm_mux *gsm = dlci->gsm;
28655 ++
28656 + /* Not yet open so no carrier info */
28657 + if (dlci->state != DLCI_OPEN)
28658 + return 0;
28659 + if (debug & 2)
28660 + return 1;
28661 ++
28662 ++ /*
28663 ++ * Basic mode with control channel in ADM mode may not respond
28664 ++ * to CMD_MSC at all and modem_rx is empty.
28665 ++ */
28666 ++ if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM &&
28667 ++ !dlci->modem_rx)
28668 ++ return 1;
28669 ++
28670 + return dlci->modem_rx & TIOCM_CD;
28671 + }
28672 +
28673 +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
28674 +index 66e257b5a5b7..4693a1d0151f 100644
28675 +--- a/drivers/tty/n_tty.c
28676 ++++ b/drivers/tty/n_tty.c
28677 +@@ -2259,6 +2259,12 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file,
28678 + }
28679 + if (tty_hung_up_p(file))
28680 + break;
28681 ++ /*
28682 ++ * Abort readers for ttys which never actually
28683 ++ * get hung up. See __tty_hangup().
28684 ++ */
28685 ++ if (test_bit(TTY_HUPPING, &tty->flags))
28686 ++ break;
28687 + if (!timeout)
28688 + break;
28689 + if (file->f_flags & O_NONBLOCK) {
28690 +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
28691 +index 531d76a276e4..89974a112cab 100644
28692 +--- a/drivers/tty/serial/8250/8250_omap.c
28693 ++++ b/drivers/tty/serial/8250/8250_omap.c
28694 +@@ -612,6 +612,10 @@ static int omap_8250_startup(struct uart_port *port)
28695 + up->lsr_saved_flags = 0;
28696 + up->msr_saved_flags = 0;
28697 +
28698 ++ /* Disable DMA for console UART */
28699 ++ if (uart_console(port))
28700 ++ up->dma = NULL;
28701 ++
28702 + if (up->dma) {
28703 + ret = serial8250_request_dma(up);
28704 + if (ret) {
28705 +diff --git a/drivers/tty/serial/sccnxp.c b/drivers/tty/serial/sccnxp.c
28706 +index fcf803ffad19..cdd2f942317c 100644
28707 +--- a/drivers/tty/serial/sccnxp.c
28708 ++++ b/drivers/tty/serial/sccnxp.c
28709 +@@ -884,14 +884,19 @@ static int sccnxp_probe(struct platform_device *pdev)
28710 +
28711 + clk = devm_clk_get(&pdev->dev, NULL);
28712 + if (IS_ERR(clk)) {
28713 +- if (PTR_ERR(clk) == -EPROBE_DEFER) {
28714 +- ret = -EPROBE_DEFER;
28715 ++ ret = PTR_ERR(clk);
28716 ++ if (ret == -EPROBE_DEFER)
28717 + goto err_out;
28718 +- }
28719 ++ uartclk = 0;
28720 ++ } else {
28721 ++ clk_prepare_enable(clk);
28722 ++ uartclk = clk_get_rate(clk);
28723 ++ }
28724 ++
28725 ++ if (!uartclk) {
28726 + dev_notice(&pdev->dev, "Using default clock frequency\n");
28727 + uartclk = s->chip->freq_std;
28728 +- } else
28729 +- uartclk = clk_get_rate(clk);
28730 ++ }
28731 +
28732 + /* Check input frequency */
28733 + if ((uartclk < s->chip->freq_min) || (uartclk > s->chip->freq_max)) {
28734 +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
28735 +index be96970646a9..152cd369ce84 100644
28736 +--- a/drivers/tty/tty_io.c
28737 ++++ b/drivers/tty/tty_io.c
28738 +@@ -690,6 +690,14 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session)
28739 + return;
28740 + }
28741 +
28742 ++ /*
28743 ++ * Some console devices aren't actually hung up for technical and
28744 ++ * historical reasons, which can lead to indefinite interruptible
28745 ++ * sleep in n_tty_read(). The following explicitly tells
28746 ++ * n_tty_read() to abort readers.
28747 ++ */
28748 ++ set_bit(TTY_HUPPING, &tty->flags);
28749 ++
28750 + /* inuse_filps is protected by the single tty lock,
28751 + this really needs to change if we want to flush the
28752 + workqueue with the lock held */
28753 +@@ -745,6 +753,7 @@ static void __tty_hangup(struct tty_struct *tty, int exit_session)
28754 + * can't yet guarantee all that.
28755 + */
28756 + set_bit(TTY_HUPPED, &tty->flags);
28757 ++ clear_bit(TTY_HUPPING, &tty->flags);
28758 + tty_unlock(tty);
28759 +
28760 + if (f)
28761 +@@ -3151,7 +3160,10 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
28762 +
28763 + kref_init(&tty->kref);
28764 + tty->magic = TTY_MAGIC;
28765 +- tty_ldisc_init(tty);
28766 ++ if (tty_ldisc_init(tty)) {
28767 ++ kfree(tty);
28768 ++ return NULL;
28769 ++ }
28770 + tty->session = NULL;
28771 + tty->pgrp = NULL;
28772 + mutex_init(&tty->legacy_mutex);
28773 +diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
28774 +index 3737f55272d2..f4cfe7ca7d6d 100644
28775 +--- a/drivers/tty/tty_ldisc.c
28776 ++++ b/drivers/tty/tty_ldisc.c
28777 +@@ -171,12 +171,11 @@ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc)
28778 + return ERR_CAST(ldops);
28779 + }
28780 +
28781 +- ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL);
28782 +- if (ld == NULL) {
28783 +- put_ldops(ldops);
28784 +- return ERR_PTR(-ENOMEM);
28785 +- }
28786 +-
28787 ++ /*
28788 ++ * There is no way to handle allocation failure of only 16 bytes.
28789 ++ * Let's simplify error handling and save more memory.
28790 ++ */
28791 ++ ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL | __GFP_NOFAIL);
28792 + ld->ops = ldops;
28793 + ld->tty = tty;
28794 +
28795 +@@ -800,12 +799,13 @@ void tty_ldisc_release(struct tty_struct *tty)
28796 + * the tty structure is not completely set up when this call is made.
28797 + */
28798 +
28799 +-void tty_ldisc_init(struct tty_struct *tty)
28800 ++int tty_ldisc_init(struct tty_struct *tty)
28801 + {
28802 + struct tty_ldisc *ld = tty_ldisc_get(tty, N_TTY);
28803 + if (IS_ERR(ld))
28804 +- panic("n_tty: init_tty");
28805 ++ return PTR_ERR(ld);
28806 + tty->ldisc = ld;
28807 ++ return 0;
28808 + }
28809 +
28810 + /**
28811 +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
28812 +index 50b67ff2b6ea..c989a6aa2561 100644
28813 +--- a/drivers/tty/vt/vt.c
28814 ++++ b/drivers/tty/vt/vt.c
28815 +@@ -1305,6 +1305,11 @@ static void csi_m(struct vc_data *vc)
28816 + case 3:
28817 + vc->vc_italic = 1;
28818 + break;
28819 ++ case 21:
28820 ++ /*
28821 ++ * No console drivers support double underline, so
28822 ++ * convert it to a single underline.
28823 ++ */
28824 + case 4:
28825 + vc->vc_underline = 1;
28826 + break;
28827 +@@ -1341,7 +1346,6 @@ static void csi_m(struct vc_data *vc)
28828 + vc->vc_disp_ctrl = 1;
28829 + vc->vc_toggle_meta = 1;
28830 + break;
28831 +- case 21:
28832 + case 22:
28833 + vc->vc_intensity = 1;
28834 + break;
28835 +@@ -1711,7 +1715,7 @@ static void reset_terminal(struct vc_data *vc, int do_clear)
28836 + default_attr(vc);
28837 + update_attr(vc);
28838 +
28839 +- vc->vc_tab_stop[0] = 0x01010100;
28840 ++ vc->vc_tab_stop[0] =
28841 + vc->vc_tab_stop[1] =
28842 + vc->vc_tab_stop[2] =
28843 + vc->vc_tab_stop[3] =
28844 +@@ -1754,7 +1758,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c)
28845 + vc->vc_pos -= (vc->vc_x << 1);
28846 + while (vc->vc_x < vc->vc_cols - 1) {
28847 + vc->vc_x++;
28848 +- if (vc->vc_tab_stop[vc->vc_x >> 5] & (1 << (vc->vc_x & 31)))
28849 ++ if (vc->vc_tab_stop[7 & (vc->vc_x >> 5)] & (1 << (vc->vc_x & 31)))
28850 + break;
28851 + }
28852 + vc->vc_pos += (vc->vc_x << 1);
28853 +@@ -1814,7 +1818,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c)
28854 + lf(vc);
28855 + return;
28856 + case 'H':
28857 +- vc->vc_tab_stop[vc->vc_x >> 5] |= (1 << (vc->vc_x & 31));
28858 ++ vc->vc_tab_stop[7 & (vc->vc_x >> 5)] |= (1 << (vc->vc_x & 31));
28859 + return;
28860 + case 'Z':
28861 + respond_ID(tty);
28862 +@@ -2007,7 +2011,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c)
28863 + return;
28864 + case 'g':
28865 + if (!vc->vc_par[0])
28866 +- vc->vc_tab_stop[vc->vc_x >> 5] &= ~(1 << (vc->vc_x & 31));
28867 ++ vc->vc_tab_stop[7 & (vc->vc_x >> 5)] &= ~(1 << (vc->vc_x & 31));
28868 + else if (vc->vc_par[0] == 3) {
28869 + vc->vc_tab_stop[0] =
28870 + vc->vc_tab_stop[1] =
28871 +diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
28872 +index 3ad48e1c0c57..f37a908b2884 100644
28873 +--- a/drivers/usb/chipidea/core.c
28874 ++++ b/drivers/usb/chipidea/core.c
28875 +@@ -656,7 +656,7 @@ static inline void ci_role_destroy(struct ci_hdrc *ci)
28876 + {
28877 + ci_hdrc_gadget_destroy(ci);
28878 + ci_hdrc_host_destroy(ci);
28879 +- if (ci->is_otg)
28880 ++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET])
28881 + ci_hdrc_otg_destroy(ci);
28882 + }
28883 +
28884 +@@ -755,27 +755,35 @@ static int ci_hdrc_probe(struct platform_device *pdev)
28885 + /* initialize role(s) before the interrupt is requested */
28886 + if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_HOST) {
28887 + ret = ci_hdrc_host_init(ci);
28888 +- if (ret)
28889 +- dev_info(dev, "doesn't support host\n");
28890 ++ if (ret) {
28891 ++ if (ret == -ENXIO)
28892 ++ dev_info(dev, "doesn't support host\n");
28893 ++ else
28894 ++ goto deinit_phy;
28895 ++ }
28896 + }
28897 +
28898 + if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_PERIPHERAL) {
28899 + ret = ci_hdrc_gadget_init(ci);
28900 +- if (ret)
28901 +- dev_info(dev, "doesn't support gadget\n");
28902 ++ if (ret) {
28903 ++ if (ret == -ENXIO)
28904 ++ dev_info(dev, "doesn't support gadget\n");
28905 ++ else
28906 ++ goto deinit_host;
28907 ++ }
28908 + }
28909 +
28910 + if (!ci->roles[CI_ROLE_HOST] && !ci->roles[CI_ROLE_GADGET]) {
28911 + dev_err(dev, "no supported roles\n");
28912 + ret = -ENODEV;
28913 +- goto deinit_phy;
28914 ++ goto deinit_gadget;
28915 + }
28916 +
28917 + if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) {
28918 + ret = ci_hdrc_otg_init(ci);
28919 + if (ret) {
28920 + dev_err(dev, "init otg fails, ret = %d\n", ret);
28921 +- goto stop;
28922 ++ goto deinit_gadget;
28923 + }
28924 + }
28925 +
28926 +@@ -835,7 +843,12 @@ static int ci_hdrc_probe(struct platform_device *pdev)
28927 + return 0;
28928 +
28929 + stop:
28930 +- ci_role_destroy(ci);
28931 ++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET])
28932 ++ ci_hdrc_otg_destroy(ci);
28933 ++deinit_gadget:
28934 ++ ci_hdrc_gadget_destroy(ci);
28935 ++deinit_host:
28936 ++ ci_hdrc_host_destroy(ci);
28937 + deinit_phy:
28938 + ci_usb_phy_exit(ci);
28939 +
28940 +diff --git a/drivers/usb/core/generic.c b/drivers/usb/core/generic.c
28941 +index 358ca8dd784f..a5240b4d7ab9 100644
28942 +--- a/drivers/usb/core/generic.c
28943 ++++ b/drivers/usb/core/generic.c
28944 +@@ -208,8 +208,13 @@ static int generic_suspend(struct usb_device *udev, pm_message_t msg)
28945 + if (!udev->parent)
28946 + rc = hcd_bus_suspend(udev, msg);
28947 +
28948 +- /* Non-root devices don't need to do anything for FREEZE or PRETHAW */
28949 +- else if (msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
28950 ++ /*
28951 ++ * Non-root USB2 devices don't need to do anything for FREEZE
28952 ++ * or PRETHAW. USB3 devices don't support global suspend and
28953 ++ * needs to be selectively suspended.
28954 ++ */
28955 ++ else if ((msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
28956 ++ && (udev->speed < USB_SPEED_SUPER))
28957 + rc = 0;
28958 + else
28959 + rc = usb_port_suspend(udev, msg);
28960 +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
28961 +index de0843cdeb9f..2a06bd656963 100644
28962 +--- a/drivers/usb/core/hcd.c
28963 ++++ b/drivers/usb/core/hcd.c
28964 +@@ -2288,6 +2288,7 @@ void usb_hcd_resume_root_hub (struct usb_hcd *hcd)
28965 +
28966 + spin_lock_irqsave (&hcd_root_hub_lock, flags);
28967 + if (hcd->rh_registered) {
28968 ++ pm_wakeup_event(&hcd->self.root_hub->dev, 0);
28969 + set_bit(HCD_FLAG_WAKEUP_PENDING, &hcd->flags);
28970 + queue_work(pm_wq, &hcd->wakeup_work);
28971 + }
28972 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
28973 +index 1ba74441d7bf..a2686b95c3dd 100644
28974 +--- a/drivers/usb/core/hub.c
28975 ++++ b/drivers/usb/core/hub.c
28976 +@@ -633,12 +633,17 @@ void usb_wakeup_notification(struct usb_device *hdev,
28977 + unsigned int portnum)
28978 + {
28979 + struct usb_hub *hub;
28980 ++ struct usb_port *port_dev;
28981 +
28982 + if (!hdev)
28983 + return;
28984 +
28985 + hub = usb_hub_to_struct_hub(hdev);
28986 + if (hub) {
28987 ++ port_dev = hub->ports[portnum - 1];
28988 ++ if (port_dev && port_dev->child)
28989 ++ pm_wakeup_event(&port_dev->child->dev, 0);
28990 ++
28991 + set_bit(portnum, hub->wakeup_bits);
28992 + kick_hub_wq(hub);
28993 + }
28994 +@@ -3375,8 +3380,11 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg)
28995 +
28996 + /* Skip the initial Clear-Suspend step for a remote wakeup */
28997 + status = hub_port_status(hub, port1, &portstatus, &portchange);
28998 +- if (status == 0 && !port_is_suspended(hub, portstatus))
28999 ++ if (status == 0 && !port_is_suspended(hub, portstatus)) {
29000 ++ if (portchange & USB_PORT_STAT_C_SUSPEND)
29001 ++ pm_wakeup_event(&udev->dev, 0);
29002 + goto SuspendCleared;
29003 ++ }
29004 +
29005 + /* see 7.1.7.7; affects power usage, but not budgeting */
29006 + if (hub_is_superspeed(hub->hdev))
29007 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
29008 +index 4f1c6f8d4352..40ce175655e6 100644
29009 +--- a/drivers/usb/core/quirks.c
29010 ++++ b/drivers/usb/core/quirks.c
29011 +@@ -45,6 +45,9 @@ static const struct usb_device_id usb_quirk_list[] = {
29012 + { USB_DEVICE(0x03f0, 0x0701), .driver_info =
29013 + USB_QUIRK_STRING_FETCH_255 },
29014 +
29015 ++ /* HP v222w 16GB Mini USB Drive */
29016 ++ { USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT },
29017 ++
29018 + /* Creative SB Audigy 2 NX */
29019 + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
29020 +
29021 +diff --git a/drivers/usb/dwc3/dwc3-keystone.c b/drivers/usb/dwc3/dwc3-keystone.c
29022 +index fe3b9335a74e..88a5b798b1ea 100644
29023 +--- a/drivers/usb/dwc3/dwc3-keystone.c
29024 ++++ b/drivers/usb/dwc3/dwc3-keystone.c
29025 +@@ -112,6 +112,10 @@ static int kdwc3_probe(struct platform_device *pdev)
29026 + dev->dma_mask = &kdwc3_dma_mask;
29027 +
29028 + kdwc->clk = devm_clk_get(kdwc->dev, "usb");
29029 ++ if (IS_ERR(kdwc->clk)) {
29030 ++ dev_err(kdwc->dev, "unable to get usb clock\n");
29031 ++ return PTR_ERR(kdwc->clk);
29032 ++ }
29033 +
29034 + error = clk_prepare_enable(kdwc->clk);
29035 + if (error < 0) {
29036 +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
29037 +index c702f5d941d9..01816e8411fc 100644
29038 +--- a/drivers/usb/dwc3/dwc3-pci.c
29039 ++++ b/drivers/usb/dwc3/dwc3-pci.c
29040 +@@ -124,7 +124,7 @@ static int dwc3_pci_probe(struct pci_dev *pci,
29041 + ret = platform_device_add_resources(dwc3, res, ARRAY_SIZE(res));
29042 + if (ret) {
29043 + dev_err(dev, "couldn't add resources to dwc3 device\n");
29044 +- return ret;
29045 ++ goto err;
29046 + }
29047 +
29048 + pci_set_drvdata(pci, dwc3);
29049 +diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
29050 +index 466640afa7be..4a7861022d20 100644
29051 +--- a/drivers/usb/gadget/function/f_hid.c
29052 ++++ b/drivers/usb/gadget/function/f_hid.c
29053 +@@ -223,6 +223,13 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
29054 + /* pick the first one */
29055 + list = list_first_entry(&hidg->completed_out_req,
29056 + struct f_hidg_req_list, list);
29057 ++
29058 ++ /*
29059 ++ * Remove this from list to protect it from beign free()
29060 ++ * while host disables our function
29061 ++ */
29062 ++ list_del(&list->list);
29063 ++
29064 + req = list->req;
29065 + count = min_t(unsigned int, count, req->actual - list->pos);
29066 + spin_unlock_irqrestore(&hidg->spinlock, flags);
29067 +@@ -238,15 +245,20 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
29068 + * call, taking into account its current read position.
29069 + */
29070 + if (list->pos == req->actual) {
29071 +- spin_lock_irqsave(&hidg->spinlock, flags);
29072 +- list_del(&list->list);
29073 + kfree(list);
29074 +- spin_unlock_irqrestore(&hidg->spinlock, flags);
29075 +
29076 + req->length = hidg->report_length;
29077 + ret = usb_ep_queue(hidg->out_ep, req, GFP_KERNEL);
29078 +- if (ret < 0)
29079 ++ if (ret < 0) {
29080 ++ free_ep_req(hidg->out_ep, req);
29081 + return ret;
29082 ++ }
29083 ++ } else {
29084 ++ spin_lock_irqsave(&hidg->spinlock, flags);
29085 ++ list_add(&list->list, &hidg->completed_out_req);
29086 ++ spin_unlock_irqrestore(&hidg->spinlock, flags);
29087 ++
29088 ++ wake_up(&hidg->read_queue);
29089 + }
29090 +
29091 + return count;
29092 +@@ -490,6 +502,7 @@ static void hidg_disable(struct usb_function *f)
29093 + {
29094 + struct f_hidg *hidg = func_to_hidg(f);
29095 + struct f_hidg_req_list *list, *next;
29096 ++ unsigned long flags;
29097 +
29098 + usb_ep_disable(hidg->in_ep);
29099 + hidg->in_ep->driver_data = NULL;
29100 +@@ -497,10 +510,13 @@ static void hidg_disable(struct usb_function *f)
29101 + usb_ep_disable(hidg->out_ep);
29102 + hidg->out_ep->driver_data = NULL;
29103 +
29104 ++ spin_lock_irqsave(&hidg->spinlock, flags);
29105 + list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) {
29106 ++ free_ep_req(hidg->out_ep, list->req);
29107 + list_del(&list->list);
29108 + kfree(list);
29109 + }
29110 ++ spin_unlock_irqrestore(&hidg->spinlock, flags);
29111 + }
29112 +
29113 + static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
29114 +diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
29115 +index d97f362b3604..a32ed6359b03 100644
29116 +--- a/drivers/usb/gadget/function/f_midi.c
29117 ++++ b/drivers/usb/gadget/function/f_midi.c
29118 +@@ -201,12 +201,6 @@ static inline struct usb_request *midi_alloc_ep_req(struct usb_ep *ep,
29119 + return alloc_ep_req(ep, length, length);
29120 + }
29121 +
29122 +-static void free_ep_req(struct usb_ep *ep, struct usb_request *req)
29123 +-{
29124 +- kfree(req->buf);
29125 +- usb_ep_free_request(ep, req);
29126 +-}
29127 +-
29128 + static const uint8_t f_midi_cin_length[] = {
29129 + 0, 0, 2, 3, 3, 1, 2, 3, 3, 3, 3, 3, 2, 2, 3, 1
29130 + };
29131 +diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c
29132 +index 3a5ae9900b1e..eedea7f093d1 100644
29133 +--- a/drivers/usb/gadget/function/f_sourcesink.c
29134 ++++ b/drivers/usb/gadget/function/f_sourcesink.c
29135 +@@ -307,12 +307,6 @@ static inline struct usb_request *ss_alloc_ep_req(struct usb_ep *ep, int len)
29136 + return alloc_ep_req(ep, len, buflen);
29137 + }
29138 +
29139 +-void free_ep_req(struct usb_ep *ep, struct usb_request *req)
29140 +-{
29141 +- kfree(req->buf);
29142 +- usb_ep_free_request(ep, req);
29143 +-}
29144 +-
29145 + static void disable_ep(struct usb_composite_dev *cdev, struct usb_ep *ep)
29146 + {
29147 + int value;
29148 +diff --git a/drivers/usb/gadget/function/g_zero.h b/drivers/usb/gadget/function/g_zero.h
29149 +index 15f180904f8a..5ed90b437f18 100644
29150 +--- a/drivers/usb/gadget/function/g_zero.h
29151 ++++ b/drivers/usb/gadget/function/g_zero.h
29152 +@@ -59,7 +59,6 @@ void lb_modexit(void);
29153 + int lb_modinit(void);
29154 +
29155 + /* common utilities */
29156 +-void free_ep_req(struct usb_ep *ep, struct usb_request *req);
29157 + void disable_endpoints(struct usb_composite_dev *cdev,
29158 + struct usb_ep *in, struct usb_ep *out,
29159 + struct usb_ep *iso_in, struct usb_ep *iso_out);
29160 +diff --git a/drivers/usb/gadget/u_f.c b/drivers/usb/gadget/u_f.c
29161 +index c6276f0268ae..907f8144813c 100644
29162 +--- a/drivers/usb/gadget/u_f.c
29163 ++++ b/drivers/usb/gadget/u_f.c
29164 +@@ -11,16 +11,18 @@
29165 + * published by the Free Software Foundation.
29166 + */
29167 +
29168 +-#include <linux/usb/gadget.h>
29169 + #include "u_f.h"
29170 ++#include <linux/usb/ch9.h>
29171 +
29172 +-struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len)
29173 ++struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len)
29174 + {
29175 + struct usb_request *req;
29176 +
29177 + req = usb_ep_alloc_request(ep, GFP_ATOMIC);
29178 + if (req) {
29179 + req->length = len ?: default_len;
29180 ++ if (usb_endpoint_dir_out(ep->desc))
29181 ++ req->length = usb_ep_align(ep, req->length);
29182 + req->buf = kmalloc(req->length, GFP_ATOMIC);
29183 + if (!req->buf) {
29184 + usb_ep_free_request(ep, req);
29185 +diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h
29186 +index 1d5f0eb68552..69a1d10df04f 100644
29187 +--- a/drivers/usb/gadget/u_f.h
29188 ++++ b/drivers/usb/gadget/u_f.h
29189 +@@ -16,6 +16,8 @@
29190 + #ifndef __U_F_H__
29191 + #define __U_F_H__
29192 +
29193 ++#include <linux/usb/gadget.h>
29194 ++
29195 + /* Variable Length Array Macros **********************************************/
29196 + #define vla_group(groupname) size_t groupname##__next = 0
29197 + #define vla_group_size(groupname) groupname##__next
29198 +@@ -45,8 +47,26 @@
29199 + struct usb_ep;
29200 + struct usb_request;
29201 +
29202 +-struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len);
29203 +-
29204 +-#endif /* __U_F_H__ */
29205 ++/**
29206 ++ * alloc_ep_req - returns a usb_request allocated by the gadget driver and
29207 ++ * allocates the request's buffer.
29208 ++ *
29209 ++ * @ep: the endpoint to allocate a usb_request
29210 ++ * @len: usb_requests's buffer suggested size
29211 ++ * @default_len: used if @len is not provided, ie, is 0
29212 ++ *
29213 ++ * In case @ep direction is OUT, the @len will be aligned to ep's
29214 ++ * wMaxPacketSize. In order to avoid memory leaks or drops, *always* use
29215 ++ * usb_requests's length (req->length) to refer to the allocated buffer size.
29216 ++ * Requests allocated via alloc_ep_req() *must* be freed by free_ep_req().
29217 ++ */
29218 ++struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len);
29219 +
29220 ++/* Frees a usb_request previously allocated by alloc_ep_req() */
29221 ++static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
29222 ++{
29223 ++ kfree(req->buf);
29224 ++ usb_ep_free_request(ep, req);
29225 ++}
29226 +
29227 ++#endif /* __U_F_H__ */
29228 +diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c
29229 +index 5c8f4effb62a..caec234822c6 100644
29230 +--- a/drivers/usb/gadget/udc/bdc/bdc_core.c
29231 ++++ b/drivers/usb/gadget/udc/bdc/bdc_core.c
29232 +@@ -476,7 +476,7 @@ static int bdc_probe(struct platform_device *pdev)
29233 + bdc->dev = dev;
29234 + dev_dbg(bdc->dev, "bdc->regs: %p irq=%d\n", bdc->regs, bdc->irq);
29235 +
29236 +- temp = bdc_readl(bdc->regs, BDC_BDCSC);
29237 ++ temp = bdc_readl(bdc->regs, BDC_BDCCAP1);
29238 + if ((temp & BDC_P64) &&
29239 + !dma_set_mask_and_coherent(dev, DMA_BIT_MASK(64))) {
29240 + dev_dbg(bdc->dev, "Using 64-bit address\n");
29241 +diff --git a/drivers/usb/gadget/udc/bdc/bdc_pci.c b/drivers/usb/gadget/udc/bdc/bdc_pci.c
29242 +index 02968842b359..708e36f530d8 100644
29243 +--- a/drivers/usb/gadget/udc/bdc/bdc_pci.c
29244 ++++ b/drivers/usb/gadget/udc/bdc/bdc_pci.c
29245 +@@ -82,6 +82,7 @@ static int bdc_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
29246 + if (ret) {
29247 + dev_err(&pci->dev,
29248 + "couldn't add resources to bdc device\n");
29249 ++ platform_device_put(bdc);
29250 + return ret;
29251 + }
29252 +
29253 +diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
29254 +index 35f730324b63..a5a260b7ff25 100644
29255 +--- a/drivers/usb/gadget/udc/dummy_hcd.c
29256 ++++ b/drivers/usb/gadget/udc/dummy_hcd.c
29257 +@@ -2026,16 +2026,13 @@ static int dummy_hub_control(
29258 + }
29259 + break;
29260 + case USB_PORT_FEAT_POWER:
29261 +- if (hcd->speed == HCD_USB3) {
29262 +- if (dum_hcd->port_status & USB_PORT_STAT_POWER)
29263 +- dev_dbg(dummy_dev(dum_hcd),
29264 +- "power-off\n");
29265 +- } else
29266 +- if (dum_hcd->port_status &
29267 +- USB_SS_PORT_STAT_POWER)
29268 +- dev_dbg(dummy_dev(dum_hcd),
29269 +- "power-off\n");
29270 +- /* FALLS THROUGH */
29271 ++ dev_dbg(dummy_dev(dum_hcd), "power-off\n");
29272 ++ if (hcd->speed == HCD_USB3)
29273 ++ dum_hcd->port_status &= ~USB_SS_PORT_STAT_POWER;
29274 ++ else
29275 ++ dum_hcd->port_status &= ~USB_PORT_STAT_POWER;
29276 ++ set_link_state(dum_hcd);
29277 ++ break;
29278 + default:
29279 + dum_hcd->port_status &= ~(1 << wValue);
29280 + set_link_state(dum_hcd);
29281 +@@ -2206,14 +2203,13 @@ static int dummy_hub_control(
29282 + if ((dum_hcd->port_status &
29283 + USB_SS_PORT_STAT_POWER) != 0) {
29284 + dum_hcd->port_status |= (1 << wValue);
29285 +- set_link_state(dum_hcd);
29286 + }
29287 + } else
29288 + if ((dum_hcd->port_status &
29289 + USB_PORT_STAT_POWER) != 0) {
29290 + dum_hcd->port_status |= (1 << wValue);
29291 +- set_link_state(dum_hcd);
29292 + }
29293 ++ set_link_state(dum_hcd);
29294 + }
29295 + break;
29296 + case GetPortErrorCount:
29297 +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
29298 +index e92b9903faa4..23c5bdab988d 100644
29299 +--- a/drivers/usb/host/xhci-plat.c
29300 ++++ b/drivers/usb/host/xhci-plat.c
29301 +@@ -266,7 +266,6 @@ MODULE_DEVICE_TABLE(of, usb_xhci_of_match);
29302 + static struct platform_driver usb_xhci_driver = {
29303 + .probe = xhci_plat_probe,
29304 + .remove = xhci_plat_remove,
29305 +- .shutdown = usb_hcd_platform_shutdown,
29306 + .driver = {
29307 + .name = "xhci-hcd",
29308 + .pm = DEV_PM_OPS,
29309 +diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
29310 +index 10d30afe4a3c..a0d1417362cd 100644
29311 +--- a/drivers/usb/musb/musb_gadget_ep0.c
29312 ++++ b/drivers/usb/musb/musb_gadget_ep0.c
29313 +@@ -114,15 +114,19 @@ static int service_tx_status_request(
29314 + }
29315 +
29316 + is_in = epnum & USB_DIR_IN;
29317 +- if (is_in) {
29318 +- epnum &= 0x0f;
29319 ++ epnum &= 0x0f;
29320 ++ if (epnum >= MUSB_C_NUM_EPS) {
29321 ++ handled = -EINVAL;
29322 ++ break;
29323 ++ }
29324 ++
29325 ++ if (is_in)
29326 + ep = &musb->endpoints[epnum].ep_in;
29327 +- } else {
29328 ++ else
29329 + ep = &musb->endpoints[epnum].ep_out;
29330 +- }
29331 + regs = musb->endpoints[epnum].regs;
29332 +
29333 +- if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
29334 ++ if (!ep->desc) {
29335 + handled = -EINVAL;
29336 + break;
29337 + }
29338 +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
29339 +index 1d0c096c1b84..4b707d527855 100644
29340 +--- a/drivers/usb/musb/musb_host.c
29341 ++++ b/drivers/usb/musb/musb_host.c
29342 +@@ -1002,7 +1002,9 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep,
29343 + /* set tx_reinit and schedule the next qh */
29344 + ep->tx_reinit = 1;
29345 + }
29346 +- musb_start_urb(musb, is_in, next_qh);
29347 ++
29348 ++ if (next_qh)
29349 ++ musb_start_urb(musb, is_in, next_qh);
29350 + }
29351 + }
29352 +
29353 +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig
29354 +index 941716c1177e..3d09c1037e36 100644
29355 +--- a/drivers/usb/serial/Kconfig
29356 ++++ b/drivers/usb/serial/Kconfig
29357 +@@ -62,6 +62,7 @@ config USB_SERIAL_SIMPLE
29358 + - Fundamental Software dongle.
29359 + - Google USB serial devices
29360 + - HP4x calculators
29361 ++ - Libtransistor USB console
29362 + - a number of Motorola phones
29363 + - Motorola Tetra devices
29364 + - Novatel Wireless GPS receivers
29365 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
29366 +index 142c876e7b19..1011fc41deb7 100644
29367 +--- a/drivers/usb/serial/cp210x.c
29368 ++++ b/drivers/usb/serial/cp210x.c
29369 +@@ -149,6 +149,7 @@ static const struct usb_device_id id_table[] = {
29370 + { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */
29371 + { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */
29372 + { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */
29373 ++ { USB_DEVICE(0x155A, 0x1006) }, /* ELDAT Easywave RX09 */
29374 + { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */
29375 + { USB_DEVICE(0x166A, 0x0301) }, /* Clipsal 5800PC C-Bus Wireless PC Interface */
29376 + { USB_DEVICE(0x166A, 0x0303) }, /* Clipsal 5500PCU C-Bus USB interface */
29377 +@@ -207,6 +208,7 @@ static const struct usb_device_id id_table[] = {
29378 + { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */
29379 + { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */
29380 + { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */
29381 ++ { USB_DEVICE(0x3923, 0x7A0B) }, /* National Instruments USB Serial Console */
29382 + { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */
29383 + { } /* Terminating Entry */
29384 + };
29385 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
29386 +index 252f580cf3e7..00b5cc4c9f38 100644
29387 +--- a/drivers/usb/serial/ftdi_sio.c
29388 ++++ b/drivers/usb/serial/ftdi_sio.c
29389 +@@ -773,6 +773,7 @@ static const struct usb_device_id id_table_combined[] = {
29390 + .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
29391 + { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) },
29392 + { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) },
29393 ++ { USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) },
29394 + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) },
29395 + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) },
29396 + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) },
29397 +@@ -935,6 +936,7 @@ static const struct usb_device_id id_table_combined[] = {
29398 + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) },
29399 + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) },
29400 + { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) },
29401 ++ { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) },
29402 + { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) },
29403 + { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
29404 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
29405 +@@ -1904,7 +1906,8 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial)
29406 + return ftdi_jtag_probe(serial);
29407 +
29408 + if (udev->product &&
29409 +- (!strcmp(udev->product, "BeagleBone/XDS100V2") ||
29410 ++ (!strcmp(udev->product, "Arrow USB Blaster") ||
29411 ++ !strcmp(udev->product, "BeagleBone/XDS100V2") ||
29412 + !strcmp(udev->product, "SNAP Connect E10")))
29413 + return ftdi_jtag_probe(serial);
29414 +
29415 +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
29416 +index 6d847ecb423f..eaaada41359e 100644
29417 +--- a/drivers/usb/serial/ftdi_sio_ids.h
29418 ++++ b/drivers/usb/serial/ftdi_sio_ids.h
29419 +@@ -903,6 +903,9 @@
29420 + /*
29421 + * RT Systems programming cables for various ham radios
29422 + */
29423 ++/* This device uses the VID of FTDI */
29424 ++#define RTSYSTEMS_USB_VX8_PID 0x9e50 /* USB-VX8 USB to 7 pin modular plug for Yaesu VX-8 radio */
29425 ++
29426 + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */
29427 + #define RTSYSTEMS_USB_S03_PID 0x9001 /* RTS-03 USB to Serial Adapter */
29428 + #define RTSYSTEMS_USB_59_PID 0x9e50 /* USB-59 USB to 8 pin plug */
29429 +@@ -1421,6 +1424,12 @@
29430 + */
29431 + #define FTDI_CINTERION_MC55I_PID 0xA951
29432 +
29433 ++/*
29434 ++ * Product: FirmwareHubEmulator
29435 ++ * Manufacturer: Harman Becker Automotive Systems
29436 ++ */
29437 ++#define FTDI_FHE_PID 0xA9A0
29438 ++
29439 + /*
29440 + * Product: Comet Caller ID decoder
29441 + * Manufacturer: Crucible Technologies
29442 +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
29443 +index 6aa7ff2c1cf7..2674da40d9cd 100644
29444 +--- a/drivers/usb/serial/usb-serial-simple.c
29445 ++++ b/drivers/usb/serial/usb-serial-simple.c
29446 +@@ -66,6 +66,11 @@ DEVICE(flashloader, FLASHLOADER_IDS);
29447 + 0x01) }
29448 + DEVICE(google, GOOGLE_IDS);
29449 +
29450 ++/* Libtransistor USB console */
29451 ++#define LIBTRANSISTOR_IDS() \
29452 ++ { USB_DEVICE(0x1209, 0x8b00) }
29453 ++DEVICE(libtransistor, LIBTRANSISTOR_IDS);
29454 ++
29455 + /* ViVOpay USB Serial Driver */
29456 + #define VIVOPAY_IDS() \
29457 + { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */
29458 +@@ -113,6 +118,7 @@ static struct usb_serial_driver * const serial_drivers[] = {
29459 + &funsoft_device,
29460 + &flashloader_device,
29461 + &google_device,
29462 ++ &libtransistor_device,
29463 + &vivopay_device,
29464 + &moto_modem_device,
29465 + &motorola_tetra_device,
29466 +@@ -129,6 +135,7 @@ static const struct usb_device_id id_table[] = {
29467 + FUNSOFT_IDS(),
29468 + FLASHLOADER_IDS(),
29469 + GOOGLE_IDS(),
29470 ++ LIBTRANSISTOR_IDS(),
29471 + VIVOPAY_IDS(),
29472 + MOTO_IDS(),
29473 + MOTOROLA_TETRA_IDS(),
29474 +diff --git a/drivers/usb/serial/visor.c b/drivers/usb/serial/visor.c
29475 +index 337a0be89fcf..dbc3801b43eb 100644
29476 +--- a/drivers/usb/serial/visor.c
29477 ++++ b/drivers/usb/serial/visor.c
29478 +@@ -338,47 +338,48 @@ static int palm_os_3_probe(struct usb_serial *serial,
29479 + goto exit;
29480 + }
29481 +
29482 +- if (retval == sizeof(*connection_info)) {
29483 +- connection_info = (struct visor_connection_info *)
29484 +- transfer_buffer;
29485 +-
29486 +- num_ports = le16_to_cpu(connection_info->num_ports);
29487 +- for (i = 0; i < num_ports; ++i) {
29488 +- switch (
29489 +- connection_info->connections[i].port_function_id) {
29490 +- case VISOR_FUNCTION_GENERIC:
29491 +- string = "Generic";
29492 +- break;
29493 +- case VISOR_FUNCTION_DEBUGGER:
29494 +- string = "Debugger";
29495 +- break;
29496 +- case VISOR_FUNCTION_HOTSYNC:
29497 +- string = "HotSync";
29498 +- break;
29499 +- case VISOR_FUNCTION_CONSOLE:
29500 +- string = "Console";
29501 +- break;
29502 +- case VISOR_FUNCTION_REMOTE_FILE_SYS:
29503 +- string = "Remote File System";
29504 +- break;
29505 +- default:
29506 +- string = "unknown";
29507 +- break;
29508 +- }
29509 +- dev_info(dev, "%s: port %d, is for %s use\n",
29510 +- serial->type->description,
29511 +- connection_info->connections[i].port, string);
29512 +- }
29513 ++ if (retval != sizeof(*connection_info)) {
29514 ++ dev_err(dev, "Invalid connection information received from device\n");
29515 ++ retval = -ENODEV;
29516 ++ goto exit;
29517 + }
29518 +- /*
29519 +- * Handle devices that report invalid stuff here.
29520 +- */
29521 ++
29522 ++ connection_info = (struct visor_connection_info *)transfer_buffer;
29523 ++
29524 ++ num_ports = le16_to_cpu(connection_info->num_ports);
29525 ++
29526 ++ /* Handle devices that report invalid stuff here. */
29527 + if (num_ports == 0 || num_ports > 2) {
29528 + dev_warn(dev, "%s: No valid connect info available\n",
29529 + serial->type->description);
29530 + num_ports = 2;
29531 + }
29532 +
29533 ++ for (i = 0; i < num_ports; ++i) {
29534 ++ switch (connection_info->connections[i].port_function_id) {
29535 ++ case VISOR_FUNCTION_GENERIC:
29536 ++ string = "Generic";
29537 ++ break;
29538 ++ case VISOR_FUNCTION_DEBUGGER:
29539 ++ string = "Debugger";
29540 ++ break;
29541 ++ case VISOR_FUNCTION_HOTSYNC:
29542 ++ string = "HotSync";
29543 ++ break;
29544 ++ case VISOR_FUNCTION_CONSOLE:
29545 ++ string = "Console";
29546 ++ break;
29547 ++ case VISOR_FUNCTION_REMOTE_FILE_SYS:
29548 ++ string = "Remote File System";
29549 ++ break;
29550 ++ default:
29551 ++ string = "unknown";
29552 ++ break;
29553 ++ }
29554 ++ dev_info(dev, "%s: port %d, is for %s use\n",
29555 ++ serial->type->description,
29556 ++ connection_info->connections[i].port, string);
29557 ++ }
29558 + dev_info(dev, "%s: Number of ports: %d\n", serial->type->description,
29559 + num_ports);
29560 +
29561 +diff --git a/drivers/usb/storage/ene_ub6250.c b/drivers/usb/storage/ene_ub6250.c
29562 +index 26c26e3e21d3..e82e179f3558 100644
29563 +--- a/drivers/usb/storage/ene_ub6250.c
29564 ++++ b/drivers/usb/storage/ene_ub6250.c
29565 +@@ -1950,6 +1950,8 @@ static int ene_load_bincode(struct us_data *us, unsigned char flag)
29566 + bcb->CDB[0] = 0xEF;
29567 +
29568 + result = ene_send_scsi_cmd(us, FDIR_WRITE, buf, 0);
29569 ++ if (us->srb != NULL)
29570 ++ scsi_set_resid(us->srb, 0);
29571 + info->BIN_FLAG = flag;
29572 + kfree(buf);
29573 +
29574 +@@ -2303,21 +2305,22 @@ static int ms_scsi_irp(struct us_data *us, struct scsi_cmnd *srb)
29575 +
29576 + static int ene_transport(struct scsi_cmnd *srb, struct us_data *us)
29577 + {
29578 +- int result = 0;
29579 ++ int result = USB_STOR_XFER_GOOD;
29580 + struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra);
29581 +
29582 + /*US_DEBUG(usb_stor_show_command(us, srb)); */
29583 + scsi_set_resid(srb, 0);
29584 +- if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) {
29585 ++ if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready)))
29586 + result = ene_init(us);
29587 +- } else {
29588 ++ if (result == USB_STOR_XFER_GOOD) {
29589 ++ result = USB_STOR_TRANSPORT_ERROR;
29590 + if (info->SD_Status.Ready)
29591 + result = sd_scsi_irp(us, srb);
29592 +
29593 + if (info->MS_Status.Ready)
29594 + result = ms_scsi_irp(us, srb);
29595 + }
29596 +- return 0;
29597 ++ return result;
29598 + }
29599 +
29600 +
29601 +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c
29602 +index 325b4c05acdd..f761e02e75c9 100644
29603 +--- a/drivers/usb/usbip/stub_main.c
29604 ++++ b/drivers/usb/usbip/stub_main.c
29605 +@@ -201,7 +201,12 @@ static ssize_t rebind_store(struct device_driver *dev, const char *buf,
29606 + if (!bid)
29607 + return -ENODEV;
29608 +
29609 ++ /* device_attach() callers should hold parent lock for USB */
29610 ++ if (bid->udev->dev.parent)
29611 ++ device_lock(bid->udev->dev.parent);
29612 + ret = device_attach(&bid->udev->dev);
29613 ++ if (bid->udev->dev.parent)
29614 ++ device_unlock(bid->udev->dev.parent);
29615 + if (ret < 0) {
29616 + dev_err(&bid->udev->dev, "rebind failed\n");
29617 + return ret;
29618 +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
29619 +index f875ccaa55f9..0fc5ace57c0e 100644
29620 +--- a/drivers/usb/usbip/usbip_common.h
29621 ++++ b/drivers/usb/usbip/usbip_common.h
29622 +@@ -248,7 +248,7 @@ enum usbip_side {
29623 + #define SDEV_EVENT_ERROR_SUBMIT (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
29624 + #define SDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
29625 +
29626 +-#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_BYE)
29627 ++#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE)
29628 + #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
29629 + #define VDEV_EVENT_ERROR_TCP (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
29630 + #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
29631 +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
29632 +index ff75ca31a199..a9fc4a6d010a 100644
29633 +--- a/drivers/vfio/pci/vfio_pci_config.c
29634 ++++ b/drivers/vfio/pci/vfio_pci_config.c
29635 +@@ -685,6 +685,62 @@ static int __init init_pci_cap_pcix_perm(struct perm_bits *perm)
29636 + return 0;
29637 + }
29638 +
29639 ++static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos,
29640 ++ int count, struct perm_bits *perm,
29641 ++ int offset, __le32 val)
29642 ++{
29643 ++ __le16 *ctrl = (__le16 *)(vdev->vconfig + pos -
29644 ++ offset + PCI_EXP_DEVCTL);
29645 ++ int readrq = le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ;
29646 ++
29647 ++ count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
29648 ++ if (count < 0)
29649 ++ return count;
29650 ++
29651 ++ /*
29652 ++ * The FLR bit is virtualized, if set and the device supports PCIe
29653 ++ * FLR, issue a reset_function. Regardless, clear the bit, the spec
29654 ++ * requires it to be always read as zero. NB, reset_function might
29655 ++ * not use a PCIe FLR, we don't have that level of granularity.
