Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Mike Pagano (mpagano)" <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r2819 - genpatches-2.6/trunk/3.10
Date: Mon, 09 Jun 2014 12:27:40
Message-Id: 20140609122735.6977E2004E@flycatcher.gentoo.org
1 Author: mpagano
2 Date: 2014-06-09 12:27:34 +0000 (Mon, 09 Jun 2014)
3 New Revision: 2819
4
5 Added:
6 genpatches-2.6/trunk/3.10/1041_linux-3.10.42.patch
7 Removed:
8 genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch
9 genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch
10 genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
11 genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
12 genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
13 genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch
14 Modified:
15 genpatches-2.6/trunk/3.10/0000_README
16 Log:
17 Linux patch 3.10.42. Remove redundant patches
18
19 Modified: genpatches-2.6/trunk/3.10/0000_README
20 ===================================================================
21 --- genpatches-2.6/trunk/3.10/0000_README 2014-06-09 00:42:33 UTC (rev 2818)
22 +++ genpatches-2.6/trunk/3.10/0000_README 2014-06-09 12:27:34 UTC (rev 2819)
23 @@ -206,6 +206,10 @@
24 From: http://www.kernel.org
25 Desc: Linux 3.10.41
26
27 +Patch: 1041_linux-3.10.42.patch
28 +From: http://www.kernel.org
29 +Desc: Linux 3.10.42
30 +
31 Patch: 1500_XATTR_USER_PREFIX.patch
32 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
33 Desc: Support for namespace user.pax.* on tmpfs.
34 @@ -214,30 +218,6 @@
35 From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6a96e15096da6e7491107321cfa660c7c2aa119d
36 Desc: selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink message types
37
38 -Patch: 1501-futex-add-another-early-deadlock-detection-check.patch
39 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=866293ee54227584ffcb4a42f69c1f365974ba7f
40 -Desc: CVE-2014-3153
41 -
42 -Patch: 1502-futex-prevent-attaching-to-kernel-threads.patch
43 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d71b3dcb8332f7971b5f2363632573e6d9486a
44 -Desc: CVE-2014-3153
45 -
46 -Patch: 1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
47 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8
48 -Desc: CVE-2014-3153
49 -
50 -Patch: 1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
51 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
52 -Desc: CVE-2014-3153
53 -
54 -Patch: 1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
55 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
56 -Desc: CVE-2014-3153
57 -
58 -Patch: 1506-futex-make-lookup_pi_state-more-robust.patch
59 -From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54a217887a7b658e2650c3feff22756ab80c7339
60 -Desc: CVE-2014-3153
61 -
62 Patch: 1700_enable-thinkpad-micled.patch
63 From: https://bugs.gentoo.org/show_bug.cgi?id=449248
64 Desc: Enable mic mute led in thinkpads
65
66 Added: genpatches-2.6/trunk/3.10/1041_linux-3.10.42.patch
67 ===================================================================
68 --- genpatches-2.6/trunk/3.10/1041_linux-3.10.42.patch (rev 0)
69 +++ genpatches-2.6/trunk/3.10/1041_linux-3.10.42.patch 2014-06-09 12:27:34 UTC (rev 2819)
70 @@ -0,0 +1,3808 @@
71 +diff --git a/Documentation/i2c/busses/i2c-i801 b/Documentation/i2c/busses/i2c-i801
72 +index d29dea0f3232..babe2ef16139 100644
73 +--- a/Documentation/i2c/busses/i2c-i801
74 ++++ b/Documentation/i2c/busses/i2c-i801
75 +@@ -25,6 +25,8 @@ Supported adapters:
76 + * Intel Avoton (SOC)
77 + * Intel Wellsburg (PCH)
78 + * Intel Coleto Creek (PCH)
79 ++ * Intel Wildcat Point-LP (PCH)
80 ++ * Intel BayTrail (SOC)
81 + Datasheets: Publicly available at the Intel website
82 +
83 + On Intel Patsburg and later chipsets, both the normal host SMBus controller
84 +diff --git a/Documentation/input/elantech.txt b/Documentation/input/elantech.txt
85 +index 5602eb71ad5d..e1ae127ed099 100644
86 +--- a/Documentation/input/elantech.txt
87 ++++ b/Documentation/input/elantech.txt
88 +@@ -504,9 +504,12 @@ byte 5:
89 + * reg_10
90 +
91 + bit 7 6 5 4 3 2 1 0
92 +- 0 0 0 0 0 0 0 A
93 ++ 0 0 0 0 R F T A
94 +
95 + A: 1 = enable absolute tracking
96 ++ T: 1 = enable two finger mode auto correct
97 ++ F: 1 = disable ABS Position Filter
98 ++ R: 1 = enable real hardware resolution
99 +
100 + 6.2 Native absolute mode 6 byte packet format
101 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
102 +diff --git a/Documentation/ja_JP/HOWTO b/Documentation/ja_JP/HOWTO
103 +index 050d37fe6d40..46ed73593465 100644
104 +--- a/Documentation/ja_JP/HOWTO
105 ++++ b/Documentation/ja_JP/HOWTO
106 +@@ -315,7 +315,7 @@ Andrew Morton が Linux-kernel メーリングリストにカーネルリリー
107 + もし、2.6.x.y カーネルが存在しない場合には、番号が一番大きい 2.6.x が
108 + 最新の安定版カーネルです。
109 +
110 +-2.6.x.y は "stable" チーム <stable@××××××.org> でメンテされており、必
111 ++2.6.x.y は "stable" チーム <stable@×××××××××××.org> でメンテされており、必
112 + 要に応じてリリースされます。通常のリリース期間は 2週間毎ですが、差し迫っ
113 + た問題がなければもう少し長くなることもあります。セキュリティ関連の問題
114 + の場合はこれに対してだいたいの場合、すぐにリリースがされます。
115 +diff --git a/Documentation/ja_JP/stable_kernel_rules.txt b/Documentation/ja_JP/stable_kernel_rules.txt
116 +index 14265837c4ce..9dbda9b5d21e 100644
117 +--- a/Documentation/ja_JP/stable_kernel_rules.txt
118 ++++ b/Documentation/ja_JP/stable_kernel_rules.txt
119 +@@ -50,16 +50,16 @@ linux-2.6.29/Documentation/stable_kernel_rules.txt
120 +
121 + -stable ツリーにパッチを送付する手続き-
122 +
123 +- - 上記の規則に従っているかを確認した後に、stable@××××××.org にパッチ
124 ++ - 上記の規則に従っているかを確認した後に、stable@×××××××××××.org にパッチ
125 + を送る。
126 + - 送信者はパッチがキューに受け付けられた際には ACK を、却下された場合
127 + には NAK を受け取る。この反応は開発者たちのスケジュールによって、数
128 + 日かかる場合がある。
129 + - もし受け取られたら、パッチは他の開発者たちと関連するサブシステムの
130 + メンテナーによるレビューのために -stable キューに追加される。
131 +- - パッチに stable@××××××.org のアドレスが付加されているときには、それ
132 ++ - パッチに stable@×××××××××××.org のアドレスが付加されているときには、それ
133 + が Linus のツリーに入る時に自動的に stable チームに email される。
134 +- - セキュリティパッチはこのエイリアス (stable@××××××.org) に送られるべ
135 ++ - セキュリティパッチはこのエイリアス (stable@×××××××××××.org) に送られるべ
136 + きではなく、代わりに security@××××××.org のアドレスに送られる。
137 +
138 + レビューサイクル-
139 +diff --git a/Documentation/zh_CN/HOWTO b/Documentation/zh_CN/HOWTO
140 +index 7fba5aab9ef9..7599eb38b764 100644
141 +--- a/Documentation/zh_CN/HOWTO
142 ++++ b/Documentation/zh_CN/HOWTO
143 +@@ -237,7 +237,7 @@ kernel.org网站的pub/linux/kernel/v2.6/目录下找到它。它的开发遵循
144 + 如果没有2.6.x.y版本内核存在,那么最新的2.6.x版本内核就相当于是当前的稳定
145 + 版内核。
146 +
147 +-2.6.x.y版本由“稳定版”小组(邮件地址<stable@××××××.org>)维护,一般隔周发
148 ++2.6.x.y版本由“稳定版”小组(邮件地址<stable@×××××××××××.org>)维护,一般隔周发
149 + 布新版本。
150 +
151 + 内核源码中的Documentation/stable_kernel_rules.txt文件具体描述了可被稳定
152 +diff --git a/Documentation/zh_CN/stable_kernel_rules.txt b/Documentation/zh_CN/stable_kernel_rules.txt
153 +index b5b9b0ab02fd..26ea5ed7cd9c 100644
154 +--- a/Documentation/zh_CN/stable_kernel_rules.txt
155 ++++ b/Documentation/zh_CN/stable_kernel_rules.txt
156 +@@ -42,7 +42,7 @@ Documentation/stable_kernel_rules.txt 的中文翻译
157 +
158 + 向稳定版代码树提交补丁的过程:
159 +
160 +- - 在确认了补丁符合以上的规则后,将补丁发送到stable@××××××.org。
161 ++ - 在确认了补丁符合以上的规则后,将补丁发送到stable@×××××××××××.org。
162 + - 如果补丁被接受到队列里,发送者会收到一个ACK回复,如果没有被接受,收
163 + 到的是NAK回复。回复需要几天的时间,这取决于开发者的时间安排。
164 + - 被接受的补丁会被加到稳定版本队列里,等待其他开发者的审查。
165 +diff --git a/Makefile b/Makefile
166 +index 370cc01afb07..4634015fed68 100644
167 +--- a/Makefile
168 ++++ b/Makefile
169 +@@ -1,6 +1,6 @@
170 + VERSION = 3
171 + PATCHLEVEL = 10
172 +-SUBLEVEL = 41
173 ++SUBLEVEL = 42
174 + EXTRAVERSION =
175 + NAME = TOSSUG Baby Fish
176 +
177 +diff --git a/arch/arm/boot/dts/imx53.dtsi b/arch/arm/boot/dts/imx53.dtsi
178 +index eb83aa039b8b..e524316998f4 100644
179 +--- a/arch/arm/boot/dts/imx53.dtsi
180 ++++ b/arch/arm/boot/dts/imx53.dtsi
181 +@@ -71,7 +71,7 @@
182 + ipu: ipu@18000000 {
183 + #crtc-cells = <1>;
184 + compatible = "fsl,imx53-ipu";
185 +- reg = <0x18000000 0x080000000>;
186 ++ reg = <0x18000000 0x08000000>;
187 + interrupts = <11 10>;
188 + clocks = <&clks 59>, <&clks 110>, <&clks 61>;
189 + clock-names = "bus", "di0", "di1";
190 +diff --git a/arch/arm/kernel/crash_dump.c b/arch/arm/kernel/crash_dump.c
191 +index 90c50d4b43f7..5d1286d51154 100644
192 +--- a/arch/arm/kernel/crash_dump.c
193 ++++ b/arch/arm/kernel/crash_dump.c
194 +@@ -39,7 +39,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf,
195 + if (!csize)
196 + return 0;
197 +
198 +- vaddr = ioremap(pfn << PAGE_SHIFT, PAGE_SIZE);
199 ++ vaddr = ioremap(__pfn_to_phys(pfn), PAGE_SIZE);
200 + if (!vaddr)
201 + return -ENOMEM;
202 +
203 +diff --git a/arch/metag/include/asm/barrier.h b/arch/metag/include/asm/barrier.h
204 +index c90bfc6bf648..e355a4c10968 100644
205 +--- a/arch/metag/include/asm/barrier.h
206 ++++ b/arch/metag/include/asm/barrier.h
207 +@@ -15,6 +15,7 @@ static inline void wr_fence(void)
208 + volatile int *flushptr = (volatile int *) LINSYSEVENT_WR_FENCE;
209 + barrier();
210 + *flushptr = 0;
211 ++ barrier();
212 + }
213 +
214 + #else /* CONFIG_METAG_META21 */
215 +@@ -35,6 +36,7 @@ static inline void wr_fence(void)
216 + *flushptr = 0;
217 + *flushptr = 0;
218 + *flushptr = 0;
219 ++ barrier();
220 + }
221 +
222 + #endif /* !CONFIG_METAG_META21 */
223 +@@ -68,6 +70,7 @@ static inline void fence(void)
224 + volatile int *flushptr = (volatile int *) LINSYSEVENT_WR_ATOMIC_UNLOCK;
225 + barrier();
226 + *flushptr = 0;
227 ++ barrier();
228 + }
229 + #define smp_mb() fence()
230 + #define smp_rmb() fence()
231 +diff --git a/arch/metag/include/asm/processor.h b/arch/metag/include/asm/processor.h
232 +index 9b029a7911c3..579e3d93a5ca 100644
233 +--- a/arch/metag/include/asm/processor.h
234 ++++ b/arch/metag/include/asm/processor.h
235 +@@ -22,6 +22,8 @@
236 + /* Add an extra page of padding at the top of the stack for the guard page. */
237 + #define STACK_TOP (TASK_SIZE - PAGE_SIZE)
238 + #define STACK_TOP_MAX STACK_TOP
239 ++/* Maximum virtual space for stack */
240 ++#define STACK_SIZE_MAX (1 << 28) /* 256 MB */
241 +
242 + /* This decides where the kernel will search for a free chunk of vm
243 + * space during mmap's.
244 +diff --git a/arch/mips/cavium-octeon/octeon-irq.c b/arch/mips/cavium-octeon/octeon-irq.c
245 +index a22f06a6f7ca..45c1a6caa206 100644
246 +--- a/arch/mips/cavium-octeon/octeon-irq.c
247 ++++ b/arch/mips/cavium-octeon/octeon-irq.c
248 +@@ -635,7 +635,7 @@ static void octeon_irq_cpu_offline_ciu(struct irq_data *data)
249 + cpumask_clear(&new_affinity);
250 + cpumask_set_cpu(cpumask_first(cpu_online_mask), &new_affinity);
251 + }
252 +- __irq_set_affinity_locked(data, &new_affinity);
253 ++ irq_set_affinity_locked(data, &new_affinity, false);
254 + }
255 +
256 + static int octeon_irq_ciu_set_affinity(struct irq_data *data,
257 +diff --git a/arch/mips/lantiq/dts/easy50712.dts b/arch/mips/lantiq/dts/easy50712.dts
258 +index fac1f5b178eb..143b8a37b5e4 100644
259 +--- a/arch/mips/lantiq/dts/easy50712.dts
260 ++++ b/arch/mips/lantiq/dts/easy50712.dts
261 +@@ -8,6 +8,7 @@
262 + };
263 +
264 + memory@0 {
265 ++ device_type = "memory";
266 + reg = <0x0 0x2000000>;
267 + };
268 +
269 +diff --git a/arch/mips/ralink/dts/mt7620a_eval.dts b/arch/mips/ralink/dts/mt7620a_eval.dts
270 +index 35eb874ab7f1..709f58132f5c 100644
271 +--- a/arch/mips/ralink/dts/mt7620a_eval.dts
272 ++++ b/arch/mips/ralink/dts/mt7620a_eval.dts
273 +@@ -7,6 +7,7 @@
274 + model = "Ralink MT7620A evaluation board";
275 +
276 + memory@0 {
277 ++ device_type = "memory";
278 + reg = <0x0 0x2000000>;
279 + };
280 +
281 +diff --git a/arch/mips/ralink/dts/rt2880_eval.dts b/arch/mips/ralink/dts/rt2880_eval.dts
282 +index 322d7002595b..0a685db093d4 100644
283 +--- a/arch/mips/ralink/dts/rt2880_eval.dts
284 ++++ b/arch/mips/ralink/dts/rt2880_eval.dts
285 +@@ -7,6 +7,7 @@
286 + model = "Ralink RT2880 evaluation board";
287 +
288 + memory@0 {
289 ++ device_type = "memory";
290 + reg = <0x8000000 0x2000000>;
291 + };
292 +
293 +diff --git a/arch/mips/ralink/dts/rt3052_eval.dts b/arch/mips/ralink/dts/rt3052_eval.dts
294 +index 0ac73ea28198..ec9e9a035541 100644
295 +--- a/arch/mips/ralink/dts/rt3052_eval.dts
296 ++++ b/arch/mips/ralink/dts/rt3052_eval.dts
297 +@@ -7,6 +7,7 @@
298 + model = "Ralink RT3052 evaluation board";
299 +
300 + memory@0 {
301 ++ device_type = "memory";
302 + reg = <0x0 0x2000000>;
303 + };
304 +
305 +diff --git a/arch/mips/ralink/dts/rt3883_eval.dts b/arch/mips/ralink/dts/rt3883_eval.dts
306 +index 2fa6b330bf4f..e8df21a5d10d 100644
307 +--- a/arch/mips/ralink/dts/rt3883_eval.dts
308 ++++ b/arch/mips/ralink/dts/rt3883_eval.dts
309 +@@ -7,6 +7,7 @@
310 + model = "Ralink RT3883 evaluation board";
311 +
312 + memory@0 {
313 ++ device_type = "memory";
314 + reg = <0x0 0x2000000>;
315 + };
316 +
317 +diff --git a/arch/parisc/include/asm/processor.h b/arch/parisc/include/asm/processor.h
318 +index cc2290a3cace..c6ee86542fec 100644
319 +--- a/arch/parisc/include/asm/processor.h
320 ++++ b/arch/parisc/include/asm/processor.h
321 +@@ -53,6 +53,8 @@
322 + #define STACK_TOP TASK_SIZE
323 + #define STACK_TOP_MAX DEFAULT_TASK_SIZE
324 +
325 ++#define STACK_SIZE_MAX (1 << 30) /* 1 GB */
326 ++
327 + #endif
328 +
329 + #ifndef __ASSEMBLY__
330 +diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
331 +index 967fd23ace78..56a4a5d205af 100644
332 +--- a/arch/powerpc/Makefile
333 ++++ b/arch/powerpc/Makefile
334 +@@ -97,7 +97,9 @@ CFLAGS-$(CONFIG_POWER7_CPU) += $(call cc-option,-mcpu=power7)
335 +
336 + CFLAGS-$(CONFIG_TUNE_CELL) += $(call cc-option,-mtune=cell)
337 +
338 +-KBUILD_CPPFLAGS += -Iarch/$(ARCH)
339 ++asinstr := $(call as-instr,lis 9$(comma)foo@high,-DHAVE_AS_ATHIGH=1)
340 ++
341 ++KBUILD_CPPFLAGS += -Iarch/$(ARCH) $(asinstr)
342 + KBUILD_AFLAGS += -Iarch/$(ARCH)
343 + KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
344 + CPP = $(CC) -E $(KBUILD_CFLAGS)
345 +diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h
346 +index 2f1b6c5f8174..22cee04a47fc 100644
347 +--- a/arch/powerpc/include/asm/ppc_asm.h
348 ++++ b/arch/powerpc/include/asm/ppc_asm.h
349 +@@ -390,11 +390,16 @@ n:
350 + * ld rY,ADDROFF(name)(rX)
351 + */
352 + #ifdef __powerpc64__
353 ++#ifdef HAVE_AS_ATHIGH
354 ++#define __AS_ATHIGH high
355 ++#else
356 ++#define __AS_ATHIGH h
357 ++#endif
358 + #define LOAD_REG_IMMEDIATE(reg,expr) \
359 + lis reg,(expr)@highest; \
360 + ori reg,reg,(expr)@higher; \
361 + rldicr reg,reg,32,31; \
362 +- oris reg,reg,(expr)@h; \
363 ++ oris reg,reg,(expr)@__AS_ATHIGH; \
364 + ori reg,reg,(expr)@l;
365 +
366 + #define LOAD_REG_ADDR(reg,name) \
367 +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
368 +index 1e1c995ddacc..d55357ee9028 100644
369 +--- a/arch/powerpc/kernel/process.c
370 ++++ b/arch/powerpc/kernel/process.c
371 +@@ -948,6 +948,16 @@ int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
372 + flush_altivec_to_thread(src);
373 + flush_vsx_to_thread(src);
374 + flush_spe_to_thread(src);
375 ++ /*
376 ++ * Flush TM state out so we can copy it. __switch_to_tm() does this
377 ++ * flush but it removes the checkpointed state from the current CPU and
378 ++ * transitions the CPU out of TM mode. Hence we need to call
379 ++ * tm_recheckpoint_new_task() (on the same task) to restore the
380 ++ * checkpointed state back and the TM mode.
381 ++ */
382 ++ __switch_to_tm(src);
383 ++ tm_recheckpoint_new_task(src);
384 ++
385 + *dst = *src;
386 + return 0;
387 + }
388 +diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
389 +index 2a245b55bb71..fd104db9cea1 100644
390 +--- a/arch/s390/crypto/aes_s390.c
391 ++++ b/arch/s390/crypto/aes_s390.c
392 +@@ -818,6 +818,9 @@ static int ctr_aes_crypt(struct blkcipher_desc *desc, long func,
393 + else
394 + memcpy(walk->iv, ctrptr, AES_BLOCK_SIZE);
395 + spin_unlock(&ctrblk_lock);
396 ++ } else {
397 ++ if (!nbytes)
398 ++ memcpy(walk->iv, ctrptr, AES_BLOCK_SIZE);
399 + }
400 + /*
401 + * final block may be < AES_BLOCK_SIZE, copy only nbytes
402 +diff --git a/arch/s390/crypto/des_s390.c b/arch/s390/crypto/des_s390.c
403 +index 2d96e68febb2..f2d6cccddcf8 100644
404 +--- a/arch/s390/crypto/des_s390.c
405 ++++ b/arch/s390/crypto/des_s390.c
406 +@@ -429,6 +429,9 @@ static int ctr_desall_crypt(struct blkcipher_desc *desc, long func,
407 + else
408 + memcpy(walk->iv, ctrptr, DES_BLOCK_SIZE);
409 + spin_unlock(&ctrblk_lock);
410 ++ } else {
411 ++ if (!nbytes)
412 ++ memcpy(walk->iv, ctrptr, DES_BLOCK_SIZE);
413 + }
414 + /* final block may be < DES_BLOCK_SIZE, copy only nbytes */
415 + if (nbytes) {
416 +diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h
417 +index a8091216963b..68c05398bba9 100644
418 +--- a/arch/x86/include/asm/hugetlb.h
419 ++++ b/arch/x86/include/asm/hugetlb.h
420 +@@ -52,6 +52,7 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm,
421 + static inline void huge_ptep_clear_flush(struct vm_area_struct *vma,
422 + unsigned long addr, pte_t *ptep)
423 + {
424 ++ ptep_clear_flush(vma, addr, ptep);
425 + }
426 +
427 + static inline int huge_pte_none(pte_t pte)
428 +diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
429 +index af1d14a9ebda..dcbbaa165bde 100644
430 +--- a/arch/x86/kernel/ldt.c
431 ++++ b/arch/x86/kernel/ldt.c
432 +@@ -20,6 +20,8 @@
433 + #include <asm/mmu_context.h>
434 + #include <asm/syscalls.h>
435 +
436 ++int sysctl_ldt16 = 0;
437 ++
438 + #ifdef CONFIG_SMP
439 + static void flush_ldt(void *current_mm)
440 + {
441 +@@ -234,7 +236,7 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
442 + * IRET leaking the high bits of the kernel stack address.
443 + */
444 + #ifdef CONFIG_X86_64
445 +- if (!ldt_info.seg_32bit) {
446 ++ if (!ldt_info.seg_32bit && !sysctl_ldt16) {
447 + error = -EINVAL;
448 + goto out_unlock;
449 + }
450 +diff --git a/arch/x86/vdso/vdso32-setup.c b/arch/x86/vdso/vdso32-setup.c
451 +index 0faad646f5fd..0f134c7cfc24 100644
452 +--- a/arch/x86/vdso/vdso32-setup.c
453 ++++ b/arch/x86/vdso/vdso32-setup.c
454 +@@ -41,6 +41,7 @@ enum {
455 + #ifdef CONFIG_X86_64
456 + #define vdso_enabled sysctl_vsyscall32
457 + #define arch_setup_additional_pages syscall32_setup_pages
458 ++extern int sysctl_ldt16;
459 + #endif
460 +
461 + /*
462 +@@ -380,6 +381,13 @@ static ctl_table abi_table2[] = {
463 + .mode = 0644,
464 + .proc_handler = proc_dointvec
465 + },
466 ++ {
467 ++ .procname = "ldt16",
468 ++ .data = &sysctl_ldt16,
469 ++ .maxlen = sizeof(int),
470 ++ .mode = 0644,
471 ++ .proc_handler = proc_dointvec
472 ++ },
473 + {}
474 + };
475 +
476 +diff --git a/crypto/crypto_wq.c b/crypto/crypto_wq.c
477 +index adad92a44ba2..2f1b8d12952a 100644
478 +--- a/crypto/crypto_wq.c
479 ++++ b/crypto/crypto_wq.c
480 +@@ -33,7 +33,7 @@ static void __exit crypto_wq_exit(void)
481 + destroy_workqueue(kcrypto_wq);
482 + }
483 +
484 +-module_init(crypto_wq_init);
485 ++subsys_initcall(crypto_wq_init);
486 + module_exit(crypto_wq_exit);
487 +
488 + MODULE_LICENSE("GPL");
489 +diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
490 +index cb9629638def..76da257cfc28 100644
491 +--- a/drivers/acpi/blacklist.c
492 ++++ b/drivers/acpi/blacklist.c
493 +@@ -327,6 +327,19 @@ static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
494 + DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T500"),
495 + },
496 + },
497 ++ /*
498 ++ * Without this this EEEpc exports a non working WMI interface, with
499 ++ * this it exports a working "good old" eeepc_laptop interface, fixing
500 ++ * both brightness control, and rfkill not working.