29656 ++ */
29657 ++ if (*ctrl & cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR)) {
29658 ++ u32 cap;
29659 ++ int ret;
29660 ++
29661 ++ *ctrl &= ~cpu_to_le16(PCI_EXP_DEVCTL_BCR_FLR);
29662 ++
29663 ++ ret = pci_user_read_config_dword(vdev->pdev,
29664 ++ pos - offset + PCI_EXP_DEVCAP,
29665 ++ &cap);
29666 ++
29667 ++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR))
29668 ++ pci_try_reset_function(vdev->pdev);
29669 ++ }
29670 ++
29671 ++ /*
29672 ++ * MPS is virtualized to the user, writes do not change the physical
29673 ++ * register since determining a proper MPS value requires a system wide
29674 ++ * device view. The MRRS is largely independent of MPS, but since the
29675 ++ * user does not have that system-wide view, they might set a safe, but
29676 ++ * inefficiently low value. Here we allow writes through to hardware,
29677 ++ * but we set the floor to the physical device MPS setting, so that
29678 ++ * we can at least use full TLPs, as defined by the MPS value.
29679 ++ *
29680 ++ * NB, if any devices actually depend on an artificially low MRRS
29681 ++ * setting, this will need to be revisited, perhaps with a quirk
29682 ++ * though pcie_set_readrq().
29683 ++ */
29684 ++ if (readrq != (le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ)) {
29685 ++ readrq = 128 <<
29686 ++ ((le16_to_cpu(*ctrl) & PCI_EXP_DEVCTL_READRQ) >> 12);
29687 ++ readrq = max(readrq, pcie_get_mps(vdev->pdev));
29688 ++
29689 ++ pcie_set_readrq(vdev->pdev, readrq);
29690 ++ }
29691 ++
29692 ++ return count;
29693 ++}
29694 ++
29695 + /* Permissions for PCI Express capability */
29696 + static int __init init_pci_cap_exp_perm(struct perm_bits *perm)
29697 + {
29698 +@@ -692,26 +748,67 @@ static int __init init_pci_cap_exp_perm(struct perm_bits *perm)
29699 + if (alloc_perm_bits(perm, PCI_CAP_EXP_ENDPOINT_SIZEOF_V2))
29700 + return -ENOMEM;
29701 +
29702 ++ perm->writefn = vfio_exp_config_write;
29703 ++
29704 + p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE);
29705 +
29706 + /*
29707 +- * Allow writes to device control fields (includes FLR!)
29708 +- * but not to devctl_phantom which could confuse IOMMU
29709 +- * or to the ARI bit in devctl2 which is set at probe time
29710 ++ * Allow writes to device control fields, except devctl_phantom,
29711 ++ * which could confuse IOMMU, MPS, which can break communication
29712 ++ * with other physical devices, and the ARI bit in devctl2, which
29713 ++ * is set at probe time. FLR and MRRS get virtualized via our
29714 ++ * writefn.
29715 + */
29716 +- p_setw(perm, PCI_EXP_DEVCTL, NO_VIRT, ~PCI_EXP_DEVCTL_PHANTOM);
29717 ++ p_setw(perm, PCI_EXP_DEVCTL,
29718 ++ PCI_EXP_DEVCTL_BCR_FLR | PCI_EXP_DEVCTL_PAYLOAD |
29719 ++ PCI_EXP_DEVCTL_READRQ, ~PCI_EXP_DEVCTL_PHANTOM);
29720 + p_setw(perm, PCI_EXP_DEVCTL2, NO_VIRT, ~PCI_EXP_DEVCTL2_ARI);
29721 + return 0;
29722 + }
29723 +
29724 ++static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos,
29725 ++ int count, struct perm_bits *perm,
29726 ++ int offset, __le32 val)
29727 ++{
29728 ++ u8 *ctrl = vdev->vconfig + pos - offset + PCI_AF_CTRL;
29729 ++
29730 ++ count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
29731 ++ if (count < 0)
29732 ++ return count;
29733 ++
29734 ++ /*
29735 ++ * The FLR bit is virtualized, if set and the device supports AF
29736 ++ * FLR, issue a reset_function. Regardless, clear the bit, the spec
29737 ++ * requires it to be always read as zero. NB, reset_function might
29738 ++ * not use an AF FLR, we don't have that level of granularity.
29739 ++ */
29740 ++ if (*ctrl & PCI_AF_CTRL_FLR) {
29741 ++ u8 cap;
29742 ++ int ret;
29743 ++
29744 ++ *ctrl &= ~PCI_AF_CTRL_FLR;
29745 ++
29746 ++ ret = pci_user_read_config_byte(vdev->pdev,
29747 ++ pos - offset + PCI_AF_CAP,
29748 ++ &cap);
29749 ++
29750 ++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP))
29751 ++ pci_try_reset_function(vdev->pdev);
29752 ++ }
29753 ++
29754 ++ return count;
29755 ++}
29756 ++
29757 + /* Permissions for Advanced Function capability */
29758 + static int __init init_pci_cap_af_perm(struct perm_bits *perm)
29759 + {
29760 + if (alloc_perm_bits(perm, pci_cap_length[PCI_CAP_ID_AF]))
29761 + return -ENOMEM;
29762 +
29763 ++ perm->writefn = vfio_af_config_write;
29764 ++
29765 + p_setb(perm, PCI_CAP_LIST_NEXT, (u8)ALL_VIRT, NO_WRITE);
29766 +- p_setb(perm, PCI_AF_CTRL, NO_VIRT, PCI_AF_CTRL_FLR);
29767 ++ p_setb(perm, PCI_AF_CTRL, PCI_AF_CTRL_FLR, PCI_AF_CTRL_FLR);
29768 + return 0;
29769 + }
29770 +
29771 +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
29772 +index fa49d3294cd5..1fd31650e01c 100644
29773 +--- a/drivers/vhost/vhost.c
29774 ++++ b/drivers/vhost/vhost.c
29775 +@@ -96,8 +96,7 @@ int vhost_poll_start(struct vhost_poll *poll, struct file *file)
29776 + if (mask)
29777 + vhost_poll_wakeup(&poll->wait, 0, 0, (void *)mask);
29778 + if (mask & POLLERR) {
29779 +- if (poll->wqh)
29780 +- remove_wait_queue(poll->wqh, &poll->wait);
29781 ++ vhost_poll_stop(poll);
29782 + ret = -EINVAL;
29783 + }
29784 +
29785 +diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
29786 +index 517f565b65d7..598ec7545e84 100644
29787 +--- a/drivers/video/console/vgacon.c
29788 ++++ b/drivers/video/console/vgacon.c
29789 +@@ -409,7 +409,10 @@ static const char *vgacon_startup(void)
29790 + vga_video_port_val = VGA_CRT_DM;
29791 + if ((screen_info.orig_video_ega_bx & 0xff) != 0x10) {
29792 + static struct resource ega_console_resource =
29793 +- { .name = "ega", .start = 0x3B0, .end = 0x3BF };
29794 ++ { .name = "ega",
29795 ++ .flags = IORESOURCE_IO,
29796 ++ .start = 0x3B0,
29797 ++ .end = 0x3BF };
29798 + vga_video_type = VIDEO_TYPE_EGAM;
29799 + vga_vram_size = 0x8000;
29800 + display_desc = "EGA+";
29801 +@@ -417,9 +420,15 @@ static const char *vgacon_startup(void)
29802 + &ega_console_resource);
29803 + } else {
29804 + static struct resource mda1_console_resource =
29805 +- { .name = "mda", .start = 0x3B0, .end = 0x3BB };
29806 ++ { .name = "mda",
29807 ++ .flags = IORESOURCE_IO,
29808 ++ .start = 0x3B0,
29809 ++ .end = 0x3BB };
29810 + static struct resource mda2_console_resource =
29811 +- { .name = "mda", .start = 0x3BF, .end = 0x3BF };
29812 ++ { .name = "mda",
29813 ++ .flags = IORESOURCE_IO,
29814 ++ .start = 0x3BF,
29815 ++ .end = 0x3BF };
29816 + vga_video_type = VIDEO_TYPE_MDA;
29817 + vga_vram_size = 0x2000;
29818 + display_desc = "*MDA";
29819 +@@ -441,15 +450,21 @@ static const char *vgacon_startup(void)
29820 + vga_vram_size = 0x8000;
29821 +
29822 + if (!screen_info.orig_video_isVGA) {
29823 +- static struct resource ega_console_resource
29824 +- = { .name = "ega", .start = 0x3C0, .end = 0x3DF };
29825 ++ static struct resource ega_console_resource =
29826 ++ { .name = "ega",
29827 ++ .flags = IORESOURCE_IO,
29828 ++ .start = 0x3C0,
29829 ++ .end = 0x3DF };
29830 + vga_video_type = VIDEO_TYPE_EGAC;
29831 + display_desc = "EGA";
29832 + request_resource(&ioport_resource,
29833 + &ega_console_resource);
29834 + } else {
29835 +- static struct resource vga_console_resource
29836 +- = { .name = "vga+", .start = 0x3C0, .end = 0x3DF };
29837 ++ static struct resource vga_console_resource =
29838 ++ { .name = "vga+",
29839 ++ .flags = IORESOURCE_IO,
29840 ++ .start = 0x3C0,
29841 ++ .end = 0x3DF };
29842 + vga_video_type = VIDEO_TYPE_VGAC;
29843 + display_desc = "VGA+";
29844 + request_resource(&ioport_resource,
29845 +@@ -493,7 +508,10 @@ static const char *vgacon_startup(void)
29846 + }
29847 + } else {
29848 + static struct resource cga_console_resource =
29849 +- { .name = "cga", .start = 0x3D4, .end = 0x3D5 };
29850 ++ { .name = "cga",
29851 ++ .flags = IORESOURCE_IO,
29852 ++ .start = 0x3D4,
29853 ++ .end = 0x3D5 };
29854 + vga_video_type = VIDEO_TYPE_CGA;
29855 + vga_vram_size = 0x2000;
29856 + display_desc = "*CGA";
29857 +diff --git a/drivers/video/fbdev/amba-clcd.c b/drivers/video/fbdev/amba-clcd.c
29858 +index 9362424c2340..924b3d6c3e9b 100644
29859 +--- a/drivers/video/fbdev/amba-clcd.c
29860 ++++ b/drivers/video/fbdev/amba-clcd.c
29861 +@@ -759,8 +759,8 @@ static int clcdfb_of_dma_setup(struct clcd_fb *fb)
29862 + if (err)
29863 + return err;
29864 +
29865 +- framesize = fb->panel->mode.xres * fb->panel->mode.yres *
29866 +- fb->panel->bpp / 8;
29867 ++ framesize = PAGE_ALIGN(fb->panel->mode.xres * fb->panel->mode.yres *
29868 ++ fb->panel->bpp / 8);
29869 + fb->fb.screen_base = dma_alloc_coherent(&fb->dev->dev, framesize,
29870 + &dma, GFP_KERNEL);
29871 + if (!fb->fb.screen_base)
29872 +diff --git a/drivers/video/fbdev/sm501fb.c b/drivers/video/fbdev/sm501fb.c
29873 +index d0a4e2f79a57..d215faacce04 100644
29874 +--- a/drivers/video/fbdev/sm501fb.c
29875 ++++ b/drivers/video/fbdev/sm501fb.c
29876 +@@ -1600,6 +1600,7 @@ static int sm501fb_start(struct sm501fb_info *info,
29877 + info->fbmem = ioremap(res->start, resource_size(res));
29878 + if (info->fbmem == NULL) {
29879 + dev_err(dev, "cannot remap framebuffer\n");
29880 ++ ret = -ENXIO;
29881 + goto err_mem_res;
29882 + }
29883 +
29884 +diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
29885 +index d2a985e59fcd..105a269ff66a 100644
29886 +--- a/drivers/video/fbdev/udlfb.c
29887 ++++ b/drivers/video/fbdev/udlfb.c
29888 +@@ -1487,15 +1487,25 @@ static struct device_attribute fb_device_attrs[] = {
29889 + static int dlfb_select_std_channel(struct dlfb_data *dev)
29890 + {
29891 + int ret;
29892 +- u8 set_def_chn[] = { 0x57, 0xCD, 0xDC, 0xA7,
29893 ++ void *buf;
29894 ++ static const u8 set_def_chn[] = {
29895 ++ 0x57, 0xCD, 0xDC, 0xA7,
29896 + 0x1C, 0x88, 0x5E, 0x15,
29897 + 0x60, 0xFE, 0xC6, 0x97,
29898 + 0x16, 0x3D, 0x47, 0xF2 };
29899 +
29900 ++ buf = kmemdup(set_def_chn, sizeof(set_def_chn), GFP_KERNEL);
29901 ++
29902 ++ if (!buf)
29903 ++ return -ENOMEM;
29904 ++
29905 + ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
29906 + NR_USB_REQUEST_CHANNEL,
29907 + (USB_DIR_OUT | USB_TYPE_VENDOR), 0, 0,
29908 +- set_def_chn, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT);
29909 ++ buf, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT);
29910 ++
29911 ++ kfree(buf);
29912 ++
29913 + return ret;
29914 + }
29915 +
29916 +diff --git a/drivers/video/fbdev/vfb.c b/drivers/video/fbdev/vfb.c
29917 +index 70a897b1e458..146cc3516f61 100644
29918 +--- a/drivers/video/fbdev/vfb.c
29919 ++++ b/drivers/video/fbdev/vfb.c
29920 +@@ -284,8 +284,23 @@ static int vfb_check_var(struct fb_var_screeninfo *var,
29921 + */
29922 + static int vfb_set_par(struct fb_info *info)
29923 + {
29924 ++ switch (info->var.bits_per_pixel) {
29925 ++ case 1:
29926 ++ info->fix.visual = FB_VISUAL_MONO01;
29927 ++ break;
29928 ++ case 8:
29929 ++ info->fix.visual = FB_VISUAL_PSEUDOCOLOR;
29930 ++ break;
29931 ++ case 16:
29932 ++ case 24:
29933 ++ case 32:
29934 ++ info->fix.visual = FB_VISUAL_TRUECOLOR;
29935 ++ break;
29936 ++ }
29937 ++
29938 + info->fix.line_length = get_line_length(info->var.xres_virtual,
29939 + info->var.bits_per_pixel);
29940 ++
29941 + return 0;
29942 + }
29943 +
29944 +@@ -526,6 +541,8 @@ static int vfb_probe(struct platform_device *dev)
29945 + goto err2;
29946 + platform_set_drvdata(dev, info);
29947 +
29948 ++ vfb_set_par(info);
29949 ++
29950 + fb_info(info, "Virtual frame buffer device, using %ldK of video memory\n",
29951 + videomemorysize >> 10);
29952 + return 0;
29953 +diff --git a/drivers/video/hdmi.c b/drivers/video/hdmi.c
29954 +index 162689227a23..b73520aaf697 100644
29955 +--- a/drivers/video/hdmi.c
29956 ++++ b/drivers/video/hdmi.c
29957 +@@ -321,6 +321,17 @@ int hdmi_vendor_infoframe_init(struct hdmi_vendor_infoframe *frame)
29958 + }
29959 + EXPORT_SYMBOL(hdmi_vendor_infoframe_init);
29960 +
29961 ++static int hdmi_vendor_infoframe_length(const struct hdmi_vendor_infoframe *frame)
29962 ++{
29963 ++ /* for side by side (half) we also need to provide 3D_Ext_Data */
29964 ++ if (frame->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF)
29965 ++ return 6;
29966 ++ else if (frame->vic != 0 || frame->s3d_struct != HDMI_3D_STRUCTURE_INVALID)
29967 ++ return 5;
29968 ++ else
29969 ++ return 4;
29970 ++}
29971 ++
29972 + /**
29973 + * hdmi_vendor_infoframe_pack() - write a HDMI vendor infoframe to binary buffer
29974 + * @frame: HDMI infoframe
29975 +@@ -341,19 +352,11 @@ ssize_t hdmi_vendor_infoframe_pack(struct hdmi_vendor_infoframe *frame,
29976 + u8 *ptr = buffer;
29977 + size_t length;
29978 +
29979 +- /* empty info frame */
29980 +- if (frame->vic == 0 && frame->s3d_struct == HDMI_3D_STRUCTURE_INVALID)
29981 +- return -EINVAL;
29982 +-
29983 + /* only one of those can be supplied */
29984 + if (frame->vic != 0 && frame->s3d_struct != HDMI_3D_STRUCTURE_INVALID)
29985 + return -EINVAL;
29986 +
29987 +- /* for side by side (half) we also need to provide 3D_Ext_Data */
29988 +- if (frame->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF)
29989 +- frame->length = 6;
29990 +- else
29991 +- frame->length = 5;
29992 ++ frame->length = hdmi_vendor_infoframe_length(frame);
29993 +
29994 + length = HDMI_INFOFRAME_HEADER_SIZE + frame->length;
29995 +
29996 +@@ -372,14 +375,16 @@ ssize_t hdmi_vendor_infoframe_pack(struct hdmi_vendor_infoframe *frame,
29997 + ptr[5] = 0x0c;
29998 + ptr[6] = 0x00;
29999 +
30000 +- if (frame->vic) {
30001 +- ptr[7] = 0x1 << 5; /* video format */
30002 +- ptr[8] = frame->vic;
30003 +- } else {
30004 ++ if (frame->s3d_struct != HDMI_3D_STRUCTURE_INVALID) {
30005 + ptr[7] = 0x2 << 5; /* video format */
30006 + ptr[8] = (frame->s3d_struct & 0xf) << 4;
30007 + if (frame->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF)
30008 + ptr[9] = (frame->s3d_ext_data & 0xf) << 4;
30009 ++ } else if (frame->vic) {
30010 ++ ptr[7] = 0x1 << 5; /* video format */
30011 ++ ptr[8] = frame->vic;
30012 ++ } else {
30013 ++ ptr[7] = 0x0 << 5; /* video format */
30014 + }
30015 +
30016 + hdmi_infoframe_set_checksum(buffer, length);
30017 +@@ -1161,7 +1166,7 @@ hdmi_vendor_any_infoframe_unpack(union hdmi_vendor_any_infoframe *frame,
30018 +
30019 + if (ptr[0] != HDMI_INFOFRAME_TYPE_VENDOR ||
30020 + ptr[1] != 1 ||
30021 +- (ptr[2] != 5 && ptr[2] != 6))
30022 ++ (ptr[2] != 4 && ptr[2] != 5 && ptr[2] != 6))
30023 + return -EINVAL;
30024 +
30025 + length = ptr[2];
30026 +@@ -1189,16 +1194,22 @@ hdmi_vendor_any_infoframe_unpack(union hdmi_vendor_any_infoframe *frame,
30027 +
30028 + hvf->length = length;
30029 +
30030 +- if (hdmi_video_format == 0x1) {
30031 +- hvf->vic = ptr[4];
30032 +- } else if (hdmi_video_format == 0x2) {
30033 ++ if (hdmi_video_format == 0x2) {
30034 ++ if (length != 5 && length != 6)
30035 ++ return -EINVAL;
30036 + hvf->s3d_struct = ptr[4] >> 4;
30037 + if (hvf->s3d_struct >= HDMI_3D_STRUCTURE_SIDE_BY_SIDE_HALF) {
30038 +- if (length == 6)
30039 +- hvf->s3d_ext_data = ptr[5] >> 4;
30040 +- else
30041 ++ if (length != 6)
30042 + return -EINVAL;
30043 ++ hvf->s3d_ext_data = ptr[5] >> 4;
30044 + }
30045 ++ } else if (hdmi_video_format == 0x1) {
30046 ++ if (length != 5)
30047 ++ return -EINVAL;
30048 ++ hvf->vic = ptr[4];
30049 ++ } else {
30050 ++ if (length != 4)
30051 ++ return -EINVAL;
30052 + }
30053 +
30054 + return 0;
30055 +diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c
30056 +index 016bd9355190..aa93df5833dc 100644
30057 +--- a/drivers/watchdog/f71808e_wdt.c
30058 ++++ b/drivers/watchdog/f71808e_wdt.c
30059 +@@ -450,7 +450,7 @@ static bool watchdog_is_running(void)
30060 +
30061 + is_running = (superio_inb(watchdog.sioaddr, SIO_REG_ENABLE) & BIT(0))
30062 + && (superio_inb(watchdog.sioaddr, F71808FG_REG_WDT_CONF)
30063 +- & F71808FG_FLAG_WD_EN);
30064 ++ & BIT(F71808FG_FLAG_WD_EN));
30065 +
30066 + superio_exit(watchdog.sioaddr);
30067 +
30068 +diff --git a/fs/aio.c b/fs/aio.c
30069 +index 480440f4701f..61ada5047da2 100644
30070 +--- a/fs/aio.c
30071 ++++ b/fs/aio.c
30072 +@@ -68,9 +68,9 @@ struct aio_ring {
30073 + #define AIO_RING_PAGES 8
30074 +
30075 + struct kioctx_table {
30076 +- struct rcu_head rcu;
30077 +- unsigned nr;
30078 +- struct kioctx *table[];
30079 ++ struct rcu_head rcu;
30080 ++ unsigned nr;
30081 ++ struct kioctx __rcu *table[];
30082 + };
30083 +
30084 + struct kioctx_cpu {
30085 +@@ -115,7 +115,8 @@ struct kioctx {
30086 + struct page **ring_pages;
30087 + long nr_pages;
30088 +
30089 +- struct work_struct free_work;
30090 ++ struct rcu_head free_rcu;
30091 ++ struct work_struct free_work; /* see free_ioctx() */
30092 +
30093 + /*
30094 + * signals when all in-flight requests are done
30095 +@@ -327,7 +328,7 @@ static int aio_ring_remap(struct file *file, struct vm_area_struct *vma)
30096 + for (i = 0; i < table->nr; i++) {
30097 + struct kioctx *ctx;
30098 +
30099 +- ctx = table->table[i];
30100 ++ ctx = rcu_dereference(table->table[i]);
30101 + if (ctx && ctx->aio_ring_file == file) {
30102 + if (!atomic_read(&ctx->dead)) {
30103 + ctx->user_id = ctx->mmap_base = vma->vm_start;
30104 +@@ -559,6 +560,12 @@ static int kiocb_cancel(struct aio_kiocb *kiocb)
30105 + return cancel(&kiocb->common);
30106 + }
30107 +
30108 ++/*
30109 ++ * free_ioctx() should be RCU delayed to synchronize against the RCU
30110 ++ * protected lookup_ioctx() and also needs process context to call
30111 ++ * aio_free_ring(), so the double bouncing through kioctx->free_rcu and
30112 ++ * ->free_work.
30113 ++ */
30114 + static void free_ioctx(struct work_struct *work)
30115 + {
30116 + struct kioctx *ctx = container_of(work, struct kioctx, free_work);
30117 +@@ -572,6 +579,14 @@ static void free_ioctx(struct work_struct *work)
30118 + kmem_cache_free(kioctx_cachep, ctx);
30119 + }
30120 +
30121 ++static void free_ioctx_rcufn(struct rcu_head *head)
30122 ++{
30123 ++ struct kioctx *ctx = container_of(head, struct kioctx, free_rcu);
30124 ++
30125 ++ INIT_WORK(&ctx->free_work, free_ioctx);
30126 ++ schedule_work(&ctx->free_work);
30127 ++}
30128 ++
30129 + static void free_ioctx_reqs(struct percpu_ref *ref)
30130 + {
30131 + struct kioctx *ctx = container_of(ref, struct kioctx, reqs);
30132 +@@ -580,8 +595,8 @@ static void free_ioctx_reqs(struct percpu_ref *ref)
30133 + if (ctx->rq_wait && atomic_dec_and_test(&ctx->rq_wait->count))
30134 + complete(&ctx->rq_wait->comp);
30135 +
30136 +- INIT_WORK(&ctx->free_work, free_ioctx);
30137 +- schedule_work(&ctx->free_work);
30138 ++ /* Synchronize against RCU protected table->table[] dereferences */
30139 ++ call_rcu(&ctx->free_rcu, free_ioctx_rcufn);
30140 + }
30141 +
30142 + /*
30143 +@@ -622,9 +637,9 @@ static int ioctx_add_table(struct kioctx *ctx, struct mm_struct *mm)
30144 + while (1) {
30145 + if (table)
30146 + for (i = 0; i < table->nr; i++)
30147 +- if (!table->table[i]) {
30148 ++ if (!rcu_access_pointer(table->table[i])) {
30149 + ctx->id = i;
30150 +- table->table[i] = ctx;
30151 ++ rcu_assign_pointer(table->table[i], ctx);
30152 + spin_unlock(&mm->ioctx_lock);
30153 +
30154 + /* While kioctx setup is in progress,
30155 +@@ -799,11 +814,11 @@ static int kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,
30156 + }
30157 +
30158 + table = rcu_dereference_raw(mm->ioctx_table);
30159 +- WARN_ON(ctx != table->table[ctx->id]);
30160 +- table->table[ctx->id] = NULL;
30161 ++ WARN_ON(ctx != rcu_access_pointer(table->table[ctx->id]));
30162 ++ RCU_INIT_POINTER(table->table[ctx->id], NULL);
30163 + spin_unlock(&mm->ioctx_lock);
30164 +
30165 +- /* percpu_ref_kill() will do the necessary call_rcu() */
30166 ++ /* free_ioctx_reqs() will do the necessary RCU synchronization */
30167 + wake_up_all(&ctx->wait);
30168 +
30169 + /*
30170 +@@ -845,7 +860,8 @@ void exit_aio(struct mm_struct *mm)
30171 +
30172 + skipped = 0;
30173 + for (i = 0; i < table->nr; ++i) {
30174 +- struct kioctx *ctx = table->table[i];
30175 ++ struct kioctx *ctx =
30176 ++ rcu_dereference_protected(table->table[i], true);
30177 +
30178 + if (!ctx) {
30179 + skipped++;
30180 +@@ -1034,7 +1050,7 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
30181 + if (!table || id >= table->nr)
30182 + goto out;
30183 +
30184 +- ctx = table->table[id];
30185 ++ ctx = rcu_dereference(table->table[id]);
30186 + if (ctx && ctx->user_id == ctx_id) {
30187 + percpu_ref_get(&ctx->users);
30188 + ret = ctx;
30189 +diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c
30190 +index 7a54c6a867c8..500098cdb960 100644
30191 +--- a/fs/autofs4/root.c
30192 ++++ b/fs/autofs4/root.c
30193 +@@ -746,7 +746,7 @@ static int autofs4_dir_mkdir(struct inode *dir, struct dentry *dentry, umode_t m
30194 +
30195 + autofs4_del_active(dentry);
30196 +
30197 +- inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555);
30198 ++ inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode);
30199 + if (!inode)
30200 + return -ENOMEM;
30201 + d_add(dentry, inode);
30202 +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
30203 +index 885f533a34d9..f179946d67ed 100644
30204 +--- a/fs/btrfs/extent_io.c
30205 ++++ b/fs/btrfs/extent_io.c
30206 +@@ -2466,7 +2466,7 @@ int end_extent_writepage(struct page *page, int err, u64 start, u64 end)
30207 + if (!uptodate) {
30208 + ClearPageUptodate(page);
30209 + SetPageError(page);
30210 +- ret = ret < 0 ? ret : -EIO;
30211 ++ ret = err < 0 ? err : -EIO;
30212 + mapping_set_error(page->mapping, ret);
30213 + }
30214 + return 0;
30215 +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
30216 +index 5fe5314270fd..68ca200b714a 100644
30217 +--- a/fs/btrfs/send.c
30218 ++++ b/fs/btrfs/send.c
30219 +@@ -4759,13 +4759,19 @@ static int is_extent_unchanged(struct send_ctx *sctx,
30220 + while (key.offset < ekey->offset + left_len) {
30221 + ei = btrfs_item_ptr(eb, slot, struct btrfs_file_extent_item);
30222 + right_type = btrfs_file_extent_type(eb, ei);
30223 +- if (right_type != BTRFS_FILE_EXTENT_REG) {
30224 ++ if (right_type != BTRFS_FILE_EXTENT_REG &&
30225 ++ right_type != BTRFS_FILE_EXTENT_INLINE) {
30226 + ret = 0;
30227 + goto out;
30228 + }
30229 +
30230 + right_disknr = btrfs_file_extent_disk_bytenr(eb, ei);
30231 +- right_len = btrfs_file_extent_num_bytes(eb, ei);
30232 ++ if (right_type == BTRFS_FILE_EXTENT_INLINE) {
30233 ++ right_len = btrfs_file_extent_inline_len(eb, slot, ei);
30234 ++ right_len = PAGE_ALIGN(right_len);
30235 ++ } else {
30236 ++ right_len = btrfs_file_extent_num_bytes(eb, ei);
30237 ++ }
30238 + right_offset = btrfs_file_extent_offset(eb, ei);
30239 + right_gen = btrfs_file_extent_generation(eb, ei);
30240 +
30241 +@@ -4779,6 +4785,19 @@ static int is_extent_unchanged(struct send_ctx *sctx,
30242 + goto out;
30243 + }
30244 +
30245 ++ /*
30246 ++ * We just wanted to see if when we have an inline extent, what
30247 ++ * follows it is a regular extent (wanted to check the above
30248 ++ * condition for inline extents too). This should normally not
30249 ++ * happen but it's possible for example when we have an inline
30250 ++ * compressed extent representing data with a size matching
30251 ++ * the page size (currently the same as sector size).
30252 ++ */
30253 ++ if (right_type == BTRFS_FILE_EXTENT_INLINE) {
30254 ++ ret = 0;
30255 ++ goto out;
30256 ++ }
30257 ++
30258 + left_offset_fixed = left_offset;
30259 + if (key.offset < ekey->offset) {
30260 + /* Fix the right offset for 2a and 7. */
30261 +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
30262 +index 18a3573e1444..4a0318ee4ed1 100644
30263 +--- a/fs/btrfs/volumes.c
30264 ++++ b/fs/btrfs/volumes.c
30265 +@@ -4370,10 +4370,13 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans,
30266 + if (devs_max && ndevs > devs_max)
30267 + ndevs = devs_max;
30268 + /*
30269 +- * the primary goal is to maximize the number of stripes, so use as many
30270 +- * devices as possible, even if the stripes are not maximum sized.
30271 ++ * The primary goal is to maximize the number of stripes, so use as
30272 ++ * many devices as possible, even if the stripes are not maximum sized.
30273 ++ *
30274 ++ * The DUP profile stores more than one stripe per device, the
30275 ++ * max_avail is the total size so we have to adjust.
30276 + */
30277 +- stripe_size = devices_info[ndevs-1].max_avail;
30278 ++ stripe_size = div_u64(devices_info[ndevs - 1].max_avail, dev_stripes);
30279 + num_stripes = ndevs * dev_stripes;
30280 +
30281 + /*
30282 +@@ -4413,8 +4416,6 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans,
30283 + stripe_size = devices_info[ndevs-1].max_avail;
30284 + }
30285 +
30286 +- stripe_size = div_u64(stripe_size, dev_stripes);
30287 +-
30288 + /* align to BTRFS_STRIPE_LEN */
30289 + stripe_size = div_u64(stripe_size, raid_stripe_len);
30290 + stripe_size *= raid_stripe_len;
30291 +diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
30292 +index 49a0d6b027c1..76dacd5307b9 100644
30293 +--- a/fs/cifs/dir.c
30294 ++++ b/fs/cifs/dir.c
30295 +@@ -673,6 +673,9 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode,
30296 + goto mknod_out;
30297 + }
30298 +
30299 ++ if (!S_ISCHR(mode) && !S_ISBLK(mode))
30300 ++ goto mknod_out;
30301 ++
30302 + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL))
30303 + goto mknod_out;
30304 +
30305 +@@ -681,10 +684,8 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode,
30306 +
30307 + buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
30308 + if (buf == NULL) {
30309 +- kfree(full_path);
30310 + rc = -ENOMEM;
30311 +- free_xid(xid);
30312 +- return rc;
30313 ++ goto mknod_out;
30314 + }
30315 +
30316 + if (backup_cred(cifs_sb))
30317 +@@ -731,7 +732,7 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, umode_t mode,
30318 + pdev->minor = cpu_to_le64(MINOR(device_number));
30319 + rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
30320 + &bytes_written, iov, 1);
30321 +- } /* else if (S_ISFIFO) */
30322 ++ }
30323 + tcon->ses->server->ops->close(xid, tcon, &fid);
30324 + d_drop(direntry);
30325 +
30326 +diff --git a/fs/cifs/file.c b/fs/cifs/file.c
30327 +index 1366d2151389..6f20a8ca5e7c 100644
30328 +--- a/fs/cifs/file.c
30329 ++++ b/fs/cifs/file.c
30330 +@@ -582,7 +582,7 @@ cifs_relock_file(struct cifsFileInfo *cfile)
30331 + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
30332 + int rc = 0;
30333 +
30334 +- down_read(&cinode->lock_sem);
30335 ++ down_read_nested(&cinode->lock_sem, SINGLE_DEPTH_NESTING);
30336 + if (cinode->can_cache_brlcks) {
30337 + /* can cache locks - no need to relock */
30338 + up_read(&cinode->lock_sem);
30339 +diff --git a/fs/cifs/netmisc.c b/fs/cifs/netmisc.c
30340 +index abae6dd2c6b9..cc88f4f0325e 100644
30341 +--- a/fs/cifs/netmisc.c
30342 ++++ b/fs/cifs/netmisc.c
30343 +@@ -980,10 +980,10 @@ struct timespec cnvrtDosUnixTm(__le16 le_date, __le16 le_time, int offset)
30344 + cifs_dbg(VFS, "illegal hours %d\n", st->Hours);
30345 + days = sd->Day;
30346 + month = sd->Month;
30347 +- if ((days > 31) || (month > 12)) {
30348 ++ if (days < 1 || days > 31 || month < 1 || month > 12) {
30349 + cifs_dbg(VFS, "illegal date, month %d day: %d\n", month, days);
30350 +- if (month > 12)
30351 +- month = 12;
30352 ++ days = clamp(days, 1, 31);
30353 ++ month = clamp(month, 1, 12);
30354 + }
30355 + month -= 1;
30356 + days += total_days_of_prev_months[month];
30357 +diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
30358 +index 5f9229ddf335..11b562ac8f31 100644
30359 +--- a/fs/cifs/sess.c
30360 ++++ b/fs/cifs/sess.c
30361 +@@ -344,13 +344,12 @@ void build_ntlmssp_negotiate_blob(unsigned char *pbuffer,
30362 + /* BB is NTLMV2 session security format easier to use here? */
30363 + flags = NTLMSSP_NEGOTIATE_56 | NTLMSSP_REQUEST_TARGET |
30364 + NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
30365 +- NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
30366 +- if (ses->server->sign) {
30367 ++ NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
30368 ++ NTLMSSP_NEGOTIATE_SEAL;
30369 ++ if (ses->server->sign)
30370 + flags |= NTLMSSP_NEGOTIATE_SIGN;
30371 +- if (!ses->server->session_estab ||
30372 +- ses->ntlmssp->sesskey_per_smbsess)
30373 +- flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
30374 +- }
30375 ++ if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
30376 ++ flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
30377 +
30378 + sec_blob->NegotiateFlags = cpu_to_le32(flags);
30379 +
30380 +@@ -407,13 +406,12 @@ int build_ntlmssp_auth_blob(unsigned char **pbuffer,
30381 + flags = NTLMSSP_NEGOTIATE_56 |
30382 + NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_TARGET_INFO |
30383 + NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_UNICODE |
30384 +- NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC;
30385 +- if (ses->server->sign) {
30386 ++ NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SEC |
30387 ++ NTLMSSP_NEGOTIATE_SEAL;
30388 ++ if (ses->server->sign)
30389 + flags |= NTLMSSP_NEGOTIATE_SIGN;
30390 +- if (!ses->server->session_estab ||
30391 +- ses->ntlmssp->sesskey_per_smbsess)
30392 +- flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
30393 +- }
30394 ++ if (!ses->server->session_estab || ses->ntlmssp->sesskey_per_smbsess)
30395 ++ flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
30396 +
30397 + tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
30398 + sec_blob->NegotiateFlags = cpu_to_le32(flags);
30399 +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
30400 +index 69422157c71b..4b4b1cbc69b2 100644
30401 +--- a/fs/cifs/smb2pdu.c
30402 ++++ b/fs/cifs/smb2pdu.c
30403 +@@ -754,10 +754,8 @@ ssetup_exit:
30404 +
30405 + if (!rc) {
30406 + mutex_lock(&server->srv_mutex);
30407 +- if (server->sign && server->ops->generate_signingkey) {
30408 ++ if (server->ops->generate_signingkey) {
30409 + rc = server->ops->generate_signingkey(ses);
30410 +- kfree(ses->auth_key.response);
30411 +- ses->auth_key.response = NULL;
30412 + if (rc) {
30413 + cifs_dbg(FYI,
30414 + "SMB3 session key generation failed\n");
30415 +@@ -779,10 +777,6 @@ ssetup_exit:
30416 + }
30417 +
30418 + keygen_exit:
30419 +- if (!server->sign) {
30420 +- kfree(ses->auth_key.response);
30421 +- ses->auth_key.response = NULL;
30422 +- }
30423 + if (spnego_key) {
30424 + key_invalidate(spnego_key);
30425 + key_put(spnego_key);
30426 +@@ -921,15 +915,19 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
30427 + goto tcon_exit;
30428 + }
30429 +
30430 +- if (rsp->ShareType & SMB2_SHARE_TYPE_DISK)
30431 ++ switch (rsp->ShareType) {
30432 ++ case SMB2_SHARE_TYPE_DISK:
30433 + cifs_dbg(FYI, "connection to disk share\n");
30434 +- else if (rsp->ShareType & SMB2_SHARE_TYPE_PIPE) {
30435 ++ break;
30436 ++ case SMB2_SHARE_TYPE_PIPE:
30437 + tcon->ipc = true;
30438 + cifs_dbg(FYI, "connection to pipe share\n");
30439 +- } else if (rsp->ShareType & SMB2_SHARE_TYPE_PRINT) {
30440 +- tcon->print = true;
30441 ++ break;
30442 ++ case SMB2_SHARE_TYPE_PRINT:
30443 ++ tcon->ipc = true;
30444 + cifs_dbg(FYI, "connection to printer\n");
30445 +- } else {
30446 ++ break;
30447 ++ default:
30448 + cifs_dbg(VFS, "unknown share type %d\n", rsp->ShareType);
30449 + rc = -EOPNOTSUPP;
30450 + goto tcon_error_exit;
30451 +@@ -1353,6 +1351,9 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
30452 + } else
30453 + iov[0].iov_len = get_rfc1002_length(req) + 4;
30454 +
30455 ++ /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
30456 ++ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
30457 ++ req->hdr.Flags |= SMB2_FLAGS_SIGNED;
30458 +
30459 + rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0);
30460 + rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
30461 +diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
30462 +index 6b8e2f091f5b..5e6798a3c9b6 100644
30463 +--- a/fs/compat_ioctl.c
30464 ++++ b/fs/compat_ioctl.c
30465 +@@ -811,7 +811,7 @@ static int compat_ioctl_preallocate(struct file *file,
30466 + */
30467 + #define XFORM(i) (((i) ^ ((i) << 27) ^ ((i) << 17)) & 0xffffffff)
30468 +
30469 +-#define COMPATIBLE_IOCTL(cmd) XFORM(cmd),
30470 ++#define COMPATIBLE_IOCTL(cmd) XFORM((u32)cmd),
30471 + /* ioctl should not be warned about even if it's not implemented.