501 ++ */
502 ++ {
503 ++ .callback = dmi_enable_osi_linux,
504 ++ .ident = "Asus EEE PC 1015PX",
505 ++ .matches = {
506 ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer INC."),
507 ++ DMI_MATCH(DMI_PRODUCT_NAME, "1015PX"),
508 ++ },
509 ++ },
510 + {}
511 + };
512 +
513 +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
514 +index 9cf616b5210b..bf00fbcde8ad 100644
515 +--- a/drivers/ata/libata-core.c
516 ++++ b/drivers/ata/libata-core.c
517 +@@ -6300,6 +6300,8 @@ int ata_host_activate(struct ata_host *host, int irq,
518 + static void ata_port_detach(struct ata_port *ap)
519 + {
520 + unsigned long flags;
521 ++ struct ata_link *link;
522 ++ struct ata_device *dev;
523 +
524 + if (!ap->ops->error_handler)
525 + goto skip_eh;
526 +@@ -6319,6 +6321,13 @@ static void ata_port_detach(struct ata_port *ap)
527 + cancel_delayed_work_sync(&ap->hotplug_task);
528 +
529 + skip_eh:
530 ++ /* clean up zpodd on port removal */
531 ++ ata_for_each_link(link, ap, HOST_FIRST) {
532 ++ ata_for_each_dev(dev, link, ALL) {
533 ++ if (zpodd_dev_enabled(dev))
534 ++ zpodd_exit(dev);
535 ++ }
536 ++ }
537 + if (ap->pmp_link) {
538 + int i;
539 + for (i = 0; i < SATA_PMP_MAX_PORTS; i++)
540 +diff --git a/drivers/ata/pata_at91.c b/drivers/ata/pata_at91.c
541 +index 033f3f4c20ad..fa288597f01b 100644
542 +--- a/drivers/ata/pata_at91.c
543 ++++ b/drivers/ata/pata_at91.c
544 +@@ -408,12 +408,13 @@ static int pata_at91_probe(struct platform_device *pdev)
545 +
546 + host->private_data = info;
547 +
548 +- return ata_host_activate(host, gpio_is_valid(irq) ? gpio_to_irq(irq) : 0,
549 +- gpio_is_valid(irq) ? ata_sff_interrupt : NULL,
550 +- irq_flags, &pata_at91_sht);
551 ++ ret = ata_host_activate(host, gpio_is_valid(irq) ? gpio_to_irq(irq) : 0,
552 ++ gpio_is_valid(irq) ? ata_sff_interrupt : NULL,
553 ++ irq_flags, &pata_at91_sht);
554 ++ if (ret)
555 ++ goto err_put;
556 +
557 +- if (!ret)
558 +- return 0;
559 ++ return 0;
560 +
561 + err_put:
562 + clk_put(info->mck);
563 +diff --git a/drivers/base/dd.c b/drivers/base/dd.c
564 +index 06051767393f..8a8d611f2021 100644
565 +--- a/drivers/base/dd.c
566 ++++ b/drivers/base/dd.c
567 +@@ -52,6 +52,7 @@ static DEFINE_MUTEX(deferred_probe_mutex);
568 + static LIST_HEAD(deferred_probe_pending_list);
569 + static LIST_HEAD(deferred_probe_active_list);
570 + static struct workqueue_struct *deferred_wq;
571 ++static atomic_t deferred_trigger_count = ATOMIC_INIT(0);
572 +
573 + /**
574 + * deferred_probe_work_func() - Retry probing devices in the active list.
575 +@@ -135,6 +136,17 @@ static bool driver_deferred_probe_enable = false;
576 + * This functions moves all devices from the pending list to the active
577 + * list and schedules the deferred probe workqueue to process them. It
578 + * should be called anytime a driver is successfully bound to a device.
579 ++ *
580 ++ * Note, there is a race condition in multi-threaded probe. In the case where
581 ++ * more than one device is probing at the same time, it is possible for one
582 ++ * probe to complete successfully while another is about to defer. If the second
583 ++ * depends on the first, then it will get put on the pending list after the
584 ++ * trigger event has already occured and will be stuck there.
585 ++ *
586 ++ * The atomic 'deferred_trigger_count' is used to determine if a successful
587 ++ * trigger has occurred in the midst of probing a driver. If the trigger count
588 ++ * changes in the midst of a probe, then deferred processing should be triggered
589 ++ * again.
590 + */
591 + static void driver_deferred_probe_trigger(void)
592 + {
593 +@@ -147,6 +159,7 @@ static void driver_deferred_probe_trigger(void)
594 + * into the active list so they can be retried by the workqueue
595 + */
596 + mutex_lock(&deferred_probe_mutex);
597 ++ atomic_inc(&deferred_trigger_count);
598 + list_splice_tail_init(&deferred_probe_pending_list,
599 + &deferred_probe_active_list);
600 + mutex_unlock(&deferred_probe_mutex);
601 +@@ -265,6 +278,7 @@ static DECLARE_WAIT_QUEUE_HEAD(probe_waitqueue);
602 + static int really_probe(struct device *dev, struct device_driver *drv)
603 + {
604 + int ret = 0;
605 ++ int local_trigger_count = atomic_read(&deferred_trigger_count);
606 +
607 + atomic_inc(&probe_count);
608 + pr_debug("bus: '%s': %s: probing driver %s with device %s\n",
609 +@@ -310,6 +324,9 @@ probe_failed:
610 + /* Driver requested deferred probing */
611 + dev_info(dev, "Driver %s requests probe deferral\n", drv->name);
612 + driver_deferred_probe_add(dev);
613 ++ /* Did a trigger occur while probing? Need to re-trigger if yes */
614 ++ if (local_trigger_count != atomic_read(&deferred_trigger_count))
615 ++ driver_deferred_probe_trigger();
616 + } else if (ret != -ENODEV && ret != -ENXIO) {
617 + /* driver matched but the probe failed */
618 + printk(KERN_WARNING
619 +diff --git a/drivers/base/topology.c b/drivers/base/topology.c
620 +index ae989c57cd5e..bcd19886fa1a 100644
621 +--- a/drivers/base/topology.c
622 ++++ b/drivers/base/topology.c
623 +@@ -40,8 +40,7 @@
624 + static ssize_t show_##name(struct device *dev, \
625 + struct device_attribute *attr, char *buf) \
626 + { \
627 +- unsigned int cpu = dev->id; \
628 +- return sprintf(buf, "%d\n", topology_##name(cpu)); \
629 ++ return sprintf(buf, "%d\n", topology_##name(dev->id)); \
630 + }
631 +
632 + #if defined(topology_thread_cpumask) || defined(topology_core_cpumask) || \
633 +diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
634 +index 1735b0d17e29..ddd9a098bc67 100644
635 +--- a/drivers/block/xen-blkfront.c
636 ++++ b/drivers/block/xen-blkfront.c
637 +@@ -104,7 +104,7 @@ struct blkfront_info
638 + struct work_struct work;
639 + struct gnttab_free_callback callback;
640 + struct blk_shadow shadow[BLK_RING_SIZE];
641 +- struct list_head persistent_gnts;
642 ++ struct list_head grants;
643 + unsigned int persistent_gnts_c;
644 + unsigned long shadow_free;
645 + unsigned int feature_flush;
646 +@@ -175,15 +175,17 @@ static int fill_grant_buffer(struct blkfront_info *info, int num)
647 + if (!gnt_list_entry)
648 + goto out_of_memory;
649 +
650 +- granted_page = alloc_page(GFP_NOIO);
651 +- if (!granted_page) {
652 +- kfree(gnt_list_entry);
653 +- goto out_of_memory;
654 ++ if (info->feature_persistent) {
655 ++ granted_page = alloc_page(GFP_NOIO);
656 ++ if (!granted_page) {
657 ++ kfree(gnt_list_entry);
658 ++ goto out_of_memory;
659 ++ }
660 ++ gnt_list_entry->pfn = page_to_pfn(granted_page);
661 + }
662 +
663 +- gnt_list_entry->pfn = page_to_pfn(granted_page);
664 + gnt_list_entry->gref = GRANT_INVALID_REF;
665 +- list_add(&gnt_list_entry->node, &info->persistent_gnts);
666 ++ list_add(&gnt_list_entry->node, &info->grants);
667 + i++;
668 + }
669 +
670 +@@ -191,9 +193,10 @@ static int fill_grant_buffer(struct blkfront_info *info, int num)
671 +
672 + out_of_memory:
673 + list_for_each_entry_safe(gnt_list_entry, n,
674 +- &info->persistent_gnts, node) {
675 ++ &info->grants, node) {
676 + list_del(&gnt_list_entry->node);
677 +- __free_page(pfn_to_page(gnt_list_entry->pfn));
678 ++ if (info->feature_persistent)
679 ++ __free_page(pfn_to_page(gnt_list_entry->pfn));
680 + kfree(gnt_list_entry);
681 + i--;
682 + }
683 +@@ -202,14 +205,14 @@ out_of_memory:
684 + }
685 +
686 + static struct grant *get_grant(grant_ref_t *gref_head,
687 ++ unsigned long pfn,
688 + struct blkfront_info *info)
689 + {
690 + struct grant *gnt_list_entry;
691 + unsigned long buffer_mfn;
692 +
693 +- BUG_ON(list_empty(&info->persistent_gnts));
694 +- gnt_list_entry = list_first_entry(&info->persistent_gnts, struct grant,
695 +- node);
696 ++ BUG_ON(list_empty(&info->grants));
697 ++ gnt_list_entry = list_first_entry(&info->grants, struct grant, node);
698 + list_del(&gnt_list_entry->node);
699 +
700 + if (gnt_list_entry->gref != GRANT_INVALID_REF) {
701 +@@ -220,6 +223,10 @@ static struct grant *get_grant(grant_ref_t *gref_head,
702 + /* Assign a gref to this page */
703 + gnt_list_entry->gref = gnttab_claim_grant_reference(gref_head);
704 + BUG_ON(gnt_list_entry->gref == -ENOSPC);
705 ++ if (!info->feature_persistent) {
706 ++ BUG_ON(!pfn);
707 ++ gnt_list_entry->pfn = pfn;
708 ++ }
709 + buffer_mfn = pfn_to_mfn(gnt_list_entry->pfn);
710 + gnttab_grant_foreign_access_ref(gnt_list_entry->gref,
711 + info->xbdev->otherend_id,
712 +@@ -430,12 +437,12 @@ static int blkif_queue_request(struct request *req)
713 + fsect = sg->offset >> 9;
714 + lsect = fsect + (sg->length >> 9) - 1;
715 +
716 +- gnt_list_entry = get_grant(&gref_head, info);
717 ++ gnt_list_entry = get_grant(&gref_head, page_to_pfn(sg_page(sg)), info);
718 + ref = gnt_list_entry->gref;
719 +
720 + info->shadow[id].grants_used[i] = gnt_list_entry;
721 +
722 +- if (rq_data_dir(req)) {
723 ++ if (rq_data_dir(req) && info->feature_persistent) {
724 + char *bvec_data;
725 + void *shared_data;
726 +
727 +@@ -828,16 +835,17 @@ static void blkif_free(struct blkfront_info *info, int suspend)
728 + blk_stop_queue(info->rq);
729 +
730 + /* Remove all persistent grants */
731 +- if (!list_empty(&info->persistent_gnts)) {
732 ++ if (!list_empty(&info->grants)) {
733 + list_for_each_entry_safe(persistent_gnt, n,
734 +- &info->persistent_gnts, node) {
735 ++ &info->grants, node) {
736 + list_del(&persistent_gnt->node);
737 + if (persistent_gnt->gref != GRANT_INVALID_REF) {
738 + gnttab_end_foreign_access(persistent_gnt->gref,
739 + 0, 0UL);
740 + info->persistent_gnts_c--;
741 + }
742 +- __free_page(pfn_to_page(persistent_gnt->pfn));
743 ++ if (info->feature_persistent)
744 ++ __free_page(pfn_to_page(persistent_gnt->pfn));
745 + kfree(persistent_gnt);
746 + }
747 + }
748 +@@ -874,7 +882,7 @@ static void blkif_completion(struct blk_shadow *s, struct blkfront_info *info,
749 +
750 + nseg = s->req.u.rw.nr_segments;
751 +
752 +- if (bret->operation == BLKIF_OP_READ) {
753 ++ if (bret->operation == BLKIF_OP_READ && info->feature_persistent) {
754 + /*
755 + * Copy the data received from the backend into the bvec.
756 + * Since bv_offset can be different than 0, and bv_len different
757 +@@ -894,9 +902,30 @@ static void blkif_completion(struct blk_shadow *s, struct blkfront_info *info,
758 + }
759 + }
760 + /* Add the persistent grant into the list of free grants */
761 +- for (i = 0; i < s->req.u.rw.nr_segments; i++) {
762 +- list_add(&s->grants_used[i]->node, &info->persistent_gnts);
763 +- info->persistent_gnts_c++;
764 ++ for (i = 0; i < nseg; i++) {
765 ++ if (gnttab_query_foreign_access(s->grants_used[i]->gref)) {
766 ++ /*
767 ++ * If the grant is still mapped by the backend (the
768 ++ * backend has chosen to make this grant persistent)
769 ++ * we add it at the head of the list, so it will be
770 ++ * reused first.
771 ++ */
772 ++ if (!info->feature_persistent)
773 ++ pr_alert_ratelimited("backed has not unmapped grant: %u\n",
774 ++ s->grants_used[i]->gref);
775 ++ list_add(&s->grants_used[i]->node, &info->grants);
776 ++ info->persistent_gnts_c++;
777 ++ } else {
778 ++ /*
779 ++ * If the grant is not mapped by the backend we end the
780 ++ * foreign access and add it to the tail of the list,
781 ++ * so it will not be picked again unless we run out of
782 ++ * persistent grants.
783 ++ */
784 ++ gnttab_end_foreign_access(s->grants_used[i]->gref, 0, 0UL);
785 ++ s->grants_used[i]->gref = GRANT_INVALID_REF;
786 ++ list_add_tail(&s->grants_used[i]->node, &info->grants);
787 ++ }
788 + }
789 + }
790 +
791 +@@ -1034,12 +1063,6 @@ static int setup_blkring(struct xenbus_device *dev,
792 + for (i = 0; i < BLK_RING_SIZE; i++)
793 + sg_init_table(info->shadow[i].sg, BLKIF_MAX_SEGMENTS_PER_REQUEST);
794 +
795 +- /* Allocate memory for grants */
796 +- err = fill_grant_buffer(info, BLK_RING_SIZE *
797 +- BLKIF_MAX_SEGMENTS_PER_REQUEST);
798 +- if (err)
799 +- goto fail;
800 +-
801 + err = xenbus_grant_ring(dev, virt_to_mfn(info->ring.sring));
802 + if (err < 0) {
803 + free_page((unsigned long)sring);
804 +@@ -1198,7 +1221,7 @@ static int blkfront_probe(struct xenbus_device *dev,
805 + spin_lock_init(&info->io_lock);
806 + info->xbdev = dev;
807 + info->vdevice = vdevice;
808 +- INIT_LIST_HEAD(&info->persistent_gnts);
809 ++ INIT_LIST_HEAD(&info->grants);
810 + info->persistent_gnts_c = 0;
811 + info->connected = BLKIF_STATE_DISCONNECTED;
812 + INIT_WORK(&info->work, blkif_restart_queue);
813 +@@ -1227,7 +1250,8 @@ static int blkif_recover(struct blkfront_info *info)
814 + int i;
815 + struct blkif_request *req;
816 + struct blk_shadow *copy;
817 +- int j;
818 ++ unsigned int persistent;
819 ++ int j, rc;
820 +
821 + /* Stage 1: Make a safe copy of the shadow state. */
822 + copy = kmemdup(info->shadow, sizeof(info->shadow),
823 +@@ -1242,6 +1266,24 @@ static int blkif_recover(struct blkfront_info *info)
824 + info->shadow_free = info->ring.req_prod_pvt;
825 + info->shadow[BLK_RING_SIZE-1].req.u.rw.id = 0x0fffffff;
826 +
827 ++ /* Check if the backend supports persistent grants */
828 ++ rc = xenbus_gather(XBT_NIL, info->xbdev->otherend,
829 ++ "feature-persistent", "%u", &persistent,
830 ++ NULL);
831 ++ if (rc)
832 ++ info->feature_persistent = 0;
833 ++ else
834 ++ info->feature_persistent = persistent;
835 ++
836 ++ /* Allocate memory for grants */
837 ++ rc = fill_grant_buffer(info, BLK_RING_SIZE *
838 ++ BLKIF_MAX_SEGMENTS_PER_REQUEST);
839 ++ if (rc) {
840 ++ xenbus_dev_fatal(info->xbdev, rc, "setting grant buffer failed");
841 ++ kfree(copy);
842 ++ return rc;
843 ++ }
844 ++
845 + /* Stage 3: Find pending requests and requeue them. */
846 + for (i = 0; i < BLK_RING_SIZE; i++) {
847 + /* Not in use? */
848 +@@ -1306,8 +1348,12 @@ static int blkfront_resume(struct xenbus_device *dev)
849 + blkif_free(info, info->connected == BLKIF_STATE_CONNECTED);
850 +
851 + err = talk_to_blkback(dev, info);
852 +- if (info->connected == BLKIF_STATE_SUSPENDED && !err)
853 +- err = blkif_recover(info);
854 ++
855 ++ /*
856 ++ * We have to wait for the backend to switch to
857 ++ * connected state, since we want to read which
858 ++ * features it supports.
859 ++ */
860 +
861 + return err;
862 + }
863 +@@ -1411,9 +1457,16 @@ static void blkfront_connect(struct blkfront_info *info)
864 + sectors);
865 + set_capacity(info->gd, sectors);
866 + revalidate_disk(info->gd);
867 ++ return;
868 +
869 +- /* fall through */
870 + case BLKIF_STATE_SUSPENDED:
871 ++ /*
872 ++ * If we are recovering from suspension, we need to wait
873 ++ * for the backend to announce it's features before
874 ++ * reconnecting, we need to know if the backend supports
875 ++ * persistent grants.
876 ++ */
877 ++ blkif_recover(info);
878 + return;
879 +
880 + default:
881 +@@ -1481,6 +1534,14 @@ static void blkfront_connect(struct blkfront_info *info)
882 + else
883 + info->feature_persistent = persistent;
884 +
885 ++ /* Allocate memory for grants */
886 ++ err = fill_grant_buffer(info, BLK_RING_SIZE *
887 ++ BLKIF_MAX_SEGMENTS_PER_REQUEST);
888 ++ if (err) {
889 ++ xenbus_dev_fatal(info->xbdev, err, "setting grant buffer failed");
890 ++ return;
891 ++ }
892 ++
893 + err = xlvbd_alloc_gendisk(sectors, info, binfo, sector_size);
894 + if (err) {
895 + xenbus_dev_fatal(info->xbdev, err, "xlvbd_add at %s",
896 +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
897 +index 0a327f4154a2..2acabdaecec8 100644
898 +--- a/drivers/bluetooth/ath3k.c
899 ++++ b/drivers/bluetooth/ath3k.c
900 +@@ -82,6 +82,7 @@ static struct usb_device_id ath3k_table[] = {
901 + { USB_DEVICE(0x04CA, 0x3004) },
902 + { USB_DEVICE(0x04CA, 0x3005) },
903 + { USB_DEVICE(0x04CA, 0x3006) },
904 ++ { USB_DEVICE(0x04CA, 0x3007) },
905 + { USB_DEVICE(0x04CA, 0x3008) },
906 + { USB_DEVICE(0x13d3, 0x3362) },
907 + { USB_DEVICE(0x0CF3, 0xE004) },
908 +@@ -124,6 +125,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
909 + { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
910 + { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
911 + { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
912 ++ { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
913 + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
914 + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
915 + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
916 +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
917 +index 58491f1b2799..45aa8e760124 100644
918 +--- a/drivers/bluetooth/btusb.c
919 ++++ b/drivers/bluetooth/btusb.c
920 +@@ -146,6 +146,7 @@ static struct usb_device_id blacklist_table[] = {
921 + { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
922 + { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
923 + { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
924 ++ { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
925 + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
926 + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
927 + { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
928 +diff --git a/drivers/bus/mvebu-mbus.c b/drivers/bus/mvebu-mbus.c
929 +index 8740f46b4d0d..5dcc8305abd1 100644
930 +--- a/drivers/bus/mvebu-mbus.c
931 ++++ b/drivers/bus/mvebu-mbus.c
932 +@@ -250,12 +250,6 @@ static int mvebu_mbus_window_conflicts(struct mvebu_mbus_state *mbus,
933 + */
934 + if ((u64)base < wend && end > wbase)
935 + return 0;
936 +-
937 +- /*
938 +- * Check if target/attribute conflicts
939 +- */
940 +- if (target == wtarget && attr == wattr)
941 +- return 0;
942 + }
943 +
944 + return 1;
945 +diff --git a/drivers/char/ipmi/ipmi_kcs_sm.c b/drivers/char/ipmi/ipmi_kcs_sm.c
946 +index e53fc24c6af3..e1ddcf938519 100644
947 +--- a/drivers/char/ipmi/ipmi_kcs_sm.c
948 ++++ b/drivers/char/ipmi/ipmi_kcs_sm.c
949 +@@ -251,8 +251,9 @@ static inline int check_obf(struct si_sm_data *kcs, unsigned char status,
950 + if (!GET_STATUS_OBF(status)) {
951 + kcs->obf_timeout -= time;
952 + if (kcs->obf_timeout < 0) {
953 +- start_error_recovery(kcs, "OBF not ready in time");
954 +- return 1;
955 ++ kcs->obf_timeout = OBF_RETRY_TIMEOUT;
956 ++ start_error_recovery(kcs, "OBF not ready in time");
957 ++ return 1;
958 + }
959 + return 0;
960 + }
961 +diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
962 +index af4b23ffc5a6..40b3f756f904 100644
963 +--- a/drivers/char/ipmi/ipmi_si_intf.c
964 ++++ b/drivers/char/ipmi/ipmi_si_intf.c
965 +@@ -244,6 +244,9 @@ struct smi_info {
966 + /* The timer for this si. */
967 + struct timer_list si_timer;
968 +
969 ++ /* This flag is set, if the timer is running (timer_pending() isn't enough) */
970 ++ bool timer_running;
971 ++
972 + /* The time (in jiffies) the last timeout occurred at. */
973 + unsigned long last_timeout_jiffies;
974 +
975 +@@ -427,6 +430,13 @@ static void start_clear_flags(struct smi_info *smi_info)
976 + smi_info->si_state = SI_CLEARING_FLAGS;
977 + }
978 +
979 ++static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val)
980 ++{
981 ++ smi_info->last_timeout_jiffies = jiffies;
982 ++ mod_timer(&smi_info->si_timer, new_val);
983 ++ smi_info->timer_running = true;
984 ++}
985 ++
986 + /*
987 + * When we have a situtaion where we run out of memory and cannot
988 + * allocate messages, we just leave them in the BMC and run the system
989 +@@ -439,8 +449,7 @@ static inline void disable_si_irq(struct smi_info *smi_info)
990 + start_disable_irq(smi_info);
991 + smi_info->interrupt_disabled = 1;
992 + if (!atomic_read(&smi_info->stop_operation))
993 +- mod_timer(&smi_info->si_timer,
994 +- jiffies + SI_TIMEOUT_JIFFIES);
995 ++ smi_mod_timer(smi_info, jiffies + SI_TIMEOUT_JIFFIES);
996 + }
997 + }
998 +
999 +@@ -900,15 +909,7 @@ static void sender(void *send_info,
1000 + list_add_tail(&msg->link, &smi_info->xmit_msgs);
1001 +
1002 + if (smi_info->si_state == SI_NORMAL && smi_info->curr_msg == NULL) {
1003 +- /*
1004 +- * last_timeout_jiffies is updated here to avoid
1005 +- * smi_timeout() handler passing very large time_diff
1006 +- * value to smi_event_handler() that causes
1007 +- * the send command to abort.
1008 +- */
1009 +- smi_info->last_timeout_jiffies = jiffies;
1010 +-
1011 +- mod_timer(&smi_info->si_timer, jiffies + SI_TIMEOUT_JIFFIES);
1012 ++ smi_mod_timer(smi_info, jiffies + SI_TIMEOUT_JIFFIES);
1013 +
1014 + if (smi_info->thread)
1015 + wake_up_process(smi_info->thread);
1016 +@@ -997,6 +998,17 @@ static int ipmi_thread(void *data)
1017 +
1018 + spin_lock_irqsave(&(smi_info->si_lock), flags);
1019 + smi_result = smi_event_handler(smi_info, 0);
1020 ++
1021 ++ /*
1022 ++ * If the driver is doing something, there is a possible
1023 ++ * race with the timer. If the timer handler see idle,
1024 ++ * and the thread here sees something else, the timer
1025 ++ * handler won't restart the timer even though it is
1026 ++ * required. So start it here if necessary.
1027 ++ */
1028 ++ if (smi_result != SI_SM_IDLE && !smi_info->timer_running)
1029 ++ smi_mod_timer(smi_info, jiffies + SI_TIMEOUT_JIFFIES);
1030 ++
1031 + spin_unlock_irqrestore(&(smi_info->si_lock), flags);
1032 + busy_wait = ipmi_thread_busy_wait(smi_result, smi_info,
1033 + &busy_until);
1034 +@@ -1066,10 +1078,6 @@ static void smi_timeout(unsigned long data)
1035 + * SI_USEC_PER_JIFFY);
1036 + smi_result = smi_event_handler(smi_info, time_diff);
1037 +
1038 +- spin_unlock_irqrestore(&(smi_info->si_lock), flags);
1039 +-
1040 +- smi_info->last_timeout_jiffies = jiffies_now;
1041 +-
1042 + if ((smi_info->irq) && (!smi_info->interrupt_disabled)) {
1043 + /* Running with interrupts, only do long timeouts. */
1044 + timeout = jiffies + SI_TIMEOUT_JIFFIES;
1045 +@@ -1091,7 +1099,10 @@ static void smi_timeout(unsigned long data)
1046 +
1047 + do_mod_timer:
1048 + if (smi_result != SI_SM_IDLE)
1049 +- mod_timer(&(smi_info->si_timer), timeout);
1050 ++ smi_mod_timer(smi_info, timeout);
1051 ++ else
1052 ++ smi_info->timer_running = false;
1053 ++ spin_unlock_irqrestore(&(smi_info->si_lock), flags);
1054 + }
1055 +
1056 + static irqreturn_t si_irq_handler(int irq, void *data)
1057 +@@ -1139,8 +1150,7 @@ static int smi_start_processing(void *send_info,
1058 +
1059 + /* Set up the timer that drives the interface. */
1060 + setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi);
1061 +- new_smi->last_timeout_jiffies = jiffies;
1062 +- mod_timer(&new_smi->si_timer, jiffies + SI_TIMEOUT_JIFFIES);
1063 ++ smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES);
1064 +
1065 + /*
1066 + * Check if the user forcefully enabled the daemon.
1067 +diff --git a/drivers/clk/versatile/clk-vexpress-osc.c b/drivers/clk/versatile/clk-vexpress-osc.c
1068 +index 256c8be74df8..8b8798bb93f3 100644
1069 +--- a/drivers/clk/versatile/clk-vexpress-osc.c
1070 ++++ b/drivers/clk/versatile/clk-vexpress-osc.c
1071 +@@ -102,7 +102,7 @@ void __init vexpress_osc_of_setup(struct device_node *node)
1072 +
1073 + osc = kzalloc(sizeof(*osc), GFP_KERNEL);
1074 + if (!osc)
1075 +- goto error;
1076 ++ return;
1077 +
1078 + osc->func = vexpress_config_func_get_by_node(node);
1079 + if (!osc->func) {
1080 +diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
1081 +index 662fcc065821..b7960185919d 100644
1082 +--- a/drivers/clocksource/exynos_mct.c
1083 ++++ b/drivers/clocksource/exynos_mct.c
1084 +@@ -429,8 +429,6 @@ static int __cpuinit exynos4_local_timer_setup(struct clock_event_device *evt)
1085 + evt->set_mode = exynos4_tick_set_mode;
1086 + evt->features = CLOCK_EVT_FEAT_PERIODIC | CLOCK_EVT_FEAT_ONESHOT;
1087 + evt->rating = 450;
1088 +- clockevents_config_and_register(evt, clk_rate / (TICK_BASE_CNT + 1),
1089 +- 0xf, 0x7fffffff);
1090 +
1091 + exynos4_mct_write(TICK_BASE_CNT, mevt->base + MCT_L_TCNTB_OFFSET);
1092 +
1093 +@@ -448,6 +446,8 @@ static int __cpuinit exynos4_local_timer_setup(struct clock_event_device *evt)
1094 + } else {
1095 + enable_percpu_irq(mct_irqs[MCT_L0_IRQ], 0);
1096 + }
1097 ++ clockevents_config_and_register(evt, clk_rate / (TICK_BASE_CNT + 1),
1098 ++ 0xf, 0x7fffffff);
1099 +
1100 + return 0;
1101 + }
1102 +diff --git a/drivers/crypto/caam/error.c b/drivers/crypto/caam/error.c
1103 +index 9f25f5296029..0eabd81e1a90 100644
1104 +--- a/drivers/crypto/caam/error.c
1105 ++++ b/drivers/crypto/caam/error.c
1106 +@@ -16,9 +16,13 @@
1107 + char *tmp; \
1108 + \
1109 + tmp = kmalloc(sizeof(format) + max_alloc, GFP_ATOMIC); \
1110 +- sprintf(tmp, format, param); \
1111 +- strcat(str, tmp); \
1112 +- kfree(tmp); \
1113 ++ if (likely(tmp)) { \
1114 ++ sprintf(tmp, format, param); \
1115 ++ strcat(str, tmp); \
1116 ++ kfree(tmp); \
1117 ++ } else { \
1118 ++ strcat(str, "kmalloc failure in SPRINTFCAT"); \
1119 ++ } \
1120 + }
1121 +
1122 + static void report_jump_idx(u32 status, char *outstr)
1123 +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
1124 +index 54ae96f7bec6..8814b0dbfc4f 100644
1125 +--- a/drivers/gpu/drm/i915/intel_display.c
1126 ++++ b/drivers/gpu/drm/i915/intel_display.c
1127 +@@ -9123,15 +9123,6 @@ void intel_modeset_init(struct drm_device *dev)
1128 + intel_disable_fbc(dev);
1129 + }
1130 +
1131 +-static void
1132 +-intel_connector_break_all_links(struct intel_connector *connector)
1133 +-{
1134 +- connector->base.dpms = DRM_MODE_DPMS_OFF;
1135 +- connector->base.encoder = NULL;
1136 +- connector->encoder->connectors_active = false;
1137 +- connector->encoder->base.crtc = NULL;
1138 +-}
1139 +-
1140 + static void intel_enable_pipe_a(struct drm_device *dev)
1141 + {
1142 + struct intel_connector *connector;
1143 +@@ -9213,8 +9204,17 @@ static void intel_sanitize_crtc(struct intel_crtc *crtc)
1144 + if (connector->encoder->base.crtc != &crtc->base)
1145 + continue;
1146 +
1147 +- intel_connector_break_all_links(connector);
1148 ++ connector->base.dpms = DRM_MODE_DPMS_OFF;
1149 ++ connector->base.encoder = NULL;
1150 + }
1151 ++ /* multiple connectors may have the same encoder:
1152 ++ * handle them and break crtc link separately */
1153 ++ list_for_each_entry(connector, &dev->mode_config.connector_list,
1154 ++ base.head)
1155 ++ if (connector->encoder->base.crtc == &crtc->base) {
1156 ++ connector->encoder->base.crtc = NULL;
1157 ++ connector->encoder->connectors_active = false;
1158 ++ }
1159 +
1160 + WARN_ON(crtc->active);
1161 + crtc->base.enabled = false;
1162 +@@ -9285,6 +9285,8 @@ static void intel_sanitize_encoder(struct intel_encoder *encoder)
1163 + drm_get_encoder_name(&encoder->base));
1164 + encoder->disable(encoder);
1165 + }
1166 ++ encoder->base.crtc = NULL;
1167 ++ encoder->connectors_active = false;
1168 +
1169 + /* Inconsistent output/port/pipe state happens presumably due to
1170 + * a bug in one of the get_hw_state functions. Or someplace else
1171 +@@ -9295,8 +9297,8 @@ static void intel_sanitize_encoder(struct intel_encoder *encoder)
1172 + base.head) {
1173 + if (connector->encoder != encoder)
1174 + continue;
1175 +-
1176 +- intel_connector_break_all_links(connector);
1177 ++ connector->base.dpms = DRM_MODE_DPMS_OFF;
1178 ++ connector->base.encoder = NULL;
1179 + }
1180 + }
1181 + /* Enabled encoders without active connectors will be fixed in
1182 +diff --git a/drivers/gpu/drm/nouveau/core/subdev/therm/fan.c b/drivers/gpu/drm/nouveau/core/subdev/therm/fan.c
1183 +index c728380d3d62..ea19acd20784 100644
1184 +--- a/drivers/gpu/drm/nouveau/core/subdev/therm/fan.c
1185 ++++ b/drivers/gpu/drm/nouveau/core/subdev/therm/fan.c
1186 +@@ -54,8 +54,10 @@ nouveau_fan_update(struct nouveau_fan *fan, bool immediate, int target)
1187 +
1188 + /* check that we're not already at the target duty cycle */
1189 + duty = fan->get(therm);
1190 +- if (duty == target)
1191 +- goto done;
1192 ++ if (duty == target) {
1193 ++ spin_unlock_irqrestore(&fan->lock, flags);
1194 ++ return 0;
1195 ++ }
1196 +
1197 + /* smooth out the fanspeed increase/decrease */
1198 + if (!immediate && duty >= 0) {
1199 +@@ -73,8 +75,15 @@ nouveau_fan_update(struct nouveau_fan *fan, bool immediate, int target)
1200 +
1201 + nv_debug(therm, "FAN update: %d\n", duty);
1202 + ret = fan->set(therm, duty);
1203 +- if (ret)
1204 +- goto done;
1205 ++ if (ret) {
1206 ++ spin_unlock_irqrestore(&fan->lock, flags);
1207 ++ return ret;
1208 ++ }
1209 ++
1210 ++ /* fan speed updated, drop the fan lock before grabbing the
1211 ++ * alarm-scheduling lock and risking a deadlock
1212 ++ */
1213 ++ spin_unlock_irqrestore(&fan->lock, flags);
1214 +
1215 + /* schedule next fan update, if not at target speed already */
1216 + if (list_empty(&fan->alarm.head) && target != duty) {
1217 +@@ -92,8 +101,6 @@ nouveau_fan_update(struct nouveau_fan *fan, bool immediate, int target)
1218 + ptimer->alarm(ptimer, delay * 1000 * 1000, &fan->alarm);
1219 + }
1220 +
1221 +-done:
1222 +- spin_unlock_irqrestore(&fan->lock, flags);
1223 + return ret;
1224 + }
1225 +
1226 +diff --git a/drivers/gpu/drm/nouveau/nouveau_acpi.c b/drivers/gpu/drm/nouveau/nouveau_acpi.c
1227 +index d97f20069d3e..5cec3a0c6c85 100644
1228 +--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
1229 ++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
1230 +@@ -372,9 +372,6 @@ bool nouveau_acpi_rom_supported(struct pci_dev *pdev)
1231 + acpi_status status;
1232 + acpi_handle dhandle, rom_handle;
1233 +
1234 +- if (!nouveau_dsm_priv.dsm_detected && !nouveau_dsm_priv.optimus_detected)
1235 +- return false;
1236 +-
1237 + dhandle = DEVICE_ACPI_HANDLE(&pdev->dev);
1238 + if (!dhandle)
1239 + return false;
1240 +diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
1241 +index cbb06d7c89b5..8c44ef57864b 100644
1242 +--- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c
1243 ++++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
1244 +@@ -523,6 +523,13 @@ static bool radeon_atpx_detect(void)
1245 + has_atpx |= (radeon_atpx_pci_probe_handle(pdev) == true);
1246 + }
1247 +
1248 ++ /* some newer PX laptops mark the dGPU as a non-VGA display device */
1249 ++ while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_OTHER << 8, pdev)) != NULL) {
1250 ++ vga_count++;
1251 ++
1252 ++ has_atpx |= (radeon_atpx_pci_probe_handle(pdev) == true);
1253 ++ }
1254 ++
1255 + if (has_atpx && vga_count == 2) {
1256 + acpi_get_name(radeon_atpx_priv.atpx.handle, ACPI_FULL_PATHNAME, &buffer);
1257 + printk(KERN_INFO "VGA switcheroo: detected switching method %s handle\n",
1258 +diff --git a/drivers/gpu/drm/radeon/radeon_uvd.c b/drivers/gpu/drm/radeon/radeon_uvd.c
1259 +index 21d2d5280fc1..5715429279fb 100644
1260 +--- a/drivers/gpu/drm/radeon/radeon_uvd.c
1261 ++++ b/drivers/gpu/drm/radeon/radeon_uvd.c
1262 +@@ -449,6 +449,10 @@ static int radeon_uvd_cs_reloc(struct radeon_cs_parser *p,
1263 + cmd = radeon_get_ib_value(p, p->idx) >> 1;
1264 +
1265 + if (cmd < 0x4) {
1266 ++ if (end <= start) {
1267 ++ DRM_ERROR("invalid reloc offset %X!\n", offset);
1268 ++ return -EINVAL;
1269 ++ }
1270 + if ((end - start) < buf_sizes[cmd]) {
1271 + DRM_ERROR("buffer to small (%d / %d)!\n",
1272 + (unsigned)(end - start), buf_sizes[cmd]);
1273 +diff --git a/drivers/gpu/host1x/hw/intr_hw.c b/drivers/gpu/host1x/hw/intr_hw.c
1274 +index b592eef1efcb..b083509325e4 100644
1275 +--- a/drivers/gpu/host1x/hw/intr_hw.c
1276 ++++ b/drivers/gpu/host1x/hw/intr_hw.c
1277 +@@ -48,7 +48,7 @@ static irqreturn_t syncpt_thresh_isr(int irq, void *dev_id)
1278 + unsigned long reg;
1279 + int i, id;
1280 +
1281 +- for (i = 0; i <= BIT_WORD(host->info->nb_pts); i++) {
1282 ++ for (i = 0; i < DIV_ROUND_UP(host->info->nb_pts, 32); i++) {
1283 + reg = host1x_sync_readl(host,
1284 + HOST1X_SYNC_SYNCPT_THRESH_CPU0_INT_STATUS(i));
1285 + for_each_set_bit(id, &reg, BITS_PER_LONG) {
1286 +@@ -65,7 +65,7 @@ static void _host1x_intr_disable_all_syncpt_intrs(struct host1x *host)
1287 + {
1288 + u32 i;
1289 +
1290 +- for (i = 0; i <= BIT_WORD(host->info->nb_pts); ++i) {
1291 ++ for (i = 0; i < DIV_ROUND_UP(host->info->nb_pts, 32); ++i) {
1292 + host1x_sync_writel(host, 0xffffffffu,
1293 + HOST1X_SYNC_SYNCPT_THRESH_INT_DISABLE(i));
1294 + host1x_sync_writel(host, 0xffffffffu,
1295 +diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
1296 +index d4fac934b220..fd02cb79a99c 100644
1297 +--- a/drivers/hv/connection.c
1298 ++++ b/drivers/hv/connection.c
1299 +@@ -55,6 +55,9 @@ static __u32 vmbus_get_next_version(__u32 current_version)
1300 + case (VERSION_WIN8):
1301 + return VERSION_WIN7;
1302 +
1303 ++ case (VERSION_WIN8_1):
1304 ++ return VERSION_WIN8;
1305 ++
1306 + case (VERSION_WS2008):
1307 + default:
1308 + return VERSION_INVAL;
1309 +@@ -80,6 +83,9 @@ static int vmbus_negotiate_version(struct vmbus_channel_msginfo *msginfo,
1310 + (void *)((unsigned long)vmbus_connection.monitor_pages +
1311 + PAGE_SIZE));
1312 +
1313 ++ if (version == VERSION_WIN8_1)
1314 ++ msg->target_vcpu = hv_context.vp_index[smp_processor_id()];
1315 ++
1316 + /*
1317 + * Add to list before we send the request since we may
1318 + * receive the response before returning from this routine
1319 +diff --git a/drivers/hwmon/emc1403.c b/drivers/hwmon/emc1403.c
1320 +index 142e1cb8dea7..361f50b221bd 100644
1321 +--- a/drivers/hwmon/emc1403.c
1322 ++++ b/drivers/hwmon/emc1403.c
1323 +@@ -162,7 +162,7 @@ static ssize_t store_hyst(struct device *dev,
1324 + if (retval < 0)
1325 + goto fail;
1326 +
1327 +- hyst = val - retval * 1000;
1328 ++ hyst = retval * 1000 - val;
1329 + hyst = DIV_ROUND_CLOSEST(hyst, 1000);
1330 + if (hyst < 0 || hyst > 255) {
1331 + retval = -ERANGE;
1332 +@@ -295,7 +295,7 @@ static int emc1403_detect(struct i2c_client *client,
1333 + }
1334 +
1335 + id = i2c_smbus_read_byte_data(client, THERMAL_REVISION_REG);
1336 +- if (id != 0x01)
1337 ++ if (id < 0x01 || id > 0x04)
1338 + return -ENODEV;
1339 +
1340 + return 0;
1341 +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig
1342 +index 49423e913459..d4fe13ee543e 100644
1343 +--- a/drivers/i2c/busses/Kconfig
1344 ++++ b/drivers/i2c/busses/Kconfig
1345 +@@ -109,6 +109,8 @@ config I2C_I801
1346 + Avoton (SOC)
1347 + Wellsburg (PCH)
1348 + Coleto Creek (PCH)
1349 ++ Wildcat Point-LP (PCH)
1350 ++ BayTrail (SOC)
1351 +
1352 + This driver can also be built as a module. If so, the module
1353 + will be called i2c-i801.
1354 +diff --git a/drivers/i2c/busses/i2c-designware-core.c b/drivers/i2c/busses/i2c-designware-core.c
1355 +index c41ca6354fc5..f24a7385260a 100644
1356 +--- a/drivers/i2c/busses/i2c-designware-core.c
1357 ++++ b/drivers/i2c/busses/i2c-designware-core.c
1358 +@@ -380,6 +380,9 @@ static void i2c_dw_xfer_init(struct dw_i2c_dev *dev)
1359 + ic_con &= ~DW_IC_CON_10BITADDR_MASTER;
1360 + dw_writel(dev, ic_con, DW_IC_CON);
1361 +
1362 ++ /* enforce disabled interrupts (due to HW issues) */
1363 ++ i2c_dw_disable_int(dev);
1364 ++
1365 + /* Enable the adapter */
1366 + __i2c_dw_enable(dev, true);
1367 +
1368 +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
1369 +index 4ebceed6bc66..783fa75e13ae 100644
1370 +--- a/drivers/i2c/busses/i2c-i801.c
1371 ++++ b/drivers/i2c/busses/i2c-i801.c
1372 +@@ -59,6 +59,8 @@
1373 + Wellsburg (PCH) MS 0x8d7e 32 hard yes yes yes
1374 + Wellsburg (PCH) MS 0x8d7f 32 hard yes yes yes
1375 + Coleto Creek (PCH) 0x23b0 32 hard yes yes yes
1376 ++ Wildcat Point-LP (PCH) 0x9ca2 32 hard yes yes yes
1377 ++ BayTrail (SOC) 0x0f12 32 hard yes yes yes
1378 +
1379 + Features supported by this driver:
1380 + Software PEC no
1381 +@@ -161,6 +163,7 @@
1382 + STATUS_ERROR_FLAGS)
1383 +
1384 + /* Older devices have their ID defined in <linux/pci_ids.h> */
1385 ++#define PCI_DEVICE_ID_INTEL_BAYTRAIL_SMBUS 0x0f12
1386 + #define PCI_DEVICE_ID_INTEL_COUGARPOINT_SMBUS 0x1c22
1387 + #define PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS 0x1d22
1388 + /* Patsburg also has three 'Integrated Device Function' SMBus controllers */
1389 +@@ -178,6 +181,7 @@
1390 + #define PCI_DEVICE_ID_INTEL_WELLSBURG_SMBUS_MS1 0x8d7e
1391 + #define PCI_DEVICE_ID_INTEL_WELLSBURG_SMBUS_MS2 0x8d7f
1392 + #define PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_SMBUS 0x9c22
1393 ++#define PCI_DEVICE_ID_INTEL_WILDCATPOINT_LP_SMBUS 0x9ca2
1394 +
1395 + struct i801_mux_config {
1396 + char *gpio_chip;
1397 +@@ -820,6 +824,8 @@ static DEFINE_PCI_DEVICE_TABLE(i801_ids) = {
1398 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_WELLSBURG_SMBUS_MS1) },
1399 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_WELLSBURG_SMBUS_MS2) },
1400 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_COLETOCREEK_SMBUS) },
1401 ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_WILDCATPOINT_LP_SMBUS) },
1402 ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BAYTRAIL_SMBUS) },
1403 + { 0, }
1404 + };
1405 +
1406 +diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
1407 +index 4ba4a95b6b26..8a806f5c40cf 100644
1408 +--- a/drivers/i2c/busses/i2c-rcar.c
1409 ++++ b/drivers/i2c/busses/i2c-rcar.c
1410 +@@ -541,6 +541,12 @@ static int rcar_i2c_master_xfer(struct i2c_adapter *adap,
1411 +
1412 + ret = -EINVAL;
1413 + for (i = 0; i < num; i++) {
1414 ++ /* This HW can't send STOP after address phase */
1415 ++ if (msgs[i].len == 0) {
1416 ++ ret = -EOPNOTSUPP;
1417 ++ break;
1418 ++ }
1419 ++
1420 + /*-------------- spin lock -----------------*/
1421 + spin_lock_irqsave(&priv->lock, flags);
1422 +
1423 +@@ -605,7 +611,8 @@ static int rcar_i2c_master_xfer(struct i2c_adapter *adap,
1424 +
1425 + static u32 rcar_i2c_func(struct i2c_adapter *adap)
1426 + {
1427 +- return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
1428 ++ /* This HW can't do SMBUS_QUICK and NOSTART */
1429 ++ return I2C_FUNC_I2C | (I2C_FUNC_SMBUS_EMUL & ~I2C_FUNC_SMBUS_QUICK);
1430 + }
1431 +
1432 + static const struct i2c_algorithm rcar_i2c_algo = {
1433 +diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c
1434 +index cab1c91b75a3..a72aad9561b0 100644
1435 +--- a/drivers/i2c/busses/i2c-s3c2410.c
1436 ++++ b/drivers/i2c/busses/i2c-s3c2410.c
1437 +@@ -1204,10 +1204,10 @@ static int s3c24xx_i2c_resume(struct device *dev)
1438 + struct platform_device *pdev = to_platform_device(dev);
1439 + struct s3c24xx_i2c *i2c = platform_get_drvdata(pdev);
1440 +
1441 +- i2c->suspended = 0;
1442 + clk_prepare_enable(i2c->clk);
1443 + s3c24xx_i2c_init(i2c);
1444 + clk_disable_unprepare(i2c->clk);
1445 ++ i2c->suspended = 0;
1446 +
1447 + return 0;
1448 + }
1449 +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
1450 +index fe4c61e219f3..111ac381b40b 100644
1451 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
1452 ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
1453 +@@ -660,6 +660,7 @@ static int inv_mpu_probe(struct i2c_client *client,
1454 + {
1455 + struct inv_mpu6050_state *st;
1456 + struct iio_dev *indio_dev;
1457 ++ struct inv_mpu6050_platform_data *pdata;
1458 + int result;
1459 +
1460 + if (!i2c_check_functionality(client->adapter,
1461 +@@ -675,8 +676,10 @@ static int inv_mpu_probe(struct i2c_client *client,
1462 + }
1463 + st = iio_priv(indio_dev);
1464 + st->client = client;
1465 +- st->plat_data = *(struct inv_mpu6050_platform_data
1466 +- *)dev_get_platdata(&client->dev);
1467 ++ pdata = (struct inv_mpu6050_platform_data
1468 ++ *)dev_get_platdata(&client->dev);
1469 ++ if (pdata)
1470 ++ st->plat_data = *pdata;
1471 + /* power is turned on inside check chip type*/
1472 + result = inv_check_and_setup_chip(st, id);
1473 + if (result)
1474 +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
1475 +index ce6c603a3cc9..988e29d18bb4 100644
1476 +--- a/drivers/infiniband/ulp/isert/ib_isert.c
1477 ++++ b/drivers/infiniband/ulp/isert/ib_isert.c
1478 +@@ -27,6 +27,7 @@
1479 + #include <target/target_core_base.h>
1480 + #include <target/target_core_fabric.h>
1481 + #include <target/iscsi/iscsi_transport.h>
1482 ++#include <linux/semaphore.h>
1483 +
1484 + #include "isert_proto.h"
1485 + #include "ib_isert.h"
1486 +@@ -459,11 +460,11 @@ isert_connect_request(struct rdma_cm_id *cma_id, struct rdma_cm_event *event)
1487 + goto out_conn_dev;
1488 +
1489 + mutex_lock(&isert_np->np_accept_mutex);
1490 +- list_add_tail(&isert_np->np_accept_list, &isert_conn->conn_accept_node);
1491 ++ list_add_tail(&isert_conn->conn_accept_node, &isert_np->np_accept_list);
1492 + mutex_unlock(&isert_np->np_accept_mutex);
1493 +
1494 +- pr_debug("isert_connect_request() waking up np_accept_wq: %p\n", np);
1495 +- wake_up(&isert_np->np_accept_wq);
1496 ++ pr_debug("isert_connect_request() up np_sem np: %p\n", np);
1497 ++ up(&isert_np->np_sem);
1498 + return 0;
1499 +
1500 + out_conn_dev:
1501 +@@ -2042,7 +2043,7 @@ isert_setup_np(struct iscsi_np *np,
1502 + pr_err("Unable to allocate struct isert_np\n");
1503 + return -ENOMEM;
1504 + }
1505 +- init_waitqueue_head(&isert_np->np_accept_wq);
1506 ++ sema_init(&isert_np->np_sem, 0);
1507 + mutex_init(&isert_np->np_accept_mutex);
1508 + INIT_LIST_HEAD(&isert_np->np_accept_list);
1509 + init_completion(&isert_np->np_login_comp);
1510 +@@ -2091,18 +2092,6 @@ out:
1511 + }
1512 +
1513 + static int
1514 +-isert_check_accept_queue(struct isert_np *isert_np)
1515 +-{
1516 +- int empty;
1517 +-
1518 +- mutex_lock(&isert_np->np_accept_mutex);
1519 +- empty = list_empty(&isert_np->np_accept_list);
1520 +- mutex_unlock(&isert_np->np_accept_mutex);
1521 +-
1522 +- return empty;
1523 +-}
1524 +-
1525 +-static int
1526 + isert_rdma_accept(struct isert_conn *isert_conn)
1527 + {
1528 + struct rdma_cm_id *cm_id = isert_conn->conn_cm_id;
1529 +@@ -2186,16 +2175,14 @@ isert_accept_np(struct iscsi_np *np, struct iscsi_conn *conn)
1530 + int max_accept = 0, ret;
1531 +
1532 + accept_wait:
1533 +- ret = wait_event_interruptible(isert_np->np_accept_wq,
1534 +- !isert_check_accept_queue(isert_np) ||
1535 +- np->np_thread_state == ISCSI_NP_THREAD_RESET);
1536 ++ ret = down_interruptible(&isert_np->np_sem);
1537 + if (max_accept > 5)
1538 + return -ENODEV;
1539 +
1540 + spin_lock_bh(&np->np_thread_lock);
1541 + if (np->np_thread_state == ISCSI_NP_THREAD_RESET) {
1542 + spin_unlock_bh(&np->np_thread_lock);
1543 +- pr_err("ISCSI_NP_THREAD_RESET for isert_accept_np\n");
1544 ++ pr_debug("ISCSI_NP_THREAD_RESET for isert_accept_np\n");
1545 + return -ENODEV;
1546 + }
1547 + spin_unlock_bh(&np->np_thread_lock);
1548 +diff --git a/drivers/infiniband/ulp/isert/ib_isert.h b/drivers/infiniband/ulp/isert/ib_isert.h
1549 +index b9d6cc6917cf..dfe4a2ebef0d 100644
1550 +--- a/drivers/infiniband/ulp/isert/ib_isert.h
1551 ++++ b/drivers/infiniband/ulp/isert/ib_isert.h
1552 +@@ -131,7 +131,7 @@ struct isert_device {
1553 + };
1554 +
1555 + struct isert_np {
1556 +- wait_queue_head_t np_accept_wq;
1557 ++ struct semaphore np_sem;
1558 + struct rdma_cm_id *np_cm_id;
1559 + struct mutex np_accept_mutex;
1560 + struct list_head np_accept_list;
1561 +diff --git a/drivers/input/keyboard/atkbd.c b/drivers/input/keyboard/atkbd.c
1562 +index 2626773ff29b..2dd1d0dd4f7d 100644
1563 +--- a/drivers/input/keyboard/atkbd.c
1564 ++++ b/drivers/input/keyboard/atkbd.c
1565 +@@ -243,6 +243,12 @@ static void (*atkbd_platform_fixup)(struct atkbd *, const void *data);
1566 + static void *atkbd_platform_fixup_data;
1567 + static unsigned int (*atkbd_platform_scancode_fixup)(struct atkbd *, unsigned int);
1568 +
1569 ++/*
1570 ++ * Certain keyboards to not like ATKBD_CMD_RESET_DIS and stop responding
1571 ++ * to many commands until full reset (ATKBD_CMD_RESET_BAT) is performed.