30472 + Valid reasons to use this:
30473 + - It is implemented with ->compat_ioctl on some device, but programs
30474 +diff --git a/fs/dcache.c b/fs/dcache.c
30475 +index 5ca8f0b2b897..c19576fa779e 100644
30476 +--- a/fs/dcache.c
30477 ++++ b/fs/dcache.c
30478 +@@ -607,11 +607,16 @@ again:
30479 + spin_unlock(&parent->d_lock);
30480 + goto again;
30481 + }
30482 +- rcu_read_unlock();
30483 +- if (parent != dentry)
30484 ++ if (parent != dentry) {
30485 + spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
30486 +- else
30487 ++ if (unlikely(dentry->d_lockref.count < 0)) {
30488 ++ spin_unlock(&parent->d_lock);
30489 ++ parent = NULL;
30490 ++ }
30491 ++ } else {
30492 + parent = NULL;
30493 ++ }
30494 ++ rcu_read_unlock();
30495 + return parent;
30496 + }
30497 +
30498 +diff --git a/fs/ext4/file.c b/fs/ext4/file.c
30499 +index f57cf1c42ca3..79f974ba1999 100644
30500 +--- a/fs/ext4/file.c
30501 ++++ b/fs/ext4/file.c
30502 +@@ -351,7 +351,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode,
30503 + int i, num;
30504 + unsigned long nr_pages;
30505 +
30506 +- num = min_t(pgoff_t, end - index, PAGEVEC_SIZE);
30507 ++ num = min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1;
30508 + nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index,
30509 + (pgoff_t)num);
30510 + if (nr_pages == 0)
30511 +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
30512 +index c1feaf011515..25fcf7b2bdaa 100644
30513 +--- a/fs/ext4/inode.c
30514 ++++ b/fs/ext4/inode.c
30515 +@@ -1476,6 +1476,8 @@ static void mpage_release_unused_pages(struct mpage_da_data *mpd,
30516 + BUG_ON(!PageLocked(page));
30517 + BUG_ON(PageWriteback(page));
30518 + if (invalidate) {
30519 ++ if (page_mapped(page))
30520 ++ clear_page_dirty_for_io(page);
30521 + block_invalidatepage(page, 0, PAGE_CACHE_SIZE);
30522 + ClearPageUptodate(page);
30523 + }
30524 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
30525 +index c67056a8c901..1f5062222425 100644
30526 +--- a/fs/ext4/super.c
30527 ++++ b/fs/ext4/super.c
30528 +@@ -2126,6 +2126,8 @@ static int ext4_check_descriptors(struct super_block *sb,
30529 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
30530 + "Block bitmap for group %u overlaps "
30531 + "superblock", i);
30532 ++ if (!(sb->s_flags & MS_RDONLY))
30533 ++ return 0;
30534 + }
30535 + if (block_bitmap < first_block || block_bitmap > last_block) {
30536 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
30537 +@@ -2138,6 +2140,8 @@ static int ext4_check_descriptors(struct super_block *sb,
30538 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
30539 + "Inode bitmap for group %u overlaps "
30540 + "superblock", i);
30541 ++ if (!(sb->s_flags & MS_RDONLY))
30542 ++ return 0;
30543 + }
30544 + if (inode_bitmap < first_block || inode_bitmap > last_block) {
30545 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
30546 +@@ -2150,6 +2154,8 @@ static int ext4_check_descriptors(struct super_block *sb,
30547 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
30548 + "Inode table for group %u overlaps "
30549 + "superblock", i);
30550 ++ if (!(sb->s_flags & MS_RDONLY))
30551 ++ return 0;
30552 + }
30553 + if (inode_table < first_block ||
30554 + inode_table + sbi->s_itb_per_group - 1 > last_block) {
30555 +diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
30556 +index e4d224315a1f..0bb394b4f04b 100644
30557 +--- a/fs/jbd2/journal.c
30558 ++++ b/fs/jbd2/journal.c
30559 +@@ -275,11 +275,11 @@ loop:
30560 + goto loop;
30561 +
30562 + end_loop:
30563 +- write_unlock(&journal->j_state_lock);
30564 + del_timer_sync(&journal->j_commit_timer);
30565 + journal->j_task = NULL;
30566 + wake_up(&journal->j_wait_done_commit);
30567 + jbd_debug(1, "Journal thread exiting.\n");
30568 ++ write_unlock(&journal->j_state_lock);
30569 + return 0;
30570 + }
30571 +
30572 +@@ -923,7 +923,7 @@ out:
30573 + }
30574 +
30575 + /*
30576 +- * This is a variaon of __jbd2_update_log_tail which checks for validity of
30577 ++ * This is a variation of __jbd2_update_log_tail which checks for validity of
30578 + * provided log tail and locks j_checkpoint_mutex. So it is safe against races
30579 + * with other threads updating log tail.
30580 + */
30581 +@@ -1399,6 +1399,9 @@ int jbd2_journal_update_sb_log_tail(journal_t *journal, tid_t tail_tid,
30582 + journal_superblock_t *sb = journal->j_superblock;
30583 + int ret;
30584 +
30585 ++ if (is_journal_aborted(journal))
30586 ++ return -EIO;
30587 ++
30588 + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex));
30589 + jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n",
30590 + tail_block, tail_tid);
30591 +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
30592 +index deff03371626..4ddcaf949a16 100644
30593 +--- a/fs/jbd2/transaction.c
30594 ++++ b/fs/jbd2/transaction.c
30595 +@@ -515,6 +515,7 @@ int jbd2_journal_start_reserved(handle_t *handle, unsigned int type,
30596 + */
30597 + ret = start_this_handle(journal, handle, GFP_NOFS);
30598 + if (ret < 0) {
30599 ++ handle->h_journal = journal;
30600 + jbd2_journal_free_reserved(handle);
30601 + return ret;
30602 + }
30603 +diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
30604 +index d86c5e3176a1..600da1a4df29 100644
30605 +--- a/fs/jffs2/super.c
30606 ++++ b/fs/jffs2/super.c
30607 +@@ -345,7 +345,7 @@ static void jffs2_put_super (struct super_block *sb)
30608 + static void jffs2_kill_sb(struct super_block *sb)
30609 + {
30610 + struct jffs2_sb_info *c = JFFS2_SB_INFO(sb);
30611 +- if (!(sb->s_flags & MS_RDONLY))
30612 ++ if (c && !(sb->s_flags & MS_RDONLY))
30613 + jffs2_stop_garbage_collect_thread(c);
30614 + kill_mtd_super(sb);
30615 + kfree(c);
30616 +diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c
30617 +index 55505cbe11af..375efc1ced83 100644
30618 +--- a/fs/lockd/svc.c
30619 ++++ b/fs/lockd/svc.c
30620 +@@ -129,6 +129,8 @@ lockd(void *vrqstp)
30621 + {
30622 + int err = 0;
30623 + struct svc_rqst *rqstp = vrqstp;
30624 ++ struct net *net = &init_net;
30625 ++ struct lockd_net *ln = net_generic(net, lockd_net_id);
30626 +
30627 + /* try_to_freeze() is called from svc_recv() */
30628 + set_freezable();
30629 +@@ -173,6 +175,8 @@ lockd(void *vrqstp)
30630 + if (nlmsvc_ops)
30631 + nlmsvc_invalidate_all();
30632 + nlm_shutdown_hosts();
30633 ++ cancel_delayed_work_sync(&ln->grace_period_end);
30634 ++ locks_end_grace(&ln->lockd_manager);
30635 + return 0;
30636 + }
30637 +
30638 +@@ -267,8 +271,6 @@ static void lockd_down_net(struct svc_serv *serv, struct net *net)
30639 + if (ln->nlmsvc_users) {
30640 + if (--ln->nlmsvc_users == 0) {
30641 + nlm_shutdown_hosts_net(net);
30642 +- cancel_delayed_work_sync(&ln->grace_period_end);
30643 +- locks_end_grace(&ln->lockd_manager);
30644 + svc_shutdown_net(serv, net);
30645 + dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net);
30646 + }
30647 +diff --git a/fs/namei.c b/fs/namei.c
30648 +index 0d97235019a9..4d333d26a028 100644
30649 +--- a/fs/namei.c
30650 ++++ b/fs/namei.c
30651 +@@ -219,9 +219,10 @@ getname_kernel(const char * filename)
30652 + if (len <= EMBEDDED_NAME_MAX) {
30653 + result->name = (char *)result->iname;
30654 + } else if (len <= PATH_MAX) {
30655 ++ const size_t size = offsetof(struct filename, iname[1]);
30656 + struct filename *tmp;
30657 +
30658 +- tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
30659 ++ tmp = kmalloc(size, GFP_KERNEL);
30660 + if (unlikely(!tmp)) {
30661 + __putname(result);
30662 + return ERR_PTR(-ENOMEM);
30663 +diff --git a/fs/namespace.c b/fs/namespace.c
30664 +index 58b281ad30d5..45fc042b84ce 100644
30665 +--- a/fs/namespace.c
30666 ++++ b/fs/namespace.c
30667 +@@ -1007,7 +1007,8 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
30668 + goto out_free;
30669 + }
30670 +
30671 +- mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
30672 ++ mnt->mnt.mnt_flags = old->mnt.mnt_flags;
30673 ++ mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);
30674 + /* Don't allow unprivileged users to change mount flags */
30675 + if (flag & CL_UNPRIVILEGED) {
30676 + mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
30677 +diff --git a/fs/ncpfs/ncplib_kernel.c b/fs/ncpfs/ncplib_kernel.c
30678 +index 88dbbc9fcf4d..f571570a2e72 100644
30679 +--- a/fs/ncpfs/ncplib_kernel.c
30680 ++++ b/fs/ncpfs/ncplib_kernel.c
30681 +@@ -980,6 +980,10 @@ ncp_read_kernel(struct ncp_server *server, const char *file_id,
30682 + goto out;
30683 + }
30684 + *bytes_read = ncp_reply_be16(server, 0);
30685 ++ if (*bytes_read > to_read) {
30686 ++ result = -EINVAL;
30687 ++ goto out;
30688 ++ }
30689 + source = ncp_reply_data(server, 2 + (offset & 1));
30690 +
30691 + memcpy(target, source, *bytes_read);
30692 +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
30693 +index cb050d1e8146..10b055105b36 100644
30694 +--- a/fs/nfs/direct.c
30695 ++++ b/fs/nfs/direct.c
30696 +@@ -86,9 +86,9 @@ struct nfs_direct_req {
30697 + struct nfs_direct_mirror mirrors[NFS_PAGEIO_DESCRIPTOR_MIRROR_MAX];
30698 + int mirror_count;
30699 +
30700 ++ loff_t io_start; /* Start offset for I/O */
30701 + ssize_t count, /* bytes actually processed */
30702 + bytes_left, /* bytes left to be sent */
30703 +- io_start, /* start of IO */
30704 + error; /* any reported error */
30705 + struct completion completion; /* wait for i/o completion */
30706 +
30707 +diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
30708 +index c2abdc7db6c3..4af8e428e4c9 100644
30709 +--- a/fs/nfs/flexfilelayout/flexfilelayout.c
30710 ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
30711 +@@ -307,6 +307,7 @@ ff_layout_alloc_lseg(struct pnfs_layout_hdr *lh,
30712 + goto out_err_free;
30713 +
30714 + /* fh */
30715 ++ rc = -EIO;
30716 + p = xdr_inline_decode(&stream, 4);
30717 + if (!p)
30718 + goto out_err_free;
30719 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
30720 +index 0fb0dc739fb2..9b6950a5fcc6 100644
30721 +--- a/fs/nfs/nfs4proc.c
30722 ++++ b/fs/nfs/nfs4proc.c
30723 +@@ -7531,6 +7531,12 @@ static int nfs41_reclaim_complete_handle_errors(struct rpc_task *task, struct nf
30724 + /* fall through */
30725 + case -NFS4ERR_RETRY_UNCACHED_REP:
30726 + return -EAGAIN;
30727 ++ case -NFS4ERR_BADSESSION:
30728 ++ case -NFS4ERR_DEADSESSION:
30729 ++ case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
30730 ++ nfs4_schedule_session_recovery(clp->cl_session,
30731 ++ task->tk_status);
30732 ++ break;
30733 + default:
30734 + nfs4_schedule_lease_recovery(clp);
30735 + }
30736 +@@ -7609,7 +7615,6 @@ static int nfs41_proc_reclaim_complete(struct nfs_client *clp,
30737 + if (status == 0)
30738 + status = task->tk_status;
30739 + rpc_put_task(task);
30740 +- return 0;
30741 + out:
30742 + dprintk("<-- %s status=%d\n", __func__, status);
30743 + return status;
30744 +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
30745 +index f8d2902ec118..0b50bdfbc32f 100644
30746 +--- a/fs/nfs/nfs4state.c
30747 ++++ b/fs/nfs/nfs4state.c
30748 +@@ -1591,13 +1591,14 @@ static void nfs4_state_start_reclaim_reboot(struct nfs_client *clp)
30749 + nfs4_state_mark_reclaim_helper(clp, nfs4_state_mark_reclaim_reboot);
30750 + }
30751 +
30752 +-static void nfs4_reclaim_complete(struct nfs_client *clp,
30753 ++static int nfs4_reclaim_complete(struct nfs_client *clp,
30754 + const struct nfs4_state_recovery_ops *ops,
30755 + struct rpc_cred *cred)
30756 + {
30757 + /* Notify the server we're done reclaiming our state */
30758 + if (ops->reclaim_complete)
30759 +- (void)ops->reclaim_complete(clp, cred);
30760 ++ return ops->reclaim_complete(clp, cred);
30761 ++ return 0;
30762 + }
30763 +
30764 + static void nfs4_clear_reclaim_server(struct nfs_server *server)
30765 +@@ -1644,13 +1645,16 @@ static void nfs4_state_end_reclaim_reboot(struct nfs_client *clp)
30766 + {
30767 + const struct nfs4_state_recovery_ops *ops;
30768 + struct rpc_cred *cred;
30769 ++ int err;
30770 +
30771 + if (!nfs4_state_clear_reclaim_reboot(clp))
30772 + return;
30773 + ops = clp->cl_mvops->reboot_recovery_ops;
30774 + cred = nfs4_get_clid_cred(clp);
30775 +- nfs4_reclaim_complete(clp, ops, cred);
30776 ++ err = nfs4_reclaim_complete(clp, ops, cred);
30777 + put_rpccred(cred);
30778 ++ if (err == -NFS4ERR_CONN_NOT_BOUND_TO_SESSION)
30779 ++ set_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state);
30780 + }
30781 +
30782 + static void nfs_delegation_clear_all(struct nfs_client *clp)
30783 +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
30784 +index 93d355c8b467..50d40b129737 100644
30785 +--- a/fs/nfs/pagelist.c
30786 ++++ b/fs/nfs/pagelist.c
30787 +@@ -1277,8 +1277,10 @@ void nfs_pageio_cond_complete(struct nfs_pageio_descriptor *desc, pgoff_t index)
30788 + mirror = &desc->pg_mirrors[midx];
30789 + if (!list_empty(&mirror->pg_list)) {
30790 + prev = nfs_list_entry(mirror->pg_list.prev);
30791 +- if (index != prev->wb_index + 1)
30792 +- nfs_pageio_complete_mirror(desc, midx);
30793 ++ if (index != prev->wb_index + 1) {
30794 ++ nfs_pageio_complete(desc);
30795 ++ break;
30796 ++ }
30797 + }
30798 + }
30799 + }
30800 +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
30801 +index 1e58fa0a28a3..73c93f2d6353 100644
30802 +--- a/fs/nfsd/nfs4proc.c
30803 ++++ b/fs/nfsd/nfs4proc.c
30804 +@@ -1256,14 +1256,14 @@ nfsd4_layoutget(struct svc_rqst *rqstp,
30805 + const struct nfsd4_layout_ops *ops;
30806 + struct nfs4_layout_stateid *ls;
30807 + __be32 nfserr;
30808 +- int accmode;
30809 ++ int accmode = NFSD_MAY_READ_IF_EXEC;
30810 +
30811 + switch (lgp->lg_seg.iomode) {
30812 + case IOMODE_READ:
30813 +- accmode = NFSD_MAY_READ;
30814 ++ accmode |= NFSD_MAY_READ;
30815 + break;
30816 + case IOMODE_RW:
30817 +- accmode = NFSD_MAY_READ | NFSD_MAY_WRITE;
30818 ++ accmode |= NFSD_MAY_READ | NFSD_MAY_WRITE;
30819 + break;
30820 + default:
30821 + dprintk("%s: invalid iomode %d\n",
30822 +diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
30823 +index 5eaee287be23..9bfcd93448dc 100644
30824 +--- a/fs/nfsd/vfs.c
30825 ++++ b/fs/nfsd/vfs.c
30826 +@@ -92,6 +92,12 @@ nfsd_cross_mnt(struct svc_rqst *rqstp, struct dentry **dpp,
30827 + err = follow_down(&path);
30828 + if (err < 0)
30829 + goto out;
30830 ++ if (path.mnt == exp->ex_path.mnt && path.dentry == dentry &&
30831 ++ nfsd_mountpoint(dentry, exp) == 2) {
30832 ++ /* This is only a mountpoint in some other namespace */
30833 ++ path_put(&path);
30834 ++ goto out;
30835 ++ }
30836 +
30837 + exp2 = rqst_exp_get_by_name(rqstp, &path);
30838 + if (IS_ERR(exp2)) {
30839 +@@ -165,16 +171,26 @@ static int nfsd_lookup_parent(struct svc_rqst *rqstp, struct dentry *dparent, st
30840 + /*
30841 + * For nfsd purposes, we treat V4ROOT exports as though there was an
30842 + * export at *every* directory.
30843 ++ * We return:
30844 ++ * '1' if this dentry *must* be an export point,
30845 ++ * '2' if it might be, if there is really a mount here, and
30846 ++ * '0' if there is no chance of an export point here.
30847 + */
30848 + int nfsd_mountpoint(struct dentry *dentry, struct svc_export *exp)
30849 + {
30850 +- if (d_mountpoint(dentry))
30851 ++ if (!d_inode(dentry))
30852 ++ return 0;
30853 ++ if (exp->ex_flags & NFSEXP_V4ROOT)
30854 + return 1;
30855 + if (nfsd4_is_junction(dentry))
30856 + return 1;
30857 +- if (!(exp->ex_flags & NFSEXP_V4ROOT))
30858 +- return 0;
30859 +- return d_inode(dentry) != NULL;
30860 ++ if (d_mountpoint(dentry))
30861 ++ /*
30862 ++ * Might only be a mountpoint in a different namespace,
30863 ++ * but we need to check.
30864 ++ */
30865 ++ return 2;
30866 ++ return 0;
30867 + }
30868 +
30869 + __be32
30870 +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
30871 +index e0e5f7c3c99f..8a459b179183 100644
30872 +--- a/fs/notify/fanotify/fanotify.c
30873 ++++ b/fs/notify/fanotify/fanotify.c
30874 +@@ -92,7 +92,7 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark,
30875 + u32 event_mask,
30876 + void *data, int data_type)
30877 + {
30878 +- __u32 marks_mask, marks_ignored_mask;
30879 ++ __u32 marks_mask = 0, marks_ignored_mask = 0;
30880 + struct path *path = data;
30881 +
30882 + pr_debug("%s: inode_mark=%p vfsmnt_mark=%p mask=%x data=%p"
30883 +@@ -108,24 +108,20 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark,
30884 + !d_can_lookup(path->dentry))
30885 + return false;
30886 +
30887 +- if (inode_mark && vfsmnt_mark) {
30888 +- marks_mask = (vfsmnt_mark->mask | inode_mark->mask);
30889 +- marks_ignored_mask = (vfsmnt_mark->ignored_mask | inode_mark->ignored_mask);
30890 +- } else if (inode_mark) {
30891 +- /*
30892 +- * if the event is for a child and this inode doesn't care about
30893 +- * events on the child, don't send it!
30894 +- */
30895 +- if ((event_mask & FS_EVENT_ON_CHILD) &&
30896 +- !(inode_mark->mask & FS_EVENT_ON_CHILD))
30897 +- return false;
30898 +- marks_mask = inode_mark->mask;
30899 +- marks_ignored_mask = inode_mark->ignored_mask;
30900 +- } else if (vfsmnt_mark) {
30901 +- marks_mask = vfsmnt_mark->mask;
30902 +- marks_ignored_mask = vfsmnt_mark->ignored_mask;
30903 +- } else {
30904 +- BUG();
30905 ++ /*
30906 ++ * if the event is for a child and this inode doesn't care about
30907 ++ * events on the child, don't send it!
30908 ++ */
30909 ++ if (inode_mark &&
30910 ++ (!(event_mask & FS_EVENT_ON_CHILD) ||
30911 ++ (inode_mark->mask & FS_EVENT_ON_CHILD))) {
30912 ++ marks_mask |= inode_mark->mask;
30913 ++ marks_ignored_mask |= inode_mark->ignored_mask;
30914 ++ }
30915 ++
30916 ++ if (vfsmnt_mark) {
30917 ++ marks_mask |= vfsmnt_mark->mask;
30918 ++ marks_ignored_mask |= vfsmnt_mark->ignored_mask;
30919 + }
30920 +
30921 + if (d_is_dir(path->dentry) &&
30922 +diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
30923 +index d293034ae2cb..e73f0070a0fc 100644
30924 +--- a/fs/overlayfs/inode.c
30925 ++++ b/fs/overlayfs/inode.c
30926 +@@ -274,6 +274,16 @@ ssize_t ovl_getxattr(struct dentry *dentry, const char *name,
30927 + return vfs_getxattr(realpath.dentry, name, value, size);
30928 + }
30929 +
30930 ++static bool ovl_can_list(const char *s)
30931 ++{
30932 ++ /* List all non-trusted xatts */
30933 ++ if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
30934 ++ return true;
30935 ++
30936 ++ /* Never list trusted.overlay, list other trusted for superuser only */
30937 ++ return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN);
30938 ++}
30939 ++
30940 + ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
30941 + {
30942 + struct path realpath;
30943 +@@ -298,7 +308,7 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
30944 + return -EIO;
30945 +
30946 + len -= slen;
30947 +- if (ovl_is_private_xattr(s)) {
30948 ++ if (!ovl_can_list(s)) {
30949 + res -= slen;
30950 + memmove(s, s + slen, len);
30951 + } else {
30952 +diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
30953 +index 9d6486d416a3..00985f9db9f7 100644
30954 +--- a/fs/reiserfs/journal.c
30955 ++++ b/fs/reiserfs/journal.c
30956 +@@ -1961,7 +1961,7 @@ static int do_journal_release(struct reiserfs_transaction_handle *th,
30957 + * will be requeued because superblock is being shutdown and doesn't
30958 + * have MS_ACTIVE set.
30959 + */
30960 +- cancel_delayed_work_sync(&REISERFS_SB(sb)->old_work);
30961 ++ reiserfs_cancel_old_flush(sb);
30962 + /* wait for all commits to finish */
30963 + cancel_delayed_work_sync(&SB_JOURNAL(sb)->j_work);
30964 +
30965 +@@ -2643,7 +2643,7 @@ static int journal_init_dev(struct super_block *super,
30966 + if (IS_ERR(journal->j_dev_bd)) {
30967 + result = PTR_ERR(journal->j_dev_bd);
30968 + journal->j_dev_bd = NULL;
30969 +- reiserfs_warning(super,
30970 ++ reiserfs_warning(super, "sh-457",
30971 + "journal_init_dev: Cannot open '%s': %i",
30972 + jdev_name, result);
30973 + return result;
30974 +diff --git a/fs/reiserfs/reiserfs.h b/fs/reiserfs/reiserfs.h
30975 +index 5dcf3ab83886..6ca00471afbf 100644
30976 +--- a/fs/reiserfs/reiserfs.h
30977 ++++ b/fs/reiserfs/reiserfs.h
30978 +@@ -2948,6 +2948,7 @@ int reiserfs_allocate_list_bitmaps(struct super_block *s,
30979 + struct reiserfs_list_bitmap *, unsigned int);
30980 +
30981 + void reiserfs_schedule_old_flush(struct super_block *s);
30982 ++void reiserfs_cancel_old_flush(struct super_block *s);
30983 + void add_save_link(struct reiserfs_transaction_handle *th,
30984 + struct inode *inode, int truncate);
30985 + int remove_save_link(struct inode *inode, int truncate);
30986 +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
30987 +index cf6fa25f884b..45ec0e91010a 100644
30988 +--- a/fs/reiserfs/super.c
30989 ++++ b/fs/reiserfs/super.c
30990 +@@ -89,7 +89,9 @@ static void flush_old_commits(struct work_struct *work)
30991 + s = sbi->s_journal->j_work_sb;
30992 +
30993 + spin_lock(&sbi->old_work_lock);
30994 +- sbi->work_queued = 0;
30995 ++ /* Avoid clobbering the cancel state... */
30996 ++ if (sbi->work_queued == 1)
30997 ++ sbi->work_queued = 0;
30998 + spin_unlock(&sbi->old_work_lock);
30999 +
31000 + reiserfs_sync_fs(s, 1);
31001 +@@ -116,21 +118,22 @@ void reiserfs_schedule_old_flush(struct super_block *s)
31002 + spin_unlock(&sbi->old_work_lock);
31003 + }
31004 +
31005 +-static void cancel_old_flush(struct super_block *s)
31006 ++void reiserfs_cancel_old_flush(struct super_block *s)
31007 + {
31008 + struct reiserfs_sb_info *sbi = REISERFS_SB(s);
31009 +
31010 +- cancel_delayed_work_sync(&REISERFS_SB(s)->old_work);
31011 + spin_lock(&sbi->old_work_lock);
31012 +- sbi->work_queued = 0;
31013 ++ /* Make sure no new flushes will be queued */
31014 ++ sbi->work_queued = 2;
31015 + spin_unlock(&sbi->old_work_lock);
31016 ++ cancel_delayed_work_sync(&REISERFS_SB(s)->old_work);
31017 + }
31018 +
31019 + static int reiserfs_freeze(struct super_block *s)
31020 + {
31021 + struct reiserfs_transaction_handle th;
31022 +
31023 +- cancel_old_flush(s);
31024 ++ reiserfs_cancel_old_flush(s);
31025 +
31026 + reiserfs_write_lock(s);
31027 + if (!(s->s_flags & MS_RDONLY)) {
31028 +@@ -151,7 +154,13 @@ static int reiserfs_freeze(struct super_block *s)
31029 +
31030 + static int reiserfs_unfreeze(struct super_block *s)
31031 + {
31032 ++ struct reiserfs_sb_info *sbi = REISERFS_SB(s);
31033 ++
31034 + reiserfs_allow_writes(s);
31035 ++ spin_lock(&sbi->old_work_lock);
31036 ++ /* Allow old_work to run again */
31037 ++ sbi->work_queued = 0;
31038 ++ spin_unlock(&sbi->old_work_lock);
31039 + return 0;
31040 + }
31041 +
31042 +@@ -2177,7 +2186,7 @@ error_unlocked:
31043 + if (sbi->commit_wq)
31044 + destroy_workqueue(sbi->commit_wq);
31045 +
31046 +- cancel_delayed_work_sync(&REISERFS_SB(s)->old_work);
31047 ++ reiserfs_cancel_old_flush(s);
31048 +
31049 + reiserfs_free_bitmap_cache(s);
31050 + if (SB_BUFFER_WITH_SB(s))
31051 +diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
31052 +index 75e6f04bb795..48ab0c462f21 100644
31053 +--- a/fs/ubifs/super.c
31054 ++++ b/fs/ubifs/super.c
31055 +@@ -1724,8 +1724,11 @@ static void ubifs_remount_ro(struct ubifs_info *c)
31056 +
31057 + dbg_save_space_info(c);
31058 +
31059 +- for (i = 0; i < c->jhead_cnt; i++)
31060 +- ubifs_wbuf_sync(&c->jheads[i].wbuf);
31061 ++ for (i = 0; i < c->jhead_cnt; i++) {
31062 ++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
31063 ++ if (err)
31064 ++ ubifs_ro_mode(c, err);
31065 ++ }
31066 +
31067 + c->mst_node->flags &= ~cpu_to_le32(UBIFS_MST_DIRTY);
31068 + c->mst_node->flags |= cpu_to_le32(UBIFS_MST_NO_ORPHS);
31069 +@@ -1791,8 +1794,11 @@ static void ubifs_put_super(struct super_block *sb)
31070 + int err;
31071 +
31072 + /* Synchronize write-buffers */
31073 +- for (i = 0; i < c->jhead_cnt; i++)
31074 +- ubifs_wbuf_sync(&c->jheads[i].wbuf);
31075 ++ for (i = 0; i < c->jhead_cnt; i++) {
31076 ++ err = ubifs_wbuf_sync(&c->jheads[i].wbuf);
31077 ++ if (err)
31078 ++ ubifs_ro_mode(c, err);
31079 ++ }
31080 +
31081 + /*
31082 + * We are being cleanly unmounted which means the
31083 +diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
31084 +index d1e49d52b640..de179993e039 100644
31085 +--- a/include/linux/compiler-clang.h
31086 ++++ b/include/linux/compiler-clang.h
31087 +@@ -10,3 +10,8 @@
31088 + #undef uninitialized_var
31089 + #define uninitialized_var(x) x = *(&(x))
31090 + #endif
31091 ++
31092 ++/* same as gcc, this was present in clang-2.6 so we can assume it works
31093 ++ * with any version that can compile the kernel
31094 ++ */
31095 ++#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__)
31096 +diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
31097 +index a91b3b75da0f..bb3a4bb35183 100644
31098 +--- a/include/linux/cpumask.h
31099 ++++ b/include/linux/cpumask.h
31100 +@@ -661,6 +661,11 @@ void alloc_bootmem_cpumask_var(cpumask_var_t *mask);
31101 + void free_cpumask_var(cpumask_var_t mask);
31102 + void free_bootmem_cpumask_var(cpumask_var_t mask);
31103 +
31104 ++static inline bool cpumask_available(cpumask_var_t mask)
31105 ++{
31106 ++ return mask != NULL;
31107 ++}
31108 ++
31109 + #else
31110 + typedef struct cpumask cpumask_var_t[1];
31111 +
31112 +@@ -701,6 +706,11 @@ static inline void free_cpumask_var(cpumask_var_t mask)
31113 + static inline void free_bootmem_cpumask_var(cpumask_var_t mask)
31114 + {
31115 + }
31116 ++
31117 ++static inline bool cpumask_available(cpumask_var_t mask)
31118 ++{
31119 ++ return true;
31120 ++}
31121 + #endif /* CONFIG_CPUMASK_OFFSTACK */
31122 +
31123 + /* It's common to want to use cpu_all_mask in struct member initializers,
31124 +diff --git a/include/linux/hid.h b/include/linux/hid.h
31125 +index 176b43670e5d..123852d873fa 100644
31126 +--- a/include/linux/hid.h
31127 ++++ b/include/linux/hid.h
31128 +@@ -793,7 +793,7 @@ extern int hidinput_connect(struct hid_device *hid, unsigned int force);
31129 + extern void hidinput_disconnect(struct hid_device *);
31130 +
31131 + int hid_set_field(struct hid_field *, unsigned, __s32);
31132 +-int hid_input_report(struct hid_device *, int type, u8 *, int, int);
31133 ++int hid_input_report(struct hid_device *, int type, u8 *, u32, int);
31134 + int hidinput_find_field(struct hid_device *hid, unsigned int type, unsigned int code, struct hid_field **field);
31135 + struct hid_field *hidinput_get_led_field(struct hid_device *hid);
31136 + unsigned int hidinput_count_leds(struct hid_device *hid);
31137 +@@ -1096,13 +1096,13 @@ static inline void hid_hw_wait(struct hid_device *hdev)
31138 + *
31139 + * @report: the report we want to know the length
31140 + */
31141 +-static inline int hid_report_len(struct hid_report *report)
31142 ++static inline u32 hid_report_len(struct hid_report *report)
31143 + {
31144 + /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */
31145 + return ((report->size - 1) >> 3) + 1 + (report->id > 0);
31146 + }
31147 +
31148 +-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
31149 ++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
31150 + int interrupt);
31151 +
31152 + /* HID quirks API */
31153 +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
31154 +index 99de81a5a4c6..adbf5b313ff8 100644
31155 +--- a/include/linux/if_vlan.h
31156 ++++ b/include/linux/if_vlan.h
31157 +@@ -585,7 +585,7 @@ static inline bool skb_vlan_tagged(const struct sk_buff *skb)
31158 + * Returns true if the skb is tagged with multiple vlan headers, regardless
31159 + * of whether it is hardware accelerated or not.
31160 + */
31161 +-static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
31162 ++static inline bool skb_vlan_tagged_multi(struct sk_buff *skb)
31163 + {
31164 + __be16 protocol = skb->protocol;
31165 +
31166 +@@ -596,6 +596,9 @@ static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
31167 + protocol != htons(ETH_P_8021AD)))
31168 + return false;
31169 +
31170 ++ if (unlikely(!pskb_may_pull(skb, VLAN_ETH_HLEN)))
31171 ++ return false;
31172 ++
31173 + veh = (struct vlan_ethhdr *)skb->data;
31174 + protocol = veh->h_vlan_encapsulated_proto;
31175 + }
31176 +@@ -613,7 +616,7 @@ static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
31177 + *
31178 + * Returns features without unsafe ones if the skb has multiple tags.
31179 + */
31180 +-static inline netdev_features_t vlan_features_check(const struct sk_buff *skb,
31181 ++static inline netdev_features_t vlan_features_check(struct sk_buff *skb,
31182 + netdev_features_t features)
31183 + {
31184 + if (skb_vlan_tagged_multi(skb)) {
31185 +diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
31186 +index c367cbdf73ab..443dd702537f 100644
31187 +--- a/include/linux/jiffies.h
31188 ++++ b/include/linux/jiffies.h
31189 +@@ -1,6 +1,7 @@
31190 + #ifndef _LINUX_JIFFIES_H
31191 + #define _LINUX_JIFFIES_H
31192 +
31193 ++#include <linux/cache.h>
31194 + #include <linux/math64.h>
31195 + #include <linux/kernel.h>
31196 + #include <linux/types.h>
31197 +@@ -62,19 +63,17 @@ extern int register_refined_jiffies(long clock_tick_rate);
31198 + /* TICK_USEC is the time between ticks in usec assuming fake USER_HZ */
31199 + #define TICK_USEC ((1000000UL + USER_HZ/2) / USER_HZ)
31200 +
31201 +-/* some arch's have a small-data section that can be accessed register-relative
31202 +- * but that can only take up to, say, 4-byte variables. jiffies being part of
31203 +- * an 8-byte variable may not be correctly accessed unless we force the issue
31204 +- */
31205 +-#define __jiffy_data __attribute__((section(".data")))
31206 ++#ifndef __jiffy_arch_data
31207 ++#define __jiffy_arch_data
31208 ++#endif
31209 +
31210 + /*
31211 + * The 64-bit value is not atomic - you MUST NOT read it
31212 + * without sampling the sequence number in jiffies_lock.
31213 + * get_jiffies_64() will do this for you as appropriate.
31214 + */
31215 +-extern u64 __jiffy_data jiffies_64;
31216 +-extern unsigned long volatile __jiffy_data jiffies;
31217 ++extern u64 __cacheline_aligned_in_smp jiffies_64;
31218 ++extern unsigned long volatile __cacheline_aligned_in_smp __jiffy_arch_data jiffies;
31219 +
31220 + #if (BITS_PER_LONG < 64)
31221 + u64 get_jiffies_64(void);
31222 +diff --git a/include/linux/llist.h b/include/linux/llist.h
31223 +index fbf10a0bc095..4d86a9d273b3 100644
31224 +--- a/include/linux/llist.h
31225 ++++ b/include/linux/llist.h
31226 +@@ -87,6 +87,23 @@ static inline void init_llist_head(struct llist_head *list)
31227 + #define llist_entry(ptr, type, member) \
31228 + container_of(ptr, type, member)
31229 +
31230 ++/**
31231 ++ * member_address_is_nonnull - check whether the member address is not NULL
31232 ++ * @ptr: the object pointer (struct type * that contains the llist_node)
31233 ++ * @member: the name of the llist_node within the struct.
31234 ++ *
31235 ++ * This macro is conceptually the same as
31236 ++ * &ptr->member != NULL
31237 ++ * but it works around the fact that compilers can decide that taking a member
31238 ++ * address is never a NULL pointer.
31239 ++ *
31240 ++ * Real objects that start at a high address and have a member at NULL are
31241 ++ * unlikely to exist, but such pointers may be returned e.g. by the
31242 ++ * container_of() macro.
31243 ++ */
31244 ++#define member_address_is_nonnull(ptr, member) \
31245 ++ ((uintptr_t)(ptr) + offsetof(typeof(*(ptr)), member) != 0)
31246 ++
31247 + /**
31248 + * llist_for_each - iterate over some deleted entries of a lock-less list
31249 + * @pos: the &struct llist_node to use as a loop cursor
31250 +@@ -121,7 +138,7 @@ static inline void init_llist_head(struct llist_head *list)
31251 + */
31252 + #define llist_for_each_entry(pos, node, member) \
31253 + for ((pos) = llist_entry((node), typeof(*(pos)), member); \
31254 +- &(pos)->member != NULL; \
31255 ++ member_address_is_nonnull(pos, member); \
31256 + (pos) = llist_entry((pos)->member.next, typeof(*(pos)), member))
31257 +
31258 + /**
31259 +@@ -143,7 +160,7 @@ static inline void init_llist_head(struct llist_head *list)
31260 + */
31261 + #define llist_for_each_entry_safe(pos, n, node, member) \
31262 + for (pos = llist_entry((node), typeof(*pos), member); \
31263 +- &pos->member != NULL && \
31264 ++ member_address_is_nonnull(pos, member) && \
31265 + (n = llist_entry(pos->member.next, typeof(*n), member), true); \
31266 + pos = n)
31267 +
31268 +diff --git a/include/linux/mlx4/qp.h b/include/linux/mlx4/qp.h
31269 +index 6fed539e5456..066818f0a0ac 100644
31270 +--- a/include/linux/mlx4/qp.h
31271 ++++ b/include/linux/mlx4/qp.h
31272 +@@ -450,6 +450,7 @@ struct mlx4_update_qp_params {
31273 + u16 rate_val;
31274 + };
31275 +
31276 ++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn);
31277 + int mlx4_update_qp(struct mlx4_dev *dev, u32 qpn,
31278 + enum mlx4_update_qp_attr attr,
31279 + struct mlx4_update_qp_params *params);
31280 +diff --git a/include/linux/mtd/flashchip.h b/include/linux/mtd/flashchip.h
31281 +index b63fa457febd..3529683f691e 100644
31282 +--- a/include/linux/mtd/flashchip.h
31283 ++++ b/include/linux/mtd/flashchip.h
31284 +@@ -85,6 +85,7 @@ struct flchip {
31285 + unsigned int write_suspended:1;
31286 + unsigned int erase_suspended:1;
31287 + unsigned long in_progress_block_addr;
31288 ++ unsigned long in_progress_block_mask;
31289 +
31290 + struct mutex mutex;
31291 + wait_queue_head_t wq; /* Wait on here when we're waiting for the chip
31292 +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
31293 +index cc615e273f80..b95f00cb6219 100644
31294 +--- a/include/linux/netfilter/x_tables.h
31295 ++++ b/include/linux/netfilter/x_tables.h
31296 +@@ -247,6 +247,8 @@ unsigned int *xt_alloc_entry_offsets(unsigned int size);
31297 + bool xt_find_jump_offset(const unsigned int *offsets,
31298 + unsigned int target, unsigned int size);
31299 +
31300 ++int xt_check_proc_name(const char *name, unsigned int size);
31301 ++
31302 + int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
31303 + bool inv_proto);
31304 + int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
31305 +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
31306 +index 30a8f531236c..2629fc3e24e0 100644
31307 +--- a/include/linux/pagemap.h
31308 ++++ b/include/linux/pagemap.h
31309 +@@ -146,7 +146,7 @@ static inline int page_cache_get_speculative(struct page *page)
31310 +
31311 + #ifdef CONFIG_TINY_RCU
31312 + # ifdef CONFIG_PREEMPT_COUNT
31313 +- VM_BUG_ON(!in_atomic());
31314 ++ VM_BUG_ON(!in_atomic() && !irqs_disabled());
31315 + # endif
31316 + /*
31317 + * Preempt must be disabled here - we rely on rcu_read_lock doing
31318 +@@ -184,7 +184,7 @@ static inline int page_cache_add_speculative(struct page *page, int count)
31319 +
31320 + #if !defined(CONFIG_SMP) && defined(CONFIG_TREE_RCU)
31321 + # ifdef CONFIG_PREEMPT_COUNT
31322 +- VM_BUG_ON(!in_atomic());
31323 ++ VM_BUG_ON(!in_atomic() && !irqs_disabled());
31324 + # endif
31325 + VM_BUG_ON_PAGE(page_count(page) == 0, page);
31326 + atomic_add(count, &page->_count);
31327 +diff --git a/include/linux/platform_data/isl9305.h b/include/linux/platform_data/isl9305.h
31328 +index 1419133fa69e..4ac1a070af0a 100644
31329 +--- a/include/linux/platform_data/isl9305.h
31330 ++++ b/include/linux/platform_data/isl9305.h
31331 +@@ -24,7 +24,7 @@
31332 + struct regulator_init_data;
31333 +
31334 + struct isl9305_pdata {
31335 +- struct regulator_init_data *init_data[ISL9305_MAX_REGULATOR];
31336 ++ struct regulator_init_data *init_data[ISL9305_MAX_REGULATOR + 1];
31337 + };
31338 +
31339 + #endif
31340 +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
31341 +index 495ad8fbe240..30fb6495315b 100644
31342 +--- a/include/linux/skbuff.h
31343 ++++ b/include/linux/skbuff.h
31344 +@@ -847,10 +847,10 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb,
31345 + unsigned int headroom);
31346 + struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom,
31347 + int newtailroom, gfp_t priority);
31348 +-int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
31349 +- int offset, int len);
31350 +-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset,
31351 +- int len);
31352 ++int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
31353 ++ int offset, int len);
31354 ++int __must_check skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg,
31355 ++ int offset, int len);
31356 + int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer);
31357 + int skb_pad(struct sk_buff *skb, int pad);
31358 + #define dev_kfree_skb(a) consume_skb(a)
31359 +diff --git a/include/linux/tty.h b/include/linux/tty.h
31360 +index 52baf4089bd2..0d56f919bda3 100644
31361 +--- a/include/linux/tty.h
31362 ++++ b/include/linux/tty.h
31363 +@@ -343,6 +343,7 @@ struct tty_file_private {
31364 + #define TTY_PTY_LOCK 16 /* pty private */
31365 + #define TTY_NO_WRITE_SPLIT 17 /* Preserve write boundaries to driver */
31366 + #define TTY_HUPPED 18 /* Post driver->hangup() */
31367 ++#define TTY_HUPPING 19 /* Hangup in progress */
31368 + #define TTY_LDISC_HALTED 22 /* Line discipline is halted */
31369 +
31370 + #define TTY_WRITE_FLUSH(tty) tty_write_flush((tty))
31371 +@@ -581,7 +582,7 @@ extern int tty_unregister_ldisc(int disc);
31372 + extern int tty_set_ldisc(struct tty_struct *tty, int ldisc);
31373 + extern int tty_ldisc_setup(struct tty_struct *tty, struct tty_struct *o_tty);
31374 + extern void tty_ldisc_release(struct tty_struct *tty);
31375 +-extern void tty_ldisc_init(struct tty_struct *tty);
31376 ++extern int __must_check tty_ldisc_init(struct tty_struct *tty);
31377 + extern void tty_ldisc_deinit(struct tty_struct *tty);
31378 + extern void tty_ldisc_begin(void);
31379 +
31380 +diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h
31381 +index 4f3dfb7d0654..96a8870e38fe 100644
31382 +--- a/include/linux/usb/gadget.h
31383 ++++ b/include/linux/usb/gadget.h
31384 +@@ -585,9 +585,21 @@ static inline struct usb_gadget *dev_to_usb_gadget(struct device *dev)
31385 + list_for_each_entry(tmp, &(gadget)->ep_list, ep_list)
31386 +
31387 +
31388 ++/**
31389 ++ * usb_ep_align - returns @len aligned to ep's maxpacketsize.
31390 ++ * @ep: the endpoint whose maxpacketsize is used to align @len
31391 ++ * @len: buffer size's length to align to @ep's maxpacketsize
31392 ++ *
31393 ++ * This helper is used to align buffer's size to an ep's maxpacketsize.
31394 ++ */
31395 ++static inline size_t usb_ep_align(struct usb_ep *ep, size_t len)
31396 ++{
31397 ++ return round_up(len, (size_t)le16_to_cpu(ep->desc->wMaxPacketSize));
31398 ++}
31399 ++
31400 + /**
31401 + * usb_ep_align_maybe - returns @len aligned to ep's maxpacketsize if gadget
31402 +- * requires quirk_ep_out_aligned_size, otherwise reguens len.