1572 ++ */
1573 ++static bool atkbd_skip_deactivate;
1574 ++
1575 + static ssize_t atkbd_attr_show_helper(struct device *dev, char *buf,
1576 + ssize_t (*handler)(struct atkbd *, char *));
1577 + static ssize_t atkbd_attr_set_helper(struct device *dev, const char *buf, size_t count,
1578 +@@ -768,7 +774,8 @@ static int atkbd_probe(struct atkbd *atkbd)
1579 + * Make sure nothing is coming from the keyboard and disturbs our
1580 + * internal state.
1581 + */
1582 +- atkbd_deactivate(atkbd);
1583 ++ if (!atkbd_skip_deactivate)
1584 ++ atkbd_deactivate(atkbd);
1585 +
1586 + return 0;
1587 + }
1588 +@@ -1638,6 +1645,12 @@ static int __init atkbd_setup_scancode_fixup(const struct dmi_system_id *id)
1589 + return 1;
1590 + }
1591 +
1592 ++static int __init atkbd_deactivate_fixup(const struct dmi_system_id *id)
1593 ++{
1594 ++ atkbd_skip_deactivate = true;
1595 ++ return 1;
1596 ++}
1597 ++
1598 + static const struct dmi_system_id atkbd_dmi_quirk_table[] __initconst = {
1599 + {
1600 + .matches = {
1601 +@@ -1775,6 +1788,20 @@ static const struct dmi_system_id atkbd_dmi_quirk_table[] __initconst = {
1602 + .callback = atkbd_setup_scancode_fixup,
1603 + .driver_data = atkbd_oqo_01plus_scancode_fixup,
1604 + },
1605 ++ {
1606 ++ .matches = {
1607 ++ DMI_MATCH(DMI_SYS_VENDOR, "LG Electronics"),
1608 ++ DMI_MATCH(DMI_PRODUCT_NAME, "LW25-B7HV"),
1609 ++ },
1610 ++ .callback = atkbd_deactivate_fixup,
1611 ++ },
1612 ++ {
1613 ++ .matches = {
1614 ++ DMI_MATCH(DMI_SYS_VENDOR, "LG Electronics"),
1615 ++ DMI_MATCH(DMI_PRODUCT_NAME, "P1-J273B"),
1616 ++ },
1617 ++ .callback = atkbd_deactivate_fixup,
1618 ++ },
1619 + { }
1620 + };
1621 +
1622 +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
1623 +index 1fb1a7b5a754..76f1d37ac0ff 100644
1624 +--- a/drivers/input/mouse/elantech.c
1625 ++++ b/drivers/input/mouse/elantech.c
1626 +@@ -11,6 +11,7 @@
1627 + */
1628 +
1629 + #include <linux/delay.h>
1630 ++#include <linux/dmi.h>
1631 + #include <linux/slab.h>
1632 + #include <linux/module.h>
1633 + #include <linux/input.h>
1634 +@@ -801,7 +802,11 @@ static int elantech_set_absolute_mode(struct psmouse *psmouse)
1635 + break;
1636 +
1637 + case 3:
1638 +- etd->reg_10 = 0x0b;
1639 ++ if (etd->set_hw_resolution)
1640 ++ etd->reg_10 = 0x0b;
1641 ++ else
1642 ++ etd->reg_10 = 0x03;
1643 ++
1644 + if (elantech_write_reg(psmouse, 0x10, etd->reg_10))
1645 + rc = -1;
1646 +
1647 +@@ -1301,6 +1306,22 @@ static int elantech_reconnect(struct psmouse *psmouse)
1648 + }
1649 +
1650 + /*
1651 ++ * Some hw_version 3 models go into error state when we try to set bit 3 of r10
1652 ++ */
1653 ++static const struct dmi_system_id no_hw_res_dmi_table[] = {
1654 ++#if defined(CONFIG_DMI) && defined(CONFIG_X86)
1655 ++ {
1656 ++ /* Gigabyte U2442 */
1657 ++ .matches = {
1658 ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"),
1659 ++ DMI_MATCH(DMI_PRODUCT_NAME, "U2442"),
1660 ++ },
1661 ++ },
1662 ++#endif
1663 ++ { }
1664 ++};
1665 ++
1666 ++/*
1667 + * determine hardware version and set some properties according to it.
1668 + */
1669 + static int elantech_set_properties(struct elantech_data *etd)
1670 +@@ -1351,6 +1372,9 @@ static int elantech_set_properties(struct elantech_data *etd)
1671 + etd->reports_pressure = true;
1672 + }
1673 +
1674 ++ /* Enable real hardware resolution on hw_version 3 ? */
1675 ++ etd->set_hw_resolution = !dmi_check_system(no_hw_res_dmi_table);
1676 ++
1677 + return 0;
1678 + }
1679 +
1680 +diff --git a/drivers/input/mouse/elantech.h b/drivers/input/mouse/elantech.h
1681 +index 46db3be45ac9..c1c15ab6872d 100644
1682 +--- a/drivers/input/mouse/elantech.h
1683 ++++ b/drivers/input/mouse/elantech.h
1684 +@@ -129,6 +129,7 @@ struct elantech_data {
1685 + bool paritycheck;
1686 + bool jumpy_cursor;
1687 + bool reports_pressure;
1688 ++ bool set_hw_resolution;
1689 + unsigned char hw_version;
1690 + unsigned int fw_version;
1691 + unsigned int single_finger_reports;
1692 +diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
1693 +index d60c9b7ad1b8..f36f7b88f260 100644
1694 +--- a/drivers/input/mouse/synaptics.c
1695 ++++ b/drivers/input/mouse/synaptics.c
1696 +@@ -1552,7 +1552,7 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
1697 + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
1698 + DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T540"),
1699 + },
1700 +- .driver_data = (int []){1024, 5056, 2058, 4832},
1701 ++ .driver_data = (int []){1024, 5112, 2024, 4832},
1702 + },
1703 + {
1704 + /* Lenovo ThinkPad L540 */
1705 +@@ -1563,6 +1563,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
1706 + .driver_data = (int []){1024, 5112, 2024, 4832},
1707 + },
1708 + {
1709 ++ /* Lenovo ThinkPad W540 */
1710 ++ .matches = {
1711 ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
1712 ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W540"),
1713 ++ },
1714 ++ .driver_data = (int []){1024, 5112, 2024, 4832},
1715 ++ },
1716 ++ {
1717 + /* Lenovo Yoga S1 */
1718 + .matches = {
1719 + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
1720 +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
1721 +index a3c338942f10..6f849cbcac6f 100644
1722 +--- a/drivers/iommu/amd_iommu.c
1723 ++++ b/drivers/iommu/amd_iommu.c
1724 +@@ -3959,7 +3959,7 @@ static struct irq_remap_table *get_irq_table(u16 devid, bool ioapic)
1725 + iommu_flush_dte(iommu, devid);
1726 + if (devid != alias) {
1727 + irq_lookup_table[alias] = table;
1728 +- set_dte_irq_entry(devid, table);
1729 ++ set_dte_irq_entry(alias, table);
1730 + iommu_flush_dte(iommu, alias);
1731 + }
1732 +
1733 +diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
1734 +index 19ceaa60e0f4..4e11218d644e 100644
1735 +--- a/drivers/irqchip/irq-gic.c
1736 ++++ b/drivers/irqchip/irq-gic.c
1737 +@@ -246,10 +246,14 @@ static int gic_set_affinity(struct irq_data *d, const struct cpumask *mask_val,
1738 + bool force)
1739 + {
1740 + void __iomem *reg = gic_dist_base(d) + GIC_DIST_TARGET + (gic_irq(d) & ~3);
1741 +- unsigned int shift = (gic_irq(d) % 4) * 8;
1742 +- unsigned int cpu = cpumask_any_and(mask_val, cpu_online_mask);
1743 ++ unsigned int cpu, shift = (gic_irq(d) % 4) * 8;
1744 + u32 val, mask, bit;
1745 +
1746 ++ if (!force)
1747 ++ cpu = cpumask_any_and(mask_val, cpu_online_mask);
1748 ++ else
1749 ++ cpu = cpumask_first(mask_val);
1750 ++
1751 + if (cpu >= NR_GIC_CPU_IF || cpu >= nr_cpu_ids)
1752 + return -EINVAL;
1753 +
1754 +diff --git a/drivers/leds/leds-pwm.c b/drivers/leds/leds-pwm.c
1755 +index faf52c005e8c..5d64b2431415 100644
1756 +--- a/drivers/leds/leds-pwm.c
1757 ++++ b/drivers/leds/leds-pwm.c
1758 +@@ -82,6 +82,15 @@ static inline size_t sizeof_pwm_leds_priv(int num_leds)
1759 + (sizeof(struct led_pwm_data) * num_leds);
1760 + }
1761 +
1762 ++static void led_pwm_cleanup(struct led_pwm_priv *priv)
1763 ++{
1764 ++ while (priv->num_leds--) {
1765 ++ led_classdev_unregister(&priv->leds[priv->num_leds].cdev);
1766 ++ if (priv->leds[priv->num_leds].can_sleep)
1767 ++ cancel_work_sync(&priv->leds[priv->num_leds].work);
1768 ++ }
1769 ++}
1770 ++
1771 + static struct led_pwm_priv *led_pwm_create_of(struct platform_device *pdev)
1772 + {
1773 + struct device_node *node = pdev->dev.of_node;
1774 +@@ -139,8 +148,7 @@ static struct led_pwm_priv *led_pwm_create_of(struct platform_device *pdev)
1775 +
1776 + return priv;
1777 + err:
1778 +- while (priv->num_leds--)
1779 +- led_classdev_unregister(&priv->leds[priv->num_leds].cdev);
1780 ++ led_pwm_cleanup(priv);
1781 +
1782 + return NULL;
1783 + }
1784 +@@ -200,8 +208,8 @@ static int led_pwm_probe(struct platform_device *pdev)
1785 + return 0;
1786 +
1787 + err:
1788 +- while (i--)
1789 +- led_classdev_unregister(&priv->leds[i].cdev);
1790 ++ priv->num_leds = i;
1791 ++ led_pwm_cleanup(priv);
1792 +
1793 + return ret;
1794 + }
1795 +@@ -209,13 +217,8 @@ err:
1796 + static int led_pwm_remove(struct platform_device *pdev)
1797 + {
1798 + struct led_pwm_priv *priv = platform_get_drvdata(pdev);
1799 +- int i;
1800 +
1801 +- for (i = 0; i < priv->num_leds; i++) {
1802 +- led_classdev_unregister(&priv->leds[i].cdev);
1803 +- if (priv->leds[i].can_sleep)
1804 +- cancel_work_sync(&priv->leds[i].work);
1805 +- }
1806 ++ led_pwm_cleanup(priv);
1807 +
1808 + return 0;
1809 + }
1810 +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
1811 +index 6d2d41ae9e32..5177ba54559b 100644
1812 +--- a/drivers/md/dm-crypt.c
1813 ++++ b/drivers/md/dm-crypt.c
1814 +@@ -18,7 +18,6 @@
1815 + #include <linux/crypto.h>
1816 + #include <linux/workqueue.h>
1817 + #include <linux/backing-dev.h>
1818 +-#include <linux/percpu.h>
1819 + #include <linux/atomic.h>
1820 + #include <linux/scatterlist.h>
1821 + #include <asm/page.h>
1822 +@@ -44,6 +43,7 @@ struct convert_context {
1823 + unsigned int idx_out;
1824 + sector_t cc_sector;
1825 + atomic_t cc_pending;
1826 ++ struct ablkcipher_request *req;
1827 + };
1828 +
1829 + /*
1830 +@@ -105,15 +105,7 @@ struct iv_lmk_private {
1831 + enum flags { DM_CRYPT_SUSPENDED, DM_CRYPT_KEY_VALID };
1832 +
1833 + /*
1834 +- * Duplicated per-CPU state for cipher.
1835 +- */
1836 +-struct crypt_cpu {
1837 +- struct ablkcipher_request *req;
1838 +-};
1839 +-
1840 +-/*
1841 +- * The fields in here must be read only after initialization,
1842 +- * changing state should be in crypt_cpu.
1843 ++ * The fields in here must be read only after initialization.
1844 + */
1845 + struct crypt_config {
1846 + struct dm_dev *dev;
1847 +@@ -143,12 +135,6 @@ struct crypt_config {
1848 + sector_t iv_offset;
1849 + unsigned int iv_size;
1850 +
1851 +- /*
1852 +- * Duplicated per cpu state. Access through
1853 +- * per_cpu_ptr() only.
1854 +- */
1855 +- struct crypt_cpu __percpu *cpu;
1856 +-
1857 + /* ESSIV: struct crypto_cipher *essiv_tfm */
1858 + void *iv_private;
1859 + struct crypto_ablkcipher **tfms;
1860 +@@ -184,11 +170,6 @@ static void clone_init(struct dm_crypt_io *, struct bio *);
1861 + static void kcryptd_queue_crypt(struct dm_crypt_io *io);
1862 + static u8 *iv_of_dmreq(struct crypt_config *cc, struct dm_crypt_request *dmreq);
1863 +
1864 +-static struct crypt_cpu *this_crypt_config(struct crypt_config *cc)
1865 +-{
1866 +- return this_cpu_ptr(cc->cpu);
1867 +-}
1868 +-
1869 + /*
1870 + * Use this to access cipher attributes that are the same for each CPU.
1871 + */
1872 +@@ -738,16 +719,15 @@ static void kcryptd_async_done(struct crypto_async_request *async_req,
1873 + static void crypt_alloc_req(struct crypt_config *cc,
1874 + struct convert_context *ctx)
1875 + {
1876 +- struct crypt_cpu *this_cc = this_crypt_config(cc);
1877 + unsigned key_index = ctx->cc_sector & (cc->tfms_count - 1);
1878 +
1879 +- if (!this_cc->req)
1880 +- this_cc->req = mempool_alloc(cc->req_pool, GFP_NOIO);
1881 ++ if (!ctx->req)
1882 ++ ctx->req = mempool_alloc(cc->req_pool, GFP_NOIO);
1883 +
1884 +- ablkcipher_request_set_tfm(this_cc->req, cc->tfms[key_index]);
1885 +- ablkcipher_request_set_callback(this_cc->req,
1886 ++ ablkcipher_request_set_tfm(ctx->req, cc->tfms[key_index]);
1887 ++ ablkcipher_request_set_callback(ctx->req,
1888 + CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
1889 +- kcryptd_async_done, dmreq_of_req(cc, this_cc->req));
1890 ++ kcryptd_async_done, dmreq_of_req(cc, ctx->req));
1891 + }
1892 +
1893 + /*
1894 +@@ -756,7 +736,6 @@ static void crypt_alloc_req(struct crypt_config *cc,
1895 + static int crypt_convert(struct crypt_config *cc,
1896 + struct convert_context *ctx)
1897 + {
1898 +- struct crypt_cpu *this_cc = this_crypt_config(cc);
1899 + int r;
1900 +
1901 + atomic_set(&ctx->cc_pending, 1);
1902 +@@ -768,7 +747,7 @@ static int crypt_convert(struct crypt_config *cc,
1903 +
1904 + atomic_inc(&ctx->cc_pending);
1905 +
1906 +- r = crypt_convert_block(cc, ctx, this_cc->req);
1907 ++ r = crypt_convert_block(cc, ctx, ctx->req);
1908 +
1909 + switch (r) {
1910 + /* async */
1911 +@@ -777,7 +756,7 @@ static int crypt_convert(struct crypt_config *cc,
1912 + INIT_COMPLETION(ctx->restart);
1913 + /* fall through*/
1914 + case -EINPROGRESS:
1915 +- this_cc->req = NULL;
1916 ++ ctx->req = NULL;
1917 + ctx->cc_sector++;
1918 + continue;
1919 +
1920 +@@ -876,6 +855,7 @@ static struct dm_crypt_io *crypt_io_alloc(struct crypt_config *cc,
1921 + io->sector = sector;
1922 + io->error = 0;
1923 + io->base_io = NULL;
1924 ++ io->ctx.req = NULL;
1925 + atomic_set(&io->io_pending, 0);
1926 +
1927 + return io;
1928 +@@ -901,6 +881,8 @@ static void crypt_dec_pending(struct dm_crypt_io *io)
1929 + if (!atomic_dec_and_test(&io->io_pending))
1930 + return;
1931 +
1932 ++ if (io->ctx.req)
1933 ++ mempool_free(io->ctx.req, cc->req_pool);
1934 + mempool_free(io, cc->io_pool);
1935 +
1936 + if (likely(!base_io))
1937 +@@ -1326,8 +1308,6 @@ static int crypt_wipe_key(struct crypt_config *cc)
1938 + static void crypt_dtr(struct dm_target *ti)
1939 + {
1940 + struct crypt_config *cc = ti->private;
1941 +- struct crypt_cpu *cpu_cc;
1942 +- int cpu;
1943 +
1944 + ti->private = NULL;
1945 +
1946 +@@ -1339,13 +1319,6 @@ static void crypt_dtr(struct dm_target *ti)
1947 + if (cc->crypt_queue)
1948 + destroy_workqueue(cc->crypt_queue);
1949 +
1950 +- if (cc->cpu)
1951 +- for_each_possible_cpu(cpu) {
1952 +- cpu_cc = per_cpu_ptr(cc->cpu, cpu);
1953 +- if (cpu_cc->req)
1954 +- mempool_free(cpu_cc->req, cc->req_pool);
1955 +- }
1956 +-
1957 + crypt_free_tfms(cc);
1958 +
1959 + if (cc->bs)
1960 +@@ -1364,9 +1337,6 @@ static void crypt_dtr(struct dm_target *ti)
1961 + if (cc->dev)
1962 + dm_put_device(ti, cc->dev);
1963 +
1964 +- if (cc->cpu)
1965 +- free_percpu(cc->cpu);
1966 +-
1967 + kzfree(cc->cipher);
1968 + kzfree(cc->cipher_string);
1969 +
1970 +@@ -1421,13 +1391,6 @@ static int crypt_ctr_cipher(struct dm_target *ti,
1971 + if (tmp)
1972 + DMWARN("Ignoring unexpected additional cipher options");
1973 +
1974 +- cc->cpu = __alloc_percpu(sizeof(*(cc->cpu)),
1975 +- __alignof__(struct crypt_cpu));
1976 +- if (!cc->cpu) {
1977 +- ti->error = "Cannot allocate per cpu state";
1978 +- goto bad_mem;
1979 +- }
1980 +-
1981 + /*
1982 + * For compatibility with the original dm-crypt mapping format, if
1983 + * only the cipher name is supplied, use cbc-plain.
1984 +diff --git a/drivers/md/md.c b/drivers/md/md.c
1985 +index a2dda416c9cb..00a99fe797d4 100644
1986 +--- a/drivers/md/md.c
1987 ++++ b/drivers/md/md.c
1988 +@@ -8481,7 +8481,8 @@ static int md_notify_reboot(struct notifier_block *this,
1989 + if (mddev_trylock(mddev)) {
1990 + if (mddev->pers)
1991 + __md_stop_writes(mddev);
1992 +- mddev->safemode = 2;
1993 ++ if (mddev->persistent)
1994 ++ mddev->safemode = 2;
1995 + mddev_unlock(mddev);
1996 + }
1997 + need_delay = 1;
1998 +diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c
1999 +index 617ad3fff4aa..3ead3a83f04a 100644
2000 +--- a/drivers/media/i2c/ov7670.c
2001 ++++ b/drivers/media/i2c/ov7670.c
2002 +@@ -1110,7 +1110,7 @@ static int ov7670_enum_framesizes(struct v4l2_subdev *sd,
2003 + * windows that fall outside that.
2004 + */
2005 + for (i = 0; i < n_win_sizes; i++) {
2006 +- struct ov7670_win_size *win = &info->devtype->win_sizes[index];
2007 ++ struct ov7670_win_size *win = &info->devtype->win_sizes[i];
2008 + if (info->min_width && win->width < info->min_width)
2009 + continue;
2010 + if (info->min_height && win->height < info->min_height)
2011 +diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
2012 +index 1957c0df08fd..79715f9feb0a 100644
2013 +--- a/drivers/media/media-device.c
2014 ++++ b/drivers/media/media-device.c
2015 +@@ -93,6 +93,7 @@ static long media_device_enum_entities(struct media_device *mdev,
2016 + struct media_entity *ent;
2017 + struct media_entity_desc u_ent;
2018 +
2019 ++ memset(&u_ent, 0, sizeof(u_ent));
2020 + if (copy_from_user(&u_ent.id, &uent->id, sizeof(u_ent.id)))
2021 + return -EFAULT;
2022 +
2023 +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
2024 +index 1d7dbd5c0fba..3e8ef11f67aa 100644
2025 +--- a/drivers/media/platform/omap3isp/isp.c
2026 ++++ b/drivers/media/platform/omap3isp/isp.c
2027 +@@ -2249,6 +2249,7 @@ static int isp_probe(struct platform_device *pdev)
2028 + ret = iommu_attach_device(isp->domain, &pdev->dev);
2029 + if (ret) {
2030 + dev_err(&pdev->dev, "can't attach iommu device: %d\n", ret);
2031 ++ ret = -EPROBE_DEFER;
2032 + goto free_domain;
2033 + }
2034 +
2035 +@@ -2287,6 +2288,7 @@ detach_dev:
2036 + iommu_detach_device(isp->domain, &pdev->dev);
2037 + free_domain:
2038 + iommu_domain_free(isp->domain);
2039 ++ isp->domain = NULL;
2040 + error_isp:
2041 + isp_xclk_cleanup(isp);
2042 + omap3isp_put(isp);
2043 +diff --git a/drivers/media/tuners/fc2580.c b/drivers/media/tuners/fc2580.c
2044 +index 3aecaf465094..f0c9c42867de 100644
2045 +--- a/drivers/media/tuners/fc2580.c
2046 ++++ b/drivers/media/tuners/fc2580.c
2047 +@@ -195,7 +195,7 @@ static int fc2580_set_params(struct dvb_frontend *fe)
2048 +
2049 + f_ref = 2UL * priv->cfg->clock / r_val;
2050 + n_val = div_u64_rem(f_vco, f_ref, &k_val);
2051 +- k_val_reg = 1UL * k_val * (1 << 20) / f_ref;
2052 ++ k_val_reg = div_u64(1ULL * k_val * (1 << 20), f_ref);
2053 +
2054 + ret = fc2580_wr_reg(priv, 0x18, r18_val | ((k_val_reg >> 16) & 0xff));
2055 + if (ret < 0)
2056 +@@ -348,8 +348,8 @@ static int fc2580_set_params(struct dvb_frontend *fe)
2057 + if (ret < 0)
2058 + goto err;
2059 +
2060 +- ret = fc2580_wr_reg(priv, 0x37, 1UL * priv->cfg->clock * \
2061 +- fc2580_if_filter_lut[i].mul / 1000000000);
2062 ++ ret = fc2580_wr_reg(priv, 0x37, div_u64(1ULL * priv->cfg->clock *
2063 ++ fc2580_if_filter_lut[i].mul, 1000000000));
2064 + if (ret < 0)
2065 + goto err;
2066 +
2067 +diff --git a/drivers/media/tuners/fc2580_priv.h b/drivers/media/tuners/fc2580_priv.h
2068 +index be38a9e637e0..646c99452136 100644
2069 +--- a/drivers/media/tuners/fc2580_priv.h
2070 ++++ b/drivers/media/tuners/fc2580_priv.h
2071 +@@ -22,6 +22,7 @@
2072 + #define FC2580_PRIV_H
2073 +
2074 + #include "fc2580.h"
2075 ++#include <linux/math64.h>
2076 +
2077 + struct fc2580_reg_val {
2078 + u8 reg;
2079 +diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
2080 +index f56b729581e7..e2b0a0969ebb 100644
2081 +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
2082 ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
2083 +@@ -178,6 +178,9 @@ struct v4l2_create_buffers32 {
2084 +
2085 + static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
2086 + {
2087 ++ if (get_user(kp->type, &up->type))
2088 ++ return -EFAULT;
2089 ++
2090 + switch (kp->type) {
2091 + case V4L2_BUF_TYPE_VIDEO_CAPTURE:
2092 + case V4L2_BUF_TYPE_VIDEO_OUTPUT:
2093 +@@ -204,17 +207,16 @@ static int __get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __us
2094 +
2095 + static int get_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user *up)
2096 + {
2097 +- if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)) ||
2098 +- get_user(kp->type, &up->type))
2099 +- return -EFAULT;
2100 ++ if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_format32)))
2101 ++ return -EFAULT;
2102 + return __get_v4l2_format32(kp, up);
2103 + }
2104 +
2105 + static int get_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up)
2106 + {
2107 + if (!access_ok(VERIFY_READ, up, sizeof(struct v4l2_create_buffers32)) ||
2108 +- copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format.fmt)))
2109 +- return -EFAULT;
2110 ++ copy_from_user(kp, up, offsetof(struct v4l2_create_buffers32, format)))
2111 ++ return -EFAULT;
2112 + return __get_v4l2_format32(&kp->format, &up->format);
2113 + }
2114 +
2115 +diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
2116 +index e752f5d4995d..0c9b2f1c6939 100644
2117 +--- a/drivers/net/wireless/ath/ath9k/xmit.c
2118 ++++ b/drivers/net/wireless/ath/ath9k/xmit.c
2119 +@@ -1255,14 +1255,16 @@ void ath_tx_aggr_sleep(struct ieee80211_sta *sta, struct ath_softc *sc,
2120 + for (tidno = 0, tid = &an->tid[tidno];
2121 + tidno < IEEE80211_NUM_TIDS; tidno++, tid++) {
2122 +
2123 +- if (!tid->sched)
2124 +- continue;
2125 +-
2126 + ac = tid->ac;
2127 + txq = ac->txq;
2128 +
2129 + ath_txq_lock(sc, txq);
2130 +
2131 ++ if (!tid->sched) {
2132 ++ ath_txq_unlock(sc, txq);
2133 ++ continue;
2134 ++ }
2135 ++
2136 + buffered = !skb_queue_empty(&tid->buf_q);
2137 +
2138 + tid->sched = false;
2139 +diff --git a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
2140 +index 3a6544710c8a..8e8543cfe489 100644
2141 +--- a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
2142 ++++ b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
2143 +@@ -426,6 +426,12 @@ static int brcms_ops_start(struct ieee80211_hw *hw)
2144 + bool blocked;
2145 + int err;
2146 +
2147 ++ if (!wl->ucode.bcm43xx_bomminor) {
2148 ++ err = brcms_request_fw(wl, wl->wlc->hw->d11core);
2149 ++ if (err)
2150 ++ return -ENOENT;
2151 ++ }
2152 ++
2153 + ieee80211_wake_queues(hw);
2154 + spin_lock_bh(&wl->lock);
2155 + blocked = brcms_rfkill_set_hw_state(wl);
2156 +@@ -433,14 +439,6 @@ static int brcms_ops_start(struct ieee80211_hw *hw)
2157 + if (!blocked)
2158 + wiphy_rfkill_stop_polling(wl->pub->ieee_hw->wiphy);
2159 +
2160 +- if (!wl->ucode.bcm43xx_bomminor) {
2161 +- err = brcms_request_fw(wl, wl->wlc->hw->d11core);
2162 +- if (err) {
2163 +- brcms_remove(wl->wlc->hw->d11core);
2164 +- return -ENOENT;
2165 +- }
2166 +- }
2167 +-
2168 + spin_lock_bh(&wl->lock);
2169 + /* avoid acknowledging frames before a non-monitor device is added */
2170 + wl->mute_tx = true;
2171 +diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
2172 +index f8cff1f0b6b7..2b724fc4e306 100644
2173 +--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
2174 ++++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
2175 +@@ -623,20 +623,18 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
2176 + bss_conf->bssid);
2177 +
2178 + /*
2179 +- * Update the beacon. This is only required on USB devices. PCI
2180 +- * devices fetch beacons periodically.