31403 ++ * requires quirk_ep_out_aligned_size, otherwise returns len.
31404 + * @g: controller to check for quirk
31405 + * @ep: the endpoint whose maxpacketsize is used to align @len
31406 + * @len: buffer size's length to align to @ep's maxpacketsize
31407 +@@ -598,8 +610,7 @@ static inline struct usb_gadget *dev_to_usb_gadget(struct device *dev)
31408 + static inline size_t
31409 + usb_ep_align_maybe(struct usb_gadget *g, struct usb_ep *ep, size_t len)
31410 + {
31411 +- return !g->quirk_ep_out_aligned_size ? len :
31412 +- round_up(len, (size_t)ep->desc->wMaxPacketSize);
31413 ++ return g->quirk_ep_out_aligned_size ? usb_ep_align(ep, len) : len;
31414 + }
31415 +
31416 + /**
31417 +diff --git a/include/linux/virtio.h b/include/linux/virtio.h
31418 +index 8f4d4bfa6d46..d7844d215381 100644
31419 +--- a/include/linux/virtio.h
31420 ++++ b/include/linux/virtio.h
31421 +@@ -124,6 +124,9 @@ int virtio_device_freeze(struct virtio_device *dev);
31422 + int virtio_device_restore(struct virtio_device *dev);
31423 + #endif
31424 +
31425 ++#define virtio_device_for_each_vq(vdev, vq) \
31426 ++ list_for_each_entry(vq, &vdev->vqs, list)
31427 ++
31428 + /**
31429 + * virtio_driver - operations for a virtio I/O driver
31430 + * @driver: underlying device driver (populate name and owner).
31431 +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
31432 +index f8d6813cd5b2..0cd8002cdddd 100644
31433 +--- a/include/net/cfg80211.h
31434 ++++ b/include/net/cfg80211.h
31435 +@@ -929,9 +929,9 @@ enum rate_info_flags {
31436 + * @RATE_INFO_BW_160: 160 MHz bandwidth
31437 + */
31438 + enum rate_info_bw {
31439 ++ RATE_INFO_BW_20 = 0,
31440 + RATE_INFO_BW_5,
31441 + RATE_INFO_BW_10,
31442 +- RATE_INFO_BW_20,
31443 + RATE_INFO_BW_40,
31444 + RATE_INFO_BW_80,
31445 + RATE_INFO_BW_160,
31446 +diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h
31447 +index 7682cb2ae237..378238f50208 100644
31448 +--- a/include/net/inet_timewait_sock.h
31449 ++++ b/include/net/inet_timewait_sock.h
31450 +@@ -55,6 +55,7 @@ struct inet_timewait_sock {
31451 + #define tw_family __tw_common.skc_family
31452 + #define tw_state __tw_common.skc_state
31453 + #define tw_reuse __tw_common.skc_reuse
31454 ++#define tw_reuseport __tw_common.skc_reuseport
31455 + #define tw_ipv6only __tw_common.skc_ipv6only
31456 + #define tw_bound_dev_if __tw_common.skc_bound_dev_if
31457 + #define tw_node __tw_common.skc_nulls_node
31458 +diff --git a/include/net/nexthop.h b/include/net/nexthop.h
31459 +index 3334dbfa5aa4..7fc78663ec9d 100644
31460 +--- a/include/net/nexthop.h
31461 ++++ b/include/net/nexthop.h
31462 +@@ -6,7 +6,7 @@
31463 +
31464 + static inline int rtnh_ok(const struct rtnexthop *rtnh, int remaining)
31465 + {
31466 +- return remaining >= sizeof(*rtnh) &&
31467 ++ return remaining >= (int)sizeof(*rtnh) &&
31468 + rtnh->rtnh_len >= sizeof(*rtnh) &&
31469 + rtnh->rtnh_len <= remaining;
31470 + }
31471 +diff --git a/include/net/slhc_vj.h b/include/net/slhc_vj.h
31472 +index 8716d5942b65..8fcf8908a694 100644
31473 +--- a/include/net/slhc_vj.h
31474 ++++ b/include/net/slhc_vj.h
31475 +@@ -127,6 +127,7 @@ typedef __u32 int32;
31476 + */
31477 + struct cstate {
31478 + byte_t cs_this; /* connection id number (xmit) */
31479 ++ bool initialized; /* true if initialized */
31480 + struct cstate *next; /* next in ring (xmit) */
31481 + struct iphdr cs_ip; /* ip/tcp hdr from most recent packet */
31482 + struct tcphdr cs_tcp;
31483 +diff --git a/include/net/tcp.h b/include/net/tcp.h
31484 +index 966d229d4482..dc542603d0f1 100644
31485 +--- a/include/net/tcp.h
31486 ++++ b/include/net/tcp.h
31487 +@@ -1123,9 +1123,11 @@ void tcp_select_initial_window(int __space, __u32 mss, __u32 *rcv_wnd,
31488 +
31489 + static inline int tcp_win_from_space(int space)
31490 + {
31491 +- return sysctl_tcp_adv_win_scale<=0 ?
31492 +- (space>>(-sysctl_tcp_adv_win_scale)) :
31493 +- space - (space>>sysctl_tcp_adv_win_scale);
31494 ++ int tcp_adv_win_scale = sysctl_tcp_adv_win_scale;
31495 ++
31496 ++ return tcp_adv_win_scale <= 0 ?
31497 ++ (space>>(-tcp_adv_win_scale)) :
31498 ++ space - (space>>tcp_adv_win_scale);
31499 + }
31500 +
31501 + /* Note: caller must be prepared to deal with negative returns */
31502 +diff --git a/include/net/x25.h b/include/net/x25.h
31503 +index c383aa4edbf0..6d30a01d281d 100644
31504 +--- a/include/net/x25.h
31505 ++++ b/include/net/x25.h
31506 +@@ -298,10 +298,10 @@ void x25_check_rbuf(struct sock *);
31507 +
31508 + /* sysctl_net_x25.c */
31509 + #ifdef CONFIG_SYSCTL
31510 +-void x25_register_sysctl(void);
31511 ++int x25_register_sysctl(void);
31512 + void x25_unregister_sysctl(void);
31513 + #else
31514 +-static inline void x25_register_sysctl(void) {};
31515 ++static inline int x25_register_sysctl(void) { return 0; };
31516 + static inline void x25_unregister_sysctl(void) {};
31517 + #endif /* CONFIG_SYSCTL */
31518 +
31519 +diff --git a/include/rdma/ib_addr.h b/include/rdma/ib_addr.h
31520 +index e6796dc8c764..561b0ca8cb19 100644
31521 +--- a/include/rdma/ib_addr.h
31522 ++++ b/include/rdma/ib_addr.h
31523 +@@ -109,6 +109,8 @@ int rdma_copy_addr(struct rdma_dev_addr *dev_addr, struct net_device *dev,
31524 + const unsigned char *dst_dev_addr);
31525 +
31526 + int rdma_addr_size(struct sockaddr *addr);
31527 ++int rdma_addr_size_in6(struct sockaddr_in6 *addr);
31528 ++int rdma_addr_size_kss(struct __kernel_sockaddr_storage *addr);
31529 +
31530 + int rdma_addr_find_smac_by_sgid(union ib_gid *sgid, u8 *smac, u16 *vlan_id);
31531 + int rdma_addr_find_dmac_by_grh(union ib_gid *sgid, union ib_gid *dgid, u8 *smac,
31532 +diff --git a/include/sound/control.h b/include/sound/control.h
31533 +index 95aad6d3fd1a..8e752793b94a 100644
31534 +--- a/include/sound/control.h
31535 ++++ b/include/sound/control.h
31536 +@@ -22,6 +22,7 @@
31537 + *
31538 + */
31539 +
31540 ++#include <linux/nospec.h>
31541 + #include <sound/asound.h>
31542 +
31543 + #define snd_kcontrol_chip(kcontrol) ((kcontrol)->private_data)
31544 +@@ -147,12 +148,14 @@ int snd_ctl_get_preferred_subdevice(struct snd_card *card, int type);
31545 +
31546 + static inline unsigned int snd_ctl_get_ioffnum(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
31547 + {
31548 +- return id->numid - kctl->id.numid;
31549 ++ unsigned int ioff = id->numid - kctl->id.numid;
31550 ++ return array_index_nospec(ioff, kctl->count);
31551 + }
31552 +
31553 + static inline unsigned int snd_ctl_get_ioffidx(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
31554 + {
31555 +- return id->index - kctl->id.index;
31556 ++ unsigned int ioff = id->index - kctl->id.index;
31557 ++ return array_index_nospec(ioff, kctl->count);
31558 + }
31559 +
31560 + static inline unsigned int snd_ctl_get_ioff(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
31561 +diff --git a/include/sound/pcm_oss.h b/include/sound/pcm_oss.h
31562 +index 760c969d885d..12bbf8c81112 100644
31563 +--- a/include/sound/pcm_oss.h
31564 ++++ b/include/sound/pcm_oss.h
31565 +@@ -57,6 +57,7 @@ struct snd_pcm_oss_runtime {
31566 + char *buffer; /* vmallocated period */
31567 + size_t buffer_used; /* used length from period buffer */
31568 + struct mutex params_lock;
31569 ++ atomic_t rw_ref; /* concurrent read/write accesses */
31570 + #ifdef CONFIG_SND_PCM_OSS_PLUGINS
31571 + struct snd_pcm_plugin *plugin_first;
31572 + struct snd_pcm_plugin *plugin_last;
31573 +diff --git a/include/uapi/linux/pci_regs.h b/include/uapi/linux/pci_regs.h
31574 +index 413417f3707b..7aa8cbc23b28 100644
31575 +--- a/include/uapi/linux/pci_regs.h
31576 ++++ b/include/uapi/linux/pci_regs.h
31577 +@@ -106,7 +106,7 @@
31578 + #define PCI_SUBSYSTEM_ID 0x2e
31579 + #define PCI_ROM_ADDRESS 0x30 /* Bits 31..11 are address, 10..1 reserved */
31580 + #define PCI_ROM_ADDRESS_ENABLE 0x01
31581 +-#define PCI_ROM_ADDRESS_MASK (~0x7ffUL)
31582 ++#define PCI_ROM_ADDRESS_MASK (~0x7ffU)
31583 +
31584 + #define PCI_CAPABILITY_LIST 0x34 /* Offset of first capability list entry */
31585 +
31586 +diff --git a/include/uapi/linux/usb/audio.h b/include/uapi/linux/usb/audio.h
31587 +index d2314be4f0c0..19f9dc2c06f6 100644
31588 +--- a/include/uapi/linux/usb/audio.h
31589 ++++ b/include/uapi/linux/usb/audio.h
31590 +@@ -369,7 +369,7 @@ static inline __u8 uac_processing_unit_bControlSize(struct uac_processing_unit_d
31591 + {
31592 + return (protocol == UAC_VERSION_1) ?
31593 + desc->baSourceID[desc->bNrInPins + 4] :
31594 +- desc->baSourceID[desc->bNrInPins + 6];
31595 ++ 2; /* in UAC2, this value is constant */
31596 + }
31597 +
31598 + static inline __u8 *uac_processing_unit_bmControls(struct uac_processing_unit_descriptor *desc,
31599 +@@ -377,7 +377,7 @@ static inline __u8 *uac_processing_unit_bmControls(struct uac_processing_unit_de
31600 + {
31601 + return (protocol == UAC_VERSION_1) ?
31602 + &desc->baSourceID[desc->bNrInPins + 5] :
31603 +- &desc->baSourceID[desc->bNrInPins + 7];
31604 ++ &desc->baSourceID[desc->bNrInPins + 6];
31605 + }
31606 +
31607 + static inline __u8 uac_processing_unit_iProcessing(struct uac_processing_unit_descriptor *desc,
31608 +diff --git a/ipc/shm.c b/ipc/shm.c
31609 +index c2384d0e4fa6..aa3090ddc9eb 100644
31610 +--- a/ipc/shm.c
31611 ++++ b/ipc/shm.c
31612 +@@ -198,6 +198,12 @@ static int __shm_open(struct vm_area_struct *vma)
31613 + if (IS_ERR(shp))
31614 + return PTR_ERR(shp);
31615 +
31616 ++ if (shp->shm_file != sfd->file) {
31617 ++ /* ID was reused */
31618 ++ shm_unlock(shp);
31619 ++ return -EINVAL;
31620 ++ }
31621 ++
31622 + shp->shm_atim = get_seconds();
31623 + shp->shm_lprid = task_tgid_vnr(current);
31624 + shp->shm_nattch++;
31625 +@@ -414,8 +420,9 @@ static int shm_mmap(struct file *file, struct vm_area_struct *vma)
31626 + int ret;
31627 +
31628 + /*
31629 +- * In case of remap_file_pages() emulation, the file can represent
31630 +- * removed IPC ID: propogate shm_lock() error to caller.
31631 ++ * In case of remap_file_pages() emulation, the file can represent an
31632 ++ * IPC ID that was removed, and possibly even reused by another shm
31633 ++ * segment already. Propagate this case as an error to caller.
31634 + */
31635 + ret =__shm_open(vma);
31636 + if (ret)
31637 +@@ -439,6 +446,7 @@ static int shm_release(struct inode *ino, struct file *file)
31638 + struct shm_file_data *sfd = shm_file_data(file);
31639 +
31640 + put_ipc_ns(sfd->ns);
31641 ++ fput(sfd->file);
31642 + shm_file_data(file) = NULL;
31643 + kfree(sfd);
31644 + return 0;
31645 +@@ -1198,7 +1206,16 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
31646 + file->f_mapping = shp->shm_file->f_mapping;
31647 + sfd->id = shp->shm_perm.id;
31648 + sfd->ns = get_ipc_ns(ns);
31649 +- sfd->file = shp->shm_file;
31650 ++ /*
31651 ++ * We need to take a reference to the real shm file to prevent the
31652 ++ * pointer from becoming stale in cases where the lifetime of the outer
31653 ++ * file extends beyond that of the shm segment. It's not usually
31654 ++ * possible, but it can happen during remap_file_pages() emulation as
31655 ++ * that unmaps the memory, then does ->mmap() via file reference only.
31656 ++ * We'll deny the ->mmap() if the shm segment was since removed, but to
31657 ++ * detect shm ID reuse we need to compare the file pointers.
31658 ++ */
31659 ++ sfd->file = get_file(shp->shm_file);
31660 + sfd->vm_ops = NULL;
31661 +
31662 + err = security_mmap_file(file, prot, flags);
31663 +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
31664 +index 1c1b8ab34037..6c1783bff424 100644
31665 +--- a/kernel/bpf/arraymap.c
31666 ++++ b/kernel/bpf/arraymap.c
31667 +@@ -75,7 +75,7 @@ static void *array_map_lookup_elem(struct bpf_map *map, void *key)
31668 + static int array_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
31669 + {
31670 + struct bpf_array *array = container_of(map, struct bpf_array, map);
31671 +- u32 index = *(u32 *)key;
31672 ++ u32 index = key ? *(u32 *)key : U32_MAX;
31673 + u32 *next = (u32 *)next_key;
31674 +
31675 + if (index >= array->map.max_entries) {
31676 +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
31677 +index 83c209d9b17a..ef7173e82179 100644
31678 +--- a/kernel/bpf/hashtab.c
31679 ++++ b/kernel/bpf/hashtab.c
31680 +@@ -149,12 +149,15 @@ static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
31681 + struct hlist_head *head;
31682 + struct htab_elem *l, *next_l;
31683 + u32 hash, key_size;
31684 +- int i;
31685 ++ int i = 0;
31686 +
31687 + WARN_ON_ONCE(!rcu_read_lock_held());
31688 +
31689 + key_size = map->key_size;
31690 +
31691 ++ if (!key)
31692 ++ goto find_first_elem;
31693 ++
31694 + hash = htab_map_hash(key, key_size);
31695 +
31696 + head = select_bucket(htab, hash);
31697 +@@ -162,10 +165,8 @@ static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
31698 + /* lookup the key */
31699 + l = lookup_elem_raw(head, hash, key, key_size);
31700 +
31701 +- if (!l) {
31702 +- i = 0;
31703 ++ if (!l)
31704 + goto find_first_elem;
31705 +- }
31706 +
31707 + /* key was found, get next key in the same bucket */
31708 + next_l = hlist_entry_safe(rcu_dereference_raw(hlist_next_rcu(&l->hash_node)),
31709 +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
31710 +index 3bae6c591914..0fcb43cb2006 100644
31711 +--- a/kernel/bpf/syscall.c
31712 ++++ b/kernel/bpf/syscall.c
31713 +@@ -311,14 +311,18 @@ static int map_get_next_key(union bpf_attr *attr)
31714 + if (IS_ERR(map))
31715 + return PTR_ERR(map);
31716 +
31717 +- err = -ENOMEM;
31718 +- key = kmalloc(map->key_size, GFP_USER);
31719 +- if (!key)
31720 +- goto err_put;
31721 +-
31722 +- err = -EFAULT;
31723 +- if (copy_from_user(key, ukey, map->key_size) != 0)
31724 +- goto free_key;
31725 ++ if (ukey) {
31726 ++ err = -ENOMEM;
31727 ++ key = kmalloc(map->key_size, GFP_USER);
31728 ++ if (!key)
31729 ++ goto err_put;
31730 ++
31731 ++ err = -EFAULT;
31732 ++ if (copy_from_user(key, ukey, map->key_size) != 0)
31733 ++ goto free_key;
31734 ++ } else {
31735 ++ key = NULL;
31736 ++ }
31737 +
31738 + err = -ENOMEM;
31739 + next_key = kmalloc(map->key_size, GFP_USER);
31740 +diff --git a/kernel/events/callchain.c b/kernel/events/callchain.c
31741 +index d659487254d5..d37acf86037a 100644
31742 +--- a/kernel/events/callchain.c
31743 ++++ b/kernel/events/callchain.c
31744 +@@ -107,14 +107,8 @@ int get_callchain_buffers(void)
31745 + goto exit;
31746 + }
31747 +
31748 +- if (count > 1) {
31749 +- /* If the allocation failed, give up */
31750 +- if (!callchain_cpus_entries)
31751 +- err = -ENOMEM;
31752 +- goto exit;
31753 +- }
31754 +-
31755 +- err = alloc_callchain_buffers();
31756 ++ if (count == 1)
31757 ++ err = alloc_callchain_buffers();
31758 + exit:
31759 + if (err)
31760 + atomic_dec(&nr_callchain_events);
31761 +diff --git a/kernel/events/core.c b/kernel/events/core.c
31762 +index e5553bdaf6c2..c6e653201737 100644
31763 +--- a/kernel/events/core.c
31764 ++++ b/kernel/events/core.c
31765 +@@ -5107,9 +5107,6 @@ static void perf_output_read_one(struct perf_output_handle *handle,
31766 + __output_copy(handle, values, n * sizeof(u64));
31767 + }
31768 +
31769 +-/*
31770 +- * XXX PERF_FORMAT_GROUP vs inherited events seems difficult.
31771 +- */
31772 + static void perf_output_read_group(struct perf_output_handle *handle,
31773 + struct perf_event *event,
31774 + u64 enabled, u64 running)
31775 +@@ -5154,6 +5151,13 @@ static void perf_output_read_group(struct perf_output_handle *handle,
31776 + #define PERF_FORMAT_TOTAL_TIMES (PERF_FORMAT_TOTAL_TIME_ENABLED|\
31777 + PERF_FORMAT_TOTAL_TIME_RUNNING)
31778 +
31779 ++/*
31780 ++ * XXX PERF_SAMPLE_READ vs inherited events seems difficult.
31781 ++ *
31782 ++ * The problem is that its both hard and excessively expensive to iterate the
31783 ++ * child list, not to mention that its impossible to IPI the children running
31784 ++ * on another CPU, from interrupt/NMI context.
31785 ++ */
31786 + static void perf_output_read(struct perf_output_handle *handle,
31787 + struct perf_event *event)
31788 + {
31789 +@@ -7630,9 +7634,10 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
31790 + local64_set(&hwc->period_left, hwc->sample_period);
31791 +
31792 + /*
31793 +- * we currently do not support PERF_FORMAT_GROUP on inherited events
31794 ++ * We currently do not support PERF_SAMPLE_READ on inherited events.
31795 ++ * See perf_output_read().
31796 + */
31797 +- if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP))
31798 ++ if (attr->inherit && (attr->sample_type & PERF_SAMPLE_READ))
31799 + goto err_ns;
31800 +
31801 + if (!has_branch_stack(event))
31802 +@@ -7800,9 +7805,9 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
31803 + * __u16 sample size limit.
31804 + */
31805 + if (attr->sample_stack_user >= USHRT_MAX)
31806 +- ret = -EINVAL;
31807 ++ return -EINVAL;
31808 + else if (!IS_ALIGNED(attr->sample_stack_user, sizeof(u64)))
31809 +- ret = -EINVAL;
31810 ++ return -EINVAL;
31811 + }
31812 +
31813 + if (attr->sample_type & PERF_SAMPLE_REGS_INTR)
31814 +diff --git a/kernel/events/hw_breakpoint.c b/kernel/events/hw_breakpoint.c
31815 +index 92ce5f4ccc26..a27245fdcd81 100644
31816 +--- a/kernel/events/hw_breakpoint.c
31817 ++++ b/kernel/events/hw_breakpoint.c
31818 +@@ -427,16 +427,9 @@ EXPORT_SYMBOL_GPL(register_user_hw_breakpoint);
31819 + * modify_user_hw_breakpoint - modify a user-space hardware breakpoint
31820 + * @bp: the breakpoint structure to modify
31821 + * @attr: new breakpoint attributes
31822 +- * @triggered: callback to trigger when we hit the breakpoint
31823 +- * @tsk: pointer to 'task_struct' of the process to which the address belongs
31824 + */
31825 + int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *attr)
31826 + {
31827 +- u64 old_addr = bp->attr.bp_addr;
31828 +- u64 old_len = bp->attr.bp_len;
31829 +- int old_type = bp->attr.bp_type;
31830 +- int err = 0;
31831 +-
31832 + /*
31833 + * modify_user_hw_breakpoint can be invoked with IRQs disabled and hence it
31834 + * will not be possible to raise IPIs that invoke __perf_event_disable.
31835 +@@ -451,27 +444,18 @@ int modify_user_hw_breakpoint(struct perf_event *bp, struct perf_event_attr *att
31836 + bp->attr.bp_addr = attr->bp_addr;
31837 + bp->attr.bp_type = attr->bp_type;
31838 + bp->attr.bp_len = attr->bp_len;
31839 ++ bp->attr.disabled = 1;
31840 +
31841 +- if (attr->disabled)
31842 +- goto end;
31843 +-
31844 +- err = validate_hw_breakpoint(bp);
31845 +- if (!err)
31846 +- perf_event_enable(bp);
31847 ++ if (!attr->disabled) {
31848 ++ int err = validate_hw_breakpoint(bp);
31849 +
31850 +- if (err) {
31851 +- bp->attr.bp_addr = old_addr;
31852 +- bp->attr.bp_type = old_type;
31853 +- bp->attr.bp_len = old_len;
31854 +- if (!bp->attr.disabled)
31855 +- perf_event_enable(bp);
31856 ++ if (err)
31857 ++ return err;
31858 +
31859 +- return err;
31860 ++ perf_event_enable(bp);
31861 ++ bp->attr.disabled = 0;
31862 + }
31863 +
31864 +-end:
31865 +- bp->attr.disabled = attr->disabled;
31866 +-
31867 + return 0;
31868 + }
31869 + EXPORT_SYMBOL_GPL(modify_user_hw_breakpoint);
31870 +diff --git a/kernel/futex.c b/kernel/futex.c
31871 +index 4195616b27d9..8944e397cd47 100644
31872 +--- a/kernel/futex.c
31873 ++++ b/kernel/futex.c
31874 +@@ -400,6 +400,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
31875 + unsigned long address = (unsigned long)uaddr;
31876 + struct mm_struct *mm = current->mm;
31877 + struct page *page, *page_head;
31878 ++ struct address_space *mapping;
31879 + int err, ro = 0;
31880 +
31881 + /*
31882 +@@ -478,7 +479,19 @@ again:
31883 + }
31884 + #endif
31885 +
31886 +- lock_page(page_head);
31887 ++ /*
31888 ++ * The treatment of mapping from this point on is critical. The page
31889 ++ * lock protects many things but in this context the page lock
31890 ++ * stabilizes mapping, prevents inode freeing in the shared
31891 ++ * file-backed region case and guards against movement to swap cache.
31892 ++ *
31893 ++ * Strictly speaking the page lock is not needed in all cases being
31894 ++ * considered here and page lock forces unnecessarily serialization
31895 ++ * From this point on, mapping will be re-verified if necessary and
31896 ++ * page lock will be acquired only if it is unavoidable
31897 ++ */
31898 ++
31899 ++ mapping = READ_ONCE(page_head->mapping);
31900 +
31901 + /*
31902 + * If page_head->mapping is NULL, then it cannot be a PageAnon
31903 +@@ -495,18 +508,31 @@ again:
31904 + * shmem_writepage move it from filecache to swapcache beneath us:
31905 + * an unlikely race, but we do need to retry for page_head->mapping.
31906 + */
31907 +- if (!page_head->mapping) {
31908 +- int shmem_swizzled = PageSwapCache(page_head);
31909 ++ if (unlikely(!mapping)) {
31910 ++ int shmem_swizzled;
31911 ++
31912 ++ /*
31913 ++ * Page lock is required to identify which special case above
31914 ++ * applies. If this is really a shmem page then the page lock
31915 ++ * will prevent unexpected transitions.
31916 ++ */
31917 ++ lock_page(page);
31918 ++ shmem_swizzled = PageSwapCache(page) || page->mapping;
31919 + unlock_page(page_head);
31920 + put_page(page_head);
31921 ++
31922 + if (shmem_swizzled)
31923 + goto again;
31924 ++
31925 + return -EFAULT;
31926 + }
31927 +
31928 + /*
31929 + * Private mappings are handled in a simple way.
31930 + *
31931 ++ * If the futex key is stored on an anonymous page, then the associated
31932 ++ * object is the mm which is implicitly pinned by the calling process.
31933 ++ *
31934 + * NOTE: When userspace waits on a MAP_SHARED mapping, even if
31935 + * it's a read-only handle, it's expected that futexes attach to
31936 + * the object not the particular process.
31937 +@@ -524,16 +550,74 @@ again:
31938 + key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */
31939 + key->private.mm = mm;
31940 + key->private.address = address;
31941 ++
31942 ++ get_futex_key_refs(key); /* implies smp_mb(); (B) */
31943 ++
31944 + } else {
31945 ++ struct inode *inode;
31946 ++
31947 ++ /*
31948 ++ * The associated futex object in this case is the inode and
31949 ++ * the page->mapping must be traversed. Ordinarily this should
31950 ++ * be stabilised under page lock but it's not strictly
31951 ++ * necessary in this case as we just want to pin the inode, not
31952 ++ * update the radix tree or anything like that.
31953 ++ *
31954 ++ * The RCU read lock is taken as the inode is finally freed
31955 ++ * under RCU. If the mapping still matches expectations then the
31956 ++ * mapping->host can be safely accessed as being a valid inode.
31957 ++ */
31958 ++ rcu_read_lock();
31959 ++
31960 ++ if (READ_ONCE(page_head->mapping) != mapping) {
31961 ++ rcu_read_unlock();
31962 ++ put_page(page_head);
31963 ++
31964 ++ goto again;
31965 ++ }
31966 ++
31967 ++ inode = READ_ONCE(mapping->host);
31968 ++ if (!inode) {
31969 ++ rcu_read_unlock();
31970 ++ put_page(page_head);
31971 ++
31972 ++ goto again;
31973 ++ }
31974 ++
31975 ++ /*
31976 ++ * Take a reference unless it is about to be freed. Previously
31977 ++ * this reference was taken by ihold under the page lock
31978 ++ * pinning the inode in place so i_lock was unnecessary. The
31979 ++ * only way for this check to fail is if the inode was
31980 ++ * truncated in parallel so warn for now if this happens.
31981 ++ *
31982 ++ * We are not calling into get_futex_key_refs() in file-backed
31983 ++ * cases, therefore a successful atomic_inc return below will
31984 ++ * guarantee that get_futex_key() will still imply smp_mb(); (B).
31985 ++ */
31986 ++ if (WARN_ON_ONCE(!atomic_inc_not_zero(&inode->i_count))) {
31987 ++ rcu_read_unlock();
31988 ++ put_page(page_head);
31989 ++
31990 ++ goto again;
31991 ++ }
31992 ++
31993 ++ /* Should be impossible but lets be paranoid for now */
31994 ++ if (WARN_ON_ONCE(inode->i_mapping != mapping)) {
31995 ++ err = -EFAULT;
31996 ++ rcu_read_unlock();
31997 ++ iput(inode);
31998 ++
31999 ++ goto out;
32000 ++ }
32001 ++
32002 + key->both.offset |= FUT_OFF_INODE; /* inode-based key */
32003 +- key->shared.inode = page_head->mapping->host;
32004 ++ key->shared.inode = inode;
32005 + key->shared.pgoff = basepage_index(page);
32006 ++ rcu_read_unlock();
32007 + }
32008 +
32009 +- get_futex_key_refs(key); /* implies MB (B) */
32010 +-
32011 + out:
32012 +- unlock_page(page_head);
32013 + put_page(page_head);
32014 + return err;
32015 + }
32016 +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
32017 +index f4b1f0a1dba5..76c9d6f62458 100644
32018 +--- a/kernel/irq/manage.c
32019 ++++ b/kernel/irq/manage.c
32020 +@@ -1095,8 +1095,10 @@ __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new)
32021 + * set the trigger type must match. Also all must
32022 + * agree on ONESHOT.
32023 + */
32024 ++ unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data);
32025 ++
32026 + if (!((old->flags & new->flags) & IRQF_SHARED) ||
32027 +- ((old->flags ^ new->flags) & IRQF_TRIGGER_MASK) ||
32028 ++ (oldtype != (new->flags & IRQF_TRIGGER_MASK)) ||
32029 + ((old->flags ^ new->flags) & IRQF_ONESHOT))
32030 + goto mismatch;
32031 +
32032 +diff --git a/kernel/kprobes.c b/kernel/kprobes.c
32033 +index 7dd73a3059b8..04486d8e5809 100644
32034 +--- a/kernel/kprobes.c
32035 ++++ b/kernel/kprobes.c
32036 +@@ -125,7 +125,7 @@ static void *alloc_insn_page(void)
32037 + return module_alloc(PAGE_SIZE);
32038 + }
32039 +
32040 +-static void free_insn_page(void *page)
32041 ++void __weak free_insn_page(void *page)
32042 + {
32043 + module_memfree(page);
32044 + }
32045 +diff --git a/kernel/pid.c b/kernel/pid.c
32046 +index 4fd07d5b7baf..365281244acc 100644
32047 +--- a/kernel/pid.c
32048 ++++ b/kernel/pid.c
32049 +@@ -322,8 +322,10 @@ struct pid *alloc_pid(struct pid_namespace *ns)
32050 + }
32051 +
32052 + if (unlikely(is_child_reaper(pid))) {
32053 +- if (pid_ns_prepare_proc(ns))
32054 ++ if (pid_ns_prepare_proc(ns)) {
32055 ++ disable_pid_allocation(ns);
32056 + goto out_free;
32057 ++ }
32058 + }
32059 +
32060 + get_pid_ns(ns);
32061 +diff --git a/kernel/printk/braille.c b/kernel/printk/braille.c
32062 +index 276762f3a460..e035876af5e2 100644
32063 +--- a/kernel/printk/braille.c
32064 ++++ b/kernel/printk/braille.c
32065 +@@ -2,12 +2,13 @@
32066 +
32067 + #include <linux/kernel.h>
32068 + #include <linux/console.h>
32069 ++#include <linux/errno.h>
32070 + #include <linux/string.h>
32071 +
32072 + #include "console_cmdline.h"
32073 + #include "braille.h"
32074 +
32075 +-char *_braille_console_setup(char **str, char **brl_options)
32076 ++int _braille_console_setup(char **str, char **brl_options)
32077 + {
32078 + if (!memcmp(*str, "brl,", 4)) {
32079 + *brl_options = "";
32080 +@@ -15,14 +16,14 @@ char *_braille_console_setup(char **str, char **brl_options)
32081 + } else if (!memcmp(str, "brl=", 4)) {
32082 + *brl_options = *str + 4;
32083 + *str = strchr(*brl_options, ',');
32084 +- if (!*str)
32085 ++ if (!*str) {
32086 + pr_err("need port name after brl=\n");
32087 +- else
32088 +- *((*str)++) = 0;
32089 +- } else
32090 +- return NULL;
32091 ++ return -EINVAL;
32092 ++ }
32093 ++ *((*str)++) = 0;
32094 ++ }
32095 +
32096 +- return *str;
32097 ++ return 0;
32098 + }
32099 +
32100 + int
32101 +diff --git a/kernel/printk/braille.h b/kernel/printk/braille.h
32102 +index 769d771145c8..749a6756843a 100644
32103 +--- a/kernel/printk/braille.h
32104 ++++ b/kernel/printk/braille.h
32105 +@@ -9,7 +9,14 @@ braille_set_options(struct console_cmdline *c, char *brl_options)
32106 + c->brl_options = brl_options;
32107 + }
32108 +
32109 +-char *
32110 ++/*
32111 ++ * Setup console according to braille options.
32112 ++ * Return -EINVAL on syntax error, 0 on success (or no braille option was
32113 ++ * actually given).
32114 ++ * Modifies str to point to the serial options
32115 ++ * Sets brl_options to the parsed braille options.
32116 ++ */
32117 ++int
32118 + _braille_console_setup(char **str, char **brl_options);
32119 +
32120 + int
32121 +@@ -25,10 +32,10 @@ braille_set_options(struct console_cmdline *c, char *brl_options)
32122 + {
32123 + }
32124 +
32125 +-static inline char *
32126 ++static inline int
32127 + _braille_console_setup(char **str, char **brl_options)
32128 + {
32129 +- return NULL;
32130 ++ return 0;
32131 + }
32132 +
32133 + static inline int
32134 +diff --git a/kernel/resource.c b/kernel/resource.c
32135 +index cbf725c24c3b..39ee5aeaf1e3 100644
32136 +--- a/kernel/resource.c
32137 ++++ b/kernel/resource.c
32138 +@@ -600,7 +600,8 @@ static int __find_resource(struct resource *root, struct resource *old,
32139 + alloc.start = constraint->alignf(constraint->alignf_data, &avail,
32140 + size, constraint->align);
32141 + alloc.end = alloc.start + size - 1;
32142 +- if (resource_contains(&avail, &alloc)) {
32143 ++ if (alloc.start <= alloc.end &&
32144 ++ resource_contains(&avail, &alloc)) {
32145 + new->start = alloc.start;
32146 + new->end = alloc.end;
32147 + return 0;
32148 +diff --git a/kernel/sched/core.c b/kernel/sched/core.c
32149 +index 9c905bd94ff0..5e7608c5b9ec 100644
32150 +--- a/kernel/sched/core.c
32151 ++++ b/kernel/sched/core.c
32152 +@@ -578,7 +578,8 @@ void resched_cpu(int cpu)
32153 + unsigned long flags;
32154 +
32155 + raw_spin_lock_irqsave(&rq->lock, flags);
32156 +- resched_curr(rq);
32157 ++ if (cpu_online(cpu) || cpu == smp_processor_id())
32158 ++ resched_curr(rq);
32159 + raw_spin_unlock_irqrestore(&rq->lock, flags);
32160 + }
32161 +
32162 +diff --git a/kernel/time/sched_clock.c b/kernel/time/sched_clock.c
32163 +index a26036d37a38..382b159d8592 100644
32164 +--- a/kernel/time/sched_clock.c
32165 ++++ b/kernel/time/sched_clock.c
32166 +@@ -205,6 +205,11 @@ sched_clock_register(u64 (*read)(void), int bits, unsigned long rate)
32167 +
32168 + update_clock_read_data(&rd);
32169 +
32170 ++ if (sched_clock_timer.function != NULL) {
32171 ++ /* update timeout for clock wrap */
32172 ++ hrtimer_start(&sched_clock_timer, cd.wrap_kt, HRTIMER_MODE_REL);
32173 ++ }
32174 ++
32175 + r = rate;
32176 + if (r >= 4000000) {
32177 + r /= 1000000;
32178 +diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
32179 +index e878c2e0ba45..e81d45097d05 100644
32180 +--- a/kernel/time/timer_list.c
32181 ++++ b/kernel/time/timer_list.c
32182 +@@ -16,6 +16,7 @@
32183 + #include <linux/sched.h>
32184 + #include <linux/seq_file.h>
32185 + #include <linux/kallsyms.h>
32186 ++#include <linux/nmi.h>
32187 +
32188 + #include <asm/uaccess.h>
32189 +
32190 +@@ -91,6 +92,9 @@ print_active_timers(struct seq_file *m, struct hrtimer_clock_base *base,
32191 +
32192 + next_one:
32193 + i = 0;
32194 ++
32195 ++ touch_nmi_watchdog();
32196 ++
32197 + raw_spin_lock_irqsave(&base->cpu_base->lock, flags);
32198 +
32199 + curr = timerqueue_getnext(&base->active);
32200 +@@ -202,6 +206,8 @@ print_tickdevice(struct seq_file *m, struct tick_device *td, int cpu)
32201 + {
32202 + struct clock_event_device *dev = td->evtdev;
32203 +
32204 ++ touch_nmi_watchdog();
32205 ++
32206 + SEQ_printf(m, "Tick Device: mode: %d\n", td->mode);
32207 + if (cpu < 0)
32208 + SEQ_printf(m, "Broadcast device\n");
32209 +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
32210 +index 9a4aee1d3345..2bdb78ab3bd2 100644
32211 +--- a/kernel/trace/trace_kprobe.c
32212 ++++ b/kernel/trace/trace_kprobe.c
32213 +@@ -611,7 +611,7 @@ static int create_trace_kprobe(int argc, char **argv)
32214 + bool is_return = false, is_delete = false;
32215 + char *symbol = NULL, *event = NULL, *group = NULL;
32216 + char *arg;
32217 +- unsigned long offset = 0;
32218 ++ long offset = 0;
32219 + void *addr = NULL;
32220 + char buf[MAX_EVENT_NAME_LEN];
32221 +
32222 +@@ -679,7 +679,7 @@ static int create_trace_kprobe(int argc, char **argv)
32223 + symbol = argv[1];
32224 + /* TODO: support .init module functions */
32225 + ret = traceprobe_split_symbol_offset(symbol, &offset);
32226 +- if (ret) {
32227 ++ if (ret || offset < 0 || offset > UINT_MAX) {
32228 + pr_info("Failed to parse either an address or a symbol.\n");
32229 + return ret;
32230 + }
32231 +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
32232 +index 1769a81da8a7..741c00b90fdc 100644
32233 +--- a/kernel/trace/trace_probe.c
32234 ++++ b/kernel/trace/trace_probe.c
32235 +@@ -293,7 +293,7 @@ static fetch_func_t get_fetch_size_function(const struct fetch_type *type,
32236 + }
32237 +
32238 + /* Split symbol and offset. */
32239 +-int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset)
32240 ++int traceprobe_split_symbol_offset(char *symbol, long *offset)
32241 + {
32242 + char *tmp;
32243 + int ret;
32244 +@@ -301,13 +301,11 @@ int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset)
32245 + if (!offset)
32246 + return -EINVAL;
32247 +
32248 +- tmp = strchr(symbol, '+');
32249 ++ tmp = strpbrk(symbol, "+-");
32250 + if (tmp) {
32251 +- /* skip sign because kstrtoul doesn't accept '+' */
32252 +- ret = kstrtoul(tmp + 1, 0, offset);
32253 ++ ret = kstrtol(tmp, 0, offset);
32254 + if (ret)
32255 + return ret;
32256 +-
32257 + *tmp = '\0';
32258 + } else
32259 + *offset = 0;
32260 +diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h
32261 +index ab283e146b70..80c4ff36896c 100644
32262 +--- a/kernel/trace/trace_probe.h
32263 ++++ b/kernel/trace/trace_probe.h
32264 +@@ -335,7 +335,7 @@ extern int traceprobe_conflict_field_name(const char *name,
32265 + extern void traceprobe_update_arg(struct probe_arg *arg);
32266 + extern void traceprobe_free_probe_arg(struct probe_arg *arg);
32267 +
32268 +-extern int traceprobe_split_symbol_offset(char *symbol, unsigned long *offset);
32269 ++extern int traceprobe_split_symbol_offset(char *symbol, long *offset);
32270 +
32271 + extern ssize_t traceprobe_probes_write(struct file *file,
32272 + const char __user *buffer, size_t count, loff_t *ppos,
32273 +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
32274 +index 6dd022c7b5bc..1b11c3c21a29 100644
32275 +--- a/kernel/trace/trace_uprobe.c
32276 ++++ b/kernel/trace/trace_uprobe.c
32277 +@@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs,
32278 + return;
32279 +
32280 + ret = strncpy_from_user(dst, src, maxlen);
32281 ++ if (ret == maxlen)
32282 ++ dst[--ret] = '\0';
32283 +
32284 + if (ret < 0) { /* Failed to fetch string */
32285 + ((u8 *)get_rloc_data(dest))[0] = '\0';
32286 +diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c
32287 +index 3490407dc7b7..4b12034e15b0 100644
32288 +--- a/kernel/tracepoint.c
32289 ++++ b/kernel/tracepoint.c
32290 +@@ -185,7 +185,7 @@ static int tracepoint_add_func(struct tracepoint *tp,
32291 + lockdep_is_held(&tracepoints_mutex));
32292 + old = func_add(&tp_funcs, func);
32293 + if (IS_ERR(old)) {
32294 +- WARN_ON_ONCE(1);
32295 ++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
32296 + return PTR_ERR(old);
32297 + }
32298 +
32299 +@@ -218,7 +218,7 @@ static int tracepoint_remove_func(struct tracepoint *tp,
32300 + lockdep_is_held(&tracepoints_mutex));
32301 + old = func_remove(&tp_funcs, func);
32302 + if (IS_ERR(old)) {
32303 +- WARN_ON_ONCE(1);
32304 ++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
32305 + return PTR_ERR(old);
32306 + }
32307 +
32308 +diff --git a/lib/kobject.c b/lib/kobject.c
32309 +index 3b841b97fccd..bb89e879d3a4 100644
32310 +--- a/lib/kobject.c
32311 ++++ b/lib/kobject.c
32312 +@@ -234,14 +234,12 @@ static int kobject_add_internal(struct kobject *kobj)
32313 +
32314 + /* be noisy on error issues */
32315 + if (error == -EEXIST)
32316 +- WARN(1, "%s failed for %s with "
32317 +- "-EEXIST, don't try to register things with "
32318 +- "the same name in the same directory.\n",
32319 +- __func__, kobject_name(kobj));
32320 ++ pr_err("%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n",
32321 ++ __func__, kobject_name(kobj));
32322 + else
32323 +- WARN(1, "%s failed for %s (error: %d parent: %s)\n",
32324 +- __func__, kobject_name(kobj), error,
32325 +- parent ? kobject_name(parent) : "'none'");
32326 ++ pr_err("%s failed for %s (error: %d parent: %s)\n",
32327 ++ __func__, kobject_name(kobj), error,
32328 ++ parent ? kobject_name(parent) : "'none'");
32329 + } else
32330 + kobj->state_in_sysfs = 1;
32331 +
32332 +diff --git a/mm/percpu.c b/mm/percpu.c
32333 +index a40d5e04a3d1..1b95b9fdd616 100644
32334 +--- a/mm/percpu.c
32335 ++++ b/mm/percpu.c
32336 +@@ -68,6 +68,7 @@
32337 + #include <linux/vmalloc.h>
32338 + #include <linux/workqueue.h>
32339 + #include <linux/kmemleak.h>
32340 ++#include <linux/sched.h>
32341 +
32342 + #include <asm/cacheflush.h>
32343 + #include <asm/sections.h>
32344 +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
32345 +index 93010f34c200..00fabb3424df 100644
32346 +--- a/net/8021q/vlan_dev.c
32347 ++++ b/net/8021q/vlan_dev.c
32348 +@@ -29,6 +29,7 @@
32349 + #include <linux/net_tstamp.h>
32350 + #include <linux/etherdevice.h>
32351 + #include <linux/ethtool.h>
32352 ++#include <linux/phy.h>
32353 + #include <net/arp.h>
32354 +
32355 + #include "vlan.h"
32356 +@@ -559,8 +560,7 @@ static int vlan_dev_init(struct net_device *dev)
32357 + NETIF_F_HIGHDMA | NETIF_F_SCTP_CSUM |
32358 + NETIF_F_ALL_FCOE;
32359 +
32360 +- dev->features |= real_dev->vlan_features | NETIF_F_LLTX |
32361 +- NETIF_F_GSO_SOFTWARE;
32362 ++ dev->features |= dev->hw_features | NETIF_F_LLTX;
32363 + dev->gso_max_size = real_dev->gso_max_size;
32364 + if (dev->features & NETIF_F_VLAN_FEATURES)
32365 + netdev_warn(real_dev, "VLAN features are set incorrectly. Q-in-Q configurations may not work correctly.\n");
32366 +@@ -655,8 +655,11 @@ static int vlan_ethtool_get_ts_info(struct net_device *dev,
32367 + {
32368 + const struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
32369 + const struct ethtool_ops *ops = vlan->real_dev->ethtool_ops;
32370 ++ struct phy_device *phydev = vlan->real_dev->phydev;
32371 +
32372 +- if (ops->get_ts_info) {
32373 ++ if (phydev && phydev->drv && phydev->drv->ts_info) {
32374 ++ return phydev->drv->ts_info(phydev, info);
32375 ++ } else if (ops->get_ts_info) {
32376 + return ops->get_ts_info(vlan->real_dev, info);
32377 + } else {
32378 + info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
32379 +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
32380 +index bd3357e69c5c..1732fe952089 100644
32381 +--- a/net/batman-adv/bridge_loop_avoidance.c
32382 ++++ b/net/batman-adv/bridge_loop_avoidance.c
32383 +@@ -1589,10 +1589,22 @@ int batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
32384 + /* if yes, the client has roamed and we have
32385 + * to unclaim it.
32386 + */
32387 +- batadv_handle_unclaim(bat_priv, primary_if,
32388 +- primary_if->net_dev->dev_addr,
32389 +- ethhdr->h_source, vid);
32390 +- goto allow;
32391 ++ if (batadv_has_timed_out(claim->lasttime, 100)) {
32392 ++ /* only unclaim if the last claim entry is
32393 ++ * older than 100 ms to make sure we really
32394 ++ * have a roaming client here.
32395 ++ */
32396 ++ batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Roaming client %pM detected. Unclaim it.\n",
32397 ++ ethhdr->h_source);
32398 ++ batadv_handle_unclaim(bat_priv, primary_if,
32399 ++ primary_if->net_dev->dev_addr,
32400 ++ ethhdr->h_source, vid);
32401 ++ goto allow;
32402 ++ } else {
32403 ++ batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Race for claim %pM detected. Drop packet.\n",
32404 ++ ethhdr->h_source);
32405 ++ goto handled;
32406 ++ }
32407 + }
32408 +
32409 + /* check if it is a multicast/broadcast frame */
32410 +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
32411 +index c4802f3bd4c5..e0d20501df76 100644
32412 +--- a/net/bluetooth/hci_core.c
32413 ++++ b/net/bluetooth/hci_core.c
32414 +@@ -663,6 +663,7 @@ static void hci_set_event_mask_page_2(struct hci_request *req)
32415 + {
32416 + struct hci_dev *hdev = req->hdev;
32417 + u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
32418 ++ bool changed = false;
32419 +
32420 + /* If Connectionless Slave Broadcast master role is supported
32421 + * enable all necessary events for it.
32422 +@@ -672,6 +673,7 @@ static void hci_set_event_mask_page_2(struct hci_request *req)
32423 + events[1] |= 0x80; /* Synchronization Train Complete */
32424 + events[2] |= 0x10; /* Slave Page Response Timeout */
32425 + events[2] |= 0x20; /* CSB Channel Map Change */
32426 ++ changed = true;
32427 + }
32428 +
32429 + /* If Connectionless Slave Broadcast slave role is supported
32430 +@@ -682,13 +684,24 @@ static void hci_set_event_mask_page_2(struct hci_request *req)
32431 + events[2] |= 0x02; /* CSB Receive */
32432 + events[2] |= 0x04; /* CSB Timeout */
32433 + events[2] |= 0x08; /* Truncated Page Complete */
32434 ++ changed = true;
32435 + }
32436 +
32437 + /* Enable Authenticated Payload Timeout Expired event if supported */
32438 +- if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING)
32439 ++ if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) {
32440 + events[2] |= 0x80;
32441 ++ changed = true;
32442 ++ }
32443 +
32444 +- hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events);
32445 ++ /* Some Broadcom based controllers indicate support for Set Event
32446 ++ * Mask Page 2 command, but then actually do not support it. Since
32447 ++ * the default value is all bits set to zero, the command is only
32448 ++ * required if the event mask has to be changed. In case no change
32449 ++ * to the event mask is needed, skip this command.
32450 ++ */
32451 ++ if (changed)
32452 ++ hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2,
32453 ++ sizeof(events), events);
32454 + }
32455 +
32456 + static void hci_init3_req(struct hci_request *req, unsigned long opt)
32457 +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
32458 +index e4b56fcb5d4e..e259b9da05f1 100644
32459 +--- a/net/bluetooth/smp.c
32460 ++++ b/net/bluetooth/smp.c
32461 +@@ -2250,8 +2250,14 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
32462 + else
32463 + sec_level = authreq_to_seclevel(auth);
32464 +
32465 +- if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
32466 ++ if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
32467 ++ /* If link is already encrypted with sufficient security we
32468 ++ * still need refresh encryption as per Core Spec 5.0 Vol 3,
32469 ++ * Part H 2.4.6
32470 ++ */
32471 ++ smp_ltk_encrypt(conn, hcon->sec_level);
32472 + return 0;
32473 ++ }
32474 +
32475 + if (sec_level > hcon->pending_sec_level)
32476 + hcon->pending_sec_level = sec_level;
32477 +diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
32478 +index 9637a681bdda..9adf16258cab 100644
32479 +--- a/net/bridge/netfilter/ebt_among.c
32480 ++++ b/net/bridge/netfilter/ebt_among.c
32481 +@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
32482 + return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
32483 + }
32484 +
32485 ++static bool wormhash_offset_invalid(int off, unsigned int len)
32486 ++{
32487 ++ if (off == 0) /* not present */
32488 ++ return false;
32489 ++
32490 ++ if (off < (int)sizeof(struct ebt_among_info) ||
32491 ++ off % __alignof__(struct ebt_mac_wormhash))
32492 ++ return true;
32493 ++
32494 ++ off += sizeof(struct ebt_mac_wormhash);
32495 ++
32496 ++ return off > len;
32497 ++}
32498 ++
32499 ++static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int b)
32500 ++{
32501 ++ if (a == 0)
32502 ++ a = sizeof(struct ebt_among_info);
32503 ++
32504 ++ return ebt_mac_wormhash_size(wh) + a == b;
32505 ++}
32506 ++
32507 + static int ebt_among_mt_check(const struct xt_mtchk_param *par)
32508 + {
32509 + const struct ebt_among_info *info = par->matchinfo;
32510 +@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
32511 + if (expected_length > em->match_size)
32512 + return -EINVAL;
32513 +
32514 ++ if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
32515 ++ wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
32516 ++ return -EINVAL;
32517 ++
32518 + wh_dst = ebt_among_wh_dst(info);
32519 + if (poolsize_invalid(wh_dst))
32520 + return -EINVAL;
32521 +@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const struct xt_mtchk_param *par)
32522 + if (poolsize_invalid(wh_src))
32523 + return -EINVAL;
32524 +
32525 ++ if (info->wh_src_ofs < info->wh_dst_ofs) {
32526 ++ if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, info->wh_dst_ofs))
32527 ++ return -EINVAL;
32528 ++ } else {
32529 ++ if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, info->wh_src_ofs))
32530 ++ return -EINVAL;
32531 ++ }
32532 ++
32533 + expected_length += ebt_mac_wormhash_size(wh_src);
32534 +
32535 + if (em->match_size != EBT_ALIGN(expected_length)) {
32536 +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
32537 +index d30864a8ed57..1e08c25c43f3 100644
32538 +--- a/net/ceph/messenger.c
32539 ++++ b/net/ceph/messenger.c
32540 +@@ -2518,6 +2518,11 @@ static int try_write(struct ceph_connection *con)
32541 + int ret = 1;
32542 +
32543 + dout("try_write start %p state %lu\n", con, con->state);
32544 ++ if (con->state != CON_STATE_PREOPEN &&
32545 ++ con->state != CON_STATE_CONNECTING &&
32546 ++ con->state != CON_STATE_NEGOTIATING &&
32547 ++ con->state != CON_STATE_OPEN)
32548 ++ return 0;
32549 +
32550 + more:
32551 + dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes);
32552 +@@ -2543,6 +2548,8 @@ more:
32553 + }
32554 +
32555 + more_kvec:
32556 ++ BUG_ON(!con->sock);
32557 ++
32558 + /* kvec data queued? */
32559 + if (con->out_kvec_left) {
32560 + ret = write_partial_kvec(con);
32561 +diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
32562 +index bc95e48d5cfb..378c9ed00d40 100644
32563 +--- a/net/ceph/osdmap.c
32564 ++++ b/net/ceph/osdmap.c
32565 +@@ -295,6 +295,7 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
32566 + u32 yes;
32567 + struct crush_rule *r;
32568 +
32569 ++ err = -EINVAL;
32570 + ceph_decode_32_safe(p, end, yes, bad);
32571 + if (!yes) {
32572 + dout("crush_decode NO rule %d off %x %p to %p\n",
32573 +diff --git a/net/core/dev.c b/net/core/dev.c
32574 +index c2d927f91a30..1cbbc79b4509 100644
32575 +--- a/net/core/dev.c
32576 ++++ b/net/core/dev.c
32577 +@@ -957,7 +957,7 @@ bool dev_valid_name(const char *name)
32578 + {
32579 + if (*name == '\0')
32580 + return false;
32581 +- if (strlen(name) >= IFNAMSIZ)
32582 ++ if (strnlen(name, IFNAMSIZ) == IFNAMSIZ)
32583 + return false;
32584 + if (!strcmp(name, ".") || !strcmp(name, ".."))
32585 + return false;
32586 +@@ -2430,7 +2430,7 @@ __be16 skb_network_protocol(struct sk_buff *skb, int *depth)
32587 + if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
32588 + return 0;
32589 +
32590 +- eth = (struct ethhdr *)skb_mac_header(skb);
32591 ++ eth = (struct ethhdr *)skb->data;
32592 + type = eth->h_proto;
32593 + }
32594 +
32595 +@@ -2621,7 +2621,7 @@ netdev_features_t passthru_features_check(struct sk_buff *skb,
32596 + }
32597 + EXPORT_SYMBOL(passthru_features_check);
32598 +
32599 +-static netdev_features_t dflt_features_check(const struct sk_buff *skb,
32600 ++static netdev_features_t dflt_features_check(struct sk_buff *skb,
32601 + struct net_device *dev,
32602 + netdev_features_t features)
32603 + {
32604 +diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
32605 +index c0548d268e1a..e3e6a3e2ca22 100644
32606 +--- a/net/core/dev_addr_lists.c
32607 ++++ b/net/core/dev_addr_lists.c
32608 +@@ -57,8 +57,8 @@ static int __hw_addr_add_ex(struct netdev_hw_addr_list *list,
32609 + return -EINVAL;
32610 +
32611 + list_for_each_entry(ha, &list->list, list) {
32612 +- if (!memcmp(ha->addr, addr, addr_len) &&
32613 +- ha->type == addr_type) {
32614 ++ if (ha->type == addr_type &&
32615 ++ !memcmp(ha->addr, addr, addr_len)) {
32616 + if (global) {
32617 + /* check if addr is already used as global */
32618 + if (ha->global_use)
32619 +diff --git a/net/core/neighbour.c b/net/core/neighbour.c
32620 +index 5fd6c6e699aa..c305645b22bc 100644
32621 +--- a/net/core/neighbour.c
32622 ++++ b/net/core/neighbour.c
32623 +@@ -54,7 +54,8 @@ do { \
32624 + static void neigh_timer_handler(unsigned long arg);
32625 + static void __neigh_notify(struct neighbour *n, int type, int flags);
32626 + static void neigh_update_notify(struct neighbour *neigh);
32627 +-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev);
32628 ++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
32629 ++ struct net_device *dev);
32630 +
32631 + #ifdef CONFIG_PROC_FS
32632 + static const struct file_operations neigh_stat_seq_fops;
32633 +@@ -254,8 +255,7 @@ int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
32634 + {
32635 + write_lock_bh(&tbl->lock);
32636 + neigh_flush_dev(tbl, dev);
32637 +- pneigh_ifdown(tbl, dev);
32638 +- write_unlock_bh(&tbl->lock);
32639 ++ pneigh_ifdown_and_unlock(tbl, dev);
32640 +
32641 + del_timer_sync(&tbl->proxy_timer);
32642 + pneigh_queue_purge(&tbl->proxy_queue);
32643 +@@ -641,9 +641,10 @@ int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey,
32644 + return -ENOENT;
32645 + }
32646 +
32647 +-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
32648 ++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
32649 ++ struct net_device *dev)
32650 + {
32651 +- struct pneigh_entry *n, **np;
32652 ++ struct pneigh_entry *n, **np, *freelist = NULL;
32653 + u32 h;
32654 +
32655 + for (h = 0; h <= PNEIGH_HASHMASK; h++) {
32656 +@@ -651,16 +652,23 @@ static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
32657 + while ((n = *np) != NULL) {
32658 + if (!dev || n->dev == dev) {
32659 + *np = n->next;
32660 +- if (tbl->pdestructor)
32661 +- tbl->pdestructor(n);
32662 +- if (n->dev)
32663 +- dev_put(n->dev);
32664 +- kfree(n);
32665 ++ n->next = freelist;
32666 ++ freelist = n;
32667 + continue;
32668 + }
32669 + np = &n->next;
32670 + }
32671 + }
32672 ++ write_unlock_bh(&tbl->lock);
32673 ++ while ((n = freelist)) {
32674 ++ freelist = n->next;
32675 ++ n->next = NULL;
32676 ++ if (tbl->pdestructor)
32677 ++ tbl->pdestructor(n);
32678 ++ if (n->dev)
32679 ++ dev_put(n->dev);
32680 ++ kfree(n);
32681 ++ }
32682 + return -ENOENT;
32683 + }
32684 +
32685 +@@ -1127,10 +1135,6 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
32686 + lladdr = neigh->ha;
32687 + }
32688 +
32689 +- if (new & NUD_CONNECTED)
32690 +- neigh->confirmed = jiffies;
32691 +- neigh->updated = jiffies;
32692 +-
32693 + /* If entry was valid and address is not changed,
32694 + do not change entry state, if new one is STALE.
32695 + */
32696 +@@ -1154,6 +1158,16 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
32697 + }
32698 + }
32699 +
32700 ++ /* Update timestamps only once we know we will make a change to the
32701 ++ * neighbour entry. Otherwise we risk to move the locktime window with
32702 ++ * noop updates and ignore relevant ARP updates.
32703 ++ */
32704 ++ if (new != old || lladdr != neigh->ha) {
32705 ++ if (new & NUD_CONNECTED)
32706 ++ neigh->confirmed = jiffies;
32707 ++ neigh->updated = jiffies;
32708 ++ }
32709 ++
32710 + if (new != old) {
32711 + neigh_del_timer(neigh);
32712 + if (new & NUD_IN_TIMER)
32713 +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
32714 +index 572af0011997..9195a109ea79 100644
32715 +--- a/net/core/net_namespace.c
32716 ++++ b/net/core/net_namespace.c
32717 +@@ -268,6 +268,25 @@ out_undo:
32718 + goto out;
32719 + }
32720 +
32721 ++static int __net_init net_defaults_init_net(struct net *net)
32722 ++{
32723 ++ net->core.sysctl_somaxconn = SOMAXCONN;
32724 ++ return 0;
32725 ++}
32726 ++
32727 ++static struct pernet_operations net_defaults_ops = {
32728 ++ .init = net_defaults_init_net,
32729 ++};
32730 ++
32731 ++static __init int net_defaults_init(void)
32732 ++{
32733 ++ if (register_pernet_subsys(&net_defaults_ops))
32734 ++ panic("Cannot initialize net default settings");
32735 ++
32736 ++ return 0;
32737 ++}
32738 ++
32739 ++core_initcall(net_defaults_init);
32740 +
32741 + #ifdef CONFIG_NET_NS
32742 + static struct kmem_cache *net_cachep;
32743 +diff --git a/net/core/skbuff.c b/net/core/skbuff.c
32744 +index 853e82075ebd..ac1436be3cf7 100644
32745 +--- a/net/core/skbuff.c
32746 ++++ b/net/core/skbuff.c
32747 +@@ -875,6 +875,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb)
32748 + n->hdr_len = skb->nohdr ? skb_headroom(skb) : skb->hdr_len;
32749 + n->cloned = 1;
32750 + n->nohdr = 0;
32751 ++ n->peeked = 0;
32752 + n->destructor = NULL;
32753 + C(tail);
32754 + C(end);
32755 +@@ -2587,7 +2588,8 @@ void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len)
32756 + {
32757 + int pos = skb_headlen(skb);
32758 +
32759 +- skb_shinfo(skb1)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
32760 ++ skb_shinfo(skb1)->tx_flags |= skb_shinfo(skb)->tx_flags &
32761 ++ SKBTX_SHARED_FRAG;
32762 + if (len < pos) /* Split line is inside header. */
32763 + skb_split_inside_header(skb, skb1, len, pos);
32764 + else /* Second chunk has no header, nothing to copy. */
32765 +@@ -3133,8 +3135,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
32766 + skb_copy_from_linear_data_offset(head_skb, offset,
32767 + skb_put(nskb, hsize), hsize);
32768 +
32769 +- skb_shinfo(nskb)->tx_flags = skb_shinfo(head_skb)->tx_flags &
32770 +- SKBTX_SHARED_FRAG;
32771 ++ skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
32772 ++ SKBTX_SHARED_FRAG;
32773 +
32774 + while (pos < offset + len) {
32775 + if (i >= nfrags) {
32776 +@@ -3347,24 +3349,18 @@ void __init skb_init(void)
32777 + NULL);
32778 + }
32779 +
32780 +-/**
32781 +- * skb_to_sgvec - Fill a scatter-gather list from a socket buffer
32782 +- * @skb: Socket buffer containing the buffers to be mapped
32783 +- * @sg: The scatter-gather list to map into
32784 +- * @offset: The offset into the buffer's contents to start mapping
32785 +- * @len: Length of buffer space to be mapped
32786 +- *
32787 +- * Fill the specified scatter-gather list with mappings/pointers into a
32788 +- * region of the buffer space attached to a socket buffer.
32789 +- */
32790 + static int
32791 +-__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
32792 ++__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len,
32793 ++ unsigned int recursion_level)
32794 + {
32795 + int start = skb_headlen(skb);
32796 + int i, copy = start - offset;
32797 + struct sk_buff *frag_iter;
32798 + int elt = 0;
32799 +
32800 ++ if (unlikely(recursion_level >= 24))
32801 ++ return -EMSGSIZE;
32802 ++
32803 + if (copy > 0) {
32804 + if (copy > len)
32805 + copy = len;
32806 +@@ -3383,6 +3379,8 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
32807 + end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
32808 + if ((copy = end - offset) > 0) {
32809 + skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
32810 ++ if (unlikely(elt && sg_is_last(&sg[elt - 1])))
32811 ++ return -EMSGSIZE;
32812 +
32813 + if (copy > len)
32814 + copy = len;
32815 +@@ -3397,16 +3395,22 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
32816 + }
32817 +
32818 + skb_walk_frags(skb, frag_iter) {
32819 +- int end;
32820 ++ int end, ret;
32821 +
32822 + WARN_ON(start > offset + len);
32823 +
32824 + end = start + frag_iter->len;
32825 + if ((copy = end - offset) > 0) {
32826 ++ if (unlikely(elt && sg_is_last(&sg[elt - 1])))
32827 ++ return -EMSGSIZE;
32828 ++
32829 + if (copy > len)
32830 + copy = len;
32831 +- elt += __skb_to_sgvec(frag_iter, sg+elt, offset - start,
32832 +- copy);
32833 ++ ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start,
32834 ++ copy, recursion_level + 1);
32835 ++ if (unlikely(ret < 0))
32836 ++ return ret;
32837 ++ elt += ret;
32838 + if ((len -= copy) == 0)
32839 + return elt;
32840 + offset += copy;
32841 +@@ -3417,6 +3421,31 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
32842 + return elt;
32843 + }
32844 +
32845 ++/**
32846 ++ * skb_to_sgvec - Fill a scatter-gather list from a socket buffer
32847 ++ * @skb: Socket buffer containing the buffers to be mapped
32848 ++ * @sg: The scatter-gather list to map into
32849 ++ * @offset: The offset into the buffer's contents to start mapping
32850 ++ * @len: Length of buffer space to be mapped
32851 ++ *
32852 ++ * Fill the specified scatter-gather list with mappings/pointers into a
32853 ++ * region of the buffer space attached to a socket buffer. Returns either
32854 ++ * the number of scatterlist items used, or -EMSGSIZE if the contents
32855 ++ * could not fit.
32856 ++ */
32857 ++int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
32858 ++{
32859 ++ int nsg = __skb_to_sgvec(skb, sg, offset, len, 0);
32860 ++
32861 ++ if (nsg <= 0)
32862 ++ return nsg;
32863 ++
32864 ++ sg_mark_end(&sg[nsg - 1]);
32865 ++
32866 ++ return nsg;
32867 ++}
32868 ++EXPORT_SYMBOL_GPL(skb_to_sgvec);
32869 ++
32870 + /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given
32871 + * sglist without mark the sg which contain last skb data as the end.
32872 + * So the caller can mannipulate sg list as will when padding new data after
32873 +@@ -3439,19 +3468,11 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
32874 + int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
32875 + int offset, int len)
32876 + {
32877 +- return __skb_to_sgvec(skb, sg, offset, len);
32878 ++ return __skb_to_sgvec(skb, sg, offset, len, 0);
32879 + }
32880 + EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark);
32881 +
32882 +-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
32883 +-{
32884 +- int nsg = __skb_to_sgvec(skb, sg, offset, len);
32885 +
32886 +- sg_mark_end(&sg[nsg - 1]);
32887 +-
32888 +- return nsg;
32889 +-}
32890 +-EXPORT_SYMBOL_GPL(skb_to_sgvec);
32891 +
32892 + /**
32893 + * skb_cow_data - Check that a socket buffer's data buffers are writable
32894 +@@ -3589,7 +3610,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
32895 +
32896 + skb_queue_tail(&sk->sk_error_queue, skb);
32897 + if (!sock_flag(sk, SOCK_DEAD))
32898 +- sk->sk_data_ready(sk);
32899 ++ sk->sk_error_report(sk);
32900 + return 0;
32901 + }
32902 + EXPORT_SYMBOL(sock_queue_err_skb);
32903 +@@ -3733,7 +3754,8 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
32904 + return;
32905 +
32906 + if (tsonly) {
32907 +- skb_shinfo(skb)->tx_flags = skb_shinfo(orig_skb)->tx_flags;
32908 ++ skb_shinfo(skb)->tx_flags |= skb_shinfo(orig_skb)->tx_flags &
32909 ++ SKBTX_ANY_TSTAMP;
32910 + skb_shinfo(skb)->tskey = skb_shinfo(orig_skb)->tskey;
32911 + }
32912 +
32913 +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
32914 +index f5ef2115871f..a9a4276609ef 100644
32915 +--- a/net/core/sysctl_net_core.c
32916 ++++ b/net/core/sysctl_net_core.c
32917 +@@ -423,8 +423,6 @@ static __net_init int sysctl_core_net_init(struct net *net)
32918 + {
32919 + struct ctl_table *tbl;
32920 +
32921 +- net->core.sysctl_somaxconn = SOMAXCONN;
32922 +-
32923 + tbl = netns_core_table;
32924 + if (!net_eq(net, &init_net)) {
32925 + tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL);
32926 +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
32927 +index bafb2223b879..2fa37d32ae3b 100644
32928 +--- a/net/dccp/ipv4.c
32929 ++++ b/net/dccp/ipv4.c
32930 +@@ -642,6 +642,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
32931 + ireq = inet_rsk(req);
32932 + sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr);
32933 + sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr);
32934 ++ ireq->ir_mark = inet_request_mark(sk, skb);
32935 + ireq->ireq_family = AF_INET;
32936 + ireq->ir_iif = sk->sk_bound_dev_if;
32937 +
32938 +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
32939 +index d61027e78e25..a56919d47403 100644
32940 +--- a/net/dccp/ipv6.c
32941 ++++ b/net/dccp/ipv6.c
32942 +@@ -375,6 +375,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
32943 + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
32944 + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
32945 + ireq->ireq_family = AF_INET6;
32946 ++ ireq->ir_mark = inet_request_mark(sk, skb);
32947 +
32948 + if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
32949 + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
32950 +diff --git a/net/dccp/proto.c b/net/dccp/proto.c
32951 +index a20dc23360f9..be71e07ba6f1 100644
32952 +--- a/net/dccp/proto.c
32953 ++++ b/net/dccp/proto.c
32954 +@@ -790,6 +790,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
32955 + if (skb == NULL)
32956 + goto out_release;
32957 +
32958 ++ if (sk->sk_state == DCCP_CLOSED) {
32959 ++ rc = -ENOTCONN;
32960 ++ goto out_discard;
32961 ++ }
32962 ++
32963 + skb_reserve(skb, sk->sk_prot->max_header);
32964 + rc = memcpy_from_msg(skb_put(skb, len), msg, len);
32965 + if (rc != 0)
32966 +diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
32967 +index 31cd4fd75486..4b437445c2ea 100644
32968 +--- a/net/dns_resolver/dns_key.c
32969 ++++ b/net/dns_resolver/dns_key.c
32970 +@@ -25,6 +25,7 @@
32971 + #include <linux/moduleparam.h>
32972 + #include <linux/slab.h>
32973 + #include <linux/string.h>
32974 ++#include <linux/ratelimit.h>
32975 + #include <linux/kernel.h>
32976 + #include <linux/keyctl.h>
32977 + #include <linux/err.h>
32978 +@@ -91,9 +92,9 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
32979 +
32980 + next_opt = memchr(opt, '#', end - opt) ?: end;
32981 + opt_len = next_opt - opt;
32982 +- if (!opt_len) {
32983 +- printk(KERN_WARNING
32984 +- "Empty option to dns_resolver key\n");
32985 ++ if (opt_len <= 0 || opt_len > 128) {
32986 ++ pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
32987 ++ opt_len);
32988 + return -EINVAL;
32989 + }
32990 +
32991 +@@ -127,10 +128,8 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
32992 + }
32993 +
32994 + bad_option_value:
32995 +- printk(KERN_WARNING
32996 +- "Option '%*.*s' to dns_resolver key:"
32997 +- " bad/missing value\n",
32998 +- opt_nlen, opt_nlen, opt);
32999 ++ pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n",
33000 ++ opt_nlen, opt_nlen, opt);
33001 + return -EINVAL;
33002 + } while (opt = next_opt + 1, opt < end);
33003 + }
33004 +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
33005 +index 627a2537634e..7c5040c4fa90 100644
33006 +--- a/net/ieee802154/socket.c
33007 ++++ b/net/ieee802154/socket.c
33008 +@@ -310,12 +310,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
33009 + skb->sk = sk;
33010 + skb->protocol = htons(ETH_P_IEEE802154);
33011 +
33012 +- dev_put(dev);
33013 +-
33014 + err = dev_queue_xmit(skb);
33015 + if (err > 0)
33016 + err = net_xmit_errno(err);
33017 +
33018 ++ dev_put(dev);
33019 ++
33020 + return err ?: size;
33021 +
33022 + out_skb:
33023 +@@ -697,12 +697,12 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
33024 + skb->sk = sk;
33025 + skb->protocol = htons(ETH_P_IEEE802154);
33026 +
33027 +- dev_put(dev);
33028 +-
33029 + err = dev_queue_xmit(skb);
33030 + if (err > 0)
33031 + err = net_xmit_errno(err);
33032 +
33033 ++ dev_put(dev);
33034 ++
33035 + return err ?: size;
33036 +
33037 + out_skb:
33038 +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
33039 +index bb96c1c4edd6..35ea352a9cef 100644
33040 +--- a/net/ipv4/inet_timewait_sock.c
33041 ++++ b/net/ipv4/inet_timewait_sock.c
33042 +@@ -212,6 +212,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk,
33043 + tw->tw_dport = inet->inet_dport;
33044 + tw->tw_family = sk->sk_family;
33045 + tw->tw_reuse = sk->sk_reuse;
33046 ++ tw->tw_reuseport = sk->sk_reuseport;
33047 + tw->tw_hash = sk->sk_hash;
33048 + tw->tw_ipv6only = 0;
33049 + tw->tw_transparent = inet->transparent;
33050 +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
33051 +index 67c1333422a4..d4bdeed4e0a4 100644
33052 +--- a/net/ipv4/ip_sockglue.c
33053 ++++ b/net/ipv4/ip_sockglue.c
33054 +@@ -239,7 +239,8 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc,
33055 + src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg);
33056 + if (!ipv6_addr_v4mapped(&src_info->ipi6_addr))
33057 + return -EINVAL;
33058 +- ipc->oif = src_info->ipi6_ifindex;
33059 ++ if (src_info->ipi6_ifindex)
33060 ++ ipc->oif = src_info->ipi6_ifindex;
33061 + ipc->addr = src_info->ipi6_addr.s6_addr32[3];
33062 + continue;
33063 + }
33064 +@@ -262,7 +263,8 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc,
33065 + if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo)))
33066 + return -EINVAL;
33067 + info = (struct in_pktinfo *)CMSG_DATA(cmsg);
33068 +- ipc->oif = info->ipi_ifindex;
33069 ++ if (info->ipi_ifindex)
33070 ++ ipc->oif = info->ipi_ifindex;
33071 + ipc->addr = info->ipi_spec_dst.s_addr;
33072 + break;
33073 + }
33074 +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
33075 +index 169bf7d1d8ca..2385ec7083c6 100644
33076 +--- a/net/ipv4/ip_tunnel.c
33077 ++++ b/net/ipv4/ip_tunnel.c
33078 +@@ -301,13 +301,14 @@ static struct net_device *__ip_tunnel_create(struct net *net,
33079 + struct net_device *dev;
33080 + char name[IFNAMSIZ];
33081 +
33082 +- if (parms->name[0])
33083 ++ err = -E2BIG;
33084 ++ if (parms->name[0]) {
33085 ++ if (!dev_valid_name(parms->name))
33086 ++ goto failed;
33087 + strlcpy(name, parms->name, IFNAMSIZ);
33088 +- else {
33089 +- if (strlen(ops->kind) > (IFNAMSIZ - 3)) {
33090 +- err = -E2BIG;
33091 ++ } else {
33092 ++ if (strlen(ops->kind) > (IFNAMSIZ - 3))
33093 + goto failed;
33094 +- }
33095 + strlcpy(name, ops->kind, IFNAMSIZ);
33096 + strncat(name, "%d", 2);
33097 + }
33098 +diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
33099 +index 574f7ebba0b6..ac8342dcb55e 100644
33100 +--- a/net/ipv4/netfilter/nf_nat_h323.c
33101 ++++ b/net/ipv4/netfilter/nf_nat_h323.c
33102 +@@ -252,16 +252,16 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
33103 + if (set_h245_addr(skb, protoff, data, dataoff, taddr,
33104 + &ct->tuplehash[!dir].tuple.dst.u3,
33105 + htons((port & htons(1)) ? nated_port + 1 :
33106 +- nated_port)) == 0) {
33107 +- /* Save ports */
33108 +- info->rtp_port[i][dir] = rtp_port;
33109 +- info->rtp_port[i][!dir] = htons(nated_port);
33110 +- } else {
33111 ++ nated_port))) {
33112 + nf_ct_unexpect_related(rtp_exp);
33113 + nf_ct_unexpect_related(rtcp_exp);
33114 + return -1;
33115 + }
33116 +
33117 ++ /* Save ports */
33118 ++ info->rtp_port[i][dir] = rtp_port;
33119 ++ info->rtp_port[i][!dir] = htons(nated_port);
33120 ++
33121 + /* Success */
33122 + pr_debug("nf_nat_h323: expect RTP %pI4:%hu->%pI4:%hu\n",
33123 + &rtp_exp->tuple.src.u3.ip,
33124 +@@ -370,15 +370,15 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
33125 + /* Modify signal */
33126 + if (set_h225_addr(skb, protoff, data, dataoff, taddr,
33127 + &ct->tuplehash[!dir].tuple.dst.u3,
33128 +- htons(nated_port)) == 0) {
33129 +- /* Save ports */
33130 +- info->sig_port[dir] = port;
33131 +- info->sig_port[!dir] = htons(nated_port);
33132 +- } else {
33133 ++ htons(nated_port))) {
33134 + nf_ct_unexpect_related(exp);
33135 + return -1;
33136 + }
33137 +
33138 ++ /* Save ports */
33139 ++ info->sig_port[dir] = port;
33140 ++ info->sig_port[!dir] = htons(nated_port);
33141 ++
33142 + pr_debug("nf_nat_q931: expect H.245 %pI4:%hu->%pI4:%hu\n",
33143 + &exp->tuple.src.u3.ip,
33144 + ntohs(exp->tuple.src.u.tcp.port),
33145 +@@ -462,24 +462,27 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
33146 + /* Modify signal */
33147 + if (set_h225_addr(skb, protoff, data, 0, &taddr[idx],
33148 + &ct->tuplehash[!dir].tuple.dst.u3,
33149 +- htons(nated_port)) == 0) {
33150 +- /* Save ports */
33151 +- info->sig_port[dir] = port;
33152 +- info->sig_port[!dir] = htons(nated_port);
33153 +-
33154 +- /* Fix for Gnomemeeting */
33155 +- if (idx > 0 &&
33156 +- get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
33157 +- (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
33158 +- set_h225_addr(skb, protoff, data, 0, &taddr[0],
33159 +- &ct->tuplehash[!dir].tuple.dst.u3,
33160 +- info->sig_port[!dir]);
33161 +- }
33162 +- } else {
33163 ++ htons(nated_port))) {
33164 + nf_ct_unexpect_related(exp);
33165 + return -1;
33166 + }
33167 +
33168 ++ /* Save ports */
33169 ++ info->sig_port[dir] = port;
33170 ++ info->sig_port[!dir] = htons(nated_port);
33171 ++
33172 ++ /* Fix for Gnomemeeting */
33173 ++ if (idx > 0 &&
33174 ++ get_h225_addr(ct, *data, &taddr[0], &addr, &port) &&
33175 ++ (ntohl(addr.ip) & 0xff000000) == 0x7f000000) {
33176 ++ if (set_h225_addr(skb, protoff, data, 0, &taddr[0],
33177 ++ &ct->tuplehash[!dir].tuple.dst.u3,
33178 ++ info->sig_port[!dir])) {
33179 ++ nf_ct_unexpect_related(exp);
33180 ++ return -1;
33181 ++ }
33182 ++ }
33183 ++
33184 + /* Success */
33185 + pr_debug("nf_nat_ras: expect Q.931 %pI4:%hu->%pI4:%hu\n",
33186 + &exp->tuple.src.u3.ip,
33187 +@@ -550,9 +553,9 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
33188 + }
33189 +
33190 + /* Modify signal */
33191 +- if (!set_h225_addr(skb, protoff, data, dataoff, taddr,
33192 +- &ct->tuplehash[!dir].tuple.dst.u3,
33193 +- htons(nated_port)) == 0) {
33194 ++ if (set_h225_addr(skb, protoff, data, dataoff, taddr,
33195 ++ &ct->tuplehash[!dir].tuple.dst.u3,
33196 ++ htons(nated_port))) {
33197 + nf_ct_unexpect_related(exp);
33198 + return -1;
33199 + }
33200 +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
33201 +index 9a2294d01b9d..acf09ab17a62 100644
33202 +--- a/net/ipv4/raw.c
33203 ++++ b/net/ipv4/raw.c
33204 +@@ -496,11 +496,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
33205 + int err;
33206 + struct ip_options_data opt_copy;
33207 + struct raw_frag_vec rfv;
33208 ++ int hdrincl;
33209 +
33210 + err = -EMSGSIZE;
33211 + if (len > 0xFFFF)
33212 + goto out;
33213 +
33214 ++ /* hdrincl should be READ_ONCE(inet->hdrincl)
33215 ++ * but READ_ONCE() doesn't work with bit fields
33216 ++ */
33217 ++ hdrincl = inet->hdrincl;
33218 + /*
33219 + * Check the flags.
33220 + */
33221 +@@ -575,7 +580,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
33222 + /* Linux does not mangle headers on raw sockets,
33223 + * so that IP options + IP_HDRINCL is non-sense.