2181 +- */
2182 +- if (changes & BSS_CHANGED_BEACON && rt2x00_is_usb(rt2x00dev))
2183 +- rt2x00queue_update_beacon(rt2x00dev, vif);
2184 +-
2185 +- /*
2186 + * Start/stop beaconing.
2187 + */
2188 + if (changes & BSS_CHANGED_BEACON_ENABLED) {
2189 + if (!bss_conf->enable_beacon && intf->enable_beacon) {
2190 +- rt2x00queue_clear_beacon(rt2x00dev, vif);
2191 + rt2x00dev->intf_beaconing--;
2192 + intf->enable_beacon = false;
2193 ++ /*
2194 ++ * Clear beacon in the H/W for this vif. This is needed
2195 ++ * to disable beaconing on this particular interface
2196 ++ * and keep it running on other interfaces.
2197 ++ */
2198 ++ rt2x00queue_clear_beacon(rt2x00dev, vif);
2199 +
2200 + if (rt2x00dev->intf_beaconing == 0) {
2201 + /*
2202 +@@ -647,11 +645,15 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
2203 + rt2x00queue_stop_queue(rt2x00dev->bcn);
2204 + mutex_unlock(&intf->beacon_skb_mutex);
2205 + }
2206 +-
2207 +-
2208 + } else if (bss_conf->enable_beacon && !intf->enable_beacon) {
2209 + rt2x00dev->intf_beaconing++;
2210 + intf->enable_beacon = true;
2211 ++ /*
2212 ++ * Upload beacon to the H/W. This is only required on
2213 ++ * USB devices. PCI devices fetch beacons periodically.
2214 ++ */
2215 ++ if (rt2x00_is_usb(rt2x00dev))
2216 ++ rt2x00queue_update_beacon(rt2x00dev, vif);
2217 +
2218 + if (rt2x00dev->intf_beaconing == 1) {
2219 + /*
2220 +diff --git a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
2221 +index 324aa581938e..c3f2b55501ae 100644
2222 +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
2223 ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
2224 +@@ -1001,7 +1001,7 @@ int rtl92cu_hw_init(struct ieee80211_hw *hw)
2225 + err = _rtl92cu_init_mac(hw);
2226 + if (err) {
2227 + RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG, "init mac failed!\n");
2228 +- return err;
2229 ++ goto exit;
2230 + }
2231 + err = rtl92c_download_fw(hw);
2232 + if (err) {
2233 +diff --git a/drivers/pci/hotplug/shpchp_ctrl.c b/drivers/pci/hotplug/shpchp_ctrl.c
2234 +index 58499277903a..6efc2ec5e4db 100644
2235 +--- a/drivers/pci/hotplug/shpchp_ctrl.c
2236 ++++ b/drivers/pci/hotplug/shpchp_ctrl.c
2237 +@@ -282,8 +282,8 @@ static int board_added(struct slot *p_slot)
2238 + return WRONG_BUS_FREQUENCY;
2239 + }
2240 +
2241 +- bsp = ctrl->pci_dev->bus->cur_bus_speed;
2242 +- msp = ctrl->pci_dev->bus->max_bus_speed;
2243 ++ bsp = ctrl->pci_dev->subordinate->cur_bus_speed;
2244 ++ msp = ctrl->pci_dev->subordinate->max_bus_speed;
2245 +
2246 + /* Check if there are other slots or devices on the same bus */
2247 + if (!list_empty(&ctrl->pci_dev->subordinate->devices))
2248 +diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
2249 +index 660b109487ae..8032917b6636 100644
2250 +--- a/drivers/target/target_core_device.c
2251 ++++ b/drivers/target/target_core_device.c
2252 +@@ -796,10 +796,10 @@ int se_dev_set_emulate_write_cache(struct se_device *dev, int flag)
2253 + pr_err("emulate_write_cache not supported for pSCSI\n");
2254 + return -EINVAL;
2255 + }
2256 +- if (dev->transport->get_write_cache) {
2257 +- pr_warn("emulate_write_cache cannot be changed when underlying"
2258 +- " HW reports WriteCacheEnabled, ignoring request\n");
2259 +- return 0;
2260 ++ if (flag &&
2261 ++ dev->transport->get_write_cache) {
2262 ++ pr_err("emulate_write_cache not supported for this device\n");
2263 ++ return -EINVAL;
2264 + }
2265 +
2266 + dev->dev_attrib.emulate_write_cache = flag;
2267 +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
2268 +index b167665b7de2..d8c06a3d391e 100644
2269 +--- a/drivers/tty/serial/8250/8250_core.c
2270 ++++ b/drivers/tty/serial/8250/8250_core.c
2271 +@@ -1520,7 +1520,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
2272 + status = serial8250_rx_chars(up, status);
2273 + }
2274 + serial8250_modem_status(up);
2275 +- if (status & UART_LSR_THRE)
2276 ++ if (!up->dma && (status & UART_LSR_THRE))
2277 + serial8250_tx_chars(up);
2278 +
2279 + spin_unlock_irqrestore(&port->lock, flags);
2280 +diff --git a/drivers/tty/serial/8250/8250_dma.c b/drivers/tty/serial/8250/8250_dma.c
2281 +index 7046769608d4..ab9096dc3849 100644
2282 +--- a/drivers/tty/serial/8250/8250_dma.c
2283 ++++ b/drivers/tty/serial/8250/8250_dma.c
2284 +@@ -20,12 +20,15 @@ static void __dma_tx_complete(void *param)
2285 + struct uart_8250_port *p = param;
2286 + struct uart_8250_dma *dma = p->dma;
2287 + struct circ_buf *xmit = &p->port.state->xmit;
2288 +-
2289 +- dma->tx_running = 0;
2290 ++ unsigned long flags;
2291 +
2292 + dma_sync_single_for_cpu(dma->txchan->device->dev, dma->tx_addr,
2293 + UART_XMIT_SIZE, DMA_TO_DEVICE);
2294 +
2295 ++ spin_lock_irqsave(&p->port.lock, flags);
2296 ++
2297 ++ dma->tx_running = 0;
2298 ++
2299 + xmit->tail += dma->tx_size;
2300 + xmit->tail &= UART_XMIT_SIZE - 1;
2301 + p->port.icount.tx += dma->tx_size;
2302 +@@ -35,6 +38,8 @@ static void __dma_tx_complete(void *param)
2303 +
2304 + if (!uart_circ_empty(xmit) && !uart_tx_stopped(&p->port))
2305 + serial8250_tx_dma(p);
2306 ++
2307 ++ spin_unlock_irqrestore(&p->port.lock, flags);
2308 + }
2309 +
2310 + static void __dma_rx_complete(void *param)
2311 +diff --git a/drivers/usb/gadget/at91_udc.c b/drivers/usb/gadget/at91_udc.c
2312 +index 073b938f9135..55e96131753e 100644
2313 +--- a/drivers/usb/gadget/at91_udc.c
2314 ++++ b/drivers/usb/gadget/at91_udc.c
2315 +@@ -1703,16 +1703,6 @@ static int at91udc_probe(struct platform_device *pdev)
2316 + return -ENODEV;
2317 + }
2318 +
2319 +- if (pdev->num_resources != 2) {
2320 +- DBG("invalid num_resources\n");
2321 +- return -ENODEV;
2322 +- }
2323 +- if ((pdev->resource[0].flags != IORESOURCE_MEM)
2324 +- || (pdev->resource[1].flags != IORESOURCE_IRQ)) {
2325 +- DBG("invalid resource type\n");
2326 +- return -ENODEV;
2327 +- }
2328 +-
2329 + res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
2330 + if (!res)
2331 + return -ENXIO;
2332 +diff --git a/drivers/usb/host/ehci-fsl.c b/drivers/usb/host/ehci-fsl.c
2333 +index 3c0a49a298dd..bfcf38383f74 100644
2334 +--- a/drivers/usb/host/ehci-fsl.c
2335 ++++ b/drivers/usb/host/ehci-fsl.c
2336 +@@ -261,7 +261,8 @@ static int ehci_fsl_setup_phy(struct usb_hcd *hcd,
2337 + break;
2338 + }
2339 +
2340 +- if (pdata->have_sysif_regs && pdata->controller_ver &&
2341 ++ if (pdata->have_sysif_regs &&
2342 ++ pdata->controller_ver > FSL_USB_VER_1_6 &&
2343 + (phy_mode == FSL_USB2_PHY_ULPI)) {
2344 + /* check PHY_CLK_VALID to get phy clk valid */
2345 + if (!spin_event_timeout(in_be32(non_ehci + FSL_SOC_USB_CTRL) &
2346 +diff --git a/drivers/usb/host/ohci-hub.c b/drivers/usb/host/ohci-hub.c
2347 +index 60ff4220e8b4..cd908066fde9 100644
2348 +--- a/drivers/usb/host/ohci-hub.c
2349 ++++ b/drivers/usb/host/ohci-hub.c
2350 +@@ -90,6 +90,24 @@ __acquires(ohci->lock)
2351 + dl_done_list (ohci);
2352 + finish_unlinks (ohci, ohci_frame_no(ohci));
2353 +
2354 ++ /*
2355 ++ * Some controllers don't handle "global" suspend properly if
2356 ++ * there are unsuspended ports. For these controllers, put all
2357 ++ * the enabled ports into suspend before suspending the root hub.
2358 ++ */
2359 ++ if (ohci->flags & OHCI_QUIRK_GLOBAL_SUSPEND) {
2360 ++ __hc32 __iomem *portstat = ohci->regs->roothub.portstatus;
2361 ++ int i;
2362 ++ unsigned temp;
2363 ++
2364 ++ for (i = 0; i < ohci->num_ports; (++i, ++portstat)) {
2365 ++ temp = ohci_readl(ohci, portstat);
2366 ++ if ((temp & (RH_PS_PES | RH_PS_PSS)) ==
2367 ++ RH_PS_PES)
2368 ++ ohci_writel(ohci, RH_PS_PSS, portstat);
2369 ++ }
2370 ++ }
2371 ++
2372 + /* maybe resume can wake root hub */
2373 + if (ohci_to_hcd(ohci)->self.root_hub->do_remote_wakeup || autostop) {
2374 + ohci->hc_control |= OHCI_CTRL_RWE;
2375 +diff --git a/drivers/usb/host/ohci-pci.c b/drivers/usb/host/ohci-pci.c
2376 +index ef6782bd1fa9..67af8eef6537 100644
2377 +--- a/drivers/usb/host/ohci-pci.c
2378 ++++ b/drivers/usb/host/ohci-pci.c
2379 +@@ -172,6 +172,7 @@ static int ohci_quirk_amd700(struct usb_hcd *hcd)
2380 + pci_dev_put(amd_smbus_dev);
2381 + amd_smbus_dev = NULL;
2382 +
2383 ++ ohci->flags |= OHCI_QUIRK_GLOBAL_SUSPEND;
2384 + return 0;
2385 + }
2386 +
2387 +diff --git a/drivers/usb/host/ohci.h b/drivers/usb/host/ohci.h
2388 +index d3299143d9e2..f2521f3185d2 100644
2389 +--- a/drivers/usb/host/ohci.h
2390 ++++ b/drivers/usb/host/ohci.h
2391 +@@ -405,6 +405,8 @@ struct ohci_hcd {
2392 + #define OHCI_QUIRK_HUB_POWER 0x100 /* distrust firmware power/oc setup */
2393 + #define OHCI_QUIRK_AMD_PLL 0x200 /* AMD PLL quirk*/
2394 + #define OHCI_QUIRK_AMD_PREFETCH 0x400 /* pre-fetch for ISO transfer */
2395 ++#define OHCI_QUIRK_GLOBAL_SUSPEND 0x800 /* must suspend ports */
2396 ++
2397 + // there are also chip quirks/bugs in init logic
2398 +
2399 + struct work_struct nec_work; /* Worker for NEC quirk */
2400 +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
2401 +index 7ed681a714a5..6c0a542e8ec1 100644
2402 +--- a/drivers/usb/serial/qcserial.c
2403 ++++ b/drivers/usb/serial/qcserial.c
2404 +@@ -151,6 +151,21 @@ static const struct usb_device_id id_table[] = {
2405 + {USB_DEVICE_INTERFACE_NUMBER(0x1199, 0x9051, 0)}, /* Netgear AirCard 340U Device Management */
2406 + {USB_DEVICE_INTERFACE_NUMBER(0x1199, 0x9051, 2)}, /* Netgear AirCard 340U NMEA */
2407 + {USB_DEVICE_INTERFACE_NUMBER(0x1199, 0x9051, 3)}, /* Netgear AirCard 340U Modem */
2408 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a2, 0)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card Device Management */
2409 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a2, 2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card NMEA */
2410 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a2, 3)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card Modem */
2411 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a3, 0)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card Device Management */
2412 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a3, 2)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card NMEA */
2413 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a3, 3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card Modem */
2414 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a4, 0)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card Device Management */
2415 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a4, 2)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card NMEA */
2416 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a4, 3)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card Modem */
2417 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a8, 0)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card Device Management */
2418 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a8, 2)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card NMEA */
2419 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a8, 3)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card Modem */
2420 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a9, 0)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card Device Management */
2421 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a9, 2)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card NMEA */
2422 ++ {USB_DEVICE_INTERFACE_NUMBER(0x413c, 0x81a9, 3)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card Modem */
2423 +
2424 + { } /* Terminating entry */
2425 + };
2426 +diff --git a/drivers/usb/storage/shuttle_usbat.c b/drivers/usb/storage/shuttle_usbat.c
2427 +index 4ef2a80728f7..008d805c3d21 100644
2428 +--- a/drivers/usb/storage/shuttle_usbat.c
2429 ++++ b/drivers/usb/storage/shuttle_usbat.c
2430 +@@ -1851,7 +1851,7 @@ static int usbat_probe(struct usb_interface *intf,
2431 + us->transport_name = "Shuttle USBAT";
2432 + us->transport = usbat_flash_transport;
2433 + us->transport_reset = usb_stor_CB_reset;
2434 +- us->max_lun = 1;
2435 ++ us->max_lun = 0;
2436 +
2437 + result = usb_stor_probe2(us);
2438 + return result;
2439 +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
2440 +index adbeb255616a..042c83b01046 100644
2441 +--- a/drivers/usb/storage/unusual_devs.h
2442 ++++ b/drivers/usb/storage/unusual_devs.h
2443 +@@ -234,6 +234,20 @@ UNUSUAL_DEV( 0x0421, 0x0495, 0x0370, 0x0370,
2444 + USB_SC_DEVICE, USB_PR_DEVICE, NULL,
2445 + US_FL_MAX_SECTORS_64 ),
2446 +
2447 ++/* Reported by Daniele Forsi <dforsi@×××××.com> */
2448 ++UNUSUAL_DEV( 0x0421, 0x04b9, 0x0350, 0x0350,
2449 ++ "Nokia",
2450 ++ "5300",
2451 ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
2452 ++ US_FL_MAX_SECTORS_64 ),
2453 ++
2454 ++/* Patch submitted by Victor A. Santos <victoraur.santos@×××××.com> */
2455 ++UNUSUAL_DEV( 0x0421, 0x05af, 0x0742, 0x0742,
2456 ++ "Nokia",
2457 ++ "305",
2458 ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
2459 ++ US_FL_MAX_SECTORS_64),
2460 ++
2461 + /* Patch submitted by Mikhail Zolotaryov <lebon@×××××××××.ua> */
2462 + UNUSUAL_DEV( 0x0421, 0x06aa, 0x1110, 0x1110,
2463 + "Nokia",
2464 +diff --git a/fs/exec.c b/fs/exec.c
2465 +index bb60cda5ee30..dd6aa61c8548 100644
2466 +--- a/fs/exec.c
2467 ++++ b/fs/exec.c
2468 +@@ -654,10 +654,10 @@ int setup_arg_pages(struct linux_binprm *bprm,
2469 + unsigned long rlim_stack;
2470 +
2471 + #ifdef CONFIG_STACK_GROWSUP
2472 +- /* Limit stack size to 1GB */
2473 ++ /* Limit stack size */
2474 + stack_base = rlimit_max(RLIMIT_STACK);
2475 +- if (stack_base > (1 << 30))
2476 +- stack_base = 1 << 30;
2477 ++ if (stack_base > STACK_SIZE_MAX)
2478 ++ stack_base = STACK_SIZE_MAX;
2479 +
2480 + /* Make sure we didn't let the argument array grow too large. */
2481 + if (vma->vm_end - vma->vm_start > stack_base)
2482 +diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c
2483 +index 8a50b3c18093..e15bcbd5043c 100644
2484 +--- a/fs/nfsd/nfs4acl.c
2485 ++++ b/fs/nfsd/nfs4acl.c
2486 +@@ -385,8 +385,10 @@ sort_pacl(struct posix_acl *pacl)
2487 + * by uid/gid. */
2488 + int i, j;
2489 +
2490 +- if (pacl->a_count <= 4)
2491 +- return; /* no users or groups */
2492 ++ /* no users or groups */
2493 ++ if (!pacl || pacl->a_count <= 4)
2494 ++ return;
2495 ++
2496 + i = 1;
2497 + while (pacl->a_entries[i].e_tag == ACL_USER)
2498 + i++;
2499 +@@ -513,13 +515,12 @@ posix_state_to_acl(struct posix_acl_state *state, unsigned int flags)
2500 +
2501 + /*
2502 + * ACLs with no ACEs are treated differently in the inheritable
2503 +- * and effective cases: when there are no inheritable ACEs, we
2504 +- * set a zero-length default posix acl:
2505 ++ * and effective cases: when there are no inheritable ACEs,
2506 ++ * calls ->set_acl with a NULL ACL structure.
2507 + */
2508 +- if (state->empty && (flags & NFS4_ACL_TYPE_DEFAULT)) {
2509 +- pacl = posix_acl_alloc(0, GFP_KERNEL);
2510 +- return pacl ? pacl : ERR_PTR(-ENOMEM);
2511 +- }
2512 ++ if (state->empty && (flags & NFS4_ACL_TYPE_DEFAULT))
2513 ++ return NULL;
2514 ++
2515 + /*
2516 + * When there are no effective ACEs, the following will end
2517 + * up setting a 3-element effective posix ACL with all
2518 +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
2519 +index 442509285ca9..ae6a50b7a617 100644
2520 +--- a/fs/nfsd/nfs4state.c
2521 ++++ b/fs/nfsd/nfs4state.c
2522 +@@ -1081,6 +1081,18 @@ static struct nfs4_client *alloc_client(struct xdr_netobj name)
2523 + return NULL;
2524 + }
2525 + clp->cl_name.len = name.len;
2526 ++ INIT_LIST_HEAD(&clp->cl_sessions);
2527 ++ idr_init(&clp->cl_stateids);
2528 ++ atomic_set(&clp->cl_refcount, 0);
2529 ++ clp->cl_cb_state = NFSD4_CB_UNKNOWN;
2530 ++ INIT_LIST_HEAD(&clp->cl_idhash);
2531 ++ INIT_LIST_HEAD(&clp->cl_openowners);
2532 ++ INIT_LIST_HEAD(&clp->cl_delegations);
2533 ++ INIT_LIST_HEAD(&clp->cl_lru);
2534 ++ INIT_LIST_HEAD(&clp->cl_callbacks);
2535 ++ INIT_LIST_HEAD(&clp->cl_revoked);
2536 ++ spin_lock_init(&clp->cl_lock);
2537 ++ rpc_init_wait_queue(&clp->cl_cb_waitq, "Backchannel slot table");
2538 + return clp;
2539 + }
2540 +
2541 +@@ -1098,6 +1110,7 @@ free_client(struct nfs4_client *clp)
2542 + WARN_ON_ONCE(atomic_read(&ses->se_ref));
2543 + free_session(ses);
2544 + }
2545 ++ rpc_destroy_wait_queue(&clp->cl_cb_waitq);
2546 + free_svc_cred(&clp->cl_cred);
2547 + kfree(clp->cl_name.data);
2548 + idr_destroy(&clp->cl_stateids);
2549 +@@ -1315,7 +1328,6 @@ static struct nfs4_client *create_client(struct xdr_netobj name,
2550 + if (clp == NULL)
2551 + return NULL;
2552 +
2553 +- INIT_LIST_HEAD(&clp->cl_sessions);
2554 + ret = copy_cred(&clp->cl_cred, &rqstp->rq_cred);
2555 + if (ret) {
2556 + spin_lock(&nn->client_lock);
2557 +@@ -1323,20 +1335,9 @@ static struct nfs4_client *create_client(struct xdr_netobj name,
2558 + spin_unlock(&nn->client_lock);
2559 + return NULL;
2560 + }
2561 +- idr_init(&clp->cl_stateids);
2562 +- atomic_set(&clp->cl_refcount, 0);
2563 +- clp->cl_cb_state = NFSD4_CB_UNKNOWN;
2564 +- INIT_LIST_HEAD(&clp->cl_idhash);
2565 +- INIT_LIST_HEAD(&clp->cl_openowners);
2566 +- INIT_LIST_HEAD(&clp->cl_delegations);
2567 +- INIT_LIST_HEAD(&clp->cl_lru);
2568 +- INIT_LIST_HEAD(&clp->cl_callbacks);
2569 +- INIT_LIST_HEAD(&clp->cl_revoked);
2570 +- spin_lock_init(&clp->cl_lock);
2571 + nfsd4_init_callback(&clp->cl_cb_null);
2572 + clp->cl_time = get_seconds();
2573 + clear_bit(0, &clp->cl_cb_slot_busy);
2574 +- rpc_init_wait_queue(&clp->cl_cb_waitq, "Backchannel slot table");
2575 + copy_verf(clp, verf);
2576 + rpc_copy_addr((struct sockaddr *) &clp->cl_addr, sa);
2577 + gen_confirm(clp);
2578 +@@ -3598,9 +3599,16 @@ out:
2579 + static __be32
2580 + nfsd4_free_lock_stateid(struct nfs4_ol_stateid *stp)
2581 + {
2582 +- if (check_for_locks(stp->st_file, lockowner(stp->st_stateowner)))
2583 ++ struct nfs4_lockowner *lo = lockowner(stp->st_stateowner);
2584 ++
2585 ++ if (check_for_locks(stp->st_file, lo))
2586 + return nfserr_locks_held;
2587 +- release_lock_stateid(stp);
2588 ++ /*
2589 ++ * Currently there's a 1-1 lock stateid<->lockowner
2590 ++ * correspondance, and we have to delete the lockowner when we
2591 ++ * delete the lock stateid:
2592 ++ */
2593 ++ unhash_lockowner(lo);
2594 + return nfs_ok;
2595 + }
2596 +
2597 +@@ -4044,6 +4052,10 @@ static bool same_lockowner_ino(struct nfs4_lockowner *lo, struct inode *inode, c
2598 +
2599 + if (!same_owner_str(&lo->lo_owner, owner, clid))
2600 + return false;
2601 ++ if (list_empty(&lo->lo_owner.so_stateids)) {
2602 ++ WARN_ON_ONCE(1);
2603 ++ return false;
2604 ++ }
2605 + lst = list_first_entry(&lo->lo_owner.so_stateids,
2606 + struct nfs4_ol_stateid, st_perstateowner);
2607 + return lst->st_file->fi_inode == inode;
2608 +diff --git a/fs/posix_acl.c b/fs/posix_acl.c
2609 +index 8bd2135b7f82..3542f1f814e2 100644
2610 +--- a/fs/posix_acl.c
2611 ++++ b/fs/posix_acl.c
2612 +@@ -158,6 +158,12 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p)
2613 + umode_t mode = 0;
2614 + int not_equiv = 0;
2615 +
2616 ++ /*
2617 ++ * A null ACL can always be presented as mode bits.
2618 ++ */
2619 ++ if (!acl)
2620 ++ return 0;
2621 ++
2622 + FOREACH_ACL_ENTRY(pa, acl, pe) {
2623 + switch (pa->e_tag) {
2624 + case ACL_USER_OBJ:
2625 +diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h
2626 +index 99d0fbcbaf79..7a13848d635c 100644
2627 +--- a/include/linux/ftrace.h
2628 ++++ b/include/linux/ftrace.h
2629 +@@ -524,6 +524,7 @@ static inline int ftrace_modify_call(struct dyn_ftrace *rec, unsigned long old_a
2630 + extern int ftrace_arch_read_dyn_info(char *buf, int size);
2631 +
2632 + extern int skip_trace(unsigned long ip);
2633 ++extern void ftrace_module_init(struct module *mod);
2634 +
2635 + extern void ftrace_disable_daemon(void);
2636 + extern void ftrace_enable_daemon(void);
2637 +@@ -533,6 +534,7 @@ static inline int ftrace_force_update(void) { return 0; }
2638 + static inline void ftrace_disable_daemon(void) { }
2639 + static inline void ftrace_enable_daemon(void) { }
2640 + static inline void ftrace_release_mod(struct module *mod) {}
2641 ++static inline void ftrace_module_init(struct module *mod) {}
2642 + static inline int register_ftrace_command(struct ftrace_func_command *cmd)
2643 + {
2644 + return -EINVAL;
2645 +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
2646 +index c2559847d7ee..422eac8538fd 100644
2647 +--- a/include/linux/hyperv.h
2648 ++++ b/include/linux/hyperv.h
2649 +@@ -483,15 +483,18 @@ hv_get_ringbuffer_availbytes(struct hv_ring_buffer_info *rbi,
2650 + * 0 . 13 (Windows Server 2008)
2651 + * 1 . 1 (Windows 7)
2652 + * 2 . 4 (Windows 8)
2653 ++ * 3 . 0 (Windows 8 R2)
2654 + */
2655 +
2656 + #define VERSION_WS2008 ((0 << 16) | (13))
2657 + #define VERSION_WIN7 ((1 << 16) | (1))
2658 + #define VERSION_WIN8 ((2 << 16) | (4))
2659 ++#define VERSION_WIN8_1 ((3 << 16) | (0))
2660 ++
2661 +
2662 + #define VERSION_INVAL -1
2663 +
2664 +-#define VERSION_CURRENT VERSION_WIN8
2665 ++#define VERSION_CURRENT VERSION_WIN8_1
2666 +
2667 + /* Make maximum size of pipe payload of 16K */
2668 + #define MAX_PIPE_DATA_PAYLOAD (sizeof(u8) * 16384)
2669 +@@ -894,7 +897,7 @@ struct vmbus_channel_relid_released {
2670 + struct vmbus_channel_initiate_contact {
2671 + struct vmbus_channel_message_header header;
2672 + u32 vmbus_version_requested;
2673 +- u32 padding2;
2674 ++ u32 target_vcpu; /* The VCPU the host should respond to */
2675 + u64 interrupt_page;
2676 + u64 monitor_page1;
2677 + u64 monitor_page2;
2678 +diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
2679 +index 5fa5afeeb759..6de0f2c14ec0 100644
2680 +--- a/include/linux/interrupt.h
2681 ++++ b/include/linux/interrupt.h
2682 +@@ -239,7 +239,40 @@ static inline int check_wakeup_irqs(void) { return 0; }
2683 +
2684 + extern cpumask_var_t irq_default_affinity;
2685 +
2686 +-extern int irq_set_affinity(unsigned int irq, const struct cpumask *cpumask);
2687 ++/* Internal implementation. Use the helpers below */
2688 ++extern int __irq_set_affinity(unsigned int irq, const struct cpumask *cpumask,
2689 ++ bool force);
2690 ++
2691 ++/**
2692 ++ * irq_set_affinity - Set the irq affinity of a given irq
2693 ++ * @irq: Interrupt to set affinity
2694 ++ * @mask: cpumask
2695 ++ *
2696 ++ * Fails if cpumask does not contain an online CPU
2697 ++ */
2698 ++static inline int
2699 ++irq_set_affinity(unsigned int irq, const struct cpumask *cpumask)
2700 ++{
2701 ++ return __irq_set_affinity(irq, cpumask, false);
2702 ++}
2703 ++
2704 ++/**
2705 ++ * irq_force_affinity - Force the irq affinity of a given irq
2706 ++ * @irq: Interrupt to set affinity
2707 ++ * @mask: cpumask
2708 ++ *
2709 ++ * Same as irq_set_affinity, but without checking the mask against
2710 ++ * online cpus.
2711 ++ *
2712 ++ * Solely for low level cpu hotplug code, where we need to make per
2713 ++ * cpu interrupts affine before the cpu becomes online.
2714 ++ */
2715 ++static inline int
2716 ++irq_force_affinity(unsigned int irq, const struct cpumask *cpumask)
2717 ++{
2718 ++ return __irq_set_affinity(irq, cpumask, true);
2719 ++}
2720 ++
2721 + extern int irq_can_set_affinity(unsigned int irq);
2722 + extern int irq_select_affinity(unsigned int irq);
2723 +
2724 +@@ -275,6 +308,11 @@ static inline int irq_set_affinity(unsigned int irq, const struct cpumask *m)
2725 + return -EINVAL;
2726 + }
2727 +
2728 ++static inline int irq_force_affinity(unsigned int irq, const struct cpumask *cpumask)
2729 ++{
2730 ++ return 0;
2731 ++}
2732 ++
2733 + static inline int irq_can_set_affinity(unsigned int irq)
2734 + {
2735 + return 0;
2736 +diff --git a/include/linux/irq.h b/include/linux/irq.h
2737 +index bc4e06611958..d591bfe1475b 100644
2738 +--- a/include/linux/irq.h
2739 ++++ b/include/linux/irq.h
2740 +@@ -375,7 +375,8 @@ extern void remove_percpu_irq(unsigned int irq, struct irqaction *act);
2741 +
2742 + extern void irq_cpu_online(void);
2743 + extern void irq_cpu_offline(void);
2744 +-extern int __irq_set_affinity_locked(struct irq_data *data, const struct cpumask *cpumask);
2745 ++extern int irq_set_affinity_locked(struct irq_data *data,
2746 ++ const struct cpumask *cpumask, bool force);
2747 +
2748 + #ifdef CONFIG_GENERIC_HARDIRQS
2749 +
2750 +diff --git a/include/trace/events/module.h b/include/trace/events/module.h
2751 +index 161932737416..ca298c7157ae 100644
2752 +--- a/include/trace/events/module.h
2753 ++++ b/include/trace/events/module.h
2754 +@@ -78,7 +78,7 @@ DECLARE_EVENT_CLASS(module_refcnt,
2755 +
2756 + TP_fast_assign(
2757 + __entry->ip = ip;
2758 +- __entry->refcnt = __this_cpu_read(mod->refptr->incs) + __this_cpu_read(mod->refptr->decs);
2759 ++ __entry->refcnt = __this_cpu_read(mod->refptr->incs) - __this_cpu_read(mod->refptr->decs);
2760 + __assign_str(name, mod->name);
2761 + ),
2762 +
2763 +diff --git a/include/uapi/drm/tegra_drm.h b/include/uapi/drm/tegra_drm.h
2764 +index 6e132a2f7420..86b1f9942d0a 100644
2765 +--- a/include/uapi/drm/tegra_drm.h
2766 ++++ b/include/uapi/drm/tegra_drm.h
2767 +@@ -103,7 +103,6 @@ struct drm_tegra_submit {
2768 + __u32 num_waitchks;
2769 + __u32 waitchk_mask;
2770 + __u32 timeout;
2771 +- __u32 pad;
2772 + __u64 syncpts;
2773 + __u64 cmdbufs;
2774 + __u64 relocs;
2775 +diff --git a/kernel/futex.c b/kernel/futex.c
2776 +index 3bc18bf48d0c..625a4e659e7a 100644
2777 +--- a/kernel/futex.c
2778 ++++ b/kernel/futex.c
2779 +@@ -592,6 +592,55 @@ void exit_pi_state_list(struct task_struct *curr)
2780 + raw_spin_unlock_irq(&curr->pi_lock);
2781 + }
2782 +
2783 ++/*
2784 ++ * We need to check the following states:
2785 ++ *
2786 ++ * Waiter | pi_state | pi->owner | uTID | uODIED | ?
2787 ++ *
2788 ++ * [1] NULL | --- | --- | 0 | 0/1 | Valid
2789 ++ * [2] NULL | --- | --- | >0 | 0/1 | Valid
2790 ++ *
2791 ++ * [3] Found | NULL | -- | Any | 0/1 | Invalid
2792 ++ *
2793 ++ * [4] Found | Found | NULL | 0 | 1 | Valid
2794 ++ * [5] Found | Found | NULL | >0 | 1 | Invalid
2795 ++ *
2796 ++ * [6] Found | Found | task | 0 | 1 | Valid
2797 ++ *
2798 ++ * [7] Found | Found | NULL | Any | 0 | Invalid
2799 ++ *
2800 ++ * [8] Found | Found | task | ==taskTID | 0/1 | Valid
2801 ++ * [9] Found | Found | task | 0 | 0 | Invalid
2802 ++ * [10] Found | Found | task | !=taskTID | 0/1 | Invalid
2803 ++ *
2804 ++ * [1] Indicates that the kernel can acquire the futex atomically. We
2805 ++ * came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit.
2806 ++ *
2807 ++ * [2] Valid, if TID does not belong to a kernel thread. If no matching
2808 ++ * thread is found then it indicates that the owner TID has died.
2809 ++ *
2810 ++ * [3] Invalid. The waiter is queued on a non PI futex
2811 ++ *
2812 ++ * [4] Valid state after exit_robust_list(), which sets the user space
2813 ++ * value to FUTEX_WAITERS | FUTEX_OWNER_DIED.
2814 ++ *
2815 ++ * [5] The user space value got manipulated between exit_robust_list()
2816 ++ * and exit_pi_state_list()
2817 ++ *
2818 ++ * [6] Valid state after exit_pi_state_list() which sets the new owner in
2819 ++ * the pi_state but cannot access the user space value.
2820 ++ *
2821 ++ * [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set.
2822 ++ *
2823 ++ * [8] Owner and user space value match
2824 ++ *
2825 ++ * [9] There is no transient state which sets the user space TID to 0
2826 ++ * except exit_robust_list(), but this is indicated by the
2827 ++ * FUTEX_OWNER_DIED bit. See [4]
2828 ++ *
2829 ++ * [10] There is no transient state which leaves owner and user space
2830 ++ * TID out of sync.
2831 ++ */
2832 + static int
2833 + lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
2834 + union futex_key *key, struct futex_pi_state **ps)
2835 +@@ -607,12 +656,13 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
2836 + plist_for_each_entry_safe(this, next, head, list) {
2837 + if (match_futex(&this->key, key)) {
2838 + /*
2839 +- * Another waiter already exists - bump up
2840 +- * the refcount and return its pi_state:
2841 ++ * Sanity check the waiter before increasing
2842 ++ * the refcount and attaching to it.
2843 + */
2844 + pi_state = this->pi_state;
2845 + /*
2846 +- * Userspace might have messed up non-PI and PI futexes
2847 ++ * Userspace might have messed up non-PI and
2848 ++ * PI futexes [3]
2849 + */
2850 + if (unlikely(!pi_state))
2851 + return -EINVAL;
2852 +@@ -620,34 +670,70 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
2853 + WARN_ON(!atomic_read(&pi_state->refcount));
2854 +
2855 + /*
2856 +- * When pi_state->owner is NULL then the owner died
2857 +- * and another waiter is on the fly. pi_state->owner
2858 +- * is fixed up by the task which acquires
2859 +- * pi_state->rt_mutex.
2860 +- *
2861 +- * We do not check for pid == 0 which can happen when
2862 +- * the owner died and robust_list_exit() cleared the
2863 +- * TID.
2864 ++ * Handle the owner died case:
2865 + */
2866 +- if (pid && pi_state->owner) {
2867 ++ if (uval & FUTEX_OWNER_DIED) {
2868 ++ /*
2869 ++ * exit_pi_state_list sets owner to NULL and
2870 ++ * wakes the topmost waiter. The task which
2871 ++ * acquires the pi_state->rt_mutex will fixup
2872 ++ * owner.
2873 ++ */
2874 ++ if (!pi_state->owner) {
2875 ++ /*
2876 ++ * No pi state owner, but the user
2877 ++ * space TID is not 0. Inconsistent
2878 ++ * state. [5]
2879 ++ */
2880 ++ if (pid)
2881 ++ return -EINVAL;
2882 ++ /*
2883 ++ * Take a ref on the state and
2884 ++ * return. [4]
2885 ++ */
2886 ++ goto out_state;
2887 ++ }
2888 ++
2889 + /*
2890 +- * Bail out if user space manipulated the
2891 +- * futex value.
2892 ++ * If TID is 0, then either the dying owner
2893 ++ * has not yet executed exit_pi_state_list()
2894 ++ * or some waiter acquired the rtmutex in the
2895 ++ * pi state, but did not yet fixup the TID in
2896 ++ * user space.
2897 ++ *
2898 ++ * Take a ref on the state and return. [6]
2899 + */
2900 +- if (pid != task_pid_vnr(pi_state->owner))
2901 ++ if (!pid)
2902 ++ goto out_state;
2903 ++ } else {
2904 ++ /*
2905 ++ * If the owner died bit is not set,
2906 ++ * then the pi_state must have an
2907 ++ * owner. [7]
2908 ++ */
2909 ++ if (!pi_state->owner)
2910 + return -EINVAL;
2911 + }
2912 +
2913 ++ /*
2914 ++ * Bail out if user space manipulated the
2915 ++ * futex value. If pi state exists then the
2916 ++ * owner TID must be the same as the user
2917 ++ * space TID. [9/10]
2918 ++ */
2919 ++ if (pid != task_pid_vnr(pi_state->owner))
2920 ++ return -EINVAL;
2921 ++
2922 ++ out_state:
2923 + atomic_inc(&pi_state->refcount);
2924 + *ps = pi_state;
2925 +-
2926 + return 0;
2927 + }
2928 + }
2929 +
2930 + /*
2931 + * We are the first waiter - try to look up the real owner and attach
2932 +- * the new pi_state to it, but bail out when TID = 0
2933 ++ * the new pi_state to it, but bail out when TID = 0 [1]
2934 + */
2935 + if (!pid)
2936 + return -ESRCH;
2937 +@@ -655,6 +741,11 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
2938 + if (!p)
2939 + return -ESRCH;
2940 +
2941 ++ if (!p->mm) {
2942 ++ put_task_struct(p);
2943 ++ return -EPERM;
2944 ++ }
2945 ++
2946 + /*
2947 + * We need to look at the task state flags to figure out,
2948 + * whether the task is exiting. To protect against the do_exit
2949 +@@ -675,6 +766,9 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
2950 + return ret;
2951 + }
2952 +
2953 ++ /*
2954 ++ * No existing pi state. First waiter. [2]
2955 ++ */
2956 + pi_state = alloc_pi_state();
2957 +
2958 + /*
2959 +@@ -746,10 +840,18 @@ retry:
2960 + return -EDEADLK;
2961 +
2962 + /*
2963 +- * Surprise - we got the lock. Just return to userspace:
2964 ++ * Surprise - we got the lock, but we do not trust user space at all.
2965 + */
2966 +- if (unlikely(!curval))
2967 +- return 1;
2968 ++ if (unlikely(!curval)) {
2969 ++ /*
2970 ++ * We verify whether there is kernel state for this
2971 ++ * futex. If not, we can safely assume, that the 0 ->
2972 ++ * TID transition is correct. If state exists, we do
2973 ++ * not bother to fixup the user space state as it was
2974 ++ * corrupted already.
2975 ++ */
2976 ++ return futex_top_waiter(hb, key) ? -EINVAL : 1;
2977 ++ }
2978 +
2979 + uval = curval;
2980 +
2981 +@@ -879,6 +981,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
2982 + struct task_struct *new_owner;
2983 + struct futex_pi_state *pi_state = this->pi_state;
2984 + u32 uninitialized_var(curval), newval;
2985 ++ int ret = 0;
2986 +
2987 + if (!pi_state)
2988 + return -EINVAL;
2989 +@@ -902,23 +1005,19 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
2990 + new_owner = this->task;
2991 +
2992 + /*
2993 +- * We pass it to the next owner. (The WAITERS bit is always
2994 +- * kept enabled while there is PI state around. We must also
2995 +- * preserve the owner died bit.)
2996 ++ * We pass it to the next owner. The WAITERS bit is always
2997 ++ * kept enabled while there is PI state around. We cleanup the
2998 ++ * owner died bit, because we are the owner.
2999 + */
3000 +- if (!(uval & FUTEX_OWNER_DIED)) {
3001 +- int ret = 0;
3002 ++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
3003 +
3004 +- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
3005 +-
3006 +- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
3007 +- ret = -EFAULT;
3008 +- else if (curval != uval)
3009 +- ret = -EINVAL;
3010 +- if (ret) {
3011 +- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
3012 +- return ret;
3013 +- }
3014 ++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
3015 ++ ret = -EFAULT;
3016 ++ else if (curval != uval)
3017 ++ ret = -EINVAL;
3018 ++ if (ret) {
3019 ++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
3020 ++ return ret;
3021 + }
3022 +
3023 + raw_spin_lock_irq(&pi_state->owner->pi_lock);
3024 +@@ -1197,7 +1296,7 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
3025 + *
3026 + * Return:
3027 + * 0 - failed to acquire the lock atomically;
3028 +- * 1 - acquired the lock;
3029 ++ * >0 - acquired the lock, return value is vpid of the top_waiter
3030 + * <0 - error
3031 + */
3032 + static int futex_proxy_trylock_atomic(u32 __user *pifutex,
3033 +@@ -1208,7 +1307,7 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex,
3034 + {
3035 + struct futex_q *top_waiter = NULL;
3036 + u32 curval;
3037 +- int ret;
3038 ++ int ret, vpid;
3039 +
3040 + if (get_futex_value_locked(&curval, pifutex))
3041 + return -EFAULT;
3042 +@@ -1236,11 +1335,13 @@ static int futex_proxy_trylock_atomic(u32 __user *pifutex,
3043 + * the contended case or if set_waiters is 1. The pi_state is returned
3044 + * in ps in contended cases.
3045 + */
3046 ++ vpid = task_pid_vnr(top_waiter->task);
3047 + ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
3048 + set_waiters);
3049 +- if (ret == 1)
3050 ++ if (ret == 1) {
3051 + requeue_pi_wake_futex(top_waiter, key2, hb2);
3052 +-
3053 ++ return vpid;
3054 ++ }
3055 + return ret;
3056 + }
3057 +
3058 +@@ -1272,10 +1373,16 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
3059 + struct futex_hash_bucket *hb1, *hb2;
3060 + struct plist_head *head1;
3061 + struct futex_q *this, *next;
3062 +- u32 curval2;
3063 +
3064 + if (requeue_pi) {
3065 + /*
3066 ++ * Requeue PI only works on two distinct uaddrs. This
3067 ++ * check is only valid for private futexes. See below.
3068 ++ */
3069 ++ if (uaddr1 == uaddr2)
3070 ++ return -EINVAL;
3071 ++
3072 ++ /*
3073 + * requeue_pi requires a pi_state, try to allocate it now
3074 + * without any locks in case it fails.
3075 + */
3076 +@@ -1313,6 +1420,15 @@ retry:
3077 + if (unlikely(ret != 0))
3078 + goto out_put_key1;
3079 +
3080 ++ /*
3081 ++ * The check above which compares uaddrs is not sufficient for
3082 ++ * shared futexes. We need to compare the keys:
3083 ++ */
3084 ++ if (requeue_pi && match_futex(&key1, &key2)) {
3085 ++ ret = -EINVAL;
3086 ++ goto out_put_keys;
3087 ++ }
3088 ++
3089 + hb1 = hash_futex(&key1);
3090 + hb2 = hash_futex(&key2);
3091 +
3092 +@@ -1358,16 +1474,25 @@ retry_private:
3093 + * At this point the top_waiter has either taken uaddr2 or is
3094 + * waiting on it. If the former, then the pi_state will not
3095 + * exist yet, look it up one more time to ensure we have a
3096 +- * reference to it.
3097 ++ * reference to it. If the lock was taken, ret contains the
3098 ++ * vpid of the top waiter task.
3099 + */
3100 +- if (ret == 1) {
3101 ++ if (ret > 0) {
3102 + WARN_ON(pi_state);
3103 + drop_count++;
3104 + task_count++;
3105 +- ret = get_futex_value_locked(&curval2, uaddr2);
3106 +- if (!ret)
3107 +- ret = lookup_pi_state(curval2, hb2, &key2,
3108 +- &pi_state);
3109 ++ /*
3110 ++ * If we acquired the lock, then the user
3111 ++ * space value of uaddr2 should be vpid. It
3112 ++ * cannot be changed by the top waiter as it
3113 ++ * is blocked on hb2 lock if it tries to do
3114 ++ * so. If something fiddled with it behind our
3115 ++ * back the pi state lookup might unearth
3116 ++ * it. So we rather use the known value than
3117 ++ * rereading and handing potential crap to
3118 ++ * lookup_pi_state.
3119 ++ */
3120 ++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state);
3121 + }
3122 +
3123 + switch (ret) {
3124 +@@ -2137,9 +2262,10 @@ retry:
3125 + /*
3126 + * To avoid races, try to do the TID -> 0 atomic transition
3127 + * again. If it succeeds then we can return without waking
3128 +- * anyone else up:
3129 ++ * anyone else up. We only try this if neither the waiters nor
3130 ++ * the owner died bit are set.
3131 + */
3132 +- if (!(uval & FUTEX_OWNER_DIED) &&
3133 ++ if (!(uval & ~FUTEX_TID_MASK) &&
3134 + cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
3135 + goto pi_faulted;
3136 + /*
3137 +@@ -2171,11 +2297,9 @@ retry:
3138 + /*
3139 + * No waiters - kernel unlocks the futex:
3140 + */
3141 +- if (!(uval & FUTEX_OWNER_DIED)) {
3142 +- ret = unlock_futex_pi(uaddr, uval);
3143 +- if (ret == -EFAULT)
3144 +- goto pi_faulted;
3145 +- }
3146 ++ ret = unlock_futex_pi(uaddr, uval);
3147 ++ if (ret == -EFAULT)
3148 ++ goto pi_faulted;
3149 +
3150 + out_unlock:
3151 + spin_unlock(&hb->lock);
3152 +@@ -2334,6 +2458,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
3153 + if (ret)
3154 + goto out_key2;
3155 +
3156 ++ /*
3157 ++ * The check above which compares uaddrs is not sufficient for
3158 ++ * shared futexes. We need to compare the keys:
3159 ++ */
3160 ++ if (match_futex(&q.key, &key2)) {
3161 ++ ret = -EINVAL;
3162 ++ goto out_put_keys;
3163 ++ }
3164 ++
3165 + /* Queue the futex_q, drop the hb lock, wait for wakeup. */
3166 + futex_wait_queue_me(hb, &q, to);
3167 +
3168 +diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
3169 +index 2288fbdada16..aadf4b7a607c 100644
3170 +--- a/kernel/hrtimer.c
3171 ++++ b/kernel/hrtimer.c
3172 +@@ -245,6 +245,11 @@ again:
3173 + goto again;
3174 + }
3175 + timer->base = new_base;
3176 ++ } else {
3177 ++ if (cpu != this_cpu && hrtimer_check_target(timer, new_base)) {
3178 ++ cpu = this_cpu;
3179 ++ goto again;
3180 ++ }
3181 + }
3182 + return new_base;
3183 + }
3184 +@@ -580,6 +585,23 @@ hrtimer_force_reprogram(struct hrtimer_cpu_base *cpu_base, int skip_equal)
3185 +
3186 + cpu_base->expires_next.tv64 = expires_next.tv64;
3187 +
3188 ++ /*
3189 ++ * If a hang was detected in the last timer interrupt then we
3190 ++ * leave the hang delay active in the hardware. We want the
3191 ++ * system to make progress. That also prevents the following
3192 ++ * scenario:
3193 ++ * T1 expires 50ms from now
3194 ++ * T2 expires 5s from now
3195 ++ *
3196 ++ * T1 is removed, so this code is called and would reprogram
3197 ++ * the hardware to 5s from now. Any hrtimer_start after that
3198 ++ * will not reprogram the hardware due to hang_detected being
3199 ++ * set. So we'd effectivly block all timers until the T2 event
3200 ++ * fires.