33224 + */
33225 +- if (inet->hdrincl)
33226 ++ if (hdrincl)
33227 + goto done;
33228 + if (ipc.opt->opt.srr) {
33229 + if (!daddr)
33230 +@@ -597,12 +602,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
33231 +
33232 + flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
33233 + RT_SCOPE_UNIVERSE,
33234 +- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
33235 ++ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
33236 + inet_sk_flowi_flags(sk) |
33237 +- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
33238 ++ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
33239 + daddr, saddr, 0, 0);
33240 +
33241 +- if (!inet->hdrincl) {
33242 ++ if (!hdrincl) {
33243 + rfv.msg = msg;
33244 + rfv.hlen = 0;
33245 +
33246 +@@ -627,7 +632,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
33247 + goto do_confirm;
33248 + back_from_confirm:
33249 +
33250 +- if (inet->hdrincl)
33251 ++ if (hdrincl)
33252 + err = raw_send_hdrinc(sk, &fl4, msg, len,
33253 + &rt, msg->msg_flags);
33254 +
33255 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
33256 +index 94a4b28e5da6..07d65ae018ee 100644
33257 +--- a/net/ipv4/tcp.c
33258 ++++ b/net/ipv4/tcp.c
33259 +@@ -2416,7 +2416,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
33260 + case TCP_REPAIR_QUEUE:
33261 + if (!tp->repair)
33262 + err = -EPERM;
33263 +- else if (val < TCP_QUEUES_NR)
33264 ++ else if ((unsigned int)val < TCP_QUEUES_NR)
33265 + tp->repair_queue = val;
33266 + else
33267 + err = -EINVAL;
33268 +@@ -2548,8 +2548,10 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
33269 +
33270 + #ifdef CONFIG_TCP_MD5SIG
33271 + case TCP_MD5SIG:
33272 +- /* Read the IP->Key mappings from userspace */
33273 +- err = tp->af_specific->md5_parse(sk, optval, optlen);
33274 ++ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
33275 ++ err = tp->af_specific->md5_parse(sk, optval, optlen);
33276 ++ else
33277 ++ err = -EINVAL;
33278 + break;
33279 + #endif
33280 + case TCP_USER_TIMEOUT:
33281 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
33282 +index 4763c431f7d8..d61371cefaf0 100644
33283 +--- a/net/ipv4/tcp_input.c
33284 ++++ b/net/ipv4/tcp_input.c
33285 +@@ -3819,11 +3819,8 @@ const u8 *tcp_parse_md5sig_option(const struct tcphdr *th)
33286 + int length = (th->doff << 2) - sizeof(*th);
33287 + const u8 *ptr = (const u8 *)(th + 1);
33288 +
33289 +- /* If the TCP option is too short, we can short cut */
33290 +- if (length < TCPOLEN_MD5SIG)
33291 +- return NULL;
33292 +-
33293 +- while (length > 0) {
33294 ++ /* If not enough data remaining, we can short cut */
33295 ++ while (length >= TCPOLEN_MD5SIG) {
33296 + int opcode = *ptr++;
33297 + int opsize;
33298 +
33299 +@@ -5417,10 +5414,6 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb)
33300 + else
33301 + tp->pred_flags = 0;
33302 +
33303 +- if (!sock_flag(sk, SOCK_DEAD)) {
33304 +- sk->sk_state_change(sk);
33305 +- sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);
33306 +- }
33307 + }
33308 +
33309 + static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack,
33310 +@@ -5484,6 +5477,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
33311 + struct tcp_sock *tp = tcp_sk(sk);
33312 + struct tcp_fastopen_cookie foc = { .len = -1 };
33313 + int saved_clamp = tp->rx_opt.mss_clamp;
33314 ++ bool fastopen_fail;
33315 +
33316 + tcp_parse_options(skb, &tp->rx_opt, 0, &foc);
33317 + if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr)
33318 +@@ -5586,10 +5580,15 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
33319 +
33320 + tcp_finish_connect(sk, skb);
33321 +
33322 +- if ((tp->syn_fastopen || tp->syn_data) &&
33323 +- tcp_rcv_fastopen_synack(sk, skb, &foc))
33324 +- return -1;
33325 ++ fastopen_fail = (tp->syn_fastopen || tp->syn_data) &&
33326 ++ tcp_rcv_fastopen_synack(sk, skb, &foc);
33327 +
33328 ++ if (!sock_flag(sk, SOCK_DEAD)) {
33329 ++ sk->sk_state_change(sk);
33330 ++ sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT);
33331 ++ }
33332 ++ if (fastopen_fail)
33333 ++ return -1;
33334 + if (sk->sk_write_pending ||
33335 + icsk->icsk_accept_queue.rskq_defer_accept ||
33336 + icsk->icsk_ack.pingpong) {
33337 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
33338 +index 8441f9939d49..185ccfd781ed 100644
33339 +--- a/net/ipv6/addrconf.c
33340 ++++ b/net/ipv6/addrconf.c
33341 +@@ -886,7 +886,10 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr,
33342 + INIT_HLIST_NODE(&ifa->addr_lst);
33343 + ifa->scope = scope;
33344 + ifa->prefix_len = pfxlen;
33345 +- ifa->flags = flags | IFA_F_TENTATIVE;
33346 ++ ifa->flags = flags;
33347 ++ /* No need to add the TENTATIVE flag for addresses with NODAD */
33348 ++ if (!(flags & IFA_F_NODAD))
33349 ++ ifa->flags |= IFA_F_TENTATIVE;
33350 + ifa->valid_lft = valid_lft;
33351 + ifa->prefered_lft = prefered_lft;
33352 + ifa->cstamp = ifa->tstamp = jiffies;
33353 +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
33354 +index b1311da5d7b8..cda3cc6c3535 100644
33355 +--- a/net/ipv6/ip6_gre.c
33356 ++++ b/net/ipv6/ip6_gre.c
33357 +@@ -319,11 +319,13 @@ static struct ip6_tnl *ip6gre_tunnel_locate(struct net *net,
33358 + if (t || !create)
33359 + return t;
33360 +
33361 +- if (parms->name[0])
33362 ++ if (parms->name[0]) {
33363 ++ if (!dev_valid_name(parms->name))
33364 ++ return NULL;
33365 + strlcpy(name, parms->name, IFNAMSIZ);
33366 +- else
33367 ++ } else {
33368 + strcpy(name, "ip6gre%d");
33369 +-
33370 ++ }
33371 + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
33372 + ip6gre_tunnel_setup);
33373 + if (!dev)
33374 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
33375 +index c7c2c33aa4af..2219f454c0db 100644
33376 +--- a/net/ipv6/ip6_tunnel.c
33377 ++++ b/net/ipv6/ip6_tunnel.c
33378 +@@ -316,13 +316,16 @@ static struct ip6_tnl *ip6_tnl_create(struct net *net, struct __ip6_tnl_parm *p)
33379 + struct net_device *dev;
33380 + struct ip6_tnl *t;
33381 + char name[IFNAMSIZ];
33382 +- int err = -ENOMEM;
33383 ++ int err = -E2BIG;
33384 +
33385 +- if (p->name[0])
33386 ++ if (p->name[0]) {
33387 ++ if (!dev_valid_name(p->name))
33388 ++ goto failed;
33389 + strlcpy(name, p->name, IFNAMSIZ);
33390 +- else
33391 ++ } else {
33392 + sprintf(name, "ip6tnl%%d");
33393 +-
33394 ++ }
33395 ++ err = -ENOMEM;
33396 + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
33397 + ip6_tnl_dev_setup);
33398 + if (!dev)
33399 +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
33400 +index c460e653b6a5..9b1c466fd0fd 100644
33401 +--- a/net/ipv6/ip6_vti.c
33402 ++++ b/net/ipv6/ip6_vti.c
33403 +@@ -212,10 +212,13 @@ static struct ip6_tnl *vti6_tnl_create(struct net *net, struct __ip6_tnl_parm *p
33404 + char name[IFNAMSIZ];
33405 + int err;
33406 +
33407 +- if (p->name[0])
33408 ++ if (p->name[0]) {
33409 ++ if (!dev_valid_name(p->name))
33410 ++ goto failed;
33411 + strlcpy(name, p->name, IFNAMSIZ);
33412 +- else
33413 ++ } else {
33414 + sprintf(name, "ip6_vti%%d");
33415 ++ }
33416 +
33417 + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup);
33418 + if (!dev)
33419 +@@ -614,6 +617,7 @@ static void vti6_link_config(struct ip6_tnl *t)
33420 + {
33421 + struct net_device *dev = t->dev;
33422 + struct __ip6_tnl_parm *p = &t->parms;
33423 ++ struct net_device *tdev = NULL;
33424 +
33425 + memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
33426 + memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
33427 +@@ -626,6 +630,25 @@ static void vti6_link_config(struct ip6_tnl *t)
33428 + dev->flags |= IFF_POINTOPOINT;
33429 + else
33430 + dev->flags &= ~IFF_POINTOPOINT;
33431 ++
33432 ++ if (p->flags & IP6_TNL_F_CAP_XMIT) {
33433 ++ int strict = (ipv6_addr_type(&p->raddr) &
33434 ++ (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
33435 ++ struct rt6_info *rt = rt6_lookup(t->net,
33436 ++ &p->raddr, &p->laddr,
33437 ++ p->link, strict);
33438 ++
33439 ++ if (rt)
33440 ++ tdev = rt->dst.dev;
33441 ++ ip6_rt_put(rt);
33442 ++ }
33443 ++
33444 ++ if (!tdev && p->link)
33445 ++ tdev = __dev_get_by_index(t->net, p->link);
33446 ++
33447 ++ if (tdev)
33448 ++ dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len,
33449 ++ IPV6_MIN_MTU);
33450 + }
33451 +
33452 + /**
33453 +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
33454 +index abb0bdda759a..460f63619552 100644
33455 +--- a/net/ipv6/ndisc.c
33456 ++++ b/net/ipv6/ndisc.c
33457 +@@ -1452,7 +1452,8 @@ static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
33458 + *(opt++) = (rd_len >> 3);
33459 + opt += 6;
33460 +
33461 +- memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
33462 ++ skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
33463 ++ rd_len - 8);
33464 + }
33465 +
33466 + void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
33467 +@@ -1655,6 +1656,8 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event,
33468 + case NETDEV_CHANGEADDR:
33469 + neigh_changeaddr(&nd_tbl, dev);
33470 + fib6_run_gc(0, net, false);
33471 ++ /* fallthrough */
33472 ++ case NETDEV_UP:
33473 + idev = in6_dev_get(dev);
33474 + if (!idev)
33475 + break;
33476 +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
33477 +index f4034c4eadf7..400548d53a43 100644
33478 +--- a/net/ipv6/sit.c
33479 ++++ b/net/ipv6/sit.c
33480 +@@ -244,11 +244,13 @@ static struct ip_tunnel *ipip6_tunnel_locate(struct net *net,
33481 + if (!create)
33482 + goto failed;
33483 +
33484 +- if (parms->name[0])
33485 ++ if (parms->name[0]) {
33486 ++ if (!dev_valid_name(parms->name))
33487 ++ goto failed;
33488 + strlcpy(name, parms->name, IFNAMSIZ);
33489 +- else
33490 ++ } else {
33491 + strcpy(name, "sit%d");
33492 +-
33493 ++ }
33494 + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
33495 + ipip6_tunnel_setup);
33496 + if (!dev)
33497 +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
33498 +index 123f6f9f854c..8f9493b1bb1f 100644
33499 +--- a/net/iucv/af_iucv.c
33500 ++++ b/net/iucv/af_iucv.c
33501 +@@ -2382,9 +2382,11 @@ static int afiucv_iucv_init(void)
33502 + af_iucv_dev->driver = &af_iucv_driver;
33503 + err = device_register(af_iucv_dev);
33504 + if (err)
33505 +- goto out_driver;
33506 ++ goto out_iucv_dev;
33507 + return 0;
33508 +
33509 ++out_iucv_dev:
33510 ++ put_device(af_iucv_dev);
33511 + out_driver:
33512 + driver_unregister(&af_iucv_driver);
33513 + out_iucv:
33514 +diff --git a/net/key/af_key.c b/net/key/af_key.c
33515 +index 354c43a1c43d..fd4b5a0cb7ee 100644
33516 +--- a/net/key/af_key.c
33517 ++++ b/net/key/af_key.c
33518 +@@ -3301,7 +3301,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
33519 + p += pol->sadb_x_policy_len*8;
33520 + sec_ctx = (struct sadb_x_sec_ctx *)p;
33521 + if (len < pol->sadb_x_policy_len*8 +
33522 +- sec_ctx->sadb_x_sec_len) {
33523 ++ sec_ctx->sadb_x_sec_len*8) {
33524 + *dir = -EINVAL;
33525 + goto out;
33526 + }
33527 +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
33528 +index 0c4de8dd58bf..0b92ff822534 100644
33529 +--- a/net/l2tp/l2tp_core.c
33530 ++++ b/net/l2tp/l2tp_core.c
33531 +@@ -1521,9 +1521,14 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
33532 + encap = cfg->encap;
33533 +
33534 + /* Quick sanity checks */
33535 ++ err = -EPROTONOSUPPORT;
33536 ++ if (sk->sk_type != SOCK_DGRAM) {
33537 ++ pr_debug("tunl %hu: fd %d wrong socket type\n",
33538 ++ tunnel_id, fd);
33539 ++ goto err;
33540 ++ }
33541 + switch (encap) {
33542 + case L2TP_ENCAPTYPE_UDP:
33543 +- err = -EPROTONOSUPPORT;
33544 + if (sk->sk_protocol != IPPROTO_UDP) {
33545 + pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
33546 + tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
33547 +@@ -1531,7 +1536,6 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
33548 + }
33549 + break;
33550 + case L2TP_ENCAPTYPE_IP:
33551 +- err = -EPROTONOSUPPORT;
33552 + if (sk->sk_protocol != IPPROTO_L2TP) {
33553 + pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
33554 + tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
33555 +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
33556 +index 1e412ad6ced5..ad2b93aafcd5 100644
33557 +--- a/net/l2tp/l2tp_netlink.c
33558 ++++ b/net/l2tp/l2tp_netlink.c
33559 +@@ -725,6 +725,8 @@ static int l2tp_nl_session_send(struct sk_buff *skb, u32 portid, u32 seq, int fl
33560 +
33561 + if ((session->ifname[0] &&
33562 + nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) ||
33563 ++ (session->offset &&
33564 ++ nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) ||
33565 + (session->cookie_len &&
33566 + nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len,
33567 + &session->cookie[0])) ||
33568 +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
33569 +index 2d4d2230f976..ac518cc76c3e 100644
33570 +--- a/net/l2tp/l2tp_ppp.c
33571 ++++ b/net/l2tp/l2tp_ppp.c
33572 +@@ -606,6 +606,13 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
33573 + lock_sock(sk);
33574 +
33575 + error = -EINVAL;
33576 ++
33577 ++ if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) &&
33578 ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) &&
33579 ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) &&
33580 ++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6))
33581 ++ goto end;
33582 ++
33583 + if (sp->sa_protocol != PX_PROTO_OL2TP)
33584 + goto end;
33585 +
33586 +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
33587 +index c58f242c00f1..f5d8cf1b96f3 100644
33588 +--- a/net/llc/af_llc.c
33589 ++++ b/net/llc/af_llc.c
33590 +@@ -197,9 +197,19 @@ static int llc_ui_release(struct socket *sock)
33591 + llc->laddr.lsap, llc->daddr.lsap);
33592 + if (!llc_send_disc(sk))
33593 + llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
33594 +- if (!sock_flag(sk, SOCK_ZAPPED))
33595 ++ if (!sock_flag(sk, SOCK_ZAPPED)) {
33596 ++ struct llc_sap *sap = llc->sap;
33597 ++
33598 ++ /* Hold this for release_sock(), so that llc_backlog_rcv()
33599 ++ * could still use it.
33600 ++ */
33601 ++ llc_sap_hold(sap);
33602 + llc_sap_remove_socket(llc->sap, sk);
33603 +- release_sock(sk);
33604 ++ release_sock(sk);
33605 ++ llc_sap_put(sap);
33606 ++ } else {
33607 ++ release_sock(sk);
33608 ++ }
33609 + if (llc->dev)
33610 + dev_put(llc->dev);
33611 + sock_put(sk);
33612 +@@ -309,6 +319,8 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
33613 + int rc = -EINVAL;
33614 +
33615 + dprintk("%s: binding %02X\n", __func__, addr->sllc_sap);
33616 ++
33617 ++ lock_sock(sk);
33618 + if (unlikely(!sock_flag(sk, SOCK_ZAPPED) || addrlen != sizeof(*addr)))
33619 + goto out;
33620 + rc = -EAFNOSUPPORT;
33621 +@@ -380,6 +392,7 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
33622 + out_put:
33623 + llc_sap_put(sap);
33624 + out:
33625 ++ release_sock(sk);
33626 + return rc;
33627 + }
33628 +
33629 +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
33630 +index 6e89ab8eac44..83aade477855 100644
33631 +--- a/net/mac80211/iface.c
33632 ++++ b/net/mac80211/iface.c
33633 +@@ -1418,7 +1418,7 @@ static void ieee80211_setup_sdata(struct ieee80211_sub_if_data *sdata,
33634 + break;
33635 + case NL80211_IFTYPE_UNSPECIFIED:
33636 + case NUM_NL80211_IFTYPES:
33637 +- BUG();
33638 ++ WARN_ON(1);
33639 + break;
33640 + }
33641 +
33642 +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
33643 +index 844825829992..41d059ec04b4 100644
33644 +--- a/net/mac80211/mlme.c
33645 ++++ b/net/mac80211/mlme.c
33646 +@@ -4321,6 +4321,10 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
33647 + if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data))
33648 + return -EINVAL;
33649 +
33650 ++ /* If a reconfig is happening, bail out */
33651 ++ if (local->in_reconfig)
33652 ++ return -EBUSY;
33653 ++
33654 + if (assoc) {
33655 + rcu_read_lock();
33656 + have_sta = sta_info_get(sdata, cbss->bssid);
33657 +diff --git a/net/mac80211/status.c b/net/mac80211/status.c
33658 +index 005fdbe39a8b..363c82b08d28 100644
33659 +--- a/net/mac80211/status.c
33660 ++++ b/net/mac80211/status.c
33661 +@@ -193,6 +193,7 @@ static void ieee80211_frame_acked(struct sta_info *sta, struct sk_buff *skb)
33662 + }
33663 +
33664 + if (ieee80211_is_action(mgmt->frame_control) &&
33665 ++ !ieee80211_has_protected(mgmt->frame_control) &&
33666 + mgmt->u.action.category == WLAN_CATEGORY_HT &&
33667 + mgmt->u.action.u.ht_smps.action == WLAN_HT_ACTION_SMPS &&
33668 + ieee80211_sdata_running(sdata)) {
33669 +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
33670 +index c0e64d15cf34..ee4dfecdc596 100644
33671 +--- a/net/netfilter/nf_conntrack_netlink.c
33672 ++++ b/net/netfilter/nf_conntrack_netlink.c
33673 +@@ -855,8 +855,13 @@ restart:
33674 + }
33675 + out:
33676 + local_bh_enable();
33677 +- if (last)
33678 ++ if (last) {
33679 ++ /* nf ct hash resize happened, now clear the leftover. */
33680 ++ if ((struct nf_conn *)cb->args[1] == last)
33681 ++ cb->args[1] = 0;
33682 ++
33683 + nf_ct_put(last);
33684 ++ }
33685 +
33686 + return skb->len;
33687 + }
33688 +diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
33689 +index 32d0437abdd8..86f7555a98d1 100644
33690 +--- a/net/netfilter/nfnetlink_queue_core.c
33691 ++++ b/net/netfilter/nfnetlink_queue_core.c
33692 +@@ -993,10 +993,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
33693 + struct net *net = sock_net(ctnl);
33694 + struct nfnl_queue_net *q = nfnl_queue_pernet(net);
33695 +
33696 +- queue = instance_lookup(q, queue_num);
33697 +- if (!queue)
33698 +- queue = verdict_instance_lookup(q, queue_num,
33699 +- NETLINK_CB(skb).portid);
33700 ++ queue = verdict_instance_lookup(q, queue_num,
33701 ++ NETLINK_CB(skb).portid);
33702 + if (IS_ERR(queue))
33703 + return PTR_ERR(queue);
33704 +
33705 +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
33706 +index f4fcd9441561..48e36611a869 100644
33707 +--- a/net/netfilter/x_tables.c
33708 ++++ b/net/netfilter/x_tables.c
33709 +@@ -367,6 +367,36 @@ textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
33710 + return buf;
33711 + }
33712 +
33713 ++/**
33714 ++ * xt_check_proc_name - check that name is suitable for /proc file creation
33715 ++ *
33716 ++ * @name: file name candidate
33717 ++ * @size: length of buffer
33718 ++ *
33719 ++ * some x_tables modules wish to create a file in /proc.
33720 ++ * This function makes sure that the name is suitable for this
33721 ++ * purpose, it checks that name is NUL terminated and isn't a 'special'
33722 ++ * name, like "..".
33723 ++ *
33724 ++ * returns negative number on error or 0 if name is useable.
33725 ++ */
33726 ++int xt_check_proc_name(const char *name, unsigned int size)
33727 ++{
33728 ++ if (name[0] == '\0')
33729 ++ return -EINVAL;
33730 ++
33731 ++ if (strnlen(name, size) == size)
33732 ++ return -ENAMETOOLONG;
33733 ++
33734 ++ if (strcmp(name, ".") == 0 ||
33735 ++ strcmp(name, "..") == 0 ||
33736 ++ strchr(name, '/'))
33737 ++ return -EINVAL;
33738 ++
33739 ++ return 0;
33740 ++}
33741 ++EXPORT_SYMBOL(xt_check_proc_name);
33742 ++
33743 + int xt_check_match(struct xt_mtchk_param *par,
33744 + unsigned int size, u_int8_t proto, bool inv_proto)
33745 + {
33746 +diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
33747 +index 178696852bde..7381be0cdcdf 100644
33748 +--- a/net/netfilter/xt_hashlimit.c
33749 ++++ b/net/netfilter/xt_hashlimit.c
33750 +@@ -668,8 +668,9 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
33751 +
33752 + if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
33753 + return -EINVAL;
33754 +- if (info->name[sizeof(info->name)-1] != '\0')
33755 +- return -EINVAL;
33756 ++ ret = xt_check_proc_name(info->name, sizeof(info->name));
33757 ++ if (ret)
33758 ++ return ret;
33759 + if (par->family == NFPROTO_IPV4) {
33760 + if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
33761 + return -EINVAL;
33762 +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
33763 +index 45e1b30e4fb2..f2780ee57163 100644
33764 +--- a/net/netfilter/xt_recent.c
33765 ++++ b/net/netfilter/xt_recent.c
33766 +@@ -364,9 +364,9 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
33767 + info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
33768 + return -EINVAL;
33769 + }
33770 +- if (info->name[0] == '\0' ||
33771 +- strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
33772 +- return -EINVAL;
33773 ++ ret = xt_check_proc_name(info->name, sizeof(info->name));
33774 ++ if (ret)
33775 ++ return ret;
33776 +
33777 + if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot)
33778 + nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1;
33779 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
33780 +index 66c340bc0553..45ecf1f433ad 100644
33781 +--- a/net/netlink/af_netlink.c
33782 ++++ b/net/netlink/af_netlink.c
33783 +@@ -1635,6 +1635,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
33784 + if (addr->sa_family != AF_NETLINK)
33785 + return -EINVAL;
33786 +
33787 ++ if (alen < sizeof(struct sockaddr_nl))
33788 ++ return -EINVAL;
33789 ++
33790 + if ((nladdr->nl_groups || nladdr->nl_pid) &&
33791 + !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
33792 + return -EPERM;
33793 +@@ -2385,6 +2388,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
33794 +
33795 + if (msg->msg_namelen) {
33796 + err = -EINVAL;
33797 ++ if (msg->msg_namelen < sizeof(struct sockaddr_nl))
33798 ++ goto out;
33799 + if (addr->nl_family != AF_NETLINK)
33800 + goto out;
33801 + dst_portid = addr->nl_pid;
33802 +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
33803 +index 97c22c818134..1c58b0326c54 100644
33804 +--- a/net/netlink/genetlink.c
33805 ++++ b/net/netlink/genetlink.c
33806 +@@ -1143,7 +1143,7 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
33807 + if (!err)
33808 + delivered = true;
33809 + else if (err != -ESRCH)
33810 +- goto error;
33811 ++ return err;
33812 + return delivered ? 0 : -ESRCH;
33813 + error:
33814 + kfree_skb(skb);
33815 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
33816 +index 7f5d147aff63..b778a3460842 100644
33817 +--- a/net/packet/af_packet.c
33818 ++++ b/net/packet/af_packet.c
33819 +@@ -2652,6 +2652,7 @@ static int packet_release(struct socket *sock)
33820 +
33821 + packet_flush_mclist(sk);
33822 +
33823 ++ lock_sock(sk);
33824 + if (po->rx_ring.pg_vec) {
33825 + memset(&req_u, 0, sizeof(req_u));
33826 + packet_set_ring(sk, &req_u, 1, 0);
33827 +@@ -2661,6 +2662,7 @@ static int packet_release(struct socket *sock)
33828 + memset(&req_u, 0, sizeof(req_u));
33829 + packet_set_ring(sk, &req_u, 1, 1);
33830 + }
33831 ++ release_sock(sk);
33832 +
33833 + fanout_release(sk);
33834 +
33835 +@@ -3320,6 +3322,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
33836 + union tpacket_req_u req_u;
33837 + int len;
33838 +
33839 ++ lock_sock(sk);
33840 + switch (po->tp_version) {
33841 + case TPACKET_V1:
33842 + case TPACKET_V2:
33843 +@@ -3330,14 +3333,21 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
33844 + len = sizeof(req_u.req3);
33845 + break;
33846 + }
33847 +- if (optlen < len)
33848 +- return -EINVAL;
33849 +- if (pkt_sk(sk)->has_vnet_hdr)
33850 +- return -EINVAL;
33851 +- if (copy_from_user(&req_u.req, optval, len))
33852 +- return -EFAULT;
33853 +- return packet_set_ring(sk, &req_u, 0,
33854 +- optname == PACKET_TX_RING);
33855 ++ if (optlen < len) {
33856 ++ ret = -EINVAL;
33857 ++ } else {
33858 ++ if (pkt_sk(sk)->has_vnet_hdr) {
33859 ++ ret = -EINVAL;
33860 ++ } else {
33861 ++ if (copy_from_user(&req_u.req, optval, len))
33862 ++ ret = -EFAULT;
33863 ++ else
33864 ++ ret = packet_set_ring(sk, &req_u, 0,
33865 ++ optname == PACKET_TX_RING);
33866 ++ }
33867 ++ }
33868 ++ release_sock(sk);
33869 ++ return ret;
33870 + }
33871 + case PACKET_COPY_THRESH:
33872 + {
33873 +@@ -3847,7 +3857,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
33874 + /* Added to avoid minimal code churn */
33875 + struct tpacket_req *req = &req_u->req;
33876 +
33877 +- lock_sock(sk);
33878 + /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
33879 + if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
33880 + WARN(1, "Tx-ring is not supported.\n");
33881 +@@ -3983,7 +3992,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
33882 + if (pg_vec)
33883 + free_pg_vec(pg_vec, order, req->tp_block_nr);
33884 + out:
33885 +- release_sock(sk);
33886 + return err;
33887 + }
33888 +
33889 +diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
33890 +index f226709ebd8f..ca5f3662a485 100644
33891 +--- a/net/rxrpc/rxkad.c
33892 ++++ b/net/rxrpc/rxkad.c
33893 +@@ -209,7 +209,7 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
33894 + struct sk_buff *trailer;
33895 + unsigned int len;
33896 + u16 check;
33897 +- int nsg;
33898 ++ int nsg, err;
33899 +
33900 + sp = rxrpc_skb(skb);
33901 +
33902 +@@ -240,7 +240,9 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
33903 + len &= ~(call->conn->size_align - 1);
33904 +
33905 + sg_init_table(sg, nsg);
33906 +- skb_to_sgvec(skb, sg, 0, len);
33907 ++ err = skb_to_sgvec(skb, sg, 0, len);
33908 ++ if (unlikely(err < 0))
33909 ++ return err;
33910 + crypto_blkcipher_encrypt_iv(&desc, sg, sg, len);
33911 +
33912 + _leave(" = 0");
33913 +@@ -336,7 +338,7 @@ static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
33914 + struct sk_buff *trailer;
33915 + u32 data_size, buf;
33916 + u16 check;
33917 +- int nsg;
33918 ++ int nsg, ret;
33919 +
33920 + _enter("");
33921 +
33922 +@@ -348,7 +350,9 @@ static int rxkad_verify_packet_auth(const struct rxrpc_call *call,
33923 + goto nomem;
33924 +
33925 + sg_init_table(sg, nsg);
33926 +- skb_to_sgvec(skb, sg, 0, 8);
33927 ++ ret = skb_to_sgvec(skb, sg, 0, 8);
33928 ++ if (unlikely(ret < 0))
33929 ++ return ret;
33930 +
33931 + /* start the decryption afresh */
33932 + memset(&iv, 0, sizeof(iv));
33933 +@@ -411,7 +415,7 @@ static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
33934 + struct sk_buff *trailer;
33935 + u32 data_size, buf;
33936 + u16 check;
33937 +- int nsg;
33938 ++ int nsg, ret;
33939 +
33940 + _enter(",{%d}", skb->len);
33941 +
33942 +@@ -430,7 +434,12 @@ static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call,
33943 + }
33944 +
33945 + sg_init_table(sg, nsg);
33946 +- skb_to_sgvec(skb, sg, 0, skb->len);
33947 ++ ret = skb_to_sgvec(skb, sg, 0, skb->len);
33948 ++ if (unlikely(ret < 0)) {
33949 ++ if (sg != _sg)
33950 ++ kfree(sg);
33951 ++ return ret;
33952 ++ }
33953 +
33954 + /* decrypt from the session key */
33955 + token = call->conn->key->payload.data;
33956 +diff --git a/net/sched/act_api.c b/net/sched/act_api.c
33957 +index c9387f62f634..97dbf5775c47 100644
33958 +--- a/net/sched/act_api.c
33959 ++++ b/net/sched/act_api.c
33960 +@@ -93,8 +93,10 @@ static int tcf_dump_walker(struct sk_buff *skb, struct netlink_callback *cb,
33961 + a->order = n_i;
33962 +
33963 + nest = nla_nest_start(skb, a->order);
33964 +- if (nest == NULL)
33965 ++ if (nest == NULL) {
33966 ++ index--;
33967 + goto nla_put_failure;
33968 ++ }
33969 + err = tcf_action_dump_1(skb, a, 0, 0);
33970 + if (err < 0) {
33971 + index--;
33972 +diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
33973 +index 4cd5cf1aedf8..a40ed3d29988 100644
33974 +--- a/net/sched/act_csum.c
33975 ++++ b/net/sched/act_csum.c
33976 +@@ -176,6 +176,9 @@ static int tcf_csum_ipv4_tcp(struct sk_buff *skb,
33977 + struct tcphdr *tcph;
33978 + const struct iphdr *iph;
33979 +
33980 ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4)
33981 ++ return 1;
33982 ++
33983 + tcph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*tcph));
33984 + if (tcph == NULL)
33985 + return 0;
33986 +@@ -197,6 +200,9 @@ static int tcf_csum_ipv6_tcp(struct sk_buff *skb,
33987 + struct tcphdr *tcph;
33988 + const struct ipv6hdr *ip6h;
33989 +
33990 ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6)
33991 ++ return 1;
33992 ++
33993 + tcph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*tcph));
33994 + if (tcph == NULL)
33995 + return 0;
33996 +@@ -220,6 +226,9 @@ static int tcf_csum_ipv4_udp(struct sk_buff *skb,
33997 + const struct iphdr *iph;
33998 + u16 ul;
33999 +
34000 ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
34001 ++ return 1;
34002 ++
34003 + /*
34004 + * Support both UDP and UDPLITE checksum algorithms, Don't use
34005 + * udph->len to get the real length without any protocol check,
34006 +@@ -273,6 +282,9 @@ static int tcf_csum_ipv6_udp(struct sk_buff *skb,
34007 + const struct ipv6hdr *ip6h;
34008 + u16 ul;
34009 +
34010 ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
34011 ++ return 1;
34012 ++
34013 + /*
34014 + * Support both UDP and UDPLITE checksum algorithms, Don't use
34015 + * udph->len to get the real length without any protocol check,
34016 +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
34017 +index 00db4424faf1..7fee02981619 100644
34018 +--- a/net/sctp/ipv6.c
34019 ++++ b/net/sctp/ipv6.c
34020 +@@ -496,46 +496,49 @@ static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr,
34021 + addr->v6.sin6_scope_id = 0;
34022 + }
34023 +
34024 +-/* Compare addresses exactly.
34025 +- * v4-mapped-v6 is also in consideration.
34026 +- */
34027 +-static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
34028 +- const union sctp_addr *addr2)
34029 ++static int __sctp_v6_cmp_addr(const union sctp_addr *addr1,
34030 ++ const union sctp_addr *addr2)
34031 + {
34032 + if (addr1->sa.sa_family != addr2->sa.sa_family) {
34033 + if (addr1->sa.sa_family == AF_INET &&
34034 + addr2->sa.sa_family == AF_INET6 &&
34035 +- ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) {
34036 +- if (addr2->v6.sin6_port == addr1->v4.sin_port &&
34037 +- addr2->v6.sin6_addr.s6_addr32[3] ==
34038 +- addr1->v4.sin_addr.s_addr)
34039 +- return 1;
34040 +- }
34041 ++ ipv6_addr_v4mapped(&addr2->v6.sin6_addr) &&
34042 ++ addr2->v6.sin6_addr.s6_addr32[3] ==
34043 ++ addr1->v4.sin_addr.s_addr)
34044 ++ return 1;
34045 ++
34046 + if (addr2->sa.sa_family == AF_INET &&
34047 + addr1->sa.sa_family == AF_INET6 &&
34048 +- ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) {
34049 +- if (addr1->v6.sin6_port == addr2->v4.sin_port &&
34050 +- addr1->v6.sin6_addr.s6_addr32[3] ==
34051 +- addr2->v4.sin_addr.s_addr)
34052 +- return 1;
34053 +- }
34054 ++ ipv6_addr_v4mapped(&addr1->v6.sin6_addr) &&
34055 ++ addr1->v6.sin6_addr.s6_addr32[3] ==
34056 ++ addr2->v4.sin_addr.s_addr)
34057 ++ return 1;
34058 ++
34059 + return 0;
34060 + }
34061 +- if (addr1->v6.sin6_port != addr2->v6.sin6_port)
34062 +- return 0;
34063 ++
34064 + if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr))
34065 + return 0;
34066 ++
34067 + /* If this is a linklocal address, compare the scope_id. */
34068 +- if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
34069 +- if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
34070 +- (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) {
34071 +- return 0;
34072 +- }
34073 +- }
34074 ++ if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) &&
34075 ++ addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
34076 ++ addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)
34077 ++ return 0;
34078 +
34079 + return 1;
34080 + }
34081 +
34082 ++/* Compare addresses exactly.
34083 ++ * v4-mapped-v6 is also in consideration.
34084 ++ */
34085 ++static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
34086 ++ const union sctp_addr *addr2)
34087 ++{
34088 ++ return __sctp_v6_cmp_addr(addr1, addr2) &&
34089 ++ addr1->v6.sin6_port == addr2->v6.sin6_port;
34090 ++}
34091 ++
34092 + /* Initialize addr struct to INADDR_ANY. */
34093 + static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port)
34094 + {
34095 +@@ -700,8 +703,10 @@ static int sctp_v6_addr_to_user(struct sctp_sock *sp, union sctp_addr *addr)
34096 + sctp_v6_map_v4(addr);
34097 + }
34098 +
34099 +- if (addr->sa.sa_family == AF_INET)
34100 ++ if (addr->sa.sa_family == AF_INET) {
34101 ++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
34102 + return sizeof(struct sockaddr_in);
34103 ++ }
34104 + return sizeof(struct sockaddr_in6);
34105 + }
34106 +
34107 +@@ -818,8 +823,8 @@ static int sctp_inet6_cmp_addr(const union sctp_addr *addr1,
34108 + const union sctp_addr *addr2,
34109 + struct sctp_sock *opt)
34110 + {
34111 +- struct sctp_af *af1, *af2;
34112 + struct sock *sk = sctp_opt2sk(opt);
34113 ++ struct sctp_af *af1, *af2;
34114 +
34115 + af1 = sctp_get_af_specific(addr1->sa.sa_family);
34116 + af2 = sctp_get_af_specific(addr2->sa.sa_family);
34117 +@@ -835,10 +840,7 @@ static int sctp_inet6_cmp_addr(const union sctp_addr *addr1,
34118 + if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2))
34119 + return 1;
34120 +
34121 +- if (addr1->sa.sa_family != addr2->sa.sa_family)
34122 +- return 0;
34123 +-
34124 +- return af1->cmp_addr(addr1, addr2);
34125 ++ return __sctp_v6_cmp_addr(addr1, addr2);
34126 + }
34127 +
34128 + /* Verify that the provided sockaddr looks bindable. Common verification,
34129 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
34130 +index 195b54a19f1e..25127a0aeb3c 100644
34131 +--- a/net/sctp/socket.c
34132 ++++ b/net/sctp/socket.c
34133 +@@ -335,11 +335,14 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt,
34134 + if (!opt->pf->af_supported(addr->sa.sa_family, opt))
34135 + return NULL;
34136 +
34137 +- /* V4 mapped address are really of AF_INET family */
34138 +- if (addr->sa.sa_family == AF_INET6 &&
34139 +- ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
34140 +- !opt->pf->af_supported(AF_INET, opt))
34141 +- return NULL;
34142 ++ if (addr->sa.sa_family == AF_INET6) {
34143 ++ if (len < SIN6_LEN_RFC2133)
34144 ++ return NULL;
34145 ++ /* V4 mapped address are really of AF_INET family */
34146 ++ if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
34147 ++ !opt->pf->af_supported(AF_INET, opt))
34148 ++ return NULL;
34149 ++ }
34150 +
34151 + /* If we get this far, af is valid. */
34152 + af = sctp_get_af_specific(addr->sa.sa_family);
34153 +@@ -1512,7 +1515,7 @@ static void sctp_close(struct sock *sk, long timeout)
34154 +
34155 + pr_debug("%s: sk:%p, timeout:%ld\n", __func__, sk, timeout);
34156 +
34157 +- lock_sock(sk);
34158 ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
34159 + sk->sk_shutdown = SHUTDOWN_MASK;
34160 + sk->sk_state = SCTP_SS_CLOSING;
34161 +
34162 +@@ -1563,7 +1566,7 @@ static void sctp_close(struct sock *sk, long timeout)
34163 + * held and that should be grabbed before socket lock.
34164 + */
34165 + spin_lock_bh(&net->sctp.addr_wq_lock);
34166 +- bh_lock_sock(sk);
34167 ++ bh_lock_sock_nested(sk);
34168 +
34169 + /* Hold the sock, since sk_common_release() will put sock_put()
34170 + * and we have just a little more cleanup.
34171 +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
34172 +index d81186d34558..9103dd15511c 100644
34173 +--- a/net/sunrpc/rpc_pipe.c
34174 ++++ b/net/sunrpc/rpc_pipe.c
34175 +@@ -1375,6 +1375,7 @@ rpc_gssd_dummy_depopulate(struct dentry *pipe_dentry)
34176 + struct dentry *clnt_dir = pipe_dentry->d_parent;
34177 + struct dentry *gssd_dir = clnt_dir->d_parent;
34178 +
34179 ++ dget(pipe_dentry);
34180 + __rpc_rmpipe(d_inode(clnt_dir), pipe_dentry);
34181 + __rpc_depopulate(clnt_dir, gssd_dummy_info_file, 0, 1);
34182 + __rpc_depopulate(gssd_dir, gssd_dummy_clnt_dir, 0, 1);
34183 +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
34184 +index 14972988d29d..3721a6422610 100644
34185 +--- a/net/sunrpc/xprtsock.c
34186 ++++ b/net/sunrpc/xprtsock.c
34187 +@@ -2192,7 +2192,12 @@ static void xs_tcp_setup_socket(struct work_struct *work)
34188 + case -EHOSTUNREACH:
34189 + case -EADDRINUSE:
34190 + case -ENOBUFS:
34191 +- /* retry with existing socket, after a delay */
34192 ++ /*
34193 ++ * xs_tcp_force_close() wakes tasks with -EIO.
34194 ++ * We need to wake them first to ensure the
34195 ++ * correct error code.
34196 ++ */
34197 ++ xprt_wake_pending_tasks(xprt, status);
34198 + xs_tcp_force_close(xprt);
34199 + goto out;
34200 + }
34201 +diff --git a/net/tipc/net.c b/net/tipc/net.c
34202 +index a54f3cbe2246..64ead4f47b70 100644
34203 +--- a/net/tipc/net.c
34204 ++++ b/net/tipc/net.c
34205 +@@ -43,7 +43,8 @@
34206 +
34207 + static const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
34208 + [TIPC_NLA_NET_UNSPEC] = { .type = NLA_UNSPEC },
34209 +- [TIPC_NLA_NET_ID] = { .type = NLA_U32 }
34210 ++ [TIPC_NLA_NET_ID] = { .type = NLA_U32 },
34211 ++ [TIPC_NLA_NET_ADDR] = { .type = NLA_U32 },
34212 + };
34213 +
34214 + /*
34215 +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
34216 +index c3ab230e4493..a9072fb5c767 100644
34217 +--- a/net/x25/af_x25.c
34218 ++++ b/net/x25/af_x25.c
34219 +@@ -1794,32 +1794,40 @@ void x25_kill_by_neigh(struct x25_neigh *nb)
34220 +
34221 + static int __init x25_init(void)
34222 + {
34223 +- int rc = proto_register(&x25_proto, 0);
34224 ++ int rc;
34225 +
34226 +- if (rc != 0)
34227 ++ rc = proto_register(&x25_proto, 0);
34228 ++ if (rc)
34229 + goto out;
34230 +
34231 + rc = sock_register(&x25_family_ops);
34232 +- if (rc != 0)
34233 ++ if (rc)
34234 + goto out_proto;
34235 +
34236 + dev_add_pack(&x25_packet_type);
34237 +
34238 + rc = register_netdevice_notifier(&x25_dev_notifier);
34239 +- if (rc != 0)
34240 ++ if (rc)
34241 + goto out_sock;
34242 +
34243 +- pr_info("Linux Version 0.2\n");
34244 ++ rc = x25_register_sysctl();
34245 ++ if (rc)
34246 ++ goto out_dev;
34247 +
34248 +- x25_register_sysctl();
34249 + rc = x25_proc_init();
34250 +- if (rc != 0)
34251 +- goto out_dev;
34252 ++ if (rc)
34253 ++ goto out_sysctl;
34254 ++
34255 ++ pr_info("Linux Version 0.2\n");
34256 ++
34257 + out:
34258 + return rc;
34259 ++out_sysctl:
34260 ++ x25_unregister_sysctl();
34261 + out_dev:
34262 + unregister_netdevice_notifier(&x25_dev_notifier);
34263 + out_sock:
34264 ++ dev_remove_pack(&x25_packet_type);
34265 + sock_unregister(AF_X25);
34266 + out_proto:
34267 + proto_unregister(&x25_proto);
34268 +diff --git a/net/x25/sysctl_net_x25.c b/net/x25/sysctl_net_x25.c
34269 +index 43239527a205..703d46aae7a2 100644
34270 +--- a/net/x25/sysctl_net_x25.c
34271 ++++ b/net/x25/sysctl_net_x25.c
34272 +@@ -73,9 +73,12 @@ static struct ctl_table x25_table[] = {
34273 + { 0, },
34274 + };
34275 +
34276 +-void __init x25_register_sysctl(void)
34277 ++int __init x25_register_sysctl(void)
34278 + {
34279 + x25_table_header = register_net_sysctl(&init_net, "net/x25", x25_table);
34280 ++ if (!x25_table_header)
34281 ++ return -ENOMEM;
34282 ++ return 0;
34283 + }
34284 +
34285 + void x25_unregister_sysctl(void)
34286 +diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
34287 +index ccfdc7115a83..a00ec715aa46 100644
34288 +--- a/net/xfrm/xfrm_ipcomp.c
34289 ++++ b/net/xfrm/xfrm_ipcomp.c
34290 +@@ -283,7 +283,7 @@ static struct crypto_comp * __percpu *ipcomp_alloc_tfms(const char *alg_name)
34291 + struct crypto_comp *tfm;
34292 +
34293 + /* This can be any valid CPU ID so we don't need locking. */
34294 +- tfm = __this_cpu_read(*pos->tfms);
34295 ++ tfm = this_cpu_read(*pos->tfms);
34296 +
34297 + if (!strcmp(crypto_comp_name(tfm), alg_name)) {
34298 + pos->users++;
34299 +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
34300 +index 7306683a7207..94b522fc231e 100644
34301 +--- a/net/xfrm/xfrm_policy.c
34302 ++++ b/net/xfrm/xfrm_policy.c
34303 +@@ -1299,7 +1299,7 @@ EXPORT_SYMBOL(xfrm_policy_delete);
34304 +
34305 + int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
34306 + {
34307 +- struct net *net = xp_net(pol);
34308 ++ struct net *net = sock_net(sk);
34309 + struct xfrm_policy *old_pol;
34310 +
34311 + #ifdef CONFIG_XFRM_SUB_POLICY
34312 +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
34313 +index 96688cd0f6f1..733e8028f54f 100644
34314 +--- a/net/xfrm/xfrm_state.c
34315 ++++ b/net/xfrm/xfrm_state.c
34316 +@@ -1208,6 +1208,8 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig)
34317 + x->curlft.add_time = orig->curlft.add_time;
34318 + x->km.state = orig->km.state;
34319 + x->km.seq = orig->km.seq;
34320 ++ x->replay = orig->replay;
34321 ++ x->preplay = orig->preplay;
34322 +
34323 + return x;
34324 +
34325 +@@ -1845,6 +1847,18 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
34326 + struct xfrm_mgr *km;
34327 + struct xfrm_policy *pol = NULL;
34328 +
34329 ++#ifdef CONFIG_COMPAT
34330 ++ if (is_compat_task())
34331 ++ return -EOPNOTSUPP;
34332 ++#endif
34333 ++
34334 ++ if (!optval && !optlen) {
34335 ++ xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL);
34336 ++ xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL);
34337 ++ __sk_dst_reset(sk);
34338 ++ return 0;
34339 ++ }
34340 ++
34341 + if (optlen <= 0 || optlen > PAGE_SIZE)
34342 + return -EMSGSIZE;
34343 +
34344 +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
34345 +index 84541b35629a..0f6285f9674e 100644
34346 +--- a/net/xfrm/xfrm_user.c
34347 ++++ b/net/xfrm/xfrm_user.c
34348 +@@ -120,22 +120,17 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
34349 + struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
34350 + struct xfrm_replay_state_esn *rs;
34351 +
34352 +- if (p->flags & XFRM_STATE_ESN) {
34353 +- if (!rt)
34354 +- return -EINVAL;
34355 ++ if (!rt)
34356 ++ return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
34357 +
34358 +- rs = nla_data(rt);
34359 ++ rs = nla_data(rt);
34360 +
34361 +- if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
34362 +- return -EINVAL;
34363 +-
34364 +- if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
34365 +- nla_len(rt) != sizeof(*rs))
34366 +- return -EINVAL;
34367 +- }
34368 ++ if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
34369 ++ return -EINVAL;
34370 +
34371 +- if (!rt)
34372 +- return 0;
34373 ++ if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
34374 ++ nla_len(rt) != sizeof(*rs))
34375 ++ return -EINVAL;
34376 +
34377 + /* As only ESP and AH support ESN feature. */
34378 + if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
34379 +@@ -2460,7 +2455,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
34380 +
34381 + #ifdef CONFIG_COMPAT
34382 + if (is_compat_task())
34383 +- return -ENOTSUPP;
34384 ++ return -EOPNOTSUPP;
34385 + #endif
34386 +
34387 + type = nlh->nlmsg_type;
34388 +diff --git a/scripts/tags.sh b/scripts/tags.sh
34389 +index cdb491d84503..7056322b53f0 100755
34390 +--- a/scripts/tags.sh
34391 ++++ b/scripts/tags.sh
34392 +@@ -106,6 +106,7 @@ all_compiled_sources()
34393 + case "$i" in
34394 + *.[cS])
34395 + j=${i/\.[cS]/\.o}
34396 ++ j="${j#$tree}"
34397 + if [ -e $j ]; then
34398 + echo $i
34399 + fi
34400 +diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
34401 +index e5f1561439db..b7e269317e0c 100644
34402 +--- a/security/apparmor/lsm.c
34403 ++++ b/security/apparmor/lsm.c
34404 +@@ -735,7 +735,7 @@ module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
34405 +
34406 + /* Maximum pathname length before accesses will start getting rejected */
34407 + unsigned int aa_g_path_max = 2 * PATH_MAX;
34408 +-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
34409 ++module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
34410 +
34411 + /* Determines how paranoid loading of policy is and how much verification
34412 + * on the loaded policy is done.
34413 +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
34414 +index 9ee9139b0b07..7f8c0322548c 100644
34415 +--- a/security/integrity/ima/ima_appraise.c
34416 ++++ b/security/integrity/ima/ima_appraise.c
34417 +@@ -206,7 +206,8 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
34418 + if (opened & FILE_CREATED)
34419 + iint->flags |= IMA_NEW_FILE;
34420 + if ((iint->flags & IMA_NEW_FILE) &&
34421 +- !(iint->flags & IMA_DIGSIG_REQUIRED))
34422 ++ (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
34423 ++ (inode->i_size == 0)))
34424 + status = INTEGRITY_PASS;
34425 + goto out;
34426 + }
34427 +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
34428 +index 0034eb420b0e..de1e43f6adf1 100644
34429 +--- a/security/selinux/hooks.c
34430 ++++ b/security/selinux/hooks.c
34431 +@@ -321,18 +321,6 @@ static void superblock_free_security(struct super_block *sb)
34432 + kfree(sbsec);
34433 + }
34434 +
34435 +-/* The file system's label must be initialized prior to use. */
34436 +-
34437 +-static const char *labeling_behaviors[7] = {
34438 +- "uses xattr",
34439 +- "uses transition SIDs",
34440 +- "uses task SIDs",
34441 +- "uses genfs_contexts",
34442 +- "not configured for labeling",
34443 +- "uses mountpoint labeling",
34444 +- "uses native labeling",
34445 +-};
34446 +-
34447 + static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
34448 +
34449 + static inline int inode_doinit(struct inode *inode)
34450 +@@ -444,10 +432,6 @@ static int sb_finish_set_opts(struct super_block *sb)
34451 + }
34452 + }
34453 +
34454 +- if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
34455 +- printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
34456 +- sb->s_id, sb->s_type->name);
34457 +-
34458 + sbsec->flags |= SE_SBINITIALIZED;
34459 + if (selinux_is_sblabel_mnt(sb))
34460 + sbsec->flags |= SBLABEL_MNT;
34461 +@@ -4106,10 +4090,18 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
34462 + u32 sid, node_perm;
34463 +
34464 + if (family == PF_INET) {
34465 ++ if (addrlen < sizeof(struct sockaddr_in)) {
34466 ++ err = -EINVAL;
34467 ++ goto out;
34468 ++ }
34469 + addr4 = (struct sockaddr_in *)address;
34470 + snum = ntohs(addr4->sin_port);
34471 + addrp = (char *)&addr4->sin_addr.s_addr;
34472 + } else {
34473 ++ if (addrlen < SIN6_LEN_RFC2133) {
34474 ++ err = -EINVAL;
34475 ++ goto out;
34476 ++ }
34477 + addr6 = (struct sockaddr_in6 *)address;
34478 + snum = ntohs(addr6->sin6_port);
34479 + addrp = (char *)&addr6->sin6_addr.s6_addr;
34480 +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
34481 +index 31d1d2ebd6f2..f20b2b0a2a54 100644
34482 +--- a/security/selinux/ss/services.c
34483 ++++ b/security/selinux/ss/services.c
34484 +@@ -154,7 +154,7 @@ static int selinux_set_mapping(struct policydb *pol,
34485 + }
34486 +
34487 + k = 0;
34488 +- while (p_in->perms && p_in->perms[k]) {
34489 ++ while (p_in->perms[k]) {
34490 + /* An empty permission string skips ahead */
34491 + if (!*p_in->perms[k]) {
34492 + k++;
34493 +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
34494 +index 494b7b533366..7b2719acbeba 100644
34495 +--- a/sound/core/oss/pcm_oss.c
34496 ++++ b/sound/core/oss/pcm_oss.c
34497 +@@ -833,8 +833,25 @@ static int choose_rate(struct snd_pcm_substream *substream,
34498 + return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL);
34499 + }
34500 +
34501 +-static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
34502 +- bool trylock)
34503 ++/* parameter locking: returns immediately if tried during streaming */
34504 ++static int lock_params(struct snd_pcm_runtime *runtime)
34505 ++{
34506 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock))
34507 ++ return -ERESTARTSYS;
34508 ++ if (atomic_read(&runtime->oss.rw_ref)) {
34509 ++ mutex_unlock(&runtime->oss.params_lock);
34510 ++ return -EBUSY;
34511 ++ }
34512 ++ return 0;
34513 ++}
34514 ++
34515 ++static void unlock_params(struct snd_pcm_runtime *runtime)
34516 ++{
34517 ++ mutex_unlock(&runtime->oss.params_lock);
34518 ++}
34519 ++
34520 ++/* call with params_lock held */
34521 ++static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
34522 + {
34523 + struct snd_pcm_runtime *runtime = substream->runtime;
34524 + struct snd_pcm_hw_params *params, *sparams;
34525 +@@ -848,12 +865,9 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
34526 + struct snd_mask sformat_mask;
34527 + struct snd_mask mask;
34528 +
34529 +- if (trylock) {
34530 +- if (!(mutex_trylock(&runtime->oss.params_lock)))
34531 +- return -EAGAIN;
34532 +- } else if (mutex_lock_interruptible(&runtime->oss.params_lock))
34533 +- return -EINTR;
34534 +- sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL);
34535 ++ if (!runtime->oss.params)
34536 ++ return 0;
34537 ++ sw_params = kzalloc(sizeof(*sw_params), GFP_KERNEL);
34538 + params = kmalloc(sizeof(*params), GFP_KERNEL);
34539 + sparams = kmalloc(sizeof(*sparams), GFP_KERNEL);
34540 + if (!sw_params || !params || !sparams) {
34541 +@@ -991,7 +1005,6 @@ static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
34542 + goto failure;
34543 + }
34544 +
34545 +- memset(sw_params, 0, sizeof(*sw_params));
34546 + if (runtime->oss.trigger) {
34547 + sw_params->start_threshold = 1;
34548 + } else {
34549 +@@ -1079,6 +1092,23 @@ failure:
34550 + kfree(sw_params);
34551 + kfree(params);
34552 + kfree(sparams);
34553 ++ return err;
34554 ++}
34555 ++
34556 ++/* this one takes the lock by itself */
34557 ++static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream,
34558 ++ bool trylock)
34559 ++{
34560 ++ struct snd_pcm_runtime *runtime = substream->runtime;
34561 ++ int err;
34562 ++
34563 ++ if (trylock) {
34564 ++ if (!(mutex_trylock(&runtime->oss.params_lock)))
34565 ++ return -EAGAIN;
34566 ++ } else if (mutex_lock_interruptible(&runtime->oss.params_lock))
34567 ++ return -ERESTARTSYS;
34568 ++
34569 ++ err = snd_pcm_oss_change_params_locked(substream);
34570 + mutex_unlock(&runtime->oss.params_lock);
34571 + return err;
34572 + }
34573 +@@ -1107,6 +1137,10 @@ static int snd_pcm_oss_get_active_substream(struct snd_pcm_oss_file *pcm_oss_fil
34574 + return 0;
34575 + }
34576 +
34577 ++/* call with params_lock held */
34578 ++/* NOTE: this always call PREPARE unconditionally no matter whether
34579 ++ * runtime->oss.prepare is set or not
34580 ++ */
34581 + static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream)
34582 + {
34583 + int err;
34584 +@@ -1131,14 +1165,35 @@ static int snd_pcm_oss_make_ready(struct snd_pcm_substream *substream)
34585 + struct snd_pcm_runtime *runtime;
34586 + int err;
34587 +
34588 +- if (substream == NULL)
34589 +- return 0;
34590 + runtime = substream->runtime;
34591 + if (runtime->oss.params) {
34592 + err = snd_pcm_oss_change_params(substream, false);
34593 + if (err < 0)
34594 + return err;
34595 + }
34596 ++ if (runtime->oss.prepare) {
34597 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock))
34598 ++ return -ERESTARTSYS;
34599 ++ err = snd_pcm_oss_prepare(substream);
34600 ++ mutex_unlock(&runtime->oss.params_lock);
34601 ++ if (err < 0)
34602 ++ return err;
34603 ++ }
34604 ++ return 0;
34605 ++}
34606 ++
34607 ++/* call with params_lock held */
34608 ++static int snd_pcm_oss_make_ready_locked(struct snd_pcm_substream *substream)
34609 ++{
34610 ++ struct snd_pcm_runtime *runtime;
34611 ++ int err;
34612 ++
34613 ++ runtime = substream->runtime;
34614 ++ if (runtime->oss.params) {
34615 ++ err = snd_pcm_oss_change_params_locked(substream);
34616 ++ if (err < 0)
34617 ++ return err;
34618 ++ }
34619 + if (runtime->oss.prepare) {
34620 + err = snd_pcm_oss_prepare(substream);
34621 + if (err < 0)
34622 +@@ -1367,13 +1422,15 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
34623 + if (atomic_read(&substream->mmap_count))
34624 + return -ENXIO;
34625 +
34626 +- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
34627 +- return tmp;
34628 ++ atomic_inc(&runtime->oss.rw_ref);
34629 + while (bytes > 0) {
34630 + if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
34631 + tmp = -ERESTARTSYS;
34632 + break;
34633 + }
34634 ++ tmp = snd_pcm_oss_make_ready_locked(substream);
34635 ++ if (tmp < 0)
34636 ++ goto err;
34637 + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
34638 + tmp = bytes;
34639 + if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes)
34640 +@@ -1429,6 +1486,7 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
34641 + }
34642 + tmp = 0;
34643 + }
34644 ++ atomic_dec(&runtime->oss.rw_ref);
34645 + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
34646 + }
34647 +
34648 +@@ -1474,13 +1532,15 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
34649 + if (atomic_read(&substream->mmap_count))
34650 + return -ENXIO;
34651 +
34652 +- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
34653 +- return tmp;
34654 ++ atomic_inc(&runtime->oss.rw_ref);
34655 + while (bytes > 0) {
34656 + if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
34657 + tmp = -ERESTARTSYS;
34658 + break;
34659 + }
34660 ++ tmp = snd_pcm_oss_make_ready_locked(substream);
34661 ++ if (tmp < 0)
34662 ++ goto err;
34663 + if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
34664 + if (runtime->oss.buffer_used == 0) {
34665 + tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1);
34666 +@@ -1521,6 +1581,7 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
34667 + }
34668 + tmp = 0;
34669 + }
34670 ++ atomic_dec(&runtime->oss.rw_ref);
34671 + return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
34672 + }
34673 +
34674 +@@ -1536,10 +1597,12 @@ static int snd_pcm_oss_reset(struct snd_pcm_oss_file *pcm_oss_file)
34675 + continue;
34676 + runtime = substream->runtime;
34677 + snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
34678 ++ mutex_lock(&runtime->oss.params_lock);
34679 + runtime->oss.prepare = 1;
34680 + runtime->oss.buffer_used = 0;
34681 + runtime->oss.prev_hw_ptr_period = 0;
34682 + runtime->oss.period_ptr = 0;
34683 ++ mutex_unlock(&runtime->oss.params_lock);
34684 + }
34685 + return 0;
34686 + }
34687 +@@ -1625,9 +1688,13 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
34688 + goto __direct;
34689 + if ((err = snd_pcm_oss_make_ready(substream)) < 0)
34690 + return err;
34691 ++ atomic_inc(&runtime->oss.rw_ref);
34692 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
34693 ++ atomic_dec(&runtime->oss.rw_ref);
34694 ++ return -ERESTARTSYS;
34695 ++ }
34696 + format = snd_pcm_oss_format_from(runtime->oss.format);
34697 + width = snd_pcm_format_physical_width(format);
34698 +- mutex_lock(&runtime->oss.params_lock);
34699 + if (runtime->oss.buffer_used > 0) {
34700 + #ifdef OSS_DEBUG
34701 + pcm_dbg(substream->pcm, "sync: buffer_used\n");
34702 +@@ -1637,10 +1704,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
34703 + runtime->oss.buffer + runtime->oss.buffer_used,
34704 + size);
34705 + err = snd_pcm_oss_sync1(substream, runtime->oss.period_bytes);
34706 +- if (err < 0) {
34707 +- mutex_unlock(&runtime->oss.params_lock);
34708 +- return err;
34709 +- }
34710 ++ if (err < 0)
34711 ++ goto unlock;
34712 + } else if (runtime->oss.period_ptr > 0) {
34713 + #ifdef OSS_DEBUG
34714 + pcm_dbg(substream->pcm, "sync: period_ptr\n");
34715 +@@ -1650,10 +1715,8 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
34716 + runtime->oss.buffer,
34717 + size * 8 / width);
34718 + err = snd_pcm_oss_sync1(substream, size);
34719 +- if (err < 0) {
34720 +- mutex_unlock(&runtime->oss.params_lock);
34721 +- return err;
34722 +- }
34723 ++ if (err < 0)
34724 ++ goto unlock;
34725 + }
34726 + /*
34727 + * The ALSA's period might be a bit large than OSS one.
34728 +@@ -1684,7 +1747,11 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
34729 + snd_pcm_lib_writev(substream, buffers, size);
34730 + }
34731 + }
34732 ++unlock:
34733 + mutex_unlock(&runtime->oss.params_lock);
34734 ++ atomic_dec(&runtime->oss.rw_ref);
34735 ++ if (err < 0)
34736 ++ return err;
34737 + /*
34738 + * finish sync: drain the buffer
34739 + */
34740 +@@ -1695,7 +1762,9 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
34741 + substream->f_flags = saved_f_flags;
34742 + if (err < 0)
34743 + return err;
34744 ++ mutex_lock(&runtime->oss.params_lock);
34745 + runtime->oss.prepare = 1;
34746 ++ mutex_unlock(&runtime->oss.params_lock);
34747 + }
34748 +
34749 + substream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE];
34750 +@@ -1706,8 +1775,10 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file)
34751 + err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
34752 + if (err < 0)
34753 + return err;
34754 ++ mutex_lock(&runtime->oss.params_lock);
34755 + runtime->oss.buffer_used = 0;
34756 + runtime->oss.prepare = 1;
34757 ++ mutex_unlock(&runtime->oss.params_lock);
34758 + }
34759 + return 0;
34760 + }
34761 +@@ -1719,6 +1790,8 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate)
34762 + for (idx = 1; idx >= 0; --idx) {
34763 + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
34764 + struct snd_pcm_runtime *runtime;
34765 ++ int err;
34766 ++
34767 + if (substream == NULL)
34768 + continue;
34769 + runtime = substream->runtime;
34770 +@@ -1726,10 +1799,14 @@ static int snd_pcm_oss_set_rate(struct snd_pcm_oss_file *pcm_oss_file, int rate)
34771 + rate = 1000;
34772 + else if (rate > 192000)
34773 + rate = 192000;
34774 ++ err = lock_params(runtime);
34775 ++ if (err < 0)
34776 ++ return err;
34777 + if (runtime->oss.rate != rate) {
34778 + runtime->oss.params = 1;
34779 + runtime->oss.rate = rate;
34780 + }
34781 ++ unlock_params(runtime);
34782 + }
34783 + return snd_pcm_oss_get_rate(pcm_oss_file);
34784 + }
34785 +@@ -1754,13 +1831,19 @@ static int snd_pcm_oss_set_channels(struct snd_pcm_oss_file *pcm_oss_file, unsig
34786 + for (idx = 1; idx >= 0; --idx) {
34787 + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
34788 + struct snd_pcm_runtime *runtime;
34789 ++ int err;
34790 ++
34791 + if (substream == NULL)
34792 + continue;
34793 + runtime = substream->runtime;
34794 ++ err = lock_params(runtime);
34795 ++ if (err < 0)
34796 ++ return err;
34797 + if (runtime->oss.channels != channels) {
34798 + runtime->oss.params = 1;
34799 + runtime->oss.channels = channels;
34800 + }
34801 ++ unlock_params(runtime);
34802 + }
34803 + return snd_pcm_oss_get_channels(pcm_oss_file);
34804 + }
34805 +@@ -1814,10 +1897,9 @@ static int snd_pcm_oss_get_formats(struct snd_pcm_oss_file *pcm_oss_file)
34806 + return -ENOMEM;
34807 + _snd_pcm_hw_params_any(params);
34808 + err = snd_pcm_hw_refine(substream, params);
34809 +- format_mask = *hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
34810 +- kfree(params);
34811 + if (err < 0)
34812 +- return err;
34813 ++ goto error;
34814 ++ format_mask = *hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
34815 + for (fmt = 0; fmt < 32; ++fmt) {
34816 + if (snd_mask_test(&format_mask, fmt)) {
34817 + int f = snd_pcm_oss_format_to(fmt);
34818 +@@ -1825,12 +1907,16 @@ static int snd_pcm_oss_get_formats(struct snd_pcm_oss_file *pcm_oss_file)
34819 + formats |= f;
34820 + }
34821 + }
34822 +- return formats;
34823 ++
34824 ++ error:
34825 ++ kfree(params);
34826 ++ return err < 0 ? err : formats;
34827 + }
34828 +
34829 + static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int format)
34830 + {
34831 + int formats, idx;
34832 ++ int err;
34833 +
34834 + if (format != AFMT_QUERY) {
34835 + formats = snd_pcm_oss_get_formats(pcm_oss_file);
34836 +@@ -1844,10 +1930,14 @@ static int snd_pcm_oss_set_format(struct snd_pcm_oss_file *pcm_oss_file, int for
34837 + if (substream == NULL)
34838 + continue;
34839 + runtime = substream->runtime;
34840 ++ err = lock_params(runtime);
34841 ++ if (err < 0)
34842 ++ return err;
34843 + if (runtime->oss.format != format) {
34844 + runtime->oss.params = 1;
34845 + runtime->oss.format = format;
34846 + }
34847 ++ unlock_params(runtime);
34848 + }
34849 + }
34850 + return snd_pcm_oss_get_format(pcm_oss_file);
34851 +@@ -1867,8 +1957,6 @@ static int snd_pcm_oss_set_subdivide1(struct snd_pcm_substream *substream, int s
34852 + {
34853 + struct snd_pcm_runtime *runtime;
34854 +
34855 +- if (substream == NULL)
34856 +- return 0;
34857 + runtime = substream->runtime;
34858 + if (subdivide == 0) {
34859 + subdivide = runtime->oss.subdivision;
34860 +@@ -1892,9 +1980,17 @@ static int snd_pcm_oss_set_subdivide(struct snd_pcm_oss_file *pcm_oss_file, int
34861 +
34862 + for (idx = 1; idx >= 0; --idx) {
34863 + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
34864 ++ struct snd_pcm_runtime *runtime;
34865 ++
34866 + if (substream == NULL)
34867 + continue;
34868 +- if ((err = snd_pcm_oss_set_subdivide1(substream, subdivide)) < 0)
34869 ++ runtime = substream->runtime;
34870 ++ err = lock_params(runtime);
34871 ++ if (err < 0)
34872 ++ return err;
34873 ++ err = snd_pcm_oss_set_subdivide1(substream, subdivide);
34874 ++ unlock_params(runtime);
34875 ++ if (err < 0)
34876 + return err;
34877 + }
34878 + return err;
34879 +@@ -1904,8 +2000,6 @@ static int snd_pcm_oss_set_fragment1(struct snd_pcm_substream *substream, unsign
34880 + {
34881 + struct snd_pcm_runtime *runtime;
34882 +
34883 +- if (substream == NULL)
34884 +- return 0;
34885 + runtime = substream->runtime;
34886 + if (runtime->oss.subdivision || runtime->oss.fragshift)
34887 + return -EINVAL;
34888 +@@ -1925,9 +2019,17 @@ static int snd_pcm_oss_set_fragment(struct snd_pcm_oss_file *pcm_oss_file, unsig
34889 +
34890 + for (idx = 1; idx >= 0; --idx) {
34891 + struct snd_pcm_substream *substream = pcm_oss_file->streams[idx];
34892 ++ struct snd_pcm_runtime *runtime;
34893 ++
34894 + if (substream == NULL)
34895 + continue;
34896 +- if ((err = snd_pcm_oss_set_fragment1(substream, val)) < 0)
34897 ++ runtime = substream->runtime;
34898 ++ err = lock_params(runtime);
34899 ++ if (err < 0)
34900 ++ return err;
34901 ++ err = snd_pcm_oss_set_fragment1(substream, val);
34902 ++ unlock_params(runtime);
34903 ++ if (err < 0)
34904 + return err;
34905 + }
34906 + return err;
34907 +@@ -2011,6 +2113,9 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
34908 + }
34909 + if (psubstream) {
34910 + runtime = psubstream->runtime;
34911 ++ cmd = 0;
34912 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock))
34913 ++ return -ERESTARTSYS;
34914 + if (trigger & PCM_ENABLE_OUTPUT) {
34915 + if (runtime->oss.trigger)
34916 + goto _skip1;
34917 +@@ -2028,13 +2133,19 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
34918 + cmd = SNDRV_PCM_IOCTL_DROP;
34919 + runtime->oss.prepare = 1;
34920 + }
34921 +- err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL);
34922 +- if (err < 0)
34923 +- return err;
34924 +- }
34925 + _skip1:
34926 ++ mutex_unlock(&runtime->oss.params_lock);
34927 ++ if (cmd) {
34928 ++ err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL);
34929 ++ if (err < 0)
34930 ++ return err;
34931 ++ }
34932 ++ }
34933 + if (csubstream) {
34934 + runtime = csubstream->runtime;
34935 ++ cmd = 0;
34936 ++ if (mutex_lock_interruptible(&runtime->oss.params_lock))
34937 ++ return -ERESTARTSYS;
34938 + if (trigger & PCM_ENABLE_INPUT) {
34939 + if (runtime->oss.trigger)
34940 + goto _skip2;
34941 +@@ -2049,11 +2160,14 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
34942 + cmd = SNDRV_PCM_IOCTL_DROP;
34943 + runtime->oss.prepare = 1;
34944 + }
34945 +- err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL);
34946 +- if (err < 0)
34947 +- return err;
34948 +- }
34949 + _skip2:
34950 ++ mutex_unlock(&runtime->oss.params_lock);
34951 ++ if (cmd) {
34952 ++ err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL);
34953 ++ if (err < 0)
34954 ++ return err;
34955 ++ }
34956 ++ }
34957 + return 0;
34958 + }
34959 +
34960 +@@ -2305,6 +2419,7 @@ static void snd_pcm_oss_init_substream(struct snd_pcm_substream *substream,
34961 + runtime->oss.maxfrags = 0;
34962 + runtime->oss.subdivision = 0;
34963 + substream->pcm_release = snd_pcm_oss_release_substream;
34964 ++ atomic_set(&runtime->oss.rw_ref, 0);
34965 + }
34966 +
34967 + static int snd_pcm_oss_release_file(struct snd_pcm_oss_file *pcm_oss_file)
34968 +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
34969 +index 1f64ab0c2a95..7ae080bae15c 100644
34970 +--- a/sound/core/pcm_compat.c
34971 ++++ b/sound/core/pcm_compat.c
34972 +@@ -426,6 +426,8 @@ static int snd_pcm_ioctl_xfern_compat(struct snd_pcm_substream *substream,
34973 + return -ENOTTY;
34974 + if (substream->stream != dir)
34975 + return -EINVAL;
34976 ++ if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN)
34977 ++ return -EBADFD;
34978 +
34979 + if ((ch = substream->runtime->channels) > 128)
34980 + return -EINVAL;
34981 +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
34982 +index aa999e747c94..889087808ebe 100644
34983 +--- a/sound/core/pcm_native.c
34984 ++++ b/sound/core/pcm_native.c
34985 +@@ -2729,6 +2729,7 @@ static int snd_pcm_sync_ptr(struct snd_pcm_substream *substream,
34986 + sync_ptr.s.status.hw_ptr = status->hw_ptr;
34987 + sync_ptr.s.status.tstamp = status->tstamp;
34988 + sync_ptr.s.status.suspended_state = status->suspended_state;
34989 ++ sync_ptr.s.status.audio_tstamp = status->audio_tstamp;
34990 + snd_pcm_stream_unlock_irq(substream);
34991 + if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr)))
34992 + return -EFAULT;
34993 +@@ -3410,7 +3411,7 @@ int snd_pcm_lib_default_mmap(struct snd_pcm_substream *substream,
34994 + area,
34995 + substream->runtime->dma_area,
34996 + substream->runtime->dma_addr,
34997 +- area->vm_end - area->vm_start);
34998 ++ substream->runtime->dma_bytes);
34999 + #endif /* CONFIG_X86 */
35000 + /* mmap with fault handler */
35001 + area->vm_ops = &snd_pcm_vm_ops_data_fault;
35002 +diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c
35003 +index 09a89094dcf7..4e304a24924a 100644
35004 +--- a/sound/core/rawmidi_compat.c
35005 ++++ b/sound/core/rawmidi_compat.c
35006 +@@ -36,8 +36,6 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile,
35007 + struct snd_rawmidi_params params;
35008 + unsigned int val;
35009 +
35010 +- if (rfile->output == NULL)
35011 +- return -EINVAL;
35012 + if (get_user(params.stream, &src->stream) ||
35013 + get_user(params.buffer_size, &src->buffer_size) ||
35014 + get_user(params.avail_min, &src->avail_min) ||
35015 +@@ -46,8 +44,12 @@ static int snd_rawmidi_ioctl_params_compat(struct snd_rawmidi_file *rfile,
35016 + params.no_active_sensing = val;
35017 + switch (params.stream) {
35018 + case SNDRV_RAWMIDI_STREAM_OUTPUT:
35019 ++ if (!rfile->output)
35020 ++ return -EINVAL;
35021 + return snd_rawmidi_output_params(rfile->output, &params);
35022 + case SNDRV_RAWMIDI_STREAM_INPUT:
35023 ++ if (!rfile->input)
35024 ++ return -EINVAL;
35025 + return snd_rawmidi_input_params(rfile->input, &params);
35026 + }
35027 + return -EINVAL;
35028 +@@ -67,16 +69,18 @@ static int snd_rawmidi_ioctl_status_compat(struct snd_rawmidi_file *rfile,
35029 + int err;
35030 + struct snd_rawmidi_status status;
35031 +
35032 +- if (rfile->output == NULL)
35033 +- return -EINVAL;
35034 + if (get_user(status.stream, &src->stream))
35035 + return -EFAULT;
35036 +
35037 + switch (status.stream) {
35038 + case SNDRV_RAWMIDI_STREAM_OUTPUT:
35039 ++ if (!rfile->output)
35040 ++ return -EINVAL;
35041 + err = snd_rawmidi_output_status(rfile->output, &status);
35042 + break;
35043 + case SNDRV_RAWMIDI_STREAM_INPUT:
35044 ++ if (!rfile->input)
35045 ++ return -EINVAL;
35046 + err = snd_rawmidi_input_status(rfile->input, &status);
35047 + break;
35048 + default:
35049 +@@ -113,16 +117,18 @@ static int snd_rawmidi_ioctl_status_x32(struct snd_rawmidi_file *rfile,
35050 + int err;
35051 + struct snd_rawmidi_status status;
35052 +
35053 +- if (rfile->output == NULL)
35054 +- return -EINVAL;
35055 + if (get_user(status.stream, &src->stream))
35056 + return -EFAULT;
35057 +
35058 + switch (status.stream) {
35059 + case SNDRV_RAWMIDI_STREAM_OUTPUT:
35060 ++ if (!rfile->output)
35061 ++ return -EINVAL;
35062 + err = snd_rawmidi_output_status(rfile->output, &status);
35063 + break;
35064 + case SNDRV_RAWMIDI_STREAM_INPUT:
35065 ++ if (!rfile->input)
35066 ++ return -EINVAL;
35067 + err = snd_rawmidi_input_status(rfile->input, &status);
35068 + break;
35069 + default:
35070 +diff --git a/sound/core/seq/oss/seq_oss_event.c b/sound/core/seq/oss/seq_oss_event.c
35071 +index c3908862bc8b..86ca584c27b2 100644
35072 +--- a/sound/core/seq/oss/seq_oss_event.c
35073 ++++ b/sound/core/seq/oss/seq_oss_event.c
35074 +@@ -26,6 +26,7 @@
35075 + #include <sound/seq_oss_legacy.h>
35076 + #include "seq_oss_readq.h"
35077 + #include "seq_oss_writeq.h"
35078 ++#include <linux/nospec.h>
35079 +
35080 +
35081 + /*
35082 +@@ -287,10 +288,10 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st
35083 + {
35084 + struct seq_oss_synthinfo *info;
35085 +
35086 +- if (!snd_seq_oss_synth_is_valid(dp, dev))
35087 ++ info = snd_seq_oss_synth_info(dp, dev);
35088 ++ if (!info)
35089 + return -ENXIO;
35090 +
35091 +- info = &dp->synths[dev];
35092 + switch (info->arg.event_passing) {
35093 + case SNDRV_SEQ_OSS_PROCESS_EVENTS:
35094 + if (! info->ch || ch < 0 || ch >= info->nr_voices) {
35095 +@@ -298,6 +299,7 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st
35096 + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev);
35097 + }
35098 +
35099 ++ ch = array_index_nospec(ch, info->nr_voices);
35100 + if (note == 255 && info->ch[ch].note >= 0) {
35101 + /* volume control */
35102 + int type;
35103 +@@ -347,10 +349,10 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
35104 + {
35105 + struct seq_oss_synthinfo *info;
35106 +
35107 +- if (!snd_seq_oss_synth_is_valid(dp, dev))
35108 ++ info = snd_seq_oss_synth_info(dp, dev);
35109 ++ if (!info)
35110 + return -ENXIO;
35111 +
35112 +- info = &dp->synths[dev];
35113 + switch (info->arg.event_passing) {
35114 + case SNDRV_SEQ_OSS_PROCESS_EVENTS:
35115 + if (! info->ch || ch < 0 || ch >= info->nr_voices) {
35116 +@@ -358,6 +360,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
35117 + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev);
35118 + }
35119 +
35120 ++ ch = array_index_nospec(ch, info->nr_voices);
35121 + if (info->ch[ch].note >= 0) {
35122 + note = info->ch[ch].note;
35123 + info->ch[ch].vel = 0;
35124 +@@ -381,7 +384,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
35125 + static int
35126 + set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, int vel, struct snd_seq_event *ev)
35127 + {
35128 +- if (! snd_seq_oss_synth_is_valid(dp, dev))
35129 ++ if (!snd_seq_oss_synth_info(dp, dev))
35130 + return -ENXIO;
35131 +
35132 + ev->type = type;
35133 +@@ -399,7 +402,7 @@ set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note,
35134 + static int
35135 + set_control_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int param, int val, struct snd_seq_event *ev)
35136 + {
35137 +- if (! snd_seq_oss_synth_is_valid(dp, dev))
35138 ++ if (!snd_seq_oss_synth_info(dp, dev))
35139 + return -ENXIO;
35140 +
35141 + ev->type = type;
35142 +diff --git a/sound/core/seq/oss/seq_oss_midi.c b/sound/core/seq/oss/seq_oss_midi.c
35143 +index 74c68a0f8abe..28c8e6720a08 100644
35144 +--- a/sound/core/seq/oss/seq_oss_midi.c
35145 ++++ b/sound/core/seq/oss/seq_oss_midi.c
35146 +@@ -29,6 +29,7 @@
35147 + #include "../seq_lock.h"
35148 + #include <linux/init.h>
35149 + #include <linux/slab.h>
35150 ++#include <linux/nospec.h>
35151 +
35152 +
35153 + /*
35154 +@@ -315,6 +316,7 @@ get_mididev(struct seq_oss_devinfo *dp, int dev)
35155 + {
35156 + if (dev < 0 || dev >= dp->max_mididev)
35157 + return NULL;
35158 ++ dev = array_index_nospec(dev, dp->max_mididev);
35159 + return get_mdev(dev);
35160 + }
35161 +
35162 +diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
35163 +index f38cf91b4faf..ff3fe10555eb 100644
35164 +--- a/sound/core/seq/oss/seq_oss_synth.c
35165 ++++ b/sound/core/seq/oss/seq_oss_synth.c
35166 +@@ -26,6 +26,7 @@
35167 + #include <linux/init.h>
35168 + #include <linux/module.h>
35169 + #include <linux/slab.h>
35170 ++#include <linux/nospec.h>
35171 +
35172 + /*
35173 + * constants
35174 +@@ -339,17 +340,13 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp)
35175 + dp->max_synthdev = 0;
35176 + }
35177 +
35178 +-/*
35179 +- * check if the specified device is MIDI mapped device
35180 +- */
35181 +-static int
35182 +-is_midi_dev(struct seq_oss_devinfo *dp, int dev)
35183 ++static struct seq_oss_synthinfo *
35184 ++get_synthinfo_nospec(struct seq_oss_devinfo *dp, int dev)
35185 + {
35186 + if (dev < 0 || dev >= dp->max_synthdev)
35187 +- return 0;
35188 +- if (dp->synths[dev].is_midi)
35189 +- return 1;
35190 +- return 0;
35191 ++ return NULL;
35192 ++ dev = array_index_nospec(dev, SNDRV_SEQ_OSS_MAX_SYNTH_DEVS);
35193 ++ return &dp->synths[dev];
35194 + }
35195 +
35196 + /*
35197 +@@ -359,14 +356,20 @@ static struct seq_oss_synth *
35198 + get_synthdev(struct seq_oss_devinfo *dp, int dev)
35199 + {
35200 + struct seq_oss_synth *rec;
35201 +- if (dev < 0 || dev >= dp->max_synthdev)
35202 +- return NULL;
35203 +- if (! dp->synths[dev].opened)
35204 ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
35205 ++
35206 ++ if (!info)
35207 + return NULL;
35208 +- if (dp->synths[dev].is_midi)
35209 +- return &midi_synth_dev;
35210 +- if ((rec = get_sdev(dev)) == NULL)
35211 ++ if (!info->opened)
35212 + return NULL;
35213 ++ if (info->is_midi) {
35214 ++ rec = &midi_synth_dev;
35215 ++ snd_use_lock_use(&rec->use_lock);
35216 ++ } else {
35217 ++ rec = get_sdev(dev);
35218 ++ if (!rec)
35219 ++ return NULL;
35220 ++ }
35221 + if (! rec->opened) {
35222 + snd_use_lock_free(&rec->use_lock);
35223 + return NULL;
35224 +@@ -402,10 +405,8 @@ snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev)
35225 + struct seq_oss_synth *rec;
35226 + struct seq_oss_synthinfo *info;
35227 +
35228 +- if (snd_BUG_ON(dev < 0 || dev >= dp->max_synthdev))
35229 +- return;
35230 +- info = &dp->synths[dev];
35231 +- if (! info->opened)
35232 ++ info = get_synthinfo_nospec(dp, dev);
35233 ++ if (!info || !info->opened)
35234 + return;
35235 + if (info->sysex)
35236 + info->sysex->len = 0; /* reset sysex */
35237 +@@ -454,12 +455,14 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
35238 + const char __user *buf, int p, int c)
35239 + {
35240 + struct seq_oss_synth *rec;
35241 ++ struct seq_oss_synthinfo *info;
35242 + int rc;
35243 +
35244 +- if (dev < 0 || dev >= dp->max_synthdev)
35245 ++ info = get_synthinfo_nospec(dp, dev);
35246 ++ if (!info)
35247 + return -ENXIO;
35248 +
35249 +- if (is_midi_dev(dp, dev))
35250 ++ if (info->is_midi)
35251 + return 0;
35252 + if ((rec = get_synthdev(dp, dev)) == NULL)
35253 + return -ENXIO;
35254 +@@ -467,24 +470,25 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
35255 + if (rec->oper.load_patch == NULL)
35256 + rc = -ENXIO;
35257 + else
35258 +- rc = rec->oper.load_patch(&dp->synths[dev].arg, fmt, buf, p, c);
35259 ++ rc = rec->oper.load_patch(&info->arg, fmt, buf, p, c);
35260 + snd_use_lock_free(&rec->use_lock);
35261 + return rc;
35262 + }
35263 +
35264 + /*
35265 +- * check if the device is valid synth device
35266 ++ * check if the device is valid synth device and return the synth info
35267 + */
35268 +-int
35269 +-snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev)
35270 ++struct seq_oss_synthinfo *
35271 ++snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, int dev)
35272 + {
35273 + struct seq_oss_synth *rec;
35274 ++
35275 + rec = get_synthdev(dp, dev);
35276 + if (rec) {
35277 + snd_use_lock_free(&rec->use_lock);
35278 +- return 1;
35279 ++ return get_synthinfo_nospec(dp, dev);
35280 + }
35281 +- return 0;
35282 ++ return NULL;
35283 + }
35284 +
35285 +
35286 +@@ -499,16 +503,18 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
35287 + int i, send;
35288 + unsigned char *dest;
35289 + struct seq_oss_synth_sysex *sysex;
35290 ++ struct seq_oss_synthinfo *info;
35291 +
35292 +- if (! snd_seq_oss_synth_is_valid(dp, dev))
35293 ++ info = snd_seq_oss_synth_info(dp, dev);
35294 ++ if (!info)
35295 + return -ENXIO;
35296 +
35297 +- sysex = dp->synths[dev].sysex;
35298 ++ sysex = info->sysex;
35299 + if (sysex == NULL) {
35300 + sysex = kzalloc(sizeof(*sysex), GFP_KERNEL);
35301 + if (sysex == NULL)
35302 + return -ENOMEM;
35303 +- dp->synths[dev].sysex = sysex;
35304 ++ info->sysex = sysex;
35305 + }
35306 +
35307 + send = 0;
35308 +@@ -553,10 +559,12 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
35309 + int
35310 + snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev)
35311 + {
35312 +- if (! snd_seq_oss_synth_is_valid(dp, dev))
35313 ++ struct seq_oss_synthinfo *info = snd_seq_oss_synth_info(dp, dev);
35314 ++
35315 ++ if (!info)
35316 + return -EINVAL;
35317 +- snd_seq_oss_fill_addr(dp, ev, dp->synths[dev].arg.addr.client,
35318 +- dp->synths[dev].arg.addr.port);
35319 ++ snd_seq_oss_fill_addr(dp, ev, info->arg.addr.client,
35320 ++ info->arg.addr.port);
35321 + return 0;
35322 + }
35323 +
35324 +@@ -568,16 +576,18 @@ int
35325 + snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, unsigned long addr)
35326 + {
35327 + struct seq_oss_synth *rec;
35328 ++ struct seq_oss_synthinfo *info;
35329 + int rc;
35330 +
35331 +- if (is_midi_dev(dp, dev))
35332 ++ info = get_synthinfo_nospec(dp, dev);
35333 ++ if (!info || info->is_midi)
35334 + return -ENXIO;
35335 + if ((rec = get_synthdev(dp, dev)) == NULL)
35336 + return -ENXIO;
35337 + if (rec->oper.ioctl == NULL)
35338 + rc = -ENXIO;
35339 + else
35340 +- rc = rec->oper.ioctl(&dp->synths[dev].arg, cmd, addr);
35341 ++ rc = rec->oper.ioctl(&info->arg, cmd, addr);
35342 + snd_use_lock_free(&rec->use_lock);
35343 + return rc;
35344 + }
35345 +@@ -589,7 +599,10 @@ snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, u
35346 + int
35347 + snd_seq_oss_synth_raw_event(struct seq_oss_devinfo *dp, int dev, unsigned char *data, struct snd_seq_event *ev)
35348 + {
35349 +- if (! snd_seq_oss_synth_is_valid(dp, dev) || is_midi_dev(dp, dev))
35350 ++ struct seq_oss_synthinfo *info;
35351 ++
35352 ++ info = snd_seq_oss_synth_info(dp, dev);
35353 ++ if (!info || info->is_midi)
35354 + return -ENXIO;
35355 + ev->type = SNDRV_SEQ_EVENT_OSS;
35356 + memcpy(ev->data.raw8.d, data, 8);
35357 +diff --git a/sound/core/seq/oss/seq_oss_synth.h b/sound/core/seq/oss/seq_oss_synth.h
35358 +index 74ac55f166b6..a63f9e22974d 100644
35359 +--- a/sound/core/seq/oss/seq_oss_synth.h
35360 ++++ b/sound/core/seq/oss/seq_oss_synth.h
35361 +@@ -37,7 +37,8 @@ void snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp);
35362 + void snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev);
35363 + int snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
35364 + const char __user *buf, int p, int c);
35365 +-int snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev);
35366 ++struct seq_oss_synthinfo *snd_seq_oss_synth_info(struct seq_oss_devinfo *dp,
35367 ++ int dev);
35368 + int snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
35369 + struct snd_seq_event *ev);
35370 + int snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev);
35371 +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
35372 +index dac0a54e39de..64a1ae720e49 100644
35373 +--- a/sound/core/seq/seq_clientmgr.c
35374 ++++ b/sound/core/seq/seq_clientmgr.c
35375 +@@ -270,12 +270,12 @@ static int seq_free_client1(struct snd_seq_client *client)
35376 +
35377 + if (!client)
35378 + return 0;
35379 +- snd_seq_delete_all_ports(client);
35380 +- snd_seq_queue_client_leave(client->number);
35381 + spin_lock_irqsave(&clients_lock, flags);
35382 + clienttablock[client->number] = 1;
35383 + clienttab[client->number] = NULL;
35384 + spin_unlock_irqrestore(&clients_lock, flags);
35385 ++ snd_seq_delete_all_ports(client);
35386 ++ snd_seq_queue_client_leave(client->number);
35387 + snd_use_lock_sync(&client->use_lock);
35388 + snd_seq_queue_client_termination(client->number);
35389 + if (client->pool)
35390 +diff --git a/sound/core/seq/seq_prioq.c b/sound/core/seq/seq_prioq.c
35391 +index bc1c8488fc2a..2bc6759e4adc 100644
35392 +--- a/sound/core/seq/seq_prioq.c
35393 ++++ b/sound/core/seq/seq_prioq.c
35394 +@@ -87,7 +87,7 @@ void snd_seq_prioq_delete(struct snd_seq_prioq **fifo)
35395 + if (f->cells > 0) {
35396 + /* drain prioQ */
35397 + while (f->cells > 0)
35398 +- snd_seq_cell_free(snd_seq_prioq_cell_out(f));
35399 ++ snd_seq_cell_free(snd_seq_prioq_cell_out(f, NULL));
35400 + }
35401 +
35402 + kfree(f);
35403 +@@ -214,8 +214,18 @@ int snd_seq_prioq_cell_in(struct snd_seq_prioq * f,
35404 + return 0;
35405 + }
35406 +
35407 ++/* return 1 if the current time >= event timestamp */
35408 ++static int event_is_ready(struct snd_seq_event *ev, void *current_time)
35409 ++{
35410 ++ if ((ev->flags & SNDRV_SEQ_TIME_STAMP_MASK) == SNDRV_SEQ_TIME_STAMP_TICK)
35411 ++ return snd_seq_compare_tick_time(current_time, &ev->time.tick);
35412 ++ else
35413 ++ return snd_seq_compare_real_time(current_time, &ev->time.time);
35414 ++}
35415 ++
35416 + /* dequeue cell from prioq */
35417 +-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f)
35418 ++struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f,
35419 ++ void *current_time)
35420 + {
35421 + struct snd_seq_event_cell *cell;
35422 + unsigned long flags;
35423 +@@ -227,6 +237,8 @@ struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f)
35424 + spin_lock_irqsave(&f->lock, flags);
35425 +
35426 + cell = f->head;
35427 ++ if (cell && current_time && !event_is_ready(&cell->event, current_time))
35428 ++ cell = NULL;
35429 + if (cell) {
35430 + f->head = cell->next;
35431 +
35432 +@@ -252,18 +264,6 @@ int snd_seq_prioq_avail(struct snd_seq_prioq * f)
35433 + return f->cells;
35434 + }
35435 +
35436 +-
35437 +-/* peek at cell at the head of the prioq */
35438 +-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq * f)
35439 +-{
35440 +- if (f == NULL) {
35441 +- pr_debug("ALSA: seq: snd_seq_prioq_cell_in() called with NULL prioq\n");
35442 +- return NULL;
35443 +- }
35444 +- return f->head;
35445 +-}
35446 +-
35447 +-
35448 + static inline int prioq_match(struct snd_seq_event_cell *cell,
35449 + int client, int timestamp)
35450 + {
35451 +diff --git a/sound/core/seq/seq_prioq.h b/sound/core/seq/seq_prioq.h
35452 +index d38bb78d9345..2c315ca10fc4 100644
35453 +--- a/sound/core/seq/seq_prioq.h
35454 ++++ b/sound/core/seq/seq_prioq.h
35455 +@@ -44,14 +44,12 @@ void snd_seq_prioq_delete(struct snd_seq_prioq **fifo);
35456 + int snd_seq_prioq_cell_in(struct snd_seq_prioq *f, struct snd_seq_event_cell *cell);
35457 +
35458 + /* dequeue cell from prioq */
35459 +-struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f);
35460 ++struct snd_seq_event_cell *snd_seq_prioq_cell_out(struct snd_seq_prioq *f,
35461 ++ void *current_time);
35462 +
35463 + /* return number of events available in prioq */
35464 + int snd_seq_prioq_avail(struct snd_seq_prioq *f);
35465 +
35466 +-/* peek at cell at the head of the prioq */
35467 +-struct snd_seq_event_cell *snd_seq_prioq_cell_peek(struct snd_seq_prioq *f);
35468 +-
35469 + /* client left queue */
35470 + void snd_seq_prioq_leave(struct snd_seq_prioq *f, int client, int timestamp);
35471 +
35472 +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
35473 +index a7bd074f6c0e..b83fdc72011e 100644
35474 +--- a/sound/core/seq/seq_queue.c
35475 ++++ b/sound/core/seq/seq_queue.c
35476 +@@ -277,30 +277,20 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
35477 +
35478 + __again:
35479 + /* Process tick queue... */
35480 +- while ((cell = snd_seq_prioq_cell_peek(q->tickq)) != NULL) {
35481 +- if (snd_seq_compare_tick_time(&q->timer->tick.cur_tick,
35482 +- &cell->event.time.tick)) {
35483 +- cell = snd_seq_prioq_cell_out(q->tickq);
35484 +- if (cell)
35485 +- snd_seq_dispatch_event(cell, atomic, hop);
35486 +- } else {
35487 +- /* event remains in the queue */
35488 ++ for (;;) {
35489 ++ cell = snd_seq_prioq_cell_out(q->tickq,
35490 ++ &q->timer->tick.cur_tick);
35491 ++ if (!cell)
35492 + break;
35493 +- }
35494 ++ snd_seq_dispatch_event(cell, atomic, hop);
35495 + }
35496 +
35497 +-
35498 + /* Process time queue... */
35499 +- while ((cell = snd_seq_prioq_cell_peek(q->timeq)) != NULL) {
35500 +- if (snd_seq_compare_real_time(&q->timer->cur_time,
35501 +- &cell->event.time.time)) {
35502 +- cell = snd_seq_prioq_cell_out(q->timeq);
35503 +- if (cell)
35504 +- snd_seq_dispatch_event(cell, atomic, hop);
35505 +- } else {
35506 +- /* event remains in the queue */
35507 ++ for (;;) {
35508 ++ cell = snd_seq_prioq_cell_out(q->timeq, &q->timer->cur_time);
35509 ++ if (!cell)
35510 + break;
35511 +- }
35512 ++ snd_seq_dispatch_event(cell, atomic, hop);
35513 + }
35514 +
35515 + /* free lock */
35516 +diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c
35517 +index 3b126af4a026..ef494ffc1369 100644
35518 +--- a/sound/core/seq/seq_virmidi.c
35519 ++++ b/sound/core/seq/seq_virmidi.c
35520 +@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(struct snd_rawmidi_substream *substream,
35521 + }
35522 + return;
35523 + }
35524 ++ spin_lock_irqsave(&substream->runtime->lock, flags);
35525 + if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
35526 + if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
35527 +- return;
35528 ++ goto out;
35529 + vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
35530 + }
35531 +- spin_lock_irqsave(&substream->runtime->lock, flags);
35532 + while (1) {
35533 + count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
35534 + if (count <= 0)
35535 +diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c
35536 +index 83ae083b192f..23df6a501648 100644
35537 +--- a/sound/drivers/aloop.c
35538 ++++ b/sound/drivers/aloop.c
35539 +@@ -192,6 +192,11 @@ static inline void loopback_timer_stop(struct loopback_pcm *dpcm)
35540 + dpcm->timer.expires = 0;
35541 + }
35542 +
35543 ++static inline void loopback_timer_stop_sync(struct loopback_pcm *dpcm)
35544 ++{
35545 ++ del_timer_sync(&dpcm->timer);
35546 ++}
35547 ++
35548 + #define CABLE_VALID_PLAYBACK (1 << SNDRV_PCM_STREAM_PLAYBACK)
35549 + #define CABLE_VALID_CAPTURE (1 << SNDRV_PCM_STREAM_CAPTURE)
35550 + #define CABLE_VALID_BOTH (CABLE_VALID_PLAYBACK|CABLE_VALID_CAPTURE)
35551 +@@ -291,6 +296,8 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd)
35552 + cable->pause |= stream;
35553 + loopback_timer_stop(dpcm);
35554 + spin_unlock(&cable->lock);
35555 ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
35556 ++ loopback_active_notify(dpcm);
35557 + break;
35558 + case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
35559 + case SNDRV_PCM_TRIGGER_RESUME:
35560 +@@ -299,6 +306,8 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd)
35561 + cable->pause &= ~stream;
35562 + loopback_timer_start(dpcm);
35563 + spin_unlock(&cable->lock);
35564 ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
35565 ++ loopback_active_notify(dpcm);
35566 + break;
35567 + default:
35568 + return -EINVAL;
35569 +@@ -326,6 +335,8 @@ static int loopback_prepare(struct snd_pcm_substream *substream)
35570 + struct loopback_cable *cable = dpcm->cable;
35571 + int bps, salign;
35572 +
35573 ++ loopback_timer_stop_sync(dpcm);
35574 ++
35575 + salign = (snd_pcm_format_width(runtime->format) *
35576 + runtime->channels) / 8;
35577 + bps = salign * runtime->rate;
35578 +@@ -659,7 +670,9 @@ static void free_cable(struct snd_pcm_substream *substream)
35579 + return;
35580 + if (cable->streams[!substream->stream]) {
35581 + /* other stream is still alive */
35582 ++ spin_lock_irq(&cable->lock);
35583 + cable->streams[substream->stream] = NULL;
35584 ++ spin_unlock_irq(&cable->lock);
35585 + } else {
35586 + /* free the cable */
35587 + loopback->cables[substream->number][dev] = NULL;
35588 +@@ -699,7 +712,6 @@ static int loopback_open(struct snd_pcm_substream *substream)
35589 + loopback->cables[substream->number][dev] = cable;
35590 + }
35591 + dpcm->cable = cable;
35592 +- cable->streams[substream->stream] = dpcm;
35593 +
35594 + snd_pcm_hw_constraint_integer(runtime, SNDRV_PCM_HW_PARAM_PERIODS);
35595 +
35596 +@@ -731,6 +743,11 @@ static int loopback_open(struct snd_pcm_substream *substream)
35597 + runtime->hw = loopback_pcm_hardware;
35598 + else
35599 + runtime->hw = cable->hw;
35600 ++
35601 ++ spin_lock_irq(&cable->lock);
35602 ++ cable->streams[substream->stream] = dpcm;
35603 ++ spin_unlock_irq(&cable->lock);
35604 ++
35605 + unlock:
35606 + if (err < 0) {
35607 + free_cable(substream);
35608 +@@ -745,7 +762,7 @@ static int loopback_close(struct snd_pcm_substream *substream)
35609 + struct loopback *loopback = substream->private_data;
35610 + struct loopback_pcm *dpcm = substream->runtime->private_data;
35611 +
35612 +- loopback_timer_stop(dpcm);
35613 ++ loopback_timer_stop_sync(dpcm);
35614 + mutex_lock(&loopback->cable_lock);
35615 + free_cable(substream);
35616 + mutex_unlock(&loopback->cable_lock);
35617 +@@ -815,9 +832,11 @@ static int loopback_rate_shift_get(struct snd_kcontrol *kcontrol,
35618 + {
35619 + struct loopback *loopback = snd_kcontrol_chip(kcontrol);
35620 +
35621 ++ mutex_lock(&loopback->cable_lock);
35622 + ucontrol->value.integer.value[0] =
35623 + loopback->setup[kcontrol->id.subdevice]
35624 + [kcontrol->id.device].rate_shift;
35625 ++ mutex_unlock(&loopback->cable_lock);
35626 + return 0;
35627 + }
35628 +
35629 +@@ -849,9 +868,11 @@ static int loopback_notify_get(struct snd_kcontrol *kcontrol,
35630 + {
35631 + struct loopback *loopback = snd_kcontrol_chip(kcontrol);
35632 +
35633 ++ mutex_lock(&loopback->cable_lock);
35634 + ucontrol->value.integer.value[0] =
35635 + loopback->setup[kcontrol->id.subdevice]
35636 + [kcontrol->id.device].notify;
35637 ++ mutex_unlock(&loopback->cable_lock);
35638 + return 0;
35639 + }
35640 +
35641 +@@ -863,12 +884,14 @@ static int loopback_notify_put(struct snd_kcontrol *kcontrol,
35642 + int change = 0;
35643 +
35644 + val = ucontrol->value.integer.value[0] ? 1 : 0;
35645 ++ mutex_lock(&loopback->cable_lock);
35646 + if (val != loopback->setup[kcontrol->id.subdevice]
35647 + [kcontrol->id.device].notify) {
35648 + loopback->setup[kcontrol->id.subdevice]
35649 + [kcontrol->id.device].notify = val;
35650 + change = 1;
35651 + }
35652 ++ mutex_unlock(&loopback->cable_lock);
35653 + return change;
35654 + }
35655 +
35656 +@@ -876,13 +899,18 @@ static int loopback_active_get(struct snd_kcontrol *kcontrol,
35657 + struct snd_ctl_elem_value *ucontrol)
35658 + {
35659 + struct loopback *loopback = snd_kcontrol_chip(kcontrol);
35660 +- struct loopback_cable *cable = loopback->cables
35661 +- [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
35662 ++ struct loopback_cable *cable;
35663 ++
35664 + unsigned int val = 0;
35665 +
35666 +- if (cable != NULL)
35667 +- val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ?