3201 ++ */
3202 ++ if (cpu_base->hang_detected)
3203 ++ return;
3204 ++
3205 + if (cpu_base->expires_next.tv64 != KTIME_MAX)
3206 + tick_program_event(cpu_base->expires_next, 1);
3207 + }
3208 +@@ -977,11 +999,8 @@ int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
3209 + /* Remove an active timer from the queue: */
3210 + ret = remove_hrtimer(timer, base);
3211 +
3212 +- /* Switch the timer base, if necessary: */
3213 +- new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED);
3214 +-
3215 + if (mode & HRTIMER_MODE_REL) {
3216 +- tim = ktime_add_safe(tim, new_base->get_time());
3217 ++ tim = ktime_add_safe(tim, base->get_time());
3218 + /*
3219 + * CONFIG_TIME_LOW_RES is a temporary way for architectures
3220 + * to signal that they simply return xtime in
3221 +@@ -996,6 +1015,9 @@ int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
3222 +
3223 + hrtimer_set_expires_range_ns(timer, tim, delta_ns);
3224 +
3225 ++ /* Switch the timer base, if necessary: */
3226 ++ new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED);
3227 ++
3228 + timer_stats_hrtimer_set_start_info(timer);
3229 +
3230 + leftmost = enqueue_hrtimer(timer, new_base);
3231 +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
3232 +index 9bd5c8a6c8ee..8815abfdf2cb 100644
3233 +--- a/kernel/irq/manage.c
3234 ++++ b/kernel/irq/manage.c
3235 +@@ -150,7 +150,7 @@ int irq_do_set_affinity(struct irq_data *data, const struct cpumask *mask,
3236 + struct irq_chip *chip = irq_data_get_irq_chip(data);
3237 + int ret;
3238 +
3239 +- ret = chip->irq_set_affinity(data, mask, false);
3240 ++ ret = chip->irq_set_affinity(data, mask, force);
3241 + switch (ret) {
3242 + case IRQ_SET_MASK_OK:
3243 + cpumask_copy(data->affinity, mask);
3244 +@@ -162,7 +162,8 @@ int irq_do_set_affinity(struct irq_data *data, const struct cpumask *mask,
3245 + return ret;
3246 + }
3247 +
3248 +-int __irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask)
3249 ++int irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask,
3250 ++ bool force)
3251 + {
3252 + struct irq_chip *chip = irq_data_get_irq_chip(data);
3253 + struct irq_desc *desc = irq_data_to_desc(data);
3254 +@@ -172,7 +173,7 @@ int __irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask)
3255 + return -EINVAL;
3256 +
3257 + if (irq_can_move_pcntxt(data)) {
3258 +- ret = irq_do_set_affinity(data, mask, false);
3259 ++ ret = irq_do_set_affinity(data, mask, force);
3260 + } else {
3261 + irqd_set_move_pending(data);
3262 + irq_copy_pending(desc, mask);
3263 +@@ -187,13 +188,7 @@ int __irq_set_affinity_locked(struct irq_data *data, const struct cpumask *mask)
3264 + return ret;
3265 + }
3266 +
3267 +-/**
3268 +- * irq_set_affinity - Set the irq affinity of a given irq
3269 +- * @irq: Interrupt to set affinity
3270 +- * @mask: cpumask
3271 +- *
3272 +- */
3273 +-int irq_set_affinity(unsigned int irq, const struct cpumask *mask)
3274 ++int __irq_set_affinity(unsigned int irq, const struct cpumask *mask, bool force)
3275 + {
3276 + struct irq_desc *desc = irq_to_desc(irq);
3277 + unsigned long flags;
3278 +@@ -203,7 +198,7 @@ int irq_set_affinity(unsigned int irq, const struct cpumask *mask)
3279 + return -EINVAL;
3280 +
3281 + raw_spin_lock_irqsave(&desc->lock, flags);
3282 +- ret = __irq_set_affinity_locked(irq_desc_get_irq_data(desc), mask);
3283 ++ ret = irq_set_affinity_locked(irq_desc_get_irq_data(desc), mask, force);
3284 + raw_spin_unlock_irqrestore(&desc->lock, flags);
3285 + return ret;
3286 + }
3287 +diff --git a/kernel/module.c b/kernel/module.c
3288 +index fa53db8aadeb..10a3af821d28 100644
3289 +--- a/kernel/module.c
3290 ++++ b/kernel/module.c
3291 +@@ -3279,6 +3279,9 @@ static int load_module(struct load_info *info, const char __user *uargs,
3292 +
3293 + dynamic_debug_setup(info->debug, info->num_debug);
3294 +
3295 ++ /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */
3296 ++ ftrace_module_init(mod);
3297 ++
3298 + /* Finally it's fully formed, ready to start executing. */
3299 + err = complete_formation(mod, info);
3300 + if (err)
3301 +diff --git a/kernel/timer.c b/kernel/timer.c
3302 +index 15bc1b41021d..20f45ea6f5a4 100644
3303 +--- a/kernel/timer.c
3304 ++++ b/kernel/timer.c
3305 +@@ -822,7 +822,7 @@ unsigned long apply_slack(struct timer_list *timer, unsigned long expires)
3306 +
3307 + bit = find_last_bit(&mask, BITS_PER_LONG);
3308 +
3309 +- mask = (1 << bit) - 1;
3310 ++ mask = (1UL << bit) - 1;
3311 +
3312 + expires_limit = expires_limit & ~(mask);
3313 +
3314 +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
3315 +index 4b93b8412252..797d3b91a30b 100644
3316 +--- a/kernel/trace/ftrace.c
3317 ++++ b/kernel/trace/ftrace.c
3318 +@@ -4222,16 +4222,11 @@ static void ftrace_init_module(struct module *mod,
3319 + ftrace_process_locs(mod, start, end);
3320 + }
3321 +
3322 +-static int ftrace_module_notify_enter(struct notifier_block *self,
3323 +- unsigned long val, void *data)
3324 ++void ftrace_module_init(struct module *mod)
3325 + {
3326 +- struct module *mod = data;
3327 +-
3328 +- if (val == MODULE_STATE_COMING)
3329 +- ftrace_init_module(mod, mod->ftrace_callsites,
3330 +- mod->ftrace_callsites +
3331 +- mod->num_ftrace_callsites);
3332 +- return 0;
3333 ++ ftrace_init_module(mod, mod->ftrace_callsites,
3334 ++ mod->ftrace_callsites +
3335 ++ mod->num_ftrace_callsites);
3336 + }
3337 +
3338 + static int ftrace_module_notify_exit(struct notifier_block *self,
3339 +@@ -4245,11 +4240,6 @@ static int ftrace_module_notify_exit(struct notifier_block *self,
3340 + return 0;
3341 + }
3342 + #else
3343 +-static int ftrace_module_notify_enter(struct notifier_block *self,
3344 +- unsigned long val, void *data)
3345 +-{
3346 +- return 0;
3347 +-}
3348 + static int ftrace_module_notify_exit(struct notifier_block *self,
3349 + unsigned long val, void *data)
3350 + {
3351 +@@ -4257,11 +4247,6 @@ static int ftrace_module_notify_exit(struct notifier_block *self,
3352 + }
3353 + #endif /* CONFIG_MODULES */
3354 +
3355 +-struct notifier_block ftrace_module_enter_nb = {
3356 +- .notifier_call = ftrace_module_notify_enter,
3357 +- .priority = INT_MAX, /* Run before anything that can use kprobes */
3358 +-};
3359 +-
3360 + struct notifier_block ftrace_module_exit_nb = {
3361 + .notifier_call = ftrace_module_notify_exit,
3362 + .priority = INT_MIN, /* Run after anything that can remove kprobes */
3363 +@@ -4298,10 +4283,6 @@ void __init ftrace_init(void)
3364 + __start_mcount_loc,
3365 + __stop_mcount_loc);
3366 +
3367 +- ret = register_module_notifier(&ftrace_module_enter_nb);
3368 +- if (ret)
3369 +- pr_warning("Failed to register trace ftrace module enter notifier\n");
3370 +-
3371 + ret = register_module_notifier(&ftrace_module_exit_nb);
3372 + if (ret)
3373 + pr_warning("Failed to register trace ftrace module exit notifier\n");
3374 +diff --git a/kernel/workqueue.c b/kernel/workqueue.c
3375 +index db7a6ac7c0a8..652f36dd40de 100644
3376 +--- a/kernel/workqueue.c
3377 ++++ b/kernel/workqueue.c
3378 +@@ -1881,6 +1881,12 @@ static void send_mayday(struct work_struct *work)
3379 +
3380 + /* mayday mayday mayday */
3381 + if (list_empty(&pwq->mayday_node)) {
3382 ++ /*
3383 ++ * If @pwq is for an unbound wq, its base ref may be put at
3384 ++ * any time due to an attribute change. Pin @pwq until the
3385 ++ * rescuer is done with it.
3386 ++ */
3387 ++ get_pwq(pwq);
3388 + list_add_tail(&pwq->mayday_node, &wq->maydays);
3389 + wake_up_process(wq->rescuer->task);
3390 + }
3391 +@@ -2356,6 +2362,7 @@ static int rescuer_thread(void *__rescuer)
3392 + struct worker *rescuer = __rescuer;
3393 + struct workqueue_struct *wq = rescuer->rescue_wq;
3394 + struct list_head *scheduled = &rescuer->scheduled;
3395 ++ bool should_stop;
3396 +
3397 + set_user_nice(current, RESCUER_NICE_LEVEL);
3398 +
3399 +@@ -2367,11 +2374,15 @@ static int rescuer_thread(void *__rescuer)
3400 + repeat:
3401 + set_current_state(TASK_INTERRUPTIBLE);
3402 +
3403 +- if (kthread_should_stop()) {
3404 +- __set_current_state(TASK_RUNNING);
3405 +- rescuer->task->flags &= ~PF_WQ_WORKER;
3406 +- return 0;
3407 +- }
3408 ++ /*
3409 ++ * By the time the rescuer is requested to stop, the workqueue
3410 ++ * shouldn't have any work pending, but @wq->maydays may still have
3411 ++ * pwq(s) queued. This can happen by non-rescuer workers consuming
3412 ++ * all the work items before the rescuer got to them. Go through
3413 ++ * @wq->maydays processing before acting on should_stop so that the
3414 ++ * list is always empty on exit.
3415 ++ */
3416 ++ should_stop = kthread_should_stop();
3417 +
3418 + /* see whether any pwq is asking for help */
3419 + spin_lock_irq(&wq_mayday_lock);
3420 +@@ -2403,6 +2414,12 @@ repeat:
3421 + process_scheduled_works(rescuer);
3422 +
3423 + /*
3424 ++ * Put the reference grabbed by send_mayday(). @pool won't
3425 ++ * go away while we're holding its lock.
3426 ++ */
3427 ++ put_pwq(pwq);
3428 ++
3429 ++ /*
3430 + * Leave this pool. If keep_working() is %true, notify a
3431 + * regular worker; otherwise, we end up with 0 concurrency
3432 + * and stalling the execution.
3433 +@@ -2417,6 +2434,12 @@ repeat:
3434 +
3435 + spin_unlock_irq(&wq_mayday_lock);
3436 +
3437 ++ if (should_stop) {
3438 ++ __set_current_state(TASK_RUNNING);
3439 ++ rescuer->task->flags &= ~PF_WQ_WORKER;
3440 ++ return 0;
3441 ++ }
3442 ++
3443 + /* rescuers should never participate in concurrency management */
3444 + WARN_ON_ONCE(!(rescuer->flags & WORKER_NOT_RUNNING));
3445 + schedule();
3446 +@@ -4043,7 +4066,8 @@ static void wq_update_unbound_numa(struct workqueue_struct *wq, int cpu,
3447 + if (!pwq) {
3448 + pr_warning("workqueue: allocation failed while updating NUMA affinity of \"%s\"\n",
3449 + wq->name);
3450 +- goto out_unlock;
3451 ++ mutex_lock(&wq->mutex);
3452 ++ goto use_dfl_pwq;
3453 + }
3454 +
3455 + /*
3456 +diff --git a/mm/memory-failure.c b/mm/memory-failure.c
3457 +index 59c62fa75c5a..4254eb021583 100644
3458 +--- a/mm/memory-failure.c
3459 ++++ b/mm/memory-failure.c
3460 +@@ -1083,15 +1083,16 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
3461 + return 0;
3462 + } else if (PageHuge(hpage)) {
3463 + /*
3464 +- * Check "just unpoisoned", "filter hit", and
3465 +- * "race with other subpage."
3466 ++ * Check "filter hit" and "race with other subpage."
3467 + */
3468 + lock_page(hpage);
3469 +- if (!PageHWPoison(hpage)
3470 +- || (hwpoison_filter(p) && TestClearPageHWPoison(p))
3471 +- || (p != hpage && TestSetPageHWPoison(hpage))) {
3472 +- atomic_long_sub(nr_pages, &num_poisoned_pages);
3473 +- return 0;
3474 ++ if (PageHWPoison(hpage)) {
3475 ++ if ((hwpoison_filter(p) && TestClearPageHWPoison(p))
3476 ++ || (p != hpage && TestSetPageHWPoison(hpage))) {
3477 ++ atomic_long_sub(nr_pages, &num_poisoned_pages);
3478 ++ unlock_page(hpage);
3479 ++ return 0;
3480 ++ }
3481 + }
3482 + set_page_hwpoison_huge_page(hpage);
3483 + res = dequeue_hwpoisoned_huge_page(hpage);
3484 +diff --git a/mm/memory.c b/mm/memory.c
3485 +index 4b60011907d7..ebe0f285c0e7 100644
3486 +--- a/mm/memory.c
3487 ++++ b/mm/memory.c
3488 +@@ -1937,12 +1937,17 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
3489 + unsigned long address, unsigned int fault_flags)
3490 + {
3491 + struct vm_area_struct *vma;
3492 ++ vm_flags_t vm_flags;
3493 + int ret;
3494 +
3495 + vma = find_extend_vma(mm, address);
3496 + if (!vma || address < vma->vm_start)
3497 + return -EFAULT;
3498 +
3499 ++ vm_flags = (fault_flags & FAULT_FLAG_WRITE) ? VM_WRITE : VM_READ;
3500 ++ if (!(vm_flags & vma->vm_flags))
3501 ++ return -EFAULT;
3502 ++
3503 + ret = handle_mm_fault(mm, vma, address, fault_flags);
3504 + if (ret & VM_FAULT_ERROR) {
3505 + if (ret & VM_FAULT_OOM)
3506 +diff --git a/mm/mremap.c b/mm/mremap.c
3507 +index 463a25705ac6..2201d060c31b 100644
3508 +--- a/mm/mremap.c
3509 ++++ b/mm/mremap.c
3510 +@@ -175,10 +175,17 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
3511 + break;
3512 + if (pmd_trans_huge(*old_pmd)) {
3513 + int err = 0;
3514 +- if (extent == HPAGE_PMD_SIZE)
3515 ++ if (extent == HPAGE_PMD_SIZE) {
3516 ++ VM_BUG_ON(vma->vm_file || !vma->anon_vma);
3517 ++ /* See comment in move_ptes() */
3518 ++ if (need_rmap_locks)
3519 ++ anon_vma_lock_write(vma->anon_vma);
3520 + err = move_huge_pmd(vma, new_vma, old_addr,
3521 + new_addr, old_end,
3522 + old_pmd, new_pmd);
3523 ++ if (need_rmap_locks)
3524 ++ anon_vma_unlock_write(vma->anon_vma);
3525 ++ }
3526 + if (err > 0) {
3527 + need_flush = true;
3528 + continue;
3529 +diff --git a/mm/percpu.c b/mm/percpu.c
3530 +index 8c8e08f3a692..25e2ea52db82 100644
3531 +--- a/mm/percpu.c
3532 ++++ b/mm/percpu.c
3533 +@@ -612,7 +612,7 @@ static struct pcpu_chunk *pcpu_alloc_chunk(void)
3534 + chunk->map = pcpu_mem_zalloc(PCPU_DFL_MAP_ALLOC *
3535 + sizeof(chunk->map[0]));
3536 + if (!chunk->map) {
3537 +- kfree(chunk);
3538 ++ pcpu_mem_free(chunk, pcpu_chunk_struct_size);
3539 + return NULL;
3540 + }
3541 +
3542 +diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
3543 +index 6c7f36379722..4c51c055d00f 100644
3544 +--- a/net/bluetooth/hci_conn.c
3545 ++++ b/net/bluetooth/hci_conn.c
3546 +@@ -652,14 +652,17 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
3547 + if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->flags)) {
3548 + struct hci_cp_auth_requested cp;
3549 +
3550 +- /* encrypt must be pending if auth is also pending */
3551 +- set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3552 +-
3553 + cp.handle = cpu_to_le16(conn->handle);
3554 + hci_send_cmd(conn->hdev, HCI_OP_AUTH_REQUESTED,
3555 + sizeof(cp), &cp);
3556 ++
3557 ++ /* If we're already encrypted set the REAUTH_PEND flag,
3558 ++ * otherwise set the ENCRYPT_PEND.
3559 ++ */
3560 + if (conn->key_type != 0xff)
3561 + set_bit(HCI_CONN_REAUTH_PEND, &conn->flags);
3562 ++ else
3563 ++ set_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
3564 + }
3565 +
3566 + return 0;
3567 +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
3568 +index cfca44f8d048..ab2ec7c414cb 100644
3569 +--- a/net/bluetooth/hci_event.c
3570 ++++ b/net/bluetooth/hci_event.c
3571 +@@ -3051,6 +3051,12 @@ static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
3572 + if (!conn)
3573 + goto unlock;
3574 +
3575 ++ /* For BR/EDR the necessary steps are taken through the
3576 ++ * auth_complete event.
3577 ++ */
3578 ++ if (conn->type != LE_LINK)
3579 ++ goto unlock;
3580 ++
3581 + if (!ev->status)
3582 + conn->sec_level = conn->pending_sec_level;
3583 +
3584 +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
3585 +index eb0a46a49bd4..b9d7df175700 100644
3586 +--- a/net/ceph/messenger.c
3587 ++++ b/net/ceph/messenger.c
3588 +@@ -556,7 +556,7 @@ static int ceph_tcp_sendmsg(struct socket *sock, struct kvec *iov,
3589 + return r;
3590 + }
3591 +
3592 +-static int ceph_tcp_sendpage(struct socket *sock, struct page *page,
3593 ++static int __ceph_tcp_sendpage(struct socket *sock, struct page *page,
3594 + int offset, size_t size, bool more)
3595 + {
3596 + int flags = MSG_DONTWAIT | MSG_NOSIGNAL | (more ? MSG_MORE : MSG_EOR);
3597 +@@ -569,6 +569,24 @@ static int ceph_tcp_sendpage(struct socket *sock, struct page *page,
3598 + return ret;
3599 + }
3600 +
3601 ++static int ceph_tcp_sendpage(struct socket *sock, struct page *page,
3602 ++ int offset, size_t size, bool more)
3603 ++{
3604 ++ int ret;
3605 ++ struct kvec iov;
3606 ++
3607 ++ /* sendpage cannot properly handle pages with page_count == 0,
3608 ++ * we need to fallback to sendmsg if that's the case */
3609 ++ if (page_count(page) >= 1)
3610 ++ return __ceph_tcp_sendpage(sock, page, offset, size, more);
3611 ++
3612 ++ iov.iov_base = kmap(page) + offset;
3613 ++ iov.iov_len = size;
3614 ++ ret = ceph_tcp_sendmsg(sock, &iov, 1, size, more);
3615 ++ kunmap(page);
3616 ++
3617 ++ return ret;
3618 ++}
3619 +
3620 + /*
3621 + * Shutdown/close the socket for the given connection.
3622 +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
3623 +index 92ef04c72c51..845563b81a0f 100644
3624 +--- a/net/mac80211/ieee80211_i.h
3625 ++++ b/net/mac80211/ieee80211_i.h
3626 +@@ -311,6 +311,7 @@ struct ieee80211_roc_work {
3627 +
3628 + bool started, abort, hw_begun, notified;
3629 + bool to_be_freed;
3630 ++ bool on_channel;
3631 +
3632 + unsigned long hw_start_time;
3633 +
3634 +@@ -1270,6 +1271,7 @@ void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata);
3635 + void ieee80211_mgd_stop(struct ieee80211_sub_if_data *sdata);
3636 + void ieee80211_mgd_conn_tx_status(struct ieee80211_sub_if_data *sdata,
3637 + __le16 fc, bool acked);
3638 ++void ieee80211_mgd_quiesce(struct ieee80211_sub_if_data *sdata);
3639 + void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata);
3640 +
3641 + /* IBSS code */
3642 +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
3643 +index 49bc2246bd86..fc94937cd7b3 100644
3644 +--- a/net/mac80211/mlme.c
3645 ++++ b/net/mac80211/mlme.c
3646 +@@ -3754,6 +3754,32 @@ static void ieee80211_restart_sta_timer(struct ieee80211_sub_if_data *sdata)
3647 + }
3648 +
3649 + #ifdef CONFIG_PM
3650 ++void ieee80211_mgd_quiesce(struct ieee80211_sub_if_data *sdata)
3651 ++{
3652 ++ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3653 ++ u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
3654 ++
3655 ++ mutex_lock(&ifmgd->mtx);
3656 ++
3657 ++ if (ifmgd->auth_data) {
3658 ++ /*
3659 ++ * If we are trying to authenticate while suspending, cfg80211
3660 ++ * won't know and won't actually abort those attempts, thus we
3661 ++ * need to do that ourselves.
3662 ++ */
3663 ++ ieee80211_send_deauth_disassoc(sdata,
3664 ++ ifmgd->auth_data->bss->bssid,
3665 ++ IEEE80211_STYPE_DEAUTH,
3666 ++ WLAN_REASON_DEAUTH_LEAVING,
3667 ++ false, frame_buf);
3668 ++ ieee80211_destroy_auth_data(sdata, false);
3669 ++ cfg80211_send_deauth(sdata->dev, frame_buf,
3670 ++ IEEE80211_DEAUTH_FRAME_LEN);
3671 ++ }
3672 ++
3673 ++ mutex_unlock(&ifmgd->mtx);
3674 ++}
3675 ++
3676 + void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
3677 + {
3678 + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3679 +diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
3680 +index 11d3f227e11e..0427a58b4397 100644
3681 +--- a/net/mac80211/offchannel.c
3682 ++++ b/net/mac80211/offchannel.c
3683 +@@ -333,7 +333,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
3684 + container_of(work, struct ieee80211_roc_work, work.work);
3685 + struct ieee80211_sub_if_data *sdata = roc->sdata;
3686 + struct ieee80211_local *local = sdata->local;
3687 +- bool started;
3688 ++ bool started, on_channel;
3689 +
3690 + mutex_lock(&local->mtx);
3691 +
3692 +@@ -354,14 +354,24 @@ void ieee80211_sw_roc_work(struct work_struct *work)
3693 + if (!roc->started) {
3694 + struct ieee80211_roc_work *dep;
3695 +
3696 +- /* start this ROC */
3697 +- ieee80211_offchannel_stop_vifs(local);
3698 ++ WARN_ON(local->use_chanctx);
3699 ++
3700 ++ /* If actually operating on the desired channel (with at least
3701 ++ * 20 MHz channel width) don't stop all the operations but still
3702 ++ * treat it as though the ROC operation started properly, so
3703 ++ * other ROC operations won't interfere with this one.
3704 ++ */
3705 ++ roc->on_channel = roc->chan == local->_oper_chandef.chan;
3706 +
3707 +- /* switch channel etc */
3708 ++ /* start this ROC */
3709 + ieee80211_recalc_idle(local);
3710 +
3711 +- local->tmp_channel = roc->chan;
3712 +- ieee80211_hw_config(local, 0);
3713 ++ if (!roc->on_channel) {
3714 ++ ieee80211_offchannel_stop_vifs(local);
3715 ++
3716 ++ local->tmp_channel = roc->chan;
3717 ++ ieee80211_hw_config(local, 0);
3718 ++ }
3719 +
3720 + /* tell userspace or send frame */
3721 + ieee80211_handle_roc_started(roc);
3722 +@@ -380,9 +390,10 @@ void ieee80211_sw_roc_work(struct work_struct *work)
3723 + finish:
3724 + list_del(&roc->list);
3725 + started = roc->started;
3726 ++ on_channel = roc->on_channel;
3727 + ieee80211_roc_notify_destroy(roc, !roc->abort);
3728 +
3729 +- if (started) {
3730 ++ if (started && !on_channel) {
3731 + ieee80211_flush_queues(local, NULL);
3732 +
3733 + local->tmp_channel = NULL;
3734 +diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
3735 +index 340126204343..efb510e6f206 100644
3736 +--- a/net/mac80211/pm.c
3737 ++++ b/net/mac80211/pm.c
3738 +@@ -101,10 +101,18 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
3739 +
3740 + /* remove all interfaces that were created in the driver */
3741 + list_for_each_entry(sdata, &local->interfaces, list) {
3742 +- if (!ieee80211_sdata_running(sdata) ||
3743 +- sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
3744 +- sdata->vif.type == NL80211_IFTYPE_MONITOR)
3745 ++ if (!ieee80211_sdata_running(sdata))
3746 + continue;
3747 ++ switch (sdata->vif.type) {
3748 ++ case NL80211_IFTYPE_AP_VLAN:
3749 ++ case NL80211_IFTYPE_MONITOR:
3750 ++ continue;
3751 ++ case NL80211_IFTYPE_STATION:
3752 ++ ieee80211_mgd_quiesce(sdata);
3753 ++ break;
3754 ++ default:
3755 ++ break;
3756 ++ }
3757 +
3758 + drv_remove_interface(local, sdata);
3759 + }
3760 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
3761 +index 5f055d7ee85b..1800db643a16 100644
3762 +--- a/sound/pci/hda/hda_intel.c
3763 ++++ b/sound/pci/hda/hda_intel.c
3764 +@@ -3856,6 +3856,9 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) = {
3765 + /* Lynx Point */
3766 + { PCI_DEVICE(0x8086, 0x8c20),
3767 + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
3768 ++ /* 9 Series */
3769 ++ { PCI_DEVICE(0x8086, 0x8ca0),
3770 ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
3771 + /* Wellsburg */
3772 + { PCI_DEVICE(0x8086, 0x8d20),
3773 + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
3774 +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c
3775 +index e3cd86514cea..1ae1f8bd9c36 100644
3776 +--- a/sound/soc/codecs/wm8962.c
3777 ++++ b/sound/soc/codecs/wm8962.c
3778 +@@ -153,6 +153,7 @@ static struct reg_default wm8962_reg[] = {
3779 + { 40, 0x0000 }, /* R40 - SPKOUTL volume */
3780 + { 41, 0x0000 }, /* R41 - SPKOUTR volume */
3781 +
3782 ++ { 49, 0x0010 }, /* R49 - Class D Control 1 */
3783 + { 51, 0x0003 }, /* R51 - Class D Control 2 */
3784 +
3785 + { 56, 0x0506 }, /* R56 - Clocking 4 */
3786 +@@ -794,7 +795,6 @@ static bool wm8962_volatile_register(struct device *dev, unsigned int reg)
3787 + case WM8962_ALC2:
3788 + case WM8962_THERMAL_SHUTDOWN_STATUS:
3789 + case WM8962_ADDITIONAL_CONTROL_4:
3790 +- case WM8962_CLASS_D_CONTROL_1:
3791 + case WM8962_DC_SERVO_6:
3792 + case WM8962_INTERRUPT_STATUS_1:
3793 + case WM8962_INTERRUPT_STATUS_2:
3794 +@@ -2901,13 +2901,22 @@ static int wm8962_set_fll(struct snd_soc_codec *codec, int fll_id, int source,
3795 + static int wm8962_mute(struct snd_soc_dai *dai, int mute)
3796 + {
3797 + struct snd_soc_codec *codec = dai->codec;
3798 +- int val;
3799 ++ int val, ret;
3800 +
3801 + if (mute)
3802 +- val = WM8962_DAC_MUTE;
3803 ++ val = WM8962_DAC_MUTE | WM8962_DAC_MUTE_ALT;
3804 + else
3805 + val = 0;
3806 +
3807 ++ /**
3808 ++ * The DAC mute bit is mirrored in two registers, update both to keep
3809 ++ * the register cache consistent.