35668 +- 1 : 0;
35669 ++ mutex_lock(&loopback->cable_lock);
35670 ++ cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
35671 ++ if (cable != NULL) {
35672 ++ unsigned int running = cable->running ^ cable->pause;
35673 ++
35674 ++ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
35675 ++ }
35676 ++ mutex_unlock(&loopback->cable_lock);
35677 + ucontrol->value.integer.value[0] = val;
35678 + return 0;
35679 + }
35680 +@@ -925,9 +953,11 @@ static int loopback_rate_get(struct snd_kcontrol *kcontrol,
35681 + {
35682 + struct loopback *loopback = snd_kcontrol_chip(kcontrol);
35683 +
35684 ++ mutex_lock(&loopback->cable_lock);
35685 + ucontrol->value.integer.value[0] =
35686 + loopback->setup[kcontrol->id.subdevice]
35687 + [kcontrol->id.device].rate;
35688 ++ mutex_unlock(&loopback->cable_lock);
35689 + return 0;
35690 + }
35691 +
35692 +@@ -947,9 +977,11 @@ static int loopback_channels_get(struct snd_kcontrol *kcontrol,
35693 + {
35694 + struct loopback *loopback = snd_kcontrol_chip(kcontrol);
35695 +
35696 ++ mutex_lock(&loopback->cable_lock);
35697 + ucontrol->value.integer.value[0] =
35698 + loopback->setup[kcontrol->id.subdevice]
35699 + [kcontrol->id.device].channels;
35700 ++ mutex_unlock(&loopback->cable_lock);
35701 + return 0;
35702 + }
35703 +
35704 +diff --git a/sound/drivers/opl3/opl3_synth.c b/sound/drivers/opl3/opl3_synth.c
35705 +index ddcc1a325a61..42920a243328 100644
35706 +--- a/sound/drivers/opl3/opl3_synth.c
35707 ++++ b/sound/drivers/opl3/opl3_synth.c
35708 +@@ -21,6 +21,7 @@
35709 +
35710 + #include <linux/slab.h>
35711 + #include <linux/export.h>
35712 ++#include <linux/nospec.h>
35713 + #include <sound/opl3.h>
35714 + #include <sound/asound_fm.h>
35715 +
35716 +@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v
35717 + {
35718 + unsigned short reg_side;
35719 + unsigned char op_offset;
35720 +- unsigned char voice_offset;
35721 ++ unsigned char voice_offset, voice_op;
35722 +
35723 + unsigned short opl3_reg;
35724 + unsigned char reg_val;
35725 +@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v
35726 + voice_offset = voice->voice - MAX_OPL2_VOICES;
35727 + }
35728 + /* Get register offset of operator */
35729 +- op_offset = snd_opl3_regmap[voice_offset][voice->op];
35730 ++ voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES);
35731 ++ voice_op = array_index_nospec(voice->op, 4);
35732 ++ op_offset = snd_opl3_regmap[voice_offset][voice_op];
35733 +
35734 + reg_val = 0x00;
35735 + /* Set amplitude modulation (tremolo) effect */
35736 +diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c
35737 +index 57df06e76968..cc009a4a3d1d 100644
35738 +--- a/sound/pci/hda/hda_hwdep.c
35739 ++++ b/sound/pci/hda/hda_hwdep.c
35740 +@@ -21,6 +21,7 @@
35741 + #include <linux/init.h>
35742 + #include <linux/slab.h>
35743 + #include <linux/compat.h>
35744 ++#include <linux/nospec.h>
35745 + #include <sound/core.h>
35746 + #include "hda_codec.h"
35747 + #include "hda_local.h"
35748 +@@ -51,7 +52,16 @@ static int get_wcap_ioctl(struct hda_codec *codec,
35749 +
35750 + if (get_user(verb, &arg->verb))
35751 + return -EFAULT;
35752 +- res = get_wcaps(codec, verb >> 24);
35753 ++ /* open-code get_wcaps(verb>>24) with nospec */
35754 ++ verb >>= 24;
35755 ++ if (verb < codec->core.start_nid ||
35756 ++ verb >= codec->core.start_nid + codec->core.num_nodes) {
35757 ++ res = 0;
35758 ++ } else {
35759 ++ verb -= codec->core.start_nid;
35760 ++ verb = array_index_nospec(verb, codec->core.num_nodes);
35761 ++ res = codec->wcaps[verb];
35762 ++ }
35763 + if (put_user(res, &arg->res))
35764 + return -EFAULT;
35765 + return 0;
35766 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
35767 +index b8886d493083..8c9345949794 100644
35768 +--- a/sound/pci/hda/hda_intel.c
35769 ++++ b/sound/pci/hda/hda_intel.c
35770 +@@ -1393,7 +1393,8 @@ static void azx_check_snoop_available(struct azx *chip)
35771 + */
35772 + u8 val;
35773 + pci_read_config_byte(chip->pci, 0x42, &val);
35774 +- if (!(val & 0x80) && chip->pci->revision == 0x30)
35775 ++ if (!(val & 0x80) && (chip->pci->revision == 0x30 ||
35776 ++ chip->pci->revision == 0x20))
35777 + snoop = false;
35778 + }
35779 +
35780 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
35781 +index 0fd1402e427b..64214c72a71b 100644
35782 +--- a/sound/pci/hda/patch_realtek.c
35783 ++++ b/sound/pci/hda/patch_realtek.c
35784 +@@ -3250,8 +3250,12 @@ static void alc269_fixup_mic_mute_hook(void *private_data, int enabled)
35785 + pinval = snd_hda_codec_get_pin_target(codec, spec->mute_led_nid);
35786 + pinval &= ~AC_PINCTL_VREFEN;
35787 + pinval |= enabled ? AC_PINCTL_VREF_HIZ : AC_PINCTL_VREF_80;
35788 +- if (spec->mute_led_nid)
35789 ++ if (spec->mute_led_nid) {
35790 ++ /* temporarily power up/down for setting VREF */
35791 ++ snd_hda_power_up_pm(codec);
35792 + snd_hda_set_pin_ctl_cache(codec, spec->mute_led_nid, pinval);
35793 ++ snd_hda_power_down_pm(codec);
35794 ++ }
35795 + }
35796 +
35797 + /* Make sure the led works even in runtime suspend */
35798 +@@ -6723,6 +6727,7 @@ enum {
35799 + ALC668_FIXUP_DELL_DISABLE_AAMIX,
35800 + ALC668_FIXUP_DELL_XPS13,
35801 + ALC662_FIXUP_ASUS_Nx50,
35802 ++ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
35803 + ALC668_FIXUP_ASUS_Nx51,
35804 + };
35805 +
35806 +@@ -6970,14 +6975,21 @@ static const struct hda_fixup alc662_fixups[] = {
35807 + .chained = true,
35808 + .chain_id = ALC662_FIXUP_BASS_1A
35809 + },
35810 ++ [ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE] = {
35811 ++ .type = HDA_FIXUP_FUNC,
35812 ++ .v.func = alc_fixup_headset_mode_alc668,
35813 ++ .chain_id = ALC662_FIXUP_BASS_CHMAP
35814 ++ },
35815 + [ALC668_FIXUP_ASUS_Nx51] = {
35816 + .type = HDA_FIXUP_PINS,
35817 + .v.pins = (const struct hda_pintbl[]) {
35818 +- {0x1a, 0x90170151}, /* bass speaker */
35819 ++ { 0x19, 0x03a1913d }, /* use as headphone mic, without its own jack detect */
35820 ++ { 0x1a, 0x90170151 }, /* bass speaker */
35821 ++ { 0x1b, 0x03a1113c }, /* use as headset mic, without its own jack detect */
35822 + {}
35823 + },
35824 + .chained = true,
35825 +- .chain_id = ALC662_FIXUP_BASS_CHMAP,
35826 ++ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE,
35827 + },
35828 + };
35829 +
35830 +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
35831 +index 7f6190606f5e..61a8eafc575c 100644
35832 +--- a/sound/pci/rme9652/hdspm.c
35833 ++++ b/sound/pci/rme9652/hdspm.c
35834 +@@ -137,6 +137,7 @@
35835 + #include <linux/pci.h>
35836 + #include <linux/math64.h>
35837 + #include <linux/io.h>
35838 ++#include <linux/nospec.h>
35839 +
35840 + #include <sound/core.h>
35841 + #include <sound/control.h>
35842 +@@ -5692,40 +5693,43 @@ static int snd_hdspm_channel_info(struct snd_pcm_substream *substream,
35843 + struct snd_pcm_channel_info *info)
35844 + {
35845 + struct hdspm *hdspm = snd_pcm_substream_chip(substream);
35846 ++ unsigned int channel = info->channel;
35847 +
35848 + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
35849 +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_out)) {
35850 ++ if (snd_BUG_ON(channel >= hdspm->max_channels_out)) {
35851 + dev_info(hdspm->card->dev,
35852 + "snd_hdspm_channel_info: output channel out of range (%d)\n",
35853 +- info->channel);
35854 ++ channel);
35855 + return -EINVAL;
35856 + }
35857 +
35858 +- if (hdspm->channel_map_out[info->channel] < 0) {
35859 ++ channel = array_index_nospec(channel, hdspm->max_channels_out);
35860 ++ if (hdspm->channel_map_out[channel] < 0) {
35861 + dev_info(hdspm->card->dev,
35862 + "snd_hdspm_channel_info: output channel %d mapped out\n",
35863 +- info->channel);
35864 ++ channel);
35865 + return -EINVAL;
35866 + }
35867 +
35868 +- info->offset = hdspm->channel_map_out[info->channel] *
35869 ++ info->offset = hdspm->channel_map_out[channel] *
35870 + HDSPM_CHANNEL_BUFFER_BYTES;
35871 + } else {
35872 +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_in)) {
35873 ++ if (snd_BUG_ON(channel >= hdspm->max_channels_in)) {
35874 + dev_info(hdspm->card->dev,
35875 + "snd_hdspm_channel_info: input channel out of range (%d)\n",
35876 +- info->channel);
35877 ++ channel);
35878 + return -EINVAL;
35879 + }
35880 +
35881 +- if (hdspm->channel_map_in[info->channel] < 0) {
35882 ++ channel = array_index_nospec(channel, hdspm->max_channels_in);
35883 ++ if (hdspm->channel_map_in[channel] < 0) {
35884 + dev_info(hdspm->card->dev,
35885 + "snd_hdspm_channel_info: input channel %d mapped out\n",
35886 +- info->channel);
35887 ++ channel);
35888 + return -EINVAL;
35889 + }
35890 +
35891 +- info->offset = hdspm->channel_map_in[info->channel] *
35892 ++ info->offset = hdspm->channel_map_in[channel] *
35893 + HDSPM_CHANNEL_BUFFER_BYTES;
35894 + }
35895 +
35896 +diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c
35897 +index fdbc0aa2776a..c253bdf92e36 100644
35898 +--- a/sound/pci/rme9652/rme9652.c
35899 ++++ b/sound/pci/rme9652/rme9652.c
35900 +@@ -26,6 +26,7 @@
35901 + #include <linux/pci.h>
35902 + #include <linux/module.h>
35903 + #include <linux/io.h>
35904 ++#include <linux/nospec.h>
35905 +
35906 + #include <sound/core.h>
35907 + #include <sound/control.h>
35908 +@@ -2036,9 +2037,10 @@ static int snd_rme9652_channel_info(struct snd_pcm_substream *substream,
35909 + if (snd_BUG_ON(info->channel >= RME9652_NCHANNELS))
35910 + return -EINVAL;
35911 +
35912 +- if ((chn = rme9652->channel_map[info->channel]) < 0) {
35913 ++ chn = rme9652->channel_map[array_index_nospec(info->channel,
35914 ++ RME9652_NCHANNELS)];
35915 ++ if (chn < 0)
35916 + return -EINVAL;
35917 +- }
35918 +
35919 + info->offset = chn * RME9652_CHANNEL_BUFFER_BYTES;
35920 + info->first = 0;
35921 +diff --git a/sound/soc/codecs/ssm2602.c b/sound/soc/codecs/ssm2602.c
35922 +index 314eaece1b7d..ddf67da394de 100644
35923 +--- a/sound/soc/codecs/ssm2602.c
35924 ++++ b/sound/soc/codecs/ssm2602.c
35925 +@@ -54,10 +54,17 @@ struct ssm2602_priv {
35926 + * using 2 wire for device control, so we cache them instead.
35927 + * There is no point in caching the reset register
35928 + */
35929 +-static const u16 ssm2602_reg[SSM2602_CACHEREGNUM] = {
35930 +- 0x0097, 0x0097, 0x0079, 0x0079,
35931 +- 0x000a, 0x0008, 0x009f, 0x000a,
35932 +- 0x0000, 0x0000
35933 ++static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = {
35934 ++ { .reg = 0x00, .def = 0x0097 },
35935 ++ { .reg = 0x01, .def = 0x0097 },
35936 ++ { .reg = 0x02, .def = 0x0079 },
35937 ++ { .reg = 0x03, .def = 0x0079 },
35938 ++ { .reg = 0x04, .def = 0x000a },
35939 ++ { .reg = 0x05, .def = 0x0008 },
35940 ++ { .reg = 0x06, .def = 0x009f },
35941 ++ { .reg = 0x07, .def = 0x000a },
35942 ++ { .reg = 0x08, .def = 0x0000 },
35943 ++ { .reg = 0x09, .def = 0x0000 }
35944 + };
35945 +
35946 +
35947 +@@ -620,8 +627,8 @@ const struct regmap_config ssm2602_regmap_config = {
35948 + .volatile_reg = ssm2602_register_volatile,
35949 +
35950 + .cache_type = REGCACHE_RBTREE,
35951 +- .reg_defaults_raw = ssm2602_reg,
35952 +- .num_reg_defaults_raw = ARRAY_SIZE(ssm2602_reg),
35953 ++ .reg_defaults = ssm2602_reg,
35954 ++ .num_reg_defaults = ARRAY_SIZE(ssm2602_reg),
35955 + };
35956 + EXPORT_SYMBOL_GPL(ssm2602_regmap_config);
35957 +
35958 +diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c
35959 +index 5c7597191e3f..80e3ca115f15 100644
35960 +--- a/sound/soc/fsl/fsl_esai.c
35961 ++++ b/sound/soc/fsl/fsl_esai.c
35962 +@@ -143,6 +143,13 @@ static int fsl_esai_divisor_cal(struct snd_soc_dai *dai, bool tx, u32 ratio,
35963 +
35964 + psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8;
35965 +
35966 ++ /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */
35967 ++ if (ratio <= 256) {
35968 ++ pm = ratio;
35969 ++ fp = 1;
35970 ++ goto out;
35971 ++ }
35972 ++
35973 + /* Set the max fluctuation -- 0.1% of the max devisor */
35974 + savesub = (psr ? 1 : 8) * 256 * maxfp / 1000;
35975 +
35976 +diff --git a/sound/soc/intel/atom/sst/sst_stream.c b/sound/soc/intel/atom/sst/sst_stream.c
35977 +index a74c64c7053c..e83da42a8c03 100644
35978 +--- a/sound/soc/intel/atom/sst/sst_stream.c
35979 ++++ b/sound/soc/intel/atom/sst/sst_stream.c
35980 +@@ -221,7 +221,7 @@ int sst_send_byte_stream_mrfld(struct intel_sst_drv *sst_drv_ctx,
35981 + sst_free_block(sst_drv_ctx, block);
35982 + out:
35983 + test_and_clear_bit(pvt_id, &sst_drv_ctx->pvt_id);
35984 +- return 0;
35985 ++ return ret;
35986 + }
35987 +
35988 + /*
35989 +diff --git a/sound/soc/intel/boards/cht_bsw_rt5645.c b/sound/soc/intel/boards/cht_bsw_rt5645.c
35990 +index 20a28b22e30f..5c3a38612c01 100644
35991 +--- a/sound/soc/intel/boards/cht_bsw_rt5645.c
35992 ++++ b/sound/soc/intel/boards/cht_bsw_rt5645.c
35993 +@@ -89,6 +89,7 @@ static const struct snd_soc_dapm_widget cht_dapm_widgets[] = {
35994 + SND_SOC_DAPM_HP("Headphone", NULL),
35995 + SND_SOC_DAPM_MIC("Headset Mic", NULL),
35996 + SND_SOC_DAPM_MIC("Int Mic", NULL),
35997 ++ SND_SOC_DAPM_MIC("Int Analog Mic", NULL),
35998 + SND_SOC_DAPM_SPK("Ext Spk", NULL),
35999 + SND_SOC_DAPM_SUPPLY("Platform Clock", SND_SOC_NOPM, 0, 0,
36000 + platform_clock_control, SND_SOC_DAPM_POST_PMD),
36001 +@@ -99,6 +100,8 @@ static const struct snd_soc_dapm_route cht_audio_map[] = {
36002 + {"IN1N", NULL, "Headset Mic"},
36003 + {"DMIC L1", NULL, "Int Mic"},
36004 + {"DMIC R1", NULL, "Int Mic"},
36005 ++ {"IN2P", NULL, "Int Analog Mic"},
36006 ++ {"IN2N", NULL, "Int Analog Mic"},
36007 + {"Headphone", NULL, "HPOL"},
36008 + {"Headphone", NULL, "HPOR"},
36009 + {"Ext Spk", NULL, "SPOL"},
36010 +@@ -112,6 +115,9 @@ static const struct snd_soc_dapm_route cht_audio_map[] = {
36011 + {"Headphone", NULL, "Platform Clock"},
36012 + {"Headset Mic", NULL, "Platform Clock"},
36013 + {"Int Mic", NULL, "Platform Clock"},
36014 ++ {"Int Analog Mic", NULL, "Platform Clock"},
36015 ++ {"Int Analog Mic", NULL, "micbias1"},
36016 ++ {"Int Analog Mic", NULL, "micbias2"},
36017 + {"Ext Spk", NULL, "Platform Clock"},
36018 + };
36019 +
36020 +@@ -119,6 +125,7 @@ static const struct snd_kcontrol_new cht_mc_controls[] = {
36021 + SOC_DAPM_PIN_SWITCH("Headphone"),
36022 + SOC_DAPM_PIN_SWITCH("Headset Mic"),
36023 + SOC_DAPM_PIN_SWITCH("Int Mic"),
36024 ++ SOC_DAPM_PIN_SWITCH("Int Analog Mic"),
36025 + SOC_DAPM_PIN_SWITCH("Ext Spk"),
36026 + };
36027 +
36028 +diff --git a/sound/soc/nuc900/nuc900-ac97.c b/sound/soc/nuc900/nuc900-ac97.c
36029 +index b6615affe571..fde974d52bb2 100644
36030 +--- a/sound/soc/nuc900/nuc900-ac97.c
36031 ++++ b/sound/soc/nuc900/nuc900-ac97.c
36032 +@@ -67,7 +67,7 @@ static unsigned short nuc900_ac97_read(struct snd_ac97 *ac97,
36033 +
36034 + /* polling the AC_R_FINISH */
36035 + while (!(AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_R_FINISH)
36036 +- && timeout--)
36037 ++ && --timeout)
36038 + mdelay(1);
36039 +
36040 + if (!timeout) {
36041 +@@ -121,7 +121,7 @@ static void nuc900_ac97_write(struct snd_ac97 *ac97, unsigned short reg,
36042 +
36043 + /* polling the AC_W_FINISH */
36044 + while ((AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_W_FINISH)
36045 +- && timeout--)
36046 ++ && --timeout)
36047 + mdelay(1);
36048 +
36049 + if (!timeout)
36050 +diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
36051 +index 4599983cfc8a..c3b9d01d4e91 100644
36052 +--- a/sound/soc/sh/rcar/ssi.c
36053 ++++ b/sound/soc/sh/rcar/ssi.c
36054 +@@ -396,6 +396,13 @@ static irqreturn_t rsnd_ssi_interrupt(int irq, void *data)
36055 + struct snd_pcm_runtime *runtime = rsnd_io_to_runtime(io);
36056 + u32 *buf = (u32 *)(runtime->dma_area +
36057 + rsnd_dai_pointer_offset(io, 0));
36058 ++ int shift = 0;
36059 ++
36060 ++ switch (runtime->sample_bits) {
36061 ++ case 32:
36062 ++ shift = 8;
36063 ++ break;
36064 ++ }
36065 +
36066 + /*
36067 + * 8/16/32 data can be assesse to TDR/RDR register
36068 +@@ -403,9 +410,9 @@ static irqreturn_t rsnd_ssi_interrupt(int irq, void *data)
36069 + * see rsnd_ssi_init()
36070 + */
36071 + if (rsnd_io_is_play(io))
36072 +- rsnd_mod_write(mod, SSITDR, *buf);
36073 ++ rsnd_mod_write(mod, SSITDR, (*buf) << shift);
36074 + else
36075 +- *buf = rsnd_mod_read(mod, SSIRDR);
36076 ++ *buf = (rsnd_mod_read(mod, SSIRDR) >> shift);
36077 +
36078 + rsnd_dai_pointer_update(io, sizeof(*buf));
36079 + }
36080 +diff --git a/sound/usb/line6/midi.c b/sound/usb/line6/midi.c
36081 +index cebea9b7f769..6a9be1df7851 100644
36082 +--- a/sound/usb/line6/midi.c
36083 ++++ b/sound/usb/line6/midi.c
36084 +@@ -125,7 +125,7 @@ static int send_midi_async(struct usb_line6 *line6, unsigned char *data,
36085 + }
36086 +
36087 + usb_fill_int_urb(urb, line6->usbdev,
36088 +- usb_sndbulkpipe(line6->usbdev,
36089 ++ usb_sndintpipe(line6->usbdev,
36090 + line6->properties->ep_ctrl_w),
36091 + transfer_buffer, length, midi_sent, line6,
36092 + line6->interval);
36093 +diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c
36094 +index 1f8fb0d904e0..f5cf23ffb35b 100644
36095 +--- a/sound/usb/mixer_maps.c
36096 ++++ b/sound/usb/mixer_maps.c
36097 +@@ -351,8 +351,11 @@ static struct usbmix_name_map bose_companion5_map[] = {
36098 + /*
36099 + * Dell usb dock with ALC4020 codec had a firmware problem where it got
36100 + * screwed up when zero volume is passed; just skip it as a workaround
36101 ++ *
36102 ++ * Also the extension unit gives an access error, so skip it as well.
36103 + */
36104 + static const struct usbmix_name_map dell_alc4020_map[] = {
36105 ++ { 4, NULL }, /* extension unit */
36106 + { 16, NULL },
36107 + { 19, NULL },
36108 + { 0 }
36109 +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
36110 +index 09b9b74e4c1b..6b169043db1f 100644
36111 +--- a/tools/perf/builtin-trace.c
36112 ++++ b/tools/perf/builtin-trace.c
36113 +@@ -1023,6 +1023,10 @@ static struct syscall_fmt {
36114 + { .name = "mlockall", .errmsg = true,
36115 + .arg_scnprintf = { [0] = SCA_HEX, /* addr */ }, },
36116 + { .name = "mmap", .hexret = true,
36117 ++/* The standard mmap maps to old_mmap on s390x */
36118 ++#if defined(__s390x__)
36119 ++ .alias = "old_mmap",
36120 ++#endif
36121 + .arg_scnprintf = { [0] = SCA_HEX, /* addr */
36122 + [2] = SCA_MMAP_PROT, /* prot */
36123 + [3] = SCA_MMAP_FLAGS, /* flags */
36124 +diff --git a/tools/perf/tests/code-reading.c b/tools/perf/tests/code-reading.c
36125 +index f671ec37a7c4..0a9362680aa4 100644
36126 +--- a/tools/perf/tests/code-reading.c
36127 ++++ b/tools/perf/tests/code-reading.c
36128 +@@ -140,6 +140,8 @@ static int read_object_code(u64 addr, size_t len, u8 cpumode,
36129 + unsigned char buf2[BUFSZ];
36130 + size_t ret_len;
36131 + u64 objdump_addr;
36132 ++ const char *objdump_name;
36133 ++ char decomp_name[KMOD_DECOMP_LEN];
36134 + int ret;
36135 +
36136 + pr_debug("Reading object code for memory address: %#"PRIx64"\n", addr);
36137 +@@ -200,9 +202,25 @@ static int read_object_code(u64 addr, size_t len, u8 cpumode,
36138 + state->done[state->done_cnt++] = al.map->start;
36139 + }
36140 +
36141 ++ objdump_name = al.map->dso->long_name;
36142 ++ if (dso__needs_decompress(al.map->dso)) {
36143 ++ if (dso__decompress_kmodule_path(al.map->dso, objdump_name,
36144 ++ decomp_name,
36145 ++ sizeof(decomp_name)) < 0) {
36146 ++ pr_debug("decompression failed\n");
36147 ++ return -1;
36148 ++ }
36149 ++
36150 ++ objdump_name = decomp_name;
36151 ++ }
36152 ++
36153 + /* Read the object code using objdump */
36154 + objdump_addr = map__rip_2objdump(al.map, al.addr);
36155 +- ret = read_via_objdump(al.map->dso->long_name, objdump_addr, buf2, len);
36156 ++ ret = read_via_objdump(objdump_name, objdump_addr, buf2, len);
36157 ++
36158 ++ if (dso__needs_decompress(al.map->dso))
36159 ++ unlink(objdump_name);
36160 ++
36161 + if (ret > 0) {
36162 + /*
36163 + * The kernel maps are inaccurate - assume objdump is right in
36164 +diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c
36165 +index 12ad79717d94..36822be05b07 100644
36166 +--- a/tools/perf/util/event.c
36167 ++++ b/tools/perf/util/event.c
36168 +@@ -221,8 +221,8 @@ int perf_event__synthesize_mmap_events(struct perf_tool *tool,
36169 + if (machine__is_default_guest(machine))
36170 + return 0;
36171 +
36172 +- snprintf(filename, sizeof(filename), "%s/proc/%d/maps",
36173 +- machine->root_dir, pid);
36174 ++ snprintf(filename, sizeof(filename), "%s/proc/%d/task/%d/maps",
36175 ++ machine->root_dir, pid, pid);
36176 +
36177 + fp = fopen(filename, "r");
36178 + if (fp == NULL) {
36179 +diff --git a/tools/perf/util/ordered-events.c b/tools/perf/util/ordered-events.c
36180 +index 52be201b9b25..90a986740684 100644
36181 +--- a/tools/perf/util/ordered-events.c
36182 ++++ b/tools/perf/util/ordered-events.c
36183 +@@ -79,7 +79,7 @@ static union perf_event *dup_event(struct ordered_events *oe,
36184 +
36185 + static void free_dup_event(struct ordered_events *oe, union perf_event *event)
36186 + {
36187 +- if (oe->copy_on_queue) {
36188 ++ if (event && oe->copy_on_queue) {
36189 + oe->cur_alloc_size -= event->header.size;
36190 + free(event);
36191 + }
36192 +@@ -150,6 +150,7 @@ void ordered_events__delete(struct ordered_events *oe, struct ordered_event *eve
36193 + list_move(&event->list, &oe->cache);
36194 + oe->nr_events--;
36195 + free_dup_event(oe, event->event);
36196 ++ event->event = NULL;
36197 + }
36198 +
36199 + int ordered_events__queue(struct ordered_events *oe, union perf_event *event,
36200 +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
36201 +index 83054ef6c1a1..f947f069449c 100644
36202 +--- a/tools/perf/util/session.c
36203 ++++ b/tools/perf/util/session.c
36204 +@@ -132,8 +132,14 @@ struct perf_session *perf_session__new(struct perf_data_file *file,
36205 + if (perf_session__open(session) < 0)
36206 + goto out_close;
36207 +
36208 +- perf_session__set_id_hdr_size(session);
36209 +- perf_session__set_comm_exec(session);
36210 ++ /*
36211 ++ * set session attributes that are present in perf.data
36212 ++ * but not in pipe-mode.
36213 ++ */
36214 ++ if (!file->is_pipe) {
36215 ++ perf_session__set_id_hdr_size(session);
36216 ++ perf_session__set_comm_exec(session);
36217 ++ }
36218 + }
36219 + }
36220 +
36221 +@@ -146,7 +152,11 @@ struct perf_session *perf_session__new(struct perf_data_file *file,
36222 + pr_warning("Cannot read kernel map\n");
36223 + }
36224 +
36225 +- if (tool && tool->ordering_requires_timestamps &&
36226 ++ /*
36227 ++ * In pipe-mode, evlist is empty until PERF_RECORD_HEADER_ATTR is
36228 ++ * processed, so perf_evlist__sample_id_all is not meaningful here.
36229 ++ */
36230 ++ if ((!file || !file->is_pipe) && tool && tool->ordering_requires_timestamps &&
36231 + tool->ordered_events && !perf_evlist__sample_id_all(session->evlist)) {
36232 + dump_printf("WARNING: No sample_id_all support, falling back to unordered processing\n");
36233 + tool->ordered_events = false;
36234 +@@ -1193,6 +1203,7 @@ static int __perf_session__process_pipe_events(struct perf_session *session)
36235 + buf = malloc(cur_size);
36236 + if (!buf)
36237 + return -errno;
36238 ++ ordered_events__set_copy_on_queue(oe, true);
36239 + more:
36240 + event = buf;
36241 + err = readn(fd, event, sizeof(struct perf_event_header));
36242 +diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c
36243 +index 2dcfe9a7c8d0..60edec383281 100644
36244 +--- a/tools/perf/util/unwind-libdw.c
36245 ++++ b/tools/perf/util/unwind-libdw.c
36246 +@@ -37,6 +37,14 @@ static int __report_module(struct addr_location *al, u64 ip,
36247 + return 0;
36248 +
36249 + mod = dwfl_addrmodule(ui->dwfl, ip);
36250 ++ if (mod) {
36251 ++ Dwarf_Addr s;
36252 ++
36253 ++ dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL);
36254 ++ if (s != al->map->start)
36255 ++ mod = 0;
36256 ++ }
36257 ++
36258 + if (!mod)
36259 + mod = dwfl_report_elf(ui->dwfl, dso->short_name,
36260 + dso->long_name, -1, al->map->start,
36261 +diff --git a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
36262 +index 42d4c8caad81..de8dc82e2567 100644
36263 +--- a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
36264 ++++ b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c
36265 +@@ -45,12 +45,12 @@ int test_body(void)
36266 + printf("Check DSCR TM context switch: ");
36267 + fflush(stdout);
36268 + for (;;) {
36269 +- rv = 1;
36270 + asm __volatile__ (
36271 + /* set a known value into the DSCR */
36272 + "ld 3, %[dscr1];"
36273 + "mtspr %[sprn_dscr], 3;"
36274 +
36275 ++ "li %[rv], 1;"
36276 + /* start and suspend a transaction */
36277 + TBEGIN
36278 + "beq 1f;"
36279 +diff --git a/tools/testing/selftests/rcutorture/bin/configinit.sh b/tools/testing/selftests/rcutorture/bin/configinit.sh
36280 +index 15f1a17ca96e..0b679d8382c7 100755
36281 +--- a/tools/testing/selftests/rcutorture/bin/configinit.sh
36282 ++++ b/tools/testing/selftests/rcutorture/bin/configinit.sh
36283 +@@ -51,7 +51,7 @@ then
36284 + mkdir $builddir
36285 + fi
36286 + else
36287 +- echo Bad build directory: \"$builddir\"
36288 ++ echo Bad build directory: \"$buildloc\"
36289 + exit 2
36290 + fi
36291 + fi
36292 +diff --git a/tools/usb/usbip/src/usbipd.c b/tools/usb/usbip/src/usbipd.c
36293 +index 2a7cd2b8d966..8c5b0faba229 100644
36294 +--- a/tools/usb/usbip/src/usbipd.c
36295 ++++ b/tools/usb/usbip/src/usbipd.c
36296 +@@ -451,7 +451,7 @@ static void set_signal(void)
36297 + sigaction(SIGTERM, &act, NULL);
36298 + sigaction(SIGINT, &act, NULL);
36299 + act.sa_handler = SIG_IGN;
36300 +- sigaction(SIGCLD, &act, NULL);
36301 ++ sigaction(SIGCHLD, &act, NULL);
36302 + }
36303 +
36304 + static const char *pid_file;
Report Message
Find on MARC Find on Google Groups