3810 ++ */
3811 ++ ret = snd_soc_update_bits(codec, WM8962_CLASS_D_CONTROL_1,
3812 ++ WM8962_DAC_MUTE_ALT, val);
3813 ++ if (ret < 0)
3814 ++ return ret;
3815 ++
3816 + return snd_soc_update_bits(codec, WM8962_ADC_DAC_CONTROL_1,
3817 + WM8962_DAC_MUTE, val);
3818 + }
3819 +diff --git a/sound/soc/codecs/wm8962.h b/sound/soc/codecs/wm8962.h
3820 +index a1a5d5294c19..910aafd09d21 100644
3821 +--- a/sound/soc/codecs/wm8962.h
3822 ++++ b/sound/soc/codecs/wm8962.h
3823 +@@ -1954,6 +1954,10 @@
3824 + #define WM8962_SPKOUTL_ENA_MASK 0x0040 /* SPKOUTL_ENA */
3825 + #define WM8962_SPKOUTL_ENA_SHIFT 6 /* SPKOUTL_ENA */
3826 + #define WM8962_SPKOUTL_ENA_WIDTH 1 /* SPKOUTL_ENA */
3827 ++#define WM8962_DAC_MUTE_ALT 0x0010 /* DAC_MUTE */
3828 ++#define WM8962_DAC_MUTE_ALT_MASK 0x0010 /* DAC_MUTE */
3829 ++#define WM8962_DAC_MUTE_ALT_SHIFT 4 /* DAC_MUTE */
3830 ++#define WM8962_DAC_MUTE_ALT_WIDTH 1 /* DAC_MUTE */
3831 + #define WM8962_SPKOUTL_PGA_MUTE 0x0002 /* SPKOUTL_PGA_MUTE */
3832 + #define WM8962_SPKOUTL_PGA_MUTE_MASK 0x0002 /* SPKOUTL_PGA_MUTE */
3833 + #define WM8962_SPKOUTL_PGA_MUTE_SHIFT 1 /* SPKOUTL_PGA_MUTE */
3834 +diff --git a/sound/usb/card.h b/sound/usb/card.h
3835 +index bf2889a2cae5..82c2d80c8228 100644
3836 +--- a/sound/usb/card.h
3837 ++++ b/sound/usb/card.h
3838 +@@ -90,6 +90,7 @@ struct snd_usb_endpoint {
3839 + unsigned int curframesize; /* current packet size in frames (for capture) */
3840 + unsigned int syncmaxsize; /* sync endpoint packet size */
3841 + unsigned int fill_max:1; /* fill max packet size always */
3842 ++ unsigned int udh01_fb_quirk:1; /* corrupted feedback data */
3843 + unsigned int datainterval; /* log_2 of data packet interval */
3844 + unsigned int syncinterval; /* P for adaptive mode, 0 otherwise */
3845 + unsigned char silence_value;
3846 +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
3847 +index 659950e5b94f..308c02b2a597 100644
3848 +--- a/sound/usb/endpoint.c
3849 ++++ b/sound/usb/endpoint.c
3850 +@@ -467,6 +467,10 @@ struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
3851 + ep->syncinterval = 3;
3852 +
3853 + ep->syncmaxsize = le16_to_cpu(get_endpoint(alts, 1)->wMaxPacketSize);
3854 ++
3855 ++ if (chip->usb_id == USB_ID(0x0644, 0x8038) /* TEAC UD-H01 */ &&
3856 ++ ep->syncmaxsize == 4)
3857 ++ ep->udh01_fb_quirk = 1;
3858 + }
3859 +
3860 + list_add_tail(&ep->list, &chip->ep_list);
3861 +@@ -1075,7 +1079,16 @@ void snd_usb_handle_sync_urb(struct snd_usb_endpoint *ep,
3862 + if (f == 0)
3863 + return;
3864 +
3865 +- if (unlikely(ep->freqshift == INT_MIN)) {
3866 ++ if (unlikely(sender->udh01_fb_quirk)) {
3867 ++ /*
3868 ++ * The TEAC UD-H01 firmware sometimes changes the feedback value
3869 ++ * by +/- 0x1.0000.
3870 ++ */
3871 ++ if (f < ep->freqn - 0x8000)
3872 ++ f += 0x10000;
3873 ++ else if (f > ep->freqn + 0x8000)
3874 ++ f -= 0x10000;
3875 ++ } else if (unlikely(ep->freqshift == INT_MIN)) {
3876 + /*
3877 + * The first time we see a feedback value, determine its format
3878 + * by shifting it left or right until it matches the nominal
3879
3880 Deleted: genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch
3881 ===================================================================
3882 --- genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-09 00:42:33 UTC (rev 2818)
3883 +++ genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-09 12:27:34 UTC (rev 2819)
3884 @@ -1,160 +0,0 @@
3885 -From: Thomas Gleixner <tglx@××××××××××.de>
3886 -Date: Mon, 12 May 2014 20:45:34 +0000
3887 -Subject: futex: Add another early deadlock detection check
3888 -Git-commit: 866293ee54227584ffcb4a42f69c1f365974ba7f
3889 -
3890 -Dave Jones trinity syscall fuzzer exposed an issue in the deadlock
3891 -detection code of rtmutex:
3892 - http://lkml.kernel.org/r/20140429151655.GA14277@××××××.com
3893 -
3894 -That underlying issue has been fixed with a patch to the rtmutex code,
3895 -but the futex code must not call into rtmutex in that case because
3896 - - it can detect that issue early
3897 - - it avoids a different and more complex fixup for backing out
3898 -
3899 -If the user space variable got manipulated to 0x80000000 which means
3900 -no lock holder, but the waiters bit set and an active pi_state in the
3901 -kernel is found we can figure out the recursive locking issue by
3902 -looking at the pi_state owner. If that is the current task, then we
3903 -can safely return -EDEADLK.
3904 -
3905 -The check should have been added in commit 59fa62451 (futex: Handle
3906 -futex_pi OWNER_DIED take over correctly) already, but I did not see
3907 -the above issue caused by user space manipulation back then.
3908 -
3909 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
3910 -Cc: Dave Jones <davej@××××××.com>
3911 -Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
3912 -Cc: Peter Zijlstra <peterz@×××××××××.org>
3913 -Cc: Darren Hart <darren@××××××.com>
3914 -Cc: Davidlohr Bueso <davidlohr@××.com>
3915 -Cc: Steven Rostedt <rostedt@×××××××.org>
3916 -Cc: Clark Williams <williams@××××××.com>
3917 -Cc: Paul McKenney <paulmck@××××××××××××××.com>
3918 -Cc: Lai Jiangshan <laijs@××××××××××.com>
3919 -Cc: Roland McGrath <roland@×××××××××.com>
3920 -Cc: Carlos ODonell <carlos@××××××.com>
3921 -Cc: Jakub Jelinek <jakub@××××××.com>
3922 -Cc: Michael Kerrisk <mtk.manpages@×××××.com>
3923 -Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
3924 -Link: http://lkml.kernel.org/r/20140512201701.097349971@××××××××××.de
3925 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
3926 -Cc: stable@×××××××××××.org
3927 ----
3928 - kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++-------------
3929 - 1 file changed, 34 insertions(+), 13 deletions(-)
3930 -
3931 -Index: linux-3.12/kernel/futex.c
3932 -===================================================================
3933 ---- linux-3.12.orig/kernel/futex.c
3934 -+++ linux-3.12/kernel/futex.c
3935 -@@ -596,7 +596,8 @@ void exit_pi_state_list(struct task_stru
3936 -
3937 - static int
3938 - lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
3939 -- union futex_key *key, struct futex_pi_state **ps)
3940 -+ union futex_key *key, struct futex_pi_state **ps,
3941 -+ struct task_struct *task)
3942 - {
3943 - struct futex_pi_state *pi_state = NULL;
3944 - struct futex_q *this, *next;
3945 -@@ -640,6 +641,16 @@ lookup_pi_state(u32 uval, struct futex_h
3946 - return -EINVAL;
3947 - }
3948 -
3949 -+ /*
3950 -+ * Protect against a corrupted uval. If uval
3951 -+ * is 0x80000000 then pid is 0 and the waiter
3952 -+ * bit is set. So the deadlock check in the
3953 -+ * calling code has failed and we did not fall
3954 -+ * into the check above due to !pid.
3955 -+ */
3956 -+ if (task && pi_state->owner == task)
3957 -+ return -EDEADLK;
3958 -+
3959 - atomic_inc(&pi_state->refcount);
3960 - *ps = pi_state;
3961 -
3962 -@@ -789,7 +800,7 @@ retry:
3963 - * We dont have the lock. Look up the PI state (or create it if
3964 - * we are the first waiter):
3965 - */
3966 -- ret = lookup_pi_state(uval, hb, key, ps);
3967 -+ ret = lookup_pi_state(uval, hb, key, ps, task);
3968 -
3969 - if (unlikely(ret)) {
3970 - switch (ret) {
3971 -@@ -1199,7 +1210,7 @@ void requeue_pi_wake_futex(struct futex_
3972 - *
3973 - * Return:
3974 - * 0 - failed to acquire the lock atomically;
3975 -- * 1 - acquired the lock;
3976 -+ * >0 - acquired the lock, return value is vpid of the top_waiter
3977 - * <0 - error
3978 - */
3979 - static int futex_proxy_trylock_atomic(u32 __user *pifutex,
3980 -@@ -1210,7 +1221,7 @@ static int futex_proxy_trylock_atomic(u3
3981 - {
3982 - struct futex_q *top_waiter = NULL;
3983 - u32 curval;
3984 -- int ret;
3985 -+ int ret, vpid;
3986 -
3987 - if (get_futex_value_locked(&curval, pifutex))
3988 - return -EFAULT;
3989 -@@ -1238,11 +1249,13 @@ static int futex_proxy_trylock_atomic(u3
3990 - * the contended case or if set_waiters is 1. The pi_state is returned
3991 - * in ps in contended cases.
3992 - */
3993 -+ vpid = task_pid_vnr(top_waiter->task);
3994 - ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
3995 - set_waiters);
3996 -- if (ret == 1)
3997 -+ if (ret == 1) {
3998 - requeue_pi_wake_futex(top_waiter, key2, hb2);
3999 --
4000 -+ return vpid;
4001 -+ }
4002 - return ret;
4003 - }
4004 -
4005 -@@ -1274,7 +1287,6 @@ static int futex_requeue(u32 __user *uad
4006 - struct futex_hash_bucket *hb1, *hb2;
4007 - struct plist_head *head1;
4008 - struct futex_q *this, *next;
4009 -- u32 curval2;
4010 -
4011 - if (requeue_pi) {
4012 - /*
4013 -@@ -1360,16 +1372,25 @@ retry_private:
4014 - * At this point the top_waiter has either taken uaddr2 or is
4015 - * waiting on it. If the former, then the pi_state will not
4016 - * exist yet, look it up one more time to ensure we have a
4017 -- * reference to it.
4018 -+ * reference to it. If the lock was taken, ret contains the
4019 -+ * vpid of the top waiter task.
4020 - */
4021 -- if (ret == 1) {
4022 -+ if (ret > 0) {
4023 - WARN_ON(pi_state);
4024 - drop_count++;
4025 - task_count++;
4026 -- ret = get_futex_value_locked(&curval2, uaddr2);
4027 -- if (!ret)
4028 -- ret = lookup_pi_state(curval2, hb2, &key2,
4029 -- &pi_state);
4030 -+ /*
4031 -+ * If we acquired the lock, then the user
4032 -+ * space value of uaddr2 should be vpid. It
4033 -+ * cannot be changed by the top waiter as it
4034 -+ * is blocked on hb2 lock if it tries to do
4035 -+ * so. If something fiddled with it behind our
4036 -+ * back the pi state lookup might unearth
4037 -+ * it. So we rather use the known value than
4038 -+ * rereading and handing potential crap to
4039 -+ * lookup_pi_state.
4040 -+ */
4041 -+ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
4042 - }
4043 -
4044 - switch (ret) {
4045
4046 Deleted: genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch
4047 ===================================================================
4048 --- genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-09 00:42:33 UTC (rev 2818)
4049 +++ genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-09 12:27:34 UTC (rev 2819)
4050 @@ -1,52 +0,0 @@
4051 -From: Thomas Gleixner <tglx@××××××××××.de>
4052 -Date: Mon, 12 May 2014 20:45:35 +0000
4053 -Subject: futex: Prevent attaching to kernel threads
4054 -Git-commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a
4055 -
4056 -We happily allow userspace to declare a random kernel thread to be the
4057 -owner of a user space PI futex.
4058 -
4059 -Found while analysing the fallout of Dave Jones syscall fuzzer.
4060 -
4061 -We also should validate the thread group for private futexes and find
4062 -some fast way to validate whether the "alleged" owner has RW access on
4063 -the file which backs the SHM, but that's a separate issue.
4064 -
4065 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4066 -Cc: Dave Jones <davej@××××××.com>
4067 -Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
4068 -Cc: Peter Zijlstra <peterz@×××××××××.org>
4069 -Cc: Darren Hart <darren@××××××.com>
4070 -Cc: Davidlohr Bueso <davidlohr@××.com>
4071 -Cc: Steven Rostedt <rostedt@×××××××.org>
4072 -Cc: Clark Williams <williams@××××××.com>
4073 -Cc: Paul McKenney <paulmck@××××××××××××××.com>
4074 -Cc: Lai Jiangshan <laijs@××××××××××.com>
4075 -Cc: Roland McGrath <roland@×××××××××.com>
4076 -Cc: Carlos ODonell <carlos@××××××.com>
4077 -Cc: Jakub Jelinek <jakub@××××××.com>
4078 -Cc: Michael Kerrisk <mtk.manpages@×××××.com>
4079 -Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
4080 -Link: http://lkml.kernel.org/r/20140512201701.194824402@××××××××××.de
4081 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4082 -Cc: stable@×××××××××××.org
4083 ----
4084 - kernel/futex.c | 5 +++++
4085 - 1 file changed, 5 insertions(+)
4086 -
4087 -Index: linux-3.12/kernel/futex.c
4088 -===================================================================
4089 ---- linux-3.12.orig/kernel/futex.c
4090 -+++ linux-3.12/kernel/futex.c
4091 -@@ -668,6 +668,11 @@ lookup_pi_state(u32 uval, struct futex_h
4092 - if (!p)
4093 - return -ESRCH;
4094 -
4095 -+ if (!p->mm) {
4096 -+ put_task_struct(p);
4097 -+ return -EPERM;
4098 -+ }
4099 -+
4100 - /*
4101 - * We need to look at the task state flags to figure out,
4102 - * whether the task is exiting. To protect against the do_exit
4103
4104 Deleted: genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
4105 ===================================================================
4106 --- genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-09 00:42:33 UTC (rev 2818)
4107 +++ genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-09 12:27:34 UTC (rev 2819)
4108 @@ -1,81 +0,0 @@
4109 -From: Thomas Gleixner <tglx@××××××××××.de>
4110 -Date: Tue, 3 Jun 2014 12:27:06 +0000
4111 -Subject: futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr ==
4112 - uaddr2 in futex_requeue(..., requeue_pi=1)
4113 -Git-commit: e9c243a5a6de0be8e584c604d353412584b592f8
4114 -
4115 -If uaddr == uaddr2, then we have broken the rule of only requeueing from
4116 -a non-pi futex to a pi futex with this call. If we attempt this, then
4117 -dangling pointers may be left for rt_waiter resulting in an exploitable
4118 -condition.
4119 -
4120 -This change brings futex_requeue() in line with futex_wait_requeue_pi()
4121 -which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
4122 -uaddr == uaddr2 in futex_wait_requeue_pi()")
4123 -
4124 -[ tglx: Compare the resulting keys as well, as uaddrs might be
4125 - different depending on the mapping ]
4126 -
4127 -Fixes CVE-2014-3153.
4128 -
4129 -Reported-by: Pinkie Pie
4130 -Signed-off-by: Will Drewry <wad@××××××××.org>
4131 -Signed-off-by: Kees Cook <keescook@××××××××.org>
4132 -Cc: stable@×××××××××××.org
4133 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4134 -Reviewed-by: Darren Hart <dvhart@×××××××××××.com>
4135 -Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
4136 ----
4137 - kernel/futex.c | 25 +++++++++++++++++++++++++
4138 - 1 file changed, 25 insertions(+)
4139 -
4140 -Index: linux-3.12/kernel/futex.c
4141 -===================================================================
4142 ---- linux-3.12.orig/kernel/futex.c
4143 -+++ linux-3.12/kernel/futex.c
4144 -@@ -1295,6 +1295,13 @@ static int futex_requeue(u32 __user *uad
4145 -
4146 - if (requeue_pi) {
4147 - /*
4148 -+ * Requeue PI only works on two distinct uaddrs. This
4149 -+ * check is only valid for private futexes. See below.
4150 -+ */
4151 -+ if (uaddr1 == uaddr2)
4152 -+ return -EINVAL;
4153 -+
4154 -+ /*
4155 - * requeue_pi requires a pi_state, try to allocate it now
4156 - * without any locks in case it fails.
4157 - */
4158 -@@ -1332,6 +1339,15 @@ retry:
4159 - if (unlikely(ret != 0))
4160 - goto out_put_key1;
4161 -
4162 -+ /*
4163 -+ * The check above which compares uaddrs is not sufficient for
4164 -+ * shared futexes. We need to compare the keys:
4165 -+ */
4166 -+ if (requeue_pi && match_futex(&key1, &key2)) {
4167 -+ ret = -EINVAL;
4168 -+ goto out_put_keys;
4169 -+ }
4170 -+
4171 - hb1 = hash_futex(&key1);
4172 - hb2 = hash_futex(&key2);
4173 -
4174 -@@ -2362,6 +2378,15 @@ static int futex_wait_requeue_pi(u32 __u
4175 - if (ret)
4176 - goto out_key2;
4177 -
4178 -+ /*
4179 -+ * The check above which compares uaddrs is not sufficient for
4180 -+ * shared futexes. We need to compare the keys:
4181 -+ */
4182 -+ if (match_futex(&q.key, &key2)) {
4183 -+ ret = -EINVAL;
4184 -+ goto out_put_keys;
4185 -+ }
4186 -+
4187 - /* Queue the futex_q, drop the hb lock, wait for wakeup. */
4188 - futex_wait_queue_me(hb, &q, to);
4189 -
4190
4191 Deleted: genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
4192 ===================================================================
4193 --- genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-09 00:42:33 UTC (rev 2818)
4194 +++ genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-09 12:27:34 UTC (rev 2819)
4195 @@ -1,53 +0,0 @@
4196 -From: Thomas Gleixner <tglx@××××××××××.de>
4197 -Date: Tue, 3 Jun 2014 12:27:06 +0000
4198 -Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic()
4199 -Git-commit: b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
4200 -
4201 -We need to protect the atomic acquisition in the kernel against rogue
4202 -user space which sets the user space futex to 0, so the kernel side
4203 -acquisition succeeds while there is existing state in the kernel
4204 -associated to the real owner.
4205 -
4206 -Verify whether the futex has waiters associated with kernel state. If
4207 -it has, return -EINVAL. The state is corrupted already, so no point in
4208 -cleaning it up. Subsequent calls will fail as well. Not our problem.
4209 -
4210 -[ tglx: Use futex_top_waiter() and explain why we do not need to try
4211 - restoring the already corrupted user space state. ]
4212 -
4213 -Signed-off-by: Darren Hart <dvhart@×××××××××××.com>
4214 -Cc: Kees Cook <keescook@××××××××.org>
4215 -Cc: Will Drewry <wad@××××××××.org>
4216 -Cc: stable@×××××××××××.org
4217 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4218 -Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
4219 ----
4220 - kernel/futex.c | 14 +++++++++++---
4221 - 1 file changed, 11 insertions(+), 3 deletions(-)
4222 -
4223 -Index: linux-3.12/kernel/futex.c
4224 -===================================================================
4225 ---- linux-3.12.orig/kernel/futex.c
4226 -+++ linux-3.12/kernel/futex.c
4227 -@@ -764,10 +764,18 @@ retry:
4228 - return -EDEADLK;
4229 -
4230 - /*
4231 -- * Surprise - we got the lock. Just return to userspace:
4232 -+ * Surprise - we got the lock, but we do not trust user space at all.
4233 - */
4234 -- if (unlikely(!curval))
4235 -- return 1;
4236 -+ if (unlikely(!curval)) {
4237 -+ /*
4238 -+ * We verify whether there is kernel state for this
4239 -+ * futex. If not, we can safely assume, that the 0 ->
4240 -+ * TID transition is correct. If state exists, we do
4241 -+ * not bother to fixup the user space state as it was
4242 -+ * corrupted already.
4243 -+ */
4244 -+ return futex_top_waiter(hb, key) ? -EINVAL : 1;
4245 -+ }
4246 -
4247 - uval = curval;
4248 -
4249
4250 Deleted: genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
4251 ===================================================================
4252 --- genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-09 00:42:33 UTC (rev 2818)
4253 +++ genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-09 12:27:34 UTC (rev 2819)
4254 @@ -1,99 +0,0 @@
4255 -From: Thomas Gleixner <tglx@××××××××××.de>
4256 -Date: Tue, 3 Jun 2014 12:27:07 +0000
4257 -Subject: futex: Always cleanup owner tid in unlock_pi
4258 -Git-commit: 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
4259 -
4260 -If the owner died bit is set at futex_unlock_pi, we currently do not
4261 -cleanup the user space futex. So the owner TID of the current owner
4262 -(the unlocker) persists. That's observable inconsistant state,
4263 -especially when the ownership of the pi state got transferred.
4264 -
4265 -Clean it up unconditionally.
4266 -
4267 -Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
4268 -Cc: Kees Cook <keescook@××××××××.org>
4269 -Cc: Will Drewry <wad@××××××××.org>
4270 -Cc: Darren Hart <dvhart@×××××××××××.com>
4271 -Cc: stable@×××××××××××.org
4272 -Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
4273 ----
4274 - kernel/futex.c | 40 ++++++++++++++++++----------------------
4275 - 1 file changed, 18 insertions(+), 22 deletions(-)
4276 -
4277 -Index: linux-3.12/kernel/futex.c
4278 -===================================================================
4279 ---- linux-3.12.orig/kernel/futex.c
4280 -+++ linux-3.12/kernel/futex.c
4281 -@@ -905,6 +905,7 @@ static int wake_futex_pi(u32 __user *uad
4282 - struct task_struct *new_owner;
4283 - struct futex_pi_state *pi_state = this->pi_state;
4284 - u32 uninitialized_var(curval), newval;
4285 -+ int ret = 0;
4286 -
4287 - if (!pi_state)
4288 - return -EINVAL;
4289 -@@ -928,23 +929,19 @@ static int wake_futex_pi(u32 __user *uad
4290 - new_owner = this->task;
4291 -
4292 - /*
4293 -- * We pass it to the next owner. (The WAITERS bit is always
4294 -- * kept enabled while there is PI state around. We must also
4295 -- * preserve the owner died bit.)
4296 -- */
4297 -- if (!(uval & FUTEX_OWNER_DIED)) {
4298 -- int ret = 0;
4299 --
4300 -- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
4301 --
4302 -- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
4303 -- ret = -EFAULT;
4304 -- else if (curval != uval)
4305 -- ret = -EINVAL;
4306 -- if (ret) {
4307 -- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
4308 -- return ret;
4309 -- }
4310 -+ * We pass it to the next owner. The WAITERS bit is always
4311 -+ * kept enabled while there is PI state around. We cleanup the
4312 -+ * owner died bit, because we are the owner.
4313 -+ */
4314 -+ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
4315 -+
4316 -+ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
4317 -+ ret = -EFAULT;
4318 -+ else if (curval != uval)
4319 -+ ret = -EINVAL;
4320 -+ if (ret) {
4321 -+ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
4322 -+ return ret;
4323 - }
4324 -
4325 - raw_spin_lock_irq(&pi_state->owner->pi_lock);
4326 -@@ -2189,9 +2186,10 @@ retry:
4327 - /*
4328 - * To avoid races, try to do the TID -> 0 atomic transition
4329 - * again. If it succeeds then we can return without waking
4330 -- * anyone else up:
4331 -+ * anyone else up. We only try this if neither the waiters nor
4332 -+ * the owner died bit are set.
4333 - */
4334 -- if (!(uval & FUTEX_OWNER_DIED) &&
4335 -+ if (!(uval & ~FUTEX_TID_MASK) &&
4336 - cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
4337 - goto pi_faulted;
4338 - /*
4339 -@@ -2223,11 +2221,9 @@ retry:
4340 - /*
4341 - * No waiters - kernel unlocks the futex:
4342 - */
4343 -- if (!(uval & FUTEX_OWNER_DIED)) {
4344 -- ret = unlock_futex_pi(uaddr, uval);
4345 -- if (ret == -EFAULT)
4346 -- goto pi_faulted;
4347 -- }
4348 -+ ret = unlock_futex_pi(uaddr, uval);
4349 -+ if (ret == -EFAULT)
4350 -+ goto pi_faulted;
4351 -
4352 - out_unlock:
4353 - spin_unlock(&hb->lock);
4354
4355 Deleted: genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch
4356 ===================================================================
4357 (Binary files differ)
Report Message
Find on MARC Find on Google Groups